commit 22bb61d1f848d64708fbf10ee542c7f850d22dbe · pyrox.dev/nixpkgs

nixos/modules/module-list.nix

···

       590
       590
        
         ./services/development/jupyterhub/default.nix

     

       591
       591
        
         ./services/development/livebook.nix

     

       592
       592
        
         ./services/development/lorri.nix

     

       593
       593
       +
         ./services/development/nixseparatedebuginfod2.nix

     

       593
       594
        
         ./services/development/nixseparatedebuginfod.nix

     

       594
       595
        
         ./services/development/rstudio-server/default.nix

     

       595
       596
        
         ./services/development/vsmartcard-vpcd.nix

+97

nixos/modules/services/development/nixseparatedebuginfod2.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         pkgs,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         config,

     

       5
       5
       +
         utils,

     

       6
       6
       +
         ...

     

       7
       7
       +
       }:

     

       8
       8
       +
       let

     

       9
       9
       +
         cfg = config.services.nixseparatedebuginfod2;

     

       10
       10
       +
         url = "127.0.0.1:${toString cfg.port}";

     

       11
       11
       +
       in

     

       12
       12
       +
       {

     

       13
       13
       +
         options = {

     

       14
       14
       +
           services.nixseparatedebuginfod2 = {

     

       15
       15
       +
             enable = lib.mkEnableOption "nixseparatedebuginfod2, a debuginfod server providing source and debuginfo for nix packages";

     

       16
       16
       +
             port = lib.mkOption {

     

       17
       17
       +
               description = "port to listen";

     

       18
       18
       +
               default = 1950;

     

       19
       19
       +
               type = lib.types.port;

     

       20
       20
       +
             };

     

       21
       21
       +
             package = lib.mkPackageOption pkgs "nixseparatedebuginfod2" { };

     

       22
       22
       +
             substituter = lib.mkOption {

     

       23
       23
       +
               description = "nix substituter to fetch debuginfo from. Either http/https substituters, or `local:` to use debuginfo present in the local store.";

     

       24
       24
       +
               default = "https://cache.nixos.org";

     

       25
       25
       +
               example = "local:";

     

       26
       26
       +
               type = lib.types.str;

     

       27
       27
       +
             };

     

       28
       28
       +
             cacheExpirationDelay = lib.mkOption {

     

       29
       29
       +
               description = "keep unused cache entries for this long. A number followed by a unit";

     

       30
       30
       +
               default = "1d";

     

       31
       31
       +
               type = lib.types.str;

     

       32
       32
       +
             };

     

       33
       33
       +
           };

     

       34
       34
       +
         };

     

       35
       35
       +
         config = lib.mkIf cfg.enable {

     

       36
       36
       +
           systemd.services.nixseparatedebuginfod2 = {

     

       37
       37
       +
             wantedBy = [ "multi-user.target" ];

     

       38
       38
       +
             path = [ config.nix.package ];

     

       39
       39
       +
             serviceConfig = {

     

       40
       40
       +
               ExecStart = [

     

       41
       41
       +
                 (utils.escapeSystemdExecArgs [

     

       42
       42
       +
                   (lib.getExe cfg.package)

     

       43
       43
       +
                   "--listen-address"

     

       44
       44
       +
                   url

     

       45
       45
       +
                   "--substituter"

     

       46
       46
       +
                   cfg.substituter

     

       47
       47
       +
                   "--expiration"

     

       48
       48
       +
                   cfg.cacheExpirationDelay

     

       49
       49
       +
                 ])

     

       50
       50
       +
               ];

     

       51
       51
       +
               Restart = "on-failure";

     

       52
       52
       +
               CacheDirectory = "nixseparatedebuginfod2";

     

       53
       53
       +
               DynamicUser = true;

     

       54
       54
       +
       

     

       55
       55
       +
               # hardening

     

       56
       56
       +
               # Filesystem stuff

     

       57
       57
       +
               ProtectSystem = "strict"; # Prevent writing to most of /

     

       58
       58
       +
               ProtectHome = true; # Prevent accessing /home and /root

     

       59
       59
       +
               PrivateTmp = true; # Give an own directory under /tmp

     

       60
       60
       +
               PrivateDevices = true; # Deny access to most of /dev

