diff options
author | Alyssa Ross <hi@alyssa.is> | 2020-01-26 23:38:55 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-01-26 23:38:55 +0000 |
commit | 02e12559a420f8c544b2facc4931904900a05518 (patch) | |
tree | ba39d8fa9e874b935d204e74accfed5caaccf0fa /nixpkgs/nixos | |
parent | 542f80867c380b0ac79250b6e5358dda8bc49e0d (diff) | |
parent | 3d085a399c436a41d875801619e8f976b8519196 (diff) | |
download | nixlib-02e12559a420f8c544b2facc4931904900a05518.tar nixlib-02e12559a420f8c544b2facc4931904900a05518.tar.gz nixlib-02e12559a420f8c544b2facc4931904900a05518.tar.bz2 nixlib-02e12559a420f8c544b2facc4931904900a05518.tar.lz nixlib-02e12559a420f8c544b2facc4931904900a05518.tar.xz nixlib-02e12559a420f8c544b2facc4931904900a05518.tar.zst nixlib-02e12559a420f8c544b2facc4931904900a05518.zip |
Merge commit '3d085a399c436a41d875801619e8f976b8519196'
Diffstat (limited to 'nixpkgs/nixos')
22 files changed, 482 insertions, 122 deletions
diff --git a/nixpkgs/nixos/doc/manual/man-nixos-install.xml b/nixpkgs/nixos/doc/manual/man-nixos-install.xml index 0752c397182f..9255ce763efe 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-install.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-install.xml @@ -210,7 +210,7 @@ The closure must be an appropriately configured NixOS system, with boot loader and partition configuration that fits the target host. Such a closure is typically obtained with a command such as <command>nix-build - -I nixos-config=./configuration.nix '<nixos>' -A system + -I nixos-config=./configuration.nix '<nixpkgs/nixos>' -A system --no-out-link</command> </para> </listitem> diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index ddbd3963cc57..8a85035ceb7c 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix @@ -6,6 +6,7 @@ let cfg = config.system.nixos; gitRepo = "${toString pkgs.path}/.git"; + gitRepoValid = lib.pathIsGitRepo gitRepo; gitCommitId = lib.substring 0 7 (commitIdFromGitRepo gitRepo); in @@ -91,8 +92,8 @@ in # These defaults are set here rather than up there so that # changing them would not rebuild the manual version = mkDefault (cfg.release + cfg.versionSuffix); - revision = mkIf (pathExists gitRepo) (mkDefault gitCommitId); - versionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId)); + revision = mkIf gitRepoValid (mkDefault gitCommitId); + versionSuffix = mkIf gitRepoValid (mkDefault (".git." + gitCommitId)); }; # Generate /etc/os-release. See diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 58628cf8c0bd..2944c9868c9b 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -807,6 +807,7 @@ ./services/web-apps/codimd.nix ./services/web-apps/cryptpad.nix ./services/web-apps/documize.nix + ./services/web-apps/dokuwiki.nix ./services/web-apps/frab.nix ./services/web-apps/gotify-server.nix ./services/web-apps/icingaweb2/icingaweb2.nix diff --git a/nixpkgs/nixos/modules/programs/gnupg.nix b/nixpkgs/nixos/modules/programs/gnupg.nix index 2d262d906579..7a3cb588ee71 100644 --- a/nixpkgs/nixos/modules/programs/gnupg.nix +++ b/nixpkgs/nixos/modules/programs/gnupg.nix @@ -96,7 +96,7 @@ in # This overrides the systemd user unit shipped with the gnupg package systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) { serviceConfig.ExecStart = [ "" '' - ${pkgs.gnupg}/bin/gpg-agent --supervised \ + ${cfg.package}/bin/gpg-agent --supervised \ --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry '' ]; }; diff --git a/nixpkgs/nixos/modules/programs/sway.nix b/nixpkgs/nixos/modules/programs/sway.nix index 33e252be45f8..7e646f8737d6 100644 --- a/nixpkgs/nixos/modules/programs/sway.nix +++ b/nixpkgs/nixos/modules/programs/sway.nix @@ -87,7 +87,8 @@ in { type = with types; listOf package; default = with pkgs; [ swaylock swayidle - xwayland rxvt_unicode dmenu + xwayland