diff options
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/rename.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/services/backup/postgresql-backup.nix | 62 | ||||
| -rw-r--r-- | nixos/modules/services/cluster/kubernetes/dashboard.nix | 138 | ||||
| -rw-r--r-- | nixos/modules/services/cluster/kubernetes/default.nix | 16 | ||||
| -rw-r--r-- | nixos/modules/services/logging/journaldriver.nix | 112 | ||||
| -rw-r--r-- | nixos/modules/services/misc/xmr-stak.nix | 60 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/mattermost.nix | 8 | ||||
| -rw-r--r-- | nixos/modules/system/boot/loader/grub/grub.nix | 5 | ||||
| -rw-r--r-- | nixos/modules/system/boot/loader/grub/install-grub.pl | 2 | ||||
| -rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 6 |
10 files changed, 347 insertions, 69 deletions
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 2df737452fbc..7b094fc14203 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -34,6 +34,7 @@ with lib; (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") + (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) (mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ]) (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "listenAddress" ]) @@ -199,6 +200,12 @@ with lib; (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) + # postgresqlBackup + (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' + A systemd timer is now used instead of cron. + The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. + '') + # Profile splitting (mkRenamedOptionModule [ "virtualization" "growPartition" ] [ "boot" "growPartition" ]) diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index 4a5ebebc682e..2ec78ce6f2cf 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -3,18 +3,41 @@ with lib; let - inherit (pkgs) gzip; - location = config.services.postgresqlBackup.location; + cfg = config.services.postgresqlBackup; - postgresqlBackupCron = db: - '' - ${config.services.postgresqlBackup.period} root ${config.services.postgresql.package}/bin/pg_dump ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz - ''; + postgresqlBackupService = db : + { + enable = true; -in + description = "Backup of database ${db}"; -{ + requires = [ "postgresql.service" ]; + + preStart = '' + mkdir -m 0700 -p ${cfg.location} + chown postgres ${cfg.location} + ''; + + script = '' + if [ -e ${cfg.location}/${db}.sql.gz ]; then + ${pkgs.coreutils}/bin/mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz + fi + + ${config.services.postgresql.package}/bin/pg_dump ${cfg.pgdumpOptions} ${db} | \ + ${pkgs.gzip}/bin/gzip -c > ${cfg.location}/${db}.sql.gz + ''; + + serviceConfig = { + Type = "oneshot"; + PermissionsStartOnly = "true"; + User = "postgres"; + }; + + startAt = cfg.startAt; + }; + +in { options = { @@ -27,10 +50,10 @@ in ''; }; - period = mkOption { - default = "15 01 * * *"; + startAt = mkOption { + default = "*-*-* 01:15:00"; description = '' - This option defines (in the format used by cron) when the + This option defines (see <literal>systemd.time</literal> for format) when the databases should be dumped. The default is to update at 01:15 (at night) every day. ''; @@ -49,18 +72,23 @@ in Location to put the gzipped PostgreSQL database dumps. ''; }; + + pgdumpOptions = mkOption { + type = types.string; + default = "-Cbo"; + description = '' + Command line options for pg_dump. + ''; + }; }; }; config = mkIf config.services.postgresqlBackup.enable { - services.cron.systemCronJobs = map postgresqlBackupCron config.services.postgresqlBackup.databases; - system.activationScripts.postgresqlBackup = stringAfter [ "stdio" "users" ] - '' - mkdir -m 0700 -p ${config.services.postgresqlBackup.location} - chown root ${config.services.postgresqlBackup.location} - ''; + systemd.services = listToAttrs (map (db : { + name = "postgresqlBackup-${db}"; + value = postgresqlBackupService db; } ) cfg.databases); }; } diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix index 9c1f814b683c..6d9faada4401 100644 --- a/nixos/modules/services/cluster/kubernetes/dashboard.nix +++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix @@ -8,10 +8,25 @@ in { options.services.kubernetes.addons.dashboard = { enable = mkEnableOption "kubernetes dashboard addon"; - enableRBAC = mkOption { - description = "Whether to