diff options
Diffstat (limited to 'nixos/modules')
36 files changed, 671 insertions, 607 deletions
diff --git a/nixos/modules/hardware/video/amdgpu-pro.nix b/nixos/modules/hardware/video/amdgpu-pro.nix index 06a405ee057f..5cc96d8bd074 100644 --- a/nixos/modules/hardware/video/amdgpu-pro.nix +++ b/nixos/modules/hardware/video/amdgpu-pro.nix @@ -21,6 +21,8 @@ in config = mkIf enabled { + nixpkgs.config.xorg.abiCompat = "1.18"; + services.xserver.drivers = singleton { name = "amdgpu"; modules = [ package ]; libPath = [ package ]; }; diff --git a/nixos/modules/hardware/video/ati.nix b/nixos/modules/hardware/video/ati.nix index bf91bcf0776b..022fdea0a0a3 100644 --- a/nixos/modules/hardware/video/ati.nix +++ b/nixos/modules/hardware/video/ati.nix @@ -18,7 +18,7 @@ in config = mkIf enabled { - nixpkgs.config.xorg.fglrxCompat = true; + nixpkgs.config.xorg.abiCompat = "1.17"; services.xserver.drivers = singleton { name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; }; diff --git a/nixos/modules/hardware/video/bumblebee.nix b/nixos/modules/hardware/video/bumblebee.nix index 3ce97ad31c22..fbf3f20885b5 100644 --- a/nixos/modules/hardware/video/bumblebee.nix +++ b/nixos/modules/hardware/video/bumblebee.nix @@ -76,7 +76,7 @@ in config = mkIf cfg.enable { boot.blacklistedKernelModules = [ "nvidia-drm" "nvidia" "nouveau" ]; - boot.kernelModules = optional useBbswitch [ "bbswitch" ]; + boot.kernelModules = optional useBbswitch "bbswitch"; boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11; environment.systemPackages = [ bumblebee primus ]; diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index e17c02d13745..c920a2b52d89 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -208,9 +208,6 @@ foreach my $path (glob "/sys/bus/pci/devices/*") { pciCheck $path; } -push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver; - - # Idem for USB devices. sub usbCheck { @@ -277,6 +274,12 @@ if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") { push @imports, "<nixpkgs/nixos/modules/profiles/qemu-guest.nix>"; } +# Also for Hyper-V. +if ($virt eq "microsoft") { + push @initrdAvailableKernelModules, "hv_storvsc"; + $videoDriver = "fbdev"; +} + # Pull in NixOS configuration for containers. if ($virt eq "systemd-nspawn") { @@ -307,6 +310,7 @@ sub findStableDevPath { return $dev; } +push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver; # Generate the swapDevices option from the currently activated swap # devices. @@ -588,6 +592,12 @@ $bootLoaderConfig # Enable the OpenSSH daemon. # services.openssh.enable = true; + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + # Enable CUPS to print documents. # services.printing.enable = true; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 0ed44f9d3d15..60e00ce874a8 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -286,6 +286,7 @@ gogs = 268; pdns-recursor = 269; kresd = 270; + rpc = 271; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -541,6 +542,7 @@ couchpotato = 267; gogs = 268; kresd = 270; + #rpc = 271; # unused # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fed75053e567..ad823c755e27 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -197,6 +197,7 @@ ./services/hardware/bluetooth.nix ./services/hardware/brltty.nix ./services/hardware/freefall.nix + ./services/hardware/illum.nix ./services/hardware/irqbalance.nix ./services/hardware/nvidia-optimus.nix ./services/hardware/pcscd.nix @@ -205,6 +206,7 @@ ./services/hardware/tcsd.nix ./services/hardware/tlp.nix ./services/hardware/thinkfan.nix + ./services/hardware/trezord.nix ./services/hardware/udev.nix ./services/hardware/udisks2.nix ./services/hardware/upower.nix @@ -339,6 +341,7 @@ ./services/monitoring/zabbix-server.nix ./services/network-filesystems/cachefilesd.nix ./services/network-filesystems/drbd.nix + ./services/network-filesystems/glusterfs.nix ./services/network-filesystems/ipfs.nix ./services/network-filesystems/netatalk.nix ./services/network-filesystems/nfsd.nix diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index 99b45228ce4d..6b4d8c737eba 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -42,6 +42,9 @@ # Virtio (QEMU, KVM etc.) support. "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console" + # Hyper-V support. + "hv_storvsc" + # Keyboards "usbhid" "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat" ]; diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 4e7f62fc8f5c..5ae3f4bd6e63 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -172,6 +172,10 @@ with lib; (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) + # nfs + (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) + (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) + # Options that are obsolete and have no replacement. (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml index a7bcf4924f01..ef0aab4a3f13 100644 --- a/nixos/modules/security/grsecurity.xml +++ b/nixos/modules/security/grsecurity.xml @@ -7,21 +7,20 @@ <title>Grsecurity/PaX</title> <para> - Grsecurity/PaX is a set of patches against the Linux kernel that make it - harder to exploit bugs. The patchset includes protections such as - enforcement of non-executable memory, address space layout randomization, - and chroot jail hardening. These and other + Grsecurity/PaX is a set of patches against the Linux kernel that + implements an extensive suite of <link xlink:href="https://grsecurity.net/features.php">features</link> - render entire classes of exploits inert without additional efforts on the - part of the adversary. + designed to increase the difficulty of exploiting kernel and + application bugs. </para> <para> The NixOS grsecurity/PaX module is designed with casual users in mind and is - intended to be compatible with normal desktop usage, without unnecessarily - compromising security. The following sections describe the configuration - and administration of a grsecurity/PaX enabled NixOS system. For - more comprehensive coverage, please refer to the + intended to be compatible with normal desktop usage, without + <emphasis>unnecessarily</emphasis> compromising security. The + following sections describe the configuration and administration of + a grsecurity/PaX enabled NixOS system. For more comprehensive + coverage, please refer to the <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link> and the <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch @@ -35,7 +34,7 @@ and each configuration requires quite a bit of testing to ensure that the resulting packages work as advertised. Defining additional package sets would likely result in a large number of functionally broken packages, to - nobody's benefit.