authorEelco Dolstra <eelco.dolstra@logicblox.com>2014-07-28 11:30:31 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2014-07-28 11:30:49 +0200
commitf64d84698eb3f4d833e846336ff99a73331c31f7 (patch)
tree1120886b680851bc8b8f8d337af3503ecd4a3d71 /nixos/modules/services
parent3e4a382d6753a057256c7ef1e9f52ae9e07bd677 (diff)
parent30431e71608576baf880567b2894ad2a542f8d5e (diff)
Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/applications/audio/espeak/edit.nix
	pkgs/applications/audio/lmms/default.nix
	pkgs/desktops/e18/enlightenment.nix
	pkgs/games/exult/default.nix
	pkgs/os-specific/linux/alsa-plugins/default.nix
Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/amqp/rabbitmq.nix41
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix40
-rw-r--r--nixos/modules/services/monitoring/munin.nix15
-rw-r--r--nixos/modules/services/networking/znc.nix30
-rw-r--r--nixos/modules/services/search/elasticsearch.nix18
-rw-r--r--nixos/modules/services/web-servers/lighttpd/cgit.nix2
-rw-r--r--nixos/modules/services/web-servers/lighttpd/default.nix6
-rw-r--r--nixos/modules/services/web-servers/lighttpd/gitweb.nix4
-rw-r--r--nixos/modules/services/x11/desktop-managers/e18.nix7
9 files changed, 112 insertions, 51 deletions
diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix
index bef15fb64b7f..a930098bfeec 100644
--- a/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixos/modules/services/amqp/rabbitmq.nix
@@ -4,6 +4,8 @@ with lib;
 
 let
   cfg = config.services.rabbitmq;
+  config_file = pkgs.writeText "rabbitmq.config" cfg.config;
+  config_file_wo_suffix = builtins.substring 0 ((builtins.stringLength config_file) - 7) config_file;
 
 in {
   ###### interface
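Review bot: The `- 7` in `config_file_wo_suffix` is an unexplained magic number; it matches the length of the `.config` suffix given to `pkgs.writeText`, which is presumably stripped because RabbitMQ appends that suffix to `RABBITMQ_CONFIG_FILE` itself. A comment on that line, such as `# RabbitMQ appends ".config" to RABBITMQ_CONFIG_FILE, so pass the store path without it`, would keep a later rename of the file from silently producing a wrong path. The `let` block continues outside this hunk.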
@@ -31,7 +33,6 @@ in {
         '';
       };
 
-
       dataDir = mkOption {
         type = types.path;
         default = "/var/lib/rabbitmq";
@@ -40,6 +41,30 @@ in {
         '';
       };
 
+      cookie = mkOption {
+        default = "";
+        type = types.str;
+        description = ''
+          Erlang cookie is a string of arbitrary length which must
+          be the same for several nodes to be allowed to communicate.
+          Leave empty to generate automatically.
+        '';
+      };
+
+      config = mkOption {
+        default = "";
+        type = types.str;
+        description = ''
+          Verbatim configuration file contents.
+          See http://www.rabbitmq.com/configure.htm
+        '';
+      };
+
+      plugins = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = "The names of plugins to enable";
+      };
     };
   };
 
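Review bot: The `cookie` description does not say that the value is a shared secret, nor that setting it here copies it into the world-readable Nix store; the preStart hunk further down interpolates `cfg.cookie` into the unit's start script. Every local user who can read that script obtains the credential that lets nodes communicate. I would add a sentence to the description such as `Note that the cookie is copied into the Nix store, where every local user can read it.` The same caveat applies to credentials placed in the verbatim `config` option, which is written out with `pkgs.writeText`.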
@@ -69,7 +94,10 @@ in {
         RABBITMQ_NODE_IP_ADDRESS = cfg.listenAddress;
         RABBITMQ_SERVER_START_ARGS = "-rabbit error_logger tty -rabbit sasl_error_logger false";
         SYS_PREFIX = "";
-      };
+        RABBITMQ_ENABLED_PLUGINS_FILE = pkgs.writeText "enabled_plugins" ''
+          [ ${concatStringsSep "," cfg.plugins} ].
+        '';
+      } //  optionalAttrs (cfg.config != "") { RABBITMQ_CONFIG_FILE = config_file_wo_suffix; };
 
       serviceConfig = {
         ExecStart = "${pkgs.rabbitmq_server}/sbin/rabbitmq-server";
@@ -81,6 +109,15 @@ in {
       preStart = ''
         mkdir -p ${cfg.dataDir} && chmod 0700 ${cfg.dataDir}
         if [ "$(id -u)" = 0 ]; then chown rabbitmq:rabbitmq ${cfg.dataDir}; fi
+        
+        ${optionalString (cfg.cookie != "") ''
+            echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie
+            chmod 400 ${cfg.dataDir}/.erlang.cookie
+            chown rabbitmq:rabbitmq ${cfg.dataDir}/.erlang.cookie
+        ''}
+
+        mkdir -p /var/log/rabbitmq && chmod 0700 /var/log/rabbitmq
+        chown rabbitmq:rabbitmq /var/log/rabbitmq
       '';
     };
 
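Review bot: `echo -n ${cfg.cookie}` in preStart puts the option value into the shell script unquoted, so a cookie containing whitespace or shell metacharacters is split or interpreted by the shell instead of being written verbatim. Quoting it, `echo -n ${escapeShellArg cfg.cookie} > ${cfg.dataDir}/.erlang.cookie`, fixes that. The file is also created with the default umask and only restricted afterwards with `chmod 400`; the 0700 data directory limits the exposure, but a `umask 077` before the write would close the window. The `chown rabbitmq:rabbitmq` lines added here run unconditionally, unlike the `id -u` guarded chown just above them, so the script behaves inconsistently when it is not run as root.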
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index 80e7961b1f82..d70bd855c7ff 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -1,32 +1,35 @@
 { config, lib, pkgs, ... }:
 
-let
-  serveOnly = pkgs.writeScript "nix-store-serve" ''
-    #!${pkgs.stdenv.shell}
-    if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
-      echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
-      exit 1
-    fi
-    exec /run/current-system/sw/bin/nix-store --serve
-  '';
-
-  inherit (lib) mkIf mkOption types;
-in {
+with lib;
+
+{
   options = {
+
     nix.sshServe = {
+
       enable = mkOption {
-        description = "Whether to enable serving the nix store over ssh.";
-        default = false;
         type = types.bool;
+        default = false;
+        description = "Whether to enable serving the Nix store as a binary cache via SSH.";
+      };
+
+      keys = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
+        description = "A list of SSH public keys allowed to access the binary cache via SSH.";
       };
+
     };
+
   };
 
   config = mkIf config.nix.sshServe.enable {
+
     users.extraUsers.nix-ssh = {
-      description = "User for running nix-store --serve.";
+      description = "Nix SSH substituter user";
       uid = config.ids.uids.nix-ssh;
-      shell = pkgs.stdenv.shell;
+      useDefaultShell = true;
     };
 
     services.openssh.enable = true;
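Review bot: The description of `keys` should state what a listed key is allowed to do: with `nix-store --serve` forced for the nix-ssh user, each key can, as far as I can tell, read any path in this machine's Nix store, including generated configuration files. I would add a second sentence such as `Every key listed here can read the whole Nix store of this machine.` The example would also be better with an `ssh-rsa` or `ssh-ed25519` key than with `ssh-dss`, since examples tend to be copied. The sshd `Match` block that restricts these keys lies partly outside this hunk.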
@@ -38,8 +41,11 @@ in {
         PermitTTY no
         PermitTunnel no
         X11Forwarding no
-        ForceCommand ${serveOnly}
+        ForceCommand ${config.nix.package}/bin/nix-store --serve
       Match All
     '';
+
+    users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys;
+
   };
 }
diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix
index 966c2eca282a..21840bc67e8f 100644
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -189,19 +189,18 @@ in
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.munin ];
       environment.MUNIN_PLUGSTATE = "/var/run/munin";
+      preStart = ''
+        echo "updating munin plugins..."
+
+        mkdir -p /etc/munin/plugins
+        rm -rf /etc/munin/plugins/*
+        PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+      '';
       serviceConfig = {
         ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
       };
     };
 
-    system.activationScripts.munin-node = ''
-      echo "updating munin plugins..."
-
-      mkdir -p /etc/munin/plugins
-      rm -rf /etc/munin/plugins/*
-      PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
-    '';
-
   }) (mkIf cronCfg.enable {
 
     services.cron.systemCronJobs = [
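Review bot: The plugin refresh moved into `preStart` still discards the stderr of `munin-node-configure` with `2>/dev/null` and pipes its stdout straight into bash, so a failing configure run leaves `/etc/munin/plugins` emptied by the `rm -rf` and the node starts with no plugins and nothing in the journal. Now that this runs as part of the unit, dropping the `2>/dev/null` would send the diagnostics to the service log, and `set -o pipefail` at the top of the script would let a failed configure step fail the start, assuming the script runs with errexit. The `PATH` override points at `/run/current-system/sw`, so the detected plugins depend on what is installed system-wide rather than on the unit's `path`; a comment saying that this is intended would help.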
diff --git a/nixos/modules/services/networking/znc.nix b/nixos/modules/services/networking/znc.nix
index a40fd924741b..56946f37aaf9 100644
--- a/nixos/modules/services/networking/znc.nix
+++ b/nixos/modules/services/networking/znc.nix
@@ -23,7 +23,7 @@ let
   confOptions = { ... }: {
     options = {
       modules = mkOption {
-        type = types.listOf types.string;
+        type = types.listOf types.str;
         default = [ "partyline" "webadmin" "adminlog" "log" ];
         example = [ "partyline" "webadmin" "adminlog" "log" ];
         description = ''
@@ -34,7 +34,7 @@ let
       userName = mkOption {
         default = defaultUserName;
         example = "johntron";
-        type = types.string;
+        type = types.str;
         description = ''
           The user name to use when generating the `znc.conf` file.
           This is the user name used by the user logging into the ZNC web admin. 
@@ -44,7 +44,7 @@ let
       nick = mkOption {
         default = "znc-user";
         example = "john";
-        type = types.string;
+        type = types.str;
         description = ''
           The IRC nick to use when generating the `znc.conf` file.
         '';
@@ -53,7 +53,7 @@ let
       passBlock = mkOption {
         default = defaultPassBlock;
         example = "Must be the block generated by the `znc --makepass` command.";
-        type = types.string;
+        type = types.str;
         description = ''
           The pass block to use when generating the `znc.conf` file.
           This is the password used by the user logging into the ZNC web admin.
@@ -63,9 +63,9 @@ let
       };
 
       port = mkOption {
-        default = "5000";
-        example = "5000";
-        type = types.string;
+        default = 5000;
+        example = 5000;
+        type = types.int;
         description = ''
           Specifies the port on which to listen.
         '';
@@ -104,7 +104,7 @@ let
             AllowWeb = true
             IPv4 = true
             IPv6 = false
-            Port = ${if confOpts.useSSL then "+" else ""}${confOpts.port}
+            Port = ${if confOpts.useSSL then "+" else ""}${toString confOpts.port}
             SSL = ${if confOpts.useSSL then "true" else "false"}
     </Listener>
     
@@ -160,7 +160,7 @@ in
       user = mkOption {
         default = "znc";
         example = "john";
-        type = types.string;
+        type = types.str;
         description = ''
           The name of an existing user account to use to own the ZNC server process.
           If not specified, a default user will be created to own the process.
@@ -170,7 +170,7 @@ in
       dataDir = mkOption {
         default = "/home/${cfg.user}/.znc";
         example = "/home/john/.znc";
-        type = types.string; 
+        type = types.path;
         description = ''
           The data directory. Used for configuration files and modules.
         '';
@@ -179,7 +179,7 @@ in
       zncConf = mkOption {
         default = "";
         example = "See: http://wiki.znc.in/Configuration";
-        type = types.string;
+        type = types.lines;
         description = ''
           The contents of the `znc.conf` file to use when creating it.
           If specified, `confOptions` will be ignored, and this value, as-is, will be used.
@@ -218,9 +218,9 @@ in
       };
  
       extraFlags = mkOption {
-        default = "";
-        example = "--debug";
-        type = types.string;
+        default = [ ];
+        example = [ "--debug" ];
+        type = types.listOf types.str;
         description = ''
           Extra flags to use when executing znc command.
         '';
@@ -272,7 +272,7 @@ in
           ${pkgs.znc}/bin/znc --makepem
         fi
       '';
-      script = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${cfg.extraFlags}";
+      script = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${toString cfg.extraFlags}";
     };
 
     users.extraUsers = optional (cfg.user == defaultUser)
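Review bot: `${toString cfg.extraFlags}` in `script` joins the list with spaces and leaves the result unquoted, so the move to `listOf str` does not yet give one argument per list element: an element containing a space or a shell metacharacter is still re-split or interpreted by the shell. `${concatMapStringsSep " " escapeShellArg cfg.extraFlags}` would pass each element as exactly one argument. `${cfg.dataDir}` on the same line is unquoted as well.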
diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix
index eeae11dc4ff3..c99d1e229677 100644
--- a/nixos/modules/services/search/elasticsearch.nix
+++ b/nixos/modules/services/search/elasticsearch.nix
@@ -21,6 +21,11 @@ let
     ];
   };
 
+  esPlugins = pkgs.buildEnv {
+    name = "elasticsearch-plugins";
+    paths = cfg.plugins;
+  };
+
 in {
 
   ###### interface
@@ -101,6 +106,12 @@ in {
       example = [ "-Djava.net.preferIPv4Stack=true" ];
     };
 
+    plugins = mkOption {
+      description = "Extra elasticsearch plugins";
+      default = [];
+      type = types.listOf types.package;
+    };
+
   };
 
   ###### implementation
@@ -111,14 +122,19 @@ in {
       wantedBy = [ "multi-user.target" ];
       after = [ "network-interfaces.target" ];
       environment = { ES_HOME = cfg.dataDir; };
+      path = [ pkgs.elasticsearch ];
       serviceConfig = {
-        ExecStart = "${pkgs.elasticsearch}/bin/elasticsearch -Des.path.conf=${configDir} ${toString cfg.extraCmdLineOptions}";
+        ExecStart = "elasticsearch -Des.path.conf=${configDir} ${toString cfg.extraCmdLineOptions}";
         User = "elasticsearch";
         PermissionsStartOnly = true;
       };
       preStart = ''
         mkdir -m 0700 -p ${cfg.dataDir}
         if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi
+
+        # Install plugins
+        rm ${cfg.dataDir}/plugins || true
+        ln -s ${esPlugins}/plugins ${cfg.dataDir}/plugins
       '';
     };
 
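Review bot: `ExecStart` now names `elasticsearch` without a directory and relies on the new `path = [ pkgs.elasticsearch ]`; systemd resolves the ExecStart binary itself and, as far as I know, does not consult the unit's PATH for that, so the unit may fail to start or run a different binary than intended. Keeping `${pkgs.elasticsearch}/bin/elasticsearch` pins the exact store path. In preStart, `rm ${cfg.dataDir}/plugins || true` hides the case where `plugins` is a real directory left by an earlier manual install; `ln -s` then creates the link inside that directory and the packaged plugins are not the ones loaded. `ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins` would fail visibly in that case instead.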
diff --git a/nixos/modules/services/web-servers/lighttpd/cgit.nix b/nixos/modules/services/web-servers/lighttpd/cgit.nix
index dbff565bd8a3..d4663781fd84 100644
--- a/nixos/modules/services/web-servers/lighttpd/cgit.nix
+++ b/nixos/modules/services/web-servers/lighttpd/cgit.nix
@@ -29,7 +29,7 @@ in
         cache-size=1000
         scan-path=/srv/git
       '';
-      type = types.string;
+      type = types.lines;
       description = ''
         Verbatim contents of the cgit runtime configuration file. Documentation
         (with cgitrc example file) is available in "man cgitrc". Or online:
diff --git a/nixos/modules/services/web-servers/lighttpd/default.nix b/nixos/modules/services/web-servers/lighttpd/default.nix
index 3ba934c72bf8..f0f59a664026 100644
--- a/nixos/modules/services/web-servers/lighttpd/default.nix
+++ b/nixos/modules/services/web-servers/lighttpd/default.nix
@@ -102,7 +102,7 @@ in
 
       document-root = mkOption {
         default = "/srv/www";
-        type = types.str;
+        type = types.path;
         description = ''
           Document-root of the web server. Must be readable by the "lighttpd" user.
         '';
@@ -128,7 +128,7 @@ in
 
       configText = mkOption {
         default = "";
-        type = types.string;
+        type = types.lines;
 	example = ''...verbatim config file contents...'';
         description = ''
           Overridable config file contents to use for lighttpd. By default, use
@@ -138,7 +138,7 @@ in
 
       extraConfig = mkOption {
         default = "";
-        type = types.string;
+        type = types.lines;
         description = ''
           These configuration lines will be appended to the generated lighttpd
           config file. Note that this mechanism does not work when the manual
diff --git a/nixos/modules/services/web-servers/lighttpd/gitweb.nix b/nixos/modules/services/web-servers/lighttpd/gitweb.nix
index d49278be09a8..c407a1d89778 100644
--- a/nixos/modules/services/web-servers/lighttpd/gitweb.nix
+++ b/nixos/modules/services/web-servers/lighttpd/gitweb.nix
@@ -25,7 +25,7 @@ in
 
     projectroot = mkOption {
       default = "/srv/git";
-      type = types.str;
+      type = types.path;
       description = ''
         Path to git projects (bare repositories) that should be served by
         gitweb. Must not end with a slash.
@@ -34,7 +34,7 @@ in
 
     extraConfig = mkOption {
       default = "";
-      type = types.str;
+      type = types.lines;
       description = ''
         Verbatim configuration text appended to the generated gitweb.conf file.
       '';
diff --git a/nixos/modules/services/x11/desktop-managers/e18.nix b/nixos/modules/services/x11/desktop-managers/e18.nix
index e59b7f426837..cb717eea909c 100644
--- a/nixos/modules/services/x11/desktop-managers/e18.nix
+++ b/nixos/modules/services/x11/desktop-managers/e18.nix
@@ -6,6 +6,7 @@ let
 
   xcfg = config.services.xserver;
   cfg = xcfg.desktopManager.e18;
+  e18_enlightenment = pkgs.e18.enlightenment.override { set_freqset_setuid = true; };
 
 in
 
@@ -23,18 +24,20 @@ in
   config = mkIf (xcfg.enable && cfg.enable) {
 
     environment.systemPackages = [
-      pkgs.e18.efl pkgs.e18.evas pkgs.e18.emotion pkgs.e18.elementary pkgs.e18.enlightenment
+      pkgs.e18.efl pkgs.e18.evas pkgs.e18.emotion pkgs.e18.elementary e18_enlightenment
       pkgs.e18.terminology pkgs.e18.econnman
     ];
 
     services.xserver.desktopManager.session = [
     { name = "E18";
       start = ''
-        ${pkgs.e18.enlightenment}/bin/enlightenment_start
+        ${e18_enlightenment}/bin/enlightenment_start
         waitPID=$!
       '';
     }];
 
+    security.setuidPrograms = [ "e18_freqset" ];
+
   };
 
 }
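Review bot: `security.setuidPrograms = [ "e18_freqset" ]` installs a setuid-root wrapper on every system that enables the E18 desktop, with no option to turn it off and no comment saying why it is needed. What `set_freqset_setuid = true` (added in the previous hunk) changes in the package is not visible in this diff, so the coupling between the override and the wrapper should be documented where the wrapper is declared, e.g. `# setuid wrapper for the helper built by the set_freqset_setuid override; see pkgs/desktops/e18/enlightenment.nix`. I would also put it behind an option that defaults to off, so the extra setuid binary is an explicit choice.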