diff options
author | Jörg Thalheim <joerg@higgsboson.tk> | 2016-10-03 19:26:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-03 19:26:44 +0200 |
commit | 888f6a1280370de4f8268e0bae8d4b49d4db4cbc (patch) | |
tree | 80bd6b2ddfc435bf19ce2061867a2d8c5622f653 /nixos | |
parent | 54867a040055813462156809a33a260d8bf60642 (diff) | |
parent | 2ad13953a45a54816b73632277dcdbeda063827e (diff) | |
download | nixlib-888f6a1280370de4f8268e0bae8d4b49d4db4cbc.tar nixlib-888f6a1280370de4f8268e0bae8d4b49d4db4cbc.tar.gz nixlib-888f6a1280370de4f8268e0bae8d4b49d4db4cbc.tar.bz2 nixlib-888f6a1280370de4f8268e0bae8d4b49d4db4cbc.tar.lz nixlib-888f6a1280370de4f8268e0bae8d4b49d4db4cbc.tar.xz nixlib-888f6a1280370de4f8268e0bae8d4b49d4db4cbc.tar.zst nixlib-888f6a1280370de4f8268e0bae8d4b49d4db4cbc.zip |
Merge pull request #19199 from wizeman/u/fix-help2man-hash
help2man: fix hash
Diffstat (limited to 'nixos')
62 files changed, 373 insertions, 220 deletions
diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index 952f62569c93..fdc782b0579e 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -29,6 +29,19 @@ in ''; }; + networking.hostConf = lib.mkOption { + type = types.lines; + default = "multi on"; + example = '' + multi on + reorder on + trim lan + ''; + description = '' + The contents of <filename>/etc/host.conf</filename>. See also <citerefentry><refentrytitle>host.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + ''; + }; + networking.dnsSingleRequest = lib.mkOption { type = types.bool; default = false; @@ -171,6 +184,9 @@ in ${cfg.extraHosts} ''; + # /etc/host.conf: resolver configuration file + "host.conf".text = cfg.hostConf; + # /etc/resolvconf.conf: Configuration for openresolv. "resolvconf.conf".text = '' diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix index d64cf2f283bf..e23e28aa25ef 100644 --- a/nixos/modules/i18n/input-method/ibus.nix +++ b/nixos/modules/i18n/input-method/ibus.nix @@ -17,7 +17,7 @@ let [Desktop Entry] Name=IBus Type=Application - Exec=${ibusPackage}/bin/ibus-daemon --daemonize --xim --cache=refresh + Exec=${ibusPackage}/bin/ibus-daemon --daemonize --xim ''; }; in diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fd42d335bb82..d1a786d8f629 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -473,6 +473,7 @@ ./services/system/uptimed.nix ./services/torrent/deluge.nix ./services/torrent/flexget.nix + ./services/torrent/opentracker.nix ./services/torrent/peerflix.nix ./services/torrent/transmission.nix ./services/ttys/agetty.nix diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index d81f63c2acca..5b7d94157454 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -84,6 +84,14 @@ in type = types.bool; }; + enableSyntaxHighlighting = mkOption { + default = false; + description = '' + Enable zsh-syntax-highlighting + ''; + type = types.bool; + }; + }; }; @@ -120,6 +128,10 @@ in ${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""} + ${optionalString (cfg.enableSyntaxHighlighting) + "source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" + } + HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help" ''; @@ -182,7 +194,8 @@ in environment.etc."zinputrc".source = ./zinputrc; environment.systemPackages = [ pkgs.zsh ] - ++ optional cfg.enableCompletion pkgs.nix-zsh-completions; + ++ optional cfg.enableCompletion pkgs.nix-zsh-completions + ++ optional cfg.enableSyntaxHighlighting pkgs.zsh-syntax-highlighting; environment.pathsToLink = optional cfg.enableCompletion "/share/zsh"; diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml index 28415e89bfab..37314bdba8a5 100644 --- a/nixos/modules/security/grsecurity.xml +++ b/nixos/modules/security/grsecurity.xml @@ -149,6 +149,10 @@ <listitem><para>Trusted path execution: a desirable feature, but requires some more work to operate smoothly on NixOS.</para></listitem> + + <listitem><para>Module hardening: would break user initiated module + loading. Might enable this at some point, depending on the potential + breakage.</para></listitem> </itemizedlist> </para></listitem> @@ -208,8 +212,6 @@ let kernel = pkgs.linux_grsec_nixos.override { extraConfig = '' - GRKERNSEC y - PAX y GRKERNSEC_CONFIG_AUTO y GRKERNSEC_CONFIG_SERVER y GRKERNSEC_CONFIG_SECURITY y diff --git a/nixos/modules/services/cluster/kubernetes.nix b/nixos/modules/services/cluster/kubernetes.nix index 42efde36678f..4bdd7f95f774 100644 --- a/nixos/modules/services/cluster/kubernetes.nix +++ b/nixos/modules/services/cluster/kubernetes.nix @@ -421,7 +421,7 @@ in { description = "Kubernetes Api Server"; wantedBy = [ "multi-user.target" ]; requires = ["kubernetes-setup.service"]; - after = [ "network-interfaces.target" "etcd.service" ]; + after = [ "network.target" "etcd.service" "kubernetes-setup.service" ]; serviceConfig = { ExecStart = let authorizationPolicyFile = @@ -468,7 +468,7 @@ in { systemd.services.kube-scheduler = { description = "Kubernetes Scheduler Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "kubernetes-apiserver.service" ]; + after = [ "network.target" "kubernetes-apiserver.service" ]; serviceConfig = { ExecStart = ''${cfg.package}/bin/kube-scheduler \ --address=${cfg.scheduler.address} \ @@ -487,7 +487,7 @@ in { systemd.services.kube-controller-manager = { description = "Kubernetes Controller Manager Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "kubernetes-apiserver.service" ]; + after = [ "network.target" "kubernetes-apiserver.service" ]; serviceConfig = { ExecStart = ''${cfg.package}/bin/kube-controller-manager \ --address=${cfg.controllerManager.address} \ @@ -511,7 +511,7 @@ in { description = "Kubernetes Kubelet Service"; wantedBy = [ "multi-user.target" ]; requires = ["kubernetes-setup.service"]; - after = [ "network-interfaces.target" "etcd.service" "docker.service" ]; + after = [ "network.target" "etcd.service" "docker.service" "kubernetes-setup.service" ]; path = [ pkgs.gitMinimal pkgs.openssh ]; script = '' export PATH="/bin:/sbin:/usr/bin:/usr/sbin:$PATH" @@ -542,7 +542,7 @@ in { systemd.services.kube-proxy = { description = "Kubernetes Proxy Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "etcd.service" ]; + after = [ "network.target" "etcd.service" ]; serviceConfig = { ExecStart = ''${cfg.package}/bin/kube-proxy \ --master=${cfg.proxy.master} \ diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index c98af617587d..b43b448ed7e1 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -377,7 +377,7 @@ in { systemd.services.cassandra = { description = "Cassandra Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = cassandraEnvironment; restartTriggers = [ cassandraConfFile cassandraLogFile cassandraRackFile ]; serviceConfig = { diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix index 11ea0e1b6b41..dd88624f406c 100644 --- a/nixos/modules/services/databases/influxdb.nix +++ b/nixos/modules/services/databases/influxdb.nix @@ -160,7 +160,7 @@ in systemd.services.influxdb = { description = "InfluxDB Server"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; serviceConfig = { ExecStart = ''${cfg.package}/bin/influxd -config "${configFile}"''; User = "${cfg.user}"; diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix index 41b960685906..146a604adb2f 100644 --- a/nixos/modules/services/databases/neo4j.nix +++ b/nixos/modules/services/databases/neo4j.nix @@ -123,7 +123,7 @@ in { systemd.services.neo4j = { description = "Neo4j Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = { NEO4J_INSTANCE = cfg.dataDir; }; serviceConfig = { ExecStart = "${cfg.package}/bin/neo4j console"; diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix index 88ce8b5a23fc..c856d3294c01 100644 --- a/nixos/modules/services/misc/apache-kafka.nix +++ b/nixos/modules/services/misc/apache-kafka.nix @@ -139,7 +139,7 @@ in { systemd.services.apache-kafka = { description = "Apache Kafka Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; serviceConfig = { ExecStart = '' ${pkgs.jre}/bin/java \ diff --git a/nixos/modules/services/misc/emby.nix b/nixos/modules/services/misc/emby.nix index fe872349f45e..9f290ed70c97 100644 --- a/nixos/modules/services/misc/emby.nix +++ b/nixos/modules/services/misc/emby.nix @@ -43,7 +43,7 @@ in User = cfg.user; Group = cfg.group; PermissionsStartOnly = "true"; - ExecStart = "${pkgs.mono}/bin/mono ${pkgs.emby}/bin/MediaBrowser.Server.Mono.exe"; + ExecStart = "${pkgs.emby}/bin/MediaBrowser.Server.Mono"; Restart = "on-failure"; }; }; diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix index d30cc5fd7e89..1de02d76ba0a 100644 --- a/nixos/modules/services/misc/etcd.nix +++ b/nixos/modules/services/misc/etcd.nix @@ -143,9 +143,9 @@ in { config = mkIf cfg.enable { systemd.services.etcd = { - description = "Etcd Daemon"; + description = "etcd key-value store"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = (filterAttrs (n: v: v != null) { ETCD_NAME = cfg.name; @@ -168,12 +168,18 @@ in { ETCD_INITIAL_CLUSTER_TOKEN = cfg.initialClusterToken; }) // (mapAttrs' (n: v: nameValuePair "ETCD_${n}" v) cfg.extraConf); + unitConfig = { + Documentation = "https://github.com/coreos/etcd"; + }; + serviceConfig = { Type = "notify"; ExecStart = "${pkgs.etcd.bin}/bin/etcd"; User = "etcd"; PermissionsStartOnly = true; + LimitNOFILE = 40000; }; + preStart = '' mkdir -m 0700 -p ${cfg.dataDir} if [ "$(id -u)" = 0 ]; then chown etcd ${cfg.dataDir}; fi diff --git a/nixos/modules/services/misc/folding-at-home.nix b/nixos/modules/services/misc/folding-at-home.nix index 4f09cbfdd79b..053e7e95635f 100644 --- a/nixos/modules/services/misc/folding-at-home.nix +++ b/nixos/modules/services/misc/folding-at-home.nix @@ -50,7 +50,7 @@ in { }; systemd.services.foldingathome = { - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' mkdir -m 0755 -p ${stateDir} diff --git a/nixos/modules/services/misc/mesos-master.nix b/nixos/modules/services/misc/mesos-master.nix index 497646b2b418..99583ebeebd5 100644 --- a/nixos/modules/services/misc/mesos-master.nix +++ b/nixos/modules/services/misc/mesos-master.nix @@ -80,7 +80,7 @@ in { systemd.services.mesos-master = { description = "Mesos Master"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; serviceConfig = { ExecStart = '' ${pkgs.mesos}/bin/mesos-master \ diff --git a/nixos/modules/services/misc/mesos-slave.nix b/nixos/modules/services/misc/mesos-slave.nix index 8c29734813a1..9ddecb6fe30c 100644 --- a/nixos/modules/services/misc/mesos-slave.nix +++ b/nixos/modules/services/misc/mesos-slave.nix @@ -105,7 +105,7 @@ in { systemd.services.mesos-slave = { description = "Mesos Slave"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment.MESOS_CONTAINERIZERS = concatStringsSep "," containerizers; serviceConfig = { ExecStart = '' diff --git a/nixos/modules/services/misc/svnserve.nix b/nixos/modules/services/misc/svnserve.nix index c74befac749d..04a6cd7bfa9b 100644 --- a/nixos/modules/services/misc/svnserve.nix +++ b/nixos/modules/services/misc/svnserve.nix @@ -35,7 +35,7 @@ in config = mkIf cfg.enable { systemd.services.svnserve = { - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = "mkdir -p ${cfg.svnBaseDir}"; script = "${pkgs.subversion.out}/bin/svnserve -r ${cfg.svnBaseDir} -d --foreground --pid-file=/var/run/svnserve.pid"; diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix index 4ce692b6f6a5..b7bca8b56b28 100644 --- a/nixos/modules/services/misc/zookeeper.nix +++ b/nixos/modules/services/misc/zookeeper.nix @@ -113,7 +113,7 @@ in { systemd.services.zookeeper = { description = "Zookeeper Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = { ZOOCFGDIR = configDir; }; serviceConfig = { ExecStart = '' diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index 08fc3f04dbfc..1de3320dc42c 100644 --- a/nixos/modules/services/monitoring/graphite.nix +++ b/nixos/modules/services/monitoring/graphite.nix @@ -387,7 +387,7 @@ in { systemd.services.carbonCache = let name = "carbon-cache"; in { description = "Graphite Data Storage Backend"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = carbonEnv; serviceConfig = { ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}"; @@ -410,7 +410,7 @@ in { enable = cfg.carbon.enableAggregator; description = "Carbon Data Aggregator"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = carbonEnv; serviceConfig = { ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}"; @@ -426,7 +426,7 @@ in { systemd.services.carbonRelay = let name = "carbon-relay"; in { description = "Carbon Data Relay"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = carbonEnv; serviceConfig = { ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}"; @@ -448,7 +448,7 @@ in { systemd.services.graphiteWeb = { description = "Graphite Web Interface"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; path = [ pkgs.perl ]; environment = { PYTHONPATH = let @@ -501,7 +501,7 @@ in { systemd.services.graphiteApi = { description = "Graphite Api Interface"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment = { PYTHONPATH = let aenv = pkgs.python.buildEnv.override { @@ -538,7 +538,7 @@ in { systemd.services.seyren = { description = "Graphite Alerting Dashboard"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "mongodb.service" ]; + after = [ "network.target" "mongodb.service" ]; environment = seyrenConfig; serviceConfig = { ExecStart = "${pkgs.seyren}/bin/seyren -httpPort ${toString cfg.seyren.port}"; @@ -561,7 +561,7 @@ in { systemd.services.graphitePager = { description = "Graphite Pager Alerting Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "redis.service" ]; + after = [ "network.target" "redis.service" ]; environment = { REDIS_URL = cfg.pager.redisUrl; GRAPHITE_URL = cfg.pager.graphiteUrl; diff --git a/nixos/modules/services/monitoring/monit.nix b/nixos/modules/services/monitoring/monit.nix index 704693969a35..e07ffd2e8b54 100644 --- a/nixos/modules/services/monitoring/monit.nix +++ b/nixos/modules/services/monitoring/monit.nix @@ -36,11 +36,16 @@ in ]; systemd.services.monit = { - description = "Monit system watcher"; - after = [ "network-interfaces.target" ]; + description = "Pro-active monitoring utility for unix systems"; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - script = "${pkgs.monit}/bin/monit -I -c /etc/monit.conf"; - serviceConfig.Restart = "always"; + serviceConfig = { + ExecStart = "${pkgs.monit}/bin/monit -I -c /etc/monit.conf"; + ExecStop = "${pkgs.monit}/bin/monit -c /etc/monit.conf quit"; + ExecReload = "${pkgs.monit}/bin/monit -c /etc/monit.conf reload"; + KillMode = "process"; + Restart = "always"; + }; }; }; } diff --git a/nixos/modules/services/monitoring/nagios.nix b/nixos/modules/services/monitoring/nagios.nix index f2f7710de9e7..4914c5db97d2 100644 --- a/nixos/modules/services/monitoring/nagios.nix +++ b/nixos/modules/services/monitoring/nagios.nix @@ -163,7 +163,7 @@ in description = "Nagios monitoring daemon"; path = [ pkgs.nagios ]; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; serviceConfig = { User = "nagios"; diff --git a/nixos/modules/services/network-filesystems/openafs-client/default.nix b/nixos/modules/services/network-filesystems/openafs-client/default.nix index 891f41c8dcdc..6f51e287910a 100644 --- a/nixos/modules/services/network-filesystems/openafs-client/default.nix +++ b/nixos/modules/services/network-filesystems/openafs-client/default.nix @@ -75,7 +75,7 @@ in systemd.services.afsd = { description = "AFS client"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; preStart = '' mkdir -p -m 0755 /afs diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index 08afafceff24..41d7128ec31e 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -145,8 +145,8 @@ in }; systemd.services.bind = { - description = "BIND name server job"; - after = [ "network-interfaces.target" ]; + description = "BIND Domain Name Server"; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' @@ -155,6 +155,7 @@ in ''; script = "${pkgs.bind.bin}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; + unitConfig.Documentation = "man:named(8)"; }; }; } diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index 0495b32c6fa8..cb00139c5f1c 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -208,9 +208,9 @@ in # networking.firewall.allowedUDPPorts = ... systemd.services.cjdns = { - description = "encrypted networking for everybody"; - wantedBy = [ "network.target" ]; - after = [ "networkSetup.service" "network-interfaces.target" ]; + description = "cjdns: routing engine designed for security, scalability, speed and ease of use"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; preStart = if cfg.confFile != "" then "" else '' [ -e /etc/cjdns.keys ] && source /etc/cjdns.keys diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index 4b0e90886510..87c0aa50a1ff 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -158,8 +158,8 @@ in { description = "DHCP Client"; wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; wants = [ "network.target" ]; - before = [ "network.target" ]; # Stopping dhcpcd during a reconfiguration is undesirable # because it brings down the network interfaces configured by diff --git a/nixos/modules/services/networking/gvpe.nix b/nixos/modules/services/networking/gvpe.nix index 27b64b5bb95f..3ef3548e0a08 100644 --- a/nixos/modules/services/networking/gvpe.nix +++ b/nixos/modules/services/networking/gvpe.nix @@ -105,7 +105,7 @@ in config = mkIf cfg.enable { systemd.services.gvpe = { description = "GNU Virtual Private Ethernet node"; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index a0cfc8f8fb94..08ba2fdb1646 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -171,7 +171,7 @@ in systemd.services = mkIf (!config.networking.firewall.enable) { nat = { description = "Network Address Translation"; wantedBy = [ "network.target" ]; - after = [ "network-interfaces.target" "systemd-modules-load.service" ]; + after = [ "network-pre.target" "systemd-modules-load.service" ]; path = [ pkgs.iptables ]; unitConfig.ConditionCapability = "CAP_NET_ADMIN"; diff --git a/nixos/modules/services/networking/oidentd.nix b/nixos/modules/services/networking/oidentd.nix index 651bb8e967cf..ba7acd879546 100644 --- a/nixos/modules/services/networking/oidentd.nix +++ b/nixos/modules/services/networking/oidentd.nix @@ -25,7 +25,7 @@ with lib; config = mkIf config.services.oidentd.enable { systemd.services.oidentd = { - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig.Type = "forking"; script = "${pkgs.oidentd}/sbin/oidentd -u oidentd -g nogroup" + diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix index 8ee86ea863e3..3fbf5a9f0227 100644 --- a/nixos/modules/services/networking/openvpn.nix +++ b/nixos/modules/services/networking/openvpn.nix @@ -56,7 +56,7 @@ let description = "OpenVPN instance ‘${name}’"; wantedBy = optional cfg.autoStart "multi-user.target"; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; path = [ pkgs.iptables pkgs.iproute pkgs.nettools ]; diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index e52c90227d3d..f9300fdabc57 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -50,7 +50,7 @@ in systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; script = "${pkgs.radicale}/bin/radicale -C ${confFile} -f"; serviceConfig.User = "radicale"; diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index 5e49efc3aa3a..16530078b978 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -63,7 +63,6 @@ in ]; systemd.services."softether-init" = { description = "SoftEther VPN services initial task"; - wantedBy = [ "network-interfaces.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = false; @@ -84,8 +83,9 @@ in (mkIf (cfg.vpnserver.enable) { systemd.services.vpnserver = { description = "SoftEther VPN Server"; - after = [ "softether-init.service" ]; - wantedBy = [ "network-interfaces.target" ]; + after = [ "softether-init.service" "network.target" ]; + wants = [ "softether-init.service" ]; + wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "forking"; ExecStart = "${pkg}/bin/vpnserver start"; @@ -104,8 +104,9 @@ in (mkIf (cfg.vpnbridge.enable) { systemd.services.vpnbridge = { description = "SoftEther VPN Bridge"; - after = [ "softether-init.service" ]; - wantedBy = [ "network-interfaces.target" ]; + after = [ "softether-init.service" "network.target" ]; + wants = [ "softether-init.service" ]; + wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "forking"; ExecStart = "${pkg}/bin/vpnbridge start"; @@ -124,8 +125,9 @@ in (mkIf (cfg.vpnclient.enable) { systemd.services.vpnclient = { description = "SoftEther VPN Client"; - after = [ "softether-init.service" ]; - wantedBy = [ "network-interfaces.target" ]; + after = [ "softether-init.service" "network.target" ]; + wants = [ "softether-init.service" ]; + wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "forking"; ExecStart = "${pkg}/bin/vpnclient start"; diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix index 661a6a524631..eca599afb33b 100644 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ b/nixos/modules/services/networking/ssh/lshd.nix @@ -120,7 +120,7 @@ in systemd.services.lshd = { description = "GNU lshd SSH2 daemon"; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 46ccf4ae62d5..3e9fae35847e 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -102,8 +102,8 @@ in }; permitRootLogin = mkOption { - default = "without-password"; - type = types.enum ["yes" "without-password" "forced-commands-only" "no"]; + default = "prohibit-password"; + type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"]; description = '' Whether the root user can login using ssh. ''; diff --git a/nixos/modules/services/networking/tcpcrypt.nix b/nixos/modules/services/networking/tcpcrypt.nix index 267653abce03..2f304165eb4b 100644 --- a/nixos/modules/services/networking/tcpcrypt.nix +++ b/nixos/modules/services/networking/tcpcrypt.nix @@ -39,7 +39,7 @@ in description = "tcpcrypt"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ]; diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index b751e9dad069..b26d30597b1f 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -151,8 +151,8 @@ in ("tinc.