</para></note>. + nobody's benefit.</para></note> </para> <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title> @@ -126,10 +125,10 @@ The NixOS kernel is built using upstream's recommended settings for a desktop deployment that generally favours security over performance. This section details deviations from upstream's recommendations that may - compromise operational security. + compromise security. <warning><para>There may be additional problems not covered here!</para> - </warning>. + </warning> </para> <itemizedlist> @@ -159,8 +158,8 @@ <listitem><para> The NixOS module conditionally weakens <command>chroot</command> restrictions to accommodate NixOS lightweight containers and sandboxed Nix - builds. This is problematic if the deployment also runs a privileged - network facing process that <emphasis>relies</emphasis> on + builds. This can be problematic if the deployment also runs privileged + network facing processes that <emphasis>rely</emphasis> on <command>chroot</command> for isolation. </para></listitem> @@ -221,15 +220,18 @@ </para> <para> - The wikibook provides an exhaustive listing of + The grsecurity/PaX wikibook provides an exhaustive listing of <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>. </para> <para> The NixOS module makes several assumptions about the kernel and so may be incompatible with your customised kernel. Currently, the only way - to work around incompatibilities is to eschew the NixOS module. + to work around these incompatibilities is to eschew the NixOS + module. + </para> + <para> If not using the NixOS module, a custom grsecurity package set can be specified inline instead, as in <programlisting> @@ -290,7 +292,7 @@ <listitem><para>User initiated autoloading of modules (e.g., when using fuse or loop devices) is disallowed; either load requisite modules - as root or add them to<option>boot.kernelModules</option>.</para></listitem> + as root or add them to <option>boot.kernelModules</option>.</para></listitem> <listitem><para>Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix index 2c271b328179..f6cf2d01d809 100644 --- a/nixos/modules/services/hardware/bluetooth.nix +++ b/nixos/modules/services/hardware/bluetooth.nix @@ -2,41 +2,9 @@ with lib; let - bluez-bluetooth = if config.services.xserver.desktopManager.kde4.enable then pkgs.bluez else pkgs.bluez5; - - configBluez = { - description = "Bluetooth Service"; - serviceConfig = { - Type = "dbus"; - BusName = "org.bluez"; - ExecStart = "${getBin bluez-bluetooth}/bin/bluetoothd -n"; - }; - wantedBy = [ "bluetooth.target" ]; - }; - - configBluez5 = { - description = "Bluetooth Service"; - serviceConfig = { - Type = "dbus"; - BusName = "org.bluez"; - ExecStart = "${getBin bluez-bluetooth}/bin/bluetoothd -n"; - NotifyAccess="main"; - CapabilityBoundingSet="CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; - LimitNPROC=1; - }; - wantedBy = [ "bluetooth.target" ]; - }; + isBluez4 = config.services.xserver.desktopManager.kde4.enable; + bluez-bluetooth = if isBluez4 then pkgs.bluez4 else pkgs.bluez; - obexConfig = { - description = "Bluetooth OBEX service"; - serviceConfig = { - Type = "dbus"; - BusName = "org.bluez.obex"; - ExecStart = "${getBin bluez-bluetooth}/bin/obexd"; - }; - }; - - bluezConfig = if config.services.xserver.desktopManager.kde4.enable then configBluez else configBluez5; in { @@ -58,10 +26,21 @@ in config = mkIf config.hardware.bluetooth.enable { environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ]; + services.udev.packages = [ bluez-bluetooth ]; + services.dbus.packages = [ bluez-bluetooth ]; - systemd.services."dbus-org.bluez" = bluezConfig; - systemd.services."dbus-org.bluez.obex" = obexConfig; + + systemd.packages = [ bluez-bluetooth ]; + + systemd.services.bluetooth = { + wantedBy = [ "bluetooth.target" ]; + aliases = [ "dbus-org.bluez.service" ]; + }; + + systemd.user.services.obex = mkIf (!isBluez4) { + aliases = [ "dbus-org.bluez.obex.service" ]; + }; }; diff --git a/nixos/modules/services/hardware/illum.nix b/nixos/modules/services/hardware/illum.nix new file mode 100644 index 000000000000..ff73c99a6537 --- /dev/null +++ b/nixos/modules/services/hardware/illum.nix @@ -0,0 +1,35 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.illum; +in { + + options = { + + services.illum = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable illum, a daemon for controlling screen brightness with brightness buttons. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.illum = { + description = "Backlight Adjustment Service"; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.illum}/bin/illum-d"; + }; + + }; + +} diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index 8ddb9ef9c53b..d651ccaa5776 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -51,7 +51,7 @@ in Enable support for SANE scanners. <note><para> - Users in the "scanner" group will gain access to the scanner. + Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer. </para></note> ''; }; diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix new file mode 100644 index 000000000000..38d0a3a1d752 --- /dev/null +++ b/nixos/modules/services/hardware/trezord.nix @@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.trezord; +in { + + ### interface + + options = { + services.trezord = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets. + ''; + }; + }; + }; + + ### implementation + + config = mkIf cfg.enable { + services.udev.packages = lib.singleton (pkgs.writeTextFile { + name = "trezord-udev-rules"; + destination = "/etc/udev/rules.d/51-trezor.rules"; + text = '' + SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666", GROUP="dialout", SYMLINK+="trezor%n" + KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0666", GROUP="dialout" + ''; + }); + + systemd.services.trezord = { + description = "TREZOR Bridge"; + after = [ "systemd-udev-settle.service" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = []; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.trezord}/bin/trezord -f"; + User = "trezord"; + }; + }; + + users.users.trezord = { + group = "trezord"; + description = "Trezor bridge daemon user"; + }; + + users.groups.trezord = {}; + }; +} + diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index cdde41446224..caaa87b94d61 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -79,8 +79,6 @@ let relay_domains = ${concatStringsSep ", " cfg.relayDomains} '' + '' - local_recipient_maps = - relayhost = ${if