alacritty dmenu + rxvt_unicode # For backward compatibility (old default terminal) ]; defaultText = literalExample '' with pkgs; [ swaylock swayidle xwayland rxvt_unicode dmenu ]; diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix index cca98c43dc7a..8fa108c4f9df 100644 --- a/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix +++ b/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix @@ -18,6 +18,9 @@ with lib; description = '' Whether to enable at-spi2-core, a service for the Assistive Technologies available on the GNOME platform. + + Enable this if you get the error or warning + <literal>The name org.a11y.Bus was not provided by any .service files</literal>. ''; }; diff --git a/nixpkgs/nixos/modules/services/mail/roundcube.nix b/nixpkgs/nixos/modules/services/mail/roundcube.nix index 36dda619ad06..0bb0eaedad50 100644 --- a/nixpkgs/nixos/modules/services/mail/roundcube.nix +++ b/nixpkgs/nixos/modules/services/mail/roundcube.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.roundcube; fpm = config.services.phpfpm.pools.roundcube; + localDB = cfg.database.host == "localhost"; + user = cfg.database.username; in { options.services.roundcube = { @@ -44,7 +46,10 @@ in username = mkOption { type = types.str; default = "roundcube"; - description = "Username for the postgresql connection"; + description = '' + Username for the postgresql connection. + If <literal>database.host</literal> is set to <literal>localhost</literal>, a unix user and group of the same name will be created as well. + ''; }; host = mkOption { type = types.str; @@ -58,7 +63,12 @@ in }; password = mkOption { type = types.str; - description = "Password for the postgresql connection"; + description = "Password for the postgresql connection. Do not use: the password will be stored world readable in the store; use <literal>passwordFile</literal> instead."; + default = ""; + }; + passwordFile = mkOption { + type = types.str; + description = "Password file for the postgresql connection. Must be readable by user <literal>nginx</literal>. Ignored if <literal>database.host</literal> is set to <literal>localhost</literal>, as peer authentication will be used."; }; dbname = mkOption { type = types.str; @@ -83,14 +93,22 @@ in }; config = mkIf cfg.enable { + # backward compatibility: if password is set but not passwordFile, make one. + services.roundcube.database.passwordFile = mkIf (!localDB && cfg.database.password != "") (mkDefault ("${pkgs.writeText "roundcube-password" cfg.database.password}")); + warnings = lib.optional (!localDB && cfg.database.password != "") "services.roundcube.database.password is deprecated and insecure; use services.roundcube.database.passwordFile instead"; + environment.etc."roundcube/config.inc.php".text = '' <?php + ${lib.optionalString (!localDB) "$password = file_get_contents('${cfg.database.passwordFile}');"} + $config = array(); - $config['db_dsnw'] = 'pgsql://${cfg.database.username}:${cfg.database.password}@${cfg.database.host}/${cfg.database.dbname}'; + $config['db_dsnw'] = 'pgsql://${cfg.database.username}${lib.optionalString (!localDB) ":' . $password . '"}@${if localDB then "unix(/run/postgresql)" else cfg.database.host}/${cfg.database.dbname}'; $config['log_driver'] = 'syslog'; $config['max_message_size'] = '25M'; $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}]; + $config['des_key'] = file_get_contents('/var/lib/roundcube/des_key'); + $config['mime_types'] = '${pkgs.nginx}/conf/mime.types'; ${cfg.extraConfig} ''; @@ -116,12 +134,26 @@ in }; }; - services.postgresql = mkIf (cfg.database.host == "localhost") { + services.postgresql = mkIf localDB { enable = true; + ensureDatabases = [ cfg.database.dbname ]; + ensureUsers = [ { + name = cfg.database.username; + ensurePermissions = { + "DATABASE ${cfg.database.username}" = "ALL PRIVILEGES"; + }; + } ]; + }; + + users.users.