${network}") ({ description = "Tinc Daemon - ${network}"; - wantedBy = [ "network.target" ]; - after = [ "network-interfaces.target" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; path = [ data.package ]; restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ] ++ mapAttrsToList (host: _ : config.environment.etc."tinc/${network}/hosts/${host}".source) data.hosts; diff --git a/nixos/modules/services/networking/wicd.nix b/nixos/modules/services/networking/wicd.nix index 9e5a437b4856..03c6bd28aaba 100644 --- a/nixos/modules/services/networking/wicd.nix +++ b/nixos/modules/services/networking/wicd.nix @@ -26,7 +26,9 @@ with lib; environment.systemPackages = [pkgs.wicd]; systemd.services.wicd = { - after = [ "network-interfaces.target" ]; + after = [ "network-pre.target" ]; + before = [ "network.target" ]; + wants = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; script = "${pkgs.wicd}/sbin/wicd -f"; }; diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index de99ce4f0260..a344d7855463 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -128,9 +128,9 @@ in { in { description = "WPA Supplicant"; - after = [ "network-interfaces.target" ] ++ lib.concatMap deviceUnit ifaces; + after = [ "network.target" ] ++ lib.concatMap deviceUnit ifaces; requires = lib.concatMap deviceUnit ifaces; - wantedBy = [ "network.target" ]; + wantedBy = [ "network-online.target" ]; path = [ pkgs.wpa_supplicant ]; diff --git a/nixos/modules/services/networking/xinetd.nix b/nixos/modules/services/networking/xinetd.nix index b398f346b942..270122ee659c 100644 --- a/nixos/modules/services/networking/xinetd.nix +++ b/nixos/modules/services/networking/xinetd.nix @@ -143,7 +143,7 @@ in config = mkIf cfg.enable { systemd.services.xinetd = { description = "xinetd server"; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.xinetd ]; script = "xinetd -syslog daemon -dontfork -stayalive -f ${configFile}"; diff --git a/nixos/modules/services/networking/zerobin.nix b/nixos/modules/services/networking/zerobin.nix index 1c524602f8e9..274bbca53fa3 100644 --- a/nixos/modules/services/networking/zerobin.nix +++ b/nixos/modules/services/networking/zerobin.nix @@ -86,15 +86,15 @@ in systemd.services.zerobin = { enable = true; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${pkgs.pythonPackages.zerobin}/bin/zerobin ${cfg.listenAddress} ${toString cfg.listenPort} false ${cfg.user} ${cfg.group} ${zerobin_config}"; serviceConfig.PrivateTmp="yes"; serviceConfig.User = cfg.user; serviceConfig.Group = cfg.group; preStart = '' - mkdir -p ${cfg.dataDir} - chown ${cfg.user} ${cfg.dataDir} + mkdir -p ${cfg.dataDir} + chown ${cfg.user} ${cfg.dataDir} ''; }; }; diff --git a/nixos/modules/services/scheduling/chronos.nix b/nixos/modules/services/scheduling/chronos.nix index db1f0f5f00c9..6c39997fec88 100644 --- a/nixos/modules/services/scheduling/chronos.nix +++ b/nixos/modules/services/scheduling/chronos.nix @@ -41,7 +41,7 @@ in { systemd.services.chronos = { description = "Chronos Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "zookeeper.service" ]; + after = [ "network.target" "zookeeper.service" ]; serviceConfig = { ExecStart = "${pkgs.chronos}/bin/chronos --master ${cfg.master} --zk_hosts ${concatStringsSep "," cfg.zookeeperHosts} --http_port ${toString cfg.httpPort}"; diff --git a/nixos/modules/services/scheduling/marathon.nix b/nixos/modules/services/scheduling/marathon.nix index 4e837c62dc11..19c9a708f21f 100644 --- a/nixos/modules/services/scheduling/marathon.nix +++ b/nixos/modules/services/scheduling/marathon.nix @@ -83,7 +83,7 @@ in { description = "Marathon Service"; environment = cfg.environment; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "zookeeper.service" "mesos-master.service" "mesos-slave.service" ]; + after = [ "network.target" "zookeeper.service" "mesos-master.service" "mesos-slave.service" ]; serviceConfig = { ExecStart = "${pkgs.marathon}/bin/marathon --master ${cfg.master} --zk zk://${concatStringsSep "," cfg.zookeeperHosts}/marathon --http_port ${toString cfg.httpPort} ${concatStringsSep " " cfg.extraCmdLineOptions}"; diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index 9299aaac2f70..574f74d547a5 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -129,7 +129,7 @@ in { systemd.services.elasticsearch = { description = "Elasticsearch Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; path = [ pkgs.inetutils ]; environment = { ES_HOME = cfg.dataDir; diff --git a/nixos/modules/services/search/kibana.nix b/nixos/modules/services/search/kibana.nix index 033b8139d341..d377a6feeb8e 100644 --- a/nixos/modules/services/search/kibana.nix +++ b/nixos/modules/services/search/kibana.nix @@ -138,7 +138,7 @@ in { systemd.services.kibana = { description = "Kibana Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" "elasticsearch.service" ]; + after = [ "network.target" "elasticsearch.service" ]; environment = { BABEL_CACHE_PATH = "${cfg.dataDir}/.babelcache.json"; }; serviceConfig = { ExecStart = "${cfg.package}/bin/kibana --config ${cfgFile}"; diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 4c20392214fc..caa7d9d50812 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -510,7 +510,7 @@ in description = "OAuth2 Proxy"; path = [ cfg.package ]; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; serviceConfig = { User = "oauth2_proxy"; diff --git a/nixos/modules/services/torrent/opentracker.nix b/nixos/modules/services/torrent/opentracker.nix new file mode 100644 index 000000000000..d86b9fea2d79 --- /dev/null +++ b/nixos/modules/services/torrent/opentracker.