authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-05-22 15:57:36 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-05-22 15:57:36 +0200
commit09d06f5ffd867afc72d5ca6786f73aed2b80e207 (patch)
tree0b39699b6fae1ea7f5e6b40b2214c901eb9a578b /nixos/modules/services/networking
parentf106125f77ba2b3588f95ef58667763042f808c9 (diff)
parenta49afdf1743436ac07c9be9da1d27ea5461af571 (diff)
Merge remote-tracking branch 'origin/master' into systemd-219
Conflicts:
	pkgs/development/libraries/libseccomp/default.nix
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/bird.nix76
-rw-r--r--nixos/modules/services/networking/consul.nix47
-rw-r--r--nixos/modules/services/networking/nix-serve.nix56
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix4
-rw-r--r--nixos/modules/services/networking/tinc.nix1
5 files changed, 146 insertions, 38 deletions
diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix
new file mode 100644
index 000000000000..e7e1db191529
--- /dev/null
+++ b/nixos/modules/services/networking/bird.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkEnableOption mkIf mkOption singleton types;
+  inherit (pkgs) bird;
+  cfg = config.services.bird;
+
+  configFile = pkgs.writeText "bird.conf" ''
+    ${cfg.config}
+  '';
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.bird = {
+
+      enable = mkEnableOption "BIRD Internet Routing Daemon";
+
+      config = mkOption {
+        type = types.string;
+        description = ''
+          BIRD Internet Routing Daemon configuration file.
+          <link xlink:href='http://bird.network.cz/'/>
+        '';
+      };
+
+      user = mkOption {
+        type = types.string;
+        default = "ircd";
+        description = ''
+          BIRD Internet Routing Daemon user.
+        '';
+      };
+
+      group = mkOption {
+        type = types.string;
+        default = "ircd";
+        description = ''
+          BIRD Internet Routing Daemon group.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    users.extraUsers = singleton {
+      name = cfg.user;
+      description = "BIRD Internet Routing Daemon user";
+      uid = config.ids.uids.bird;
+      group = cfg.group;
+    };
+
+    users.extraGroups = singleton {
+      name = cfg.group;
+      gid = config.ids.gids.bird;
+    };
+
+    systemd.services.bird = {
+      description = "BIRD Internet Routing Daemon";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart   = "${bird}/bin/bird -d -c ${configFile} -s /var/run/bird.ctl -u ${cfg.user} -g ${cfg.group}";
+      };
+    };
+  };
+}
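Review bot: The `user` and `group` options both default to `"ircd"`, which looks carried over from an IRC daemon module rather than chosen for BIRD. With these defaults the account created under `users.extraUsers` is named `ircd` but carries `config.ids.uids.bird`, so the routing daemon drops privileges (`-u`/`-g` on `ExecStart`) to an account name that another service on the same host may also define. I would change both to `default = "bird";` so the account name matches the reserved uid/gid and is not shared. The control socket at `/var/run/bird.ctl` accepts daemon commands, so a short comment on who is expected to be able to reach it would also help.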
diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix
index 5308fd995085..53a9f4626254 100644
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@@ -6,11 +6,9 @@ let
   dataDir = "/var/lib/consul";
   cfg = config.services.consul;
 
-  configOptions = {
-    data_dir = dataDir;
-  }
-  // (if cfg.webUi then { ui_dir = "${pkgs.consul.ui}"; } else { })
-  // cfg.extraConfig;
+  configOptions = { data_dir = dataDir; } //
+    (if cfg.webUi then { ui_dir = "${pkgs.consul.ui}"; } else { }) //
+    cfg.extraConfig;
 
   configFiles = [ "/etc/consul.json" "/etc/consul-addrs.json" ]
     ++ cfg.extraConfigFiles;
@@ -52,23 +50,6 @@ in
         '';
       };
 
-      joinNodes = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-        description = ''
-          A list of addresses of nodes which should be joined at startup if the
-          current node is in a left state.
-        '';
-      };
-
-      joinRetries = mkOption {
-        type = types.int;
-        default = 10;
-        description = ''
-          The number of times to retry connecting to the join nodes.
-        '';
-      };
-
       interface = {
 
         advertise = mkOption {
@@ -159,10 +140,14 @@ in
     users.extraUsers."consul" = {
       description = "Consul agent daemon user";
       uid = config.ids.uids.consul;
+      # The shell is needed for health checks
+      shell = "/run/current-system/sw/bin/bash";
     };
 
     environment = {
       etc."consul.json".text = builtins.toJSON configOptions;
+      # We need consul.d to exist for consul to start
+      etc."consul.d/dummy.json".text = "{ }";
       systemPackages = with pkgs; [ consul ];
     };
 
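Review bot: The added `shell = "/run/current-system/sw/bin/bash";` gives the consul service account a usable shell, and the comment does not say which kind of health check depends on it. A daemon account with a real shell is easier to use interactively if it is ever compromised or granted credentials. If the agent only needs a shell for script checks, it is worth confirming whether supplying one through the unit's environment is enough, so the account can keep the default shell. At minimum I would widen the comment to something like `# Needed for script-type health checks (TODO: confirm); do not remove without testing checks`.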
@@ -170,10 +155,12 @@ in
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ] ++ systemdDevices;
       bindsTo = systemdDevices;
-      restartTriggers = [ config.environment.etc."consul.json".source ];
+      restartTriggers = [ config.environment.etc."consul.json".source ]
+        ++ mapAttrsToList (_: d: d.source)
+          (filterAttrs (n: _: hasPrefix "consul.d/" n) config.environment.etc);
 
       serviceConfig = {
-        ExecStart = "@${pkgs.consul}/bin/consul consul agent"
+        ExecStart = "@${pkgs.consul}/bin/consul consul agent -config-dir /etc/consul.d"
           + concatMapStrings (n: " -config-file ${n}") configFiles;
         ExecReload = "${pkgs.consul}/bin/consul reload";
         PermissionsStartOnly = true;
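Review bot: With `-config-dir /etc/consul.d` on `ExecStart` the agent loads every file in that directory, and the `restartTriggers` filter shows those files are expected to be declared through `environment.etc`. Content declared that way normally lives in the Nix store, which is world-readable, so a gossip encryption key or ACL token placed there would be readable by every local user. I would add a comment above `ExecStart` such as `# Files under /etc/consul.d come from environment.etc and are world-readable; put secrets in cfg.extraConfigFiles instead`. The `serviceConfig` block continues outside this hunk.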
@@ -219,18 +206,6 @@ in
       + ''
         echo "}" >> /etc/consul-addrs.json
       '';
-      postStart = ''
-        # Issues joins to nodes which we statically connect to
-        ${flip concatMapStrings cfg.joinNodes (addr: ''
-          for i in {0..${toString cfg.joinRetries}}; do
-            # Try to join the other nodes ${toString cfg.joinRetries} times before failing
-            consul join "${addr}" && break
-            sleep 1
-          done &
-        '')}
-        wait
-        exit 0
-      '';
     };
 
     systemd.services.consul-alerts = mkIf (cfg.alerts.enable) {
diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix
new file mode 100644
index 000000000000..c2c579c3177e
--- /dev/null
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.nix-serve;
+in
+{
+  options = {
+    services.nix-serve = {
+      enable = mkEnableOption "nix-serve, the standalone Nix binary cache server";
+
+      port = mkOption {
+        type = types.int;
+        default = 5000;
+        description = ''
+          Port number where nix-serve will listen on.
+        '';
+      };
+
+      bindAddress = mkOption {
+        type = types.string;
+        default = "0.0.0.0";
+        description = ''
+          IP address where nix-serve will bind its listening socket.
+        '';
+      };
+
+      extraParams = mkOption {
+        type = types.string;
+        default = "";
+        description = ''
+          Extra command line parameters for nix-serve.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.nix-serve = {
+      description = "nix-serve binary cache server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = [ config.nix.package pkgs.bzip2 ];
+      environment.NIX_REMOTE = "daemon";
+
+      serviceConfig = {
+        ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
+          "--port ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
+        User = "nobody";
+        Group = "nogroup";
+      };
+    };
+  };
+}
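Review bot: `bindAddress` defaults to `"0.0.0.0"`, so enabling the service exposes the binary cache on every interface, and nothing in the option text tells the operator that any store path on the host can then be fetched by whoever reaches the port. I would either default to loopback with `default = "127.0.0.1";` or state the exposure in the description, e.g. "Use 0.0.0.0 only if the store contents may be read by the whole network." The unit also runs as `User = "nobody"`, an account commonly shared with unrelated services, so a dedicated user would give better isolation. `extraParams` is appended verbatim to `ExecStart`, and its description should say so.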
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index c25532511a07..6cc86b4e4b5a 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -282,8 +282,8 @@ in
   config = mkIf cfg.enable {
 
     users.extraUsers.sshd =
-      { description = "SSH privilege separation user";
-        home = "/var/empty";
+      { isSystemUser = true;
+        description = "SSH privilege separation user";
       };
 
     environment.etc = authKeysFiles ++ [
diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
index f9ca796ea652..2d43c3d962dd 100644
--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -154,6 +154,7 @@ in
     users.extraUsers = flip mapAttrs' cfg.networks (network: _:
       nameValuePair ("tinc.${network}") ({
         description = "Tinc daemon user for ${network}";
+        isSystemUser = true;
       })
     );