${user} = mkIf localDB { + group = user; + isSystemUser = true; + createHome = false; }; + users.groups.${user} = mkIf localDB {}; services.phpfpm.pools.roundcube = { - user = "nginx"; + user = if localDB then user else "nginx"; phpOptions = '' error_log = 'stderr' log_errors = on @@ -143,9 +175,7 @@ in }; systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ]; - systemd.services.roundcube-setup = let - pgSuperUser = config.services.postgresql.superUser; - in mkMerge [ + systemd.services.roundcube-setup = mkMerge [ (mkIf (cfg.database.host == "localhost") { requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; @@ -153,22 +183,31 @@ in }) { wantedBy = [ "multi-user.target" ]; - script = '' - mkdir -p /var/lib/roundcube - if [ ! -f /var/lib/roundcube/db-created ]; then - if [ "${cfg.database.host}" = "localhost" ]; then - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'"; - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}"; - fi - PGPASSWORD="${cfg.database.password}" ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \ - -f ${cfg.package}/SQL/postgres.initial.sql \ - -h ${cfg.database.host} ${cfg.database.dbname} - touch /var/lib/roundcube/db-created + script = let + psql = "${lib.optionalString (!localDB) "PGPASSFILE=${cfg.database.passwordFile}"} ${pkgs.postgresql}/bin/psql ${lib.optionalString (!localDB) "-h ${cfg.database.host} -U ${cfg.database.username} "} ${cfg.database.dbname}"; + in + '' + version="$(${psql} -t <<< "select value from system where name = 'roundcube-version';" || true)" + if ! (grep -E '[a-zA-Z0-9]' <<< "$version"); then + ${psql} -f ${cfg.package}/SQL/postgres.initial.sql + fi + + if [ ! -f /var/lib/roundcube/des_key ]; then + base64 /dev/urandom | head -c 24 > /var/lib/roundcube/des_key; + # we need to log out everyone in case change the des_key + # from the default when upgrading from nixos 19.09 + ${psql} <<< 'TRUNCATE TABLE session;' fi ${pkgs.php}/bin/php ${cfg.package}/bin/update.sh ''; - serviceConfig.Type = "oneshot"; + serviceConfig = { + Type = "oneshot"; + StateDirectory = "roundcube"; + User = if localDB then user else "nginx"; + # so that the des_key is not world readable + StateDirectoryMode = "0700"; + }; } ]; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix index 9af6b1d94f37..2e8433fbc888 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix @@ -18,7 +18,7 @@ let in checkedConfig yml; cmdlineArgs = cfg.extraFlags ++ [ - "--config.file ${alertmanagerYml}" + "--config.file /tmp/alert-manager-substituted.yaml" "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}" "--log.level ${cfg.logLevel}" ] ++ (optional (cfg.webExternalUrl != null) @@ -127,6 +127,18 @@ in { Extra commandline options when launching the Alertmanager. ''; }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/root/alertmanager.env"; + description = '' + File to load as environment file. Environment variables + from this file will be interpolated into the config file + using envsubst with this syntax: + <literal>$ENVIRONMENT ''${VARIABLE}</literal> + ''; + }; }; }; @@ -144,9 +156,14 @@ in { systemd.services.alertmanager = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; + preStart = '' + ${lib.getBin pkgs.envsubst}/bin/envsubst -o /tmp/alert-manager-substituted.yaml" \ + -i ${alertmanagerYml}" + ''; serviceConfig = { Restart = "always"; - DynamicUser = true; + DynamicUser = true; # implies PrivateTmp + EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; WorkingDirectory = "/tmp"; ExecStart = "${cfg.package}/bin/alertmanager" + optionalString (length cmdlineArgs != 0) (" \\\n " + diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix index