diff options
| author | Alyssa Ross <hi@alyssa.is> | 2019-09-11 15:24:55 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2019-09-16 22:14:45 +0000 |
| commit | 89c4dccbd5f33f71808d4b1baafe619696af1162 (patch) | |
| tree | fb1b8d3a2f171164a05d404ab2340cfb1a9d3e21 /nixpkgs/nixos | |
| parent | 8920a0e4d962a919238bab69ddc607d7f3396f70 (diff) | |
| parent | e19054ab3cd5b7cc9a01d0efc71c8fe310541065 (diff) | |
| download | nixlib-89c4dccbd5f33f71808d4b1baafe619696af1162.tar nixlib-89c4dccbd5f33f71808d4b1baafe619696af1162.tar.gz nixlib-89c4dccbd5f33f71808d4b1baafe619696af1162.tar.bz2 nixlib-89c4dccbd5f33f71808d4b1baafe619696af1162.tar.lz nixlib-89c4dccbd5f33f71808d4b1baafe619696af1162.tar.xz nixlib-89c4dccbd5f33f71808d4b1baafe619696af1162.tar.zst nixlib-89c4dccbd5f33f71808d4b1baafe619696af1162.zip | |
Merge commit 'e19054ab3cd5b7cc9a01d0efc71c8fe310541065'
Diffstat (limited to 'nixpkgs/nixos')
236 files changed, 2601 insertions, 2236 deletions
diff --git a/nixpkgs/nixos/doc/manual/Makefile b/nixpkgs/nixos/doc/manual/Makefile index 9ff599a0090f..b86a76005753 100644 --- a/nixpkgs/nixos/doc/manual/Makefile +++ b/nixpkgs/nixos/doc/manual/Makefile @@ -24,7 +24,7 @@ fix-misc-xml: clean: rm -f manual-combined.xml generated -generated: ./options-to-docbook.xsl +generated: nix-build ../../release.nix \ --attr manualGeneratedSources.x86_64-linux \ --out-link ./generated diff --git a/nixpkgs/nixos/doc/manual/configuration/customizing-packages.xml b/nixpkgs/nixos/doc/manual/configuration/customizing-packages.xml index 03b5bb53197b..34e6ab4b24d6 100644 --- a/nixpkgs/nixos/doc/manual/configuration/customizing-packages.xml +++ b/nixpkgs/nixos/doc/manual/configuration/customizing-packages.xml @@ -24,8 +24,8 @@ <para> Apart from high-level options, it’s possible to tweak a package in almost arbitrary ways, such as changing or disabling dependencies of a package. For - instance, the Emacs package in Nixpkgs by default has a dependency on GTK+ 2. - If you want to build it against GTK+ 3, you can specify that as follows: + instance, the Emacs package in Nixpkgs by default has a dependency on GTK 2. + If you want to build it against GTK 3, you can specify that as follows: <programlisting> <xref linkend="opt-environment.systemPackages"/> = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ]; </programlisting> @@ -33,7 +33,7 @@ function that produces Emacs, with the original arguments amended by the set of arguments specified by you. So here the function argument <varname>gtk</varname> gets the value <literal>pkgs.gtk3</literal>, causing - Emacs to depend on GTK+ 3. (The parentheses are necessary because in Nix, + Emacs to depend on GTK 3. (The parentheses are necessary because in Nix, function application binds more weakly than list construction, so without them, <xref linkend="opt-environment.systemPackages"/> would be a list with two elements.) diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml index 86f4a1ccfb78..14b31b232e90 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml @@ -730,7 +730,7 @@ in </listitem> <listitem> <para> - <literal>jre</literal> now defaults to GTK+ UI by default. This improves + <literal>jre</literal> now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it's recommended to use diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml index 11c13b8d942b..db4629443002 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml @@ -63,10 +63,10 @@ like games. <itemizedlist> <para>This can be achieved with the following options which the desktop manager default enables, excluding <literal>games</literal>.</para> - <listitem><para><link linkend="opt-services.gnome3.core-os-services.enable"><literal>services.gnome3.core-os-services.enable</literal></link></para></listitem> - <listitem><para><link linkend="opt-services.gnome3.core-shell.enable"><literal>services.gnome3.core-shell.enable</literal></link></para></listitem> - <listitem><para><link linkend="opt-services.gnome3.core-utilities.enable"><literal>services.gnome3.core-utilities.enable</literal></link></para></listitem> - <listitem><para><link linkend="opt-services.gnome3.games.enable"><literal>services.gnome3.games.enable</literal></link></para></listitem> + <listitem><para><xref linkend="opt-services.gnome3.core-os-services.enable"/></para></listitem> + <listitem><para><xref linkend="opt-services.gnome3.core-shell.enable"/></para></listitem> + <listitem><para><xref linkend="opt-services.gnome3.core-utilities.enable"/></para></listitem> + <listitem><para><xref linkend="opt-services.gnome3.games.enable"/></para></listitem> </itemizedlist> With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use <option>environment.gnome3.excludePackages</option> which only excluded the optional applications. @@ -135,7 +135,43 @@ <literal>./programs/dwm-status.nix</literal> </para> </listitem> + <listitem> + <para> + The new <varname>hardware.printers</varname> module allows to declaratively configure CUPS printers + via the <varname>ensurePrinters</varname> and + <varname>ensureDefaultPrinter</varname> options. + <varname>ensurePrinters</varname> will never delete existing printers, + but will make sure that the given printers are configured as declared. + </para> + </listitem> + <listitem> + <para> + There is a new <xref linkend="opt-services.system-config-printer.enable"/> and <xref linkend="opt-programs.system-config-printer.enable"/> module + for the program of the same name. If you previously had <literal>system-config-printer</literal> enabled through some other + means you should migrate to using one of these modules. + </para> + <itemizedlist> + <para>If you're a user of the following desktopManager modules no action is needed:</para> + <listitem> + <para><option>services.xserver.desktopManager.plasma5</option></para> + </listitem> + <listitem> + <para><option>services.xserver.desktopManager.gnome3</option></para> + </listitem> + <listitem> + <para><option>services.xserver.desktopManager.pantheon</option></para> + </listitem> + <listitem> + <para><option>services.xserver.desktopManager.mate</option></para> + <para> + Note Mate uses <literal>programs.system-config-printer</literal> as it doesn't + use it as a service, but its graphical interface directly. + </para> + </listitem> + </itemizedlist> + </listitem> </itemizedlist> + </section> <section xmlns="http://docbook.org/ns/docbook" @@ -170,6 +206,11 @@ </listitem> <listitem> <para> + PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed. + </para> + </listitem> + <listitem> + <para> The options <option>services.prometheus.alertmanager.user</option> and <option>services.prometheus.alertmanager.group</option> have been removed because the alertmanager service is now using systemd's <link @@ -412,7 +453,30 @@ It was not useful except for debugging purposes and was confusingly set as default in some circumstances. </para> </listitem> - + <listitem> + <para> + The WeeChat plugin <literal>pkgs.weechatScripts.weechat-xmpp</literal> has been removed as it doesn't receive + any updates from upstream and depends on outdated Python2-based modules. + </para> + </listitem> + <listitem> + <para> + Old unsupported versions (<literal>logstash5</literal>, + <literal>kibana5</literal>, + <literal>filebeat5</literal>, + <literal>heartbeat5</literal>, + <literal>metricbeat5</literal>, + <literal>packetbeat5</literal>) of the ELK-stack and Elastic beats have been removed. + </para> + </listitem> + <listitem> + <para> + For NixOS 19.03, both Prometheus 1 and 2 were available to allow for + a seamless transition from version 1 to 2 with existing setups. + Because Prometheus 1 is no longer developed, it was removed. + Prometheus 2 is now configured with <literal>services.prometheus</literal>. + </para> + </listitem> </itemizedlist> </section> @@ -700,6 +764,22 @@ <literal>nix-shell -p altcoins.dogecoin</literal>, etc. </para> </listitem> + <listitem> + <para> + Ceph has been upgraded to v14.2.1. + See the <link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release notes</link> for details. + The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. + Note: There's been some issues with python-cherrypy, which is used by the dashboard + and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.weechat</literal> is now compiled against <literal>pkgs.python3</literal>. + Weechat also recommends <link xlink:href="https://weechat.org/scripts/python3/">to use Python3 + in their docs.</link> + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixpkgs/nixos/lib/make-options-doc/default.nix b/nixpkgs/nixos/lib/make-options-doc/default.nix index 88e052106a28..35c8b543dece 100644 --- a/nixpkgs/nixos/lib/make-options-doc/default.nix +++ b/nixpkgs/nixos/lib/make-options-doc/default.nix @@ -126,7 +126,7 @@ let } ''; -in rec { +in { inherit optionsNix; optionsAsciiDoc = lib.concatStringsSep "\n" (lib.mapAttrsToList singleAsciiDoc optionsNix); diff --git a/nixpkgs/nixos/lib/qemu-flags.nix b/nixpkgs/nixos/lib/qemu-flags.nix index 779f0377a512..774f66b4804e 100644 --- a/nixpkgs/nixos/lib/qemu-flags.nix +++ b/nixpkgs/nixos/lib/qemu-flags.nix @@ -17,9 +17,9 @@ in else throw "Unknown QEMU serial device for system '${pkgs.stdenv.hostPlatform.system}'"; qemuBinary = qemuPkg: { - "x86_64-linux" = "${qemuPkg}/bin/qemu-kvm -cpu kvm64"; - "armv7l-linux" = "${qemuPkg}/bin/qemu-system-arm -enable-kvm -machine virt -cpu host"; - "aarch64-linux" = "${qemuPkg}/bin/qemu-system-aarch64 -enable-kvm -machine virt,gic-version=host -cpu host"; - "x86_64-darwin" = "${qemuPkg}/bin/qemu-kvm -cpu kvm64"; + x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu kvm64"; + armv7l-linux = "${qemuPkg}/bin/qemu-system-arm -enable-kvm -machine virt -cpu host"; + aarch64-linux = "${qemuPkg}/bin/qemu-system-aarch64 -enable-kvm -machine virt,gic-version=host -cpu host"; + x86_64-darwin = "${qemuPkg}/bin/qemu-kvm -cpu kvm64"; }.${pkgs.stdenv.hostPlatform.system} or "${qemuPkg}/bin/qemu-kvm"; } diff --git a/nixpkgs/nixos/lib/utils.nix b/nixpkgs/nixos/lib/utils.nix index b68e55a40b90..a522834e4294 100644 --- a/nixpkgs/nixos/lib/utils.nix +++ b/nixpkgs/nixos/lib/utils.nix @@ -24,4 +24,116 @@ rec { throw "${shell} is not a shell package" else shell; + + /* Recurse into a list or an attrset, searching for attrs named like + the value of the "attr" parameter, and return an attrset where the + names are the corresponding jq path where the attrs were found and + the values are the values of the attrs. + + Example: + recursiveGetAttrWithJqPrefix { + example = [ + { + irrelevant = "not interesting"; + } + { + ignored = "ignored attr"; + relevant = { + secret = { + _secret = "/path/to/secret"; + }; + }; + } + ]; + } "_secret" -> { ".example[1].relevant.secret" = "/path/to/secret"; } + */ + recursiveGetAttrWithJqPrefix = item: attr: + let + recurse = prefix: item: + if item ? ${attr} then + nameValuePair prefix item.${attr} + else if isAttrs item then + map (name: recurse (prefix + "." + name) item.${name}) (attrNames item) + else if isList item then + imap0 (index: item: recurse (prefix + "[${toString index}]") item) item + else + []; + in listToAttrs (flatten (recurse "" item)); + + /* Takes an attrset and a file path and generates a bash snippet that + outputs a JSON file at the file path with all instances of + + { _secret = "/path/to/secret" } + + in the attrset replaced with the contents of the file + "/path/to/secret" in the output JSON. + + When a configuration option accepts an attrset that is finally + converted to JSON, this makes it possible to let the user define + arbitrary secret values. + + Example: + If the file "/path/to/secret" contains the string + "topsecretpassword1234", + + genJqSecretsReplacementSnippet { + example = [ + { + irrelevant = "not interesting"; + } + { + ignored = "ignored attr"; + relevant = { + secret = { + _secret = "/path/to/secret"; + }; + }; + } + ]; + } "/path/to/output.json" + + would generate a snippet that, when run, outputs the following + JSON file at "/path/to/output.json": + + { + "example": [ + { + "irrelevant": "not interesting" + }, + { + "ignored": "ignored attr", + "relevant": { + "secret": "topsecretpassword1234" + } + } + ] + } + */ + genJqSecretsReplacementSnippet = genJqSecretsReplacementSnippet' "_secret"; + + # Like genJqSecretsReplacementSnippet, but allows the name of the + # attr which identifies the secret to be changed. + genJqSecretsReplacementSnippet' = attr: set: output: + let + secrets = recursiveGetAttrWithJqPrefix set attr; + in '' + if [[ -h '${output}' ]]; then + rm '${output}' + fi + '' + + concatStringsSep + "\n" + (imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')") + (attrNames secrets)) + + "\n" + + "${pkgs.jq}/bin/jq >'${output}' '" + + concatStringsSep + " | " + (imap1 (index: name: ''${name} = $ENV.secret${toString index}'') + (attrNames secrets)) + + '' + ' <<'EOF' + ${builtins.toJSON set} + EOF + ''; } diff --git a/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix b/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix index 88d95e675447..31e15537179a 100644 --- a/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix +++ b/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix @@ -17,7 +17,7 @@ in { name = mkOption { type = types.str; description = "The name of the generated derivation"; - default = "nixos-disk-image"; + default = "nixos-amazon-image-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}"; }; contents = mkOption { @@ -42,7 +42,7 @@ in { format = mkOption { type = types.enum [ "raw" "qcow2" "vpc" ]; - default = "qcow2"; + default = "vpc"; description = "The image format to output"; }; }; @@ -51,7 +51,9 @@ in { inherit lib config; inherit (cfg) contents format name; pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package - partitionTableType = if config.ec2.hvm then "legacy" else "none"; + partitionTableType = if config.ec2.efi then "efi" + else if config.ec2.hvm then "legacy" + else "none"; diskSize = cfg.sizeMB; fsType = "ext4"; configFile = pkgs.writeText "configuration.nix" @@ -61,7 +63,27 @@ in { ${optionalString config.ec2.hvm '' ec2.hvm = true; ''} + ${optionalString config.ec2.efi '' + ec2.efi = true; + ''} } ''; + postVM = '' + extension=''${diskImage##*.} + friendlyName=$out/${cfg.name}.$extension + mv "$diskImage" "$friendlyName" + diskImage=$friendlyName + + mkdir -p $out/nix-support + echo "file ${cfg.format} $diskImage" >> $out/nix-support/hydra-build-products + + ${pkgs.jq}/bin/jq -n \ + --arg label ${lib.escapeShellArg config.system.nixos.label} \ + --arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \ + --arg logical_bytes "$(${pkgs.qemu}/bin/qemu-img info --output json "$diskImage" | ${pkgs.jq}/bin/jq '."virtual-size"')" \ + --arg file "$diskImage" \ + '$ARGS.named' \ + > $out/nix-support/image-info.json + ''; }; } diff --git a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh index 790cc6cbc531..c4149e3e8ffe 100755 --- a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh +++ b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh @@ -1,279 +1,296 @@ #!/usr/bin/env nix-shell -#! nix-shell -i bash -p qemu ec2_ami_tools jq ec2_api_tools awscli +#!nix-shell -p awscli -p jq -p qemu -i bash + +# Uploads and registers NixOS images built from the +# <nixos/release.nix> amazonImage attribute. Images are uploaded and +# registered via a home region, and then copied to other regions. + +# The home region requires an s3 bucket, and a "vmimport" IAM role +# with access to the S3 bucket. Configuration of the vmimport role is +# documented in +# https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html + +# set -x +set -euo pipefail + +# configuration +state_dir=/home/deploy/amis/ec2-images +home_region=eu-west-1 +bucket=nixos-amis + +regions=(eu-west-1 eu-west-2 eu-west-3 eu-central-1 + us-east-1 us-east-2 us-west-1 us-west-2 + ca-central-1 + ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 + ap-south-1 ap-east-1 + sa-east-1) + +log() { + echo "$@" >&2 +} + +if [ -z "$1" ]; then + log "Usage: ./upload-amazon-image.sh IMAGE_OUTPUT" + exit 1 +fi + +# result of the amazon-image from nixos/release.nix +store_path=$1 + +if [ ! -e "$store_path" ]; then + log "Store path: $store_path does not exist, fetching..." + nix-store --realise "$store_path" +fi + +if [ ! -d "$store_path" ]; then + log "store_path: $store_path is not a directory. aborting" + exit 1 +fi + +read_image_info() { + if [ ! -e "$store_path/nix-support/image-info.json" ]; then + log "Image missing metadata" + exit 1 + fi + jq -r "$1" "$store_path/nix-support/image-info.json" +} + +# We handle a single image per invocation, store all attributes in +# globals for convenience. +image_label=$(read_image_info .label) +image_system=$(read_image_info .system) +image_file=$(read_image_info .file) +image_logical_bytes=$(read_image_info .logical_bytes) + +# Derived attributes + +image_logical_gigabytes=$((($image_logical_bytes-1)/1024/1024/1024+1)) # Round to the next GB + +case "$image_system" in + aarch64-linux) + amazon_arch=arm64 + ;; + x86_64-linux) + amazon_arch=x86_64 + ;; + *) + log "Unknown system: $image_system" + exit 1 +esac + +image_name="NixOS-${image_label}-${image_system}" +image_description="NixOS ${image_label} ${image_system}" + +log "Image Details:" +log " Name: $image_name" +log " Description: $image_description" +log " Size (gigabytes): $image_logical_gigabytes" +log " System: $image_system" +log " Amazon Arch: $amazon_arch" + +read_state() { + local state_key=$1 + local type=$2 + + cat "$state_dir/$state_key.$type" 2>/dev/null || true +} + +write_state() { + local state_key=$1 + local type=$2 + local val=$3 + + mkdir -p $state_dir + echo "$val" > "$state_dir/$state_key.$type" +} + +wait_for_import() { + local region=$1 + local task_id=$2 + local state snapshot_id + log "Waiting for import task $task_id to be completed" + while true; do + read state progress snapshot_id < <( + aws ec2 describe-import-snapshot-tasks --region $region --import-task-ids "$task_id" | \ + jq -r '.ImportSnapshotTasks[].SnapshotTaskDetail | "\(.Status) \(.Progress) \(.SnapshotId)"' + ) + log " ... state=$state progress=$progress snapshot_id=$snapshot_id" + case "$state" in + active) + sleep 10 + ;; + completed) + echo "$snapshot_id" + return + ;; + *) + log "Unexpected snapshot import state: '${state}'" + exit 1 + ;; + esac + done +} + +wait_for_image() { + local region=$1 + local ami_id=$2 + local state + log "Waiting for image $ami_id to be available" + + while true; do + read state < <( + aws ec2 describe-images --image-ids "$ami_id" --region $region | \ + jq -r ".Images[].State" + ) + log " ... state=$state" + case "$state" in + pending) + sleep 10 + ;; + available) + return + ;; + *) + log "Unexpected AMI state: '${state}'" + exit 1 + ;; + esac + done +} + + +make_image_public() { + local region=$1 + local ami_id=$2 -# To start with do: nix-shell -p awscli --run "aws configure" + wait_for_image $region "$ami_id" -set -e -set -o pipefail + log "Making image $ami_id public" -version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.version | sed s/'"'//g) -major=${version:0:5} -echo "NixOS version is $version ($major)" + aws ec2 modify-image-attribute \ + --image-id "$ami_id" --region "$region" --launch-permission 'Add={Group=all}' >&2 +} -stateDir=/home/deploy/amis/ec2-image-$version -echo "keeping state in $stateDir" -mkdir -p $stateDir +upload_image() { + local region=$1 -rm -f ec2-amis.nix + local aws_path=${image_file#/} -types="hvm" -stores="ebs" -regions="eu-west-1 eu-west-2 eu-west-3 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1" + local state_key="$region.$image_label.$image_system" + local task_id=$(read_state "$state_key" task_id) + local snapshot_id=$(read_state "$state_key" snapshot_id) + local ami_id=$(read_state "$state_key" ami_id) -for type in $types; do - link=$stateDir/$type - imageFile=$link/nixos.qcow2 - system=x86_64-linux - arch=x86_64 + if [ -z "$task_id" ]; then + log "Checking for image on S3" + if ! aws s3 ls --region "$region" "s3://${bucket}/${aws_path}" >&2; then + log "Image missing from aws, uploading" + aws s3 cp --region $region "$image_file" "s3://${bucket}/${aws_path}" >&2 + fi - # Build the image. - if ! [ -L $link ]; then - if [ $type = pv ]; then hvmFlag=false; else hvmFlag=true; fi + log "Importing image from S3 path s3://$bucket/$aws_path" - echo "building image type '$type'..." - nix-build -o $link \ - '<nixpkgs/nixos>' \ - -A config.system.build.amazonImage \ - --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }" + task_id=$(aws ec2 import-snapshot --disk-container "{ + \"Description\": \"nixos-image-${image_label}-${image_system}\", + \"Format\": \"vhd\", + \"UserBucket\": { + \"S3Bucket\": \"$bucket\", + \"S3Key\": \"$aws_path\" + } + }" --region $region | jq -r '.ImportTaskId') + + write_state "$state_key" task_id "$task_id" fi - for store in $stores; do - - bucket=nixos-amis - bucketDir="$version-$type-$store" - - prevAmi= - prevRegion= - - for region in $regions; do - - name=nixos-$version-$arch-$type-$store - description="NixOS $system $version ($type-$store)" - - amiFile=$stateDir/$region.$type.$store.ami-id - - if ! [ -e $amiFile ]; then - - echo "doing $name in $region..." - - if [ -n "$prevAmi" ]; then - ami=$(aws ec2 copy-image \ - --region "$region" \ - --source-region "$prevRegion" --source-image-id "$prevAmi" \ - --name "$name" --description "$description" | jq -r '.ImageId') - if [ "$ami" = null ]; then break; fi - else - - if [ $store = s3 ]; then - - # Bundle the image. - imageDir=$stateDir/$type-bundled - - # Convert the image to raw format. - rawFile=$stateDir/$type.raw - if ! [ -e $rawFile ]; then - qemu-img convert -f qcow2 -O raw $imageFile $rawFile.tmp - mv $rawFile.tmp $rawFile - fi - - if ! [ -d $imageDir ]; then - rm -rf $imageDir.tmp - mkdir -p $imageDir.tmp - ec2-bundle-image \ - -d $imageDir.tmp \ - -i $rawFile --arch $arch \ - --user "$AWS_ACCOUNT" -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY" - mv $imageDir.tmp $imageDir - fi - - # Upload the bundle to S3. - if ! [ -e $imageDir/uploaded ]; then - echo "uploading bundle to S3..." - ec2-upload-bundle \ - -m $imageDir/$type.raw.manifest.xml \ - -b "$bucket/$bucketDir" \ - -a "$AWS_ACCESS_KEY_ID" -s "$AWS_SECRET_ACCESS_KEY" \ - --location EU - touch $imageDir/uploaded - fi - - extraFlags="--image-location $bucket/$bucketDir/$type.raw.manifest.xml" - - else - - # Convert the image to vhd format so we don't have - # to upload a huge raw image. - vhdFile=$stateDir/$type.vhd - if ! [ -e $vhdFile ]; then - qemu-img convert -f qcow2 -O vpc $imageFile $vhdFile.tmp - mv $vhdFile.tmp $vhdFile - fi - - vhdFileLogicalBytes="$(qemu-img info "$vhdFile" | grep ^virtual\ size: | cut -f 2 -d \( | cut -f 1 -d \ )" - vhdFileLogicalGigaBytes=$(((vhdFileLogicalBytes-1)/1024/1024/1024+1)) # Round to the next GB - - echo "Disk size is $vhdFileLogicalBytes bytes. Will be registered as $vhdFileLogicalGigaBytes GB." - - taskId=$(cat $stateDir/$region.$type.task-id 2> /dev/null || true) - volId=$(cat $stateDir/$region.$type.vol-id 2> /dev/null || true) - snapId=$(cat $stateDir/$region.$type.snap-id 2> /dev/null || true) - - # Import the VHD file. - if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then - echo "importing $vhdFile..." - taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \ - -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \ - -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" \ - --region "$region" -z "${region}a" \ - --bucket "$bucket" --prefix "$bucketDir/" \ - | tee /dev/stderr \ - | sed 's/.*\(import-vol-[0-9a-z]\+\).*/\1/ ; t ; d') - echo -n "$taskId" > $stateDir/$region.$type.task-id - fi - - if [ -z "$snapId" -a -z "$volId" ]; then - ec2-resume-import $vhdFile -t "$taskId" --region "$region" \ - -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \ - -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" - fi - - # Wait for the volume creation to finish. - if [ -z "$snapId" -a -z "$volId" ]; then - echo "waiting for import to finish..." - while true; do - volId=$(aws ec2 describe-conversion-tasks --conversion-task-ids "$taskId" --region "$region" | jq -r .ConversionTasks[0].ImportVolume.Volume.Id) - if [ "$volId" != null ]; then break; fi - sleep 10 - done - - echo -n "$volId" > $stateDir/$region.$type.vol-id - fi - - # Delete the import task. - if [ -n "$volId" -a -n "$taskId" ]; then - echo "removing import task..." - ec2-delete-disk-image -t "$taskId" --region "$region" \ - -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \ - -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" || true - rm -f $stateDir/$region.$type.task-id - fi - - # Create a snapshot. - if [ -z "$snapId" ]; then - echo "creating snapshot..." - # FIXME: this can fail with InvalidVolume.NotFound. Eventual consistency yay. - snapId=$(aws ec2 create-snapshot --volume-id "$volId" --region "$region" --description "$description" | jq -r .SnapshotId) - if [ "$snapId" = null ]; then exit 1; fi - echo -n "$snapId" > $stateDir/$region.$type.snap-id - fi - - # Wait for the snapshot to finish. - echo "waiting for snapshot to finish..." - while true; do - status=$(aws ec2 describe-snapshots --snapshot-ids "$snapId" --region "$region" | jq -r .Snapshots[0].State) - if [ "$status" = completed ]; then break; fi - sleep 10 - done - - # Delete the volume. - if [ -n "$volId" ]; then - echo "deleting volume..." - aws ec2 delete-volume --volume-id "$volId" --region "$region" || true - rm -f $stateDir/$region.$type.vol-id - fi - - blockDeviceMappings="DeviceName=/dev/sda1,Ebs={SnapshotId=$snapId,VolumeSize=$vhdFileLogicalGigaBytes,DeleteOnTermination=true,VolumeType=gp2}" - extraFlags="" - - if [ $type = pv ]; then - extraFlags+=" --root-device-name /dev/sda1" - else - extraFlags+=" --root-device-name /dev/sda1" - extraFlags+=" --sriov-net-support simple" - extraFlags+=" --ena-support" - fi - - blockDeviceMappings+=" DeviceName=/dev/sdb,VirtualName=ephemeral0" - blockDeviceMappings+=" DeviceName=/dev/sdc,VirtualName=ephemeral1" - blockDeviceMappings+=" DeviceName=/dev/sdd,VirtualName=ephemeral2" - blockDeviceMappings+=" DeviceName=/dev/sde,VirtualName=ephemeral3" - fi - - if [ $type = hvm ]; then - extraFlags+=" --sriov-net-support simple" - extraFlags+=" --ena-support" - fi - - # Register the AMI. - if [ $type = pv ]; then - kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.05-$arch.gz" | jq -r .Images[0].ImageId) - if [ "$kernel" = null ]; then break; fi - echo "using PV-GRUB kernel $kernel" - extraFlags+=" --virtualization-type paravirtual --kernel $kernel" - else - extraFlags+=" --virtualization-type hvm" - fi - - ami=$(aws ec2 register-image \ - --name "$name" \ - --description "$description" \ - --region "$region" \ - --architecture "$arch" \ - --block-device-mappings $blockDeviceMappings \ - $extraFlags | jq -r .ImageId) - if [ "$ami" = null ]; then break; fi - fi - - echo -n "$ami" > $amiFile - echo "created AMI $ami of type '$type' in $region..." - - else - ami=$(cat $amiFile) - fi - - echo "region = $region, type = $type, store = $store, ami = $ami" - - if [ -z "$prevAmi" ]; then - prevAmi="$ami" - prevRegion="$region" - fi - done + if [ -z "$snapshot_id" ]; then + snapshot_id=$(wait_for_import "$region" "$task_id") + write_state "$state_key" snapshot_id "$snapshot_id" + fi - done + if [ -z "$ami_id" ]; then + log "Registering snapshot $snapshot_id as AMI" + + local block_device_mappings=( + "DeviceName=/dev/sda1,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp2}" + ) + + local extra_flags=( + --root-device-name /dev/sda1 + --sriov-net-support simple + --ena-support + --virtualization-type hvm + ) + + block_device_mappings+=(DeviceName=/dev/sdb,VirtualName=ephemeral0) + block_device_mappings+=(DeviceName=/dev/sdc,VirtualName=ephemeral1) + block_device_mappings+=(DeviceName=/dev/sdd,VirtualName=ephemeral2) + block_device_mappings+=(DeviceName=/dev/sde,VirtualName=ephemeral3) + + ami_id=$( + aws ec2 register-image \ + --name "$image_name" \ + --description "$image_description" \ + --region $region \ + --architecture $amazon_arch \ + --block-device-mappings "${block_device_mappings[@]}" \ + "${extra_flags[@]}" \ + | jq -r '.ImageId' + ) + + write_state "$state_key" ami_id "$ami_id" + fi -done + make_image_public $region "$ami_id" -for type in $types; do - link=$stateDir/$type - system=x86_64-linux - arch=x86_64 + echo "$ami_id" +} - for store in $stores; do +copy_to_region() { + local region=$1 + local from_region=$2 + local from_ami_id=$3 - for region in $regions; do + state_key="$region.$image_label.$image_system" + ami_id=$(read_state "$state_key" ami_id) - name=nixos-$version-$arch-$type-$store - amiFile=$stateDir/$region.$type.$store.ami-id - ami=$(cat $amiFile) + if [ -z "$ami_id" ]; then + log "Copying $from_ami_id to $region" + ami_id=$( + aws ec2 copy-image \ + --region "$region" \ + --source-region "$from_region" \ + --source-image-id "$from_ami_id" \ + --name "$image_name" \ + --description "$image_description" \ + | jq -r '.ImageId' + ) - echo "region = $region, type = $type, store = $store, ami = $ami" + write_state "$state_key" ami_id "$ami_id" + fi - echo -n "waiting for AMI..." - while true; do - status=$(aws ec2 describe-images --image-ids "$ami" --region "$region" | jq -r .Images[0].State) - if [ "$status" = available ]; then break; fi - sleep 10 - echo -n '.' - done - echo + make_image_public $region "$ami_id" + + echo "$ami_id" +} - # Make the image public. - aws ec2 modify-image-attribute \ - --image-id "$ami" --region "$region" --launch-permission 'Add={Group=all}' +upload_all() { + home_image_id=$(upload_image "$home_region") + jq -n \ + --arg key "$home_region.$image_system" \ + --arg value "$home_image_id" \ + '$ARGS.named' - echo " \"$major\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix - done + for region in "${regions[@]}"; do + if [ "$region" = "$home_region" ]; then + continue + fi + copied_image_id=$(copy_to_region "$region" "$home_region" "$home_image_id") + jq -n \ + --arg key "$region.$image_system" \ + --arg value "$copied_image_id" \ + '$ARGS.named' done +} -done +upload_all | jq --slurp from_entries diff --git a/nixpkgs/nixos/modules/config/fonts/fontconfig-penultimate.nix b/nixpkgs/nixos/modules/config/fonts/fontconfig-penultimate.nix index 7100f10dcfc8..7e311a21acf6 100644 --- a/nixpkgs/nixos/modules/config/fonts/fontconfig-penultimate.nix +++ b/nixpkgs/nixos/modules/config/fonts/fontconfig-penultimate.nix @@ -35,8 +35,8 @@ let then "fontconfig" else "fontconfig_${version}"; makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; }; - cache = makeCache pkgs."${fcPackage}"; - cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}"; + cache = makeCache pkgs.${fcPackage}; + cache32 = makeCache pkgs.pkgsi686Linux.${fcPackage}; in pkgs.writeText "fc-00-nixos-cache.conf" '' <?xml version='1.0'?> diff --git a/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix b/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix index 45328f3eaf13..84d90899dfff 100644 --- a/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix +++ b/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix @@ -79,7 +79,7 @@ in config = mkIf (config.fonts.fontconfig.enable && cfg.enable) { fonts.fontconfig.confPackages = [ confPkg ]; - environment.variables."INFINALITY_FT" = cfg.preset; + environment.variables.INFINALITY_FT = cfg.preset; }; diff --git a/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix b/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix index 9c5d993b9c59..86a6bfb5af41 100644 --- a/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix +++ b/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix @@ -7,7 +7,7 @@ with lib; type = types.bool; default = config.services.xserver.enable; description = '' - Whether to build icon theme caches for GTK+ applications. + Whether to build icon theme caches for GTK applications. ''; }; }; diff --git a/nixpkgs/nixos/modules/config/krb5/default.nix b/nixpkgs/nixos/modules/config/krb5/default.nix index 87021a27d34f..ff16ffcf9c65 100644 --- a/nixpkgs/nixos/modules/config/krb5/default.nix +++ b/nixpkgs/nixos/modules/config/krb5/default.nix @@ -15,7 +15,7 @@ let realms = optionalAttrs (lib.all (value: value != null) [ cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer ]) { - "${cfg.defaultRealm}" = { + ${cfg.defaultRealm} = { kdc = cfg.kdc; admin_server = cfg.kerberosAdminServer; }; @@ -25,7 +25,7 @@ let cfg.domainRealm cfg.defaultRealm ]) { ".${cfg.domainRealm}" = cfg.defaultRealm; - "${cfg.domainRealm}" = cfg.defaultRealm; + ${cfg.domainRealm} = cfg.defaultRealm; }; }; diff --git a/nixpkgs/nixos/modules/config/malloc.nix b/nixpkgs/nixos/modules/config/malloc.nix index 65130454735c..31a659ee83fe 100644 --- a/nixpkgs/nixos/modules/config/malloc.nix +++ b/nixpkgs/nixos/modules/config/malloc.nix @@ -6,7 +6,7 @@ let # The set of alternative malloc(3) providers. providers = { - "graphene-hardened" = rec { + graphene-hardened = { libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so"; description = '' An allocator designed to mitigate memory corruption attacks, such as @@ -14,7 +14,7 @@ let ''; }; - "jemalloc" = { + jemalloc = { libPath = "${pkgs.jemalloc}/lib/libjemalloc.so"; description = '' A general purpose allocator that emphasizes fragmentation avoidance @@ -22,7 +22,7 @@ let ''; }; - "scudo" = { + scudo = { libPath = "${pkgs.llvmPackages.compiler-rt}/lib/linux/libclang_rt.scudo-x86_64.so"; description = '' A user-mode allocator based on LLVM Sanitizer’s CombinedAllocator, @@ -32,7 +32,7 @@ let }; }; - providerConf = providers."${cfg.provider}"; + providerConf = providers.