Skip to content

Releases: numtide/system-manager

v1.1.0

12 Mar 12:02
@jfroche jfroche
v1.1.0
96cfa20

Choose a tag to compare

View all tags
v1.1.0 Latest
Latest

system-manager 1.1.0

Spring is coming, birds are singing, lot of new feats, let's cut a release.

Note

System manager is a tool to configure Linux machines. Unlike Chef, Puppet and Ansible, it only controls a small subset, and most of its changes are done in an immutable layer, thanks to the power of Nix.

Here are the important changes in this version.

User Management

You can now manage your system users through system-manager. Under the hood, this is managed by userborn.

Safety-wise, this feature never deletes an existing user. If anything goes wrong, disabling system-manager resets the users and groups to what they were before the system-manager activation.

TL;DR: this won't eat your kittens.

You can use it as you would create users on NixOS:

{
  nixpkgs.hostPlatform = system;

  # Create the zimbatm user
  users.users.zimbatm = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "sudo"
    ];
    initialPassword = "test123";
  };

  # Create the postgres group
  users.groups.postgres = {};
}

Secrets

Now we're able to manage users, we're also able to use the sops-nix module as is.

Meaning you're finally able to manage your secrets declaratively from your system-manager config.

For instance:

{
  # Import the upstream module (through a flake input)
  imports = [ sops-nix.nixosModules.sops ];

  config = {
    nixpkgs.hostPlatform = system;
    # Set up the server decryption key
    sops = {
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      defaultSopsFile = ./sops/secrets-ssh.yaml;
      secrets.test = { };
    };

    # Adding a sysinit-reactivation.target dependency.
    systemd.services.sops-install-secrets = {
      before = [ "sysinit-reactivation.target" ];
      requiredBy = [ "sysinit-reactivation.target" ];
    };
    
    # Declare and use your secrets in the services config. 
    sops.secrets.miniflux-secrets = { };
    services.miniflux = {
      enable = true;
      adminCredentialsFile = config.sops.secrets.miniflux-secrets.path;
      config = {
        LISTEN_ADDR = "127.0.0.1:8003";
      };
    };
  };
}

Container Tests

We were already supporting VM tests analogous to the NixOS ones. We're now also supporting container tests.

The test driver has been extracted from clan-core and enhanced with an interactive mode.

It works very similarly as the NixOS test. You'll get your familiar interactive ipython shell to iterate of the test. The only major difference is the insanely fast boot time. The downside is that you can't test any kernel-related stuff with it.

We encourage you to use them as much as possible for your downstream tests. We wrote a how to page to help you getting started.

NixOS Compatibility Improvements

The endgoal of this project is to be able to re-use the upstream NixOS modules as-is. The road is still long, but we made quite some progress implementing some NixOS subsystems allowing us to cover more upstream modules.

In no particular order, we're now supporting:

  • wilcards in the environment.etc option.
  • the systemd.packages option. A convevenient way to inject the upstream projects systemd units to the configuration.
  • the systemd.maskedUnits option.
  • systemd unit overrides.
  • the environment.extraInit option. Allowing us to add some commands in shell init.
  • mocking networking.firewall. A proper implementation is a bit too tricky for now. Help welcome for a proper one.
  • security.wrappers options enable you to create binaries with setuid/setgid bit.

Full Changelog

Added

  • User and group management via userborn integration (#266)
  • Secrets management via sops-nix integration (#270)
  • Container test driver with Ubuntu support, testinfra integration, interactive debugging (#333)
  • Default value for --flake CLI option set to ~/.config/system-manager/flake.nix (#326)
  • target_host is now global CLI argument (#340)
  • Speed up system-manager build using Numtide cache substituter (#337)
  • Support running system-manager from macOS to deploy configurations to Linux (#325)
  • Reduce the number of flake inputs using a sub-flake (#329)
  • Add mocks for networking.firewall options (#356)
  • Support systemd.maskedUnits option (#361)
  • Add replaceExisting option to environment.etc entries to backup and replace existing files that are not managed by system-manager (#359)
  • Support systemd.packages option (#372)
  • Handle wildcards in environment.etc entries (#373)
  • Enable systemd unit overrides (#376)
  • Support environment.extraInit option (#389)
  • Support system.checks option (#390)
  • Support security.wrappers (#391)

