Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/backup/crashplan.nix8
-rw-r--r--nixos/modules/services/networking/dnscrypt-proxy.nix25
-rw-r--r--nixos/modules/services/networking/iodined.nix3
-rw-r--r--nixos/modules/services/networking/radicale.nix15
-rw-r--r--nixos/modules/services/x11/display-managers/default.nix11
-rw-r--r--nixos/modules/services/x11/window-managers/default.nix1
-rw-r--r--nixos/modules/services/x11/xserver.nix20
7 files changed, 42 insertions, 41 deletions
diff --git a/nixos/modules/services/backup/crashplan.nix b/nixos/modules/services/backup/crashplan.nix
index 74643d1d4635..46d4c5192d9e 100644
--- a/nixos/modules/services/backup/crashplan.nix
+++ b/nixos/modules/services/backup/crashplan.nix
@@ -48,6 +48,14 @@ with lib;
         ensureDir ${crashplan.vardir}/cache 700
         ensureDir ${crashplan.vardir}/backupArchives 700
         ensureDir ${crashplan.vardir}/log 777
+        cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf
+        for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do
+          if [ -e $x ]; then
+            true;
+          else
+            ln -s ${crashplan}/$x ${crashplan.vardir}/$x;
+          fi;
+        done
       '';
 
       serviceConfig = {
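Review bot: The existence test in the added loop, `if [ -e $x ]`, checks `$x` relative to the script's working directory, while the link is created under `${crashplan.vardir}`. Unless an earlier `cd` (the script begins outside this hunk) makes those the same directory, every restart after the first runs `ln -s` against an existing link and fails. Even with the path corrected, a link left by a previous package version is never refreshed, so after an upgrade the service would keep resolving `bin`, `lib` and the `lib*.so` files through the old store path, or through a dangling link once that path is collected. Replacing the `if`/`else` with `ln -sfn ${crashplan}/$x ${crashplan.vardir}/$x` covers both cases.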
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index a6b5b1deed76..886bfc30468e 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -5,14 +5,17 @@ let
   apparmorEnabled = config.security.apparmor.enable;
   dnscrypt-proxy = pkgs.dnscrypt-proxy;
   cfg = config.services.dnscrypt-proxy;
+
   resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
   localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
+
   daemonArgs =
     [ "--local-address=${localAddress}"
       (optionalString cfg.tcpOnly "--tcp-only")
       (optionalString cfg.ephemeralKeys "-E")
     ]
     ++ resolverArgs;
+
   resolverArgs = if (cfg.customResolver != null)
     then
       [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}"
@@ -50,7 +53,7 @@ in
           services.dnsmasq.resolveLocalQueries = true; # this is the default
         }
         </programlisting>
-     ''; };
+      ''; };
       localAddress = mkOption {
         default = "127.0.0.1";
         type = types.string;
@@ -71,13 +74,13 @@ in
         '';
       };
       resolverName = mkOption {
-        default = "cisco";
+        default = "dnscrypt.eu-nl";
         type = types.nullOr types.string;
         description = ''
           The name of the upstream DNSCrypt resolver to use. See
-          <filename>${resolverListFile}</filename> for alternative resolvers
-          (e.g., if you are concerned about logging and/or server
-          location).
+          <filename>${resolverListFile}</filename> for alternative resolvers.
+          The default resolver is located in Holland, supports DNS security
+          extensions, and claims to not keep logs.
         '';
       };
       customResolver = mkOption {
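Review bot: Changing `default` for `resolverName` repoints every installation that never set the option at a different third-party resolver on its next rebuild, which is a trust decision the operator did not make. The option description should say that the default changed, and the change belongs in the release notes. For the description text I would write `The default resolver is located in the Netherlands, supports DNSSEC, and states that it does not keep logs; this is the operator's own claim.` so the no-logging statement is clearly attributed rather than endorsed.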
@@ -170,11 +173,12 @@ in
       }
     ''));
 
-    users.extraUsers.dnscrypt-proxy = {
-      uid = config.ids.uids.dnscrypt-proxy;
+    users.users.dnscrypt-proxy = {
       description = "dnscrypt-proxy daemon user";
+      isSystemUser = true;
+      group = "dnscrypt-proxy";
     };
-    users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
+    users.groups.dnscrypt-proxy = {};
 
     systemd.sockets.dnscrypt-proxy = {
       description = "dnscrypt-proxy listening socket";
@@ -187,16 +191,21 @@ in
 
     systemd.services.dnscrypt-proxy = {
       description = "dnscrypt-proxy daemon";
+
       after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
       requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
+
       serviceConfig = {
         Type = "simple";
         NonBlocking = "true";
         ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
+
         User = "dnscrypt-proxy";
         Group = "dnscrypt-proxy";
+
         PrivateTmp = true;
         PrivateDevices = true;
+        ProtectHome = true;
       };
     };
   };
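Review bot: The `requires` entry on the context line above the added blank line reads `"dnscrypt-proxy.socket "`, with a trailing space inside the quotes, and this hunk leaves it as is. The dependency therefore probably does not name the real socket unit and would not be enforced as intended; it should be `requires = [ "dnscrypt-proxy.socket" ] ++ optional apparmorEnabled "apparmor.service";`. Next to the new `ProtectHome = true;`, `ProtectSystem = "full";` would be a natural companion, provided the daemon writes nothing under `/usr`, `/boot` or `/etc`, which is not visible from this hunk.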
diff --git a/nixos/modules/services/networking/iodined.nix b/nixos/modules/services/networking/iodined.nix
index 6bfe62e6261c..20d371c4e2d1 100644
--- a/nixos/modules/services/networking/iodined.nix
+++ b/nixos/modules/services/networking/iodined.nix
@@ -64,8 +64,7 @@ in
 
     systemd.services.iodined = {
       description = "iodine, ip over dns daemon";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ "ip-up.target" ];
       serviceConfig.ExecStart = "${pkgs.iodine}/sbin/iodined -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.ip} ${cfg.domain}";
     };
 
diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix
index 4b77ef22ac12..19762f4e570c 100644
--- a/nixos/modules/services/networking/radicale.nix
+++ b/nixos/modules/services/networking/radicale.nix
@@ -35,12 +35,27 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.pythonPackages.radicale ];
 
+    users.extraUsers = singleton
+      { name = "radicale";
+        uid = config.ids.uids.radicale;
+        description = "radicale user";
+        home = "/var/lib/radicale";
+        createHome = true;
+      };
+
+    users.extraGroups = singleton
+      { name = "radicale";
+        gid = config.ids.gids.radicale;
+      };
+
     systemd.services.radicale = {
       description = "A Simple Calendar and Contact Server";
       after = [ "network-interfaces.target" ];
       wantedBy = [ "multi-user.target" ];
       script = "${pkgs.pythonPackages.radicale}/bin/radicale -C ${confFile} -d";
       serviceConfig.Type = "forking";
+      serviceConfig.User = "radicale";
+      serviceConfig.Group = "radicale";
     };
   };
 }
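Review bot: Switching the unit to `serviceConfig.User = "radicale"` leaves any data written by earlier instances owned by whichever account ran them, presumably root since no `User` was set before, and nothing in this hunk migrates it. Where the collections live depends on `confFile`, which is defined outside the hunk, so this should be checked before merge. A release-note entry telling operators to move existing collections under `/var/lib/radicale` and chown them to `radicale` would avoid a service that starts but cannot read its calendars. Since the unit is being confined anyway, `serviceConfig.PrivateTmp = true;` would be a cheap addition alongside the new `User`/`Group` lines.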
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 533b03aff08d..7dffdfc2b36c 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -49,17 +49,6 @@ let
         fi
       ''}
 
-      ${optionalString cfg.startGnuPGAgent ''
-        if test -z "$SSH_AUTH_SOCK"; then
-            # Restart this script as a child of the GnuPG agent.
-            exec "${pkgs.gnupg}/bin/gpg-agent"                         \
-              --enable-ssh-support --daemon                             \
-              --pinentry-program "${pkgs.pinentry}/bin/pinentry-gtk-2"  \
-              --write-env-file "$HOME/.gpg-agent-info"                  \
-              "$0" "$sessionType"
-        fi
-      ''}
-
       # Handle being called by kdm.
       if test "''${1:0:1}" = /; then eval exec "$1"; fi
 
diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix
index 63136beac710..fce71bbda7e2 100644
--- a/nixos/modules/services/x11/window-managers/default.nix
+++ b/nixos/modules/services/x11/window-managers/default.nix
@@ -10,7 +10,6 @@ in
   imports = [
     ./afterstep.nix
     ./bspwm.nix
-    ./clfswm.nix
     ./compiz.nix
     ./dwm.nix
     ./exwm.nix
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index abbe00cc8881..0fcea6ce5e4f 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -219,17 +219,6 @@ in
         '';
       };
 
-      startGnuPGAgent = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to start the GnuPG agent when you log in.  The GnuPG agent
-          remembers private keys for you so that you don't have to type in
-          passphrases every time you make an SSH connection or sign/encrypt
-          data.  Use <command>ssh-add</command> to add a key to the agent.
-        '';
-      };
-
       startDbusSession = mkOption {
         type = types.bool;
         default = true;
@@ -444,14 +433,7 @@ in
       in optional (driver != null) ({ inherit name; driverName = name; } // driver));
 
     assertions =
-      [ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent);
-          message =
-            ''
-              The OpenSSH agent and GnuPG agent cannot be started both. Please
-              choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’.
-            '';
-        }
-        { assertion = config.security.polkit.enable;
+      [ { assertion = config.security.polkit.enable;
           message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’).";
         }
       ];