authorJan Tojnar <jtojnar@gmail.com>2018-12-16 22:55:06 +0100
committerJan Tojnar <jtojnar@gmail.com>2018-12-16 22:55:06 +0100
commitaead6e12f96a76a2c1c6b64ba81b18d647e6e3d0 (patch)
treeaff35e8cfa837fd92319e23951493431b3d2dacc /nixos
parent4027966602c1d3bfac7091e390c2cf678115d59f (diff)
parenteceb2b06a1bd012a938697718c5f3b7b6fd9249a (diff)
Merge remote-tracking branch 'upstream/master' into staging
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1903.xml71
-rw-r--r--nixos/modules/hardware/video/nvidia.nix4
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/bash/bash.nix2
-rw-r--r--nixos/modules/programs/zsh/zsh-autosuggestions.nix8
-rw-r--r--nixos/modules/services/computing/slurm/slurm.nix14
-rw-r--r--nixos/modules/services/databases/openldap.nix9
-rw-r--r--nixos/modules/services/hardware/lirc.nix13
-rw-r--r--nixos/modules/services/misc/nscd-sssd.conf36
-rw-r--r--nixos/modules/services/misc/sssd.nix1
-rw-r--r--nixos/modules/services/monitoring/grafana.nix5
-rw-r--r--nixos/modules/services/networking/networkmanager.nix2
-rw-r--r--nixos/modules/services/system/nscd.conf34
-rw-r--r--nixos/modules/services/web-apps/nextcloud.nix2
-rw-r--r--nixos/modules/services/web-apps/nextcloud.xml99
-rw-r--r--nixos/modules/services/web-apps/quassel-webserver.nix101
-rw-r--r--nixos/modules/services/web-servers/apache-httpd/limesurvey.nix2
-rw-r--r--nixos/modules/services/web-servers/apache-httpd/owncloud.nix608
-rw-r--r--nixos/modules/services/web-servers/nginx/vhost-options.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome3.nix24
-rw-r--r--nixos/modules/services/x11/display-managers/default.nix13
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/sddm.nix3
-rw-r--r--nixos/modules/system/boot/systemd-nspawn.nix13
-rw-r--r--nixos/modules/system/boot/systemd.nix25
-rw-r--r--nixos/tests/all-tests.nix4
-rw-r--r--nixos/tests/borgbackup.nix3
-rw-r--r--nixos/tests/clamav.nix37
-rw-r--r--nixos/tests/gitlab.nix2
-rw-r--r--nixos/tests/gnome3-gdm.nix32
-rw-r--r--nixos/tests/gnome3.nix4
-rw-r--r--nixos/tests/i3wm.nix2
-rw-r--r--nixos/tests/kubernetes/base.nix2
-rw-r--r--nixos/tests/kubernetes/kubernetes-common.nix1
-rw-r--r--nixos/tests/owncloud.nix39
-rw-r--r--nixos/tests/slurm.nix7
-rw-r--r--nixos/tests/systemd.nix5
-rw-r--r--nixos/tests/xmonad.nix2
38 files changed, 386 insertions, 848 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index 65cc166c9a07..69e94fbccc5c 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -247,6 +247,65 @@
   </listitem>
   <listitem>
    <para>
+     The <literal>nscd</literal> service now disables all caching of
+     <literal>passwd</literal> and <literal>group</literal> databases by
+     default. This was interferring with the correct functioning of the
+     <literal>libnss_systemd.so</literal> module which is used by
+     <literal>systemd</literal> to manage uids and usernames in the presence of
+     <literal>DynamicUser=</literal> in systemd services.  This was already the
+     default behaviour in presence of <literal>services.sssd.enable =
+       true</literal> because nscd caching would interfere with
+     <literal>sssd</literal> in unpredictable ways as well.  Because we're
+     using nscd not for caching, but for convincing glibc to find NSS modules
+     in the nix store instead of an absolute path, we have decided to disable
+     caching globally now, as it's usually not the behaviour the user wants and
+     can lead to surprising behaviour.  Furthermore, negative caching of host
+     lookups is also disabled now by default. This should fix the issue of dns
+     lookups failing in the presence of an unreliable network.
+   </para>
+   <para>
+     If the old behaviour is desired, this can be restored by setting
+     the <literal>services.nscd.config</literal> option
+     with the desired caching parameters.
+     <programlisting>
+     services.nscd.config =
+     ''
+     server-user             nscd
+     threads                 1
+     paranoia                no
+     debug-level             0
+
+     enable-cache            passwd          yes
+     positive-time-to-live   passwd          600
+     negative-time-to-live   passwd          20
+     suggested-size          passwd          211
+     check-files             passwd          yes
+     persistent              passwd          no
+     shared                  passwd          yes
+
+     enable-cache            group           yes
+     positive-time-to-live   group           3600
+     negative-time-to-live   group           60
+     suggested-size          group           211
+     check-files             group           yes
+     persistent              group           no
+     shared                  group           yes
+
+     enable-cache            hosts           yes
+     positive-time-to-live   hosts           600
+     negative-time-to-live   hosts           5
+     suggested-size          hosts           211
+     check-files             hosts           yes
+     persistent              hosts           no
+     shared                  hosts           yes
+     '';
+     </programlisting>
+     See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
+     for details.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
      GitLab Shell previously used the nix store paths for the
      <literal>gitlab-shell</literal> command in its
      <literal>authorized_keys</literal> file, which might stop working after
@@ -299,6 +358,18 @@
       <option>services.kubernetes.addons.dns.replicas</option>.
     </para>
    </listitem>
+   <listitem>
+     <para>
+       The quassel-webserver package and module was removed from nixpkgs due to the lack
+       of maintainers.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The owncloud server packages and httpd subservice module were removed
+       from nixpkgs due to the lack of maintainers.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 </section>
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix
index 21e12395498c..b680c3c1ccb5 100644
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@@ -101,8 +101,8 @@ in
   config = mkIf enabled {
     assertions = [
       {
-        assertion = config.services.xserver.displayManager.gdm.wayland;
-        message = "NVIDIA drivers don't support wayland";
+        assertion = with config.services.xserver.displayManager; gdm.enable -> !gdm.wayland;
+        message = "NVIDIA drivers don't support wayland, set services.xserver.displayManager.gdm.wayland=false";
       }
       {
         assertion = !optimusCfg.enable ||
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a02352a2b93c..d0f0844ba8a3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -715,7 +715,6 @@
   ./services/web-apps/restya-board.nix
   ./services/web-apps/tt-rss.nix
   ./services/web-apps/selfoss.nix
-  ./services/web-apps/quassel-webserver.nix
   ./services/web-apps/virtlyst.nix
   ./services/web-apps/youtrack.nix
   ./services/web-servers/apache-httpd/default.nix
diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix
index d325fff6a572..2b01c9d26c41 100644
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@@ -98,7 +98,7 @@ in
           if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
             PROMPT_COLOR="1;31m"
             let $UID && PROMPT_COLOR="1;32m"
-            PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
+            PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
             if test "$TERM" = "xterm"; then
               PS1="\[\033]2;\h:\u:\w\007\]$PS1"
             fi
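Review bot: The new `PS1` line ends the prompt with `\$` where the old line had `\\$`. Inside a double-quoted bash string `\$` collapses to a literal `$` before prompt expansion sees it, so a root shell would apparently no longer show `#`. Unless that was intended, keep the doubled backslash: `\u@\h:\w]\\$\[\033[0m\] "`. The same line now emits a window-title sequence (`\e]0;…\a`) for every non-dumb terminal, while the `xterm` branch just below still prepends its own `\033]2;` title sequence, so one of the two looks redundant. The enclosing `if` block ends outside the hunk.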
diff --git a/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixos/modules/programs/zsh/zsh-autosuggestions.nix
index 416f4c9c6751..ded17f38a618 100644
--- a/nixos/modules/programs/zsh/zsh-autosuggestions.nix
+++ b/nixos/modules/programs/zsh/zsh-autosuggestions.nix
@@ -18,13 +18,13 @@ in
     };
 
     strategy = mkOption {
-      type = types.enum [ "default" "match_prev_cmd" ];
-      default = "default";
+      type = types.enum [ "history" "match_prev_cmd" ];
+      default = "history";
       description = ''
         Set ZSH_AUTOSUGGEST_STRATEGY to choose the strategy for generating suggestions.
         There are currently two to choose from:
 
-          * default: Chooses the most recent match.
+          * history: Chooses the most recent match.
           * match_prev_cmd: Chooses the most recent match whose preceding history item matches
             the most recently executed command (more info). Note that this strategy won't work as
             expected with ZSH options that don't preserve the history order such as
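Review bot: Replacing the enum value `"default"` with `"history"` means any existing configuration that sets `strategy = "default"` will now fail type checking, and the release-notes hunks visible in this commit do not mention it. Either keep `"default"` as an accepted value that maps to `"history"`, or add a release-note entry telling users to rename it. The next hunk switches to `export ZSH_AUTOSUGGEST_STRATEGY=("${cfg.strategy}")`; it is worth confirming that the array form inside `export` behaves as expected on the zsh version shipped. The option's description continues outside the hunk.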
@@ -51,7 +51,7 @@ in
       source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
 
       export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="${cfg.highlightStyle}"
-      export ZSH_AUTOSUGGEST_STRATEGY="${cfg.strategy}"
+      export ZSH_AUTOSUGGEST_STRATEGY=("${cfg.strategy}")
 
       ${concatStringsSep "\n" (mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)}
     '';
diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix
index cd481212db2d..d1a1383e45b0 100644
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@@ -46,7 +46,7 @@ let
   # in the same directory as slurm.conf
   etcSlurm = pkgs.symlinkJoin {
     name = "etc-slurm";
-    paths = [ configFile cgroupConfig plugStackConfig ];
+    paths = [ configFile cgroupConfig plugStackConfig ] ++ cfg.extraConfigPaths;
   };
 
 in
@@ -239,6 +239,17 @@ in
         '';
       };
 
+      extraConfigPaths = mkOption {
+        type = with types; listOf path;
+        default = [];
+        description = ''
+          Slurm expects config files for plugins in the same path
+          as <literal>slurm.conf</literal>. Add extra nix store
+          paths that should be merged into same directory as
+          <literal>slurm.conf</literal>.
+        '';
+      };
+
 
     };
 
@@ -303,6 +314,7 @@ in
 
       serviceConfig = {
         Type = "forking";
+        KillMode = "process";
         ExecStart = "${wrappedSlurm}/bin/slurmd";
         PIDFile = "/run/slurmd.pid";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
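Review bot: `KillMode = "process"` is added without a comment, although it changes stop behaviour noticeably: systemd will signal only the main `slurmd` process and leave the other processes in the unit's control group running. If the intent is to let running job steps survive a `slurmd` restart, say so next to the setting, e.g. `# stop only slurmd itself; job step processes must survive a restart`. Operators should also know that stopping the unit no longer guarantees that everything it started has exited. The `serviceConfig` block continues outside the hunk.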
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 9f2bf5ef8a9c..e996211be7da 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -54,6 +54,13 @@ in
         description = "The database directory.";
       };
 
+      logLevel = mkOption {
+        type = types.str;
+        default = "0";
+        example = "acl trace";
+        description = "The log level selector of slapd.";
+      };
+
       configDir = mkOption {
         type = types.nullOr types.path;
         default = null;
@@ -139,7 +146,7 @@ in
         chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
       '';
       serviceConfig.ExecStart =
-        "${openldap.out}/libexec/slapd -d 0 " +
+        "${openldap.out}/libexec/slapd -d ${cfg.logLevel} " +
           "-u '${cfg.user}' -g '${cfg.group}' " +
           "-h '${concatStringsSep " " cfg.urlList}' " +
           "${configOpts}";
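Review bot: `-d ${cfg.logLevel}` is interpolated into `ExecStart` without quoting, unlike the `-u`, `-g` and `-h` arguments next to it. The option's own example `"acl trace"` would therefore be split into `-d acl` plus a stray `trace` argument. Quote it the same way, `"${openldap.out}/libexec/slapd -d '${cfg.logLevel}' " +`, so the value always reaches slapd as a single argument and cannot introduce further flags. Because `logLevel` is a free-form `types.str`, the description in the first hunk could also state which forms slapd accepts; that is not visible here and should be checked against the slapd documentation.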
diff --git a/nixos/modules/services/hardware/lirc.nix b/nixos/modules/services/hardware/lirc.nix
index 5635d6f09715..0072406a438c 100644
--- a/nixos/modules/services/hardware/lirc.nix
+++ b/nixos/modules/services/hardware/lirc.nix
@@ -49,6 +49,7 @@ in {
       description = "LIRC daemon socket";
       wantedBy = [ "sockets.target" ];
       socketConfig = {
+        # default search path
         ListenStream = "/run/lirc/lircd";
         SocketUser = "lirc";
         SocketMode = "0660";
@@ -66,9 +67,19 @@ in {
       serviceConfig = {
         RuntimeDirectory = "lirc";
 
-        # socket lives in runtime directory; we have to keep is available
+        # Service runtime directory and socket share same folder.
+        # Following hacks are necessary to get everything right:
+
+        # 1. prevent socket deletion during stop and restart
         RuntimeDirectoryPreserve = true;
 
+        # 2. fix runtime folder owner-ship, happens when socket activation
+        #    creates the folder
+        PermissionsStartOnly = true;
+        ExecStartPre = [
+          "${pkgs.coreutils}/bin/chown lirc /run/lirc/"
+        ];
+
         ExecStart = ''
           ${pkgs.lirc}/bin/lircd --nodaemon \
             ${escapeShellArgs cfg.extraArguments} \
diff --git a/nixos/modules/services/misc/nscd-sssd.conf b/nixos/modules/services/misc/nscd-sssd.conf
deleted file mode 100644
index 92380f3e4ba4..000000000000
--- a/nixos/modules/services/misc/nscd-sssd.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-server-user             nscd
-threads                 1
-paranoia                no
-debug-level             0
-
-enable-cache            passwd          yes
-positive-time-to-live   passwd          0
-negative-time-to-live   passwd          0
-suggested-size          passwd          211
-check-files             passwd          yes
-persistent              passwd          no
-shared                  passwd          yes
-
-enable-cache            group           yes
-positive-time-to-live   group           0
-negative-time-to-live   group           0
-suggested-size          group           211
-check-files             group           yes
-persistent              group           no
-shared                  group           yes
-
-enable-cache            hosts           yes
-positive-time-to-live   hosts           600
-negative-time-to-live   hosts           5
-suggested-size          hosts           211
-check-files             hosts           yes
-persistent              hosts           no
-shared                  hosts           yes
-
-enable-cache            services        yes
-positive-time-to-live   services        0
-negative-time-to-live   services        0
-suggested-size          services        211
-check-files             services        yes
-persistent              services        no
-shared                  services        yes
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index e818f4a4804d..fe472a6c68e5 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -75,7 +75,6 @@ in {
       };
 
       system.nssModules = optional cfg.enable pkgs.sssd;
-      services.nscd.config = builtins.readFile ./nscd-sssd.conf;
       services.dbus.packages = [ pkgs.sssd ];
     })
 
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index c0c16a429d89..5fb3e3771221 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -169,8 +169,9 @@ in {
           Sets the maximum amount of time (in seconds) a connection may be reused.
           For MySQL this setting should be shorter than the `wait_timeout' variable.
         '';
-        default = 14400;
-        type = types.int;
+        default = "unlimited";
+        example = 14400;
+        type = types.either types.int (types.enum [ "unlimited" ]);
       };
     };
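Review bot: The option now accepts the string `"unlimited"` and defaults to it, but the description still speaks only of a number of seconds. Add a sentence saying what `"unlimited"` means for connection reuse, so the new default is understandable from the option documentation. The code that writes this value into Grafana's configuration is outside the hunk. It has to handle both the integer and the string form, which cannot be confirmed from here.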
 
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 2d76e0676b24..d372dfd8f412 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -488,7 +488,7 @@ in {
       '') cfg.dynamicHosts.hostsDirs);
       serviceConfig = {
         Type = "oneshot";
-        RemainAfterExist = true;
+        RemainAfterExit = true;
       };
     };
 
diff --git a/nixos/modules/services/system/nscd.conf b/nixos/modules/services/system/nscd.conf
index 6d0dcacf9778..603a5d01acce 100644
--- a/nixos/modules/services/system/nscd.conf
+++ b/nixos/modules/services/system/nscd.conf
@@ -1,28 +1,52 @@
+# We basically use nscd as a proxy for forwarding nss requests to appropriate
+# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
+# containing all such modules
+# Note that we can not use `enable-cache no` As this will actually cause nscd
+# to just reject the nss requests it receives, which then causes glibc to
+# fallback to trying to handle the request by itself. Which won't work as glibc
+# is not aware of the path in which the nss modules live.  As a workaround, we
+# have `enable-cache yes` with an explicit ttl of 0
 server-user             nscd
 threads                 1
 paranoia                no
 debug-level             0
 
 enable-cache            passwd          yes
-positive-time-to-live   passwd          600
-negative-time-to-live   passwd          20
+positive-time-to-live   passwd          0
+negative-time-to-live   passwd          0
 suggested-size          passwd          211
 check-files             passwd          yes
 persistent              passwd          no
 shared                  passwd          yes
 
 enable-cache            group           yes
-positive-time-to-live   group           3600
-negative-time-to-live   group           60
+positive-time-to-live   group           0
+negative-time-to-live   group           0
 suggested-size          group           211
 check-files             group           yes
 persistent              group           no
 shared                  group           yes
 
+enable-cache            netgroup        yes
+positive-time-to-live   netgroup        0
+negative-time-to-live   netgroup        0
+suggested-size          netgroup        211
+check-files             netgroup        yes
+persistent              netgroup        no
+shared                  netgroup        yes
+
 enable-cache            hosts           yes
 positive-time-to-live   hosts           600
-negative-time-to-live   hosts           5
+negative-time-to-live   hosts           0
 suggested-size          hosts           211
 check-files             hosts           yes
 persistent              hosts           no
 shared                  hosts           yes
+
+enable-cache            services        yes
+positive-time-to-live   services        0
+negative-time-to-live   services        0
+suggested-size          services        211
+check-files             services        yes
+persistent              services        no
+shared                  services        yes
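Review bot: The new header comment says caching is neutralised by `enable-cache yes` with a TTL of 0, but the `hosts` section keeps `positive-time-to-live hosts 600`, so successful host lookups are still cached for ten minutes. If that is deliberate (the release note in this commit mentions only negative host caching being disabled), state the exception in the header, e.g. `# hosts keeps a positive TTL; only negative host caching is disabled`. Otherwise a reader may assume every database is served uncached.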
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index d0efdf88d73c..ecb1c5615d58 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -484,4 +484,6 @@ in {
       };
     })
   ]);
+
+  meta.doc = ./nextcloud.xml;
 }
diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml
new file mode 100644
index 000000000000..9600d1be7c88
--- /dev/null
+++ b/nixos/modules/services/web-apps/nextcloud.xml
@@ -0,0 +1,99 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="module-services-nextcloud">
+ <title>Nextcloud</title>
+
+ <para>
+  <link xlink:href="https://nextcloud.com/">Nextcloud</link> is an open-source, self-hostable cloud
+  platform. The server setup can be automated using
+  <link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. A desktop client is packaged
+  at <literal>pkgs.nextcloud-client</literal>.
+ </para>
+
+ <section xml:id="module-services-nextcloud-basic-usage">
+  <title>Basic usage</title>
+  <para>
+   Nextcloud is a PHP-based application which requires an HTTP server
+   (<literal><link linkend="opt-services.nextcloud.enable">services.nextcloud</link></literal> optionally supports
+   <literal><link linkend="opt-services.nginx.enable">services.nginx</link></literal>) and a database
+   (it's recommended to use <literal><link linkend="opt-services.postgresql.enable">services.postgresql</link></literal>).
+  </para>
+  <para>
+    A very basic configuration may look like this:
+<programlisting>{ pkgs, ... }:
+{
+  services.nextcloud = {
+    <link linkend="opt-services.nextcloud.enable">enable</link> = true;
+    <link linkend="opt-services.nextcloud.hostName">hostName</link> = "nextcloud.tld";
+    <link linkend="opt-services.nextcloud.nginx.enable">nginx.enable</link> = true;
+    config = {
+      <link linkend="opt-services.nextcloud.config.dbtype">dbtype</link> = "pgsql";
+      <link linkend="opt-services.nextcloud.config.dbuser">dbuser</link> = "nextcloud";
+      <link linkend="opt-services.nextcloud.config.dbhost">dbhost</link> = "/tmp"; # nextcloud will add /.s.PGSQL.5432 by itself
+      <link linkend="opt-services.nextcloud.config.dbname">dbname</link> = "nextcloud";
+      <link linkend="opt-services.nextcloud.config.adminpassFile">adminpassFile</link> = "/path/to/admin-pass-file";
+      <link linkend="opt-services.nextcloud.config.adminuser">adminuser</link> = "root";
+    };
+  };
+
+  services.postgresql = {
+    <link linkend="opt-services.postgresql.enable">enable</link> = true;
+    <link linkend="opt-services.postgresql.initialScript">initialScript</link> = pkgs.writeText "psql-init" ''
+      CREATE ROLE nextcloud WITH LOGIN;
+      CREATE DATABASE nextcloud WITH OWNER nextcloud;
+    '';
+  };
+
+  # ensure that postgres is running *before* running the setup
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
+}</programlisting>
+  </para>
+  <para>
+   The options <literal>hostName</literal> and <literal>nginx.enable</literal> are used internally to configure an
+   HTTP server using <literal><link xlink:href="https://php-fpm.org/">PHP-FPM</link></literal> and <literal>nginx</literal>.
+   The <literal>config</literal> attribute set is used for the <literal>config.php</literal> which is used
+   for the application's configuration.
+   <emphasis>Beware: this isn't entirely pure since the config is modified by the application's runtime!</emphasis>
+  </para>
+  <para>
+    In case the application serves multiple hosts (those are checked with
+    <literal><link xlink:href="http://php.net/manual/en/reserved.variables.server.php">$_SERVER['HTTP_HOST']</link></literal>)
+    those can be added using
+    <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>.
+  </para>
+ </section>
+
+ <section xml:id="module-services-nextcloud-pitfalls-during-upgrade">
+  <title>Pitfalls</title>
+  <para>
+   Unfortunately Nextcloud appears to be very stateful when it comes to managing its own configuration. The
+   config file lives in the home directory of the <literal>nextcloud</literal> user (by default
+   <literal>/var/lib/nextcloud/config/config.php</literal>) and is also used to track several
+   states of the application (e.g. whether installed or not).
+  </para>
+  <para>
+   Right now changes to the <literal>services.nextcloud.config</literal> attribute set won't take effect
+   after the first install
+   (except <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>) since the actual configuration
+   file is generated by the NextCloud installer which also sets up critical parts such as the database
+   structure.
+  </para>
+  <para>
+   <emphasis>Warning: don't delete <literal>config.php</literal>! This file tracks the application's state and a deletion can cause unwanted side-effects!</emphasis>
+  </para>
+  <para>
+   <emphasis>Warning: don't rerun <literal>nextcloud-occ maintenance:install</literal>! This command tries to install the application and can cause unwanted side-effects!</emphasis>
+  </para>
+  <para>
+    The issues are known and reported in <link xlink:href="https://github.com/NixOS/nixpkgs/issues/49783">#49783</link>, for now it's unfortunately necessary to manually work around these issues.
+  </para>
+ </section>
+
+</chapter>
diff --git a/nixos/modules/services/web-apps/quassel-webserver.nix b/nixos/modules/services/web-apps/quassel-webserver.nix
deleted file mode 100644
index 2ba5698d6cb1..000000000000
--- a/nixos/modules/services/web-apps/quassel-webserver.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.quassel-webserver;
-  quassel-webserver = cfg.pkg;
-  settings = ''
-    module.exports = {
-      default: {
-        host: '${cfg.quasselCoreHost}',  // quasselcore host
-        port: ${toString cfg.quasselCorePort},  // quasselcore port
-        initialBacklogLimit: ${toString cfg.initialBacklogLimit},  // Amount of backlogs to fetch per buffer on connection
-        backlogLimit: ${toString cfg.backlogLimit},  // Amount of backlogs to fetch per buffer after first retrieval
-        securecore: ${boolToString cfg.secureCore},  // Connect to the core using SSL
-        theme: '${cfg.theme}'  // Default UI theme
-      },
-      themes: ['default', 'darksolarized'],  //  Available themes
-      forcedefault: ${boolToString cfg.forceHostAndPort},  // Will force default host and port to be used, and will hide the corresponding fields in the UI
-      prefixpath: '${cfg.prefixPath}'  // Configure this if you use a reverse proxy
-    };
-  '';
-  settingsFile = pkgs.writeText "settings-user.js" settings;
-in {
-  options = {
-    services.quassel-webserver = {
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = "Whether to enable the quassel webclient service";
-      };
-      pkg = mkOption {
-        default = pkgs.quassel-webserver;
-        defaultText = "pkgs.quassel-webserver";
-        type = types.package;
-        description = "The quassel-webserver package";
-      };
-      quasselCoreHost = mkOption {
-        default = "";
-        type = types.str;
-        description = "The default host of the quassel core";
-      };
-      quasselCorePort = mkOption {
-        default = 4242;
-        type = types.int;
-        description = "The default quassel core port";
-      };
-      initialBacklogLimit = mkOption {
-        default = 20;
-        type = types.int;
-        description = "Amount of backlogs to fetch per buffer on connection";
-      };
-      backlogLimit = mkOption {
-        default = 100;
-        type = types.int;
-        description = "Amount of backlogs to fetch per buffer after first retrieval";
-      };
-      secureCore = mkOption {
-        default = true;
-        type = types.bool;
-        description = "Connect to the core using SSL";
-      };
-      theme = mkOption {
-        default = "default";
-        type = types.str;
-        description = "default or darksolarized";
-      };
-      prefixPath = mkOption {
-        default = "";
-        type = types.str;
-        description = "Configure this if you use a reverse proxy. Must start with a '/'";
-        example = "/quassel";
-      };
-      port = mkOption {
-        default = 60443;
-        type = types.int;
-        description = "The port the quassel webserver should listen on";
-      };
-      useHttps = mkOption {
-        default = true;
-        type = types.bool;
-        description = "Whether the quassel webserver connection should be a https connection";
-      };
-      forceHostAndPort = mkOption {
-        default = false;
-        type = types.bool;
-        description = "Force the users to use the quasselCoreHost and quasselCorePort defaults";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.quassel-webserver = {
-      description = "A web server/client for Quassel";
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        ExecStart = "${quassel-webserver}/lib/node_modules/quassel-webserver/bin/www -p ${toString cfg.port} -m ${if cfg.useHttps == true then "https" else "http"} -c ${settingsFile}";
-      };
-    };
-  };
-}
diff --git a/nixos/modules/services/web-servers/apache-httpd/limesurvey.nix b/nixos/modules/services/web-servers/apache-httpd/limesurvey.nix
index 77194f347492..5c387700a5d5 100644
--- a/nixos/modules/services/web-servers/apache-httpd/limesurvey.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/limesurvey.nix
@@ -85,7 +85,7 @@ in rec {
     id = mkOption {
       default = "main";
       description = ''
-        A unique identifier necessary to keep multiple owncloud server
+        A unique identifier necessary to keep multiple Limesurvey server
         instances on the same machine apart.  This is used to
         disambiguate the administrative scripts, which get names like
         mediawiki-$id-change-password.
diff --git a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
deleted file mode 100644
index 6345a9a56935..000000000000
--- a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
+++ /dev/null
@@ -1,608 +0,0 @@
-{ config, lib, pkgs, serverInfo, php, ... }:
-
-with lib;
-
-let
-
-  owncloudConfig = pkgs.writeText "config.php"
-    ''
-      <?php
-
-      /* Only enable this for local development and not in productive environments */
-      /* This will disable the minifier and outputs some additional debug informations */
-      define("DEBUG", false);
-
-      $CONFIG = array(
-      /* Flag to indicate ownCloud is successfully installed (true = installed) */
-      "installed" => true,
-
-      /* Type of database, can be sqlite, mysql or pgsql */
-      "dbtype" => "${config.dbType}",
-
-      /* Name of the ownCloud database */
-      "dbname" => "${config.dbName}",
-
-      /* User to access the ownCloud database */
-      "dbuser" => "${config.dbUser}",
-
-      /* Password to access the ownCloud database */
-      "dbpassword" => "${config.dbPassword}",
-
-      /* Host running the ownCloud database. To specify a port use "HOSTNAME:####"; to specify a unix sockets use "localhost:/path/to/socket". */
-      "dbhost" => "${config.dbServer}",
-
-      /* Prefix for the ownCloud tables in the database */
-      "dbtableprefix" => "",
-
-      /* Force use of HTTPS connection (true = use HTTPS) */
-      "forcessl" => ${config.forceSSL},
-
-      /* Blacklist a specific file and disallow the upload of files with this name - WARNING: USE THIS ONLY IF YOU KNOW WHAT YOU ARE DOING. */
-      "blacklisted_files" => array('.htaccess'),
-
-      /* The automatic hostname detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. You can also add a port. For example "www.example.com:88" */
-      "overwritehost" => "${config.overwriteHost}",
-
-      /* The automatic protocol detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the protocol detection. For example "https" */
-      "overwriteprotocol" => "${config.overwriteProtocol}",
-
-      /* The automatic webroot detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. For example "/domain.tld/ownCloud". The value "/" can be used to remove the root. */
-      "overwritewebroot" => "${config.overwriteWebRoot}",
-
-      /* The automatic detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to define a manually override condition as regular expression for the remote ip address. For example "^10\.0\.0\.[1-3]$" */
-      "overwritecondaddr" => "",
-
-      /* A proxy to use to connect to the internet. For example "myproxy.org:88" */
-      "proxy" => "",
-
-      /* The optional authentication for the proxy to use to connect to the internet. The format is: [username]:[password] */
-      "proxyuserpwd" => "",
-
-      /* List of trusted domains, to prevent host header poisoning ownCloud is only using these Host headers */
-      ${if config.trustedDomain != "" then "'trusted_domains' => array('${config.trustedDomain}')," else ""}
-
-      /* Theme to use for ownCloud */
-      "theme" => "",
-
-      /* Optional ownCloud default language - overrides automatic language detection on public pages like login or shared items. This has no effect on the user's language preference configured under "personal -> language" once they have logged in */
-      "default_language" => "${config.defaultLang}",
-
-      /* Path to the parent directory of the 3rdparty directory */
-      "3rdpartyroot" => "",
-
-      /* URL to the parent directory of the 3rdparty directory, as seen by the browser */
-      "3rdpartyurl" => "",
-
-      /* Default app to open on login.
-       * This can be a comma-separated list of app ids.
-       * If the first app is not enabled for the current user,
-       * it will try with the second one and so on. If no enabled app could be found,
-       * the "files" app will be displayed instead. */
-      "defaultapp" => "${config.defaultApp}",
-
-      /* Enable the help menu item in the settings */
-      "knowledgebaseenabled" => true,
-
-      /* Enable installing apps from the appstore */
-      "appstoreenabled" => ${config.appStoreEnable},
-
-      /* URL of the appstore to use, server should understand OCS */
-      "appstoreurl" => "https://api.owncloud.com/v1",
-
-      /* Domain name used by ownCloud for the sender mail address, e.g. no-reply@example.com */
-      "mail_domain" => "${config.mailFromDomain}",
-
-      /* FROM address used by ownCloud for the sender mail address, e.g. owncloud@example.com
-         This setting overwrites the built in 'sharing-noreply' and 'lostpassword-noreply'
-         FROM addresses, that ownCloud uses
-      */
-      "mail_from_address" => "${config.mailFrom}",
-
-      /* Enable SMTP class debugging */
-      "mail_smtpdebug" => false,
-
-      /* Mode to use for sending mail, can be sendmail, smtp, qmail or php, see PHPMailer docs */
-      "mail_smtpmode" => "${config.SMTPMode}",
-
-      /* Host to use for sending mail, depends on mail_smtpmode if this is used */
-      "mail_smtphost" => "${config.SMTPHost}",
-
-      /* Port to use for sending mail, depends on mail_smtpmode if this is used */
-      "mail_smtpport" => ${config.SMTPPort},
-
-      /* SMTP server timeout in seconds for sending mail, depends on mail_smtpmode if this is used */
-      "mail_smtptimeout" => ${config.SMTPTimeout},
-
-      /* SMTP connection prefix or sending mail, depends on mail_smtpmode if this is used.
-         Can be "", ssl or tls */
-      "mail_smtpsecure" => "${config.SMTPSecure}",
-
-      /* authentication needed to send mail, depends on mail_smtpmode if this is used
-       * (false = disable authentication)
-       */
-      "mail_smtpauth" => ${config.SMTPAuth},
-
-      /* authentication type needed to send mail, depends on mail_smtpmode if this is used
-       * Can be LOGIN (default), PLAIN or NTLM */
-      "mail_smtpauthtype" => "${config.SMTPAuthType}",
-
-      /* Username to use for sendmail mail, depends on mail_smtpauth if this is used */
-      "mail_smtpname" => "${config.SMTPUser}",
-
-      /* Password to use for sendmail mail, depends on mail_smtpauth if this is used */
-      "mail_smtppassword" => "${config.SMTPPass}",
-
-      /* memcached servers (Only used when xCache, APC and APCu are absent.) */
-      "memcached_servers" => array(
-          // hostname, port and optional weight. Also see:
-          // http://www.php.net/manual/en/memcached.addservers.php
-          // http://www.php.net/manual/en/memcached.addserver.php
-          //array('localhost', 11211),
-          //array('other.host.local', 11211),
-      ),
-
-      /* How long should ownCloud keep deleted files in the trash bin, default value:  30 days */
-      'trashbin_retention_obligation' => 30,
-
-      /* Disable/Enable auto expire for the trash bin, by default auto expire is enabled */
-      'trashbin_auto_expire' => true,
-
-      /* allow user to change his display name, if it is supported by the back-end */
-      'allow_user_to_change_display_name' => true,
-
-      /* Check 3rdparty apps for malicious code fragments */
-      "appcodechecker" => true,
-
-      /* Check if ownCloud is up to date */
-      "updatechecker" => true,
-
-      /* Are we connected to the internet or are we running in a closed network? */
-      "has_internet_connection" => true,
-
-      /* Check if the ownCloud WebDAV server is working correctly. Can be disabled if not needed in special situations*/
-      "check_for_working_webdav" => true,
-
-      /* Check if .htaccess protection of data is working correctly. Can be disabled if not needed in special situations*/
-      "check_for_working_htaccess" => true,
-
-      /* Place to log to, can be owncloud and syslog (owncloud is log menu item in admin menu) */
-      "log_type" => "owncloud",
-
-      /* File for the owncloud logger to log to, (default is ownloud.log in the data dir) */
-      "logfile" => "${config.dataDir}/owncloud.log",
-
-      /* Loglevel to start logging at. 0=DEBUG, 1=INFO, 2=WARN, 3=ERROR (default is WARN) */
-      "loglevel" => "2",
-
-      /* date format to be used while writing to the owncloud logfile */
-      'logdateformat' => 'F d, Y H:i:s',
-
-      ${tzSetting}
-
-      /* Append all database queries and parameters to the log file.
-       (watch out, this option can increase the size of your log file)*/
-      "log_query" => false,
-
-      /* Whether ownCloud should log the last successfull cron exec */
-      "cron_log" => true,
-
-      /*
-       * Configure the size in bytes log rotation should happen, 0 or false disables the rotation.
-       * This rotates the current owncloud logfile to a new name, this way the total log usage
-       * will stay limited and older entries are available for a while longer. The
-       * total disk usage is twice the configured size.
-       * WARNING: When you use this, the log entries will eventually be lost.
-       */
-      'log_rotate_size' => "104857600", // 104857600, // 100 MiB
-
-      /* Lifetime of the remember login cookie, default is 15 days */
-      "remember_login_cookie_lifetime" => 1296000,
-
-      /* Life time of a session after inactivity */
-      "session_lifetime" => 86400,
-
-      /*
-       * Enable/disable session keep alive when a user is logged in in the Web UI.
-       * This is achieved by sending a "heartbeat" to the server to prevent
-       * the session timing out.
-       */
-      "session_keepalive" => true,
-
-      /* Custom CSP policy, changing this will overwrite the standard policy */
-      "custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *",
-
-      /* Enable/disable X-Frame-Restriction */
-      /* HIGH SECURITY RISK IF DISABLED*/
-      "xframe_restriction" => true,
-
-      /* The directory where the user data is stored, default to data in the owncloud
-       * directory. The sqlite database is also stored here, when sqlite is used.
-       */
-      "datadirectory" => "${config.dataDir}/storage",
-
-      /* The directory where the skeleton files are located. These files will be copied to the data
-       * directory of new users. Leave empty to not copy any skeleton files.
-       */
-      // "skeletondirectory" => "",
-
-      /* Enable maintenance mode to disable ownCloud
-         If you want to prevent users to login to ownCloud before you start doing some maintenance work,
-         you need to set the value of the maintenance parameter to true.
-         Please keep in mind that users who are already logged-in are kicked out of ownCloud instantly.
-      */
-      "maintenance" => false,
-
-      "apps_paths" => array(
-
-      /* Set an array of path for your apps directories
-       key 'path' is for the fs path and the key 'url' is for the http path to your
-       applications paths. 'writable' indicates whether the user can install apps in this folder.
-       You must have at least 1 app folder writable or you must set the parameter 'appstoreenabled' to false
-      */
-          array(
-              'path'=> '${config.dataDir}/apps',
-              'url' => '/apps',
-              'writable' => true,
-          ),
-      ),
-      'user_backends'=>array(
-          /*
-          array(
-              'class'=>'OC_User_IMAP',
-              'arguments'=>array('{imap.gmail.com:993/imap/ssl}INBOX')
-          )
-          */
-      ),
-      //links to custom clients
-      'customclient_desktop' => ''', //http://owncloud.org/sync-clients/
-      'customclient_android' => ''', //https://play.google.com/store/apps/details?id=com.owncloud.android
-      'customclient_ios' => ''', //https://itunes.apple.com/us/app/owncloud/id543672169?mt=8
-
-      // PREVIEW
-      'enable_previews' => true,
-      /* the max width of a generated preview, if value is null, there is no limit */
-      'preview_max_x' => null,
-      /* the max height of a generated preview, if value is null, there is no limit */
-      'preview_max_y' => null,
-      /* the max factor to scale a preview, default is set to 10 */
-      'preview_max_scale_factor' => 10,
-      /* custom path for libreoffice / openoffice binary */
-      'preview_libreoffice_path' => '${config.libreofficePath}',
-      /* cl parameters for libreoffice / openoffice */
-      'preview_office_cl_parameters' => ''',
-
-      /* whether avatars should be enabled */
-      'enable_avatars' => true,
-
-      // Extra SSL options to be used for configuration
-      'openssl' => array(
-          'config' => '/etc/ssl/openssl.cnf',
-      ),
-
-      // default cipher used for file encryption, currently we support AES-128-CFB and AES-256-CFB
-      'cipher' => 'AES-256-CFB',
-
-      /* whether usage of the instance should be restricted to admin users only */
-      'singleuser' => false,
-
-      /* all css and js files will be served by the web server statically in one js file and ons css file*/
-      'asset-pipeline.enabled' => false,
-
-      /* where mount.json file should be stored, defaults to data/mount.json */
-      'mount_file' => ''',
-
-      /*
-       * Location of the cache folder, defaults to "data/$user/cache" where "$user" is the current user.
-       *
-       * When specified, the format will change to "$cache_path/$user" where "$cache_path" is the configured
-       * cache directory and "$user" is the user.
-       *
-       */
-      'cache_path' => ''',
-
-      /* EXPERIMENTAL: option whether to include external storage in quota calculation, defaults to false */
-      'quota_include_external_storage' => false,
-
-      /*
-       * specifies how often the filesystem is checked for changes made outside owncloud
-       * 0 -> never check the filesystem for outside changes, provides a performance increase when it's certain that no changes are made directly to the filesystem
-       * 1 -> check each file or folder at most once per request, recomended for general use if outside changes might happen
-       * 2 -> check every time the filesystem is used, causes a performance hit when using external storages, not recomended for regular use
-       */
-      'filesystem_check_changes' => 1,
-
-      /* If true, prevent owncloud from changing the cache due to changes in the filesystem for all storage */
-      'filesystem_cache_readonly' => false,
-
-      /**
-       * define default folder for shared files and folders
-       */
-      'share_folder' => '/',
-
-      'version' => '${config.package.version}',
-
-      'openssl' => '${pkgs.openssl.bin}/bin/openssl'
-
-      );
-
-    '';
-
-  tzSetting = let tz = serverInfo.fullConfig.time.timeZone; in optionalString (!isNull tz) ''
-    /* timezone used while writing to the owncloud logfile (default: UTC) */
-    'logtimezone' => '${tz}',
-  '';
-
-  postgresql = serverInfo.fullConfig.services.postgresql.package;
-
-  setupDb = pkgs.writeScript "setup-owncloud-db" ''
-    #!${pkgs.runtimeShell}
-    PATH="${postgresql}/bin"
-    createuser --no-superuser --no-createdb --no-createrole "${config.dbUser}" || true
-    createdb "${config.dbName}" -O "${config.dbUser}" || true
-    psql -U postgres -d postgres -c "alter user ${config.dbUser} with password '${config.dbPassword}';" || true
-
-    QUERY="CREATE TABLE appconfig
-             ( appid       VARCHAR( 255 ) NOT NULL
-             , configkey   VARCHAR( 255 ) NOT NULL
-             , configvalue VARCHAR( 255 ) NOT NULL
-             );
-           GRANT ALL ON appconfig TO ${config.dbUser};
-           ALTER TABLE appconfig OWNER TO ${config.dbUser};"
-
-    psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
-  '';
-
-in
-
-rec {
-
-  extraConfig =
-    ''
-      ${if config.urlPrefix != "" then "Alias ${config.urlPrefix} ${config.package}" else ''
-
-        RewriteEngine On
-        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
-        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
-      ''}
-
-      <Directory ${config.package}>
-        Include ${config.package}/.htaccess
-      </Directory>
-    '';
-
-  globalEnvVars = [
-    { name = "OC_CONFIG_PATH"; value = "${config.dataDir}/config/"; }
-  ];
-
-  documentRoot = if config.urlPrefix == "" then config.package else null;
-
-  enablePHP = true;
-
-  options = {
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.owncloud70;
-      defaultText = "pkgs.owncloud70";
-      example = literalExample "pkgs.owncloud70";
-      description = ''
-          ownCloud package to use.
-      '';
-    };
-
-    urlPrefix = mkOption {
-      default = "";
-      example = "/owncloud";
-      description = ''
-        The URL prefix under which the owncloud service appears.
-      '';
-    };
-
-    id = mkOption {
-      default = "main";
-      description = ''
-        A unique identifier necessary to keep multiple owncloud server
-        instances on the same machine apart.  This is used to
-        disambiguate the administrative scripts, which get names like
-        mediawiki-$id-change-password.
-      '';
-    };
-
-    adminUser = mkOption {
-      default = "owncloud";
-      description = "The admin user name for accessing owncloud.";
-    };
-
-    adminPassword = mkOption {
-      description = "The admin password for accessing owncloud.";
-    };
-
-    dbType = mkOption {
-      default = "pgsql";
-      description = "Type of database, in NixOS, for now, only pgsql.";
-    };
-
-    dbName = mkOption {
-      default = "owncloud";
-      description = "Name of the database that holds the owncloud data.";
-    };
-
-    dbServer = mkOption {
-      default = "localhost:5432";
-      description = ''
-        The location of the database server.
-      '';
-    };
-
-    dbUser = mkOption {
-      default = "owncloud";
-      description = "The user name for accessing the database.";
-    };
-
-    dbPassword = mkOption {
-      example = "foobar";
-      description = ''
-        The password of the database user.  Warning: this is stored in
-        cleartext in the Nix store!
-      '';
-    };
-
-    forceSSL = mkOption {
-      default = "false";
-      description = "Force use of HTTPS connection.";
-    };
-
-    adminAddr = mkOption {
-      default = serverInfo.serverConfig.adminAddr;
-      example = "admin@example.com";
-      description = ''
-        Emergency contact e-mail address.  Defaults to the Apache
-        admin address.
-      '';
-    };
-
-    siteName = mkOption {
-      default = "owncloud";
-      example = "Foobar owncloud";
-      description = "Name of the owncloud";
-    };
-
-    trustedDomain = mkOption {
-      default = "";
-      description = "Trusted domain";
-    };
-
-    defaultLang = mkOption {
-      default = "";
-      description = "Default language";
-    };
-
-    defaultApp = mkOption {
-      default = "";
-      description = "Default application";
-    };
-
-    appStoreEnable = mkOption {
-      default = "true";
-      description = "Enable app store";
-    };
-
-    mailFrom = mkOption {
-      default = "no-reply";
-      description = "Mail from";
-    };
-
-    mailFromDomain = mkOption {
-      default = "example.xyz";
-      description = "Mail from domain";
-    };
-
-    SMTPMode = mkOption {
-      default = "smtp";
-      description = "Which mode to use for sending mail: sendmail, smtp, qmail or php.";
-    };
-
-    SMTPHost = mkOption {
-      default = "";
-      description = "SMTP host";
-    };
-
-    SMTPPort = mkOption {
-      default = "25";
-      description = "SMTP port";
-    };
-
-    SMTPTimeout = mkOption {
-      default = "10";
-      description = "SMTP mode";
-    };
-
-    SMTPSecure = mkOption {
-      default = "ssl";
-      description = "SMTP secure";
-    };
-
-    SMTPAuth = mkOption {
-      default = "true";
-      description = "SMTP auth";
-    };
-
-    SMTPAuthType = mkOption {
-      default = "LOGIN";
-      description = "SMTP auth type";
-    };
-
-    SMTPUser = mkOption {
-      default = "";
-      description = "SMTP user";
-    };
-
-    SMTPPass = mkOption {
-      default = "";
-      description = "SMTP pass";
-    };
-
-    dataDir = mkOption {
-      default = "/var/lib/owncloud";
-      description = "Data dir";
-    };
-
-    libreofficePath = mkOption {
-      default = "/usr/bin/libreoffice";
-      description = "Path for LibreOffice/OpenOffice binary.";
-    };
-
-    overwriteHost = mkOption {
-      default = "";
-      description = "The automatic hostname detection of ownCloud can fail in
-        certain reverse proxy and CLI/cron situations. This option allows to
-        manually override the automatic detection. You can also add a port.";
-    };
-
-    overwriteProtocol = mkOption {
-      default = "";
-      description = "The automatic protocol detection of ownCloud can fail in
-        certain reverse proxy and CLI/cron situations. This option allows to
-        manually override the protocol detection.";
-    };
-
-    overwriteWebRoot = mkOption {
-      default = "";
-      description = "The automatic webroot detection of ownCloud can fail in
-        certain reverse proxy and CLI/cron situations. This option allows to
-        manually override the automatic detection.";
-    };
-
-  };
-
-  startupScript = pkgs.writeScript "owncloud_startup.sh" ''
-
-    if [ ! -d ${config.dataDir}/config ]; then
-      mkdir -p ${config.dataDir}/config
-      cp ${owncloudConfig} ${config.dataDir}/config/config.php
-      mkdir -p ${config.dataDir}/storage
-      mkdir -p ${config.dataDir}/apps
-      cp -r ${config.package}/apps/* ${config.dataDir}/apps/
-      chmod -R ug+rw ${config.dataDir}
-      chmod -R o-rwx ${config.dataDir}
-      chown -R wwwrun:wwwrun ${config.dataDir}
-
-      ${pkgs.sudo}/bin/sudo -u postgres ${setupDb}
-    fi
-
-    if [ -e ${config.package}/config/ca-bundle.crt ]; then
-      cp -f ${config.package}/config/ca-bundle.crt ${config.dataDir}/config/
-    fi
-
-    ${php}/bin/php ${config.package}/occ upgrade >> ${config.dataDir}/upgrade.log || true
-
-    chown wwwrun:wwwrun ${config.dataDir}/owncloud.log || true
-
-    QUERY="INSERT INTO groups (gid) values('admin');
-           INSERT INTO users (uid,password)
-             values('${config.adminUser}','${builtins.hashString "sha1" config.adminPassword}');
-           INSERT INTO group_user (gid,uid)
-             values('admin','${config.adminUser}');"
-    ${pkgs.sudo}/bin/sudo -u postgres ${postgresql}/bin/psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
-  '';
-}
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 8e2b8819e71b..6a50d8ed5cd4 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -69,7 +69,7 @@ with lib;
     acmeRoot = mkOption {
       type = types.str;
       default = "/var/lib/acme/acme-challenge";
-      description = "Directory to store certificates and keys managed by the ACME service.";
+      description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
     };
 
     acmeFallbackHost = mkOption {
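Review bot: The new `acmeRoot` description carries a security warning but is worded as a comma splice, with lower-case `acme` and no final period, so it reads differently from the neighbouring option descriptions. Stating it as full sentences makes the warning harder to miss: `description = "Directory for ACME challenge files. Its contents are served publicly, so do not store certificates or keys in it.";`. The default `/var/lib/acme/acme-challenge` and the old wording suggest people associate this path with certificate storage, which is a reason to keep the warning explicit.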
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 72109cf31af3..ba6d333b534e 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -136,19 +136,17 @@ in {
 
     services.xserver.displayManager.extraSessionFilePackages = [ pkgs.gnome3.gnome-session ];
 
-    services.xserver.displayManager.sessionCommands = ''
-      if test "$XDG_CURRENT_DESKTOP" = "GNOME"; then
-          ${concatMapStrings (p: ''
-            if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then
-              export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name}
-            fi
-
-            if [ -d "${p}/lib/girepository-1.0" ]; then
-              export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0
-              export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib
-            fi
-          '') cfg.sessionPath}
-      fi
+    environment.extraInit = ''
+      ${concatMapStrings (p: ''
+        if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then
+          export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name}
+        fi
+
+        if [ -d "${p}/lib/girepository-1.0" ]; then
+          export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0
+          export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib
+        fi
+      '') cfg.sessionPath}
     '';
 
     environment.variables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1";
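Review bot: Moving this block from `sessionCommands` to `environment.extraInit` drops the `XDG_CURRENT_DESKTOP = GNOME` guard, so `XDG_DATA_DIRS`, `GI_TYPELIB_PATH` and `LD_LIBRARY_PATH` are now extended for everything that sources `extraInit`, not only GNOME sessions. `LD_LIBRARY_PATH` in particular changes which shared libraries every program started from that environment resolves, so the wider scope should at least be documented as intentional, e.g. `# Not guarded by XDG_CURRENT_DESKTOP: must also apply to Wayland sessions, which do not source sessionCommands.` The Wayland motivation is inferred from the display-manager changes in this commit and should be confirmed. If only GNOME components need the extra library path, consider limiting that one export rather than applying it globally.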
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 26b79730dd38..035029150c81 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -78,8 +78,7 @@ let
       # This is required by user units using the session bus.
       ${config.systemd.package}/bin/systemctl --user import-environment DISPLAY XAUTHORITY DBUS_SESSION_BUS_ADDRESS
 
-      # Load X defaults.
-      # FIXME: Check XDG_SESSION_TYPE against x11
+      # Load X defaults. This should probably be safe on wayland too.
       ${xorg.xrdb}/bin/xrdb -merge ${xresourcesXft}
       if test -e ~/.Xresources; then
           ${xorg.xrdb}/bin/xrdb -merge ~/.Xresources
@@ -194,6 +193,11 @@ let
       ${concatMapStrings (pkg: ''
         ${xorg.lndir}/bin/lndir ${pkg}/share/xsessions $out/share/xsessions
       '') cfg.displayManager.extraSessionFilePackages}
+
+      mkdir -p "$out/share/wayland-sessions"
+      ${concatMapStrings (pkg: ''
+        ${xorg.lndir}/bin/lndir ${pkg}/share/wayland-sessions $out/share/wayland-sessions
+      '') cfg.displayManager.extraSessionFilePackages}
     '';
 
 in
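Review bot: The added loop calls `lndir ${pkg}/share/wayland-sessions` for every entry in `extraSessionFilePackages`, including packages that ship only `share/xsessions`, and as far as I know `lndir` exits with an error when its source directory does not exist. Whether that aborts the derivation depends on how this script is run, which is outside the hunk, but a guard removes the doubt: `if test -d ${pkg}/share/wayland-sessions; then ${xorg.lndir}/bin/lndir ${pkg}/share/wayland-sessions $out/share/wayland-sessions; fi`. The existing `xsessions` loop just above has the same shape and would need the same guard for a package that provides only Wayland sessions.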
@@ -240,7 +244,10 @@ in
           ''
             xmessage "Hello World!" &
           '';
-        description = "Shell commands executed just before the window or desktop manager is started.";
+        description = ''
+          Shell commands executed just before the window or desktop manager is
+          started. These commands are not currently sourced for Wayland sessions.
+        '';
       };
 
       hiddenUsers = mkOption {
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index e1688c451045..567c3ac34549 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -196,7 +196,7 @@ in
       { assertion = cfg.autoLogin.enable -> dmDefault != "none" || wmDefault != "none";
         message = ''
           LightDM auto-login requires that services.xserver.desktopManager.default and
-          services.xserver.windowMananger.default are set to valid values. The current
+          services.xserver.windowManager.default are set to valid values. The current
           default session: ${defaultSessionName} is not valid.
         '';
       }
diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix
index b7511dfd5a8b..05830e325d51 100644
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@@ -59,6 +59,7 @@ let
 
     [Wayland]
     EnableHidpi=${if cfg.enableHidpi then "true" else "false"}
+    SessionDir=${dmcfg.session.desktops}/share/wayland-sessions
 
     ${optionalString cfg.autoLogin.enable ''
     [Autologin]
@@ -202,7 +203,7 @@ in
       { assertion = cfg.autoLogin.enable -> elem defaultSessionName dmcfg.session.names;
         message = ''
           SDDM auto-login requires that services.xserver.desktopManager.default and
-          services.xserver.windowMananger.default are set to valid values. The current
+          services.xserver.windowManager.default are set to valid values. The current
           default session: ${defaultSessionName} is not valid.
         '';
       }
diff --git a/nixos/modules/system/boot/systemd-nspawn.nix b/nixos/modules/system/boot/systemd-nspawn.nix
index 649453418b53..34a34091a7dc 100644
--- a/nixos/modules/system/boot/systemd-nspawn.nix
+++ b/nixos/modules/system/boot/systemd-nspawn.nix
@@ -10,8 +10,13 @@ let
   checkExec = checkUnitConfig "Exec" [
     (assertOnlyFields [
       "Boot" "ProcessTwo" "Parameters" "Environment" "User" "WorkingDirectory"
-      "Capability" "DropCapability" "KillSignal" "Personality" "MachineId"
-      "PrivateUsers" "NotifyReady"
+      "PivotRoot" "Capability" "DropCapability" "NoNewPrivileges" "KillSignal"
+      "Personality" "MachineId" "PrivateUsers" "NotifyReady" "SystemCallFilter"
+      "LimitCPU" "LimitFSIZE" "LimitDATA" "LimitSTACK" "LimitCORE" "LimitRSS"
+      "LimitNOFILE" "LimitAS" "LimitNPROC" "LimitMEMLOCK" "LimitLOCKS"
+      "LimitSIGPENDING" "LimitMSGQUEUE" "LimitNICE" "LimitRTPRIO" "LimitRTTIME"
+      "OOMScoreAdjust" "CPUAffinity" "Hostname" "ResolvConf" "Timezone"
+      "LinkJournal"
     ])
     (assertValueOneOf "Boot" boolValues)
     (assertValueOneOf "ProcessTwo" boolValues)
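Review bot: `NoNewPrivileges` is now accepted in the `Exec` section, but unlike `Boot` and `ProcessTwo` just below it, the visible checks do not validate its value. A mistyped boolean in a hardening setting therefore passes evaluation. Adding `(assertValueOneOf "NoNewPrivileges" boolValues)` next to the existing checks would catch it at build time. The check list continues past the end of this hunk, so confirm that no such check already exists there. The same consideration may apply to other newly allowed fields that take a fixed set of values.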
@@ -20,8 +25,8 @@ let
 
   checkFiles = checkUnitConfig "Files" [
     (assertOnlyFields [
-      "ReadOnly" "Volatile" "Bind" "BindReadOnly" "TemporaryFileSystems"
-      "PrivateUsersChown"
+      "ReadOnly" "Volatile" "Bind" "BindReadOnly" "TemporaryFileSystem"
+      "Overlay" "OverlayReadOnly" "PrivateUsersChown"
     ])
     (assertValueOneOf "ReadOnly" boolValues)
     (assertValueOneOf "Volatile" (boolValues ++ [ "state" ]))
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 89f8e8153550..d1029bb57982 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -601,8 +601,27 @@ in
       type = types.lines;
       example = "IdleAction=lock";
       description = ''
-        Extra config options for systemd-logind. See man logind.conf for
-        available options.
+        Extra config options for systemd-logind. See
+        <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html">
+        logind.conf(5)</link> for available options.
+      '';
+    };
+
+    services.logind.killUserProcesses = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Specifies whether the processes of a user should be killed
+        when the user logs out.  If true, the scope unit corresponding
+        to the session and all processes inside that scope will be
+        terminated.  If false, the scope is "abandoned" (see
+        <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#">
+        systemd.scope(5)</link>), and processes are not killed.
+        </para>
+
+        <para>
+        See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link>
+        for more details.
       '';
     };
 
@@ -771,7 +790,7 @@ in
 
       "systemd/logind.conf".text = ''
         [Login]
-        KillUserProcesses=no
+        KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
         HandleLidSwitch=${config.services.logind.lidSwitch}
         HandleLidSwitchDocked=${config.services.logind.lidSwitchDocked}
         ${config.services.logind.extraConfig}
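Review bot: `KillUserProcesses=` is emitted before `${config.services.logind.extraConfig}`, so a configuration that already sets `KillUserProcesses` through `extraConfig` now gets the key twice in `logind.conf`. As far as I know the later assignment wins, which would silently override `services.logind.killUserProcesses`. The option description added in the previous hunk should say so, e.g. `A KillUserProcesses= line in services.logind.extraConfig takes precedence over this option.` The `[Login]` text block continues outside the hunk.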
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index eddd6496bf47..0c8520d15dac 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -39,6 +39,7 @@ in
   cfssl = handleTestOn ["x86_64-linux"] ./cfssl.nix {};
   chromium = (handleTestOn ["x86_64-linux"] ./chromium.nix {}).stable or {};
   cjdns = handleTest ./cjdns.nix {};
+  clamav = handleTest ./clamav.nix {};
   cloud-init = handleTest ./cloud-init.nix {};
   codimd = handleTest ./codimd.nix {};
   containers-bridge = handleTest ./containers-bridge.nix {};
@@ -106,7 +107,7 @@ in
   installer = handleTest ./installer.nix {};
   ipv6 = handleTest ./ipv6.nix {};
   jenkins = handleTest ./jenkins.nix {};
-  kafka = handleTest ./kafka.nix {};
+  #kafka = handleTest ./kafka.nix {}; # broken since openjdk: 8u181 -> 8u192
   kerberos = handleTest tests/kerberos/default.nix {};
   kernel-latest = handleTest ./kernel-latest.nix {};
   kernel-lts = handleTest ./kernel-lts.nix {};
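Review bot: The kafka test is disabled by commenting it out, and the only explanation is `broken since openjdk: 8u181 -> 8u192`. Without a pointer to where the breakage is tracked, a commented-out entry tends to stay disabled after the cause is fixed. I would extend the comment to `# broken since openjdk: 8u181 -> 8u192, tracked in <ISSUE-URL>` (placeholder, no issue is named on this page).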
@@ -157,7 +158,6 @@ in
   openssh = handleTest ./openssh.nix {};
   osquery = handleTest ./osquery.nix {};
   ostree = handleTest ./ostree.nix {};
-  owncloud = handleTest ./owncloud.nix {};
   pam-oath-login = handleTest ./pam-oath-login.nix {};
   peerflix = handleTest ./peerflix.nix {};
   pgjwt = handleTest ./pgjwt.nix {};
diff --git a/nixos/tests/borgbackup.nix b/nixos/tests/borgbackup.nix
index 9b39abdfa8ed..fdb87dbea438 100644
--- a/nixos/tests/borgbackup.nix
+++ b/nixos/tests/borgbackup.nix
@@ -130,6 +130,9 @@ in {
       # Make sure keepFile has the correct content
       $client->succeed("$borg extract '${localRepo}::${archiveName}'");
       $client->succeed('c=$(cat ${dataDir}/${keepFile}) && [[ "$c" == "${keepFileData}" ]]');
+      # Make sure the same is true when using `borg mount`
+      $client->succeed("mkdir -p /mnt/borg && $borg mount '${localRepo}::${archiveName}' /mnt/borg");
+      $client->succeed('c=$(cat /mnt/borg/${dataDir}/${keepFile}) && [[ "$c" == "${keepFileData}" ]]');
     };
 
     subtest "remote", sub {
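Review bot: The new `borg mount` at `/mnt/borg` is never unmounted, so the FUSE mount stays active for the rest of the test script. I would expect the local repository to stay in use while the archive is mounted, though that cannot be verified from this hunk. Adding `$client->succeed("$borg umount /mnt/borg");` after the content check keeps the later subtests independent of this one. The enclosing subtest starts outside the hunk.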
diff --git a/nixos/tests/clamav.nix b/nixos/tests/clamav.nix
new file mode 100644
index 000000000000..84a08bcc49f3
--- /dev/null
+++ b/nixos/tests/clamav.nix
@@ -0,0 +1,37 @@
+import ./make-test.nix ({ pkgs, ... }: let
+
+  eicarTestFile = pkgs.fetchurl {
+    url = "http://2016.eicar.org/download/eicar.com.txt";
+    sha256 = "03zxa7vap2jkqjif4bzcjp33yrnip5yrz2bisia9wj5npwdh4ni7";
+  };
+
+  clamavMain = builtins.fetchurl "http://database.clamav.net/main.cvd";
+  clamavDaily = builtins.fetchurl "http://database.clamav.net/daily.cvd";
+  clamavBytecode = builtins.fetchurl "http://database.clamav.net/bytecode.cvd";
+
+in {
+  name = "clamav";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ fpletz ];
+  };
+
+  nodes.machine = { ... }: {
+    virtualisation.memorySize = 1024;
+
+    services.clamav.daemon.enable = true;
+    systemd.services.clamav-daemon.preStart = ''
+      mkdir -p /var/lib/clamav
+      ln -sf ${clamavMain} /var/lib/clamav/main.cvd
+      ln -sf ${clamavDaily} /var/lib/clamav/daily.cvd
+      ln -sf ${clamavBytecode} /var/lib/clamav/bytecode.cvd
+    '';
+  };
+
+  testScript = ''
+    startAll;
+    $machine->waitForUnit("multi-user.target");
+    $machine->waitForUnit("clamav-daemon.service");
+    $machine->waitForFile("/run/clamav/clamd.ctl");
+    $machine->fail("clamdscan ${eicarTestFile}");
+  '';
+})
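Review bot: `$machine->fail("clamdscan ${eicarTestFile}")` passes on any non-zero exit, and clamdscan exits non-zero both when it reports a signature and when it could not scan at all (daemon unreachable, file not readable by the daemon). The test can therefore pass without a detection. Asserting on the report pins the intended outcome, e.g. `$machine->succeed("clamdscan ${eicarTestFile} | grep -q FOUND");`. Separately, the three `builtins.fetchurl` calls fetch the signature databases over plain HTTP at evaluation time with no hash, so unlike `eicarTestFile` they are neither integrity-pinned nor reproducible. If that is deliberate because the databases change daily, a comment above `clamavMain` should say so, e.g. `# unpinned on purpose: the upstream databases are replaced daily`.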
diff --git a/nixos/tests/gitlab.nix b/nixos/tests/gitlab.nix
index f401fe098dcc..16e0dd723ecf 100644
--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@@ -8,7 +8,7 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
 
   nodes = {
     gitlab = { ... }: {
-      virtualisation.memorySize = 2047;
+      virtualisation.memorySize = if pkgs.stdenv.is64bit then 4096 else 2047;
       systemd.services.gitlab.serviceConfig.Restart = mkForce "no";
       systemd.services.gitlab-workhorse.serviceConfig.Restart = mkForce "no";
       systemd.services.gitaly.serviceConfig.Restart = mkForce "no";
diff --git a/nixos/tests/gnome3-gdm.nix b/nixos/tests/gnome3-gdm.nix
index 959030d59880..c2808d87d99d 100644
--- a/nixos/tests/gnome3-gdm.nix
+++ b/nixos/tests/gnome3-gdm.nix
@@ -23,11 +23,21 @@ import ./make-test.nix ({ pkgs, ...} : {
       virtualisation.memorySize = 1024;
     };
 
-  testScript =
-    ''
-      # wait for gdm to start and bring up X
+  testScript = let
+    # Keep line widths somewhat managable
+    bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus";
+    gdbus = "${bus} gdbus";
+    # Call javascript in gnome shell, returns a tuple (success, output), where
+    # `success` is true if the dbus call was successful and output is what the
+    # javascript evaluates to.
+    eval = "call --session -d org.gnome.Shell -o /org/gnome/Shell -m org.gnome.Shell.Eval";
+    # False when startup is done
+    startingUp = "${gdbus} ${eval} Main.layoutManager._startingUp";
+    # Hopefully gnome-terminal's wm class
+    wmClass = "${gdbus} ${eval} global.display.focus_window.wm_class";
+  in ''
+      # wait for gdm to start
       $machine->waitForUnit("display-manager.service");
-      $machine->waitForX;
 
       # wait for alice to be logged in
       $machine->waitForUnit("default.target","alice");
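Review bot: The new `let` block hard-codes uid 1000 in `bus` (`unix:path=/run/user/1000/bus`), and the next hunk does the same in `waitForFile("/run/user/1000/wayland-0")`. Nothing visible in these hunks pins alice's uid, so the assumption should be written down next to `bus`, e.g. `# alice is expected to be uid 1000; adjust if the test user changes`. The comment above `bus` also has a typo: `managable` should be `manageable`. The attribute set this `testScript` belongs to starts and ends outside the hunk.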
@@ -35,10 +45,16 @@ import ./make-test.nix ({ pkgs, ...} : {
       # Check that logging in has given the user ownership of devices.
       $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
 
-      # open a terminal and check it's there
-      $machine->succeed("su - alice -c 'DISPLAY=:0.0 XAUTHORITY=/run/user/\$UID/gdm/Xauthority gnome-terminal'");
-      $machine->succeed("xauth merge /run/user/1000/gdm/Xauthority");
-      $machine->waitForWindow(qr/Terminal/);
+      # Wait for the wayland server
+      $machine->waitForFile("/run/user/1000/wayland-0");
+
+      # Wait for gnome shell, correct output should be "(true, 'false')"
+      $machine->waitUntilSucceeds("su - alice -c '${startingUp} | grep -q true,..false'");
+
+      # open a terminal
+      $machine->succeed("su - alice -c '${bus} gnome-terminal'");
+      # and check it's there
+      $machine->waitUntilSucceeds("su - alice -c '${wmClass} | grep -q gnome-terminal-server'");
 
       # wait to get a nice screenshot
       $machine->sleep(20);
diff --git a/nixos/tests/gnome3.nix b/nixos/tests/gnome3.nix
index 3f0368592b8d..95694ea4828d 100644
--- a/nixos/tests/gnome3.nix
+++ b/nixos/tests/gnome3.nix
@@ -16,7 +16,7 @@ import ./make-test.nix ({ pkgs, ...} : {
       services.xserver.displayManager.lightdm.autoLogin.enable = true;
       services.xserver.displayManager.lightdm.autoLogin.user = "alice";
       services.xserver.desktopManager.gnome3.enable = true;
-      services.xserver.desktopManager.default = "gnome";
+      services.xserver.desktopManager.default = "gnome-xorg";
 
       virtualisation.memorySize = 1024;
     };
@@ -33,7 +33,7 @@ import ./make-test.nix ({ pkgs, ...} : {
 
       $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
       $machine->succeed("xauth merge ~alice/.Xauthority");
-      $machine->waitForWindow(qr/Terminal/);
+      $machine->waitForWindow(qr/alice.*machine/);
       $machine->succeed("timeout 900 bash -c 'while read msg; do if [[ \$msg =~ \"GNOME Shell started\" ]]; then break; fi; done < <(journalctl -f)'");
       $machine->sleep(10);
       $machine->screenshot("screen");
diff --git a/nixos/tests/i3wm.nix b/nixos/tests/i3wm.nix
index e51aee30fdb0..d309f19a0b4a 100644
--- a/nixos/tests/i3wm.nix
+++ b/nixos/tests/i3wm.nix
@@ -28,7 +28,7 @@ import ./make-test.nix ({ pkgs, ...} : {
     $machine->waitForFile("/home/alice/.config/i3/config");
     $machine->sleep(2);
     $machine->sendKeys("alt-ret");
-    $machine->waitForWindow(qr/machine.*alice/);
+    $machine->waitForWindow(qr/alice.*machine/);
     $machine->sleep(2);
     $machine->screenshot("terminal");
   '';
diff --git a/nixos/tests/kubernetes/base.nix b/nixos/tests/kubernetes/base.nix
index b77da3414b34..9d77be131751 100644
--- a/nixos/tests/kubernetes/base.nix
+++ b/nixos/tests/kubernetes/base.nix
@@ -1,6 +1,6 @@
 { system ? builtins.currentSystem,
   config ? {},
-  pkgs ? import ../.. { inherit system config; }
+  pkgs ? import ../../.. { inherit system config; }
 }:
 
 with import ../../lib/testing.nix { inherit system pkgs; };
diff --git a/nixos/tests/kubernetes/kubernetes-common.nix b/nixos/tests/kubernetes/kubernetes-common.nix
index 125c176f1132..87c65b883659 100644
--- a/nixos/tests/kubernetes/kubernetes-common.nix
+++ b/nixos/tests/kubernetes/kubernetes-common.nix
@@ -3,7 +3,6 @@ with pkgs.lib;
 let
   base = {
     inherit roles;
-    featureGates = ["AllAlpha"];
     flannel.enable = true;
     addons.dashboard.enable = true;
 
diff --git a/nixos/tests/owncloud.nix b/nixos/tests/owncloud.nix
deleted file mode 100644
index c968569f2008..000000000000
--- a/nixos/tests/owncloud.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-import ./make-test.nix ({ ... }:
-
-{
-  name = "owncloud";
-  nodes =
-    { web =
-        { ... }:
-        {
-          services.postgresql.enable = true;
-          services.httpd = {
-            enable = true;
-            logPerVirtualHost = true;
-            adminAddr = "example@example.com";
-            virtualHosts = [
-              {
-                hostName = "owncloud";
-                extraSubservices =
-                  [
-                    {
-                      serviceType   = "owncloud";
-                      adminPassword = "secret";
-                      dbPassword    = "secret";
-                    }
-                  ];
-              }
-            ];
-          };
-        };
-    };
-
-  testScript = ''
-    startAll;
-
-    $web->waitForUnit("postgresql");
-    $web->waitForUnit("httpd");
-
-    $web->succeed("curl -L 127.0.0.1:80");
-  '';
-})
diff --git a/nixos/tests/slurm.nix b/nixos/tests/slurm.nix
index 7f9c266cbff6..b4458d8d0954 100644
--- a/nixos/tests/slurm.nix
+++ b/nixos/tests/slurm.nix
@@ -63,6 +63,12 @@ in {
             ensurePermissions = { "slurm_acct_db.*" = "ALL PRIVILEGES"; };
             name = "slurm";
           }];
+          extraOptions = ''
+            # recommendations from: https://slurm.schedmd.com/accounting.html#mysql-configuration
+            innodb_buffer_pool_size=1024M
+            innodb_log_file_size=64M
+            innodb_lock_wait_timeout=900
+          '';
         };
       };
 
@@ -95,6 +101,7 @@ in {
   subtest "can_start_slurmdbd", sub {
     $dbd->succeed("systemctl restart slurmdbd");
     $dbd->waitForUnit("slurmdbd.service");
+    $dbd->waitForOpenPort(6819);
   };
 
   # there needs to be an entry for the current
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 65aa553b3148..4d470126abee 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -56,6 +56,11 @@ import ./make-test.nix {
       $machine->succeed('test -z $(ls -1 /var/log/journal)');
     };
 
+    # Regression test for https://github.com/NixOS/nixpkgs/issues/50273
+    subtest "DynamicUser actually allocates a user", sub {
+        $machine->succeed('systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami | grep iamatest');
+    };
+
     # Regression test for https://github.com/NixOS/nixpkgs/issues/35268
     subtest "file system with x-initrd.mount is not unmounted", sub {
       $machine->shutdown;
diff --git a/nixos/tests/xmonad.nix b/nixos/tests/xmonad.nix
index 61fa7c1a67d3..6d6db6b0ea97 100644
--- a/nixos/tests/xmonad.nix
+++ b/nixos/tests/xmonad.nix
@@ -22,7 +22,7 @@ import ./make-test.nix ({ pkgs, ...} : {
     $machine->waitUntilSucceeds("xmonad --restart");
     $machine->sleep(3);
     $machine->sendKeys("alt-shift-ret");
-    $machine->waitForWindow(qr/machine.*alice/);
+    $machine->waitForWindow(qr/alice.*machine/);
     $machine->sleep(1);
     $machine->screenshot("terminal");
   '';