Fixed

  • Fix directory/file/symlink creation order in etc (#374)
  • Remove unused .mode/.uid/.gid sidecar files from etc static environment (#344)
  • Remove multiple eval warnings

Documentation

  • Reorganize documentation with tutorials, how-to guides, explanations, and reference pages
  • Update Nix installation instructions to recommend nix-installer
  • Add users, groups example and documentation
  • Add container test driver documentation
  • Improve remote deployment documentation
  • Add CONTRIBUTING.md with developer guidelines
  • Add supported platforms reference page
  • Add file permissions and ownership reference
  • Auto-generated module options reference integrated into MkDocs
  • Document how to import upstream NixOS modules

Contributors

Thanks to all the contributors who made this release possible:

  • Aaron Honeycutt
  • David Chocholatý
  • Francisco-Andre-Martins
  • Jean-François Roche
  • Jeffrey Cogswell
  • Jonas Chevalier
  • Julien Malka
  • picnoir
  • Rowan Amber-Jones
Assets 2
Loading

v1.0

06 Jan 17:54
@zimbatm zimbatm
v1.0.0
eb3d23a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.0

What's Changed

  • Introduce an intermediate target for systemd services. by @r-vdp in #4
  • Introduce a framework for automated VM tests. by @r-vdp in #5
  • Add config file for garnix.io. by @r-vdp in #6
  • Rename garnix.io config file. by @r-vdp in #7
  • Add Aarch64 tests and include multiple test images. by @r-vdp in #9
  • Add a pre-populate subcommand. by @r-vdp in #11
  • Fix handling of the --store argument. by @r-vdp in #12
  • Fix missing function parameter in README by @oluceps in #13
  • Only info logging by default. by @r-vdp in #14
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #15
  • Remove outdated to-do. by @r-vdp in #16
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #19
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #20
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #22
  • Expose the config in the passthru and move values into the config. by @r-vdp in #23
  • Add an unwrapped system-manager attribute. by @r-vdp in #24
  • Make package dependencies overridable. by @r-vdp in #25
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #26
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #29
  • Add support for environment.systemPackages. by @r-vdp in #17
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #31
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #32
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #33
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #35
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #36
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #38
  • Update test ubuntu images by @r-vdp in #40
  • Auto update deps by @r-vdp in #41
  • docs: add missing attribute to example by @a-h in #43
  • flake.nix: add workaround for ipetkov/crane#385 by @bryango in #44
  • Provide an implementation for systemd-tmpfiles by @jfroche in #27
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #42
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #47
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #48
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #49
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #50
  • fixup: use types.attrs instead of the nonexistent types.freeform by @aanderse in #53
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #54
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #55
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #56
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #57
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #58
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #59
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #60
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #61
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #62
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #63
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #64
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #65
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #66
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #67
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #68
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #69
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #71
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #73
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #74
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #75
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #76
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #79
  • Document allowAnyDistro by @mike-lloyd03 in #85
  • Use nix-vm-test for our tests by @r-vdp in #87
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #82
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #90
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #91
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #92
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #93
  • Auto update deps by @r-vdp in #94
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #95
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #96
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #97
  • Fix pre-popopulate script name by @wentasah in #99
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #100
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #101
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #102
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #103
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #105
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #106
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #107
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #108
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #110
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #111
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #112
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #113
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #114
  • Bump flake.lock and Cargo.lock by @github-actions[bot] in #118
  • Configure Renovate by @renovate[bot] in #104
  • Update Rust crate itertools to 0.13.0 by @renovate[bot] in #120
  • Update Rust crate env_logger to 0.11.0 by @renovate[bot] in #119
  • Update Rust crate nix to 0.29.0 by @renovate[bot] in #122
  • Switch to nixfmt by @r-vdp in #124
  • Update peter-evans/create-pull-request action to v7 by @renovate[bot] in #123
  • Update Rust crate clap to v4.5.19 by @r...
Read more

Contributors

zimbatm, Mic92, and 23 other contributors
Loading
0 Join discussion