${cfg.provider}; # An output that contains only the shared library, to avoid # needlessly bloating the system closure diff --git a/nixpkgs/nixos/modules/config/networking.nix b/nixpkgs/nixos/modules/config/networking.nix index 4b9086022ed5..a89667ea221c 100644 --- a/nixpkgs/nixos/modules/config/networking.nix +++ b/nixpkgs/nixos/modules/config/networking.nix @@ -171,13 +171,13 @@ in environment.etc = { # /etc/services: TCP/UDP port assignments. - "services".source = pkgs.iana-etc + "/etc/services"; + services.source = pkgs.iana-etc + "/etc/services"; # /etc/protocols: IP protocol numbers. - "protocols".source = pkgs.iana-etc + "/etc/protocols"; + protocols.source = pkgs.iana-etc + "/etc/protocols"; # /etc/hosts: Hostname-to-IP mappings. - "hosts".text = let + hosts.text = let oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip}; allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set); in '' @@ -190,7 +190,7 @@ in } // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") { # /etc/rpc: RPC program numbers. - "rpc".source = pkgs.glibc.out + "/etc/rpc"; + rpc.source = pkgs.glibc.out + "/etc/rpc"; }; networking.proxy.envVars = diff --git a/nixpkgs/nixos/modules/config/power-management.nix b/nixpkgs/nixos/modules/config/power-management.nix index 0277f1ad11e9..64cdf50f1413 100644 --- a/nixpkgs/nixos/modules/config/power-management.nix +++ b/nixpkgs/nixos/modules/config/power-management.nix @@ -78,7 +78,7 @@ in }; # Service executed before suspending/hibernating. - systemd.services."pre-sleep" = + systemd.services.pre-sleep = { description = "Pre-Sleep Actions"; wantedBy = [ "sleep.target" ]; before = [ "sleep.target" ]; @@ -89,7 +89,7 @@ in serviceConfig.Type = "oneshot"; }; - systemd.services."post-resume" = + systemd.services.post-resume = { description = "Post-Resume Actions"; after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ]; script = diff --git a/nixpkgs/nixos/modules/config/shells-environment.nix b/nixpkgs/nixos/modules/config/shells-environment.nix index 6379b52870ea..9dfc1add8299 100644 --- a/nixpkgs/nixos/modules/config/shells-environment.nix +++ b/nixpkgs/nixos/modules/config/shells-environment.nix @@ -163,7 +163,7 @@ in l = "ls -alh"; }; - environment.etc."shells".text = + environment.etc.shells.text = '' ${concatStringsSep "\n" (map utils.toShellPath cfg.shells)} /bin/sh @@ -171,7 +171,7 @@ in # For resetting environment with `. /etc/set-environment` when needed # and discoverability (see motivation of #30418). - environment.etc."set-environment".source = config.system.build.setEnvironment; + environment.etc.set-environment.source = config.system.build.setEnvironment; system.build.setEnvironment = pkgs.writeText "set-environment" '' diff --git a/nixpkgs/nixos/modules/config/terminfo.nix b/nixpkgs/nixos/modules/config/terminfo.nix index 4fd6ba5ea605..b86ce2dbf057 100644 --- a/nixpkgs/nixos/modules/config/terminfo.nix +++ b/nixpkgs/nixos/modules/config/terminfo.nix @@ -8,7 +8,7 @@ "/share/terminfo" ]; - environment.etc."terminfo" = { + environment.etc.terminfo = { source = "${config.system.path}/share/terminfo"; }; diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix index c91eb0ebb876..ba79bd3d6ecc 100644 --- a/nixpkgs/nixos/modules/config/users-groups.nix +++ b/nixpkgs/nixos/modules/config/users-groups.nix @@ -546,11 +546,11 @@ in { environment.systemPackages = systemShells; environment.etc = { - "subuid" = { + subuid = { text = subuidFile; mode = "0644"; }; - "subgid" = { + subgid = { text = subgidFile; mode = "0644"; }; diff --git a/nixpkgs/nixos/modules/hardware/nitrokey.nix b/nixpkgs/nixos/modules/hardware/nitrokey.nix index 60fc95a75828..02e4c3f46f8d 100644 --- a/nixpkgs/nixos/modules/hardware/nitrokey.nix +++ b/nixpkgs/nixos/modules/hardware/nitrokey.nix @@ -36,6 +36,6 @@ in { inherit (cfg) group; } )) ]; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; }; } diff --git a/nixpkgs/nixos/modules/hardware/openrazer.nix b/nixpkgs/nixos/modules/hardware/openrazer.nix new file mode 100644 index 000000000000..883db7f2f4f1 --- /dev/null +++ b/nixpkgs/nixos/modules/hardware/openrazer.nix @@ -0,0 +1,133 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.hardware.openrazer; + kernelPackages = config.boot.kernelPackages; + + toPyBoolStr = b: if b then "True" else "False"; + + daemonExe = "${pkgs.openrazer-daemon}/bin/openrazer-daemon --config ${daemonConfFile}"; + + daemonConfFile = pkgs.writeTextFile { + name = "razer.conf"; + text = '' + [General] + verbose_logging = ${toPyBoolStr cfg.verboseLogging} + + [Startup] + sync_effects_enabled = ${toPyBoolStr cfg.syncEffectsEnabled} + devices_off_on_screensaver = ${toPyBoolStr cfg.devicesOffOnScreensaver} + mouse_battery_notifier = ${toPyBoolStr cfg.mouseBatteryNotifier} + + [Statistics] + key_statistics = ${toPyBoolStr cfg.keyStatistics} + ''; + }; + + dbusServiceFile = pkgs.writeTextFile rec { + name = "org.razer.service"; + destination = "/share/dbus-1/services/${name}"; + text = '' + [D-BUS Service] + Name=org.razer + Exec=${daemonExe} + SystemdService=openrazer-daemon.service + ''; + }; + + drivers = [ + "razerkbd" + "razermouse" + "razerfirefly" + "razerkraken" + "razermug" + "razercore" + ]; +in +{ + options = { + hardware.openrazer = { + enable = mkEnableOption "OpenRazer drivers and userspace daemon."; + + verboseLogging = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable verbose logging. Logs debug messages. + ''; + }; + + syncEffectsEnabled = mkOption { + type = types.bool; + default = true; + description = '' + Set the sync effects flag to true so any assignment of + effects will work across devices. + ''; + }; + + devicesOffOnScreensaver = mkOption { + type = types.bool; + default = true; + description = '' + Turn off the devices when the systems screensaver kicks in. + ''; + }; + + mouseBatteryNotifier = mkOption { + type = types.bool; + default = true; + description = '' + Mouse battery notifier. + ''; + }; + + keyStatistics = mkOption { + type = types.bool; + default = false; + description = '' + Collects number of keypresses per hour per key used to + generate a heatmap. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + boot.extraModulePackages = [ kernelPackages.openrazer ]; + boot.kernelModules = drivers; + + # Makes the man pages available so you can succesfully run + # > systemctl --user help openrazer-daemon + environment.systemPackages = [ pkgs.python3Packages.openrazer-daemon.man ]; + + services.udev.packages = [ kernelPackages.openrazer ]; + services.dbus.packages = [ dbusServiceFile ]; + + # A user must be a member of the plugdev group in order to start + # the openrazer-daemon. Therefore we make sure that the plugdev + # group exists. + users.groups.plugdev = {}; + + systemd.user.services.openrazer-daemon = { + description = "Daemon to manage razer devices in userspace"; + unitConfig.Documentation = "man:openrazer-daemon(8)"; + # Requires a graphical session so the daemon knows when the screensaver + # starts. See the 'devicesOffOnScreensaver' option. + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + serviceConfig = { + Type = "dbus"; + BusName = "org.razer"; + ExecStart = "${daemonExe} --foreground"; + Restart = "always"; + }; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ roelvandijk ]; + }; +} diff --git a/nixpkgs/nixos/modules/hardware/printers.nix b/nixpkgs/nixos/modules/hardware/printers.nix new file mode 100644 index 000000000000..12ee5516d4ed --- /dev/null +++ b/nixpkgs/nixos/modules/hardware/printers.nix @@ -0,0 +1,135 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.hardware.printers; + ppdOptionsString = options: optionalString (options != {}) + (concatStringsSep " " + (mapAttrsToList (name: value: "-o '${name}'='${value}'") options) + ); + ensurePrinter = p: '' + ${pkgs.cups}/bin/lpadmin -p '${p.name}' -E \ + ${optionalString (p.location != null) "-L '${p.location}'"} \ + ${optionalString (p.description != null) "-D '${p.description}'"} \ + -v '${p.deviceUri}' \ + -m '${p.model}' \ + ${ppdOptionsString p.ppdOptions} + ''; + ensureDefaultPrinter = name: '' + ${pkgs.cups}/bin/lpoptions -d '${name}' + ''; + + # "graph but not # or /" can't be implemented as regex alone due to missing lookahead support + noInvalidChars = str: all (c: c != "#" && c != "/") (stringToCharacters str); + printerName = (types.addCheck (types.strMatching "[[:graph:]]+") noInvalidChars) + // { description = "printable string without spaces, # and /"; }; + + +in { + options = { + hardware.printers = { + ensureDefaultPrinter = mkOption { + type = types.nullOr printerName; + default = null; + description = '' + Ensures the named printer is the default CUPS printer / printer queue. + ''; + }; + ensurePrinters = mkOption { + description = '' + Will regularly ensure that the given CUPS printers are configured as declared here. + If a printer's options are manually changed afterwards, they will be overwritten eventually. + This option will never delete any printer, even if removed from this list. + You can check existing printers with <command>lpstat -s</command> + and remove printers with <command>lpadmin -x <printer-name></command>. + Printers not listed here can still be manually configured. + ''; + default = []; + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = printerName; + example = "BrotherHL_Workroom"; + description = '' + Name of the printer / printer queue. + May contain any printable characters except "/", "#", and space. + ''; + }; + location = mkOption { + type = types.nullOr types.str; + default = null; + example = "Workroom"; + description = '' + Optional human-readable location. + ''; + }; + description = mkOption { + type = types.nullOr types.str; + default = null; + example = "Brother HL-5140"; + description = '' + Optional human-readable description. + ''; + }; + deviceUri = mkOption { + type = types.str; + example = [ + "ipp://printserver.local/printers/BrotherHL_Workroom" + "usb://HP/DESKJET%20940C?serial=CN16E6C364BH" + ]; + description = '' + How to reach the printer. + <command>lpinfo -v</command> shows a list of supported device URIs and schemes. + ''; + }; + model = mkOption { + type = types.str; + example = literalExample '' + gutenprint.''${lib.version.majorMinor (lib.getVersion pkgs.cups)}://brother-hl-5140/expert + ''; + description = '' + Location of the ppd driver file for the printer. + <command>lpinfo -m</command> shows a list of supported models. + ''; + }; + ppdOptions = mkOption { + type = types.attrsOf types.str; + example = { + "PageSize" = "A4"; + "Duplex" = "DuplexNoTumble"; + }; + default = {}; + description = '' + Sets PPD options for the printer. + <command>lpoptions [-p printername] -l</command> shows suported PPD options for the given printer. + ''; + }; + }; + }); + }; + }; + }; + + config = mkIf (cfg.ensurePrinters != [] && config.services.printing.enable) { + systemd.services."ensure-printers" = let + cupsUnit = if config.services.printing.startWhenNeeded then "cups.socket" else "cups.service"; + in { + description = "Ensure NixOS-configured CUPS printers"; + wantedBy = [ "multi-user.target" ]; + requires = [ cupsUnit ]; + # in contrast to cups.socket, for cups.service, this is actually not enough, + # as the cups service reports its activation before clients can actually interact with it. + # Because of this, commands like `lpinfo -v` will report a bad file descriptor + # due to the missing UNIX socket without sufficient sleep time. + after = [ cupsUnit ]; + + serviceConfig = { + Type = "oneshot"; + }; + + # sleep 10 is required to wait until cups.service is actually initialized and has created its UNIX socket file + script = (optionalString (!config.services.printing.startWhenNeeded) "sleep 10\n") + + (concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters) + + optionalString (cfg.ensureDefaultPrinter != null) (ensureDefaultPrinter cfg.ensureDefaultPrinter); + }; + }; +} diff --git a/nixpkgs/nixos/modules/hardware/video/ati.nix b/nixpkgs/nixos/modules/hardware/video/ati.nix index f867bba80630..0aab7bd6b92c 100644 --- a/nixpkgs/nixos/modules/hardware/video/ati.nix +++ b/nixpkgs/nixos/modules/hardware/video/ati.nix @@ -33,7 +33,7 @@ in boot.blacklistedKernelModules = [ "radeon" ]; - environment.etc."ati".source = "${ati_x11}/etc/ati"; + environment.etc.ati.source = "${ati_x11}/etc/ati"; }; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix index 2536ba73a1de..559899b0a3b1 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix @@ -13,9 +13,6 @@ with lib; enable = true; enableQt4Support = false; }; - - # Enable touchpad support for many laptops. - synaptics.enable = true; }; environment.systemPackages = with pkgs; [ diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix index 5da5df81ede1..bf8b7deb59eb 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix @@ -129,7 +129,7 @@ in ]; nixpkgs.config = { - packageOverrides = p: rec { + packageOverrides = p: { linux_3_4 = p.linux_3_4.override { extraConfig = '' # Enable drivers in kernel for most NICs. diff --git a/nixpkgs/nixos/modules/installer/netboot/netboot.nix b/nixpkgs/nixos/modules/installer/netboot/netboot.nix index f9b8d95c684d..5146858cccf5 100644 --- a/nixpkgs/nixos/modules/installer/netboot/netboot.nix +++ b/nixpkgs/nixos/modules/installer/netboot/netboot.nix @@ -18,7 +18,7 @@ with lib; }; - config = rec { + config = { # Don't build the GRUB menu builder script, since we don't need it # here and it causes a cyclic dependency. boot.loader.grub.enable = false; diff --git a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix index b9ab2053c41f..2673887d2b96 100644 --- a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/hbhdjn5ik3byg642d1m11k3k3s0kn3py-nix-2.2.2"; - i686-linux = "/nix/store/fz5cikwvj3n0a6zl44h6l2z3cin64mda-nix-2.2.2"; - aarch64-linux = "/nix/store/2gba4cyl4wvxzfbhmli90jy4n5aj0kjj-nix-2.2.2"; - x86_64-darwin = "/nix/store/87i4fp46jfw9yl8c7i9gx75m5yph7irl-nix-2.2.2"; + x86_64-linux = "/nix/store/3ds3cgji9vjxdbgp10av6smyym1126d1-nix-2.3"; + i686-linux = "/nix/store/ln1ndqvfpc9cdl03vqxi6kvlxm9wfv9g-nix-2.3"; + aarch64-linux = "/nix/store/n8a1rwzrp20qcr2c4hvyn6c5q9zx8csw-nix-2.3"; + x86_64-darwin = "/nix/store/jq6npmpld02sz4rgniz0qrsdfnm6j17a-nix-2.3"; } diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index 3ae60cb79160..773724ffbd5e 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix @@ -85,7 +85,7 @@ in # Generate /etc/os-release. See # https://www.freedesktop.org/software/systemd/man/os-release.html for the # format. - environment.etc."os-release".text = + environment.etc.os-release.text = '' NAME=NixOS ID=nixos diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 48bfbd8bd6e1..a1476a8179b9 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -58,7 +58,9 @@ ./hardware/network/intel-2200bg.nix ./hardware/nitrokey.nix ./hardware/opengl.nix + ./hardware/openrazer.nix ./hardware/pcmcia.nix + ./hardware/printers.nix ./hardware/raid/hpsa.nix ./hardware/steam-hardware.nix ./hardware/usb-wwan.nix @@ -149,6 +151,7 @@ ./programs/sysdig.nix ./programs/systemtap.nix ./programs/sway.nix + ./programs/system-config-printer.nix ./programs/thefuck.nix ./programs/tmux.nix ./programs/tsm-client.nix @@ -281,6 +284,7 @@ ./services/databases/virtuoso.nix ./services/desktops/accountsservice.nix ./services/desktops/bamf.nix + ./services/desktops/blueman.nix ./services/desktops/deepin/deepin.nix ./services/desktops/dleyna-renderer.nix ./services/desktops/dleyna-server.nix @@ -306,6 +310,7 @@ ./services/desktops/gnome3/tracker.nix ./services/desktops/gnome3/tracker-miners.nix ./services/desktops/profile-sync-daemon.nix + ./services/desktops/system-config-printer.nix ./services/desktops/telepathy.nix ./services/desktops/tumbler.nix ./services/desktops/zeitgeist.nix @@ -699,6 +704,7 @@ ./services/networking/supybot.nix ./services/networking/syncthing.nix ./services/networking/syncthing-relay.nix + ./services/networking/syncplay.nix ./services/networking/tcpcrypt.nix ./services/networking/teamspeak3.nix ./services/networking/tedicross.nix @@ -848,6 +854,7 @@ ./services/x11/hardware/multitouch.nix ./services/x11/hardware/synaptics.nix ./services/x11/hardware/wacom.nix + ./services/x11/hardware/cmt.nix ./services/x11/gdk-pixbuf.nix ./services/x11/redshift.nix ./services/x11/urxvtd.nix @@ -945,6 +952,7 @@ ./virtualisation/openvswitch.nix ./virtualisation/parallels-guest.nix ./virtualisation/qemu-guest-agent.nix + ./virtualisation/railcar.nix ./virtualisation/rkt.nix ./virtualisation/virtualbox-guest.nix ./virtualisation/virtualbox-host.nix diff --git a/nixpkgs/nixos/modules/programs/atop.nix b/nixpkgs/nixos/modules/programs/atop.nix index 4651cdb76e0b..7ef8d687ca17 100644 --- a/nixpkgs/nixos/modules/programs/atop.nix +++ b/nixpkgs/nixos/modules/programs/atop.nix @@ -30,7 +30,7 @@ in }; config = mkIf (cfg.settings != {}) { - environment.etc."atoprc".text = + environment.etc.atoprc.text = concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings); }; } diff --git a/nixpkgs/nixos/modules/programs/bash/bash.nix b/nixpkgs/nixos/modules/programs/bash/bash.nix index 99daec5ff5b7..548babac38ca 100644 --- a/nixpkgs/nixos/modules/programs/bash/bash.nix +++ b/nixpkgs/nixos/modules/programs/bash/bash.nix @@ -159,7 +159,7 @@ in }; - environment.etc."profile".text = + environment.etc.profile.text = '' # /etc/profile: DO NOT EDIT -- this file has been generated automatically. # This file is read for login shells. @@ -184,7 +184,7 @@ in fi ''; - environment.etc."bashrc".text = + environment.etc.bashrc.text = '' # /etc/bashrc: DO NOT EDIT -- this file has been generated automatically. @@ -212,7 +212,7 @@ in # Configuration for readline in bash. We use "option default" # priority to allow user override using both .text and .source. - environment.etc."inputrc".source = mkOptionDefault ./inputrc; + environment.etc.inputrc.source = mkOptionDefault ./inputrc; users.defaultUserShell = mkDefault pkgs.bashInteractive; diff --git a/nixpkgs/nixos/modules/programs/firejail.nix b/nixpkgs/nixos/modules/programs/firejail.nix index 46ee4bc0f7a0..74c3e4425a7c 100644 --- a/nixpkgs/nixos/modules/programs/firejail.nix +++ b/nixpkgs/nixos/modules/programs/firejail.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.programs.firejail; - wrappedBins = pkgs.stdenv.mkDerivation rec { + wrappedBins = pkgs.stdenv.mkDerivation { name = "firejail-wrapped-binaries"; nativeBuildInputs = with pkgs; [ makeWrapper ]; buildCommand = '' diff --git a/nixpkgs/nixos/modules/programs/less.nix b/nixpkgs/nixos/modules/programs/less.nix index 9fdf99e9c694..e19935b77caf 100644 --- a/nixpkgs/nixos/modules/programs/less.nix +++ b/nixpkgs/nixos/modules/programs/less.nix @@ -54,8 +54,8 @@ in type = types.attrsOf types.str; default = {}; example = { - "h" = "noaction 5\e("; - "l" = "noaction 5\e)"; + h = "noaction 5\e("; + l = "noaction 5\e)"; }; description = "Defines new command keys."; }; @@ -74,7 +74,7 @@ in type = types.attrsOf types.str; default = {}; example = { - "\e" = "abort"; + e = "abort"; }; description = "Defines new line-editing keys."; }; @@ -111,11 +111,11 @@ in environment.systemPackages = [ pkgs.less ]; environment.variables = { - "LESSKEY_SYSTEM" = toString lessKey; + LESSKEY_SYSTEM = toString lessKey; } // optionalAttrs (cfg.lessopen != null) { - "LESSOPEN" = cfg.lessopen; + LESSOPEN = cfg.lessopen; } // optionalAttrs (cfg.lessclose != null) { - "LESSCLOSE" = cfg.lessclose; + LESSCLOSE = cfg.lessclose; }; warnings = optional ( diff --git a/nixpkgs/nixos/modules/programs/nano.nix b/nixpkgs/nixos/modules/programs/nano.nix index 6a4d46338e19..5837dd46d7cd 100644 --- a/nixpkgs/nixos/modules/programs/nano.nix +++ b/nixpkgs/nixos/modules/programs/nano.nix @@ -35,7 +35,7 @@ in ###### implementation config = lib.mkIf (cfg.nanorc != "" || cfg.syntaxHighlight) { - environment.etc."nanorc".text = lib.concatStrings [ cfg.nanorc + environment.etc.nanorc.text = lib.concatStrings [ cfg.nanorc (lib.optionalString cfg.syntaxHighlight ''${LF}include "${pkgs.nano}/share/nano/*.nanorc"'') ]; }; diff --git a/nixpkgs/nixos/modules/programs/npm.nix b/nixpkgs/nixos/modules/programs/npm.nix index 5fdd4fa841a1..b351d80c7acf 100644 --- a/nixpkgs/nixos/modules/programs/npm.nix +++ b/nixpkgs/nixos/modules/programs/npm.nix @@ -36,7 +36,7 @@ in ###### implementation config = lib.mkIf cfg.enable { - environment.etc."npmrc".text = cfg.npmrc; + environment.etc.npmrc.text = cfg.npmrc; environment.variables.NPM_CONFIG_GLOBALCONFIG = "/etc/npmrc"; diff --git a/nixpkgs/nixos/modules/programs/plotinus.nix b/nixpkgs/nixos/modules/programs/plotinus.nix index 065e72d6c374..e3549c79588b 100644 --- a/nixpkgs/nixos/modules/programs/plotinus.nix +++ b/nixpkgs/nixos/modules/programs/plotinus.nix @@ -18,7 +18,7 @@ in enable = mkOption { default = false; description = '' - Whether to enable the Plotinus GTK+3 plugin. Plotinus provides a + Whether to enable the Plotinus GTK 3 plugin. Plotinus provides a popup (triggered by Ctrl-Shift-P) to search the menus of a compatible application. ''; diff --git a/nixpkgs/nixos/modules/programs/plotinus.xml b/nixpkgs/nixos/modules/programs/plotinus.xml index 902cd89e0c49..8fc8c22c6d76 100644 --- a/nixpkgs/nixos/modules/programs/plotinus.xml +++ b/nixpkgs/nixos/modules/programs/plotinus.xml @@ -13,10 +13,10 @@ <link xlink:href="https://github.com/p-e-w/plotinus"/> </para> <para> - Plotinus is a searchable command palette in every modern GTK+ application. + Plotinus is a searchable command palette in every modern GTK application. </para> <para> - When in a GTK+3 application and Plotinus is enabled, you can press + When in a GTK 3 application and Plotinus is enabled, you can press <literal>Ctrl+Shift+P</literal> to open the command palette. The command palette provides a searchable list of of all menu items in the application. </para> diff --git a/nixpkgs/nixos/modules/programs/screen.nix b/nixpkgs/nixos/modules/programs/screen.nix index c1daaa58f16f..4fd800dbae79 100644 --- a/nixpkgs/nixos/modules/programs/screen.nix +++ b/nixpkgs/nixos/modules/programs/screen.nix @@ -24,7 +24,7 @@ in ###### implementation config = mkIf (cfg.screenrc != "") { - environment.etc."screenrc".text = cfg.screenrc; + environment.etc.screenrc.text = cfg.screenrc; environment.systemPackages = [ pkgs.screen ]; }; diff --git a/nixpkgs/nixos/modules/programs/system-config-printer.nix b/nixpkgs/nixos/modules/programs/system-config-printer.nix new file mode 100644 index 000000000000..34592dd7064b --- /dev/null +++ b/nixpkgs/nixos/modules/programs/system-config-printer.nix @@ -0,0 +1,32 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + + ###### interface + + options = { + + programs.system-config-printer = { + + enable = mkEnableOption "system-config-printer, a Graphical user interface for CUPS administration"; + + }; + + }; + + + ###### implementation + + config = mkIf config.programs.system-config-printer.enable { + + environment.systemPackages = [ + pkgs.system-config-printer + ]; + + services.system-config-printer.enable = true; + + }; + +} diff --git a/nixpkgs/nixos/modules/programs/xfs_quota.nix b/nixpkgs/nixos/modules/programs/xfs_quota.nix index 648fd9a8a94f..c03e59a5b4ab 100644 --- a/nixpkgs/nixos/modules/programs/xfs_quota.nix +++ b/nixpkgs/nixos/modules/programs/xfs_quota.nix @@ -61,7 +61,7 @@ in description = "Setup of xfs_quota projects. Make sure the filesystem is mounted with the pquota option."; example = { - "projname" = { + projname = { id = 50; path = "/xfsprojects/projname"; sizeHardLimit = "50g"; diff --git a/nixpkgs/nixos/modules/programs/xonsh.nix b/nixpkgs/nixos/modules/programs/xonsh.nix index 5cd2a49f8073..1590020f7b64 100644 --- a/nixpkgs/nixos/modules/programs/xonsh.nix +++ b/nixpkgs/nixos/modules/programs/xonsh.nix @@ -45,7 +45,7 @@ in config = mkIf cfg.enable { - environment.etc."xonshrc".text = cfg.config; + environment.etc.xonshrc.text = cfg.config; environment.systemPackages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh.nix b/nixpkgs/nixos/modules/programs/zsh/zsh.nix index 6e9eefd74d18..c66c29ed45fb 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh.nix @@ -133,7 +133,7 @@ in programs.zsh.shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; - environment.etc."zshenv".text = + environment.etc.zshenv.text = '' # /etc/zshenv: DO NOT EDIT -- this file has been generated automatically. # This file is read for all shells. @@ -157,7 +157,7 @@ in fi ''; - environment.etc."zprofile".text = + environment.etc.zprofile.text = '' # /etc/zprofile: DO NOT EDIT -- this file has been generated automatically. # This file is read for login shells. @@ -176,7 +176,7 @@ in fi ''; - environment.etc."zshrc".text = + environment.etc.zshrc.text = '' # /etc/zshrc: DO NOT EDIT -- this file has been generated automatically. # This file is read for interactive shells. @@ -225,7 +225,7 @@ in fi ''; - environment.etc."zinputrc".source = ./zinputrc; + environment.etc.zinputrc.source = ./zinputrc; environment.systemPackages = [ pkgs.zsh ] ++ optional cfg.enableCompletion pkgs.nix-zsh-completions; diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix index 9e0ab60ca679..d1303f90ad8d 100644 --- a/nixpkgs/nixos/modules/rename.nix +++ b/nixpkgs/nixos/modules/rename.nix @@ -34,6 +34,7 @@ with lib; (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) @@ -51,10 +52,11 @@ with lib; (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") - (mkRemovedOptionModule [ "services" "prometheus2" "alertmanagerURL" ] '' + (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' Due to incompatibility, the alertmanagerURL option has been removed, please use 'services.prometheus2.alertmanagers' instead. '') + (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix index feb54affbf83..b321c04e574c 100644 --- a/nixpkgs/nixos/modules/security/acme.nix +++ b/nixpkgs/nixos/modules/security/acme.nix @@ -213,7 +213,7 @@ in StateDirectoryMode = rights; WorkingDirectory = "/var/lib/${lpath}"; ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}"; - ExecStopPost = + ExecStopPost = let script = pkgs.writeScript "acme-post-stop" '' #!${pkgs.runtimeShell} -e @@ -298,6 +298,9 @@ in }; }) ); + + systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {}; + systemd.targets.acme-certificates = {}; }) ]; diff --git a/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix index be6acb3f1f53..2255477f26e4 100644 --- a/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix @@ -24,6 +24,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ sandbox ]; - security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; + security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; }; } diff --git a/nixpkgs/nixos/modules/security/polkit.nix b/nixpkgs/nixos/modules/security/polkit.nix index 7f1de81d5b70..f2b2df4004cb 100644 --- a/nixpkgs/nixos/modules/security/polkit.nix +++ b/nixpkgs/nixos/modules/security/polkit.nix @@ -85,7 +85,7 @@ in security.wrappers = { pkexec.source = "${pkgs.polkit.bin}/bin/pkexec"; - "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; }; systemd.tmpfiles.rules = [ diff --git a/nixpkgs/nixos/modules/security/prey.nix b/nixpkgs/nixos/modules/security/prey.nix index 1c643f2e1a57..b899ccb6c3e2 100644 --- a/nixpkgs/nixos/modules/security/prey.nix +++ b/nixpkgs/nixos/modules/security/prey.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.prey; - myPrey = pkgs."prey-bash-client".override { + myPrey = pkgs.prey-bash-client.override { apiKey = cfg.apiKey; deviceKey = cfg.deviceKey; }; diff --git a/nixpkgs/nixos/modules/security/wrappers/default.nix b/nixpkgs/nixos/modules/security/wrappers/default.nix index dcb9c8d4ed5f..47738e7962ea 100644 --- a/nixpkgs/nixos/modules/security/wrappers/default.nix +++ b/nixpkgs/nixos/modules/security/wrappers/default.nix @@ -7,7 +7,7 @@ let programs = (lib.mapAttrsToList - (n: v: (if v ? "program" then v else v // {program=n;})) + (n: v: (if v ? program then v else v // {program=n;})) wrappers); securityWrapper = pkgs.stdenv.mkDerivation { @@ -74,15 +74,15 @@ let mkWrappedPrograms = builtins.map - (s: if (s ? "capabilities") + (s: if (s ? capabilities) then mkSetcapProgram ({ owner = "root"; group = "root"; } // s) else if - (s ? "setuid" && s.setuid) || - (s ? "setgid" && s.setgid) || - (s ? "permissions") + (s ? setuid && s.setuid) || + (s ? setgid && s.setgid) || + (s ? permissions) then mkSetuidProgram s else mkSetuidProgram ({ owner = "root"; diff --git a/nixpkgs/nixos/modules/services/audio/alsa.nix b/nixpkgs/nixos/modules/services/audio/alsa.nix index 4939adc4ee65..f632644af09e 100644 --- a/nixpkgs/nixos/modules/services/audio/alsa.nix +++ b/nixpkgs/nixos/modules/services/audio/alsa.nix @@ -99,7 +99,7 @@ in boot.kernelModules = optional config.sound.enableOSSEmulation "snd_pcm_oss"; - systemd.services."alsa-store" = + systemd.services.alsa-store = { description = "Store Sound Card State"; wantedBy = [ "multi-user.target" ]; unitConfig.RequiresMountsFor = "/var/lib/alsa"; diff --git a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix index ba6e154f6b3d..dbd5605143f6 100644 --- a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix +++ b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix @@ -103,7 +103,7 @@ in }]; systemd = { - timers."mysql-backup" = { + timers.mysql-backup = { description = "Mysql backup timer"; wantedBy = [ "timers.target" ]; timerConfig = { @@ -112,7 +112,7 @@ in Unit = "mysql-backup.service"; }; }; - services."mysql-backup" = { + services.mysql-backup = { description = "Mysql backup service"; enable = true; serviceConfig = { diff --git a/nixpkgs/nixos/modules/services/backup/tsm.nix b/nixpkgs/nixos/modules/services/backup/tsm.nix index 3b2bb37491b5..6c238745797e 100644 --- a/nixpkgs/nixos/modules/services/backup/tsm.nix +++ b/nixpkgs/nixos/modules/services/backup/tsm.nix @@ -78,7 +78,7 @@ in config = mkIf cfg.enable { inherit assertions; programs.tsmClient.enable = true; - programs.tsmClient.servers."${cfg.servername}".passwdDir = + programs.tsmClient.servers.${cfg.servername}.passwdDir = mkDefault "/var/lib/tsm-backup/password"; systemd.services.tsm-backup = { description = "IBM Spectrum Protect (Tivoli Storage Manager) Backup"; diff --git a/nixpkgs/nixos/modules/services/backup/zfs-replication.nix b/nixpkgs/nixos/modules/services/backup/zfs-replication.nix index 785cedb98694..5a64304275d5 100644 --- a/nixpkgs/nixos/modules/services/backup/zfs-replication.nix +++ b/nixpkgs/nixos/modules/services/backup/zfs-replication.nix @@ -60,7 +60,7 @@ in { pkgs.lz4 ]; - systemd.services."zfs-replication" = { + systemd.services.zfs-replication = { after = [ "zfs-snapshot-daily.service" "zfs-snapshot-frequent.service" diff --git a/nixpkgs/nixos/modules/services/backup/znapzend.nix b/nixpkgs/nixos/modules/services/backup/znapzend.nix index 9c7f84655727..f317078ddda2 100644 --- a/nixpkgs/nixos/modules/services/backup/znapzend.nix +++ b/nixpkgs/nixos/modules/services/backup/znapzend.nix @@ -361,7 +361,7 @@ in environment.systemPackages = [ pkgs.znapzend ]; systemd.services = { - "znapzend" = { + znapzend = { description = "ZnapZend - ZFS Backup System"; wantedBy = [ "zfs.target" ]; after = [ "zfs.target" ]; diff --git a/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix b/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix index a38b6a78d3a5..4f4b0a92108f 100644 --- a/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix +++ b/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix @@ -24,7 +24,7 @@ with lib; config = mkMerge [ (mkIf cfg.hdfs.namenode.enabled { - systemd.services."hdfs-namenode" = { + systemd.services.hdfs-namenode = { description = "Hadoop HDFS NameNode"; wantedBy = [ "multi-user.target" ]; @@ -44,7 +44,7 @@ with lib; }; }) (mkIf cfg.hdfs.datanode.enabled { - systemd.services."hdfs-datanode" = { + systemd.services.hdfs-datanode = { description = "Hadoop HDFS DataNode"; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix b/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix index 5345a2732d7e..c92020637e47 100644 --- a/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix +++ b/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix @@ -35,7 +35,7 @@ with lib; }) (mkIf cfg.yarn.resourcemanager.enabled { - systemd.services."yarn-resourcemanager" = { + systemd.services.yarn-resourcemanager = { description = "Hadoop YARN ResourceManager"; wantedBy = [ "multi-user.target" ]; @@ -53,7 +53,7 @@ with lib; }) (mkIf cfg.yarn.nodemanager.enabled { - systemd.services."yarn-nodemanager" = { + systemd.services.yarn-nodemanager = { description = "Hadoop YARN NodeManager"; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix index ad7d17c9c283..17f2dde31a71 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -62,50 +62,19 @@ in ''; }; - enable = mkEnableOption "Kubernetes addon manager"; - - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager"; - bootstrapAddonsKubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager bootstrap"; + enable = mkEnableOption "Whether to enable Kubernetes addon manager."; }; ###### implementation - config = let - - addonManagerPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - bootstrapAddonsPaths = filter (a: a != null) [ - cfg.bootstrapAddonsKubeconfig.caFile - cfg.bootstrapAddonsKubeconfig.certFile - cfg.bootstrapAddonsKubeconfig.keyFile - ]; - - in mkIf cfg.enable { + config = mkIf cfg.enable { environment.etc."kubernetes/addons".source = "${addons}/"; - #TODO: Get rid of kube-addon-manager in the future for the following reasons - # - it is basically just a shell script wrapped around kubectl - # - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount - # - it is designed to be used with k8s system components only - # - it would be better with a more Nix-oriented way of managing addons systemd.services.kube-addon-manager = { description = "Kubernetes addon manager"; wantedBy = [ "kubernetes.target" ]; - after = [ "kube-node-online.target" ]; - before = [ "kubernetes.target" ]; - environment = { - ADDON_PATH = "/etc/kubernetes/addons/"; - KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager" cfg.kubeconfig; - }; - path = with pkgs; [ gawk kubectl ]; - preStart = '' - until kubectl -n kube-system get serviceaccounts/default 2>/dev/null; do - echo kubectl -n kube-system get serviceaccounts/default: exit status $? - sleep 2 - done - ''; + after = [ "kube-apiserver.service" ]; + environment.ADDON_PATH = "/etc/kubernetes/addons/"; + path = [ pkgs.gawk ]; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = "${top.package}/bin/kube-addons"; @@ -115,52 +84,8 @@ in Restart = "on-failure"; RestartSec = 10; }; - unitConfig.ConditionPathExists = addonManagerPaths; }; - systemd.paths.kube-addon-manager = { - wantedBy = [ "kube-addon-manager.service" ]; - pathConfig = { - PathExists = addonManagerPaths; - PathChanged = addonManagerPaths; - }; - }; - - services.kubernetes.addonManager.kubeconfig.server = mkDefault top.apiserverAddress; - - systemd.services.kube-addon-manager-bootstrap = mkIf (top.apiserver.enable && top.addonManager.bootstrapAddons != {}) { - wantedBy = [ "kube-control-plane-online.target" ]; - after = [ "kube-apiserver.service" ]; - before = [ "kube-control-plane-online.target" ]; - path = [ pkgs.kubectl ]; - environment = { - KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager-bootstrap" cfg.bootstrapAddonsKubeconfig; - }; - preStart = with pkgs; let - files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v)) - cfg.bootstrapAddons; - in '' - until kubectl auth can-i '*' '*' -q 2>/dev/null; do - echo kubectl auth can-i '*' '*': exit status $? - sleep 2 - done - - kubectl apply -f ${concatStringsSep " \\\n -f " files} - ''; - script = "echo Ok"; - unitConfig.ConditionPathExists = bootstrapAddonsPaths; - }; - - systemd.paths.kube-addon-manager-bootstrap = { - wantedBy = [ "kube-addon-manager-bootstrap.service" ]; - pathConfig = { - PathExists = bootstrapAddonsPaths; - PathChanged = bootstrapAddonsPaths; - }; - }; - - services.kubernetes.addonManager.bootstrapAddonsKubeconfig.server = mkDefault top.apiserverAddress; - services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled (let name = system:kube-addon-manager; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix index 2295694ffc74..70f96d75a461 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix @@ -74,7 +74,7 @@ in { spec = { replicas = 1; revisionHistoryLimit = 10; - selector.matchLabels."k8s-app" = "kubernetes-dashboard"; + selector.matchLabels.k8s-app = "kubernetes-dashboard"; template = { metadata = { labels = { @@ -169,23 +169,6 @@ in { }; }; - kubernetes-dashboard-cm = { - apiVersion = "v1"; - kind = "ConfigMap"; - metadata = { - labels = { - k8s-app = "kubernetes-dashboard"; - # Allows editing resource and makes sure it is created first. - "addonmanager.kubernetes.io/mode" = "EnsureExists"; - }; - name = "kubernetes-dashboard-settings"; - namespace = "kube-system"; - }; - }; - }; - - services.kubernetes.addonManager.bootstrapAddons = mkMerge [{ - kubernetes-dashboard-sa = { apiVersion = "v1"; kind = "ServiceAccount"; @@ -227,9 +210,20 @@ in { }; type = "Opaque"; }; - } - - (optionalAttrs cfg.rbac.enable + kubernetes-dashboard-cm = { + apiVersion = "v1"; + kind = "ConfigMap"; + metadata = { + labels = { + k8s-app = "kubernetes-dashboard"; + # Allows editing resource and makes sure it is created first. + "addonmanager.kubernetes.io/mode" = "EnsureExists"; + }; + name = "kubernetes-dashboard-settings"; + namespace = "kube-system"; + }; + }; + } // (optionalAttrs cfg.rbac.enable (let subjects = [{ kind = "ServiceAccount"; @@ -329,6 +323,6 @@ in { inherit subjects; }; }) - ))]; + )); }; } diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix index ee0ac632ecf0..47e588de3c93 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix @@ -73,7 +73,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/bootstrapping" = "rbac-defaults"; }; @@ -102,7 +102,7 @@ in { }; labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/bootstrapping" = "rbac-defaults"; }; @@ -130,7 +130,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; }; name = "coredns"; @@ -144,7 +144,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = cfg.reconcileMode; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; }; name = "coredns"; @@ -175,7 +175,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = cfg.reconcileMode; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/name" = "CoreDNS"; }; @@ -301,7 +301,7 @@ in { }; labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/name" = "CoreDNS"; }; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix index f293dd79f42a..33796bf2e080 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -290,32 +290,11 @@ in ###### implementation config = mkMerge [ - (let - - apiserverPaths = filter (a: a != null) [ - cfg.clientCaFile - cfg.etcd.caFile - cfg.etcd.certFile - cfg.etcd.keyFile - cfg.kubeletClientCaFile - cfg.kubeletClientCertFile - cfg.kubeletClientKeyFile - cfg.serviceAccountKeyFile - cfg.tlsCertFile - cfg.tlsKeyFile - ]; - etcdPaths = filter (a: a != null) [ - config.services.etcd.trustedCaFile - config.services.etcd.certFile - config.services.etcd.keyFile - ]; - - in mkIf cfg.enable { + (mkIf cfg.enable { systemd.services.kube-apiserver = { description = "Kubernetes APIServer Service"; - wantedBy = [ "kube-control-plane-online.target" ]; - after = [ "certmgr.service" ]; - before = [ "kube-control-plane-online.target" ]; + wantedBy = [ "kubernetes.target" ]; + after = [ "network.target" ]; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-apiserver \ @@ -386,15 +365,6 @@ in Restart = "on-failure"; RestartSec = 5; }; - unitConfig.ConditionPathExists = apiserverPaths; - }; - - systemd.paths.kube-apiserver = mkIf top.apiserver.enable { - wantedBy = [ "kube-apiserver.service" ]; - pathConfig = { - PathExists = apiserverPaths; - PathChanged = apiserverPaths; - }; }; services.etcd = { @@ -408,18 +378,6 @@ in initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"]; }; - systemd.services.etcd = { - unitConfig.ConditionPathExists = etcdPaths; - }; - - systemd.paths.etcd = { - wantedBy = [ "etcd.service" ]; - pathConfig = { - PathExists = etcdPaths; - PathChanged = etcdPaths; - }; - }; - services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled { apiserver-kubelet-api-admin-crb = { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix index b94e8bd86d4c..0b73d090f241 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -104,31 +104,11 @@ in }; ###### implementation - config = let - - controllerManagerPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - cfg.rootCaFile - cfg.serviceAccountKeyFile - cfg.tlsCertFile - cfg.tlsKeyFile - ]; - - in mkIf cfg.enable { - systemd.services.kube-controller-manager = rec { + config = mkIf cfg.enable { + systemd.services.kube-controller-manager = { description = "Kubernetes Controller Manager Service"; - wantedBy = [ "kube-control-plane-online.target" ]; + wantedBy = [ "kubernetes.target" ]; after = [ "kube-apiserver.service" ]; - before = [ "kube-control-plane-online.target" ]; - environment.KUBECONFIG = top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig; - preStart = '' - until kubectl auth can-i get /api -q 2>/dev/null; do - echo kubectl auth can-i get /api: exit status $? - sleep 2 - done - ''; serviceConfig = { RestartSec = "30s"; Restart = "on-failure"; @@ -140,7 +120,7 @@ in "--cluster-cidr=${cfg.