diff options
Diffstat (limited to 'nixos/modules/services/misc')
-rw-r--r-- | nixos/modules/services/misc/airsonic.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/docker-registry.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/misc/errbot.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitea.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 202 | ||||
-rw-r--r-- | nixos/modules/services/misc/gollum.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/home-assistant.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/jellyfin.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/misc/lidarr.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/misc/matrix-synapse.nix | 40 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-daemon.nix | 93 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-optimise.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/misc/osrm.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/pykms.nix | 39 |
14 files changed, 233 insertions, 182 deletions
diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 919d3b2f6e64..c296e048cea4 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -148,6 +148,7 @@ in { name = cfg.user; home = cfg.home; createHome = true; + isSystemUser = true; }; }; } diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix index c87607d2666a..89bac4f47d73 100644 --- a/nixos/modules/services/misc/docker-registry.nix +++ b/nixos/modules/services/misc/docker-registry.nix @@ -145,11 +145,13 @@ in { }; users.users.docker-registry = - if cfg.storagePath != null + (if cfg.storagePath != null then { createHome = true; home = cfg.storagePath; } - else {}; + else {}) // { + isSystemUser = true; + }; }; } diff --git a/nixos/modules/services/misc/errbot.nix b/nixos/modules/services/misc/errbot.nix index 256adce2f02e..b447ba5d438d 100644 --- a/nixos/modules/services/misc/errbot.nix +++ b/nixos/modules/services/misc/errbot.nix @@ -76,7 +76,10 @@ in { }; config = mkIf (cfg.instances != {}) { - users.users.errbot.group = "errbot"; + users.users.errbot = { + group = "errbot"; + isSystemUser = true; + }; users.groups.errbot = {}; systemd.services = mapAttrs' (name: instanceCfg: nameValuePair "errbot-${name}" ( diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 59c1c104b9b9..c8c59fb256e8 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -322,6 +322,7 @@ in "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -" "d '${cfg.stateDir}/custom' - ${cfg.user} gitea - -" "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/log' - ${cfg.user} gitea - -" "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -" "Z '${cfg.stateDir}' - ${cfg.user} gitea - -" @@ -408,6 +409,7 @@ in home = cfg.stateDir; useDefaultShell = true; group = "gitea"; + isSystemUser = true; }; }; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index caef4ad4ea80..07ea9c458437 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, utils, ... }: -# TODO: support non-postgresql - with lib; let @@ -9,6 +7,11 @@ let ruby = cfg.packages.gitlab.ruby; + postgresqlPackage = if config.services.postgresql.enable then + config.services.postgresql.package + else + pkgs.postgresql; + gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; @@ -24,6 +27,9 @@ let } // cfg.extraDatabaseConfig; }; + # We only want to create a database if we're actually going to connect to it. + databaseActuallyCreateLocally = cfg.databaseCreateLocally && cfg.databaseHost == ""; + gitalyToml = pkgs.writeText "gitaly.toml" '' socket_path = "${lib.escape ["\""] gitalySocket}" bin_dir = "${cfg.packages.gitaly}/bin" @@ -140,7 +146,7 @@ let mkdir -p $out/bin makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rake $out/bin/gitlab-rake \ ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ - --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package pkgs.coreutils pkgs.procps ]}:$PATH' \ + --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \ --set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \ --run 'cd ${cfg.packages.gitlab}/share/gitlab' ''; @@ -155,7 +161,7 @@ let mkdir -p $out/bin makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rails $out/bin/gitlab-rails \ ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ - --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package pkgs.coreutils pkgs.procps ]}:$PATH' \ + --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \ --run 'cd ${cfg.packages.gitlab}/share/gitlab' ''; }; @@ -225,7 +231,15 @@ in { statePath = mkOption { type = types.str; default = "/var/gitlab/state"; - description = "Gitlab state directory, logs are stored here."; + description = '' + Gitlab state directory. Configuration, repositories and + logs, among other things, are stored here. + + The directory will be created automatically if it doesn't + exist already. Its parent directories must be owned by + either <literal>root</literal> or the user set in + <option>services.gitlab.user</option>. + ''; }; backupPath = mkOption { @@ -260,8 +274,8 @@ in { description = '' Whether a database should be automatically created on the local host. Set this to <literal>false</literal> if you plan - on provisioning a local database yourself or use an external - one. + on provisioning a local database yourself. This has no effect + if <option>services.gitlab.databaseHost</option> is customized. ''; }; @@ -551,8 +565,8 @@ in { assertions = [ { - assertion = cfg.databaseCreateLocally -> (cfg.user == cfg.databaseUsername); - message = "For local automatic database provisioning services.gitlab.user and services.gitlab.databaseUsername should be identical."; + assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.databaseUsername); + message = ''For local automatic database provisioning (services.gitlab.databaseCreateLocally == true) with peer authentication (services.gitlab.databaseHost == "") to work services.gitlab.user and services.gitlab.databaseUsername must be identical.''; } { assertion = (cfg.databaseHost != "") -> (cfg.databasePasswordFile != null); @@ -586,14 +600,16 @@ in { services.redis.enable = mkDefault true; # We use postgres as the main data store. - services.postgresql = optionalAttrs cfg.databaseCreateLocally { + services.postgresql = optionalAttrs databaseActuallyCreateLocally { enable = true; ensureUsers = singleton { name = cfg.databaseUsername; }; }; # The postgresql module doesn't currently support concepts like # objects owners and extensions; for now we tack on what's needed # here. - systemd.services.postgresql.postStart = mkAfter (optionalString cfg.databaseCreateLocally '' + systemd.services.postgresql.postStart = mkAfter (optionalString databaseActuallyCreateLocally '' + set -eu + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${cfg.databaseName}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${cfg.databaseName}" OWNER "${cfg.databaseUsername}"' current_owner=$($PSQL -tAc "SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_catalog.pg_database WHERE datname = '${cfg.databaseName}'") if [[ "$current_owner" != "${cfg.databaseUsername}" ]]; then @@ -635,7 +651,7 @@ in { "d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -" - "D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -" + "d ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -" @@ -652,7 +668,6 @@ in { "d ${gitlabConfig.production.shared.path}/artifacts 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/lfs-objects 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/pages 0750 ${cfg.user} ${cfg.group} -" - "L+ ${cfg.statePath}/lib - - - - ${cfg.packages.gitlab}/share/gitlab/lib" "L+ /run/gitlab/config - - - - ${cfg.statePath}/config" "L+ /run/gitlab/log - - - - ${cfg.statePath}/log" "L+ /run/gitlab/tmp - - - - ${cfg.statePath}/tmp" @@ -669,12 +684,16 @@ in { wantedBy = [ "multi-user.target" ]; environment = gitlabEnv; path = with pkgs; [ - config.services.postgresql.package + postgresqlPackage gitAndTools.git ruby openssh nodejs gnupg + + # Needed for GitLab project imports + gnutar + gzip ]; serviceConfig = { Type = "simple"; @@ -722,7 +741,6 @@ in { gitlab-workhorse ]; serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root Type = "simple"; User = cfg.user; Group = cfg.group; @@ -746,89 +764,109 @@ in { wantedBy = [ "multi-user.target" ]; environment = gitlabEnv; path = with pkgs; [ - config.services.postgresql.package + postgresqlPackage gitAndTools.git openssh nodejs procps gnupg ]; - preStart = '' - cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION - rm -rf ${cfg.statePath}/db/* - cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config - cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db - - ${cfg.packages.gitlab-shell}/bin/install - - ${optionalString cfg.smtp.enable '' - install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb - ${optionalString (cfg.smtp.passwordFile != null) '' - smtp_password=$(<'${cfg.smtp.passwordFile}') - ${pkgs.replace}/bin/replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' - ''} - ''} - ( - umask