authorMatthew Bauer <mjbauer95@gmail.com>2020-03-16 14:34:03 -0400
committerMatthew Bauer <mjbauer95@gmail.com>2020-03-16 14:34:03 -0400
commit67b0ddf3f30d975bd41bc2ac1cc871436ed1af0e (patch)
treeeddc87a600bfd5cf9f6f6ff15f8e735664eae1e1 /nixos
parente9c2957c1465838c27c7a67e56a6ade95033eefd (diff)
parentb8cff61c330400e39dbac22b8993fe58fb35ec13 (diff)
Merge remote-tracking branch 'origin/staging' into mb-cross-fixes-march-2020
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.xml5
-rw-r--r--nixos/lib/eval-config.nix6
-rw-r--r--nixos/lib/testing-python.nix4
-rw-r--r--nixos/lib/utils.nix2
-rw-r--r--nixos/modules/config/networking.nix27
-rw-r--r--nixos/modules/misc/ids.nix4
-rw-r--r--nixos/modules/misc/nixpkgs.nix8
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/programs/firejail.nix30
-rw-r--r--nixos/modules/rename.nix12
-rw-r--r--nixos/modules/security/acme.nix11
-rw-r--r--nixos/modules/services/databases/mysql.nix103
-rw-r--r--nixos/modules/services/desktops/malcontent.nix32
-rw-r--r--nixos/modules/services/mail/dovecot.nix234
-rw-r--r--nixos/modules/services/misc/ankisyncd.nix79
-rw-r--r--nixos/modules/services/misc/autorandr.nix2
-rw-r--r--nixos/modules/services/misc/zoneminder.nix4
-rw-r--r--nixos/modules/services/monitoring/cadvisor.nix1
-rw-r--r--nixos/modules/services/monitoring/prometheus/default.nix27
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters.nix17
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix2
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/collectd.nix2
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix2
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix2
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/json.nix2
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/mail.nix9
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/mikrotik.nix66
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/minio.nix4
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix2
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/postfix.nix6
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/snmp.nix16
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/unifi.nix4
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/varnish.nix4
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix2
-rw-r--r--nixos/modules/services/networking/cjdns.nix52
-rw-r--r--nixos/modules/services/networking/firewall.nix2
-rw-r--r--nixos/modules/services/networking/freeradius.nix18
-rw-r--r--nixos/modules/services/networking/haproxy.nix26
-rw-r--r--nixos/modules/services/networking/ntp/ntpd.nix13
-rw-r--r--nixos/modules/services/networking/shorewall.nix5
-rw-r--r--nixos/modules/services/networking/shorewall6.nix5
-rw-r--r--nixos/modules/services/networking/vsftpd.nix2
-rw-r--r--nixos/modules/services/networking/wireguard.nix2
-rw-r--r--nixos/modules/services/wayland/cage.nix2
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix20
-rw-r--r--nixos/modules/services/web-servers/uwsgi.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix92
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix1
-rw-r--r--nixos/modules/system/activation/switch-to-configuration.pl4
-rw-r--r--nixos/modules/system/activation/top-level.nix1
-rw-r--r--nixos/modules/system/etc/etc.nix8
-rw-r--r--nixos/modules/tasks/auto-upgrade.nix15
-rw-r--r--nixos/modules/tasks/filesystems/btrfs.nix7
-rw-r--r--nixos/modules/virtualisation/kvmgt.nix16
-rw-r--r--nixos/tests/docker-tools.nix17
-rw-r--r--nixos/tests/kubernetes/dns.nix2
-rw-r--r--nixos/tests/nesting.nix8
-rw-r--r--nixos/tests/prometheus-exporters.nix43
-rw-r--r--nixos/tests/signal-desktop.nix1
59 files changed, 854 insertions, 243 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 892208b01d7d..e236b230332f 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -23,6 +23,11 @@
      Support is planned until the end of April 2021, handing over to 21.03.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     PHP now defaults to PHP 7.4, updated from 7.3.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix
index 77490ca3762a..9892d6f160f7 100644
--- a/nixos/lib/eval-config.nix
+++ b/nixos/lib/eval-config.nix
@@ -41,6 +41,12 @@ let
       # default to the argument. That way this new default could propagate all
       # they way through, but has the last priority behind everything else.
       nixpkgs.system = lib.mkDefault system;
+
+      # Stash the value of the `system` argument. When using `nesting.children`
+      # we want to have the same default value behavior (immediately above)
+      # without any interference from the user's configuration.
+      nixpkgs.initialSystem = system;
+
       _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_);
     };
   };
diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix
index 6663864f1e56..3891adc10435 100644
--- a/nixos/lib/testing-python.nix
+++ b/nixos/lib/testing-python.nix
@@ -175,13 +175,13 @@ in rec {
 
       nodeNames = builtins.attrNames nodes;
       invalidNodeNames = lib.filter
-        (node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames;
+        (node: builtins.match "^[A-z_]([A-z0-9_]+)?$" node == null) nodeNames;
 
     in
       if lib.length invalidNodeNames > 0 then
         throw ''
           Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})!
-          All machines are referenced as perl variables in the testing framework which will break the
+          All machines are referenced as python variables in the testing framework which will break the
           script when special characters are used.
 
           Please stick to alphanumeric chars and underscores as separation.
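Review bot: The character class `[A-z]` in the new `builtins.match` pattern is not `[A-Za-z]`: in ASCII collation it also admits `[`, `\`, `]`, `^` and the backtick, none of which is legal in the Python identifier the node name becomes, so the check still passes names the error text says it rejects. Spelling the ranges out also covers the one-character case without the optional group: `(node: builtins.match "^[A-Za-z_][A-Za-z0-9_]*$" node == null) nodeNames;`. Whether the regex engine behind `builtins.match` orders ranges by ASCII should be confirmed, but the explicit form is correct either way.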
diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix
index a522834e4294..21f4c7c6988f 100644
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@@ -14,7 +14,7 @@ rec {
   # becomes dev-xyzzy.  FIXME: slow.
   escapeSystemdPath = s:
    replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"]
-    (if hasPrefix "/" s then substring 1 (stringLength s) s else s);
+   (removePrefix "/" s);
 
   # Returns a system path for a given shell package
   toShellPath = shell:
diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix
index 81427bb8ee64..dd36696b94d2 100644
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@@ -35,12 +35,22 @@ in
       '';
     };
 
+    networking.hostFiles = lib.mkOption {
+      type = types.listOf types.path;
+      defaultText = lib.literalExample "Hosts from `networking.hosts` and `networking.extraHosts`";
+      example = lib.literalExample ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]'';
+      description = ''
+        Files that should be concatenated together to form <filename>/etc/hosts</filename>.
+      '';
+    };
+
     networking.extraHosts = lib.mkOption {
       type = types.lines;
       default = "";
       example = "192.168.0.1 lanlocalhost";
       description = ''
         Additional verbatim entries to be appended to <filename>/etc/hosts</filename>.
+        For adding hosts from derivation results, use <option>networking.hostFiles</option> instead.
       '';
     };
 
@@ -159,6 +169,15 @@ in
       "::1" = [ "localhost" ];
     };
 
+    networking.hostFiles = let
+      stringHosts =
+        let
+          oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n";
+          allToString = set: concatMapStrings (oneToString set) (attrNames set);
+        in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts));
+      extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts;
+    in mkBefore [ stringHosts extraHosts ];
+
     environment.etc =
       { # /etc/services: TCP/UDP port assignments.
         services.source = pkgs.iana-etc + "/etc/services";
@@ -167,12 +186,8 @@ in
         protocols.source  = pkgs.iana-etc + "/etc/protocols";
 
         # /etc/hosts: Hostname-to-IP mappings.
-        hosts.text = let
-          oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip};
-          allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set);
-        in ''
-          ${allToString (filterAttrs (_: v: v != []) cfg.hosts)}
-          ${cfg.extraHosts}
+        hosts.source = pkgs.runCommandNoCC "hosts" {} ''
+          cat ${escapeShellArgs cfg.hostFiles} > $out
         '';
 
         # /etc/host.conf: resolver configuration file
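Review bot: The `cat` that now assembles /etc/hosts joins the files byte-for-byte, but `extra-hosts` is written from `cfg.extraHosts` with no guaranteed trailing newline (the option's own example, `192.168.0.1 lanlocalhost`, has none), so a user-supplied `networking.hostFiles` entry placed after it gets its first line glued onto the last extraHosts line and silently yields a wrong mapping; the previous `hosts.text` form terminated each piece with a newline. Writing `extraHosts = pkgs.writeText "extra-hosts" (cfg.extraHosts + "\n");` in the hostFiles definition above restores that, or the build step can separate files itself: `for f in ${escapeShellArgs cfg.hostFiles}; do cat "$f"; echo; done > $out`. Also worth confirming in the option description: `cat` runs inside a build sandbox, so each entry must be a store path — a path literal is copied into the world-readable store, while a plain `/etc/...` string will not be readable at build time.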
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 979cdc5d4ad4..85e5534e906f 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -133,7 +133,7 @@ in
       tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
       firebird = 95;
       #keys = 96; # unused
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
       mongodb = 98;
       openldap = 99;
       #users = 100; # unused
@@ -448,7 +448,7 @@ in
       #tcpcryptd = 93; # unused
       firebird = 95;
       keys = 96;
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
       #mongodb = 98; # unused
       openldap = 99;
       munin = 102;
diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix
index afb74581e239..011d493c1538 100644
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@@ -216,6 +216,14 @@ in
         Ignored when <code>nixpkgs.pkgs</code> is set.
       '';
     };
+
+    initialSystem = mkOption {
+      type = types.str;
+      internal = true;
+      description = ''
+        Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>.
+      '';
+    };
   };
 
   config = {
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e70a853624bf..dba2593bbef5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -297,6 +297,7 @@
   ./services/desktops/geoclue2.nix
   ./services/desktops/gsignond.nix
   ./services/desktops/gvfs.nix
+  ./services/desktops/malcontent.nix
   ./services/desktops/pipewire.nix
   ./services/desktops/gnome3/at-spi2-core.nix
   ./services/desktops/gnome3/chrome-gnome-shell.nix
@@ -405,6 +406,7 @@
   ./services/mail/sympa.nix
   ./services/mail/nullmailer.nix
   ./services/misc/airsonic.nix
+  ./services/misc/ankisyncd.nix
   ./services/misc/apache-kafka.nix
   ./services/misc/autofs.nix
   ./services/misc/autorandr.nix
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index 74c3e4425a7c..484f9eb44406 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -5,28 +5,34 @@ with lib;
 let
   cfg = config.programs.firejail;
 
-  wrappedBins = pkgs.stdenv.mkDerivation {
-    name = "firejail-wrapped-binaries";
-    nativeBuildInputs = with pkgs; [ makeWrapper ];
-    buildCommand = ''
+  wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
+    { preferLocalBuild = true;
+      allowSubstitutes = false;
+    }
+    ''
       mkdir -p $out/bin
       ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
-      cat <<_EOF >$out/bin/${command}
-      #!${pkgs.stdenv.shell} -e
-      /run/wrappers/bin/firejail ${binary} "\$@"
-      _EOF
-      chmod 0755 $out/bin/${command}
+        cat <<_EOF >$out/bin/${command}
+        #! ${pkgs.runtimeShell} -e
+        exec /run/wrappers/bin/firejail ${binary} "\$@"
+        _EOF
+        chmod 0755 $out/bin/${command}
       '') cfg.wrappedBinaries)}
     '';
-  };
 
 in {
   options.programs.firejail = {
     enable = mkEnableOption "firejail";
 
     wrappedBinaries = mkOption {
-      type = types.attrs;
+      type = types.attrsOf types.path;
       default = {};
+      example = literalExample ''
+        {
+          firefox = "''${lib.getBin pkgs.firefox}/bin/firefox";
+          mpv = "''${lib.getBin pkgs.mpv}/bin/mpv";
+        }
+      '';
       description = ''
         Wrap the binaries in firejail and place them in the global path.
         </para>
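Review bot: The generated wrapper interpolates `${binary}` and `${command}` unquoted into shell text, on `exec /run/wrappers/bin/firejail ${binary} "\$@"` and `$out/bin/${command}`. `types.path` only requires a leading `/`, so a path containing whitespace or a shell metacharacter produces a wrapper that breaks or runs something else, and an attribute key with `/` or whitespace lands the script in the wrong place. Use `exec /run/wrappers/bin/firejail ${lib.escapeShellArg binary} "\$@"` and quote the targets, `cat <<_EOF >"$out/bin/${command}"` and `chmod 0755 "$out/bin/${command}"`, or reject such keys with an assertion. The added `exec` is a good change since the /run/wrappers entry now replaces the shell instead of running as its child.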
@@ -41,7 +47,7 @@ in {
   config = mkIf cfg.enable {
     security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
 
-    environment.systemPackages = [ wrappedBins ];
+    environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
   };
 
   meta.maintainers = with maintainers; [ peterhoeg ];
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 2cc6c46e3581..410db8fd84e7 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -21,12 +21,12 @@ with lib;
     (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "")
     (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
-    (mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed")
-    (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed")
-    (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed")
-    (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed")
-    (mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed")
-    (mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
+    (mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
+    (mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")
+    (mkRemovedOptionModule [ "services" "beegfs" ] "The BeeGFS module has been removed")
+    (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
+    (mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed")
+    (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
     (mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
       "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
     (mkRemovedOptionModule [ "services" "xserver" "multitouch" ] ''
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 4c7f0ee657ce..b787a7675390 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -302,7 +302,7 @@ in
                 lpath = "acme/${cert}";
                 apath = "/var/lib/${lpath}";
                 spath = "/var/lib/acme/.lego";
-                rights = if data.allowKeysForGroup then "750" else "700";
+                fileMode = if data.allowKeysForGroup then "640" else "600";
                 globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
                           ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
                           ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
@@ -331,7 +331,7 @@ in
                     Group = data.group;
                     PrivateTmp = true;
                     StateDirectory = "acme/.lego ${lpath}";
-                    StateDirectoryMode = rights;
+                    StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
                     WorkingDirectory = spath;
                     # Only try loading the credentialsFile if the dns challenge is enabled
                     EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
@@ -354,10 +354,11 @@ in
                             cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
                             ln -sf fullchain.pem cert.pem
                             cat key.pem fullchain.pem > full.pem
-                            chmod ${rights} *.pem
-                            chown '${data.user}:${data.group}' *.pem
                           fi
 
+                          chmod ${fileMode} *.pem
+                          chown '${data.user}:${data.group}' *.pem
+
                           ${data.postRun}
                         '';
                       in
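Review bot: `cat key.pem fullchain.pem > full.pem` creates full.pem under the shell's default umask, and only the `chmod ${fileMode} *.pem` that now follows the `fi` tightens it, so the concatenated private key sits with wider permissions than `fileMode` for a moment on every run that takes that branch. The state directory mode (`700`/`750` via StateDirectoryMode) bounds who can reach it, but `umask 077` at the top of the script, or `(umask 077; cat key.pem fullchain.pem > full.pem)`, removes the window entirely. Separately, the now unconditional `chmod ${fileMode} *.pem` will error on an empty glob if no `.pem` file exists yet; whether that path is reachable depends on the script head, which starts outside the hunk.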
@@ -399,7 +400,7 @@ in
 
                       # Give key acme permissions
                       chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
-                      chmod ${rights} "${apath}/"{key,fullchain,full}.pem
+                      chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
                     '';
                   serviceConfig = {
                     Type = "oneshot";
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 8d520b82fb55..248bf0ebc915 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -21,6 +21,11 @@ let
   installOptions =
     "${mysqldOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
 
+  settingsFile = pkgs.writeText "my.cnf" (
+    generators.toINI { listsAsDuplicateKeys = true; } cfg.settings +
+    optionalString (cfg.extraOptions != null) "[mysqld]\n${cfg.extraOptions}"
+  );
+
 in
 
 {
@@ -76,9 +81,64 @@ in
         description = "Location where MySQL stores its table files";
       };
 
+      configFile = mkOption {
+        type = types.path;
+        default = settingsFile;
+        defaultText = "settingsFile";
+        description = ''
+          Override the configuration file used by MySQL. By default,
+          NixOS generates one automatically from <option>services.mysql.settings</option>.
+        '';
+        example = literalExample ''
+          pkgs.writeText "my.cnf" '''
+            [mysqld]
+            datadir = /var/lib/mysql
+            bind-address = 127.0.0.1
+            port = 3336
+            plugin-load-add = auth_socket.so
+
+            !includedir /etc/mysql/conf.d/
+          ''';
+        '';
+      };
+
+      settings = mkOption {
+        type = with types; attrsOf (attrsOf (oneOf [ bool int str (listOf str) ]));
+        default = {};
+        description = ''
+          MySQL configuration. Refer to
+          <link xlink:href="https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html"/>,
+          <link xlink:href="https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html"/>,
+          and <link xlink:href="https://mariadb.com/kb/en/server-system-variables/"/>
+          for details on supported values.
+
+          <note>
+            <para>
+              MySQL configuration options such as <literal>--quick</literal> should be treated as
+              boolean options and provided values such as <literal>true</literal>, <literal>false</literal>,
+              <literal>1</literal>, or <literal>0</literal>. See the provided example below.
+            </para>
+          </note>
+        '';
+        example = literalExample ''
+          {
+            mysqld = {
+              key_buffer_size = "6G";
+              table_cache = 1600;
+              log-error = "/var/log/mysql_err.log";
+              plugin-load-add = [ "server_audit" "ed25519=auth_ed25519" ];
+            };
+            mysqldump = {
+              quick = true;
+              max_allowed_packet = "16M";
+            };
+          }
+        '';
+      };
+
       extraOptions = mkOption {
-        type = types.lines;
-        default = "";
+        type = with types; nullOr lines;
+        default = null;
         example = ''
           key_buffer_size = 6G
           table_cache = 1600
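Review bot: The `configFile` description should say what is dropped when it is set: everything the module itself contributes to `services.mysql.settings` — `datadir`, `bind-address`, `port`, the replication keys and the `plugin-load-add = auth_socket.so` it emits when `ensureUsers` is used — is no longer in the file MySQL reads, and nothing checks for that. Suggested wording to append: `Setting this ignores <option>services.mysql.settings</option> entirely, including the <literal>datadir</literal>, <literal>bind-address</literal>, <literal>port</literal>, replication and <literal>auth_socket</literal> entries the module generates; replicate them in your file or features such as <option>services.mysql.ensureUsers</option> will not work.` The example already lists these keys, which helps, but the trade-off should be stated in the text.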
@@ -252,10 +312,27 @@ in
 
   config = mkIf config.services.mysql.enable {
 
+    warnings = optional (cfg.extraOptions != null) "services.mysql.`extraOptions` is deprecated, please use services.mysql.`settings`.";
+
     services.mysql.dataDir =
       mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/mysql"
                  else "/var/mysql");
 
+    services.mysql.settings.mysqld = mkMerge [
+      {
+        datadir = cfg.dataDir;
+        bind-address = mkIf (cfg.bind != null) cfg.bind;
+        port = cfg.port;
+        plugin-load-add = optional (cfg.ensureUsers != []) "auth_socket.so";
+      }
+      (mkIf (cfg.replication.role == "master" || cfg.replication.role == "slave") {
+        log-bin = "mysql-bin-${toString cfg.replication.serverId}";
+        log-bin-index = "mysql-bin-${toString cfg.replication.serverId}.index";
+        relay-log = "mysql-relay-bin";
+        server-id = cfg.replication.serverId;
+      })
+    ];
+
     users.users.mysql = {
       description = "MySQL server user";
       group = "mysql";
@@ -266,25 +343,7 @@ in
 
     environment.systemPackages = [mysql];
 
-    environment.etc."my.cnf".text =
-    ''
-      [mysqld]
-      port = ${toString cfg.port}
-      datadir = ${cfg.dataDir}
-      ${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
-      ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave")
-      ''
-        log-bin=mysql-bin-${toString cfg.replication.serverId}
-        log-bin-index=mysql-bin-${toString cfg.replication.serverId}.index
-        relay-log=mysql-relay-bin
-        server-id = ${toString cfg.replication.serverId}
-      ''}
-      ${optionalString (cfg.ensureUsers != [])
-      ''
-        plugin-load-add = auth_socket.so
-      ''}
-      ${cfg.extraOptions}
-    '';
+    environment.etc."my.cnf".source = cfg.configFile;
 
     systemd.tmpfiles.rules = [
       "d '${cfg.dataDir}' 0700 ${cfg.user} mysql -"
@@ -297,7 +356,7 @@ in
 
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
-        restartTriggers = [ config.environment.etc."my.cnf".source ];
+        restartTriggers = [ cfg.configFile ];
 
         unitConfig.RequiresMountsFor = "${cfg.dataDir}";
 
diff --git a/nixos/modules/services/desktops/malcontent.nix b/nixos/modules/services/desktops/malcontent.nix
new file mode 100644
index 000000000000..416464cbe08f
--- /dev/null
+++ b/nixos/modules/services/desktops/malcontent.nix
@@ -0,0 +1,32 @@
+# Malcontent daemon.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.malcontent = {
+
+      enable = mkEnableOption "Malcontent";
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.malcontent.enable {
+
+    environment.systemPackages = [ pkgs.malcontent ];
+
+    services.dbus.packages = [ pkgs.malcontent ];
+
+  };
+
+}
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index b5ed2c594f77..230a2ae3f825 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -14,18 +14,34 @@ let
       base_dir = ${baseDir}
       protocols = ${concatStringsSep " " cfg.protocols}
       sendmail_path = /run/wrappers/bin/sendmail
+      # defining mail_plugins must be done before the first protocol {} filter because of https://doc.dovecot.org/configuration_manual/config_file/config_file_syntax/#variable-expansion
+      mail_plugins = $mail_plugins ${concatStringsSep " " cfg.mailPlugins.globally.enable}
     ''
 
-    (if cfg.sslServerCert == null then ''
-      ssl = no
-      disable_plaintext_auth = no
-    '' else ''
-      ssl_cert = <${cfg.sslServerCert}
-      ssl_key = <${cfg.sslServerKey}
-      ${optionalString (cfg.sslCACert != null) ("ssl_ca = <" + cfg.sslCACert)}
-      ssl_dh = <${config.security.dhparams.params.dovecot2.path}
-      disable_plaintext_auth = yes
-    '')
+    (
+      concatStringsSep "\n" (
+        mapAttrsToList (
+          protocol: plugins: ''
+            protocol ${protocol} {
+              mail_plugins = $mail_plugins ${concatStringsSep " " plugins.enable}
+            }
+          ''
+        ) cfg.mailPlugins.perProtocol
+      )
+    )
+
+    (
+      if cfg.sslServerCert == null then ''
+        ssl = no
+        disable_plaintext_auth = no
+      '' else ''
+        ssl_cert = <${cfg.sslServerCert}
+        ssl_key = <${cfg.sslServerKey}
+        ${optionalString (cfg.sslCACert != null) ("ssl_ca = <" + cfg.sslCACert)}
+        ssl_dh = <${config.security.dhparams.params.dovecot2.path}
+        disable_plaintext_auth = yes
+      ''
+    )
 
     ''
       default_internal_user = ${cfg.user}
@@ -45,55 +61,58 @@ let
       }
     ''
 
-    (optionalString cfg.enablePAM ''
-      userdb {
-        driver = passwd
-      }
-
-      passdb {
-        driver = pam
-        args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} dovecot2
-      }
-    '')
+    (
+      optionalString cfg.enablePAM ''
+        userdb {
+          driver = passwd
+        }
 
-    (optionalString (cfg.sieveScripts != {}) ''
-      plugin {
-        ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)}
-      }
-    '')
+        passdb {
+          driver = pam
+          args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} dovecot2
+        }
+      ''
+    )
 
-    (optionalString (cfg.mailboxes != []) ''
-      protocol imap {
-        namespace inbox {
-          inbox=yes
-          ${concatStringsSep "\n" (map mailboxConfig cfg.mailboxes)}
+    (
+      optionalString (cfg.sieveScripts != {}) ''
+        plugin {
+          ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)}
         }
-      }
-    '')
-
-    (optionalString cfg.enableQuota ''
-      mail_plugins = $mail_plugins quota
-      service quota-status {
-        executable = ${dovecotPkg}/libexec/dovecot/quota-status -p postfix
-        inet_listener {
-          port = ${cfg.quotaPort}
+      ''
+    )
+
+    (
+      optionalString (cfg.mailboxes != []) ''
+        protocol imap {
+          namespace inbox {
+            inbox=yes
+            ${concatStringsSep "\n" (map mailboxConfig cfg.mailboxes)}
+          }
+        }
+      ''
+    )
+
+    (
+      optionalString cfg.enableQuota ''
+        service quota-status {
+          executable = ${dovecotPkg}/libexec/dovecot/quota-status -p postfix
+          inet_listener {
+            port = ${cfg.quotaPort}
+          }
+          client_limit = 1
         }
-        client_limit = 1
-      }
-
-      protocol imap {
-        mail_plugins = $mail_plugins imap_quota
-      }
 
-      plugin {
-        quota_rule = *:storage=${cfg.quotaGlobalPerUser}
-        quota = maildir:User quota # per virtual mail user quota # BUG/FIXME broken, we couldn't get this working
-        quota_status_success = DUNNO
-        quota_status_nouser = DUNNO
-        quota_status_overquota = "552 5.2.2 Mailbox is full"
-        quota_grace = 10%%
-      }
-    '')
+        plugin {
+          quota_rule = *:storage=${cfg.quotaGlobalPerUser}
+          quota = maildir:User quota # per virtual mail user quota # BUG/FIXME broken, we couldn't get this working
+          quota_status_success = DUNNO
+          quota_status_nouser = DUNNO
+          quota_status_overquota = "552 5.2.2 Mailbox is full"
+          quota_grace = 10%%
+        }
+      ''
+    )
 
     cfg.extraConfig
   ];
@@ -107,7 +126,7 @@ let
     mailbox "${mailbox.name}" {
       auto = ${toString mailbox.auto}
   '' + optionalString (mailbox.specialUse != null) ''
-      special_use = \${toString mailbox.specialUse}
+    special_use = \${toString mailbox.specialUse}
   '' + "}";
 
   mailboxes = { ... }: {
@@ -160,7 +179,7 @@ in
 
     protocols = mkOption {
       type = types.listOf types.str;
-      default = [ ];
+      default = [];
       description = "Additional listeners to start when Dovecot is enabled.";
     };
 
@@ -183,6 +202,43 @@ in
       description = "Additional entries to put verbatim into Dovecot's config file.";
     };
 
+    mailPlugins =
+      let
+        plugins = hint: types.submodule {
+          options = {
+            enable = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = "mail plugins to enable as a list of strings to append to the ${hint} <literal>$mail_plugins</literal> configuration variable";
+            };
+          };
+        };
+      in
+        mkOption {
+          type = with types; submodule {
+            options = {
+              globally = mkOption {
+                description = "Additional entries to add to the mail_plugins variable for all protocols";
+                type = plugins "top-level";
+                example = { enable = [ "virtual" ]; };
+                default = { enable = []; };
+              };
+              perProtocol = mkOption {
+                description = "Additional entries to add to the mail_plugins variable, per protocol";
+                type = attrsOf (plugins "corresponding per-protocol");
+                default = {};
+                example = { imap = [ "imap_acl" ]; };
+              };
+            };
+          };
+          description = "Additional entries to add to the mail_plugins variable, globally and per protocol";
+          example = {
+            globally.enable = [ "acl" ];
+            perProtocol.imap.enable = [ "imap_acl" ];
+          };
+          default = { globally.enable = []; perProtocol = {}; };
+        };
+
     configFile = mkOption {
       type = types.nullOr types.path;
       default = null;
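Review bot: The `perProtocol` example `{ imap = [ "imap_acl" ]; }` does not type-check against its own declared type, `attrsOf (plugins …)`, whose values are submodules with an `enable` list, so copying it into a configuration fails evaluation. It should read `example = { imap.enable = [ "imap_acl" ]; };`, matching the outer example at the bottom of the option, `perProtocol.imap.enable = [ "imap_acl" ]`. The `hint` text is interpolated into the description, so the two submodule instances will read "top-level" and "corresponding per-protocol" respectively; that seems intended but is easy to miss when editing the wording.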
@@ -305,27 +361,33 @@ in
       enable = true;
       params.dovecot2 = {};
     };
-   services.dovecot2.protocols =
-     optional cfg.enableImap "imap"
-     ++ optional cfg.enablePop3 "pop3"
-     ++ optional cfg.enableLmtp "lmtp";
+    services.dovecot2.protocols =
+      optional cfg.enableImap "imap"
+      ++ optional cfg.enablePop3 "pop3"
+      ++ optional cfg.enableLmtp "lmtp";
+
+    services.dovecot2.mailPlugins = mkIf cfg.enableQuota {
+      globally.enable = [ "quota" ];
+      perProtocol.imap.enable = [ "imap_quota" ];
+    };
 
     users.users = {
       dovenull =
-        { uid = config.ids.uids.dovenull2;
+        {
+          uid = config.ids.uids.dovenull2;
           description = "Dovecot user for untrusted logins";
           group = "dovenull";
         };
     } // optionalAttrs (cfg.user == "dovecot2") {
       dovecot2 =
-         { uid = config.ids.uids.dovecot2;
-           description = "Dovecot user";
-           group = cfg.group;
-         };
+        {
+          uid = config.ids.uids.dovecot2;
+          description = "Dovecot user";
+          group = cfg.group;
+        };
     } // optionalAttrs (cfg.createMailUser && cfg.mailUser != null) {
       ${cfg.mailUser} =
-        { description = "Virtual Mail User"; } //
-        optionalAttrs (cfg.mailGroup != null)
+        { description = "Virtual Mail User"; } // optionalAttrs (cfg.mailGroup != null)
           { group = cfg.mailGroup; };
     };
 
@@ -334,7 +396,7 @@ in
     } // optionalAttrs (cfg.group == "dovecot2") {
       dovecot2.gid = config.ids.gids.dovecot2;
     } // optionalAttrs (cfg.createMailUser && cfg.mailGroup != null) {
-      ${cfg.mailGroup} = { };
+      ${cfg.mailGroup} = {};
     };
 
     environment.etc."dovecot/modules".source = modulesDir;
@@ -363,15 +425,19 @@ in
         rm -rf ${stateDir}/sieve
       '' + optionalString (cfg.sieveScripts != {}) ''
         mkdir -p ${stateDir}/sieve
-        ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
-          if [ -d '${from}' ]; then
-            mkdir '${stateDir}/sieve/${to}'
-            cp -p "${from}/"*.sieve '${stateDir}/sieve/${to}'
-          else
-            cp -p '${from}' '${stateDir}/sieve/${to}'
-          fi
-          ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}'
-        '') cfg.sieveScripts)}
+        ${concatStringsSep "\n" (
+        mapAttrsToList (
+          to: from: ''
+            if [ -d '${from}' ]; then
+              mkdir '${stateDir}/sieve/${to}'
+              cp -p "${from}/"*.sieve '${stateDir}/sieve/${to}'
+            else
+              cp -p '${from}' '${stateDir}/sieve/${to}'
+            fi
+            ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}'
+          ''
+        ) cfg.sieveScripts
+      )}
         chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve'
       '';
     };
@@ -379,17 +445,21 @@ in
     environment.systemPackages = [ dovecotPkg ];
 
     assertions = [
-      { assertion = intersectLists cfg.protocols [ "pop3" "imap" ] != [];
+      {
+        assertion = intersectLists cfg.protocols [ "pop3" "imap" ] != [];
         message = "dovecot needs at least one of the IMAP or POP3 listeners enabled";
       }
-      { assertion = (cfg.sslServerCert == null) == (cfg.sslServerKey == null)
-          && (cfg.sslCACert != null -> !(cfg.sslServerCert == null || cfg.sslServerKey == null));
+      {
+        assertion = (cfg.sslServerCert == null) == (cfg.sslServerKey == null)
+        && (cfg.sslCACert != null -> !(cfg.sslServerCert == null || cfg.sslServerKey == null));
         message = "dovecot needs both sslServerCert and sslServerKey defined for working crypto";
       }
-      { assertion = cfg.showPAMFailure -> cfg.enablePAM;
+      {
+        assertion = cfg.showPAMFailure -> cfg.enablePAM;
         message = "dovecot is configured with showPAMFailure while enablePAM is disabled";
       }
-      { assertion = cfg.sieveScripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null);
+      {
+        assertion = cfg.sieveScripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null);
         message = "dovecot requires mailUser and mailGroup to be set when sieveScripts is set";
       }
     ];
diff --git a/nixos/modules/services/misc/ankisyncd.nix b/nixos/modules/services/misc/ankisyncd.nix
new file mode 100644
index 000000000000..5fc19649d3d9
--- /dev/null
+++ b/nixos/modules/services/misc/ankisyncd.nix
@@ -0,0 +1,79 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.ankisyncd;
+
+  name = "ankisyncd";
+
+  stateDir = "/var/lib/${name}";
+
+  authDbPath = "${stateDir}/auth.db";
+
+  sessionDbPath = "${stateDir}/session.db";
+
+  configFile = pkgs.writeText "ankisyncd.conf" (lib.generators.toINI {} {
+    sync_app = {
+      host = cfg.host;
+      port = cfg.port;
+      data_root = stateDir;
+      auth_db_path = authDbPath;
+      session_db_path = sessionDbPath;
+
+      base_url = "/sync/";
+      base_media_url = "/msync/";
+    };
+  });
+in
+  {
+    options.services.ankisyncd = {
+      enable = mkEnableOption "ankisyncd";
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.ankisyncd;
+        defaultText = literalExample "pkgs.ankisyncd";
+        description = "The package to use for the ankisyncd command.";
+      };
+
+      host = mkOption {
+        type = types.str;
+        default = "localhost";
+        description = "ankisyncd host";
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 27701;
+        description = "ankisyncd port";
+      };
+
+      openFirewall = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to open the firewall for the specified port.";
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+
+      environment.etc."ankisyncd/ankisyncd.conf".source = configFile;
+
+      systemd.services.ankisyncd = {
+        description = "ankisyncd - Anki sync server";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        path = [ cfg.package ];
+
+        serviceConfig = {
+          Type = "simple";
+          DynamicUser = true;
+          StateDirectory = name;
+          ExecStart = "${cfg.package}/bin/ankisyncd";
+          Restart = "always";
+        };
+      };
+    };
+  }
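Review bot: `port` is declared as `types.int` on the `port = mkOption` line; `types.port` (already in lib) rejects out-of-range values and is the convention used by the other service modules in this merge. The `openFirewall` description should also say that it has no effect while `host` keeps its `localhost` default, because the firewall rule opens a port the daemon is not listening on externally — e.g. `description = "Whether to open the firewall for the specified port. Only meaningful when host is set to a non-loopback address.";`. Finally, `configFile` is installed under `/etc/ankisyncd/` but never passed to `ExecStart`; presumably the daemon reads that path by default, and a one-line comment above `environment.etc."ankisyncd/ankisyncd.conf"` saying so would save the next reader from checking.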
diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix
index 4708e16e2a6c..cf7fb5f78d3d 100644
--- a/nixos/modules/services/misc/autorandr.nix
+++ b/nixos/modules/services/misc/autorandr.nix
@@ -48,5 +48,5 @@ in {
 
   };
 
-  meta.maintainers = with maintainers; [ gnidorah ma27 ];
+  meta.maintainers = with maintainers; [ gnidorah ];
 }
diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix
index d7f7324580c0..d5b3537068d3 100644
--- a/nixos/modules/services/misc/zoneminder.nix
+++ b/nixos/modules/services/misc/zoneminder.nix
@@ -77,6 +77,8 @@ in {
         `config.services.zoneminder.database.createLocally` to true. Otherwise,
         when set to `false` (the default), you will have to create the database
         and database user as well as populate the database yourself.
+        Additionally, you will need to run `zmupdate.pl` yourself when
+        upgrading to a newer version.
       '';
 
       webserver = mkOption {
@@ -330,6 +332,8 @@ in {
             ${config.services.mysql.package}/bin/mysql < ${pkg}/share/zoneminder/db/zm_create.sql
             touch "/var/lib/${dirName}/db-created"
           fi
+
+          ${zoneminder}/bin/zmupdate.pl -nointeractive
         '';
         serviceConfig = {
           User = user;
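Review bot: The added line interpolates `${zoneminder}` while the `mysql < …/zm_create.sql` line two lines above uses `${pkg}` for what looks like the same package; if `zoneminder` is not bound in the enclosing let-block (outside this hunk) evaluation fails, and if it is, `${pkg}/bin/zmupdate.pl -nointeractive` keeps the script consistent. The call also runs on every service start rather than only after an upgrade, so a failure of the migration tool will block unrelated restarts; the existing `db-created` marker pattern above suggests guarding it with a stored-version marker in the same way. The enclosing preStart script starts outside this hunk.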
diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix
index 695a8c42e85e..655a6934a266 100644
--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -135,7 +135,6 @@ in {
 
         serviceConfig.TimeoutStartSec=300;
       };
-      virtualisation.docker.enable = mkDefault true;
     })
   ];
 }
diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix
index b67f697ca0de..6b1a4be44d1d 100644
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@@ -9,12 +9,13 @@ let
 
   # a wrapper that verifies that the configuration is valid
   promtoolCheck = what: name: file:
-    pkgs.runCommand
-      "${name}-${replaceStrings [" "] [""] what}-checked"
-      { buildInputs = [ cfg.package ]; } ''
-    ln -s ${file} $out
-    promtool ${what} $out
-  '';
+    if cfg.checkConfig then
+      pkgs.runCommand
+        "${name}-${replaceStrings [" "] [""] what}-checked"
+        { buildInputs = [ cfg.package ]; } ''
+      ln -s ${file} $out
+      promtool ${what} $out
+    '' else file;
 
   # Pretty-print JSON to a file
   writePrettyJSON = name: x:
@@ -601,6 +602,20 @@ in {
         if Prometheus is served via a reverse proxy).
       '';
     };
+
+    checkConfig = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Check configuration with <literal>promtool
+        check</literal>. The call to <literal>promtool</literal> is
+        subject to sandboxing by Nix. When credentials are stored in
+        external files (<literal>password_file</literal>,
+        <literal>bearer_token_file</literal>, etc), they will not be
+        visible to <literal>promtool</literal> and it will report
+        errors, despite a correct configuration.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 36ebffa44636..f9ad1457fc85 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -29,6 +29,7 @@ let
     "fritzbox"
     "json"
     "mail"
+    "mikrotik"
     "minio"
     "nextcloud"
     "nginx"
@@ -197,13 +198,25 @@ in
 
   config = mkMerge ([{
     assertions = [ {
-      assertion = (cfg.snmp.configurationPath == null) != (cfg.snmp.configuration == null);
+      assertion = cfg.snmp.enable -> (
+        (cfg.snmp.configurationPath == null) != (cfg.snmp.configuration == null)
+      );
       message = ''
         Please ensure you have either `services.prometheus.exporters.snmp.configuration'
           or `services.prometheus.exporters.snmp.configurationPath' set!
       '';
     } {
-      assertion = (cfg.mail.configFile == null) != (cfg.mail.configuration == {});
+      assertion = cfg.mikrotik.enable -> (
+        (cfg.mikrotik.configFile == null) != (cfg.mikrotik.configuration == null)
+      );
+      message = ''
+        Please specify either `services.prometheus.exporters.mikrotik.configuration'
+          or `services.prometheus.exporters.mikrotik.configFile'.
+      '';
+    } {
+      assertion = cfg.mail.enable -> (
+        (cfg.mail.configFile == null) != (cfg.mail.configuration == null)
+      );
       message = ''
         Please specify either 'services.prometheus.exporters.mail.configuration'
           or 'services.prometheus.exporters.mail.configFile'.
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
index 8a90afa99842..fe8d905da3fe 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
@@ -61,7 +61,7 @@ in {
       ExecStart = ''
         ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
           --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
-          --config.file ${adjustedConfigFile} \
+          --config.file ${escapeShellArg adjustedConfigFile} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
       ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
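Review bot: The quoting is applied inconsistently within the same `ExecStart` strings: here `adjustedConfigFile` is wrapped in `escapeShellArg` but `${cfg.listenAddress}` on the line above is not, and the same pattern repeats in the collectd (`cfg.logLevel`), dnsmasq (`cfg.dnsmasqListenAddress`), dovecot (`cfg.telemetryPath`), json (`cfg.url`), postfix (`cfg.systemd.slice`, `cfg.systemd.unit`) and varnish (`cfg.healthPath`) hunks of this merge. Since systemd does not run `ExecStart` through a shell, `escapeShellArg` here mostly protects against whitespace and quote characters in option values, which applies to every free-form `str` option equally; either quote all of them or leave a comment stating which values are considered safe. The `concatStringsSep " \\\n  " cfg.extraFlags` tail is deliberately unquoted and is fine as is.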
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix
index 1cc346418091..972104630275 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix
@@ -66,7 +66,7 @@ in
     serviceConfig = {
       ExecStart = ''
         ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \
-          -log.format ${cfg.logFormat} \
+          -log.format ${escapeShellArg cfg.logFormat} \
           -log.level ${cfg.logLevel} \
           -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
           ${collectSettingsArgs} \
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix b/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
index e9fa26cb1f5a..68afba21d64a 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
@@ -30,7 +30,7 @@ in
         ${pkgs.prometheus-dnsmasq-exporter}/bin/dnsmasq_exporter \
           --listen ${cfg.listenAddress}:${toString cfg.port} \
           --dnsmasq ${cfg.dnsmasqListenAddress} \
-          --leases_path ${cfg.leasesPath} \
+          --leases_path ${escapeShellArg cfg.leasesPath} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
     };
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
index a01074758ff8..aba3533e4395 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
@@ -64,7 +64,7 @@ in
         ${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \
           --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
           --web.telemetry-path ${cfg.telemetryPath} \
-          --dovecot.socket-path ${cfg.socketPath} \
+          --dovecot.socket-path ${escapeShellArg cfg.socketPath} \
           --dovecot.scopes ${concatStringsSep "," cfg.scopes} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/json.nix b/nixos/modules/services/monitoring/prometheus/exporters/json.nix
index 82a55bafc982..bd0026b55f72 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/json.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/json.nix
@@ -27,7 +27,7 @@ in
       ExecStart = ''
         ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \
           --port ${toString cfg.port} \
-          ${cfg.url} ${cfg.configFile} \
+          ${cfg.url} ${escapeShellArg cfg.configFile} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
     };
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
index 7d8c6fb61404..18c5c4dd1623 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
@@ -90,7 +90,7 @@ let
         Timeout until mails are considered "didn't make it".
       '';
     };
-    disableFileDelition = mkOption {
+    disableFileDeletion = mkOption {
       type = types.bool;
       default = false;
       description = ''
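Review bot: Renaming `disableFileDelition` to `disableFileDeletion` breaks any existing configuration that sets the old (misspelled) name, and nothing in this hunk provides a compatibility alias. The usual approach is a `mkRenamedOptionModule` entry for `[ "services" "prometheus" "exporters" "mail" "configuration" "disableFileDelition" ]` → `[ … "disableFileDeletion" ]`; the diffstat shows `nixos/modules/rename.nix` changing in this merge, so if that already covers it a short mention in the commit message would suffice. The enclosing `exporterOptions` submodule starts outside this hunk.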
@@ -127,8 +127,8 @@ in
       '';
     };
     configuration = mkOption {
-      type = types.submodule exporterOptions;
-      default = {};
+      type = types.nullOr (types.submodule exporterOptions);
+      default = null;
       description = ''
         Specify the mailexporter configuration file to use.
       '';
@@ -147,8 +147,9 @@ in
       ExecStart = ''
         ${pkgs.prometheus-mail-exporter}/bin/mailexporter \
           --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
+          --web.telemetry-path ${cfg.telemetryPath} \
           --config.file ${
-            if cfg.configuration != {} then configurationFile else cfg.configFile
+            if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile)
           } \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mikrotik.nix b/nixos/modules/services/monitoring/prometheus/exporters/mikrotik.nix
new file mode 100644
index 000000000000..62c2cc568476
--- /dev/null
+++ b/nixos/modules/services/monitoring/prometheus/exporters/mikrotik.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, options }:
+
+with lib;
+
+let
+  cfg = config.services.prometheus.exporters.mikrotik;
+in
+{
+  port = 9436;
+  extraOpts = {
+    configFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = ''
+        Path to a mikrotik exporter configuration file. Mutually exclusive with
+        <option>configuration</option> option.
+      '';
+      example = literalExample "./mikrotik.yml";
+    };
+
+    configuration = mkOption {
+      type = types.nullOr types.attrs;
+      default = null;
+      description = ''
+        Mikrotik exporter configuration as nix attribute set. Mutually exclusive with
+        <option>configFile</option> option.
+
+        See <link xlink:href="https://github.com/nshttpd/mikrotik-exporter/blob/master/README.md"/>
+        for the description of the configuration file format.
+      '';
+      example = literalExample ''
+        {
+          devices = [
+            {
+              name = "my_router";
+              address = "10.10.0.1";
+              user = "prometheus";
+              password = "changeme";
+            }
+          ];
+          features = {
+            bgp = true;
+            dhcp = true;
+            routes = true;
+            optics = true;
+          };
+        }
+      '';
+    };
+  };
+  serviceOpts = let
+    configFile = if cfg.configFile != null
+                 then cfg.configFile
+                 else "${pkgs.writeText "mikrotik-exporter.yml" (builtins.toJSON cfg.configuration)}";
+    in {
+    serviceConfig = {
+      # -port is misleading name, it actually accepts address too
+      ExecStart = ''
+        ${pkgs.prometheus-mikrotik-exporter}/bin/mikrotik-exporter \
+          -config-file=${escapeShellArg configFile} \
+          -port=${cfg.listenAddress}:${toString cfg.port} \
+          ${concatStringsSep " \\\n  " cfg.extraFlags}
+      '';
+    };
+  };
+}
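Review bot: `configuration` is serialized with `pkgs.writeText` in `serviceOpts`, so the device `password` values shown in the example end up in the world-readable Nix store and in the `ExecStart` command line of the unit; the option description does not say so. Suggested addition to the `configuration` description: `Note that this configuration, including any router credentials, is written to the Nix store and is therefore readable by all local users; use <option>configFile</option> pointing outside the store for production credentials.` The same applies to the snmp exporter's `configuration` option, whose `writeText` call is in the later snmp hunk and whose config typically carries community strings.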
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix
index ab3e3d7d5d50..d6dd62f871bd 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix
@@ -54,8 +54,8 @@ in
         ${pkgs.prometheus-minio-exporter}/bin/minio-exporter \
           -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
           -minio.server ${cfg.minioAddress} \
-          -minio.access-key ${cfg.minioAccessKey} \
-          -minio.access-secret ${cfg.minioAccessSecret} \
+          -minio.access-key ${escapeShellArg cfg.minioAccessKey} \
+          -minio.access-secret ${escapeShellArg cfg.minioAccessSecret} \
           ${optionalString cfg.minioBucketStats "-minio.bucket-stats"} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
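Review bot: Quoting `cfg.minioAccessSecret` does not change that the secret is passed as a command-line argument, where it is readable by every local user through the process list and `systemctl show`; the same holds for `unifiPassword` in the unifi hunk later in this merge. If the exporters support reading credentials from the environment or a file, `EnvironmentFile` or a file-based option (as the nextcloud hunk does with `-p @${cfg.passwordFile}`) would be the fix; otherwise at least the option descriptions should state that the value is visible in the process list. The enclosing `serviceOpts` block starts outside this hunk.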
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix b/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix
index 5f9a52053f79..aee6bd5e66ce 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix
@@ -50,7 +50,7 @@ in
           -u ${cfg.username} \
           -t ${cfg.timeout} \
           -l ${cfg.url} \
-          -p @${cfg.passwordFile} \
+          -p ${escapeShellArg "@${cfg.passwordFile}"} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
     };
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix
index d50564717eaf..3b6ef1631f89 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix
@@ -67,15 +67,15 @@ in
         ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \
           --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
           --web.telemetry-path ${cfg.telemetryPath} \
-          --postfix.showq_path ${cfg.showqPath} \
+          --postfix.showq_path ${escapeShellArg cfg.showqPath} \
           ${concatStringsSep " \\\n  " (cfg.extraFlags
           ++ optional cfg.systemd.enable "--systemd.enable"
           ++ optional cfg.systemd.enable (if cfg.systemd.slice != null
                                           then "--systemd.slice ${cfg.systemd.slice}"
                                           else "--systemd.unit ${cfg.systemd.unit}")
           ++ optional (cfg.systemd.enable && (cfg.systemd.journalPath != null))
-                       "--systemd.journal_path ${cfg.systemd.journalPath}"
-          ++ optional (!cfg.systemd.enable) "--postfix.logfile_path ${cfg.logfilePath}")}
+                       "--systemd.journal_path ${escapeShellArg cfg.systemd.journalPath}"
+          ++ optional (!cfg.systemd.enable) "--postfix.logfile_path ${escapeShellArg cfg.logfilePath}")}
       '';
     };
   };
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix
index fe7ae8a8ac90..045e48a3d0f8 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix
@@ -19,7 +19,7 @@ in
 
     configuration = mkOption {
       type = types.nullOr types.attrs;
-      default = {};
+      default = null;
       description = ''
         Snmp exporter configuration as nix attribute set. Mutually exclusive with 'configurationPath' option.
       '';
@@ -36,15 +36,15 @@ in
     };
 
     logFormat = mkOption {
-      type = types.str;
-      default = "logger:stderr";
+      type = types.enum ["logfmt" "json"];
+      default = "logfmt";
       description = ''
-        Set the log target and format.
+        Output format of log messages.
       '';
     };
 
     logLevel = mkOption {
-      type = types.enum ["debug" "info" "warn" "error" "fatal"];
+      type = types.enum ["debug" "info" "warn" "error"];
       default = "info";
       description = ''
         Only log messages with the given severity or above.
@@ -54,13 +54,13 @@ in
   serviceOpts = let
     configFile = if cfg.configurationPath != null
                  then cfg.configurationPath
-                 else "${pkgs.writeText "snmp-eporter-conf.yml" (builtins.toJSON cfg.configuration)}";
+                 else "${pkgs.writeText "snmp-exporter-conf.yml" (builtins.toJSON cfg.configuration)}";
     in {
     serviceConfig = {
       ExecStart = ''
         ${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \
-          --config.file=${configFile} \
-          --log.format=${cfg.logFormat} \
+          --config.file=${escapeShellArg configFile} \
+          --log.format=${escapeShellArg cfg.logFormat} \
           --log.level=${cfg.logLevel} \
           --web.listen-address=${cfg.listenAddress}:${toString cfg.port} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix
index 9aa0f1b85aac..8d0e8764001c 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix
@@ -55,8 +55,8 @@ in
         ${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \
           -telemetry.addr ${cfg.listenAddress}:${toString cfg.port} \
           -unifi.addr ${cfg.unifiAddress} \
-          -unifi.username ${cfg.unifiUsername} \
-          -unifi.password ${cfg.unifiPassword} \
+          -unifi.username ${escapeShellArg cfg.unifiUsername} \
+          -unifi.password ${escapeShellArg cfg.unifiPassword} \
           -unifi.timeout ${cfg.unifiTimeout} \
           ${optionalString cfg.unifiInsecure "-unifi.insecure" } \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix
index 12153fa021ec..5b5a6e18fcd6 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix
@@ -74,10 +74,10 @@ in
         ${pkgs.prometheus-varnish-exporter}/bin/prometheus_varnish_exporter \
           --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
           --web.telemetry-path ${cfg.telemetryPath} \
-          --varnishstat-path ${cfg.varnishStatPath} \
+          --varnishstat-path ${escapeShellArg cfg.varnishStatPath} \
           ${concatStringsSep " \\\n  " (cfg.extraFlags
             ++ optional (cfg.healthPath != null) "--web.health-path ${cfg.healthPath}"
-            ++ optional (cfg.instance != null) "-n ${cfg.instance}"
+            ++ optional (cfg.instance != null) "-n ${escapeShellArg cfg.instance}"
             ++ optional cfg.noExit "--no-exit"
             ++ optional cfg.withGoMetrics "--with-go-metrics"
             ++ optional cfg.verbose "--verbose"
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
index 374f83a2939d..04421fc2d25a 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
@@ -59,7 +59,7 @@ in {
           ${optionalString cfg.verbose "-v"} \
           ${optionalString cfg.singleSubnetPerField "-s"} \
           ${optionalString cfg.withRemoteIp "-r"} \
-          ${optionalString (cfg.wireguardConfig != null) "-n ${cfg.wireguardConfig}"}
+          ${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"}
       '';
     };
   };
diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index 3fb85b16cbe2..5f8ac96b2292 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -29,17 +29,13 @@ let
   };
 
   # Additional /etc/hosts entries for peers with an associated hostname
-  cjdnsExtraHosts = import (pkgs.runCommand "cjdns-hosts" {}
-    # Generate a builder that produces an output usable as a Nix string value
-    ''
-      exec >$out
-      echo \'\'
-      ${concatStringsSep "\n" (mapAttrsToList (k: v:
-          optionalString (v.hostname != "")
-            "echo $(${pkgs.cjdns}/bin/publictoip6 ${v.publicKey}) ${v.hostname}")
-          (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo))}
-      echo \'\'
-    '');
+  cjdnsExtraHosts = pkgs.runCommandNoCC "cjdns-hosts" {} ''
+    exec >$out
+    ${concatStringsSep "\n" (mapAttrsToList (k: v:
+        optionalString (v.hostname != "")
+          "echo $(${pkgs.cjdns}/bin/publictoip6 ${v.publicKey}) ${v.hostname}")
+        (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo))}
+  '';
 
   parseModules = x:
     x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; };
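Review bot: `v.publicKey` and `v.hostname` are interpolated unquoted into the builder's shell script, while the exporter hunks of this same merge wrap comparable option values in `escapeShellArg`; for consistency and to keep a stray space or quote in a hostname from producing a malformed hosts file, use `"echo $(${pkgs.cjdns}/bin/publictoip6 ${escapeShellArg v.publicKey}) ${escapeShellArg v.hostname}"`. The `k` parameter of the `mapAttrsToList` lambda is unused and could be `_`. The rest of the let-block continues outside this hunk.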
@@ -144,13 +140,15 @@ in
         connectTo = mkOption {
           type = types.attrsOf ( types.submodule ( connectToSubmodule ) );
           default = { };
-          example = {
-            "192.168.1.1:27313" = {
-              hostname = "homer.hype";
-              password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
-              publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
-            };
-          };
+          example = literalExample ''
+            {
+              "192.168.1.1:27313" = {
+                hostname = "homer.hype";
+                password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
+                publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
+              };
+            }
+          '';
           description = ''
             Credentials for making UDP tunnels.
           '';
@@ -189,13 +187,15 @@ in
         connectTo = mkOption {
           type = types.attrsOf ( types.submodule ( connectToSubmodule ) );
           default = { };
-          example = {
-            "01:02:03:04:05:06" = {
-              hostname = "homer.hype";
-              password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
-              publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
-            };
-          };
+          example = literalExample ''
+            {
+              "01:02:03:04:05:06" = {
+                hostname = "homer.hype";
+                password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
+                publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
+              };
+            }
+          '';
           description = ''
             Credentials for connecting look similar to UDP credientials
             except they begin with the mac address.
@@ -278,7 +278,7 @@ in
       };
     };
 
-    networking.extraHosts = mkIf cfg.addExtraHosts cjdnsExtraHosts;
+    networking.hostFiles = mkIf cfg.addExtraHosts [ cjdnsExtraHosts ];
 
     assertions = [
       { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile != null );
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 15aaf7410674..b0045ff795e3 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -546,7 +546,7 @@ in
       options nf_conntrack nf_conntrack_helper=1
     '';
 
-    assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
+    assertions = [ { assertion = cfg.checkReversePath -> kernelHasRPFilter;
                      message = "This kernel does not support rpfilter"; }
                  ];
 
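Review bot: `cfg.checkReversePath -> kernelHasRPFilter` applies `!` to the option value, which is a type error at evaluation if `checkReversePath` still accepts the `"strict"`/`"loose"` string values in addition to booleans (the option declaration is outside this hunk, so this is inferred). `assertion = (cfg.checkReversePath != false) -> kernelHasRPFilter;` preserves the corrected implication for all three values. The removed form was indeed wrong (it was true whenever the check was enabled), so the intent of the change is right.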
diff --git a/nixos/modules/services/networking/freeradius.nix b/nixos/modules/services/networking/freeradius.nix
index e192b70c129c..f3fdd576b65c 100644
--- a/nixos/modules/services/networking/freeradius.nix
+++ b/nixos/modules/services/networking/freeradius.nix
@@ -10,14 +10,15 @@ let
   {
     description = "FreeRadius server";
     wantedBy = ["multi-user.target"];
-    after = ["network-online.target"];
-    wants = ["network-online.target"];
+    after = ["network.target"];
+    wants = ["network.target"];
     preStart = ''
       ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
     '';
 
     serviceConfig = {
-        ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout -xx";
+        ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +
+                    optionalString cfg.debug " -xx";
         ExecReload = [
           "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
           "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
@@ -41,6 +42,16 @@ let
       '';
     };
 
+    debug = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable debug logging for freeradius (-xx
+        option). This should not be left on, since it includes
+        sensitive data such as passwords in the logs.
+      '';
+    };
+
   };
 
 in
@@ -66,6 +77,7 @@ in
     };
 
     systemd.services.freeradius = freeradiusService cfg;
+    warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!";
 
   };
 
diff --git a/nixos/modules/services/networking/haproxy.nix b/nixos/modules/services/networking/haproxy.nix
index aff71e5e97da..4678829986c6 100644
--- a/nixos/modules/services/networking/haproxy.nix
+++ b/nixos/modules/services/networking/haproxy.nix
@@ -26,6 +26,18 @@ with lib;
         '';
       };
 
+      user = mkOption {
+        type = types.str;
+        default = "haproxy";
+        description = "User account under which haproxy runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "haproxy";
+        description = "Group account under which haproxy runs.";
+      };
+
       config = mkOption {
         type = types.nullOr types.lines;
         default = null;
@@ -49,7 +61,8 @@ with lib;
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
-        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.group;
         Type = "notify";
         # when running the config test, don't be quiet so we can see what goes wrong
         ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}";
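Review bot: Replacing `DynamicUser = true` with `User`/`Group` drops the sandboxing that DynamicUser implies (to my understanding `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp` and `NoNewPrivileges`), so the unit, which still holds `CAP_NET_BIND_SERVICE` via `AmbientCapabilities` in the next hunk, now runs with a looser profile than before. Re-adding those directives explicitly next to `User`/`Group` keeps the previous hardening level; `serviceConfig` continues past the end of this hunk.
```nix
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        # hardening that DynamicUser previously implied
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        NoNewPrivileges = true;
        # … unchanged: Type, ExecStartPre, ExecStart …
```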
@@ -60,5 +73,16 @@ with lib;
         AmbientCapabilities = "CAP_NET_BIND_SERVICE";
       };
     };
+
+    users.users = optionalAttrs (cfg.user == "haproxy") {
+      haproxy = {
+        group = cfg.group;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = optionalAttrs (cfg.group == "haproxy") {
+      haproxy = {};
+    };
   };
 }
diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix
index b5403cb747d0..54ff054d84c7 100644
--- a/nixos/modules/services/networking/ntp/ntpd.nix
+++ b/nixos/modules/services/networking/ntp/ntpd.nix
@@ -23,6 +23,8 @@ let
     restrict -6 ::1
 
     ${toString (map (server: "server " + server + " iburst\n") cfg.servers)}
+
+    ${cfg.extraConfig}
   '';
 
   ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup ${toString cfg.extraFlags}";
@@ -81,6 +83,17 @@ in
         '';
       };
 
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        example = ''
+          fudge 127.127.1.0 stratum 10
+        '';
+        description = ''
+          Additional text appended to <filename>ntp.conf</filename>.
+        '';
+      };
+
       extraFlags = mkOption {
         type = types.listOf types.str;
         description = "Extra flags passed to the ntpd command.";
diff --git a/nixos/modules/services/networking/shorewall.nix b/nixos/modules/services/networking/shorewall.nix
index c59a53669158..16383be2530f 100644
--- a/nixos/modules/services/networking/shorewall.nix
+++ b/nixos/modules/services/networking/shorewall.nix
@@ -26,13 +26,14 @@ in {
         description = "The shorewall package to use.";
       };
       configs = lib.mkOption {
-        type        = types.attrsOf types.str;
+        type        = types.attrsOf types.lines;
         default     = {};
         description = ''
           This option defines the Shorewall configs.
           The attribute name defines the name of the config,
           and the attribute value defines the content of the config.
         '';
+        apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
       };
     };
   };
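Review bot: The `apply` added under `configs` changes what other modules see when they read `config.services.shorewall.configs.<name>`: the declared type is `attrsOf lines`, but the applied value is a store path from `pkgs.writeText`, while the description still says the attribute value is the content of the config. The description should state this, e.g. `The attribute value is the content of the config; it is written to the Nix store and the option evaluates to that file's path.` Note also that `writeText "${name}"` turns the config name into a store-path name, so a name containing characters that are not valid there (such as `/`) now fails at evaluation instead of producing `/etc/shorewall/<name>` as before. The same hunk appears in shorewall6.nix.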
@@ -62,7 +63,7 @@ in {
       '';
     };
     environment = {
-      etc = lib.mapAttrs' (name: conf: lib.nameValuePair "shorewall/${name}" {text=conf;}) cfg.configs;
+      etc = lib.mapAttrs' (name: conf: lib.nameValuePair "shorewall/${name}" {source=conf;}) cfg.configs;
       systemPackages = [ cfg.package ];
     };
   };
diff --git a/nixos/modules/services/networking/shorewall6.nix b/nixos/modules/services/networking/shorewall6.nix
index 374e407cc7a1..e081aedc6c34 100644
--- a/nixos/modules/services/networking/shorewall6.nix
+++ b/nixos/modules/services/networking/shorewall6.nix
@@ -26,13 +26,14 @@ in {
         description = "The shorewall package to use.";
       };
       configs = lib.mkOption {
-        type        = types.attrsOf types.str;
+        type        = types.attrsOf types.lines;
         default     = {};
         description = ''
           This option defines the Shorewall configs.
           The attribute name defines the name of the config,
           and the attribute value defines the content of the config.
         '';
+        apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
       };
     };
   };
@@ -62,7 +63,7 @@ in {
       '';
     };
     environment = {
-      etc = lib.mapAttrs' (name: conf: lib.nameValuePair "shorewall6/${name}" {text=conf;}) cfg.configs;
+      etc = lib.mapAttrs' (name: conf: lib.nameValuePair "shorewall6/${name}" {source=conf;}) cfg.configs;
       systemPackages = [ cfg.package ];
     };
   };
diff --git a/nixos/modules/services/networking/vsftpd.nix b/nixos/modules/services/networking/vsftpd.nix
index 47990dbb3772..b3e201844236 100644
--- a/nixos/modules/services/networking/vsftpd.nix
+++ b/nixos/modules/services/networking/vsftpd.nix
@@ -133,8 +133,8 @@ let
       ${optionalString cfg.enableVirtualUsers ''
         guest_enable=YES
         guest_username=vsftpd
-        pam_service_name=vsftpd
       ''}
+      pam_service_name=vsftpd
       ${cfg.extraConfig}
     '';
 
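Review bot: Moving `pam_service_name=vsftpd` out of the `enableVirtualUsers` block means local (non-virtual) logins now also authenticate through the `vsftpd` PAM service rather than vsftpd's compiled-in default, so the module must define `security.pam.services.vsftpd` unconditionally; that definition is outside this hunk, and if it is still gated on `enableVirtualUsers`, local logins would fail with a missing PAM service. A one-line comment would help the next reader, e.g. `# always use the NixOS-managed PAM service, also for local (non-virtual) users`. The enclosing config-file string starts and ends outside the hunk.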
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index ff8e54a1ce20..e8f83f6dd8bf 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -428,7 +428,7 @@ in
       ++ (attrValues (
         mapAttrs (name: value: {
           assertion = value.generatePrivateKeyFile -> (value.privateKey == null);
-          message = "networking.wireguard.interfaces.${name}.generatePrivateKey must not be set if networking.wireguard.interfaces.${name}.privateKey is set.";
+          message = "networking.wireguard.interfaces.${name}.generatePrivateKeyFile must not be set if networking.wireguard.interfaces.${name}.privateKey is set.";
         }) cfg.interfaces))
         ++ map ({ interfaceName, peer, ... }: {
           assertion = (peer.presharedKey == null) || (peer.presharedKeyFile == null);
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index cac5c042ec16..c59ca9983a6c 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@@ -51,6 +51,7 @@ in {
       conflicts = [ "getty@tty1.service" ];
 
       restartIfChanged = false;
+      unitConfig.ConditionPathExists = "/dev/tty1";
       serviceConfig = {
         ExecStart = ''
           ${pkgs.cage}/bin/cage \
@@ -59,7 +60,6 @@ in {
         '';
         User = cfg.user;
 
-        ConditionPathExists = "/dev/tty1";
         IgnoreSIGPIPE = "no";
 
         # Log this user with utmp, letting it show up with commands 'w' and
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index c8602e5975b3..28b433104a1c 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -87,10 +87,17 @@ let
       ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
 
       ${optionalString (cfg.recommendedTlsSettings) ''
-        ssl_session_cache shared:SSL:42m;
-        ssl_session_timeout 23m;
-        ssl_ecdh_curve secp384r1;
-        ssl_prefer_server_ciphers on;
+        # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
+
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:SSL:10m;
+        # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
+        ssl_session_tickets off;
+        # We don't enable insecure ciphers by default, so this allows
+        # clients to pick the most performant, per https://github.com/mozilla/server-side-tls/issues/260
+        ssl_prefer_server_ciphers off;
+
+        # OCSP stapling
         ssl_stapling on;
         ssl_stapling_verify on;
       ''}
@@ -487,8 +494,9 @@ in
 
       sslCiphers = mkOption {
         type = types.str;
-        default = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
-        description = "Ciphers to choose from when negotiating tls handshakes.";
+        # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
+        default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+        description = "Ciphers to choose from when negotiating TLS handshakes.";
       };
 
       sslProtocols = mkOption {
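Review bot: The new `sslCiphers` default includes the `DHE-RSA-*` suites from the Mozilla intermediate profile, but that profile also assumes `ssl_dhparam` points at the ffdhe2048 group; nginx since 1.11.0 uses no built-in DH parameters, so with `sslDhparam` left at null (see the `ssl_dhparam` line in the first hunk) the DHE suites are never offered and only the ECDHE suites are effective. Either document that next to the `# Keep in sync` comment, e.g. `# DHE-RSA suites only take effect when sslDhparam is set (Mozilla uses the ffdhe2048 group)`, or consider shipping a dhparam together with `recommendedTlsSettings`. The list also only governs TLS 1.2 (TLS 1.3 suites are configured separately), and since it is far stricter than the previous default (no CBC/SHA1 suites) it should be called out as a client-compatibility change in the release notes, which this merge touches but are not visible here.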
diff --git a/nixos/modules/services/web-servers/uwsgi.nix b/nixos/modules/services/web-servers/uwsgi.nix
index 3481b5e60403..4b74c329e3dc 100644
--- a/nixos/modules/services/web-servers/uwsgi.nix
+++ b/nixos/modules/services/web-servers/uwsgi.nix
@@ -32,7 +32,7 @@ let
               inherit plugins;
             } // removeAttrs c [ "type" "pythonPackages" ]
               // optionalAttrs (python != null) {
-                pythonpath = "${pythonEnv}/${python.sitePackages}";
+                pyhome = "${pythonEnv}";
                 env =
                   # Argh, uwsgi expects list of key-values there instead of a dictionary.
                   let env' = c.env or [];
diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix
new file mode 100644
index 000000000000..a9ba8e6280d6
--- /dev/null
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix
@@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  dmcfg = config.services.xserver.displayManager;
+  ldmcfg = dmcfg.lightdm;
+  cfg = ldmcfg.greeters.tiny;
+
+in
+{
+  options = {
+
+    services.xserver.displayManager.lightdm.greeters.tiny = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable lightdm-tiny-greeter as the lightdm greeter.
+
+          Note that this greeter starts only the default X session.
+          You can configure the default X session using
+          <xref linkend="opt-services.xserver.displayManager.defaultSession"/>.
+        '';
+      };
+
+      label = {
+        user = mkOption {
+          type = types.str;
+          default = "Username";
+          description = ''
+            The string to represent the user_text label.
+          '';
+        };
+
+        pass = mkOption {
+          type = types.str;
+          default = "Password";
+          description = ''
+            The string to represent the pass_text label.
+          '';
+        };
+      };
+
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Section to describe style and ui.
+        '';
+      };
+
+    };
+
+  };
+
+  config = mkIf (ldmcfg.enable && cfg.enable) {
+
+    services.xserver.displayManager.lightdm.greeters.gtk.enable = false;
+
+    nixpkgs.config.lightdm-tiny-greeter.conf =
+    let
+      configHeader = ''
+        #include <gtk/gtk.h>
+        static const char *user_text = "${cfg.label.user}";
+        static const char *pass_text = "${cfg.label.pass}";
+        static const char *session = "${dmcfg.defaultSession}";
+      '';
+    in
+      optionalString (cfg.extraConfig != "")
+        (configHeader + cfg.extraConfig);
+
+    services.xserver.displayManager.lightdm.greeter =
+      mkDefault {
+        package = pkgs.lightdm-tiny-greeter.xgreeters;
+        name = "lightdm-tiny-greeter";
+      };
+
+    assertions = [
+      {
+        assertion = dmcfg.defaultSession != null;
+        message = ''
+          Please set: services.xserver.displayManager.defaultSession
+        '';
+      }
+    ];
+
+  };
+}
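Review bot: The label and session values are interpolated straight into C string literals in `configHeader`, so a `"` or `\` in `label.user`/`label.pass` (or in a session name) breaks or alters the generated source; escape them, e.g. with `lib.escape [ "\\" "\"" ]`. Separately, the header is only emitted when `extraConfig` is non-empty, so a user who sets only the labels, or relies on `defaultSession` being honoured, silently gets the package's built-in config instead — unless that is intended, drop the `optionalString` guard and always emit the header. The `defaultSession != null` assertion is also only reported once evaluation reaches `config.assertions`; the `"${dmcfg.defaultSession}"` interpolation may raise a coercion error first when it is null.
```nix
    nixpkgs.config.lightdm-tiny-greeter.conf =
    let
      # Escape backslashes and double quotes so the values stay inside the C string literal.
      cstr = lib.escape [ "\\" "\"" ];
      configHeader = ''
        #include <gtk/gtk.h>
        static const char *user_text = "${cstr cfg.label.user}";
        static const char *pass_text = "${cstr cfg.label.pass}";
        static const char *session = "${cstr dmcfg.defaultSession}";
      '';
    in
      configHeader + cfg.extraConfig;
```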
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index f7face0adb7e..cb7b5f959588 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -77,6 +77,7 @@ in
     ./lightdm-greeters/mini.nix
     ./lightdm-greeters/enso-os.nix
     ./lightdm-greeters/pantheon.nix
+    ./lightdm-greeters/tiny.nix
   ];
 
   options = {
diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl
index 641cf9faadc9..b82d69b3bb85 100644
--- a/nixos/modules/system/activation/switch-to-configuration.pl
+++ b/nixos/modules/system/activation/switch-to-configuration.pl
@@ -183,7 +183,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
             # active after the system has resumed, which probably
             # should not be the case.  Just ignore it.
             if ($unit ne "suspend.target" && $unit ne "hibernate.target" && $unit ne "hybrid-sleep.target") {
-                unless (boolIsTrue($unitInfo->{'RefuseManualStart'} // "no")) {
+                unless (boolIsTrue($unitInfo->{'RefuseManualStart'} // "no") || boolIsTrue($unitInfo->{'X-OnlyManualStart'} // "no")) {
                     $unitsToStart{$unit} = 1;
                     recordUnit($startListFile, $unit);
                     # Don't spam the user with target units that always get started.
@@ -222,7 +222,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
                     $unitsToReload{$unit} = 1;
                     recordUnit($reloadListFile, $unit);
                 }
-                elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes") || boolIsTrue($unitInfo->{'RefuseManualStop'} // "no") ) {
+                elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes") || boolIsTrue($unitInfo->{'RefuseManualStop'} // "no") || boolIsTrue($unitInfo->{'X-OnlyManualStart'} // "no")) {
                     $unitsToSkip{$unit} = 1;
                 } else {
                     if (!boolIsTrue($unitInfo->{'X-StopIfChanged'} // "yes")) {
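Review bot: The same `boolIsTrue($unitInfo->{'X-OnlyManualStart'} // "no")` test is now spelled out twice, in the start decision of the previous hunk and in the restart/skip decision here; a small helper such as `sub onlyManualStart { boolIsTrue($_[0]->{'X-OnlyManualStart'} // "no") }` would keep the two in sync and make the already long `elsif` readable. This hunk also puts a changed unit carrying the flag into `%unitsToSkip`, i.e. it is neither restarted nor reloaded, which deserves a comment next to the existing `X-RestartIfChanged` handling since the flag's meaning is defined by the module that emits it, outside this file. The enclosing `while` loop starts and ends outside both hunks.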
diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index f67d29005616..14bd751ce324 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -15,6 +15,7 @@ let
     map (childConfig:
       (import ../../../lib/eval-config.nix {
         inherit baseModules;
+        system = config.nixpkgs.initialSystem;
         modules =
            (optionals inheritParent modules)
         ++ [ ./no-clone.nix ]
diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix
index 57ade2880962..1f4d54a1ae20 100644
--- a/nixos/modules/system/etc/etc.nix
+++ b/nixos/modules/system/etc/etc.nix
@@ -94,7 +94,7 @@ in
               default = 0;
               type = types.int;
               description = ''
-                UID of created file. Only takes affect when the file is
+                UID of created file. Only takes effect when the file is
                 copied (that is, the mode is not 'symlink').
                 '';
             };
@@ -103,7 +103,7 @@ in
               default = 0;
               type = types.int;
               description = ''
-                GID of created file. Only takes affect when the file is
+                GID of created file. Only takes effect when the file is
                 copied (that is, the mode is not 'symlink').
               '';
             };
@@ -113,7 +113,7 @@ in
               type = types.str;
               description = ''
                 User name of created file.
-                Only takes affect when the file is copied (that is, the mode is not 'symlink').
+                Only takes effect when the file is copied (that is, the mode is not 'symlink').
                 Changing this option takes precedence over <literal>uid</literal>.
               '';
             };
@@ -123,7 +123,7 @@ in
               type = types.str;
               description = ''
                 Group name of created file.
-                Only takes affect when the file is copied (that is, the mode is not 'symlink').
+                Only takes effect when the file is copied (that is, the mode is not 'symlink').
                 Changing this option takes precedence over <literal>gid</literal>.
               '';
             };
diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix
index 7fe066991918..bfc1e301efaf 100644
--- a/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixos/modules/tasks/auto-upgrade.nix
@@ -63,6 +63,19 @@ let cfg = config.system.autoUpgrade; in
         '';
       };
 
+      randomizedDelaySec = mkOption {
+        default = "0";
+        type = types.str;
+        example = "45min";
+        description = ''
+          Add a randomized delay before each automatic upgrade.
+          The delay will be chozen between zero and this value.
+          This value must be a time span in the format specified by
+          <citerefentry><refentrytitle>systemd.time</refentrytitle>
+          <manvolnum>7</manvolnum></citerefentry>
+        '';
+      };
+
     };
 
   };
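Review bot: The description of `randomizedDelaySec` has a typo, `chozen` → `chosen`, and it should say what the default means, e.g. `The default "0" disables the randomized delay.` It could also mention that the value is passed through to the timer's `RandomizedDelaySec=` (set in the next hunk), so exactly the values accepted by that systemd setting are valid here.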
@@ -109,6 +122,8 @@ let cfg = config.system.autoUpgrade; in
       startAt = cfg.dates;
     };
 
+    systemd.timers.nixos-upgrade.timerConfig.RandomizedDelaySec = cfg.randomizedDelaySec;
+
   };
 
 }
diff --git a/nixos/modules/tasks/filesystems/btrfs.nix b/nixos/modules/tasks/filesystems/btrfs.nix
index 48be18c71021..f64493e1a3c7 100644
--- a/nixos/modules/tasks/filesystems/btrfs.nix
+++ b/nixos/modules/tasks/filesystems/btrfs.nix
@@ -118,12 +118,17 @@ in
           fs' = utils.escapeSystemdPath fs;
         in nameValuePair "btrfs-scrub-${fs'}" {
           description = "btrfs scrub on ${fs}";
+          # scrub prevents suspend2ram or proper shutdown
+          conflicts = [ "shutdown.target" "sleep.target" ];
+          before = [ "shutdown.target" "sleep.target" ];
 
           serviceConfig = {
-            Type = "oneshot";
+            # simple and not oneshot, otherwise ExecStop is not used
+            Type = "simple";
             Nice = 19;
             IOSchedulingClass = "idle";
             ExecStart = "${pkgs.btrfs-progs}/bin/btrfs scrub start -B ${fs}";
+            ExecStop  = "${pkgs.btrfs-progs}/bin/btrfs scrub cancel ${fs}";
           };
         };
       in listToAttrs (map scrubService cfgScrub.fileSystems);
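Review bot: The new `ExecStop` runs `btrfs scrub cancel` whenever the unit stops, which under `Type = "simple"` also happens after the scrub has finished on its own; if `cancel` exits non-zero when no scrub is running, the unit may end up failed after every normal run, so consider ignoring its exit status with `ExecStop = "-${pkgs.btrfs-progs}/bin/btrfs scrub cancel ${fs}";`. The comment on `Type` could also say why the change matters, e.g. `# simple, not oneshot: ExecStop must run so the scrub is cancelled on shutdown/sleep`. The enclosing `scrubService` function starts outside the hunk.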
diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix
index 36ef6d17df69..0902d2dc2cb0 100644
--- a/nixos/modules/virtualisation/kvmgt.nix
+++ b/nixos/modules/virtualisation/kvmgt.nix
@@ -19,7 +19,8 @@ in {
     virtualisation.kvmgt = {
       enable = mkEnableOption ''
         KVMGT (iGVT-g) VGPU support. Allows Qemu/KVM guests to share host's Intel integrated graphics card.
-        Currently only one graphical device can be shared
+        Currently only one graphical device can be shared. To allow users to access the device without root add them
+        to the kvm group: <literal>users.extraUsers.&lt;yourusername&gt;.extraGroups = [ "kvm" ];</literal>
       '';
       # multi GPU support is under the question
       device = mkOption {
@@ -35,9 +36,7 @@ in {
           and find info about device via <command>cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description</command>
         '';
         example = {
-          i915-GVTg_V5_8 = {
-            uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525";
-          };
+          i915-GVTg_V5_8.uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525";
         };
       };
     };
@@ -50,10 +49,7 @@ in {
     };
 
     boot.kernelModules = [ "kvmgt" ];
-
-    boot.extraModprobeConfig = ''
-      options i915 enable_gvt=1
-    '';
+    boot.kernelParams = [ "i915.enable_gvt=1" ];
 
     systemd.paths = mapAttrs' (name: value:
       nameValuePair "kvmgt-${name}" {
@@ -65,6 +61,10 @@ in {
       }
     ) cfg.vgpus;
 
+    services.udev.extraRules = ''
+      SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"
+    '';
+
     systemd.services = mapAttrs' (name: value:
       nameValuePair "kvmgt-${name}" {
         description = "KVMGT VGPU ${name}";
diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix
index 54dd97e5b139..51b472fcf9ce 100644
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@@ -137,5 +137,22 @@ import ./make-test-python.nix ({ pkgs, ... }: {
             # Ensure the two output paths (ls and hello) are in the layer
             "docker run bulk-layer ls /bin/hello",
         )
+
+    with subtest("Ensure correct behavior when no store is needed"):
+        # This check tests two requirements simultaneously
+        #  1. buildLayeredImage can build images that don't need a store.
+        #  2. Layers of symlinks are eliminated by the customization layer.
+        #
+        docker.succeed(
+            "docker load --input='${pkgs.dockerTools.examples.no-store-paths}'"
+        )
+
+        # Busybox will not recognize argv[0] and print an error message with argv[0],
+        # but it confirms that the custom-true symlink is present.
+        docker.succeed("docker run --rm no-store-paths custom-true |& grep custom-true")
+
+        # This check may be loosened to allow an *empty* store rather than *no* store.
+        docker.succeed("docker run --rm no-store-paths ls /")
+        docker.fail("docker run --rm no-store-paths ls /nix/store")
   '';
 })
diff --git a/nixos/tests/kubernetes/dns.nix b/nixos/tests/kubernetes/dns.nix
index 46bcb01a5265..638942e15407 100644
--- a/nixos/tests/kubernetes/dns.nix
+++ b/nixos/tests/kubernetes/dns.nix
@@ -3,8 +3,6 @@ with import ./base.nix { inherit system; };
 let
   domain = "my.zyx";
 
-  certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };
-
   redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
     kind = "Pod";
     apiVersion = "v1";
diff --git a/nixos/tests/nesting.nix b/nixos/tests/nesting.nix
index 6388b67a6e40..a75806b24ff6 100644
--- a/nixos/tests/nesting.nix
+++ b/nixos/tests/nesting.nix
@@ -29,10 +29,10 @@ import ./make-test-python.nix {
         )
         clone.succeed("cowsay hey")
         clone.succeed("hello")
-    
-        children.wait_for_unit("default.target")
-        children.succeed("cowsay hey")
-        children.fail("hello")
+
+    children.wait_for_unit("default.target")
+    children.succeed("cowsay hey")
+    children.fail("hello")
 
     with subtest("Nested children do not inherit from parent"):
         children.succeed(
diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix
index 3d0d00bfbe63..4fc3668cfafb 100644
--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
@@ -224,7 +224,7 @@ let
           after = [ "postfix.service" ];
           requires = [ "postfix.service" ];
           preStart = ''
-            mkdir -p 0600 mail-exporter/new
+            mkdir -p -m 0700 mail-exporter/new
           '';
           serviceConfig = {
             ProtectHome = true;
@@ -245,6 +245,46 @@ let
       '';
     };
 
+    mikrotik = {
+      exporterConfig = {
+        enable = true;
+        extraFlags = [ "-timeout=1s" ];
+        configuration = {
+          devices = [
+            {
+              name = "router";
+              address = "192.168.42.48";
+              user = "prometheus";
+              password = "shh";
+            }
+          ];
+          features = {
+            bgp = true;
+            dhcp = true;
+            dhcpl = true;
+            dhcpv6 = true;
+            health = true;
+            routes = true;
+            poe = true;
+            pools = true;
+            optics = true;
+            w60g = true;
+            wlansta = true;
+            wlanif = true;
+            monitor = true;
+            ipsec = true;
+          };
+        };
+      };
+      exporterTest = ''
+        wait_for_unit("prometheus-mikrotik-exporter.service")
+        wait_for_open_port(9436)
+        succeed(
+            "curl -sSf http://localhost:9436/metrics | grep -q 'mikrotik_scrape_collector_success{device=\"router\"} 0'"
+        )
+      '';
+    };
+
     nextcloud = {
       exporterConfig = {
         enable = true;
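Review bot: The mikrotik fixture puts the router `password` into `configuration`, which — if the exporter module renders that attribute set to a file in the Nix store like other exporters do — makes the credential world-readable on the host; harmless for a test with a dummy value, but the test is the natural place to also cover a file-based credential path if the module offers one. The assertion only checks `mikrotik_scrape_collector_success{device="router"} 0`, i.e. that scraping the unreachable `192.168.42.48` failed within the 1s timeout; a comment saying that is intended, e.g. `# no router in the test network: the scrape is expected to fail, which still proves the exporter serves metrics`, would stop a future reader from "fixing" the expected value to 1.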
@@ -363,6 +403,7 @@ let
       };
       metricProvider = {
         services.rspamd.enable = true;
+        virtualisation.memorySize = 1024;
       };
       exporterTest = ''
         wait_for_unit("rspamd.service")
diff --git a/nixos/tests/signal-desktop.nix b/nixos/tests/signal-desktop.nix
index ae141fe116de..e4b830e9e237 100644
--- a/nixos/tests/signal-desktop.nix
+++ b/nixos/tests/signal-desktop.nix
@@ -17,6 +17,7 @@ import ./make-test-python.nix ({ pkgs, ...} :
     services.xserver.enable = true;
     test-support.displayManager.auto.user = "alice";
     environment.systemPackages = [ pkgs.signal-desktop ];
+    virtualisation.memorySize = 1024;
   };
 
   enableOCR = true;