diff options
author | Frederik Rietdijk <fridh@fridh.nl> | 2017-07-17 13:52:01 +0200 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2017-07-17 13:52:01 +0200 |
commit | 3eceecb90db691f22e46eb892bd7800f953d605e (patch) | |
tree | d7dae792d8f7a6f9eea7d8164e9849ab232d1d7d /nixos/modules | |
parent | 8e98811f76fa29e8a3782e9b0b0acc6d16926cac (diff) | |
parent | 8669fb1f96cfd68ed68d9d76ff1f0237d4d96748 (diff) | |
download | nixlib-3eceecb90db691f22e46eb892bd7800f953d605e.tar nixlib-3eceecb90db691f22e46eb892bd7800f953d605e.tar.gz nixlib-3eceecb90db691f22e46eb892bd7800f953d605e.tar.bz2 nixlib-3eceecb90db691f22e46eb892bd7800f953d605e.tar.lz nixlib-3eceecb90db691f22e46eb892bd7800f953d605e.tar.xz nixlib-3eceecb90db691f22e46eb892bd7800f953d605e.tar.zst nixlib-3eceecb90db691f22e46eb892bd7800f953d605e.zip |
Merge remote-tracking branch 'upstream/master' into HEAD
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/config/pulseaudio.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/profiles/all-hardware.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/audio/alsa.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/misc/nixos-manual.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/misc/snapper.nix | 152 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/helper-tool.py | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/tinc.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/printing/cupsd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 52 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 26 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1-init.sh | 1 |
12 files changed, 227 insertions, 36 deletions
diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index bd80c8113483..b12ef2fe861d 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -6,6 +6,7 @@ with lib; let cfg = config.hardware.pulseaudio; + alsaCfg = config.sound; systemWide = cfg.enable && cfg.systemWide; nonSystemWide = cfg.enable && !cfg.systemWide; @@ -76,6 +77,7 @@ let ctl.!default { type pulse } + ${alsaCfg.extraConfig} ''); in { diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 1f2fbb7d85c9..4335a4b3eece 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -326,6 +326,7 @@ ./services/misc/ripple-data-api.nix ./services/misc/rogue.nix ./services/misc/siproxd.nix + ./services/misc/snapper.nix ./services/misc/sonarr.nix ./services/misc/spice-vdagentd.nix ./services/misc/ssm-agent.nix diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index 530b2fbffd1c..6e6ae98e19fc 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -41,6 +41,9 @@ # Virtio (QEMU, KVM etc.) support. "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console" + + # VMware support. + "mptspi" "vmw_balloon" "vmwgfx" "vmw_vmci" "vmw_vsock_vmci_transport" "vmxnet3" "vsock" # Hyper-V support. "hv_storvsc" diff --git a/nixos/modules/services/audio/alsa.nix b/nixos/modules/services/audio/alsa.nix index 53786dbc6270..acf48d3c3d03 100644 --- a/nixos/modules/services/audio/alsa.nix +++ b/nixos/modules/services/audio/alsa.nix @@ -7,6 +7,8 @@ let inherit (pkgs) alsaUtils; + pulseaudioEnabled = config.hardware.pulseaudio.enable; + in { @@ -80,7 +82,7 @@ in environment.systemPackages = [ alsaUtils ]; - environment.etc = mkIf (config.sound.extraConfig != "") + environment.etc = mkIf (!pulseaudioEnabled && config.sound.extraConfig != "") [ { source = pkgs.writeText "asound.conf" config.sound.extraConfig; target = "asound.conf"; diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 622607f3b32d..515864ec2e2d 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -62,8 +62,7 @@ let name = "nixos-manual"; desktopName = "NixOS Manual"; genericName = "View NixOS documentation in a web browser"; - # TODO: find a better icon (Nix logo + help overlay?) - icon = "system-help"; + icon = "nix-snowflake"; exec = "${helpScript}/bin/nixos-help"; categories = "System"; }; @@ -115,7 +114,7 @@ in environment.systemPackages = [ manual.manual helpScript ] - ++ optional config.services.xserver.enable desktopItem + ++ optionals config.services.xserver.enable [desktopItem pkgs.nixos-icons] ++ optional config.programs.man.enable manual.manpages; boot.extraTTYs = mkIf cfg.showManual ["tty${toString cfg.ttyNumber}"]; diff --git a/nixos/modules/services/misc/snapper.nix b/nixos/modules/services/misc/snapper.nix new file mode 100644 index 000000000000..62b344d11b06 --- /dev/null +++ b/nixos/modules/services/misc/snapper.nix @@ -0,0 +1,152 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.snapper; +in + +{ + options.services.snapper = { + + snapshotInterval = mkOption { + type = types.str; + default = "hourly"; + description = '' + Snapshot interval. + + The format is described in + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; + + cleanupInterval = mkOption { + type = types.str; + default = "1d"; + description = '' + Cleanup interval. + + The format is described in + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; + + filters = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Global display difference filter. See man:snapper(8) for more details. + ''; + }; + + configs = mkOption { + default = { }; + example = literalExample { + "home" = { + subvolume = "/home"; + extraConfig = '' + ALLOW_USERS="alice" + ''; + }; + }; + + description = '' + Subvolume configuration + ''; + + type = types.attrsOf (types.submodule { + options = { + subvolume = mkOption { + type = types.path; + description = '' + Path of the subvolume or mount point. + This path is a subvolume and has to contain a subvolume named + .snapshots. + See also man:snapper(8) section PERMISSIONS. + ''; + }; + + fstype = mkOption { + type = types.enum [ "btrfs" ]; + default = "btrfs"; + description = '' + Filesystem type. Only btrfs is stable and tested. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Additional configuration next to SUBVOLUME and FSTYPE. + See man:snapper-configs(5). + ''; + }; + }; + }); + }; + }; + + config = mkIf (cfg.configs != {}) (let + documentation = [ "man:snapper(8)" "man:snapper-configs(5)" ]; + in { + + environment = { + + systemPackages = [ pkgs.snapper ]; + + # Note: snapper/config-templates/default is only needed for create-config + # which is not the NixOS way to configure. + etc = { + + "sysconfig/snapper".text = '' + SNAPPER_CONFIGS="${lib.concatStringsSep " " (builtins.attrNames cfg.configs)}" + ''; + + } + // (mapAttrs' (name: subvolume: nameValuePair "snapper/configs/${name}" ({ + text = '' + ${subvolume.extraConfig} + FSTYPE="${subvolume.fstype}" + SUBVOLUME="${subvolume.subvolume}" + ''; + })) cfg.configs) + // (lib.optionalAttrs (cfg.filters != null) { + "snapper/filters/default.txt".text = cfg.filters; + }); + + }; + + services.dbus.packages = [ pkgs.snapper ]; + + systemd.services.snapper-timeline = { + description = "Timeline of Snapper Snapshots"; + inherit documentation; + serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --timeline"; + }; + + systemd.timers.snapper-timeline = { + description = "Timeline of Snapper Snapshots"; + inherit documentation; + wantedBy = [ "basic.target" ]; + timerConfig.OnCalendar = cfg.snapshotInterval; + }; + + systemd.services.snapper-cleanup = { + description = "Cleanup of Snapper Snapshots"; + inherit documentation; + serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --cleanup"; + }; + + systemd.timers.snapper-cleanup = { + description = "Cleanup of Snapper Snapshots"; + inherit documentation; + wantedBy = [ "basic.target" ]; + timerConfig.OnBootSec = "10m"; + timerConfig.OnUnitActiveSec = cfg.cleanupInterval; + }; + }); +} + diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py index b97bc1df74f7..22a3d8d5311b 100644 --- a/nixos/modules/services/misc/taskserver/helper-tool.py +++ b/nixos/modules/services/misc/taskserver/helper-tool.py @@ -448,6 +448,8 @@ def cli(ctx): """ Manage Taskserver users and certificates """ + if not IS_AUTO_CONFIG: + return for path in (CA_KEY, CA_CERT, CRL_FILE): if not os.path.exists(path): msg = "CA setup not done or incomplete, missing file {}." diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index 79a0aa953feb..7376d2d24a0b 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -79,7 +79,15 @@ in default = null; type = types.nullOr types.str; description = '' - The ip adress to bind to. + The ip address to listen on for incoming connections. + ''; + }; + + bindToAddress = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + The ip address to bind to (both listen on and send packets from). ''; }; @@ -131,7 +139,8 @@ in Name = ${if data.name == null then "$HOST" else data.name} DeviceType = ${data.interfaceType} ${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"} - ${optionalString (data.listenAddress != null) "BindToAddress = ${data.listenAddress}"} + ${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"} + ${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"} Device = /dev/net/tun Interface = tinc.