diff options
Diffstat (limited to 'nixos/modules/services')
9 files changed, 135 insertions, 15 deletions
diff --git a/nixos/modules/services/monitoring/incron.nix b/nixos/modules/services/monitoring/incron.nix new file mode 100644 index 000000000000..1789fd9f2051 --- /dev/null +++ b/nixos/modules/services/monitoring/incron.nix @@ -0,0 +1,98 @@ + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.incron; + +in + +{ + options = { + + services.incron = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the incron daemon. + + Note that commands run under incrontab only support common Nix profiles for the <envar>PATH</envar> provided variable. + ''; + }; + + allow = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + description = '' + Users allowed to use incrontab. + + If empty then no user will be allowed to have their own incrontab. + If <literal>null</literal> then will defer to <option>deny</option>. + If both <option>allow</option> and <option>deny</option> are null + then all users will be allowed to have their own incrontab. + ''; + }; + + deny = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + description = "Users forbidden from using incrontab."; + }; + + systab = mkOption { + type = types.lines; + default = ""; + description = "The system incrontab contents."; + example = '' + /var/mail IN_CLOSE_WRITE abc $@/$# + /tmp IN_ALL_EVENTS efg $@/$# $& + ''; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = []; + example = literalExample "[ pkgs.rsync ]"; + description = "Extra packages available to the system incrontab."; + }; + + }; + + }; + + config = mkIf cfg.enable { + + warnings = optional (cfg.allow != null && cfg.deny != null) + ''If `services.incron.allow` is set then `services.incron.deny` will be ignored.''; + + environment.systemPackages = [ pkgs.incron ]; + + security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab"; + + # incron won't read symlinks + environment.etc."incron.d/system" = { + mode = "0444"; + text = cfg.systab; + }; + environment.etc."incron.allow" = mkIf (cfg.allow != null) { + text = concatStringsSep "\n" cfg.allow; + }; + environment.etc."incron.deny" = mkIf (cfg.deny != null) { + text = concatStringsSep "\n" cfg.deny; + }; + + systemd.services.incron = { + description = "File System Events Scheduler"; + wantedBy = [ "multi-user.target" ]; + path = cfg.extraPackages; + serviceConfig.PIDFile = "/run/incrond.pid"; + serviceConfig.ExecStartPre = "${pkgs.coreutils}/bin/mkdir -m 710 -p /var/spool/incron"; + serviceConfig.ExecStart = "${pkgs.incron}/bin/incrond --foreground"; + }; + }; + +} diff --git a/nixos/modules/services/networking/xrdp.nix b/nixos/modules/services/networking/xrdp.nix index 0e882873b4ba..61f22a366a02 100644 --- a/nixos/modules/services/networking/xrdp.nix +++ b/nixos/modules/services/networking/xrdp.nix @@ -93,10 +93,14 @@ in config = mkIf cfg.enable { - # copied from <nixos/modules/services/x11/xserver.nix> # xrdp can run X11 program even if "services.xserver.enable = false" - environment.pathsToLink = - [ "/etc/xdg" "/share/xdg" "/share/applications" "/share/icons" "/share/pixmaps" ]; + xdg = { + autostart.enable = true; + menus.enable = true; + mime.enable = true; + icons.enable = true; + }; + fonts.enableDefaultFonts = mkDefault true; systemd = { diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 17b169f7c696..b231ee5a3f01 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -16,9 +16,11 @@ let } // (optionalAttrs vhostConfig.enableACME { sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem"; + sslTrustedCertificate = "${acmeDirectory}/${serverName}/full.pem"; }) // (optionalAttrs (vhostConfig.useACMEHost != null) { sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem"; + sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/full.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; @@ -228,6 +230,9 @@ let ssl_certificate ${vhost.sslCertificate}; ssl_certificate_key ${vhost.sslCertificateKey}; ''} + ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' + ssl_trusted_certificate ${vhost.sslTrustedCertificate}; + ''} ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) '' auth_basic secured; diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 1075b00768fd..6954d932eed4 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -129,6 +129,13 @@ with lib; description = "Path to server SSL certificate key."; }; + sslTrustedCertificate = mkOption { + type = types.path; + default = null; + example = "/var/root.cert"; + description = "Path to root SSL certificate for stapling and client certificates."; + }; + http2 = mkOption { type = types.bool; default = true; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index da3287aaea6e..6fa3ec3b9255 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -33,12 +33,17 @@ in pkgs.xorg.xauth # used by kdesu pkgs.gtk2 # To get GTK+'s themes. pkgs.tango-icon-theme - pkgs.shared-mime-info + pkgs.gnome2.gnomeicontheme pkgs.xorg.xcursorthemes ]; - environment.pathsToLink = [ "/etc/enlightenment" "/etc/xdg" "/share/enlightenment" "/share/elementary" "/share/applications" "/share/locale" "/share/icons" "/share/themes" "/share/mime" "/share/desktop-directories" ]; + environment.pathsToLink = [ + "/etc/enlightenment" + "/share/enlightenment" + "/share/elementary" + "/share/locale" + ]; services.xserver.desktopManager.session = [ { name = "Enlightenment"; diff --git a/nixos/modules/services/x11/desktop-managers/lumina.nix b/nixos/modules/services/x11/desktop-managers/lumina.nix index 5fe84cfb82ec..43fed2572b51 100644 --- a/nixos/modules/services/x11/desktop-managers/lumina.nix +++ b/nixos/modules/services/x11/desktop-managers/lumina.nix @@ -41,9 +41,8 @@ in # Link some extra directories in /run/current-system/software/share environment.pathsToLink = [ - "/share/desktop-directories" - "/share/icons" "/share/lumina" + # FIXME: modules should link subdirs of `/share` rather than relying on this "/share" ]; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 83d1957a646a..d1cb962f6ff8 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -174,7 +174,10 @@ in ++ lib.optional config.services.colord.enable colord-kde ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ]; - environment.pathsToLink = [ "/share" ]; + environment.pathsToLink = [ + # FIXME: modules should link subdirs of `/share` rather than relying on this + "/share" + ]; environment.etc = singleton { source = xcfg.xkbDir; diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index ae155470419d..75b9a76e1924 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -59,9 +59,6 @@ in tango-icon-theme xfce4-icon-theme - desktop-file-utils - shared-mime-info - # Needed by Xfce's xinitrc script # TODO: replace with command -v which @@ -100,8 +97,6 @@ in environment.pathsToLink = [ "/share/xfce4" "/share/themes" - "/share/mime" - "/share/desktop-directories" "/share/gtksourceview-2.0" ]; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index b45e510f6b83..0237dd6f5604 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -616,8 +616,12 @@ in ] ++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh; - environment.pathsToLink = - [ "/etc/xdg" "/share/xdg" "/share/applications" "/share/icons" "/share/pixmaps" ]; + xdg = { + autostart.enable = true; + menus.enable = true; + mime.enable = true; + icons.enable = true; + }; # The default max inotify watches is 8192. # Nowadays most apps require a good number of inotify watches, |