diff options
| author | John Ericson <John.Ericson@Obsidian.Systems> | 2017-07-26 13:46:04 -0400 |
|---|---|---|
| committer | John Ericson <John.Ericson@Obsidian.Systems> | 2017-07-26 13:46:04 -0400 |
| commit | 9be40841ea4251a09ae7a1023abc1b6d191f61bb (patch) | |
| tree | f45a3e2cc682740887b81517eca4bd4fecd6c1c2 /nixos/modules | |
| parent | 8ce4780eff33591ed54b2fb97ca96108e4e7a740 (diff) | |
| parent | ac4c567c3603c5106862f144c21037f6ad76c0ad (diff) | |
| download | nixlib-9be40841ea4251a09ae7a1023abc1b6d191f61bb.tar nixlib-9be40841ea4251a09ae7a1023abc1b6d191f61bb.tar.gz nixlib-9be40841ea4251a09ae7a1023abc1b6d191f61bb.tar.bz2 nixlib-9be40841ea4251a09ae7a1023abc1b6d191f61bb.tar.lz nixlib-9be40841ea4251a09ae7a1023abc1b6d191f61bb.tar.xz nixlib-9be40841ea4251a09ae7a1023abc1b6d191f61bb.tar.zst nixlib-9be40841ea4251a09ae7a1023abc1b6d191f61bb.zip | |
Merge remote-tracking branch 'upstream/master' into staging-base
Conflicts: pkgs/build-support/cc-wrapper/default.nix pkgs/build-support/gcc-wrapper-old/builder.sh pkgs/build-support/trivial-builders.nix pkgs/desktops/kde-4.14/kde-package/default.nix pkgs/development/compilers/openjdk-darwin/8.nix pkgs/development/compilers/openjdk-darwin/default.nix pkgs/development/compilers/openjdk/7.nix pkgs/development/compilers/openjdk/8.nix pkgs/development/compilers/oraclejdk/jdk-linux-base.nix pkgs/development/compilers/zulu/default.nix pkgs/development/haskell-modules/generic-builder.nix pkgs/misc/misc.nix pkgs/stdenv/generic/builder.sh pkgs/stdenv/generic/setup.sh
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/config/no-x-libs.nix | 12 | ||||
| -rw-r--r-- | nixos/modules/config/swap.nix | 4 | ||||
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/programs/qt5ct.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/misc/autofs.nix | 17 | ||||
| -rw-r--r-- | nixos/modules/services/misc/autorandr.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/misc/fstrim.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/misc/zookeeper.nix | 6 | ||||
| -rw-r--r-- | nixos/modules/services/monitoring/osquery.nix | 91 | ||||
| -rw-r--r-- | nixos/modules/services/network-filesystems/tahoe.nix | 18 | ||||
| -rw-r--r-- | nixos/modules/services/networking/coturn.nix | 8 | ||||
| -rw-r--r-- | nixos/modules/services/networking/tinc.nix | 13 | ||||
| -rw-r--r-- | nixos/modules/services/networking/wireguard.nix | 2 |
13 files changed, 148 insertions, 28 deletions
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 13477337bda5..4b7787302521 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -26,7 +26,15 @@ with lib; fonts.fontconfig.enable = false; - nixpkgs.config.packageOverrides = pkgs: - { dbus = pkgs.dbus.override { x11Support = false; }; }; + nixpkgs.config.packageOverrides = pkgs: { + dbus = pkgs.dbus.override { x11Support = false; }; + networkmanager_fortisslvpn = pkgs.networkmanager_fortisslvpn.override { withGnome = false; }; + networkmanager_l2tp = pkgs.networkmanager_l2tp.override { withGnome = false; }; + networkmanager_openconnect = pkgs.networkmanager_openconnect.override { withGnome = false; }; + networkmanager_openvpn = pkgs.networkmanager_openvpn.override { withGnome = false; }; + networkmanager_pptp = pkgs.networkmanager_pptp.override { withGnome = false; }; + networkmanager_vpnc = pkgs.networkmanager_vpnc.override { withGnome = false; }; + pinentry = pkgs.pinentry.override { gtk2 = null; qt4 = null; }; + }; }; } diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index e57ed2565a10..5d47b09ded99 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -149,9 +149,7 @@ in fi ''} ${optionalString sw.randomEncryption '' - echo "secretkey" | cryptsetup luksFormat --batch-mode ${sw.device} - echo "secretkey" | cryptsetup luksOpen ${sw.device} ${sw.deviceName} - cryptsetup luksErase --batch-mode ${sw.device} + cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom mkswap ${sw.realDevice} ''} ''; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b97c3b0d816b..e7dea5cb9dad 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -356,6 +356,7 @@ ./services/monitoring/munin.nix ./services/monitoring/nagios.nix ./services/monitoring/netdata.nix + ./services/monitoring/osquery.nix ./services/monitoring/prometheus/default.nix ./services/monitoring/prometheus/alertmanager.nix ./services/monitoring/prometheus/blackbox-exporter.nix diff --git a/nixos/modules/programs/qt5ct.nix b/nixos/modules/programs/qt5ct.nix index 550634e65be9..aeb7fc508495 100644 --- a/nixos/modules/programs/qt5ct.nix +++ b/nixos/modules/programs/qt5ct.nix @@ -26,6 +26,6 @@ with lib; ###### implementation config = mkIf config.programs.qt5ct.enable { environment.variables.QT_QPA_PLATFORMTHEME = "qt5ct"; - environment.systemPackages = [ pkgs.qt5ct ]; + environment.systemPackages = with pkgs; [ qt5ct libsForQt5.qtstyleplugins ]; }; } diff --git a/nixos/modules/services/misc/autofs.nix b/nixos/modules/services/misc/autofs.nix index 40b48f70f7ed..f1742177326a 100644 --- a/nixos/modules/services/misc/autofs.nix +++ b/nixos/modules/services/misc/autofs.nix @@ -20,10 +20,10 @@ in enable = mkOption { default = false; - description = " + description = '' Mount filesystems on demand. Unmount them automatically. You may also be interested in afuse. - "; + ''; }; autoMaster = mkOption { @@ -45,10 +45,9 @@ in /auto file:''${mapConf} ''' ''; - description = " - file contents of /etc/auto.master. See man auto.master - See man 5 auto.master and man 5 autofs. - "; + description = '' + Contents of <literal>/etc/auto.master</literal> file. See <command>auto.master(5)</command> and <command>autofs(5)</command>. + ''; }; timeout = mkOption { @@ -58,9 +57,9 @@ in debug = mkOption { default = false; - description = " - pass -d and -7 to automount and write log to /var/log/autofs - "; + description = '' + Pass -d and -7 to automount and write log to the system journal. + ''; }; }; diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index 792a4c8375d9..3020130ad1f6 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -30,4 +30,5 @@ in { }; + meta.maintainers = with maintainers; [ gnidorah ]; } diff --git a/nixos/modules/services/misc/fstrim.nix b/nixos/modules/services/misc/fstrim.nix index e89366cbafed..15f283f093c0 100644 --- a/nixos/modules/services/misc/fstrim.nix +++ b/nixos/modules/services/misc/fstrim.nix @@ -42,4 +42,5 @@ in { }; + meta.maintainers = with maintainers; [ gnidorah ]; } diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix index b7bca8b56b28..d85b5e4ec507 100644 --- a/nixos/modules/services/misc/zookeeper.nix +++ b/nixos/modules/services/misc/zookeeper.