${network} ${data.extraConfig} diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 7ce2ae38fb36..ba9f99e6a8fb 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -324,6 +324,8 @@ in fi ''} ''; + + serviceConfig.PrivateTmp = true; }; systemd.services.cups-browsed = mkIf avahiEnabled diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index ae14aa28ae34..f83413b4534e 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -123,45 +123,49 @@ let vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: let - serverName = vhost.serverName; ssl = vhost.enableSSL || vhost.forceSSL; - port = if vhost.port != null then vhost.port else (if ssl then 443 else 80); - listenString = toString port + optionalString ssl " ssl http2" - + optionalString vhost.default " default_server"; - acmeLocation = optionalString vhost.enableACME ('' + defaultPort = if ssl then 443 else 80; + + listenString = { addr, port, ... }: + "listen ${addr}:${toString (if port != null then port else defaultPort)} " + + optionalString ssl "ssl http2 " + + optionalString vhost.default "default_server" + + ";"; + + redirectListenString = { addr, ... }: + "listen ${addr}:80 ${optionalString vhost.default "default_server"};"; + + acmeLocation = '' location /.well-known/acme-challenge { ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} root ${vhost.acmeRoot}; auth_basic off; } - '' + (optionalString (vhost.acmeFallbackHost != null) '' - location @acme-fallback { - auth_basic off; - proxy_pass http://${vhost.acmeFallbackHost}; - } - '')); + ${optionalString (vhost.acmeFallbackHost != null) '' + location @acme-fallback { + auth_basic off; + proxy_pass http://${vhost.acmeFallbackHost}; + } + ''} + ''; + in '' ${optionalString vhost.forceSSL '' server { - listen 80 ${optionalString vhost.default "default_server"}; - ${optionalString enableIPv6 - ''listen [::]:80 ${optionalString vhost.default "default_server"};'' - } + ${concatMapStringsSep "\n" redirectListenString vhost.listen} - server_name ${serverName} ${concatStringsSep " " vhost.serverAliases}; - ${acmeLocation} + server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; + ${optionalString vhost.enableACME acmeLocation} location / { - return 301 https://$host${optionalString (port != 443) ":${toString port}"}$request_uri; + return 301 https://$host$request_uri; } } ''} server { - listen ${listenString}; - ${optionalString enableIPv6 "listen [::]:${listenString};"} - - server_name ${serverName} ${concatStringsSep " " vhost.serverAliases}; - ${acmeLocation} + ${concatMapStringsSep "\n" listenString vhost.listen} + server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; + ${optionalString vhost.enableACME acmeLocation} ${optionalString (vhost.root != null) "root ${vhost.root};"} ${optionalString (vhost.globalRedirect != null) '' return 301 http${optionalString ssl "s"}://${vhost.globalRedirect}$request_uri; @@ -380,7 +384,7 @@ in virtualHosts = mkOption { type = types.attrsOf (types.submodule (import ./vhost-options.nix { - inherit lib; + inherit config lib; })); default = { localhost = {}; diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index c0ea645b3dfe..60260512bc2f 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -3,7 +3,7 @@ # has additional options that affect the web server as a whole, like # the user/group to run under.) -{ lib }: +{ config, lib }: with lib; { @@ -26,12 +26,26 @@ with lib; ''; }; - port = mkOption { - type = types.nullOr types.int; - default = null; + listen = mkOption { + type = with types; listOf (submodule { + options = { + addr = mkOption { type = str; description = "IP address."; }; + port = mkOption { type = nullOr int; description = "Port number."; }; + }; + }); + default = + [ { addr = "0.0.0.0"; port = null; } ] + ++ optional config.networking.enableIPv6 + { addr = "[::]"; port = null; }; + example = [ + { addr = "195.154.1.1"; port = 443; } + { addr = "192.168.1.2"; port = 443; } + ]; description = '' - Port for the server. Defaults to 80 for http - and 443 for https (i.e. when enableSSL is set). + Listen addresses and ports for this virtual host. + IPv6 addresses must be enclosed in square brackets. + Setting the port to <literal>null</literal> defaults + to 80 for http and 443 for https (i.e. when enableSSL is set). ''; }; diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 9a125dcb0aeb..1f4ab3eae07e 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -301,6 +301,7 @@ mountFS() { *x-nixos.autoresize*) if [ "$fsType" = ext2 -o "$fsType" = ext3 -o "$fsType" = ext4 ]; then echo "resizing $device..." + e2fsck -fp "$device" resize2fs "$device" fi ;; |