cfg.lookupMX || cfg.relayHost == "" then cfg.relayHost else diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix index 09e5c4fe1ff1..ca8fc06e4835 100644 --- a/nixos/modules/services/misc/gogs.nix +++ b/nixos/modules/services/misc/gogs.nix @@ -208,6 +208,7 @@ in group = "gogs"; home = cfg.stateDir; createHome = true; + shell = pkgs.bash; }; extraGroups.gogs.gid = config.ids.gids.gogs; }; diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index ca82a733f6fc..d28c5dc7af85 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -125,10 +125,10 @@ let server.key = ${cfg.dataDir}/keys/server.key server.crl = ${cfg.dataDir}/keys/server.crl '' else '' - ca.cert = ${cfg.pki.ca.cert} - server.cert = ${cfg.pki.server.cert} - server.key = ${cfg.pki.server.key} - server.crl = ${cfg.pki.server.crl} + ca.cert = ${cfg.pki.manual.ca.cert} + server.cert = ${cfg.pki.manual.server.cert} + server.key = ${cfg.pki.manual.server.key} + server.crl = ${cfg.pki.manual.server.crl} ''} '' + cfg.extraConfig); diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix new file mode 100644 index 000000000000..a2f2c0339515 --- /dev/null +++ b/nixos/modules/services/network-filesystems/glusterfs.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + inherit (pkgs) glusterfs; + + cfg = config.services.glusterfs; + +in + +{ + + ###### interface + + options = { + + services.glusterfs = { + + enable = mkEnableOption "GlusterFS Daemon"; + + logLevel = mkOption { + type = types.enum ["DEBUG" "INFO" "WARNING" "ERROR" "CRITICAL" "TRACE" "NONE"]; + description = "Log level used by the GlusterFS daemon"; + default = "INFO"; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + description = "Extra flags passed to the GlusterFS daemon"; + default = []; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.glusterfs ]; + + services.rpcbind.enable = true; + + systemd.services.glusterd = { + + description = "GlusterFS, a clustered file-system server"; + + wantedBy = [ "multi-user.target" ]; + + requires = [ "rpcbind.service" ]; + after = [ "rpcbind.service" "network.target" "local-fs.target" ]; + before = [ "network-online.target" ]; + + preStart = '' + install -m 0755 -d /var/log/glusterfs + ''; + + serviceConfig = { + Type="forking"; + PIDFile="/run/glusterd.pid"; + LimitNOFILE=65536; + ExecStart="${glusterfs}/sbin/glusterd -p /run/glusterd.pid --log-level=${cfg.logLevel} ${toString cfg.extraFlags}"; + KillMode="process"; + }; + }; + + systemd.services.glustereventsd = { + + description = "Gluster Events Notifier"; + + wantedBy = [ "multi-user.target" ]; + + after = [ "syslog.target" "network.target" ]; + + serviceConfig = { + Type="simple"; + Environment="PYTHONPATH=${glusterfs}/usr/lib/python2.7/site-packages"; + PIDFile="/run/glustereventsd.pid"; + ExecStart="${glusterfs}/sbin/glustereventsd --pid-file /run/glustereventsd.pid"; + ExecReload="/bin/kill -SIGUSR2 $MAINPID"; + KillMode="control-group"; + }; + }; + }; +} diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix index ddc7258ce0b4..7d127145101b 100644 --- a/nixos/modules/services/network-filesystems/nfsd.nix +++ b/nixos/modules/services/network-filesystems/nfsd.nix @@ -20,6 +20,7 @@ in server = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to enable the kernel's NFS server. @@ -27,6 +28,7 @@ in }; exports = mkOption { + type = types.lines; default = ""; description = '' Contents of the /etc/exports file. See @@ -36,6 +38,7 @@ in }; hostName = mkOption { + type = types.nullOr types.str; default = null; description = '' Hostname or address on which NFS requests will be accepted. @@ -46,6 +49,7 @@ in }; nproc = mkOption { + type = types.int; default = 8; description = '' Number of NFS server threads. Defaults to the recommended value of 8. @@ -53,11 +57,13 @@ in }; createMountPoints = mkOption { + type = types.bool; default = false; description = "Whether to create the mount points in the exports file at startup time."; }; mountdPort = mkOption { + type = types.nullOr types.int; default = null; example = 4002; description = '' @@ -66,11 +72,26 @@ in }; lockdPort = mkOption { - default = 0; + type = types.nullOr types.int; + default = null; + example = 4001; + description = '' + Use a fixed port for the NFS lock manager kernel module + (<literal>lockd/nlockmgr</literal>). This is useful if the + NFS server is behind a firewall. + ''; + }; + + statdPort = mkOption { + type = types.nullOr types.int; + default = null; + example = 4000; description = '' - Fix the lockd port number. This can help setting firewall rules for NFS. + Use a fixed port for <command>rpc.statd</command>. This is + useful if the NFS server is behind a firewall. ''; }; + }; }; @@ -82,60 +103,47 @@ in config = mkIf cfg.enable { - services.rpcbind.enable = true; + services.nfs.extraConfig = '' + [nfsd] + threads=${toString cfg.nproc} + ${optionalString (cfg.hostName != null) "host=${cfg.hostName}"} - boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd - - environment.systemPackages = [ pkgs.nfs-utils ]; + [mountd] + ${optionalString (cfg.mountdPort != null) "port=${toString cfg.mountdPort}"} - environment.etc.exports.source = exports; + [statd] + ${optionalString (cfg.statdPort != null) "port=${toString cfg.statdPort}"} - boot.kernelModules = [ "nfsd" ]; + [lockd] + ${optionalString (cfg.lockdPort != null) '' + port=${toString cfg.lockdPort} + udp-port=${toString cfg.lockdPort} + ''} + ''; - systemd.services.nfsd = - { description = "NFS Server"; + services.rpcbind.enable = true; - wantedBy = [ "multi-user.target" ]; + boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd - requires = [ "rpcbind.service" "mountd.service" ]; - after = [ "rpcbind.service" "mountd.service" "idmapd.service" ]; - before = [ "statd.service" ]; + environment.etc.exports.source = exports; - path = [ pkgs.nfs-utils ]; + systemd.services.nfs-server = + { enable = true; + wantedBy = [ "multi-user.target" ]; - script = + preStart = '' - # Create a state directory required by NFSv4. mkdir -p /var/lib/nfs/v4recovery - - ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_tcpport=${builtins.toString cfg.lockdPort} - ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_udpport=${builtins.toString cfg.lockdPort} - - rpc.nfsd \ - ${if cfg.hostName != null then "-H ${cfg.hostName}" else ""} \ - ${builtins.toString cfg.nproc} ''; - - postStop = "rpc.nfsd 0"; - - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; }; - systemd.services.mountd = - { description = "NFSv3 Mount Daemon"; - - requires = [ "rpcbind.service" ]; - after = [ "rpcbind.service" "local-fs.target" ]; - - path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ]; + systemd.services.nfs-mountd = + { enable = true; + restartTriggers = [ exports ]; preStart = '' mkdir -p /var/lib/nfs - touch /var/lib/nfs/rmtab - - mountpoint -q /proc/fs/nfsd || mount -t nfsd none /proc/fs/nfsd ${optionalString cfg.createMountPoints '' @@ -146,18 +154,7 @@ in | xargs -d '\n' mkdir -p '' } - - exportfs -rav ''; - - restartTriggers = [ exports ]; - - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = '' - @${pkgs.nfs-utils}/sbin/rpc.mountd rpc.mountd \ - ${if cfg.mountdPort != null then "-p ${toString cfg.mountdPort}" else ""} - ''; - serviceConfig.Restart = "always"; }; }; diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix index f2ff11633b1b..9bf266b38054 100644 --- a/nixos/modules/services/networking/chrony.nix +++ b/nixos/modules/services/networking/chrony.nix @@ -12,6 +12,25 @@ let cfg = config.services.chrony; + configFile = pkgs.writeText "chrony.conf" '' + ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers} + + ${optionalString + cfg.initstepslew.enabled + "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}" + } + + driftfile ${stateDir}/chrony.drift + + keyfile ${keyFile} + + ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} + + ${cfg.extraConfig} + ''; + + chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; + in { @@ -58,6 +77,13 @@ in <literal>chrony.conf</literal> ''; }; + + extraFlags = mkOption { + default = []; + example = [ "-s" ]; + type = types.listOf types.str; + description = "Extra flags passed to the chronyd command."; + }; }; }; @@ -70,25 +96,6 @@ in # Make chronyc available in the system path environment.systemPackages = [ pkgs.chrony ]; - environment.etc."chrony.conf".text = - '' - ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers} - - ${optionalString - cfg.initstepslew.enabled - "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}" - } - - driftfile ${stateDir}/chrony.drift - - keyfile ${keyFile} - generatecommandkey - - ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} - - ${cfg.extraConfig} - ''; - users.extraGroups = singleton { name = "chrony"; gid = config.ids.gids.chrony; @@ -124,7 +131,7 @@ in ''; serviceConfig = - { ExecStart = "${pkgs.chrony}/bin/chronyd -n -m -u chrony"; + { ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}"; }; }; diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index a10851c16523..12c2677c3368 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -258,9 +258,8 @@ in Restart = "always"; StartLimitInterval = 0; RestartSec = 1; - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; - AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW"; - ProtectSystem = "full"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID"; + ProtectSystem = true; MemoryDenyWriteExecute = true; ProtectHome = true; PrivateTmp = true; diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix index f17f8c832ee4..b64929960576 100644 --- a/nixos/modules/services/networking/dnschain.nix +++ b/nixos/modules/services/networking/dnschain.nix @@ -3,23 +3,28 @@ with lib; let - cfg = config.services; + cfgs = config.services; + cfg = cfgs.dnschain; - dnschainConf = pkgs.writeText "dnschain.conf" '' + dataDir = "/var/lib/dnschain"; + username = "dnschain"; + + configFile = pkgs.writeText "dnschain.conf" '' [log] - level=info + level = info [dns] - host = 127.0.0.1 - port = 5333 + host = ${cfg.dns.address} + port = ${toString cfg.dns.port} oldDNSMethod = NO_OLD_DNS - # TODO: check what that address is acutally used for - externalIP = 127.0.0.1 + externalIP = ${cfg.dns.address} [http] - host = 127.0.0.1 - port=8088 - tlsPort=4443 + host = ${cfg.api.hostname} + port = ${toString cfg.api.port} + tlsPort = ${toString cfg.api.tlsPort} + + ${cfg.extraConfig} ''; in @@ -32,28 +37,81 @@ in services.dnschain = { - enable = mkOption { - type = types.bool; - default = false; + enable = mkEnableOption '' + DNSChain, a blockchain based DNS + HTTP server. + To resolve .bit domains set <literal>services.namecoind.enable = true;</literal> + and an RPC username/password. + ''; + + dns.address = mkOption { + type = types.str; + default = "127.0.0.1"; description = '' - Whether to run dnschain. That implies running - namecoind as well, so make sure to configure - it appropriately. + The IP address that will be used to reach this machine. + Leave this unchanged if you do not wish to directly expose the DNSChain resolver. ''; }; - }; + dns.port = mkOption { + type = types.int; + default = 5333; + description = '' + The port the DNSChain resolver will bind to. + ''; + }; + + api.hostname = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + The hostname (or IP address) the DNSChain API server will bind to. + ''; + }; + + api.port = mkOption { + type = types.int; + default = 8080; + description = '' + The port the DNSChain API server (HTTP) will bind to. + ''; + }; - services.dnsmasq = { - resolveDnschainQueries = mkOption { - type = types.bool; - default = false; + api.tlsPort = mkOption { + type = types.int; + default = 4433; description = '' - Resolve <literal>.bit</literal> top-level domains - with dnschain and namecoind. + The port the DNSChain API server (HTTPS) will bind to. ''; }; + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + [log] + level = debug + ''; + description = '' + Additional options that will be appended to the configuration file. + ''; + }; + + }; + + services.dnsmasq.resolveDNSChainQueries = mkOption { + type = types.bool; + default = false; + description = '' + Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin. + ''; + }; + + services.pdns-recursor.resolveDNSChainQueries = mkOption { + type = types.bool; + default = false; + description = '' + Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin. + ''; }; }; @@ -61,48 +119,47 @@ in ###### implementation - config = mkIf cfg.dnschain.enable { - - services.namecoind.enable = true; + config = mkIf cfg.enable { - services.dnsmasq.servers = optionals cfg.dnsmasq.resolveDnschainQueries [ "/.bit/127.0.0.1#5333" ]; + services.dnsmasq.servers = optionals cfgs.dnsmasq.resolveDNSChainQueries + [ "/.bit/127.0.0.1#${toString cfg.dns.port}" + "/.dns/127.0.0.1#${toString cfg.dns.port}" + ]; - users.extraUsers = singleton - { name = "dnschain"; - uid = config.ids.uids.dnschain; - extraGroups = [ "namecoin" ]; - description = "Dnschain daemon user"; - home = "/var/lib/dnschain"; - createHome = true; + services.pdns-recursor.forwardZones = mkIf cfgs.pdns-recursor.resolveDNSChainQueries + { bit = "127.0.0.1:${toString cfg.dns.port}"; + dns = "127.0.0.1:${toString cfg.dns.port}"; }; + users.extraUsers = singleton { + name = username; + description = "DNSChain daemon user"; + home = dataDir; + createHome = true; + uid = config.ids.uids.dnschain; + extraGroups = optional cfgs.namecoind.enable "namecoin"; + }; + systemd.services.dnschain = { - description = "Dnschain Daemon"; - after = [ "namecoind.