author | Peter Simons <simons@cryp.to> | 2015-01-19 18:41:17 +0100 |
---|---|---|
committer | Peter Simons <simons@cryp.to> | 2015-01-19 18:41:17 +0100 |
commit | ec6b82a0c2a6bffa2f76a9744105d6d7257c2636 (patch) | |
tree | 9a8fd3d92fd40dc4fa0ca646bc351b8df16e370f /nixos | |
parent | a0bf07827bbf031d90ecb03f4e7345576208214a (diff) | |
parent | d957d9e6bc8c252123a921541ad17eb6041406cd (diff) | |
Merge branch 'master' into staging.
Diffstat (limited to 'nixos')
16 files changed, 247 insertions, 16 deletions
diff --git a/nixos/modules/hardware/video/bumblebee.nix b/nixos/modules/hardware/video/bumblebee.nix index 7b48d9d1fcf5..e20ebc3041e7 100644 --- a/nixos/modules/hardware/video/bumblebee.nix +++ b/nixos/modules/hardware/video/bumblebee.nix @@ -1,7 +1,13 @@ { config, lib, pkgs, ... }: -let kernel = config.boot.kernelPackages; in with lib; +let + kernel = config.boot.kernelPackages; + bumblebee = if config.hardware.bumblebee.connectDisplay + then pkgs.bumblebee_display + else pkgs.bumblebee; + +in { @@ -23,6 +29,17 @@ with lib; type = types.uniq types.str; description = ''Group for bumblebee socket''; }; + hardware.bumblebee.connectDisplay = mkOption { + default = false; + type = types.bool; + description = '' + Set to true if you intend to connect your discrete card to a + monitor. This option will set up your Nvidia card for EDID + discovery and to turn on the monitor signal. + + Only nvidia driver is supported so far. + ''; + }; }; config = mkIf config.hardware.bumblebee.enable { @@ -30,13 +47,13 @@ with lib; boot.kernelModules = [ "bbswitch" ]; boot.extraModulePackages = [ kernel.bbswitch kernel.nvidia_x11 ]; - environment.systemPackages = [ pkgs.bumblebee pkgs.primus ]; + environment.systemPackages = [ bumblebee pkgs.primus ]; systemd.services.bumblebeed = { description = "Bumblebee Hybrid Graphics Switcher"; wantedBy = [ "display-manager.service" ]; script = "bumblebeed --use-syslog -g ${config.hardware.bumblebee.group}"; - path = [ kernel.bbswitch pkgs.bumblebee ]; + path = [ kernel.bbswitch bumblebee ]; serviceConfig = { Restart = "always"; RestartSec = 60; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 9dfc322b9f74..bfb42d40b06e 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh 
@@ -77,6 +77,7 @@ mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/et
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
 mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
+mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index bd9551fa1997..2a2a7b004163 100755
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -54,8 +54,8 @@
 ./misc/version.nix
 ./programs/atop.nix
 ./programs/bash/bash.nix
-./programs/bash/command-not-found.nix
 ./programs/blcr.nix
+./programs/command-not-found/command-not-found.nix
 ./programs/dconf.nix
 ./programs/environment.nix
 ./programs/info.nix
@@ -238,6 +238,7 @@
 ./services/networking/dnscrypt-proxy.nix
 ./services/networking/dnsmasq.nix
 ./services/networking/ejabberd.nix
+./services/networking/firefox/sync-server.nix
 ./services/networking/firewall.nix
 ./services/networking/flashpolicyd.nix
 ./services/networking/freenet.nix
diff --git a/nixos/modules/programs/bash/command-not-found.nix b/nixos/modules/programs/command-not-found/command-not-found.nix
index 8c86d48b0808..bead2dcdcf90 100644
--- a/nixos/modules/programs/bash/command-not-found.nix
+++ b/nixos/modules/programs/command-not-found/command-not-found.nix
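Review bot: `mkdir -m 0700 -p $mountPoint/root` applies the mode only when it creates the directory, so a /root that already exists on a reused target filesystem keeps whatever mode it had. The stage-2-init.sh hunk in this merge adds an explicit `chmod 0700 /root` for exactly that reason, and the installer should mirror it with `chmod 0700 $mountPoint/root` on the line after the mkdir. The check added to nixos/tests/installer.nix runs on the booted system, where stage-2 has already fixed the mode, so it would presumably not notice the installer-side gap on its own.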
@@ -44,6 +44,26 @@ in
 }
 '';
+ programs.zsh.interactiveShellInit =
+ ''
+ # This function is called whenever a command is not found.
+ command_not_found_handler() {
+ local p=/run/current-system/sw/bin/command-not-found
+ if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
+ # Run the helper program.
+ $p "$1"
+
+ # Retry the command if we just installed it.
+ if [ $? = 126 ]; then
+ "$@"
+ fi
+ else
+ # Indicate than there was an error so ZSH falls back to its default handler
+ return 127
+ fi
+ }
+ '';
+
 environment.systemPackages = [ commandNotFound ];
 # TODO: tab completion for uninstalled commands! :-)
diff --git a/nixos/modules/programs/bash/command-not-found.pl b/nixos/modules/programs/command-not-found/command-not-found.pl
index 916649059d37..916649059d37 100644
--- a/nixos/modules/programs/bash/command-not-found.pl
+++ b/nixos/modules/programs/command-not-found/command-not-found.pl
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 1fb7102e7f3e..50ff1b38db12 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -45,8 +45,6 @@ let
 pop3_uidl_format = %08Xv%08Xu
 '' + cfg.extraConfig;
- confFile = pkgs.writeText "dovecot.conf" dovecotConf;
-
 in
 {
@@ -88,6 +86,12 @@ in
 description = "Additional entries to put verbatim into Dovecot's config file.";
 };
+ configFile = mkOption {
+ default = null;
+ description = "Config file used for the whole dovecot configuration.";
+ apply = v: if v != null then v else pkgs.writeText "dovecot.conf" dovecotConf;
+ };
+
 mailLocation = mkOption {
 default = "maildir:/var/spool/mail/%u"; /* Same as inbox, as postfix */
 example = "maildir:~/mail:INBOX=/var/spool/mail/%u";
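Review bot: The new `configFile` option in dovecot.nix declares no `type`, so any value is accepted and merged without checking, although the later hunk splices it straight into `-c ${cfg.configFile}`; `type = types.nullOr types.path;` matches that use. The description should also state what the default does: with `null`, the `apply` function writes the generated config to the Nix store via `pkgs.writeText`, where it is world-readable, so a config carrying credentials should be supplied through `configFile` as a file outside the store. Suggested wording: `Path to a complete dovecot.conf. When null (the default), the configuration is generated from the other options into the Nix store.`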
@@ -144,10 +148,11 @@ in
 gid = config.ids.gids.dovecot2;
 };
- jobs.dovecot2 =
+ systemd.services.dovecot2 =
 { description = "Dovecot IMAP/POP3 server";
- startOn = "started networking";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
 preStart =
 ''
@@ -155,7 +160,13 @@ in
 ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/run/dovecot2
 '';
- exec = "${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}";
+ serviceConfig = {
+ ExecStart = "${pkgs.dovecot}/sbin/dovecot -F -c ${cfg.configFile}";
+ Restart = "on-failure";
+ RestartSec = "1s";
+ StartLimitInterval = "1min";
+ };
+
 };
 environment.systemPackages = [ pkgs.dovecot ];
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix
new file mode 100644
index 000000000000..79f32f3358cb
--- /dev/null
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -0,0 +1,142 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.firefox.syncserver; + syncServerIni = pkgs.writeText "syncserver.ini" '' + [DEFAULT] + overrides = ${cfg.privateConfig} + + [server:main] + use = egg:Paste#http + host = ${cfg.listen.address} + port = ${toString cfg.listen.port} + + [app:main] + use = egg:syncserver + + [syncserver] + public_url = ${cfg.publicUrl} + ${optionalString (cfg.sqlUri != "") "sqluri = ${cfg.sqlUri}"} + allow_new_users = ${if cfg.allowNewUsers then "true" else "false"} + + [browserid] + backend = tokenserver.verifiers.LocalVerifier + audiences = ${removeSuffix "/" cfg.publicUrl} + ''; +in + +{ + options = { + services.firefox.syncserver = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether to enable a Firefox Sync Server, this give the opportunity to + Firefox users to store all synchronized data on their own server. To use this + server, Firefox users should visit the <option>about:config</option>, and + replicate the following change + + <screen> + services.sync.tokenServerURI: http://localhost:5000/token/1.0/sync/1.5 + </screen> + + where <option>http://localhost:5000/</option> corresponds to the + public url of the server. + ''; + }; + + listen.address = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "0.0.0.0"; + description = '' + Address on which the sync server listen to. + ''; + }; + + listen.port = mkOption { + type = types.int; + default = 5000; + description = '' + Port on which the sync server listen to. + ''; + }; + + publicUrl = mkOption { + type = types.str; + default = "http://localhost:5000/"; + example = "http://sync.example.com/"; + description = '' + Public URL with which firefox users can use to access the sync server. + ''; + }; + + allowNewUsers = mkOption { + type = types.bool; + default = true; + example = false; + description = '' + Whether to allow new-user signups on the server. 
Only request by + existing accounts will be honored. + ''; + }; + + sqlUri = mkOption { + type = types.str; + default = "sqlite:////var/db/firefox-sync-server.db"; + example = "postgresql://scott:tiger@localhost/test"; + description = '' + The location of the database. This URL is composed of + <option>dialect[+driver]://user:password@host/dbname[?key=value..]</option>, + where <option>dialect</option> is a database name such as + <option>mysql</option>, <option>oracle</option>, <option>postgresql</option>, + etc., and <option>driver</option> the name of a DBAPI, such as + <option>psycopg2</option>, <option>pyodbc</option>, <option>cx_oracle</option>, + etc. The <link + xlink:href="http://docs.sqlalchemy.org/en/rel_0_9/core/engines.html#database-urls"> + SQLAlchemy documentation</link> provides more examples and describe the syntax of + the expected URL. + ''; + }; + + privateConfig = mkOption { + type = types.str; + default = "/etc/firefox/syncserver-secret.ini"; + description = '' + The private config file is used to extend the generated config with confidential + information, such as the <option>syncserver.sqlUri</option> setting if it contains a + password, and the <option>syncserver.secret</option> setting is used by the server to + generate cryptographically-signed authentication tokens. + + If this file does not exists, then it is created with a generated + <option>syncserver.secret</option> settings. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.services.syncserver = { + after = [ "network.target" ]; + description = "Firefox Sync Server"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ]; + environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages"; + preStart = '' + if ! 
test -e ${cfg.privateConfig}; then + umask u=rwx,g=x,o=x + mkdir -p $(dirname ${cfg.privateConfig}) + echo > ${cfg.privateConfig} '[syncserver]' + echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" + fi + ''; + serviceConfig.ExecStart = "paster serve ${syncServerIni}"; + }; + + }; +} diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index bb3bf2519d42..679aa81a13da 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -4,7 +4,7 @@ with lib; let - inherit (pkgs) cups; + inherit (pkgs) cups cups_filters; cfg = config.services.printing; @@ -123,6 +123,19 @@ in ''; }; + browsedConf = mkOption { + type = types.lines; + default = ""; + example = + '' + BrowsePoll cups.example.com + ''; + description = '' + The contents of the configuration. file of the CUPS Browsed daemon + (<filename>cups-browsed.conf</filename>) + ''; + }; + drivers = mkOption { type = types.listOf types.path; example = literalExample "[ pkgs.splix ]"; @@ -161,6 +174,7 @@ in environment.etc."cups/client.conf".text = cfg.clientConf; environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf; environment.etc."cups/cupsd.conf".text = cfg.cupsdConf; + environment.etc."cups/cups-browsed.conf".text = cfg.browsedConf; services.dbus.packages = [ cups ]; @@ -195,6 +209,22 @@ in ]; }; + systemd.services.cups-browsed = + { description = "Make remote CUPS printers available locally"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "cups.service" "avahi-daemon.service" ]; + after = [ "cups.service" "avahi-daemon.service" ]; + + path = [ cups ]; + + serviceConfig.ExecStart = "${cups_filters}/bin/cups-browsed"; + + restartTriggers = + [ config.environment.etc."cups/cups-browsed.conf".source + ]; + }; + services.printing.drivers = [ cups pkgs.ghostscript pkgs.cups_filters additionalBackends pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep 
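Review bot: The new `systemd.services.syncserver` unit sets no `User`, so `paster serve` and the sync server itself run as root while listening on `listen.address`:`listen.port`; a dedicated service user would be the usual shape here, with the `preStart` (which already runs first) creating `privateConfig` and the directory of the default sqlite path with matching ownership. Separately, `syncServerIni` is produced by `pkgs.writeText`, so whatever `sqlUri` holds — including the `user:password@host` form its example shows — lands in the world-readable Nix store; the `privateConfig` description already names that file as the place for such values, and the `sqlUri` description should say so explicitly, e.g. `This value is written to the Nix store; put a URI containing a password in privateConfig instead.` The secret generation under `umask u=rwx,g=x,o=x` yields a mode 0600 file, which is appropriate for that material.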
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 3762bda94a5c..356a440b17ac 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -91,6 +91,7 @@ mkdir -m 01777 -p /tmp
 mkdir -m 0755 -p /var /var/log /var/lib /var/db
 mkdir -m 0755 -p /nix/var
 mkdir -m 0700 -p /root
+chmod 0700 /root
 mkdir -m 0755 -p /bin # for the /bin/sh symlink
 mkdir -m 0755 -p /home
 mkdir -m 0755 -p /etc/nixos
diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix
index 20851c626d75..2f4786c78966 100644
--- a/nixos/modules/system/boot/systemd-unit-options.nix
+++ b/nixos/modules/system/boot/systemd-unit-options.nix
@@ -58,7 +58,7 @@ let
 "simple" "forking" "oneshot" "dbus" "notify" "idle"
 ])
 (assertValueOneOf "Restart" [
- "no" "on-success" "on-failure" "on-abort" "always"
+ "no" "on-success" "on-failure" "on-abnormal" "on-abort" "always"
 ])
 ];
diff --git a/nixos/modules/system/etc/setup-etc.pl b/nixos/modules/system/etc/setup-etc.pl
index d7e15eccefcd..89a49b972ff9 100644
--- a/nixos/modules/system/etc/setup-etc.pl
+++ b/nixos/modules/system/etc/setup-etc.pl
@@ -12,8 +12,8 @@ sub atomicSymlink {
 my ($source, $target) = @_;
 my $tmp = "$target.tmp";
 unlink $tmp;
- symlink $source, $tmp or return 1;
- rename $tmp, $target or return 1;
+ symlink $source, $tmp or return 0;
+ rename $tmp, $target or return 0;
 return 1;
 }
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 4b4284d85319..f37bbd0246da 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -38,6 +38,11 @@ let kernel = config.boot.kernelPackages.kernel; in
 systemd.services."serial-getty@ttyS0".enable = false;
 systemd.services."serial-getty@hvc0".enable = false;
+ # Don't use a pager when executing backdoor actions. Because we
+ # use a tty, commands like systemctl or nix-store get confused
+ # into thinking they're running interactively.
+ environment.variables.PAGER = "";
+
 boot.initrd.postDeviceCommands =
 ''
 # Using acpi_pm as a clock source causes the guest clock to
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 3b7f3e248d5a..075ec0ea2277 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -194,7 +194,7 @@ in
 script =
 ''
 mkdir -p -m 0755 "$root/etc" "$root/var/lib"
- mkdir -p -m 0700 "$root/var/lib/private"
+ mkdir -p -m 0700 "$root/var/lib/private" "$root/root"
 if ! [ -e "$root/etc/os-release" ]; then
 touch "$root/etc/os-release"
 fi
diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix
index 93a83a3e42af..15114b1e76ac 100644
--- a/nixos/modules/virtualisation/ec2-data.nix
+++ b/nixos/modules/virtualisation/ec2-data.nix
@@ -44,7 +44,7 @@ with lib;
 # into the image (a Nova feature).
 if ! [ -e /root/.ssh/authorized_keys ]; then
 echo "obtaining SSH key..."
- mkdir -p /root/.ssh
+ mkdir -m 0700 -p /root/.ssh
 $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub
 if [ $? -eq 0 -a -e /root/key.pub ]; then
 if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 41c7dd62f3ed..4d493b3896f2 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
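Review bot: In the ec2-data.nix hunk, `mkdir -m 0700 -p /root/.ssh` sets the mode only when it creates the directory; the guard on the line above only checks for authorized_keys, so a pre-existing /root/.ssh without that file keeps its old mode. Adding `chmod 0700 /root/.ssh` on the line after the mkdir makes the intent hold on both paths. The google-compute-image.nix hunk that follows has the same pattern and the same fix. How authorized_keys itself is written lies outside both hunks, so its file mode presumably depends on the umask in effect there — worth confirming alongside this change.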
@@ -139,7 +139,7 @@ in
 # Don't download the SSH key if it has already been downloaded
 if ! [ -e /root/.ssh/authorized_keys ]; then
 echo "obtaining SSH key..."
- mkdir -p /root/.ssh
+ mkdir -m 0700 -p /root/.ssh
 ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys
 if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then
 cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 641ff924e14e..af9e6365a9fe 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -190,6 +190,9 @@ let
 $machine->succeed("test -e /boot/grub");
+ # Check whether /root has correct permissions.
+ $machine->succeed("stat -c '%a' /root") =~ /700/ or die;
+
 # Did the swap device get activated?
 # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved
 #$machine->waitForUnit("swap.target");
|