enable role based access control is enabled for kubernetes dashboard"; - type = types.bool; - default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode; + rbac = mkOption { + description = "Role-based access control (RBAC) options"; + type = types.submodule { + + options = { + enable = mkOption { + description = "Whether to enable role based access control is enabled for kubernetes dashboard"; + type = types.bool; + default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode; + }; + + clusterAdmin = mkOption { + description = "Whether to assign cluster admin rights to the kubernetes dashboard"; + type = types.bool; + default = false; + }; + + }; + }; }; version = mkOption { @@ -202,29 +217,106 @@ in { namespace = "kube-system"; }; }; - } // (optionalAttrs cfg.enableRBAC { - kubernetes-dashboard-crb = { - apiVersion = "rbac.authorization.k8s.io/v1"; - kind = "ClusterRoleBinding"; - metadata = { - name = "kubernetes-dashboard"; - labels = { - k8s-app = "kubernetes-dashboard"; - k8s-addon = "kubernetes-dashboard.addons.k8s.io"; - "addonmanager.kubernetes.io/mode" = "Reconcile"; - }; - }; - roleRef = { - apiGroup = "rbac.authorization.k8s.io"; - kind = "ClusterRole"; - name = "cluster-admin"; - }; + } // (optionalAttrs cfg.rbac.enable + (let subjects = [{ kind = "ServiceAccount"; name = "kubernetes-dashboard"; namespace = "kube-system"; }]; - }; - }); + labels = { + k8s-app = "kubernetes-dashboard"; + k8s-addon = "kubernetes-dashboard.addons.k8s.io"; + "addonmanager.kubernetes.io/mode" = "Reconcile"; + }; + in + (if cfg.rbac.clusterAdmin then { + kubernetes-dashboard-crb = { + apiVersion = "rbac.authorization.k8s.io/v1"; + kind = "ClusterRoleBinding"; + metadata = { + name = "kubernetes-dashboard"; + inherit labels; + }; + roleRef = { + apiGroup = "rbac.authorization.k8s.io"; + kind = "ClusterRole"; + name = "cluster-admin"; + }; + inherit subjects; + }; + } + else + { + # Upstream role- and rolebinding as per: + # https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml + kubernetes-dashboard-role = { + apiVersion = "rbac.authorization.k8s.io/v1"; + kind = "Role"; + metadata = { + name = "kubernetes-dashboard-minimal"; + namespace = "kube-system"; + inherit labels; + }; + rules = [ + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. + { + apiGroups = [""]; + resources = ["secrets"]; + verbs = ["create"]; + } + # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. + { + apiGroups = [""]; + resources = ["configmaps"]; + verbs = ["create"]; + } + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. + { + apiGroups = [""]; + resources = ["secrets"]; + resourceNames = ["kubernetes-dashboard-key-holder"]; + verbs = ["get" "update" "delete"]; + } + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + { + apiGroups = [""]; + resources = ["configmaps"]; + resourceNames = ["kubernetes-dashboard-settings"]; + verbs = ["get" "update"]; + } + # Allow Dashboard to get metrics from heapster. + { + apiGroups = [""]; + resources = ["services"]; + resourceNames = ["heapster"]; + verbs = ["proxy"]; + } + { + apiGroups = [""]; + resources = ["services/proxy"]; + resourceNames = ["heapster" "http:heapster:" "https:heapster:"]; + verbs = ["get"]; + } + ]; + }; + + kubernetes-dashboard-rb = { + apiVersion = "rbac.authorization.k8s.io/v1"; + kind = "RoleBinding"; + metadata = { + name = "kubernetes-dashboard-minimal"; + namespace = "kube-system"; + inherit labels; + }; + roleRef = { + apiGroup = "rbac.authorization.k8s.io"; + kind = "Role"; + name = "kubernetes-dashboard-minimal"; + }; + inherit subjects; + }; + }) + )); }; } diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 20f2308508c6..5e87ae88f5a8 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -332,11 +332,11 @@ in { authorizationMode = mkOption { description = '' - Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See + Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/> ''; default = ["RBAC" "Node"]; - type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]); + type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]); }; authorizationPolicy = mkOption { @@ -348,6 +348,15 @@ in { type = types.listOf types.attrs; }; + webhookConfig = mkOption { + description = '' + Kubernetes apiserver Webhook config file. It uses the kubeconfig file