diff options
author | Jan Malakhovski <oxij@oxij.org> | 2018-03-10 14:41:34 +0000 |
---|---|---|
committer | Jan Malakhovski <oxij@oxij.org> | 2018-03-10 20:38:13 +0000 |
commit | 7079e744d4666db3af186899fe2fc0ef3cbeb842 (patch) | |
tree | d65e951be75dab998ecd2e8337e1c30e7722e28c /nixos/modules | |
parent | 4eec6bc9c9cafac55dbf774a2fd30da7e5a79cc4 (diff) | |
parent | ddddca5c2fe1c93369404979ac194a1bc5d5fbaf (diff) | |
download | nixlib-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar nixlib-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.gz nixlib-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.bz2 nixlib-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.lz nixlib-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.xz nixlib-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.zst nixlib-7079e744d4666db3af186899fe2fc0ef3cbeb842.zip |
Merge branch 'master' into staging
Resolved the following conflicts (by carefully applying patches from the both branches since the fork point): pkgs/development/libraries/epoxy/default.nix pkgs/development/libraries/gtk+/3.x.nix pkgs/development/python-modules/asgiref/default.nix pkgs/development/python-modules/daphne/default.nix pkgs/os-specific/linux/systemd/default.nix
Diffstat (limited to 'nixos/modules')
35 files changed, 534 insertions, 968 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index c1102d558101..11e969b760e0 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -529,6 +529,9 @@ in { system.activationScripts.users = stringAfter [ "stdio" ] '' + install -m 0700 -d /root + install -m 0755 -d /home + ${pkgs.perl}/bin/perl -w \ -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl \ -I${pkgs.perlPackages.JSON}/lib/perl5/site_perl \ diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index c2c36f02a143..d9646704e6f6 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -34,10 +34,17 @@ in { options = { hardware.opengl.enable = mkOption { - description = "Whether this configuration requires OpenGL."; + description = '' + Whether to enable OpenGL drivers. This is needed to enable + OpenGL support in X11 systems, as well as for Wayland compositors + like sway, way-cooler and Weston. It is enabled by default + by the corresponding modules, so you do not usually have to + set it yourself, only if there is no module for your wayland + compositor of choice. See services.xserver.enable, + programs.sway.enable, and programs.way-cooler.enable. + ''; type = types.bool; default = false; - internal = true; }; hardware.opengl.driSupport = mkOption { diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 811449e9fe7e..e7cbf415a223 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -331,8 +331,7 @@ in config.system.build.toplevel.drvPath; # Create the squashfs image that contains the Nix store. - system.build.squashfsStore = import ../../../lib/make-squashfs.nix { - inherit (pkgs) stdenv squashfsTools perl pathsFromGraph; + system.build.squashfsStore = pkgs.callPackage ../../../lib/make-squashfs.nix { storeContents = config.isoImage.storeContents; }; @@ -383,11 +382,8 @@ in boot.loader.timeout = 10; # Create the ISO image. - system.build.isoImage = import ../../../lib/make-iso9660-image.nix ({ - inherit (pkgs) stdenv perl pathsFromGraph xorriso syslinux; - + system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({ inherit (config.isoImage) isoName compressImage volumeID contents; - bootable = true; bootImage = "/isolinux/isolinux.bin"; } // optionalAttrs config.isoImage.makeUsbBootable { diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix index 52239b619126..a4eda3c52dce 100644 --- a/nixos/modules/installer/netboot/netboot.nix +++ b/nixos/modules/installer/netboot/netboot.nix @@ -67,7 +67,7 @@ with lib; # Create the squashfs image that contains the Nix store. system.build.squashfsStore = import ../../../lib/make-squashfs.nix { - inherit (pkgs) stdenv squashfsTools perl pathsFromGraph; + inherit (pkgs) stdenv squashfsTools closureInfo; storeContents = config.netboot.storeContents; }; diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 131c779b1ab1..4774cf39c030 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/gy4yv67gv3j6in0lalw37j353zdmfcwm-nix-1.11.16"; - i686-linux = "/nix/store/ifmyq5ryfxhhrzh62hiq65xyz1fwffga-nix-1.11.16"; - aarch64-linux = "/nix/store/y9mfv3sx75mbfibf1zna1kq9v98fk2nb-nix-1.11.16"; - x86_64-darwin = "/nix/store/hwpp7kia2f0in5ns2hiw41q38k30jpj2-nix-1.11.16"; + x86_64-linux = "/nix/store/6p2gambjac7xdkd2a7w1dsxdk1q5cq4d-nix-2.0"; + i686-linux = "/nix/store/zznnaijjk3nwx0cmpczxsvngmqzhl7r4-nix-2.0"; + aarch64-linux = "/nix/store/ci96w9kxfkmlc7x2vwqiz4da0r6abxnq-nix-2.0"; + x86_64-darwin = "/nix/store/xmi4fylvx4qc79ji9v5q3zfy9vfdy4sv-nix-2.0"; } diff --git a/nixos/modules/installer/tools/nixos-enter.sh b/nixos/modules/installer/tools/nixos-enter.sh new file mode 100644 index 000000000000..679391189612 --- /dev/null +++ b/nixos/modules/installer/tools/nixos-enter.sh @@ -0,0 +1,60 @@ +#! @shell@ + +set -e + +# Re-exec ourselves in a private mount namespace so that our bind +# mounts get cleaned up automatically. +if [ -z "$NIXOS_ENTER_REEXEC" ]; then + export NIXOS_ENTER_REEXEC=1 + if [ "$(id -u)" != 0 ]; then + extraFlags="-r" + fi + exec unshare --fork --mount --uts --mount-proc --pid $extraFlags -- "$0" "$@" +else + mount --make-rprivate / +fi + +mountPoint=/mnt +system=/nix/var/nix/profiles/system +command=($system/sw/bin/bash "--login") + +while [ "$#" -gt 0 ]; do + i="$1"; shift 1 + case "$i" in + --root) + mountPoint="$1"; shift 1 + ;; + --system) + system="$1"; shift 1 + ;; + --help) + exec man nixos-enter + exit 1 + ;; + --command|-c) + command=($system/sw/bin/bash "-c" "$1") + shift 1 + ;; + --) + command=("$@") + break + ;; + *) + echo "$0: unknown option \`$i'" + exit 1 + ;; + esac +done + +if [[ ! -e $mountPoint/etc/NIXOS ]]; then + echo "$0: '$mountPoint' is not a NixOS installation" >&2 + exit 126 +fi + +mkdir -m 0755 -p "$mountPoint/dev" +mount --rbind /dev "$mountPoint/dev" + +# Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings. +LOCALE_ARCHIVE=$system/sw/lib/locale/locale-archive chroot "$mountPoint" "$system/activate" >&2 || true + +exec chroot "$mountPoint" "${command[@]}" diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index f994d5b4bde1..22c1e0fe9a34 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -1,35 +1,23 @@ #! @shell@ -# - make Nix store etc. -# - copy closure of Nix to target device -# - register validity -# - with a chroot to the target device: -# * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration> -# * install the boot loader +set -e +shopt -s nullglob + +export PATH=@path@:$PATH # Ensure a consistent umask. umask 0022 -# Re-exec ourselves in a private mount namespace so that our bind -# mounts get cleaned up automatically. -if [ "$(id -u)" = 0 ]; then - if [ -z "$NIXOS_INSTALL_REEXEC" ]; then - export NIXOS_INSTALL_REEXEC=1 - exec unshare --mount --uts -- "$0" "$@" - else - mount --make-rprivate / - fi -fi - # Parse the command line for the -I flag extraBuildFlags=() -chrootCommand=(/run/current-system/sw/bin/bash) -buildUsersGroup="nixbld" + +mountPoint=/mnt +channelPath= while [ "$#" -gt 0 ]; do i="$1"; shift 1 case "$i" in - --max-jobs|-j|--cores|-I) + --max-jobs|-j|--cores|-I|--substituters) j="$1"; shift 1 extraBuildFlags+=("$i" "$j") ;; @@ -41,9 +29,11 @@ while [ "$#" -gt 0 ]; do --root) mountPoint="$1"; shift 1 ;; - --closure) - closure="$1"; shift 1 - buildUsersGroup="" + --system|--closure) + system="$1"; shift 1 + ;; + --channel) + channelPath="$1"; shift 1 ;; --no-channel-copy) noChannelCopy=1 @@ -57,17 +47,13 @@ while [ "$#" -gt 0 ]; do --show-trace) extraBuildFlags+=("$i") ;; - --chroot) - runChroot=1 - if [[ "$@" != "" ]]; then - chrootCommand=("$@") - fi - break - ;; --help) exec man nixos-install exit 1 ;; + --debug) + set -x + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -75,132 +61,83 @@ while [ "$#" -gt 0 ]; do esac done -set -e -shopt -s nullglob - -if test -z "$mountPoint"; then - mountPoint=/mnt -fi - if ! test -e "$mountPoint"; then echo "mount point $mountPoint doesn't exist" exit 1 fi # Get the path of the NixOS configuration file. -if test -z "$NIXOS_CONFIG"; then - NIXOS_CONFIG=/etc/nixos/configuration.nix +if [[ -z $NIXOS_CONFIG ]]; then + NIXOS_CONFIG=$mountPoint/etc/nixos/configuration.nix fi -if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then - echo "configuration file $mountPoint/$NIXOS_CONFIG doesn't exist" +if [[ ${NIXOS_CONFIG:0:1} != / ]]; then + echo "$0: \$NIXOS_CONFIG is not an absolute path" exit 1 fi - -# Builds will use users that are members of this group -extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup") - -# Inherit binary caches from the host -# TODO: will this still work with Nix 1.12 now that it has no perl? Probably not... -binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')" -extraBuildFlags+=(--option "binary-caches" "$binary_caches") - -# We only need nixpkgs in the path if we don't already have a system closure to install -if [[ -z "$closure" ]]; then - nixpkgs="$(readlink -f "$(nix-instantiate --find-file nixpkgs)")" - export NIX_PATH="nixpkgs=$nixpkgs:nixos-config=$mountPoint/$NIXOS_CONFIG" -fi -unset NIXOS_CONFIG - -# These get created in nixos-prepare-root as well, but we want to make sure they're here in case we're -# running with --chroot. TODO: --chroot should just be split into a separate tool. -mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/proc" "$mountPoint/sys" - -# Set up some bind mounts we'll want regardless of chroot or not -mount --rbind /dev "$mountPoint/dev" -mount --rbind /proc "$mountPoint/proc" -mount --rbind /sys "$mountPoint/sys" - -# If we asked for a chroot, that means we're not actually installing anything (yeah I was confused too) -# and we just want to run a command in the context of a $mountPoint that we're assuming has already been -# set up by a previous nixos-install invocation. In that case we set up some remaining bind mounts and -# exec the requested command, skipping the rest of the installation procedure. -if [ -n "$runChroot" ]; then - mount -t tmpfs -o "mode=0755" none $mountPoint/run - rm -rf $mountPoint/var/run - ln -s /run $mountPoint/var/run - for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done - for f in /etc/passwd /etc/group; do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done - - if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then - echo "$0: installation not finished; cannot chroot into installation directory" - exit 1 - fi - ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system - exec chroot $mountPoint "${chrootCommand[@]}" +if [[ ! -e $NIXOS_CONFIG && -z $system ]]; then + echo "configuration file $NIXOS_CONFIG doesn't exist" + exit 1 fi -# A place to drop temporary closures +# A place to drop temporary stuff. trap "rm -rf $tmpdir" EXIT tmpdir="$(mktemp -d)" -# Build a closure (on the host; we then copy it into the guest) -function closure() { - nix-build "${extraBuildFlags[@]}" --no-out-link -E "with import <nixpkgs> {}; runCommand \"closure\" { exportReferencesGraph = [ \"x\" (buildEnv { name = \"env\"; paths = [ ($1) stdenv ]; }) ]; } \"cp x \$out\"" -} - -system_closure="$tmpdir/system.closure" -# Use a FIFO for piping nix-store --export into nix-store --import, saving disk -# I/O and space. nix-store --import is run by nixos-prepare-root. -mkfifo $system_closure - -if [ -z "$closure" ]; then - expr="(import <nixpkgs/nixos> {}).system" - system_root="$(nix-build -E "$expr")" - system_closure="$(closure "$expr")" -else - system_root=$closure - # Create a temporary file ending in .closure (so nixos-prepare-root knows to --import it) to transport the store closure - # to the filesytem we're preparing. Also delete it on exit! - # Run in background to avoid blocking while trying to write to the FIFO - # $system_closure refers to - nix-store --export $(nix-store -qR $closure) > $system_closure & -fi - -channel_root="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")" -channel_closure="$tmpdir/channel.closure" -nix-store --export $channel_root > $channel_closure - -# Populate the target root directory with the basics -@prepare_root@/bin/nixos-prepare-root "$mountPoint" "$channel_root" "$system_root" @nixClosure@ "$system_closure" "$channel_closure" - -# nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead -chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store +sub="auto?trusted=1" +# Build the system configuration in the target filesystem. +if [[ -z $system ]]; then + echo "building the configuration in $NIXOS_CONFIG..." + outLink="$tmpdir/system" + nix build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ + --extra-substituters "$sub" \ + -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" + system=$(readlink -f $outLink) +fi +# Set the system profile to point to the configuration. TODO: combine +# this with the previous step once we have a nix-env replacement with +# a progress bar. +nix-env --store "$mountPoint" "${extraBuildFlags[@]}" \ + --extra-substituters "$sub" \ + -p $mountPoint/nix/var/nix/profiles/system --set "$system" + +# Copy the NixOS/Nixpkgs sources to the target as the initial contents +# of the NixOS channel. +if [[ -z $noChannelCopy ]]; then + if [[ -z $channelPath ]]; then + channelPath="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")" + fi + if [[ -n $channelPath ]]; then + echo "copying channel..." + mkdir -p $mountPoint/nix/var/nix/profiles/per-user/root + nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \ + -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet + install -m 0700 -d $mountPoint/root/.nix-defexpr + ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels + fi +fi -# Grub needs an mtab. -ln -sfn /proc/mounts $mountPoint/etc/mtab +# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out. +mkdir -m 0755 -p "$mountPoint/etc" +touch "$mountPoint/etc/NIXOS" # Switch to the new system configuration. This will install Grub with # a menu default pointing at the kernel/initrd/etc of the new # configuration. -echo "finalising the installation..." -if [ -z "$noBootLoader" ]; then - NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint \ - /nix/var/nix/profiles/system/bin/switch-to-configuration boot +if [[ -z $noBootLoader ]]; then + echo "installing the boot loader..." + # Grub needs an mtab. + ln -sfn /proc/mounts $mountPoint/etc/mtab + NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot fi -# Run the activation script. -chroot $mountPoint /nix/var/nix/profiles/system/activate - - -# Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then - echo "setting root password..." - chroot $mountPoint /run/wrappers/bin/passwd +# Ask the user to set a root password, but only if the passwd command +# exists (i.e. when mutable user accounts are enabled). +if [[ -z $noRootPasswd ]] && [ -t 0 ]; then + nixos-enter --root "$mountPoint" -c '[[ -e /nix/var/nix/profiles/system/sw/bin/passwd ]] && echo "setting root password..." && /nix/var/nix/profiles/system/sw/bin/passwd' fi - echo "installation finished!" diff --git a/nixos/modules/installer/tools/nixos-prepare-root.sh b/nixos/modules/installer/tools/nixos-prepare-root.sh deleted file mode 100644 index ed5af234fec9..000000000000 --- a/nixos/modules/installer/tools/nixos-prepare-root.sh +++ /dev/null @@ -1,104 +0,0 @@ -#! @shell@ - -# This script's goal is to perform all "static" setup of a filesystem structure from pre-built store paths. Everything -# in here should run in a non-root context and inside a Nix builder. It's designed primarily to be called from image- -# building scripts and from nixos-install, but because it makes very few assumptions about the context in which it runs, -# it could be useful in other contexts as well. -# -# Current