f40819e826b0..d50564717eaf 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix @@ -74,7 +74,7 @@ in then "--systemd.slice ${cfg.systemd.slice}" else "--systemd.unit ${cfg.systemd.unit}") ++ optional (cfg.systemd.enable && (cfg.systemd.journalPath != null)) - "--systemd.jounal_path ${cfg.systemd.journalPath}" + "--systemd.journal_path ${cfg.systemd.journalPath}" ++ optional (!cfg.systemd.enable) "--postfix.logfile_path ${cfg.logfilePath}")} ''; }; diff --git a/nixpkgs/nixos/modules/services/networking/knot.nix b/nixpkgs/nixos/modules/services/networking/knot.nix index 1cc1dd3f2f62..47364ecb8464 100644 --- a/nixpkgs/nixos/modules/services/networking/knot.nix +++ b/nixpkgs/nixos/modules/services/networking/knot.nix @@ -56,6 +56,7 @@ in { package = mkOption { type = types.package; default = pkgs.knot-dns; + defaultText = "pkgs.knot-dns"; description = '' Which Knot DNS package to use ''; @@ -92,4 +93,3 @@ in { environment.systemPackages = [ knot-cli-wrappers ]; }; } - diff --git a/nixpkgs/nixos/modules/services/networking/kresd.nix b/nixpkgs/nixos/modules/services/networking/kresd.nix index 5eb50a13ca9a..bb941e93e150 100644 --- a/nixpkgs/nixos/modules/services/networking/kresd.nix +++ b/nixpkgs/nixos/modules/services/networking/kresd.nix @@ -5,12 +5,15 @@ with lib; let cfg = config.services.kresd; - package = pkgs.knot-resolver; + configFile = pkgs.writeText "kresd.conf" '' + ${optionalString (cfg.listenDoH != []) "modules.load('http')"} + ${cfg.extraConfig}; + ''; - configFile = pkgs.writeText "kresd.conf" cfg.extraConfig; -in - -{ + package = pkgs.knot-resolver.override { + extraFeatures = cfg.listenDoH != []; + }; +in { meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; imports = [ @@ -67,6 +70,15 @@ in For detailed syntax see ListenStream in man systemd.socket. ''; }; + listenDoH = mkOption { + type = with types; listOf str; + default = []; + example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ]; + description = '' + Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 7858). + For detailed syntax see ListenStream in man systemd.socket. + ''; + }; # TODO: perhaps options for more common stuff like cache size or forwarding }; @@ -104,6 +116,18 @@ in }; }; + systemd.sockets.kresd-doh = mkIf (cfg.listenDoH != []) rec { + wantedBy = [ "sockets.target" ]; + before = wantedBy; + partOf = [ "kresd.socket" ]; + listenStreams = cfg.listenDoH; + socketConfig = { + FileDescriptorName = "doh"; + FreeBind = true; + Service = "kresd.service"; + }; + }; + systemd.sockets.kresd-control = rec { wantedBy = [ "sockets.target" ]; before = wantedBy; diff --git a/nixpkgs/nixos/modules/services/search/solr.nix b/nixpkgs/nixos/modules/services/search/solr.nix index b2176225493e..a8615a20a1cf 100644 --- a/nixpkgs/nixos/modules/services/search/solr.nix +++ b/nixpkgs/nixos/modules/services/search/solr.nix @@ -13,19 +13,11 @@ in services.solr = { enable = mkEnableOption "Solr"; - # default to the 8.x series not forcing major version upgrade of those on the 7.x series package = mkOption { type = types.package; - default = if versionAtLeast config.system.stateVersion "19.09" - then pkgs.solr_8 - else pkgs.solr_7 - ; + default = pkgs.solr; defaultText = "pkgs.solr"; - description = '' - Which Solr package to use. This defaults to version 7.x if - <literal>system.stateVersion < 19.09</literal> and version 8.x - otherwise. - ''; + description = "Which Solr package to use."; }; port = mkOption { diff --git a/nixpkgs/nixos/modules/services/security/vault.nix b/nixpkgs/nixos/modules/services/security/vault.nix index b0ab8fadcbec..6a8a3a93327e 100644 --- a/nixpkgs/nixos/modules/services/security/vault.nix +++ b/nixpkgs/nixos/modules/services/security/vault.nix @@ -135,6 +135,7 @@ in User = "vault"; Group = "vault"; ExecStart = "${cfg.package}/bin/vault server -config ${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; PrivateDevices = true; PrivateTmp = true; ProtectSystem = "full"; diff --git a/nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix b/nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix new file mode 100644 index 000000000000..07af7aa0dfec --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix @@ -0,0 +1,272 @@ +{ config, lib, pkgs, ... }: + +let + + inherit (lib) mkEnableOption mkForce mkIf mkMerge mkOption optionalAttrs recursiveUpdate types; + + cfg = config.services.dokuwiki; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + dokuwikiAclAuthConfig = pkgs.writeText "acl.auth.php" '' + # acl.auth.php + # <?php exit()?> + # + # Access Control Lists + # + ${toString cfg.acl} + ''; + + dokuwikiLocalConfig = pkgs.writeText "local.php" '' + <?php + $conf['savedir'] = '${cfg.stateDir}'; + $conf['superuser'] = '${toString cfg.superUser}'; + $conf['useacl'] = '${toString cfg.aclUse}'; + ${toString cfg.extraConfig} + ''; + + dokuwikiPluginsLocalConfig = pkgs.writeText "plugins.local.php" '' + <?php + ${cfg.pluginsConfig} + ''; + +in +{ + options.services.dokuwiki = { + enable = mkEnableOption "DokuWiki web application."; + + hostName = mkOption { + type = types.str; + default = "localhost"; + description = "FQDN for the instance."; + }; + + stateDir = mkOption { + type = types.path; + default = "/var/lib/dokuwiki/data"; + description = "Location of the dokuwiki state directory."; + }; + + acl = mkOption { + type = types.nullOr types.lines; + default = null; + example = "* @ALL 8"; + description = '' + Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/> + Mutually exclusive with services.dokuwiki.aclFile + Set this to a value other than null to take precedence over aclFile option. + ''; + }; + + aclFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl + Mutually exclusive with services.dokuwiki.acl which is preferred. + Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions. + Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/> + ''; + }; + + aclUse = mkOption { + type = types.bool; + default = true; + description = '' + Necessary for users to log in into the system. + Also limits anonymous users. When disabled, + everyone is able to create and edit content. + ''; + }; + + pluginsConfig = mkOption { + type = types.lines; + default = '' + $plugins['authad'] = 0; + $plugins['authldap'] = 0; + $plugins['authmysql'] = 0; + $plugins['authpgsql'] = 0; + ''; + description = '' + List of the dokuwiki (un)loaded plugins. + ''; + }; + + superUser = mkOption { + type = types.nullOr types.str; + default = "@admin"; + description = '' + You can set either a username, a list of usernames (“admin1,admin2”), + or the name of a group by prepending an @ char to the groupname + Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions. + ''; + }; + + usersFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Location of the dokuwiki users file. List of users. Format: + login:passwordhash:Real Name:email:groups,comma,separated + Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1` + Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/> + ''; + }; + + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + example = '' + $conf['title'] = 'My Wiki'; + $conf['userewrite'] = 1; + ''; + description = '' + DokuWiki configuration. Refer to + <link xlink:href="https://www.dokuwiki.org/config"/> + for details on supported values. + ''; + }; + + poolConfig = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + }; + description = '' + Options for the dokuwiki PHP pool. See the documentation on <literal>php-fpm.conf</literal> + for details on configuration directives. + ''; + }; + + nginx = mkOption { + type = types.submodule ( + recursiveUpdate + (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) + { + # Enable encryption by default, + options.forceSSL.default = true; + options.enableACME.default = true; + } + ); + default = {forceSSL = true; enableACME = true;}; + example = { + serverAliases = [ + "wiki.