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${environment.KUBECONFIG} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ ${optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ @@ -161,16 +141,7 @@ in User = "kubernetes"; Group = "kubernetes"; }; - path = top.path ++ [ pkgs.kubectl ]; - unitConfig.ConditionPathExists = controllerManagerPaths; - }; - - systemd.paths.kube-controller-manager = { - wantedBy = [ "kube-controller-manager.service" ]; - pathConfig = { - PathExists = controllerManagerPaths; - PathChanged = controllerManagerPaths; - }; + path = top.path; }; services.kubernetes.pki.certs = with top.lib; { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix index 143b41f57f6a..3790ac9b6918 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix @@ -256,29 +256,6 @@ in { wantedBy = [ "multi-user.target" ]; }; - systemd.targets.kube-control-plane-online = { - wantedBy = [ "kubernetes.target" ]; - before = [ "kubernetes.target" ]; - }; - - systemd.services.kube-control-plane-online = rec { - description = "Kubernetes control plane is online"; - wantedBy = [ "kube-control-plane-online.target" ]; - after = [ "kube-scheduler.service" "kube-controller-manager.service" ]; - before = [ "kube-control-plane-online.target" ]; - path = [ pkgs.curl ]; - preStart = '' - until curl -Ssf ${cfg.apiserverAddress}/healthz do - echo curl -Ssf ${cfg.apiserverAddress}/healthz: exit status $? - sleep 3 - done - ''; - script = "echo Ok"; - serviceConfig = { - TimeoutSec = "500"; - }; - }; - systemd.tmpfiles.rules = [ "d /opt/cni/bin 0755 root root -" "d /run/kubernetes 0755 kubernetes kubernetes -" @@ -302,8 +279,6 @@ in { services.kubernetes.apiserverAddress = mkDefault ("https://${if cfg.apiserver.advertiseAddress != null then cfg.apiserver.advertiseAddress else "${cfg.masterAddress}:${toString cfg.apiserver.securePort}"}"); - - services.kubernetes.kubeconfig.server = mkDefault cfg.apiserverAddress; }) ]; } diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix index d9437427d6d1..74d10d684375 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -14,36 +14,25 @@ let buildInputs = [ pkgs.makeWrapper ]; } '' mkdir -p $out - cp ${pkgs.kubernetes.src}/cluster/centos/node/bin/mk-docker-opts.sh $out/mk-docker-opts.sh # bashInteractive needed for `compgen` - makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "$out/mk-docker-opts.sh" + makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "${pkgs.kubernetes}/bin/mk-docker-opts.sh" ''; in { ###### interface options.services.kubernetes.flannel = { - enable = mkEnableOption "flannel networking"; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes flannel"; + enable = mkEnableOption "enable flannel networking"; }; ###### implementation - config = let - - flannelPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - kubeconfig = top.lib.mkKubeConfig "flannel" cfg.kubeconfig; - - in mkIf cfg.enable { + config = mkIf cfg.enable { services.flannel = { enable = mkDefault true; network = mkDefault top.clusterCidr; - inherit storageBackend kubeconfig; - nodeName = top.kubelet.hostname; + inherit storageBackend; + nodeName = config.services.kubernetes.kubelet.hostname; }; services.kubernetes.kubelet = { @@ -58,66 +47,24 @@ in }]; }; - systemd.services.mk-docker-opts = { + systemd.services."mk-docker-opts" = { description = "Pre-Docker Actions"; - wantedBy = [ "flannel.target" ]; - before = [ "flannel.target" ]; path = with pkgs; [ gawk gnugrep ]; script = '' ${mkDockerOpts}/mk-docker-opts -d /run/flannel/docker systemctl restart docker ''; - unitConfig.ConditionPathExists = [ "/run/flannel/subnet.env" ]; serviceConfig.Type = "oneshot"; }; - systemd.paths.flannel-subnet-env = { - wantedBy = [ "mk-docker-opts.service" ]; - pathConfig = { - PathExists = [ "/run/flannel/subnet.env" ]; - PathChanged = [ "/run/flannel/subnet.env" ]; - Unit = "mk-docker-opts.service"; - }; - }; - - systemd.targets.flannel = { - wantedBy = [ "kube-node-online.target" ]; - before = [ "kube-node-online.target" ]; - }; - - systemd.services.flannel = { - wantedBy = [ "flannel.target" ]; - after = [ "kubelet.target" ]; - before = [ "flannel.target" ]; - path = with pkgs; [ iptables kubectl ]; - environment.KUBECONFIG = kubeconfig; - preStart = let - args = [ - "--selector=kubernetes.io/hostname=${top.kubelet.hostname}" - # flannel exits if node is not registered yet, before that there is no podCIDR - "--output=jsonpath={.items[0].spec.podCIDR}" - # if jsonpath cannot be resolved exit with status 1 - "--allow-missing-template-keys=false" - ]; - in '' - until kubectl get nodes ${concatStringsSep " " args} 2>/dev/null; do - echo Waiting for ${top.kubelet.hostname} to be RegisteredNode - sleep 1 - done - ''; - unitConfig.ConditionPathExists = flannelPaths; - }; - - systemd.paths.flannel = { + systemd.paths."flannel-subnet-env" = { wantedBy = [ "flannel.service" ]; pathConfig = { - PathExists = flannelPaths; - PathChanged = flannelPaths; + PathModified = "/run/flannel/subnet.env"; + Unit = "mk-docker-opts.service"; }; }; - services.kubernetes.flannel.kubeconfig.server = mkDefault top.apiserverAddress; - systemd.services.docker = { environment.DOCKER_OPTS = "-b none"; serviceConfig.EnvironmentFile = "-/run/flannel/docker"; @@ -144,6 +91,7 @@ in # give flannel som kubernetes rbac permissions if applicable services.kubernetes.addonManager.bootstrapAddons = mkIf ((storageBackend == "kubernetes") && (elem "RBAC" top.apiserver.authorizationMode)) { + flannel-cr = { apiVersion = "rbac.authorization.k8s.io/v1beta1"; kind = "ClusterRole"; @@ -179,6 +127,7 @@ in name = "flannel-client"; }]; }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix index 4c5df96bcc6a..250da4c807ec 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -61,12 +61,6 @@ in type = str; }; - allowPrivileged = mkOption { - description = "Whether to allow Kubernetes containers to request privileged mode."; - default = false; - type = bool; - }; - clusterDns = mkOption { description = "Use alternative DNS."; default = "10.1.0.1"; @@ -234,28 +228,21 @@ in ###### implementation config = mkMerge [ - (let - - kubeletPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - cfg.clientCaFile - cfg.tlsCertFile - cfg.tlsKeyFile - ]; - - in mkIf cfg.enable { + (mkIf cfg.enable { services.kubernetes.kubelet.seedDockerImages = [infraContainer]; systemd.services.kubelet = { description = "Kubernetes Kubelet Service"; - wantedBy = [ "kubelet.target" ]; - after = [ "kube-control-plane-online.target" ]; - before = [ "kubelet.target" ]; + wantedBy = [ "kubernetes.target" ]; + after = [ "network.target" "docker.service" "kube-apiserver.service" ]; path = with pkgs; [ gitMinimal openssh docker utillinux iproute ethtool thin-provisioning-tools iptables socat ] ++ top.path; preStart = '' - rm -f /opt/cni/bin/* || true + ${concatMapStrings (img: '' + echo "Seeding docker image: ${img}" + docker load <${img} + '') cfg.seedDockerImages} + + rm /opt/cni/bin/* || true ${concatMapStrings (package: '' echo "Linking cni package: ${package}" ln -fs ${package}/bin/* /opt/cni/bin @@ -269,7 +256,6 @@ in RestartSec = "1000ms"; ExecStart = ''${top.package}/bin/kubelet \ --address=${cfg.address} \ - --allow-privileged=${boolToString cfg.allowPrivileged} \ --authentication-token-webhook \ --authentication-token-webhook-cache-ttl="10s" \ --authorization-mode=Webhook \ @@ -308,56 +294,6 @@ in ''; WorkingDirectory = top.dataDir; }; - unitConfig.ConditionPathExists = kubeletPaths; - }; - - systemd.paths.kubelet = { - wantedBy = [ "kubelet.service" ]; - pathConfig = { - PathExists = kubeletPaths; - PathChanged = kubeletPaths; - }; - }; - - systemd.services.docker.before = [ "kubelet.service" ]; - - systemd.services.docker-seed-images = { - wantedBy = [ "docker.service" ]; - after = [ "docker.service" ]; - before = [ "kubelet.service" ]; - path = with pkgs; [ docker ]; - preStart = '' - ${concatMapStrings (img: '' - echo "Seeding docker image: ${img}" - docker load <${img} - '') cfg.seedDockerImages} - ''; - script = "echo Ok"; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - serviceConfig.Slice = "kubernetes.slice"; - }; - - systemd.services.kubelet-online = { - wantedBy = [ "kube-node-online.target" ]; - after = [ "flannel.target" "kubelet.target" ]; - before = [ "kube-node-online.target" ]; - # it is complicated. flannel needs kubelet to run the pause container before - # it discusses the node CIDR with apiserver and afterwards configures and restarts - # dockerd. Until then prevent creating any pods because they have to be recreated anyway - # because the network of docker0 has been changed by flannel. - script = let - docker-env = "/run/flannel/docker"; - flannel-date = "stat --print=%Y ${docker-env}"; - docker-date = "systemctl show --property=ActiveEnterTimestamp --value docker"; - in '' - until test -f ${docker-env} ; do sleep 1 ; done - while test `${flannel-date}` -gt `date +%s --date="$(${docker-date})"` ; do - sleep 1 - done - ''; - serviceConfig.Type = "oneshot"; - serviceConfig.Slice = "kubernetes.slice"; }; # Allways include cni plugins @@ -404,16 +340,5 @@ in }; }) - { - systemd.targets.kubelet = { - wantedBy = [ "kube-node-online.target" ]; - before = [ "kube-node-online.target" ]; - }; - - systemd.targets.kube-node-online = { - wantedBy = [ "kubernetes.target" ]; - before = [ "kubernetes.target" ]; - }; - } ]; } diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix index 47384ae50a07..733479e24c97 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix @@ -27,11 +27,12 @@ let certmgrAPITokenPath = "${top.secretsPath}/${cfsslAPITokenBaseName}"; cfsslAPITokenLength = 32; - clusterAdminKubeconfig = with cfg.certs.clusterAdmin; { - server = top.apiserverAddress; - certFile = cert; - keyFile = key; - }; + clusterAdminKubeconfig = with cfg.certs.clusterAdmin; + top.lib.mkKubeConfig "cluster-admin" { + server = top.apiserverAddress; + certFile = cert; + keyFile = key; + }; remote = with config.services; "https://${kubernetes.masterAddress}:${toString cfssl.port}"; in @@ -118,11 +119,6 @@ in cfsslCertPathPrefix = "${config.services.cfssl.dataDir}/cfssl"; cfsslCert = "${cfsslCertPathPrefix}.pem"; cfsslKey = "${cfsslCertPathPrefix}-key.pem"; - - certmgrPaths = [ - top.caFile - certmgrAPITokenPath - ]; in { @@ -172,40 +168,13 @@ in chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}" '')]); - systemd.targets.cfssl-online = { - wantedBy = [ "network-online.target" ]; - after = [ "cfssl.service" "network-online.target" "cfssl-online.service" ]; - }; - - systemd.services.cfssl-online = { - description = "Wait for ${remote} to be reachable."; - wantedBy = [ "cfssl-online.target" ]; - before = [ "cfssl-online.target" ]; - path = [ pkgs.curl ]; - preStart = '' - until curl --fail-early -fskd '{}' ${remote}/api/v1/cfssl/info -o /dev/null; do - echo curl ${remote}/api/v1/cfssl/info: exit status $? - sleep 2 - done - ''; - script = "echo Ok"; - serviceConfig = { - TimeoutSec = "300"; - }; - }; - systemd.services.kube-certmgr-bootstrap = { description = "Kubernetes certmgr bootstrapper"; - wantedBy = [ "cfssl-online.target" ]; - after = [ "cfssl-online.target" ]; - before = [ "certmgr.service" ]; - path = with pkgs; [ curl cfssl ]; + wantedBy = [ "certmgr.service" ]; + after = [ "cfssl.target" ]; script = concatStringsSep "\n" ['' set -e - mkdir -p $(dirname ${certmgrAPITokenPath}) - mkdir -p $(dirname ${top.caFile}) - # If there's a cfssl (cert issuer) running locally, then don't rely on user to # manually paste it in place. Just symlink. # otherwise, create the target file, ready for users to insert the token @@ -217,18 +186,15 @@ in fi '' (optionalString (cfg.pkiTrustOnBootstrap) '' - if [ ! -s "${top.caFile}" ]; then - until test -s ${top.caFile}.json; do - sleep 2 - curl --fail-early -fskd '{}' ${remote}/api/v1/cfssl/info -o ${top.caFile}.json - done - cfssljson -f ${top.caFile}.json -stdout >${top.caFile} - rm ${top.caFile}.json + if [ ! -f "${top.caFile}" ] || [ $(cat "${top.caFile}" | wc -c) -lt 1 ]; then + ${pkgs.curl}/bin/curl --fail-early -f -kd '{}' ${remote}/api/v1/cfssl/info | \ + ${pkgs.cfssl}/bin/cfssljson -stdout >${top.caFile} fi '') ]; serviceConfig = { - TimeoutSec = "500"; + RestartSec = "10s"; + Restart = "on-failure"; }; }; @@ -264,28 +230,35 @@ in mapAttrs mkSpec cfg.certs; }; - systemd.services.certmgr = { - wantedBy = [ "cfssl-online.target" ]; - after = [ "cfssl-online.target" "kube-certmgr-bootstrap.service" ]; - preStart = '' - while ! test -s ${certmgrAPITokenPath} ; do - sleep 1 - echo Waiting for ${certmgrAPITokenPath} - done - ''; - unitConfig.ConditionPathExists = certmgrPaths; - }; - - systemd.paths.certmgr = { - wantedBy = [ "certmgr.service" ]; - pathConfig = { - PathExists = certmgrPaths; - PathChanged = certmgrPaths; - }; - }; - - environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (cfg.etcClusterAdminKubeconfig != null) - (top.lib.mkKubeConfig "cluster-admin" clusterAdminKubeconfig); + #TODO: Get rid of kube-addon-manager in the future for the following reasons + # - it is basically just a shell script wrapped around kubectl + # - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount + # - it is designed to be used with k8s system components only + # - it would be better with a more Nix-oriented way of managing addons + systemd.services.kube-addon-manager = mkIf top.addonManager.enable (mkMerge [{ + environment.KUBECONFIG = with cfg.certs.addonManager; + top.lib.mkKubeConfig "addon-manager" { + server = top.apiserverAddress; + certFile = cert; + keyFile = key; + }; + } + + (optionalAttrs (top.addonManager.bootstrapAddons != {}) { + serviceConfig.PermissionsStartOnly = true; + preStart = with pkgs; + let + files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v)) + top.addonManager.bootstrapAddons; + in + '' + export KUBECONFIG=${clusterAdminKubeconfig} + ${kubectl}/bin/kubectl apply -f ${concatStringsSep " \\\n -f " files} + ''; + })]); + + environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig) + clusterAdminKubeconfig; environment.systemPackages = mkIf (top.kubelet.enable || top.proxy.enable) [ (pkgs.writeScriptBin "nixos-kubernetes-node-join" '' @@ -311,22 +284,38 @@ in exit 1 fi - do_restart=$(test -s ${certmgrAPITokenPath} && echo -n y || echo -n n) - echo $token > ${certmgrAPITokenPath} chmod 600 ${certmgrAPITokenPath} - if [ y = $do_restart ]; then - echo "Restarting certmgr..." >&1 - systemctl restart certmgr - fi + echo "Restarting certmgr..." >&1 + systemctl restart certmgr + + echo "Waiting for certs to appear..." >&1 + + ${optionalString top.kubelet.enable '' + while [ ! -f ${cfg.certs.kubelet.cert} ]; do sleep 1; done + echo "Restarting kubelet..." >&1 + systemctl restart kubelet + ''} + + ${optionalString top.proxy.enable '' + while [ ! -f ${cfg.certs.kubeProxyClient.cert} ]; do sleep 1; done + echo "Restarting kube-proxy..." >&1 + systemctl restart kube-proxy + ''} - echo "Node joined succesfully" >&1 + ${optionalString top.flannel.enable '' + while [ ! -f ${cfg.certs.flannelClient.cert} ]; do sleep 1; done + echo "Restarting flannel..." >&1 + systemctl restart flannel + ''} + + echo "Node joined succesfully" '')]; # isolate etcd on loopback at the master node # easyCerts doesn't support multimaster clusters anyway atm. - services.etcd = mkIf top.apiserver.enable (with cfg.certs.etcd; { + services.etcd = with cfg.certs.etcd; { listenClientUrls = ["https://127.0.0.1:2379"]; listenPeerUrls = ["https://127.0.0.1:2380"]; advertiseClientUrls = ["https://etcd.local:2379"]; @@ -335,11 +324,19 @@ in certFile = mkDefault cert; keyFile = mkDefault key; trustedCaFile = mkDefault caCert; - }); + }; networking.extraHosts = mkIf (config.services.etcd.enable) '' 127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local ''; + services.flannel = with cfg.certs.flannelClient; { + kubeconfig = top.lib.mkKubeConfig "flannel" { + server = top.apiserverAddress; + certFile = cert; + keyFile = key; + }; + }; + services.kubernetes = { apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; { @@ -359,13 +356,6 @@ in proxyClientCertFile = mkDefault cfg.certs.apiserverProxyClient.cert; proxyClientKeyFile = mkDefault cfg.certs.apiserverProxyClient.key; }); - addonManager = mkIf top.addonManager.enable { - kubeconfig = with cfg.certs.addonManager; { - certFile = mkDefault cert; - keyFile = mkDefault key; - }; - bootstrapAddonsKubeconfig = clusterAdminKubeconfig; - }; controllerManager = mkIf top.controllerManager.enable { serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.key; rootCaFile = cfg.certs.controllerManagerClient.caCert; @@ -374,12 +364,6 @@ in keyFile = mkDefault key; }; }; - flannel = mkIf top.flannel.enable { - kubeconfig = with cfg.certs.flannelClient; { - certFile = cert; - keyFile = key; - }; - }; scheduler = mkIf top.scheduler.enable { kubeconfig = with cfg.certs.schedulerClient; { certFile = mkDefault cert; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix index 23f4d97b7030..bd4bf04ea833 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -45,28 +45,12 @@ in }; ###### implementation - config = let - - proxyPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - - in mkIf cfg.enable { - systemd.services.kube-proxy = rec { + config = mkIf cfg.enable { + systemd.services.kube-proxy = { description = "Kubernetes Proxy Service"; - wantedBy = [ "kube-node-online.target" ]; - after = [ "kubelet-online.service" ]; - before = [ "kube-node-online.target" ]; - environment.KUBECONFIG = top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig; - path = with pkgs; [ iptables conntrack_tools kubectl ]; - preStart = '' - until kubectl auth can-i get nodes/${top.kubelet.hostname} -q 2>/dev/null; do - echo kubectl auth can-i get nodes/${top.kubelet.hostname}: exit status $? - sleep 2 - done - ''; + wantedBy = [ "kubernetes.target" ]; + after = [ "kube-apiserver.service" ]; + path = with pkgs; [ iptables conntrack_tools ]; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-proxy \ @@ -75,7 +59,7 @@ in "--cluster-cidr=${top.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${environment.KUBECONFIG} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; @@ -83,15 +67,6 @@ in Restart = "on-failure"; RestartSec = 5; }; - unitConfig.ConditionPathExists = proxyPaths; - }; - - systemd.paths.kube-proxy = { - wantedBy = [ "kube-proxy.service" ]; - pathConfig = { - PathExists = proxyPaths; - PathChanged = proxyPaths; - }; }; services.kubernetes.pki.certs = { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix index a0e484542951..5f6113227d9d 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -56,35 +56,18 @@ in }; ###### implementation - config = let - - schedulerPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - - in mkIf cfg.enable { - systemd.services.kube-scheduler = rec { + config = mkIf cfg.enable { + systemd.services.kube-scheduler = { description = "Kubernetes Scheduler Service"; - wantedBy = [ "kube-control-plane-online.target" ]; + wantedBy = [ "kubernetes.target" ]; after = [ "kube-apiserver.service" ]; - before = [ "kube-control-plane-online.target" ]; - environment.KUBECONFIG = top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig; - path = [ pkgs.kubectl ]; - preStart = '' - until kubectl auth can-i get /api -q 2>/dev/null; do - echo kubectl auth can-i get /api: exit status $? - sleep 2 - done - ''; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-scheduler \ --address=${cfg.address} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${environment.KUBECONFIG} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ --port=${toString cfg.port} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ @@ -96,15 +79,6 @@ in Restart = "on-failure"; RestartSec = 5; }; - unitConfig.ConditionPathExists = schedulerPaths; - }; - - systemd.paths.kube-scheduler = { - wantedBy = [ "kube-scheduler.service" ]; - pathConfig = { - PathExists = schedulerPaths; - PathChanged = schedulerPaths; - }; }; services.kubernetes.pki.certs = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix index c7fe4eeeab99..500acb485620 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix @@ -43,7 +43,7 @@ in ###### interface options = { - services.hydra = rec { + services.hydra = { enable = mkOption { type = types.bool; diff --git a/nixpkgs/nixos/modules/services/databases/cassandra.nix b/nixpkgs/nixos/modules/services/databases/cassandra.nix index 9c8b6c50af14..90c094f68b61 100644 --- a/nixpkgs/nixos/modules/services/databases/cassandra.nix +++ b/nixpkgs/nixos/modules/services/databases/cassandra.nix @@ -397,14 +397,14 @@ in { } ]; users = mkIf (cfg.user == defaultUser) { - extraUsers."${defaultUser}" = + extraUsers.${defaultUser} = { group = cfg.group; home = cfg.homeDir; createHome = true; uid = config.ids.uids.cassandra; description = "Cassandra service user"; }; - extraGroups."${defaultUser}".gid = config.ids.gids.cassandra; + extraGroups.${defaultUser}.gid = config.ids.gids.cassandra; }; systemd.services.cassandra = diff --git a/nixpkgs/nixos/modules/services/databases/pgmanage.nix b/nixpkgs/nixos/modules/services/databases/pgmanage.nix index 1050c2dd481a..0f8634dab319 100644 --- a/nixpkgs/nixos/modules/services/databases/pgmanage.nix +++ b/nixpkgs/nixos/modules/services/databases/pgmanage.nix @@ -59,8 +59,8 @@ in { type = types.attrsOf types.str; default = {}; example = { - "nuc-server" = "hostaddr=192.168.0.100 port=5432 dbname=postgres"; - "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; + nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres"; + mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; }; description = '' pgmanage requires at least one PostgreSQL server be defined. @@ -192,13 +192,13 @@ in { }; }; users = { - users."${pgmanage}" = { + users.${pgmanage} = { name = pgmanage; group = pgmanage; home = cfg.sqlRoot; createHome = true; }; - groups."${pgmanage}" = { + groups.${pgmanage} = { name = pgmanage; }; }; diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix index 10250bb5193a..7bba4dacddcc 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.nix +++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix @@ -81,6 +81,10 @@ in default = ""; description = '' Defines the mapping from system users to database users. + + The general form is: + + map-name system-username database-username ''; }; @@ -224,7 +228,7 @@ in # systems! mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql_9_5 - else pkgs.postgresql_9_4); + else throw "postgresql_9_4 was removed, please upgrade your postgresql version."); services.postgresql.dataDir = mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" diff --git a/nixpkgs/nixos/modules/services/desktops/blueman.nix b/nixpkgs/nixos/modules/services/desktops/blueman.nix new file mode 100644 index 000000000000..18ad610247ed --- /dev/null +++ b/nixpkgs/nixos/modules/services/desktops/blueman.nix @@ -0,0 +1,25 @@ +# blueman service +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.blueman; +in { + ###### interface + options = { + services.blueman = { + enable = mkEnableOption "blueman"; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.blueman ]; + + services.dbus.packages = [ pkgs.blueman ]; + + systemd.packages = [ pkgs.blueman ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/desktops/geoclue2.nix b/nixpkgs/nixos/modules/services/desktops/geoclue2.nix index 040fe157d52d..6007dddf50c0 100644 --- a/nixpkgs/nixos/modules/services/desktops/geoclue2.nix +++ b/nixpkgs/nixos/modules/services/desktops/geoclue2.nix @@ -202,14 +202,14 @@ in ]; # restart geoclue service when the configuration changes - systemd.services."geoclue".restartTriggers = [ + systemd.services.geoclue.restartTriggers = [ config.environment.etc."geoclue/geoclue.conf".source ]; # this needs to run as a user service, since it's associated with the # user who is making the requests systemd.user.services = mkIf cfg.enableDemoAgent { - "geoclue-agent" = { + geoclue-agent = { description = "Geoclue agent"; script = "${package}/libexec/geoclue-2.0/demos/agent"; # this should really be `partOf = [ "geoclue.service" ]`, but @@ -219,12 +219,12 @@ in }; }; - services.geoclue2.appConfig."epiphany" = { + services.geoclue2.appConfig.epiphany = { isAllowed = true; isSystem = false; }; - services.geoclue2.appConfig."firefox" = { + services.geoclue2.appConfig.firefox = { isAllowed = true; isSystem = false; }; diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix index 2740a22c7ca0..3d2b3ed85e3a 100644 --- a/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix +++ b/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix @@ -23,5 +23,7 @@ with lib; environment.systemPackages = [ pkgs.chrome-gnome-shell ]; services.dbus.packages = [ pkgs.chrome-gnome-shell ]; + + nixpkgs.config.firefox.enableGnomeExtensions = true; }; } diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix index 186668d7d385..fcd58509d6fc 100644 --- a/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix +++ b/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix @@ -22,11 +22,11 @@ with lib; config = mkIf config.services.gnome3.glib-networking.enable { - services.dbus.packages = [ pkgs.gnome3.glib-networking ]; + services.dbus.packages = [ pkgs.glib-networking ]; - systemd.packages = [ pkgs.gnome3.glib-networking ]; + systemd.packages = [ pkgs.glib-networking ]; - environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gnome3.glib-networking.out}/lib/gio/modules" ]; + environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ]; }; diff --git a/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix b/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix new file mode 100644 index 000000000000..8a80be266b20 --- /dev/null +++ b/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + + ###### interface + + options = { + + services.system-config-printer = { + + enable = mkEnableOption "system-config-printer, a service for CUPS administration used by printing interfaces"; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.system-config-printer.enable { + + services.dbus.packages = [ + pkgs.system-config-printer + ]; + + systemd.packages = [ + pkgs.system-config-printer + ]; + + services.udev.packages = [ + pkgs.system-config-printer + ]; + + }; + +} diff --git a/nixpkgs/nixos/modules/services/editors/emacs.xml b/nixpkgs/nixos/modules/services/editors/emacs.xml index 8ced302bad1e..03483f69fa2f 100644 --- a/nixpkgs/nixos/modules/services/editors/emacs.xml +++ b/nixpkgs/nixos/modules/services/editors/emacs.xml @@ -59,7 +59,7 @@ <para> The latest stable version of Emacs 25 using the <link - xlink:href="http://www.gtk.org">GTK+ 2</link> + xlink:href="http://www.gtk.org">GTK 2</link> widget toolkit. </para> </listitem> @@ -321,7 +321,7 @@ https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides <para> If you want, you can tweak the Emacs package itself from your <filename>emacs.nix</filename>. For example, if you want to have a - GTK+3-based Emacs instead of the default GTK+2-based binary and remove the + GTK 3-based Emacs instead of the default GTK 2-based binary and remove the automatically generated <filename>emacs.desktop</filename> (useful is you only use <command>emacsclient</command>), you can change your file <filename>emacs.nix</filename> in this way: @@ -349,7 +349,7 @@ in [...] <para> After building this file as shown in <xref linkend="ex-emacsNix" />, you - will get an GTK3-based Emacs binary pre-loaded with your favorite packages. + will get an GTK 3-based Emacs binary pre-loaded with your favorite packages. </para> </section> </section> diff --git a/nixpkgs/nixos/modules/services/games/terraria.nix b/nixpkgs/nixos/modules/services/games/terraria.nix index 31f8edca20ce..a59b74c0b4c4 100644 --- a/nixpkgs/nixos/modules/services/games/terraria.nix +++ b/nixpkgs/nixos/modules/services/games/terraria.