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.opentracker; +in { + options.services.opentracker = { + enable = mkEnableOption "opentracker"; + + package = mkOption { + type = types.package; + description = '' + opentracker package to use + ''; + default = pkgs.opentracker; + }; + + extraOptions = mkOption { + type = types.separatedString " "; + description = '' + Configuration Arguments for opentracker + See https://erdgeist.org/arts/software/opentracker/ for all params + ''; + default = ""; + }; + }; + + config = lib.mkIf cfg.enable { + + systemd.services.opentracker = { + description = "opentracker server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + serviceConfig = { + ExecStart = "${cfg.package}/bin/opentracker ${cfg.extraOptions}"; + PrivateTmp = true; + WorkingDirectory = "/var/empty"; + # By default opentracker drops all privileges and runs in chroot after starting up as root. + }; + }; + }; +} + diff --git a/nixos/modules/services/torrent/peerflix.nix b/nixos/modules/services/torrent/peerflix.nix index 38fbd3b226cd..2e3dd9902d72 100644 --- a/nixos/modules/services/torrent/peerflix.nix +++ b/nixos/modules/services/torrent/peerflix.nix @@ -42,7 +42,7 @@ in { systemd.services.peerflix = { description = "Peerflix Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; environment.HOME = cfg.stateDir; preStart = '' diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix index 007c7669d8ac..2315c4729aec 100644 --- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix +++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix @@ -245,7 +245,6 @@ in chown ${serverInfo.serverConfig.user} ${config.wordpressUploads} # we should use systemd dependencies here - #waitForUnit("network-interfaces.target"); if [ ! -d ${serverInfo.fullConfig.services.mysql.dataDir}/${config.dbName} ]; then echo "Need to create the database '${config.dbName}' and grant permissions to user named '${config.dbUser}'." # Wait until MySQL is up diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix index fa6b4c0629d7..943415e08c64 100644 --- a/nixos/modules/services/web-servers/tomcat.nix +++ b/nixos/modules/services/web-servers/tomcat.nix @@ -139,7 +139,7 @@ in systemd.services.tomcat = { description = "Apache Tomcat server"; wantedBy = [ "multi-user.target" ]; - after = [ "network-interfaces.target" ]; + after = [ "network.target" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 1bd578424ee4..ec2f3a4f8bb1 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -149,6 +149,22 @@ in ''; }; + autoRepeatDelay = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Sets the autorepeat delay (length of time in milliseconds that a key must be depressed before autorepeat starts). + ''; + }; + + autoRepeatInterval = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Sets the autorepeat interval (length of time in milliseconds that should elapse between autorepeat-generated keystrokes). + ''; + }; + inputClassSections = mkOption { type = types.listOf types.lines; default = []; @@ -504,7 +520,6 @@ in environment = { - XKB_BINDIR = "${xorg.xkbcomp}/bin"; # Needed for the Xkb extension. XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime. LD_LIBRARY_PATH = concatStringsSep ":" ( [ "${xorg.libX11.out}/lib" "${xorg.libXext.out}/lib" "/run/opengl-driver/lib" ] @@ -536,7 +551,9 @@ in ] ++ optional (cfg.display != null) ":${toString cfg.display}" ++ optional (cfg.tty != null) "vt${toString cfg.tty}" ++ optional (cfg.dpi != null) "-dpi ${toString cfg.dpi}" - ++ optional (!cfg.enableTCP) "-nolisten tcp"; + ++ optional (!cfg.enableTCP) "-nolisten tcp" + ++ optional (cfg.autoRepeatDelay != null) "-ardelay ${toString cfg.autoRepeatDelay}" + ++ optional (cfg.autoRepeatInterval != null) "-arinterval ${toString cfg.autoRepeatInterval}"; services.xserver.modules = concatLists (catAttrs "modules" cfg.drivers) ++ diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index c703a3e083ba..515136c904c5 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -1,4 +1,4 @@ -#! @python@/bin/python +#! @python3@/bin/python3 import argparse import shutil import os @@ -13,29 +13,21 @@ def copy_if_not_exists(source, dest): if not os.path.exists(dest): shutil.copyfile(source, dest) -system_dir = lambda generation: "/nix/var/nix/profiles/system-%d-link" % (generation) +def system_dir(generation): + return "/nix/var/nix/profiles/system-%d-link" % (generation) -def write_entry(generation, kernel, initrd): - entry_file = "@efiSysMountPoint@/loader/entries/nixos-generation-%d.conf" % (generation) - generation_dir = os.readlink(system_dir(generation)) - tmp_path = "%s.tmp" % (entry_file) - kernel_params = "systemConfig=%s init=%s/init " % (generation_dir, generation_dir) - with open("%s/kernel-params" % (generation_dir)) as params_file: - kernel_params = kernel_params + params_file.read() - with open(tmp_path, 'w') as f: - print >> f, "title NixOS" - print >> f, "version Generation %d" % (generation) - if machine_id is not None: print >> f, "machine-id %s" % (machine_id) - print >> f, "linux %s" % (kernel) - print >> f, "initrd %s" % (initrd) - print >> f, "options %s" % (kernel_params) - os.rename(tmp_path, entry_file) +BOOT_ENTRY = """title NixOS +version Generation {generation} +linux {kernel} +initrd {initrd} +options {kernel_params} +""" def write_loader_conf(generation): with open("@efiSysMountPoint@/loader/loader.conf.tmp", 'w') as f: if "@timeout@" != "": - print >> f, "timeout @timeout@" - print >> f, "default nixos-generation-%d" % (generation) + f.write("timeout @timeout@\n") + f.write("default nixos-generation-%d\n" % generation) os.rename("@efiSysMountPoint@/loader/loader.conf.tmp", "@efiSysMountPoint@/loader/loader.conf") def copy_from_profile(generation, name, dry_run=False): @@ -47,10 +39,23 @@ def copy_from_profile(generation, name, dry_run=False): copy_if_not_exists(store_file_path, "@efiSysMountPoint@%s" % (efi_file_path)) return efi_file_path -def add_entry(generation): - efi_kernel_path = copy_from_profile(generation, "kernel") - efi_initrd_path = copy_from_profile(generation, "initrd") - write_entry(generation, efi_kernel_path, efi_initrd_path) +def write_entry(generation, machine_id): + kernel = copy_from_profile(generation, "kernel") + initrd = copy_from_profile(generation, "initrd") + entry_file = "@efiSysMountPoint@/loader/entries/nixos-generation-%d.conf" % (generation) + generation_dir = os.readlink(system_dir(generation)) + tmp_path = "%s.tmp" % (entry_file) + kernel_params = "systemConfig=%s init=%s/init " % (generation_dir, generation_dir) + with open("%s/kernel-params" % (generation_dir)) as params_file: + kernel_params = kernel_params + params_file.read() + with open(tmp_path, 'w') as f: + f.write(BOOT_ENTRY.format(generation=generation, + kernel=kernel, + initrd=initrd, + kernel_params=kernel_params)) + if machine_id is not None: + f.write("machine-id %s\n" % machine_id) + os.rename(tmp_path, entry_file) def mkdir_p(path): try: @@ -65,8 +70,8 @@ def get_generations(profile): "--list-generations", "-p", "/nix/var/nix/profiles/%s" % (profile), - "--option", "build-users-group", "" - ]) + "--option", "build-users-group", ""], + universal_newlines=True) gen_lines = gen_list.split('\n') gen_lines.pop() return [ int(line.split()[0]) for line in gen_lines ] @@ -89,33 +94,37 @@ def remove_old_entries(gens): if not path in known_paths: os.unlink(path) -parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files') -parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot') -args = parser.parse_args() +def main(): + parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files') + parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot') + args = parser.parse_args() -if os.getenv("NIXOS_INSTALL_GRUB") == "1": - warnings.warn("NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER", DeprecationWarning) - os.environ["NIXOS_INSTALL_BOOTLOADER"] = "1" + if os.getenv("NIXOS_INSTALL_GRUB") == "1": + warnings.warn("NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER", DeprecationWarning) + os.environ["NIXOS_INSTALL_BOOTLOADER"] = "1" -if os.getenv("NIXOS_INSTALL_BOOTLOADER") == "1": - if "@canTouchEfiVariables@" == "1": - subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "install"]) - else: - subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "--no-variables", "install"]) + if os.getenv("NIXOS_INSTALL_BOOTLOADER") == "1": + if "@canTouchEfiVariables@" == "1": + subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "install"]) + else: + subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "--no-variables", "install"]) -mkdir_p("@efiSysMountPoint@/efi/nixos") -mkdir_p("@efiSysMountPoint@/loader/entries") -try: - with open("/etc/machine-id") as machine_file: - machine_id = machine_file.readlines()[0] -except IOError as e: - if e.errno != errno.ENOENT: - raise - machine_id = None + mkdir_p("@efiSysMountPoint@/efi/nixos") + mkdir_p("@efiSysMountPoint@/loader/entries") + try: + with open("/etc/machine-id") as machine_file: + machine_id = machine_file.readlines()[0] + except IOError as e: + if e.errno != errno.ENOENT: + raise + machine_id = None + + gens = get_generations("system") + remove_old_entries(gens) + for gen in gens: + write_entry(gen, machine_id) + if os.readlink(system_dir(gen)) == args.default_config: + write_loader_conf(gen) -gens = get_generations("system") -remove_old_entries(gens) -for gen in gens: - add_entry(gen) - if os.readlink(system_dir(gen)) == args.default_config: - write_loader_conf(gen) +if __name__ == '__main__': + main() diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index a778a4f539c9..cc43fb8bab4c 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -12,7 +12,7 @@ let isExecutable = true; - inherit (pkgs) python; + inherit (pkgs) python3; systemd = config.systemd.package; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 2cf6a4cca9a4..8c139a94c0c8 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -296,35 +296,35 @@ let }; addressOptions = { - - addressConfig = mkOption { - default = {}; - example = { Address = "192.168.0.100/24"; }; - type = types.addCheck (types.attrsOf unitOption) checkAddress; - description = '' - Each attribute in this set specifies an option in the - <literal>[Address]</literal> section of the unit. See - <citerefentry><refentrytitle>systemd.network</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> for details. - ''; + options = { + addressConfig = mkOption { + default = {}; + example = { Address = "192.168.0.100/24"; }; + type = types.addCheck (types.attrsOf unitOption) checkAddress; + description = '' + Each attribute in this set specifies an option in the + <literal>[Address]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; }; - }; routeOptions = { - - routeConfig = mkOption { - default = {}; - example = { Gateway = "192.168.0.1"; }; - type = types.addCheck (types.attrsOf unitOption) checkRoute; - description = '' - Each attribute in this set specifies an option in the - <literal>[Route]</literal> section of the unit. See - <citerefentry><refentrytitle>systemd.network</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> for details. - ''; + options = { + routeConfig = mkOption { + default = {}; + example = { Gateway = "192.168.0.1"; }; + type = types.addCheck (types.attrsOf unitOption) checkRoute; + description = '' + Each attribute in this set specifies an option in the + <literal>[Route]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; }; - }; networkOptions = commonNetworkOptions // { @@ -471,7 +471,7 @@ let addresses = mkOption { default = [ ]; - type = with types; listOf (submodule [ addressOptions ]); + type = with types; listOf (submodule addressOptions); description = '' A list of address sections to be added to the unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle> @@ -481,7 +481,7 @@ let routes = mkOption { default = [ ]; - type = with types; listOf (submodule [ routeOptions ]); + type = with types; listOf (submodule routeOptions); description = '' A list of route sections to be added to the unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle> @@ -622,19 +622,19 @@ in systemd.network.links = mkOption { default = {}; - type = with types; attrsOf (submodule [ linkOptions ]); + type = with types; attrsOf (submodule [ { options = linkOptions; } ]); description = "Definition of systemd network links."; }; systemd.network.netdevs = mkOption { default = {}; - type = with types; attrsOf (submodule [ netdevOptions ]); + type = with types; attrsOf (submodule [ { options = netdevOptions; } ]); description = "Definition of systemd network devices."; }; systemd.network.networks = mkOption { default = {}; - type = with types; attrsOf (submodule [ networkOptions networkConfig ]); + type = with types; attrsOf (submodule [ { options = networkOptions; } networkConfig ]); description = "Definition of systemd networks."; }; @@ -667,7 +667,6 @@ in systemd.services.systemd-networkd = { wantedBy = [ "multi-user.target" ]; - before = [ "network-interfaces.target" ]; restartTriggers = [ config.environment.etc."systemd/network".source ]; }; diff --git a/nixos/modules/system/boot/systemd-lib.nix b/nixos/modules/system/boot/systemd-lib.nix index 2e93693cbfc8..997770b8beca 100644 --- a/nixos/modules/system/boot/systemd-lib.nix +++ b/nixos/modules/system/boot/systemd-lib.nix @@ -182,7 +182,7 @@ rec { mkdir -p $out/getty.target.wants/ ln -s ../autovt@tty1.service $out/getty.target.wants/ - ln -s ../local-fs.target ../remote-fs.target ../network.target \ + ln -s ../local-fs.target ../remote-fs.target \ ../nss-lookup.target ../nss-user-lookup.target ../swap.target \ $out/multi-user.target.wants/ ''} diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index d1b62e0fd4e4..6a8f20bab5b6 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -54,16 +54,22 @@ in networkSetup = { description = "Networking Setup"; - after = [ "network-interfaces.target" "network-pre.target" ]; - before = [ "network.target" ]; - wantedBy = [ "network.target" ]; + after = [ "network-pre.target" "systemd-udevd.service" "systemd-sysctl.service" ]; + before = [ "network.target" "shutdown.target" ]; + wants = [ "network.target" ]; + conflicts = [ "shutdown.target" ]; + wantedBy = [ "multi-user.target" ]; unitConfig.ConditionCapability = "CAP_NET_ADMIN"; path = [ pkgs.iproute ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + unitConfig.DefaultDependencies = false; script = '' @@ -108,8 +114,12 @@ in in nameValuePair "network-addresses-${i.name}" { description = "Address configuration of ${i.name}"; - wantedBy = [ "network-interfaces.target" ]; - before = [ "network-interfaces.target" ]; + wantedBy = [ "network-setup.service" ]; + # propagate stop and reload from