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.openssl ]; - preStart = '' - # Link configuration file into dnschain HOME directory - if [ "$(${pkgs.coreutils}/bin/realpath /var/lib/dnschain/.dnschain.conf)" != "${dnschainConf}" ]; then - rm -rf /var/lib/dnschain/.dnschain.conf - ln -s ${dnschainConf} /var/lib/dnschain/.dnschain.conf - fi - - # Create empty namecoin.conf so that dnschain is not - # searching for /etc/namecoin/namecoin.conf - if [ ! -e /var/lib/dnschain/.namecoin/namecoin.conf ]; then - mkdir -p /var/lib/dnschain/.namecoin - touch /var/lib/dnschain/.namecoin/namecoin.conf - fi - ''; - serviceConfig = { - Type = "simple"; - User = "dnschain"; - EnvironmentFile = config.services.namecoind.userFile; - ExecStart = "${pkgs.dnschain}/bin/dnschain --rpcuser=\${USER} --rpcpassword=\${PASSWORD} --rpcport=8336"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; - }; + description = "DNSChain daemon"; + after = optional cfgs.namecoind.enable "namecoind.target"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "dnschain"; + Restart = "on-failure"; + ExecStart = "${pkgs.dnschain}/bin/dnschain"; + }; + + preStart = '' + # Link configuration file into dnschain home directory + configPath=${dataDir}/.dnschain/dnschain.conf + mkdir -p ${dataDir}/.dnschain + if [ "$(realpath $configPath)" != "${configFile}" ]; then + rm -f $configPath + ln -s ${configFile} $configPath + fi + ''; }; }; diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 34b731ad35c9..243cd04c96c2 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -38,9 +38,9 @@ let cfg = config.networking.firewall; - kernelPackages = config.boot.kernelPackages; + inherit (config.boot.kernelPackages) kernel; - kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false; + kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); helpers = '' diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix index 83fc1ec66679..9df9f67cde83 100644 --- a/nixos/modules/services/networking/namecoind.nix +++ b/nixos/modules/services/networking/namecoind.nix @@ -3,25 +3,35 @@ with lib; let - cfg = config.services.namecoind; + cfg = config.services.namecoind; + dataDir = "/var/lib/namecoind"; + useSSL = (cfg.rpc.certificate != null) && (cfg.rpc.key != null); + useRPC = (cfg.rpc.user != null) && (cfg.rpc.password != null); - namecoinConf = - let - useSSL = (cfg.rpcCertificate != null) && (cfg.rpcKey != null); - in - pkgs.writeText "namecoin.conf" '' + listToConf = option: list: + concatMapStrings (value :"${option}=${value}\n") list; + + configFile = pkgs.writeText "namecoin.conf" ('' server=1 daemon=0 - rpcallowip=127.0.0.1 - walletpath=${cfg.wallet} - gen=${if cfg.generate then "1" else "0"} - rpcssl=${if useSSL then "1" else "0"} - ${optionalString useSSL "rpcsslcertificatechainfile=${cfg.rpcCertificate}"} - ${optionalString useSSL "rpcsslprivatekeyfile=${cfg.rpcKey}"} - ${optionalString useSSL "rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH"} txindex=1 txprevcache=1 - ''; + walletpath=${cfg.wallet} + gen=${if cfg.generate then "1" else "0"} + ${listToConf "addnode" cfg.extraNodes} + ${listToConf "connect" cfg.trustedNodes} + '' + optionalString useRPC '' + rpcbind=${cfg.rpc.address} + rpcport=${toString cfg.rpc.port} + rpcuser=${cfg.rpc.user} + rpcpassword=${cfg.rpc.password} + ${listToConf "rpcallowip" cfg.rpc.allowFrom} + '' + optionalString useSSL '' + rpcssl=1 + rpcsslcertificatechainfile=${cfg.rpc.certificate} + rpcsslprivatekeyfile=${cfg.rpc.key} + rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH + ''); in @@ -33,66 +43,102 @@ in services.namecoind = { - enable = mkOption { + enable = mkEnableOption "namecoind, Namecoin client."; + + wallet = mkOption { + type = types.path; + default = "${dataDir}/wallet.dat"; + description = '' + Wallet file. The ownership of the file has to be + namecoin:namecoin, and the permissions must be 0640. + ''; + }; + + generate = mkOption { type = types.bool; default = false; description = '' - Whether to run namecoind. + Whether to generate (mine) Namecoins. ''; }; - wallet = mkOption { - type = types.path; - example = "/etc/namecoin/wallet.dat"; + extraNodes = mkOption { + type = types.listOf types.str; + default = [ ]; description = '' - Wallet file. The ownership of the file has to be - namecoin:namecoin, and the permissions must be 0640. + List of additional peer IP addresses to connect to. ''; }; - userFile = mkOption { - type = types.nullOr types.path; + trustedNodes = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of the only peer IP addresses to connect to. If specified + no other connection will be made. + ''; + }; + + rpc.user = mkOption { + type = types.nullOr types.str; default = null; - example = "/etc/namecoin/user"; description = '' - File containing the user name and user password to - authenticate RPC connections to namecoind. - The content of the file is of the form: - <literal> - USER=namecoin - PASSWORD=secret - </literal> - The ownership of the file has to be namecoin:namecoin, - and the permissions must be 0640. + User name for RPC connections. ''; }; - generate = mkOption { - type = types.bool; - default = false; + rpc.password = mkOption { + type = types.str; + default = null; description = '' - Whether to generate (mine) Namecoins. + Password for RPC connections. ''; }; - rpcCertificate = mkOption { + rpc.address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + IP address the RPC server will bind to. + ''; + }; + + rpc.port = mkOption { + type = types.int; + default = 8332; + description = '' + Port the RPC server will bind to. + ''; + }; + + rpc.certificate = mkOption { type = types.nullOr types.path; default = null; - example = "/etc/namecoin/server.cert"; + example = "/var/lib/namecoind/server.cert"; description = '' Certificate file for securing RPC connections. ''; }; - rpcKey = mkOption { + rpc.key = mkOption { type = types.nullOr types.path; default = null; - example = "/etc/namecoin/server.pem"; + example = "/var/lib/namecoind/server.pem"; description = '' Key file for securing RPC connections. ''; }; + + rpc.allowFrom = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" ]; + description = '' + List of IP address ranges allowed to use the RPC API. + Wiledcards (*) can be user to specify a range. + ''; + }; + }; }; @@ -102,47 +148,54 @@ in config = mkIf cfg.enable { - users.extraUsers = singleton - { name = "namecoin"; - uid = config.ids.uids.namecoin; - description = "Namecoin daemon user"; - home = "/var/lib/namecoin"; - createHome = true; - }; + services.dnschain.extraConfig = '' + [namecoin] + config = ${configFile} + ''; + + users.extraUsers = singleton { + name = "namecoin"; + uid = config.ids.uids.namecoin; + description = "Namecoin daemon user"; + home = dataDir; + createHome = true; + }; - users.extraGroups = singleton - { name = "namecoin"; - gid = config.ids.gids.namecoin; - }; + users.extraGroups = singleton { + name = "namecoin"; + gid = config.ids.gids.namecoin; + }; systemd.services.namecoind = { - description = "Namecoind Daemon"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - if [ "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \ - -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \ - -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then - echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2 - exit 1 - fi - if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \ - -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \ - -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then - echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2 - exit 1 - fi - ''; - serviceConfig = { - Type = "simple"; - User = "namecoin"; - EnvironmentFile = cfg.userFile; - ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${namecoinConf} -rpcuser=\${USER} -rpcpassword=\${PASSWORD} -printtoconsole"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; - StandardOutput = "null"; - Nice = "10"; - }; + description = "Namecoind daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "namecoin"; + Griup = "namecoin"; + ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole"; + ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Nice = "10"; + PrivateTmp = true; + TimeoutStopSec = "60s"; + TimeoutStartSec = "2s"; + Restart = "always"; + StartLimitInterval = "120s"; + StartLimitBurst = "5"; + }; + + preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat") '' + # check wallet file permissions + if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \ + -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \ + -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then + echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2 + exit 1 + fi + ''; + }; }; diff --git a/nixos/modules/services/networking/rpcbind.nix b/nixos/modules/services/networking/rpcbind.nix index eef1e8e8cd88..cddcb09054e0 100644 --- a/nixos/modules/services/networking/rpcbind.nix +++ b/nixos/modules/services/networking/rpcbind.nix @@ -2,35 +2,6 @@ with lib; -let - - netconfigFile = { - target = "netconfig"; - source = pkgs.writeText "netconfig" '' - # - # The network configuration file. This file is currently only used in - # conjunction with the TI-RPC code in the libtirpc library. - # - # Entries consist of: - # - # <network_id> <semantics> <flags> <protofamily> <protoname> \ - # <device> <nametoaddr_libs> - # - # The <device> and <nametoaddr_libs> fields are always empty in this - # implementation. - # - udp tpi_clts v inet udp - - - tcp tpi_cots_ord v inet tcp - - - udp6 tpi_clts v inet6 udp - - - tcp6 tpi_cots_ord v inet6 tcp - - - rawip tpi_raw - inet - - - - local tpi_cots_ord - loopback - - - - unix tpi_cots_ord - loopback - - - - ''; - }; - -in - { ###### interface @@ -58,25 +29,18 @@ in ###### implementation config = mkIf config.services.rpcbind.enable { - environment.systemPackages = [ pkgs.rpcbind ]; - environment.etc = [ netconfigFile ]; - - systemd.services.rpcbind = - { description = "ONC RPC Directory Service"; + systemd.packages = [ pkgs.rpcbind ]; - wantedBy = [ "multi-user.target" ]; - - requires = [ "basic.target" ]; - after = [ "basic.target" ]; - - unitConfig.DefaultDependencies = false; # don't stop during shutdown - - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = "@${pkgs.rpcbind}/bin/rpcbind rpcbind"; - }; + systemd.services.rpcbind = { + wantedBy = [ "multi-user.target" ]; + }; + users.extraUsers.rpc = { + group = "nogroup"; + uid = config.ids.uids.rpc; + }; }; } diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index 0c459fb1dd0c..31d11548f195 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -82,7 +82,8 @@ in configFile = { path = mkOption { - type = types.path; + type = types.nullOr types.path; + default = null; example = literalExample "/etc/wpa_supplicant.conf"; description = '' External <literal>wpa_supplicant.conf</literal> configuration file. diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index dc0ca501a484..ed77e0844769 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -63,6 +63,8 @@ let let svcFunction = if svc ? function then svc.function + # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix; + else if svc ? serviceExpression then import (toString svc.serviceExpression) else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix"); config = (evalModules { modules = [ { options = res.options; config = svc.config or svc; } ]; diff --git a/nixos/modules/services/web-servers/apache-httpd/moodle.nix b/nixos/modules/services/web-servers/apache-httpd/moodle.nix deleted file mode 100644 index d525348d5c7e..000000000000 --- a/nixos/modules/services/web-servers/apache-httpd/moodle.nix +++ /dev/null @@ -1,198 +0,0 @@ -{ config, lib, pkgs, serverInfo, php, ... }: - -with lib; - -let - - httpd = serverInfo.serverConfig.package; - - version24 = !versionOlder httpd.version "2.4"; - - allGranted = if version24 then '' - Require all granted - '' else '' - Order allow,deny - Allow from all - ''; - - moodleConfig = pkgs.writeText "config.php" - '' - <?php - unset($CFG); - global $CFG; - $CFG = new stdClass(); - $CFG->dbtype = '${config.dbType}'; - $CFG->dblibrary = 'native'; - $CFG->dbhost = '${config.dbHost}'; - $CFG->dbname = '${config.dbName}'; - $CFG->dbuser = '${config.dbUser}'; - $CFG->dbpass = '${config.dbPassword}'; - $CFG->prefix = '${config.dbPrefix}'; - $CFG->dboptions = array( - 'dbpersist' => false, - 'dbsocket' => false, - 'dbport' => "${config.dbPort}", - ); - $CFG->wwwroot = '${config.wwwRoot}'; - $CFG->dataroot = '${config.dataRoot}'; - $CFG->directorypermissions = 02777; - $CFG->admin = 'admin'; - ${optionalString (config.debug.noEmailEver == true) '' - $CFG->noemailever = true; - ''} - - ${config.extraConfig} - require_once(dirname(__FILE__) . '/lib/setup.php'); // Do