Diffstat (limited to 'nixos/modules/services')
6 files changed, 68 insertions, 36 deletions
diff --git a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
index 861b46a2d642..5d1bfe4ec407 100644
--- a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
@@ -42,6 +42,18 @@ in {
 type = types.str;
 description = ''
 User token in Jenkins used to reload config.
+ WARNING: This token will be world readable in the Nix store. To keep
+ it secret, use the <option>accessTokenFile</option> option instead.
+ '';
+ };
+
+ accessTokenFile = mkOption {
+ default = "";
+ type = types.str;
+ example = "/run/keys/jenkins-job-builder-access-token";
+ description = ''
+ File containing the API token for the <option>accessUser</option>
+ user.
 '';
 };
@@ -103,6 +115,21 @@ in {
 };
 config = mkIf (jenkinsCfg.enable && cfg.enable) {
+ assertions = [
+ { assertion =
+ if cfg.accessUser != ""
+ then (cfg.accessToken != "" && cfg.accessTokenFile == "") ||
+ (cfg.accessToken == "" && cfg.accessTokenFile != "")
+ else true;
+ message = ''
+ One of accessToken and accessTokenFile options must be non-empty
+ strings, but not both. Current values:
+ services.jenkins.jobBuilder.accessToken = "${cfg.accessToken}"
+ services.jenkins.jobBuilder.accessTokenFile = "${cfg.accessTokenFile}"
+ '';
+ }
+ ];
+
 systemd.services.jenkins-job-builder = {
 description = "Jenkins Job Builder Service";
 # JJB can run either before or after jenkins. We chose after, so we can 
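Review bot: The `accessTokenFile` description in the first hunk does not say when the file is read or by whom, which is exactly what an operator choosing the file's permissions needs; the reload script later in this commit reads it with `cat` from inside the jenkins-job-builder service, so it must be readable by whatever user that unit runs as, and its contents stay out of the Nix store. Suggested wording: `File containing the API token for the <option>accessUser</option> user. It is read by the jenkins-job-builder service each time it asks Jenkins to reload, so it must be readable by that service; unlike <option>accessToken</option>, its contents do not end up in the world-readable Nix store.` As a point of style, using `""` as the "unset" sentinel with `type = types.str` is unusual for a path-valued option; `types.nullOr types.path` with `default = null` would let the assertion and the script test for `null`, though that changes the interface introduced here.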
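Review bot: The assertion message in the second hunk interpolates `${cfg.accessToken}` verbatim, so the one situation in which it is printed — a misconfiguration where both options are set — echoes the secret into the evaluation error, and from there into CI logs and pasted bug reports. Printing the file path is harmless, but the token value should be reduced to a presence indicator, e.g. `services.jenkins.jobBuilder.accessToken is ${if cfg.accessToken != "" then "set (value withheld)" else "empty"}`. The `if cfg.accessUser != "" ... else true` guard also lets a token configured without an `accessUser` pass silently; whether that combination is meaningful depends on option defaults outside this hunk, so it may deserve either a second assertion or a sentence in the message.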
@@ -128,8 +155,13 @@ in {
 ownerStamp = ".config-xml-managed-by-nixos-jenkins-job-builder";
 reloadScript = ''
 echo "Asking Jenkins to reload config"
- CRUMB=$(curl -s 'http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
- curl --silent -X POST -H "$CRUMB" http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/reload
+ curl_opts="--silent --fail --show-error"
+ access_token=${if cfg.accessTokenFile != ""
+ then "$(cat '${cfg.accessTokenFile}')"
+ else cfg.accessToken}
+ jenkins_url="http://${cfg.accessUser}:$access_token@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}"
+ crumb=$(curl $curl_opts "$jenkins_url"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
+ curl $curl_opts -X POST -H "$crumb" "$jenkins_url"/reload
 '';
 in ''
diff --git a/nixos/modules/services/databases/cockroachdb.nix b/nixos/modules/services/databases/cockroachdb.nix
index 8de1e78633d5..e977751b21ef 100644
--- a/nixos/modules/services/databases/cockroachdb.nix
+++ b/nixos/modules/services/databases/cockroachdb.nix
@@ -13,7 +13,7 @@ let
 [ # Basic startup
 "${crdb}/bin/cockroach start"
 "--logtostderr"
- "--store=${cfg.dataDir}"
+ "--store=/var/lib/cockroachdb"
 (ifNotNull cfg.locality "--locality='${cfg.locality}'")
 # WebUI settings
@@ -41,7 +41,7 @@ let
 };
 port = mkOption {
- type = types.int;
+ type = types.port;
 default = defaultPort;
 description = "Port to bind to for ${descr}";
 };
@@ -70,10 +70,12 @@ in
 like datacenter. The tiers and order must be the same on all nodes. Including more tiers is better than including fewer. For example:
+ <literal>
 country=us,region=us-west,datacenter=us-west-1b,rack=12
 country=ca,region=ca-east,datacenter=ca-east-2,rack=4
 planet=earth,province=manitoba,colo=secondary,power=3
+ </literal>
 '';
 }; 
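Review bot: `jenkins_url` embeds `$access_token` and is handed to curl as a plain argument, so the token sits in the process list (`/proc/<pid>/cmdline` is readable by every local user) for the duration of both curl calls; that gives back much of what `accessTokenFile` was introduced to protect. Pass the credential through curl's config reader on stdin (`-K -`) and keep the URL credential-free, as sketched below. Separately, if the crumb request fails `--fail` makes curl exit non-zero but `crumb` is merely empty and the POST still runs with `-H ""`, unless this script executes under `set -e`, which is not visible in the hunk; an `|| exit 1` on that line closes the gap. The `reloadScript` binding starts before this hunk and the `in ''` after it opens a string whose remainder is outside the view.
```nix
# … unchanged: curl_opts and access_token assignments …
# Feed the credential to curl through its config reader on stdin so it never
# appears on a command line.
curl_auth() { printf 'user = "%s:%s"\n' '${cfg.accessUser}' "$access_token"; }
jenkins_url="http://${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}"
crumb=$(curl_auth | curl $curl_opts -K - "$jenkins_url"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') || exit 1
curl_auth | curl $curl_opts -K - -X POST -H "$crumb" "$jenkins_url"/reload
```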
@@ -83,12 +85,6 @@ in
 description = "The addresses for connecting the node to a cluster.";
 };
- dataDir = mkOption {
- type = types.path;
- default = "/var/lib/cockroachdb";
- description = "Location where CockroachDB stores its table files";
- };
-
 insecure = mkOption {
 type = types.bool;
 default = false;
@@ -126,9 +122,12 @@ in
 The total size for caches. This can be a percentage, expressed with a fraction sign or as a
- decimal-point number, or any bytes-based unit. For example, "25%",
- "0.25" both represent 25% of the available system memory. The values
- "1000000000" and "1GB" both represent 1 gigabyte of memory.
+ decimal-point number, or any bytes-based unit. For example,
+ <literal>"25%"</literal>, <literal>"0.25"</literal> both represent
+ 25% of the available system memory. The values
+ <literal>"1000000000"</literal> and <literal>"1GB"</literal> both
+ represent 1 gigabyte of memory.
+
 '';
 };
@@ -140,9 +139,11 @@ in
 data for SQL queries. This can be a percentage, expressed with a fraction sign or as a
- decimal-point number, or any bytes-based unit. For example, "25%",
- "0.25" both represent 25% of the available system memory. The values
- "1000000000" and "1GB" both represent 1 gigabyte of memory.
+ decimal-point number, or any bytes-based unit. For example,
+ <literal>"25%"</literal>, <literal>"0.25"</literal> both represent
+ 25% of the available system memory. The values
+ <literal>"1000000000"</literal> and <literal>"1GB"</literal> both
+ represent 1 gigabyte of memory.
 '';
 }; 
@@ -193,27 +194,21 @@ in
 requires = [ "time-sync.target" ];
 wantedBy = [ "multi-user.target" ];
- unitConfig.RequiresMountsFor = "${cfg.dataDir}";
-
- preStart = ''
- if ! test -e ${cfg.dataDir}; then
- mkdir -m 0700 -p ${cfg.dataDir}
- chown -R ${cfg.user} ${cfg.dataDir}
- fi
- '';
+ unitConfig.RequiresMountsFor = "/var/lib/cockroachdb";
 serviceConfig = {
 ExecStart = startupCommand;
 Type = "notify";
 User = cfg.user;
- PermissionsStartOnly = true;
+ StateDirectory = "cockroachdb";
+ StateDirectoryMode = "0700";
 Restart = "always";
- TimeoutStopSec="60";
- RestartSec="10";
- StandardOutput="syslog";
- StandardError="syslog";
- SyslogIdentifier="cockroach";
+
+ # A conservative-ish timeout is alright here, because for Type=notify
+ # cockroach will send systemd pings during startup to keep it alive
+ TimeoutStopSec = 60;
+ RestartSec = 10;
 };
 };
 };
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 950af848c0f6..5308c9c4ee08 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -127,7 +127,7 @@ let
 serviceConfig.Restart = mkDefault "always";
 serviceConfig.PrivateTmp = mkDefault true;
 serviceConfig.WorkingDirectory = mkDefault /tmp;
- } serviceOpts ] ++ optional (serviceOpts.serviceConfig.DynamicUser or false) {
+ } serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) {
 serviceConfig.User = conf.user;
 serviceConfig.Group = conf.group;
 });
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/tor.nix b/nixos/modules/services/monitoring/prometheus/exporters/tor.nix
index 0e2a13c44ab7..e0ae83802425 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/tor.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/tor.nix 
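Review bot: The new comment above `TimeoutStopSec = 60;` justifies the value with cockroach's startup notifications under `Type=notify`, but `TimeoutStopSec` only bounds shutdown; the startup behaviour it describes would matter for `TimeoutStartSec`, which this hunk does not set, so the comment explains the wrong knob. Suggested replacement: `# TimeoutStopSec only bounds shutdown; startup needs no tight bound here because with Type=notify cockroach itself tells systemd when it is ready.` — keep the claim about startup pings only if it has been checked against cockroach's sd_notify usage. `StateDirectory`/`StateDirectoryMode` are the right replacement for the removed `preStart` mkdir/chown; since the unit runs as `cfg.user` and, at least within this hunk, carries no sandboxing directives, this would be a natural place to add `ProtectSystem`, `ProtectHome`, `PrivateTmp` and `NoNewPrivileges`, though that goes beyond what the commit sets out to do. The systemd service attribute set starts before this hunk.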
@@ -36,5 +36,10 @@ in
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
 };
+
+ # CPython requires a process to either have $HOME defined or run as a UID
+ # defined in /etc/passwd. The latter is false with DynamicUser, so define a
+ # dummy $HOME. https://bugs.python.org/issue10496
+ environment = { HOME = "/var/empty"; };
 };
 }
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 564632a85ae5..41aff1480a05 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -202,7 +202,7 @@ let
 };
 script = ''
- modprobe wireguard
+ ${optionalString (!config.boot.isContainer) "modprobe wireguard"}
 ${values.preSetup}
diff --git a/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix b/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
index 4269f6cfb088..e871ae6ff15a 100644
--- a/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
@@ -83,11 +83,11 @@ let
 # Unpack Mediawiki and put the config file in its root directory.
 mediawikiRoot = pkgs.stdenv.mkDerivation rec {
- name= "mediawiki-1.29.1";
+ name= "mediawiki-1.31.1";
 src = pkgs.fetchurl {
- url = "https://releases.wikimedia.org/mediawiki/1.29/${name}.tar.gz";
- sha256 = "03mpazbxvb011s2nmlw5p6dc43yjgl5yrsilmj1imyykm57bwb3m";
+ url = "https://releases.wikimedia.org/mediawiki/1.31/${name}.tar.gz";
+ sha256 = "13x48clij21cmysjkpnx68vggchrdasqp7b290j87xlfgjhdhnnf";
 };
 skins = config.skins;
@@ -111,7 +111,7 @@ let
 sed -i \
 -e 's|/bin/bash|${pkgs.bash}/bin/bash|g' \
 -e 's|/usr/bin/timeout|${pkgs.coreutils}/bin/timeout|g' \
- $out/includes/limit.sh \
+ $out/includes/shell/limit.sh \
 $out/includes/GlobalFunctions.php
 '';
 }; |