diff options
author | Peter Simons <simons@cryp.to> | 2014-08-08 09:51:01 +0200 |
---|---|---|
committer | Peter Simons <simons@cryp.to> | 2014-08-08 09:51:01 +0200 |
commit | 9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2 (patch) | |
tree | e61a7de75f426c942f91da2b0828149631d92957 /nixos | |
parent | 5c276c4f68125e7d53e0467a3e74969dbd05b51b (diff) | |
parent | bdf5f45356afd6f4289e5e1f497a48c3dc54b38c (diff) | |
download | nixlib-9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2.tar nixlib-9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2.tar.gz nixlib-9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2.tar.bz2 nixlib-9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2.tar.lz nixlib-9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2.tar.xz nixlib-9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2.tar.zst nixlib-9226fbf56a28bcc43ceb73773e12fa1e5c3edaa2.zip |
Merge remote-tracking branch 'origin/master' into staging.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/misc/ids.nix | 1 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/logging/logrotate.nix | 16 | ||||
-rw-r--r-- | nixos/modules/services/networking/unifi.nix | 88 | ||||
-rw-r--r-- | nixos/modules/services/security/fail2ban.nix | 17 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1-init.sh | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-2-init.sh | 2 | ||||
-rw-r--r-- | nixos/modules/testing/test-instrumentation.nix | 16 | ||||
-rw-r--r-- | nixos/modules/virtualisation/ec2-data.nix | 15 | ||||
-rw-r--r-- | nixos/modules/virtualisation/virtualbox-image.nix | 236 | ||||
-rw-r--r-- | nixos/release-combined.nix | 4 |
11 files changed, 268 insertions, 131 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 4ba81dadb315..853efcc09dc1 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -138,6 +138,7 @@ znc = 128; polipo = 129; mopidy = 130; + unifi = 131; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2cbda50ba29d..ea647b43c9d2 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -233,6 +233,7 @@ ./services/networking/teamspeak3.nix ./services/networking/tftpd.nix ./services/networking/unbound.nix + ./services/networking/unifi.nix ./services/networking/vsftpd.nix ./services/networking/wakeonlan.nix ./services/networking/websockify.nix diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index 804f9a0847ff..6887ab1e8052 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -8,10 +8,6 @@ let configFile = pkgs.writeText "logrotate.conf" cfg.config; - cronJob = '' - 5 * * * * root ${pkgs.logrotate}/sbin/logrotate ${configFile} - ''; - in { options = { @@ -33,6 +29,16 @@ in }; config = mkIf cfg.enable { - services.cron.systemCronJobs = [ cronJob ]; + systemd.services.logrotate = { + description = "Logrotate Service"; + wantedBy = [ "multi-user.target" ]; + startAt = "*-*-* *:05:00"; + + serviceConfig.Restart = "no"; + serviceConfig.User = "root"; + script = '' + exec ${pkgs.logrotate}/sbin/logrotate ${configFile} + ''; + }; }; } diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix new file mode 100644 index 000000000000..634f760328f7 --- /dev/null +++ b/nixos/modules/services/networking/unifi.nix @@ -0,0 +1,88 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.unifi; + stateDir = "/var/lib/unifi"; + cmd = "@${pkgs.icedtea7_jre}/bin/java java -jar ${stateDir}/lib/ace.jar"; +in +{ + + options = { + + services.unifi.enable = mkOption { + type = types.uniq types.bool; + default = false; + description = '' + Whether or not to enable the unifi controller service. + ''; + }; + + }; + + config = mkIf cfg.enable { + + users.extraUsers.unifi = { + uid = config.ids.uids.unifi; + description = "UniFi controller daemon user"; + home = "${stateDir}"; + }; + + # We must create the binary directories as bind mounts instead of symlinks + # This is because the controller resolves all symlinks to absolute paths + # to be used as the working directory. + systemd.mounts = map ({ what, where }: { + bindsTo = [ "unifi.service" ]; + requiredBy = [ "unifi.service" ]; + before = [ "unifi.service" ]; + options = "bind"; + what = what; + where = where; + }) [ + { + what = "${pkgs.unifi}/dl"; + where = "${stateDir}/dl"; + } + { + what = "${pkgs.unifi}/lib"; + where = "${stateDir}/lib"; + } + { + what = "${pkgs.mongodb}/bin"; + where = "${stateDir}/bin"; + } + ]; + + systemd.services.unifi = { + description = "UniFi controller daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = '' + # Ensure privacy of state + chown unifi "${stateDir}" + chmod 0700 "${stateDir}" + + # Create the volatile webapps + mkdir -p "${stateDir}/webapps" + chown unifi "${stateDir}/webapps" + ln -s "${pkgs.unifi}/webapps/ROOT.war" "${stateDir}/webapps/ROOT.war" + ''; + + postStop = '' + rm "${stateDir}/webapps/ROOT.war" + ''; + + serviceConfig = { + Type = "simple"; + ExecStart = "${cmd} start"; + ExecStop = "${cmd} stop"; + User = "unifi"; + PermissionsStartOnly = true; + UMask = "0077"; + WorkingDirectory = "${stateDir}"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index af5450166379..3758652ebddf 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -25,12 +25,17 @@ in options = { services.fail2ban = { + enable = mkOption { + default = false; + type = types.bool; + description = "Whether to enable the fail2ban service."; + }; daemonConfig = mkOption { default = '' [Definition] - loglevel = 3 + loglevel = INFO logtarget = SYSLOG socket = /run/fail2ban/fail2ban.sock pidfile = /run/fail2ban/fail2ban.pid @@ -80,7 +85,7 @@ in ###### implementation - config = { + config = mkIf cfg.enable { environment.systemPackages = [ pkgs.fail2ban ]; @@ -101,12 +106,13 @@ in preStart = '' mkdir -p /run/fail2ban -m 0755 + mkdir -p /var/lib/fail2ban ''; serviceConfig = { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f"; ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/run /var/tmp"; + ReadWriteDirectories = "/run /var/tmp /var/lib"; CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; }; @@ -131,15 +137,14 @@ in bantime = 600 findtime = 600 maxretry = 3 - backend = auto - ''; + backend = systemd + ''; # Block SSH if there are too many failing connection attempts. services.fail2ban.jails.ssh-iptables = '' filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] - logpath = /var/log/warn maxretry = 5 ''; diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 1b51c11e351a..73fc6ce543cf 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -194,6 +194,9 @@ checkFS() { # Don't check ROM filesystems. if [ "$fsType" = iso9660 -o "$fsType" = udf ]; then return 0; fi + # Don't check resilient COWs as they validate the fs structures at mount time + if [ "$fsType" = btrfs -o "$fsType" = zfs ]; then return 0; fi + # If we couldn't figure out the FS type, then skip fsck. if [ "$fsType" = auto ]; then echo 'cannot check filesystem with type "auto"!' diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index bfc3c9b5da39..fcefdfa88a36 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -180,4 +180,4 @@ echo "starting systemd..." PATH=/run/current-system/systemd/lib/systemd \ MODULE_DIR=/run/booted-system/kernel-modules/lib/modules \ LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive \ - exec systemd --log-target=journal # --log-level=debug --log-target=console --crash-shell + exec systemd diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 9100a433cd63..54a376c9560e 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -66,13 +66,22 @@ let kernel = config.boot.kernelPackages.kernel; in # Panic if an error occurs in stage 1 (rather than waiting for # user intervention). boot.kernelParams = - [ "console=tty1" "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; + [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; # `xwininfo' is used by the test driver to query open windows. environment.systemPackages = [ pkgs.xorg.xwininfo ]; # Log everything to the serial console. - services.journald.console = "/dev/console"; + services.journald.extraConfig = + '' + ForwardToConsole=yes + MaxLevelConsole=debug + ''; + + # Don't clobber the console with duplicate systemd messages. + systemd.extraConfig = "ShowStatus=no"; + + boot.consoleLogLevel = 7; # Prevent tests from accessing the Internet. networking.defaultGateway = mkOverride 150 ""; @@ -88,6 +97,9 @@ let kernel = config.boot.kernelPackages.kernel; in networking.usePredictableInterfaceNames = false; + # Make it easy to log in as root when running the test interactively. + security.initialRootPassword = mkDefault ""; + }; } diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index 246d35065317..93a83a3e42af 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -22,21 +22,22 @@ with lib; systemd.services."fetch-ec2-data" = { description = "Fetch EC2 Data"; - wantedBy = [ "multi-user.target" ]; + wantedBy = [ "multi-user.target" "sshd.service" ]; before = [ "sshd.service" ]; - after = [ "network.target" ]; + wants = [ "ip-up.target" ]; + after = [ "ip-up.target" ]; - path = [ pkgs.curl pkgs.iproute ]; + path = [ pkgs.wget pkgs.iproute ]; script = '' ip route del blackhole 169.254.169.254/32 || true - curl="curl --retry 3 --retry-delay 0 --fail" + wget="wget -q --retry-connrefused -O -" echo "setting host name..." ${optionalString (config.networking.hostName == "") '' - ${pkgs.nettools}/bin/hostname $($curl http://169.254.169.254/1.0/meta-data/hostname) + ${pkgs.nettools}/bin/hostname $($wget http://169.254.169.254/1.0/meta-data/hostname) ''} # Don't download the SSH key if it has already been injected @@ -44,7 +45,7 @@ with lib; if ! [ -e /root/.ssh/authorized_keys ]; then echo "obtaining SSH key..." mkdir -p /root/.ssh - $curl -o /root/key.pub http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key + $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub if [ $? -eq 0 -a -e /root/key.pub ]; then if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then cat /root/key.pub >> /root/.ssh/authorized_keys @@ -58,7 +59,7 @@ with lib; # Extract the intended SSH host key for this machine from # the supplied user data, if available. Otherwise sshd will # generate one normally. - $curl http://169.254.169.254/2011-01-01/user-data > /root/user-data || true + $wget http://169.254.169.254/2011-01-01/user-data > /root/user-data || true key="$(sed 's/|/\n/g; s/SSH_HOST_DSA_KEY://; t; d' /root/user-data)" key_pub="$(sed 's/SSH_HOST_DSA_KEY_PUB://; t; d' /root/user-data)" if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_dsa_key ]; then diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index 2e30f4c62f97..106b269d9e1f 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -2,112 +2,132 @@ with lib; -{ - system.build.virtualBoxImage = - pkgs.vmTools.runInLinuxVM ( - pkgs.runCommand "virtualbox-image" - { memSize = 768; - preVM = - '' - mkdir $out - diskImage=$out/image - ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "10G" - mv closure xchg/ - ''; - postVM = - '' - echo "creating VirtualBox disk image..." - ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vdi $diskImage $out/disk.vdi - rm $diskImage - ''; - buildInputs = [ pkgs.utillinux pkgs.perl ]; - exportReferencesGraph = - [ "closure" config.system.build.toplevel ]; - } - '' - # Create a single / partition. - ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos - ${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s - . /sys/class/block/vda1/uevent - mknod /dev/vda1 b $MAJOR $MINOR - - # Create an empty filesystem and mount it. - ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1 - ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1 - mkdir /mnt - mount /dev/vda1 /mnt - - # The initrd expects these directories to exist. - mkdir /mnt/dev /mnt/proc /mnt/sys - mount --bind /proc /mnt/proc - mount --bind /dev /mnt/dev - mount --bind /sys /mnt/sys - - # Copy all paths in the closure to the filesystem. - storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure) - - echo "filling Nix store..." - mkdir -p /mnt/nix/store - set -f - cp -prd $storePaths /mnt/nix/store/ - - mkdir -p /mnt/etc/nix - echo 'build-users-group = ' > /mnt/etc/nix/nix.conf - - # Register the paths in the Nix database. - printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db - - # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ - -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} - - # `nixos-rebuild' requires an /etc/NIXOS. - mkdir -p /mnt/etc/nixos - touch /mnt/etc/NIXOS - - # `switch-to-configuration' requires a /bin/sh - mkdir -p /mnt/bin - ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh - - # Generate the GRUB menu. - ln -s vda /dev/sda - chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot - - umount /mnt/proc /mnt/dev /mnt/sys - umount /mnt - '' - ); - - system.build.virtualBoxOVA = pkgs.runCommand "virtualbox-ova" - { buildInputs = [ pkgs.linuxPackages.virtualbox ]; - vmName = "NixOS ${config.system.nixosVersion} (${pkgs.stdenv.system})"; - fileName = "nixos-${config.system.nixosVersion}-${pkgs.stdenv.system}.ova"; - } - '' - echo "creating VirtualBox VM..." - export HOME=$PWD - VBoxManage createvm --name "$vmName" --register \ - --ostype ${if pkgs.stdenv.system == "x86_64-linux" then "Linux26_64" else "Linux26"} - VBoxManage modifyvm "$vmName" \ - --memory 1536 --acpi on --vram 10 \ - --nictype1 virtio --nic1 nat \ - --audiocontroller ac97 --audio alsa \ - --rtcuseutc on \ - --usb on --mouse usbtablet - VBoxManage storagectl "$vmName" --name SATA --add sata --portcount 4 --bootable on --hostiocache on - VBoxManage storageattach "$vmName" --storagectl SATA --port 0 --device 0 --type hdd \ - --medium ${config.system.build.virtualBoxImage}/disk.vdi - - echo "exporting VirtualBox VM..." - mkdir -p $out - VBoxManage export "$vmName" --output "$out/$fileName" - ''; - - fileSystems."