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.zookeeper; - + zookeeperConfig = '' dataDir=${cfg.dataDir} clientPort=${toString cfg.port} @@ -49,7 +49,7 @@ in { default = 1; type = types.int; }; - + extraConf = mkOption { description = "Extra configuration for Zookeeper."; type = types.lines; @@ -119,7 +119,7 @@ in { ExecStart = '' ${pkgs.jre}/bin/java \ -cp "${pkgs.zookeeper}/lib/*:${pkgs.zookeeper}/${pkgs.zookeeper.name}.jar:${configDir}" \ - ${toString cfg.extraCmdLineOptions} \ + ${escapeShellArgs cfg.extraCmdLineOptions} \ -Dzookeeper.datadir.autocreate=false \ ${optionalString cfg.preferIPv4 "-Djava.net.preferIPv4Stack=true"} \ org.apache.zookeeper.server.quorum.QuorumPeerMain \ diff --git a/nixos/modules/services/monitoring/osquery.nix b/nixos/modules/services/monitoring/osquery.nix new file mode 100644 index 000000000000..ba0dc4c21768 --- /dev/null +++ b/nixos/modules/services/monitoring/osquery.nix @@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; + +let + cfg = config.services.osquery; + +in + +{ + + options = { + + services.osquery = { + + enable = mkEnableOption "osquery"; + + loggerPath = mkOption { + type = types.path; + description = "Base directory used for logging."; + default = "/var/log/osquery"; + }; + + pidfile = mkOption { + type = types.path; + description = "Path used for pid file."; + default = "/var/osquery/osqueryd.pidfile"; + }; + + utc = mkOption { + type = types.bool; + description = "Attempt to convert all UNIX calendar times to UTC."; + default = true; + }; + + databasePath = mkOption { + type = types.path; + description = "Path used for database file."; + default = "/var/osquery/osquery.db"; + }; + + extraConfig = mkOption { + type = types.attrs // { + merge = loc: foldl' (res: def: recursiveUpdate res def.value) {}; + }; + description = "Extra config to be recursively merged into the JSON config file."; + default = { }; + }; + }; + + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.osquery ]; + + environment.etc."osquery/osquery.conf".text = toJSON ( + recursiveUpdate { + options = { + config_plugin = "filesystem"; + logger_plugin = "filesystem"; + logger_path = cfg.loggerPath; + database_path = cfg.databasePath; + utc = cfg.utc; + }; + } cfg.extraConfig + ); + + systemd.services.osqueryd = { + description = "The osquery Daemon"; + after = [ "network.target" "syslog.service" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.osquery ]; + preStart = '' + mkdir -p ${escapeShellArg cfg.loggerPath} + mkdir -p "$(dirname ${escapeShellArg cfg.pidfile})" + mkdir -p "$(dirname ${escapeShellArg cfg.databasePath})" + ''; + serviceConfig = { + TimeoutStartSec = 0; + ExecStart = "${pkgs.osquery}/bin/osqueryd --logger_path ${escapeShellArg cfg.loggerPath} --pidfile ${escapeShellArg cfg.pidfile} --database_path ${escapeShellArg cfg.databasePath}"; + KillMode = "process"; + KillSignal = "SIGTERM"; + Restart = "on-failure"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/network-filesystems/tahoe.nix b/nixos/modules/services/network-filesystems/tahoe.nix index 9815a5434ee3..f70fbcc49751 100644 --- a/nixos/modules/services/network-filesystems/tahoe.nix +++ b/nixos/modules/services/network-filesystems/tahoe.nix @@ -237,13 +237,13 @@ in # arguments to $(tahoe start). The node directory must come first, # and arguments which alter Twisted's behavior come afterwards. ExecStart = '' - ${settings.package}/bin/tahoe start ${nodedir} -n -l- --pidfile=${pidfile} + ${settings.package}/bin/tahoe start ${lib.escapeShellArg nodedir} -n -l- --pidfile=${lib.escapeShellArg pidfile} ''; }; preStart = '' - if [ \! -d ${nodedir} ]; then + if [ ! -d ${lib.escapeShellArg nodedir} ]; then