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.terraria; - worldSizeMap = { "small" = 1; "medium" = 2; "large" = 3; }; + worldSizeMap = { small = 1; medium = 2; large = 3; }; valFlag = name: val: optionalString (val != null) "-${name} \"${escape ["\\" "\""] (toString val)}\""; boolFlag = name: val: optionalString val "-${name}"; flags = [ diff --git a/nixpkgs/nixos/modules/services/hardware/sane.nix b/nixpkgs/nixos/modules/services/hardware/sane.nix index 3f52658ff013..b344dfc20610 100644 --- a/nixpkgs/nixos/modules/services/hardware/sane.nix +++ b/nixpkgs/nixos/modules/services/hardware/sane.nix @@ -124,7 +124,7 @@ in environment.sessionVariables = env; services.udev.packages = backends; - users.groups."scanner".gid = config.ids.gids.scanner; + users.groups.scanner.gid = config.ids.gids.scanner; }) (mkIf config.services.saned.enable { @@ -152,7 +152,7 @@ in }; }; - users.users."scanner" = { + users.users.scanner = { uid = config.ids.uids.scanner; group = "scanner"; }; diff --git a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix index fd19d8020fb8..6bf31982b71a 100644 --- a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix +++ b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix @@ -33,7 +33,7 @@ let addAllNetDev = xs: concatStringsSep "\n" (map addNetDev xs); in -stdenv.mkDerivation rec { +stdenv.mkDerivation { name = "brscan4-etc-files-0.4.3-3"; src = "${brscan4}/opt/brother/scanner/brscan4"; diff --git a/nixpkgs/nixos/modules/services/hardware/throttled.nix b/nixpkgs/nixos/modules/services/hardware/throttled.nix index 13fc5e4792e6..7617c4492d7c 100644 --- a/nixpkgs/nixos/modules/services/hardware/throttled.nix +++ b/nixpkgs/nixos/modules/services/hardware/throttled.nix @@ -20,7 +20,7 @@ in { config = mkIf cfg.enable { systemd.packages = [ pkgs.throttled ]; # The upstream package has this in Install, but that's not enough, see the NixOS manual - systemd.services."lenovo_fix".wantedBy = [ "multi-user.target" ]; + systemd.services.lenovo_fix.wantedBy = [ "multi-user.target" ]; environment.etc."lenovo_fix.conf".source = if cfg.extraConfig != "" diff --git a/nixpkgs/nixos/modules/services/hardware/tlp.nix b/nixpkgs/nixos/modules/services/hardware/tlp.nix index 092ff051a042..4f8af7978286 100644 --- a/nixpkgs/nixos/modules/services/hardware/tlp.nix +++ b/nixpkgs/nixos/modules/services/hardware/tlp.nix @@ -60,11 +60,11 @@ in powerManagement.cpufreq.max = null; powerManagement.cpufreq.min = null; - systemd.sockets."systemd-rfkill".enable = false; + systemd.sockets.systemd-rfkill.enable = false; systemd.services = { "systemd-rfkill@".enable = false; - "systemd-rfkill".enable = false; + systemd-rfkill.enable = false; tlp = { description = "TLP system startup/shutdown"; diff --git a/nixpkgs/nixos/modules/services/hardware/upower.nix b/nixpkgs/nixos/modules/services/hardware/upower.nix index 1da47349c077..5e7ac7a6e659 100644 --- a/nixpkgs/nixos/modules/services/hardware/upower.nix +++ b/nixpkgs/nixos/modules/services/hardware/upower.nix @@ -5,8 +5,11 @@ with lib; let + cfg = config.services.upower; + in + { ###### interface @@ -49,55 +52,7 @@ in services.udev.packages = [ cfg.package ]; - systemd.services.upower = - { description = "Power Management Daemon"; - path = [ pkgs.glib.out ]; # needed for gdbus - serviceConfig = - { Type = "dbus"; - BusName = "org.freedesktop.UPower"; - ExecStart = "@${cfg.package}/libexec/upowerd upowerd"; - Restart = "on-failure"; - # Upstream lockdown: - # Filesystem lockdown - ProtectSystem = "strict"; - # Needed by keyboard backlight support - ProtectKernelTunables = false; - ProtectControlGroups = true; - ReadWritePaths = "/var/lib/upower"; - ProtectHome = true; - PrivateTmp = true; - - # Network - # PrivateNetwork=true would block udev's netlink socket - RestrictAddressFamilies = "AF_UNIX AF_NETLINK"; - - # Execute Mappings - MemoryDenyWriteExecute = true; - - # Modules - ProtectKernelModules = true; - - # Real-time - RestrictRealtime = true; - - # Privilege escalation - NoNewPrivileges = true; - }; - }; - - system.activationScripts.upower = - '' - mkdir -m 0755 -p /var/lib/upower - ''; - - # The upower daemon seems to get stuck after doing a suspend - # (i.e. subsequent suspend requests will say "Sleep has already - # been requested and is pending"). So as a workaround, restart - # the daemon. - powerManagement.resumeCommands = - '' - ${config.systemd.package}/bin/systemctl try-restart upower - ''; + systemd.packages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/services/logging/logcheck.nix b/nixpkgs/nixos/modules/services/logging/logcheck.nix index e7d6e3d62638..6d8be5b926d5 100644 --- a/nixpkgs/nixos/modules/services/logging/logcheck.nix +++ b/nixpkgs/nixos/modules/services/logging/logcheck.nix @@ -23,9 +23,9 @@ let flags = "-r ${rulesDir} -c ${configFile} -L ${logFiles} -${levelFlag} -m ${cfg.mailTo}"; levelFlag = getAttrFromPath [cfg.level] - { "paranoid" = "p"; - "server" = "s"; - "workstation" = "w"; + { paranoid = "p"; + server = "s"; + workstation = "w"; }; cronJob = '' diff --git a/nixpkgs/nixos/modules/services/logging/logstash.nix b/nixpkgs/nixos/modules/services/logging/logstash.nix index 9b707e9deb58..4943e8d7db3a 100644 --- a/nixpkgs/nixos/modules/services/logging/logstash.nix +++ b/nixpkgs/nixos/modules/services/logging/logstash.nix @@ -53,7 +53,7 @@ in type = types.package; default = pkgs.logstash; defaultText = "pkgs.logstash"; - example = literalExample "pkgs.logstash5"; + example = literalExample "pkgs.logstash"; description = "Logstash package to use."; }; diff --git a/nixpkgs/nixos/modules/services/mail/mlmmj.nix b/nixpkgs/nixos/modules/services/mail/mlmmj.nix index 11565bc02f89..7ae00f3e501e 100644 --- a/nixpkgs/nixos/modules/services/mail/mlmmj.nix +++ b/nixpkgs/nixos/modules/services/mail/mlmmj.nix @@ -137,7 +137,7 @@ in ${pkgs.postfix}/bin/postmap ${stateDir}/transports ''; - systemd.services."mlmmj-maintd" = { + systemd.services.mlmmj-maintd = { description = "mlmmj maintenance daemon"; serviceConfig = { User = cfg.user; @@ -146,7 +146,7 @@ in }; }; - systemd.timers."mlmmj-maintd" = { + systemd.timers.mlmmj-maintd = { description = "mlmmj maintenance timer"; timerConfig.OnUnitActiveSec = cfg.maintInterval; wantedBy = [ "timers.target" ]; diff --git a/nixpkgs/nixos/modules/services/mail/pfix-srsd.nix b/nixpkgs/nixos/modules/services/mail/pfix-srsd.nix index 9599854352c9..38984f896d6a 100644 --- a/nixpkgs/nixos/modules/services/mail/pfix-srsd.nix +++ b/nixpkgs/nixos/modules/services/mail/pfix-srsd.nix @@ -40,7 +40,7 @@ with lib; systemPackages = [ pkgs.pfixtools ]; }; - systemd.services."pfix-srsd" = { + systemd.services.pfix-srsd = { description = "Postfix sender rewriting scheme daemon"; before = [ "postfix.service" ]; #note that we use requires rather than wants because postfix diff --git a/nixpkgs/nixos/modules/services/mail/postfix.nix b/nixpkgs/nixos/modules/services/mail/postfix.nix index c9b3ff0c8f8a..d5fd76da970b 100644 --- a/nixpkgs/nixos/modules/services/mail/postfix.nix +++ b/nixpkgs/nixos/modules/services/mail/postfix.nix @@ -877,22 +877,22 @@ in } (mkIf haveAliases { - services.postfix.aliasFiles."aliases" = aliasesFile; + services.postfix.aliasFiles.aliases = aliasesFile; }) (mkIf haveTransport { - services.postfix.mapFiles."transport" = transportFile; + services.postfix.mapFiles.transport = transportFile; }) (mkIf haveVirtual { - services.postfix.mapFiles."virtual" = virtualFile; + services.postfix.mapFiles.virtual = virtualFile; }) (mkIf haveLocalRecipients { - services.postfix.mapFiles."local_recipients" = localRecipientMapFile; + services.postfix.mapFiles.local_recipients = localRecipientMapFile; }) (mkIf cfg.enableHeaderChecks { - services.postfix.mapFiles."header_checks" = headerChecksFile; + services.postfix.mapFiles.header_checks = headerChecksFile; }) (mkIf (cfg.dnsBlacklists != []) { - services.postfix.mapFiles."client_access" = checkClientAccessFile; + services.postfix.mapFiles.client_access = checkClientAccessFile; }) ]); } diff --git a/nixpkgs/nixos/modules/services/mail/postgrey.nix b/nixpkgs/nixos/modules/services/mail/postgrey.nix index 660c4ca74b10..88fb7f0b4ad1 100644 --- a/nixpkgs/nixos/modules/services/mail/postgrey.nix +++ b/nixpkgs/nixos/modules/services/mail/postgrey.nix @@ -7,7 +7,7 @@ with lib; let natural = with types; addCheck int (x: x >= 0); natural' = with types; addCheck int (x: x > 0); - socket = with types; addCheck (either (submodule unixSocket) (submodule inetSocket)) (x: x ? "path" || x ? "port"); + socket = with types; addCheck (either (submodule unixSocket) (submodule inetSocket)) (x: x ? path || x ? port); inetSocket = with types; { options = { @@ -151,7 +151,7 @@ in { }; systemd.services.postgrey = let - bind-flag = if cfg.socket ? "path" then + bind-flag = if cfg.socket ? path then ''--unix=${cfg.socket.path} --socketmode=${cfg.socket.mode}'' else ''--inet=${optionalString (cfg.socket.addr != null) (cfg.socket.addr + ":")}${toString cfg.socket.port}''; diff --git a/nixpkgs/nixos/modules/services/mail/rspamd.nix b/nixpkgs/nixos/modules/services/mail/rspamd.nix index e1ba63078111..89aa9d17ff7f 100644 --- a/nixpkgs/nixos/modules/services/mail/rspamd.nix +++ b/nixpkgs/nixos/modules/services/mail/rspamd.nix @@ -387,7 +387,7 @@ in gid = config.ids.gids.rspamd; }; - environment.etc."rspamd".source = rspamdDir; + environment.etc.rspamd.source = rspamdDir; systemd.services.rspamd = { description = "Rspamd Service"; diff --git a/nixpkgs/nixos/modules/services/misc/airsonic.nix b/nixpkgs/nixos/modules/services/misc/airsonic.nix index f449ccaa8d2c..919d3b2f6e64 100644 --- a/nixpkgs/nixos/modules/services/misc/airsonic.nix +++ b/nixpkgs/nixos/modules/services/misc/airsonic.nix @@ -138,8 +138,8 @@ in { services.nginx = mkIf (cfg.virtualHost != null) { enable = true; - virtualHosts."${cfg.virtualHost}" = { - locations."${cfg.contextPath}".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; + virtualHosts.${cfg.virtualHost} = { + locations.${cfg.contextPath}.proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/dysnomia.nix b/nixpkgs/nixos/modules/services/misc/dysnomia.nix index 61ea822890ed..9402d5cd801c 100644 --- a/nixpkgs/nixos/modules/services/misc/dysnomia.nix +++ b/nixpkgs/nixos/modules/services/misc/dysnomia.nix @@ -8,9 +8,9 @@ let printProperties = properties: concatMapStrings (propertyName: let - property = properties."${propertyName}"; + property = properties.${propertyName}; in - if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties."${propertyName}")})\n" + if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties.${propertyName})})\n" else "${propertyName}=\"${toString property}\"\n" ) (builtins.attrNames properties); @@ -31,7 +31,7 @@ let ${concatMapStrings (containerName: let - containerProperties = cfg.containers."${containerName}"; + containerProperties = cfg.containers.${containerName}; in '' cat > ${containerName} <<EOF @@ -49,10 +49,10 @@ let ${concatMapStrings (componentName: let - component = cfg.components."${containerName}"."${componentName}"; + component = cfg.components.${containerName}.${componentName}; in "ln -s ${component} ${containerName}/${componentName}\n" - ) (builtins.attrNames (cfg.components."${containerName}" or {}))} + ) (builtins.attrNames (cfg.components.${containerName} or {}))} ''; componentsDir = pkgs.stdenv.mkDerivation { diff --git a/nixpkgs/nixos/modules/services/misc/exhibitor.nix b/nixpkgs/nixos/modules/services/misc/exhibitor.nix index f526270cb4b3..74f4f671f460 100644 --- a/nixpkgs/nixos/modules/services/misc/exhibitor.nix +++ b/nixpkgs/nixos/modules/services/misc/exhibitor.nix @@ -58,7 +58,7 @@ let }; }; cliOptions = concatStringsSep " " (mapAttrsToList (k: v: "--${k} ${v}") (filterAttrs (k: v: v != null && v != "") (cliOptionsCommon // - cliOptionsPerConfig."${cfg.configType}" // + cliOptionsPerConfig.${cfg.configType} // s3CommonOptions // optionalAttrs cfg.s3Backup { s3backup = "true"; } // optionalAttrs cfg.fileSystemBackup { filesystembackup = "true"; } diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.nix b/nixpkgs/nixos/modules/services/misc/gitlab.nix index 09c3a89d6a68..caef4ad4ea80 100644 --- a/nixpkgs/nixos/modules/services/misc/gitlab.nix +++ b/nixpkgs/nixos/modules/services/misc/gitlab.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: # TODO: support non-postgresql @@ -12,14 +12,12 @@ let gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; - pgSuperUser = config.services.postgresql.superUser; databaseConfig = { production = { adapter = "postgresql"; database = cfg.databaseName; host = cfg.databaseHost; - password = cfg.databasePassword; username = cfg.databaseUsername; encoding = "utf8"; pool = cfg.databasePool; @@ -66,13 +64,6 @@ let redisConfig.production.url = "redis://localhost:6379/"; - secretsConfig.production = { - secret_key_base = cfg.secrets.secret; - otp_key_base = cfg.secrets.otp; - db_key_base = cfg.secrets.db; - openid_connect_signing_key = cfg.secrets.jws; - }; - gitlabConfig = { # These are the default settings from config/gitlab.example.yml production = flip recursiveUpdate cfg.extraConfig { @@ -140,7 +131,7 @@ let RAILS_ENV = "production"; }; - gitlab-rake = pkgs.stdenv.mkDerivation rec { + gitlab-rake = pkgs.stdenv.mkDerivation { name = "gitlab-rake"; buildInputs = [ pkgs.makeWrapper ]; dontBuild = true; @@ -155,7 +146,7 @@ let ''; }; - gitlab-rails = pkgs.stdenv.mkDerivation rec { + gitlab-rails = pkgs.stdenv.mkDerivation { name = "gitlab-rails"; buildInputs = [ pkgs.makeWrapper ]; dontBuild = true; @@ -180,10 +171,11 @@ let address: "${cfg.smtp.address}", port: ${toString cfg.smtp.port}, ${optionalString (cfg.smtp.username != null) ''user_name: "${cfg.smtp.username}",''} - ${optionalString (cfg.smtp.password != null) ''password: "${cfg.smtp.password}",''} + ${optionalString (cfg.smtp.passwordFile != null) ''password: "@smtpPassword@",''} domain: "${cfg.smtp.domain}", ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"} enable_starttls_auto: ${toString cfg.smtp.enableStartTLSAuto}, + ca_file: "/etc/ssl/certs/ca-certificates.crt", openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}' } end @@ -244,13 +236,33 @@ in { databaseHost = mkOption { type = types.str; - default = "127.0.0.1"; - description = "Gitlab database hostname."; + default = ""; + description = '' + Gitlab database hostname. An empty string means <quote>use + local unix socket connection</quote>. + ''; }; - databasePassword = mkOption { - type = types.str; - description = "Gitlab database user password."; + databasePasswordFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + File containing the Gitlab database user password. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. + ''; + }; + + databaseCreateLocally = mkOption { + type = types.bool; + default = true; + description = '' + Whether a database should be automatically created on the + local host. Set this to <literal>false</literal> if you plan + on provisioning a local database yourself or use an external + one. + ''; }; databaseName = mkOption { @@ -338,10 +350,15 @@ in { ''; }; - initialRootPassword = mkOption { - type = types.str; + initialRootPasswordFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - Initial password of the root account if this is a new install. + File containing the initial password of the root account if + this is a new install. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; @@ -365,15 +382,20 @@ in { }; username = mkOption { - type = types.nullOr types.str; + type = with types; nullOr str; default = null; description = "Username of the SMTP server for Gitlab."; }; - password = mkOption { - type = types.nullOr types.str; + passwordFile = mkOption { + type = types.nullOr types.path; default = null; - description = "Password of the SMTP server for Gitlab."; + description = '' + File containing the password of the SMTP server for Gitlab. + + This should be a string, not a nix path, since nix paths + are copied into the world-readable nix store. + ''; }; domain = mkOption { @@ -383,7 +405,7 @@ in { }; authentication = mkOption { - type = types.nullOr types.str; + type = with types; nullOr str; default = null; description = "Authentitcation type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html"; }; @@ -401,68 +423,125 @@ in { }; }; - secrets.secret = mkOption { - type = types.str; + secrets.secretFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt variables in the DB. If - you change or lose this key you will be unable to access variables - stored in database. + A file containing the secret used to encrypt variables in + the DB. If you change or lose this key you will be unable to + access variables stored in database. Make sure the secret is at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; - secrets.db = mkOption { - type = types.str; + secrets.dbFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt variables in the DB. If - you change or lose this key you will be unable to access variables - stored in database. + A file containing the secret used to encrypt variables in + the DB. If you change or lose this key you will be unable to + access variables stored in database. Make sure the secret is at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; - secrets.otp = mkOption { - type = types.str; + secrets.otpFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt secrets for OTP tokens. If - you change or lose this key, users which have 2FA enabled for login - won't be able to login anymore. + A file containing the secret used to encrypt secrets for OTP + tokens. If you change or lose this key, users which have 2FA + enabled for login won't be able to login anymore. Make sure the secret is at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; - secrets.jws = mkOption { - type = types.str; + secrets.jwsFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt session keys. If you change or lose - this key, users will be disconnected. + A file containing the secret used to encrypt session + keys. If you change or lose this key, users will be + disconnected. Make sure the secret is an RSA private key in PEM format. You can generate one with openssl genrsa 2048 + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; extraConfig = mkOption { type = types.attrs; default = {}; - example = { - gitlab = { - default_projects_features = { - builds = false; + example = literalExample '' + { + gitlab = { + default_projects_features = { + builds = false; + }; + }; + omniauth = { + enabled = true; + auto_sign_in_with_provider = "openid_connect"; + allow_single_sign_on = ["openid_connect"]; + block_auto_created_users = false; + providers = [ + { + name = "openid_connect"; + label = "OpenID Connect"; + args = { + name = "openid_connect"; + scope = ["openid" "profile"]; + response_type = "code"; + issuer = "https://keycloak.example.com/auth/realms/My%20Realm"; + discovery = true; + client_auth_method = "query"; + uid_field = "preferred_username"; + client_options = { + identifier = "gitlab"; + secret = { _secret = "/var/keys/gitlab_oidc_secret"; }; + redirect_uri = "https://git.example.com/users/auth/openid_connect/callback"; + }; + }; + } + ]; }; }; - }; + ''; description = '' - Extra options to be merged into config/gitlab.yml as nix - attribute set. + Extra options to be added under + <literal>production</literal> in + <filename>config/gitlab.yml</filename>, as a nix attribute + set. + + Options containing secret data should be set to an attribute + set containing the attribute <literal>_secret</literal> - a + string pointing to a file containing the value the option + should be set to. See the example to get a better picture of + this: in the resulting + <filename>config/gitlab.yml</filename> file, the + <literal>production.omniauth.providers[0].args.client_options.secret</literal> + key will be set to the contents of the + <filename>/var/keys/gitlab_oidc_secret</filename> file. ''; }; }; @@ -470,12 +549,66 @@ in { config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.databaseCreateLocally -> (cfg.user == cfg.databaseUsername); + message = "For local automatic database provisioning services.gitlab.user and services.gitlab.databaseUsername should be identical."; + } + { + assertion = (cfg.databaseHost != "") -> (cfg.databasePasswordFile != null); + message = "When services.gitlab.databaseHost is customized, services.gitlab.databasePasswordFile must be set!"; + } + { + assertion = cfg.initialRootPasswordFile != null; + message = "services.gitlab.initialRootPasswordFile must be set!"; + } + { + assertion = cfg.secrets.secretFile != null; + message = "services.gitlab.secrets.secretFile must be set!"; + } + { + assertion = cfg.secrets.dbFile != null; + message = "services.gitlab.secrets.dbFile must be set!"; + } + { + assertion = cfg.secrets.otpFile != null; + message = "services.gitlab.secrets.otpFile must be set!"; + } + { + assertion = cfg.secrets.jwsFile != null; + message = "services.gitlab.secrets.jwsFile must be set!"; + } + ]; + environment.systemPackages = [ pkgs.git gitlab-rake gitlab-rails cfg.packages.gitlab-shell ]; # Redis is required for the sidekiq queue runner. services.redis.enable = mkDefault true; + # We use postgres as the main data store. - services.postgresql.enable = mkDefault true; + services.postgresql = optionalAttrs cfg.databaseCreateLocally { + enable = true; + ensureUsers = singleton { name = cfg.databaseUsername; }; + }; + # The postgresql module doesn't currently support concepts like + # objects owners and extensions; for now we tack on what's needed + # here. + systemd.services.postgresql.postStart = mkAfter (optionalString cfg.databaseCreateLocally '' + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${cfg.databaseName}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${cfg.databaseName}" OWNER "${cfg.databaseUsername}"' + current_owner=$($PSQL -tAc "SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_catalog.pg_database WHERE datname = '${cfg.databaseName}'") + if [[ "$current_owner" != "${cfg.databaseUsername}" ]]; then + $PSQL -tAc 'ALTER DATABASE "${cfg.databaseName}" OWNER TO "${cfg.databaseUsername}"' + if [[ -e "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}" ]]; then + echo "Reassigning ownership of database ${cfg.databaseName} to user ${cfg.databaseUsername} failed on last boot. Failing..." + exit 1 + fi + touch "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}" + $PSQL "${cfg.databaseName}" -tAc "REASSIGN OWNED BY \"$current_owner\" TO \"${cfg.databaseUsername}\"" + rm "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}" + fi + $PSQL '${cfg.databaseName}' -tAc "CREATE EXTENSION IF NOT EXISTS pg_trgm" + ''); + # Use postfix to send out mails. services.postfix.enable = mkDefault true; @@ -527,14 +660,9 @@ in { "L+ /run/gitlab/shell-config.yml - - - - ${pkgs.writeText "config.yml" (builtins.toJSON gitlabShellConfig)}" - "L+ ${cfg.statePath}/config/gitlab.yml - - - - ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)}" - "L+ ${cfg.statePath}/config/database.yml - - - - ${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)}" - "L+ ${cfg.statePath}/config/secrets.yml - - - - ${pkgs.writeText "secrets.yml" (builtins.toJSON secretsConfig)}" "L+ ${cfg.statePath}/config/unicorn.rb - - - - ${./defaultUnicornConfig.rb}" - "L+ ${cfg.statePath}/config/initializers/extra-gitlab.rb - - - - ${extraGitlabRb}" - ] ++ optional cfg.smtp.enable - "L+ ${cfg.statePath}/config/initializers/smtp_settings.rb - - - - ${smtpSettings}" ; + ]; systemd.services.gitlab-sidekiq = { after = [ "network.target" "redis.service" "gitlab.service" ]; @@ -626,46 +754,75 @@ in { gnupg ]; preStart = '' - ${pkgs.sudo}/bin/sudo -u ${cfg.user} cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION - ${pkgs.sudo}/bin/sudo -u ${cfg.user} rm -rf ${cfg.statePath}/db/* - ${pkgs.sudo}/bin/sudo -u ${cfg.user} cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config - ${pkgs.sudo}/bin/sudo -u ${cfg.user} cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db - - ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret - - ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${cfg.packages.gitlab-shell}/bin/install - - if ! test -e "${cfg.statePath}/db-created"; then - if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.databasePassword}'" - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} - - # enable required pg_trgm extension for gitlab - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql ${cfg.databaseName} -c "CREATE EXTENSION IF NOT EXISTS pg_trgm" + cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION + rm -rf ${cfg.statePath}/db/* + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db + + ${cfg.packages.gitlab-shell}/bin/install + + ${optionalString cfg.smtp.enable '' + install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb + ${optionalString (cfg.smtp.passwordFile != null) '' + smtp_password=$(<'${cfg.smtp.passwordFile}') + ${pkgs.replace}/bin/replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' + ''} + ''} + + ( + umask u=rwx,g=,o= + + ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret + + ${if cfg.databasePasswordFile != null then '' + export db_password="$(<'${cfg.databasePasswordFile}')" + + if [[ -z "$db_password" ]]; then + >&2 echo "Database password was an empty string!" + exit 1 + fi + + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + '.production.password = $ENV.db_password' \ + >'${cfg.statePath}/config/database.yml' + '' + else '' + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + >'${cfg.statePath}/config/database.yml' + '' + } + + ${utils.genJqSecretsReplacementSnippet + gitlabConfig + "${cfg.statePath}/config/gitlab.yml" + } + + if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then + rm '${cfg.statePath}/config/secrets.yml' fi - ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${gitlab-rake}/bin/gitlab-rake db:schema:load - - ${pkgs.sudo}/bin/sudo -u ${cfg.user} touch "${cfg.statePath}/db-created" - fi - - # Always do the db migrations just to be sure the database is up-to-date - ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${gitlab-rake}/bin/gitlab-rake db:migrate - - if ! test -e "${cfg.statePath}/db-seeded"; then - ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${gitlab-rake}/bin/gitlab-rake db:seed_fu \ - GITLAB_ROOT_PASSWORD='${cfg.initialRootPassword}' GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' - ${pkgs.sudo}/bin/sudo -u ${cfg.user} touch "${cfg.statePath}/db-seeded" - fi + export secret="$(<'${cfg.secrets.secretFile}')" + export db="$(<'${cfg.secrets.dbFile}')" + export otp="$(<'${cfg.secrets.otpFile}')" + export jws="$(<'${cfg.secrets.jwsFile}')" + ${pkgs.jq}/bin/jq -n '{production: {secret_key_base: $ENV.secret, + otp_key_base: $ENV.db, + db_key_base: $ENV.otp, + openid_connect_signing_key: $ENV.jws}}' \ + > '${cfg.statePath}/config/secrets.yml' + ) + + initial_root_password="$(<'${cfg.initialRootPasswordFile}')" + ${gitlab-rake}/bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD="$initial_root_password" \ + GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' # We remove potentially broken links to old gitlab-shell versions rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks - ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input" + ${pkgs.git}/bin/git config --global core.autocrlf "input" ''; serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root Type = "simple"; User = cfg.user; Group = cfg.group; diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.xml b/nixpkgs/nixos/modules/services/misc/gitlab.xml index 5ff570a442f6..b6171a9a194c 100644 --- a/nixpkgs/nixos/modules/services/misc/gitlab.xml +++ b/nixpkgs/nixos/modules/services/misc/gitlab.xml @@ -54,8 +54,8 @@ <programlisting> services.gitlab = { <link linkend="opt-services.gitlab.enable">enable</link> = true; - <link linkend="opt-services.gitlab.databasePassword">databasePassword</link> = "eXaMpl3"; - <link linkend="opt-services.gitlab.initialRootPassword">initialRootPassword</link> = "UseNixOS!"; + <link linkend="opt-services.gitlab.databasePasswordFile">databasePasswordFile</link> = "/var/keys/gitlab/db_password"; + <link linkend="opt-services.gitlab.initialRootPasswordFile">initialRootPasswordFile</link> = "/var/keys/gitlab/root_password"; <link linkend="opt-services.gitlab.https">https</link> = true; <link linkend="opt-services.gitlab.host">host</link> = "git.example.com"; <link linkend="opt-services.gitlab.port">port</link> = 443; @@ -67,38 +67,10 @@ services.gitlab = { <link linkend="opt-services.gitlab.smtp.port">port</link> = 25; }; secrets = { - <link linkend="opt-services.gitlab.secrets.db">db</link> = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6"; - <link linkend="opt-services.gitlab.secrets.secret">secret</link> = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3"; - <link linkend="opt-services.gitlab.secrets.otp">otp</link> = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI"; - <link linkend="opt-services.gitlab.secrets.jws">jws</link> = '' - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEArrtx4oHKwXoqUbMNqnHgAklnnuDon3XG5LJB35yPsXKv/8GK - ke92wkI+s1Xkvsp8tg9BIY/7c6YK4SR07EWL+dB5qwctsWR2Q8z+/BKmTx9D99pm - hnsjuNIXTF7BXrx3RX6BxZpH5Vzzh9nCwWKT/JCFqtwH7afNGGL7aMf+hdaiUg/Q - SD05yRObioiO4iXDolsJOhrnbZvlzVHl1ZYxFJv0H6/Snc0BBA9Fl/3uj6ANpbjP - eXF1SnJCqT87bj46r5NdVauzaRxAsIfqHroHK4UZ98X5LjGQFGvSqTvyjPBS4I1i - s7VJU28ObuutHxIxSlH0ibn4HZqWmKWlTS652wIDAQABAoIBAGtPcUTTw2sJlR3x - 4k2wfAvLexkHNbZhBdKEa5JiO5mWPuLKwUiZEY2CU7Gd6csG3oqNWcm7/IjtC7dz - xV8p4yp8T4yq7vQIJ93B80NqTLtBD2QTvG2RCMJEPMzJUObWxkVmyVpLQyZo7KOd - KE/OM+aj94OUeEYLjRkSCScz1Gvq/qFG/nAy7KPCmN9JDHuhX26WHo2Rr1OnPNT/ - 7diph0bB9F3b8gjjNTqXDrpdAqVOgR/PsjEBz6DMY+bdyMIn87q2yfmMexxRofN6 - LulpzSaa6Yup8N8H6PzVO6KAkQuf1aQRj0sMwGk1IZEnj6I0KbuHIZkw21Nc6sf2 - ESFySDECgYEA1PnCNn5tmLnwe62Ttmrzl20zIS3Me1gUVJ1NTfr6+ai0I9iMYU21 - 5czuAjJPm9JKQF2vY8UAaCj2ZoObtHa/anb3xsCd8NXoM3iJq5JDoXI1ldz3Y+ad - U/bZUg1DLRvAniTuXmw9iOTwTwPxlDIGq5k+wG2Xmi1lk7zH8ezr9BMCgYEA0gfk - EhgcmPH8Z5cU3YYwOdt6HSJOM0OyN4k/5gnkv+HYVoJTj02gkrJmLr+mi1ugKj46 - 7huYO9TVnrKP21tmbaSv1dp5hS3letVRIxSloEtVGXmmdvJvBRzDWos+G+KcvADi - fFCz6w8v9NmO40CB7y/3SxTmSiSxDQeoi9LhDBkCgYEAsPgMWm25sfOnkY2NNUIv - wT8bAlHlHQT2d8zx5H9NttBpR3P0ShJhuF8N0sNthSQ7ULrIN5YGHYcUH+DyLAWU - TuomP3/kfa+xL7vUYb269tdJEYs4AkoppxBySoz8qenqpz422D0G8M6TpIS5Y5Qi - GMrQ6uLl21YnlpiCaFOfSQMCgYEAmZxj1kgEQmhZrnn1LL/D7czz1vMMNrpAUhXz - wg9iWmSXkU3oR1sDIceQrIhHCo2M6thwyU0tXjUft93pEQocM/zLDaGoVxtmRxxV - J08mg8IVD3jFoyFUyWxsBIDqgAKRl38eJsXvkO+ep3mm49Z+Ma3nM+apN3j2dQ0w - 3HLzXaECgYBFLMEAboVFwi5+MZjGvqtpg2PVTisfuJy2eYnPwHs+AXUgi/xRNFjI - YHEa7UBPb5TEPSzWImQpETi2P5ywcUYL1EbN/nqPWmjFnat8wVmJtV4sUpJhubF4 - Vqm9LxIWc1uQ1q1HDCejRIxIN3aSH+wgRS3Kcj8kCTIoXd1aERb04g== - -----END RSA PRIVATE KEY----- - ''; + <link linkend="opt-services.gitlab.secrets.dbFile">dbFile</link> = "/var/keys/gitlab/db"; + <link linkend="opt-services.gitlab.secrets.secretFile">secretFile</link> = "/var/keys/gitlab/secret"; + <link linkend="opt-services.gitlab.secrets.otpFile">otpFile</link> = "/var/keys/gitlab/otp"; + <link linkend="opt-services.gitlab.secrets.jwsFile">jwsFile</link> = "/var/keys/gitlab/jws"; }; <link linkend="opt-services.gitlab.extraConfig">extraConfig</link> = { gitlab = { @@ -113,12 +85,16 @@ services.gitlab = { </para> <para> - If you're setting up a new Gitlab instance, generate new secrets. You for - instance use <literal>tr -dc A-Za-z0-9 < /dev/urandom | head -c - 128</literal> to generate a new secret. Gitlab encrypts sensitive data - stored in the database. If you're restoring an existing Gitlab instance, you - must specify the secrets secret from <literal>config/secrets.yml</literal> - located in your Gitlab state folder. + If you're setting up a new Gitlab instance, generate new + secrets. You for instance use <literal>tr -dc A-Za-z0-9 < + /dev/urandom | head -c 128 > /var/keys/gitlab/db</literal> to + generate a new db secret. Make sure the files can be read by, and + only by, the user specified by <link + linkend="opt-services.gitlab.user">services.gitlab.user</link>. Gitlab + encrypts sensitive data stored in the database. If you're restoring + an existing Gitlab instance, you must specify the secrets secret + from <literal>config/secrets.yml</literal> located in your Gitlab + state folder. </para> <para> diff --git a/nixpkgs/nixos/modules/services/misc/gitolite.nix b/nixpkgs/nixos/modules/services/misc/gitolite.nix index cbe2c06ab651..cc69f81bbcc4 100644 --- a/nixpkgs/nixos/modules/services/misc/gitolite.nix +++ b/nixpkgs/nixos/modules/services/misc/gitolite.nix @@ -147,7 +147,7 @@ in group = cfg.group; useDefaultShell = true; }; - users.groups."${cfg.group}".gid = config.ids.gids.gitolite; + users.groups.${cfg.group}.gid = config.ids.gids.gitolite; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -" @@ -157,7 +157,7 @@ in "Z ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -" ]; - systemd.services."gitolite-init" = { + systemd.services.gitolite-init = { description = "Gitolite initialization"; wantedBy = [ "multi-user.target" ]; unitConfig.RequiresMountsFor = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix index 3eb649b08a2f..018fac386163 100644 --- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix @@ -374,7 +374,7 @@ in { user = cfg.database_user; database = cfg.database_name; }; - }."${cfg.database_type}"; + }.${cfg.database_type}; description = '' Arguments to pass to the engine. ''; diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix index 088dfd71860b..3826f728afd0 100644 --- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix +++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix @@ -500,12 +500,12 @@ in optionals (pkgs.stdenv.isx86_64 && pkgs.hostPlatform.platform ? gcc.arch) ( # a x86_64 builder can run code for `platform.gcc.arch` and minor architectures: [ "gccarch-${pkgs.hostPlatform.platform.gcc.arch}" ] ++ { - "sandybridge" = [ "gccarch-westmere" ]; - "ivybridge" = [ "gccarch-westmere" "gccarch-sandybridge" ]; - "haswell" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" ]; - "broadwell" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" ]; - "skylake" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" ]; - "skylake-avx512" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" "gccarch-skylake" ]; + sandybridge = [ "gccarch-westmere" ]; + ivybridge = [ "gccarch-westmere" "gccarch-sandybridge" ]; + haswell = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" ]; + broadwell = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" ]; + skylake = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" ]; + skylake-avx512 = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" "gccarch-skylake" ]; }.${pkgs.hostPlatform.platform.gcc.arch} or [] ) ); diff --git a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix b/nixpkgs/nixos/modules/services/misc/nixos-manual.nix index df3e71c80dea..20ba3d8ef0bc 100644 --- a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix +++ b/nixpkgs/nixos/modules/services/misc/nixos-manual.nix @@ -54,7 +54,7 @@ in (mkIf (cfg.showManual && cfgd.enable && cfgd.nixos.enable) { boot.extraTTYs = [ "tty${toString cfg.ttyNumber}" ]; - systemd.services."nixos-manual" = { + systemd.services.nixos-manual = { description = "NixOS Manual"; wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/nixpkgs/nixos/modules/services/misc/pykms.nix b/nixpkgs/nixos/modules/services/misc/pykms.nix index ef90d124a284..ab00086e591e 100644 --- a/nixpkgs/nixos/modules/services/misc/pykms.nix +++ b/nixpkgs/nixos/modules/services/misc/pykms.nix @@ -9,7 +9,7 @@ in { meta.maintainers = with lib.maintainers; [ peterhoeg ]; options = { - services.pykms = rec { + services.pykms = { enable = mkOption { type = types.bool; default = false; diff --git a/nixpkgs/nixos/modules/services/misc/snapper.nix b/nixpkgs/nixos/modules/services/misc/snapper.nix index 62b344d11b06..6f3aaa973a04 100644 --- a/nixpkgs/nixos/modules/services/misc/snapper.nix +++ b/nixpkgs/nixos/modules/services/misc/snapper.nix @@ -44,7 +44,7 @@ in configs = mkOption { default = { }; example = literalExample { - "home" = { + home = { subvolume = "/home"; extraConfig = '' ALLOW_USERS="alice" diff --git a/nixpkgs/nixos/modules/services/misc/synergy.nix b/nixpkgs/nixos/modules/services/misc/synergy.nix index b89cb41ac3ad..bfab8c534d8c 100644 --- a/nixpkgs/nixos/modules/services/misc/synergy.nix +++ b/nixpkgs/nixos/modules/services/misc/synergy.nix @@ -83,7 +83,7 @@ in config = mkMerge [ (mkIf cfgC.enable { - systemd.user.services."synergy-client" = { + systemd.user.services.synergy-client = { after = [ "network.target" "graphical-session.target" ]; description = "Synergy client"; wantedBy = optional cfgC.autoStart "graphical-session.target"; @@ -93,7 +93,7 @@ in }; }) (mkIf cfgS.enable { - systemd.user.services."synergy-server" = { + systemd.user.services.synergy-server = { after = [ "network.target" "graphical-session.target" ]; description = "Synergy server"; wantedBy = optional cfgS.autoStart "graphical-session.target"; diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix index bf38b9ad7a2d..3bff04e7127d 100644 --- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix +++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix @@ -11,7 +11,7 @@ let group = { nginx = config.services.nginx.group; none = user; - }."${cfg.webserver}"; + }.${cfg.webserver}; useNginx = cfg.webserver == "nginx"; @@ -225,7 +225,7 @@ in { nginx = lib.mkIf useNginx { enable = true; virtualHosts = { - "${cfg.hostname}" = { + ${cfg.hostname} = { default = true; root = "${pkg}/share/zoneminder/www"; listen = [ { addr = "0.0.0.0"; inherit (cfg) port; } ]; @@ -312,7 +312,7 @@ in { }; systemd.services = { - zoneminder = with pkgs; rec { + zoneminder = with pkgs; { inherit (zoneminder.meta) description; documentation = [ "https://zoneminder.readthedocs.org/en/latest/" ]; path = [ @@ -356,11 +356,11 @@ in { }; }; - users.groups."${user}" = { + users.groups.${user} = { gid = config.ids.gids.zoneminder; }; - users.users."${user}" = { + users.users.