author | Luca Bruno <lucabru@src.gnome.org> | 2014-08-14 23:09:59 +0200 |
---|---|---|
committer | Luca Bruno <lucabru@src.gnome.org> | 2014-08-14 23:09:59 +0200 |
commit | b83aceaecb7e2d5150a1ba62b9c4bed50dd7fb04 (patch) | |
tree | 845793c328feaa6a8c5ee54483b27b453da1c7cd /nixos/modules | |
parent | d1ed0f44cd154926e761cedee1cee72e55345807 (diff) | |
parent | dfbc9ff78123f750e8c8782d10b2271a8062bc4a (diff) | |
Merge branch 'master' into staging
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/config/pulseaudio.nix | 10 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 4 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 4 | ||||
-rw-r--r-- | nixos/modules/programs/dconf.nix | 34 | ||||
-rw-r--r-- | nixos/modules/security/rngd.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/hardware/tcsd.nix | 139 | ||||
-rw-r--r-- | nixos/modules/services/networking/dhcpd.nix | 35 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/lighttpd/default.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/gnome3.nix | 25 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/gdm.nix | 151 | ||||
-rw-r--r-- | nixos/modules/services/x11/window-managers/bspwm.nix | 29 | ||||
-rw-r--r-- | nixos/modules/services/x11/window-managers/default.nix | 1 |
12 files changed, 420 insertions, 21 deletions
diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index 67e536f4fd93..96593885e5b7 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -80,12 +80,12 @@ in { package = mkOption { type = types.package; - default = pulseaudio; - example = literalExample "pulseaudio.override { jackaudioSupport = true; }"; + default = pulseaudioFull; + example = literalExample "pulseaudioFull"; description = '' - The PulseAudio derivation to use. This can be used to enable - features (such as JACK support) that are not enabled in the - default PulseAudio in Nixpkgs. + The PulseAudio derivation to use. This can be used to disable + features (such as JACK support, Bluetooth) that are enabled in the + pulseaudioFull package in Nixpkgs. ''; }; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 853efcc09dc1..fa81ff8a8398 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -139,6 +139,8 @@ polipo = 129; mopidy = 130; unifi = 131; + gdm = 132; + dhcpd = 133; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -252,6 +254,8 @@ polipo = 129; mopidy = 130; docker = 131; + gdm = 132; + tss = 133; # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399! diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 4806c0e93312..d90c56f2412a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -50,6 +50,7 @@ ./programs/bash/bash.nix ./programs/bash/command-not-found.nix ./programs/blcr.nix + ./programs/dconf.nix ./programs/environment.nix ./programs/info.nix ./programs/screen.nix @@ -125,6 +126,7 @@ ./services/hardware/pcscd.nix ./services/hardware/pommed.nix ./services/hardware/sane.nix + ./services/hardware/tcsd.nix ./services/hardware/thinkfan.nix ./services/hardware/udev.nix ./services/hardware/udisks2.nix 
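Review bot: The rewritten `example` now repeats the new default (`pulseaudioFull`), so it no longer demonstrates what the rewritten description promises — picking a build with fewer features — and the default now brings in whatever extra modules (Bluetooth, JACK, per the description) `pulseaudioFull` enables, which is the direction users are most likely to want to reverse. Suggest `example = literalExample "pkgs.pulseaudio";` (the previous default) and a description sentence such as "pulseaudioFull enables Bluetooth and JACK support; use pkgs.pulseaudio for a smaller build without them", hedged since pulseaudioFull's exact feature list is not visible in this hunk.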
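Review bot: The new uid `dhcpd = 133` reuses the number given to the new gid `tss = 133`, while the comment kept as context directly under each table says a new uid must not match an existing gid (the `gdm = 132` pair on both sides is the intended pattern). The tcsd module added in this same merge also creates a `tss` *user* but has no `ids.uids.tss` to point at, so the uid table is missing an entry this commit needs. Suggest adding `tss = 134;` to the uid table and moving the new gid to `tss = 134;`, or giving `dhcpd` its own gid 133 — hedged, since the rest of both tables is outside the hunk and 134 may already be taken.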
@@ -279,6 +281,7 @@
 ./services/x11/desktop-managers/default.nix
 ./services/x11/display-managers/auto.nix
 ./services/x11/display-managers/default.nix
+ ./services/x11/display-managers/gdm.nix
 ./services/x11/display-managers/kdm.nix
 ./services/x11/display-managers/lightdm.nix
 ./services/x11/display-managers/slim.nix
@@ -290,6 +293,7 @@
 #./services/x11/window-managers/compiz.nix
 ./services/x11/window-managers/default.nix
 ./services/x11/window-managers/icewm.nix
+ ./services/x11/window-managers/bspwm.nix
 ./services/x11/window-managers/metacity.nix
 ./services/x11/window-managers/none.nix
 ./services/x11/window-managers/twm.nix
diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix
new file mode 100644
index 000000000000..1b7e20799819
--- /dev/null
+++ b/nixos/modules/programs/dconf.nix
@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib) mkOption mkIf types mapAttrsToList;
+ cfg = config.programs.dconf;
+
+ mkDconfProfile = name: path:
+ { source = path; target = "dconf/profile/${name}"; };
+
+in
+{
+ ###### interface
+
+ options = {
+ programs.dconf = {
+
+ profiles = mkOption {
+ type = types.attrsOf types.path;
+ default = {};
+ description = "Set of dconf profile files.";
+ internal = true;
+ };
+
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf (cfg.profiles != {}) {
+ environment.etc =
+ (mapAttrsToList mkDconfProfile cfg.profiles);
+ };
+
+}
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index c31e57e6f6f8..4d8fabc7696e 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -30,7 +30,8 @@ with lib;
 description = "Hardware RNG Entropy Gatherer Daemon";
- serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f";
+ serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v"
+ + (if config.services.tcsd.enable then " --no-tpm=1" else "");
 restartTriggers = [ pkgs.rng_tools ];
 };
diff --git a/nixos/modules/services/hardware/tcsd.nix b/nixos/modules/services/hardware/tcsd.nix
new file mode 100644
index 000000000000..26b2c884b8f1
--- /dev/null
+++ b/nixos/modules/services/hardware/tcsd.nix
@@ -0,0 +1,139 @@ +# tcsd daemon. + +{ config, pkgs, ... }: + +with pkgs.lib; +let + + cfg = config.services.tcsd; + + tcsdConf = pkgs.writeText "tcsd.conf" '' + port = 30003 + num_threads = 10 + system_ps_file = ${cfg.stateDir}/system.data + # This is the log of each individual measurement done by the system. + # By re-calculating the PCR registers based on this information, even + # finer details about the measured environment can be inferred than + # what is available directly from the PCR registers. + firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements + kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements + #firmware_pcrs = 0,1,2,3,4,5,6,7 + #kernel_pcrs = 10,11 + platform_cred = ${cfg.platformCred} + conformance_cred = ${cfg.conformanceCred} + endorsement_cred = ${cfg.endorsementCred} + #remote_ops = create_key,random + #host_platform_class = server_12 + #all_platform_classes = pc_11,pc_12,mobile_12 + ''; + +in +{ + + ###### interface + + options = { + + services.tcsd = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable tcsd, a Trusted Computing management service + that provides TCG Software Stack (TSS). The tcsd daemon is + the only portal to the Trusted Platform Module (TPM), a hardware + chip on the motherboard. + ''; + }; + + user = mkOption { + default = "tss"; + type = types.string; + description = "User account under which tcsd runs."; + }; + + group = mkOption { + default = "tss"; + type = types.string; + description = "Group account under which tcsd runs."; + }; + + stateDir = mkOption { + default = "/var/lib/tpm"; + type = types.path; + description = '' + The location of the system persistent storage file. + The system persistent storage file holds keys and data across + restarts of the TCSD and system reboots. 
+ ''; + }; + + platformCred = mkOption { + default = "${cfg.stateDir}/platform.cert"; + type = types.path; + description = '' + Path to the platform credential for your TPM. Your TPM + manufacturer may have provided you with a set of credentials + (certificates) that should be used when creating identities + using your TPM. When a user of your TPM makes an identity, + this credential will be encrypted as part of that process. + See the 1.1b TPM Main specification section 9.3 for information + on this process. ''; + }; + + conformanceCred = mkOption { + default = "${cfg.stateDir}/conformance.cert"; + type = types.path; + description = '' + Path to the conformance credential for your TPM. + See also the platformCred option''; + }; + + endorsementCred = mkOption { + default = "${cfg.stateDir}/endorsement.cert"; + type = types.path; + description = '' + Path to the endorsement credential for your TPM. + See also the platformCred option''; + }; + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.trousers ]; + +# system.activationScripts.tcsd = +# '' +# chown ${cfg.user}:${cfg.group} ${tcsdConf} +# ''; + + systemd.services.tcsd = { + description = "TCSD"; + after = [ "systemd-udev-settle.service" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.trousers ]; + preStart = + '' + mkdir -m 0700 -p ${cfg.stateDir} + chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir} + ''; + serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}"; + }; + + users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton + { name = "tss"; + group = "tss"; + uid = config.ids.uids.nginx; + }); + + users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton + { name = "tss"; + gid = config.ids.gids.nginx; + }); + }; +} diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix index e5e1c103c686..900df67b53aa 100644 --- a/nixos/modules/services/networking/dhcpd.nix 
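Review bot: The `tss` user and group at the end of the hunk are created with `uid = config.ids.uids.nginx;` and `gid = config.ids.gids.nginx;`, so the TPM daemon runs under the same numeric identity as the nginx web server, and `${cfg.stateDir}` — chmod 0700 and chowned to tss, holding the `system.data` persistent key store — is fully readable and writable by any nginx worker. The ids.nix change in this same merge only reserves a `tss` gid, so the fix is to reserve a uid too and use `uid = config.ids.uids.tss;` / `gid = config.ids.gids.tss;`. Separately, the `user`/`group` options never reach the daemon (`ExecStart` passes no user flag, and the account is only created when the value is exactly `"tss"`), so the options appear to be no-ops; either wire them through or drop them, and use `types.str` rather than `types.string`, which silently concatenates conflicting definitions. Whether trousers' tcsd itself drops to a hard-coded `tss` account is not visible here and is worth confirming, since the daemon otherwise stays root.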
+++ b/nixos/modules/services/networking/dhcpd.nix @@ -13,7 +13,7 @@ let default-lease-time 600; max-lease-time 7200; authoritative; - ddns-update-style ad-hoc; + ddns-update-style interim; log-facility local1; # see dhcpd.nix ${cfg.extraConfig} @@ -108,22 +108,41 @@ in config = mkIf config.services.dhcpd.enable { - jobs.dhcpd = + users = { + extraUsers.dhcpd = { + uid = config.ids.uids.dhcpd; + description = "DHCP daemon user"; + }; + }; + + systemd.services.dhcpd = { description = "DHCP server"; - startOn = "started network-interfaces"; - stopOn = "stopping network-interfaces"; + wantedBy = [ "multi-user.target" ]; - script = + after = [ "network.target" ]; + + path = [ pkgs.dhcp ]; + + preStart = '' mkdir -m 755 -p ${stateDir} touch ${stateDir}/dhcpd.leases - exec ${pkgs.dhcp}/sbin/dhcpd -f -cf ${configFile} \ - -lf ${stateDir}/dhcpd.leases \ - ${toString cfg.interfaces} + mkdir -m 755 -p /run/dhcpd + chown dhcpd /run/dhcpd ''; + + serviceConfig = + { ExecStart = "@${pkgs.dhcp}/sbin/dhcpd dhcpd" + + " -pf /run/dhcpd/dhcpd.pid -cf ${configFile}" + + " -lf ${stateDir}/dhcpd.leases -user dhcpd -group nogroup" + + " ${toString cfg.interfaces}"; + Restart = "always"; + Type = "forking"; + PIDFile = "/run/dhcpd/dhcpd.pid"; + }; }; }; diff --git a/nixos/modules/services/web-servers/lighttpd/default.nix b/nixos/modules/services/web-servers/lighttpd/default.nix index f0f59a664026..fc9487ab4859 100644 --- a/nixos/modules/services/web-servers/lighttpd/default.nix +++ b/nixos/modules/services/web-servers/lighttpd/default.nix 
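Review bot: The service now starts dhcpd with `-user dhcpd -group nogroup`, but `preStart` still creates `${stateDir}` with mode 755 and `touch`es `${stateDir}/dhcpd.leases` as root with no chown, so after the privilege drop the daemon cannot write its lease database (ISC dhcpd rewrites `dhcpd.leases` in that directory periodically, as far as I can tell) and leases will fail to persist — add `chown -R dhcpd ${stateDir}` next to the existing `chown dhcpd /run/dhcpd`. `nogroup` is also a shared group; a dedicated `dhcpd` group in `users.extraGroups` (the module already adds a user) keeps the daemon's files from being co-owned with other nogroup processes. The `ddns-update-style ad-hoc` → `interim` switch in the first hunk is a behaviour change for any `extraConfig` that assumed ad-hoc and deserves a mention in the option description or release notes.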
@@ -9,9 +9,9 @@ let
 cfg = config.services.lighttpd;
 needModRedirect = cfg.gitweb.enable;
- needModAlias = cfg.cgit.enable or cfg.gitweb.enable;
- needModSetenv = cfg.cgit.enable or cfg.gitweb.enable;
- needModCgi = cfg.cgit.enable or cfg.gitweb.enable;
+ needModAlias = cfg.cgit.enable || cfg.gitweb.enable;
+ needModSetenv = cfg.cgit.enable || cfg.gitweb.enable;
+ needModCgi = cfg.cgit.enable || cfg.gitweb.enable;
 needModStatus = cfg.mod_status;
 needModUserdir = cfg.mod_userdir;
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index df50ca8c905c..06bcb6dbb8be 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -35,6 +35,14 @@ in {
 description = "Enable Gnome 3 desktop manager.";
 };
+ services.xserver.desktopManager.gnome3.sessionPath = mkOption {
+ default = [];
+ example = "[ pkgs.gnome3.gpaste ]";
+ description = "Additional list of packages to be added to the session search path.
+ Useful for gnome shell extensions or gsettings-conditionated autostart.";
+ apply = list: list ++ [ gnome3.gnome_shell ];
+ };
+
 environment.gnome3.packageSet = mkOption {
 default = pkgs.gnome3;
 example = literalExample "pkgs.gnome3_12";
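Review bot: The new `sessionPath` option declares no `type`, so a single package or a string passed by a user is not rejected at evaluation time and instead fails later inside `apply` (`list ++ [ ... ]`) or in the session script's loop that interpolates `${p}/lib` and `${p.name}`; add `type = types.listOf types.package;`. The `example` is also a plain string where the neighbouring `packageSet` option uses `literalExample`, so the generated manual will render it quoted, and "gsettings-conditionated" in the description reads better as "gsettings-conditional".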
@@ -86,10 +94,19 @@ in { export XDG_MENU_PREFIX=gnome - # Don't let epiphany depend upon gnome-shell - # Don't let gnome-session depend upon vino (for .desktop autostart condition) + ${concatMapStrings (p: '' + if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} + fi + + if [ -d "${p}/lib/girepository-1.0" ]; then + export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib + fi + '') cfg.sessionPath} + # Override default mimeapps - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome3.gnome_shell}/share/gsettings-schemas/${gnome3.gnome_shell.name}:${gnome3.vino}/share/gsettings-schemas/${gnome3.vino.name}:${mimeAppsList}/share + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${mimeAppsList}/share # Let gnome-control-center find gnome-shell search providers export GNOME_SEARCH_PROVIDERS_DIR=${config.system.path}/share/gnome-shell/search-providers/ @@ -123,7 +140,7 @@ in { gnome3.gnome_settings_daemon gnome3.gnome_shell gnome3.gnome_themes_standard - ] ++ (removePackagesByName [ + ] ++ cfg.sessionPath ++ (removePackagesByName [ gnome3.baobab gnome3.empathy gnome3.eog diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix new file mode 100644 index 000000000000..9d14fc2e137c --- /dev/null +++ b/nixos/modules/services/x11/display-managers/gdm.nix 
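Review bot: The new loop exports `LD_LIBRARY_PATH=...:${p}/lib` into the session environment for every package in `sessionPath` that ships `lib/girepository-1.0`, so every process launched from the session — not just gnome-shell — resolves shared libraries from those directories ahead of the ones it was linked against, which can shadow libraries for unrelated programs and is a classic source of hard-to-diagnose crashes. If only the GI typelib consumer needs those libraries, prefer wrapping gnome-shell (or limiting the export to it) over a session-wide `LD_LIBRARY_PATH`; if it has to stay, add a comment such as `# LD_LIBRARY_PATH is needed because GI_TYPELIB_PATH alone does not let gjs dlopen the extension's libraries` so the next maintainer knows why. The session script this runs in starts before the hunk.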
@@ -0,0 +1,151 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.xserver.displayManager; + gdm = pkgs.gnome3_12.gdm; # gdm 3.10 not supported + gnome3 = config.environment.gnome3.packageSet; + +in + +{ + + ###### interface + + options = { + + services.xserver.displayManager.gdm = { + + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether to enable GDM as the display manager. + <emphasis>GDM is very experimental and may render system unusable.</emphasis> + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.gdm.enable { + + services.xserver.displayManager.slim.enable = false; + + users.extraUsers.gdm = + { name = "gdm"; + uid = config.ids.uids.gdm; + group = "gdm"; + home = "/run/gdm"; + description = "GDM user"; + }; + + users.extraGroups.gdm.gid = config.ids.gids.gdm; + + services.xserver.displayManager.job = + { + environment = { + GDM_X_SERVER = "${cfg.xserverBin} ${cfg.xserverArgs}"; + GDM_SESSIONS_DIR = "${cfg.session.desktops}"; + XDG_CONFIG_DIRS = "${gnome3.gnome_settings_daemon}/etc/xdg"; + }; + execCmd = "exec ${gdm}/sbin/gdm"; + }; + + # Because sd_login_monitor_new requires /run/systemd/machines + systemd.services.display-manager.wants = [ "systemd-machined.service" ]; + systemd.services.display-manager.after = [ "systemd-machined.service" ]; + + systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou ]; + + services.dbus.packages = [ gdm ]; + + programs.dconf.profiles.gdm = "${gdm}/share/dconf/profile/gdm"; + + # GDM LFS PAM modules, adapted somehow to NixOS + security.pam.services = { + gdm-launch-environment.text = '' + auth required pam_succeed_if.so audit quiet_success user = gdm + auth optional pam_permit.so + + account required pam_succeed_if.so audit quiet_success user = gdm + account sufficient pam_unix.so + + password required pam_deny.so + + session required pam_succeed_if.so audit quiet_success user = gdm + session 
required pam_env.so envfile=${config.system.build.pamEnvironment} + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional pam_keyinit.so force revoke + session optional pam_permit.so + ''; + + gdm.text = '' + auth requisite pam_nologin.so + auth required pam_env.so + + auth required pam_succeed_if.so uid >= 1000 quiet + auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so + auth sufficient pam_unix.so nullok likeauth + auth required pam_deny.so + + account sufficient pam_unix.so + + password requisite pam_unix.so nullok sha512 + + session required pam_env.so envfile=${config.system.build.pamEnvironment} + session required pam_unix.so + session required pam_loginuid.so + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start + ''; + + gdm-password.text = '' + auth requisite pam_nologin.so + auth required pam_env.so envfile=${config.system.build.pamEnvironment} + + auth required pam_succeed_if.so uid >= 1000 quiet + auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so + auth sufficient pam_unix.so nullok likeauth + auth required pam_deny.so + + account sufficient pam_unix.so + + password requisite pam_unix.so nullok sha512 + + session required pam_env.so envfile=${config.system.build.pamEnvironment} + session required pam_unix.so + session required pam_loginuid.so + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start + ''; + + gdm-autologin.text = '' + auth requisite pam_nologin.so + + auth required pam_succeed_if.so uid >= 1000 quiet + auth required pam_permit.so + + account sufficient pam_unix.so + + password requisite pam_unix.so nullok sha512 + + session optional pam_keyinit.so revoke + session required pam_env.so envfile=${config.system.build.pamEnvironment} + session required pam_unix.so + session required 
pam_loginuid.so + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + ''; + + }; + + }; + +} diff --git a/nixos/modules/services/x11/window-managers/bspwm.nix b/nixos/modules/services/x11/window-managers/bspwm.nix new file mode 100644 index 000000000000..d234a432e9a9 --- /dev/null +++ b/nixos/modules/services/x11/window-managers/bspwm.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.bspwm; +in + +{ + options = { + services.xserver.windowManager.bspwm.enable = mkOption { + type = types.bool; + default = false; + example = true; + description = "Enable the bspwm window manager."; + }; + }; + + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "bspwm"; + start = " + ${pkgs.sxhkd}/bin/sxhkd & + ${pkgs.bspwm}/bin/bspwm + "; + }; + environment.systemPackages = [ pkgs.bspwm ]; + }; +} diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index f27ba3661413..45a4e947e0aa 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -17,6 +17,7 @@ in ./xmonad.nix ./i3.nix ./herbstluftwm.nix + ./bspwm.nix ]; options = { |
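Review bot: All four PAM stacks are supplied as verbatim `.text`, which bypasses the NixOS PAM generator entirely, so the hooks it provides for other login paths (LDAP, `allowNullPassword`, session modules configured through `security.pam.services.<name>`) will not apply to GDM, and `pam_unix.so nullok` is hard-wired on the `gdm` and `gdm-password` auth lines so empty passwords are always accepted here regardless of the system-wide setting. Unless GDM needs something the generator cannot express, declaring these as `security.pam.services.gdm = { startSession = true; ... }` (and likewise `gdm-password`) keeps the display manager consistent with the other login paths; at minimum, drop the unconditional `nullok`. The `gdm-autologin` stack correctly keeps `auth required pam_succeed_if.so uid >= 1000 quiet` before `pam_permit.so`; a comment `# uid check is the only guard against autologin of system accounts` would make its purpose explicit.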