mkdir -p /var/db/tahoe-lafs - tahoe create-introducer ${nodedir} + tahoe create-introducer "${lib.escapeShellArg nodedir} fi # Tahoe has created a predefined tahoe.cfg which we must now @@ -252,7 +252,7 @@ in # we must do this on every prestart. Fixes welcome. # rm ${nodedir}/tahoe.cfg # ln -s /etc/tahoe-lafs/introducer-${node}.cfg ${nodedir}/tahoe.cfg - cp /etc/tahoe-lafs/introducer-${node}.cfg ${nodedir}/tahoe.cfg + cp /etc/tahoe-lafs/introducer-"${node}".cfg ${lib.escapeShellArg nodedir}/tahoe.cfg ''; }); users.extraUsers = flip mapAttrs' cfg.introducers (node: _: @@ -337,13 +337,13 @@ in # arguments to $(tahoe start). The node directory must come first, # and arguments which alter Twisted's behavior come afterwards. ExecStart = '' - ${settings.package}/bin/tahoe start ${nodedir} -n -l- --pidfile=${pidfile} + ${settings.package}/bin/tahoe start ${lib.escapeShellArg nodedir} -n -l- --pidfile=${lib.escapeShellArg pidfile} ''; }; preStart = '' - if [ \! -d ${nodedir} ]; then + if [ ! -d ${lib.escapeShellArg nodedir} ]; then mkdir -p /var/db/tahoe-lafs - tahoe create-node --hostname=localhost ${nodedir} + tahoe create-node --hostname=localhost ${lib.escapeShellArg nodedir} fi # Tahoe has created a predefined tahoe.cfg which we must now @@ -351,8 +351,8 @@ in # XXX I thought that a symlink would work here, but it doesn't, so # we must do this on every prestart. Fixes welcome. # rm ${nodedir}/tahoe.cfg - # ln -s /etc/tahoe-lafs/${node}.cfg ${nodedir}/tahoe.cfg - cp /etc/tahoe-lafs/${node}.cfg ${nodedir}/tahoe.cfg + # ln -s /etc/tahoe-lafs/${lib.escapeShellArg node}.cfg ${nodedir}/tahoe.cfg + cp /etc/tahoe-lafs/${lib.escapeShellArg node}.cfg ${lib.escapeShellArg nodedir}/tahoe.cfg ''; }); users.extraUsers = flip mapAttrs' cfg.nodes (node: _: diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix index 14e6932d868b..65273a4bf939 100644 --- a/nixos/modules/services/networking/coturn.nix +++ b/nixos/modules/services/networking/coturn.nix @@ -320,6 +320,14 @@ in { RuntimeDirectory = "turnserver"; User = "turnserver"; Group = "turnserver"; + AmbientCapabilities = + mkIf ( + cfg.listening-port < 1024 || + cfg.alt-listening-port < 1024 || + cfg.tls-listening-port < 1024 || + cfg.alt-tls-listening-port < 1024 || + cfg.min-port < 1024 + ) "cap_net_bind_service"; Restart = "on-abort"; }; }; diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index 7376d2d24a0b..42341b2d4123 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -194,6 +194,19 @@ in }) ); + environment.systemPackages = let + cli-wrappers = pkgs.stdenv.mkDerivation { + name = "tinc-cli-wrappers"; + buildInputs = [ pkgs.makeWrapper ]; + buildCommand = '' + mkdir -p $out/bin + ${concatStringsSep "\n" (mapAttrsToList (network: data: '' + makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" --add-flags "--pidfile=/run/tinc.${network}.pid" + '') cfg.networks)} + ''; + }; + in [ cli-wrappers ]; + users.extraUsers = flip mapAttrs' cfg.networks (network: _: nameValuePair ("tinc.${network}") ({ description = "Tinc daemon user for ${network}"; diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index d5b21ef1a23b..be832ea45d8f 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -208,7 +208,7 @@ let "${ipCommand} link set up dev ${name}" (map (peer: (map (ip: - "${ipCommand} route add ${ip} dev ${name}" + "${ipCommand} route replace ${ip} dev ${name}" ) peer.allowedIPs)) values.peers) values.postSetup |