${user} = { uid = config.ids.uids.zoneminder; group = user; inherit home; diff --git a/nixpkgs/nixos/modules/services/misc/zookeeper.nix b/nixpkgs/nixos/modules/services/misc/zookeeper.nix index 50c84e3c6b80..5d91e44a199d 100644 --- a/nixpkgs/nixos/modules/services/misc/zookeeper.nix +++ b/nixpkgs/nixos/modules/services/misc/zookeeper.nix @@ -121,6 +121,7 @@ in { systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 zookeeper - - -" + "Z '${cfg.dataDir}' 0700 zookeeper - - -" ]; systemd.services.zookeeper = { diff --git a/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix b/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix index c0ea1eeb424f..5ee6b092a6a4 100644 --- a/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix @@ -184,7 +184,7 @@ in { }; config = mkIf cfg.enable { - environment.systemPackages = [ pkgs."dd-agent" pkgs.sysstat pkgs.procps ]; + environment.systemPackages = [ pkgs.dd-agent pkgs.sysstat pkgs.procps ]; users.users.datadog = { description = "Datadog Agent User"; diff --git a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix index 9c976c65ea49..b90579bb70c7 100644 --- a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix +++ b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix @@ -51,7 +51,7 @@ in { description = "FusionInventory user"; }; - systemd.services."fusion-inventory" = { + systemd.services.fusion-inventory = { description = "Fusion Inventory Agent"; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/monitoring/monit.nix b/nixpkgs/nixos/modules/services/monitoring/monit.nix index 32e14ab21ffc..ca9352272174 100644 --- a/nixpkgs/nixos/modules/services/monitoring/monit.nix +++ b/nixpkgs/nixos/modules/services/monitoring/monit.nix @@ -23,7 +23,7 @@ in environment.systemPackages = [ pkgs.monit ]; - environment.etc."monitrc" = { + environment.etc.monitrc = { text = cfg.config; mode = "0400"; }; @@ -39,7 +39,7 @@ in KillMode = "process"; Restart = "always"; }; - restartTriggers = [ config.environment.etc."monitrc".source ]; + restartTriggers = [ config.environment.etc.monitrc.source ]; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix index 647d67533b89..191c0bff9c84 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix @@ -4,37 +4,14 @@ with lib; let cfg = config.services.prometheus; - cfg2 = config.services.prometheus2; - promUser = "prometheus"; - promGroup = "prometheus"; - - stateDir = - if cfg.stateDir != null - then cfg.stateDir - else - if cfg.dataDir != null - then - # This assumes /var/lib/ is a prefix of cfg.dataDir. - # This is checked as an assertion below. - removePrefix stateDirBase cfg.dataDir - else "prometheus"; - stateDirBase = "/var/lib/"; - workingDir = stateDirBase + stateDir; - workingDir2 = stateDirBase + cfg2.stateDir; - # a wrapper that verifies that the configuration is valid - promtoolCheck = what: name: file: pkgs.runCommand "${name}-${what}-checked" - { buildInputs = [ cfg.package ]; } '' - ln -s ${file} $out - promtool ${what} $out - ''; + workingDir = "/var/lib/" + cfg.stateDir; - # a wrapper that verifies that the configuration is valid for - # prometheus 2 - prom2toolCheck = what: name: file: + # a wrapper that verifies that the configuration is valid + promtoolCheck = what: name: file: pkgs.runCommand "${name}-${replaceStrings [" "] [""] what}-checked" - { buildInputs = [ cfg2.package ]; } '' + { buildInputs = [ cfg.package ]; } '' ln -s ${file} $out promtool ${what} $out ''; @@ -45,61 +22,34 @@ let echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out ''; - # This becomes the main config file for Prometheus 1 + generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig; + + # This becomes the main config file for Prometheus promConfig = { global = filterValidPrometheus cfg.globalConfig; - rule_files = map (promtoolCheck "check-rules" "rules") (cfg.ruleFiles ++ [ + rule_files = map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) ]); scrape_configs = filterValidPrometheus cfg.scrapeConfigs; + alerting = { + inherit (cfg) alertmanagers; + }; }; - generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig; - prometheusYml = let yml = if cfg.configText != null then pkgs.writeText "prometheus.yml" cfg.configText else generatedPrometheusYml; - in promtoolCheck "check-config" "prometheus.yml" yml; + in promtoolCheck "check config" "prometheus.yml" yml; cmdlineArgs = cfg.extraFlags ++ [ - "-storage.local.path=${workingDir}/metrics" - "-config.file=${prometheusYml}" - "-web.listen-address=${cfg.listenAddress}" - "-alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" - "-alertmanager.timeout=${toString cfg.alertmanagerTimeout}s" + "--storage.tsdb.path=${workingDir}/data/" + "--config.file=${prometheusYml}" + "--web.listen-address=${cfg.listenAddress}" + "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" + "--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s" ] ++ - optional (cfg.alertmanagerURL != []) "-alertmanager.url=${concatStringsSep "," cfg.alertmanagerURL}" ++ - optional (cfg.webExternalUrl != null) "-web.external-url=${cfg.webExternalUrl}"; - - # This becomes the main config file for Prometheus 2 - promConfig2 = { - global = filterValidPrometheus cfg2.globalConfig; - rule_files = map (prom2toolCheck "check rules" "rules") (cfg2.ruleFiles ++ [ - (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg2.rules)) - ]); - scrape_configs = filterValidPrometheus cfg2.scrapeConfigs; - alerting = { - inherit (cfg2) alertmanagers; - }; - }; - - generatedPrometheus2Yml = writePrettyJSON "prometheus.yml" promConfig2; - - prometheus2Yml = let - yml = if cfg2.configText != null then - pkgs.writeText "prometheus.yml" cfg2.configText - else generatedPrometheus2Yml; - in prom2toolCheck "check config" "prometheus.yml" yml; - - cmdlineArgs2 = cfg2.extraFlags ++ [ - "--storage.tsdb.path=${workingDir2}/data/" - "--config.file=${prometheus2Yml}" - "--web.listen-address=${cfg2.listenAddress}" - "--alertmanager.notification-queue-capacity=${toString cfg2.alertmanagerNotificationQueueCapacity}" - "--alertmanager.timeout=${toString cfg2.alertmanagerTimeout}s" - ] ++ - optional (cfg2.webExternalUrl != null) "--web.external-url=${cfg2.webExternalUrl}"; + optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}"; filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); filterAttrsListRecursive = pred: x: @@ -514,343 +464,159 @@ let }; in { - options = { - services.prometheus = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable the Prometheus monitoring daemon. - ''; - }; - - package = mkOption { - type = types.package; - default = pkgs.prometheus; - defaultText = "pkgs.prometheus"; - description = '' - The prometheus package that should be used. - ''; - }; - - listenAddress = mkOption { - type = types.str; - default = "0.0.0.0:9090"; - description = '' - Address to listen on for the web interface, API, and telemetry. - ''; - }; - - dataDir = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Directory to store Prometheus metrics data. - This option is deprecated, please use <option>services.prometheus.stateDir</option>. - ''; - }; - - stateDir = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Directory below <literal>${stateDirBase}</literal> to store Prometheus metrics data. - This directory will be created automatically using systemd's StateDirectory mechanism. - Defaults to <literal>prometheus</literal>. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching Prometheus. - ''; - }; - - configText = mkOption { - type = types.nullOr types.lines; - default = null; - description = '' - If non-null, this option defines the text that is written to - prometheus.yml. If null, the contents of prometheus.yml is generated - from the structured config options. - ''; - }; - - globalConfig = mkOption { - type = promTypes.globalConfig; - default = {}; - description = '' - Parameters that are valid in all configuration contexts. They - also serve as defaults for other configuration sections - ''; - }; - - rules = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Alerting and/or Recording rules to evaluate at runtime. - ''; - }; - - ruleFiles = mkOption { - type = types.listOf types.path; - default = []; - description = '' - Any additional rules files to include in this configuration. - ''; - }; + options.services.prometheus = { - scrapeConfigs = mkOption { - type = types.listOf promTypes.scrape_config; - default = []; - description = '' - A list of scrape configurations. - ''; - }; - - alertmanagerURL = mkOption { - type = types.listOf types.str; - default = []; - description = '' - List of Alertmanager URLs to send notifications to. - ''; - }; - - alertmanagerNotificationQueueCapacity = mkOption { - type = types.int; - default = 10000; - description = '' - The capacity of the queue for pending alert manager notifications. - ''; - }; - - alertmanagerTimeout = mkOption { - type = types.int; - default = 10; - description = '' - Alert manager HTTP API timeout (in seconds). - ''; - }; - - webExternalUrl = mkOption { - type = types.nullOr types.str; - default = null; - example = "https://example.com/"; - description = '' - The URL under which Prometheus is externally reachable (for example, - if Prometheus is served via a reverse proxy). - ''; - }; + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the Prometheus monitoring daemon. + ''; }; - services.prometheus2 = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable the Prometheus 2 monitoring daemon. - ''; - }; + package = mkOption { + type = types.package; + default = pkgs.prometheus; + defaultText = "pkgs.prometheus"; + description = '' + The prometheus package that should be used. + ''; + }; - package = mkOption { - type = types.package; - default = pkgs.prometheus_2; - defaultText = "pkgs.prometheus_2"; - description = '' - The prometheus2 package that should be used. - ''; - }; + listenAddress = mkOption { + type = types.str; + default = "0.0.0.0:9090"; + description = '' + Address to listen on for the web interface, API, and telemetry. + ''; + }; - listenAddress = mkOption { - type = types.str; - default = "0.0.0.0:9090"; - description = '' - Address to listen on for the web interface, API, and telemetry. - ''; - }; + stateDir = mkOption { + type = types.str; + default = "prometheus2"; + description = '' + Directory below <literal>/var/lib</literal> to store Prometheus metrics data. + This directory will be created automatically using systemd's StateDirectory mechanism. + ''; + }; - stateDir = mkOption { - type = types.str; - default = "prometheus2"; - description = '' - Directory below <literal>${stateDirBase}</literal> to store Prometheus metrics data. - This directory will be created automatically using systemd's StateDirectory mechanism. - Defaults to <literal>prometheus2</literal>. - ''; - }; + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra commandline options when launching Prometheus. + ''; + }; - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching Prometheus 2. - ''; - }; + configText = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + If non-null, this option defines the text that is written to + prometheus.yml. If null, the contents of prometheus.yml is generated + from the structured config options. + ''; + }; - configText = mkOption { - type = types.nullOr types.lines; - default = null; - description = '' - If non-null, this option defines the text that is written to - prometheus.yml. If null, the contents of prometheus.yml is generated - from the structured config options. - ''; - }; + globalConfig = mkOption { + type = promTypes.globalConfig; + default = {}; + description = '' + Parameters that are valid in all configuration contexts. They + also serve as defaults for other configuration sections + ''; + }; - globalConfig = mkOption { - type = promTypes.globalConfig; - default = {}; - description = '' - Parameters that are valid in all configuration contexts. They - also serve as defaults for other configuration sections - ''; - }; + rules = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Alerting and/or Recording rules to evaluate at runtime. + ''; + }; - rules = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Alerting and/or Recording rules to evaluate at runtime. - ''; - }; + ruleFiles = mkOption { + type = types.listOf types.path; + default = []; + description = '' + Any additional rules files to include in this configuration. + ''; + }; - ruleFiles = mkOption { - type = types.listOf types.path; - default = []; - description = '' - Any additional rules files to include in this configuration. - ''; - }; + scrapeConfigs = mkOption { + type = types.listOf promTypes.scrape_config; + default = []; + description = '' + A list of scrape configurations. + ''; + }; - scrapeConfigs = mkOption { - type = types.listOf promTypes.scrape_config; - default = []; - description = '' - A list of scrape configurations. - ''; - }; + alertmanagers = mkOption { + type = types.listOf types.attrs; + example = literalExample '' + [ { + scheme = "https"; + path_prefix = "/alertmanager"; + static_configs = [ { + targets = [ + "prometheus.domain.tld" + ]; + } ]; + } ] + ''; + default = []; + description = '' + A list of alertmanagers to send alerts to. + See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information. + ''; + }; - alertmanagers = mkOption { - type = types.listOf types.attrs; - example = literalExample '' - [ { - scheme = "https"; - path_prefix = "/alertmanager"; - static_configs = [ { - targets = [ - "prometheus.domain.tld" - ]; - } ]; - } ] - ''; - default = []; - description = '' - A list of alertmanagers to send alerts to. - See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information. - ''; - }; + alertmanagerNotificationQueueCapacity = mkOption { + type = types.int; + default = 10000; + description = '' + The capacity of the queue for pending alert manager notifications. + ''; + }; - alertmanagerNotificationQueueCapacity = mkOption { - type = types.int; - default = 10000; - description = '' - The capacity of the queue for pending alert manager notifications. - ''; - }; + alertmanagerTimeout = mkOption { + type = types.int; + default = 10; + description = '' + Alert manager HTTP API timeout (in seconds). + ''; + }; - alertmanagerTimeout = mkOption { - type = types.int; - default = 10; - description = '' - Alert manager HTTP API timeout (in seconds). - ''; - }; + webExternalUrl = mkOption { + type = types.nullOr types.str; + default = null; + example = "https://example.com/"; + description = '' + The URL under which Prometheus is externally reachable (for example, + if Prometheus is served via a reverse proxy). + ''; + }; + }; - webExternalUrl = mkOption { - type = types.nullOr types.str; - default = null; - example = "https://example.com/"; - description = '' - The URL under which Prometheus is externally reachable (for example, - if Prometheus is served via a reverse proxy). - ''; - }; + config = mkIf cfg.enable { + users.groups.prometheus.gid = config.ids.gids.prometheus; + users.users.prometheus = { + description = "Prometheus daemon user"; + uid = config.ids.uids.prometheus; + group = "prometheus"; }; - }; - - config = mkMerge [ - (mkIf (cfg.enable || cfg2.enable) { - users.groups.${promGroup}.gid = config.ids.gids.prometheus; - users.users.${promUser} = { - description = "Prometheus daemon user"; - uid = config.ids.uids.prometheus; - group = promGroup; + systemd.services.prometheus = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/prometheus" + + optionalString (length cmdlineArgs != 0) (" \\\n " + + concatStringsSep " \\\n " cmdlineArgs); + User = "prometheus"; + Restart = "always"; + WorkingDirectory = workingDir; + StateDirectory = cfg.stateDir; }; - }) - (mkIf cfg.enable { - warnings = - optional (cfg.dataDir != null) '' - The option services.prometheus.dataDir is deprecated, please use - services.prometheus.stateDir. - ''; - assertions = [ - { - assertion = !(cfg.dataDir != null && cfg.stateDir != null); - message = - "The options services.prometheus.dataDir and services.prometheus.stateDir" + - " can't both be set at the same time! It's recommended to only set the latter" + - " since the former is deprecated."; - } - { - assertion = cfg.dataDir != null -> hasPrefix stateDirBase cfg.dataDir; - message = - "The option services.prometheus.dataDir should have ${stateDirBase} as a prefix!"; - } - { - assertion = cfg.stateDir != null -> !hasPrefix "/" cfg.stateDir; - message = - "The option services.prometheus.stateDir shouldn't be an absolute directory." + - " It should be a directory relative to ${stateDirBase}."; - } - { - assertion = cfg2.stateDir != null -> !hasPrefix "/" cfg2.stateDir; - message = - "The option services.prometheus2.stateDir shouldn't be an absolute directory." + - " It should be a directory relative to ${stateDirBase}."; - } - ]; - systemd.services.prometheus = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = "${cfg.package}/bin/prometheus" + - optionalString (length cmdlineArgs != 0) (" \\\n " + - concatStringsSep " \\\n " cmdlineArgs); - User = promUser; - Restart = "always"; - WorkingDirectory = workingDir; - StateDirectory = stateDir; - }; - }; - }) - (mkIf cfg2.enable { - systemd.services.prometheus2 = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = "${cfg2.package}/bin/prometheus" + - optionalString (length cmdlineArgs2 != 0) (" \\\n " + - concatStringsSep " \\\n " cmdlineArgs2); - User = promUser; - Restart = "always"; - WorkingDirectory = workingDir2; - StateDirectory = cfg2.stateDir; - }; - }; - }) - ]; + }; + }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/thanos.nix b/nixpkgs/nixos/modules/services/monitoring/thanos.nix index b41e99b76477..215cd43fd864 100644 --- a/nixpkgs/nixos/modules/services/monitoring/thanos.nix +++ b/nixpkgs/nixos/modules/services/monitoring/thanos.nix @@ -70,14 +70,14 @@ let } ''json2yaml -i $json -o $out''; thanos = cmd: "${cfg.package}/bin/thanos ${cmd}" + - (let args = cfg."${cmd}".arguments; + (let args = cfg.${cmd}.arguments; in optionalString (length args != 0) (" \\\n " + concatStringsSep " \\\n " args)); argumentsOf = cmd: concatLists (collect isList - (flip mapParamsRecursive params."${cmd}" (path: param: + (flip mapParamsRecursive params.${cmd} (path: param: let opt = concatStringsSep "." path; - v = getAttrFromPath path cfg."${cmd}"; + v = getAttrFromPath path cfg.${cmd}; in param.toArgs opt v))); mkArgumentsOption = cmd: mkOption { @@ -95,7 +95,7 @@ let }; mapParamsRecursive = - let noParam = attr: !(attr ? "toArgs" && attr ? "option"); + let noParam = attr: !(attr ? toArgs && attr ? option); in mapAttrsRecursiveCond noParam; paramsToOptions = mapParamsRecursive (_path: param: param.option); @@ -218,8 +218,8 @@ let toArgs = optionToArgs; option = mkOption { type = types.str; - default = "/var/lib/${config.services.prometheus2.stateDir}/data"; - defaultText = "/var/lib/\${config.services.prometheus2.stateDir}/data"; + default = "/var/lib/${config.services.prometheus.stateDir}/data"; + defaultText = "/var/lib/\${config.services.prometheus.stateDir}/data"; description = '' Data directory of TSDB. ''; @@ -607,7 +607,7 @@ let assertRelativeStateDir = cmd: { assertions = [ { - assertion = !hasPrefix "/" cfg."${cmd}".stateDir; + assertion = !hasPrefix "/" cfg.${cmd}.stateDir; message = "The option services.thanos.${cmd}.stateDir should not be an absolute directory." + " It should be a directory relative to /var/lib."; @@ -679,22 +679,22 @@ in { (mkIf cfg.sidecar.enable { assertions = [ { - assertion = config.services.prometheus2.enable; + assertion = config.services.prometheus.enable; message = - "Please enable services.prometheus2 when enabling services.thanos.sidecar."; + "Please enable services.prometheus when enabling services.thanos.sidecar."; } { - assertion = !(config.services.prometheus2.globalConfig.external_labels == null || - config.services.prometheus2.globalConfig.external_labels == {}); + assertion = !(config.services.prometheus.globalConfig.external_labels == null || + config.services.prometheus.globalConfig.external_labels == {}); message = "services.thanos.sidecar requires uniquely identifying external labels " + "to be configured in the Prometheus server. " + - "Please set services.prometheus2.globalConfig.external_labels."; + "Please set services.prometheus.globalConfig.external_labels."; } ]; systemd.services.thanos-sidecar = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "prometheus2.service" ]; + after = [ "network.target" "prometheus.service" ]; serviceConfig = { User = "prometheus"; Restart = "always"; diff --git a/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix b/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix index b1645f861101..856b9432892b 100644 --- a/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix @@ -135,7 +135,7 @@ in users.groups.${group} = { }; - systemd.services."zabbix-agent" = { + systemd.services.zabbix-agent = { description = "Zabbix Agent"; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix b/nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix index 90abed30db5d..9d214469c3b3 100644 --- a/nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix +++ b/nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix @@ -252,7 +252,7 @@ in fping.source = "${pkgs.fping}/bin/fping"; }; - systemd.services."zabbix-proxy" = { + systemd.services.zabbix-proxy = { description = "Zabbix Proxy"; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix b/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix index 11311b466c3f..4b4049ed360e 100644 --- a/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix +++ b/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix @@ -237,7 +237,7 @@ in fping.source = "${pkgs.fping}/bin/fping"; }; - systemd.services."zabbix-server" = { + systemd.services.zabbix-server = { description = "Zabbix Server"; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix b/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix index 86b1bb9160f1..2e03a422665a 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix @@ -69,7 +69,7 @@ let # functions to generate systemd.service entries systemdEntry = service: cfgFile: (mapAttrs' ( name: cfg: - (nameValuePair "beegfs-${service}-${name}" (mkIf cfg."${service}".enable { + (nameValuePair "beegfs-${service}-${name}" (mkIf cfg.${service}.enable { wantedBy = [ "multi-user.target" ]; requires = [ "network-online.target" ]; after = [ "network-online.target" ]; diff --git a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix index 54841861c081..3dc5b8feef65 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix @@ -3,18 +3,18 @@ with lib; let - ceph = pkgs.ceph; cfg = config.services.ceph; + # function that translates "camelCaseOptions" to "camel case options", credits to tilpner in #nixos@freenode - translateOption = replaceStrings upperChars (map (s: " ${s}") lowerChars); - generateDaemonList = (daemonType: daemons: extraServiceConfig: - mkMerge ( - map (daemon: - { "ceph-${daemonType}-${daemon}" = generateServiceFile daemonType daemon cfg.global.clusterName ceph extraServiceConfig; } - ) daemons - ) - ); - generateServiceFile = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: { + expandCamelCase = replaceStrings upperChars (map (s: " ${s}") lowerChars); + expandCamelCaseAttrs = mapAttrs' (name: value: nameValuePair (expandCamelCase name) value); + + makeServices = (daemonType: daemonIds: extraServiceConfig: + mkMerge (map (daemonId: + { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph extraServiceConfig; }) + daemonIds)); + + makeService = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: { enable = true; description = "Ceph ${builtins.replaceStrings lowerChars upperChars daemonType} daemon ${daemonId}"; after = [ "network-online.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target"; @@ -34,23 +34,29 @@ let Restart = "on-failure"; StartLimitBurst = "5"; StartLimitInterval = "30min"; - ExecStart = "${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} -f --cluster ${clusterName} --id ${if daemonType == "rgw" then "client.${daemonId}" else daemonId} --setuser ceph --setgroup ceph"; + ExecStart = ''${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} \ + -f --cluster ${clusterName} --id ${daemonId} --setuser ceph \ + --setgroup ${if daemonType == "osd" then "disk" else "ceph"}''; } // extraServiceConfig - // optionalAttrs (daemonType == "osd") { ExecStartPre = "${ceph.out}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}"; }; - } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { preStart = '' + // optionalAttrs (daemonType == "osd") { ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh \ + --id ${daemonId} --cluster ${clusterName}''; }; + } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { + preStart = '' daemonPath="/var/lib/ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}" - if [ ! -d ''$daemonPath ]; then - mkdir -m 755 -p ''$daemonPath - chown -R ceph:ceph ''$daemonPath + if [ ! -d $daemonPath ]; then + mkdir -m 755 -p $daemonPath + chown -R ceph:ceph $daemonPath fi ''; } // optionalAttrs (daemonType == "osd") { path = [ pkgs.getopt ]; } ); - generateTargetFile = (daemonType: + + makeTarget = (daemonType: { "ceph-${daemonType}" = { description = "Ceph target allowing to start/stop all ceph-${daemonType} services at once"; partOf = [ "ceph.target" ]; + wantedBy = [ "ceph.target" ]; before = [ "ceph.target" ]; }; } @@ -82,6 +88,14 @@ in ''; }; + mgrModulePath = mkOption { + type = types.path; + default = "${pkgs.ceph.lib}/lib/ceph/mgr"; + description = '' + Path at which to find ceph-mgr modules. + ''; + }; + monInitialMembers = mkOption { type = with types; nullOr commas; default = null; @@ -157,6 +171,27 @@ in A comma-separated list of subnets that will be used as cluster networks in the cluster. ''; }; + + rgwMimeTypesFile = mkOption { + type = with types; nullOr path; + default = "${pkgs.mime-types}/etc/mime.types"; + description = '' + Path to mime types used by radosgw. + ''; + }; + }; + + extraConfig = mkOption { + type = with types; attrsOf str; + default = {}; + example = '' + { + "ms bind ipv6" = "true"; + }; + ''; + description = '' + Extra configuration to add to the global section. Use for setting values that are common for all daemons in the cluster. + ''; }; mgr = { @@ -216,6 +251,7 @@ in to the id part in ceph i.e. [ "name1" ] would result in osd.name1 ''; }; + extraConfig = mkOption { type = with types; attrsOf str; default = { @@ -296,9 +332,6 @@ in { assertion = cfg.global.fsid != ""; message = "fsid has to be set to a valid uuid for the cluster to function"; } - { assertion = cfg.mgr.enable == true; - message = "ceph 12.x requires atleast 1 MGR daemon enabled for the cluster to function"; - } { assertion = cfg.mon.enable == true -> cfg.mon.daemons != []; message = "have to set id of atleast one MON if you're going to enable Monitor"; } @@ -317,17 +350,15 @@ in ''Not setting up a list of members in monInitialMembers requires that you set the host variable for each mon daemon or else the cluster won't function''; environment.etc."ceph/ceph.conf".text = let - # Translate camelCaseOptions to the expected camel case option for ceph.conf - translatedGlobalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) cfg.global; # Merge the extraConfig set for mgr daemons, as mgr don't have their own section - globalAndMgrConfig = translatedGlobalConfig // optionalAttrs cfg.mgr.enable cfg.mgr.extraConfig; + globalSection = expandCamelCaseAttrs (cfg.global // cfg.extraConfig // optionalAttrs cfg.mgr.enable cfg.mgr.extraConfig); # Remove all name-value pairs with null values from the attribute set to avoid making empty sections in the ceph.conf - globalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) (filterAttrs (name: value: value != null) globalAndMgrConfig); + globalSection' = filterAttrs (name: value: value != null) globalSection; totalConfig = { - "global" = globalConfig; - } // optionalAttrs (cfg.mon.enable && cfg.mon.extraConfig != {}) { "mon" = cfg.mon.extraConfig; } - // optionalAttrs (cfg.mds.enable && cfg.mds.extraConfig != {}) { "mds" = cfg.mds.extraConfig; } - // optionalAttrs (cfg.osd.enable && cfg.osd.extraConfig != {}) { "osd" = cfg.osd.extraConfig; } + global = globalSection'; + } // optionalAttrs (cfg.mon.enable && cfg.mon.extraConfig != {}) { mon = cfg.mon.extraConfig; } + // optionalAttrs (cfg.mds.enable && cfg.mds.extraConfig != {}) { mds = cfg.mds.extraConfig; } + // optionalAttrs (cfg.osd.enable && cfg.osd.extraConfig != {}) { osd = cfg.osd.extraConfig; } // optionalAttrs (cfg.client.enable && cfg.client.extraConfig != {}) cfg.client.extraConfig; in generators.toINI {} totalConfig; @@ -336,8 +367,9 @@ in name = "ceph"; uid = config.ids.uids.ceph; description = "Ceph daemon user"; + group = "ceph"; + extraGroups = [ "disk" ]; }; - users.groups = singleton { name = "ceph"; gid = config.ids.gids.ceph; @@ -345,22 +377,26 @@ in systemd.services = let services = [] - ++ optional cfg.mon.enable (generateDaemonList "mon" cfg.mon.daemons { RestartSec = "10"; }) - ++ optional cfg.mds.enable (generateDaemonList "mds" cfg.mds.daemons { StartLimitBurst = "3"; }) - ++ optional cfg.osd.enable (generateDaemonList "osd" cfg.osd.daemons { StartLimitBurst = "30"; RestartSec = "20s"; }) - ++ optional cfg.rgw.enable (generateDaemonList "rgw" cfg.rgw.daemons { }) - ++ optional cfg.mgr.enable (generateDaemonList "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; }); + ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons { RestartSec = "10"; }) + ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons { StartLimitBurst = "3"; }) + ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons { StartLimitBurst = "30"; + RestartSec = "20s"; + PrivateDevices = "no"; # osd needs disk access + }) + ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons { }) + ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; }); in mkMerge services; systemd.targets = let targets = [ - { "ceph" = { description = "Ceph target allowing to start/stop all ceph service instances at once"; }; } - ] ++ optional cfg.mon.enable (generateTargetFile "mon") - ++ optional cfg.mds.enable (generateTargetFile "mds") - ++ optional cfg.osd.enable (generateTargetFile "osd") - ++ optional cfg.rgw.enable (generateTargetFile "rgw") - ++ optional cfg.mgr.enable (generateTargetFile "mgr"); + { "ceph" = { description = "Ceph target allowing to start/stop all ceph service instances at once"; + wantedBy = [ "multi-user.target" ]; }; } + ] ++ optional cfg.mon.enable (makeTarget "mon") + ++ optional cfg.mds.enable (makeTarget "mds") + ++ optional cfg.osd.enable (makeTarget "osd") + ++ optional cfg.rgw.enable (makeTarget "rgw") + ++ optional cfg.mgr.enable (makeTarget "mgr"); in mkMerge targets; diff --git a/nixpkgs/nixos/modules/services/network-filesystems/openafs/lib.nix b/nixpkgs/nixos/modules/services/network-filesystems/openafs/lib.nix index 1cc9bed847ab..e068ee761c2a 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/openafs/lib.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/openafs/lib.nix @@ -3,7 +3,7 @@ let inherit (lib) concatStringsSep mkOption types; -in rec { +in { mkCellServDB = cellName: db: '' >${cellName} diff --git a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix index 69368441c62c..055508a32244 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix @@ -234,10 +234,10 @@ in # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd # for correct use with systemd services = { - "samba-smbd" = daemonService "smbd" ""; - "samba-nmbd" = mkIf cfg.enableNmbd (daemonService "nmbd" ""); - "samba-winbindd" = mkIf cfg.enableWinbindd (daemonService "winbindd" ""); - "samba-setup" = { + samba-smbd = daemonService "smbd" ""; + samba-nmbd = mkIf cfg.enableNmbd (daemonService "nmbd" ""); + samba-winbindd = mkIf cfg.enableWinbindd (daemonService "winbindd" ""); + samba-setup = { description = "Samba Setup Task"; script = setupScript; unitConfig.RequiresMountsFor = "/var/lib/samba"; diff --git a/nixpkgs/nixos/modules/services/networking/babeld.nix b/nixpkgs/nixos/modules/services/networking/babeld.nix index 3dfd80f6ff52..de863461eab2 100644 --- a/nixpkgs/nixos/modules/services/networking/babeld.nix +++ b/nixpkgs/nixos/modules/services/networking/babeld.nix @@ -52,7 +52,7 @@ in example = { type = "tunnel"; - "split-horizon" = true; + split-horizon = true; }; }; @@ -66,8 +66,8 @@ in example = { enp0s2 = { type = "wired"; - "hello-interval" = 5; - "split-horizon" = "auto"; + hello-interval = 5; + split-horizon = "auto"; }; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/connman.nix b/nixpkgs/nixos/modules/services/networking/connman.nix index 1cd3fd2ade57..31127f790499 100644 --- a/nixpkgs/nixos/modules/services/networking/connman.nix +++ b/nixpkgs/nixos/modules/services/networking/connman.nix @@ -82,7 +82,7 @@ in { environment.systemPackages = [ connman ]; - systemd.services."connman" = { + systemd.services.connman = { description = "Connection service"; wantedBy = [ "multi-user.target" ]; after = [ "syslog.target" ]; @@ -95,7 +95,7 @@ in { }; }; - systemd.services."connman-vpn" = mkIf cfg.enableVPN { + systemd.services.connman-vpn = mkIf cfg.enableVPN { description = "ConnMan VPN service"; wantedBy = [ "multi-user.target" ]; after = [ "syslog.target" ]; @@ -108,7 +108,7 @@ in { }; }; - systemd.services."net-connman-vpn" = mkIf cfg.enableVPN { + systemd.services.net-connman-vpn = mkIf cfg.enableVPN { description = "D-BUS Service"; serviceConfig = { Name = "net.connman.vpn"; diff --git a/nixpkgs/nixos/modules/services/networking/consul.nix b/nixpkgs/nixos/modules/services/networking/consul.nix index f080f12eaccd..689cbc8a986d 100644 --- a/nixpkgs/nixos/modules/services/networking/consul.nix +++ b/nixpkgs/nixos/modules/services/networking/consul.nix @@ -156,7 +156,7 @@ in config = mkIf cfg.enable ( mkMerge [{ - users.users."consul" = { + users.users.consul = { description = "Consul agent daemon user"; uid = config.ids.uids.consul; # The shell is needed for health checks diff --git a/nixpkgs/nixos/modules/services/networking/firewall.nix b/nixpkgs/nixos/modules/services/networking/firewall.nix index 4ea891262e56..5b3aa19af3bb 100644 --- a/nixpkgs/nixos/modules/services/networking/firewall.nix +++ b/nixpkgs/nixos/modules/services/networking/firewall.nix @@ -58,7 +58,7 @@ let ${text} ''; in "${dir}/bin/${name}"; - defaultInterface = { default = mapAttrs (name: value: cfg."${name}") commonOptions; }; + defaultInterface = { default = mapAttrs (name: value: cfg.${name}) commonOptions; }; allInterfaces = defaultInterface // cfg.interfaces; startScript = writeShScript "firewall-start" '' diff --git a/nixpkgs/nixos/modules/services/networking/git-daemon.nix b/nixpkgs/nixos/modules/services/networking/git-daemon.nix index c0020349ec74..a638a3083fba 100644 --- a/nixpkgs/nixos/modules/services/networking/git-daemon.nix +++ b/nixpkgs/nixos/modules/services/networking/git-daemon.nix @@ -115,7 +115,7 @@ in gid = config.ids.gids.git; }; - systemd.services."git-daemon" = { + systemd.services.git-daemon = { after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; script = "${pkgs.git}/bin/git daemon --reuseaddr " diff --git a/nixpkgs/nixos/modules/services/networking/hylafax/systemd.nix b/nixpkgs/nixos/modules/services/networking/hylafax/systemd.nix index 0c6602e7f8ab..b9b9b9dca4f0 100644 --- a/nixpkgs/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixpkgs/nixos/modules/services/networking/hylafax/systemd.nix @@ -68,7 +68,7 @@ let inherit (cfg) spoolAreaPath; }; - sockets."hylafax-hfaxd" = { + sockets.hylafax-hfaxd = { description = "HylaFAX server socket"; documentation = [ "man:hfaxd(8)" ]; wantedBy = [ "multi-user.target" ]; @@ -77,7 +77,7 @@ let socketConfig.Accept = true; }; - paths."hylafax-faxq" = { + paths.hylafax-faxq = { description = "HylaFAX queue manager sendq watch"; documentation = [ "man:faxq(8)" "man:sendq(5)" ]; wantedBy = [ "multi-user.target" ]; @@ -87,11 +87,11 @@ let timers = mkMerge [ ( mkIf (cfg.faxcron.enable.frequency!=null) - { "hylafax-faxcron".timerConfig.Persistent = true; } + { hylafax-faxcron.timerConfig.Persistent = true; } ) ( mkIf (cfg.faxqclean.enable.frequency!