Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/default.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/ntpd.nix | 38 | ||||
-rw-r--r-- | nixos/modules/services/x11/urxvtd.nix | 30 |
4 files changed, 53 insertions, 26 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index e63d91eb9aca..6f3c45b29bf2 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -784,7 +784,7 @@ in {
     clusterCidr = mkOption {
       description = "Kubernetes controller manager and proxy CIDR Range for Pods in cluster.";
       default = "10.1.0.0/16";
-      type = types.str;
+      type = types.nullOr types.str;
     };
 
     flannel.enable = mkOption {
@@ -1018,9 +1018,9 @@ in {
             ${if (cfg.controllerManager.rootCaFile!=null)
               then "--root-ca-file=${cfg.controllerManager.rootCaFile}"
               else "--root-ca-file=/var/run/kubernetes/apiserver.crt"} \
-            ${optionalString (cfg.clusterCidr!=null)
-              "--cluster-cidr=${cfg.clusterCidr}"} \
-            --allocate-node-cidrs=true \
+            ${if (cfg.clusterCidr!=null)
+              then "--cluster-cidr=${cfg.clusterCidr} --allocate-node-cidrs=true"
+              else "--allocate-node-cidrs=false"} \
             ${optionalString (cfg.controllerManager.featureGates != [])
               "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.controllerManager.featureGates}"} \
             ${optionalString cfg.verbose "--v=6"} \
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index f592be0e768b..aeab445a9983 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -238,6 +238,9 @@ in
         User = "postgres";
         Group = "postgres";
         PermissionsStartOnly = true;
+        Type = if lib.versionAtLeast cfg.package.version "9.6"
+               then "notify"
+               else "simple";
 
         # Shut down Postgres using SIGINT ("Fast Shutdown mode"). See
         # http://www.postgresql.org/docs/current/static/server-shutdown.html
diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix
index 32174100b0f7..588d1c6edb07 100644
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
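Review bot: Widening `clusterCidr` to `types.nullOr types.str` leaves the option description silent on what `null` means, even though the controller-manager hunk in this same file turns it into `--allocate-node-cidrs=false`; the text should say so, e.g. `description = "Kubernetes controller manager and proxy CIDR Range for Pods in cluster. Set to null to disable node CIDR allocation.";`. The description also names the proxy as a consumer of this value, and any `${cfg.clusterCidr}` interpolation in the proxy's flags (not part of this diff) would now fail evaluation with "cannot coerce null to a string" unless it is guarded the same way the controller-manager flags are. The enclosing options attribute set starts and ends outside the hunk.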
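Review bot: `Type = "notify"` is selected from the package version alone, but a PostgreSQL 9.6+ server only sends READY=1 when it was built with systemd support (`--with-systemd`); with a `cfg.package` that lacks it, systemd would wait for a notification that never comes and fail the unit at TimeoutStartSec. A why-comment would stop the next maintainer from "simplifying" the condition, e.g. `# PostgreSQL >= 9.6 reports readiness via sd_notify; this assumes cfg.package was built with systemd support.`. If the package derivation exposes whether it was built with systemd, keying the choice on that rather than on the version string would be more robust. The `serviceConfig` set continues outside the hunk.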
@@ -15,6 +15,10 @@ let
   configFile = pkgs.writeText "ntp.conf" ''
     driftfile ${stateDir}/ntp.drift
 
+    restrict default ${toString cfg.restrictDefault}
+    restrict -6 default ${toString cfg.restrictDefault}
+    restrict source ${toString cfg.restrictSource}
+
     restrict 127.0.0.1
     restrict -6 ::1
 
@@ -36,9 +40,38 @@ in
     enable = mkOption {
       default = false;
       description = ''
-        Whether to synchronise your machine's time using the NTP
-        protocol.
+        Whether to synchronise your machine's time using ntpd, as a peer in
+        the NTP network.
+        </para>
+        <para>
+        Disables <literal>systemd.timesyncd</literal> if enabled.
+      '';
+    };
+
+    restrictDefault = mkOption {
+      type = types.listOf types.str;
+      description = ''
+        The restriction flags to be set by default.
+        </para>
+        <para>
+        The default flags prevent external hosts from using ntpd as a DDoS
+        reflector, setting system time, and querying OS/ntpd version. As
+        recommended in section 6.5.1.1.3, answer "No" of
+        http://support.ntp.org/bin/view/Support/AccessRestrictions
+      '';
+      default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
+    };
+
+    restrictSource = mkOption {
+      type = types.listOf types.str;
+      description = ''
+        The restriction flags to be set on source.
+        </para>
+        <para>
+        The default flags allow peers to be added by ntpd from configured
+        pool(s), but not by other means.
       '';
+      default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
     };
 
     servers = mkOption {
@@ -51,6 +84,7 @@ in
     extraFlags = mkOption {
       type = types.listOf types.str;
       description = "Extra flags passed to the ntpd command.";
+      example = literalExample ''[ "--interface=eth0" ]'';
       default = [];
     };
 
diff --git a/nixos/modules/services/x11/urxvtd.nix b/nixos/modules/services/x11/urxvtd.nix
index f2ce089ce19a..5531d7f153c2 100644
--- a/nixos/modules/services/x11/urxvtd.nix
+++ b/nixos/modules/services/x11/urxvtd.nix
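Review bot: The new `restrictDefault` description does not warn that the empty list is not a neutral value: `toString []` is the empty string, so the generated config would contain a bare `restrict default` with no flags, which grants every remote host query, modify and peer access — exactly the reflector and time-setting exposure the default flags exist to prevent. One sentence in the description would make this visible to operators, e.g. `Setting this to the empty list removes all restrictions and exposes ntpd to any host that can reach it.`; the same caveat applies to `restrictSource`. The enable description's claim that `systemd.timesyncd` is disabled is not backed by anything in this diff, so it should be confirmed against the module's config section. The options set these live in continues outside the hunk.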
@@ -18,27 +18,17 @@ in {
   };
 
   config = mkIf cfg.enable {
-    systemd.user = {
-      sockets.urxvtd = {
-        description = "socket for urxvtd, the urxvt terminal daemon";
-        wantedBy = [ "graphical-session.target" ];
-        partOf = [ "graphical-session.target" ];
-        socketConfig = {
-          ListenStream = "%t/urxvtd-socket";
-        };
+    systemd.user.services.urxvtd = {
+      description = "urxvt terminal daemon";
+      wantedBy = [ "graphical-session.target" ];
+      partOf = [ "graphical-session.target" ];
+      path = [ pkgs.xsel ];
+      serviceConfig = {
+        ExecStart = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtd -o";
+        Environment = "RXVT_SOCKET=%t/urxvtd-socket";
+        Restart = "on-failure";
+        RestartSec = "5s";
       };
-
-      services.urxvtd = {
-        description = "urxvt terminal daemon";
-        path = [ pkgs.xsel ];
-        serviceConfig = {
-          ExecStart = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtd -o";
-          Environment = "RXVT_SOCKET=%t/urxvtd-socket";
-          Restart = "on-failure";
-          RestartSec = "5s";
-        };
-      };
-    };
 
     environment.systemPackages = [ pkgs.rxvt_unicode-with-plugins ];