     

       61
       61
       +
               ProtectKernelTunables = true; # Protect some parts of /sys

     

       62
       62
       +
               ProtectControlGroups = true; # Remount cgroups read-only

     

       63
       63
       +
               RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files

     

       64
       64
       +
               PrivateMounts = true; # Give an own mount namespace

     

       65
       65
       +
               RemoveIPC = true;

     

       66
       66
       +
               UMask = "0077";

     

       67
       67
       +
       

     

       68
       68
       +
               # Capabilities

     

       69
       69
       +
               CapabilityBoundingSet = ""; # Allow no capabilities at all

     

       70
       70
       +
               NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.

     

       71
       71
       +
       

     

       72
       72
       +
               # Kernel stuff

     

       73
       73
       +
               ProtectKernelModules = true; # Prevent loading of kernel modules

     

       74
       74
       +
               SystemCallArchitectures = "native"; # Usually no need to disable this

     

       75
       75
       +
               SystemCallFilter = "@system-service";

     

       76
       76
       +
               ProtectKernelLogs = true; # Prevent access to kernel logs

     

       77
       77
       +
               ProtectClock = true; # Prevent setting the RTC

     

       78
       78
       +
               ProtectProc = "noaccess";

     

       79
       79
       +
               ProcSubset = "pid";

     

       80
       80
       +
       

     

       81
       81
       +
               # Networking

     

       82
       82
       +
               RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";

     

       83
       83
       +
       

     

       84
       84
       +
               # Misc

     

       85
       85
       +
               LockPersonality = true; # Prevent change of the personality

     

       86
       86
       +
               ProtectHostname = true; # Give an own UTS namespace

     

       87
       87
       +
               RestrictRealtime = true; # Prevent switching to RT scheduling

     

       88
       88
       +
               MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python

     

       89
       89
       +
               RestrictNamespaces = true;

     

       90
       90
       +
       

     

       91
       91
       +
             };

     

       92
       92
       +
           };

     

       93
       93
       +
       

     

       94
       94
       +
           environment.debuginfodServers = [ "http://${url}" ];

     

       95
       95
       +
       

     

       96
       96
       +
         };

     

       97
       97
       +
       }

nixos/tests/all-tests.nix

···

       1047
       1047
        
         };

     

       1048
       1048
        
         nixpkgs = pkgs.callPackage ../modules/misc/nixpkgs/test.nix { inherit evalMinimalConfig; };

     

       1049
       1049
        
         nixseparatedebuginfod = runTest ./nixseparatedebuginfod.nix;

     

       1050
       1050
       +
         nixseparatedebuginfod2 = runTest ./nixseparatedebuginfod2.nix;

     

       1050
       1051
        
         node-red = runTest ./node-red.nix;

     

       1051
       1052
        
         nomad = runTest ./nomad.nix;

     

       1052
       1053
        
         nominatim = runTest ./nominatim.nix;

+72

nixos/tests/nixseparatedebuginfod2.nix

···

       1
       1
       +
       { pkgs, lib, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         name = "nixseparatedebuginfod2";

     

       4
       4
       +
         # A binary cache with debug info and source for gnumake

     

       5
       5
       +
         nodes.cache =

     

       6
       6
       +
           { pkgs, ... }:

     

       7
       7
       +
           {

     

       8
       8
       +
             services.nginx = {

     

       9
       9
       +
               enable = true;

     

       10
       10
       +
               virtualHosts.default = {

     

       11
       11
       +
                 default = true;

     

       12
       12
       +
                 addSSL = false;

     

       13
       13
       +
                 root = "/var/lib/thebinarycache";

     

       14
       14
       +
               };

     

       15
       15
       +
             };

     

       16
       16
       +
             networking.firewall.allowedTCPPorts = [ 80 ];

     

       17
       17
       +
             systemd.services.buildthebinarycache = {

     

       18
       18
       +
               before = [ "nginx.service" ];

     

       19
       19
       +
               wantedBy = [ "nginx.service" ];

     

       20
       20
       +
               script = ''

     

       21
       21
       +
                 ${pkgs.nix}/bin/nix --extra-experimental-features nix-command copy --to file:///var/lib/thebinarycache?index-debug-info=true ${pkgs.gnumake.debug} ${pkgs.gnumake} ${pkgs.gnumake.src} ${pkgs.sl}

