diff options
Diffstat (limited to 'nixos/modules/services/misc')
-rw-r--r-- | nixos/modules/services/misc/apache-kafka.nix | 14 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-daemon.nix | 45 | ||||
-rw-r--r-- | nixos/modules/services/misc/nixos-manual.nix | 14 | ||||
-rw-r--r-- | nixos/modules/services/misc/octoprint.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/ssm-agent.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/default.nix | 135 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/doc.xml | 6 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/helper-tool.py | 43 |
8 files changed, 163 insertions, 97 deletions
diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix index cff053396885..82fa1cc2e7e5 100644 --- a/nixos/modules/services/misc/apache-kafka.nix +++ b/nixos/modules/services/misc/apache-kafka.nix @@ -19,13 +19,8 @@ let ${toString cfg.extraProperties} ''; - configDir = pkgs.buildEnv { - name = "apache-kafka-conf"; - paths = [ - (pkgs.writeTextDir "server.properties" serverProperties) - (pkgs.writeTextDir "log4j.properties" cfg.log4jProperties) - ]; - }; + serverConfig = pkgs.writeText "server.properties" serverProperties; + logConfig = pkgs.writeText "log4j.properties" cfg.log4jProperties; in { @@ -143,10 +138,11 @@ in { serviceConfig = { ExecStart = '' ${pkgs.jre}/bin/java \ - -cp "${cfg.package}/libs/*:${configDir}" \ + -cp "${cfg.package}/libs/*" \ + -Dlog4j.configuration=file:${logConfig} \ ${toString cfg.jvmOptions} \ kafka.Kafka \ - ${configDir}/server.properties + ${serverConfig} ''; User = "apache-kafka"; PermissionsStartOnly = true; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 7101cadfeed2..5088c4e60691 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -8,6 +8,8 @@ let nix = cfg.package.out; + isNix112 = versionAtLeast (getVersion nix) "1.12pre4997"; + makeNixBuildUser = nr: { name = "nixbld${toString nr}"; description = "Nix build user ${toString nr}"; @@ -162,22 +164,23 @@ in buildMachines = mkOption { type = types.listOf types.attrs; default = []; - example = [ - { hostName = "voila.labs.cs.uu.nl"; - sshUser = "nix"; - sshKey = "/root/.ssh/id_buildfarm"; - system = "powerpc-darwin"; - maxJobs = 1; - } - { hostName = "linux64.example.org"; - sshUser = "buildfarm"; - sshKey = "/root/.ssh/id_buildfarm"; - system = "x86_64-linux"; - maxJobs = 2; - supportedFeatures = [ "kvm" ]; - mandatoryFeatures = [ "perf" ]; - } - ]; + example = literalExample '' + [ { hostName = "voila.labs.cs.uu.nl"; + sshUser = "nix"; + sshKey = "/root/.ssh/id_buildfarm"; + system = "powerpc-darwin"; + maxJobs = 1; + } + { hostName = "linux64.example.org"; + sshUser = "buildfarm"; + sshKey = "/root/.ssh/id_buildfarm"; + system = "x86_64-linux"; + maxJobs = 2; + supportedFeatures = [ "kvm" ]; + mandatoryFeatures = [ "perf" ]; + } + ] + ''; description = '' This option lists the machines to be used if distributed builds are enabled (see @@ -380,7 +383,9 @@ in nix.envVars = { NIX_CONF_DIR = "/etc/nix"; + } + // optionalAttrs (!isNix112) { # Enable the copy-from-other-stores substituter, which allows # builds to be sped up by copying build results from remote # Nix stores. To do this, mount the remote file system on a @@ -389,9 +394,11 @@ in } // optionalAttrs cfg.distributedBuilds { - NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl"; - NIX_REMOTE_SYSTEMS = "/etc/nix/machines"; - NIX_CURRENT_LOAD = "/run/nix/current-load"; + NIX_BUILD_HOOK = + if isNix112 then + "${nix}/libexec/nix/build-remote" + else + "${nix}/libexec/nix/build-remote.pl"; }; # Set up the environment variables for running Nix. diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 