not edit - ''; - # Unpack Moodle and put the config file in its root directory. - moodleRoot = pkgs.stdenv.mkDerivation rec { - name= "moodle-2.8.10"; - - src = pkgs.fetchurl { - url = "https://download.moodle.org/stable28/${name}.tgz"; - sha256 = "0c3r5081ipcwc9s6shakllnrkd589y2ln5z5m1q09l4h6a7cy4z2"; - }; - - buildPhase = - '' - ''; - - installPhase = - '' - mkdir -p $out - cp -r * $out - cp ${moodleConfig} $out/config.php - ''; - # Marked as broken due to needing an update for security issues. - # See: https://github.com/NixOS/nixpkgs/issues/18856 - meta.broken = true; - - }; - -in - -{ - - extraConfig = - '' - # this should be config.urlPrefix instead of / - Alias / ${moodleRoot}/ - <Directory ${moodleRoot}> - DirectoryIndex index.php - </Directory> - ''; - - documentRoot = moodleRoot; # TODO: fix this, should be config.urlPrefix - - enablePHP = true; - - options = { - - id = mkOption { - default = "main"; - description = '' - A unique identifier necessary to keep multiple Moodle server - instances on the same machine apart. - ''; - }; - - dbType = mkOption { - default = "postgres"; - example = "mysql"; - description = "Database type."; - }; - - dbName = mkOption { - default = "moodle"; - description = "Name of the database that holds the Moodle data."; - }; - - dbHost = mkOption { - default = "localhost"; - example = "10.0.2.2"; - description = '' - The location of the database server. - ''; - }; - - dbPort = mkOption { - default = ""; # use the default port - example = "12345"; - description = '' - The port that is used to connect to the database server. - ''; - }; - - dbUser = mkOption { - default = "moodle"; - description = "The user name for accessing the database."; - }; - - dbPassword = mkOption { - default = ""; - example = "password"; - description = '' - The password of the database user. Warning: this is stored in - cleartext in the Nix store! - ''; - }; - - dbPrefix = mkOption { - default = "mdl_"; - example = "my_other_mdl_"; - description = '' - A prefix for each table, if multiple moodles should run in a single database. - ''; - }; - - wwwRoot = mkOption { - type = types.string; - example = "http://my.machine.com/my-moodle"; - description = '' - The full web address where moodle has been installed. - ''; - }; - - dataRoot = mkOption { - default = "/var/lib/moodledata"; - example = "/var/lib/moodledata"; - description = '' - The data directory for moodle. Needs to be writable! - ''; - type = types.path; - }; - - - extraConfig = mkOption { - type = types.lines; - default = ""; - example = - '' - ''; - description = '' - Any additional text to be appended to Moodle's - configuration file. This is a PHP script. - ''; - }; - - debug = { - noEmailEver = mkOption { - default = false; - example = "true"; - description = '' - Set this to true to prevent Moodle from ever sending any email. - ''; - }; - }; - }; - - startupScript = pkgs.writeScript "moodle_startup.sh" '' - echo "Checking for existence of ${config.dataRoot}" - if [ ! -e "${config.dataRoot}" ] - then - mkdir -p "${config.dataRoot}" - chown ${serverInfo.serverConfig.user}.${serverInfo.serverConfig.group} "${config.dataRoot}" - fi - ''; - -} diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index c9eacdd85dcd..aa11a5d5e80a 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -16,7 +16,20 @@ let ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; - configFile = pkgs.writeText "nginx.conf" '' + configFile = pkgs.runCommand "nginx.conf" { + inherit configFileUnformatted; + passAsFile = [ "configFileUnformatted" ]; + # configFileUnformatted is created locally, therefore so should this be. + preferLocalBuild = true; + allowSubstitutes = false; + } '' + cp ${configFileUnformatted} nginx.conf + chmod u+w nginx.conf + ${pkgs.nginx-config-formatter}/bin/nginxfmt nginx.conf + cp nginx.conf $out + ''; + + configFileUnformatted = pkgs.writeText "nginx.unformatted.conf" '' user ${cfg.user} ${cfg.group}; error_log stderr; daemon off; @@ -403,7 +416,7 @@ in acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME) vhostsConfigs; acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = { user = cfg.user; - group = cfg.group; + group = lib.mkDefault cfg.group; webroot = vhostConfig.acmeRoot; extraDomains = genAttrs vhostConfig.serverAliases (alias: null); postRun = '' diff --git a/nixos/modules/system/boot/systemd-lib.nix b/nixos/modules/system/boot/systemd-lib.nix index 997770b8beca..7dbf3b25cdb0 100644 --- a/nixos/modules/system/boot/systemd-lib.nix +++ b/nixos/modules/system/boot/systemd-lib.nix @@ -159,7 +159,13 @@ rec { fi done - # Created .wants and .requires symlinks from the wantedBy and + # Create service aliases from aliases option. + ${concatStrings (mapAttrsToList (name: unit: + concatMapStrings (name2: '' + ln -sfn '${name}' $out/'${name2}' + '') unit.aliases) units)} + + # Create .wants and .requires symlinks from the wantedBy and # requiredBy options. ${concatStrings (mapAttrsToList (name: unit: concatMapStrings (name2: '' diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix index 69af23981485..904e41b019fb 100644 --- a/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixos/modules/system/boot/systemd-unit-options.nix @@ -52,6 +52,12 @@ in rec { description = "Units that want (i.e. depend on) this unit."; }; + aliases = mkOption { + default = []; + type = types.listOf types.str; + description = "Aliases of that unit."; + }; + }; concreteUnitOptions = sharedOptions // { diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index ace1545b96e6..904404e1e472 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -42,7 +42,8 @@ let "systemd-udevd.service" "systemd-udev-settle.service" "systemd-udev-trigger.service" - "systemd-hwdb-update.service" + # hwdb.bin is managed by NixOS + # "systemd-hwdb-update.service" # Consoles. "getty.target" @@ -61,7 +62,6 @@ let # Login stuff. "systemd-logind.service" "autovt@.service" - #"systemd-vconsole-setup.service" "systemd-user-sessions.service" "dbus-org.freedesktop.login1.service" "dbus-org.freedesktop.machine1.service" @@ -313,7 +313,7 @@ let ''; targetToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = '' [Unit] @@ -322,7 +322,7 @@ let }; serviceToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = commonUnitText def + '' [Service] @@ -342,7 +342,7 @@ let }; socketToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = commonUnitText def + '' [Socket] @@ -352,7 +352,7 @@ let }; timerToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = commonUnitText def + '' [Timer] @@ -361,7 +361,7 @@ let }; pathToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = commonUnitText def + '' [Path] @@ -370,7 +370,7 @@ let }; mountToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = commonUnitText def + '' [Mount] @@ -379,7 +379,7 @@ let }; automountToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = commonUnitText def + '' [Automount] @@ -388,7 +388,7 @@ let }; sliceToUnit = name: def: - { inherit (def) wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable; text = commonUnitText def + '' [Slice] @@ -753,7 +753,8 @@ in # Keep a persistent journal. Note that systemd-tmpfiles will # set proper ownership/permissions. - mkdir -m 0700 -p /var/log/journal + # FIXME: revert to 0700 with systemd v233. + mkdir -m 0750 -p /var/log/journal ''; users.extraUsers.systemd-network.uid = config.ids.uids.systemd-network; diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 49ba66ad50af..8bd35385739e 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -216,7 +216,7 @@ in environment.etc.fstab.text = let - fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" ]; + fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ]; skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck; in '' # This is a generated file. Do not edit! diff --git a/nixos/modules/tasks/filesystems/glusterfs.nix b/nixos/modules/tasks/filesystems/glusterfs.nix new file mode 100644 index 000000000000..e8c7fa8efbae --- /dev/null +++ b/nixos/modules/tasks/filesystems/glusterfs.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + config = mkIf (any (fs: fs == "glusterfs") config.boot.supportedFilesystems) { + + system.fsPackages = [ pkgs.glusterfs ]; + + }; +} diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix index e9a7ccc721a9..73cf18384bd4 100644 --- a/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixos/modules/tasks/filesystems/nfs.nix @@ -24,6 +24,8 @@ let Method = nsswitch ''; + nfsConfFile = pkgs.writeText "nfs.conf" cfg.extraConfig; + cfg = config.services.nfs; in @@ -32,23 +34,12 @@ in ###### interface options = { - services.nfs = { - statdPort = mkOption { - default = null; - example = 4000; - description = '' - Use a fixed port for <command>rpc.statd</command>. This is - useful if the NFS server is behind a firewall. - ''; - }; - lockdPort = mkOption { - default = null; - example = 4001; + extraConfig = mkOption { + type = types.lines; + default = ""; description = '' - Use a fixed port for the NFS lock manager kernel module - (<literal>lockd/nlockmgr</literal>). This is useful if the - NFS server is behind a firewall. + Extra nfs-utils configuration. ''; }; }; @@ -62,69 +53,49 @@ in system.fsPackages = [ pkgs.nfs-utils ]; - boot.extraModprobeConfig = mkIf (cfg.lockdPort != null) '' - options lockd nlm_udpport=${toString cfg.lockdPort} nlm_tcpport=${toString cfg.lockdPort} - ''; - - boot.kernelModules = [ "sunrpc" ]; - boot.initrd.kernelModules = mkIf inInitrd [ "nfs" ]; - # FIXME: should use upstream units from nfs-utils. - - systemd.services.statd = - { description = "NFSv3 Network Status Monitor"; + systemd.packages = [ pkgs.nfs-utils ]; + systemd.generator-packages = [ pkgs.nfs-utils ]; - path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ]; + environment.etc = { + "idmapd.conf".source = idmapdConfFile; + "nfs.conf".source = nfsConfFile; + }; - wants = [ "remote-fs-pre.target" ]; - before = [ "remote-fs-pre.target" ]; - wantedBy = [ "remote-fs.target" ]; - requires = [ "basic.target" "rpcbind.service" ]; - after = [ "basic.target" "rpcbind.service" ]; + systemd.services.nfs-blkmap = + { restartTriggers = [ nfsConfFile ]; + }; - unitConfig.DefaultDependencies = false; # don't stop during shutdown + systemd.targets.nfs-client = + { wantedBy = [ "multi-user.target" "remote-fs.target" ]; + }; - preStart = - '' - mkdir -p ${nfsStateDir}/sm - mkdir -p ${nfsStateDir}/sm.bak - sm-notify -d - ''; + systemd.services.nfs-idmapd = + { restartTriggers = [ idmapdConfFile ]; + }; - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = '' - @${pkgs.nfs-utils}/sbin/rpc.statd rpc.statd --no-notify \ - ${if cfg.statdPort != null then "-p ${toString cfg.statdPort}" else ""} - ''; - serviceConfig.Restart = "always"; + systemd.services.nfs-mountd = + { restartTriggers = [ nfsConfFile ]; + enable = mkDefault false; }; - systemd.services.idmapd = - { description = "NFSv4 ID Mapping Daemon"; + systemd.services.nfs-server = + { restartTriggers = [ nfsConfFile ]; + enable = mkDefault false; + }; - path = [ pkgs.sysvtools pkgs.utillinux ]; + systemd.services.rpc-gssd = + { restartTriggers = [ nfsConfFile ]; + }; - wants = [ "remote-fs-pre.target" ]; - before = [ "remote-fs-pre.target" ]; - wantedBy = [ "remote-fs.target" ]; - requires = [ "rpcbind.service" ]; - after = [ "rpcbind.service" ]; + systemd.services.rpc-statd = + { restartTriggers = [ nfsConfFile ]; preStart = '' - mkdir -p ${rpcMountpoint} - mount -t rpc_pipefs rpc_pipefs ${rpcMountpoint} + mkdir -p /var/lib/nfs/{sm,sm.bak} ''; - - postStop = - '' - umount ${rpcMountpoint} - ''; - - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = "@${pkgs.nfs-utils}/sbin/rpc.idmapd rpc.idmapd -c ${idmapdConfFile}"; - serviceConfig.Restart = "always"; }; }; diff --git a/nixos/modules/tasks/kbd.nix b/nixos/modules/tasks/kbd.nix index e001832ec2eb..0af376a90bcf 100644 --- a/nixos/modules/tasks/kbd.nix +++ b/nixos/modules/tasks/kbd.nix @@ -100,15 +100,12 @@ in } (mkIf (!config.boot.earlyVconsoleSetup) { - # This is identical to the systemd-vconsole-setup.service unit - # shipped with systemd, except that it uses /dev/tty1 instead of - # /dev/tty0 to prevent putting the X server in non-raw mode, and - # it has a restart trigger. systemd.services."systemd-vconsole-setup" = { wantedBy = [ "sysinit.target" ]; before = [ "display-manager.service" ]; after = [ "systemd-udev-settle.service" ]; restartTriggers = [ vconsoleConf kbdEnv ]; + restartIfChanged = false; # fails when tty is inactive }; }) diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index a1212c905560..cd599d8b8941 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -62,9 +62,9 @@ in genericNetwork = override: { DHCP = override (dhcpStr cfg.useDHCP); } // optionalAttrs (cfg.defaultGateway != null) { - gateway = override [ cfg.defaultGateway ]; + gateway = override [ cfg.defaultGateway.address ]; } // optionalAttrs (cfg.defaultGateway6 != null) { - gateway = override [ cfg.defaultGateway6 ]; + gateway = override [ cfg.defaultGateway6.address ]; } // optionalAttrs (domains != [ ]) { domains = override domains; }; |