=null) - { "hylafax-faxqclean".timerConfig.Persistent = true; } + { hylafax-faxqclean.timerConfig.Persistent = true; } ) ]; @@ -121,7 +121,7 @@ let in service: service // { serviceConfig = apply service; }; - services."hylafax-spool" = { + services.hylafax-spool = { description = "HylaFAX spool area preparation"; documentation = [ "man:hylafax-server(4)" ]; script = '' @@ -140,7 +140,7 @@ let unitConfig.RequiresMountsFor = [ cfg.spoolAreaPath ]; }; - services."hylafax-faxq" = { + services.hylafax-faxq = { description = "HylaFAX queue manager"; documentation = [ "man:faxq(8)" ]; requires = [ "hylafax-spool.service" ]; @@ -178,7 +178,7 @@ let serviceConfig.PrivateNetwork = null; }; - services."hylafax-faxcron" = rec { + services.hylafax-faxcron = rec { description = "HylaFAX spool area maintenance"; documentation = [ "man:faxcron(8)" ]; after = [ "hylafax-spool.service" ]; @@ -194,7 +194,7 @@ let ]; }; - services."hylafax-faxqclean" = rec { + services.hylafax-faxqclean = rec { description = "HylaFAX spool area queue cleaner"; documentation = [ "man:faxqclean(8)" ]; after = [ "hylafax-spool.service" ]; diff --git a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix index 2bd898edf897..f5abe61a1baf 100644 --- a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -121,7 +121,7 @@ in users.groups.ircd.gid = config.ids.gids.ircd; - systemd.services."ircd-hybrid" = { + systemd.services.ircd-hybrid = { description = "IRCD Hybrid server"; after = [ "started networking" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/networking/iwd.nix b/nixpkgs/nixos/modules/services/networking/iwd.nix index 18ed20e28886..839fa48d9a42 100644 --- a/nixpkgs/nixos/modules/services/networking/iwd.nix +++ b/nixpkgs/nixos/modules/services/networking/iwd.nix @@ -26,6 +26,7 @@ in { systemd.tmpfiles.rules = [ "d /var/lib/iwd 0700 root root -" + "d /var/lib/ead 0700 root root -" ]; }; diff --git a/nixpkgs/nixos/modules/services/networking/jormungandr.nix b/nixpkgs/nixos/modules/services/networking/jormungandr.nix index 68f1e9af9fff..85e804d6cf25 100644 --- a/nixpkgs/nixos/modules/services/networking/jormungandr.nix +++ b/nixpkgs/nixos/modules/services/networking/jormungandr.nix @@ -82,6 +82,9 @@ in { description = "jormungandr server"; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; + environment = { + RUST_BACKTRACE = "full"; + }; serviceConfig = { DynamicUser = true; StateDirectory = baseNameOf dataDir; diff --git a/nixpkgs/nixos/modules/services/networking/kippo.nix b/nixpkgs/nixos/modules/services/networking/kippo.nix index 7ef989b2a78e..bdea6a1d1caa 100644 --- a/nixpkgs/nixos/modules/services/networking/kippo.nix +++ b/nixpkgs/nixos/modules/services/networking/kippo.nix @@ -11,7 +11,7 @@ with lib; let cfg = config.services.kippo; in -rec { +{ options = { services.kippo = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix b/nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix index 24bf33815da8..d896f227b82c 100644 --- a/nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix +++ b/nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix @@ -50,8 +50,8 @@ in users = mkOption { type = types.attrsOf types.str; example = { - "tg" = "00000000000000000000000000000000"; - "tg2" = "0123456789abcdef0123456789abcdef"; + tg = "00000000000000000000000000000000"; + tg2 = "0123456789abcdef0123456789abcdef"; }; description = '' Allowed users and their secrets. A secret is a 32 characters long hex string. @@ -80,7 +80,7 @@ in type = types.attrs; default = {}; example = { - "STATS_PRINT_PERIOD" = 600; + STATS_PRINT_PERIOD = 600; }; description = '' Extra configuration options for mtprotoproxy. diff --git a/nixpkgs/nixos/modules/services/networking/murmur.nix b/nixpkgs/nixos/modules/services/networking/murmur.nix index 7ac4d0c6419d..082953d2f6ab 100644 --- a/nixpkgs/nixos/modules/services/networking/murmur.nix +++ b/nixpkgs/nixos/modules/services/networking/murmur.nix @@ -234,7 +234,7 @@ in extraConfig = mkOption { type = types.lines; default = ""; - description = "Extra configuration to put into mumur.ini."; + description = "Extra configuration to put into murmur.ini."; }; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/ndppd.nix b/nixpkgs/nixos/modules/services/networking/ndppd.nix index ba17f1ba825a..92088623517f 100644 --- a/nixpkgs/nixos/modules/services/networking/ndppd.nix +++ b/nixpkgs/nixos/modules/services/networking/ndppd.nix @@ -142,7 +142,7 @@ in { messages, and respond to them according to a set of rules. ''; default = {}; - example = { "eth0".rules."1111::/64" = {}; }; + example = { eth0.rules."1111::/64" = {}; }; }; }; @@ -153,7 +153,7 @@ in { '' ]; services.ndppd.proxies = mkIf (cfg.interface != null && cfg.network != null) { - "${cfg.interface}".rules."${cfg.network}" = {}; + ${cfg.interface}.rules.${cfg.network} = {}; }; systemd.services.ndppd = { diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix index 0042a7df8e11..2061c02fffbd 100644 --- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix +++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix @@ -81,9 +81,9 @@ let ''; dispatcherTypesSubdirMap = { - "basic" = ""; - "pre-up" = "pre-up.d/"; - "pre-down" = "pre-down.d/"; + basic = ""; + pre-up = "pre-up.d/"; + pre-down = "pre-down.d/"; }; macAddressOpt = mkOption { @@ -453,7 +453,7 @@ in { systemd.packages = cfg.packages; - systemd.services."NetworkManager" = { + systemd.services.NetworkManager = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; @@ -483,7 +483,7 @@ in { }; }; - systemd.services."NetworkManager-dispatcher" = { + systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; diff --git a/nixpkgs/nixos/modules/services/networking/nsd.nix b/nixpkgs/nixos/modules/services/networking/nsd.nix index c69b77f9deec..bc0966e6b8e6 100644 --- a/nixpkgs/nixos/modules/services/networking/nsd.nix +++ b/nixpkgs/nixos/modules/services/networking/nsd.nix @@ -954,7 +954,7 @@ in ''; }; - systemd.timers."nsd-dnssec" = mkIf dnssec { + systemd.timers.nsd-dnssec = mkIf dnssec { description = "Automatic DNSSEC key rollover"; wantedBy = [ "nsd.service" ]; @@ -965,7 +965,7 @@ in }; }; - systemd.services."nsd-dnssec" = mkIf dnssec { + systemd.services.nsd-dnssec = mkIf dnssec { description = "DNSSEC key rollover"; wantedBy = [ "nsd.service" ]; diff --git a/nixpkgs/nixos/modules/services/networking/quicktun.nix b/nixpkgs/nixos/modules/services/networking/quicktun.nix index 5bcf923f909c..fb783c836464 100644 --- a/nixpkgs/nixos/modules/services/networking/quicktun.nix +++ b/nixpkgs/nixos/modules/services/networking/quicktun.nix @@ -93,18 +93,18 @@ with lib; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; environment = { - "INTERFACE" = name; - "TUN_MODE" = toString qtcfg.tunMode; - "REMOTE_ADDRESS" = qtcfg.remoteAddress; - "LOCAL_ADDRESS" = qtcfg.localAddress; - "LOCAL_PORT" = toString qtcfg.localPort; - "REMOTE_PORT" = toString qtcfg.remotePort; - "REMOTE_FLOAT" = toString qtcfg.remoteFloat; - "PRIVATE_KEY" = qtcfg.privateKey; - "PUBLIC_KEY" = qtcfg.publicKey; - "TIME_WINDOW" = toString qtcfg.timeWindow; - "TUN_UP_SCRIPT" = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; - "SUID" = "nobody"; + INTERFACE = name; + TUN_MODE = toString qtcfg.tunMode; + REMOTE_ADDRESS = qtcfg.remoteAddress; + LOCAL_ADDRESS = qtcfg.localAddress; + LOCAL_PORT = toString qtcfg.localPort; + REMOTE_PORT = toString qtcfg.remotePort; + REMOTE_FLOAT = toString qtcfg.remoteFloat; + PRIVATE_KEY = qtcfg.privateKey; + PUBLIC_KEY = qtcfg.publicKey; + TIME_WINDOW = toString qtcfg.timeWindow; + TUN_UP_SCRIPT = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; + SUID = "nobody"; }; serviceConfig = { Type = "simple"; diff --git a/nixpkgs/nixos/modules/services/networking/smokeping.nix b/nixpkgs/nixos/modules/services/networking/smokeping.nix index 20228ceaaff8..d4d0594a9cdd 100644 --- a/nixpkgs/nixos/modules/services/networking/smokeping.nix +++ b/nixpkgs/nixos/modules/services/networking/smokeping.nix @@ -277,7 +277,7 @@ in ]; security.wrappers = { fping.source = "${pkgs.fping}/bin/fping"; - "fping6".source = "${pkgs.fping}/bin/fping6"; + fping6.source = "${pkgs.fping}/bin/fping6"; }; environment.systemPackages = [ pkgs.fping ]; users.users = singleton { diff --git a/nixpkgs/nixos/modules/services/networking/softether.nix b/nixpkgs/nixos/modules/services/networking/softether.nix index 669c69d832b8..2dc73d81b258 100644 --- a/nixpkgs/nixos/modules/services/networking/softether.nix +++ b/nixpkgs/nixos/modules/services/networking/softether.nix @@ -68,7 +68,7 @@ in mkMerge [{ environment.systemPackages = [ package ]; - systemd.services."softether-init" = { + systemd.services.softether-init = { description = "SoftEther VPN services initial task"; wantedBy = [ "network.target" ]; serviceConfig = { diff --git a/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix b/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix index 95a174122d04..dfdfc50d8ae2 100644 --- a/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix +++ b/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix @@ -63,7 +63,7 @@ rec { StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> ''; - single = f: name: value: { "${name}" = f value; }; + single = f: name: value: { ${name} = f value; }; mkStrParam = mkParamOfType types.str; mkOptionalStrParam = mkStrParam null; diff --git a/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix b/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix index 193ad27f035a..2bbb39a76049 100644 --- a/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix +++ b/nixpkgs/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix @@ -21,7 +21,7 @@ rec { mkConf = indent : ps : concatMapStringsSep "\n" (name: - let value = ps."${name}"; + let value = ps.${name}; indentation = replicate indent " "; in indentation + ( @@ -58,7 +58,7 @@ rec { ) set); # Recursively map over every parameter in the given attribute set. - mapParamsRecursive = mapAttrsRecursiveCond' (as: (!(as ? "_type" && as._type == "param"))); + mapParamsRecursive = mapAttrsRecursiveCond' (as: (!(as ? _type && as._type == "param"))); mapAttrsRecursiveCond' = cond: f: set: let @@ -67,7 +67,7 @@ rec { g = name: value: if isAttrs value && cond value - then { "${name}" = recurse (path ++ [name]) value; } + then { ${name} = recurse (path ++ [name]) value; } else f (path ++ [name]) name value; in mapAttrs'' g set; in recurse [] set; @@ -77,6 +77,6 @@ rec { # Extract the options from the given set of parameters. paramsToOptions = ps : - mapParamsRecursive (_path: name: param: { "${name}" = param.option; }) ps; + mapParamsRecursive (_path: name: param: { ${name} = param.option; }) ps; } diff --git a/nixpkgs/nixos/modules/services/networking/syncplay.nix b/nixpkgs/nixos/modules/services/networking/syncplay.nix new file mode 100644 index 000000000000..e3147c10502c --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/syncplay.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.syncplay; + + cmdArgs = + [ "--port" cfg.port ] + ++ optionals (cfg.salt != null) [ "--salt" cfg.salt ] + ++ optionals (cfg.certDir != null) [ "--tls" cfg.certDir ]; + +in +{ + options = { + services.syncplay = { + enable = mkOption { + type = types.bool; + default = false; + description = "If enabled, start the Syncplay server."; + }; + + port = mkOption { + type = types.int; + default = 8999; + description = '' + TCP port to bind to. + ''; + }; + + salt = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Salt to allow room operator passwords generated by this server + instance to still work when the server is restarted. + ''; + }; + + certDir = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + TLS certificates directory to use for encryption. See + <link xlink:href="https://github.com/Syncplay/syncplay/wiki/TLS-support"/>. + ''; + }; + + user = mkOption { + type = types.str; + default = "nobody"; + description = '' + User to use when running Syncplay. + ''; + }; + + group = mkOption { + type = types.str; + default = "nogroup"; + description = '' + Group to use when running Syncplay. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.syncplay = { + description = "Syncplay Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target "]; + + serviceConfig = { + ExecStart = "${pkgs.syncplay}/bin/syncplay-server ${escapeShellArgs cmdArgs}"; + User = cfg.user; + Group = cfg.group; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix index 126f5b7b527b..165fd5970cf8 100644 --- a/nixpkgs/nixos/modules/services/networking/syncthing.nix +++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix @@ -373,7 +373,7 @@ in { systemd.packages = [ pkgs.syncthing ]; users.users = mkIf (cfg.systemService && cfg.user == defaultUser) { - "${defaultUser}" = + ${defaultUser} = { group = cfg.group; home = cfg.dataDir; createHome = true; @@ -383,7 +383,7 @@ in { }; users.groups = mkIf (cfg.systemService && cfg.group == defaultUser) { - "${defaultUser}".gid = + ${defaultUser}.gid = config.ids.gids.syncthing; }; diff --git a/nixpkgs/nixos/modules/services/networking/websockify.nix b/nixpkgs/nixos/modules/services/networking/websockify.nix index 4b76350ecf8a..d9177df65bd6 100644 --- a/nixpkgs/nixos/modules/services/networking/websockify.nix +++ b/nixpkgs/nixos/modules/services/networking/websockify.nix @@ -44,9 +44,9 @@ let cfg = config.services.networking.websockify; in { scriptArgs = "%i"; }; - systemd.targets."default-websockify" = { + systemd.targets.default-websockify = { description = "Target to start all default websockify@ services"; - unitConfig."X-StopOnReconfiguration" = true; + unitConfig.X-StopOnReconfiguration = true; wants = mapAttrsToList (name: value: "websockify@${name}:${toString value}.service") cfg.portMap; wantedBy = [ "multi-user.target" ]; }; diff --git a/nixpkgs/nixos/modules/services/networking/zerobin.nix b/nixpkgs/nixos/modules/services/networking/zerobin.nix index 06ccd7032e6c..78de246a816f 100644 --- a/nixpkgs/nixos/modules/services/networking/zerobin.nix +++ b/nixpkgs/nixos/modules/services/networking/zerobin.nix @@ -74,7 +74,7 @@ in }; config = mkIf (cfg.enable) { - users.users."${cfg.user}" = + users.users.${cfg.user} = if cfg.user == "zerobin" then { isSystemUser = true; group = cfg.group; @@ -82,7 +82,7 @@ in createHome = true; } else {}; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.services.zerobin = { enable = true; diff --git a/nixpkgs/nixos/modules/services/printing/cupsd.nix b/nixpkgs/nixos/modules/services/printing/cupsd.nix index 42c1b9482cb2..7f1e793b980e 100644 --- a/nixpkgs/nixos/modules/services/printing/cupsd.nix +++ b/nixpkgs/nixos/modules/services/printing/cupsd.nix @@ -287,7 +287,7 @@ in }; environment.systemPackages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; - environment.etc."cups".source = "/var/lib/cups"; + environment.etc.cups.source = "/var/lib/cups"; services.dbus.packages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; diff --git a/nixpkgs/nixos/modules/services/search/kibana.nix b/nixpkgs/nixos/modules/services/search/kibana.nix index c096af731ad4..43a63aa8fdc2 100644 --- a/nixpkgs/nixos/modules/services/search/kibana.nix +++ b/nixpkgs/nixos/modules/services/search/kibana.nix @@ -9,7 +9,7 @@ let lt6_6 = builtins.compareVersions cfg.package.version "6.6" < 0; cfgFile = pkgs.writeText "kibana.json" (builtins.toJSON ( - (filterAttrsRecursive (n: v: v != null) ({ + (filterAttrsRecursive (n: v: v != null && v != []) ({ server.host = cfg.listenAddress; server.port = cfg.port; server.ssl.certificate = cfg.cert; @@ -150,7 +150,7 @@ in { description = "Kibana package to use"; default = pkgs.kibana; defaultText = "pkgs.kibana"; - example = "pkgs.kibana5"; + example = "pkgs.kibana"; type = types.package; }; diff --git a/nixpkgs/nixos/modules/services/security/fprot.nix b/nixpkgs/nixos/modules/services/security/fprot.nix index b1ca4ab23452..474490391463 100644 --- a/nixpkgs/nixos/modules/services/security/fprot.nix +++ b/nixpkgs/nixos/modules/services/security/fprot.nix @@ -67,7 +67,7 @@ in { services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; - systemd.services."fprot-updater" = { + systemd.services.fprot-updater = { serviceConfig = { Type = "oneshot"; RemainAfterExit = false; diff --git a/nixpkgs/nixos/modules/services/security/physlock.nix b/nixpkgs/nixos/modules/services/security/physlock.nix index 97fbd6aae6e0..61bcd84f2e64 100644 --- a/nixpkgs/nixos/modules/services/security/physlock.nix +++ b/nixpkgs/nixos/modules/services/security/physlock.nix @@ -99,7 +99,7 @@ in # for physlock -l and physlock -L environment.systemPackages = [ pkgs.physlock ]; - systemd.services."physlock" = { + systemd.services.physlock = { enable = true; description = "Physlock"; wantedBy = optional cfg.lockOn.suspend "suspend.target" diff --git a/nixpkgs/nixos/modules/services/security/sks.nix b/nixpkgs/nixos/modules/services/security/sks.nix index 1b7a2ad13980..a91060dc659a 100644 --- a/nixpkgs/nixos/modules/services/security/sks.nix +++ b/nixpkgs/nixos/modules/services/security/sks.nix @@ -108,7 +108,7 @@ in { hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ; hkpPort = builtins.toString cfg.hkpPort; in { - "sks-db" = { + sks-db = { description = "SKS database server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/system/dbus.nix b/nixpkgs/nixos/modules/services/system/dbus.nix index e04580218442..936646a5fd78 100644 --- a/nixpkgs/nixos/modules/services/system/dbus.nix +++ b/nixpkgs/nixos/modules/services/system/dbus.nix @@ -44,8 +44,10 @@ in message bus. Specifically, files in the following directories will be included into their respective DBus configuration paths: <filename><replaceable>pkg</replaceable>/etc/dbus-1/system.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/system.d</filename> <filename><replaceable>pkg</replaceable>/share/dbus-1/system-services</filename> <filename><replaceable>pkg</replaceable>/etc/dbus-1/session.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/session.d</filename> <filename><replaceable>pkg</replaceable>/share/dbus-1/services</filename> ''; }; diff --git a/nixpkgs/nixos/modules/services/system/localtime.nix b/nixpkgs/nixos/modules/services/system/localtime.nix index 04595fc82fbb..c3c0b432b494 100644 --- a/nixpkgs/nixos/modules/services/system/localtime.nix +++ b/nixpkgs/nixos/modules/services/system/localtime.nix @@ -22,7 +22,7 @@ in { config = mkIf cfg.enable { services.geoclue2 = { enable = true; - appConfig."localtime" = { + appConfig.localtime = { isAllowed = true; isSystem = true; }; diff --git a/nixpkgs/nixos/modules/services/torrent/deluge.nix b/nixpkgs/nixos/modules/services/torrent/deluge.nix index d8810a4481b1..0c72505395dd 100644 --- a/nixpkgs/nixos/modules/services/torrent/deluge.nix +++ b/nixpkgs/nixos/modules/services/torrent/deluge.nix @@ -178,11 +178,11 @@ in { "d '${cfg.dataDir}/.config' 0770 ${cfg.user} ${cfg.group}" "d '${cfg.dataDir}/.config/deluge' 0770 ${cfg.user} ${cfg.group}" ] - ++ optional (cfg.config ? "download_location") + ++ optional (cfg.config ? download_location) "d '${cfg.config.download_location}' 0770 ${cfg.user} ${cfg.group}" - ++ optional (cfg.config ? "torrentfiles_location") + ++ optional (cfg.config ? torrentfiles_location) "d '${cfg.config.torrentfiles_location}' 0770 ${cfg.user} ${cfg.group}" - ++ optional (cfg.config ? "move_completed_path") + ++ optional (cfg.config ? move_completed_path) "d '${cfg.config.move_completed_path}' 0770 ${cfg.user} ${cfg.group}"; systemd.services.deluged = { diff --git a/nixpkgs/nixos/modules/services/ttys/agetty.nix b/nixpkgs/nixos/modules/services/ttys/agetty.nix index 448b7c59e2ac..47eb3ab8206a 100644 --- a/nixpkgs/nixos/modules/services/ttys/agetty.nix +++ b/nixpkgs/nixos/modules/services/ttys/agetty.nix @@ -114,7 +114,7 @@ in restartIfChanged = false; }; - systemd.services."console-getty" = + systemd.services.console-getty = { serviceConfig.ExecStart = [ "" # override upstream default with an empty ExecStart (gettyCmd "--noclear --keep-baud console 115200,38400,9600 $TERM") diff --git a/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix index cf163271d276..59185fdbd36f 100644 --- a/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -142,12 +142,12 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.tmpfiles.rules = [ "d '${cfg.home}' - ${cfg.user} - - -" diff --git a/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix index 020ca8d89dbb..ceab656b15e8 100644 --- a/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix @@ -110,12 +110,12 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.tmpfiles.rules = [ "d '${cfg.home}' - ${cfg.user} ${cfg.group} - -" diff --git a/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix b/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix index b0019e77ac27..ce04982e8a9e 100644 --- a/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix @@ -148,12 +148,12 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.tmpfiles.rules = [ "d '${cfg.home}' - ${cfg.user} - - -" diff --git a/nixpkgs/nixos/modules/services/web-apps/frab.nix b/nixpkgs/nixos/modules/services/web-apps/frab.nix index e885dc69b3c0..7914e5cc0ee1 100644 --- a/nixpkgs/nixos/modules/services/web-apps/frab.nix +++ b/nixpkgs/nixos/modules/services/web-apps/frab.nix @@ -19,7 +19,7 @@ let RAILS_SERVE_STATIC_FILES = "1"; } // cfg.extraEnvironment; - frab-rake = pkgs.stdenv.mkDerivation rec { + frab-rake = pkgs.stdenv.mkDerivation { name = "frab-rake"; buildInputs = [ package.env pkgs.makeWrapper ]; phases = "installPhase fixupPhase"; diff --git a/nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix b/nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix index 95c8fb160510..195ee76ff4e3 100644 --- a/nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix +++ b/nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix @@ -189,7 +189,7 @@ in { services.nginx = { enable = true; virtualHosts = mkIf (cfg.virtualHost != null) { - "${cfg.virtualHost}" = { + ${cfg.virtualHost} = { root = "${pkgs.icingaweb2}/public"; extraConfig = '' @@ -216,7 +216,7 @@ in { # /etc/icingaweb2 environment.etc = let - doModule = name: optionalAttrs (cfg.modules."${name}".enable) { "icingaweb2/enabledModules/${name}".source = "${pkgs.icingaweb2}/modules/${name}"; }; + doModule = name: optionalAttrs (cfg.modules.${name}.enable) { "icingaweb2/enabledModules/${name}".source = "${pkgs.icingaweb2}/modules/${name}"; }; in {} # Module packages // (mapAttrs' (k: v: nameValuePair "icingaweb2/enabledModules/${k}" { source = v; }) cfg.modulePackages) diff --git a/nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix b/nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix index 167e5e389568..e9c1d4ffe5ea 100644 --- a/nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix +++ b/nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix @@ -58,7 +58,7 @@ in { }; backends = mkOption { - default = { "icinga" = { resource = "icinga_ido"; }; }; + default = { icinga = { resource = "icinga_ido"; }; }; description = "Monitoring backends to define"; type = attrsOf (submodule ({ name, ... }: { options = { diff --git a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix index 2797feb32ebf..68b57a9b90dd 100644 --- a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix @@ -277,7 +277,7 @@ in systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; - users.users."${user}".group = group; + users.users.${user}.group = group; }; } diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix index ada14ad39291..5f5469e48507 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix @@ -102,10 +102,10 @@ in { phpOptions = mkOption { type = types.attrsOf types.str; default = { - "short_open_tag" = "Off"; - "expose_php" = "Off"; - "error_reporting" = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; - "display_errors" = "stderr"; + short_open_tag = "Off"; + expose_php = "Off"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + display_errors = "stderr"; "opcache.enable_cli" = "1"; "opcache.interned_strings_buffer" = "8"; "opcache.max_accelerated_files" = "10000"; @@ -113,7 +113,7 @@ in { "opcache.revalidate_freq" = "1"; "opcache.fast_shutdown" = "1"; "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; - "catch_workers_output" = "yes"; + catch_workers_output = "yes"; }; description = '' Options for PHP's php.ini file for nextcloud. @@ -289,7 +289,7 @@ in { ]; } - { systemd.timers."nextcloud-cron" = { + { systemd.timers.nextcloud-cron = { wantedBy = [ "timers.target" ]; timerConfig.OnBootSec = "5m"; timerConfig.OnUnitActiveSec = "15m"; @@ -297,7 +297,7 @@ in { }; systemd.services = { - "nextcloud-setup" = let + nextcloud-setup = let c = cfg.config; writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]"; overrideConfig = pkgs.writeText "nextcloud-config.php" '' @@ -397,13 +397,13 @@ in { ''; serviceConfig.Type = "oneshot"; }; - "nextcloud-cron" = { + nextcloud-cron = { environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; serviceConfig.Type = "oneshot"; serviceConfig.User = "nextcloud"; serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${pkgs.nextcloud}/cron.php"; }; - "nextcloud-update-plugins" = mkIf cfg.autoUpdateApps.enable { + nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; startAt = cfg.autoUpdateApps.startAt; @@ -441,7 +441,7 @@ in { services.nginx = { enable = true; virtualHosts = { - "${cfg.hostName}" = { + ${cfg.hostName} = { root = pkgs.nextcloud; locations = { "= /robots.txt" = { diff --git a/nixpkgs/nixos/modules/services/web-apps/nexus.nix b/nixpkgs/nixos/modules/services/web-apps/nexus.nix index 052dbed6d4f8..3af97e146d0a 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nexus.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nexus.nix @@ -80,14 +80,14 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; home = cfg.home; createHome = true; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.services.nexus = { description = "Sonatype Nexus3"; diff --git a/nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix b/nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix index 93f69bd12651..ad70ba70bbef 100644 --- a/nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix +++ b/nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix @@ -60,7 +60,7 @@ in services.nginx.virtualHosts = let hkpPort = builtins.toString cfg.hkpPort; in { - "${cfg.hostname}" = { + ${cfg.hostname} = { root = webPkg; locations = { "/pks".extraConfig = '' diff --git a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix index 6a1b4143bc16..11272ed591b8 100644 --- a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix +++ b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix @@ -181,6 +181,7 @@ in services.phpfpm.pools = { "${poolName}" = { inherit (cfg) user group; + phpOptions = '' date.timezone = "CET" @@ -207,7 +208,7 @@ in }; services.nginx.enable = true; - services.nginx.virtualHosts."${cfg.virtualHost.serverName}" = { + services.nginx.virtualHosts.${cfg.virtualHost.serverName} = { listen = [ { addr = cfg.virtualHost.listenHost; port = cfg.virtualHost.listenPort; } ]; serverName = cfg.virtualHost.serverName; root = runDir; diff --git a/nixpkgs/nixos/modules/services/web-apps/selfoss.nix b/nixpkgs/nixos/modules/services/web-apps/selfoss.nix index 56b7cafffe8b..d693c401565f 100644 --- a/nixpkgs/nixos/modules/services/web-apps/selfoss.nix +++ b/nixpkgs/nixos/modules/services/web-apps/selfoss.nix @@ -114,7 +114,6 @@ in }; config = mkIf cfg.enable { - services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { "${poolName}" = { user = "nginx"; diff --git a/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix b/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix index 59b0ee1addc6..4daf3ff9f991 100644 --- a/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix @@ -541,7 +541,7 @@ let services.nginx = mkIf (cfg.virtualHost != null) { enable = true; virtualHosts = { - "${cfg.virtualHost}" = { + ${cfg.virtualHost} = { root = "${cfg.root}"; locations."/" = { diff --git a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix index 98dc84588189..884754370587 100644 --- a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix +++ b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix @@ -133,7 +133,7 @@ let ''; }; - database = rec { + database = { host = mkOption { type = types.str; default = "localhost"; diff --git a/nixpkgs/nixos/modules/services/web-apps/zabbix.nix b/nixpkgs/nixos/modules/services/web-apps/zabbix.nix index fa358ffafbc3..dac243b20e97 100644 --- a/nixpkgs/nixos/modules/services/web-apps/zabbix.nix +++ b/nixpkgs/nixos/modules/services/web-apps/zabbix.nix @@ -16,7 +16,7 @@ let <?php // Zabbix GUI configuration file. global $DB; - $DB['TYPE'] = '${ { "mysql" = "MYSQL"; "pgsql" = "POSTGRESQL"; "oracle" = "ORACLE"; }.${cfg.database.type} }'; + $DB['TYPE'] = '${ { mysql = "MYSQL"; pgsql = "POSTGRESQL"; oracle = "ORACLE"; }.${cfg.database.type} }'; $DB['SERVER'] = '${cfg.database.host}'; $DB['PORT'] = '${toString cfg.database.port}'; $DB['DATABASE'] = '${cfg.database.name}'; diff --git a/nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix b/nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix index 80870118c334..d6649fd472d9 100644 --- a/nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix +++ b/nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix @@ -67,7 +67,7 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig = { DynamicUser = true; - ExecStart = "${cfg.package}/bin/darkhttpd ${args}"; + ExecStart = "${pkgs.darkhttpd}/bin/darkhttpd ${args}"; AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; Restart = "on-failure"; RestartSec = "2s"; diff --git a/nixpkgs/nixos/modules/services/x11/clight.nix b/nixpkgs/nixos/modules/services/x11/clight.nix index 6ec395bb05ec..4daf6d8d9db7 100644 --- a/nixpkgs/nixos/modules/services/x11/clight.nix +++ b/nixpkgs/nixos/modules/services/x11/clight.nix @@ -75,7 +75,7 @@ in { longitude = mkDefault config.location.longitude; }); - services.geoclue2.appConfig."clightc" = { + services.geoclue2.appConfig.clightc = { isAllowed = true; isSystem = true; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 527e4b18045b..9914b6687090 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -31,7 +31,7 @@ in e.efl e.enlightenment e.terminology e.econnman pkgs.xorg.xauth # used by kdesu - pkgs.gtk2 # To get GTK+'s themes. + pkgs.gtk2 # To get GTK's themes. pkgs.tango-icon-theme pkgs.gnome2.gnome_icon_theme @@ -48,7 +48,7 @@ in services.xserver.desktopManager.session = [ { name = "Enlightenment"; start = '' - # Set GTK_DATA_PREFIX so that GTK+ can find the themes + # Set GTK_DATA_PREFIX so that GTK can find the themes export GTK_DATA_PREFIX=${config.system.path} # find theme engines export GTK_PATH=${config.system.path}/lib/gtk-3.0:${config.system.path}/lib/gtk-2.0 diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix index 6f344f4121ba..a21d22261ba3 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -227,16 +227,16 @@ in (mkIf serviceCfg.core-shell.enable { services.colord.enable = mkDefault true; + services.gnome3.chrome-gnome-shell.enable = mkDefault true; services.gnome3.glib-networking.enable = true; services.gnome3.gnome-remote-desktop.enable = mkDefault true; services.gnome3.gnome-settings-daemon.enable = true; services.gnome3.gnome-user-share.enable = mkDefault true; services.gnome3.rygel.enable = mkDefault true; services.gvfs.enable = true; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.telepathy.enable = mkDefault true; systemd.packages = [ pkgs.gnome3.vino ]; - services.dbus.packages = - optional config.services.printing.enable pkgs.system-config-printer; services.avahi.enable = mkDefault true; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix index e1084b0053cc..d7a871c9c704 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix @@ -48,7 +48,7 @@ in name = "mate"; bgSupport = true; start = '' - # Set GTK_DATA_PREFIX so that GTK+ can find the themes + # Set GTK_DATA_PREFIX so that GTK can find the themes export GTK_DATA_PREFIX=${config.system.path} # Find theme engines @@ -98,6 +98,9 @@ in programs.bash.vteIntegration = mkDefault true; programs.zsh.vteIntegration = mkDefault true; + # Mate uses this for printing + programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.gnome3.at-spi2-core.enable = true; services.gnome3.gnome-keyring.enable = true; services.gnome3.gnome-settings-daemon.enable = true; @@ -105,7 +108,7 @@ in services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; - security.pam.services."mate-screensaver".unixAuth = true; + security.pam.services.mate-screensaver.unixAuth = true; environment.pathsToLink = [ "/share" ]; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix index 5b82cb1f0262..e313a194c345 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -113,9 +113,9 @@ in services.colord.enable = mkDefault true; services.pantheon.files.enable = mkDefault true; services.tumbler.enable = mkDefault true; - services.dbus.packages = mkMerge [ - ([ pkgs.pantheon.switchboard-plug-power ]) - (mkIf config.services.printing.enable ([pkgs.system-config-printer]) ) + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.dbus.packages = [ + pkgs.pantheon.switchboard-plug-power ]; services.pantheon.contractor.enable = mkDefault true; services.gnome3.at-spi2-core.enable = true; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix index 94a307ae1007..b10755df4dc2 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -72,7 +72,7 @@ in security.wrappers = { kcheckpass.source = "${lib.getBin plasma5.kscreenlocker}/libexec/kcheckpass"; - "start_kdeinit".source = "${lib.getBin pkgs.kinit}/libexec/kf5/start_kdeinit"; + start_kdeinit.source = "${lib.getBin pkgs.kinit}/libexec/kf5/start_kdeinit"; kwin_wayland = { source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; capabilities = "cap_sys_nice+ep"; @@ -210,8 +210,8 @@ in # Enable helpful DBus services. services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; - services.dbus.packages = - mkIf config.services.printing.enable [ pkgs.system-config-printer ]; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.xserver.libinput.enable = mkDefault true; # Extra UDEV rules used by Solid services.udev.packages = [ diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix index 1102f73d1ac3..e3249aef50c7 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -48,7 +48,7 @@ in config = mkIf cfg.enable { environment.systemPackages = with pkgs.xfce // pkgs; [ - # Get GTK+ themes and gtk-update-icon-cache + # Get GTK themes and gtk-update-icon-cache gtk2.out # Supplies some abstract icons such as: @@ -107,10 +107,10 @@ in start = '' ${cfg.extraSessionCommands} - # Set GTK_PATH so that GTK+ can find the theme engines. + # Set GTK_PATH so that GTK can find the theme engines. export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0" - # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes. + # Set GTK_DATA_PREFIX so that GTK can find the Xfce themes. export GTK_DATA_PREFIX=${config.system.path} ${pkgs.runtimeShell} ${pkgs.xfce.xinitrc} & diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix index 16329c093f98..57d1268d655a 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix @@ -114,10 +114,10 @@ in name = "xfce4-14"; bgSupport = true; start = '' - # Set GTK_PATH so that GTK+ can find the theme engines. + # Set GTK_PATH so that GTK can find the theme engines. export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0" - # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes. + # Set GTK_DATA_PREFIX so that GTK can find the Xfce themes. export GTK_DATA_PREFIX=${config.system.path} ${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} & @@ -137,8 +137,7 @@ in services.gvfs.enable = true; services.gvfs.package = pkgs.xfce.gvfs; services.tumbler.enable = true; - services.dbus.packages = - optional config.services.printing.enable pkgs.system-config-printer; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager # Enable default programs diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix index 9aed255f878a..c26a5b615353 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix @@ -6,7 +6,7 @@ let xcfg = config.services.xserver; dmcfg = xcfg.displayManager; - xEnv = config.systemd.services."display-manager".environment; + xEnv = config.systemd.services.display-manager.environment; cfg = dmcfg.lightdm; dmDefault = xcfg.desktopManager.default; @@ -232,36 +232,41 @@ in # Enable the accounts daemon to find lightdm's dbus interface environment.systemPackages = [ lightdm ]; - security.pam.services.lightdm = { - allowNullPassword = true; - startSession = true; - }; - security.pam.services.lightdm-greeter = { - allowNullPassword = true; - startSession = true; - text = '' - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - auth required pam_permit.so + security.pam.services.lightdm.text = '' + auth substack login + account include login + password substack login + session include login + ''; - account required pam_permit.so + security.pam.services.lightdm-greeter.text = '' + auth required pam_succeed_if.so audit quiet_success user = lightdm + auth optional pam_permit.so - password required pam_deny.so + account required pam_succeed_if.so audit quiet_success user = lightdm + account sufficient pam_unix.so + + password required pam_deny.so + + session required pam_succeed_if.so audit quiet_success user = lightdm + session required pam_env.so envfile=${config.system.build.pamEnvironment} + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional pam_keyinit.so force revoke + session optional pam_permit.so + ''; - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - ''; - }; security.pam.services.lightdm-autologin.text = '' - auth requisite pam_nologin.so - auth required pam_succeed_if.so uid >= 1000 quiet - auth required pam_permit.so + auth requisite pam_nologin.so + + auth required pam_succeed_if.so uid >= 1000 quiet + auth required pam_permit.so - account include lightdm + account sufficient pam_unix.so - password include lightdm + password requisite pam_unix.so nullok sha512 - session include lightdm + session optional pam_keyinit.so revoke + session include login ''; users.users.lightdm = { diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix index d1ed345ac579..c6cb281c2cc2 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix @@ -7,7 +7,7 @@ let xcfg = config.services.xserver; dmcfg = xcfg.displayManager; cfg = dmcfg.sddm; - xEnv = config.systemd.services."display-manager".environment; + xEnv = config.systemd.services.display-manager.environment; inherit (pkgs) sddm; diff --git a/nixpkgs/nixos/modules/services/x11/hardware/cmt.nix b/nixpkgs/nixos/modules/services/x11/hardware/cmt.nix new file mode 100644 index 000000000000..95353e92098e --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/hardware/cmt.nix @@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + +cfg = config.services.xserver.cmt; +etcPath = "X11/xorg.conf.d"; + +in { + + options = { + + services.xserver.cmt = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable chrome multitouch input (cmt). Touchpad drivers that are configured for chromebooks."; + }; + models = mkOption { + type = types.enum [ "atlas" "banjo" "candy" "caroline" "cave" "celes" "clapper" "cyan" "daisy" "elan" "elm" "enguarde" "eve" "expresso" "falco" "gandof" "glimmer" "gnawty" "heli" "kevin" "kip" "leon" "lulu" "orco" "pbody" "peppy" "pi" "pit" "puppy" "quawks" "rambi" "samus" "snappy" "spring" "squawks" "swanky" "winky" "wolf" "auron_paine" "auron_yuna" "daisy_skate" "nyan_big" "nyan_blaze" "veyron_jaq" "veyron_jerry" "veyron_mighty" "veyron_minnie" "veyron_speedy" ]; + example = "banjo"; + description = '' + Which models to enable cmt for. Enter the Code Name for your Chromebook. + Code Name can be found at <link xlink:href="https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices" />. + ''; + }; + }; #closes services + }; #closes options + + config = mkIf cfg.enable { + + services.xserver.modules = [ pkgs.xf86_input_cmt ]; + + environment.etc = { + "${etcPath}/40-touchpad-cmt.conf" = { + source = "${pkgs.chromium-xorg-conf}/40-touchpad-cmt.conf"; + }; + "${etcPath}/50-touchpad-cmt-${cfg.models}.conf" = { + source = "${pkgs.chromium-xorg-conf}/50-touchpad-cmt-${cfg.models}.conf"; + }; + "${etcPath}/60-touchpad-cmt-${cfg.models}.conf" = { + source = "${pkgs.chromium-xorg-conf}/60-touchpad-cmt-${cfg.models}.conf"; + }; + }; + + assertions = [ + { + assertion = !config.services.xserver.libinput.enable; + message = "cmt and libinput are incompatible, you cannot enable both (in services.xserver)."; + } + ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix b/nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix index e39a56528e82..22af869f1f8a 100644 --- a/nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix +++ b/nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix @@ -167,7 +167,7 @@ in { services.xserver.modules = [ pkg.out ]; - environment.etc."