behavior: -# - set up basic filesystem structure -# - make Nix store etc. -# - copy Nix, system, channel, and misceallaneous closures to target Nix store -# - register validity of all paths in the target store -# - set up channel and system profiles - -# Ensure a consistent umask. -umask 0022 - -set -e - -mountPoint="$1" -channel="$2" -system="$3" -shift 3 -closures="$@" - -PATH="@coreutils@/bin:@nix@/bin:@perl@/bin:@utillinux@/bin:@rsync@/bin" - -if ! test -e "$mountPoint"; then - echo "mount point $mountPoint doesn't exist" - exit 1 -fi - -# Create a few of the standard directories in the target root directory. -install -m 0755 -d $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home -install -m 01777 -d $mountPoint/tmp -install -m 0755 -d $mountPoint/tmp/root -install -m 0755 -d $mountPoint/var -install -m 0700 -d $mountPoint/root - -ln -sf /run $mountPoint/var/run - -# Create the necessary Nix directories on the target device -install -m 0755 -d \ - $mountPoint/nix/var/nix/gcroots \ - $mountPoint/nix/var/nix/temproots \ - $mountPoint/nix/var/nix/userpool \ - $mountPoint/nix/var/nix/profiles \ - $mountPoint/nix/var/nix/db \ - $mountPoint/nix/var/log/nix/drvs - -install -m 1775 -d $mountPoint/nix/store - -# All Nix operations below should operate on our target store, not /nix/store. -# N.B: this relies on Nix 1.12 or higher -export NIX_REMOTE=local?root=$mountPoint - -# Copy our closures to the Nix store on the target mount point, unless they're already there. -for i in $closures; do - # We support closures both in the format produced by `nix-store --export` and by `exportReferencesGraph`, - # mostly because there doesn't seem to be a single format that can be produced outside of a nix build and - # inside one. See https://github.com/NixOS/nix/issues/1242 for more discussion. - if [[ "$i" =~ \.closure$ ]]; then - echo "importing serialized closure $i to $mountPoint..." - nix-store --import < $i - else - # There has to be a better way to do this, right? - echo "copying closure $i to $mountPoint..." - for j in $(perl @pathsFromGraph@ $i); do - echo " $j... " - rsync -a $j $mountPoint/nix/store/ - done - - nix-store --option build-users-group root --register-validity < $i - fi -done - -# Create the required /bin/sh symlink; otherwise lots of things -# (notably the system() function) won't work. -if [ ! -x $mountPoint/@shell@ ]; then - echo "Error: @shell@ wasn't included in the closure" >&2 - exit 1 -fi -install -m 0755 -d $mountPoint/bin -ln -sf @shell@ $mountPoint/bin/sh - -echo "setting the system closure to '$system'..." -nix-env "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/system --set "$system" - -ln -sfn /nix/var/nix/profiles/system $mountPoint/run/current-system - -# Copy the NixOS/Nixpkgs sources to the target as the initial contents of the NixOS channel. -install -m 0755 -d $mountPoint/nix/var/nix/profiles -install -m 1777 -d $mountPoint/nix/var/nix/profiles/per-user -install -m 0755 -d $mountPoint/nix/var/nix/profiles/per-user/root - -if [ -z "$noChannelCopy" ] && [ -n "$channel" ]; then - echo "copying channel..." - nix-env --option build-use-substitutes false "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channel" --quiet -fi -install -m 0700 -d $mountPoint/root/.nix-defexpr -ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels - -# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out. -touch $mountPoint/etc/NIXOS diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index eab5f1147667..beac9e29d59c 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -1,7 +1,9 @@ # This module generates nixos-install, nixos-rebuild, # nixos-generate-config, etc. -{ config, pkgs, modulesPath, ... }: +{ config, lib, pkgs, modulesPath, ... }: + +with lib; let cfg = config.installer; @@ -16,28 +18,11 @@ let src = ./nixos-build-vms/nixos-build-vms.sh; }; - nixos-prepare-root = makeProg { - name = "nixos-prepare-root"; - src = ./nixos-prepare-root.sh; - - nix = pkgs.nixUnstable; - inherit (pkgs) perl pathsFromGraph rsync utillinux coreutils; - }; - nixos-install = makeProg { name = "nixos-install"; src = ./nixos-install.sh; - - inherit (pkgs) perl pathsFromGraph rsync; nix = config.nix.package.out; - cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - root_uid = config.ids.uids.root; - nixbld_gid = config.ids.gids.nixbld; - prepare_root = nixos-prepare-root; - - nixClosure = pkgs.runCommand "closure" - { exportReferencesGraph = ["refs" config.nix.package.out]; } - "cp refs $out"; + path = makeBinPath [ nixos-enter ]; }; nixos-rebuild = @@ -69,6 +54,11 @@ let inherit (config.system.nixos) version codeName revision; }; + nixos-enter = makeProg { + name = "nixos-enter"; + src = ./nixos-enter.sh; + }; + in { @@ -77,16 +67,16 @@ in environment.systemPackages = [ nixos-build-vms - nixos-prepare-root nixos-install nixos-rebuild nixos-generate-config nixos-option nixos-version + nixos-enter ]; system.build = { - inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild; + inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild nixos-enter; }; }; diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix index 5316cfce906b..13a0d7f4f6ee 100644 --- a/nixos/modules/installer/virtualbox-demo.nix +++ b/nixos/modules/installer/virtualbox-demo.nix @@ -19,4 +19,6 @@ with lib; # Add some more video drivers to give X11 a shot at working in # VMware and QEMU. services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ]; + + powerManagement.enable = false; } diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 8d775ffc82d3..39a24cfecc53 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -233,7 +233,7 @@ calibre-server = 213; heapster = 214; bepasty = 215; - pumpio = 216; + # pumpio = 216; # unused, removed 2018-02-24 nm-openvpn = 217; mathics = 218; ejabberd = 219; @@ -514,7 +514,7 @@ xtreemfs = 212; calibre-server = 213; bepasty = 215; - pumpio = 216; + # pumpio = 216; # unused, removed 2018-02-24 nm-openvpn = 217; mathics = 218; ejabberd = 219; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 3bb65c6b295a..e7f28c670bed 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -642,7 +642,6 @@ ./services/web-apps/nexus.nix ./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/matomo.nix - ./services/web-apps/pump.io.nix ./services/web-apps/restya-board.nix ./services/web-apps/tt-rss.nix ./services/web-apps/selfoss.nix diff --git a/nixos/modules/profiles/demo.nix b/nixos/modules/profiles/demo.nix index ef6fd77b5f8d..c3ee6e98371e 100644 --- a/nixos/modules/profiles/demo.nix +++ b/nixos/modules/profiles/demo.nix @@ -10,4 +10,10 @@ password = "demo"; uid = 1000; }; + + services.xserver.displayManager.sddm.autoLogin = { + enable = true; + relogin = true; + user = "demo"; + }; } diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 506a6ee3eaa8..43f06c219f82 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -72,7 +72,13 @@ with lib; # To speed up installation a little bit, include the complete # stdenv in the Nix store on the CD. - system.extraDependencies = with pkgs; [ stdenv stdenvNoCC busybox ]; + system.extraDependencies = with pkgs; + [ + stdenv + stdenvNoCC # for runCommand + busybox + jq # for closureInfo + ]; # Show all debug messages from the kernel but don't log refused packets # because we have the firewall enabled. This makes installs from the diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1a62f04972df..c0967316c0c7 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -126,7 +126,7 @@ in programs.bash = { shellInit = '' - . ${config.system.build.setEnvironment} + ${config.system.build.setEnvironment.text} ${cfge.shellInit} ''; diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 5102bfef0325..f689250dc61f 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -108,7 +108,7 @@ in if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi export __ETC_ZSHENV_SOURCED=1 - . ${config.system.build.setEnvironment} + ${config.system.build.setEnvironment.text} ${cfge.shellInit} diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index e884098cb08d..a67c61eb9949 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -7,8 +7,10 @@ let cfg = config.services.openldap; openldap = pkgs.openldap; + dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; configFile = pkgs.writeText "slapd.conf" cfg.extraConfig; - + configOpts = if cfg.configDir == null then "-f ${configFile}" + else "-F ${cfg.configDir}"; in { @@ -81,6 +83,34 @@ in ''' ''; }; + + declarativeContents = mkOption { + type = with types; nullOr lines; + default = null; + description = '' + Declarative contents for the LDAP database, in LDIF format. + + Note a few facts when using it. First, the database + <emphasis>must</emphasis> be stored in the directory defined by + <code>dataDir</code>. Second, all <code>dataDir</code> will be erased + when starting the LDAP server. Third, modifications to the database + are not prevented, they are just dropped on the next reboot of the + server. Finally, performance-wise the database and indexes are rebuilt + on each server startup, so this will slow down server startup, + especially with large databases. + ''; + example = '' + dn: dc=example,dc=org + objectClass: domain + dc: example + + dn: ou=users,dc=example,dc=org + objectClass = organizationalUnit + ou: users + + # ... + ''; + }; }; }; @@ -88,7 +118,7 @@ in ###### implementation - config = mkIf config.services.openldap.enable { + config = mkIf cfg.enable { environment.systemPackages = [ openldap ]; @@ -98,11 +128,21 @@ in after = [ "network.target" ]; preStart = '' mkdir -p /var/run/slapd - chown -R ${cfg.user}:${cfg.group} /var/run/slapd - mkdir -p ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + chown -R "${cfg.user}:${cfg.group}" /var/run/slapd + ${optionalString (cfg.declarativeContents != null) '' + rm -Rf "${cfg.dataDir}" + ''} + mkdir -p "${cfg.dataDir}" + ${optionalString (cfg.declarativeContents != null) '' + ${openldap.out}/bin/slapadd ${configOpts} -l ${dataFile} + ''} + chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}" ''; - serviceConfig.ExecStart = "${openldap.out}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -h \"${concatStringsSep " " cfg.urlList}\" ${if cfg.configDir == null then "-f "+configFile else "-F "+cfg.configDir}"; + serviceConfig.ExecStart = + "${openldap.out}/libexec/slapd -d 0 " + + "-u '${cfg.user}' -g '${cfg.group}' " + + "-h '${concatStringsSep " " cfg.urlList}' " + + "${configOpts}"; }; users.extraUsers.openldap = diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index c076f90e5403..484079ed62df 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -33,9 +33,9 @@ let sh = pkgs.runtimeShell; binshDeps = pkgs.writeReferencesToFile sh; in - pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; inherit binshDeps; } '' + pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; } '' ${optionalString (!isNix20) '' - extraPaths=$(for i in $(cat binshDeps); do if test -d $i; then echo $i; fi; done) + extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done) ''} cat > $out <<END # WARNING: this file is generated from the nix.* options in diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index e9a035d17d38..f83fb7a6d5dc 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -335,6 +335,7 @@ in { preStart = '' mkdir -m 700 -p /etc/NetworkManager/system-connections + mkdir -m 700 -p /etc/ipsec.d mkdir -m 755 -p ${stateDirs} ''; }; diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index 3e865e3b76a8..8499e7c0f7c4 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -55,6 +55,8 @@ in environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; serviceConfig = { + Restart = "always"; + RestartSec = "5s"; ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; User = "nix-serve"; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 3a3f64221c42..707d24b9220f 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -32,13 +32,13 @@ let ${caConf} ''; - strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' + strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' charon { ${if managePlugins then "load_modular = no" else ""} ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} plugins { stroke { - secrets_file = ${ipsecSecrets secrets} + secrets_file = ${secretsFile} } } } @@ -135,7 +135,18 @@ in }; }; - config = with cfg; mkIf enable { + + config = with cfg; + let + secretsFile = ipsecSecrets cfg.secrets; + in + mkIf enable + { + + # here we should use the default strongswan ipsec.secrets and + # append to it (default one is empty so not a pb for now) + environment.etc."ipsec.secrets".source = secretsFile; + systemd.services.strongswan = { description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; @@ -143,11 +154,15 @@ in wants = [ "keys.target" ]; after = [ "network-online.target" "keys.target" ]; environment = { - STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; }; + STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; }; serviceConfig = { ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork"; }; + preStart = '' + # with 'nopeerdns' setting, ppp writes into this folder + mkdir -m 700 -p /etc/ppp + ''; }; }; } diff --git a/nixos/modules/services/web-apps/pump.io-configure.js b/nixos/modules/services/web-apps/pump.io-configure.js deleted file mode 100644 index 1fbf346a34c4..000000000000 --- a/nixos/modules/services/web-apps/pump.io-configure.js +++ /dev/null @@ -1,23 +0,0 @@ -var fs = require('fs'); - -var opts = JSON.parse(fs.readFileSync("/dev/stdin").toString()); -var config = opts.config; - -var readSecret = function(filename) { - return fs.readFileSync(filename).toString().trim(); -}; - -if (opts.secretFile) { - config.secret = readSecret(opts.secretFile); -} -if (opts.dbPasswordFile) { - config.params.dbpass = readSecret(opts.dbPasswordFile); -} -if (opts.smtpPasswordFile) { - config.smtppass = readSecret(opts.smtpPasswordFile); -} -if (opts.spamClientSecretFile) { - config.spamclientsecret = readSecret(opts.opts.spamClientSecretFile); -} - -fs.writeFileSync(opts.outputFile, JSON.stringify(config)); diff --git a/nixos/modules/services/web-apps/pump.io.nix b/nixos/modules/services/web-apps/pump.io.nix deleted file mode 100644 index 27ae68516367..000000000000 --- a/nixos/modules/services/web-apps/pump.io.nix +++ /dev/null @@ -1,438 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.pumpio; - dataDir = "/var/lib/pump.io"; - runDir = "/run/pump.io"; - user = "pumpio"; - - optionalSet = condition: value: if condition then value else {}; - - configScript = ./pump.io-configure.js; - configOptions = { - outputFile = "${runDir}/config.json"; - config = - (optionalSet (cfg.driver != "disk") { - driver = cfg.driver; - }) // - { - params = (optionalSet (cfg.driver == "disk") { dir = dataDir; }) // - (optionalSet (cfg.driver == "mongodb" || cfg.driver == "redis") { - host = cfg.dbHost; - port = cfg.dbPort; - dbname = cfg.dbName; - dbuser = cfg.dbUser; - dbpass = cfg.dbPassword; - }) // - (optionalSet (cfg.driver == "memcached") { - host = cfg.dbHost; - port = cfg.dbPort; - }) // cfg.driverParams; - secret = cfg.secret; - - address = cfg.address; - port = cfg.port; - - noweb = false; - urlPort = cfg.urlPort; - hostname = cfg.hostname; - favicon = cfg.favicon; - - site = cfg.site; - owner = cfg.owner; - ownerURL = cfg.ownerURL; - - key = cfg.sslKey; - cert = cfg.sslCert; - bounce = false; - - spamhost = cfg.spamHost; - spamclientid = cfg.spamClientId; - spamclientsecret = cfg.spamClientSecret; - - requireEmail = cfg.requireEmail; - smtpserver = cfg.smtpHost; - smtpport = cfg.smtpPort; - smtpuser = cfg.smtpUser; - smtppass = cfg.smtpPassword; - smtpusessl = cfg.smtpUseSSL; - smtpfrom = cfg.smtpFrom; - - nologger = false; - enableUploads = cfg.enableUploads; - datadir = dataDir; - debugClient = false; - firehose = cfg.firehose; - disableRegistration = cfg.disableRegistration; - - inherit (cfg) secretFile dbPasswordFile smtpPasswordFile spamClientSecretFile; - } // - (optionalSet (cfg.port < 1024) { - serverUser = user; # have pump.io listen then drop privileges - }) // cfg.extraConfig; -}; in { - options = { - - services.pumpio = { - - enable = mkEnableOption "Pump.io social streams server"; - - secret = mkOption { - type = types.nullOr types.str; - default = null; - example = "my dog has fleas"; - description = '' - A session-generating secret, server-wide password. Warning: - this is stored in cleartext in the Nix store! - ''; - }; - - secretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-secret"; - description = '' - A file containing the session-generating secret, - server-wide password. - ''; - }; - - site = mkOption { - type = types.str; - example = "Awesome Sauce"; - description = "Name of the server"; - }; - - owner = mkOption { - type = types.str; - default = ""; - example = "Awesome Inc."; - description = "Name of owning entity, if you want to link to it."; - }; - - ownerURL = mkOption { - type = types.str; - default = ""; - example = "https://pump.io"; - description = "URL of owning entity, if you want to link to it."; - }; - - address = mkOption { - type = types.str; - default = "localhost"; - description = '' - Web server listen address. - ''; - }; - - port = mkOption { - type = types.int; - default = 31337; - description = '' - Port to listen on. Defaults to 31337, which is suitable for - running behind a reverse proxy. For a standalone server, - use 443. - ''; - }; - - hostname = mkOption { - type = types.nullOr types.str; - default = "localhost"; - description = '' - The hostname of the server, used for generating - URLs. Defaults to "localhost" which doesn't do much for you. - ''; - }; - - urlPort = mkOption { - type = types.int; - default = 443; - description = '' - Port to use for generating URLs. This basically has to be - either 80 or 443 because the host-meta and Webfinger - protocols don't make any provision for HTTP/HTTPS servers - running on other ports. - ''; - }; - - favicon = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Local filesystem path to the favicon.ico file to use. This - will be served as "/favicon.ico" by the server. - ''; - }; - - enableUploads = mkOption { - type = types.bool; - default = true; - description = '' - If you want to disable file uploads, set this to false. Uploaded files will be stored - in ${dataDir}/uploads. - ''; - }; - - sslKey = mkOption { - type = types.path; - example = "${dataDir}/myserver.key"; - default = ""; - description = '' - The path to the server certificate private key. The - certificate is required, but it can be self-signed. - ''; - }; - - sslCert = mkOption { - type = types.path; - example = "${dataDir}/myserver.crt"; - default = ""; - description = '' - The path to the server certificate. The certificate is - required, but it can be self-signed. - ''; - }; - - firehose = mkOption { - type = types.str; - default = "ofirehose.com"; - description = '' - Firehose host running the ofirehose software. Defaults to - "ofirehose.com". Public notices will be ping this firehose - server and from there go out to search engines and the - world. If you want to disconnect from the public web, set - this to something falsy. - ''; - }; - - disableRegistration = mkOption { - type = types.bool; - default = false; - description = '' - Disables registering new users on the site through the Web - or the API. - ''; - }; - - requireEmail = mkOption { - type = types.bool; - default = false; - description = "Require an e-mail address to register."; - }; - - extraConfig = mkOption { - default = { }; - description = '' - Extra configuration options which are serialized to json and added - to the pump.io.json config file. - ''; - }; - - driver = mkOption { - type = types.enum [ "mongodb" "disk" "lrucache" "memcached" "redis" ]; - default = "mongodb"; - description = "Type of database. Corresponds to a nodejs databank driver."; - }; - - driverParams = mkOption { - default = { }; - description = "Extra parameters for the driver."; - }; - - dbHost = mkOption { - type = types.str; - default = "localhost"; - description = "The database host to connect to."; - }; - - dbPort = mkOption { - type = types.int; - default = 27017; - description = "The port that the database is listening on."; - }; - - dbName = mkOption { - type = types.str; - default = "pumpio"; - description = "The name of the database to use."; - }; - - dbUser = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The username. Defaults to null, meaning no authentication. - ''; - }; - - dbPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The password corresponding to dbUser. Warning: this is - stored in cleartext in the Nix store! - ''; - }; - - dbPasswordFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-dbpassword"; - description = '' - A file containing the password corresponding to dbUser. - ''; - }; - - smtpHost = mkOption { - type = types.nullOr types.str; - default = null; - example = "localhost"; - description = '' - Server to use for sending transactional email. If it's not - set up, no email is sent and features like password recovery - and email notification won't work. - ''; - }; - - smtpPort = mkOption { - type = types.int; - default = 25; - description = '' - Port to connect to on SMTP server. - ''; - }; - - smtpUser = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Username to use to connect to SMTP server. Might not be - necessary for some servers. - ''; - }; - - smtpPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Password to use to connect to SMTP server. Might not be - necessary for some servers. Warning: this is stored in - cleartext in the Nix store! - ''; - }; - - smtpPasswordFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-smtppassword"; - description = '' - A file containing the password used to connect to SMTP - server. Might not be necessary for some servers. - ''; - }; - - - smtpUseSSL = mkOption { - type = types.bool; - default = false; - description = '' - Only use SSL with the SMTP server. By default, a SSL - connection is negotiated using TLS. You may need to change - the smtpPort value if you set this. - ''; - }; - - smtpFrom = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Email address to use in the "From:" header of outgoing - notifications. Defaults to 'no-reply@' plus the site - hostname. - ''; - }; - - spamHost = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Host running activityspam software to use to test updates - for spam. - ''; - }; - spamClientId = mkOption { - type = types.nullOr types.str; - default = null; - description = "OAuth pair for spam server."; - }; - spamClientSecret = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - OAuth pair for spam server. Warning: this is - stored in cleartext in the Nix store! - ''; - }; - spamClientSecretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-spamclientsecret"; - description = '' - A file containing the OAuth key for the spam server. - ''; - }; - }; - - }; - - config = mkIf cfg.enable { - warnings = let warn = k: optional (cfg.${k} != null) - "config.services.pumpio.${k} is insecure. Use ${k}File instead."; - in concatMap warn [ "secret" "dbPassword" "smtpPassword" "spamClientSecret" ]; - - assertions = [ - { assertion = !