authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-09-21 12:57:30 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-09-21 12:57:30 +0200
commit01f19f54e046417ca52ef67f5277ffe11de91371 (patch)
treee0cb618ed08bea468a9c5b76ebd1552348bca2dc /nixos
parente70593389fb3593408be57a4956190cfbe84f63e (diff)
parent2d21e1e4ff42f4d6d93b166f495320f1a50fa181 (diff)
Merge remote-tracking branch 'origin/master' into systemd-219
Conflicts:
	pkgs/os-specific/linux/systemd/fixes.patch
	pkgs/os-specific/linux/upower/0.99.nix
	pkgs/top-level/all-packages.nix
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1509.xml127
-rw-r--r--nixos/doc/manual/release-notes/rl-unstable.xml52
-rw-r--r--nixos/modules/config/fonts/fontconfig.nix8
-rw-r--r--nixos/modules/config/i18n.nix16
-rw-r--r--nixos/modules/config/ldap.nix10
-rw-r--r--nixos/modules/config/shells-environment.nix15
-rw-r--r--nixos/modules/config/system-environment.nix15
-rw-r--r--nixos/modules/config/system-path.nix9
-rw-r--r--nixos/modules/misc/ids.nix8
-rw-r--r--nixos/modules/module-list.nix8
-rw-r--r--nixos/modules/profiles/base.nix2
-rw-r--r--nixos/modules/programs/cdemu.nix17
-rw-r--r--nixos/modules/programs/venus.nix14
-rw-r--r--nixos/modules/programs/wvdial.nix4
-rw-r--r--nixos/modules/programs/xfs_quota.nix8
-rw-r--r--nixos/modules/rename.nix1
-rw-r--r--nixos/modules/security/pam.nix2
-rw-r--r--nixos/modules/security/prey.nix21
-rw-r--r--nixos/modules/services/backup/bacula.nix15
-rw-r--r--nixos/modules/services/backup/sitecopy-backup.nix12
-rw-r--r--nixos/modules/services/cluster/kubernetes.nix8
-rw-r--r--nixos/modules/services/databases/mysql.nix6
-rw-r--r--nixos/modules/services/hardware/brltty.nix28
-rw-r--r--nixos/modules/services/hardware/freefall.nix56
-rw-r--r--nixos/modules/services/hardware/udev.nix4
-rw-r--r--nixos/modules/services/logging/logstash.nix1
-rw-r--r--nixos/modules/services/mail/mlmmj.nix16
-rw-r--r--nixos/modules/services/misc/gitit.nix58
-rw-r--r--nixos/modules/services/misc/nix-gc.nix2
-rw-r--r--nixos/modules/services/monitoring/bosun.nix3
-rw-r--r--nixos/modules/services/monitoring/grafana.nix2
-rw-r--r--nixos/modules/services/monitoring/smartd.nix4
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix4
-rw-r--r--nixos/modules/services/networking/bitlbee.nix20
-rw-r--r--nixos/modules/services/networking/connman.nix24
-rw-r--r--nixos/modules/services/networking/dnschain.nix110
-rw-r--r--nixos/modules/services/networking/dnsmasq.nix2
-rw-r--r--nixos/modules/services/networking/namecoind.nix150
-rw-r--r--nixos/modules/services/networking/ntpd.nix12
-rw-r--r--nixos/modules/services/networking/oidentd.nix4
-rw-r--r--nixos/modules/services/networking/openvpn.nix6
-rw-r--r--nixos/modules/services/search/elasticsearch.nix10
-rw-r--r--nixos/modules/services/search/kibana.nix168
-rw-r--r--nixos/modules/services/security/physlock.nix114
-rw-r--r--nixos/modules/services/torrent/deluge.nix2
-rw-r--r--nixos/modules/services/web-servers/apache-httpd/wordpress.nix21
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix34
-rw-r--r--nixos/modules/services/web-servers/nginx/reverse_proxy.nix233
-rw-r--r--nixos/modules/services/x11/desktop-managers/e19.nix1
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome3.nix1
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde4.nix1
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde5.nix1
-rw-r--r--nixos/modules/services/x11/desktop-managers/kodi.nix1
-rw-r--r--nixos/modules/services/x11/desktop-managers/xfce.nix1
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix26
-rw-r--r--nixos/modules/services/x11/redshift.nix73
-rw-r--r--nixos/modules/services/x11/xserver.nix1
-rw-r--r--nixos/modules/system/activation/top-level.nix4
-rw-r--r--nixos/modules/system/boot/loader/efi.nix2
-rw-r--r--nixos/modules/system/boot/luksroot.nix16
-rw-r--r--nixos/modules/system/boot/modprobe.nix6
-rw-r--r--nixos/modules/system/boot/stage-1.nix3
-rw-r--r--nixos/modules/tasks/encrypted-devices.nix6
-rw-r--r--nixos/modules/tasks/filesystems.nix4
-rw-r--r--nixos/modules/tasks/network-interfaces.nix4
-rw-r--r--nixos/modules/virtualisation/azure-image.nix2
-rw-r--r--nixos/modules/virtualisation/brightbox-image.nix2
-rw-r--r--nixos/modules/virtualisation/containers.nix12
-rw-r--r--nixos/modules/virtualisation/docker.nix2
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix2
-rw-r--r--nixos/modules/virtualisation/lxd.nix64
-rw-r--r--nixos/modules/virtualisation/nixos-container-completion.sh33
-rw-r--r--nixos/modules/virtualisation/nixos-container.pl3
-rw-r--r--nixos/modules/virtualisation/parallels-guest.nix2
-rw-r--r--nixos/modules/virtualisation/virtualbox-image.nix5
-rw-r--r--nixos/release.nix1
-rw-r--r--nixos/tests/chromium.nix6
-rw-r--r--nixos/tests/etcd.nix6
-rw-r--r--nixos/tests/gnome3-gdm.nix39
-rw-r--r--nixos/tests/logstash.nix4
-rw-r--r--nixos/tests/virtualbox.nix119
81 files changed, 1299 insertions, 620 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1509.xml b/nixos/doc/manual/release-notes/rl-1509.xml
index d7d3d1a7fb13..098613f9685a 100644
--- a/nixos/doc/manual/release-notes/rl-1509.xml
+++ b/nixos/doc/manual/release-notes/rl-1509.xml
@@ -6,35 +6,48 @@
 
 <title>Release 15.09 (“Dingo”, 2015/09/??)</title>
 
-<para>In addition to numerous new and upgraded packages, this release has the following highlights:
-
-  <itemizedlist>
-    <listitem>
-      <para>
-        The Haskell packages infrastructure has been re-designed from the ground up.
-        NixOS now distributes the latest version of every single package registered on
-        <link xlink:href="http://hackage.haskell.org/">Hackage</link>, i.e. well over
-        8000 Haskell packages. Further information and usage instructions for the
-        improved infrastructure are available at <link
-        xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>.
-        Users migrating from an earlier release will find also find helpful information
-        below, in the list of backwards-incompatible changes.
-      </para>
-    </listitem>
-
-    <listitem>
-      <para>
-        Users running an SSH server who worry about the quality of their
-        <literal>/etc/ssh/moduli</literal> file with respect to the <link
-        xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
-        discovered in the Diffie-Hellman key exchange</link> can now replace OpenSSH's
-        default version with one they generated themselves using the new
-        <literal>services.openssh.moduliFile</literal> option.
-      </para>
-    </listitem>
-  </itemizedlist>
+<para>In addition to numerous new and upgraded packages, this release
+has the following highlights:</para>
 
-</para>
+<itemizedlist>
+
+  <listitem>
+    <para>The Haskell packages infrastructure has been re-designed
+    from the ground up.  NixOS now distributes the latest version of
+    every single package registered on <link
+    xlink:href="http://hackage.haskell.org/">Hackage</link>, i.e. well
+    over 8000 Haskell packages. Further information and usage
+    instructions for the improved infrastructure are available at
+    <link
+    xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>.
+    Users migrating from an earlier release will also find helpful
+    information below, in the list of backwards-incompatible changes.</para>
+  </listitem>
+
+  <listitem>
+    <para>Nix has been updated to version 1.10, which among other
+    improvements enables cryptographic signatures on binary caches for
+    improved security.</para>
+  </listitem>
+
+  <listitem>
+    <para>You can now keep your NixOS system up to date automatically
+    by setting
+
+<programlisting>
+system.autoUpgrade.enable = true;
+</programlisting>
+
+    This will cause the system to periodically check for updates in
+    your current channel and run <command>nixos-rebuild</command>.</para>
+  </listitem>
+
+  <listitem>
+    <para>This release is based on Glibc 2.21, GCC 4.9 and Linux
+    3.18.</para>
+  </listitem>
+
+</itemizedlist>
 
 
 <para>When upgrading from a previous release, please be aware of the
@@ -50,10 +63,11 @@ and want to continue to use them, please set
 system.stateVersion = "14.12";
 </programlisting>
 
-(The new option <option>system.stateVersion</option> ensures that
+The new option <option>system.stateVersion</option> ensures that
 certain configuration changes that could break existing systems (such
 as the <command>sshd</command> host key setting) will maintain
-compatibility with the specified NixOS release.)</para></listitem>
+compatibility with the specified NixOS release. NixOps sets the state
+version of existing deployments automatically.</para></listitem>
 
 <listitem><para><command>cron</command> is no longer enabled by
 default, unless you have a non-empty
@@ -72,9 +86,9 @@ false</option>.</para></listitem>
 and old <literal>steam</literal> package -- to <literal>steamOriginal</literal>.
 </para></listitem>
 
-<listitem><para>CMPlayer has been renamed to bomi upstream. Package <literal>cmplayer</literal>
-was accordingly renamed to <literal>bomi</literal>
-</para></listitem>
+<listitem><para>CMPlayer has been renamed to bomi upstream. Package
+<literal>cmplayer</literal> was accordingly renamed to
+<literal>bomi</literal> </para></listitem>
 
 <listitem><para>Atom Shell has been renamed to Electron upstream.  Package <literal>atom-shell</literal>
 was accordingly renamed to <literal>electron</literal>
@@ -84,21 +98,20 @@ was accordingly renamed to <literal>electron</literal>
 which contains the latest Elm platform.</para></listitem>
 
 <listitem>
-  <para>
-	The CUPS printing service has been updated to version <literal>2.0.2</literal>.
-	Furthermore its systemd service has been renamed to <literal>cups.service</literal>.
-  </para>
-  <para>
-	Local printers are no longer shared or advertised by default. This behavior
-	can be changed by enabling <literal>services.printing.defaultShared</literal>
-	or <literal>services.printing.browsing</literal> respectively.
-  </para>
+  <para>The CUPS printing service has been updated to version
+  <literal>2.0.2</literal>.  Furthermore its systemd service has been
+  renamed to <literal>cups.service</literal>.</para>
+
+  <para>Local printers are no longer shared or advertised by
+  default. This behavior can be changed by enabling
+  <literal>services.printing.defaultShared</literal> or
+  <literal>services.printing.browsing</literal> respectively.</para>
 </listitem>
 
 <listitem>
   <para>
-    The VirtualBox host and guest options have been moved/renamed more
-    consistently and less confusing to be now found in
+    The VirtualBox host and guest options have been named more
+    consistently. They can now found in
     <literal>virtualisation.virtualbox.host.*</literal> instead of
     <literal>services.virtualboxHost.*</literal> and
     <literal>virtualisation.virtualbox.guest.*</literal> instead of
@@ -207,25 +220,31 @@ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.cabal-install
 </para>
 
 
-<para>The following new services were added since the last release:
-
-<itemizedlist>
-<listitem><para><literal>brltty</literal></para></listitem>
-<listitem><para><literal>marathon</literal></para></listitem>
-<listitem><para><literal>tvheadend</literal></para></listitem>
-</itemizedlist>
-</para>
-
-
 <para>Other notable improvements:
 
 <itemizedlist>
+
   <listitem><para>The nixos and nixpkgs channels were unified,
     so one <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal>
     instead of <literal>nix-env -iA nixos.pkgs.bash</literal>.
     See <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the commit</link> for details.
   </para></listitem>
+
+  <listitem>
+    <para>
+      Users running an SSH server who worry about the quality of their
+      <literal>/etc/ssh/moduli</literal> file with respect to the
+      <link
+      xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
+      discovered in the Diffie-Hellman key exchange</link> can now
+      replace OpenSSH's default version with one they generated
+      themselves using the new
+      <literal>services.openssh.moduliFile</literal> option.
+      </para>
+  </listitem>
+
 </itemizedlist>
+
 </para>
 
 </section>
diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml
index 2781cee36148..2745fb2cbe42 100644
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -7,21 +7,39 @@
 <title>Unstable</title>
 
 <para>When upgrading from a previous release, please be aware of the
-  following incompatible changes:
-
-  <itemizedlist>
-    <listitem><para>
-        <command>wmiiSnap</command> has been replaced with
-        <command>wmii_hg</command>, but
-        <command>services.xserver.windowManager.wmii.enable</command>
-        has been updated respectively so this only affects you if you
-        have explicitly installed <command>wmiiSnap</command>.
-    </para></listitem>
-    <listitem><para>
-        <command>wmiimenu</command> is removed, as it has been removed by
-        the developers upstream. Use <command>wimenu</command> from the
-        <command>wmii-hg</command> package.
-    </para></listitem>
-  </itemizedlist>
-</para>
+following incompatible changes:</para>
+
+<itemizedlist>
+  <listitem>
+    <para><command>wmiiSnap</command> has been replaced with
+    <command>wmii_hg</command>, but
+    <command>services.xserver.windowManager.wmii.enable</command> has
+    been updated respectively so this only affects you if you have
+    explicitly installed <command>wmiiSnap</command>.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para><command>wmiimenu</command> is removed, as it has been
+    removed by the developers upstream. Use <command>wimenu</command>
+    from the <command>wmii-hg</command> package.</para>
+  </listitem>
+
+  <listitem>
+    <para>Gitit is no longer automatically added to the module list in
+    NixOS and as such there will not be any manual entries for it. You
+    will need to add an import statement to your NixOS configuration
+    in order to use it, e.g.
+
+<programlisting><![CDATA[
+{
+  imports = [ <nixos/modules/services/misc/gitit.nix> ];
+}
+]]></programlisting>
+
+    will include the Gitit service configuration options.</para>
+  </listitem>
+
+</itemizedlist>
+
 </section>
diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix
index 922a9cf961df..be6662decea6 100644
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@@ -108,10 +108,8 @@ with lib;
         subpixel = {
 
           rgba = mkOption {
-            type = types.string // {
-              check = flip elem ["rgb" "bgr" "vrgb" "vbgr" "none"];
-            };
             default = "rgb";
+            type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
             description = ''
               Subpixel order, one of <literal>none</literal>,
               <literal>rgb</literal>, <literal>bgr</literal>,
@@ -120,10 +118,8 @@ with lib;
           };
 
           lcdfilter = mkOption {
-            type = types.str // {
-              check = flip elem ["none" "default" "light" "legacy"];
-            };
             default = "default";
+            type = types.enum ["none" "default" "light" "legacy"];
             description = ''
               FreeType LCD filter, one of <literal>none</literal>,
               <literal>default</literal>, <literal>light</literal>, or
diff --git a/nixos/modules/config/i18n.nix b/nixos/modules/config/i18n.nix
index 3622b21626b3..f58e540a6e5c 100644
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -52,6 +52,15 @@ in
         '';
       };
 
+      consoleUseXkbConfig = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If set, configure the console keymap from the xserver keyboard
+          settings.
+        '';
+      };
+
       consoleKeyMap = mkOption {
         type = mkOptionType {
           name = "string or path";
@@ -74,6 +83,13 @@ in
 
   config = {
 
+    i18n.consoleKeyMap = with config.services.xserver;
+      mkIf config.i18n.consoleUseXkbConfig
+        (pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } ''
+          '${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \
+            -option '${xkbOptions}' -variant '${xkbVariant}' > "$out"
+        '');
+
     environment.systemPackages =
       optional (config.i18n.supportedLocales != []) glibcLocales;
 
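Review bot: The four X keyboard settings are spliced into the build script between hand-written single quotes (`-model '${xkbModel}' -layout '${layout}'` and the continuation line), so a value that itself contains a single quote closes the quoting and the remainder is parsed as script text. These are administrator-set options, so this is mostly a robustness problem, but quoting through the library helper removes it: `-model ${escapeShellArg xkbModel} -layout ${escapeShellArg layout} \` and the same for `-option` and `-variant` (this assumes `lib` is in scope here, which the hunk does not show). The `config = {` block continues outside the hunk.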
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 1a01533c585b..c87996df8855 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -108,7 +108,7 @@ in
 
         extraConfig = mkOption {
           default =  "";
-          type = types.string;
+          type = types.lines;
           description = ''
             Extra configuration options that will be added verbatim at
             the end of the nslcd configuration file (nslcd.conf).
@@ -120,7 +120,7 @@ in
         distinguishedName = mkOption {
           default = "";
           example = "cn=admin,dc=example,dc=com";
-          type = types.string;
+          type = types.str;
           description = ''
             The distinguished name to bind to the LDAP server with. If this
             is not specified, an anonymous bind will be done.
@@ -129,7 +129,7 @@ in
 
         password = mkOption {
           default = "/etc/ldap/bind.password";
-          type = types.string;
+          type = types.str;
           description = ''
             The path to a file containing the credentials to use when binding
             to the LDAP server (if not binding anonymously).
@@ -149,7 +149,7 @@ in
 
         policy = mkOption {
           default = "hard_open";
-          type = types.string;
+          type = types.enum [ "hard_open" "hard_init" "soft" ];
           description = ''
             Specifies the policy to use for reconnecting to an unavailable
             LDAP server. The default is <literal>hard_open</literal>, which
@@ -168,7 +168,7 @@ in
 
       extraConfig = mkOption {
         default = "";
-        type = types.string;
+        type = types.lines;
         description = ''
           Extra configuration options that will be added verbatim at
           the end of the ldap configuration file (ldap.conf).
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix
index bff0b2991323..533280890a70 100644
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -41,20 +41,7 @@ in
         strings.  The latter is concatenated, interspersed with colon
         characters.
       '';
-      type = types.attrsOf (mkOptionType {
-        name = "a string or a list of strings";
-        merge = loc: defs:
-          let
-            defs' = filterOverrides defs;
-            res = (head defs').value;
-          in
-          if isList res then concatLists (getValues defs')
-          else if lessThan 1 (length defs') then
-            throw "The option `${showOption loc}' is defined multiple times, in ${showFiles (getFiles defs)}."
-          else if !isString res then
-            throw "The option `${showOption loc}' does not have a string value, in ${showFiles (getFiles defs)}."
-          else res;
-      });
+      type = types.attrsOf (types.loeOf types.str);
       apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
     };
 
diff --git a/nixos/modules/config/system-environment.nix b/nixos/modules/config/system-environment.nix
index 3ab32f00fd1d..3362400326d2 100644
--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@@ -23,20 +23,7 @@ in
         strings.  The latter is concatenated, interspersed with colon
         characters.
       '';
-      type = types.attrsOf (mkOptionType {
-        name = "a string or a list of strings";
-        merge = loc: defs:
-          let
-            defs' = filterOverrides defs;
-            res = (head defs').value;
-          in
-          if isList res then concatLists (getValues defs')
-          else if lessThan 1 (length defs') then
-            throw "The option `${showOption loc}' is defined multiple times, in ${showFiles (getFiles defs)}."
-          else if !isString res then
-            throw "The option `${showOption loc}' does not have a string value, in ${showFiles (getFiles defs)}."
-          else res;
-      });
+      type = types.attrsOf (types.loeOf types.str);
       apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
     };
 
diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix
index 3a9a09ee87c1..748ada99be69 100644
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@@ -103,16 +103,23 @@ in
       [ "/bin"
         "/etc/xdg"
         "/info"
-        "/lib"
+        "/lib" # FIXME: remove
+        #"/lib/debug/.build-id" # enables GDB to find separated debug info
         "/man"
         "/sbin"
+        "/share/applications"
+        "/share/desktop-directories"
         "/share/doc"
         "/share/emacs"
+        "/share/icons"
         "/share/info"
         "/share/man"
+        "/share/menus"
+        "/share/mime"
         "/share/nano"
         "/share/org"
         "/share/terminfo"
+        "/share/themes"
         "/share/vim-plugins"
       ];
 
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 1e5393f26b54..b0e9ceea10b3 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -229,6 +229,10 @@
       riak = 205;
       shout = 206;
       gateone = 207;
+      namecoin = 208;
+      dnschain = 209;
+      #lxd = 210; # unused
+      kibana = 211;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -436,6 +440,10 @@
       riak = 205;
       #shout = 206; #unused
       gateone = 207;
+      namecoin = 208;
+      #dnschain = 209; #unused
+      lxd = 210; # unused
+      #kibana = 211;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
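Review bot: In the gid table `lxd = 210; # unused` assigns the gid while its trailing comment says it is unused; the neighbouring entries mark an unused id by commenting the whole line out (`#shout = 206; #unused`, and `#lxd = 210; # unused` in the uid hunk above). Since the entry is active, the line should read `lxd = 210;`, and the reserved one should carry the marker its neighbours have: `#kibana = 211; #unused`. The comment that follows in this hunk asks contributors to check uids against gids by reading these tables, so a wrong marker can lead to a colliding id being picked.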
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 6734fa0b862b..b03f4494522b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -197,7 +197,7 @@
   ./services/misc/etcd.nix
   ./services/misc/felix.nix
   ./services/misc/folding-at-home.nix
-  ./services/misc/gitit.nix
+  #./services/misc/gitit.nix
   ./services/misc/gitlab.nix
   ./services/misc/gitolite.nix
   ./services/misc/gpsd.nix
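Review bot: `#./services/misc/gitit.nix` is left in the list as a commented-out entry with no reason given, so a reader of this file cannot tell whether it is a temporary workaround or a deliberate opt-in. The release notes changed in this commit say Gitit now has to be imported explicitly; the list should say the same, e.g. `# ./services/misc/gitit.nix is not imported by default; see the release notes`, or the line should be deleted.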
@@ -275,6 +275,7 @@
   ./services/networking/ddclient.nix
   ./services/networking/dhcpcd.nix
   ./services/networking/dhcpd.nix
+  ./services/networking/dnschain.nix
   ./services/networking/dnscrypt-proxy.nix
   ./services/networking/dnsmasq.nix
   ./services/networking/docker-registry-server.nix
@@ -303,6 +304,7 @@
   ./services/networking/minidlna.nix
   ./services/networking/mstpd.nix
   ./services/networking/murmur.nix
+  ./services/networking/namecoind.nix
   ./services/networking/nat.nix
   ./services/networking/networkmanager.nix
   ./services/networking/ngircd.nix
@@ -363,6 +365,7 @@
   ./services/scheduling/fcron.nix
   ./services/scheduling/marathon.nix
   ./services/search/elasticsearch.nix
+  ./services/search/kibana.nix
   ./services/search/solr.nix
   ./services/security/clamav.nix
   ./services/security/fail2ban.nix
@@ -372,6 +375,7 @@
   ./services/security/haveged.nix
   ./services/security/hologram.nix
   ./services/security/munge.nix
+  ./services/security/physlock.nix
   ./services/security/torify.nix
   ./services/security/tor.nix
   ./services/security/torsocks.nix
@@ -393,7 +397,6 @@
   ./services/web-servers/lighttpd/default.nix
   ./services/web-servers/lighttpd/gitweb.nix
   ./services/web-servers/nginx/default.nix
-  ./services/web-servers/nginx/reverse_proxy.nix
   ./services/web-servers/phpfpm.nix
   ./services/web-servers/shellinabox.nix
   ./services/web-servers/tomcat.nix
@@ -486,6 +489,7 @@
   ./virtualisation/docker.nix
   ./virtualisation/libvirtd.nix
   ./virtualisation/lxc.nix
+  ./virtualisation/lxd.nix
   ./virtualisation/amazon-options.nix
   ./virtualisation/openvswitch.nix
   ./virtualisation/parallels-guest.nix
diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix
index c207829aabd6..9aa0034783fa 100644
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@@ -47,7 +47,7 @@
   ];
 
   # Include support for various filesystems.
-  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "zfs" "ntfs" "cifs" ];
+  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "zfs" "ntfs" "cifs" ];
 
   # Configure host id for ZFS to work
   networking.hostId = "8425e349";
diff --git a/nixos/modules/programs/cdemu.nix b/nixos/modules/programs/cdemu.nix
index d1b1915eea91..98df9b94380f 100644
--- a/nixos/modules/programs/cdemu.nix
+++ b/nixos/modules/programs/cdemu.nix
@@ -9,19 +9,28 @@ in {
     programs.cdemu = {
       enable = mkOption {
         default = false;
-        description = "Whether to enable cdemu for users of appropriate group (default cdrom)";
+        description = ''
+          <command>cdemu</command> for members of
+          <option>programs.cdemu.group</option>.
+        '';
       };
       group = mkOption {
         default = "cdrom";
-        description = "Required group for users of cdemu";
+        description = ''
+          Group that users must be in to use <command>cdemu</command>.
+        '';
       };
       gui = mkOption {
         default = true;
-        description = "Whether to install cdemu GUI (gCDEmu)";
+        description = ''
+          Whether to install the <command>cdemu</command> GUI (gCDEmu).
+        '';
       };
       image-analyzer = mkOption {
         default = true;
-        description = "Whether to install image analyzer";
+        description = ''
+          Whether to install the image analyzer.
+        '';
       };
     };
   };
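Review bot: The new `enable` description is a sentence fragment (`<command>cdemu</command> for members of <option>programs.cdemu.group</option>.`) and no longer states that the option turns the feature on; `Whether to enable <command>cdemu</command> for members of` on its first line restores that. None of the four options in this hunk declares a `type`, so a non-boolean `enable` or a non-string `group` is not rejected at evaluation time. Adding `type = types.bool;` to `enable`, `gui` and `image-analyzer` and `type = types.str;` to `group` would match the typed options elsewhere in this commit.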
diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix
index 3b5ae07e82f7..ca3188b18199 100644
--- a/nixos/modules/programs/venus.nix
+++ b/nixos/modules/programs/venus.nix
@@ -41,7 +41,7 @@ in
 
       dates = mkOption {
         default = "*:0/15";
-        type = types.string;
+        type = types.str;
         description = ''
           Specification (in the format described by
           <citerefentry><refentrytitle>systemd.time</refentrytitle>
@@ -52,7 +52,7 @@ in
 
       user = mkOption {
         default = "root";
-        type = types.string;
+        type = types.str;
         description = ''
           User for running venus script.
         '';
@@ -60,7 +60,7 @@ in
 
       group = mkOption {
         default = "root";
-        type = types.string;
+        type = types.str;
         description = ''
           Group for running venus script.
         '';
@@ -68,7 +68,7 @@ in
 
       name = mkOption {
         default = "NixOS Planet";
-        type = types.string;
+        type = types.str;
         description = ''
           Your planet's name.
         '';
@@ -76,7 +76,7 @@ in
 
       link = mkOption {
         default = "http://planet.nixos.org";
-        type = types.string;
+        type = types.str;
         description = ''
           Link to the main page.
         '';
@@ -84,7 +84,7 @@ in
 
       ownerName = mkOption {
         default = "Rok Garbas";
-        type = types.string;
+        type = types.str;
         description = ''
           Your name.
         '';
@@ -92,7 +92,7 @@ in
 
       ownerEmail = mkOption {
         default = "some@example.com";
-        type = types.string;
+        type = types.str;
         description = ''
           Your e-mail address.
         '';
diff --git a/nixos/modules/programs/wvdial.nix b/nixos/modules/programs/wvdial.nix
index 8e7d0e51a4e0..1ed929ed4afa 100644
--- a/nixos/modules/programs/wvdial.nix
+++ b/nixos/modules/programs/wvdial.nix
@@ -24,7 +24,7 @@ in
 
       dialerDefaults = mkOption {
         default = "";
-        type = types.string;
+        type = types.str;
         example = ''Init1 = AT+CGDCONT=1,"IP","internet.t-mobile"'';
         description = ''
           Contents of the "Dialer Defaults" section of
@@ -40,7 +40,7 @@ in
           persist
           noauth
         '';
-        type = types.string;
+        type = types.str;
         description = "Default ppp settings for wvdial.";
       };
 
diff --git a/nixos/modules/programs/xfs_quota.nix b/nixos/modules/programs/xfs_quota.nix
index d30a85922cff..90b6304fa999 100644
--- a/nixos/modules/programs/xfs_quota.nix
+++ b/nixos/modules/programs/xfs_quota.nix
@@ -32,25 +32,25 @@ in
             };
 
             fileSystem = mkOption {
-              type = types.string;
+              type = types.str;
               description = "XFS filesystem hosting the xfs_quota project.";
               default = "/";
             };
 
             path = mkOption {
-              type = types.string;
+              type = types.str;
               description = "Project directory.";
             };
 
             sizeSoftLimit = mkOption {
-              type = types.nullOr types.string;
+              type = types.nullOr types.str;
               default = null;
               example = "30g";
               description = "Soft limit of the project size";
             };
 
             sizeHardLimit = mkOption {
-              type = types.nullOr types.string;
+              type = types.nullOr types.str;
               default = null;
               example = "50g";
               description = "Hard limit of the project size.";
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index cb378b024490..62be7dc6cae2 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -165,5 +165,6 @@ in zipModules ([]
 ++ obsolete' [ "services" "syslog-ng" "serviceName" ]
 ++ obsolete' [ "services" "syslog-ng" "listenToJournal" ]
 ++ obsolete' [ "ec2" "metadata" ]
+++ obsolete' [ "services" "openvpn" "enable" ]
 
 )
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 474b93b4984d..88760574cbc6 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -419,7 +419,7 @@ in
     users.motd = mkOption {
       default = null;
       example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
-      type = types.nullOr types.string;
+      type = types.nullOr types.lines;
       description = "Message of the day shown to users when they log in.";
     };
 
diff --git a/nixos/modules/security/prey.nix b/nixos/modules/security/prey.nix
index e29fa5395a1a..1c643f2e1a57 100644
--- a/nixos/modules/security/prey.nix
+++ b/nixos/modules/security/prey.nix
@@ -16,19 +16,28 @@ in {
         default = false;
         type = types.bool;
         description = ''
-          Enables http://preyproject.com/ bash client. Be sure to specify api and device keys.
-          Once setup, cronjob will run evert 15 minutes and report status.
+          Enables the <link xlink:href="http://preyproject.com/" />
+          shell client. Be sure to specify both API and device keys.
+          Once enabled, a <command>cron</command> job will run every 15
+          minutes to report status information.
         '';
       };
 
       deviceKey = mkOption {
-        type = types.string;
-        description = "Device Key obtained from https://panel.preyproject.com/devices (and clicking on the device)";
+        type = types.str;
+        description = ''
+          <literal>Device key</literal> obtained by visiting
+          <link xlink:href="https://panel.preyproject.com/devices" />
+          and clicking on your device.
+        '';
       };
 
       apiKey = mkOption {
-        type = types.string;
-        description = "API key obtained from https://panel.preyproject.com/profile";
+        type = types.str;
+        description = ''
+          <literal>API key</literal> obtained from
+          <link xlink:href="https://panel.preyproject.com/profile" />.
+        '';
       };
     };
 
diff --git a/nixos/modules/services/backup/bacula.nix b/nixos/modules/services/backup/bacula.nix
index 9e3ae66f808b..69f3c3f8a758 100644
--- a/nixos/modules/services/backup/bacula.nix
+++ b/nixos/modules/services/backup/bacula.nix
@@ -169,14 +169,17 @@ in {
         type = types.bool;
         default = false;
         description = ''
-          Whether to enable Bacula File Daemon.
+          Whether to enable the Bacula File Daemon.
         '';
       };
  
       name = mkOption {
         default = "${config.networking.hostName}-fd";
         description = ''
-        	The client name that must be used by the Director when connecting. Generally, it is a good idea to use a name related to the machine so that error messages can be easily identified if you have multiple Clients. This directive is required.
+          The client name that must be used by the Director when connecting.
+          Generally, it is a good idea to use a name related to the machine
+          so that error messages can be easily identified if you have multiple
+          Clients. This directive is required.
         '';
       };
  
@@ -184,7 +187,9 @@ in {
         default = 9102;
         type = types.int;
         description = ''
-        	This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in the Client resource of the Director's configuration file. The default is 9102.
+          This specifies the port number on which the Client listens for
+          Director connections. It must agree with the FDPort specified in
+          the Client resource of the Director's configuration file.
         '';
       };
  
@@ -202,7 +207,7 @@ in {
         description = ''
           Extra configuration to be passed in Client directive.
         '';
-        example = ''
+        example = literalExample ''
           Maximum Concurrent Jobs = 20;
           Heartbeat Interval = 30;
         '';
@@ -213,7 +218,7 @@ in {
         description = ''
           Extra configuration to be passed in Messages directive.
         '';
-        example = ''
+        example = literalExample ''
           console = all
         '';
       };
diff --git a/nixos/modules/services/backup/sitecopy-backup.nix b/nixos/modules/services/backup/sitecopy-backup.nix
index 5f2b4e76aeeb..6e4721ded68b 100644
--- a/nixos/modules/services/backup/sitecopy-backup.nix
+++ b/nixos/modules/services/backup/sitecopy-backup.nix
@@ -21,15 +21,16 @@ in
       enable = mkOption {
         default = false;
         description = ''
-          Whether to enable sitecopy backups of specified directories.
+          Whether to enable <command>sitecopy</command> backups of specified
+          directories.
         '';
       };
 
       period = mkOption {
         default = "15 04 * * *";
         description = ''
-          This option defines (in the format used by cron) when the
-          sitecopy backup are being run.
+          This option defines (in the format used by <command>cron</command>)
+          when the <command>sitecopy</command> backups are to be run.
           The default is to update at 04:15 (at night) every day.
         '';
       };
@@ -47,9 +48,10 @@ in
         ];
         default = [];
         description = ''
-           List of attributesets describing the backups.
+           List of attribute sets describing the backups.
 
-           Username/password are extracted from <filename>${stateDir}/sitecopy.secrets</filename> at activation
+           Username/password are extracted from
+           <filename>${stateDir}/sitecopy.secrets</filename> at activation
            time. The secrets file lines should have the following structure:
            <screen>
              server username password
diff --git a/nixos/modules/services/cluster/kubernetes.nix b/nixos/modules/services/cluster/kubernetes.nix
index ba09f04d502b..a06384e27139 100644
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -73,7 +73,7 @@ in {
       };
 
       port = mkOption {
-        description = "Kubernets apiserver listening port.";
+        description = "Kubernetes apiserver listening port.";
         default = 8080;
         type = types.int;
       };
@@ -211,7 +211,7 @@ in {
       };
 
       port = mkOption {
-        description = "Kubernets scheduler listening port.";
+        description = "Kubernetes scheduler listening port.";
         default = 10251;
         type = types.int;
       };
@@ -243,7 +243,7 @@ in {
       };
 
       port = mkOption {
-        description = "Kubernets controller manager listening port.";
+        description = "Kubernetes controller manager listening port.";
         default = 10252;
         type = types.int;
       };
@@ -299,7 +299,7 @@ in {
       };
 
       port = mkOption {
-        description = "Kubernets kubelet info server listening port.";
+        description = "Kubernetes kubelet info server listening port.";
         default = 10250;
         type = types.int;
       };
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 1cdecedfc772..efc52e917b00 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -167,6 +167,12 @@ in
 
         unitConfig.RequiresMountsFor = "${cfg.dataDir}";
 
+        path = [
+          # Needed for the mysql_install_db command in the preStart script
+          # which calls the hostname command.
+          pkgs.nettools
+        ];
+
         preStart =
           ''
             if ! test -e ${cfg.dataDir}/mysql; then
diff --git a/nixos/modules/services/hardware/brltty.nix b/nixos/modules/services/hardware/brltty.nix
index d6c05a3d620c..03e530b2c96d 100644
--- a/nixos/modules/services/hardware/brltty.nix
+++ b/nixos/modules/services/hardware/brltty.nix
@@ -4,10 +4,6 @@ with lib;
 
 let
   cfg = config.services.brltty;
-  
-  stateDir = "/run/brltty";
-
-  pidFile = "${stateDir}/brltty.pid";
 
 in {
 
@@ -24,14 +20,24 @@ in {
   config = mkIf cfg.enable {
 
     systemd.services.brltty = {
-      description = "Braille console driver";
-      preStart = ''
-        mkdir -p ${stateDir}
-      '';
+      description = "Braille Device Support";
+      unitConfig = {
+        Documentation = "http://mielke.cc/brltty/";
+        DefaultDependencies = "no";
+        RequiresMountsFor = "${pkgs.brltty}/var/lib/brltty";
+      };
       serviceConfig = {
-        ExecStart = "${pkgs.brltty}/bin/brltty --pid-file=${pidFile}";
-        Type = "forking";
-        PIDFile = pidFile;
+        ExecStart = "${pkgs.brltty}/bin/brltty --no-daemon";
+        Type = "simple";        # Change to notidy after next releae
+        TimeoutStartSec = 5;
+        TimeoutStopSec = 10;
+        Restart = "always";
+        RestartSec = 30;
+        Nice = -10;
+        OOMScoreAdjust = -900;
+        ProtectHome = "read-only";
+        ProtectSystem = "full";
+        SystemCallArchitectures = "native";
       };
       before = [ "sysinit.target" ];
       wantedBy = [ "sysinit.target" ];
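Review bot: `RequiresMountsFor = "${pkgs.brltty}/var/lib/brltty";` points at a directory inside the package's own store output, which is presumably read-only and available whenever the store is, so the dependency looks like a leftover from a substituted upstream path; if brltty keeps writable state somewhere else, this should name that directory or be dropped. The comment on the `Type` line has two typos that hide its meaning and should read `Type = "simple";        # Change to notify after next release`. The new `ProtectHome`, `ProtectSystem` and `SystemCallArchitectures` settings would benefit from a one-line comment saying where they come from and that `Nice = -10` / `OOMScoreAdjust = -900` are deliberate for an accessibility daemon.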
diff --git a/nixos/modules/services/hardware/freefall.nix b/nixos/modules/services/hardware/freefall.nix
index 7867956c1ab0..2be339766069 100644
--- a/nixos/modules/services/hardware/freefall.nix
+++ b/nixos/modules/services/hardware/freefall.nix
@@ -2,40 +2,42 @@
 
 with lib;
 
-{
+let
 
-  ###### interface
+  cfg = config.services.freefall;
 
-  options = with types; {
+in {
 
-    services.freefall = {
+  options.services.freefall = {
 
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to protect HP/Dell laptop hard drives (not SSDs) in free fall.
-        '';
-        type = bool;
-      };
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to protect HP/Dell laptop hard drives (not SSDs) in free fall.
+      '';
+    };
 
-      devices = mkOption {
-        default = [ "/dev/sda" ];
-        description = ''
-          Device paths to all internal spinning hard drives.
-        '';
-        type = listOf string;
-      };
+    package = mkOption {
+      type = types.package;
+      default = pkgs.freefall;
+      description = ''
+        freefall derivation to use.
+      '';
+    };
 
+    devices = mkOption {
+      type = types.listOf types.string;
+      default = [ "/dev/sda" ];
+      description = ''
+        Device paths to all internal spinning hard drives.
+      '';
     };
 
   };
 
-  ###### implementation
-
   config = let
 
-    cfg = config.services.freefall;
-
     mkService = dev:
       assert dev != "";
       let dev' = utils.escapeSystemdPath dev; in
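Review bot: The rewritten `devices` option still uses `types.listOf types.string`, while the rest of this commit moves options from `types.string` to `types.str`; for consistency it should be `type = types.listOf types.str;`. The same applies to `networkInterfaceBlacklist` in connman.nix, which is added with `type = with types; listOf string;`. The next freefall hunk also drops `unitConfig.DefaultDependencies = false` without a comment, so a short note on why the default dependencies are now wanted would help the next reader. `mkService` continues past the end of this hunk.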
@@ -43,12 +45,8 @@ with lib;
         description = "Free-fall protection for ${dev}";
         after = [ "${dev'}.device" ];
         wantedBy = [ "${dev'}.device" ];
-        path = [ pkgs.freefall ];
-        unitConfig = {
-          DefaultDependencies = false;
-        };
         serviceConfig = {
-          ExecStart = "${pkgs.freefall}/bin/freefall ${dev}";
+          ExecStart = "${cfg.package}/bin/freefall ${dev}";
           Restart = "on-failure";
           Type = "forking";
         };
@@ -56,9 +54,9 @@ with lib;
 
   in mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.freefall ];
+    environment.systemPackages = [ cfg.package ];
 
-    systemd.services = listToAttrs (map mkService cfg.devices);
+    systemd.services = builtins.listToAttrs (map mkService cfg.devices);
 
   };
 
diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix
index 513eb27b4069..c747c24db67d 100644
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -180,9 +180,7 @@ in
         firmware to function).  If multiple packages contain firmware
         files with the same name, the first package in the list takes
         precedence.  Note that you must rebuild your system if you add
-        files to any of these directories.  For quick testing,
-        put firmware files in <filename>/root/test-firmware</filename>
-        and add that directory to the list.
+        files to any of these directories.
       '';
       apply = list: pkgs.buildEnv {
         name = "firmware";
diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix
index 117ee1c900f5..aec45d9286d8 100644
--- a/nixos/modules/services/logging/logstash.nix
+++ b/nixos/modules/services/logging/logstash.nix
@@ -132,6 +132,7 @@ in
       description = "Logstash Daemon";
       wantedBy = [ "multi-user.target" ];
       environment = { JAVA_HOME = jre; };
+      path = [ pkgs.bash ];
       serviceConfig = {
         ExecStart =
           "${cfg.package}/bin/logstash agent " +
diff --git a/nixos/modules/services/mail/mlmmj.nix b/nixos/modules/services/mail/mlmmj.nix
index 5843a6745f58..e2b37522cb16 100644
--- a/nixos/modules/services/mail/mlmmj.nix
+++ b/nixos/modules/services/mail/mlmmj.nix
@@ -14,7 +14,7 @@ let
   alias = domain: list: "${list}: \"|${pkgs.mlmmj}/bin/mlmmj-receive -L ${listDir domain list}/\"";
   subjectPrefix = list: "[${list}]";
   listAddress = domain: list: "${list}@${domain}";
-  customHeaders = list: domain: [ "List-Id: ${list}" "Reply-To: ${list}@${domain}" ];
+  customHeaders = domain: list: [ "List-Id: ${list}" "Reply-To: ${list}@${domain}" ];
   footer = domain: list: "To unsubscribe send a mail to ${list}+unsubscribe@${domain}";
   createList = d: l: ''
     ${pkgs.coreutils}/bin/mkdir -p ${listCtl d l}
@@ -90,14 +90,15 @@ in
       enable = true;
       recipientDelimiter= "+";
       extraMasterConf = ''
-        mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L ${spoolDir}/$nextHop
+        mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L ${spoolDir}/$nexthop
       '';
 
       extraAliases = concatMapStrings (alias cfg.listDomain) cfg.mailLists;
 
       extraConfig = ''
-        transport = hash:${stateDir}/transports
-        virtual = hash:${stateDir}/virtuals
+        transport_maps = hash:${stateDir}/transports
+        virtual_alias_maps = hash:${stateDir}/virtuals
+        propagate_unmatched_extensions = virtual
       '';
     };
 
@@ -108,9 +109,10 @@ in
           ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${spoolDir}
           ${lib.concatMapStrings (createList cfg.listDomain) cfg.mailLists}
           echo ${lib.concatMapStrings (virtual cfg.listDomain) cfg.mailLists} > ${stateDir}/virtuals
-          echo ${cfg.listDomain} mailman: > ${stateDir}/transports
-          echo ${lib.concatMapStrings (transport cfg.listDomain) cfg.mailLists} >> ${stateDir}/transports
-    '';
+          echo ${lib.concatMapStrings (transport cfg.listDomain) cfg.mailLists} > ${stateDir}/transports
+          ${pkgs.postfix}/bin/postmap ${stateDir}/virtuals
+          ${pkgs.postfix}/bin/postmap ${stateDir}/transports
+      '';
 
     systemd.services."mlmmj-maintd" = {
       description = "mlmmj maintenance daemon";
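Review bot: The list names and the domain are interpolated unquoted into `echo ${...} > ${stateDir}/virtuals` and `echo ${...} > ${stateDir}/transports`, so the shell running this script word-splits the text and interprets any metacharacter that appears in `cfg.mailLists` or `cfg.listDomain`. Passing the generated text as one quoted argument keeps it literal, e.g. `printf '%s\n' ${lib.escapeShellArg (lib.concatMapStrings (virtual cfg.listDomain) cfg.mailLists)} > ${stateDir}/virtuals`. The `virtual` and `transport` helpers are defined outside this hunk, so it should be confirmed that they emit one entry per line when several lists are configured, since `postmap` reads one key/value pair per line. The script starts above the hunk, so whether a failing `postmap` aborts it is not visible here.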
diff --git a/nixos/modules/services/misc/gitit.nix b/nixos/modules/services/misc/gitit.nix
index 10a706fbd71d..befd8c628f16 100644
--- a/nixos/modules/services/misc/gitit.nix
+++ b/nixos/modules/services/misc/gitit.nix
@@ -35,6 +35,7 @@ let
       };
 
       haskellPackages = mkOption {
+        default = pkgs.haskellPackages;
         defaultText = "pkgs.haskellPackages";
         example = literalExample "pkgs.haskell.packages.ghc784";
         description = "haskellPackages used to build gitit and plugins.";
@@ -99,7 +100,7 @@ let
       };
 
       authenticationMethod = mkOption {
-        type = types.enum [ "form" "http" "generic"];
+        type = types.enum [ "form" "http" "generic" "github" ];
         default = "form";
         description = ''
           'form' means that users will be logged in and registered using forms
@@ -137,6 +138,7 @@ let
 
       staticDir = mkOption {
         type = types.path;
+        default = gititShared + "/data/static";
         description = ''
           Specifies the path of the static directory (containing javascript,
           css, and images).  If it does not exist, gitit will create it and
@@ -207,6 +209,7 @@ let
 
       templatesDir = mkOption {
         type = types.path;
+        default = gititShared + "/data/templates";
         description = ''
           Specifies the path of the directory containing page templates.  If it
           does not exist, gitit will create it with default templates.  Users
@@ -288,6 +291,7 @@ let
 
       plugins = mkOption {
         type = with types; listOf str;
+        default = [ (gititShared + "/plugins/Dot.hs") ];
         description = ''
           Specifies a list of plugins to load. Plugins may be specified either
           by their path or by their module name. If the plugin name starts
@@ -537,6 +541,42 @@ video/x-ms-wmx  wmx
           through xss-sanitize.  Set to no only if you trust all of your users.
         '';
       };
+
+      oauthClientId = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "OAuth client ID";
+      };
+
+      oauthClientSecret = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "OAuth client secret";
+      };
+
+      oauthCallback = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "OAuth callback URL";
+      };
+
+      oauthAuthorizeEndpoint = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "OAuth authorize endpoint";
+      };
+
+      oauthAccessTokenEndpoint = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "OAuth access token endpoint";
+      };
+
+      githubOrg = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Github organization";
+      };
   };
 
   configFile = pkgs.writeText "gitit.conf" ''
@@ -587,6 +627,14 @@ video/x-ms-wmx  wmx
     pdf-export: ${toYesNo cfg.pdfExport}
     pandoc-user-data: ${toString cfg.pandocUserData}
     xss-sanitize: ${toYesNo cfg.xssSanitize}
+
+    [Github]
+    oauthclientid: ${toString cfg.oauthClientId}
+    oauthclientsecret: ${toString cfg.oauthClientSecret}
+    oauthcallback: ${toString cfg.oauthCallback}
+    oauthauthorizeendpoint: ${toString cfg.oauthAuthorizeEndpoint}
+    oauthaccesstokenendpoint: ${toString cfg.oauthAccessTokenEndpoint}
+    github-org: ${toString cfg.githubOrg}
   '';
 
 in
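Review bot: `oauthClientSecret` is written verbatim into the generated file by `oauthclientsecret: ${toString cfg.oauthClientSecret}`, and that file is built with `pkgs.writeText "gitit.conf"` (visible as context at the end of the previous hunk), so the secret ends up in the Nix store, which every local user can read. Prefer an option that takes the path of a secret file kept outside the store and injects it when the service starts, or at minimum state the exposure in the option text: `description = "OAuth client secret. This value is copied into the world-readable Nix store.";`. The `[Github]` section is also emitted with empty values for every other `authenticationMethod`, because `toString null` is the empty string; wrapping it in `optionalString (cfg.authenticationMethod == "github")` would leave existing configurations unchanged.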
@@ -597,13 +645,6 @@ in
 
   config = mkIf cfg.enable {
 
-    services.gitit = {
-      haskellPackages = mkDefault pkgs.haskellPackages;
-      staticDir = gititShared + "/data/static";
-      templatesDir = gititShared + "/data/templates";
-      plugins = [ ];
-    };
-
     users.extraUsers.gitit = {
       group = config.users.extraGroups.gitit.name;
       description = "Gitit user";
@@ -681,4 +722,3 @@ NAMED
     };
   };
 }
-
diff --git a/nixos/modules/services/misc/nix-gc.nix b/nixos/modules/services/misc/nix-gc.nix
index 981299352575..6a7a7f4cee72 100644
--- a/nixos/modules/services/misc/nix-gc.nix
+++ b/nixos/modules/services/misc/nix-gc.nix
@@ -52,7 +52,7 @@ in
 
     systemd.services.nix-gc =
       { description = "Nix Garbage Collector";
-        script = "exec ${config.nix.package}/bin/nix-store --gc ${cfg.options}";
+        script = "exec ${config.nix.package}/bin/nix-collect-garbage ${cfg.options}";
         startAt = optionalString cfg.automatic cfg.dates;
       };
 
diff --git a/nixos/modules/services/monitoring/bosun.nix b/nixos/modules/services/monitoring/bosun.nix
index 7a53ce174542..7e8dea4ec024 100644
--- a/nixos/modules/services/monitoring/bosun.nix
+++ b/nixos/modules/services/monitoring/bosun.nix
@@ -30,6 +30,7 @@ in {
 
       package = mkOption {
         type = types.package;
+        default = pkgs.bosun;
         example = literalExample "pkgs.bosun";
         description = ''
           bosun binary to use.
@@ -95,8 +96,6 @@ in {
 
   config = mkIf cfg.enable {
   
-    services.bosun.package = mkDefault pkgs.bosun; 
-
     systemd.services.bosun = {
       description = "bosun metrics collector (part of Bosun)";
       wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index f987c4792e93..0393d01054d1 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -206,7 +206,7 @@ in {
 
     package = mkOption {
       description = "Package to use.";
-      default = pkgs.grafana-backend;
+      default = pkgs.grafana;
       type = types.package;
     };
 
diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix
index 61ba16123252..1017005226b2 100644
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@@ -119,7 +119,7 @@ in
 
           recipient = mkOption {
             default = "root";
-            type = types.string;
+            type = types.str;
             description = "Recipient of the notification messages.";
           };
 
@@ -153,7 +153,7 @@ in
 
           display = mkOption {
             default = ":${toString config.services.xserver.display}";
-            type = types.string;
+            type = types.str;
             description = "DISPLAY to send X11 notifications to.";
           };
         };
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index bbf21634c368..72e9b6144d4b 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -97,8 +97,8 @@ in
         description = ''
           Enabling this will add a line directly after pam_unix.so.
           Whenever a password is changed the samba password will be updated as well.
-          However you still yave to add the samba password once using smbpasswd -a user
-          If you don't want to maintain an extra pwd database you still can send plain text
+          However, you still have to add the samba password once, using smbpasswd -a user.
+          If you don't want to maintain an extra password database, you still can send plain text
           passwords which is not secure.
         '';
       };
diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix
index 27b7dd71d9e5..5e6847097a94 100644
--- a/nixos/modules/services/networking/bitlbee.nix
+++ b/nixos/modules/services/networking/bitlbee.nix
@@ -16,11 +16,12 @@ let
     ''
     [settings]
     RunMode = Daemon
-    User = bitlbee  
+    User = bitlbee
     ConfigDir = ${cfg.configDir}
     DaemonInterface = ${cfg.interface}
     DaemonPort = ${toString cfg.portNumber}
     AuthMode = ${cfg.authMode}
+    Plugindir = ${pkgs.bitlbee-plugins cfg.plugins}/lib/bitlbee
     ${lib.optionalString (cfg.hostName != "") "HostName = ${cfg.hostName}"}
     ${lib.optionalString (cfg.protocols != "") "Protocols = ${cfg.protocols}"}
     ${cfg.extraSettings}
@@ -72,7 +73,7 @@ in
             Open -- Accept connections from anyone, use NickServ for user authentication.
             Closed -- Require authorization (using the PASS command during login) before allowing the user to connect at all.
             Registered -- Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself.
-        ''; 
+        '';
       };
 
       hostName = mkOption {
@@ -85,6 +86,15 @@ in
         '';
       };
 
+      plugins = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        example = literalExample "[ pkgs.bitlbee-facebook ]";
+        description = ''
+          The list of bitlbee plugins to install.
+        '';
+      };
+
       configDir = mkOption {
         default = "/var/lib/bitlbee";
         type = types.path;
@@ -107,14 +117,14 @@ in
         default = "";
         description = ''
           Will be inserted in the Settings section of the config file.
-        ''; 
+        '';
       };
 
       extraDefaults = mkOption {
         default = "";
         description = ''
           Will be inserted in the Default section of the config file.
-        ''; 
+        '';
       };
 
     };
@@ -138,7 +148,7 @@ in
         gid = config.ids.gids.bitlbee;
       };
 
-    systemd.services.bitlbee = 
+    systemd.services.bitlbee =
       { description = "BitlBee IRC to other chat networks gateway";
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix
index 482b61997ae1..deb1cbfc1858 100644
--- a/nixos/modules/services/networking/connman.nix
+++ b/nixos/modules/services/networking/connman.nix
@@ -5,7 +5,12 @@ with lib;
 
 let
   cfg = config.networking.connman;
+  configFile = pkgs.writeText "connman.conf" ''
+    [General]
+    NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist}
 
+    ${cfg.extraConfig}
+  '';
 in {
 
   ###### interface
@@ -22,6 +27,23 @@ in {
         '';
       };
 
+      extraConfig = mkOption {
+        type = types.lines;
+        default = ''
+        '';
+        description = ''
+          Configuration lines appended to the generated connman configuration file.
+        '';
+      };
+
+      networkInterfaceBlacklist = mkOption {
+        type = with types; listOf string;
+        default = [ "vmnet" "vboxnet" "virbr" "ifb" "ve" ];
+        description = ''
+          Default blacklisted interfaces, this includes NixOS containers interfaces (ve).
+        '';
+      };
+
     };
 
   };
@@ -51,7 +73,7 @@ in {
         Type = "dbus";
         BusName = "net.connman";
         Restart = "on-failure";
-        ExecStart = "${pkgs.connman}/sbin/connmand --nodaemon";
+        ExecStart = "${pkgs.connman}/sbin/connmand --config=${configFile} --nodaemon";
         StandardOutput = "null";
       };
     };
diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix
new file mode 100644
index 000000000000..f17f8c832ee4
--- /dev/null
+++ b/nixos/modules/services/networking/dnschain.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services;
+
+  dnschainConf = pkgs.writeText "dnschain.conf" ''
+    [log]
+    level=info
+
+    [dns]
+    host = 127.0.0.1
+    port = 5333
+    oldDNSMethod = NO_OLD_DNS
+    # TODO: check what that address is acutally used for
+    externalIP = 127.0.0.1
+
+    [http]
+    host = 127.0.0.1
+    port=8088
+    tlsPort=4443
+  '';
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.dnschain = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to run dnschain. That implies running
+          namecoind as well, so make sure to configure
+          it appropriately.
+        '';
+      };
+
+    };
+
+    services.dnsmasq = {
+      resolveDnschainQueries = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Resolve <literal>.bit</literal> top-level domains
+          with dnschain and namecoind.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.dnschain.enable {
+
+    services.namecoind.enable = true;
+
+    services.dnsmasq.servers = optionals cfg.dnsmasq.resolveDnschainQueries [ "/.bit/127.0.0.1#5333" ];
+
+    users.extraUsers = singleton
+      { name = "dnschain";
+        uid = config.ids.uids.dnschain;
+        extraGroups = [ "namecoin" ];
+        description = "Dnschain daemon user";
+        home = "/var/lib/dnschain";
+        createHome = true;
+      };
+
+    systemd.services.dnschain = {
+        description = "Dnschain Daemon";
+        after = [ "namecoind.target" ];
+        wantedBy = [ "multi-user.target" ];
+        path = [ pkgs.openssl ];
+        preStart = ''
+          # Link configuration file into dnschain HOME directory
+          if [ "$(${pkgs.coreutils}/bin/realpath /var/lib/dnschain/.dnschain.conf)" != "${dnschainConf}" ]; then
+              rm -rf /var/lib/dnschain/.dnschain.conf
+              ln -s ${dnschainConf} /var/lib/dnschain/.dnschain.conf
+          fi
+
+          # Create empty namecoin.conf so that dnschain is not
+          # searching for /etc/namecoin/namecoin.conf
+          if [ ! -e /var/lib/dnschain/.namecoin/namecoin.conf ]; then
+              mkdir -p /var/lib/dnschain/.namecoin
+              touch /var/lib/dnschain/.namecoin/namecoin.conf
+          fi
+        '';
+        serviceConfig = {
+          Type = "simple";
+          User = "dnschain";
+          EnvironmentFile = config.services.namecoind.userFile;
+          ExecStart = "${pkgs.dnschain}/bin/dnschain --rpcuser=\${USER} --rpcpassword=\${PASSWORD} --rpcport=8336";
+          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+          ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
+        };
+    };
+
+  };
+
+}
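Review bot: `ExecStart` passes the RPC credentials as `--rpcuser=\${USER} --rpcpassword=\${PASSWORD}`, so once systemd expands them the password is part of the process arguments and, with a default /proc, visible to any local user in the process list; the `ExecStart` in namecoind.nix later in this commit does the same with `-rpcpassword=\${PASSWORD}`. If the daemons can read the credentials from a configuration file or from the environment directly, that keeps them out of argv and makes the restrictive mode on the user file meaningful. Separately, `after = [ "namecoind.target" ]` names a unit this commit does not define, since namecoind is declared under `systemd.services`, so the ordering probably has no effect; `after = [ "namecoind.service" ];` looks like what was intended. `EnvironmentFile` here also relies on `config.services.namecoind.userFile`, whose declared default is `null`.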
diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix
index eb3551515723..6907d63d7611 100644
--- a/nixos/modules/services/networking/dnsmasq.nix
+++ b/nixos/modules/services/networking/dnsmasq.nix
@@ -96,7 +96,7 @@ in
           Type = "dbus";
           BusName = "uk.org.thekelleys.dnsmasq";
           ExecStart = "${dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqConf}";
-          ExecReload = "${dnsmasq}/bin/kill -HUP $MAINPID";
+          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         };
         restartTriggers = [ config.environment.etc.hosts.source ];
     };
diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix
new file mode 100644
index 000000000000..83fc1ec66679
--- /dev/null
+++ b/nixos/modules/services/networking/namecoind.nix
@@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.namecoind;
+
+  namecoinConf =
+  let
+    useSSL = (cfg.rpcCertificate != null) && (cfg.rpcKey != null);
+  in
+  pkgs.writeText "namecoin.conf" ''
+    server=1
+    daemon=0
+    rpcallowip=127.0.0.1
+    walletpath=${cfg.wallet}
+    gen=${if cfg.generate then "1" else "0"}
+    rpcssl=${if useSSL then "1" else "0"}
+    ${optionalString useSSL "rpcsslcertificatechainfile=${cfg.rpcCertificate}"}
+    ${optionalString useSSL "rpcsslprivatekeyfile=${cfg.rpcKey}"}
+    ${optionalString useSSL "rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH"}
+    txindex=1
+    txprevcache=1
+  '';
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.namecoind = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to run namecoind.
+        '';
+      };
+
+      wallet = mkOption {
+        type = types.path;
+        example = "/etc/namecoin/wallet.dat";
+        description = ''
+          Wallet file. The ownership of the file has to be
+          namecoin:namecoin, and the permissions must be 0640.
+        '';
+      };
+
+      userFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/etc/namecoin/user";
+        description = ''
+          File containing the user name and user password to
+          authenticate RPC connections to namecoind.
+          The content of the file is of the form:
+          <literal>
+          USER=namecoin
+          PASSWORD=secret
+          </literal>
+          The ownership of the file has to be namecoin:namecoin,
+          and the permissions must be 0640.
+        '';
+      };
+
+      generate = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to generate (mine) Namecoins.
+        '';
+      };
+
+      rpcCertificate = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/etc/namecoin/server.cert";
+        description = ''
+          Certificate file for securing RPC connections.
+        '';
+      };
+
+      rpcKey = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/etc/namecoin/server.pem";
+        description = ''
+          Key file for securing RPC connections.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    users.extraUsers = singleton
+      { name = "namecoin";
+        uid = config.ids.uids.namecoin;
+        description = "Namecoin daemon user";
+        home = "/var/lib/namecoin";
+        createHome = true;
+      };
+
+    users.extraGroups = singleton
+      { name = "namecoin";
+        gid = config.ids.gids.namecoin;
+      };
+
+    systemd.services.namecoind = {
+        description = "Namecoind Daemon";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        preStart = ''
+          if [  "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \
+             -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \
+             -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then
+             echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2
+             exit 1
+          fi
+          if [  "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \
+             -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \
+             -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then
+             echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2
+             exit 1
+          fi
+        '';
+        serviceConfig = {
+          Type = "simple";
+          User = "namecoin";
+          EnvironmentFile = cfg.userFile;
+          ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${namecoinConf} -rpcuser=\${USER} -rpcpassword=\${PASSWORD} -printtoconsole";
+          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+          ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
+          StandardOutput = "null";
+          Nice = "10";
+        };
+    };
+
+  };
+
+}
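Review bot: `userFile` is declared as `types.nullOr types.path` with `default = null`, but `preStart` and `EnvironmentFile = cfg.userFile` use it unconditionally, so enabling the service without setting it fails during evaluation instead of giving a clear message. Making it mandatory like `wallet`, i.e. `type = types.path;` with the `default = null;` line removed, fits how the value is used. The descriptions of `wallet`, `userFile`, `rpcCertificate` and `rpcKey` should also say to give these as strings, as in the examples, because a Nix path literal would be copied into the world-readable store together with the key or wallet. `StandardOutput = "null"` combined with `-printtoconsole` discards the daemon's log output, which deserves a comment if it is intended.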
diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix
index a9183577d0a2..5256fc9bc071 100644
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
@@ -6,6 +6,8 @@ let
 
   inherit (pkgs) ntp;
 
+  cfg = config.services.ntp;
+
   stateDir = "/var/lib/ntp";
 
   ntpUser = "ntp";
@@ -16,10 +18,10 @@ let
     restrict 127.0.0.1
     restrict -6 ::1
 
-    ${toString (map (server: "server " + server + " iburst\n") config.services.ntp.servers)}
+    ${toString (map (server: "server " + server + " iburst\n") cfg.servers)}
   '';
 
-  ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup";
+  ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup ${toString cfg.extraFlags}";
 
 in
 
@@ -51,6 +53,12 @@ in
         '';
       };
 
+      extraFlags = mkOption {
+        type = types.listOf types.str;
+        description = "Extra flags passed to the ntpd command.";
+        default = [];
+      };
+
     };
 
   };
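Review bot: `extraFlags` is flattened with `toString cfg.extraFlags` into `ntpFlags` (second hunk of this file), so the list elements are joined with spaces and not escaped; an element that contains whitespace will not reach ntpd as one argument. How `ntpFlags` is consumed is outside these hunks, so whether a shell sees the string cannot be confirmed from here. The option also has no `example`; adding `example = [ "--interface=eth0" ];` and a sentence in the description that the flags are appended after `-c` and `-u ${ntpUser}:nogroup` would tell users where their flags land relative to the privilege-drop flag.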
diff --git a/nixos/modules/services/networking/oidentd.nix b/nixos/modules/services/networking/oidentd.nix
index 923e7cd0986e..738ab8313a5d 100644
--- a/nixos/modules/services/networking/oidentd.nix
+++ b/nixos/modules/services/networking/oidentd.nix
@@ -28,7 +28,9 @@ with lib;
     jobs.oidentd =
       { startOn = "started network-interfaces";
         daemonType = "fork";
-        exec = "${pkgs.oidentd}/sbin/oidentd -u oidentd -g nogroup";
+        exec = "${pkgs.oidentd}/sbin/oidentd -u oidentd -g nogroup" +
+          optionalString config.networking.enableIPv6 " -a ::"
+        ;
       };
 
     users.extraUsers.oidentd = {
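Review bot: The added `-a ::` has no comment explaining the bind choice, and it changes which socket oidentd listens on whenever `networking.enableIPv6` is set. With only the IPv6 wildcard bound, IPv4 ident queries presumably keep working only through v4-mapped addresses, which depends on the kernel's `bindv6only` setting; that is worth confirming. A comment above the `exec` line would capture it, e.g. `# Bind the IPv6 wildcard so that both IPv6 and (v4-mapped) IPv4 queries are answered.` The lone `;` on its own line would also read better at the end of the `optionalString` line.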
diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix
index 9dc88e61865d..a96888dec864 100644
--- a/nixos/modules/services/networking/openvpn.nix
+++ b/nixos/modules/services/networking/openvpn.nix
@@ -67,12 +67,6 @@ in
 
   options = {
 
-    /* !!! Obsolete. */
-    services.openvpn.enable = mkOption {
-      default = true;
-      description = "Whether to enable OpenVPN.";
-    };
-
     services.openvpn.servers = mkOption {
       default = {};
 
diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix
index 64620bf16041..3436bd01d848 100644
--- a/nixos/modules/services/search/elasticsearch.nix
+++ b/nixos/modules/services/search/elasticsearch.nix
@@ -37,6 +37,12 @@ in {
       type = types.bool;
     };
 
+    package = mkOption {
+      description = "Elasticsearch package to use.";
+      default = pkgs.elasticsearch;
+      type = types.package;
+    };
+
     host = mkOption {
       description = "Elasticsearch listen address.";
       default = "127.0.0.1";
@@ -123,7 +129,7 @@ in {
       after = [ "network-interfaces.target" ];
       environment = { ES_HOME = cfg.dataDir; };
       serviceConfig = {
-        ExecStart = "${pkgs.elasticsearch}/bin/elasticsearch -Des.path.conf=${configDir} ${toString cfg.extraCmdLineOptions}";
+        ExecStart = "${cfg.package}/bin/elasticsearch -Des.path.conf=${configDir} ${toString cfg.extraCmdLineOptions}";
         User = "elasticsearch";
         PermissionsStartOnly = true;
       };
@@ -142,7 +148,7 @@ in {
       '';
     };
 
-    environment.systemPackages = [ pkgs.elasticsearch ];
+    environment.systemPackages = [ cfg.package ];
 
     users.extraUsers = singleton {
       name = "elasticsearch";
diff --git a/nixos/modules/services/search/kibana.nix b/nixos/modules/services/search/kibana.nix
new file mode 100644
index 000000000000..f47ab8f55861
--- /dev/null
+++ b/nixos/modules/services/search/kibana.nix
@@ -0,0 +1,168 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.kibana;
+
+  cfgFile = pkgs.writeText "kibana.json" (builtins.toJSON (
+    (filterAttrsRecursive (n: v: v != null) ({
+      server = {
+        host = cfg.host;
+        port = cfg.port;
+        ssl = {
+          cert = cfg.cert;
+          key = cfg.key;
+        };
+      };
+
+      kibana = {
+        index = cfg.index;
+        defaultAppId = cfg.defaultAppId;
+      };
+
+      elasticsearch = {
+        url = cfg.elasticsearch.url;
+        username = cfg.elasticsearch.username;
+        password = cfg.elasticsearch.password;
+        ssl = {
+          cert = cfg.elasticsearch.cert;
+          key = cfg.elasticsearch.key;
+          ca = cfg.elasticsearch.ca;
+        };
+      };
+
+      logging = {
+        verbose = cfg.logLevel == "verbose";
+        quiet = cfg.logLevel == "quiet";
+        silent = cfg.logLevel == "silent";
+        dest = "stdout";
+      };
+    } // cfg.extraConf)
+  )));
+in {
+  options.services.kibana = {
+    enable = mkEnableOption "enable kibana service";
+
+    host = mkOption {
+      description = "Kibana listening host";
+      default = "127.0.0.1";
+      type = types.str;
+    };
+
+    port = mkOption {
+      description = "Kibana listening port";
+      default = 5601;
+      type = types.int;
+    };
+
+    cert = mkOption {
+      description = "Kibana ssl certificate.";
+      default = null;
+      type = types.nullOr types.path;
+    };
+
+    key = mkOption {
+      description = "Kibana ssl key.";
+      default = null;
+      type = types.nullOr types.path;
+    };
+
+    index = mkOption {
+      description = "Elasticsearch index to use for saving kibana config.";
+      default = ".kibana";
+      type = types.str;
+    };
+
+    defaultAppId = mkOption {
+      description = "Elasticsearch default application id.";
+      default = "discover";
+      type = types.str;
+    };
+
+    elasticsearch = {
+      url = mkOption {
+        description = "Elasticsearch url";
+        default = "http://localhost:9200";
+        type = types.str;
+      };
+
+      username = mkOption {
+        description = "Username for elasticsearch basic auth.";
+        default = null;
+        type = types.nullOr types.str;
+      };
+
+      password = mkOption {
+        description = "Password for elasticsearch basic auth.";
+        default = null;
+        type = types.nullOr types.str;
+      };
+
+      ca = mkOption {
+        description = "CA file to auth against elasticsearch.";
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+      cert = mkOption {
+        description = "Certificate file to auth against elasticsearch.";
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+      key = mkOption {
+        description = "Key file to auth against elasticsearch.";
+        default = null;
+        type = types.nullOr types.path;
+      };
+    };
+
+    logLevel = mkOption {
+      description = "Kibana log level";
+      default = "normal";
+      type = types.enum ["verbose" "normal" "silent" "quiet"];
+    };
+
+    package = mkOption {
+      description = "Kibana package to use";
+      default = pkgs.kibana;
+      type = types.package;
+    };
+
+    dataDir = mkOption {
+      description = "Kibana data directory";
+      default = "/var/lib/kibana";
+      type = types.path;
+    };
+
+    extraConf = mkOption {
+      description = "Kibana extra configuration";
+      default = {};
+      type = types.attrs;
+    };
+  };
+
+  config = mkIf (cfg.enable) {
+    systemd.services.kibana = {
+      description = "Kibana Service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-interfaces.target" "elasticsearch.service" ];
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/kibana --config ${cfgFile}";
+        User = "kibana";
+        WorkingDirectory = cfg.dataDir;
+      };
+    };
+
+    environment.systemPackages = [ cfg.package ];
+
+    users.extraUsers = singleton {
+      name = "kibana";
+      uid = config.ids.uids.kibana;
+      description = "Kibana service user";
+      home = cfg.dataDir;
+      createHome = true;
+    };
+  };
+}
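Review bot: `elasticsearch.password` is serialised into `cfgFile`, which is built with `pkgs.writeText` and therefore lands in the Nix store, where every local user can read it. The option description should say so, e.g. `Password for elasticsearch basic auth. Note that this value is stored world-readable in the Nix store.` The same probably applies to `key` and `elasticsearch.key`: they are `types.path`, so a Nix path literal would be copied into the store when `builtins.toJSON` serialises it, and the descriptions could ask for a string path to a file kept outside the store. Separately, `mkEnableOption "enable kibana service"` renders as "Whether to enable enable kibana service."; `mkEnableOption "the Kibana service"` reads correctly.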
diff --git a/nixos/modules/services/security/physlock.nix b/nixos/modules/services/security/physlock.nix
new file mode 100644
index 000000000000..34d0be3b1beb
--- /dev/null
+++ b/nixos/modules/services/security/physlock.nix
@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.physlock;
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.physlock = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable the <command>physlock</command> screen locking mechanism.
+
+          Enable this and then run <command>systemctl start physlock</command>
+          to securely lock the screen.
+
+          This will switch to a new virtual terminal, turn off console
+          switching and disable SysRq mechanism (when
+          <option>services.physlock.disableSysRq</option> is set)
+          until the root or <option>services.physlock.user</option>
+          password is given.
+        '';
+      };
+
+      user = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          User whose password will be used to unlock the screen on par
+          with the root password.
+        '';
+      };
+
+      disableSysRq = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to disable SysRq when locked with physlock.
+        '';
+      };
+
+      lockOn = {
+
+        suspend = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            Whether to lock screen with physlock just before suspend.
+          '';
+        };
+
+        hibernate = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            Whether to lock screen with physlock just before hibernate.
+          '';
+        };
+
+        extraTargets = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          example = [ "display-manager.service" ];
+          description = ''
+            Other targets to lock the screen just before.
+
+            Useful if you want to e.g. both autologin to X11 so that
+            your <filename>~/.xsession</filename> gets executed and
+            still to have the screen locked so that the system can be
+            booted relatively unattended.
+          '';
+        };
+
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    # for physlock -l and physlock -L
+    environment.systemPackages = [ pkgs.physlock ];
+
+    systemd.services."physlock" = {
+      enable = true;
+      description = "Physlock";
+      wantedBy = optional cfg.lockOn.suspend   "suspend.target"
+              ++ optional cfg.lockOn.hibernate "hibernate.target"
+              ++ cfg.lockOn.extraTargets;
+      before   = optional cfg.lockOn.suspend   "systemd-suspend.service"
+              ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
+              ++ cfg.lockOn.extraTargets;
+      serviceConfig.Type = "forking";
+      script = ''
+        ${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}${optionalString (cfg.user != null) " -u ${cfg.user}"}
+      '';
+    };
+
+  };
+
+}
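Review bot: `lockOn.suspend` and `lockOn.hibernate` hook only `suspend.target` and `hibernate.target`, so a machine that sleeps through hybrid sleep is not locked even with both options at their default `true`. Either add `hybrid-sleep.target` / `systemd-hybrid-sleep.service` to the `wantedBy` / `before` lists, or state in the option descriptions that hybrid sleep is not covered. In `script`, `cfg.user` is interpolated unquoted into the shell line; `" -u ${escapeShellArg cfg.user}"` keeps an unusual user name from being split or expanded by the shell.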
diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix
index 00df4042d890..becd57055d41 100644
--- a/nixos/modules/services/torrent/deluge.nix
+++ b/nixos/modules/services/torrent/deluge.nix
@@ -36,6 +36,8 @@ in {
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.pythonPackages.deluge ];
       serviceConfig.ExecStart = "${pkgs.pythonPackages.deluge}/bin/deluged -d";
+      # To prevent "Quit & shutdown daemon" from working; we want systemd to manage it!
+      serviceConfig.Restart = "on-success";
       serviceConfig.User = "deluge";
       serviceConfig.Group = "deluge";
     };
diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
index 8884569c7bc8..921f774bcaa0 100644
--- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@@ -5,8 +5,8 @@ with lib;
 
 let
 
-  version = "4.2";
-  fullversion = "${version}.2";
+  version = "4.3";
+  fullversion = "${version}";
 
   # Our bare-bones wp-config.php file using the above settings
   wordpressConfig = pkgs.writeText "wp-config.php" ''
@@ -40,6 +40,8 @@ let
     RewriteRule ^(.*\.php)$ $1 [L]
     RewriteRule . index.php [L]
     </IfModule>
+
+    ${config.extraHtaccess}
   '';
 
   # WP translation can be found here:
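Review bot: `extraHtaccess`, interpolated here as `${config.extraHtaccess}`, is declared in the last hunk of this file without a `type`, so a non-string value is not rejected by the module system. Adding `type = types.lines;` to that `mkOption` would type-check it and join multiple definitions with newlines. The text is written verbatim after the rewrite block and is not validated, so the description could add `Directives given here are not checked and can override the rules generated above.`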
@@ -72,7 +74,7 @@ let
       owner = "WordPress";
       repo = "WordPress";
       rev = "${fullversion}";
-      sha256 = "0gq1j9b0d0rykql3jzdb2yn4adj0rrcsvqrmj3dzx11ir57ilsgc";
+      sha256 = "0sz5jjhjpwqis8336gyq9a77cr4sf8zahd1y4pzmpvpzn9cn503y";
     };
     installPhase = ''
       mkdir -p $out
@@ -220,7 +222,18 @@ in
         settings, see <link xlink:href='http://codex.wordpress.org/Editing_wp-config.php'/>.
       '';
     };
-  }; 
+    extraHtaccess = mkOption {
+      default = "";
+      example =
+        ''
+          php_value upload_max_filesize 20M
+          php_value post_max_size 20M
+        '';
+      description = ''
+        Any additional text to be appended to Wordpress's .htaccess file.
+      '';
+    };
+  };
 
   documentRoot = wordpressRoot;
 
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index b16f701a0c9f..25816446e999 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -8,12 +8,13 @@ let
   configFile = pkgs.writeText "nginx.conf" ''
     user ${cfg.user} ${cfg.group};
     daemon off;
+
     ${cfg.config}
+
     ${optionalString (cfg.httpConfig != "") ''
     http {
-    ${cfg.httpConfig}
-    ${cfg.httpServers}
-    ${cfg.httpDefaultServer}
+      include ${cfg.package}/conf/mime.types;
+      ${cfg.httpConfig}
     }
     ''}
     ${cfg.appendConfig}
@@ -62,32 +63,7 @@ in
       httpConfig = mkOption {
         type = types.lines;
         default = "";
-        description = ''
-          Configuration lines to be placed at the top inside of
-          the http {} block. The option is intended to be used for
-          the default configuration of the servers.
-        '';
-      };
-
-      httpServers = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Configuration lines to be placed inside of the http {}
-          block. The option is intended to be used for defining
-          individual servers.
-        '';
-      };
-
-      httpDefaultServer = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Configuration lines to be placed at the bottom inside of
-          the http {} block. The option is intended to be used for
-          setting up the default servers. The default server is used
-          if no previously specified server matches a request.
-        '';
+        description = "Configuration lines to be appended inside of the http {} block.";
       };
 
       stateDir = mkOption {
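Review bot: The new `httpConfig` description does not mention that the `http {}` block now begins with `include ${cfg.package}/conf/mime.types;`, added in the first hunk of this file. Configurations that already include a mime.types file in `httpConfig` would load the types twice, so the description could read `Configuration lines to be appended inside of the http {} block, after the mime.types file shipped with the package has been included.` The `httpServers` and `httpDefaultServer` options are removed in this hunk, and whether they are marked obsolete elsewhere is not visible here. The definition of `cfg.package` is also outside these hunks.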
diff --git a/nixos/modules/services/web-servers/nginx/reverse_proxy.nix b/nixos/modules/services/web-servers/nginx/reverse_proxy.nix
deleted file mode 100644
index c21406dff29a..000000000000
--- a/nixos/modules/services/web-servers/nginx/reverse_proxy.nix
+++ /dev/null
@@ -1,233 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  cfg = config.services.nginx;
-
-  defaultSSL = cfg.httpDefaultKey != null || cfg.httpDefaultCertificate != null;
-
-  validSSL = key: cert: cert != null && key != null || cert == null && key == null;
-
-in
-
-{
-  options = {
-
-    services.nginx = {
-
-      reverseProxies = mkOption {
-        type = types.attrsOf (types.submodule (
-          {
-            options = {
-              proxy = mkOption {
-                type = types.str;
-                default = [];
-                description = ''
-                  Exclude files and directories matching these patterns.
-                '';
-              };
-
-              key = mkOption {
-                type = types.nullOr types.path;
-                default = null;
-                description = ''
-                  Exclude files and directories matching these patterns.
-                '';
-              };
-
-              certificate = mkOption {
-                type = types.nullOr types.path;
-                default = null;
-                description = ''
-                  Exclude files and directories matching these patterns.
-                '';
-              };
-            };
-          }
-        ));
-
-        default = {};
-
-        example = literalExample ''
-          {
-            "hydra.yourdomain.org" =
-              { proxy = "localhost:3000";
-                key = "/etc/nixos/certs/hydra_key.key";
-                certificate = "/etc/nixos/certs/hydra_cert.crt";
-              };
-          }
-        '';
-
-        description = ''
-          A reverse proxy server configuration is created for every attribute.
-          The attribute name corresponds to the name the server is listening to,
-          and the proxy option defines the target to forward the requests to.
-          If a key and certificate are given, then the server is secured through
-          a SSL connection. Non-SSL requests on port 80 are automatically
-          re-directed to the SSL server on port 443.
-        '';
-      };
-
-      httpDefaultKey = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        example = "/etc/nixos/certs/defaut_key.key";
-        description = ''
-           Key of SSL certificate for default server.
-           The default certificate is presented by the default server during
-           the SSL handshake when no specialized server configuration matches
-           a request.
-           A default SSL certificate is also helpful if browsers do not
-           support the TLS Server Name Indication extension (SNI, RFC 6066).
-        '';
-      };
-
-      httpDefaultCertificate = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        example = "/etc/nixos/certs/defaut_key.crt";
-        description = ''
-           SSL certificate for default server.
-           The default certificate is presented by the default server during
-           the SSL handshake when no specialized server configuration matches
-           a request.
-           A default SSL certificate is also helpful if browsers do not
-           support the TLS Server Name Indication extension (SNI, RFC 6066).
-        '';
-      };
-
-    };
-
-  };
-
-
-  config = mkIf (cfg.reverseProxies != {}) {
-
-    assertions = [
-      { assertion = all id (mapAttrsToList (n: v: validSSL v.certificate v.key) cfg.reverseProxies);
-        message = ''
-          One (or more) reverse proxy configurations specify only either
-          the key option or the certificate option. Both certificate
-          with associated key have to be configured to enable SSL for a
-          server configuration.
-
-          services.nginx.reverseProxies: ${toString cfg.reverseProxies}
-        '';
-      }
-      { assertion = validSSL cfg.httpDefaultCertificate cfg.httpDefaultKey;
-        message = ''
-          The default server configuration specifies only either the key
-          option or the certificate option. Both httpDefaultCertificate
-          with associated httpDefaultKey have to be configured to enable
-          SSL for the default server configuration.
-
-          services.nginx.httpDefaultCertificate: ${toString cfg.httpDefaultCertificate}
-
-          services.nginx.httpDefaultKey : ${toString cfg.httpDefaultKey}
-        '';
-      }
-    ];
-
-    services.nginx.config = mkBefore ''
-      worker_processes 1;
-      error_log logs/error.log debug;
-      pid logs/nginx.pid;
-      events {
-         worker_connections  1024;
-      }
-    '';
-
-    services.nginx.httpConfig = mkBefore ''
-      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                '$status $body_bytes_sent "$http_referer" '
-                '"$http_user_agent" "$http_x_forwarded_for"';
-      access_log  logs/access.log  main;
-      sendfile        on;
-      tcp_nopush      on;
-      keepalive_timeout  10;
-      gzip            on;
-
-      ${lib.optionalString defaultSSL ''
-      ssl_session_cache    shared:SSL:10m;
-      ssl_session_timeout  10m;
-      ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
-      ssl_ciphers          HIGH:!aNULL:!MD5;
-      ssl_certificate      ${cfg.httpDefaultCertificate};
-      ssl_certificate_key  ${cfg.httpDefaultKey};
-      ''}
-    '';
-
-    services.nginx.httpDefaultServer = mkBefore ''
-      # reject as default policy
-      server {
-          listen 80 default_server;
-          listen [::]:80 default_server;
-          ${lib.optionalString defaultSSL "listen 443 default_server ssl;"}
-          return      444;
-      }
-    '';
-
-    services.nginx.httpServers =
-      let
-        useSSL = certificate: key: certificate != null && key != null;
-
-        server = servername: proxy: certificate: key: useSSL: ''
-          server {
-            server_name ${servername};
-            keepalive_timeout    70;
-
-            ${if !useSSL then ''
-            listen 80;
-            listen [::]:80;
-            '' else ''
-            listen 443 ssl;
-            ssl_session_cache    shared:SSL:10m;
-            ssl_session_timeout  10m;
-            ssl_certificate      ${certificate};
-            ssl_certificate_key  ${key};
-            ''}
-
-            location / {
-              proxy_pass ${proxy};
-
-              ### force timeouts if one of backend is dead ##
-              proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
-
-              ### Set headers ####
-              proxy_set_header        Accept-Encoding   "";
-              proxy_set_header        Host            $host;
-              proxy_set_header        X-Real-IP       $remote_addr;
-              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-
-              ${lib.optionalString useSSL ''
-              ### Most PHP, Python, Rails, Java App can use this header ###
-              #proxy_set_header X-Forwarded-Proto https;##
-              #This is better##
-              proxy_set_header        X-Forwarded-Proto $scheme;
-              add_header              Front-End-Https   on;
-              ''}
-
-              ### By default we don't want to redirect it ####
-              proxy_redirect     off;
-              proxy_buffering    off;
-            }
-          }
-
-          ${lib.optionalString useSSL ''
-          # redirect http to https
-          server {
-              listen 80;
-              listen [::]:80;
-              server_name ${servername};
-              return 301 https://$server_name$request_uri;
-          }
-          ''}
-        '';
-      in
-      concatStrings (mapAttrsToList (n: v: server n v.proxy v.certificate v.key (useSSL v.proxy v.certificate)) cfg.reverseProxies);
-
-  };
-
-}
diff --git a/nixos/modules/services/x11/desktop-managers/e19.nix b/nixos/modules/services/x11/desktop-managers/e19.nix
index 74065c862ef7..2d5c7b192bc6 100644
--- a/nixos/modules/services/x11/desktop-managers/e19.nix
+++ b/nixos/modules/services/x11/desktop-managers/e19.nix
@@ -62,7 +62,6 @@ in
         waitPID=$!
       '';
     }];
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
 
     security.setuidPrograms = [ "e19_freqset" ];
 
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 507c2d2da139..fdee5fbc6c5b 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -99,7 +99,6 @@ in {
     networking.networkmanager.enable = mkDefault true;
     services.upower.enable = config.powerManagement.enable;
     hardware.bluetooth.enable = mkDefault true;
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = false; # true doesn't make sense here, GNOME just doesn't handle it anymore
 
     fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];
 
diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix
index 7830e984219a..21b6243ba188 100644
--- a/nixos/modules/services/x11/desktop-managers/kde4.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde4.nix
@@ -111,7 +111,6 @@ in
             exec ${kde_workspace}/bin/startkde
           '';
       };
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
 
     security.setuidOwners = singleton
       { program = "kcheckpass";
diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix
index 01a8704fea71..5061d59b7c7f 100644
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@@ -78,7 +78,6 @@ in
       bgSupport = true;
       start = ''exec ${plasma5.plasma-workspace}/bin/startkde;'';
     };
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
 
     security.setuidOwners = singleton {
       program = "kcheckpass";
diff --git a/nixos/modules/services/x11/desktop-managers/kodi.nix b/nixos/modules/services/x11/desktop-managers/kodi.nix
index e6d6efaf3a61..de00ff93b17c 100644
--- a/nixos/modules/services/x11/desktop-managers/kodi.nix
+++ b/nixos/modules/services/x11/desktop-managers/kodi.nix
@@ -25,7 +25,6 @@ in
         waitPID=$!
       '';
     }];
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
 
     environment.systemPackages = [ pkgs.kodi ];
   };
diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix
index 746f810a11ff..88eefa13de35 100644
--- a/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -37,7 +37,6 @@ in
             exec ${pkgs.stdenv.shell} ${pkgs.xfce.xinitrc}
           '';
       };
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
 
     environment.systemPackages =
       [ pkgs.gtk # To get GTK+'s themes.
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 55af2ecbb764..887b6f88a741 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -23,6 +23,10 @@ in
         <emphasis>GDM is very experimental and may render system unusable.</emphasis>
       '';
 
+      debug = mkEnableOption ''
+        debugging messages in GDM
+      '';
+
       autoLogin = mkOption {
         default = {};
         description = ''
@@ -69,8 +73,7 @@ in
   config = mkIf cfg.gdm.enable {
 
     assertions = [
-      { assertion = let autoLogin = cfg.gdm.autoLogin; in
-          if autoLogin.enable then autoLogin.user != null else true;
+      { assertion = cfg.gdm.autoLogin.enable -> cfg.gdm.autoLogin.user != null;
         message = "GDM auto-login requires services.xserver.displayManager.gdm.autoLogin.user to be set";
       }
     ];
@@ -109,13 +112,21 @@ in
 
     programs.dconf.profiles.gdm = "${gdm}/share/dconf/profile/gdm";
 
+    # Use AutomaticLogin if delay is zero, because it's immediate.
+    # Otherwise with TimedLogin with zero seconds the prompt is still
+    # presented and there's a little delay.
     environment.etc."gdm/custom.conf".text = ''
       [daemon]
-      ${optionalString cfg.gdm.autoLogin.enable ''
-      TimedLoginEnable=true
-      TimedLogin=${cfg.gdm.autoLogin.user}
-      TimedLoginDelay=${toString cfg.gdm.autoLogin.delay}
-      ''}
+      ${optionalString cfg.gdm.autoLogin.enable (
+        if cfg.gdm.autoLogin.delay > 0 then ''
+          TimedLoginEnable=true
+          TimedLogin=${cfg.gdm.autoLogin.user}
+          TimedLoginDelay=${toString cfg.gdm.autoLogin.delay}
+        '' else ''
+          AutomaticLoginEnable=true
+          AutomaticLogin=${cfg.gdm.autoLogin.user}
+        '')
+      }
 
       [security]
 
@@ -126,6 +137,7 @@ in
       [chooser]
 
       [debug]
+      ${optionalString cfg.gdm.debug "Enable=true"}
     '';
 
     # GDM LFS PAM modules, adapted somehow to NixOS
diff --git a/nixos/modules/services/x11/redshift.nix b/nixos/modules/services/x11/redshift.nix
index 4f39e05f0f8d..ffae22d2d670 100644
--- a/nixos/modules/services/x11/redshift.nix
+++ b/nixos/modules/services/x11/redshift.nix
@@ -1,58 +1,90 @@
 { config, lib, pkgs, ... }:
+
 with lib;
+
 let
+
   cfg = config.services.redshift;
 
 in {
-  options = {
-    services.redshift.enable = mkOption {
+
+  options.services.redshift = {
+    enable = mkOption {
       type = types.bool;
       default = false;
       example = true;
-      description = "Enable Redshift to change your screen's colour temperature depending on the time of day";
+      description = ''
+        Enable Redshift to change your screen's colour temperature depending on
+        the time of day.
+      '';
     };
 
-    services.redshift.latitude = mkOption {
-      description = "Your current latitude";
+    latitude = mkOption {
       type = types.str;
+      description = ''
+        Your current latitude.
+      '';
     };
 
-    services.redshift.longitude = mkOption {
-      description = "Your current longitude";
+    longitude = mkOption {
       type = types.str;
+      description = ''
+        Your current longitude.
+      '';
     };
 
-    services.redshift.temperature = {
+    temperature = {
       day = mkOption {
-        description = "Colour temperature to use during day time";
-        default = 5500;
         type = types.int;
+        default = 5500;
+        description = ''
+          Colour temperature to use during the day.
+        '';
       };
       night = mkOption {
-        description = "Colour temperature to use during night time";
-        default = 3700;
         type = types.int;
+        default = 3700;
+        description = ''
+          Colour temperature to use at night.
+        '';
       };
     };
 
-    services.redshift.brightness = {
+    brightness = {
       day = mkOption {
-        description = "Screen brightness to apply during the day (between 0.1 and 1.0)";
-        default = "1";
         type = types.str;
+        default = "1";
+        description = ''
+          Screen brightness to apply during the day,
+          between <literal>0.1</literal> and <literal>1.0</literal>.
+        '';
       };
       night = mkOption {
-        description = "Screen brightness to apply during the night (between 0.1 and 1.0)";
-        default = "1";
         type = types.str;
+        default = "1";
+        description = ''
+          Screen brightness to apply during the night,
+          between <literal>0.1</literal> and <literal>1.0</literal>.
+        '';
       };
     };
 
-    services.redshift.extraOptions = mkOption {
+    package = mkOption {
+      type = types.package;
+      default = pkgs.redshift;
+      description = ''
+        redshift derivation to use.
+      '';
+    };
+
+    extraOptions = mkOption {
       type = types.listOf types.str;
       default = [];
       example = [ "-v" "-m randr" ];
-      description = "Additional command-line arguments to pass to the redshift(1) command";
+      description = ''
+        Additional command-line arguments to pass to
+        <command>redshift</command>.
+      '';
     };
   };
 
@@ -63,7 +95,7 @@ in {
       after = [ "display-manager.service" ];
       wantedBy = [ "graphical.target" ];
       serviceConfig.ExecStart = ''
-        ${pkgs.redshift}/bin/redshift \
+        ${cfg.package}/bin/redshift \
           -l ${cfg.latitude}:${cfg.longitude} \
           -t ${toString cfg.temperature.day}:${toString cfg.temperature.night} \
           -b ${toString cfg.brightness.day}:${toString cfg.brightness.night} \
@@ -73,4 +105,5 @@ in {
       serviceConfig.Restart = "always";
     };
   };
+
 }
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 1ec098fded6e..3348e8d0582c 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -13,7 +13,6 @@ let
 
   # Map video driver names to driver packages. FIXME: move into card-specific modules.
   knownVideoDrivers = {
-    nouveau       = { modules = [ pkgs.xf86_video_nouveau ]; };
     unichrome    = { modules = [ pkgs.xorgVideoUnichrome ]; };
     virtualbox   = { modules = [ kernelPackages.virtualboxGuestAdditions ]; driverName = "vboxvideo"; };
     ati = { modules = [ pkgs.xorg.xf86videoati pkgs.xorg.glamoregl ]; };
diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index a977ddb7bb4d..81088a56fb12 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -99,7 +99,9 @@ let
   # makes it bootable.
   baseSystem = showWarnings (
     if [] == failed then pkgs.stdenv.mkDerivation {
-      name = "nixos-${config.system.nixosVersion}";
+      name = let hn = config.networking.hostName;
+                 nn = if (hn != "") then hn else "unnamed";
+          in "nixos-system-${nn}-${config.system.nixosVersion}";
       preferLocalBuild = true;
       allowSubstitutes = false;
       buildCommand = systemBuilder;
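Review bot: `config.networking.hostName` is interpolated into the derivation name on the new `name = let hn = ...` lines without any check that it contains only characters valid in a store path name, so a host name with, for example, a space would presumably surface as an evaluation error far from the option that caused it. Whether `networking.hostName` is validated elsewhere is not visible here; if it is not, an assertion on the option or a filter applied to `hn` would give a clearer failure. The host name also becomes part of the system closure's store path, which appears in build logs and in any cache the closure is copied to, so a short comment such as `# the host name is deliberately part of the store path name` would record that this is intended. The enclosing `baseSystem` expression continues outside the hunk.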
diff --git a/nixos/modules/system/boot/loader/efi.nix b/nixos/modules/system/boot/loader/efi.nix
index 241cfc7e836d..726634e664d7 100644
--- a/nixos/modules/system/boot/loader/efi.nix
+++ b/nixos/modules/system/boot/loader/efi.nix
@@ -15,7 +15,7 @@ with lib;
     efiSysMountPoint = mkOption {
       default = "/boot";
 
-      type = types.string;
+      type = types.str;
 
       description = "Where the EFI System Partition is mounted.";
     };
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 1b4f0d401e6d..4a14ff1879c9 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -242,20 +242,20 @@ in
 
         name = mkOption {
           example = "luksroot";
-          type = types.string;
+          type = types.str;
           description = "Named to be used for the generated device in /dev/mapper.";
         };
 
         device = mkOption {
           example = "/dev/sda2";
-          type = types.string;
+          type = types.str;
           description = "Path of the underlying block device.";
         };
 
         header = mkOption {
           default = null;
           example = "/root/header.img";
-          type = types.nullOr types.string;
+          type = types.nullOr types.str;
           description = ''
             The name of the file or block device that
             should be used as header for the encrypted device.
@@ -265,7 +265,7 @@ in
         keyFile = mkOption {
           default = null;
           example = "/dev/sdb1";
-          type = types.nullOr types.string;
+          type = types.nullOr types.str;
           description = ''
             The name of the file (can be a raw device or a partition) that
             should be used as the decryption key for the encrypted device. If
@@ -349,7 +349,7 @@ in
 
             ramfsMountPoint = mkOption {
               default = "/crypt-ramfs";
-              type = types.string;
+              type = types.str;
               description = "Path where the ramfs used to update the LUKS key will be mounted during early boot.";
             };
 
@@ -369,19 +369,19 @@ in
 
               fsType = mkOption {
                 default = "vfat";
-                type = types.string;
+                type = types.str;
                 description = "The filesystem of the unencrypted device.";
               };
 
               mountPoint = mkOption {
                 default = "/crypt-storage";
-                type = types.string;
+                type = types.str;
                 description = "Path where the unencrypted device will be mounted during early boot.";
               };
 
               path = mkOption {
                 default = "/crypt-storage/default";
-                type = types.string;
+                type = types.str;
                 description = ''
                   Absolute path of the salt on the unencrypted device with
                   that device's root directory as "/".
diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix
index c49380899664..9bb10eac9880 100644
--- a/nixos/modules/system/boot/modprobe.nix
+++ b/nixos/modules/system/boot/modprobe.nix
@@ -85,11 +85,7 @@ with lib;
         '')}
         ${config.boot.extraModprobeConfig}
       '';
-    environment.etc."modprobe.d/usb-load-ehci-first.conf".text =
-      ''
-        softdep uhci_hcd pre: ehci_hcd
-        softdep ohci_hcd pre: ehci_hcd
-      '';
+    environment.etc."modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases;
 
     environment.systemPackages = [ config.system.sbin.modprobe pkgs.kmod ];
 
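Review bot: The explicit `softdep uhci_hcd pre: ehci_hcd` and `softdep ohci_hcd pre: ehci_hcd` rules are replaced by whatever `pkgs.kmod-debian-aliases` ships, and nothing in the hunk says what that file contains. A comment above the new line, e.g. `# Debian's modprobe aliases, blacklists and softdeps; replaces the ehci-before-uhci/ohci rules`, would record that the ordering is still covered, which should be confirmed against the package. The same file is linked into the initrd by the stage-1.nix hunk of this commit, so every entry in it also affects module loading during early boot.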
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 893861a2eed2..f782eca3f647 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -241,6 +241,9 @@ let
           };
           symlink = "/etc/modprobe.d/ubuntu.conf";
         }
+        { object = pkgs.kmod-debian-aliases;
+          symlink = "/etc/modprobe.d/debian.conf";
+        }
       ];
   };
 
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index 0370e36fbec2..8b5dd22fd380 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -22,21 +22,21 @@ let
       blkDev = mkOption {
         default = null;
         example = "/dev/sda1";
-        type = types.uniq (types.nullOr types.string);
+        type = types.nullOr types.str;
         description = "Location of the backing encrypted device.";
       };
 
       label = mkOption {
         default = null;
         example = "rootfs";
-        type = types.uniq (types.nullOr types.string);
+        type = types.nullOr types.str;
         description = "Label of the backing encrypted device.";
       };
 
       keyFile = mkOption {
         default = null;
         example = "/root/.swapkey";
-        type = types.uniq (types.nullOr types.string);
+        type = types.nullOr types.str;
         description = "File system location of keyfile.";
       };
     };
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index ce21d9fe7621..ce9e3555b6cd 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -22,14 +22,14 @@ let
       device = mkOption {
         default = null;
         example = "/dev/sda";
-        type = types.uniq (types.nullOr types.string);
+        type = types.nullOr types.str;
         description = "Location of the device.";
       };
 
       label = mkOption {
         default = null;
         example = "root-partition";
-        type = types.uniq (types.nullOr types.string);
+        type = types.nullOr types.str;
         description = "Label of the device (if any).";
       };
 
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index a967fc77e686..9931c977e8f0 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -499,7 +499,7 @@ in
 
         interface = mkOption {
           example = "enp4s0";
-          type = types.string;
+          type = types.str;
           description = "The interface the macvlan will transmit packets through.";
         };
 
@@ -605,7 +605,7 @@ in
 
         interface = mkOption {
           example = "enp4s0";
-          type = types.string;
+          type = types.str;
           description = "The interface the vlan will transmit packets through.";
         };
 
diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix
index 3f554d127c35..1013396c0498 100644
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
@@ -26,7 +26,7 @@ in
               ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vpc $diskImage $out/disk.vhd
               rm $diskImage
             '';
-          diskImageBase = "nixos-${config.system.nixosVersion}-${pkgs.stdenv.system}.raw";
+          diskImageBase = "nixos-image-${config.system.nixosVersion}-${pkgs.stdenv.system}.raw";
           buildInputs = [ pkgs.utillinux pkgs.perl ];
           exportReferencesGraph =
             [ "closure" config.system.build.toplevel ];
diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix
index 3a956caca0c3..0eb46d39b521 100644
--- a/nixos/modules/virtualisation/brightbox-image.nix
+++ b/nixos/modules/virtualisation/brightbox-image.nix
@@ -26,7 +26,7 @@ in
               rm $diskImageBase
               popd
             '';
-          diskImageBase = "nixos-${config.system.nixosVersion}-${pkgs.stdenv.system}.raw";
+          diskImageBase = "nixos-image-${config.system.nixosVersion}-${pkgs.stdenv.system}.raw";
           buildInputs = [ pkgs.utillinux pkgs.perl ];
           exportReferencesGraph =
             [ "closure" config.system.build.toplevel ];
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 59f486ff78b7..02cf1fe46a55 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -12,6 +12,12 @@ let
     perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl";
     su = "${pkgs.shadow.su}/bin/su";
     inherit (pkgs) utillinux;
+
+    postInstall = ''
+      t=$out/etc/bash_completion.d
+      mkdir -p $t
+      cp ${./nixos-container-completion.sh} $t/nixos-container
+    '';
   };
 
   # The container's init script, a small wrapper around the regular
@@ -102,7 +108,7 @@ in
             };
 
             hostAddress = mkOption {
-              type = types.nullOr types.string;
+              type = types.nullOr types.str;
               default = null;
               example = "10.231.136.1";
               description = ''
@@ -111,7 +117,7 @@ in
             };
 
             localAddress = mkOption {
-              type = types.nullOr types.string;
+              type = types.nullOr types.str;
               default = null;
               example = "10.231.136.2";
               description = ''
@@ -299,7 +305,7 @@ in
             ''
               #! ${pkgs.stdenv.shell} -e
               ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \
-                bash --login -c "/nix/var/nix/profiles/system/bin/switch-to-configuration test"
+                bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
             '';
 
           SyslogIdentifier = "container %i";
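Review bot: `SYSTEM_PATH` is spliced into the string handed to `bash --login -c` on the changed line, so its value is parsed as shell source inside the container rather than treated as a plain path. Where the variable is set is not visible in this hunk; if it comes from a per-container configuration file, a value containing whitespace or shell metacharacters would change the command that runs on reload. I would add a comment naming the source and the constraint, e.g. `# SYSTEM_PATH is set in <container config file>; it must be an absolute path without whitespace`. The enclosing script attribute starts outside the hunk.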
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix
index ba078cc0a11f..0115b972e80d 100644
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -67,7 +67,7 @@ in
 
     postStart =
       mkOption {
-        type = types.string;
+        type = types.lines;
         default = ''
           while ! [ -e /var/run/docker.sock ]; do
             sleep 0.1
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 516da926f847..f21ddc12ca5a 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -30,7 +30,7 @@ in
               rm $out/disk.raw
               popd
             '';
-          diskImageBase = "nixos-${config.system.nixosVersion}-${pkgs.stdenv.system}.raw";
+          diskImageBase = "nixos-image-${config.system.nixosVersion}-${pkgs.stdenv.system}.raw";
           buildInputs = [ pkgs.utillinux pkgs.perl ];
           exportReferencesGraph =
             [ "closure" config.system.build.toplevel ];
diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
new file mode 100644
index 000000000000..488153334bc1
--- /dev/null
+++ b/nixos/modules/virtualisation/lxd.nix
@@ -0,0 +1,64 @@
+# Systemd services for lxd.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.virtualisation.lxd;
+
+in
+
+{
+  ###### interface
+
+  options = {
+
+    virtualisation.lxd.enable =
+      mkOption {
+        type = types.bool;
+        default = false;
+        description =
+          ''
+            This option enables lxd, a daemon that manages
+            containers. Users in the "lxd" group can interact with
+            the daemon (e.g. to start or stop containers) using the
+            <command>lxc</command> command line tool, among others.
+          '';
+      };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages =
+      [ pkgs.lxd ];
+
+    systemd.services.lxd =
+      { description = "LXD Container Management Daemon";
+
+        wantedBy = [ "multi-user.target" ];
+        after = [ "systemd-udev-settle.service" ];
+
+        # TODO(wkennington): Add lvm2 and thin-provisioning-tools
+        path = with pkgs; [ acl rsync gnutar xz btrfsProgs ];
+
+        serviceConfig.ExecStart = "@${pkgs.lxd}/bin/lxd lxd --syslog --group lxd";
+        serviceConfig.Type = "simple";
+        serviceConfig.KillMode = "process"; # when stopping, leave the containers alone
+      };
+
+    users.extraGroups.lxd.gid = config.ids.gids.lxd;
+
+    users.extraUsers.root = {
+      subUidRanges = [ { startUid = 1000000; count = 65536; } ];
+      subGidRanges = [ { startGid = 1000000; count = 65536; } ];
+    };
+
+  };
+
+}
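Review bot: The `virtualisation.lxd.enable` description says users in the "lxd" group can interact with the daemon, but not that this access is effectively root on the host: the unit sets no `User=`, so the daemon runs as root and acts on behalf of anyone who can reach it through the group. I would add a sentence to the description such as `Note that membership in the "lxd" group is effectively equivalent to being root.` Separately, `users.extraUsers.root` receives fixed `subUidRanges`/`subGidRanges` starting at 1000000 whenever the module is enabled. A comment stating that the range is for container id mapping and must not overlap ranges given to other users would help whoever edits it next.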
diff --git a/nixos/modules/virtualisation/nixos-container-completion.sh b/nixos/modules/virtualisation/nixos-container-completion.sh
new file mode 100644
index 000000000000..0fe8ab811a17
--- /dev/null
+++ b/nixos/modules/virtualisation/nixos-container-completion.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+_nixos-container() {
+    local cur prev opts
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    prev="${COMP_WORDS[COMP_CWORD-1]}"
+    opts="list create destroy start stop status update login root-login run show-ip show-host-key"
+    startstop_opts=$(nixos-container list)
+    update_opts="--config"
+
+    if [[ "$prev" == "nixos-container" ]]
+    then
+        COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+        return 0
+    fi
+
+    if [[ $(echo "$opts" | grep "$prev") ]]
+    then
+        if [[ "$prev" == "start" || "$prev" == "stop" ]]
+        then
+            COMPREPLY=( $(compgen -W "${startstop_opts}" -- ${cur}) )
+            return 0
+        elif [[ "$prev" == "update" ]]
+        then
+            COMPREPLY=( $(compgen -W "${update_opts}" -- ${cur}) )
+            return 0
+        fi
+    fi
+}
+
+complete -F _nixos-container nixos-container
+
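Review bot: `startstop_opts` and `update_opts` are assigned without being named in the `local` declaration, so every completion leaks them into the user's interactive shell, and `nixos-container list` runs on each Tab press even when the word being completed is not a container name. Declaring `local cur prev opts startstop_opts update_opts` and moving the `$(nixos-container list)` call into the `start`/`stop` branch fixes both. The `grep "$prev"` test treats the previous word as a pattern (and as an option when it starts with `-`); the exact `==` comparisons below it already make that test redundant, so it can be dropped.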
diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl
index f1d9e64ee38f..004385f728c6 100644
--- a/nixos/modules/virtualisation/nixos-container.pl
+++ b/nixos/modules/virtualisation/nixos-container.pl
@@ -290,7 +290,8 @@ elsif ($action eq "show-ip") {
 }
 
 elsif ($action eq "show-host-key") {
-    my $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub";
+    my $fn = "$root/etc/ssh/ssh_host_ed25519_key.pub";
+    $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub" unless -e $fn;
     exit 1 if ! -f $fn;
     print read_file($fn);
 }
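Review bot: The fallback on the added line tests `-e $fn` while the following line requires `-f $fn`, so an Ed25519 path that exists but is not a regular file skips the ECDSA fallback and the command exits 1. Using the same test in both places, `$fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub" unless -f $fn;`, keeps the checks consistent. Callers that pin the printed key now receive a different key type depending on what the container has generated, so a comment such as `# Prefer the Ed25519 host key; fall back to ECDSA if it has not been generated.` is worth adding. The failure path prints nothing; a message on STDERR before `exit 1` would tell the caller which file was missing. The `elsif` chain starts outside the hunk.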
diff --git a/nixos/modules/virtualisation/parallels-guest.nix b/nixos/modules/virtualisation/parallels-guest.nix
index 2f40283b3e1d..204ab0b0df67 100644
--- a/nixos/modules/virtualisation/parallels-guest.nix
+++ b/nixos/modules/virtualisation/parallels-guest.nix
@@ -17,7 +17,7 @@ in
         type = types.bool;
         default = false;
         description = ''
-          This enables Parallel Tools for Linux guests, along with provided
+          This enables Parallels Tools for Linux guests, along with provided
           video, mouse and other hardware drivers.
         '';
       };
diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix
index c1538feb9df5..2d3b4834fc5b 100644
--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@@ -101,7 +101,7 @@ in {
     system.build.virtualBoxOVA = pkgs.runCommand "virtualbox-ova"
       { buildInputs = [ pkgs.linuxPackages.virtualbox ];
         vmName = "NixOS ${config.system.nixosVersion} (${pkgs.stdenv.system})";
-        fileName = "nixos-${config.system.nixosVersion}-${pkgs.stdenv.system}.ova";
+        fileName = "nixos-image-${config.system.nixosVersion}-${pkgs.stdenv.system}.ova";
       }
       ''
         echo "creating VirtualBox VM..."
@@ -109,7 +109,8 @@ in {
         VBoxManage createvm --name "$vmName" --register \
           --ostype ${if pkgs.stdenv.system == "x86_64-linux" then "Linux26_64" else "Linux26"}
         VBoxManage modifyvm "$vmName" \
-          --memory 1536 --acpi on --vram 10 \
+          --memory 1536 --acpi on --vram 32 \
+          ${optionalString (pkgs.stdenv.system == "i686-linux") "--pae on"} \
           --nictype1 virtio --nic1 nat \
           --audiocontroller ac97 --audio alsa \
           --rtcuseutc on \
diff --git a/nixos/release.nix b/nixos/release.nix
index 2dbc35c7d7bf..4492ee4046ea 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -226,6 +226,7 @@ in rec {
   tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; });
   #tests.gitlab = callTest tests/gitlab.nix {};
   tests.gnome3 = callTest tests/gnome3.nix {};
+  tests.gnome3-gdm = callTest tests/gnome3-gdm.nix {};
   tests.i3wm = callTest tests/i3wm.nix {};
   tests.installer.grub1 = forAllSystems (system: hydraJob (import tests/installer.nix { inherit system; }).grub1.test);
   tests.installer.lvm = forAllSystems (system: hydraJob (import tests/installer.nix { inherit system; }).lvm.test);
diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix
index 3624131b364e..213dd4ca43b3 100644
--- a/nixos/tests/chromium.nix
+++ b/nixos/tests/chromium.nix
@@ -44,6 +44,8 @@ import ./make-test.nix (
           search --onlyvisible --name "startup done"
           windowfocus --sync
           windowactivate --sync
+        ''}");
+        $machine->execute("${xdo "new-window" ''
           key Ctrl+n
         ''}");
       });
@@ -55,6 +57,8 @@ import ./make-test.nix (
           search --onlyvisible --name "new tab"
           windowfocus --sync
           windowactivate --sync
+        ''}");
+        $machine->execute("${xdo "close-window" ''
           key Ctrl+w
         ''}");
         for (1..20) {
@@ -155,6 +159,8 @@ import ./make-test.nix (
           $machine->succeed("${xdo "submit-url" ''
             search --sync --onlyvisible --name "sandbox status"
             windowfocus --sync
+          ''}");
+          $machine->succeed("${xdo "submit-url" ''
             key --delay 1000 Ctrl+a Ctrl+c
           ''}");
 
diff --git a/nixos/tests/etcd.nix b/nixos/tests/etcd.nix
index 8a4e7fffce0e..bac4ec6a918b 100644
--- a/nixos/tests/etcd.nix
+++ b/nixos/tests/etcd.nix
@@ -82,7 +82,7 @@ import ./make-test.nix ({ pkgs, ... } : {
     subtest "single node", sub {
       $simple->start();
       $simple->waitForUnit("etcd.service");
-      $simple->succeed("etcdctl set /foo/bar 'Hello world'");
+      $simple->waitUntilSucceeds("etcdctl set /foo/bar 'Hello world'");
       $simple->waitUntilSucceeds("etcdctl get /foo/bar | grep 'Hello world'");
     };
 
@@ -91,7 +91,7 @@ import ./make-test.nix ({ pkgs, ... } : {
       $node2->start();
       $node1->waitForUnit("etcd.service");
       $node2->waitForUnit("etcd.service");
-      $node1->succeed("etcdctl set /foo/bar 'Hello world'");
+      $node1->waitUntilSucceeds("etcdctl set /foo/bar 'Hello world'");
       $node2->waitUntilSucceeds("etcdctl get /foo/bar | grep 'Hello world'");
       $node1->shutdown();
       $node2->shutdown();
@@ -104,7 +104,7 @@ import ./make-test.nix ({ pkgs, ... } : {
       $discovery2->start();
       $discovery1->waitForUnit("etcd.service");
       $discovery2->waitForUnit("etcd.service");
-      $discovery1->succeed("etcdctl set /foo/bar 'Hello world'");
+      $discovery1->waitUntilSucceeds("etcdctl set /foo/bar 'Hello world'");
       $discovery2->waitUntilSucceeds("etcdctl get /foo/bar | grep 'Hello world'");
     };
   '';
diff --git a/nixos/tests/gnome3-gdm.nix b/nixos/tests/gnome3-gdm.nix
new file mode 100644
index 000000000000..1c07ddf79c2e
--- /dev/null
+++ b/nixos/tests/gnome3-gdm.nix
@@ -0,0 +1,39 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "gnome3-gdm";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ lethalman ];
+  };
+
+  machine =
+    { config, pkgs, ... }:
+
+    { imports = [ ./common/user-account.nix ];
+
+      services.xserver.enable = true;
+
+      services.xserver.displayManager.gdm = {
+        enable = true;
+        autoLogin = {
+          enable = true;
+          user = "alice";
+        };
+      };
+      services.xserver.desktopManager.gnome3.enable = true;
+
+      virtualisation.memorySize = 512;
+    };
+
+  testScript =
+    ''
+      $machine->waitForX;
+      $machine->sleep(15);
+
+      # Check that logging in has given the user ownership of devices.
+      $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+
+      $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
+      $machine->waitForWindow(qr/Terminal/);
+      $machine->sleep(20);
+      $machine->screenshot("screen");
+    '';
+})
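Review bot: The device-ownership check in `testScript` runs after a fixed `$machine->sleep(15)`, so on a slow builder it can fire before the auto-login session has been granted the ACL and fail spuriously. Polling removes the dependence on timing: `$machine->waitUntilSucceeds("getfacl /dev/snd/timer | grep -q alice");`. `grep -q alice` also matches any output line containing that string; anchoring it to the ACL entry, `grep -q '^user:alice:'`, would make the assertion check what the comment above it claims.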
diff --git a/nixos/tests/logstash.nix b/nixos/tests/logstash.nix
index 317ea063e17c..edece352cafe 100644
--- a/nixos/tests/logstash.nix
+++ b/nixos/tests/logstash.nix
@@ -19,8 +19,8 @@ import ./make-test.nix ({ pkgs, ...} : {
                 exec { command => "echo dragons" interval => 1 type => "test" }
               '';
               filterConfig = ''
-                if [type] == "test" {
-                  grep { match => ["message", "flowers"] drop => true }
+                if [message] =~ /dragons/ {
+                  drop {}
                 }
               '';
               outputConfig = ''
diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix
index 83a8b2835dc2..1a5a6f7b5bbc 100644
--- a/nixos/tests/virtualbox.nix
+++ b/nixos/tests/virtualbox.nix
@@ -1,26 +1,41 @@
-import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
-
-  debug = false;
-
-  testVMConfig = vmName: attrs: { config, pkgs, ... }: {
-    boot.kernelParams = let
-      miniInit = ''
-        #!${pkgs.stdenv.shell} -xe
-        export PATH="${pkgs.coreutils}/bin:${pkgs.utillinux}/bin"
-
-        ${pkgs.linuxPackages.virtualboxGuestAdditions}/bin/VBoxService
-        ${(attrs.vmScript or (const "")) pkgs}
+{ debug ? false, ... } @ args:
 
-        i=0
-        while [ ! -e /mnt-root/shutdown ]; do
-          sleep 10
-          i=$(($i + 10))
-          [ $i -le 120 ] || fail
-        done
+import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
 
-        rm -f /mnt-root/boot-done /mnt-root/shutdown
-      '';
-    in [
+  testVMConfig = vmName: attrs: { config, pkgs, ... }: let
+    guestAdditions = pkgs.linuxPackages.virtualboxGuestAdditions;
+
+    miniInit = ''
+      #!${pkgs.stdenv.shell} -xe
+      export PATH="${pkgs.coreutils}/bin:${pkgs.utillinux}/bin"
+
+      mkdir -p /etc/dbus-1 /var/run/dbus
+      cat > /etc/passwd <<EOF
+      root:x:0:0::/root:/bin/false
+      messagebus:x:1:1::/var/run/dbus:/bin/false
+      EOF
+      cat > /etc/group <<EOF
+      root:x:0:
+      messagebus:x:1:
+      EOF
+      cp -v "${pkgs.dbus.daemon}/etc/dbus-1/system.conf" \
+        /etc/dbus-1/system.conf
+      "${pkgs.dbus.daemon}/bin/dbus-daemon" --fork --system
+
+      ${guestAdditions}/bin/VBoxService
+      ${(attrs.vmScript or (const "")) pkgs}
+
+      i=0
+      while [ ! -e /mnt-root/shutdown ]; do
+        sleep 10
+        i=$(($i + 10))
+        [ $i -le 120 ] || fail
+      done
+
+      rm -f /mnt-root/boot-done /mnt-root/shutdown
+    '';
+  in {
+    boot.kernelParams = [
       "console=tty0" "console=ttyS0" "ignore_loglevel"
       "boot.trace" "panic=1" "boot.panic_on_fail"
       "init=${pkgs.writeScript "mini-init.sh" miniInit}"
@@ -39,7 +54,7 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
     ];
 
     boot.initrd.extraUtilsCommands = ''
-      copy_bin_and_libs "${pkgs.linuxPackages.virtualboxGuestAdditions}/bin/mount.vboxsf"
+      copy_bin_and_libs "${guestAdditions}/bin/mount.vboxsf"
       copy_bin_and_libs "${pkgs.utillinux}/bin/unshare"
       ${(attrs.extraUtilsCommands or (const "")) pkgs}
     '';
@@ -156,30 +171,26 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
     ];
   in {
     machine = {
-      systemd.sockets = listToAttrs (singleton {
-        name = "vboxtestlog-${name}";
-        value = {
-          description = "VirtualBox Test Machine Log Socket";
-          wantedBy = [ "sockets.target" ];
-          before = [ "multi-user.target" ];
-          socketConfig.ListenStream = "/run/virtualbox-log-${name}.sock";
-          socketConfig.Accept = true;
-        };
-      });
-
-      systemd.services = listToAttrs (singleton {
-        name = "vboxtestlog-${name}@";
-        value = {
-          description = "VirtualBox Test Machine Log";
-          serviceConfig.StandardInput = "socket";
-          serviceConfig.StandardOutput = "syslog";
-          serviceConfig.SyslogIdentifier = "GUEST-${name}";
-          serviceConfig.ExecStart = "${pkgs.coreutils}/bin/cat";
-        };
-      });
+      systemd.sockets."vboxtestlog-${name}" = {
+        description = "VirtualBox Test Machine Log Socket For ${name}";
+        wantedBy = [ "sockets.target" ];
+        before = [ "multi-user.target" ];
+        socketConfig.ListenStream = "/run/virtualbox-log-${name}.sock";
+        socketConfig.Accept = true;
+      };
+
+      systemd.services."vboxtestlog-${name}@" = {
+        description = "VirtualBox Test Machine Log For ${name}";
+        serviceConfig.StandardInput = "socket";
+        serviceConfig.StandardOutput = "syslog";
+        serviceConfig.SyslogIdentifier = "GUEST-${name}";
+        serviceConfig.ExecStart = "${pkgs.coreutils}/bin/cat";
+      };
     };
 
     testSubs = ''
+      my ${"$" + name}_sharepath = '${sharePath}';
+
       sub checkRunning_${name} {
         my $cmd = 'VBoxManage list runningvms | grep -q "^\"${name}\""';
         my ($status, $out) = $machine->execute(ru $cmd);
@@ -286,9 +297,15 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
     echo "$otherIP reachable" | ${pkgs.netcat}/bin/netcat -clp 5678 || :
   '';
 
+  sysdDetectVirt = pkgs: ''
+    ${pkgs.systemd}/bin/systemd-detect-virt > /mnt-root/result
+  '';
+
   vboxVMs = mapAttrs createVM {
     simple = {};
 
+    detectvirt.vmScript = sysdDetectVirt;
+
     test1.vmFlags = hostonlyVMFlags;
     test1.vmScript = dhcpScript;
 
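Review bot: `sysdDetectVirt` runs `systemd-detect-virt` inside the mini-init script, which the first hunk of this file shows is started with `-xe`, and `systemd-detect-virt` exits non-zero when it detects no virtualisation. In that case the init script would stop before reaching the shutdown wait loop, and the subtest would presumably fail on a boot timeout rather than on the intended `die` that compares the result with "oracle". Following the `|| :` used by the script just above, `${pkgs.systemd}/bin/systemd-detect-virt > /mnt-root/result || :` lets the result file carry the unexpected value to the host-side check.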
@@ -307,7 +324,7 @@ in {
       mkVMConf = name: val: val.machine // { key = "${name}-config"; };
       vmConfigs = mapAttrsToList mkVMConf vboxVMs;
     in [ ./common/user-account.nix ./common/x11.nix ] ++ vmConfigs;
-    virtualisation.memorySize = 768;
+    virtualisation.memorySize = 1024;
     virtualisation.virtualbox.host.enable = true;
     users.extraUsers.alice.extraGroups = let
       inherit (config.virtualisation.virtualbox.host) enableHardening;
@@ -372,6 +389,18 @@ in {
 
     destroyVM_simple;
 
+    subtest "systemd-detect-virt", sub {
+      createVM_detectvirt;
+      vbm("startvm detectvirt");
+      waitForStartup_detectvirt;
+      waitForVMBoot_detectvirt;
+      shutdownVM_detectvirt;
+      my $result = $machine->succeed("cat '$detectvirt_sharepath/result'");
+      chomp $result;
+      die "systemd-detect-virt returned \"$result\" instead of \"oracle\""
+        if $result ne "oracle";
+    };
+
     subtest "net-hostonlyif", sub {
       createVM_test1;
       createVM_test2;
@@ -403,4 +432,4 @@ in {
       destroyVM_test2;
     };
   '';
-})
+}) args