${etcFile}".source = + environment.etc.${etcFile}.source = "${pkg.out}/share/X11/xorg.conf.d/70-synaptics.conf"; environment.systemPackages = [ pkg ]; diff --git a/nixpkgs/nixos/modules/services/x11/redshift.nix b/nixpkgs/nixos/modules/services/x11/redshift.nix index 55f8f75021bc..6ddb4c83764a 100644 --- a/nixpkgs/nixos/modules/services/x11/redshift.nix +++ b/nixpkgs/nixos/modules/services/x11/redshift.nix @@ -81,7 +81,7 @@ in { # needed so that .desktop files are installed, which geoclue cares about environment.systemPackages = [ cfg.package ]; - services.geoclue2.appConfig."redshift" = { + services.geoclue2.appConfig.redshift = { isAllowed = true; isSystem = true; }; diff --git a/nixpkgs/nixos/modules/services/x11/xautolock.nix b/nixpkgs/nixos/modules/services/x11/xautolock.nix index 10eef8aefbcd..3e03131ca114 100644 --- a/nixpkgs/nixos/modules/services/x11/xautolock.nix +++ b/nixpkgs/nixos/modules/services/x11/xautolock.nix @@ -132,7 +132,7 @@ in ] ++ (lib.forEach [ "locker" "notifier" "nowlocker" "killer" ] (option: { - assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/"; + assertion = cfg.${option} != null -> builtins.substring 0 1 cfg.${option} == "/"; message = "Please specify a canonical path for `services.xserver.xautolock.${option}`"; }) ); diff --git a/nixpkgs/nixos/modules/system/boot/kernel.nix b/nixpkgs/nixos/modules/system/boot/kernel.nix index baa8c602a99e..50dbf2f83651 100644 --- a/nixpkgs/nixos/modules/system/boot/kernel.nix +++ b/nixpkgs/nixos/modules/system/boot/kernel.nix @@ -261,7 +261,7 @@ in source = kernelModulesConf; }; - systemd.services."systemd-modules-load" = + systemd.services.systemd-modules-load = { wantedBy = [ "multi-user.target" ]; restartTriggers = [ kernelModulesConf ]; serviceConfig = diff --git a/nixpkgs/nixos/modules/system/boot/kexec.nix b/nixpkgs/nixos/modules/system/boot/kexec.nix index fd2cb94b756b..27a8e0217c55 100644 --- a/nixpkgs/nixos/modules/system/boot/kexec.nix +++ b/nixpkgs/nixos/modules/system/boot/kexec.nix @@ -4,7 +4,7 @@ config = lib.mkIf (lib.any (lib.meta.platformMatch pkgs.stdenv.hostPlatform) pkgs.kexectools.meta.platforms) { environment.systemPackages = [ pkgs.kexectools ]; - systemd.services."prepare-kexec" = + systemd.services.prepare-kexec = { description = "Preparation for kexec"; wantedBy = [ "kexec.target" ]; before = [ "systemd-kexec.service" ]; diff --git a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix index d8f347a54d6c..e13f0421d38f 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix @@ -72,7 +72,7 @@ let else "${convertedFont}"); }); - bootDeviceCounters = fold (device: attr: attr // { "${device}" = (attr."${device}" or 0) + 1; }) {} + bootDeviceCounters = fold (device: attr: attr // { ${device} = (attr.${device} or 0) + 1; }) {} (concatMap (args: args.devices) cfg.mirroredBoots); convertedFont = (pkgs.runCommand "grub-font-converted.pf2" {} diff --git a/nixpkgs/nixos/modules/system/boot/luksroot.nix b/nixpkgs/nixos/modules/system/boot/luksroot.nix index b5c8d5241a3d..a4029d766b05 100644 --- a/nixpkgs/nixos/modules/system/boot/luksroot.nix +++ b/nixpkgs/nixos/modules/system/boot/luksroot.nix @@ -476,7 +476,7 @@ in boot.initrd.luks.devices = mkOption { default = { }; - example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; + example = { luksroot.device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; description = '' The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM diff --git a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix index 34a34091a7dc..db6e06b41072 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix @@ -117,7 +117,7 @@ in { environment.etc."systemd/nspawn".source = generateUnits "nspawn" units [] []; - systemd.targets."multi-user".wants = [ "machines.target" ]; + systemd.targets.multi-user.wants = [ "machines.target" ]; }; } diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix index a79513850624..2287a82418fe 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd.nix @@ -328,7 +328,7 @@ let [Service] ${let env = cfg.globalEnvironment // def.environment; in concatMapStrings (n: - let s = optionalString (env."${n}" != null) + let s = optionalString (env.${n} != null) "Environment=${builtins.toJSON "${n}=${env.${n}}"}\n"; # systemd max line length is now 1MiB # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af @@ -496,7 +496,7 @@ in systemd.generators = mkOption { type = types.attrsOf types.path; default = {}; - example = { "systemd-gpt-auto-generator" = "/dev/null"; }; + example = { systemd-gpt-auto-generator = "/dev/null"; }; description = '' Definition of systemd generators. For each <literal>NAME = VALUE</literal> pair of the attrSet, a link is generated from diff --git a/nixpkgs/nixos/modules/tasks/filesystems.nix b/nixpkgs/nixos/modules/tasks/filesystems.nix index 43764bb82f1f..688c77cb22d1 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems.nix @@ -12,7 +12,7 @@ let fileSystems' = toposort fsBefore (attrValues config.fileSystems); - fileSystems = if fileSystems' ? "result" + fileSystems = if fileSystems' ? result then # use topologically sorted fileSystems everywhere fileSystems'.result else # the assertion below will catch this, @@ -211,7 +211,7 @@ in ls = sep: concatMapStringsSep sep (x: x.mountPoint); notAutoResizable = fs: fs.autoResize && !(hasPrefix "ext" fs.fsType || fs.fsType == "f2fs"); in [ - { assertion = ! (fileSystems' ? "cycle"); + { assertion = ! (fileSystems' ? cycle); message = "The ‘fileSystems’ option can't be topologically sorted: mountpoint dependency path ${ls " -> " fileSystems'.cycle} loops to ${ls ", " fileSystems'.loops}"; } { assertion = ! (any notAutoResizable fileSystems); diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix index ac06b6caee30..2ed8c5aa2927 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix @@ -469,7 +469,7 @@ in map createSyncService allPools ++ map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]); - systemd.targets."zfs-import" = + systemd.targets.zfs-import = let services = map (pool: "zfs-import-${pool}.service") dataPools; in @@ -479,7 +479,7 @@ in wantedBy = [ "zfs.target" ]; }; - systemd.targets."zfs".wantedBy = [ "multi-user.target" ]; + systemd.targets.zfs.wantedBy = [ "multi-user.target" ]; }) (mkIf enableAutoSnapshots { diff --git a/nixpkgs/nixos/modules/tasks/kbd.nix b/nixpkgs/nixos/modules/tasks/kbd.nix index 6d34f897d189..c6ba998b19e6 100644 --- a/nixpkgs/nixos/modules/tasks/kbd.nix +++ b/nixpkgs/nixos/modules/tasks/kbd.nix @@ -73,7 +73,7 @@ in config = mkMerge [ (mkIf (!setVconsole) { - systemd.services."systemd-vconsole-setup".enable = false; + systemd.services.systemd-vconsole-setup.enable = false; }) (mkIf setVconsole (mkMerge [ @@ -83,7 +83,7 @@ in # virtual consoles. environment.etc."vconsole.conf".source = vconsoleConf; # Provide kbd with additional packages. - environment.etc."kbd".source = "${kbdEnv}/share"; + environment.etc.kbd.source = "${kbdEnv}/share"; boot.initrd.preLVMCommands = mkBefore '' kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console @@ -99,7 +99,7 @@ in '') config.i18n.consoleColors} ''; - systemd.services."systemd-vconsole-setup" = + systemd.services.systemd-vconsole-setup = { before = [ "display-manager.service" ]; after = [ "systemd-udev-settle.service" ]; restartTriggers = [ vconsoleConf kbdEnv ]; diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix index 2b8a7944dc36..1726d05115ea 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix @@ -498,8 +498,8 @@ let // mapAttrs' createSitDevice cfg.sits // mapAttrs' createVlanDevice cfg.vlans // { - "network-setup" = networkSetup; - "network-local-commands" = networkLocalCommands; + network-setup = networkSetup; + network-local-commands = networkLocalCommands; }; services.udev.extraRules = diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix index fbca54978e5b..f5a593211efc 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix @@ -160,14 +160,14 @@ in (mapAttrsToList (k: _: k) do); ""; # get those driverOptions that have been set filterSystemdOptions = filterAttrs (sysDOpt: kOpts: - any (kOpt: do ? "${kOpt}") kOpts.optNames); + any (kOpt: do ? ${kOpt}) kOpts.optNames); # build final set of systemd options to bond values buildOptionSet = mapAttrs (_: kOpts: with kOpts; # we simply take the first set kernel bond option # (one option has multiple names, which is silly) - head (map (optN: valTransform (do."${optN}")) + head (map (optN: valTransform (do.${optN})) # only map those that exist - (filter (o: do ? "${o}") optNames))); + (filter (o: do ? ${o}) optNames))); in seq assertNoUnknownOption (buildOptionSet (filterSystemdOptions driverOptionMapping)); diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces.nix b/nixpkgs/nixos/modules/tasks/network-interfaces.nix index 16dde9175150..5bf7b0d227f0 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces.nix @@ -799,19 +799,19 @@ in networking.wlanInterfaces = mkOption { default = { }; example = literalExample { - "wlan-station0" = { + wlan-station0 = { device = "wlp6s0"; }; - "wlan-adhoc0" = { + wlan-adhoc0 = { type = "ibss"; device = "wlp6s0"; mac = "02:00:00:00:00:01"; }; - "wlan-p2p0" = { + wlan-p2p0 = { device = "wlp6s0"; mac = "02:00:00:00:00:02"; }; - "wlan-ap0" = { + wlan-ap0 = { device = "wlp6s0"; mac = "02:00:00:00:00:03"; }; @@ -994,7 +994,7 @@ in domainname "${cfg.domain}" ''; - environment.etc."hostid" = mkIf (cfg.hostId != null) + environment.etc.hostid = mkIf (cfg.hostId != null) { source = pkgs.runCommand "gen-hostid" { preferLocalBuild = true; } '' hi="${cfg.hostId}" ${if pkgs.stdenv.isBigEndian then '' @@ -1007,7 +1007,7 @@ in # static hostname configuration needed for hostnamectl and the # org.freedesktop.hostname1 dbus service (both provided by systemd) - environment.etc."hostname" = mkIf (cfg.hostName != "") + environment.etc.hostname = mkIf (cfg.hostName != "") { text = cfg.hostName + "\n"; }; @@ -1027,7 +1027,7 @@ in # The network-interfaces target is kept for backwards compatibility. # New modules must NOT use it. - systemd.targets."network-interfaces" = + systemd.targets.network-interfaces = { description = "All Network Interfaces (deprecated)"; wantedBy = [ "network.target" ]; before = [ "network.target" ]; @@ -1162,13 +1162,13 @@ in in flip (concatMapStringsSep "\n") (attrNames wlanDeviceInterfaces) (device: let - interfaces = wlanListDeviceFirst device wlanDeviceInterfaces."${device}"; + interfaces = wlanListDeviceFirst device wlanDeviceInterfaces.${device}; curInterface = elemAt interfaces 0; newInterfaces = drop 1 interfaces; in '' # It is important to have that rule first as overwriting the NAME attribute also prevents the # next rules from matching. - ${flip (concatMapStringsSep "\n") (wlanListDeviceFirst device wlanDeviceInterfaces."${device}") (interface: + ${flip (concatMapStringsSep "\n") (wlanListDeviceFirst device wlanDeviceInterfaces.${device}) (interface: ''ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", ENV{INTERFACE}=="${interface._iName}", ${systemdAttrs interface._iName}, RUN+="${newInterfaceScript device interface}"'')} # Add the required, new WLAN interfaces to the default WLAN interface with the diff --git a/nixpkgs/nixos/modules/virtualisation/amazon-image.nix b/nixpkgs/nixos/modules/virtualisation/amazon-image.nix index 0c4ad90b4eb6..aadfc5add350 100644 --- a/nixpkgs/nixos/modules/virtualisation/amazon-image.nix +++ b/nixpkgs/nixos/modules/virtualisation/amazon-image.nix @@ -25,6 +25,9 @@ in { assertion = cfg.hvm; message = "Paravirtualized EC2 instances are no longer supported."; } + { assertion = cfg.efi -> cfg.hvm; + message = "EC2 instances using EFI must be HVM instances."; + } ]; boot.growPartition = cfg.hvm; @@ -35,6 +38,11 @@ in autoResize = true; }; + fileSystems."/boot" = mkIf cfg.efi { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; + boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; @@ -50,8 +58,10 @@ in # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. boot.loader.grub.version = if cfg.hvm then 2 else 1; - boot.loader.grub.device = if cfg.hvm then "/dev/xvda" else "nodev"; + boot.loader.grub.device = if (cfg.hvm && !cfg.efi) then "/dev/xvda" else "nodev"; boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)"; + boot.loader.grub.efiSupport = cfg.efi; + boot.loader.grub.efiInstallAsRemovable = cfg.efi; boot.loader.timeout = 0; boot.initrd.network.enable = true; @@ -137,7 +147,7 @@ in networking.timeServers = [ "169.254.169.123" ]; # udisks has become too bloated to have in a headless system - # (e.g. it depends on GTK+). + # (e.g. it depends on GTK). services.udisks2.enable = false; }; } diff --git a/nixpkgs/nixos/modules/virtualisation/amazon-options.nix b/nixpkgs/nixos/modules/virtualisation/amazon-options.nix index 15de8638bbab..2e807131e938 100644 --- a/nixpkgs/nixos/modules/virtualisation/amazon-options.nix +++ b/nixpkgs/nixos/modules/virtualisation/amazon-options.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: { options = { ec2 = { @@ -9,6 +9,13 @@ Whether the EC2 instance is a HVM instance. ''; }; + efi = lib.mkOption { + default = pkgs.stdenv.hostPlatform.isAarch64; + internal = true; + description = '' + Whether the EC2 instance is using EFI. + ''; + }; }; }; } diff --git a/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix b/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix index e716982c510a..d0efbcc808aa 100644 --- a/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix @@ -111,7 +111,7 @@ in # Always include cryptsetup so that NixOps can use it. environment.systemPackages = [ pkgs.cryptsetup ]; - systemd.services."fetch-ec2-data" = + systemd.services.fetch-ec2-data = { description = "Fetch EC2 Data"; wantedBy = [ "multi-user.target" "sshd.service" ]; diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix index 0c0d8551e4aa..9c9f8fc0c215 100644 --- a/nixpkgs/nixos/modules/virtualisation/containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/containers.nix @@ -729,7 +729,7 @@ in serviceConfig = serviceDirectives dummyConfig; }; in { - systemd.targets."multi-user".wants = [ "machines.target" ]; + systemd.targets.multi-user.wants = [ "machines.target" ]; systemd.services = listToAttrs (filter (x: x.value != null) ( # The generic container template used by imperative containers diff --git a/nixpkgs/nixos/modules/virtualisation/ec2-data.nix b/nixpkgs/nixos/modules/virtualisation/ec2-data.nix index db3dd9949c12..82451787e8a1 100644 --- a/nixpkgs/nixos/modules/virtualisation/ec2-data.nix +++ b/nixpkgs/nixos/modules/virtualisation/ec2-data.nix @@ -64,7 +64,7 @@ with lib; serviceConfig.RemainAfterExit = true; }; - systemd.services."print-host-key" = + systemd.services.print-host-key = { description = "Print SSH Host Key"; wantedBy = [ "multi-user.target" ]; after = [ "sshd.service" ]; diff --git a/nixpkgs/nixos/modules/virtualisation/kvmgt.nix b/nixpkgs/nixos/modules/virtualisation/kvmgt.nix index 78753da55328..36ef6d17df69 100644 --- a/nixpkgs/nixos/modules/virtualisation/kvmgt.nix +++ b/nixpkgs/nixos/modules/virtualisation/kvmgt.nix @@ -35,7 +35,7 @@ in { and find info about device via <command>cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description</command> ''; example = { - "i915-GVTg_V5_8" = { + i915-GVTg_V5_8 = { uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525"; }; }; diff --git a/nixpkgs/nixos/modules/virtualisation/railcar.nix b/nixpkgs/nixos/modules/virtualisation/railcar.nix new file mode 100644 index 000000000000..12da1c75fc38 --- /dev/null +++ b/nixpkgs/nixos/modules/virtualisation/railcar.nix @@ -0,0 +1,125 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.railcar; + generateUnit = name: containerConfig: + let + container = pkgs.ociTools.buildContainer { + args = [ + (pkgs.writeShellScript "run.sh" containerConfig.cmd).outPath + ]; + }; + in + nameValuePair "railcar-${name}" { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/railcar -r ${cfg.stateDir} run ${name} -b ${container} + ''; + Type = containerConfig.runType; + }; + }; + mount = with types; (submodule { + options = { + type = mkOption { + type = str; + default = "none"; + description = '' + The type of the filesystem to be mounted. + Linux: filesystem types supported by the kernel as listed in + `/proc/filesystems` (e.g., "minix", "ext2", "ext3", "jfs", "xfs", + "reiserfs", "msdos", "proc", "nfs", "iso9660"). For bind mounts + (when options include either bind or rbind), the type is a dummy, + often "none" (not listed in /proc/filesystems). + ''; + }; + source = mkOption { + type = str; + description = "Source for the in-container mount"; + }; + options = mkOption { + type = loaOf (str); + default = [ "bind" ]; + description = '' + Mount options of the filesystem to be used. + + Support optoions are listed in the mount(8) man page. Note that + both filesystem-independent and filesystem-specific options + are listed. + ''; + }; + }; + }); +in +{ + options.services.railcar = { + enable = mkEnableOption "railcar"; + + containers = mkOption { + default = {}; + description = "Declarative container configuration"; + type = with types; loaOf (submodule ({ name, config, ... }: { + options = { + cmd = mkOption { + type = types.lines; + description = "Command or script to run inside the container"; + }; + + mounts = mkOption { + type = with types; attrsOf mount; + default = {}; + description = '' + A set of mounts inside the container. + + The defaults have been chosen for simple bindmounts, meaning + that you only need to provide the "source" parameter. + ''; + example = '' + { "/data" = { source = "/var/lib/data"; }; } + ''; + }; + + runType = mkOption { + type = types.str; + default = "oneshot"; + description = "The systemd service run type"; + }; + + os = mkOption { + type = types.str; + default = "linux"; + description = "OS type of the container"; + }; + + arch = mkOption { + type = types.str; + default = "x86_64"; + description = "Computer architecture type of the container"; + }; + }; + })); + }; + + stateDir = mkOption { + type = types.path; + default = ''/var/railcar''; + description = "Railcar persistent state directory"; + }; + + package = mkOption { + type = types.package; + default = pkgs.railcar; + description = "Railcar package to use"; + }; + }; + + config = mkIf cfg.enable { + systemd.services = flip mapAttrs' cfg.containers (name: containerConfig: + generateUnit name containerConfig + ); + }; +} + diff --git a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix index 41bcb909fb5c..6081d4153a6c 100644 --- a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix @@ -122,7 +122,7 @@ in # Since we lack the right setuid/setcap binaries, set up a host-only network by default. } (mkIf cfg.addNetworkInterface { - systemd.services."vboxnet0" = + systemd.services.vboxnet0 = { description = "VirtualBox vboxnet0 Interface"; requires = [ "dev-vboxnetctl.device" ]; after = [ "dev-vboxnetctl.device" ]; diff --git a/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix b/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix index d18778f81588..f418f849759f 100644 --- a/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix @@ -33,7 +33,7 @@ in serviceConfig.ExecStart = "${open-vm-tools}/bin/vmtoolsd"; }; - environment.etc."vmware-tools".source = "${open-vm-tools}/etc/vmware-tools/*"; + environment.etc.vmware-tools.source = "${open-vm-tools}/etc/vmware-tools/*"; services.xserver = mkIf (!cfg.headless) { videoDrivers = mkOverride 50 [ "vmware" ]; diff --git a/nixpkgs/nixos/release.nix b/nixpkgs/nixos/release.nix index df2c52ccd0b6..c7c609658909 100644 --- a/nixpkgs/nixos/release.nix +++ b/nixpkgs/nixos/release.nix @@ -196,6 +196,22 @@ in rec { ); + # A disk image that can be imported to Amazon EC2 and registered as an AMI + amazonImage = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: + + with import nixpkgs { inherit system; }; + + hydraJob ((import lib/eval-config.nix { + inherit system; + modules = + [ versionModule + ./maintainers/scripts/ec2/amazon-image.nix + ]; + }).config.system.build.amazonImage) + + ); + + # Ensure that all packages used by the minimal NixOS config end up in the channel. dummy = forAllSystems (system: pkgs.runCommand "dummy" { toplevel = (import lib/eval-config.nix { diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index 8ee4dfbf13bc..5eb8111aa6d3 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -224,7 +224,6 @@ in predictable-interface-names = handleTest ./predictable-interface-names.nix {}; printing = handleTest ./printing.nix {}; prometheus = handleTest ./prometheus.nix {}; - prometheus2 = handleTest ./prometheus-2.nix {}; prometheus-exporters = handleTest ./prometheus-exporters.nix {}; prosody = handleTest ./xmpp/prosody.nix {}; prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {}; diff --git a/nixpkgs/nixos/tests/beegfs.nix b/nixpkgs/nixos/tests/beegfs.nix index 9c241fd2301a..3465272f5599 100644 --- a/nixpkgs/nixos/tests/beegfs.nix +++ b/nixpkgs/nixos/tests/beegfs.nix @@ -23,7 +23,7 @@ let } ]; - environment.etc."${connAuthFile}" = { + environment.etc.${connAuthFile} = { enable = true; text = "ThisIsALousySecret"; mode = "0600"; @@ -47,7 +47,7 @@ let ]; environment.systemPackages = with pkgs; [ beegfs ]; - environment.etc."${connAuthFile}" = { + environment.etc.${connAuthFile} = { enable = true; text = "ThisIsALousySecret"; mode = "0600"; @@ -57,7 +57,7 @@ let services.beegfs.default = { mgmtdHost = "mgmt"; connAuthFile = "/etc/${connAuthFile}"; - "${service}" = { + ${service} = { enable = true; storeDir = "/data"; }; diff --git a/nixpkgs/nixos/tests/borgbackup.nix b/nixpkgs/nixos/tests/borgbackup.nix index fdb87dbea438..165f64b0d6dc 100644 --- a/nixpkgs/nixos/tests/borgbackup.nix +++ b/nixpkgs/nixos/tests/borgbackup.nix @@ -44,7 +44,7 @@ in { client = { ... }: { services.borgbackup.jobs = { - local = rec { + local = { paths = dataDir; repo = localRepo; preHook = '' diff --git a/nixpkgs/nixos/tests/ceph.nix b/nixpkgs/nixos/tests/ceph.nix index 7408029c460e..57120ff978f7 100644 --- a/nixpkgs/nixos/tests/ceph.nix +++ b/nixpkgs/nixos/tests/ceph.nix @@ -1,12 +1,13 @@ -import ./make-test.nix ({pkgs, ...}: rec { +import ./make-test.nix ({pkgs, lib, ...}: { name = "All-in-one-basic-ceph-cluster"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ lejonet ]; + maintainers = [ johanot lejonet ]; }; nodes = { aio = { pkgs, ... }: { virtualisation = { + memorySize = 1536; emptyDiskImages = [ 20480 20480 ]; vlans = [ 1 ]; }; @@ -24,9 +25,6 @@ import ./make-test.nix ({pkgs, ...}: rec { ceph xfsprogs ]; - nixpkgs.config.packageOverrides = super: { - ceph = super.ceph.override({ nss = super.nss; libxfs = super.libxfs; libaio = super.libaio; jemalloc = super.jemalloc; }); - }; boot.kernelModules = [ "xfs" ]; @@ -51,6 +49,9 @@ import ./make-test.nix ({pkgs, ...}: rec { enable = true; daemons = [ "0" "1" ]; }; + + # So that we don't have to battle systemd when bootstraping + systemd.targets.ceph.wantedBy = lib.mkForce []; }; }; @@ -61,24 +62,26 @@ import ./make-test.nix ({pkgs, ...}: rec { # Create the ceph-related directories $aio->mustSucceed( - "mkdir -p /var/lib/ceph/mgr/ceph-aio/", - "mkdir -p /var/lib/ceph/mon/ceph-aio/", - "mkdir -p /var/lib/ceph/osd/ceph-{0..1}/", - "chown ceph:ceph -R /var/lib/ceph/" + "mkdir -p /var/lib/ceph/mgr/ceph-aio", + "mkdir -p /var/lib/ceph/mon/ceph-aio", + "mkdir -p /var/lib/ceph/osd/ceph-{0,1}", + "chown ceph:ceph -R /var/lib/ceph/", + "mkdir -p /etc/ceph", + "chown ceph:ceph -R /etc/ceph" ); # Bootstrap ceph-mon daemon $aio->mustSucceed( - "mkdir -p /var/lib/ceph/bootstrap-osd && chown ceph:ceph /var/lib/ceph/bootstrap-osd", "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'", - "ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --set-uid=0 --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'", - "ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring", - "monmaptool --create --add aio 192.168.1.1 --fsid 066ae264-2a5d-4729-8001-6ad265f50b03 /tmp/monmap", + "sudo -u ceph ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'", + "sudo -u ceph ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring", + "monmaptool --create --add aio 192.168.1.1 --fsid 066ae264-2a5d-4729-8001-6ad265f50b03 /tmp/monmap", "sudo -u ceph ceph-mon --mkfs -i aio --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring", - "touch /var/lib/ceph/mon/ceph-aio/done", + "sudo -u ceph touch /var/lib/ceph/mon/ceph-aio/done", "systemctl start ceph-mon-aio" ); $aio->waitForUnit("ceph-mon-aio"); + $aio->mustSucceed("ceph mon enable-msgr2"); # Can't check ceph status until a mon is up $aio->succeed("ceph -s | grep 'mon: 1 daemons'"); @@ -90,6 +93,7 @@ import ./make-test.nix ({pkgs, ...}: rec { ); $aio->waitForUnit("ceph-mgr-aio"); $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'"); + $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'"); # Bootstrap both OSDs $aio->mustSucceed( @@ -112,8 +116,8 @@ import ./make-test.nix ({pkgs, ...}: rec { "systemctl start ceph-osd-1" ); - $aio->waitUntilSucceeds("ceph osd stat | grep '2 osds: 2 up, 2 in'"); - $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active)'"); + $aio->waitUntilSucceeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'"); + $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'"); $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'"); $aio->mustSucceed( @@ -135,5 +139,23 @@ import ./make-test.nix ({pkgs, ...}: rec { "ceph osd pool ls | grep 'aio-test'", "ceph osd pool delete aio-other-test aio-other-test --yes-i-really-really-mean-it" ); + + # As we disable the target in the config, we still want to test that it works as intended + $aio->mustSucceed( + "systemctl stop ceph-osd-0", + "systemctl stop ceph-osd-1", + "systemctl stop ceph-mgr-aio", + "systemctl stop ceph-mon-aio" + ); + $aio->succeed("systemctl start ceph.target"); + $aio->waitForUnit("ceph-mon-aio"); + $aio->waitForUnit("ceph-mgr-aio"); + $aio->waitForUnit("ceph-osd-0"); + $aio->waitForUnit("ceph-osd-1"); + $aio->succeed("ceph -s | grep 'mon: 1 daemons'"); + $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'"); + $aio->waitUntilSucceeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'"); + $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'"); + $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'"); ''; }) diff --git a/nixpkgs/nixos/tests/cjdns.nix b/nixpkgs/nixos/tests/cjdns.nix index e03bb9882540..6660eecf05b9 100644 --- a/nixpkgs/nixos/tests/cjdns.nix +++ b/nixpkgs/nixos/tests/cjdns.nix @@ -23,8 +23,7 @@ import ./make-test.nix ({ pkgs, ...} : { maintainers = [ ehmry ]; }; - nodes = rec - { # Alice finds peers over over ETHInterface. + nodes = { # Alice finds peers over over ETHInterface. alice = { ... }: { imports = [ basicConfig ]; diff --git a/nixpkgs/nixos/tests/cockroachdb.nix b/nixpkgs/nixos/tests/cockroachdb.nix index 56c624d8cf2f..496283fddc7b 100644 --- a/nixpkgs/nixos/tests/cockroachdb.nix +++ b/nixpkgs/nixos/tests/cockroachdb.nix @@ -100,7 +100,7 @@ in import ./make-test.nix ({ pkgs, ...} : { meta.maintainers = with pkgs.stdenv.lib.maintainers; [ thoughtpolice ]; - nodes = rec { + nodes = { node1 = makeNode "country=us,region=east,dc=1" "192.168.1.1" null; node2 = makeNode "country=us,region=west,dc=2b" "192.168.1.2" "192.168.1.1"; node3 = makeNode "country=eu,region=west,dc=2" "192.168.1.3" "192.168.1.1"; diff --git a/nixpkgs/nixos/tests/containers-reloadable.nix b/nixpkgs/nixos/tests/containers-reloadable.nix index 9726ca0cb0e7..f41dea91b1e4 100644 --- a/nixpkgs/nixos/tests/containers-reloadable.nix +++ b/nixpkgs/nixos/tests/containers-reloadable.nix @@ -1,11 +1,11 @@ import ./make-test.nix ({ pkgs, lib, ...} : let - client_base = rec { + client_base = { containers.test1 = { autoStart = true; config = { - environment.etc."check".text = "client_base"; + environment.etc.check.text = "client_base"; }; }; @@ -29,7 +29,7 @@ in { imports = [ client_base ]; containers.test1.config = { - environment.etc."check".text = lib.mkForce "client_c1"; + environment.etc.check.text = lib.mkForce "client_c1"; services.httpd.enable = true; services.httpd.adminAddr = "nixos@example.com"; }; @@ -38,7 +38,7 @@ in { imports = [ client_base ]; containers.test1.config = { - environment.etc."check".text = lib.mkForce "client_c2"; + environment.etc.check.text = lib.mkForce "client_c2"; services.nginx.enable = true; }; }; diff --git a/nixpkgs/nixos/tests/containers-restart_networking.nix b/nixpkgs/nixos/tests/containers-restart_networking.nix index 0fb3b591e9f9..df15f5b2f455 100644 --- a/nixpkgs/nixos/tests/containers-restart_networking.nix +++ b/nixpkgs/nixos/tests/containers-restart_networking.nix @@ -1,7 +1,7 @@ # Test for NixOS' container support. let - client_base = rec { + client_base = { networking.firewall.enable = false; containers.webserver = { diff --git a/nixpkgs/nixos/tests/containers-tmpfs.nix b/nixpkgs/nixos/tests/containers-tmpfs.nix index 05c21f4907bf..e29fe6bbf032 100644 --- a/nixpkgs/nixos/tests/containers-tmpfs.nix +++ b/nixpkgs/nixos/tests/containers-tmpfs.nix @@ -3,7 +3,7 @@ import ./make-test.nix ({ pkgs, ...} : { name = "containers-tmpfs"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ ckampka ]; + maintainers = [ kampka ]; }; machine = diff --git a/nixpkgs/nixos/tests/elk.nix b/nixpkgs/nixos/tests/elk.nix index 95371ef44436..b33d98b85d69 100644 --- a/nixpkgs/nixos/tests/elk.nix +++ b/nixpkgs/nixos/tests/elk.nix @@ -178,13 +178,7 @@ let ''; }; in mapAttrs mkElkTest { - "ELK-5" = { - elasticsearch = pkgs.elasticsearch5; - logstash = pkgs.logstash5; - kibana = pkgs.kibana5; - journalbeat = pkgs.journalbeat5; - }; - "ELK-6" = + ELK-6 = if enableUnfree then { elasticsearch = pkgs.elasticsearch6; @@ -198,7 +192,7 @@ in mapAttrs mkElkTest { kibana = pkgs.kibana6-oss; journalbeat = pkgs.journalbeat6; }; - "ELK-7" = + ELK-7 = if enableUnfree then { elasticsearch = pkgs.elasticsearch7; diff --git a/nixpkgs/nixos/tests/env.nix b/nixpkgs/nixos/tests/env.nix index 064c498204ae..6c681905b19f 100644 --- a/nixpkgs/nixos/tests/env.nix +++ b/nixpkgs/nixos/tests/env.nix @@ -7,7 +7,7 @@ import ./make-test.nix ({ pkgs, ...} : { machine = { pkgs, ... }: { boot.kernelPackages = pkgs.linuxPackages; - environment.etc."plainFile".text = '' + environment.etc.plainFile.text = '' Hello World ''; environment.etc."folder/with/file".text = '' diff --git a/nixpkgs/nixos/tests/flannel.nix b/nixpkgs/nixos/tests/flannel.nix index 0b261a684772..9991c5eaa329 100644 --- a/nixpkgs/nixos/tests/flannel.nix +++ b/nixpkgs/nixos/tests/flannel.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : rec { +import ./make-test.nix ({ pkgs, ...