format. + See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/webhook/"/> + ''; + default = null; + type = types.nullOr types.path; + }; + allowPrivileged = mkOption { description = "Whether to allow privileged containers on Kubernetes."; default = true; @@ -943,6 +952,9 @@ in { (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy) }" } \ + ${optionalString (elem "Webhook" cfg.apiserver.authorizationMode) + "--authorization-webhook-config-file=${cfg.apiserver.webhookConfig}" + } \ --secure-port=${toString cfg.apiserver.securePort} \ --service-cluster-ip-range=${cfg.apiserver.serviceClusterIpRange} \ ${optionalString (cfg.apiserver.runtimeConfig != "") diff --git a/nixos/modules/services/logging/journaldriver.nix b/nixos/modules/services/logging/journaldriver.nix new file mode 100644 index 000000000000..74ac3d4c2365 --- /dev/null +++ b/nixos/modules/services/logging/journaldriver.nix @@ -0,0 +1,112 @@ +# This module implements a systemd service for running journaldriver, +# a log forwarding agent that sends logs from journald to Stackdriver +# Logging. +# +# It can be enabled without extra configuration when running on GCP. +# On machines hosted elsewhere, the other configuration options need +# to be set. +# +# For further information please consult the documentation in the +# upstream repository at: https://github.com/aprilabank/journaldriver/ + +{ config, lib, pkgs, ...}: + +with lib; let cfg = config.services.journaldriver; +in { + options.services.journaldriver = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable journaldriver to forward journald logs to + Stackdriver Logging. + ''; + }; + + logLevel = mkOption { + type = types.str; + default = "info"; + description = '' + Log level at which journaldriver logs its own output. + ''; + }; + + logName = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Configures the name of the target log in Stackdriver Logging. + This option can be set to, for example, the hostname of a + machine to improve the user experience in the logging + overview. + ''; + }; + + googleCloudProject = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Configures the name of the Google Cloud project to which to + forward journald logs. + + This option is required on non-GCP machines, but should not be + set on GCP instances. + ''; + }; + + logStream = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Configures the name of the Stackdriver Logging log stream into + which to write journald entries. + + This option is required on non-GCP machines, but should not be + set on GCP instances. + ''; + }; + + applicationCredentials = mkOption { + type = with types; nullOr path; + default = null; + description = '' + Path to the service account private key (in JSON-format) used + to forward log entries to Stackdriver Logging on non-GCP + instances. + + This option is required on non-GCP machines, but should not be + set on GCP instances. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.journaldriver = { + description = "Stackdriver Logging journal forwarder"; + script = "${pkgs.journaldriver}/bin/journaldriver"; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "always"; + DynamicUser = true; + + # This directive lets systemd automatically configure + # permissions on /var/lib/journaldriver, the directory in + # which journaldriver persists its cursor state. + StateDirectory = "journaldriver"; + + # This group is required for accessing journald. + SupplementaryGroups = "systemd-journal"; + }; + + environment = { + RUST_LOG = cfg.logLevel; + LOG_NAME = cfg.logName; + LOG_STREAM = cfg.logStream; + GOOGLE_CLOUD_PROJECT = cfg.googleCloudProject; + GOOGLE_APPLICATION_CREDENTIALS = cfg.applicationCredentials; + }; + }; + }; +} diff --git a/nixos/modules/services/misc/xmr-stak.nix b/nixos/modules/services/misc/xmr-stak.nix index 57f439365471..a87878c31e0d 100644 --- a/nixos/modules/services/misc/xmr-stak.nix +++ b/nixos/modules/services/misc/xmr-stak.nix @@ -10,9 +10,6 @@ let inherit (cfg) openclSupport cudaSupport; }; - xmrConfArg = optionalString (cfg.configText != "") ("-c " + - pkgs.writeText "xmr-stak-config.txt" cfg.configText); - in { @@ -29,22 +26,34 @@ in description = "List of parameters to pass to xmr-stak."; }; - configText = mkOption { - type = types.lines; - default = ""; - example = '' - "currency" : "monero", - "pool_list" : - [ { "pool_address" : "pool.supportxmr.com:5555", - "wallet_address" : "<long-hash>", - "pool_password" : "minername", - "pool_weight" : 1, - }, - ], + configFiles = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + { + "config.txt" = ''' + "verbose_level" : 4, + "h_print_time" : 60, + "tls_secure_algo" : true, + '''; + "pools.txt" = ''' + "currency" : "monero7", + "pool_list" : + [ { "pool_address" : "pool.supportxmr.com:443", + "wallet_address" : "my-wallet-address", + "rig_id" : "", + "pool_password" : "nixos", + "use_nicehash" : false, + "use_tls" : true, + "tls_fingerprint" : "", + "pool_weight" : 23 + }, + ], + '''; + } ''; description = '' - Verbatim xmr-stak config.txt. If empty, the <literal>-c</literal> - parameter will not be added to the xmr-stak command. + Content of config files like config.txt, pools.txt or cpu.txt. ''; }; }; @@ -58,10 +67,13 @@ in environment = mkIf cfg.cudaSupport { LD_LIBRARY_PATH = "${pkgs.linuxPackages_latest.nvidia_x11}/lib"; }; - script = '' - exec ${pkg}/bin/xmr-stak ${xmrConfArg} ${concatStringsSep " " cfg.extraArgs} - ''; + + preStart = concatStrings (flip mapAttrsToList cfg.configFiles (fn: content: '' + ln -sf '${pkgs.writeText "xmr-stak-${fn}" content}' '${fn}' + '')); + serviceConfig = let rootRequired = cfg.openclSupport || cfg.cudaSupport; in { + ExecStart = "${pkg}/bin/xmr-stak ${concatStringsSep " " cfg.extraArgs}"; # xmr-stak generates cpu and/or gpu configuration files WorkingDirectory = "/tmp"; PrivateTmp = true; @@ -70,4 +82,12 @@ in }; }; }; + + imports = [ + (mkRemovedOptionModule ["services" "xmr-stak" "configText"] '' + This option was removed in favour of `services.xmr-stak.configFiles` + because the new config file `pools.txt` was introduced. You are + now able to define all other config files like cpu.txt or amd.txt. + '') + ]; } diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix index be74a2b1955b..96792c47cd24 100644 --- a/nixos/modules/services/web-apps/mattermost.nix +++ b/nixos/modules/services/web-apps/mattermost.nix @@ -25,7 +25,7 @@ in { options = { services.mattermost = { - enable = mkEnableOption "Mattermost chat platform"; + enable = mkEnableOption "Mattermost chat server"; statePath = mkOption { type = types.str; @@ -167,7 +167,7 @@ in ''; systemd.services.mattermost = { - description = "Mattermost chat platform service"; + description = "Mattermost chat service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" "postgresql.service" ]; @@ -201,13 +201,13 @@ in PermissionsStartOnly = true; User = cfg.user; Group = cfg.group; - ExecStart = "${pkgs.mattermost}/bin/mattermost-platform"; + ExecStart = "${pkgs.mattermost}/bin/mattermost"; WorkingDirectory = "${cfg.statePath}"; - JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service"; Restart = "always"; RestartSec = "10"; LimitNOFILE = "49152"; }; + unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service"; }; }) (mkIf cfg.matterircd.enable { diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 2e497ff9f2c4..42da65857221 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -385,8 +385,9 @@ in }; default = mkOption { - default = 0; - type = types.int; + default = "0"; + type = types.either types.int types.str; + apply = toString; description = '' Index of the default menu item to be booted. ''; diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index 872261d0edfa..d1ff6e6bf525 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl @@ -54,7 +54,7 @@ my $splashImage = get("splashImage"); my $configurationLimit = int(get("configurationLimit")); my $copyKernels = get("copyKernels") eq "true"; my $timeout = int(get("timeout")); -my $defaultEntry = int(get("default")); +my $defaultEntry = get("default"); my $fsIdentifier = get("fsIdentifier"); my $grubEfi = get("grubEfi"); my $grubTargetEfi = get("grubTargetEfi"); diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 55bb6d3449c5..6756f68cdf72 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -56,6 +56,12 @@ let left=("''${left[@]:3}") if [ -z ''${seen[$next]+x} ]; then seen[$next]=1 + + # Ignore the dynamic linker which for some reason appears as a DT_NEEDED of glibc but isn't in glibc's RPATH. + case "$next" in + ld*.so.?) continue;; + esac + IFS=: read -ra paths <<< $rpath res= for path in "''${paths[@]}"; do |