\${config.networking.domain}" + ]; + enableACME = false; + }; + description = '' + With this option, you can customize the nginx virtualHost which already has sensible defaults for DokuWiki. + ''; + }; + }; + + # implementation + + config = mkIf cfg.enable { + + warnings = mkIf (cfg.superUser == null) ["Not setting services.dokuwiki.superUser will impair your ability to administer DokuWiki"]; + + assertions = [ + { + assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null); + message = "Either services.dokuwiki.acl or services.dokuwiki.aclFile is mandatory when aclUse is true"; + } + { + assertion = cfg.usersFile != null -> cfg.aclUse != false; + message = "services.dokuwiki.aclUse must be true when usersFile is not null"; + } + ]; + + services.phpfpm.pools.dokuwiki = { + inherit user; + inherit group; + phpEnv = { + DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig}"; + DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig}"; + } //optionalAttrs (cfg.usersFile != null) { + DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; + } //optionalAttrs (cfg.aclUse) { + DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig}" else "${toString cfg.aclFile}"; + }; + + settings = { + "listen.mode" = "0660"; + "listen.owner" = user; + "listen.group" = group; + } // cfg.poolConfig; + }; + + services.nginx = { + enable = true; + + virtualHosts = { + ${cfg.hostName} = mkMerge [ cfg.nginx { + root = mkForce "${pkgs.dokuwiki}/share/dokuwiki/"; + extraConfig = "fastcgi_param HTTPS on;"; + + locations."~ /(conf/|bin/|inc/|install.php)" = { + extraConfig = "deny all;"; + }; + + locations."~ ^/data/" = { + root = "${cfg.stateDir}"; + extraConfig = "internal;"; + }; + + locations."~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + + locations."/" = { + priority = 1; + index = "doku.php"; + extraConfig = ''try_files $uri $uri/ @dokuwiki;''; + }; + + locations."@dokuwiki" = { + extraConfig = '' + # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1&$args last; + ''; + }; + + locations."~ \.php$" = { + extraConfig = '' + try_files $uri $uri/ /doku.php; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:${config.services.phpfpm.pools.dokuwiki.socket}; + fastcgi_param HTTPS on; + ''; + }; + }]; + }; + + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.stateDir}/attic 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/cache 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/index 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/locks 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/media 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/media_attic 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/media_meta 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/meta 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/pages 0750 ${user} ${group} - -" + "d ${cfg.stateDir}/tmp 0750 ${user} ${group} - -" + ]; + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix index b0b837cd1929..f8a18954fc99 100644 --- a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix @@ -130,8 +130,10 @@ in { }; users.users = optionalAttrs (cfg.user == "unit") { - unit.group = cfg.group; - isSystemUser = true; + unit = { + group = cfg.group; + isSystemUser = true; + }; }; users.groups = optionalAttrs (cfg.group == "unit") { diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix index a08b1947f65b..21f59074f3ae 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -127,14 +127,9 @@ in "/share/gtksourceview-4.0" ]; - services.xserver.desktopManager.session = [{ - name = "xfce"; - bgSupport = true; - start = '' - ${pkgs.runtimeShell} ${pkgs.xfce.xfce4-session.xinitrc} & - waitPID=$! - ''; - }]; + services.xserver.displayManager.sessionPackages = [ + pkgs.xfce.xfce4-session + ]; services.xserver.updateDbusEnvironment = true; services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; diff --git a/nixpkgs/nixos/modules/virtualisation/amazon-init.nix b/nixpkgs/nixos/modules/virtualisation/amazon-init.nix index 8032b2c6d7ca..8c12e0e49bf5 100644 --- a/nixpkgs/nixos/modules/virtualisation/amazon-init.nix +++ b/nixpkgs/nixos/modules/virtualisation/amazon-init.nix @@ -7,8 +7,8 @@ let echo "attempting to fetch configuration from EC2 user data..." export HOME=/root - export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild]}:$PATH - export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels + export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused config.system.build.nixos-rebuild]}:$PATH + export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels userData=/etc/ec2-metadata/user-data @@ -18,9 +18,9 @@ let # that as the channel. if sed '/^\(#\|SSH_HOST_.*\)/d' < "$userData" | grep -q '\S'; then channels="$(grep '^###' "$userData" | sed 's|###\s*||')" - printf "%s" "$channels" | while read channel; do + while IFS= read -r channel; do echo "writing channel: $channel" - done + done < <(printf "%s\n" "$channels") if [[ -n "$channels" ]]; then printf "%s" "$channels" > /root/.nix-channels @@ -48,7 +48,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "multi-user.target" ]; requires = [ "network-online.target" ]; - + restartIfChanged = false; unitConfig.X-StopOnRemoval = false; @@ -58,4 +58,3 @@ in { }; }; } - diff --git a/nixpkgs/nixos/release.nix b/nixpkgs/nixos/release.nix index f40b5fa9bd7f..9109f5751eb5 100644 --- a/nixpkgs/nixos/release.nix +++ b/nixpkgs/nixos/release.nix @@ -209,7 +209,8 @@ in rec { hydraJob ((import lib/eval-config.nix { inherit system; modules = - [ versionModule + [ configuration + versionModule ./maintainers/scripts/ec2/amazon-image.nix ]; }).config.system.build.amazonImage) diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index eb69457fb7e9..8c11464f9d68 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -75,6 +75,7 @@ in docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {}; docker-tools-overlay = handleTestOn ["x86_64-linux"] ./docker-tools-overlay.nix {}; documize = handleTest ./documize.nix {}; + dokuwiki = handleTest ./dokuwiki.nix {}; dovecot = handleTest ./dovecot.nix {}; # ec2-config doesn't work in a sandbox as the simulated ec2 instance needs network access #ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {}; diff --git a/nixpkgs/nixos/tests/corerad.nix b/nixpkgs/nixos/tests/corerad.nix index 68b698857b4e..950c9abc8994 100644 --- a/nixpkgs/nixos/tests/corerad.nix +++ b/nixpkgs/nixos/tests/corerad.nix @@ -18,8 +18,7 @@ import ./make-test-python.nix ( [[interfaces]] name = "eth1" send_advertisements = true - [[interfaces.plugins]] - name = "prefix" + [[interfaces.prefix]] prefix = "::/64" ''; }; diff --git a/nixpkgs/nixos/tests/dokuwiki.nix b/nixpkgs/nixos/tests/dokuwiki.nix new file mode 100644 index 000000000000..38bde10f47ed --- /dev/null +++ b/nixpkgs/nixos/tests/dokuwiki.nix @@ -0,0 +1,29 @@ +import ./make-test-python.nix ({ lib, ... }: + +with lib; + +{ + name = "dokuwiki"; + meta.maintainers = with maintainers; [ maintainers."1000101" ]; + + nodes.machine = + { pkgs, ... }: + { services.dokuwiki = { + enable = true; + acl = " "; + superUser = null; + nginx = { + forceSSL = false; + enableACME = false; + }; + }; + }; + + testScript = '' + machine.start() + machine.wait_for_unit("phpfpm-dokuwiki.service") + machine.wait_for_unit("nginx.service") + machine.wait_for_open_port(80) + machine.succeed("curl -sSfL http://localhost/ | grep 'DokuWiki'") + ''; +}) diff --git a/nixpkgs/nixos/tests/solr.nix b/nixpkgs/nixos/tests/solr.nix index 2108e851bc59..23e1a960fb37 100644 --- a/nixpkgs/nixos/tests/solr.nix +++ b/nixpkgs/nixos/tests/solr.nix @@ -1,65 +1,48 @@ -{ system ? builtins.currentSystem, - config ? {}, - pkgs ? import ../.. { inherit system config; } -}: +import ./make-test.nix ({ pkgs, ... }: -with import ../lib/testing.nix { inherit system pkgs; }; -with pkgs.lib; - -let - solrTest = package: makeTest { - machine = - { config, pkgs, ... }: - { - # Ensure the virtual machine has enough memory for Solr to avoid the following error: - # - # OpenJDK 64-Bit Server VM warning: - # INFO: os::commit_memory(0x00000000e8000000, 402653184, 0) - # failed; error='Cannot allocate memory' (errno=12) - # - # There is insufficient memory for the Java Runtime Environment to continue. - # Native memory allocation (mmap) failed to map 402653184 bytes for committing reserved memory. - virtualisation.memorySize = 2000; +{ + name = "solr"; + meta.maintainers = [ pkgs.stdenv.lib.maintainers.aanderse ]; - services.solr.enable = true; - services.solr.package = package; - }; + machine = + { config, pkgs, ... }: + { + # Ensure the virtual machine has enough memory for Solr to avoid the following error: + # + # OpenJDK 64-Bit Server VM warning: + # INFO: os::commit_memory(0x00000000e8000000, 402653184, 0) + # failed; error='Cannot allocate memory' (errno=12) + # + # There is insufficient memory for the Java Runtime Environment to continue. + # Native memory allocation (mmap) failed to map 402653184 bytes for committing reserved memory. + virtualisation.memorySize = 2000; - testScript = '' - startAll; + services.solr.enable = true; + }; - $machine->waitForUnit('solr.service'); - $machine->waitForOpenPort('8983'); - $machine->succeed('curl --fail http://localhost:8983/solr/'); + testScript = '' + startAll; - # adapted from pkgs.solr/examples/films/README.txt - $machine->succeed('sudo -u solr solr create -c films'); - $machine->succeed(q(curl http://localhost:8983/solr/films/schema -X POST -H 'Content-type:application/json' --data-binary '{ - "add-field" : { - "name":"name", - "type":"text_general", - "multiValued":false, - "stored":true - }, - "add-field" : { - "name":"initial_release_date", - "type":"pdate", - "stored":true - } - }')) =~ /"status":0/ or die; - $machine->succeed('sudo -u solr post -c films ${pkgs.solr}/example/films/films.json'); - $machine->succeed('curl http://localhost:8983/solr/films/query?q=name:batman') =~ /"name":"Batman Begins"/ or die; - ''; - }; -in -{ - solr_7 = solrTest pkgs.solr_7 // { - name = "solr_7"; - meta.maintainers = [ lib.maintainers.aanderse ]; - }; + $machine->waitForUnit('solr.service'); + $machine->waitForOpenPort('8983'); + $machine->succeed('curl --fail http://localhost:8983/solr/'); - solr_8 = solrTest pkgs.solr_8 // { - name = "solr_8"; - meta.maintainers = [ lib.maintainers.aanderse ]; - }; -} + # adapted from pkgs.solr/examples/films/README.txt + $machine->succeed('sudo -u solr solr create -c films'); + $machine->succeed(q(curl http://localhost:8983/solr/films/schema -X POST -H 'Content-type:application/json' --data-binary '{ + "add-field" : { + "name":"name", + "type":"text_general", + "multiValued":false, + "stored":true + }, + "add-field" : { + "name":"initial_release_date", + "type":"pdate", + "stored":true + } + }')) =~ /"status":0/ or die; + $machine->succeed('sudo -u solr post -c films ${pkgs.solr}/example/films/films.json'); + $machine->succeed('curl http://localhost:8983/solr/films/query?q=name:batman') =~ /"name":"Batman Begins"/ or die; + ''; +}) |