authorFrederik Rietdijk <fridh@fridh.nl>2017-09-05 10:11:06 +0200
committerFrederik Rietdijk <fridh@fridh.nl>2017-09-05 10:11:06 +0200
commitd7ef196c26d3aff394da21122a8c4d08066aef7c (patch)
tree33a50d79d2918172b9afeb2ba8b7623cb1fd606d /nixos
parent2b928b477519afdef86f14a32770fd35fff86ae5 (diff)
parenta9e60689f48a97e0067c6a8312895e4ee7e66620 (diff)
Merge remote-tracking branch 'upstream/master' into HEAD
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1709.xml9
-rw-r--r--nixos/modules/config/i18n.nix2
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/services/desktops/gnome3/gpaste.nix30
-rw-r--r--nixos/modules/services/misc/gitlab.nix46
-rw-r--r--nixos/modules/services/web-apps/nexus.nix100
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix1
-rw-r--r--nixos/modules/services/x11/display-managers/xpra.nix9
-rw-r--r--nixos/tests/nexus.nix34
9 files changed, 220 insertions, 13 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml
index c275fe46d118..a1e443818012 100644
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@@ -193,6 +193,15 @@ rmdir /var/lib/ipfs/.ipfs
       No complete replacement for grsecurity/PaX is available presently.
     </para>
   </listitem>
+    <listitem>
+    <para>
+      The <literal>gnupg</literal> package used to suffix its programs
+      with <literal>2</literal>, like <command>gpg2</command> and
+      <command>gpgv2</command>. This suffix has since been dropped,
+      and the programs are now simply <command>gpg</command>,
+      <command>gpgv</command>, etc.
+    </para>
+  </listitem>
 </itemizedlist>
 
 <para>Other notable improvements:</para>
diff --git a/nixos/modules/config/i18n.nix b/nixos/modules/config/i18n.nix
index 65ef95127805..46b22fc12854 100644
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -43,7 +43,7 @@ with lib;
           <literal>"all"</literal> means that all locales supported by
           Glibc will be installed.  A full list of supported locales
           can be found at <link
-          xlink:href="http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc"/>.
+          xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>.
         '';
       };
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index cc7aa519478e..8a7a5bf4bc4d 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -204,6 +204,7 @@
   ./services/desktops/gnome3/gnome-online-miners.nix
   ./services/desktops/gnome3/gnome-terminal-server.nix
   ./services/desktops/gnome3/gnome-user-share.nix
+  ./services/desktops/gnome3/gpaste.nix
   ./services/desktops/gnome3/gvfs.nix
   ./services/desktops/gnome3/seahorse.nix
   ./services/desktops/gnome3/sushi.nix
@@ -587,6 +588,7 @@
   ./services/web-apps/frab.nix
   ./services/web-apps/mattermost.nix
   ./services/web-apps/nixbot.nix
+  ./services/web-apps/nexus.nix
   ./services/web-apps/pgpkeyserver-lite.nix
   ./services/web-apps/piwik.nix
   ./services/web-apps/pump.io.nix
diff --git a/nixos/modules/services/desktops/gnome3/gpaste.nix b/nixos/modules/services/desktops/gnome3/gpaste.nix
new file mode 100644
index 000000000000..0954cd2713aa
--- /dev/null
+++ b/nixos/modules/services/desktops/gnome3/gpaste.nix
@@ -0,0 +1,30 @@
+# GPaste daemon.
+{ config, lib, ... }:
+
+with lib;
+
+let
+  gnome3 = config.environment.gnome3.packageSet;
+in
+{
+  ###### interface
+  options = {
+    services.gnome3.gpaste = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable GPaste, a clipboard manager.
+        '';
+      };
+    };
+  };
+
+  ###### implementation
+  config = mkIf config.services.gnome3.gpaste.enable {
+    environment.systemPackages = [ gnome3.gpaste ];
+    services.dbus.packages = [ gnome3.gpaste ];
+    services.xserver.desktopManager.gnome3.sessionPath = [ gnome3.gpaste ];
+    systemd.packages = [ gnome3.gpaste ];
+  };
+}
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index fcb7aaa62716..412355fb35b5 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -10,7 +10,7 @@ let
   ruby = cfg.packages.gitlab.ruby;
   bundler = pkgs.bundler;
 
-  gemHome = "${cfg.packages.gitlab.ruby-env}/${ruby.gemPath}";
+  gemHome = "${cfg.packages.gitlab.rubyEnv}/${ruby.gemPath}";
 
   gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
   gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
@@ -29,7 +29,13 @@ let
 
   gitalyToml = pkgs.writeText "gitaly.toml" ''
     socket_path = "${lib.escape ["\""] gitalySocket}"
-    # prometheus metrics
+    prometheus_listen_addr = "localhost:9236"
+
+    [gitaly-ruby]
+    dir = "${cfg.packages.gitaly.ruby}"
+
+    [gitlab-shell]
+    dir = "${cfg.packages.gitlab-shell}"
 
     ${concatStringsSep "\n" (attrValues (mapAttrs (k: v: ''
     [[storage]]
@@ -54,6 +60,11 @@ let
       namespace: resque:gitlab
   '';
 
+  redisYml = ''
+    production:
+      url: redis://localhost:6379/
+  '';
+
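Review bot: `redisYml` hard-codes `redis://localhost:6379/`, an unauthenticated TCP endpoint that every local user and process on the host can reach, and there is no option to point GitLab at a unix socket or a password-protected instance instead. I would expose it as `services.gitlab.redisUrl` (default `"redis://localhost:6379/"`) and interpolate it here. Note also that this YAML is written with `pkgs.writeText` further down, so any credential added to the URL later would land in the world-readable Nix store; if that becomes a need, the file has to move under `cfg.statePath` like the workhorse secret does in this same commit. The enclosing `let` starts before this hunk.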
   secretsYml = ''
     production:
       secret_key_base: ${cfg.secrets.secret}
@@ -101,11 +112,22 @@ let
         upload_pack = true;
         receive_pack = true;
       };
+      workhorse = {
+        secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
+      };
       git = {
         bin_path = "git";
         max_size = 20971520; # 20MB
         timeout = 10;
       };
+      monitoring = {
+        ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
+        sidekiq_exporter = {
+          enable = true;
+          address = "localhost";
+          port = 3807;
+        };
+      };
       extra = {};
     };
   };
@@ -123,6 +145,8 @@ let
     GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/home/config.yml";
     GITLAB_SHELL_SECRET_PATH = "${cfg.statePath}/config/gitlab_shell_secret";
     GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/home/hooks";
+    GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "gitlab-redis.yml" redisYml;
+    prometheus_multiproc_dir = "/run/gitlab";
     RAILS_ENV = "production";
   };
 
@@ -130,12 +154,12 @@ let
 
   gitlab-rake = pkgs.stdenv.mkDerivation rec {
     name = "gitlab-rake";
-    buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.ruby-env pkgs.makeWrapper ];
+    buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.rubyEnv pkgs.makeWrapper ];
     phases = "installPhase fixupPhase";
     buildPhase = "";
     installPhase = ''
       mkdir -p $out/bin
-      makeWrapper ${cfg.packages.gitlab.ruby-env}/bin/bundle $out/bin/gitlab-bundle \
+      makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/bundle $out/bin/gitlab-bundle \
           ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
           --set GITLAB_CONFIG_PATH '${cfg.statePath}/config' \
           --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package ]}:$PATH' \
@@ -455,6 +479,7 @@ in {
         ruby
         openssh
         nodejs
+        gnupg
       ];
       serviceConfig = {
         Type = "simple";
@@ -463,7 +488,7 @@ in {
         TimeoutSec = "300";
         Restart = "on-failure";
         WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
-        ExecStart="${cfg.packages.gitlab.ruby-env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
+        ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
       };
     };
 
@@ -471,7 +496,7 @@ in {
       after = [ "network.target" "gitlab.service" ];
       wantedBy = [ "multi-user.target" ];
       environment.HOME = gitlabEnv.HOME;
-      path = with pkgs; [ gitAndTools.git ];
+      path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv ];
       serviceConfig = {
         #PermissionsStartOnly = true; # preStart must be run as root
         Type = "simple";
@@ -515,7 +540,7 @@ in {
           + "-listenAddr /run/gitlab/gitlab-workhorse.socket "
           + "-authSocket ${gitlabSocket} "
           + "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public "
-          + "-secretPath ${cfg.packages.gitlab}/share/gitlab/.gitlab_workhorse_secret";
+          + "-secretPath ${cfg.statePath}/.gitlab_workhorse_secret";
       };
     };
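Review bot: Moving `-secretPath` to `${cfg.statePath}/.gitlab_workhorse_secret` is the right direction (the old location in the store was world-readable), but nothing in the hunks shown creates that file or sets its mode, and `secret_file` in `gitlab.yml` now points to the same path. If it is generated in a part of preStart outside this diff, it should be created with a restrictive mode before the service user gets the directory, e.g. `install -m 0600 -o ${cfg.user} -g ${cfg.group} /dev/null ${cfg.statePath}/.gitlab_workhorse_secret` followed by the random fill; if it is not generated anywhere, workhorse and unicorn will disagree on the secret and every request will fail. The enclosing `systemd.services.gitlab-workhorse` definition starts outside the hunk.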
 
@@ -551,7 +576,8 @@ in {
         # symlinked in the gitlab package to /run/gitlab/uploads to make it
         # configurable
         mkdir -p /run/gitlab
-        mkdir -p ${cfg.statePath}/uploads
+        mkdir -p ${cfg.statePath}/{log,uploads}
+        ln -sf ${cfg.statePath}/log /run/gitlab/log
         ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
         chown -R ${cfg.user}:${cfg.group} /run/gitlab
 
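Review bot: `ln -sf ${cfg.statePath}/log /run/gitlab/log` misbehaves on a service restart that is not a reboot: `/run/gitlab/log` already exists as a symlink to a directory, so `ln -sf` dereferences it and creates `${cfg.statePath}/log/log` inside the target instead of replacing the link. The idiomatic form is `ln -sfn ${cfg.statePath}/log /run/gitlab/log` (`-n`/`--no-dereference`), and the existing `uploads` line on the next line has the same latent issue and should get the same flag. `mkdir -p ${cfg.statePath}/{log,uploads}` relies on bash brace expansion, which is fine for a NixOS preStart but worth a comment. This preStart continues outside the hunk.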
@@ -599,7 +625,7 @@ in {
         # up the initial database
         if ! test -e "${cfg.statePath}/db-seeded"; then
           ${gitlab-rake}/bin/gitlab-rake db:seed_fu RAILS_ENV=production \
-            GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}"
+            GITLAB_ROOT_PASSWORD='${cfg.initialRootPassword}' GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}'
           touch "${cfg.statePath}/db-seeded"
         fi
 
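Review bot: Switching to single quotes stops `$` and backtick expansion of `cfg.initialRootPassword`, but a password containing `'` still terminates the quoting and the remainder is executed by the shell; the robust form is `GITLAB_ROOT_PASSWORD=${lib.escapeShellArg cfg.initialRootPassword} GITLAB_ROOT_EMAIL=${lib.escapeShellArg cfg.initialRootEmail}`. Independently of quoting, the password is interpolated into the preStart script, which ends up in the world-readable Nix store; that is pre-existing as far as this hunk shows, but a comment on the option warning about it would help, e.g. `# NOTE: the initial root password is embedded in the unit's preStart script in /nix/store; change it after first login.` This preStart starts and ends outside the hunk.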
@@ -618,7 +644,7 @@ in {
         TimeoutSec = "300";
         Restart = "on-failure";
         WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
-        ExecStart = "${cfg.packages.gitlab.ruby-env}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
+        ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
       };
 
     };
diff --git a/nixos/modules/services/web-apps/nexus.nix b/nixos/modules/services/web-apps/nexus.nix
new file mode 100644
index 000000000000..a750aa66b27c
--- /dev/null
+++ b/nixos/modules/services/web-apps/nexus.nix
@@ -0,0 +1,100 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.nexus;
+
+in
+
+{
+  options = {
+    services.nexus = {
+      enable = mkEnableOption "SonarType Nexus3 OSS service";
+
+      user = mkOption {
+        type = types.str;
+        default = "nexus";
+        description = "User which runs Nexus3.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "nexus";
+        description = "Group which runs Nexus3.";
+      };
+
+      home = mkOption {
+        type = types.str;
+        default = "/var/lib/sonatype-work";
+        description = "Home directory of the Nexus3 instance.";
+      };
+
+      listenAddress = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = "Address to listen on.";
+      };
+
+      listenPort = mkOption {
+        type = types.int;
+        default = 8081;
+        description = "Port to listen on.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.extraUsers."${cfg.user}" = {
+      isSystemUser = true;
+      group = cfg.group;
+    };
+
+    users.extraGroups."${cfg.group}" = {};
+
+    systemd.services.nexus = {
+      description = "SonarType Nexus3";
+
+      wantedBy = [ "multi-user.target" ];
+
+      path = [ cfg.home ];
+
+      environment = {
+        NEXUS_USER = cfg.user;
+        NEXUS_HOME = cfg.home;
+      };
+
+      preStart = ''
+        mkdir -p ${cfg.home}/nexus3/etc
+
+        ln -sf ${cfg.home} /run/sonatype-work
+
+        chown -R ${cfg.user}:${cfg.group} ${cfg.home}
+
+        if [ ! -f ${cfg.home}/nexus3/etc/nexus.properties ]; then
+          echo "# Jetty section" > ${cfg.home}/nexus3/etc/nexus.properties
+          echo "application-port=${toString cfg.listenPort}" >> ${cfg.home}/nexus3/etc/nexus.properties
+          echo "application-host=${toString cfg.listenAddress}" >> ${cfg.home}/nexus3/etc/nexus.properties
+        else
+          sed 's/^application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties 
+          sed 's/^# application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties 
+          sed 's/^application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties 
+          sed 's/^# application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties 
+        fi
+      '';
+
+      script = "${pkgs.nexus}/bin/nexus run";
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        PrivateTmp = true;
+        PermissionsStartOnly = true;
+        LimitNOFILE = 102642;
+      };
+    };
+  };
+
+  meta.maintainers = with stdenv.lib.maintainers; [ ironpinguin ];
+}
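Review bot: `path = [ cfg.home ];` puts `${cfg.home}/bin` on the unit's PATH although nothing in the module needs it (nexus is started by absolute store path), and because preStart runs as root (`PermissionsStartOnly = true`) and resolves `mkdir`, `ln`, `chown` and `sed` through PATH, a `bin/` directory planted there by the `nexus` user (who owns the whole tree after `chown -R`) could shadow those tools, depending on how this list merges with the default service path; I would delete that line. The same root preStart writes `nexus.properties` into a directory owned by the service user, and `[ ! -f ... ]` is false for a dangling symlink, so the `echo >` redirections would follow a link planted at that path; running the properties rewrite as `cfg.user`, or creating `nexus3/etc` root-owned, avoids that. Separately, `meta.maintainers = with stdenv.lib.maintainers;` references `stdenv`, which is not a module argument — `with lib.maintainers;` is what evaluates here (the test file in this commit uses `pkgs.stdenv.lib.maintainers`). The `sed -i` lines also carry trailing whitespace.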
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index a9ee6255fd40..97511aac9737 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -507,7 +507,6 @@ in
         example = literalExample ''
           {
             "hydra.example.com" = {
-              addSSL = true;
               forceSSL = true;
               enableACME = true;
               locations."/" = {
diff --git a/nixos/modules/services/x11/display-managers/xpra.nix b/nixos/modules/services/x11/display-managers/xpra.nix
index e60dd8765264..8f5ce3dccc6a 100644
--- a/nixos/modules/services/x11/display-managers/xpra.nix
+++ b/nixos/modules/services/x11/display-managers/xpra.nix
@@ -34,6 +34,12 @@ in
       };
 
       pulseaudio = mkEnableOption "pulseaudio audio streaming.";
+
+      extraOptions = mkOption {
+        description = "Extra xpra options";
+        default = [];
+        type = types.listOf types.str;
+      };
     };
   };
 
@@ -233,7 +239,8 @@ in
           --socket-dirs=/var/run/xpra \
           --xvfb="xpra_Xdummy ${concatStringsSep " " dmcfg.xserverArgs}" \
           ${optionalString (cfg.bindTcp != null) "--bind-tcp=${cfg.bindTcp}"} \
-          --auth=${cfg.auth}
+          --auth=${cfg.auth} \
+          ${concatStringsSep " " cfg.extraOptions}
       '';
     };
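Review bot: `${concatStringsSep " " cfg.extraOptions}` interpolates the list into the shell command line unquoted, so an option containing a space, a glob or `$` is word-split and expanded rather than passed as one argument; since the option is typed `listOf str`, `${lib.escapeShellArgs cfg.extraOptions}` keeps each element intact. The option description `"Extra xpra options"` would also benefit from an example, e.g. `example = [ "--dpi=96" ];`, to make the per-argument shape clear. The enclosing script starts before this hunk.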
 
diff --git a/nixos/tests/nexus.nix b/nixos/tests/nexus.nix
new file mode 100644
index 000000000000..1f19fc0867a4
--- /dev/null
+++ b/nixos/tests/nexus.nix
@@ -0,0 +1,34 @@
+# verifies:
+#   1. nexus service starts on server
+#   2. nexus user can be extended on server
+#   3. nexus service not can startup on server (creating database and all other initial stuff)
+
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "nexus";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ ironpinguin ];
+  };
+
+  nodes = {
+
+    server =
+      { config, pkgs, ... }:
+      { virtualisation.memorySize = 2048;
+
+        services.nexus.enable = true;
+
+        users.extraUsers.nexus.extraGroups = [ "users" ];
+      };
+  };
+
+  testScript = ''
+    startAll;
+
+    $server->waitForUnit("nexus");
+
+    print $server->execute("sudo -u nexus groups");
+    $server->mustSucceed("sudo -u nexus groups | grep nexus | grep users");
+
+    $server->waitForOpenPort(8081);
+  '';
+})
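Review bot: The header comment's third item, `nexus service not can startup on server (creating database and all other initial stuff)`, reads as its own negation; I would write `#   3. nexus service can start up on server (creating the database and other initial state)`. `print $server->execute("sudo -u nexus groups");` is leftover debugging next to the `mustSucceed` that checks the same thing and can be dropped. `waitForOpenPort(8081)` only proves a listener exists; if the Nexus UI answers on `/`, a `$server->succeed("curl -f http://127.0.0.1:8081/")` would verify the application actually came up.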