network-setup + partOf = [ "network-setup.service" ]; + # order before network-setup because the routes that are configured + # there may need ip addresses configured + before = [ "network-setup.service" ]; bindsTo = [ (subsystemDevice i.name) ]; after = [ (subsystemDevice i.name) "network-pre.target" ]; serviceConfig.Type = "oneshot"; @@ -129,20 +139,11 @@ in echo "checking ip ${address}..." if out=$(ip addr add "${address}" dev "${i.name}" 2>&1); then echo "added ip ${address}..." - restart_network_setup=true elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then echo "failed to add ${address}" exit 1 fi - '') - + optionalString (ips != [ ]) - '' - if [ "$restart_network_setup" = "true" ]; then - # Ensure that the default gateway remains set. - # (Flushing this interface may have removed it.) - ${config.systemd.package}/bin/systemctl try-restart --no-block network-setup.service - fi - ''; + ''); preStop = flip concatMapStrings (ips) (ip: let address = "${ip.address}/${toString ip.prefixLength}"; @@ -156,10 +157,11 @@ in createTunDevice = i: nameValuePair "${i.name}-netdev" { description = "Virtual Network Interface ${i.name}"; - requires = [ "dev-net-tun.device" ]; + bindsTo = [ "dev-net-tun.device" ]; after = [ "dev-net-tun.device" "network-pre.target" ]; - wantedBy = [ "network.target" (subsystemDevice i.name) ]; - before = [ "network-interfaces.target" (subsystemDevice i.name) ]; + wantedBy = [ "network-setup.service" (subsystemDevice i.name) ]; + partOf = [ "network-setup.service" ]; + before = [ "network-setup.service" (subsystemDevice i.name) ]; path = [ pkgs.iproute ]; serviceConfig = { Type = "oneshot"; @@ -180,12 +182,12 @@ in deps = map subsystemDevice v.interfaces; in { description = "Bridge Interface ${n}"; - wantedBy = [ "network.target" (subsystemDevice n) ]; + wantedBy = [ "network-setup.service" (subsystemDevice n) ]; bindsTo = deps ++ optional v.rstp "mstpd.service"; - partOf = optional v.rstp "mstpd.service"; + partOf = [ "network-setup.service" ] ++ optional v.rstp "mstpd.service"; after = [ "network-pre.target" "mstpd.service" ] ++ deps ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces; - before = [ "network-interfaces.target" (subsystemDevice n) ]; + before = [ "network-setup.service" (subsystemDevice n) ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; @@ -222,11 +224,11 @@ in ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules; in { description = "Open vSwitch Interface ${n}"; - wantedBy = [ "network.target" "vswitchd.service" ] ++ deps; + wantedBy = [ "network-setup.service" "vswitchd.service" ] ++ deps; bindsTo = [ "vswitchd.service" (subsystemDevice n) ] ++ deps; - partOf = [ "vswitchd.service" ]; + partOf = [ "network-setup.service" "vswitchd.service" ]; after = [ "network-pre.target" "vswitchd.service" ] ++ deps; - before = [ "network-interfaces.target" ]; + before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute config.virtualisation.vswitch.package ]; @@ -254,11 +256,12 @@ in deps = map subsystemDevice v.interfaces; in { description = "Bond Interface ${n}"; - wantedBy = [ "network.target" (subsystemDevice n) ]; + wantedBy = [ "network-setup.service" (subsystemDevice n) ]; bindsTo = deps; + partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces; - before = [ "network-interfaces.target" (subsystemDevice n) ]; + before = [ "network-setup.service" (subsystemDevice n) ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute pkgs.gawk ]; @@ -291,10 +294,11 @@ in deps = [ (subsystemDevice v.interface) ]; in { description = "Vlan Interface ${n}"; - wantedBy = [ "network.target" (subsystemDevice n) ]; + wantedBy = [ "network-setup.service" (subsystemDevice n) ]; bindsTo = deps; + partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps; - before = [ "network-interfaces.target" (subsystemDevice n) ]; + before = [ "network-setup.service" (subsystemDevice n) ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; @@ -315,10 +319,11 @@ in deps = optional (v.dev != null) (subsystemDevice v.dev); in { description = "6-to-4 Tunnel Interface ${n}"; - wantedBy = [ "network.target" (subsystemDevice n) ]; + wantedBy = [ "network-setup.service" (subsystemDevice n) ]; bindsTo = deps; + partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps; - before = [ "network-interfaces.target" (subsystemDevice n) ]; + before = [ "network-setup.service" (subsystemDevice n) ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; @@ -342,10 +347,11 @@ in deps = [ (subsystemDevice v.interface) ]; in { description = "Vlan Interface ${n}"; - wantedBy = [ "network.target" (subsystemDevice n) ]; + wantedBy = [ "network-setup.service" (subsystemDevice n) ]; bindsTo = deps; + partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps; - before = [ "network-interfaces.target" (subsystemDevice n) ]; + before = [ "network-setup.service" (subsystemDevice n) ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 058e79b11f96..cac7e6b02eba 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -946,8 +946,10 @@ in ] ++ bridgeStp; + # The network-interfaces target is kept for backwards compatibility. + # New modules must NOT use it. systemd.targets."network-interfaces" = - { description = "All Network Interfaces"; + { description = "All Network Interfaces (deprecated)"; wantedBy = [ "network.target" ]; before = [ "network.target" ]; after = [ "network-pre.target" ]; diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index f9c3f2e53adc..17e69b311b48 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -138,7 +138,7 @@ let cfg = config.ec2; in # Allow root logins only using the SSH key that the user specified # at instance creation time. services.openssh.enable = true; - services.openssh.permitRootLogin = "without-password"; + services.openssh.permitRootLogin = "prohibit-password"; # Force getting the hostname from EC2. networking.hostName = mkDefault ""; diff --git a/nixos/modules/virtualisation/azure-common.nix b/nixos/modules/virtualisation/azure-common.nix index 70a3d752f6d1..5cd2304a2953 100644 --- a/nixos/modules/virtualisation/azure-common.nix +++ b/nixos/modules/virtualisation/azure-common.nix @@ -24,7 +24,7 @@ with lib; # Allow root logins only using the SSH key that the user specified # at instance creation time, ping client connections to avoid timeouts services.openssh.enable = true; - services.openssh.permitRootLogin = "without-password"; + services.openssh.permitRootLogin = "prohibit-password"; services.openssh.extraConfig = '' ClientAliveInterval 180 ''; diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix index e2905913b6c5..7f45f0f34f71 100644 --- a/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixos/modules/virtualisation/brightbox-image.nix @@ -103,7 +103,7 @@ in # Allow root logins only using the SSH key that the user specified # at instance creation time. services.openssh.enable = true; - services.openssh.permitRootLogin = "without-password"; + services.openssh.permitRootLogin = "prohibit-password"; # Force getting the hostname from Google Compute. networking.hostName = mkDefault ""; diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index b3055f49f9b2..5e1cfcdfc6fb 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -502,8 +502,7 @@ in }; allowedDevices = mkOption { - type = types.listOf types.optionSet; - options = [ allowedDeviceOpts ]; + type = with types; listOf (submodule allowedDeviceOpts); default = []; example = [ { node = "/dev/net/tun"; modifier = "rw"; } ]; description = '' diff --git a/nixos/modules/virtualisation/ec2-amis.nix b/nixos/modules/virtualisation/ec2-amis.nix index bdf6ed4dcd29..ffd1cbec3ce3 100644 --- a/nixos/modules/virtualisation/ec2-amis.nix +++ b/nixos/modules/virtualisation/ec2-amis.nix @@ -1,4 +1,4 @@ -{ +let self = { "14.04".ap-northeast-1.hvm-ebs = "ami-71c6f470"; "14.04".ap-northeast-1.pv-ebs = "ami-4dcbf84c"; "14.04".ap-northeast-1.pv-s3 = "ami-8fc4f68e"; @@ -134,4 +134,52 @@ "16.03".us-west-2.hvm-s3 = "ami-925c9ff2"; "16.03".us-west-2.pv-ebs = "ami-5e61a23e"; "16.03".us-west-2.pv-s3 = "ami-734c8f13"; -} + + # 16.09.666.3738950 + "16.09".ap-northeast-1.hvm-ebs = "ami-35578954"; + "16.09".ap-northeast-1.hvm-s3 = "ami-d6528cb7"; + "16.09".ap-northeast-1.pv-ebs = "ami-07548a66"; + "16.09".ap-northeast-1.pv-s3 = "ami-f1548a90"; + "16.09".ap-northeast-2.hvm-ebs = "ami-d48753ba"; + "16.09".ap-northeast-2.hvm-s3 = "ami-4c865222"; + "16.09".ap-northeast-2.pv-ebs = "ami-ca8551a4"; + "16.09".ap-northeast-2.pv-s3 = "ami-9c8551f2"; + "16.09".ap-south-1.hvm-ebs = "ami-922450fd"; + "16.09".ap-south-1.hvm-s3 = "ami-6d3a4e02"; + "16.09".ap-south-1.pv-ebs = "ami-4d394d22"; + "16.09".ap-south-1.pv-s3 = "ami-17384c78"; + "16.09".ap-southeast-1.hvm-ebs = "ami-f824809b"; + "16.09".ap-southeast-1.hvm-s3 = "ami-f924809a"; + "16.09".ap-southeast-1.pv-ebs = "ami-af2480cc"; + "16.09".ap-southeast-1.pv-s3 = "ami-5826823b"; + "16.09".ap-southeast-2.hvm-ebs = "ami-40fecd23"; + "16.09".ap-southeast-2.hvm-s3 = "ami-48fecd2b"; + "16.09".ap-southeast-2.pv-ebs = "ami-dffecdbc"; + "16.09".ap-southeast-2.pv-s3 = "ami-e0fccf83"; + "16.09".eu-central-1.hvm-ebs = "ami-1d8b7472"; + "16.09".eu-central-1.hvm-s3 = "ami-1c8b7473"; + "16.09".eu-central-1.pv-ebs = "ami-8c8d72e3"; + "16.09".eu-central-1.pv-s3 = "ami-3488775b"; + "16.09".eu-west-1.hvm-ebs = "ami-15662766"; + "16.09".eu-west-1.hvm-s3 = "ami-476b2a34"; + "16.09".eu-west-1.pv-ebs = "ami-876928f4"; + "16.09".eu-west-1.pv-s3 = "ami-70682903"; + "16.09".sa-east-1.hvm-ebs = "ami-27bc2e4b"; + "16.09".sa-east-1.hvm-s3 = "ami-e4b92b88"; + "16.09".sa-east-1.pv-ebs = "ami-4dbe2c21"; + "16.09".sa-east-1.pv-s3 = "ami-77fc6e1b"; + "16.09".us-east-1.hvm-ebs = "ami-93347684"; + "16.09".us-east-1.hvm-s3 = "ami-5e347649"; + "16.09".us-east-1.pv-ebs = "ami-b0387aa7"; + "16.09".us-east-1.pv-s3 = "ami-51357746"; + "16.09".us-west-1.hvm-ebs = "ami-06337a66"; + "16.09".us-west-1.hvm-s3 = "ami-76307916"; + "16.09".us-west-1.pv-ebs = "ami-fd327b9d"; + "16.09".us-west-1.pv-s3 = "ami-cc347dac"; + "16.09".us-west-2.hvm-ebs = "ami-49fe2729"; + "16.09".us-west-2.hvm-s3 = "ami-93fc25f3"; + "16.09".us-west-2.pv-ebs = "ami-14fe2774"; + "16.09".us-west-2.pv-s3 = "ami-74f12814"; + + latest = self."16.09"; +}; in self diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 489b612f1675..90dbd3b6d632 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -111,7 +111,7 @@ in # Allow root logins only using the SSH key that the user specified # at instance creation time. services.openssh.enable = true; - services.openssh.permitRootLogin = "without-password"; + services.openssh.permitRootLogin = "prohibit-password"; services.openssh.passwordAuthentication = mkDefault false; # Force getting the hostname from Google Compute. diff --git a/nixos/modules/virtualisation/nova-image.nix b/nixos/modules/virtualisation/nova-image.nix index 7971212b47c5..e253c77ebb4f 100644 --- a/nixos/modules/virtualisation/nova-image.nix +++ b/nixos/modules/virtualisation/nova-image.nix @@ -31,7 +31,7 @@ with lib; # Allow root logins services.openssh.enable = true; - services.openssh.permitRootLogin = "without-password"; + services.openssh.permitRootLogin = "prohibit-password"; # Put /tmp and /var on /ephemeral0, which has a lot more space. # Unfortunately we can't do this with the `fileSystems' option diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index d5a0a9b798f5..17d4a878d3a4 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -41,7 +41,6 @@ let machine.networking.useNetworkd = networkd; testScript = '' startAll; - $machine->waitForUnit("network-interfaces.target"); $machine->waitForUnit("network.target"); $machine->succeed("ip addr show lo | grep -q 'inet 127.0.0.1/8 '"); $machine->succeed("ip addr show lo | grep -q 'inet6 ::1/128 '"); @@ -71,9 +70,7 @@ let '' startAll; - $client->waitForUnit("network-interfaces.target"); $client->waitForUnit("network.target"); - $router->waitForUnit("network-interfaces.target"); $router->waitForUnit("network.target"); # Make sure dhcpcd is not started @@ -119,9 +116,7 @@ let '' startAll; - $client->waitForUnit("network-interfaces.target"); $client->waitForUnit("network.target"); - $router->waitForUnit("network-interfaces.target"); $router->waitForUnit("network.target"); # Wait until we have an ip address on each interface @@ -164,9 +159,7 @@ let startAll; # Wait for networking to come up - $client->waitForUnit("network-interfaces.target"); $client->waitForUnit("network.target"); - $router->waitForUnit("network-interfaces.target"); $router->waitForUnit("network.target"); # Wait until we have an ip address on each interface @@ -213,9 +206,7 @@ let startAll; # Wait for networking to come up - $client1->waitForUnit("network-interfaces.target"); $client1->waitForUnit("network.target"); - $client2->waitForUnit("network-interfaces.target"); $client2->waitForUnit("network.target"); # Test bonding @@ -259,11 +250,8 @@ let startAll; # Wait for networking to come up - $client1->waitForUnit("network-interfaces.target"); $client1->waitForUnit("network.target"); - $client2->waitForUnit("network-interfaces.target"); $client2->waitForUnit("network.target"); - $router->waitForUnit("network-interfaces.target"); $router->waitForUnit("network.target"); # Test bridging @@ -298,9 +286,7 @@ let startAll; # Wait for networking to come up - $client->waitForUnit("network-interfaces.target"); $client->waitForUnit("network.target"); - $router->waitForUnit("network-interfaces.target"); $router->waitForUnit("network.target"); # Wait until we have an ip address on each interface @@ -348,9 +334,7 @@ let startAll; # Wait for networking to be configured - $client1->waitForUnit("network-interfaces.target"); $client1->waitForUnit("network.target"); - $client2->waitForUnit("network-interfaces.target"); $client2->waitForUnit("network.target"); # Print diagnostic information @@ -391,9 +375,7 @@ let startAll; # Wait for networking to be configured - $client1->waitForUnit("network-interfaces.target"); $client1->waitForUnit("network.target"); - $client2->waitForUnit("network-interfaces.target"); $client2->waitForUnit("network.target"); # Test vlan is setup |