authorVladimír Čunát <vcunat@gmail.com>2018-03-03 18:02:35 +0100
committerVladimír Čunát <vcunat@gmail.com>2018-03-03 18:02:35 +0100
commitb70c93f211819f5d4475569093f75d0c1e8857d6 (patch)
treeb8514b9488e8bf739db9e5dbdf32cc270d27b127 /nixos
parentceb0a28e8c2d3f3bd0f57dda74f185a570522ecf (diff)
parentac3b53707c7edf238b297ba4ce3799cecf2ee72d (diff)
Merge branch 'master' into nix-2.0
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1803.xml78
-rw-r--r--nixos/modules/config/no-x-libs.nix14
-rw-r--r--nixos/modules/hardware/all-firmware.nix3
-rw-r--r--nixos/modules/hardware/digitalbitbox.nix30
-rw-r--r--nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix2
-rw-r--r--nixos/modules/installer/tools/nixos-generate-config.pl4
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/misc/label.nix4
-rw-r--r--nixos/modules/misc/nixpkgs.nix2
-rw-r--r--nixos/modules/module-list.nix6
-rw-r--r--nixos/modules/programs/bash/bash.nix3
-rw-r--r--nixos/modules/programs/browserpass.nix1
-rw-r--r--nixos/modules/programs/chromium.nix8
-rw-r--r--nixos/modules/programs/dconf.nix2
-rw-r--r--nixos/modules/programs/digitalbitbox/default.nix39
-rw-r--r--nixos/modules/programs/digitalbitbox/doc.xml85
-rw-r--r--nixos/modules/programs/udevil.nix14
-rw-r--r--nixos/modules/rename.nix6
-rw-r--r--nixos/modules/security/pam.nix4
-rw-r--r--nixos/modules/services/audio/alsa.nix2
-rw-r--r--nixos/modules/services/continuous-integration/jenkins/default.nix2
-rw-r--r--nixos/modules/services/databases/mysql.nix6
-rw-r--r--nixos/modules/services/databases/postgresql.nix2
-rw-r--r--nixos/modules/services/desktops/gnome3/at-spi2-core.nix6
-rw-r--r--nixos/modules/services/desktops/gnome3/evolution-data-server.nix6
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-keyring.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix6
-rw-r--r--nixos/modules/services/desktops/telepathy.nix4
-rw-r--r--nixos/modules/services/hardware/acpid.nix8
-rw-r--r--nixos/modules/services/hardware/fwupd.nix6
-rw-r--r--nixos/modules/services/misc/disnix.nix14
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix24
-rw-r--r--nixos/modules/services/monitoring/grafana.nix2
-rw-r--r--nixos/modules/services/network-filesystems/ceph.nix371
-rw-r--r--nixos/modules/services/networking/networkmanager.nix23
-rw-r--r--nixos/modules/services/networking/softether.nix33
-rw-r--r--nixos/modules/services/networking/strongswan.nix23
-rw-r--r--nixos/modules/services/networking/syncthing.nix30
-rw-r--r--nixos/modules/services/networking/tinc.nix2
-rw-r--r--nixos/modules/services/networking/tox-bootstrapd.nix2
-rw-r--r--nixos/modules/services/security/usbguard.nix2
-rw-r--r--nixos/modules/services/web-apps/matomo-doc.xml (renamed from nixos/modules/services/web-apps/piwik-doc.xml)42
-rw-r--r--nixos/modules/services/web-apps/matomo.nix (renamed from nixos/modules/services/web-apps/piwik.nix)75
-rw-r--r--nixos/modules/services/x11/desktop-managers/enlightenment.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome3.nix20
-rw-r--r--nixos/modules/services/x11/desktop-managers/mate.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/plasma5.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/xfce.nix6
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix10
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix4
-rw-r--r--nixos/modules/services/x11/xautolock.nix28
-rw-r--r--nixos/modules/system/boot/initrd-ssh.nix2
-rw-r--r--nixos/modules/system/boot/loader/grub/grub.nix10
-rw-r--r--nixos/modules/system/boot/luksroot.nix9
-rw-r--r--nixos/modules/system/boot/networkd.nix6
-rw-r--r--nixos/release.nix7
-rw-r--r--nixos/tests/ceph.nix140
-rw-r--r--nixos/tests/nix-ssh-serve.nix39
-rw-r--r--nixos/tests/openssh.nix17
-rw-r--r--nixos/tests/postgis.nix2
-rw-r--r--nixos/tests/ssh-keys.nix15
-rw-r--r--nixos/tests/systemd.nix66
63 files changed, 1165 insertions, 228 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
index ce58c4dc95b0..d5150d25d375 100644
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -20,6 +20,18 @@ has the following highlights: </para>
 <itemizedlist>
   <listitem>
     <para>
+      Linux kernel defaults to the 4.14 branch (it was 4.9).
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      GCC defaults to 7.x (it was 6.x).
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
       MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes
       have been made to the infrastructure involved:
       <itemizedlist>
@@ -82,6 +94,11 @@ following incompatible changes:</para>
 <itemizedlist>
   <listitem>
     <para>
+      <literal>sound.enable</literal> now defaults to false.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
       Dollar signs in options under <option>services.postfix</option> are
       passed verbatim to Postfix, which will interpret them as the beginning of
       a parameter expression. This was already true for string-valued options
@@ -176,7 +193,7 @@ following incompatible changes:</para>
   </listitem>
   <listitem>
     <para>
-      <literal>lib.addPassthru drv passthru</literal> is removed.  Use <literal>lib.extendDerivation true passthru drv</literal> instead.  <emphasis role="strong">TODO: actually remove it before branching 18.03 off.</emphasis>
+      <literal>lib.addPassthru drv passthru</literal> is removed.  Use <literal>lib.extendDerivation true passthru drv</literal> instead.
     </para>
   </listitem>
   <listitem>
@@ -239,6 +256,58 @@ following incompatible changes:</para>
       <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      The Piwik analytics software was renamed to Matomo:
+      <itemizedlist>
+        <listitem>
+          <para>The package <literal>pkgs.piwik</literal> was renamed to <literal>pkgs.matomo</literal>.</para>
+        </listitem>
+        <listitem>
+          <para>The service <literal>services.piwik</literal> was renamed to <literal>services.matomo</literal>.</para>
+        </listitem>
+        <listitem>
+          <para>
+            The data directory <filename>/var/lib/piwik</filename> was renamed to <filename>/var/lib/matomo</filename>.
+            All files will be moved automatically on first startup, but you might need to adjust your backup scripts.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            The default <option>serverName</option> for the nginx configuration changed from
+            <literal>piwik.${config.networking.hostName}</literal> to
+            <literal>matomo.${config.networking.hostName}.${config.networking.domain}</literal>
+            if <option>config.networking.domain</option> is set,
+            <literal>matomo.${config.networking.hostName}</literal> if it is not set.
+            If you change your <option>serverName</option>, remember you'll need to update the
+            <literal>trustedHosts[]</literal> array in <filename>/var/lib/matomo/config/config.ini.php</filename>
+            as well.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            The <literal>piwik</literal> user was renamed to <literal>matomo</literal>.
+            The service will adjust ownership automatically for files in the data directory.
+            If you use unix socket authentication, remember to give the new <literal>matomo</literal> user
+            access to the database and to change the <literal>username</literal> to <literal>matomo</literal>
+            in the <literal>[database]</literal> section of <filename>/var/lib/matomo/config/config.ini.php</filename>.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean,
+            but this is neither enforced nor required.
+          </para>
+        </listitem>
+      </itemizedlist>
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      <literal>nodejs-4_x</literal> is end-of-life.
+      <literal>nodejs-4_x</literal>, <literal>nodejs-slim-4_x</literal> and <literal>nodePackages_4_x</literal> are removed.
+    </para>
+  </listitem>
 </itemizedlist>
 
 </section>
@@ -373,6 +442,13 @@ following incompatible changes:</para>
       and <literal>stopJob</literal> provide an optional <literal>$user</literal> argument for that purpose.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      Enabling bash completion on NixOS, <literal>programs.bash.enableCompletion</literal>, will now also enable
+      completion for the Nix command line tools by installing the
+      <link xlink:href="https://github.com/hedning/nix-bash-completions">nix-bash-completions</link> package.
+    </para>
+  </listitem>
 </itemizedlist>
 
 </section>
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index e1c4d0d602af..d8980944adc0 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@@ -28,13 +28,13 @@ with lib;
 
     nixpkgs.config.packageOverrides = pkgs: {
       dbus = pkgs.dbus.override { x11Support = false; };
-      networkmanager_fortisslvpn = pkgs.networkmanager_fortisslvpn.override { withGnome = false; };
-      networkmanager_l2tp = pkgs.networkmanager_l2tp.override { withGnome = false; };
-      networkmanager_openconnect = pkgs.networkmanager_openconnect.override { withGnome = false; };
-      networkmanager_openvpn = pkgs.networkmanager_openvpn.override { withGnome = false; };
-      networkmanager_pptp = pkgs.networkmanager_pptp.override { withGnome = false; };
-      networkmanager_vpnc = pkgs.networkmanager_vpnc.override { withGnome = false; };
-      networkmanager_iodine = pkgs.networkmanager_iodine.override { withGnome = false; };
+      networkmanager-fortisslvpn = pkgs.networkmanager-fortisslvpn.override { withGnome = false; };
+      networkmanager-l2tp = pkgs.networkmanager-l2tp.override { withGnome = false; };
+      networkmanager-openconnect = pkgs.networkmanager-openconnect.override { withGnome = false; };
+      networkmanager-openvpn = pkgs.networkmanager-openvpn.override { withGnome = false; };
+      networkmanager-pptp = pkgs.networkmanager-pptp.override { withGnome = false; };
+      networkmanager-vpnc = pkgs.networkmanager-vpnc.override { withGnome = false; };
+      networkmanager-iodine = pkgs.networkmanager-iodine.override { withGnome = false; };
       pinentry = pkgs.pinentry_ncurses;
     };
   };
diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix
index afaa65f6ce35..b61acf1815d9 100644
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@@ -37,8 +37,9 @@ in {
       hardware.firmware = with pkgs; [
         firmwareLinuxNonfree
         intel2200BGFirmware
-        rtl8723bs-firmware
         rtl8192su-firmware
+      ] ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [
+        rtl8723bs-firmware
       ];
     })
     (mkIf cfg.enableAllFirmware {
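Review bot: The kernel-version gate on `rtl8723bs-firmware` carries no explanation, so a later reader cannot tell whether the package is redundant or harmful on kernels from 4.13 on. A one-line comment above the `optionals` line giving the reason would keep the condition from being dropped or copied blindly. The gate reads `config.boot.kernelPackages.kernel.version`, so a system with an overridden or custom kernel package is classified by that package's version string; that seems intended, but the comment should say so. The enclosing `mkIf` block starts outside the hunk.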
diff --git a/nixos/modules/hardware/digitalbitbox.nix b/nixos/modules/hardware/digitalbitbox.nix
new file mode 100644
index 000000000000..0888cfbef2a8
--- /dev/null
+++ b/nixos/modules/hardware/digitalbitbox.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.hardware.digitalbitbox;
+in
+
+{
+  options.hardware.digitalbitbox = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enables udev rules for Digital Bitbox devices.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.digitalbitbox;
+      defaultText = "pkgs.digitalbitbox";
+      description = "The Digital Bitbox package to use. This can be used to install a package with udev rules that differ from the defaults.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.udev.packages = [ cfg.package ];
+  };
+}
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
index 5725938465f5..4c4e69d60d9c 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
@@ -69,7 +69,7 @@ with lib;
   in ''
     mkdir -p /root/Desktop
     ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
-    cp ${pkgs.gnome3.gnome_terminal}/share/applications/gnome-terminal.desktop /root/Desktop/gnome-terminal.desktop
+    cp ${pkgs.gnome3.gnome-terminal}/share/applications/gnome-terminal.desktop /root/Desktop/gnome-terminal.desktop
     chmod a+rx /root/Desktop/gnome-terminal.desktop
     cp ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
     chmod a+rx /root/Desktop/gparted.desktop
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index a82ee63fd0cd..0e0744a52e42 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -603,6 +603,10 @@ $bootLoaderConfig
   # Enable CUPS to print documents.
   # services.printing.enable = true;
 
+  # Enable sound.
+  # sound.enable = true;
+  # hardware.pulseaudio.enable = true;
+
   # Enable the X11 windowing system.
   # services.xserver.enable = true;
   # services.xserver.layout = "us";
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index c0c6a6ef9244..8d775ffc82d3 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -304,6 +304,7 @@
       mighttpd2 = 285;
       hass = 286;
       monero = 287;
+      ceph = 288;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -576,6 +577,7 @@
       mighttpd2 = 285;
       hass = 286;
       monero = 287;
+      ceph = 288;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/misc/label.nix b/nixos/modules/misc/label.nix
index 250914e8f82e..8e5e57b3b83b 100644
--- a/nixos/modules/misc/label.nix
+++ b/nixos/modules/misc/label.nix
@@ -65,8 +65,8 @@ in
     # This is set here rather than up there so that changing it would
     # not rebuild the manual
     system.nixos.label = mkDefault (maybeEnv "NIXOS_LABEL"
-                                             (concatStringsSep "-" (sort (x: y: x < y) cfg.tags)
-                                             + "-" + maybeEnv "NIXOS_LABEL_VERSION" cfg.version));
+                                             (concatStringsSep "-" ((sort (x: y: x < y) cfg.tags)
+                                              ++ [ (maybeEnv "NIXOS_LABEL_VERSION" cfg.version) ])));
   };
 
 }
diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix
index e747fbc6755c..11bd148d5dee 100644
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@@ -93,7 +93,7 @@ in
       default = {};
       example = literalExample
         ''
-          { firefox.enableGeckoMediaPlayer = true; }
+          { allowBroken = true; allowUnfree = true; }
         '';
       type = configType;
       description = ''
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 098fac7a0c2d..3bb65c6b295a 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -31,6 +31,7 @@
   ./hardware/ckb.nix
   ./hardware/cpu/amd-microcode.nix
   ./hardware/cpu/intel-microcode.nix
+  ./hardware/digitalbitbox.nix
   ./hardware/sensor/iio.nix
   ./hardware/ksm.nix
   ./hardware/mcelog.nix
@@ -78,6 +79,7 @@
   ./programs/command-not-found/command-not-found.nix
   ./programs/criu.nix
   ./programs/dconf.nix
+  ./programs/digitalbitbox/default.nix
   ./programs/environment.nix
   ./programs/fish.nix
   ./programs/freetds.nix
@@ -109,6 +111,7 @@
   ./programs/sway.nix
   ./programs/thefuck.nix
   ./programs/tmux.nix
+  ./programs/udevil.nix
   ./programs/venus.nix
   ./programs/vim.nix
   ./programs/way-cooler.nix
@@ -436,6 +439,7 @@
   ./services/network-filesystems/u9fs.nix
   ./services/network-filesystems/yandex-disk.nix
   ./services/network-filesystems/xtreemfs.nix
+  ./services/network-filesystems/ceph.nix
   ./services/networking/amuled.nix
   ./services/networking/aria2.nix
   ./services/networking/asterisk.nix
@@ -637,7 +641,7 @@
   ./services/web-apps/nixbot.nix
   ./services/web-apps/nexus.nix
   ./services/web-apps/pgpkeyserver-lite.nix
-  ./services/web-apps/piwik.nix
+  ./services/web-apps/matomo.nix
   ./services/web-apps/pump.io.nix
   ./services/web-apps/restya-board.nix
   ./services/web-apps/tt-rss.nix
diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix
index 1abdb4973a44..1a62f04972df 100644
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@@ -211,6 +211,9 @@ in
       "/share/bash-completion"
     ];
 
+    environment.systemPackages = optional cfg.enableCompletion
+      pkgs.nix-bash-completions;
+
     environment.shells =
       [ "/run/current-system/sw/bin/bash"
         "/var/run/current-system/sw/bin/bash"
diff --git a/nixos/modules/programs/browserpass.nix b/nixos/modules/programs/browserpass.nix
index a073c7e66eb8..5f8a44a9848e 100644
--- a/nixos/modules/programs/browserpass.nix
+++ b/nixos/modules/programs/browserpass.nix
@@ -18,5 +18,6 @@ with lib;
       "opt/chrome/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json";
       "opt/chrome/policies/managed/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-policy.json";
     };
+    nixpkgs.config.firefox.enableBrowserpass = true;
   };
 }
diff --git a/nixos/modules/programs/chromium.nix b/nixos/modules/programs/chromium.nix
index 54739feab976..41c49db8c71c 100644
--- a/nixos/modules/programs/chromium.nix
+++ b/nixos/modules/programs/chromium.nix
@@ -36,6 +36,7 @@ in
             "chlffgpmiacpedhhbkiomidkjlcfhogd" # pushbullet
             "mbniclmhobmnbdlbpiphghaielnnpgdp" # lightshot
             "gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere
+            "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
           ]
         '';
       };
@@ -52,8 +53,7 @@ in
         description = "Chromium default search provider url.";
         default = null;
         example =
-          "https://encrypted.google.com/search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:
-        ↪searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}";
+          "https://encrypted.google.com/search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}";
       };
 
       defaultSearchProviderSuggestURL = mkOption {
@@ -79,7 +79,11 @@ in
   ###### implementation
 
   config = lib.mkIf cfg.enable {
+    # for chromium
     environment.etc."chromium/policies/managed/default.json".text = builtins.toJSON defaultProfile;
     environment.etc."chromium/policies/managed/extra.json".text = builtins.toJSON cfg.extraOpts;
+    # for google-chrome https://www.chromium.org/administrators/linux-quick-start
+    environment.etc."opt/chrome/policies/managed/default.json".text = builtins.toJSON defaultProfile;
+    environment.etc."opt/chrome/policies/managed/extra.json".text = builtins.toJSON cfg.extraOpts;
   };
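Review bot: With the two added `environment.etc."opt/chrome/policies/managed/..."` entries, enabling `programs.chromium` also places managed policy for Google Chrome, but only the inline comment says so. The option descriptions are outside the hunk; if they still speak only of Chromium, the `enable` description should state that the same `defaultProfile` and `extraOpts` are written for both browsers. Managed policy controls browser behaviour the user cannot override, so an administrator should learn about the wider scope from the option text. The two JSON values are also serialized twice; binding them once in a `let` (for example `defaultJson = builtins.toJSON defaultProfile;`) would keep the four entries from drifting apart.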
 }
diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix
index 27bfdf022e7d..b7d8a345e65c 100644
--- a/nixos/modules/programs/dconf.nix
+++ b/nixos/modules/programs/dconf.nix
@@ -36,7 +36,7 @@ in
       "${pkgs.gnome3.dconf.lib}/lib/gio/modules";
     # https://github.com/NixOS/nixpkgs/pull/31891
     #environment.variables.XDG_DATA_DIRS = optional cfg.enable
-    #  "$(echo ${pkgs.gnome3.gsettings_desktop_schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)";
+    #  "$(echo ${pkgs.gnome3.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)";
   };
 
 }
diff --git a/nixos/modules/programs/digitalbitbox/default.nix b/nixos/modules/programs/digitalbitbox/default.nix
new file mode 100644
index 000000000000..7c727489c6c9
--- /dev/null
+++ b/nixos/modules/programs/digitalbitbox/default.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.digitalbitbox;
+in
+
+{
+  options.programs.digitalbitbox = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Installs the Digital Bitbox application and enables the complementary hardware module.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.digitalbitbox;
+      defaultText = "pkgs.digitalbitbox";
+      description = "The Digital Bitbox package to use. This can be used to install a package with udev rules that differ from the defaults.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    hardware.digitalbitbox = {
+      enable = true;
+      package = cfg.package;
+    };
+  };
+
+  meta = {
+    doc = ./doc.xml;
+    maintainers = with stdenv.lib.maintainers; [ vidbina ];
+  };
+}
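Review bot: `maintainers = with stdenv.lib.maintainers; [ vidbina ];` in the `meta` block refers to `stdenv`, which is not among the module arguments `{ config, lib, pkgs, ... }` and is not provided by `with lib;` as far as this file shows, so evaluating `meta.maintainers` would likely fail with an undefined variable. The `lib` argument is already in scope: `maintainers = with lib.maintainers; [ vidbina ];`. Separately, `hardware.digitalbitbox.package = cfg.package;` is assigned at normal priority, so a user who sets both `package` options to different values gets a conflicting-definition error. Either wrap the assignment in `mkDefault` or document that only `programs.digitalbitbox.package` should be set.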
diff --git a/nixos/modules/programs/digitalbitbox/doc.xml b/nixos/modules/programs/digitalbitbox/doc.xml
new file mode 100644
index 000000000000..7acbc2fc4dde
--- /dev/null
+++ b/nixos/modules/programs/digitalbitbox/doc.xml
@@ -0,0 +1,85 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="module-programs-digitalbitbox">
+
+  <title>Digital Bitbox</title>
+
+  <para>
+    Digital Bitbox is a hardware wallet and second-factor authenticator.
+  </para>
+
+  <para>
+    The <literal>digitalbitbox</literal> programs module may be
+    installed by setting <literal>programs.digitalbitbox</literal>
+    to <literal>true</literal> in a manner similar to
+
+    <programlisting>
+      programs.digitalbitbox.enable = true;
+    </programlisting>
+
+    and bundles the <literal>digitalbitbox</literal> package (see <xref
+      linkend="sec-digitalbitbox-package" />), which contains the
+    <literal>dbb-app</literal> and <literal>dbb-cli</literal> binaries,
+    along with the hardware module (see <xref
+      linkend="sec-digitalbitbox-hardware-module" />) which sets up the
+    necessary udev rules to access the device.
+  </para>
+
+  <para>
+    Enabling the digitalbitbox module is pretty much the easiest way to
+    get a Digital Bitbox device working on your system.
+  </para>
+
+  <para>
+    For more information, see
+    <link xlink:href="https://digitalbitbox.com/start_linux" />.
+  </para>
+
+  <section xml:id="sec-digitalbitbox-package">
+    <title>Package</title>
+
+    <para>
+      The binaries, <literal>dbb-app</literal> (a GUI tool) and
+      <literal>dbb-cli</literal> (a CLI tool), are available through the
+      <literal>digitalbitbox</literal> package which could be installed
+      as follows:
+
+      <programlisting>
+        environment.systemPackages = [
+          pkgs.digitalbitbox
+        ];
+      </programlisting>
+    </para>
+  </section>
+
+
+  <section xml:id="sec-digitalbitbox-hardware-module">
+    <title>Hardware</title>
+
+    <para>
+      The digitalbitbox hardware package enables the udev rules for
+      Digital Bitbox devices and may be installed as follows:
+
+      <programlisting>
+        hardware.digitalbitbox.enable = true;
+      </programlisting>
+    </para>
+
+    <para>
+      In order to alter the udev rules, one may provide different values for
+      the <literal>udevRule51</literal> and <literal>udevRule52</literal>
+      attributes by means of overriding as follows:
+
+      <programlisting>
+        programs.digitalbitbox = {
+          enable = true;
+          package = pkgs.digitalbitbox.override {
+            udevRule51 = "something else";
+          };
+        };
+      </programlisting>
+    </para>
+  </section>
+</chapter>
diff --git a/nixos/modules/programs/udevil.nix b/nixos/modules/programs/udevil.nix
new file mode 100644
index 000000000000..ba5670f9dfe9
--- /dev/null
+++ b/nixos/modules/programs/udevil.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.udevil;
+
+in {
+  options.programs.udevil.enable = mkEnableOption "udevil";
+
+  config = mkIf cfg.enable {
+    security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
+  };
+}
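Review bot: `security.wrappers.udevil.source` is set without `owner`, `group` or `setuid`, so the privilege the wrapper receives is whatever the wrappers module defaults to. That is presumably setuid root, but neither the module nor the option text says so. State the intended attributes explicitly next to `source`, and let the option description tell the administrator that enabling it installs a privileged binary, e.g. `options.programs.udevil.enable = mkEnableOption "udevil, installed as a privileged wrapper";`. The module does not manage udevil's own configuration, so the set of devices and mount options unprivileged users may use is left to the package defaults. A short comment recording that this was reviewed would help the next auditor.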
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index da83baed3719..489d7d8b9b50 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -148,6 +148,12 @@ with lib;
     # parsoid
     (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ])
 
+    # piwik was renamed to matomo
+    (mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ])
+    (mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ])
+    (mkRenamedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] [ "services" "matomo" "phpfpmProcessManagerConfig" ])
+    (mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ])
+
     # tarsnap
     (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir")
 
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index f39f64033ca7..e1cad03e66e2 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -311,7 +311,7 @@ let
                 ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
                  " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
               ${optionalString cfg.enableGnomeKeyring
-                ("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")}
+                ("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")}
               ${optionalString cfg.googleAuthenticator.enable
                   "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
             '') + ''
@@ -384,7 +384,7 @@ let
               ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
                " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
           ${optionalString (cfg.enableGnomeKeyring)
-              "session optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start"}
+              "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
           ${optionalString (config.virtualisation.lxc.lxcfs.enable)
                "session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"}
         '');
diff --git a/nixos/modules/services/audio/alsa.nix b/nixos/modules/services/audio/alsa.nix
index acf48d3c3d03..e3e8bb28c58b 100644
--- a/nixos/modules/services/audio/alsa.nix
+++ b/nixos/modules/services/audio/alsa.nix
@@ -21,7 +21,7 @@ in
 
       enable = mkOption {
         type = types.bool;
-        default = true;
+        default = false;
         description = ''
           Whether to enable ALSA sound.
         '';
diff --git a/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixos/modules/services/continuous-integration/jenkins/default.nix
index 0dd59e4fb444..54047a50caa6 100644
--- a/nixos/modules/services/continuous-integration/jenkins/default.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/default.nix
@@ -208,7 +208,7 @@ in {
       '';
 
       postStart = ''
-        until [[ $(${pkgs.curl.bin}/bin/curl -s --head -w '\n%{http_code}' http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} | tail -n1) =~ ^(200|403)$ ]]; do
+        until [[ $(${pkgs.curl.bin}/bin/curl -L -s --head -w '\n%{http_code}' http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} | tail -n1) =~ ^(200|403)$ ]]; do
           sleep 1
         done
       '';
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 5b7390503552..21a131b90a81 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -133,7 +133,7 @@ in
         '';
         example = [
           "nextcloud"
-          "piwik"
+          "matomo"
         ];
       };
 
@@ -289,10 +289,10 @@ in
                     # Create initial databases
                     if ! test -e "${cfg.dataDir}/${database.name}"; then
                         echo "Creating initial database: ${database.name}"
-                        ( echo "create database `${database.name}`;"
+                        ( echo 'create database `${database.name}`;'
 
                           ${optionalString (database ? "schema") ''
-                          echo "use `${database.name}`;"
+                          echo 'use `${database.name}`;'
 
                           if [ -f "${database.schema}" ]
                           then
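Review bot: The switch to single quotes on the two `echo` lines is what stops the shell from running the backtick-quoted name as a command substitution, yet nothing in the script records that. Add a comment above the first one, such as `# single quotes: the backticks are SQL identifier quoting and must not be expanded by the shell`, so the quotes are not "normalised" back later. `${database.name}` is still spliced into the script by Nix without escaping, so a name containing `'` or a backtick would break the shell or SQL quoting; an assertion restricting names to a safe character set would close that. The same name is used unescaped in `"${cfg.dataDir}/${database.name}"` on the context line above. The surrounding script starts and ends outside the hunk.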
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 9b5e3735239f..0dcbfe2e47ac 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -122,7 +122,7 @@ in
       extraPlugins = mkOption {
         type = types.listOf types.path;
         default = [];
-        example = literalExample "[ (pkgs.postgis.override { postgresql = pkgs.postgresql94; }).v_2_1_4 ]";
+        example = literalExample "[ (pkgs.postgis.override { postgresql = pkgs.postgresql94; }) ]";
         description = ''
           When this list contains elements a new store path is created.
           PostgreSQL and the elements are symlinked into it. Then pg_config,
diff --git a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
index 9e382241348b..cca98c43dc7a 100644
--- a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
+++ b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
@@ -30,9 +30,9 @@ with lib;
 
   config = mkMerge [
     (mkIf config.services.gnome3.at-spi2-core.enable {
-      environment.systemPackages = [ pkgs.at_spi2_core ];
-      services.dbus.packages = [ pkgs.at_spi2_core ];
-      systemd.packages = [ pkgs.at_spi2_core ];
+      environment.systemPackages = [ pkgs.at-spi2-core ];
+      services.dbus.packages = [ pkgs.at-spi2-core ];
+      systemd.packages = [ pkgs.at-spi2-core ];
     })
 
     (mkIf (!config.services.gnome3.at-spi2-core.enable) {
diff --git a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix b/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
index 86a47488d865..7e312a1b81eb 100644
--- a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
+++ b/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
@@ -30,11 +30,11 @@ with lib;
 
   config = mkIf config.services.gnome3.evolution-data-server.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.evolution_data_server ];
+    environment.systemPackages = [ pkgs.gnome3.evolution-data-server ];
 
-    services.dbus.packages = [ pkgs.gnome3.evolution_data_server ];
+    services.dbus.packages = [ pkgs.gnome3.evolution-data-server ];
 
-    systemd.packages = [ pkgs.gnome3.evolution_data_server ];
+    systemd.packages = [ pkgs.gnome3.evolution-data-server ];
 
   };
 
diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
index 2a68af5a7dd8..aa1165ab3bba 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
@@ -31,9 +31,9 @@ with lib;
 
   config = mkIf config.services.gnome3.gnome-keyring.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.gnome_keyring ];
+    environment.systemPackages = [ pkgs.gnome3.gnome-keyring ];
 
-    services.dbus.packages = [ pkgs.gnome3.gnome_keyring pkgs.gnome3.gcr ];
+    services.dbus.packages = [ pkgs.gnome3.gnome-keyring pkgs.gnome3.gcr ];
 
   };
 
diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
index 0da4aca73ecb..4286251357f7 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
@@ -30,9 +30,9 @@ with lib;
 
   config = mkIf config.services.gnome3.gnome-online-accounts.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.gnome_online_accounts ];
+    environment.systemPackages = [ pkgs.gnome3.gnome-online-accounts ];
 
-    services.dbus.packages = [ pkgs.gnome3.gnome_online_accounts ];
+    services.dbus.packages = [ pkgs.gnome3.gnome-online-accounts ];
 
   };
 
diff --git a/nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix b/nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix
index 3ac767bfa00d..fd14efee5f2e 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix
@@ -30,11 +30,11 @@ with lib;
 
   config = mkIf config.services.gnome3.gnome-terminal-server.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.gnome_terminal ];
+    environment.systemPackages = [ pkgs.gnome3.gnome-terminal ];
 
-    services.dbus.packages = [ pkgs.gnome3.gnome_terminal ];
+    services.dbus.packages = [ pkgs.gnome3.gnome-terminal ];
 
-    systemd.packages = [ pkgs.gnome3.gnome_terminal ];
+    systemd.packages = [ pkgs.gnome3.gnome-terminal ];
 
   };
 
diff --git a/nixos/modules/services/desktops/telepathy.nix b/nixos/modules/services/desktops/telepathy.nix
index 2554f3a1666f..f5401c180984 100644
--- a/nixos/modules/services/desktops/telepathy.nix
+++ b/nixos/modules/services/desktops/telepathy.nix
@@ -30,9 +30,9 @@ with lib;
 
   config = mkIf config.services.telepathy.enable {
 
-    environment.systemPackages = [ pkgs.telepathy_mission_control ];
+    environment.systemPackages = [ pkgs.telepathy-mission-control ];
 
-    services.dbus.packages = [ pkgs.telepathy_mission_control ];
+    services.dbus.packages = [ pkgs.telepathy-mission-control ];
 
   };
 
diff --git a/nixos/modules/services/hardware/acpid.nix b/nixos/modules/services/hardware/acpid.nix
index f69706ebff34..0f05876aee32 100644
--- a/nixos/modules/services/hardware/acpid.nix
+++ b/nixos/modules/services/hardware/acpid.nix
@@ -53,6 +53,12 @@ in
         description = "Whether to enable the ACPI daemon.";
       };
 
+      logEvents = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Log all event activity.";
+      };
+
       handlers = mkOption {
         type = types.attrsOf (types.submodule {
           options = {
@@ -142,7 +148,7 @@ in
         ConditionPathExists = [ "/proc/acpi" ];
       };
 
-      script = "acpid --confdir ${acpiConfDir}";
+      script = "acpid ${optionalString config.services.acpid.logEvents "--logevents"} --confdir ${acpiConfDir}";
     };
 
   };
diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix
index 1f4acd21eccf..d8abde2a600a 100644
--- a/nixos/modules/services/hardware/fwupd.nix
+++ b/nixos/modules/services/hardware/fwupd.nix
@@ -8,12 +8,8 @@ let
   cfg = config.services.fwupd;
   originalEtc =
     let
-      isRegular = v: v == "regular";
-      listFiles = d: builtins.attrNames (filterAttrs (const isRegular) (builtins.readDir d));
-      copiedDirs = [ "fwupd/remotes.d" "pki/fwupd" "pki/fwupd-metadata" ];
-      originalFiles = concatMap (d: map (f: "${d}/${f}") (listFiles "${pkgs.fwupd}/etc/${d}")) copiedDirs;
       mkEtcFile = n: nameValuePair n { source = "${pkgs.fwupd}/etc/${n}"; };
-    in listToAttrs (map mkEtcFile originalFiles);
+    in listToAttrs (map mkEtcFile pkgs.fwupd.filesInstalledToEtc);
   extraTrustedKeys =
     let
       mkName = p: "pki/fwupd/${baseNameOf (toString p)}";
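Review bot: `originalEtc` now relies on `pkgs.fwupd.filesInstalledToEtc` to name every file under the package's `etc/`, where the removed code enumerated `fwupd/remotes.d`, `pki/fwupd` and `pki/fwupd-metadata` itself; nothing in this hunk checks the list against the package. The attribute is defined outside this diff, so whether it is verified at build time is not visible; if it is not, a missed entry would silently leave a remote or a trust key out of `/etc`. A comment on the binding would record the contract, e.g. `# filesInstalledToEtc must list every file fwupd installs under etc/, including the pki/ keys`. The enclosing `let` continues past the hunk.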
diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix
index e96645c79c77..39d23610b064 100644
--- a/nixos/modules/services/misc/disnix.nix
+++ b/nixos/modules/services/misc/disnix.nix
@@ -32,11 +32,17 @@ in
         description = "Whether to enable Disnix";
       };
 
+      enableMultiUser = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to support multi-user mode by enabling the Disnix D-Bus service";
+      };
+
       useWebServiceInterface = mkOption {
         default = false;
         description = "Whether to enable the DisnixWebService interface running on Apache Tomcat";
       };
-      
+
       package = mkOption {
         type = types.path;
         description = "The Disnix package";
@@ -52,7 +58,7 @@ in
 
   config = mkIf cfg.enable {
     dysnomia.enable = true;
-    
+
     environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService;
 
     services.dbus.enable = true;
@@ -71,7 +77,7 @@ in
       };
 
     systemd.services = {
-      disnix = {
+      disnix = mkIf cfg.enableMultiUser {
         description = "Disnix server";
         wants = [ "dysnomia.target" ];
         wantedBy = [ "multi-user.target" ];
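Review bot: With `enableMultiUser = false` only the `disnix` systemd unit is dropped; `services.dbus.enable = true;` in the preceding hunk stays unconditional under `cfg.enable`, and any `services.dbus.packages` registration for Disnix (not visible in these hunks) would too. If single-user hosts are meant to run without the Disnix D-Bus surface, those settings should follow the same condition, e.g. `services.dbus.enable = mkIf cfg.enableMultiUser true;`, unless `useWebServiceInterface` needs the bus. The unit definition continues outside the hunk.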
@@ -92,7 +98,7 @@ in
         }
         // (if config.environment.variables ? DYSNOMIA_CONTAINERS_PATH then { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; } else {})
         // (if config.environment.variables ? DYSNOMIA_MODULES_PATH then { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; } else {});
-        
+
         serviceConfig.ExecStart = "${cfg.package}/bin/disnix-service";
       };
 
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index 66148431709f..5bd9cf9086f1 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -1,8 +1,12 @@
 { config, lib, pkgs, ... }:
 
 with lib;
-
-{
+let cfg = config.nix.sshServe;
+    command =
+      if cfg.protocol == "ssh"
+        then "nix-store --serve"
+      else "nix-daemon --stdio";
+in {
   options = {
 
     nix.sshServe = {
@@ -10,7 +14,7 @@ with lib;
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = "Whether to enable serving the Nix store as a binary cache via SSH.";
+        description = "Whether to enable serving the Nix store as a remote store via SSH.";
       };
 
       keys = mkOption {
@@ -20,14 +24,20 @@ with lib;
         description = "A list of SSH public keys allowed to access the binary cache via SSH.";
       };
 
+      protocol = mkOption {
+        type = types.enum [ "ssh" "ssh-ng" ];
+        default = "ssh";
+        description = "The specific Nix-over-SSH protocol to use.";
+      };
+
     };
 
   };
 
-  config = mkIf config.nix.sshServe.enable {
+  config = mkIf cfg.enable {
 
     users.extraUsers.nix-ssh = {
-      description = "Nix SSH substituter user";
+      description = "Nix SSH store user";
       uid = config.ids.uids.nix-ssh;
       useDefaultShell = true;
     };
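Review bot: The `protocol` description does not say that the two values give key holders different access. Per the `command` binding at the top of the file, `ssh` forces `nix-store --serve` (no `--write`, so a read-only export), while `ssh-ng` forces `nix-daemon --stdio`, which hands every key in `nix.sshServe.keys` the daemon protocol. What such a client may then do is presumably bounded only by the daemon's allowed/trusted-user settings for `nix-ssh`, which are not visible here. I would spell that out, e.g. `description = "Nix-over-SSH protocol to serve: ssh runs nix-store --serve (read-only), ssh-ng runs nix-daemon --stdio and exposes the daemon protocol to all keys.";`. The unchanged `keys` description above this option still says "binary cache" and could follow the new "remote store" wording.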
@@ -41,11 +51,11 @@ with lib;
         PermitTTY no
         PermitTunnel no
         X11Forwarding no
-        ForceCommand ${config.nix.package.out}/bin/nix-store --serve
+        ForceCommand ${config.nix.package.out}/bin/${command}
       Match All
     '';
 
-    users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys;
+    users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = cfg.keys;
 
   };
 }
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index d48b78ae6d02..921be23f3681 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -249,7 +249,7 @@ in {
       };
       preStart = ''
         ln -fs ${cfg.package}/share/grafana/conf ${cfg.dataDir}
-        ln -fs ${cfg.package}/share/grafana/vendor ${cfg.dataDir}
+        ln -fs ${cfg.package}/share/grafana/tools ${cfg.dataDir}
       '';
     };
 
diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix
new file mode 100644
index 000000000000..5de8ae79a246
--- /dev/null
+++ b/nixos/modules/services/network-filesystems/ceph.nix
@@ -0,0 +1,371 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  ceph = pkgs.ceph;
+  cfg  = config.services.ceph;
+  # function that translates "camelCaseOptions" to "camel case options", credits to tilpner in #nixos@freenode
+  translateOption = replaceStrings upperChars (map (s: " ${s}") lowerChars);
+  generateDaemonList = (daemonType: daemons: extraServiceConfig:
+    mkMerge (
+      map (daemon: 
+        { "ceph-${daemonType}-${daemon}" = generateServiceFile daemonType daemon cfg.global.clusterName ceph extraServiceConfig; }
+      ) daemons
+    )
+  );
+  generateServiceFile = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: {
+    enable = true;
+    description = "Ceph ${builtins.replaceStrings lowerChars upperChars daemonType} daemon ${daemonId}";
+    after = [ "network-online.target" "local-fs.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target";
+    wants = [ "network-online.target" "local-fs.target" "time-sync.target" ];
+    partOf = [ "ceph-${daemonType}.target" ];
+    wantedBy = [ "ceph-${daemonType}.target" ];
+
+    serviceConfig = {
+      LimitNOFILE = 1048576;
+      LimitNPROC = 1048576;
+      Environment = "CLUSTER=${clusterName}";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      PrivateDevices = "yes";
+      PrivateTmp = "true";
+      ProtectHome = "true";
+      ProtectSystem = "full";
+      Restart = "on-failure";
+      StartLimitBurst = "5";
+      StartLimitInterval = "30min";
+      ExecStart = "${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} -f --cluster ${clusterName} --id ${if daemonType == "rgw" then "client.${daemonId}" else daemonId} --setuser ceph --setgroup ceph";
+    } // extraServiceConfig
+      // optionalAttrs (daemonType == "osd") { ExecStartPre = "${ceph.out}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}"; };
+    } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { preStart = ''
+        daemonPath="/var/lib/ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}"
+        if [ ! -d ''$daemonPath ]; then
+          mkdir -m 755 -p ''$daemonPath
+          chown -R ceph:ceph ''$daemonPath 
+        fi
+      '';
+    } // optionalAttrs (daemonType == "osd") { path = [ pkgs.getopt ]; }
+  );
+  generateTargetFile = (daemonType:
+    {
+      "ceph-${daemonType}" = {
+        description = "Ceph target allowing to start/stop all ceph-${daemonType} services at once";
+        partOf = [ "ceph.target" ];
+        before = [ "ceph.target" ];
+      };
+    }
+  );
+in 
+{
+  options.services.ceph = {
+    # Ceph has a monolithic configuration file but different sections for
+    # each daemon, a separate client section and a global section
+    enable = mkEnableOption "Ceph global configuration";
+
+    global = {
+      fsid = mkOption {
+        type = types.str;
+        example = ''
+          433a2193-4f8a-47a0-95d2-209d7ca2cca5
+        '';
+        description = ''
+          Filesystem ID, a generated uuid, its must be generated and set before
+          attempting to start a cluster
+        '';
+      };
+
+      clusterName = mkOption {
+        type = types.str;
+        default = "ceph";
+        description = ''
+          Name of cluster
+        '';
+      };
+
+      monInitialMembers = mkOption {
+        type = with types; nullOr commas;
+        default = null;
+        example = ''
+          node0, node1, node2 
+        '';
+        description = ''
+          List of hosts that will be used as monitors at startup.
+        '';
+      };
+
+      monHost = mkOption {
+        type = with types; nullOr commas;
+        default = null;
+        example = ''
+          10.10.0.1, 10.10.0.2, 10.10.0.3
+        '';
+        description = ''
+          List of hostname shortnames/IP addresses of the initial monitors.
+        '';
+      };
+
+      maxOpenFiles = mkOption {
+        type = types.int;
+        default = 131072;
+        description = ''
+          Max open files for each OSD daemon.
+        '';
+      };
+
+      authClusterRequired = mkOption {
+        type = types.enum [ "cephx" "none" ];
+        default = "cephx";
+        description = ''
+          Enables requiring daemons to authenticate with eachother in the cluster.
+        '';
+      };
+
+      authServiceRequired = mkOption {
+        type = types.enum [ "cephx" "none" ];
+        default = "cephx";
+        description = ''
+          Enables requiring clients to authenticate with the cluster to access services in the cluster (e.g. radosgw, mds or osd).
+        '';
+      };
+
+      authClientRequired = mkOption {
+        type = types.enum [ "cephx" "none" ];
+        default = "cephx";
+        description = ''
+          Enables requiring the cluster to authenticate itself to the client.
+        '';
+      };
+
+      publicNetwork = mkOption {
+        type = with types; nullOr commas;
+        default = null;
+        example = ''
+          10.20.0.0/24, 192.168.1.0/24
+        '';
+        description = ''
+          A comma-separated list of subnets that will be used as public networks in the cluster.
+        '';
+      };
+
+      clusterNetwork = mkOption {
+        type = with types; nullOr commas;
+        default = null;
+        example = ''
+          10.10.0.0/24, 192.168.0.0/24
+        '';
+        description = ''
+          A comma-separated list of subnets that will be used as cluster networks in the cluster.
+        '';
+      };
+    };
+
+    mgr = {
+      enable = mkEnableOption "Ceph MGR daemon";
+      daemons = mkOption {
+        type = with types; listOf str;
+        default = [];
+        example = ''
+          [ "name1" "name2" ];
+        '';
+        description = ''
+          A list of names for manager daemons that should have a service created. The names correspond
+          to the id part in ceph i.e. [ "name1" ] would result in mgr.name1
+        '';
+      };
+      extraConfig = mkOption {
+        type = with types; attrsOf str;
+        default = {};
+        description = ''
+          Extra configuration to add to the global section for manager daemons.
+        '';
+      };
+    };
+
+    mon = {
+      enable = mkEnableOption "Ceph MON daemon";
+      daemons = mkOption {
+        type = with types; listOf str;
+        default = [];
+        example = ''
+          [ "name1" "name2" ];
+        '';
+        description = ''
+          A list of monitor daemons that should have a service created. The names correspond
+          to the id part in ceph i.e. [ "name1" ] would result in mon.name1
+        '';
+      };
+      extraConfig = mkOption {
+        type = with types; attrsOf str;
+        default = {};
+        description = ''
+          Extra configuration to add to the monitor section.
+        '';
+      };
+    };
+
+    osd = {
+      enable = mkEnableOption "Ceph OSD daemon";
+      daemons = mkOption {
+        type = with types; listOf str;
+        default = [];
+        example = ''
+          [ "name1" "name2" ];
+        '';
+        description = ''
+          A list of OSD daemons that should have a service created. The names correspond
+          to the id part in ceph i.e. [ "name1" ] would result in osd.name1
+        '';
+      };
+      extraConfig = mkOption {
+        type = with types; attrsOf str;
+        default = {
+          "osd journal size" = "10000";
+          "osd pool default size" = "3";
+          "osd pool default min size" = "2";
+          "osd pool default pg num" = "200";
+          "osd pool default pgp num" = "200";
+          "osd crush chooseleaf type" = "1";
+        };
+        description = ''
+          Extra configuration to add to the OSD section.
+        '';
+      };
+    };
+
+    mds = {
+      enable = mkEnableOption "Ceph MDS daemon";
+      daemons = mkOption {
+        type = with types; listOf str;
+        default = [];
+        example = ''
+          [ "name1" "name2" ];
+        '';
+        description = ''
+          A list of metadata service daemons that should have a service created. The names correspond
+          to the id part in ceph i.e. [ "name1" ] would result in mds.name1
+        '';
+      };
+      extraConfig = mkOption {
+        type = with types; attrsOf str;
+        default = {};
+        description = ''
+          Extra configuration to add to the MDS section.
+        '';
+      };
+    };
+
+    rgw = {
+      enable = mkEnableOption "Ceph RadosGW daemon";
+      daemons = mkOption {
+        type = with types; listOf str;
+        default = [];
+        example = ''
+          [ "name1" "name2" ];
+        '';
+        description = ''
+          A list of rados gateway daemons that should have a service created. The names correspond
+          to the id part in ceph i.e. [ "name1" ] would result in client.name1, radosgw daemons
+          aren't daemons to cluster in the sense that OSD, MGR or MON daemons are. They are simply
+          daemons, from ceph, that uses the cluster as a backend.
+        '';
+      };
+    };
+
+    client = {
+      enable = mkEnableOption "Ceph client configuration";
+      extraConfig = mkOption {
+        type = with types; attrsOf str;
+        default = {};
+        example = ''
+          {
+            # This would create a section for a radosgw daemon named node0 and related
+            # configuration for it
+            "client.radosgw.node0" = { "some config option" = "true"; };
+          };
+        '';
+        description = ''
+          Extra configuration to add to the client section. Configuration for rados gateways
+          would be added here, with their own sections, see example.
+        '';
+      };
+    };
+  };
+
+  config = mkIf config.services.ceph.enable {
+    assertions = [
+      { assertion = cfg.global.fsid != "";
+        message = "fsid has to be set to a valid uuid for the cluster to function";
+      }
+      { assertion = cfg.mgr.enable == true;
+        message = "ceph 12.x requires atleast 1 MGR daemon enabled for the cluster to function";
+      }
+      { assertion = cfg.mon.enable == true -> cfg.mon.daemons != [];
+        message = "have to set id of atleast one MON if you're going to enable Monitor";
+      }
+      { assertion = cfg.mds.enable == true -> cfg.mds.daemons != [];
+        message = "have to set id of atleast one MDS if you're going to enable Metadata Service";
+      }
+      { assertion = cfg.osd.enable == true -> cfg.osd.daemons != [];
+        message = "have to set id of atleast one OSD if you're going to enable OSD";
+      }
+      { assertion = cfg.mgr.enable == true -> cfg.mgr.daemons != [];
+        message = "have to set id of atleast one MGR if you're going to enable MGR";
+      }
+    ];
+
+    warnings = optional (cfg.global.monInitialMembers == null) 
+      ''Not setting up a list of members in monInitialMembers requires that you set the host variable for each mon daemon or else the cluster won't function'';
+    
+    environment.etc."ceph/ceph.conf".text = let
+      # Translate camelCaseOptions to the expected camel case option for ceph.conf
+      translatedGlobalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) cfg.global;
+      # Merge the extraConfig set for mgr daemons, as mgr don't have their own section
+      globalAndMgrConfig = translatedGlobalConfig // optionalAttrs cfg.mgr.enable cfg.mgr.extraConfig;
+      # Remove all name-value pairs with null values from the attribute set to avoid making empty sections in the ceph.conf
+      globalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) (filterAttrs (name: value: value != null) globalAndMgrConfig);
+      totalConfig = {
+          "global" = globalConfig;
+        } // optionalAttrs (cfg.mon.enable && cfg.mon.extraConfig != {}) { "mon" = cfg.mon.extraConfig; }
+          // optionalAttrs (cfg.mds.enable && cfg.mds.extraConfig != {}) { "mds" = cfg.mds.extraConfig; }
+          // optionalAttrs (cfg.osd.enable && cfg.osd.extraConfig != {}) { "osd" = cfg.osd.extraConfig; }
+          // optionalAttrs (cfg.client.enable && cfg.client.extraConfig != {})  cfg.client.extraConfig;
+      in
+        generators.toINI {} totalConfig;
+
+    users.extraUsers = singleton {
+      name = "ceph";
+      uid = config.ids.uids.ceph;
+      description = "Ceph daemon user";
+    };
+
+    users.extraGroups = singleton {
+      name = "ceph";
+      gid = config.ids.gids.ceph;
+    };
+
+    systemd.services = let
+      services = [] 
+        ++ optional cfg.mon.enable (generateDaemonList "mon" cfg.mon.daemons { RestartSec = "10"; }) 
+        ++ optional cfg.mds.enable (generateDaemonList "mds" cfg.mds.daemons { StartLimitBurst = "3"; })
+        ++ optional cfg.osd.enable (generateDaemonList "osd" cfg.osd.daemons { StartLimitBurst = "30"; RestartSec = "20s"; })
+        ++ optional cfg.rgw.enable (generateDaemonList "rgw" cfg.rgw.daemons { })
+        ++ optional cfg.mgr.enable (generateDaemonList "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; });
+      in 
+        mkMerge services;
+
+    systemd.targets = let
+      targets = [
+        { "ceph" = { description = "Ceph target allowing to start/stop all ceph service instances at once"; }; }
+      ] ++ optional cfg.mon.enable (generateTargetFile "mon")
+        ++ optional cfg.mds.enable (generateTargetFile "mds")
+        ++ optional cfg.osd.enable (generateTargetFile "osd")
+        ++ optional cfg.rgw.enable (generateTargetFile "rgw")
+        ++ optional cfg.mgr.enable (generateTargetFile "mgr");
+      in
+        mkMerge targets;
+
+    systemd.tmpfiles.rules = [
+      "d /run/ceph 0770 ceph ceph -"
+    ];
+  };
+}
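Review bot: `client.extraConfig` is declared `attrsOf str`, but its example value and its use in `totalConfig` both treat each attribute as a whole section: it is merged with `//` alongside the `"global"`, `"mon"`, `"mds"` and `"osd"` sections and passed to `generators.toINI`. The documented example would therefore not type-check, and a value that does type-check is not a section; the type should be `type = with types; attrsOf (attrsOf str);`. Separately, the assertion `cfg.mgr.enable == true` applies whenever `services.ceph.enable` is set, so it also rejects a host that only sets `client.enable` or runs only OSDs. It looks like it should be scoped to hosts that are meant to run a manager.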
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 62afbf32c2f6..f83fb7a6d5dc 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -133,10 +133,10 @@ in {
       basePackages = mkOption {
         type = types.attrsOf types.package;
         default = { inherit networkmanager modemmanager wpa_supplicant
-                            networkmanager_openvpn networkmanager_vpnc
-                            networkmanager_openconnect networkmanager_fortisslvpn
-                            networkmanager_pptp networkmanager_l2tp
-                            networkmanager_iodine; };
+                            networkmanager-openvpn networkmanager-vpnc
+                            networkmanager-openconnect networkmanager-fortisslvpn
+                            networkmanager-pptp networkmanager-l2tp
+                            networkmanager-iodine; };
         internal = true;
       };
 
@@ -273,28 +273,28 @@ in {
       { source = configFile;
         target = "NetworkManager/NetworkManager.conf";
       }
-      { source = "${networkmanager_openvpn}/etc/NetworkManager/VPN/nm-openvpn-service.name";
+      { source = "${networkmanager-openvpn}/etc/NetworkManager/VPN/nm-openvpn-service.name";
         target = "NetworkManager/VPN/nm-openvpn-service.name";
       }
-      { source = "${networkmanager_vpnc}/etc/NetworkManager/VPN/nm-vpnc-service.name";
+      { source = "${networkmanager-vpnc}/etc/NetworkManager/VPN/nm-vpnc-service.name";
         target = "NetworkManager/VPN/nm-vpnc-service.name";
       }
-      { source = "${networkmanager_openconnect}/etc/NetworkManager/VPN/nm-openconnect-service.name";
+      { source = "${networkmanager-openconnect}/etc/NetworkManager/VPN/nm-openconnect-service.name";
         target = "NetworkManager/VPN/nm-openconnect-service.name";
       }
-      { source = "${networkmanager_fortisslvpn}/etc/NetworkManager/VPN/nm-fortisslvpn-service.name";
+      { source = "${networkmanager-fortisslvpn}/etc/NetworkManager/VPN/nm-fortisslvpn-service.name";
         target = "NetworkManager/VPN/nm-fortisslvpn-service.name";
       }
-      { source = "${networkmanager_pptp}/etc/NetworkManager/VPN/nm-pptp-service.name";
+      { source = "${networkmanager-pptp}/etc/NetworkManager/VPN/nm-pptp-service.name";
         target = "NetworkManager/VPN/nm-pptp-service.name";
       }
-      { source = "${networkmanager_l2tp}/etc/NetworkManager/VPN/nm-l2tp-service.name";
+      { source = "${networkmanager-l2tp}/etc/NetworkManager/VPN/nm-l2tp-service.name";
         target = "NetworkManager/VPN/nm-l2tp-service.name";
       }
       { source = "${networkmanager_strongswan}/etc/NetworkManager/VPN/nm-strongswan-service.name";
         target = "NetworkManager/VPN/nm-strongswan-service.name";
       }
-      { source = "${networkmanager_iodine}/etc/NetworkManager/VPN/nm-iodine-service.name";
+      { source = "${networkmanager-iodine}/etc/NetworkManager/VPN/nm-iodine-service.name";
         target = "NetworkManager/VPN/nm-iodine-service.name";
       }
     ] ++ optional (cfg.appendNameservers == [] || cfg.insertNameservers == [])
@@ -335,6 +335,7 @@ in {
 
       preStart = ''
         mkdir -m 700 -p /etc/NetworkManager/system-connections
+        mkdir -m 700 -p /etc/ipsec.d
         mkdir -m 755 -p ${stateDirs}
       '';
     };
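Review bot: `mkdir -m 700 -p /etc/ipsec.d` only sets the mode when it creates the directory; if `/etc/ipsec.d` already exists with wider permissions it is left as it is, and nothing here says why NetworkManager's `preStart` owns an IPsec directory. Since that directory usually holds IPsec credentials, I would add a comment such as `# used by the strongswan VPN plugin; -m only applies on creation` and decide whether an existing directory should be tightened. The plugin attribution is my assumption from `networkmanager_strongswan` elsewhere in the file. The same `mkdir -m 700 -p` pattern is added for `/etc/ppp` in the last strongswan.nix hunk. The service definition around `preStart` starts outside the hunk.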
diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix
index 9087b75c29c1..65df93a00da9 100644
--- a/nixos/modules/services/networking/softether.nix
+++ b/nixos/modules/services/networking/softether.nix
@@ -5,6 +5,8 @@ with lib;
 let
   cfg = config.services.softether;
 
+  package = cfg.package.override { dataDir = cfg.dataDir; };
+
 in
 {
 
@@ -49,7 +51,7 @@ in
 
       dataDir = mkOption {
         type = types.string;
-        default = "${cfg.package.dataDir}";
+        default = "/var/lib/softether";
         description = ''
           Data directory for SoftEther VPN.
         '';
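Review bot: Changing the `dataDir` default from `${cfg.package.dataDir}` to `/var/lib/softether` moves the state directory for every configuration that did not set the option, and nothing visible in this diff migrates it. As far as the later hunks show, `softether-init` only creates `${cfg.dataDir}/$d` when it is missing, so after the upgrade such a host would presumably start from fresh VPN state rather than its existing configuration. Unless the release notes outside this chunk already cover it, a sentence in the description such as `Data directory for SoftEther VPN. Before this change the default was the package's own dataDir.` would make the move visible.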
@@ -64,11 +66,8 @@ in
   config = mkIf cfg.enable (
 
     mkMerge [{
-      environment.systemPackages = [
-          (pkgs.lib.overrideDerivation cfg.package (attrs: {
-            dataDir = cfg.dataDir;
-          }))
-        ];
+      environment.systemPackages = [ package ];
+
       systemd.services."softether-init" = {
         description = "SoftEther VPN services initial task";
         wantedBy = [ "network.target" ];
@@ -80,11 +79,11 @@ in
             for d in vpnserver vpnbridge vpnclient vpncmd; do
                 if ! test -e ${cfg.dataDir}/$d; then
                     ${pkgs.coreutils}/bin/mkdir -m0700 -p ${cfg.dataDir}/$d
-                    install -m0600 ${cfg.package}${cfg.dataDir}/$d/hamcore.se2 ${cfg.dataDir}/$d/hamcore.se2
+                    install -m0600 ${package}${cfg.dataDir}/$d/hamcore.se2 ${cfg.dataDir}/$d/hamcore.se2
                 fi
             done
             rm -rf ${cfg.dataDir}/vpncmd/vpncmd
-            ln -s ${cfg.package}${cfg.dataDir}/vpncmd/vpncmd ${cfg.dataDir}/vpncmd/vpncmd
+            ln -s ${package}${cfg.dataDir}/vpncmd/vpncmd ${cfg.dataDir}/vpncmd/vpncmd
         '';
       };
     }
@@ -97,12 +96,12 @@ in
         wantedBy = [ "network.target" ];
         serviceConfig = {
           Type = "forking";
-          ExecStart = "${cfg.package}/bin/vpnserver start";
-          ExecStop = "${cfg.package}/bin/vpnserver stop";
+          ExecStart = "${package}/bin/vpnserver start";
+          ExecStop = "${package}/bin/vpnserver stop";
         };
         preStart = ''
             rm -rf ${cfg.dataDir}/vpnserver/vpnserver
-            ln -s ${cfg.package}${cfg.dataDir}/vpnserver/vpnserver ${cfg.dataDir}/vpnserver/vpnserver
+            ln -s ${package}${cfg.dataDir}/vpnserver/vpnserver ${cfg.dataDir}/vpnserver/vpnserver
         '';
         postStop = ''
             rm -rf ${cfg.dataDir}/vpnserver/vpnserver
@@ -118,12 +117,12 @@ in
         wantedBy = [ "network.target" ];
         serviceConfig = {
           Type = "forking";
-          ExecStart = "${cfg.package}/bin/vpnbridge start";
-          ExecStop = "${cfg.package}/bin/vpnbridge stop";
+          ExecStart = "${package}/bin/vpnbridge start";
+          ExecStop = "${package}/bin/vpnbridge stop";
         };
         preStart = ''
             rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge
-            ln -s ${cfg.package}${cfg.dataDir}/vpnbridge/vpnbridge ${cfg.dataDir}/vpnbridge/vpnbridge
+            ln -s ${package}${cfg.dataDir}/vpnbridge/vpnbridge ${cfg.dataDir}/vpnbridge/vpnbridge
         '';
         postStop = ''
             rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge
@@ -139,12 +138,12 @@ in
         wantedBy = [ "network.target" ];
         serviceConfig = {
           Type = "forking";
-          ExecStart = "${cfg.package}/bin/vpnclient start";
-          ExecStop = "${cfg.package}/bin/vpnclient stop";
+          ExecStart = "${package}/bin/vpnclient start";
+          ExecStop = "${package}/bin/vpnclient stop";
         };
         preStart = ''
             rm -rf ${cfg.dataDir}/vpnclient/vpnclient
-            ln -s ${cfg.package}${cfg.dataDir}/vpnclient/vpnclient ${cfg.dataDir}/vpnclient/vpnclient
+            ln -s ${package}${cfg.dataDir}/vpnclient/vpnclient ${cfg.dataDir}/vpnclient/vpnclient
         '';
         postStart = ''
             sleep 1
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
index 3a3f64221c42..707d24b9220f 100644
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -32,13 +32,13 @@ let
       ${caConf}
     '';
 
-  strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
+  strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
     charon {
       ${if managePlugins then "load_modular = no" else ""}
       ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
       plugins {
         stroke {
-          secrets_file = ${ipsecSecrets secrets}
+          secrets_file = ${secretsFile}
         }
       }
     }
@@ -135,7 +135,18 @@ in
     };
   };
 
-  config = with cfg; mkIf enable {
+
+  config = with cfg;
+  let
+    secretsFile = ipsecSecrets cfg.secrets;
+  in
+  mkIf enable
+    {
+
+    # here we should use the default strongswan ipsec.secrets and
+    # append to it (default one is empty so not a pb for now)
+    environment.etc."ipsec.secrets".source = secretsFile;
+
     systemd.services.strongswan = {
       description = "strongSwan IPSec Service";
       wantedBy = [ "multi-user.target" ];
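Review bot: `environment.etc."ipsec.secrets".source = secretsFile;` publishes the output of `ipsecSecrets cfg.secrets` under `/etc`, and the added comment does not say what that file may contain. `ipsecSecrets` is defined outside the hunk; if it is built with `toFile` like `strongswanConf`, the file sits in the world-readable Nix store, so it should hold only references to secret files and never key material. I would replace the comment with something like `# secretsFile is a store path (world-readable): it may only reference secret files; it replaces, not extends, any existing /etc/ipsec.secrets`. The `config` block continues past the hunk.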
@@ -143,11 +154,15 @@ in
       wants = [ "keys.target" ];
       after = [ "network-online.target" "keys.target" ];
       environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
       };
       serviceConfig = {
         ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";
       };
+      preStart = ''
+        # with 'nopeerdns' setting, ppp writes into this folder
+        mkdir -m 700 -p /etc/ppp
+      '';
     };
   };
 }
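Review bot: `mkdir -m 700 -p /etc/ppp` sets mode 700 only when it creates the directory; an /etc/ppp that already exists with wider permissions is left as it is. If the intent is that only root can read what ppp writes there, follow the line with `chmod 700 /etc/ppp`. The comment could also name the file ppp writes, so the reason for the restrictive mode is clear to the next reader.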
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
index dcdc203bdc62..e485c073cbdd 100644
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
@@ -16,12 +16,6 @@ in {
         available on http://127.0.0.1:8384/.
       '';
 
-      useInotify = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Provide syncthing-inotify as a service.";
-      };
-
       systemService = mkOption {
         type = types.bool;
         default = true;
@@ -90,6 +84,12 @@ in {
     };
   };
 
+  imports = [
+    (mkRemovedOptionModule ["services" "syncthing" "useInotify"] ''
+      This option was removed because syncthing now has the inotify functionality included under the name "fswatcher".
+      It can be enabled on a per-folder basis through the webinterface.
+    '')
+  ];
 
   ###### implementation
 
@@ -100,8 +100,7 @@ in {
       allowedUDPPorts = [ 21027 ];
     };
 
-    systemd.packages = [ pkgs.syncthing ]
-                       ++ lib.optional cfg.useInotify pkgs.syncthing-inotify;
+    systemd.packages = [ pkgs.syncthing ];
 
     users = mkIf (cfg.user == defaultUser) {
       extraUsers."${defaultUser}" =
@@ -125,7 +124,6 @@ in {
           STNOUPGRADE = "yes";
           inherit (cfg) all_proxy;
         } // config.networking.proxy.envVars;
-        wants = mkIf cfg.useInotify [ "syncthing-inotify.service" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
           Restart = "on-failure";
@@ -141,20 +139,6 @@ in {
       syncthing-resume = {
         wantedBy = [ "suspend.target" ];
       };
-
-      syncthing-inotify = mkIf (cfg.systemService && cfg.useInotify) {
-        description = "Syncthing Inotify File Watcher service";
-        after = [ "network.target" "syncthing.service" ];
-        requires = [ "syncthing.service" ];
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig = {
-          SuccessExitStatus = "2";
-          RestartForceExitStatus = "3";
-          Restart = "on-failure";
-          User = cfg.user;
-          ExecStart = "${pkgs.syncthing-inotify.bin}/bin/syncthing-inotify -home=${cfg.dataDir} -logflags=0";
-        };
-      };
     };
   };
 }
diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
index adb80ea29840..e3c9b5282b8c 100644
--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -178,6 +178,8 @@ in
         preStart = ''
           mkdir -p /etc/tinc/${network}/hosts
           chown tinc.${network} /etc/tinc/${network}/hosts
+          mkdir -p /etc/tinc/${network}/invitations
+          chown tinc.${network} /etc/tinc/${network}/invitations
 
           # Determine how we should generate our keys
           if type tinc >/dev/null 2>&1; then
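Review bot: The new `mkdir -p /etc/tinc/${network}/invitations` creates the directory with whatever the default umask gives, so it is likely listable and readable by every local user. Invitation data presumably acts as a join credential for the VPN, so I would make the directory private by adding `chmod 700 /etc/tinc/${network}/invitations` after the `chown`. A short comment saying what is stored there would help too. The preStart script starts and ends outside the hunk.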
diff --git a/nixos/modules/services/networking/tox-bootstrapd.nix b/nixos/modules/services/networking/tox-bootstrapd.nix
index c1f945773e23..cb0e6b158651 100644
--- a/nixos/modules/services/networking/tox-bootstrapd.nix
+++ b/nixos/modules/services/networking/tox-bootstrapd.nix
@@ -69,7 +69,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig =
-        { ExecStart = "${pkg}/bin/tox-bootstrapd ${cfgFile}";
+        { ExecStart = "${pkg}/bin/tox-bootstrapd --config=${cfgFile}";
           Type = "forking";
           inherit PIDFile;
           User = "tox-bootstrapd";
diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix
index 4e685e633354..5d469cabe2cb 100644
--- a/nixos/modules/services/security/usbguard.nix
+++ b/nixos/modules/services/security/usbguard.nix
@@ -192,7 +192,7 @@ in {
 
       serviceConfig = {
         Type = "simple";
-        ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -d -k -c ${daemonConfFile}'';
+        ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -P -d -k -c ${daemonConfFile}'';
         Restart = "on-failure";
       };
     };
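Review bot: The added `-P` turns off usbguard-daemon's permission check on its configuration and rules files, and nothing in the hunk says why. For `${daemonConfFile}` this is presumably unavoidable because the file is a world-readable store path, but the check is then also skipped for the rules file, which decides which USB devices get authorized. Add a comment such as `# -P: the config is a store path, so the daemon's own permission check cannot pass`, and consider having the module itself ensure the rules file is owned by root with mode 0600. The service definition starts outside the hunk.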
diff --git a/nixos/modules/services/web-apps/piwik-doc.xml b/nixos/modules/services/web-apps/matomo-doc.xml
index a393a182d36a..456aae6cc366 100644
--- a/nixos/modules/services/web-apps/piwik-doc.xml
+++ b/nixos/modules/services/web-apps/matomo-doc.xml
@@ -2,16 +2,16 @@
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xmlns:xi="http://www.w3.org/2001/XInclude"
          version="5.0"
-         xml:id="module-services-piwik">
+         xml:id="module-services-matomo">
 
-  <title>Piwik</title>
+  <title>Matomo</title>
   <para>
-    Piwik is a real-time web analytics application.
-    This module configures php-fpm as backend for piwik, optionally configuring an nginx vhost as well.
+    Matomo is a real-time web analytics application.
+    This module configures php-fpm as backend for Matomo, optionally configuring an nginx vhost as well.
   </para>
 
   <para>
-    An automatic setup is not suported by piwik, so you need to configure piwik itself in the browser-based piwik setup.
+    An automatic setup is not suported by Matomo, so you need to configure Matomo itself in the browser-based Matomo setup.
   </para>
 
 
@@ -19,7 +19,7 @@
     <title>Database Setup</title>
 
     <para>
-      You also need to configure a MariaDB or MySQL database and -user for piwik yourself,
+      You also need to configure a MariaDB or MySQL database and -user for Matomo yourself,
       and enter those credentials in your browser.
       You can use passwordless database authentication via the UNIX_SOCKET authentication plugin
       with the following SQL commands:
@@ -27,20 +27,20 @@
       <programlisting>
         # For MariaDB
         INSTALL PLUGIN unix_socket SONAME 'auth_socket';
-        CREATE DATABASE piwik;
-        CREATE USER 'piwik'@'localhost' IDENTIFIED WITH unix_socket;
-        GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
+        CREATE DATABASE matomo;
+        CREATE USER 'matomo'@'localhost' IDENTIFIED WITH unix_socket;
+        GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
 
         # For MySQL
         INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
-        CREATE DATABASE piwik;
-        CREATE USER 'piwik'@'localhost' IDENTIFIED WITH auth_socket;
-        GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
+        CREATE DATABASE matomo;
+        CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket;
+        GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
       </programlisting>
 
-      Then fill in <literal>piwik</literal> as database user and database name, and leave the password field blank.
-      This authentication works by allowing only the <literal>piwik</literal> unix user to authenticate as the 
-      <literal>piwik</literal> database user (without needing a password), but no other users.
+      Then fill in <literal>matomo</literal> as database user and database name, and leave the password field blank.
+      This authentication works by allowing only the <literal>matomo</literal> unix user to authenticate as the
+      <literal>matomo</literal> database user (without needing a password), but no other users.
       For more information on passwordless login, see
       <link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />.
     </para>
@@ -55,9 +55,9 @@
     <title>Backup</title>
     <para>
       You only need to take backups of your MySQL database and the
-      <filename>/var/lib/piwik/config/config.ini.php</filename> file.
-      Use a user in the <literal>piwik</literal> group or root to access the file.
-      For more information, see <link xlink:href="https://piwik.org/faq/how-to-install/faq_138/" />.
+      <filename>/var/lib/matomo/config/config.ini.php</filename> file.
+      Use a user in the <literal>matomo</literal> group or root to access the file.
+      For more information, see <link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />.
     </para>
   </section>
 
@@ -67,14 +67,14 @@
     <itemizedlist>
       <listitem>
         <para>
-          Piwik's file integrity check will warn you.
+          Matomo's file integrity check will warn you.
           This is due to the patches necessary for NixOS, you can safely ignore this.
         </para>
       </listitem>
 
       <listitem>
         <para>
-          Piwik will warn you that the JavaScript tracker is not writable.
+          Matomo will warn you that the JavaScript tracker is not writable.
           This is because it's located in the read-only nix store.
           You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
         </para>
@@ -88,7 +88,7 @@
 
     <para>
       You can use other web servers by forwarding calls for <filename>index.php</filename> and
-      <filename>piwik.php</filename> to the <literal>/run/phpfpm-piwik.sock</literal> fastcgi unix socket.
+      <filename>piwik.php</filename> to the <literal>/run/phpfpm-matomo.sock</literal> fastcgi unix socket.
       You can use the nginx configuration in the module code as a reference to what else should be configured.
     </para>
   </section>
diff --git a/nixos/modules/services/web-apps/piwik.nix b/nixos/modules/services/web-apps/matomo.nix
index ce86c6873dd4..ef6ac9698e21 100644
--- a/nixos/modules/services/web-apps/piwik.nix
+++ b/nixos/modules/services/web-apps/matomo.nix
@@ -1,10 +1,11 @@
 { config, lib, pkgs, services, ... }:
 with lib;
 let
-  cfg = config.services.piwik;
+  cfg = config.services.matomo;
 
-  user = "piwik";
+  user = "matomo";
   dataDir = "/var/lib/${user}";
+  deprecatedDataDir = "/var/lib/piwik";
 
   pool = user;
   # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
@@ -13,17 +14,22 @@ let
   phpExecutionUnit = "phpfpm-${pool}";
   databaseService = "mysql.service";
 
+  fqdn =
+    let
+      join = hostName: domain: hostName + optionalString (domain != null) ".${domain}";
+     in join config.networking.hostName config.networking.domain;
+
 in {
   options = {
-    services.piwik = {
+    services.matomo = {
       # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963
-      # piwik issue for automatic piwik setup: https://github.com/piwik/piwik/issues/10257
-      # TODO: find a nice way to do this when more NixOS MySQL and / or piwik automatic setup stuff is implemented.
+      # matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257
+      # TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented.
       enable = mkOption {
         type = types.bool;
         default = false;
         description = ''
-          Enable piwik web analytics with php-fpm backend.
+          Enable matomo web analytics with php-fpm backend.
           Either the nginx option or the webServerUser option is mandatory.
         '';
       };
@@ -32,8 +38,9 @@ in {
         type = types.nullOr types.str;
         default = null;
         example = "lighttpd";
+        # TODO: piwik.php might get renamed to matomo.php in future releases
         description = ''
-          Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx
+          Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx
           option is not used. Either this option or the nginx option is mandatory.
           If you want to use another webserver than nginx, you need to set this to that server's user
           and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
@@ -55,7 +62,7 @@ in {
           catch_workers_output = yes
         '';
         description = ''
-          Settings for phpfpm's process manager. You might need to change this depending on the load for piwik.
+          Settings for phpfpm's process manager. You might need to change this depending on the load for matomo.
         '';
       };
 
@@ -65,7 +72,7 @@ in {
             (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
             {
               # enable encryption by default,
-              # as sensitive login and piwik data should not be transmitted in clear text.
+              # as sensitive login and matomo data should not be transmitted in clear text.
               options.forceSSL.default = true;
               options.enableACME.default = true;
             }
@@ -73,15 +80,19 @@ in {
         );
         default = null;
         example = {
-          serverName = "stats.$\{config.networking.hostName\}";
+          serverAliases = [
+            "matomo.$\{config.networking.domain\}"
+            "stats.$\{config.networking.domain\}"
+          ];
           enableACME = false;
         };
         description = ''
-            With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik.
+            With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo.
             Either this option or the webServerUser option is mandatory.
             Set this to {} to just enable the virtualHost if you don't need any customization.
-            If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active,
-            and certificates are acquired via ACME.
+            If enabled, then by default, the <option>serverName</option> is
+            <literal>${user}.$\{config.networking.hostName\}.$\{config.networking.domain\}</literal>,
+            SSL is active, and certificates are acquired via ACME.
             If this is set to null (the default), no nginx virtualHost will be configured.
         '';
       };
@@ -90,12 +101,12 @@ in {
 
   config = mkIf cfg.enable {
     warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [
-      "If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed."
+      "If services.matomo.nginx is set, services.matomo.nginx.webServerUser is ignored and should be removed."
     ];
 
     assertions = [ {
         assertion = cfg.nginx != null || cfg.webServerUser != null;
-        message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory";
+        message = "Either services.matomo.nginx or services.matomo.nginx.webServerUser is mandatory";
     }];
 
     users.extraUsers.${user} = {
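Review bot: Both rewritten messages name `services.matomo.nginx.webServerUser`, but the conditions test `cfg.webServerUser`, which is `services.matomo.webServerUser`. Someone following the assertion text would look for an option under `nginx` that the option declarations visible in this file do not define. Change the strings to `"If services.matomo.nginx is set, services.matomo.webServerUser is ignored and should be removed."` and `"Either services.matomo.nginx or services.matomo.webServerUser is mandatory"`.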
@@ -106,19 +117,20 @@ in {
     };
     users.extraGroups.${user} = {};
 
-    systemd.services.piwik_setup_update = {
-      # everything needs to set up and up to date before piwik php files are executed
+    systemd.services.matomo_setup_update = {
+      # everything needs to set up and up to date before matomo php files are executed
       requiredBy = [ "${phpExecutionUnit}.service" ];
       before = [ "${phpExecutionUnit}.service" ];
       # the update part of the script can only work if the database is already up and running
       requires = [ databaseService ];
       after = [ databaseService ];
-      path = [ pkgs.piwik ];
+      path = [ pkgs.matomo ];
       serviceConfig = {
         Type = "oneshot";
         User = user;
         # hide especially config.ini.php from other
         UMask = "0007";
+        # TODO: might get renamed to MATOMO_USER_PATH in future versions
         Environment = "PIWIK_USER_PATH=${dataDir}";
         # chown + chmod in preStart needs root
         PermissionsStartOnly = true;
@@ -127,27 +139,32 @@ in {
       # e.g. after restoring from backup or moving from another system.
       # Note that ${dataDir}/config/config.ini.php might contain the MySQL password.
       preStart = ''
+        # migrate data from piwik to matomo folder
+        if [ -d ${deprecatedDataDir} ]; then
+          echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
+          mv -T ${deprecatedDataDir} ${dataDir}
+        fi
         chown -R ${user}:${user} ${dataDir}
         chmod -R ug+rwX,o-rwx ${dataDir}
         '';
       script = ''
-            # Use User-Private Group scheme to protect piwik data, but allow administration / backup via piwik group
+            # Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group
             # Copy config folder
             chmod g+s "${dataDir}"
-            cp -r "${pkgs.piwik}/config" "${dataDir}/"
+            cp -r "${pkgs.matomo}/config" "${dataDir}/"
             chmod -R u+rwX,g+rwX,o-rwx "${dataDir}"
 
             # check whether user setup has already been done
             if test -f "${dataDir}/config/config.ini.php"; then
               # then execute possibly pending database upgrade
-              piwik-console core:update --yes
+              matomo-console core:update --yes
             fi
       '';
     };
 
     systemd.services.${phpExecutionUnit} = {
-      # stop phpfpm on package upgrade, do database upgrade via piwik_setup_update, and then restart
-      restartTriggers = [ pkgs.piwik ];
+      # stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart
+      restartTriggers = [ pkgs.matomo ];
       # stop config.ini.php from getting written with read permission for others
       serviceConfig.UMask = "0007";
     };
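Review bot: The migration in preStart runs `mv -T ${deprecatedDataDir} ${dataDir}` whenever the old directory exists, and that fails if `${dataDir}` already exists and is not empty. Assuming the script runs with errexit, the unit then fails on every start until someone cleans up by hand, so the `if` should also check that the target is absent or empty and otherwise log and skip. Separately, installations that followed the documented unix_socket setup have a database user named piwik, which the new `matomo` unix user presumably cannot authenticate as. A comment next to the migration such as `# the database user is not renamed here; see the release notes` would point admins at that manual step.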
@@ -175,14 +192,14 @@ in {
       # References:
       # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
       # https://github.com/perusio/piwik-nginx
-      "${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
-        # don't allow to override the root easily, as it will almost certainly break piwik.
+      "${user}.${fqdn}" = mkMerge [ cfg.nginx {
+        # don't allow to override the root easily, as it will almost certainly break matomo.
         # disadvantage: not shown as default in docs.
-        root = mkForce "${pkgs.piwik}/share";
+        root = mkForce "${pkgs.matomo}/share";
 
         # define locations here instead of as the submodule option's default
         # so that they can easily be extended with additional locations if required
-        # without needing to redefine the piwik ones.
+        # without needing to redefine the matomo ones.
         # disadvantage: not shown as default in docs.
         locations."/" = {
           index = "index.php";
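Review bot: Changing the virtual host key from `${user}.${config.networking.hostName}` to `${user}.${fqdn}` renames the served host on upgrade, on top of the piwik-to-matomo rename. With `forceSSL` and `enableACME` defaulting to true, an existing site will presumably request a certificate for the new name and stop being served under the old one, which breaks tracking snippets that are already deployed. A comment here, for example `# NOTE: host name changed from piwik.<hostName>; add the old name to serverAliases while migrating`, would make that explicit. The option description elsewhere in this file also always shows the domain appended, although `fqdn` leaves it out when `networking.domain` is null.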
@@ -191,6 +208,7 @@ in {
         locations."= /index.php".extraConfig = ''
           fastcgi_pass unix:${phpSocket};
         '';
+        # TODO: might get renamed to matomo.php in future versions
         # allow piwik.php for tracking
         locations."= /piwik.php".extraConfig = ''
           fastcgi_pass unix:${phpSocket};
@@ -212,6 +230,7 @@ in {
         locations."= /robots.txt".extraConfig = ''
           return 200 "User-agent: *\nDisallow: /\n";
         '';
+        # TODO: might get renamed to matomo.js in future versions
         # let browsers cache piwik.js
         locations."= /piwik.js".extraConfig = ''
           expires 1M;
@@ -221,7 +240,7 @@ in {
   };
 
   meta = {
-    doc = ./piwik-doc.xml;
+    doc = ./matomo-doc.xml;
     maintainers = with stdenv.lib.maintainers; [ florianjacob ];
   };
 }
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index 7f3dc0d7847b..da3287aaea6e 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -33,7 +33,7 @@ in
       pkgs.xorg.xauth # used by kdesu
       pkgs.gtk2 # To get GTK+'s themes.
       pkgs.tango-icon-theme
-      pkgs.shared_mime_info
+      pkgs.shared-mime-info
       pkgs.gnome2.gnomeicontheme
       pkgs.xorg.xcursorthemes
     ];
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 21d30df5b695..7256013d5d8b 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -27,7 +27,7 @@ let
   nixos-gsettings-desktop-schemas = pkgs.runCommand "nixos-gsettings-desktop-schemas" {}
     ''
      mkdir -p $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas
-     cp -rf ${pkgs.gnome3.gsettings_desktop_schemas}/share/gsettings-schemas/gsettings-desktop-schemas*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas
+     cp -rf ${pkgs.gnome3.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas
 
      ${concatMapStrings (pkg: "cp -rf ${pkg}/share/gsettings-schemas/*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas\n") cfg.extraGSettingsOverridePackages}
 
@@ -60,7 +60,7 @@ in {
         example = literalExample "[ pkgs.gnome3.gpaste ]";
         description = "Additional list of packages to be added to the session search path.
                        Useful for gnome shell extensions or gsettings-conditionated autostart.";
-        apply = list: list ++ [ pkgs.gnome3.gnome_shell pkgs.gnome3.gnome-shell-extensions ];
+        apply = list: list ++ [ pkgs.gnome3.gnome-shell pkgs.gnome3.gnome-shell-extensions ];
       };
 
       extraGSettingsOverrides = mkOption {
@@ -118,13 +118,13 @@ in {
     services.packagekit.enable = mkDefault true;
     hardware.bluetooth.enable = mkDefault true;
     services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
-    services.udev.packages = [ pkgs.gnome3.gnome_settings_daemon ];
+    services.udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
     systemd.packages = [ pkgs.gnome3.vino ];
 
     # If gnome3 is installed, build vim for gtk3 too.
     nixpkgs.config.vim.gui = "gtk3";
 
-    fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];
+    fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell-fonts ];
 
     services.xserver.desktopManager.session = singleton
       { name = "gnome3";
@@ -164,7 +164,7 @@ in {
           # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/
           ${pkgs.xdg-user-dirs}/bin/xdg-user-dirs-update
 
-          ${pkgs.gnome3.gnome_session}/bin/gnome-session ${optionalString cfg.debug "--debug"} &
+          ${pkgs.gnome3.gnome-session}/bin/gnome-session ${optionalString cfg.debug "--debug"} &
           waitPID=$!
         '';
       };
@@ -172,7 +172,7 @@ in {
     services.xserver.updateDbusEnvironment = true;
 
     environment.variables.GIO_EXTRA_MODULES = [ "${lib.getLib pkgs.gnome3.dconf}/lib/gio/modules"
-                                                "${pkgs.gnome3.glib_networking.out}/lib/gio/modules"
+                                                "${pkgs.gnome3.glib-networking.out}/lib/gio/modules"
                                                 "${pkgs.gnome3.gvfs}/lib/gio/modules" ];
     environment.systemPackages = pkgs.gnome3.corePackages ++ cfg.sessionPath
       ++ (removePackagesByName pkgs.gnome3.optionalPackages config.environment.gnome3.excludePackages);
@@ -180,10 +180,10 @@ in {
     # Use the correct gnome3 packageSet
     networking.networkmanager.basePackages =
       { inherit (pkgs) networkmanager modemmanager wpa_supplicant;
-        inherit (pkgs.gnome3) networkmanager_openvpn networkmanager_vpnc
-                              networkmanager_openconnect networkmanager_fortisslvpn
-                              networkmanager_pptp networkmanager_iodine
-                              networkmanager_l2tp; };
+        inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc
+                              networkmanager-openconnect networkmanager-fortisslvpn
+                              networkmanager-pptp networkmanager-iodine
+                              networkmanager-l2tp; };
 
     # Needed for themes and backgrounds
     environment.pathsToLink = [ "/share" ];
diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix
index 814503ab0bc4..0117dc9d132b 100644
--- a/nixos/modules/services/x11/desktop-managers/mate.nix
+++ b/nixos/modules/services/x11/desktop-managers/mate.nix
@@ -102,7 +102,7 @@ in
 
     services.dbus.packages = [
       pkgs.gnome3.dconf
-      pkgs.at_spi2_core
+      pkgs.at-spi2-core
     ];
 
     services.gnome3.gnome-keyring.enable = true;
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index b794e2b12d73..91d091d7d7e2 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -154,7 +154,7 @@ in
           print-manager
 
           breeze-icons
-          pkgs.hicolor_icon_theme
+          pkgs.hicolor-icon-theme
 
           kde-gtk-config breeze-gtk
 
diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix
index c0c9d7ea47f7..489bffbee917 100644
--- a/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -61,12 +61,12 @@ in
       # utilities-terminal, accessories-text-editor
       gnome3.defaultIconTheme
 
-      hicolor_icon_theme
+      hicolor-icon-theme
       tango-icon-theme
       xfce4-icon-theme
 
-      desktop_file_utils
-      shared_mime_info
+      desktop-file-utils
+      shared-mime-info
 
       # Needed by Xfce's xinitrc script
       # TODO: replace with command -v
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 07642a8b13db..70fc7388c2ac 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -133,7 +133,7 @@ in
       StandardError = "inherit";
     };
 
-    systemd.services.display-manager.path = [ pkgs.gnome3.gnome_session ];
+    systemd.services.display-manager.path = [ pkgs.gnome3.gnome-session ];
 
     services.dbus.packages = [ gdm ];
 
@@ -193,7 +193,7 @@ in
         auth     required       pam_env.so envfile=${config.system.build.pamEnvironment}
 
         auth     required       pam_succeed_if.so uid >= 1000 quiet
-        auth     optional       ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
+        auth     optional       ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so
         auth     ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
         ${optionalString config.security.pam.enableEcryptfs
           "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@@ -213,7 +213,7 @@ in
           "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
         session  required       pam_loginuid.so
         session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
-        session  optional       ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
+        session  optional       ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
       '';
 
       gdm-password.text = ''
@@ -221,7 +221,7 @@ in
         auth     required       pam_env.so envfile=${config.system.build.pamEnvironment}
 
         auth     required       pam_succeed_if.so uid >= 1000 quiet
-        auth     optional       ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
+        auth     optional       ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so
         auth     ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
         ${optionalString config.security.pam.enableEcryptfs
           "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@@ -240,7 +240,7 @@ in
           "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
         session  required       pam_loginuid.so
         session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
-        session  optional       ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
+        session  optional       ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
       '';
 
       gdm-autologin.text = ''
diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
index 35b715b98fcd..2a71d2338607 100644
--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
@@ -68,8 +68,8 @@ in
 
         package = mkOption {
           type = types.package;
-          default = pkgs.gnome3.gnome_themes_standard;
-          defaultText = "pkgs.gnome3.gnome_themes_standard";
+          default = pkgs.gnome3.gnome-themes-standard;
+          defaultText = "pkgs.gnome3.gnome-themes-standard";
           description = ''
             The package path that contains the theme given in the name option.
           '';
diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix
index 28fc92024bcb..a614559970e9 100644
--- a/nixos/modules/services/x11/xautolock.nix
+++ b/nixos/modules/services/x11/xautolock.nix
@@ -26,9 +26,9 @@ in
         };
 
         locker = mkOption {
-          default = "xlock"; # default according to `man xautolock`
-          example = "i3lock -i /path/to/img";
-          type = types.string;
+          default = "${pkgs.xlockmore}/bin/xlock"; # default according to `man xautolock`
+          example = "${pkgs.i3lock}/bin/i3lock -i /path/to/img";
+          type = types.str;
 
           description = ''
             The script to use when automatically locking the computer.
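Review bot: `example = "${pkgs.i3lock}/bin/i3lock -i /path/to/img";` is an ordinary interpolated string, so the manual will show an evaluated store path and building the documentation has to evaluate that package. The same applies to the `nowlocker`, `notifier` and `killer` examples in the later hunks of this file; the `notifier` example used `literalExample` before this change. Wrap the examples in `literalExample` with the `${` escaped, and give `locker` a `defaultText = "\${pkgs.xlockmore}/bin/xlock";` for the same reason. The option block continues outside the hunk.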
@@ -37,8 +37,8 @@ in
 
         nowlocker = mkOption {
           default = null;
-          example = "i3lock -i /path/to/img";
-          type = types.nullOr types.string;
+          example = "${pkgs.i3lock}/bin/i3lock -i /path/to/img";
+          type = types.nullOr types.str;
 
           description = ''
             The script to use when manually locking the computer with <command>xautolock -locknow</command>.
@@ -56,10 +56,8 @@ in
 
         notifier = mkOption {
           default = null;
-          example = literalExample ''
-            "${pkgs.libnotify}/bin/notify-send \"Locking in 10 seconds\""
-          '';
-          type = types.nullOr types.string;
+          example = "${pkgs.libnotify}/bin/notify-send \"Locking in 10 seconds\"";
+          type = types.nullOr types.str;
 
           description = ''
             Notification script to be used to warn about the pending autolock.
@@ -68,8 +66,8 @@ in
 
         killer = mkOption {
           default = null; # default according to `man xautolock` is none
-          example = "systemctl suspend";
-          type = types.nullOr types.string;
+          example = "${pkgs.systemd}/bin/systemctl suspend";
+          type = types.nullOr types.str;
 
           description = ''
             The script to use when nothing has happend for as long as <option>killtime</option>
@@ -131,6 +129,12 @@ in
           assertion = cfg.killer != null -> cfg.killtime >= 10;
           message = "killtime has to be at least 10 minutes according to `man xautolock`";
         }
-      ];
+      ] ++ (lib.flip map [ "locker" "notifier" "nowlocker" "killer" ]
+        (option:
+        {
+          assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/";
+          message = "Please specify a canonical path for `services.xserver.xautolock.${option}`";
+        })
+      );
     };
   }
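Review bot: The added assertion only tests that the first character is `/`, while its message asks for a "canonical path", so any string beginning with a slash is accepted. If the goal is to stop the locker, notifier and killer from being resolved through `PATH`, "absolute path" is the accurate wording. The check also reads more clearly as `assertion = cfg."${option}" != null -> lib.hasPrefix "/" cfg."${option}";`. A one-line comment above the `lib.flip map` explaining why PATH lookup is rejected for a screen locker would help the next reader. The assertions list starts outside the hunk.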
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index cdeff4845948..8b3dc2d90eb3 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -118,7 +118,7 @@ in
         echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
       '') cfg.authorizedKeys)}
 
-      dropbear -s -j -k -E -m -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"}
+      dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"}
     '';
 
     boot.initrd.secrets =
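Review bot: The `dropbear` line is a run of single-letter flags with no explanation, and the conditional `-R` is the security-relevant one. When none of `hostRSAKey`, `hostDSSKey` or `hostECDSAKey` is set, dropbear creates host keys on demand. Because this runs in the initrd, those keys are presumably new on every boot, so clients cannot pin the host. I would add a shell comment above the command, e.g. `# -s no password logins, -j/-k no port forwarding, -E log to stderr; -R (no host key configured) generates host keys at runtime, so they cannot be verified across boots`. The surrounding script string starts outside the hunk.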
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 9056121fa7d1..0d83391de893 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -110,7 +110,7 @@ in
 
       device = mkOption {
         default = "";
-        example = "/dev/hda";
+        example = "/dev/disk/by-id/wwn-0x500001234567890a";
         type = types.str;
         description = ''
           The device on which the GRUB boot loader will be installed.
@@ -123,7 +123,7 @@ in
 
       devices = mkOption {
         default = [];
-        example = [ "/dev/hda" ];
+        example = [ "/dev/disk/by-id/wwn-0x500001234567890a" ];
         type = types.listOf types.str;
         description = ''
           The devices on which the boot loader, GRUB, will be
@@ -135,8 +135,8 @@ in
       mirroredBoots = mkOption {
         default = [ ];
         example = [
-          { path = "/boot1"; devices = [ "/dev/sda" ]; }
-          { path = "/boot2"; devices = [ "/dev/sdb" ]; }
+          { path = "/boot1"; devices = [ "/dev/disk/by-id/wwn-0x500001234567890a" ]; }
+          { path = "/boot2"; devices = [ "/dev/disk/by-id/wwn-0x500009876543210a" ]; }
         ];
         description = ''
           Mirror the boot configuration to multiple partitions and install grub
@@ -178,7 +178,7 @@ in
 
             devices = mkOption {
               default = [ ];
-              example = [ "/dev/sda" "/dev/sdb" ];
+              example = [ "/dev/disk/by-id/wwn-0x500001234567890a" "/dev/disk/by-id/wwn-0x500009876543210a" ];
               type = types.listOf types.str;
               description = ''
                 The path to the devices which will have the GRUB MBR written.
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index eefee5a479e7..8b390e1b60c4 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -228,10 +228,6 @@ in
         [ "aes" "aes_generic" "blowfish" "twofish"
           "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512"
 
-          # workaround until https://marc.info/?l=linux-crypto-vger&m=148783562211457&w=4 is merged
-          # remove once 'modprobe --show-depends xts' shows ecb as a dependency
-          "ecb"
-
           (if pkgs.stdenv.system == "x86_64-linux" then "aes_x86_64" else "aes_i586")
         ];
       description = ''
@@ -441,7 +437,10 @@ in
     # Some modules that may be needed for mounting anything ciphered
     # Also load input_leds to get caps lock light working (#12456)
     boot.initrd.availableKernelModules = [ "dm_mod" "dm_crypt" "cryptd" "input_leds" ]
-      ++ luks.cryptoModules;
+      ++ luks.cryptoModules
+      # workaround until https://marc.info/?l=linux-crypto-vger&m=148783562211457&w=4 is merged
+      # remove once 'modprobe --show-depends xts' shows ecb as a dependency
+      ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []);
 
     # copy the cryptsetup binary and it's dependencies
     boot.initrd.extraUtilsCommands = ''
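Review bot: The added `++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else [])` is the pattern `lib.optional` exists for. `++ lib.optional (builtins.elem "xts" luks.cryptoModules) "ecb"` says the same thing without the empty-list branch; whether `lib` or a `with lib;` is in scope here is not visible in the hunk. Keeping the workaround comment directly above that operand, as done here, is right, since it is what tells a reader when the line can be removed.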
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index eea10613ea58..7bf7a51a2417 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -650,7 +650,11 @@ let
   unitFiles = map (name: {
     target = "systemd/network/${name}";
     source = "${cfg.units.${name}.unit}/${name}";
-  }) (attrNames cfg.units);
+  }) (attrNames cfg.units) ++
+  (map (entry: {
+    target = "systemd/network/${entry}";
+    source = "${config.systemd.package}/lib/systemd/network/${entry}";
+  }) (attrNames (builtins.readDir "${config.systemd.package}/lib/systemd/network")));
 in
 
 {
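Review bot: The added `builtins.readDir "${config.systemd.package}/lib/systemd/network"` lists a package output at evaluation time. Evaluating a configuration that reaches `unitFiles` therefore presumably requires systemd to be built or substituted first (import-from-derivation), which deserves at least a comment. The second `map` can also emit a `target` that an entry of `cfg.units` with the same file name already produces, and nothing visible decides which one wins. Filtering the package entries, e.g. `builtins.filter (n: !(builtins.hasAttr n cfg.units)) (attrNames (builtins.readDir …))`, would make user-defined units take precedence explicitly. The `let` block starts outside the hunk.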
diff --git a/nixos/release.nix b/nixos/release.nix
index c85150190587..2d8b6c6b8263 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -228,7 +228,9 @@ in rec {
   tests.boot = callSubTests tests/boot.nix {};
   tests.boot-stage1 = callTest tests/boot-stage1.nix {};
   tests.borgbackup = callTest tests/borgbackup.nix {};
+  tests.buildbot = callTest tests/buildbot.nix {};
   tests.cadvisor = callTestOnTheseSystems ["x86_64-linux"] tests/cadvisor.nix {};
+  tests.ceph = callTestOnTheseSystems ["x86_64-linux"] tests/ceph.nix {};
   tests.chromium = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/chromium.nix {}).stable;
   tests.cjdns = callTest tests/cjdns.nix {};
   tests.cloud-init = callTest tests/cloud-init.nix {};
@@ -258,7 +260,7 @@ in rec {
   tests.firefox = callTest tests/firefox.nix {};
   tests.firewall = callTest tests/firewall.nix {};
   tests.fleet = callTestOnTheseSystems ["x86_64-linux"] tests/fleet.nix {};
-  #tests.fwupd = callTest tests/fwupd.nix {}; # build during evaluation
+  tests.fwupd = callTest tests/fwupd.nix {};
   #tests.gitlab = callTest tests/gitlab.nix {};
   tests.gitolite = callTest tests/gitolite.nix {};
   tests.gjs = callTest tests/gjs.nix {};
@@ -318,6 +320,7 @@ in rec {
   tests.nfs4 = callTest tests/nfs.nix { version = 4; };
   tests.nginx = callTest tests/nginx.nix { };
   tests.nghttpx = callTest tests/nghttpx.nix { };
+  tests.nix-ssh-serve = callTest tests/nix-ssh-serve.nix { };
   tests.novacomd = callTestOnTheseSystems ["x86_64-linux"] tests/novacomd.nix { };
   tests.leaps = callTest tests/leaps.nix { };
   tests.nsd = callTest tests/nsd.nix {};
@@ -352,6 +355,7 @@ in rec {
   tests.snapper = callTest tests/snapper.nix {};
   tests.statsd = callTest tests/statsd.nix {};
   tests.sudo = callTest tests/sudo.nix {};
+  tests.systemd = callTest tests/systemd.nix {};
   tests.switchTest = callTest tests/switch-test.nix {};
   tests.taskserver = callTest tests/taskserver.nix {};
   tests.tomcat = callTest tests/tomcat.nix {};
@@ -361,6 +365,7 @@ in rec {
   tests.wordpress = callTest tests/wordpress.nix {};
   tests.xfce = callTest tests/xfce.nix {};
   tests.xmonad = callTest tests/xmonad.nix {};
+  tests.xrdp = callTest tests/xrdp.nix {};
   tests.yabar = callTest tests/yabar.nix {};
   tests.zookeeper = callTest tests/zookeeper.nix {};
 
diff --git a/nixos/tests/ceph.nix b/nixos/tests/ceph.nix
new file mode 100644
index 000000000000..b9993062c079
--- /dev/null
+++ b/nixos/tests/ceph.nix
@@ -0,0 +1,140 @@
+import ./make-test.nix ({pkgs, ...}: rec {
+  name = "All-in-one-basic-ceph-cluster";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ lejonet ];
+  };
+
+  nodes = {
+    aio = { config, pkgs, ... }: {
+      virtualisation = {
+        emptyDiskImages = [ 20480 20480 ];
+        vlans = [ 1 ];
+      };
+      
+      networking = {
+        firewall.allowPing = true;
+        useDHCP = false;
+        interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+          { address = "192.168.1.1"; prefixLength = 24; }
+        ];
+      };
+
+      environment.systemPackages = with pkgs; [
+        bash
+        sudo
+        ceph
+        xfsprogs
+      ];
+      nixpkgs.config.packageOverrides = super: {
+        ceph = super.ceph.override({ nss = super.nss; libxfs = super.libxfs; libaio = super.libaio; jemalloc = super.jemalloc; });
+      };
+
+      boot.kernelModules = [ "xfs" ];
+
+      services.ceph.enable = true;
+      services.ceph.global = {
+        fsid = "066ae264-2a5d-4729-8001-6ad265f50b03";
+        monInitialMembers = "aio";
+        monHost = "192.168.1.1";
+      };
+
+      services.ceph.mon = {
+        enable = true;
+        daemons = [ "aio" ];
+      };
+
+      services.ceph.mgr = {
+        enable = true;
+        daemons = [ "aio" ];
+      };
+
+      services.ceph.osd = {
+        enable = true;
+        daemons = [ "0" "1" ];
+      };
+    };
+  };
+  
+  testScript = { nodes, ... }: ''
+    startAll;
+
+    $aio->waitForUnit("network.target");
+
+    # Create the ceph-related directories
+    $aio->mustSucceed(
+      "mkdir -p /var/lib/ceph/mgr/ceph-aio/",
+      "mkdir -p /var/lib/ceph/mon/ceph-aio/",
+      "mkdir -p /var/lib/ceph/osd/ceph-{0..1}/",
+      "chown ceph:ceph -R /var/lib/ceph/"
+    );
+
+    # Bootstrap ceph-mon daemon
+    $aio->mustSucceed(
+      "mkdir -p /var/lib/ceph/bootstrap-osd && chown ceph:ceph /var/lib/ceph/bootstrap-osd",
+      "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'",
+      "ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --set-uid=0 --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'",
+      "ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring",
+            "monmaptool --create --add aio 192.168.1.1 --fsid 066ae264-2a5d-4729-8001-6ad265f50b03 /tmp/monmap",
+      "sudo -u ceph ceph-mon --mkfs -i aio --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring",
+      "touch /var/lib/ceph/mon/ceph-aio/done",
+      "systemctl start ceph-mon-aio"
+    );
+    $aio->waitForUnit("ceph-mon-aio");
+
+    # Can't check ceph status until a mon is up
+    $aio->succeed("ceph -s | grep 'mon: 1 daemons'");
+          
+    # Start the ceph-mgr daemon, it has no deps and hardly any setup
+    $aio->mustSucceed(
+      "ceph auth get-or-create mgr.aio mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-aio/keyring",
+      "systemctl start ceph-mgr-aio"
+    );
+    $aio->waitForUnit("ceph-mgr-aio");
+    $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'");
+
+    # Bootstrap both OSDs
+    $aio->mustSucceed(
+      "mkfs.xfs /dev/vdb",
+      "mkfs.xfs /dev/vdc",
+      "mount /dev/vdb /var/lib/ceph/osd/ceph-0",
+      "mount /dev/vdc /var/lib/ceph/osd/ceph-1",
+      "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-0/keyring --name osd.0 --add-key AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==",
+      "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-1/keyring --name osd.1 --add-key AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==",
+      "echo '{\"cephx_secret\": \"AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==\"}' | ceph osd new 55ba2294-3e24-478f-bee0-9dca4c231dd9 -i -",
+      "echo '{\"cephx_secret\": \"AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==\"}' | ceph osd new 5e97a838-85b6-43b0-8950-cb56d554d1e5 -i -"
+    );
+
+    # Initialize the OSDs with regular filestore
+    $aio->mustSucceed(
+      "ceph-osd -i 0 --mkfs --osd-uuid 55ba2294-3e24-478f-bee0-9dca4c231dd9",
+      "ceph-osd -i 1 --mkfs --osd-uuid 5e97a838-85b6-43b0-8950-cb56d554d1e5",
+      "chown -R ceph:ceph /var/lib/ceph/osd",
+      "systemctl start ceph-osd-0",
+      "systemctl start ceph-osd-1"
+    );
+
+    $aio->waitUntilSucceeds("ceph osd stat | grep '2 osds: 2 up, 2 in'");
+    $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active)'");
+    $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'");
+
+    $aio->mustSucceed(
+      "ceph osd pool create aio-test 100 100",
+      "ceph osd pool ls | grep 'aio-test'",
+      "ceph osd pool rename aio-test aio-other-test",
+      "ceph osd pool ls | grep 'aio-other-test'",
+      "ceph -s | grep '1 pools, 100 pgs'",
+      "ceph osd getcrushmap -o crush",
+      "crushtool -d crush -o decrushed",
+      "sed 's/step chooseleaf firstn 0 type host/step chooseleaf firstn 0 type osd/' decrushed > modcrush",
+      "crushtool -c modcrush -o recrushed",
+      "ceph osd setcrushmap -i recrushed",
+      "ceph osd pool set aio-other-test size 2"
+    );
+    $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'");
+    $aio->waitUntilSucceeds("ceph -s | grep '100 active+clean'");
+    $aio->mustFail(
+      "ceph osd pool ls | grep 'aio-test'",
+      "ceph osd pool delete aio-other-test aio-other-test --yes-i-really-really-mean-it"
+    );
+  '';
+})
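Review bot: The two cephx secrets and the two OSD UUIDs in `testScript` are each pasted twice as bare literals, with nothing marking them as throwaway test values. The secrets appear in `--add-key …` and in the `cephx_secret` JSON, and the UUIDs in `ceph osd new …` and `ceph-osd --mkfs --osd-uuid …`. Binding each value once in a `let` keeps the pairs from drifting apart, and the `fsid` repeated in the `monmaptool` call could be shared the same way. A comment such as `# fixed test-only credentials for this VM test` tells readers and secret scanners these are not live keys. The final `mustFail` on `ceph osd pool delete` would also benefit from a comment stating why the deletion is expected to be refused.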
diff --git a/nixos/tests/nix-ssh-serve.nix b/nixos/tests/nix-ssh-serve.nix
new file mode 100644
index 000000000000..aa366d8612d7
--- /dev/null
+++ b/nixos/tests/nix-ssh-serve.nix
@@ -0,0 +1,39 @@
+import ./make-test.nix ({ pkgs, lib, ... }:
+let inherit (import ./ssh-keys.nix pkgs)
+      snakeOilPrivateKey snakeOilPublicKey;
+    ssh-config = builtins.toFile "ssh.conf" ''
+      UserKnownHostsFile=/dev/null
+      StrictHostKeyChecking=no
+    '';
+in
+   { name = "nix-ssh-serve";
+     meta.maintainers = [ lib.maintainers.shlevy ];
+     nodes =
+       { server.nix.sshServe =
+           { enable = true;
+             keys = [ snakeOilPublicKey ];
+             protocol = "ssh-ng";
+           };
+         server.nix.package = pkgs.nixUnstable;
+         client.nix.package = pkgs.nixUnstable;
+       };
+     testScript = ''
+       startAll;
+
+       $client->succeed("mkdir -m 700 /root/.ssh");
+       $client->copyFileFromHost("${ssh-config}", "/root/.ssh/config");
+       $client->succeed("cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa");
+       $client->succeed("chmod 600 /root/.ssh/id_ecdsa");
+
+       $client->succeed("nix-store --add /etc/machine-id > mach-id-path");
+
+       $server->waitForUnit("sshd");
+
+       $client->fail("diff /root/other-store\$(cat mach-id-path) /etc/machine-id");
+       # Currently due to shared store this is a noop :(
+       $client->succeed("nix copy --to ssh-ng://nix-ssh\@server \$(cat mach-id-path)");
+       $client->succeed("nix-store --realise \$(cat mach-id-path) --store /root/other-store --substituters ssh-ng://nix-ssh\@server");
+       $client->succeed("diff /root/other-store\$(cat mach-id-path) /etc/machine-id");
+     '';
+   }
+)
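Review bot: The `ssh-config` file disables host key verification (`StrictHostKeyChecking=no`, `UserKnownHostsFile=/dev/null`) without a comment saying why. Presumably the server VM's host key is not known to the client in advance; a line such as `# test VMs have no pre-shared host keys, so verification is disabled for this test only` would keep the snippet from being copied as a general pattern. Separately, `cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa` followed by `chmod 600` creates the key file with the default mode first. `install -m 600 ${snakeOilPrivateKey} /root/.ssh/id_ecdsa` sets the mode in the same step.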
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 291544996889..b2d254e9d9d9 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -1,20 +1,7 @@
 import ./make-test.nix ({ pkgs, ... }:
 
-let
-  snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''
-    -----BEGIN EC PRIVATE KEY-----
-    MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49
-    AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN
-    r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==
-    -----END EC PRIVATE KEY-----
-  '';
-
-  snakeOilPublicKey = pkgs.lib.concatStrings [
-    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
-    "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
-    "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"
-  ];
-
+let inherit (import ./ssh-keys.nix pkgs)
+      snakeOilPrivateKey snakeOilPublicKey;
 in {
   name = "openssh";
   meta = with pkgs.stdenv.lib.maintainers; {
diff --git a/nixos/tests/postgis.nix b/nixos/tests/postgis.nix
index f6ce3fe38ed3..7fe905eb4254 100644
--- a/nixos/tests/postgis.nix
+++ b/nixos/tests/postgis.nix
@@ -12,7 +12,7 @@ import ./make-test.nix ({ pkgs, ...} : {
         services.postgresql = let mypg = pkgs.postgresql100; in {
             enable = true;
             package = mypg;
-            extraPlugins = [ (pkgs.postgis.override { postgresql = mypg; }).v_2_4_0 ];
+            extraPlugins = [ (pkgs.postgis.override { postgresql = mypg; }) ];
         };
       };
   };
diff --git a/nixos/tests/ssh-keys.nix b/nixos/tests/ssh-keys.nix
new file mode 100644
index 000000000000..07d422196efa
--- /dev/null
+++ b/nixos/tests/ssh-keys.nix
@@ -0,0 +1,15 @@
+pkgs:
+{ snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49
+    AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN
+    r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==
+    -----END EC PRIVATE KEY-----
+  '';
+
+  snakeOilPublicKey = pkgs.lib.concatStrings [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
+    "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
+    "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"
+  ];
+}
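Review bot: The new file holds an EC private key with no comment stating that it is a deliberately public fixture, even though it is now imported by more than one test. I would add a header above `pkgs:` such as `# Publicly known key pair shared by the NixOS VM tests; it must never be authorized on a real host.` so that readers and secret scanners can tell it apart from a leaked credential. The trailing key comment `sakeoil` in `snakeOilPublicKey` looks like a typo for `snakeoil`, carried over from `openssh.nix`; it does not affect the key itself.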
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
new file mode 100644
index 000000000000..2df6f341c4ef
--- /dev/null
+++ b/nixos/tests/systemd.nix
@@ -0,0 +1,66 @@
+import ./make-test.nix {
+  name = "systemd";
+
+  machine = { lib, ... }: {
+    imports = [ common/user-account.nix common/x11.nix ];
+
+    virtualisation.emptyDiskImages = [ 512 ];
+
+    fileSystems = lib.mkVMOverride {
+      "/test-x-initrd-mount" = {
+        device = "/dev/vdb";
+        fsType = "ext2";
+        autoFormat = true;
+        noCheck = true;
+        options = [ "x-initrd.mount" ];
+      };
+    };
+
+    systemd.extraConfig = "DefaultEnvironment=\"XXX_SYSTEM=foo\"";
+    systemd.user.extraConfig = "DefaultEnvironment=\"XXX_USER=bar\"";
+    services.journald.extraConfig = "Storage=volatile";
+    services.xserver.displayManager.auto.user = "alice";
+
+    systemd.services.testservice1 = {
+      description = "Test Service 1";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Type = "oneshot";
+      script = ''
+        if [ "$XXX_SYSTEM" = foo ]; then
+          touch /system_conf_read
+        fi
+      '';
+    };
+
+    systemd.user.services.testservice2 = {
+      description = "Test Service 2";
+      wantedBy = [ "default.target" ];
+      serviceConfig.Type = "oneshot";
+      script = ''
+        if [ "$XXX_USER" = bar ]; then
+          touch "$HOME/user_conf_read"
+        fi
+      '';
+    };
+  };
+
+  testScript = ''
+    $machine->waitForX;
+
+    # Regression test for https://github.com/NixOS/nixpkgs/issues/35415
+    subtest "configuration files are recognized by systemd", sub {
+      $machine->succeed('test -e /system_conf_read');
+      $machine->succeed('test -e /home/alice/user_conf_read');
+      $machine->succeed('test -z $(ls -1 /var/log/journal)');
+    };
+
+    # Regression test for https://github.com/NixOS/nixpkgs/issues/35268
+    subtest "file system with x-initrd.mount is not unmounted", sub {
+      $machine->shutdown;
+      $machine->waitForUnit('multi-user.target');
+      # If the file system was unmounted during the shutdown the file system
+      # has a last mount time, because the file system wasn't checked.
+      $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
+    };
+  '';
+}
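Review bot: The negative check `$machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"')` also passes when `dumpe2fs` itself fails or prints nothing, because only the exit status of `grep` is tested. Placing `$machine->succeed('dumpe2fs /dev/vdb | grep -q "^Last mount time:"');` before it makes the assertion depend on the field actually being read. In the first subtest, `test -z $(ls -1 /var/log/journal)` relies on an unquoted substitution and only behaves as intended when the listing is empty or a single word. `test -z "$(ls -1 /var/log/journal)"` states the intent directly.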