authorVladimír Čunát <vcunat@gmail.com>2016-04-10 11:17:52 +0200
committerVladimír Čunát <vcunat@gmail.com>2016-04-10 11:17:52 +0200
commit30f14243c33f1b386273d08a4776aa679c42143d (patch)
treebd123d5c2ab4fef012ae7de6a225c092f8d611b8 /nixos/modules/services/networking
parent50fccad5828fb459760fd7578951bb961a18c0fc (diff)
parent2463e0917318581da94e7ba92703b63128c40424 (diff)
Merge branch 'master' into closure-size
Comparison to master evaluations on Hydra:
  - 1255515 for nixos
  - 1255502 for nixpkgs
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/iodine.nix136
-rw-r--r--nixos/modules/services/networking/iodined.nix86
-rw-r--r--nixos/modules/services/networking/mfi.nix90
-rw-r--r--nixos/modules/services/networking/minidlna.nix17
-rw-r--r--nixos/modules/services/networking/syncthing.nix33
5 files changed, 258 insertions, 104 deletions
diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix
new file mode 100644
index 000000000000..1b0d2d9a517c
--- /dev/null
+++ b/nixos/modules/services/networking/iodine.nix
@@ -0,0 +1,136 @@
+# NixOS module for iodine, ip over dns daemon
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.iodine;
+
+  iodinedUser = "iodined";
+
+in
+{
+
+  ### configuration
+
+  options = {
+
+    services.iodine = {
+      clients = mkOption {
+        default = {};
+        description = ''
+          Each attribute of this option defines a systemd service that
+          runs iodine. Many or none may be defined.
+          The name of each service is
+          <literal>iodine-<replaceable>name</replaceable></literal>
+          where <replaceable>name</replaceable> is the name of the
+          corresponding attribute name.
+        '';
+        example = literalExample ''
+        {
+          foo = {
+            server = "tunnel.mdomain.com";
+            relay = "8.8.8.8";
+            extraConfig = "-P mysecurepassword";
+          }
+        }
+        '';
+        type = types.attrsOf (types.submodule (
+        {
+          options = {
+            server = mkOption {
+              type = types.str;
+              default = "";
+              description = "Domain or Subdomain of server running iodined";
+              example = "tunnel.mydomain.com";
+            };
+
+            relay = mkOption {
+              type = types.str;
+              default = "";
+              description = "DNS server to use as a intermediate relay to the iodined server";
+              example = "8.8.8.8";
+            };
+
+            extraConfig = mkOption {
+              type = types.str;
+              default = "";
+              description = "Additional command line parameters";
+              example = "-P mysecurepassword -l 192.168.1.10 -p 23";
+            };
+          };
+        }));
+      };
+
+      server = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = "enable iodined server";
+        };
+
+        ip = mkOption {
+          type = types.str;
+          default = "";
+          description = "The assigned ip address or ip range";
+          example = "172.16.10.1/24";
+        };
+
+        domain = mkOption {
+          type = types.str;
+          default = "";
+          description = "Domain or subdomain of which nameservers point to us";
+          example = "tunnel.mydomain.com";
+        };
+
+        extraConfig = mkOption {
+          type = types.str;
+          default = "";
+          description = "Additional command line parameters";
+          example = "-P mysecurepassword -l 192.168.1.10 -p 23";
+        };
+      };
+
+    };
+  };
+
+  ### implementation
+
+  config = mkIf (cfg.server.enable || cfg.clients != {}) {
+    environment.systemPackages = [ pkgs.iodine ];
+    boot.kernelModules = [ "tun" ];
+
+    systemd.services =
+    let
+      createIodineClientService = name: cfg:
+      {
+        description = "iodine client - ${name}";
+        wantedBy = [ "ip-up.target" ];
+        serviceConfig = {
+          RestartSec = "30s";
+          Restart = "always";
+          ExecStart = "${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.relay} ${cfg.server}";
+        };
+      };
+    in
+    listToAttrs (
+      mapAttrsToList
+        (name: value: nameValuePair "iodine-${name}" (createIodineClientService name value))
+        cfg.clients
+    ) // {
+      iodined = mkIf (cfg.server.enable) {
+        description = "iodine, ip over dns server daemon";
+        wantedBy = [ "ip-up.target" ];
+        serviceConfig.ExecStart = "${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${cfg.server.ip} ${cfg.server.domain}";
+      };
+    };
+
+    users.extraUsers = singleton {
+      name = iodinedUser;
+      uid = config.ids.uids.iodined;
+      description = "Iodine daemon user";
+    };
+    users.extraGroups.iodined.gid = config.ids.gids.iodined;
+  };
+}
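Review bot: The two assertions the deleted iodined.nix carried (ip and domain must be set) are not carried over, so with `server.enable = true` and the `""` defaults of `server.ip` and `server.domain` the `iodined` ExecStart is generated with missing positional arguments and the failure only surfaces at service start; the same holds for each client entry, whose `server` and `relay` also default to `""`. Add inside `config`: `assertions = [ { assertion = cfg.server.enable -> cfg.server.ip != ""; message = "services.iodine.server.ip must be set"; } { assertion = cfg.server.enable -> cfg.server.domain != ""; message = "services.iodine.server.domain must be set"; } ];` and a matching per-client check built from `cfg.clients`. The `extraConfig` examples pass the tunnel password as `-P mysecurepassword`, which ends up verbatim in the world-readable Nix store and in the unit file visible to every local user; a comment on both `extraConfig` options stating that secrets should not be placed here, and that an `EnvironmentFile=` (iodine reads `IODINE_PASS` from the environment, if the packaged version supports it) keeps the password out of the store, would prevent copy-paste of the example. Both ExecStart lines splice `extraConfig`, `relay`, `server`, `ip` and `domain` into the command line without any quoting or validation; the options are `types.str`, so a value containing whitespace becomes extra arguments, which is worth a short comment until the options get stricter types.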
diff --git a/nixos/modules/services/networking/iodined.nix b/nixos/modules/services/networking/iodined.nix
deleted file mode 100644
index 20d371c4e2d1..000000000000
--- a/nixos/modules/services/networking/iodined.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-# NixOS module for iodine, ip over dns daemon
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.iodined;
-
-  iodinedUser = "iodined";
-
-in
-
-{
-
-  ### configuration
-
-  options = {
-
-    services.iodined = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable iodine, ip over dns daemon";
-      };
-
-      client = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Start iodine in client mode";
-      };
-
-      ip = mkOption {
-        type = types.str;
-        default = "";
-        description = "Assigned ip address or ip range";
-        example = "172.16.10.1/24";
-      };
-
-      domain = mkOption {
-        type = types.str;
-        default = "";
-        description = "Domain or subdomain of which nameservers point to us";
-        example = "tunnel.mydomain.com";
-      };
-
-      extraConfig = mkOption {
-        type = types.str;
-        default = "";
-        description = "Additional command line parameters";
-        example = "-P mysecurepassword -l 192.168.1.10 -p 23";
-      };
-
-    };
-
-  };
-
-  ### implementation
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.iodine ];
-    boot.kernelModules = [ "tun" ];
-
-    systemd.services.iodined = {
-      description = "iodine, ip over dns daemon";
-      wantedBy = [ "ip-up.target" ];
-      serviceConfig.ExecStart = "${pkgs.iodine}/sbin/iodined -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.ip} ${cfg.domain}";
-    };
-
-
-    users.extraUsers = singleton {
-      name = iodinedUser;
-      uid = config.ids.uids.iodined;
-      description = "Iodine daemon user";
-    };
-    users.extraGroups.iodined.gid = config.ids.gids.iodined;
-
-    assertions = [{ assertion = if !cfg.client then cfg.ip != "" else true;
-                    message = "cannot start iodined without ip set";}
-                  { assertion = cfg.domain != "";
-                    message = "cannot start iodined without domain name set";}];
-
-  };
-
-}
diff --git a/nixos/modules/services/networking/mfi.nix b/nixos/modules/services/networking/mfi.nix
new file mode 100644
index 000000000000..5afb83ed022f
--- /dev/null
+++ b/nixos/modules/services/networking/mfi.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, utils, ... }:
+with lib;
+let
+  name = "Ubiquiti mFi Controller";
+  cfg = config.services.mfi;
+  stateDir = "/var/lib/mfi";
+  # XXX 2 runtime exceptions using jre8: JSPException on GET / ; can't initialize ./data/keystore on first run.
+  cmd = "@${pkgs.jre7}/bin/java java -jar ${stateDir}/lib/ace.jar";
+  mountPoints = [
+    { what = "${pkgs.mfi}/dl"; where = "${stateDir}/dl"; }
+    { what = "${pkgs.mfi}/lib"; where = "${stateDir}/lib"; }
+    { what = "${pkgs.mongodb248}/bin"; where = "${stateDir}/bin"; }
+  ];
+  systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints;
+  ports = [ 6080 6880 6443 6843 ];
+in
+{
+  options = {
+    services.mfi = {
+      enable = mkEnableOption name;
+      openPorts = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to open TCP ports ${concatMapStrings (a: "${toString a} ") ports}for the services.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    networking.firewall.allowedTCPPorts = mkIf config.services.mfi.openPorts ports;
+
+    users.users.mfi = {
+      uid = config.ids.uids.mfi;
+      description = "mFi controller daemon user";
+      home = "${stateDir}";
+    };
+
+    # We must create the binary directories as bind mounts instead of symlinks
+    # This is because the controller resolves all symlinks to absolute paths
+    # to be used as the working directory.
+    systemd.mounts = map ({ what, where }: {
+        bindsTo = [ "mfi.service" ];
+        partOf = [ "mfi.service" ];
+        unitConfig.RequiresMountsFor = stateDir;
+        options = "bind";
+        what = what;
+        where = where;
+      }) mountPoints;
+
+    systemd.services.mfi = {
+      description = "mFi controller daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ] ++ systemdMountPoints;
+      partOf = systemdMountPoints;
+      bindsTo = systemdMountPoints;
+      unitConfig.RequiresMountsFor = stateDir;
+
+      preStart = ''
+        # Clear ./webapps each run.
+        rm -rf                               "${stateDir}/webapps"
+        mkdir -p                             "${stateDir}/webapps"
+        ln -s "${pkgs.mfi}/webapps/ROOT.war" "${stateDir}/webapps"
+
+        # Copy initial config only once.
+        test -e "${stateDir}/conf" || cp -ar "${pkgs.mfi}/conf" "${stateDir}/conf"
+        test -e "${stateDir}/data" || cp -ar "${pkgs.mfi}/data" "${stateDir}/data"
+
+        # Fix Permissions.
+        # (Bind-mounts cause errors; ignore exit codes)
+        chown -fR mfi:      "${stateDir}" || true
+        chmod -fR u=rwX,go= "${stateDir}" || true
+      '';
+
+      postStop = ''
+        rm -rf "${stateDir}/webapps"
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${cmd} start";
+        ExecStop = "${cmd} stop";
+        User = "mfi";
+        PermissionsStartOnly = true;
+        UMask = "0077";
+        WorkingDirectory = "${stateDir}";
+      };
+    };
+  };
+}
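Review bot: `openPorts` defaults to `true`, so merely enabling the module opens TCP 6080, 6880, 6443 and 6843 in the host firewall, including the controller's web interface, without the administrator asking for it; NixOS modules normally leave firewall changes opt-in, so `default = false;` is the safer default and the description should say the ports are opened only when this is set. The firewall line spells out `config.services.mfi.openPorts` although `cfg` is already bound; `networking.firewall.allowedTCPPorts = mkIf cfg.openPorts ports;` matches the rest of the module. The `cp -ar "${pkgs.mfi}/data"` in preStart seeds `data/` from the package, and the XXX comment mentions a `./data/keystore` in that directory; if the package ships a pre-generated keystore, every host would start with the same one, so a comment stating whether the controller regenerates it on first start (or a preStart step that removes the copied keystore) is needed. The runtime is pinned to `pkgs.jre7` with only the jre8 failure noted; a `TODO` saying this pins a legacy JRE on purpose and should be revisited when the jre8 exceptions are fixed would help the next maintainer.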
diff --git a/nixos/modules/services/networking/minidlna.nix b/nixos/modules/services/networking/minidlna.nix
index aa28502a12c4..61d063dbfe0e 100644
--- a/nixos/modules/services/networking/minidlna.nix
+++ b/nixos/modules/services/networking/minidlna.nix
@@ -58,9 +58,9 @@ in
     services.minidlna.config =
       ''
         port=${toString port}
-        friendly_name=NixOS Media Server
+        friendly_name=${config.networking.hostName} MiniDLNA
         db_dir=/var/cache/minidlna
-        log_dir=/var/log/minidlna
+        log_level=warn
         inotify=yes
         ${concatMapStrings (dir: ''
           media_dir=${dir}
@@ -83,21 +83,18 @@ in
 
         preStart =
           ''
-            mkdir -p /var/cache/minidlna /var/log/minidlna /run/minidlna
-            chown minidlna /var/cache/minidlna /var/log/minidlna /run/minidlna
+            mkdir -p /var/cache/minidlna
+            chown -R minidlna:minidlna /var/cache/minidlna
           '';
 
-        # FIXME: log through the journal rather than
-        # /var/log/minidlna.  The -d flag does that, but also raises
-        # the log level to debug...
         serviceConfig =
           { User = "minidlna";
-            Group = "nogroup";
+            Group = "minidlna";
             PermissionsStartOnly = true;
-            Type = "forking";
+            RuntimeDirectory = "minidlna";
             PIDFile = "/run/minidlna/pid";
             ExecStart =
-              "@${pkgs.minidlna}/sbin/minidlnad minidlnad -P /run/minidlna/pid" +
+              "${pkgs.minidlna}/sbin/minidlnad -S -P /run/minidlna/pid" +
               " -f ${pkgs.writeText "minidlna.conf" cfg.config}";
           };
       };
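Review bot: `PIDFile = "/run/minidlna/pid"` and the `-P /run/minidlna/pid` argument are kept while `Type = "forking"` is removed and `-S` is added; systemd uses `PIDFile=` to find the main process of a forking service, and with `-S` minidlnad stays in the foreground as the main process, so the pid file is now redundant and only leaves a stale file in the runtime directory. Drop the `PIDFile` line and the `-P` argument, leaving `ExecStart = "${pkgs.minidlna}/sbin/minidlnad -S -f ${pkgs.writeText "minidlna.conf" cfg.config}";`. `Group = "minidlna"` and the `chown -R minidlna:minidlna` in preStart both assume a `minidlna` group is declared elsewhere in the module; that declaration is outside this hunk, and the service fails to start if it is missing, so a comment next to `Group` naming where the group is defined would make the dependency visible. The enclosing `config` block starts before the first hunk of this file.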
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
index 67b90516b996..da9a270f30b6 100644
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
@@ -5,6 +5,7 @@ with lib;
 let
 
   cfg = config.services.syncthing;
+  defaultUser = "syncthing";
 
 in
 
@@ -17,6 +18,7 @@ in
     services.syncthing = {
 
       enable = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           Whether to enable the Syncthing, self-hosted open-source alternative
@@ -26,7 +28,8 @@ in
       };
 
       user = mkOption {
-        default = "syncthing";
+        type = types.string;
+        default = defaultUser;
         description = ''
           Syncthing will be run under this user (user must exist,
           this can be your user name).
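Review bot: `type = types.string;` on the `user` option (and `types.nullOr types.string` on `all_proxy` in the following hunk) uses the older `types.string`, which merges several definitions of the option by concatenating them instead of reporting a conflict, so two modules setting `services.syncthing.user` would yield a nonsense user name rather than an evaluation error; write `type = types.str;` and `type = types.nullOr types.str;`. In the last hunk `Group = optionalString (cfg.user == defaultUser) defaultUser;` emits `Group=` with an empty value whenever a custom user is configured; `Group = mkIf (cfg.user == defaultUser) defaultUser;` omits the key entirely and states the intent. The `inherit (cfg) all_proxy;` in `environment` passes `null` when the option is unset, which is only correct if the service environment type drops null values; that is not visible here, so a one-line comment such as `# null is dropped from the unit's Environment=` would document the assumption.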
@@ -34,8 +37,8 @@ in
       };
 
       all_proxy = mkOption {
-        type = types.string;
-        default = "";
+        type = types.nullOr types.string;
+        default = null;
         example = "socks5://address.com:1234";
         description = ''
           Overwrites all_proxy environment variable for the syncthing process to
@@ -45,6 +48,7 @@ in
       };
 
       dataDir = mkOption {
+        type = types.path;
         default = "/var/lib/syncthing";
         description = ''
           Path where the settings and keys will exist.
@@ -71,20 +75,33 @@ in
 
   config = mkIf cfg.enable {
 
+    users = mkIf (cfg.user == defaultUser) {
+      extraUsers."${defaultUser}" =
+        { group = defaultUser;
+          home  = cfg.dataDir;
+          createHome = true;
+          uid = config.ids.uids.syncthing;
+          description = "Syncthing daemon user";
+        };
+
+      extraGroups."${defaultUser}".gid =
+        config.ids.gids.syncthing;
+    };
+
     systemd.services.syncthing =
       {
         description = "Syncthing service";
-        after = [ "network.target" ];
+        after    = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
         environment = {
           STNORESTART = "yes";  # do not self-restart
           STNOUPGRADE = "yes";
-        } //
-        (config.networking.proxy.envVars) //
-        (if cfg.all_proxy != "" then { all_proxy = cfg.all_proxy; } else {});
+          inherit (cfg) all_proxy;
+        } // config.networking.proxy.envVars;
 
         serviceConfig = {
-          User = "${cfg.user}";
+          User  = cfg.user;
+          Group = optionalString (cfg.user == defaultUser) defaultUser;
           PermissionsStartOnly = true;
           Restart = "on-failure";
           ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -home=${cfg.dataDir}";