Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/admin/oxidized.nix | 116 | ||||
-rw-r--r-- | nixos/modules/services/backup/borgbackup.nix | 50 | ||||
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/dashboard.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/default.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/dns.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/computing/slurm/slurm.nix | 27 | ||||
-rw-r--r-- | nixos/modules/services/databases/mysql.nix | 22 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/misc/nixos-manual.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/dd-agent/dd-agent.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/prometheus/exporters/node.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/network-filesystems/ipfs.nix | 16 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/atlassian/crowd.nix | 5 |
13 files changed, 238 insertions, 48 deletions
diff --git a/nixos/modules/services/admin/oxidized.nix b/nixos/modules/services/admin/oxidized.nix
new file mode 100644
index 000000000000..891ca6323c3c
--- /dev/null
+++ b/nixos/modules/services/admin/oxidized.nix
@@ -0,0 +1,116 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.oxidized; +in +{ + options.services.oxidized = { + enable = mkEnableOption "the oxidized configuation backup service."; + + user = mkOption { + type = types.str; + default = "oxidized"; + description = '' + User under which the oxidized service runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "oxidized"; + description = '' + Group under which the oxidized service runs. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/oxidized"; + description = "State directory for the oxidized service."; + }; + + configFile = mkOption { + type = types.path; + example = literalExample '' + pkgs.writeText "oxidized-config.yml" ''' + --- + debug: true + use_syslog: true + input: + default: ssh + ssh: + secure: true + interval: 3600 + model_map: + dell: powerconnect + hp: procurve + source: + default: csv + csv: + delimiter: !ruby/regexp /:/ + file: "/var/lib/oxidized/.config/oxidized/router.db" + map: + name: 0 + model: 1 + username: 2 + password: 3 + pid: "/var/lib/oxidized/.config/oxidized/pid" + rest: 127.0.0.1:8888 + retries: 3 + # ... additional config + '''; + ''; + description = '' + Path to the oxidized configuration file. + ''; + }; + + routerDB = mkOption { + type = types.path; + example = literalExample '' + pkgs.writeText "oxidized-router.db" ''' + hostname-sw1:powerconnect:username1:password2 + hostname-sw2:procurve:username2:password2 + # ... additional hosts + ''' + ''; + description = '' + Path to the file/database which contains the targets for oxidized. 
+ ''; + }; + }; + + config = mkIf cfg.enable { + users.extraGroups.${cfg.group} = { }; + users.extraUsers.${cfg.user} = { + description = "Oxidized service user"; + group = cfg.group; + home = cfg.dataDir; + createHome = true; + }; + + systemd.services.oxidized = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = '' + mkdir -p ${cfg.dataDir}/.config/oxidized + cp -v ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db + cp -v ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config + ''; + + serviceConfig = { + ExecStart = "${pkgs.oxidized}/bin/oxidized"; + User = cfg.user; + Group = cfg.group; + UMask = "0077"; + NoNewPrivileges = true; + Restart = "always"; + WorkingDirectory = cfg.dataDir; + KillSignal = "SIGKILL"; + }; + }; + }; +} diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index 1b730e0c2b76..0c3fc9af6f88 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -35,25 +35,26 @@ let ${cfg.preHook} '' + optionalString cfg.doInit '' # Run borg init if the repo doesn't exist yet - if ! borg list > /dev/null; then - borg init \ + if ! borg list $extraArgs > /dev/null; then + borg init $extraArgs \ --encryption ${cfg.encryption.mode} \ $extraInitArgs ${cfg.postInit} fi '' + '' - borg create \ + borg create $extraArgs \ --compression ${cfg.compression} \ --exclude-from ${mkExcludeFile cfg} \ $extraCreateArgs \ "::$archiveName$archiveSuffix" \ ${escapeShellArgs cfg.paths} '' + optionalString cfg.appendFailedSuffix '' - borg rename "::$archiveName$archiveSuffix" "$archiveName" + borg rename $extraArgs \ + "::$archiveName$archiveSuffix" "$archiveName" '' + '' ${cfg.postCreate} '' + optionalString (cfg.prune.keep != { }) '' - borg prune \ + borg prune $extraArgs \ ${mkKeepArgs cfg} \ --prefix ${escapeShellArg cfg.prune.prefix} \ $extraPruneArgs 
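Review bot: The `routerDB` example in the new oxidized module builds a file holding device usernames and passwords with `pkgs.writeText`, which places those credentials in the world-readable Nix store; `configFile` has the same problem whenever it carries secrets. The `UMask = "0077"` in serviceConfig protects only the copies that preStart makes under `${cfg.dataDir}`, not the source files. I would add to both option descriptions a sentence such as `Do not generate this file with pkgs.writeText when it contains credentials, since the Nix store is world-readable; point it at a root-owned file outside the store instead.` As far as I can tell ExecStartPre runs as `cfg.user` unless PermissionsStartOnly is set, so a source file readable only by root would make the `cp -v` lines fail — worth a line in the description as well. Minor: `configuation` in the mkEnableOption string is a typo, and mkEnableOption already appends a period, so the trailing one yields `..`.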
@@ -85,13 +86,14 @@ let ProtectSystem = "strict"; ReadWritePaths = [ "${userHome}/.config/borg" "${userHome}/.cache/borg" ] + ++ cfg.readWritePaths # Borg needs write access to repo if it is not remote ++ optional (isLocalPath cfg.repo) cfg.repo; - PrivateTmp = true; + PrivateTmp = cfg.privateTmp; }; environment = { BORG_REPO = cfg.repo; - inherit (cfg) extraInitArgs extraCreateArgs extraPruneArgs; + inherit (cfg) extraArgs extraInitArgs extraCreateArgs extraPruneArgs; } // (mkPassEnv cfg) // cfg.environment; inherit (cfg) startAt; }; @@ -318,6 +320,30 @@ in { ]; }; + readWritePaths = mkOption { + type = with types; listOf path; + description = '' + By default, borg cannot write anywhere on the system but + <literal>$HOME/.config/borg</literal> and <literal>$HOME/.cache/borg</literal>. + If, for example, your preHook script needs to dump files + somewhere, put those directories here. + ''; + default = [ ]; + example = [ + "/var/backup/mysqldump" + ]; + }; + + privateTmp = mkOption { + type = types.bool; + description = '' + Set the <literal>PrivateTmp</literal> option for + the systemd-service. Set to false if you need sockets + or other files from global /tmp. + ''; + default = true; + }; + doInit = mkOption { type = types.bool; description = '' @@ -430,6 +456,16 @@ in { default = ""; }; + extraArgs = mkOption { + type = types.str; + description = '' + Additional arguments for all <command>borg</command> calls the + service has. Handle with care. + ''; + default = ""; + example = "--remote-path=/path/to/borg"; + }; + extraInitArgs = mkOption { type = types.str; description = '' diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix index d27389b6a1c7..3aa1dcceae31 100644 --- a/nixos/modules/services/cluster/kubernetes/dashboard.nix +++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix 
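Review bot: The new `extraArgs` option is expanded unquoted as `$extraArgs` in every borg invocation of the first hunk, so the shell word-splits and glob-expands it; the description in the `@@ -430` hunk says only "Handle with care", which does not tell the user that a single argument containing whitespace cannot be passed this way or that `*` is expanded against the working directory. I would extend that description with `The value is word-split by the shell, so each argument must be free of whitespace and glob characters; arguments are inserted before the per-command extra*Args.` Since `readWritePaths` is appended to `ReadWritePaths` under `ProtectSystem = "strict"`, its description should also say that every listed path is exempted from the strict read-only filesystem for the whole unit, including the preHook and postCreate scripts, not just for borg itself.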
@@ -10,8 +10,9 @@ let image = pkgs.dockerTools.pullImage { imageName = name; - imageTag = version; + finalImageTag = version; sha256 = "11h0fz3wxp0f10fsyqaxjm7l2qg7xws50dv5iwlck5gb1fjmajad"; + imageDigest = "sha256:e7984d10351601080bbc146635d51f0cfbea31ca6f0df323cf7a58cf2f6a68df"; }; in { options.services.kubernetes.addons.dashboard = { diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index aeb0a0d2432d..d0309ebd5b8a 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -279,7 +279,7 @@ in { tokenAuthFile = mkOption { description = '' Kubernetes apiserver token authentication file. See - <link xlink:href="https://kubernetes.io/docs/admin/authentication.html"/> + <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authentication"/> ''; default = null; type = types.nullOr types.path; @@ -288,7 +288,7 @@ in { basicAuthFile = mkOption { description = '' Kubernetes apiserver basic authentication file. See - <link xlink:href="https://kubernetes.io/docs/admin/authentication.html"/> + <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authentication"/> ''; default = pkgs.writeText "users" '' kubernetes,admin,0 @@ -299,7 +299,7 @@ in { authorizationMode = mkOption { description = '' Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See - <link xlink:href="https://kubernetes.io/docs/admin/authorization.html"/> + <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/> ''; default = ["RBAC" "Node"]; type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]); 
@@ -308,7 +308,7 @@ in { authorizationPolicy = mkOption { description = '' Kubernetes apiserver authorization policy file. See - <link xlink:href="https://kubernetes.io/docs/admin/authorization.html"/> + <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/> ''; default = []; type = types.listOf types.attrs; @@ -332,7 +332,7 @@ in { runtimeConfig = mkOption { description = '' Api runtime configuration. See - <link xlink:href="https://kubernetes.io/docs/admin/cluster-management.html"/> + <link xlink:href="https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/"/> ''; default = "authentication.k8s.io/v1beta1=true"; example = "api/all=false,api/v1=true"; diff --git a/nixos/modules/services/cluster/kubernetes/dns.nix b/nixos/modules/services/cluster/kubernetes/dns.nix index 226fdadffd1a..939f58fc41b7 100644 --- a/nixos/modules/services/cluster/kubernetes/dns.nix +++ b/nixos/modules/services/cluster/kubernetes/dns.nix 
@@ -7,20 +7,23 @@ let k8s-dns-kube-dns = pkgs.dockerTools.pullImage { imageName = "gcr.io/google_containers/k8s-dns-kube-dns-amd64"; - imageTag = version; + finalImageTag = version; sha256 = "0q97xfqrigrfjl2a9cxl5in619py0zv44gch09jm8gqjkxl80imp"; + imageDigest = "sha256:40790881bbe9ef4ae4ff7fe8b892498eecb7fe6dcc22661402f271e03f7de344"; }; k8s-dns-dnsmasq-nanny = pkgs.dockerTools.pullImage { imageName = "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64"; - imageTag = version; + finalImageTag = version; sha256 = "051w5ca4qb88mwva4hbnh9xzlsvv7k1mbk3wz50lmig2mqrqqx6c"; + imageDigest = "sha256:aeeb994acbc505eabc7415187cd9edb38cbb5364dc1c2fc748154576464b3dc2"; }; k8s-dns-sidecar = pkgs.dockerTools.pullImage { imageName = "gcr.io/google_containers/k8s-dns-sidecar-amd64"; - imageTag = version; + finalImageTag = version; sha256 = "1z0d129bcm8i2cqq36x5jhnrv9hirj8c6kjrmdav8vgf7py78vsm"; + imageDigest = "sha256:97074c951046e37d3cbb98b82ae85ed15704a290cce66a8314e7f846404edde9"; }; cfg = config.services.kubernetes.addons.dns; diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 45d34f5b76f5..3e513ab15717 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -13,6 +13,7 @@ let ${optionalString (cfg.nodeName != null) ''nodeName=${cfg.nodeName}''} ${optionalString (cfg.partitionName != null) ''partitionName=${cfg.partitionName}''} PlugStackConfig=${plugStackConfig} + ProctrackType=${cfg.procTrackType} ${cfg.extraConfig} ''; 
@@ -31,12 +32,20 @@ in services.slurm = { server = { - enable = mkEnableOption "slurm control daemon"; - + enable = mkOption { + type = types.bool; + default = false; + description = '' + Wether to enable the slurm control daemon. + Note that the standard authentication method is "munge". + The "munge" service needs to be provided with a password file in order for + slurm to work properly (see <literal>services.munge.password</literal>). + ''; + }; }; client = { - enable = mkEnableOption "slurm rlient daemon"; + enable = mkEnableOption "slurm client daemon"; }; @@ -103,6 +112,16 @@ in ''; }; + procTrackType = mkOption { + type = types.string; + default = "proctrack/linuxproc"; + description = '' + Plugin to be used for process tracking on a job step basis. + The slurmd daemon uses this mechanism to identify all processes + which are children of processes it spawns for a user job step. + ''; + }; + extraConfig = mkOption { default = ""; type = types.lines; @@ -150,6 +169,8 @@ in environment.systemPackages = [ wrappedSlurm ]; + services.munge.enable = mkDefault true; + systemd.services.slurmd = mkIf (cfg.client.enable) { path = with pkgs; [ wrappedSlurm coreutils ] ++ lib.optional cfg.enableSrunX11 slurm-spank-x11; diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 66c9330c3550..15b9c788e872 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -231,8 +231,10 @@ in environment.systemPackages = [mysql]; - systemd.services.mysql = - { description = "MySQL Server"; + systemd.services.mysql = let + hasNotify = (cfg.package == pkgs.mariadb); + in { + description = "MySQL Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; 
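Review bot: `procTrackType` in the `@@ -103` hunk is declared with `types.string`, the deprecated untyped alias that warns on evaluation; `types.str` is the intended type, and because the value is interpolated verbatim into slurm.conf as `ProctrackType=${cfg.procTrackType}` in the first hunk, narrowing it to an enum of the proctrack plugins the module is meant to support would turn a typo into an evaluation error instead of a broken daemon config. The new `server.enable` description has a typo: `Wether` should be `Whether`. `services.munge.enable = mkDefault true` is added in the `@@ -150` hunk, but the enclosing config attribute set starts outside the hunk, so I cannot see whether it is gated on slurm actually being enabled; if it is not, munge would be started on every host that imports this module.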
@@ -256,17 +258,16 @@ in mkdir -m 0755 -p ${cfg.pidDir} chown -R ${cfg.user} ${cfg.pidDir} - - # Make the socket directory - mkdir -p /run/mysqld - chmod 0755 /run/mysqld - chown -R ${cfg.user} /run/mysqld ''; - serviceConfig.ExecStart = "${mysql}/bin/mysqld --defaults-extra-file=${myCnf} ${mysqldOptions}"; + serviceConfig = { + Type = if hasNotify then "notify" else "simple"; + RuntimeDirectory = "mysqld"; + ExecStart = "${mysql}/bin/mysqld --defaults-extra-file=${myCnf} ${mysqldOptions}"; + }; - postStart = - '' + postStart = '' + ${lib.optionalString (!hasNotify) '' # Wait until the MySQL server is available for use count=0 while [ ! -e /run/mysqld/mysqld.sock ] @@ -281,6 +282,7 @@ in count=$((count++)) sleep 1 done + ''} if [ -f /tmp/mysql_init ] then diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index be13fed860bd..e80abf96da48 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -129,6 +129,7 @@ let }; }; extra = {}; + uploads.storage_path = cfg.statePath; }; }; @@ -565,13 +566,9 @@ in { ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/config/gitlab_shell_secret - # The uploads directory is hardcoded somewhere deep in rails. It is - # symlinked in the gitlab package to /run/gitlab/uploads to make it - # configurable mkdir -p /run/gitlab - mkdir -p ${cfg.statePath}/{log,uploads} + mkdir -p ${cfg.statePath}/log ln -sf ${cfg.statePath}/log /run/gitlab/log - ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads ln -sf ${cfg.statePath}/tmp /run/gitlab/tmp ln -sf $GITLAB_SHELL_CONFIG_PATH /run/gitlab/shell-config.yml chown -R ${cfg.user}:${cfg.group} /run/gitlab 
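Review bot: Replacing the explicit `mkdir/chmod/chown` of `/run/mysqld` with `RuntimeDirectory = "mysqld"` makes the directory's owner follow the unit's `User=`/`Group=` settings, which are not visible in this hunk; the removed lines chowned it to `${cfg.user}` explicitly, which suggests preStart runs as root and mysqld drops privileges itself. If the unit sets no `User=`, `/run/mysqld` will now be root-owned and a mysqld running as `${cfg.user}` cannot create its socket there — please confirm, and otherwise add `User = cfg.user;` to the new `serviceConfig` block. A short comment on `hasNotify`, such as `# mariadb reports readiness via sd_notify, so wait for READY=1 instead of polling for the socket`, would explain why the polling loop is skipped. The `postStart` body continues outside the hunk.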
@@ -587,6 +584,8 @@ in { ln -sf ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb ''} ln -sf ${cfg.statePath}/config /run/gitlab/config + rm ${cfg.statePath}/lib + ln -sf ${pkgs.gitlab}/share/gitlab/lib ${cfg.statePath}/lib cp ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION # JSON is a subset of YAML @@ -638,10 +637,6 @@ in { chmod -R ug+rwX,o-rwx ${cfg.statePath}/repositories chmod -R ug-s ${cfg.statePath}/repositories find ${cfg.statePath}/repositories -type d -print0 | xargs -0 chmod g+s - chmod 770 ${cfg.statePath}/uploads - chown -R ${cfg.user} ${cfg.statePath}/uploads - find ${cfg.statePath}/uploads -type f -exec chmod 0644 {} \; - find ${cfg.statePath}/uploads -type d -not -path ${cfg.statePath}/uploads -exec chmod 0770 {} \; ''; serviceConfig = { diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 4bd1c20edf71..3916c3052e8b 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -99,7 +99,7 @@ in services.nixosManual.browser = mkOption { type = types.path; - default = "${pkgs.w3m-nox}/bin/w3m"; + default = "${pkgs.w3m-nographics}/bin/w3m"; description = '' Browser used to show the manual. ''; diff --git a/nixos/modules/services/monitoring/dd-agent/dd-agent.nix b/nixos/modules/services/monitoring/dd-agent/dd-agent.nix index beaa2c01b298..6367c8245f71 100644 --- a/nixos/modules/services/monitoring/dd-agent/dd-agent.nix +++ b/nixos/modules/services/monitoring/dd-agent/dd-agent.nix @@ -57,7 +57,7 @@ let instances: - use_mount: no ''; - + networkConfig = pkgs.writeText "network.yaml" '' init_config: 
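Review bot: `rm ${cfg.statePath}/lib` in the `@@ -587` hunk has no `-f`, so on a fresh install where the symlink does not yet exist the command fails and, since NixOS unit scripts run under `set -e`, the whole preStart aborts; use `rm -f ${cfg.statePath}/lib`. The following `ln -sf` uses `${pkgs.gitlab}` while the next line uses `${cfg.packages.gitlab}`, so a user who overrides the package gets a `lib` symlink pointing at the default package rather than the one actually running; the two references should agree. The `@@ -638` hunk drops the `chmod 770`/`o-rwx` pass over the uploads directory now that uploads live under `storage_path`, and nothing in the visible new code re-applies those permissions, so user uploads keep whatever mode the application creates them with — worth confirming, or keeping a restrictive `chmod` on the new uploads location. preStart starts outside this hunk.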
@@ -68,13 +68,13 @@ let - lo - lo0 ''; - + postgresqlConfig = pkgs.writeText "postgres.yaml" cfg.postgresqlConfig; nginxConfig = pkgs.writeText "nginx.yaml" cfg.nginxConfig; mongoConfig = pkgs.writeText "mongo.yaml" cfg.mongoConfig; jmxConfig = pkgs.writeText "jmx.yaml" cfg.jmxConfig; processConfig = pkgs.writeText "process.yaml" cfg.processConfig; - + etcfiles = let defaultConfd = import ./dd-agent-defaults.nix; @@ -150,7 +150,7 @@ in { default = null; type = types.uniq (types.nullOr types.string); }; - + mongoConfig = mkOption { description = "MongoDB integration configuration"; default = null; @@ -166,7 +166,7 @@ in { processConfig = mkOption { description = '' Process integration configuration - + See http://docs.datadoghq.com/integrations/process/ ''; default = null; @@ -190,7 +190,7 @@ in { systemd.services.dd-agent = { description = "Datadog agent monitor"; - path = [ pkgs."dd-agent" pkgs.python pkgs.sysstat pkgs.procps ]; + path = [ pkgs."dd-agent" pkgs.python pkgs.sysstat pkgs.procps pkgs.gohai ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.dd-agent}/bin/dd-agent foreground"; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/node.nix b/nixos/modules/services/monitoring/prometheus/exporters/node.nix index c85f5f9cfb2d..ee7bf39f199a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/node.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/node.nix @@ -27,6 +27,7 @@ in }; serviceOpts = { serviceConfig = { + RuntimeDirectory = "prometheus-node-exporter"; ExecStart = '' ${pkgs.prometheus-node-exporter}/bin/node_exporter \ ${concatMapStringsSep " " (x: "--collector." + x) cfg.enabledCollectors} \ diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index e2122ddb8ede..ab6d3a3d2fa4 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix 
@@ -186,6 +186,14 @@ in { default = []; }; + localDiscovery = mkOption { + type = types.bool; + description = ''Whether to enable local discovery for the ipfs daemon. + This will allow ipfs to scan ports on your local network. Some hosting services will ban you if you do this. + ''; + default = true; + }; + serviceFdlimit = mkOption { type = types.nullOr types.int; default = null; @@ -232,7 +240,13 @@ in { ''; script = '' if [[ ! -f ${cfg.dataDir}/config ]]; then - ipfs init ${optionalString cfg.emptyRepo "-e"} + ipfs init ${optionalString cfg.emptyRepo "-e"} \ + ${optionalString (! cfg.localDiscovery) "--profile=server"} + else + ${if cfg.localDiscovery + then "ipfs config profile apply local-discovery" + else "ipfs config profile apply server" + } fi ''; diff --git a/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixos/modules/services/web-apps/atlassian/crowd.nix index 0ac941b6ec99..778e4afa1e0b 100644 --- a/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixos/modules/services/web-apps/atlassian/crowd.nix @@ -126,12 +126,13 @@ in }; preStart = '' - mkdir -p ${cfg.home}/{logs,work,database} + rm -rf ${cfg.home}/work + mkdir -p ${cfg.home}/{logs,database,work} mkdir -p /run/atlassian-crowd ln -sf ${cfg.home}/{database,work,server.xml} /run/atlassian-crowd - chown -R ${cfg.user} ${cfg.home} + chown -R ${cfg.user}:${cfg.group} ${cfg.home} sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' |
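Review bot: `localDiscovery` defaults to `true` even though its own description warns that hosting providers ban the resulting traffic, so users who never set the option get the riskier behaviour; either default to `false` or state the default and its consequence explicitly in the description. The wording `scan ports on your local network` overstates what the local-discovery profile does (as far as I know it enables mDNS peer discovery and dialing of private-range addresses), and could read `This enables mDNS discovery and connections to peers on private networks; some hosting providers treat that traffic as abuse.` In the `@@ -232` hunk, `ipfs config profile apply …` runs on every start of an already-initialised repo, which re-applies the profile over any manual `ipfs config` changes at each restart — if that is intended, a comment saying so would help.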