306ee346523d..622607f3b32d 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -41,7 +41,7 @@ let entry = "${manual.manual}/share/doc/nixos/index.html"; - help = pkgs.writeScriptBin "nixos-help" + helpScript = pkgs.writeScriptBin "nixos-help" '' #! ${pkgs.stdenv.shell} -e browser="$BROWSER" @@ -58,6 +58,15 @@ let exec "$browser" ${entry} ''; + desktopItem = pkgs.makeDesktopItem { + name = "nixos-manual"; + desktopName = "NixOS Manual"; + genericName = "View NixOS documentation in a web browser"; + # TODO: find a better icon (Nix logo + help overlay?) + icon = "system-help"; + exec = "${helpScript}/bin/nixos-help"; + categories = "System"; + }; in { @@ -105,7 +114,8 @@ in system.build.manual = manual; environment.systemPackages = - [ manual.manual help ] + [ manual.manual helpScript ] + ++ optional config.services.xserver.enable desktopItem ++ optional config.programs.man.enable manual.manpages; boot.extraTTYs = mkIf cfg.showManual ["tty${toString cfg.ttyNumber}"]; diff --git a/nixos/modules/services/misc/octoprint.nix b/nixos/modules/services/misc/octoprint.nix index c2b3f63be7d4..8faad46a49f1 100644 --- a/nixos/modules/services/misc/octoprint.nix +++ b/nixos/modules/services/misc/octoprint.nix @@ -7,7 +7,7 @@ let cfg = config.services.octoprint; baseConfig = { - plugins.cura.cura_engine = "${pkgs.curaengine}/bin/CuraEngine"; + plugins.cura.cura_engine = "${pkgs.curaengine_stable}/bin/CuraEngine"; server.host = cfg.host; server.port = cfg.port; webcam.ffmpeg = "${pkgs.ffmpeg.bin}/bin/ffmpeg"; diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/ssm-agent.nix index b04959a9686a..c1e1f0903539 100644 --- a/nixos/modules/services/misc/ssm-agent.nix +++ b/nixos/modules/services/misc/ssm-agent.nix @@ -23,6 +23,7 @@ in { type = types.path; description = "The SSM agent package to use"; default = pkgs.ssm-agent; + defaultText = "pkgs.ssm-agent"; }; }; diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index d28c5dc7af85..826f463bbd75 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -94,44 +94,6 @@ let in flatten (mapAttrsToList mkSublist attrs); in all isNull (findPkiDefinitions [] manualPkiOptions); - configFile = pkgs.writeText "taskdrc" ('' - # systemd related - daemon = false - log = - - - # logging - ${mkConfLine "debug" cfg.debug} - ${mkConfLine "ip.log" cfg.ipLog} - - # general - ${mkConfLine "ciphers" cfg.ciphers} - ${mkConfLine "confirmation" cfg.confirmation} - ${mkConfLine "extensions" cfg.extensions} - ${mkConfLine "queue.size" cfg.queueSize} - ${mkConfLine "request.limit" cfg.requestLimit} - - # client - ${mkConfLine "client.allow" cfg.allowedClientIDs} - ${mkConfLine "client.deny" cfg.disallowedClientIDs} - - # server - server = ${cfg.listenHost}:${toString cfg.listenPort} - ${mkConfLine "trust" cfg.trust} - - # PKI options - ${if needToCreateCA then '' - ca.cert = ${cfg.dataDir}/keys/ca.cert - server.cert = ${cfg.dataDir}/keys/server.cert - server.key = ${cfg.dataDir}/keys/server.key - server.crl = ${cfg.dataDir}/keys/server.crl - '' else '' - ca.cert = ${cfg.pki.manual.ca.cert} - server.cert = ${cfg.pki.manual.server.cert} - server.key = ${cfg.pki.manual.server.key} - server.crl = ${cfg.pki.manual.server.crl} - ''} - '' + cfg.extraConfig); - orgOptions = { name, ... }: { options.users = mkOption { type = types.uniq (types.listOf types.str); @@ -154,9 +116,8 @@ let certtool = "${pkgs.gnutls.bin}/bin/certtool"; - nixos-taskserver = pkgs.pythonPackages.buildPythonPackage { + nixos-taskserver = pkgs.pythonPackages.buildPythonApplication { name = "nixos-taskserver"; - namePrefix = ""; src = pkgs.runCommand "nixos-taskserver-src" {} '' mkdir -p "$out" @@ -167,6 +128,7 @@ let certBits = cfg.pki.auto.bits; clientExpiration = cfg.pki.auto.expiration.client; crlExpiration = cfg.pki.auto.expiration.crl; + isAutoConfig = if needToCreateCA then "True" else "False"; }}" > "$out/main.py" cat > "$out/setup.py" <<EOF from setuptools import setup @@ -365,20 +327,57 @@ in { pki.manual = manualPkiOptions; pki.auto = autoPkiOptions; - extraConfig = mkOption { - type = types.lines; - default = ""; - example = "client.cert = /tmp/debugging.cert"; + config = mkOption { + type = types.attrs; + example.client.cert = "/tmp/debugging.cert"; description = '' - Extra lines to append to the taskdrc configuration file. + Configuration options to pass to Taskserver. + + The options here are the same as described in <citerefentry> + <refentrytitle>taskdrc</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>, but with one difference: + + The <literal>server</literal> option is + <literal>server.listen</literal> here, because the + <literal>server</literal> option would collide with other options + like <literal>server.cert</literal> and we would run in a type error + (attribute set versus string). + + Nix types like integers or booleans are automatically converted to + the right values Taskserver would expect. ''; + apply = let + mkKey = path: if path == ["server" "listen"] then "server" + else concatStringsSep "." path; + recurse = path: attrs: let + mapper = name: val: let + newPath = path ++ [ name ]; + scalar = if val == true then "true" + else if val == false then "false" + else toString val; + in if isAttrs val then recurse newPath val + else [ "${mkKey newPath}=${scalar}" ]; + in concatLists (mapAttrsToList mapper attrs); + in recurse []; }; }; }; + imports = [ + (mkRemovedOptionModule ["services" "taskserver" "extraConfig"] '' + This option was removed in favor of `services.taskserver.config` with + different semantics (it's now a list of attributes instead of lines). + + Please look up the documentation of `services.taskserver.config' to get + more information about the new way to pass additional configuration + options. + '') + ]; + config = mkMerge [ (mkIf cfg.enable { - environment.systemPackages = [ pkgs.taskserver nixos-taskserver ]; + environment.systemPackages = [ nixos-taskserver ]; users.users = optional (cfg.user == "taskd") { name = "taskd"; @@ -392,6 +391,44 @@ in { gid = config.ids.gids.taskd; }; + services.taskserver.config = { + # systemd related + daemon = false; + log = "-"; + + # logging + debug = cfg.debug; + ip.log = cfg.ipLog; + + # general + ciphers = cfg.ciphers; + confirmation = cfg.confirmation; + extensions = cfg.extensions; + queue.size = cfg.queueSize; + request.limit = cfg.requestLimit; + + # client + client.allow = cfg.allowedClientIDs; + client.deny = cfg.disallowedClientIDs; + + # server + trust = cfg.trust; + server = { + listen = "${cfg.listenHost}:${toString cfg.listenPort}"; + } // (if needToCreateCA then { + cert = "${cfg.dataDir}/keys/server.cert"; + key = "${cfg.dataDir}/keys/server.key"; + crl = "${cfg.dataDir}/keys/server.crl"; + } else { + cert = "${cfg.pki.manual.server.cert}"; + key = "${cfg.pki.manual.server.key}"; + crl = "${cfg.pki.manual.server.crl}"; + }); + + ca.cert = if needToCreateCA then "${cfg.dataDir}/keys/ca.cert" + else "${cfg.pki.manual.ca.cert}"; + }; + systemd.services.taskserver-init = { wantedBy = [ "taskserver.service" ]; before = [ "taskserver.service" ]; @@ -404,7 +441,6 @@ in { script = '' ${taskd} init - echo "include ${configFile}" > "${cfg.dataDir}/config" touch "${cfg.dataDir}/.is_initialized" ''; @@ -436,7 +472,10 @@ in { in "${helperTool} process-json '${jsonFile}'"; serviceConfig = { - ExecStart = "@${taskd} taskd server"; + ExecStart = let + mkCfgFlag = flag: escapeShellArg "--${flag}"; + cfgFlags = concatMapStringsSep " " mkCfgFlag cfg.config; + in "@${taskd} taskd server ${cfgFlags}"; ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; Restart = "on-failure"; PermissionsStartOnly = true; diff --git a/nixos/modules/services/misc/taskserver/doc.xml b/nixos/modules/services/misc/taskserver/doc.xml index 48591129264a..6d4d2a9b488c 100644 --- a/nixos/modules/services/misc/taskserver/doc.xml +++ b/nixos/modules/services/misc/taskserver/doc.xml @@ -136,9 +136,9 @@ $ ssh server nixos-taskserver user export my-company alice | sh <para> If you set any options within - <option>service.taskserver.pki.manual.*</option>, the automatic user and - CA management by the <command>nixos-taskserver</command> is disabled and - you need to create certificates and keys by yourself. + <option>service.taskserver.pki.manual.*</option>, + <command>nixos-taskserver</command> won't issue certificates, but you can + still use it for adding or removing user accounts. </para> </section> </chapter> diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py index 03e7cdf8987a..b97bc1df74f7 100644 --- a/nixos/modules/services/misc/taskserver/helper-tool.py +++ b/nixos/modules/services/misc/taskserver/helper-tool.py @@ -13,6 +13,7 @@ from tempfile import NamedTemporaryFile import click +IS_AUTO_CONFIG = @isAutoConfig@ # NOQA CERTTOOL_COMMAND = "@certtool@" CERT_BITS = "@certBits@" CLIENT_EXPIRATION = "@clientExpiration@" @@ -149,6 +150,12 @@ def create_template(contents): def generate_key(org, user): + if not IS_AUTO_CONFIG: + msg = "Automatic PKI handling is disabled, you need to " \ + "manually issue a client certificate for user {}.\n" + sys.stderr.write(msg.format(user)) + return + basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user) if os.path.exists(basedir): raise OSError("Keyfile directory for {} already exists.".format(user)) @@ -243,26 +250,32 @@ class User(object): self.key = key def export(self): - pubcert = getkey(self.__org, self.name, "public.cert") - privkey = getkey(self.__org, self.name, "private.key") - cacert = getkey("ca.cert") - - keydir = "${TASKDATA:-$HOME/.task}/keys" - credentials = '/'.join([self.__org, self.name, self.key]) allow_unquoted = string.ascii_letters + string.digits + "/-_." if not all((c in allow_unquoted) for c in credentials): credentials = "'" + credentials.replace("'", r"'\''") + "'" - script = [ - "umask 0077", - 'mkdir -p "{}"'.format(keydir), - mktaskkey("certificate", os.path.join(keydir, "public.cert"), - pubcert), - mktaskkey("key", os.path.join(keydir, "private.key"), privkey), - mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert), + script = [] + + if IS_AUTO_CONFIG: + pubcert = getkey(self.__org, self.name, "public.cert") + privkey = getkey(self.__org, self.name, "private.key") + cacert = getkey("ca.cert") + + keydir = "${TASKDATA:-$HOME/.task}/keys" + + script += [ + "umask 0077", + 'mkdir -p "{}"'.format(keydir), + mktaskkey("certificate", os.path.join(keydir, "public.cert"), + pubcert), + mktaskkey("key", os.path.join(keydir, "private.key"), privkey), + mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert) + ] + + script.append( "task config taskd.credentials -- {}".format(credentials) - ] + ) return "\n".join(script) + "\n" @@ -526,7 +539,7 @@ def export_user(organisation, user): userobj = organisation.get_user(user) if userobj is None: msg = "User {} doesn't exist in organisation {}." - sys.exit(msg.format(userobj.name, organisation.name)) + sys.exit(msg.format(user, organisation.name)) sys.stdout.write(userobj.export()) |