     

       22
       22
       +
               '';

     

       23
       23
       +
               serviceConfig = {

     

       24
       24
       +
                 User = "nginx";

     

       25
       25
       +
                 Group = "nginx";

     

       26
       26
       +
                 StateDirectory = "thebinarycache";

     

       27
       27
       +
                 Type = "oneshot";

     

       28
       28
       +
               };

     

       29
       29
       +
             };

     

       30
       30
       +
           };

     

       31
       31
       +
         # the machine where we need the debuginfo

     

       32
       32
       +
         nodes.machine = {

     

       33
       33
       +
           services.nixseparatedebuginfod2 = {

     

       34
       34
       +
             enable = true;

     

       35
       35
       +
             substituter = "http://cache";

     

       36
       36
       +
           };

     

       37
       37
       +
           environment.systemPackages = [

     

       38
       38
       +
             pkgs.valgrind

     

       39
       39
       +
             pkgs.gdb

     

       40
       40
       +
             pkgs.gnumake

     

       41
       41
       +
           ];

     

       42
       42
       +
         };

     

       43
       43
       +
         testScript = ''

     

       44
       44
       +
           start_all()

     

       45
       45
       +
           cache.wait_for_unit("nginx.service")

     

       46
       46
       +
           cache.wait_for_open_port(80)

     

       47
       47
       +
           machine.wait_for_unit("nixseparatedebuginfod2.service")

     

       48
       48
       +
           machine.wait_for_open_port(1950)

     

       49
       49
       +
       

     

       50
       50
       +
           with subtest("check that the binary cache works"):

     

       51
       51
       +
             machine.succeed("nix-store --extra-substituters http://cache --option require-sigs false -r ${pkgs.sl}")

     

       52
       52
       +
       

     

       53
       53
       +
           # test debuginfod-find

     

       54
       54
       +
           machine.succeed("debuginfod-find debuginfo /run/current-system/sw/bin/make")

     

       55
       55
       +
       

     

       56
       56
       +
           # test that gdb can fetch source

     

       57
       57
       +
           out = machine.succeed("gdb /run/current-system/sw/bin/make --batch -x ${builtins.toFile "commands" ''

     

       58
       58
       +
             start

     

       59
       59
       +
             l

     

       60
       60
       +
           ''}")

     

       61
       61
       +
           print(out)

     

       62
       62
       +
           assert 'main (int argc, char **argv, char **envp)' in out

     

       63
       63
       +
       

     

       64
       64
       +
           # test that valgrind can display location information

     

       65
       65
       +
           # this relies on the fact that valgrind complains about gnumake

     

       66
       66
       +
           # because we also ask valgrind to show leak kinds

     

       67
       67
       +
           # which are usually false positives.

     

       68
       68
       +
           out = machine.succeed("valgrind --leak-check=full --show-leak-kinds=all make --version 2>&1")

     

       69
       69
       +
           print(out)

     

       70
       70
       +
           assert 'main.c' in out

     

       71
       71
       +
         '';

     

       72
       72
       +
       }

+4 -1

pkgs/by-name/ni/nixseparatedebuginfod2/package.nix

···

       8
       8
        
         bubblewrap,

     

       9
       9
        
         elfutils,

     

       10
       10
        
         nix,

     

       11
       11
       +
         nixosTests,

     

       11
       12
        
       }:

     

       12
       13
        
       

     

       13
       14
        
       rustPlatform.buildRustPackage rec {

     
···

       38
       39
        
       

     

       39
       40
        
         env.OPENSSL_NO_VENDOR = "1";

     

       40
       41
        
       

     

       41
       41
       -
         meta = with lib; {

     

       42
       42
       +
         passthru.tests = { inherit (nixosTests) nixseparatedebuginfod2; };

     

       43
       43
       +
       

     

       44
       44
       +
         meta = {

     

       42
       45
        
           description = "Downloads and provides debug symbols and source code for nix derivations to gdb and other debuginfod-capable debuggers as needed";

     

       43
       46
        
           homepage = "https://github.com/symphorien/nixseparatedebuginfod2";

     

       44
       47
        
           license = lib.licenses.gpl3Only;