/".device = "/dev/disk/by-label/nixos"; - - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/sda"; - - services.virtualbox.enable = true; +let + + cfg = config.virtualbox; + +in { + + options = { + virtualbox = { + baseImageSize = mkOption { + type = types.str; + default = "10G"; + description = '' + The size of the VirtualBox base image. The size string should be on + a format the qemu-img command accepts. + ''; + }; + }; + }; + + config = { + system.build.virtualBoxImage = + pkgs.vmTools.runInLinuxVM ( + pkgs.runCommand "virtualbox-image" + { memSize = 768; + preVM = + '' + mkdir $out + diskImage=$out/image + ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "${cfg.baseImageSize}" + mv closure xchg/ + ''; + postVM = + '' + echo "creating VirtualBox disk image..." + ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vdi $diskImage $out/disk.vdi + rm $diskImage + ''; + buildInputs = [ pkgs.utillinux pkgs.perl ]; + exportReferencesGraph = + [ "closure" config.system.build.toplevel ]; + } + '' + # Create a single / partition. + ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos + ${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s + . /sys/class/block/vda1/uevent + mknod /dev/vda1 b $MAJOR $MINOR + + # Create an empty filesystem and mount it. + ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1 + ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1 + mkdir /mnt + mount /dev/vda1 /mnt + + # The initrd expects these directories to exist. + mkdir /mnt/dev /mnt/proc /mnt/sys + mount --bind /proc /mnt/proc + mount --bind /dev /mnt/dev + mount --bind /sys /mnt/sys + + # Copy all paths in the closure to the filesystem. + storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure) + + echo "filling Nix store..." + mkdir -p /mnt/nix/store + set -f + cp -prd $storePaths /mnt/nix/store/ + + mkdir -p /mnt/etc/nix + echo 'build-users-group = ' > /mnt/etc/nix/nix.conf + + # Register the paths in the Nix database. + printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ + chroot /mnt ${config.nix.package}/bin/nix-store --load-db + + # Create the system profile to allow nixos-rebuild to work. + chroot /mnt ${config.nix.package}/bin/nix-env \ + -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} + + # `nixos-rebuild' requires an /etc/NIXOS. + mkdir -p /mnt/etc/nixos + touch /mnt/etc/NIXOS + + # `switch-to-configuration' requires a /bin/sh + mkdir -p /mnt/bin + ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh + + # Generate the GRUB menu. + ln -s vda /dev/sda + chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot + + umount /mnt/proc /mnt/dev /mnt/sys + umount /mnt + '' + ); + + system.build.virtualBoxOVA = pkgs.runCommand "virtualbox-ova" + { buildInputs = [ pkgs.linuxPackages.virtualbox ]; + vmName = "NixOS ${config.system.nixosVersion} (${pkgs.stdenv.system})"; + fileName = "nixos-${config.system.nixosVersion}-${pkgs.stdenv.system}.ova"; + } + '' + echo "creating VirtualBox VM..." + export HOME=$PWD + VBoxManage createvm --name "$vmName" --register \ + --ostype ${if pkgs.stdenv.system == "x86_64-linux" then "Linux26_64" else "Linux26"} + VBoxManage modifyvm "$vmName" \ + --memory 1536 --acpi on --vram 10 \ + --nictype1 virtio --nic1 nat \ + --audiocontroller ac97 --audio alsa \ + --rtcuseutc on \ + --usb on --mouse usbtablet + VBoxManage storagectl "$vmName" --name SATA --add sata --portcount 4 --bootable on --hostiocache on + VBoxManage storageattach "$vmName" --storagectl SATA --port 0 --device 0 --type hdd \ + --medium ${config.system.build.virtualBoxImage}/disk.vdi + + echo "exporting VirtualBox VM..." + mkdir -p $out + VBoxManage export "$vmName" --output "$out/$fileName" + ''; + + fileSystems."/".device = "/dev/disk/by-label/nixos"; + + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + + services.virtualbox.enable = true; + }; } diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index f59f71b0d6f8..dae3b9210a86 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -42,8 +42,8 @@ in rec { (all nixos.iso_graphical) (all nixos.ova) - # (all nixos.tests.efi-installer.simple) - (all nixos.tests.containers) + #(all nixos.tests.efi-installer.simple) + #(all nixos.tests.containers) (all nixos.tests.firefox) (all nixos.tests.firewall) (all nixos.tests.gnome3) |