(isNull cfg.secret && isNull cfg.secretFile); - message = "pump.io needs a secretFile configured"; - } - ]; - - systemd.services."pump.io" = - { description = "Pump.io - stream server that does most of what people really want from a social network"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - mkdir -p ${dataDir}/uploads - mkdir -p ${runDir} - chown pumpio:pumpio ${dataDir}/uploads ${runDir} - chmod 770 ${dataDir}/uploads ${runDir} - - ${pkgs.nodejs}/bin/node ${configScript} <<EOF - ${builtins.toJSON configOptions} - EOF - - chgrp pumpio ${configOptions.outputFile} - chmod 640 ${configOptions.outputFile} - ''; - - serviceConfig = { - ExecStart = "${pkgs.pumpio}/bin/pump -c ${configOptions.outputFile}"; - PermissionsStartOnly = true; - User = if cfg.port < 1024 then "root" else user; - Group = user; - }; - environment = { NODE_ENV = "production"; }; - }; - - users.extraGroups.pumpio.gid = config.ids.gids.pumpio; - users.extraUsers.pumpio = { - group = "pumpio"; - uid = config.ids.uids.pumpio; - description = "Pump.io user"; - home = dataDir; - createHome = true; - }; - }; -} diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index c784f4756d19..8f7a56189a07 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -505,7 +505,7 @@ let ${cfg.database.name}'' else if cfg.database.type == "mysql" then '' - echo '${e}' | ${pkgs.mysql}/bin/mysql \ + echo '${e}' | ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${config.services.mysql.package}/bin/mysql \ -u ${cfg.database.user} \ ${optionalString (cfg.database.password != null) "-p${cfg.database.password}"} \ ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} -P ${toString dbPort}"} \ diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix index 0b2e5c0b69d9..aa94e0e976c9 100644 --- a/nixos/modules/services/web-servers/tomcat.nix +++ b/nixos/modules/services/web-servers/tomcat.nix @@ -19,11 +19,7 @@ in options = { services.tomcat = { - - enable = mkOption { - default = false; - description = "Whether to enable Apache Tomcat"; - }; + enable = mkEnableOption "Apache Tomcat"; package = mkOption { type = types.package; @@ -36,10 +32,30 @@ in }; baseDir = mkOption { + type = lib.types.path; default = "/var/tomcat"; description = "Location where Tomcat stores configuration files, webapplications and logfiles"; }; + logDirs = mkOption { + default = []; + type = types.listOf types.path; + description = "Directories to create in baseDir/logs/"; + }; + + extraConfigFiles = mkOption { + default = []; + type = types.listOf types.path; + description = "Extra configuration files to pull into the tomcat conf directory"; + }; + + extraEnvironment = mkOption { + type = types.listOf types.str; + default = []; + example = [ "ENVIRONMENT=production" ]; + description = "Environment Variables to pass to the tomcat service"; + }; + extraGroups = mkOption { default = []; example = [ "users" ]; @@ -47,31 +63,46 @@ in }; user = mkOption { + type = types.str; default = "tomcat"; description = "User account under which Apache Tomcat runs."; }; group = mkOption { + type = types.str; default = "tomcat"; description = "Group account under which Apache Tomcat runs."; }; javaOpts = mkOption { + type = types.either (types.listOf types.str) types.str; default = ""; description = "Parameters to pass to the Java Virtual Machine which spawns Apache Tomcat"; }; catalinaOpts = mkOption { + type = types.either (types.listOf types.str) types.str; default = ""; description = "Parameters to pass to the Java Virtual Machine which spawns the Catalina servlet container"; }; sharedLibs = mkOption { + type = types.listOf types.str; default = []; description = "List containing JAR files or directories with JAR files which are libraries shared by the web applications"; }; + serverXml = mkOption { + type = types.lines; + default = ""; + description = " + Verbatim server.xml configuration. + This is mutually exclusive with the virtualHosts options. + "; + }; + commonLibs = mkOption { + type = types.listOf types.str; default = []; description = "List containing JAR files or directories with JAR files which are libraries shared by the web applications and the servlet container"; }; @@ -84,11 +115,21 @@ in }; virtualHosts = mkOption { + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = types.listOf types.str; + description = "name of the virtualhost"; + default = []; + }; + }; + }); default = []; description = "List consisting of a virtual host name and a list of web applications to deploy on each virtual host"; }; logPerVirtualHost = mkOption { + type = types.bool; default = false; description = "Whether to enable logging per virtual host."; }; @@ -104,11 +145,13 @@ in enable = mkOption { default = false; + type = types.bool; description = "Whether to enable an Apache Axis2 container"; }; services = mkOption { default = []; + type = types.listOf types.str; description = "List containing AAR files or directories with AAR files which are web services to be deployed on Axis2"; }; @@ -140,130 +183,104 @@ in description = "Apache Tomcat server"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; preStart = '' # Create the base directory - mkdir -p ${cfg.baseDir} + mkdir -p \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} + chown ${cfg.user}:${cfg.group} \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} # Create a symlink to the bin directory of the tomcat component ln -sfn ${tomcat}/bin ${cfg.baseDir}/bin - # Create a conf/ directory - mkdir -p ${cfg.baseDir}/conf - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/conf - # Symlink the config files in the conf/ directory (except for catalina.properties and server.xml) - for i in $(ls ${tomcat}/conf | grep -v catalina.properties | grep -v server.xml) - do - ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` + for i in $(ls ${tomcat}/conf | grep -v catalina.properties | grep -v server.xml); do + ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` done - # Create subdirectory for virtual hosts - mkdir -p ${cfg.baseDir}/virtualhosts + ${if cfg.extraConfigFiles != [] then '' + for i in ${toString cfg.extraConfigFiles}; do + ln -sfn $i ${cfg.baseDir}/conf/`basename $i` + done + '' else ""} # Create a modified catalina.properties file # Change all references from CATALINA_HOME to CATALINA_BASE and add support for shared libraries sed -e 's|''${catalina.home}|''${catalina.base}|g' \ - -e 's|shared.loader=|shared.loader=''${catalina.base}/shared/lib/*.jar|' \ - ${tomcat}/conf/catalina.properties > ${cfg.baseDir}/conf/catalina.properties - - # Create a modified server.xml which also includes all virtual hosts - sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\ ${ - toString (map (virtualHost: ''<Host name=\"${virtualHost.name}\" appBase=\"virtualhosts/${virtualHost.name}/webapps\" unpackWARs=\"true\" autoDeploy=\"true\" xmlValidation=\"false\" xmlNamespaceAware=\"false\" >${if cfg.logPerVirtualHost then ''<Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs/${virtualHost.name}\" prefix=\"${virtualHost.name}_access_log.\" pattern=\"combined\" resolveHosts=\"false\"/>'' else ""}</Host>'') cfg.virtualHosts)}" \ - ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml - - # Create a logs/ directory - mkdir -p ${cfg.baseDir}/logs - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs - ${if cfg.logPerVirtualHost then - toString (map (h: '' - mkdir -p ${cfg.baseDir}/logs/${h.name} - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} - '') cfg.virtualHosts) else ''''} - - # Create a temp/ directory - mkdir -p ${cfg.baseDir}/temp - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/temp - - # Create a lib/ directory - mkdir -p ${cfg.baseDir}/lib - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/lib - - # Create a shared/lib directory - mkdir -p ${cfg.baseDir}/shared/lib - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/shared/lib - - # Create a webapps/ directory - mkdir -p ${cfg.baseDir}/webapps - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps + -e 's|shared.loader=|shared.loader=''${catalina.base}/shared/lib/*.jar|' \ + ${tomcat}/conf/catalina.properties > ${cfg.baseDir}/conf/catalina.properties + + ${if cfg.serverXml != "" then '' + cp -f ${pkgs.writeTextDir "server.xml" cfg.serverXml}/* ${cfg.baseDir}/conf/ + '' else '' + # Create a modified server.xml which also includes all virtual hosts + sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\ ${toString (map (virtualHost: ''<Host name=\"${virtualHost.name}\" appBase=\"virtualhosts/${virtualHost.name}/webapps\" unpackWARs=\"true\" autoDeploy=\"true\" xmlValidation=\"false\" xmlNamespaceAware=\"false\" >${if cfg.logPerVirtualHost then ''<Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs/${virtualHost.name}\" prefix=\"${virtualHost.name}_access_log.