u=rwx,g=,o= + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + TimeoutSec = "infinity"; + Restart = "on-failure"; + WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; + ExecStartPre = let + preStartFullPrivileges = '' + shopt -s dotglob nullglob + set -eu - ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret + chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/* + chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/config/* + ''; + preStart = '' + set -eu - ${if cfg.databasePasswordFile != null then '' - export db_password="$(<'${cfg.databasePasswordFile}')" + cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION + rm -rf ${cfg.statePath}/db/* + rm -rf ${cfg.statePath}/config/initializers/* + rm -f ${cfg.statePath}/lib + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db - if [[ -z "$db_password" ]]; then - >&2 echo "Database password was an empty string!" - exit 1 - fi + ${cfg.packages.gitlab-shell}/bin/install - ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ - '.production.password = $ENV.db_password' \ - >'${cfg.statePath}/config/database.yml' - '' - else '' - ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ - >'${cfg.statePath}/config/database.yml' - '' - } - - ${utils.genJqSecretsReplacementSnippet - gitlabConfig - "${cfg.statePath}/config/gitlab.yml" - } - - if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then - rm '${cfg.statePath}/config/secrets.yml' - fi + ${optionalString cfg.smtp.enable '' + install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb + ${optionalString (cfg.smtp.passwordFile != null) '' + smtp_password=$(<'${cfg.smtp.passwordFile}') + ${pkgs.replace}/bin/replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' + ''} + ''} - export secret="$(<'${cfg.secrets.secretFile}')" - export db="$(<'${cfg.secrets.dbFile}')" - export otp="$(<'${cfg.secrets.otpFile}')" - export jws="$(<'${cfg.secrets.jwsFile}')" - ${pkgs.jq}/bin/jq -n '{production: {secret_key_base: $ENV.secret, - otp_key_base: $ENV.db, - db_key_base: $ENV.otp, - openid_connect_signing_key: $ENV.jws}}' \ - > '${cfg.statePath}/config/secrets.yml' - ) + ( + umask u=rwx,g=,o= - initial_root_password="$(<'${cfg.initialRootPasswordFile}')" - ${gitlab-rake}/bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD="$initial_root_password" \ - GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' + ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret - # We remove potentially broken links to old gitlab-shell versions - rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks + if [[ -h '${cfg.statePath}/config/database.yml' ]]; then + rm '${cfg.statePath}/config/database.yml' + fi - ${pkgs.git}/bin/git config --global core.autocrlf "input" - ''; + ${if cfg.databasePasswordFile != null then '' + export db_password="$(<'${cfg.databasePasswordFile}')" + + if [[ -z "$db_password" ]]; then + >&2 echo "Database password was an empty string!" + exit 1 + fi + + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + '.production.password = $ENV.db_password' \ + >'${cfg.statePath}/config/database.yml' + '' + else '' + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + >'${cfg.statePath}/config/database.yml' + '' + } + + ${utils.genJqSecretsReplacementSnippet + gitlabConfig + "${cfg.statePath}/config/gitlab.yml" + } + + if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then + rm '${cfg.statePath}/config/secrets.yml' + fi - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - TimeoutSec = "infinity"; - Restart = "on-failure"; - WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; + export secret="$(<'${cfg.secrets.secretFile}')" + export db="$(<'${cfg.secrets.dbFile}')" + export otp="$(<'${cfg.secrets.otpFile}')" + export jws="$(<'${cfg.secrets.jwsFile}')" + ${pkgs.jq}/bin/jq -n '{production: {secret_key_base: $ENV.secret, + otp_key_base: $ENV.otp, + db_key_base: $ENV.db, + openid_connect_signing_key: $ENV.jws}}' \ + > '${cfg.statePath}/config/secrets.yml' + ) + + initial_root_password="$(<'${cfg.initialRootPasswordFile}')" + ${gitlab-rake}/bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD="$initial_root_password" \ + GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' > /dev/null + + # We remove potentially broken links to old gitlab-shell versions + rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks + + ${pkgs.git}/bin/git config --global core.autocrlf "input" + ''; + in [ + "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}" + "${pkgs.writeShellScript "gitlab-pre-start" preStart}" + ]; ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/unicorn -c ${cfg.statePath}/config/unicorn.rb -E production"; }; diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix index 7653b415bf09..f4a9c72b1545 100644 --- a/nixos/modules/services/misc/gollum.nix +++ b/nixos/modules/services/misc/gollum.nix @@ -71,6 +71,7 @@ in group = config.users.users.gollum.name; description = "Gollum user"; createHome = false; + isSystemUser = true; }; users.groups.gollum = { }; diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index f1b351246740..74702c97f551 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -224,6 +224,7 @@ in { KillSignal = "SIGINT"; PrivateTmp = true; RemoveIPC = true; + AmbientCapabilities = "cap_net_raw,cap_net_admin+eip"; }; path = [ "/run/wrappers" # needed for ping diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 55559206568d..6ecdfb57dc35 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -41,7 +41,10 @@ in }; users.users = mkIf (cfg.user == "jellyfin") { - jellyfin.group = cfg.group; + jellyfin = { + group = cfg.group; + isSystemUser = true; + }; }; users.groups = mkIf (cfg.group == "jellyfin") { diff --git a/nixos/modules/services/misc/lidarr.nix b/nixos/modules/services/misc/lidarr.nix index 40755c162171..8ff1adadcf23 100644 --- a/nixos/modules/services/misc/lidarr.nix +++ b/nixos/modules/services/misc/lidarr.nix @@ -10,6 +10,12 @@ in services.lidarr = { enable = mkEnableOption "Lidarr"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/lidarr/.config/Lidarr"; + description = "The directory where Lidarr stores its data files."; + }; + package = mkOption { type = types.package; default = pkgs.lidarr; @@ -44,6 +50,10 @@ in }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.lidarr = { description = "Lidarr"; after = [ "network.target" ]; @@ -53,11 +63,8 @@ in Type = "simple"; User = cfg.user; Group = cfg.group; - ExecStart = "${cfg.package}/bin/Lidarr"; + ExecStart = "${cfg.package}/bin/Lidarr -nobrowser -data='${cfg.dataDir}'"; Restart = "on-failure"; - - StateDirectory = "lidarr"; - StateDirectoryMode = "0770"; }; }; diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 018fac386163..0f4eb2ccfcad 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -79,7 +79,11 @@ turn_user_lifetime: "${cfg.turn_user_lifetime}" user_creation_max_duration: ${cfg.user_creation_max_duration} bcrypt_rounds: ${cfg.bcrypt_rounds} allow_guest_access: ${boolToString cfg.allow_guest_access} -trusted_third_party_id_servers: ${builtins.toJSON cfg.trusted_third_party_id_servers} + +account_threepid_delegates: + ${optionalString (cfg.account_threepid_delegates.email != null) "email: ${cfg.account_threepid_delegates.email}"} + ${optionalString (cfg.account_threepid_delegates.msisdn != null) "msisdn: ${cfg.account_threepid_delegates.msisdn}"} + room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types} ${optionalString (cfg.macaroon_secret_key != null) '' macaroon_secret_key: "${cfg.macaroon_secret_key}" @@ -102,6 +106,7 @@ perspectives: '') cfg.servers)} } } +redaction_retention_period: ${toString cfg.redaction_retention_period} app_service_config_files: ${builtins.toJSON cfg.app_service_config_files} ${cfg.extraConfig} @@ -552,14 +557,18 @@ in { accessible to anonymous users. ''; }; - trusted_third_party_id_servers = mkOption { - type = types.listOf types.str; - default = [ - "matrix.org" - "vector.im" - ]; + account_threepid_delegates.email = mkOption { + type = types.nullOr types.str; + default = null; description = '' - The list of identity servers trusted to verify third party identifiers by this server. + Delegate email sending to https://example.org + ''; + }; + account_threepid_delegates.msisdn = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Delegate SMS sending to this local process (https://localhost:8090) ''; }; room_invite_state_types = mkOption { @@ -600,6 +609,13 @@ in { A list of application service config file to use ''; }; + redaction_retention_period = mkOption { + type = types.int; + default = 7; + description = '' + How long to keep redacted events in unredacted form in the database. + ''; + }; extraConfig = mkOption { type = types.lines; default = ""; @@ -699,4 +715,12 @@ in { }; }; }; + + imports = [ + (mkRemovedOptionModule [ "services" "matrix-synapse" "trusted_third_party_id_servers" ] '' + The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0 + as the behavior is now obsolete. + '') + ]; + } diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 3826f728afd0..dcec4d4fc6cd 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -10,7 +10,7 @@ let nixVersion = getVersion nix; - isNix20 = versionAtLeast nixVersion "2.0pre"; + isNix23 = versionAtLeast nixVersion "2.3pre"; makeNixBuildUser = nr: { name = "nixbld${toString nr}"; @@ -27,43 +27,30 @@ let nixbldUsers = map makeNixBuildUser (range 1 cfg.nrBuildUsers); nixConf = - let - # In Nix < 2.0, If we're using sandbox for builds, then provide - # /bin/sh in the sandbox as a bind-mount to bash. This means we - # also need to include the entire closure of bash. Nix >= 2.0 - # provides a /bin/sh by default. - sh = pkgs.runtimeShell; - binshDeps = pkgs.writeReferencesToFile sh; - in - pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } ('' - ${optionalString (!isNix20) '' - extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done) - ''} + assert versionAtLeast nixVersion "2.2"; + pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } ( + '' cat > $out <<END # WARNING: this file is generated from the nix.* options in # your NixOS configuration, typically # /etc/nixos/configuration.nix. Do not edit it! build-users-group = nixbld - ${if isNix20 then "max-jobs" else "build-max-jobs"} = ${toString (cfg.maxJobs)} - ${if isNix20 then "cores" else "build-cores"} = ${toString (cfg.buildCores)} - ${if isNix20 then "sandbox" else "build-use-sandbox"} = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox} - ${if isNix20 then "extra-sandbox-paths" else "build-sandbox-paths"} = ${toString cfg.sandboxPaths} ${optionalString (!isNix20) "/bin/sh=${sh} $(echo $extraPaths)"} - ${if isNix20 then "substituters" else "binary-caches"} = ${toString cfg.binaryCaches} - ${if isNix20 then "trusted-substituters" else "trusted-binary-caches"} = ${toString cfg.trustedBinaryCaches} - ${if isNix20 then "trusted-public-keys" else "binary-cache-public-keys"} = ${toString cfg.binaryCachePublicKeys} + max-jobs = ${toString (cfg.maxJobs)} + cores = ${toString (cfg.buildCores)} + sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox} + extra-sandbox-paths = ${toString cfg.sandboxPaths} + substituters = ${toString cfg.binaryCaches} + trusted-substituters = ${toString cfg.trustedBinaryCaches} + trusted-public-keys = ${toString cfg.binaryCachePublicKeys} auto-optimise-store = ${boolToString cfg.autoOptimiseStore} - ${if isNix20 then '' - require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"} - '' else '' - signed-binary-caches = ${if cfg.requireSignedBinaryCaches then "*" else ""} - ''} + require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"} trusted-users = ${toString cfg.trustedUsers} allowed-users = ${toString cfg.allowedUsers} - ${optionalString (isNix20 && !cfg.distributedBuilds) '' + ${optionalString (!cfg.distributedBuilds) '' builders = ''} system-features = ${toString cfg.systemFeatures} - ${optionalString (versionAtLeast nixVersion "2.3pre") '' + ${optionalString isNix23 '' sandbox-fallback = false ''} $extraOptions @@ -74,7 +61,7 @@ let '' else '' echo "Checking that Nix can read nix.conf..." ln -s $out ./nix.conf - NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config >/dev/null + NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net --option experimental-features nix-command"} >/dev/null '') ); @@ -165,8 +152,8 @@ in type = types.lines; default = ""; example = '' - gc-keep-outputs = true - gc-keep-derivations = true + keep-outputs = true + keep-derivations = true ''; description = "Additional text appended to <filename>nix.conf</filename>."; }; @@ -421,8 +408,7 @@ in systemd.services.nix-daemon = { path = [ nix pkgs.utillinux config.programs.ssh.package ] - ++ optionals cfg.distributedBuilds [ pkgs.gzip ] - ++ optionals (!isNix20) [ pkgs.openssl.bin ]; + ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; environment = cfg.envVars // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } @@ -439,34 +425,13 @@ in restartTriggers = [ nixConf ]; }; - nix.envVars = - optionalAttrs (!isNix20) { - NIX_CONF_DIR = "/etc/nix"; - - # Enable the copy-from-other-stores substituter, which allows - # builds to be sped up by copying build results from remote - # Nix stores. To do this, mount the remote file system on a - # subdirectory of /run/nix/remote-stores. - NIX_OTHER_STORES = "/run/nix/remote-stores/*/nix"; - } - - // optionalAttrs (cfg.distributedBuilds && !isNix20) { - NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl"; - }; - # Set up the environment variables for running Nix. environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; - environment.extraInit = optionalString (!isNix20) + environment.extraInit = '' - # Set up secure multi-user builds: non-root users build through the - # Nix daemon. - if [ "$USER" != root -o ! -w /nix/var/nix/db ]; then - export NIX_REMOTE=daemon - fi - '' + '' if [ -e "$HOME/.nix-defexpr/channels" ]; then export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" fi @@ -478,21 +443,15 @@ in services.xserver.displayManager.hiddenUsers = map ({ name, ... }: name) nixbldUsers; - # FIXME: use systemd-tmpfiles to create Nix directories. system.activationScripts.nix = stringAfter [ "etc" "users" ] '' - # Nix initialisation. - install -m 0755 -d \ - /nix/var/nix/gcroots \ - /nix/var/nix/temproots \ - /nix/var/nix/userpool \ - /nix/var/nix/profiles \ - /nix/var/nix/db \ - /nix/var/log/nix/drvs - install -m 1777 -d \ - /nix/var/nix/gcroots/per-user \ - /nix/var/nix/profiles/per-user \ - /nix/var/nix/gcroots/tmp + # Create directories in /nix. + ${nix}/bin/nix ping-store --no-net + + # Subscribe the root user to the NixOS channel by default. + if [ ! -e "/root/.nix-channels" ]; then + echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" + fi ''; nix.systemFeatures = mkDefault ( diff --git a/nixos/modules/services/misc/nix-optimise.nix b/nixos/modules/services/misc/nix-optimise.nix index 416529f690e0..e02026d5f76c 100644 --- a/nixos/modules/services/misc/nix-optimise.nix +++ b/nixos/modules/services/misc/nix-optimise.nix @@ -40,8 +40,8 @@ in systemd.services.nix-optimise = { description = "Nix Store Optimiser"; - # No point running it inside a nixos-container. It should be on the host instead. - unitConfig.ConditionVirtualization = "!container"; + # No point this if the nix daemon (and thus the nix store) is outside + unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket"; serviceConfig.ExecStart = "${config.nix.package}/bin/nix-store --optimise"; startAt = optionals cfg.automatic cfg.dates; }; diff --git a/nixos/modules/services/misc/osrm.nix b/nixos/modules/services/misc/osrm.nix index f89f37ccd9df..79c347ab7e0e 100644 --- a/nixos/modules/services/misc/osrm.nix +++ b/nixos/modules/services/misc/osrm.nix @@ -59,6 +59,7 @@ in group = config.users.users.osrm.name; description = "OSRM user"; createHome = false; + isSystemUser = true; }; users.groups.osrm = { }; diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix index ab00086e591e..e2d1254602b0 100644 --- a/nixos/modules/services/misc/pykms.nix +++ b/nixos/modules/services/misc/pykms.nix @@ -4,6 +4,7 @@ with lib; let cfg = config.services.pykms; + libDir = "/var/lib/pykms"; in { meta.maintainers = with lib.maintainers; [ peterhoeg ]; @@ -28,12 +29,6 @@ in { description = "The port on which to listen."; }; - verbose = mkOption { - type = types.bool; - default = false; - description = "Show verbose output."; - }; - openFirewallPort = mkOption { type = types.bool; default = false; @@ -45,30 +40,44 @@ in { default = "64M"; description = "How much memory to use at most."; }; + + logLevel = mkOption { + type = types.enum [ "CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG" "MINI" ]; + default = "INFO"; + description = "How much to log"; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional arguments"; + }; }; }; config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ]; - systemd.services.pykms = let - home = "/var/lib/pykms"; - in { + systemd.services.pykms = { description = "Python KMS"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; # python programs with DynamicUser = true require HOME to be set - environment.HOME = home; + environment.HOME = libDir; serviceConfig = with pkgs; { DynamicUser = true; - StateDirectory = baseNameOf home; - ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db"; + StateDirectory = baseNameOf libDir; + ExecStartPre = "${getBin pykms}/libexec/create_pykms_db.sh ${libDir}/clients.db"; ExecStart = lib.concatStringsSep " " ([ - "${getBin pykms}/bin/server.py" + "${getBin pykms}/bin/server" + "--logfile STDOUT" + "--loglevel ${cfg.logLevel}" + ] ++ cfg.extraArgs ++ [ cfg.listenAddress (toString cfg.port) - ] ++ lib.optional cfg.verbose "--verbose"); - WorkingDirectory = home; + ]); + ProtectHome = "tmpfs"; + WorkingDirectory = libDir; Restart = "on-failure"; MemoryLimit = cfg.memoryLimit; }; |