} : { name = "flannel"; meta = with pkgs.stdenv.lib.maintainers; { diff --git a/nixpkgs/nixos/tests/gitlab.nix b/nixpkgs/nixos/tests/gitlab.nix index ac733461932d..be0b3c8746a9 100644 --- a/nixpkgs/nixos/tests/gitlab.nix +++ b/nixpkgs/nixos/tests/gitlab.nix @@ -21,7 +21,7 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; { enable = true; recommendedProxySettings = true; virtualHosts = { - "localhost" = { + localhost = { locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; }; }; @@ -29,44 +29,14 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; { services.gitlab = { enable = true; - databasePassword = "dbPassword"; - inherit initialRootPassword; + databasePasswordFile = pkgs.writeText "dbPassword" "xo0daiF4"; + initialRootPasswordFile = pkgs.writeText "rootPassword" initialRootPassword; smtp.enable = true; secrets = { - secret = "secret"; - otp = "otpsecret"; - db = "dbsecret"; - - # nix-shell -p openssl --run "openssl genrsa 2048" - jws = '' - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEA13/qEio76OWUtWO0WIz9lWnsTWOU8Esv4sQHDq9PCEFsLt21 - PAXrlWhLjjWcxGfsrDwnh7YErGHYL62BMSxMdFJolaknlQK/O/V8UETDe45VoHM+ - Znk270RfUcfYFgiihnXUZXVmL0om9TsQSk646wCcjCY9LxtxUyKNhvT7KjgYw2aX - z34aw7M+Js3T2p1TjZPSC82GtmtKkJEKFMi5EjprLTDE7EdcUzr9Xuw+kQ+gRm9k - 7FE+JQqSoprwE3Q0v2OAn3UhLMgg0gNFRnsc5l6IAshDzV+H22RPqKKlJjVjjfPY - 0TQSvYLVApigHbDPH0BoCXfjFfQazbbP3OUHrwIDAQABAoIBAQCMU+tkcMQaYIV5 - qLdjgkwO467QpivyXcOM8wF1eosIYTHFQvIlZ+WEoSmyLQ8shlADyBgls01Pw1c3 - lNAv6RzQEmmwKzpvOh61OKH+0whIiOMRXHoh2IUBQZCgfHYlwvGyhUAN4WjtGmhM - AG4XNTQNM5S9Xpkw97nP3Qwz+YskbbkrfqtCEVy9ro+4nhbjqPsuO3adbnkva4zR - cyurRhrHgHU6LPjn5NHnHH4qw2faY2oAsL8pmpkTbO5IqWDvOcbjNfjVPgVoq26O - bbaa1qs4nmc80qQgMjRPJef535xyf3eLsSlDvpf6O8sPrJzVR1zaqEqixpQCZDac - +kRiSBrhAoGBAOwHiq0PuyJh6VzBu7ybqX6+gF/wA4Jkwzx6mbfaBgurvU1aospp - kisIonAkxSbxllZMnjbkShZEdATYKeT9o5NEhnU4YnHfc5bJZbiWOZAzYGLcY7g8 - vDQ31pBItyY4pFgPbSpNlbUvUsoPVJ45RasRADDTNCzMzdjFQQXst2V9AoGBAOm7 - sSpzYfFPLEAhieAkuhtbsX58Boo46djiKVfzGftfp6F9aHTOfzGORU5jrZ16mSbS - qkkC6BEFrATX2051dzzXC89fWoJYALrsffE5I3KlKXsCAWSnCP1MMxOfH+Ls61Mr - 7pK/LKfvJt53mUH4jIdbmmFUDwbg18oBEH+x9PmbAoGAS/+JqXu9N67rIxDGUE6W - 3tacI0f2+U9Uhe67/DTZaXyc8YFTlXU0uWKIWy+bw5RaYeM9tlL/f/f+m2i25KK+ - vrZ7zNag7CWU5GJovGyykDnauTpZaYM03mN0VPT08/uc/zXIYqyknbhlIeaZynCK - fDB3LUF0NVCknz20WCIGU0kCgYEAkxY0ZXx61Dp4pFr2wwEZxQGs7uXpz64FKyEX - 12r6nMATY4Lh6y/Px0W6w5vis8lk+5Ny6cNUevHQ0LNuJS+yu6ywl+1vrbrnqroM - f3LvpcPeGLSoX8jl1VDQi7aFgG6LoKly1xJLbdsH4NPutB9PgBbbTghx9GgmI88L - rPA2M6UCgYBOmkYJocNgxg6B1/n4Tb9fN1Q/XuJrFDE6NxVUoke+IIyMPRH7FC3m - VMYzu+b7zTVJjaBb1cmJemxl/xajziWDofJYPefhdbOVU7HXtmJFY0IG3pVxU1zW - 3bmDj5QAtCUDpuuNa6GEIT0YR4+D/V7o3DmlZ0tVIwKJmVJoQ2f5dw== - -----END RSA PRIVATE KEY----- - ''; + secretFile = pkgs.writeText "secret" "Aig5zaic"; + otpFile = pkgs.writeText "otpsecret" "Riew9mue"; + dbFile = pkgs.writeText "dbsecret" "we2quaeZ"; + jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out"; }; }; }; diff --git a/nixpkgs/nixos/tests/hardened.nix b/nixpkgs/nixos/tests/hardened.nix index 1ff329bd98de..90f9793b370c 100644 --- a/nixpkgs/nixos/tests/hardened.nix +++ b/nixpkgs/nixos/tests/hardened.nix @@ -28,7 +28,7 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = let - hardened-malloc-tests = pkgs.stdenv.mkDerivation rec { + hardened-malloc-tests = pkgs.stdenv.mkDerivation { name = "hardened-malloc-tests-${pkgs.graphene-hardened-malloc.version}"; src = pkgs.graphene-hardened-malloc.src; buildPhase = '' diff --git a/nixpkgs/nixos/tests/initrd-network-ssh/default.nix b/nixpkgs/nixos/tests/initrd-network-ssh/default.nix index b2209f297a4f..796c50c610e3 100644 --- a/nixpkgs/nixos/tests/initrd-network-ssh/default.nix +++ b/nixpkgs/nixos/tests/initrd-network-ssh/default.nix @@ -6,7 +6,7 @@ import ../make-test.nix ({ lib, ... }: maintainers = [ willibutz ]; }; - nodes = with lib; rec { + nodes = with lib; { server = { config, ... }: { diff --git a/nixpkgs/nixos/tests/jackett.nix b/nixpkgs/nixos/tests/jackett.nix index 399a0c272327..c749c32ad04e 100644 --- a/nixpkgs/nixos/tests/jackett.nix +++ b/nixpkgs/nixos/tests/jackett.nix @@ -2,7 +2,7 @@ import ./make-test.nix ({ lib, ... }: with lib; -rec { +{ name = "jackett"; meta.maintainers = with maintainers; [ etu ]; diff --git a/nixpkgs/nixos/tests/kubernetes/base.nix b/nixpkgs/nixos/tests/kubernetes/base.nix index 212023859f6d..f21634c4ffbf 100644 --- a/nixpkgs/nixos/tests/kubernetes/base.nix +++ b/nixpkgs/nixos/tests/kubernetes/base.nix @@ -30,10 +30,7 @@ let { config, pkgs, lib, nodes, ... }: mkMerge [ { - boot = { - postBootCommands = "rm -fr /var/lib/kubernetes/secrets /tmp/shared/*"; - kernel.sysctl = { "fs.inotify.max_user_instances" = 256; }; - }; + boot.postBootCommands = "rm -fr /var/lib/kubernetes/secrets /tmp/shared/*"; virtualisation.memorySize = mkDefault 1536; virtualisation.diskSize = mkDefault 4096; networking = { @@ -71,7 +68,7 @@ let 443 # kubernetes apiserver ]; }) - (optionalAttrs (machine ? "extraConfiguration") (machine.extraConfiguration { inherit config pkgs lib nodes; })) + (optionalAttrs (machine ? extraConfiguration) (machine.extraConfiguration { inherit config pkgs lib nodes; })) (optionalAttrs (extraConfiguration != null) (extraConfiguration { inherit config pkgs lib nodes; })) ] ) machines; diff --git a/nixpkgs/nixos/tests/kubernetes/dns.nix b/nixpkgs/nixos/tests/kubernetes/dns.nix index e7db0a58ab61..46bcb01a5265 100644 --- a/nixpkgs/nixos/tests/kubernetes/dns.nix +++ b/nixpkgs/nixos/tests/kubernetes/dns.nix @@ -77,7 +77,6 @@ let singleNodeTest = { test = '' # prepare machine1 for test - $machine1->waitForUnit("kubernetes.target"); $machine1->waitUntilSucceeds("kubectl get node machine1.${domain} | grep -w Ready"); $machine1->waitUntilSucceeds("docker load < ${redisImage}"); $machine1->waitUntilSucceeds("kubectl create -f ${redisPod}"); @@ -103,8 +102,6 @@ let # Node token exchange $machine1->waitUntilSucceeds("cp -f /var/lib/cfssl/apitoken.secret /tmp/shared/apitoken.secret"); $machine2->waitUntilSucceeds("cat /tmp/shared/apitoken.secret | nixos-kubernetes-node-join"); - $machine1->waitForUnit("kubernetes.target"); - $machine2->waitForUnit("kubernetes.target"); # prepare machines for test $machine1->waitUntilSucceeds("kubectl get node machine2.${domain} | grep -w Ready"); diff --git a/nixpkgs/nixos/tests/kubernetes/rbac.nix b/nixpkgs/nixos/tests/kubernetes/rbac.nix index 967fe506004f..3ce7adcd0d71 100644 --- a/nixpkgs/nixos/tests/kubernetes/rbac.nix +++ b/nixpkgs/nixos/tests/kubernetes/rbac.nix @@ -94,8 +94,6 @@ let singlenode = base // { test = '' - $machine1->waitForUnit("kubernetes.target"); - $machine1->waitUntilSucceeds("kubectl get node machine1.my.zyx | grep -w Ready"); $machine1->waitUntilSucceeds("docker load < ${kubectlImage}"); @@ -118,8 +116,6 @@ let # Node token exchange $machine1->waitUntilSucceeds("cp -f /var/lib/cfssl/apitoken.secret /tmp/shared/apitoken.secret"); $machine2->waitUntilSucceeds("cat /tmp/shared/apitoken.secret | nixos-kubernetes-node-join"); - $machine1->waitForUnit("kubernetes.target"); - $machine2->waitForUnit("kubernetes.target"); $machine1->waitUntilSucceeds("kubectl get node machine2.my.zyx | grep -w Ready"); diff --git a/nixpkgs/nixos/tests/ldap.nix b/nixpkgs/nixos/tests/ldap.nix index fe859876ed25..665b9ee09b55 100644 --- a/nixpkgs/nixos/tests/ldap.nix +++ b/nixpkgs/nixos/tests/ldap.nix @@ -115,7 +115,7 @@ in ); slapdDatabases = { - "${dbSuffix}" = { + ${dbSuffix} = { conf = '' dn: olcBackend={1}mdb,cn=config objectClass: olcBackendConfig diff --git a/nixpkgs/nixos/tests/lidarr.nix b/nixpkgs/nixos/tests/lidarr.nix index 58bf82503f8c..85fcbd21d8c0 100644 --- a/nixpkgs/nixos/tests/lidarr.nix +++ b/nixpkgs/nixos/tests/lidarr.nix @@ -2,7 +2,7 @@ import ./make-test.nix ({ lib, ... }: with lib; -rec { +{ name = "lidarr"; meta.maintainers = with maintainers; [ etu ]; diff --git a/nixpkgs/nixos/tests/mosquitto.nix b/nixpkgs/nixos/tests/mosquitto.nix index bd5447de15ff..b4c897c3ab5d 100644 --- a/nixpkgs/nixos/tests/mosquitto.nix +++ b/nixpkgs/nixos/tests/mosquitto.nix @@ -16,7 +16,7 @@ let "-t ${topic}" ]; -in rec { +in { name = "mosquitto"; meta = with pkgs.stdenv.lib; { maintainers = with maintainers; [ peterhoeg ]; @@ -34,7 +34,7 @@ in rec { enable = true; host = "0.0.0.0"; checkPasswords = true; - users."${username}" = { + users.${username} = { inherit password; acl = [ "topic readwrite ${topic}" diff --git a/nixpkgs/nixos/tests/ndppd.nix b/nixpkgs/nixos/tests/ndppd.nix index c53ff93a91f9..6a6f602726de 100644 --- a/nixpkgs/nixos/tests/ndppd.nix +++ b/nixpkgs/nixos/tests/ndppd.nix @@ -37,7 +37,7 @@ import ./make-test.nix ({ pkgs, lib, ...} : { }; services.ndppd = { enable = true; - proxies."eth1".rules."fd42::/112" = {}; + proxies.eth1.rules."fd42::/112" = {}; }; containers.client = { autoStart = true; diff --git a/nixpkgs/nixos/tests/networking.nix b/nixpkgs/nixos/tests/networking.nix index 6ce64dcebea0..7452768033ab 100644 --- a/nixpkgs/nixos/tests/networking.nix +++ b/nixpkgs/nixos/tests/networking.nix @@ -440,12 +440,12 @@ let virtual = { name = "Virtual"; machine = { - networking.interfaces."tap0" = { + networking.interfaces.tap0 = { ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ]; ipv6.addresses = [ { address = "2001:1470:fffd:2096::"; prefixLength = 64; } ]; virtual = true; }; - networking.interfaces."tun0" = { + networking.interfaces.tun0 = { ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ]; ipv6.addresses = [ { address = "2001:1470:fffd:2097::"; prefixLength = 64; } ]; virtual = true; @@ -561,7 +561,7 @@ let name = "routes"; machine = { networking.useDHCP = false; - networking.interfaces."eth0" = { + networking.interfaces.eth0 = { ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ]; ipv6.addresses = [ { address = "2001:1470:fffd:2097::"; prefixLength = 64; } ]; ipv6.routes = [ diff --git a/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix b/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix index c0d347238b47..aaf37ee4c810 100644 --- a/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix +++ b/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix @@ -50,7 +50,7 @@ in { ''; }; - systemd.services."nextcloud-setup"= { + systemd.services.nextcloud-setup= { requires = ["mysql.service"]; after = ["mysql.service"]; }; diff --git a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix index 8a840a608753..81c269c23788 100644 --- a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix +++ b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix @@ -51,7 +51,7 @@ in { serviceConfig.PermissionsStartOnly = true; }; - systemd.services."nextcloud-setup"= { + systemd.services.nextcloud-setup= { requires = ["postgresql.service"]; after = [ "postgresql.service" @@ -62,7 +62,7 @@ in { # At the time of writing, redis creates its socket with the "nobody" # group. I figure this is slightly less bad than making the socket world # readable. - systemd.services."chown-redis-socket" = { + systemd.services.chown-redis-socket = { enable = true; script = '' until ${pkgs.redis}/bin/redis-cli ping; do diff --git a/nixpkgs/nixos/tests/nghttpx.nix b/nixpkgs/nixos/tests/nghttpx.nix index d41fa01aa9a8..11611bfe1063 100644 --- a/nixpkgs/nixos/tests/nghttpx.nix +++ b/nixpkgs/nixos/tests/nghttpx.nix @@ -15,7 +15,7 @@ in services.nginx = { enable = true; - virtualHosts."server" = { + virtualHosts.server = { locations."/".root = nginxRoot; }; }; diff --git a/nixpkgs/nixos/tests/pgmanage.nix b/nixpkgs/nixos/tests/pgmanage.nix index 110cbd5c5b40..bacaf3f41588 100644 --- a/nixpkgs/nixos/tests/pgmanage.nix +++ b/nixpkgs/nixos/tests/pgmanage.nix @@ -21,7 +21,7 @@ in pgmanage = { enable = true; connections = { - "${conn}" = "hostaddr=127.0.0.1 port=${toString config.services.postgresql.port} dbname=postgres"; + ${conn} = "hostaddr=127.0.0.1 port=${toString config.services.postgresql.port} dbname=postgres"; }; }; }; diff --git a/nixpkgs/nixos/tests/printing.nix b/nixpkgs/nixos/tests/printing.nix index 74583ae55623..4d0df289cf75 100644 --- a/nixpkgs/nixos/tests/printing.nix +++ b/nixpkgs/nixos/tests/printing.nix @@ -1,99 +1,114 @@ # Test printing via CUPS. -import ./make-test.nix ({pkgs, ... }: { +import ./make-test.nix ({pkgs, ... }: +let + printingServer = startWhenNeeded: { + services.printing.enable = true; + services.printing.startWhenNeeded = startWhenNeeded; + services.printing.listenAddresses = [ "*:631" ]; + services.printing.defaultShared = true; + services.printing.extraConf = + '' + <Location /> + Order allow,deny + Allow from all + </Location> + ''; + networking.firewall.allowedTCPPorts = [ 631 ]; + # Add a HP Deskjet printer connected via USB to the server. + hardware.printers.ensurePrinters = [{ + name = "DeskjetLocal"; + deviceUri = "usb://foobar/printers/foobar"; + model = "drv:///sample.drv/deskjet.ppd"; + }]; + }; + printingClient = startWhenNeeded: { + services.printing.enable = true; + services.printing.startWhenNeeded = startWhenNeeded; + # Add printer to the client as well, via IPP. + hardware.printers.ensurePrinters = [{ + name = "DeskjetRemote"; + deviceUri = "ipp://${if startWhenNeeded then "socketActivatedServer" else "serviceServer"}/printers/DeskjetLocal"; + model = "drv:///sample.drv/deskjet.ppd"; + }]; + hardware.printers.ensureDefaultPrinter = "DeskjetRemote"; + }; + +in + +{ name = "printing"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ domenkozar eelco matthewbauer ]; }; nodes = { + socketActivatedServer = { ... }: (printingServer true); + serviceServer = { ... }: (printingServer false); - server = - { ... }: - { services.printing.enable = true; - services.printing.listenAddresses = [ "*:631" ]; - services.printing.defaultShared = true; - services.printing.extraConf = - '' - <Location /> - Order allow,deny - Allow from all - </Location> - ''; - networking.firewall.allowedTCPPorts = [ 631 ]; - }; - - client = - { ... }: - { services.printing.enable = true; - }; - + socketActivatedClient = { ... }: (printingClient true); + serviceClient = { ... }: (printingClient false); }; testScript = '' startAll; - $client->succeed("lpstat -r") =~ /scheduler is running/ or die; - # check local encrypted connections work without error - $client->succeed("lpstat -E -r") =~ /scheduler is running/ or die; - # Test that UNIX socket is used for connections. - $client->succeed("lpstat -H") =~ "/run/cups/cups.sock" or die; - # Test that HTTP server is available too. - $client->succeed("curl --fail http://localhost:631/"); - $client->succeed("curl --fail http://server:631/"); - $server->fail("curl --fail --connect-timeout 2 http://client:631/"); - - # Add a HP Deskjet printer connected via USB to the server. - $server->succeed("lpadmin -p DeskjetLocal -E -v usb://foobar/printers/foobar"); - - # Add it to the client as well via IPP. - $client->succeed("lpadmin -p DeskjetRemote -E -v ipp://server/printers/DeskjetLocal"); - $client->succeed("lpadmin -d DeskjetRemote"); - - # Do some status checks. - $client->succeed("lpstat -a") =~ /DeskjetRemote accepting requests/ or die; - $client->succeed("lpstat -h server:631 -a") =~ /DeskjetLocal accepting requests/ or die; - $client->succeed("cupsdisable DeskjetRemote"); - $client->succeed("lpq") =~ /DeskjetRemote is not ready.*no entries/s or die; - $client->succeed("cupsenable DeskjetRemote"); - $client->succeed("lpq") =~ /DeskjetRemote is ready.*no entries/s or die; - - # Test printing various file types. - foreach my $file ("${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf", - "${pkgs.groff.doc}/share/doc/*/meref.ps", - "${pkgs.cups.out}/share/doc/cups/images/cups.png", - "${pkgs.pcre.doc}/share/doc/pcre/pcre.txt") - { - $file =~ /([^\/]*)$/; my $fn = $1; - - subtest "print $fn", sub { - - # Print the file on the client. - $client->succeed("lp $file"); - $client->sleep(10); - $client->succeed("lpq") =~ /active.*root.*$fn/ or die; - - # Ensure that a raw PCL file appeared in the server's queue - # (showing that the right filters have been applied). Of - # course, since there is no actual USB printer attached, the - # file will stay in the queue forever. - $server->waitForFile("/var/spool/cups/d*-001"); - $server->sleep(10); - $server->succeed("lpq -a") =~ /$fn/ or die; - - # Delete the job on the client. It should disappear on the - # server as well. - $client->succeed("lprm"); - $client->sleep(10); - $client->succeed("lpq -a") =~ /no entries/; - Machine::retry sub { - return 1 if $server->succeed("lpq -a") =~ /no entries/; + # Make sure that cups is up on both sides. + $serviceServer->waitForUnit("cups.service"); + $serviceClient->waitForUnit("cups.service"); + # wait until cups is fully initialized and ensure-printers has executed with 10s delay + $serviceClient->sleep(20); + $socketActivatedClient->waitUntilSucceeds("systemctl status ensure-printers | grep -q -E 'code=exited, status=0/SUCCESS'"); + sub testPrinting { + my ($client, $server) = (@_); + my $clientHostname = $client->name(); + my $serverHostname = $server->name(); + $client->succeed("lpstat -r") =~ /scheduler is running/ or die; + # Test that UNIX socket is used for connections. + $client->succeed("lpstat -H") =~ "/var/run/cups/cups.sock" or die; + # Test that HTTP server is available too. + $client->succeed("curl --fail http://localhost:631/"); + $client->succeed("curl --fail http://$serverHostname:631/"); + $server->fail("curl --fail --connect-timeout 2 http://$clientHostname:631/"); + # Do some status checks. + $client->succeed("lpstat -a") =~ /DeskjetRemote accepting requests/ or die; + $client->succeed("lpstat -h $serverHostname:631 -a") =~ /DeskjetLocal accepting requests/ or die; + $client->succeed("cupsdisable DeskjetRemote"); + $client->succeed("lpq") =~ /DeskjetRemote is not ready.*no entries/s or die; + $client->succeed("cupsenable DeskjetRemote"); + $client->succeed("lpq") =~ /DeskjetRemote is ready.*no entries/s or die; + # Test printing various file types. + foreach my $file ("${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf", + "${pkgs.groff.doc}/share/doc/*/meref.ps", + "${pkgs.cups.out}/share/doc/cups/images/cups.png", + "${pkgs.pcre.doc}/share/doc/pcre/pcre.txt") + { + $file =~ /([^\/]*)$/; my $fn = $1; + subtest "print $fn", sub { + # Print the file on the client. + $client->succeed("lp $file"); + $client->waitUntilSucceeds("lpq | grep -q -E 'active.*root.*$fn'"); + # Ensure that a raw PCL file appeared in the server's queue + # (showing that the right filters have been applied). Of + # course, since there is no actual USB printer attached, the + # file will stay in the queue forever. + $server->waitForFile("/var/spool/cups/d*-001"); + $server->waitUntilSucceeds("lpq -a | grep -q -E '$fn'"); + # Delete the job on the client. It should disappear on the + # server as well. + $client->succeed("lprm"); + $client->waitUntilSucceeds("lpq -a | grep -q -E 'no entries'"); + Machine::retry sub { + return 1 if $server->succeed("lpq -a") =~ /no entries/; + }; + # The queue is empty already, so this should be safe. + # Otherwise, pairs of "c*"-"d*-001" files might persist. + $server->execute("rm /var/spool/cups/*"); }; - # The queue is empty already, so this should be safe. - # Otherwise, pairs of "c*"-"d*-001" files might persist. - $server->execute("rm /var/spool/cups/*"); - }; + } } - ''; + testPrinting($serviceClient, $serviceServer); + testPrinting($socketActivatedClient, $socketActivatedServer); + ''; }) diff --git a/nixpkgs/nixos/tests/prometheus-2.nix b/nixpkgs/nixos/tests/prometheus-2.nix deleted file mode 100644 index 219c47c73d95..000000000000 --- a/nixpkgs/nixos/tests/prometheus-2.nix +++ /dev/null @@ -1,239 +0,0 @@ -let - grpcPort = 19090; - queryPort = 9090; - minioPort = 9000; - pushgwPort = 9091; - - s3 = { - accessKey = "BKIKJAA5BMMU2RHO6IBB"; - secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12"; - }; - - objstore.config = { - type = "S3"; - config = { - bucket = "thanos-bucket"; - endpoint = "s3:${toString minioPort}"; - region = "us-east-1"; - access_key = s3.accessKey; - secret_key = s3.secretKey; - insecure = true; - signature_version2 = false; - encrypt_sse = false; - put_user_metadata = {}; - http_config = { - idle_conn_timeout = "0s"; - insecure_skip_verify = false; - }; - trace = { - enable = false; - }; - }; - }; - -in import ./make-test.nix { - name = "prometheus-2"; - - nodes = { - prometheus = { pkgs, ... }: { - virtualisation.diskSize = 2 * 1024; - environment.systemPackages = [ pkgs.jq ]; - networking.firewall.allowedTCPPorts = [ grpcPort ]; - services.prometheus2 = { - enable = true; - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = [ - { - targets = [ "127.0.0.1:${toString queryPort}" ]; - labels = { instance = "localhost"; }; - } - ]; - } - { - job_name = "pushgateway"; - scrape_interval = "1s"; - static_configs = [ - { - targets = [ "127.0.0.1:${toString pushgwPort}" ]; - } - ]; - } - ]; - rules = [ - '' - groups: - - name: test - rules: - - record: testrule - expr: count(up{job="prometheus"}) - '' - ]; - globalConfig = { - external_labels = { - some_label = "required by thanos"; - }; - }; - extraFlags = [ - # Required by thanos - "--storage.tsdb.min-block-duration=5s" - "--storage.tsdb.max-block-duration=5s" - ]; - }; - services.prometheus.pushgateway = { - enable = true; - web.listen-address = ":${toString pushgwPort}"; - persistMetrics = true; - persistence.interval = "1s"; - stateDir = "prometheus-pushgateway"; - }; - services.thanos = { - sidecar = { - enable = true; - grpc-address = "0.0.0.0:${toString grpcPort}"; - inherit objstore; - }; - - # TODO: Add some tests for these services: - #rule = { - # enable = true; - # http-address = "0.0.0.0:19194"; - # grpc-address = "0.0.0.0:19193"; - # query.addresses = [ - # "localhost:19191" - # ]; - # labels = { - # just = "some"; - # nice = "labels"; - # }; - #}; - # - #receive = { - # http-address = "0.0.0.0:19195"; - # enable = true; - # labels = { - # just = "some"; - # nice = "labels"; - # }; - #}; - }; - }; - - query = { pkgs, ... }: { - environment.systemPackages = [ pkgs.jq ]; - services.thanos.query = { - enable = true; - http-address = "0.0.0.0:${toString queryPort}"; - store.addresses = [ - "prometheus:${toString grpcPort}" - ]; - }; - }; - - store = { pkgs, ... }: { - virtualisation.diskSize = 2 * 1024; - environment.systemPackages = with pkgs; [ jq thanos ]; - services.thanos.store = { - enable = true; - http-address = "0.0.0.0:10902"; - grpc-address = "0.0.0.0:${toString grpcPort}"; - inherit objstore; - sync-block-duration = "1s"; - }; - services.thanos.compact = { - enable = true; - http-address = "0.0.0.0:10903"; - inherit objstore; - consistency-delay = "5s"; - }; - services.thanos.query = { - enable = true; - http-address = "0.0.0.0:${toString queryPort}"; - store.addresses = [ - "localhost:${toString grpcPort}" - ]; - }; - }; - - s3 = { pkgs, ... } : { - # Minio requires at least 1GiB of free disk space to run. - virtualisation.diskSize = 2 * 1024; - networking.firewall.allowedTCPPorts = [ minioPort ]; - - services.minio = { - enable = true; - inherit (s3) accessKey secretKey; - }; - - environment.systemPackages = [ pkgs.minio-client ]; - }; - }; - - testScript = { nodes, ... } : '' - # Before starting the other machines we first make sure that our S3 service is online - # and has a bucket added for thanos: - $s3->start; - $s3->waitForUnit("minio.service"); - $s3->waitForOpenPort(${toString minioPort}); - $s3->succeed( - "mc config host add minio " . - "http://localhost:${toString minioPort} ${s3.accessKey} ${s3.secretKey} S3v4"); - $s3->succeed("mc mb minio/thanos-bucket"); - - # Now that s3 has started we can start the other machines: - $prometheus->start; - $query->start; - $store->start; - - # Check if prometheus responds to requests: - $prometheus->waitForUnit("prometheus2.service"); - $prometheus->waitForOpenPort(${toString queryPort}); - $prometheus->succeed("curl -s http://127.0.0.1:${toString queryPort}/metrics"); - - # Let's test if pushing a metric to the pushgateway succeeds: - $prometheus->waitForUnit("pushgateway.service"); - $prometheus->succeed( - "echo 'some_metric 3.14' | " . - "curl --data-binary \@- http://127.0.0.1:${toString pushgwPort}/metrics/job/some_job"); - - # Now check whether that metric gets ingested by prometheus. - # Since we'll check for the metric several times on different machines - # we abstract the test using the following function: - - # Function to check if the metric "some_metric" has been received and returns the correct value. - local *Machine::waitForMetric = sub { - my ($self) = @_; - $self->waitUntilSucceeds( - "curl -sf 'http://127.0.0.1:${toString queryPort}/api/v1/query?query=some_metric' " . - "| jq '.data.result[0].value[1]' | grep '\"3.14\"'"); - }; - - $prometheus->waitForMetric; - - # Let's test if the pushgateway persists metrics to the configured location. - $prometheus->waitUntilSucceeds("test -e /var/lib/prometheus-pushgateway/metrics"); - - # Test thanos - $prometheus->waitForUnit("thanos-sidecar.service"); - - # Test if the Thanos query service can correctly retrieve the metric that was send above. - $query->waitForUnit("thanos-query.service"); - $query->waitForMetric; - - # Test if the Thanos sidecar has correctly uploaded its TSDB to S3, if the - # Thanos storage service has correctly downloaded it from S3 and if the Thanos - # query service running on $store can correctly retrieve the metric: - $store->waitForUnit("thanos-store.service"); - $store->waitForMetric; - - $store->waitForUnit("thanos-compact.service"); - - # Test if the Thanos bucket command is able to retrieve blocks from the S3 bucket - # and check if the blocks have the correct labels: - $store->succeed( - "thanos bucket ls" . - " --objstore.config-file=${nodes.store.config.services.thanos.store.objstore.config-file}" . - " --output=json | jq .thanos.labels.some_label | grep 'required by thanos'"); - ''; -} diff --git a/nixpkgs/nixos/tests/prometheus.nix b/nixpkgs/nixos/tests/prometheus.nix index f1b20a33d71e..52f61046be39 100644 --- a/nixpkgs/nixos/tests/prometheus.nix +++ b/nixpkgs/nixos/tests/prometheus.nix @@ -1,48 +1,239 @@ -import ./make-test.nix { +let + grpcPort = 19090; + queryPort = 9090; + minioPort = 9000; + pushgwPort = 9091; + + s3 = { + accessKey = "BKIKJAA5BMMU2RHO6IBB"; + secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12"; + }; + + objstore.config = { + type = "S3"; + config = { + bucket = "thanos-bucket"; + endpoint = "s3:${toString minioPort}"; + region = "us-east-1"; + access_key = s3.accessKey; + secret_key = s3.secretKey; + insecure = true; + signature_version2 = false; + encrypt_sse = false; + put_user_metadata = {}; + http_config = { + idle_conn_timeout = "0s"; + insecure_skip_verify = false; + }; + trace = { + enable = false; + }; + }; + }; + +in import ./make-test.nix { name = "prometheus"; nodes = { - one = { ... }: { + prometheus = { pkgs, ... }: { + virtualisation.diskSize = 2 * 1024; + environment.systemPackages = [ pkgs.jq ]; + networking.firewall.allowedTCPPorts = [ grpcPort ]; services.prometheus = { enable = true; - scrapeConfigs = [{ - job_name = "prometheus"; - static_configs = [{ - targets = [ "127.0.0.1:9090" ]; - labels = { instance = "localhost"; }; - }]; - }]; - rules = [ ''testrule = count(up{job="prometheus"})'' ]; - - # a very simple version of the alertmanager configuration just to see if - # configuration checks & service startup are working - alertmanager = { - enable = true; - listenAddress = "[::1]"; - port = 9093; - configuration = { - route.receiver = "webhook"; - receivers = [ + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { + targets = [ "127.0.0.1:${toString queryPort}" ]; + labels = { instance = "localhost"; }; + } + ]; + } + { + job_name = "pushgateway"; + scrape_interval = "1s"; + static_configs = [ { - name = "webhook"; - webhook_configs = [ - { url = "http://localhost"; } - ]; + targets = [ "127.0.0.1:${toString pushgwPort}" ]; } ]; + } + ]; + rules = [ + '' + groups: + - name: test + rules: + - record: testrule + expr: count(up{job="prometheus"}) + '' + ]; + globalConfig = { + external_labels = { + some_label = "required by thanos"; }; }; + extraFlags = [ + # Required by thanos + "--storage.tsdb.min-block-duration=5s" + "--storage.tsdb.max-block-duration=5s" + ]; + }; + services.prometheus.pushgateway = { + enable = true; + web.listen-address = ":${toString pushgwPort}"; + persistMetrics = true; + persistence.interval = "1s"; + stateDir = "prometheus-pushgateway"; + }; + services.thanos = { + sidecar = { + enable = true; + grpc-address = "0.0.0.0:${toString grpcPort}"; + inherit objstore; + }; + + # TODO: Add some tests for these services: + #rule = { + # enable = true; + # http-address = "0.0.0.0:19194"; + # grpc-address = "0.0.0.0:19193"; + # query.addresses = [ + # "localhost:19191" + # ]; + # labels = { + # just = "some"; + # nice = "labels"; + # }; + #}; + # + #receive = { + # http-address = "0.0.0.0:19195"; + # enable = true; + # labels = { + # just = "some"; + # nice = "labels"; + # }; + #}; + }; + }; + + query = { pkgs, ... }: { + environment.systemPackages = [ pkgs.jq ]; + services.thanos.query = { + enable = true; + http-address = "0.0.0.0:${toString queryPort}"; + store.addresses = [ + "prometheus:${toString grpcPort}" + ]; }; }; + + store = { pkgs, ... }: { + virtualisation.diskSize = 2 * 1024; + environment.systemPackages = with pkgs; [ jq thanos ]; + services.thanos.store = { + enable = true; + http-address = "0.0.0.0:10902"; + grpc-address = "0.0.0.0:${toString grpcPort}"; + inherit objstore; + sync-block-duration = "1s"; + }; + services.thanos.compact = { + enable = true; + http-address = "0.0.0.0:10903"; + inherit objstore; + consistency-delay = "5s"; + }; + services.thanos.query = { + enable = true; + http-address = "0.0.0.0:${toString queryPort}"; + store.addresses = [ + "localhost:${toString grpcPort}" + ]; + }; + }; + + s3 = { pkgs, ... } : { + # Minio requires at least 1GiB of free disk space to run. + virtualisation.diskSize = 2 * 1024; + networking.firewall.allowedTCPPorts = [ minioPort ]; + + services.minio = { + enable = true; + inherit (s3) accessKey secretKey; + }; + + environment.systemPackages = [ pkgs.minio-client ]; + }; }; - testScript = '' - startAll; - $one->waitForUnit("prometheus.service"); - $one->waitForOpenPort(9090); - $one->succeed("curl -s http://127.0.0.1:9090/metrics"); - $one->waitForUnit("alertmanager.service"); - $one->waitForOpenPort("9093"); - $one->succeed("curl -f -s http://localhost:9093/"); + testScript = { nodes, ... } : '' + # Before starting the other machines we first make sure that our S3 service is online + # and has a bucket added for thanos: + $s3->start; + $s3->waitForUnit("minio.service"); + $s3->waitForOpenPort(${toString minioPort}); + $s3->succeed( + "mc config host add minio " . + "http://localhost:${toString minioPort} ${s3.accessKey} ${s3.secretKey} S3v4"); + $s3->succeed("mc mb minio/thanos-bucket"); + + # Now that s3 has started we can start the other machines: + $prometheus->start; + $query->start; + $store->start; + + # Check if prometheus responds to requests: + $prometheus->waitForUnit("prometheus.service"); + $prometheus->waitForOpenPort(${toString queryPort}); + $prometheus->succeed("curl -s http://127.0.0.1:${toString queryPort}/metrics"); + + # Let's test if pushing a metric to the pushgateway succeeds: + $prometheus->waitForUnit("pushgateway.service"); + $prometheus->succeed( + "echo 'some_metric 3.14' | " . + "curl --data-binary \@- http://127.0.0.1:${toString pushgwPort}/metrics/job/some_job"); + + # Now check whether that metric gets ingested by prometheus. + # Since we'll check for the metric several times on different machines + # we abstract the test using the following function: + + # Function to check if the metric "some_metric" has been received and returns the correct value. + local *Machine::waitForMetric = sub { + my ($self) = @_; + $self->waitUntilSucceeds( + "curl -sf 'http://127.0.0.1:${toString queryPort}/api/v1/query?query=some_metric' " . + "| jq '.data.result[0].value[1]' | grep '\"3.14\"'"); + }; + + $prometheus->waitForMetric; + + # Let's test if the pushgateway persists metrics to the configured location. + $prometheus->waitUntilSucceeds("test -e /var/lib/prometheus-pushgateway/metrics"); + + # Test thanos + $prometheus->waitForUnit("thanos-sidecar.service"); + + # Test if the Thanos query service can correctly retrieve the metric that was send above. + $query->waitForUnit("thanos-query.service"); + $query->waitForMetric; + + # Test if the Thanos sidecar has correctly uploaded its TSDB to S3, if the + # Thanos storage service has correctly downloaded it from S3 and if the Thanos + # query service running on $store can correctly retrieve the metric: + $store->waitForUnit("thanos-store.service"); + $store->waitForMetric; + + $store->waitForUnit("thanos-compact.service"); + + # Test if the Thanos bucket command is able to retrieve blocks from the S3 bucket + # and check if the blocks have the correct labels: + $store->succeed( + "thanos bucket ls" . + " --objstore.config-file=${nodes.store.config.services.thanos.store.objstore.config-file}" . + " --output=json | jq .thanos.labels.some_label | grep 'required by thanos'"); ''; } diff --git a/nixpkgs/nixos/tests/quake3.nix b/nixpkgs/nixos/tests/quake3.nix index fbb798515e1a..4253ce4a8672 100644 --- a/nixpkgs/nixos/tests/quake3.nix +++ b/nixpkgs/nixos/tests/quake3.nix @@ -4,7 +4,7 @@ let # Build Quake with coverage instrumentation. overrides = pkgs: - rec { + { quake3game = pkgs.quake3game.override (args: { stdenv = pkgs.stdenvAdapters.addCoverageInstrumentation args.stdenv; }); @@ -12,9 +12,9 @@ let # Only allow the demo data to be used (only if it's unfreeRedistributable). unfreePredicate = pkg: with pkgs.lib; let - allowDrvPredicates = [ "quake3-demo" "quake3-pointrelease" ]; + allowPackageNames = [ "quake3-demodata" "quake3-pointrelease" ]; allowLicenses = [ pkgs.lib.licenses.unfreeRedistributable ]; - in any (flip hasPrefix pkg.name) allowDrvPredicates && + in elem pkg.pname allowPackageNames && elem (pkg.meta.license or null) allowLicenses; in @@ -42,7 +42,7 @@ rec { { server = { pkgs, ... }: - { systemd.services."quake3-server" = + { systemd.services.quake3-server = { wantedBy = [ "multi-user.target" ]; script = "${pkgs.quake3demo}/bin/quake3-server +set g_gametype 0 " + diff --git a/nixpkgs/nixos/tests/radarr.nix b/nixpkgs/nixos/tests/radarr.nix index 6b9a909e44b5..9bc5607ccd5a 100644 --- a/nixpkgs/nixos/tests/radarr.nix +++ b/nixpkgs/nixos/tests/radarr.nix @@ -2,7 +2,7 @@ import ./make-test.nix ({ lib, ... }: with lib; -rec { +{ name = "radarr"; meta.maintainers = with maintainers; [ etu ]; diff --git a/nixpkgs/nixos/tests/sonarr.nix b/nixpkgs/nixos/tests/sonarr.nix index 3d5c3b19b6ea..3e84445099ab 100644 --- a/nixpkgs/nixos/tests/sonarr.nix +++ b/nixpkgs/nixos/tests/sonarr.nix @@ -2,7 +2,7 @@ import ./make-test.nix ({ lib, ... }: with lib; -rec { +{ name = "sonarr"; meta.maintainers = with maintainers; [ etu ]; diff --git a/nixpkgs/nixos/tests/strongswan-swanctl.nix b/nixpkgs/nixos/tests/strongswan-swanctl.nix index 8bbebd423003..9bab9349ea73 100644 --- a/nixpkgs/nixos/tests/strongswan-swanctl.nix +++ b/nixpkgs/nixos/tests/strongswan-swanctl.nix @@ -65,16 +65,16 @@ in { enable = true; swanctl = { connections = { - "rw" = { + rw = { local_addrs = [ moonIp ]; - local."main" = { + local.main = { auth = "psk"; }; - remote."main" = { + remote.main = { auth = "psk"; }; children = { - "net" = { + net = { local_ts = [ vlan0 ]; updown = "${strongswan}/libexec/ipsec/_updown iptables"; inherit esp_proposals; @@ -85,8 +85,8 @@ in { }; }; secrets = { - ike."carol" = { - id."main" = carolIp; + ike.carol = { + id.main = carolIp; inherit secret; }; }; @@ -107,19 +107,19 @@ in { enable = true; swanctl = { connections = { - "home" = { + home = { local_addrs = [ carolIp ]; remote_addrs = [ moonIp ]; - local."main" = { + local.main = { auth = "psk"; id = carolIp; }; - remote."main" = { + remote.main = { auth = "psk"; id = moonIp; }; children = { - "home" = { + home = { remote_ts = [ vlan0 ]; start_action = "trap"; updown = "${strongswan}/libexec/ipsec/_updown iptables"; @@ -131,8 +131,8 @@ in { }; }; secrets = { - ike."moon" = { - id."main" = moonIp; + ike.moon = { + id.main = moonIp; inherit secret; }; }; diff --git a/nixpkgs/nixos/tests/virtualbox.nix b/nixpkgs/nixos/tests/virtualbox.nix index 844ce47d743f..32637d2c1efe 100644 --- a/nixpkgs/nixos/tests/virtualbox.nix +++ b/nixpkgs/nixos/tests/virtualbox.nix @@ -10,17 +10,10 @@ # to run 32-bit guests. useKvmNestedVirt ? false, # Whether to run 64-bit guests instead of 32-bit. Requires nested KVM. - use64bitGuest ? false, - # Whether to enable the virtual UART in VirtualBox guests, allowing to see - # the guest console. There is currently a bug in VirtualBox where this will - # cause a crash if running with SW virtualization - # (https://www.virtualbox.org/ticket/18632). If you need to debug the tests - # then enable this and nested KVM to work around the crash (see above). - enableVBoxUART ? false + use64bitGuest ? false }: assert use64bitGuest -> useKvmNestedVirt; -assert enableVBoxUART -> useKvmNestedVirt; # VirtualBox bug, see above with import ../lib/testing.nix { inherit system pkgs; }; with pkgs.lib; @@ -65,9 +58,6 @@ let "init=${pkgs.writeScript "mini-init.sh" miniInit}" ]; - # XXX: Remove this once TSS location detection has been fixed in VirtualBox - boot.kernelPackages = pkgs.linuxPackages_4_9; - fileSystems."/" = { device = "vboxshare"; fsType = "vboxsf"; @@ -162,11 +152,9 @@ let "--register" ]; - vmFlags = mkFlags ( - (optionals enableVBoxUART [ - "--uart1 0x3F8 4" - "--uartmode1 client /run/virtualbox-log-${name}.sock" - ]) ++ [ + vmFlags = mkFlags ([ + "--uart1 0x3F8 4" + "--uartmode1 client /run/virtualbox-log-${name}.sock" "--memory 768" "--audio none" ] ++ (attrs.vmFlags or [])); @@ -199,7 +187,7 @@ let ]; in { machine = { - systemd.sockets."vboxtestlog-${name}" = mkIf enableVBoxUART { + systemd.sockets."vboxtestlog-${name}" = { description = "VirtualBox Test Machine Log Socket For ${name}"; wantedBy = [ "sockets.target" ]; before = [ "multi-user.target" ]; @@ -207,7 +195,7 @@ let socketConfig.Accept = true; }; - systemd.services."vboxtestlog-${name}@" = mkIf enableVBoxUART { + systemd.services."vboxtestlog-${name}@" = { description = "VirtualBox Test Machine Log For ${name}"; serviceConfig.StandardInput = "socket"; serviceConfig.StandardOutput = "syslog"; |