\" pattern=\"combined\" resolveHosts=\"false\"/>'' else ""}</Host>'') cfg.virtualHosts)}" \ + ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml + '' + } + ${optionalString (cfg.logDirs != []) '' + for i in ${toString cfg.logDirs}; do + mkdir -p ${cfg.baseDir}/logs/$i + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/$i + done + ''} + ${optionalString cfg.logPerVirtualHost (toString (map (h: '' + mkdir -p ${cfg.baseDir}/logs/${h.name} + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} + '') cfg.virtualHosts))} # Symlink all the given common libs files or paths into the lib/ directory - for i in ${tomcat} ${toString cfg.commonLibs} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the common/lib/ directory - ln -sfn $i ${cfg.baseDir}/lib/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/lib/* - do - ln -sfn $j ${cfg.baseDir}/lib/`basename $j` - done - fi + for i in ${tomcat} ${toString cfg.commonLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/lib/*; do + ln -sfn $j ${cfg.baseDir}/lib/`basename $j` + done + fi done # Symlink all the given shared libs files or paths into the shared/lib/ directory - for i in ${toString cfg.sharedLibs} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the common/lib/ directory - ln -sfn $i ${cfg.baseDir}/shared/lib/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/shared/lib/* - do - ln -sfn $j ${cfg.baseDir}/shared/lib/`basename $j` - done - fi + for i in ${toString cfg.sharedLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/shared/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/shared/lib/*; do + ln -sfn $j ${cfg.baseDir}/shared/lib/`basename $j` + done + fi done # Symlink all the given web applications files or paths into the webapps/ directory - for i in ${toString cfg.webapps} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the webapps/ directory - ln -sfn $i ${cfg.baseDir}/webapps/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/* - do - ln -sfn $j ${cfg.baseDir}/webapps/`basename $j` - done + for i in ${toString cfg.webapps}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/webapps/`basename $j` + done - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - mkdir -p ${cfg.baseDir}/conf/Catalina/localhost - ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` - done - fi + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/localhost + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done fi + fi done ${toString (map (virtualHost: '' @@ -275,94 +292,79 @@ in # Symlink all the given web applications files or paths into the webapps/ directory # of this virtual host - for i in "${if virtualHost ? webapps then toString virtualHost.webapps else ""}" - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the webapps/ directory - ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/* - do - ln -sfn $j ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $j` - done - - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - mkdir -p ${cfg.baseDir}/conf/Catalina/${virtualHost.name} - ln -sfn $j ${cfg.baseDir}/conf/Catalina/${virtualHost.name}/`basename $j` - done - fi + for i in "${if virtualHost ? webapps then toString virtualHost.webapps else ""}"; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/${virtualHost.name} + ln -sfn $j ${cfg.baseDir}/conf/Catalina/${virtualHost.name}/`basename $j` + done fi + fi done - - '' - ) cfg.virtualHosts) } - - # Create a work/ directory - mkdir -p ${cfg.baseDir}/work - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/work - - ${if cfg.axis2.enable then - '' - # Copy the Axis2 web application - cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps - - # Turn off addressing, which causes many errors - sed -i -e 's%<module ref="addressing"/>%<!-- <module ref="addressing"/> -->%' ${cfg.baseDir}/webapps/axis2/WEB-INF/conf/axis2.xml - - # Modify permissions on the Axis2 application - chown -R ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps/axis2 - - # Symlink all the given web service files or paths into the webapps/axis2/WEB-INF/services directory - for i in ${toString cfg.axis2.services} - do - if [ -f $i ] - then - # If the given web service is a file, symlink it into the webapps/axis2/WEB-INF/services - ln -sfn $i ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/axis2/WEB-INF/services/* - do - ln -sfn $j ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $j` - done - - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` - done - fi - fi - done - '' - else ""} - ''; - - script = '' - ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c 'CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} JAVA_OPTS="${cfg.javaOpts}" CATALINA_OPTS="${cfg.catalinaOpts}" ${tomcat}/bin/startup.sh' - ''; - - preStop = '' - echo "Stopping tomcat..." - CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c ${tomcat}/bin/shutdown.sh + '') cfg.virtualHosts)} + + ${optionalString cfg.axis2.enable '' + # Copy the Axis2 web application + cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps + + # Turn off addressing, which causes many errors + sed -i -e 's%<module ref="addressing"/>%<!-- <module ref="addressing"/> -->%' ${cfg.baseDir}/webapps/axis2/WEB-INF/conf/axis2.xml + + # Modify permissions on the Axis2 application + chown -R ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps/axis2 + + # Symlink all the given web service files or paths into the webapps/axis2/WEB-INF/services directory + for i in ${toString cfg.axis2.services}; do + if [ -f $i ]; then + # If the given web service is a file, symlink it into the webapps/axis2/WEB-INF/services + ln -sfn $i ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/axis2/WEB-INF/services/*; do + ln -sfn $j ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done + fi + fi + done + ''} ''; + serviceConfig = { + Type = "forking"; + PermissionsStartOnly = true; + PIDFile="/run/tomcat/tomcat.pid"; + RuntimeDirectory = "tomcat"; + User = cfg.user; + Environment=[ + "CATALINA_BASE=${cfg.baseDir}" + "CATALINA_PID=/run/tomcat/tomcat.pid" + "JAVA_HOME='${cfg.jdk}'" + "JAVA_OPTS='${builtins.toString cfg.javaOpts}'" + "CATALINA_OPTS='${builtins.toString cfg.catalinaOpts}'" + ] ++ cfg.extraEnvironment; + ExecStart = "${tomcat}/bin/startup.sh"; + ExecStop = "${tomcat}/bin/shutdown.sh"; + }; }; - }; - } diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index b5e936830918..9d30155a7234 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -9,6 +9,10 @@ let xEnv = config.systemd.services."display-manager".environment; cfg = dmcfg.lightdm; + dmDefault = xcfg.desktopManager.default; + wmDefault = xcfg.windowManager.default; + hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; + inherit (pkgs) stdenv lightdm writeScript writeText; # lightdm runs with clearenv(), but we need a few things in the enviornment for X to startup @@ -54,14 +58,13 @@ let autologin-user-timeout = ${toString cfg.autoLogin.timeout} autologin-session = ${defaultSessionName} ''} + ${optionalString hasDefaultUserSession '' + user-session=${defaultSessionName} + ''} ${cfg.extraSeatDefaults} ''; - defaultSessionName = - let - dm = xcfg.desktopManager.default; - wm = xcfg.windowManager.default; - in dm + optionalString (wm != "none") ("+" + wm); + defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); in { # Note: the order in which lightdm greeter modules are imported @@ -179,6 +182,14 @@ in default session: ${defaultSessionName} is not valid. ''; } + { assertion = hasDefaultUserSession -> elem defaultSessionName dmcfg.session.names; + message = '' + services.xserver.desktopManager.default