v1.1.0 is released

[jfroche]

Spring is coming, birds are singing, lot of new feats, let's cut a release.

Note

System manager is a tool to configure Linux machines. Unlike Chef, Puppet and Ansible, it only controls a small subset, and most of its changes are done in an immutable layer, thanks to the power of Nix.

Here are the important changes in this version.

User Management

You can now manage your system users through system-manager. Under the hood, this is managed by userborn.

Safety-wise, this feature never deletes an existing user. If anything goes wrong, disabling system-manager resets the users and groups to what they were before the system-manager activation.

TL;DR: this won't eat your kittens.

You can use it as you would create users on NixOS:

{
  nixpkgs.hostPlatform = system;

  # Create the zimbatm user
  users.users.zimbatm = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "sudo"
    ];
    initialPassword = "test123";
  };

  # Create the postgres group
  users.groups.postgres = {};
}

Secrets

Now we're able to manage users, we're also able to use the sops-nix module as is.

Meaning you're finally able to manage your secrets declaratively from your system-manager config.

For instance:

{
  # Import the upstream module (through a flake input)
  imports = [ sops-nix.nixosModules.sops ];

  config = {
    nixpkgs.hostPlatform = system;
    # Set up the server decryption key
    sops = {
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      defaultSopsFile = ./sops/secrets-ssh.yaml;
      secrets.test = { };
    };

    # Adding a sysinit-reactivation.target dependency.
    systemd.services.sops-install-secrets = {
      before = [ "sysinit-reactivation.target" ];
      requiredBy = [ "sysinit-reactivation.target" ];
    };
    
    # Declare and use your secrets in the services config. 
    sops.secrets.miniflux-secrets = { };
    services.miniflux = {
      enable = true;
      adminCredentialsFile = config.sops.secrets.miniflux-secrets.path;
      config = {
        LISTEN_ADDR = "127.0.0.1:8003";
      };
    };
  };
}

Container Tests

We were already supporting VM tests analogous to the NixOS ones. We're now also supporting container tests.

The test driver has been extracted from clan-core and enhanced with an interactive mode.

It works very similarly as the NixOS test. You'll get your familiar interactive ipython shell to iterate of the test. The only major difference is the insanely fast boot time. The downside is that you can't test any kernel-related stuff with it.

We encourage you to use them as much as possible for your downstream tests. We wrote a how to page to help you getting started.

NixOS Compatibility Improvements

The endgoal of this project is to be able to re-use the upstream NixOS modules as-is. The road is still long, but we made quite some progress implementing some NixOS subsystems allowing us to cover more upstream modules.

In no particular order, we're now supporting:

• wilcards in the environment.etc option.
• the systemd.packages option. A convevenient way to inject the upstream projects systemd units to the configuration.
• the systemd.maskedUnits option.
• systemd unit overrides.
• the environment.extraInit option. Allowing us to add some commands in shell init.
• mocking networking.firewall. A proper implementation is a bit too tricky for now. Help welcome for a proper one.
• security.wrappers options enable you to create binaries with setuid/setgid bit.

See full changelog here