and + services.xserver.windowMananger.default are not set to valid + values. The current default session: ${defaultSessionName} + is not valid. + ''; + } { assertion = !cfg.greeter.enable -> (cfg.autoLogin.enable && cfg.autoLogin.timeout == 0); message = '' LightDM can only run without greeter if automatic login is enabled and the timeout for it diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index dd7929285cd2..c563614caaaf 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -117,14 +117,7 @@ in config = { - system.activationScripts.stdio = - '' - # Needed by some programs. - ln -sfn /proc/self/fd /dev/fd - ln -sfn /proc/self/fd/0 /dev/stdin - ln -sfn /proc/self/fd/1 /dev/stdout - ln -sfn /proc/self/fd/2 /dev/stderr - ''; + system.activationScripts.stdio = ""; # obsolete system.activationScripts.var = '' diff --git a/nixos/modules/system/boot/initrd-network.nix b/nixos/modules/system/boot/initrd-network.nix index 4a6e1c7e56e5..33862b0965cc 100644 --- a/nixos/modules/system/boot/initrd-network.nix +++ b/nixos/modules/system/boot/initrd-network.nix @@ -23,6 +23,8 @@ let fi ''; + udhcpcArgs = toString cfg.udhcpc.extraArgs; + in { @@ -47,6 +49,16 @@ in ''; }; + boot.initrd.network.udhcpc.extraArgs = mkOption { + default = []; + type = types.listOf types.str; + description = '' + Additional command-line arguments passed verbatim to udhcpc if + <option>boot.initrd.network.enable</option> and <option>networking.useDHCP</option> + are enabled. + ''; + }; + boot.initrd.network.postCommands = mkOption { default = ""; type = types.lines; @@ -91,7 +103,7 @@ in # Acquire a DHCP lease. echo "acquiring IP address via DHCP..." - udhcpc --quit --now --script ${udhcpcScript} && hasNetwork=1 + udhcpc --quit --now --script ${udhcpcScript} ${udhcpcArgs} && hasNetwork=1 fi '' diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8b390e1b60c4..54dfb53fd30f 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name; '' # Wait for a target (e.g. device, keyFile, header, ...) to appear. wait_target() { @@ -43,8 +43,17 @@ let open_normally() { echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \ ${optionalString (header != null) "--header=${header}"} \ - ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \ > /.luksopen_args + ${optionalString (keyFile != null) '' + ${optionalString fallbackToPassword "if [ -e ${keyFile} ]; then"} + echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \ + >> /.luksopen_args + ${optionalString fallbackToPassword '' + else + echo "keyfile ${keyFile} not found -- fallback to interactive unlocking" + fi + ''} + ''} cryptsetup-askpass rm /.luksopen_args } @@ -324,6 +333,16 @@ in ''; }; + fallbackToPassword = mkOption { + default = false; + type = types.bool; + description = '' + Whether to fallback to interactive passphrase prompt if the keyfile + cannot be found. This will prevent unattended boot should the keyfile + go missing. + ''; + }; + yubikey = mkOption { default = null; description = '' diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index b915a98d5375..dee0ab470c99 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix @@ -54,7 +54,7 @@ with lib; environment.systemPackages = [ pkgs.kmod ]; - system.activationScripts.modprobe = + system.activationScripts.modprobe = stringAfter ["specialfs"] '' # Allow the kernel to find our wrapped modprobe (which searches # in the right location in the Nix store for kernel modules). diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 7bf7a51a2417..eea10613ea58 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -650,11 +650,7 @@ let unitFiles = map (name: { target = "systemd/network/${name}"; source = "${cfg.units.${name}.unit}/${name}"; - }) (attrNames cfg.units) ++ - (map (entry: { - target = "systemd/network/${entry}"; - source = "${config.systemd.package}/lib/systemd/network/${entry}"; - }) (attrNames (builtins.readDir "${config.systemd.package}/lib/systemd/network"))); + }) (attrNames cfg.units); in { diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 46aed44bf10f..9d2c580d62a7 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -82,7 +82,6 @@ ln -s /proc/mounts /etc/mtab mkdir -m 01777 -p /tmp mkdir -m 0755 -p /var/{log,lib,db} /nix/var /etc/nixos/ \ /run/lock /home /bin # for the /bin/sh symlink -install -m 0700 -d /root # Miscellaneous boot time cleanup. diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 8aa5163ce229..630fe6d114ce 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -288,6 +288,17 @@ let ${i} '')}" > /run/${n}.interfaces + ${optionalString config.virtualisation.libvirtd.enable '' + # Enslave dynamically added interfaces which may be lost on nixos-rebuild + for uri in qemu:///system lxc:///; do + for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do + ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \ + ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \ + ${pkgs.bash}/bin/bash + done + done + ''} + # Enable stp on the interface ${optionalString v.rstp '' echo 2 >/sys/class/net/${n}/bridge/stp_state diff --git a/nixos/modules/virtualisation/parallels-guest.nix b/nixos/modules/virtualisation/parallels-guest.nix index fc0409e9ec77..36ca7f356d44 100644 --- a/nixos/modules/virtualisation/parallels-guest.nix +++ b/nixos/modules/virtualisation/parallels-guest.nix @@ -3,9 +3,7 @@ with lib; let - - prl-tools = config.boot.kernelPackages.prl-tools; - + prl-tools = config.hardware.parallels.package; in { @@ -22,6 +20,26 @@ in ''; }; + autoMountShares = mkOption { + type = types.bool; + default = true; + description = '' + Control prlfsmountd service. When this service is running, shares can not be manually + mounted through `mount -t prl_fs ...` as this service will remount and trample any set options. + Recommended to enable for simple file sharing, but extended share use such as for code should + disable this to manually mount shares. + ''; + }; + + package = mkOption { + type = types.package; + default = config.boot.kernelPackages.prl-tools; + defaultText = "config.boot.kernelPackages.prl-tools"; + example = literalExample "config.boot.kernelPackages.prl-tools"; + description = '' + Defines which package to use for prl-tools. Override to change the version. + ''; + }; }; }; @@ -67,7 +85,7 @@ in }; }; - systemd.services.prlfsmountd = { + systemd.services.prlfsmountd = mkIf config.hardware.parallels.autoMountShares { description = "Parallels Shared Folders Daemon"; wantedBy = [ "multi-user.target" ]; serviceConfig = rec { diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index afc5a42f8b4e..cf57868acef9 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -241,6 +241,12 @@ in ''; target = "default/xendomains"; } + ] + ++ lib.optionals (builtins.compareVersions cfg.package.version "4.10" >= 0) [ + # in V 4.10 oxenstored requires /etc/xen/oxenstored.conf to start + { source = "${cfg.package}/etc/xen/oxenstored.conf"; + target = "xen/oxenstored.conf"; + } ]; # Xen provides udev rules. @@ -262,7 +268,7 @@ in mkdir -p /var/lib/xen # so we create them here unconditionally. grep -q control_d /proc/xen/capabilities ''; - serviceConfig = if cfg.package.version < "4.8" then + serviceConfig = if (builtins.compareVersions cfg.package.version "4.8" < 0) then { ExecStart = '' ${cfg.stored}${optionalString cfg.trace " -T /var/log/xen/xenstored-trace.log"} --no-fork ''; @@ -275,7 +281,7 @@ in NotifyAccess = "all"; }; postStart = '' - ${optionalString (cfg.package.version < "4.8") '' + ${optionalString (builtins.compareVersions cfg.package.version "4.8" < 0) '' time=0 timeout=30 # Wait for xenstored to actually come up, timing out after 30 seconds @@ -320,7 +326,7 @@ in serviceConfig = { ExecStart = '' ${cfg.package}/bin/xenconsoled\ - ${optionalString ((cfg.package.version >= "4.8")) " -i"}\ + ${optionalString ((builtins.compareVersions cfg.package.version "4.8" >= 0)) " -i"}\ ${optionalString cfg.trace " --log=all --log-dir=/var/log/xen"} ''; }; |