Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/config/pulseaudio.nix4
-rw-r--r--nixos/modules/hardware/all-firmware.nix6
-rw-r--r--nixos/modules/installer/cd-dvd/channel.nix2
-rw-r--r--nixos/modules/installer/cd-dvd/iso-image.nix4
-rw-r--r--nixos/modules/installer/cd-dvd/sd-image.nix4
-rw-r--r--nixos/modules/installer/cd-dvd/system-tarball.nix4
-rw-r--r--nixos/modules/installer/netboot/netboot-base.nix20
-rw-r--r--nixos/modules/installer/netboot/netboot-minimal.nix10
-rw-r--r--nixos/modules/installer/netboot/netboot.nix91
-rw-r--r--nixos/modules/installer/tools/auto-upgrade.nix2
-rw-r--r--nixos/modules/installer/tools/nixos-rebuild.sh2
-rw-r--r--nixos/modules/installer/tools/tools.nix6
-rw-r--r--nixos/modules/misc/ids.nix1
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/profiles/docker-container.nix4
-rw-r--r--nixos/modules/services/backup/crashplan.nix7
-rw-r--r--nixos/modules/services/databases/postgresql.nix2
-rw-r--r--nixos/modules/services/logging/graylog.nix161
-rw-r--r--nixos/modules/services/logging/logcheck.nix5
-rw-r--r--nixos/modules/services/mail/dovecot.nix6
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix6
-rw-r--r--nixos/modules/services/misc/nix-gc.nix2
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix2
-rw-r--r--nixos/modules/services/misc/taskserver/default.nix4
-rw-r--r--nixos/modules/services/networking/logmein-hamachi.nix50
-rw-r--r--nixos/modules/services/networking/nix-serve.nix2
-rw-r--r--nixos/modules/services/search/elasticsearch.nix1
-rw-r--r--nixos/modules/services/security/fail2ban.nix28
-rw-r--r--nixos/modules/services/system/dbus.nix2
-rw-r--r--nixos/modules/system/boot/loader/gummiboot/gummiboot.nix2
-rw-r--r--nixos/modules/system/etc/etc.nix2
-rw-r--r--nixos/modules/tasks/network-interfaces.nix10
-rw-r--r--nixos/modules/virtualisation/amazon-init.nix2
-rw-r--r--nixos/modules/virtualisation/azure-image.nix4
-rw-r--r--nixos/modules/virtualisation/brightbox-image.nix4
-rw-r--r--nixos/modules/virtualisation/ec2-amis.nix72
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix4
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix2
38 files changed, 441 insertions, 101 deletions
diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix
index 1654d31cfeb4..f2db428a4441 100644
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@@ -134,7 +134,7 @@ in {
     }
 
     (mkIf cfg.enable {
-      environment.systemPackages = [ cfg.package.out ];
+      environment.systemPackages = [ cfg.package ];
 
       environment.etc = singleton {
         target = "asound.conf";
@@ -158,7 +158,7 @@ in {
           wantedBy = [ "default.target" ];
           serviceConfig = {
             Type = "notify";
-            ExecStart = "${cfg.package}/bin/pulseaudio --daemonize=no";
+            ExecStart = "${cfg.package.out}/bin/pulseaudio --daemonize=no";
             Restart = "on-failure";
           };
         };
diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix
index d0d481f72a40..fb8e1ccab667 100644
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@@ -22,7 +22,11 @@ with lib;
   ###### implementation
 
   config = mkIf config.hardware.enableAllFirmware {
-    hardware.firmware = [ pkgs.firmwareLinuxNonfree pkgs.intel2200BGFirmware ];
+    hardware.firmware = with pkgs; [
+      firmwareLinuxNonfree
+      intel2200BGFirmware
+      rtl8723bs-firmware
+    ];
   };
 
 }
diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix
index 1e5e2b2615c8..cd6e72755dea 100644
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@@ -34,7 +34,7 @@ in
       if ! [ -e /var/lib/nixos/did-channel-init ]; then
         echo "unpacking the NixOS/Nixpkgs sources..."
         mkdir -p /nix/var/nix/profiles/per-user/root
-        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \
+        ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \
           -i ${channelSources} --quiet --option build-use-substitutes false
         mkdir -m 0700 -p /root/.nix-defexpr
         ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels
diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix
index 5702e2d9a1e5..c31ded977e68 100644
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -364,12 +364,12 @@ in
       ''
         # After booting, register the contents of the Nix store on the
         # CD in the Nix database in the tmpfs.
-        ${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration
+        ${config.nix.package.out}/bin/nix-store --load-db < /nix/store/nix-path-registration
 
         # nixos-rebuild also requires a "system" profile and an
         # /etc/NIXOS tag.
         touch /etc/NIXOS
-        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+        ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
       '';
 
     # Add vfat support to the initrd to enable people to copy the
diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix
index 9eba542d8c91..23312c073d56 100644
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@@ -113,11 +113,11 @@ in
         ${pkgs.e2fsprogs}/bin/resize2fs $rootPart
 
         # Register the contents of the initial Nix store
-        ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration
+        ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration
 
         # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
         touch /etc/NIXOS
-        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+        ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
 
         # Prevents this from running on later boots.
         rm -f /nix-path-registration
diff --git a/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixos/modules/installer/cd-dvd/system-tarball.nix
index 90e9b98a4575..1962a1959ead 100644
--- a/nixos/modules/installer/cd-dvd/system-tarball.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball.nix
@@ -78,14 +78,14 @@ in
         # After booting, register the contents of the Nix store on the
         # CD in the Nix database in the tmpfs.
         if [ -f /nix-path-registration ]; then
-          ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
+          ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
           rm /nix-path-registration
         fi
 
         # nixos-rebuild also requires a "system" profile and an
         # /etc/NIXOS tag.
         touch /etc/NIXOS
-        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+        ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
       '';
 
   };
diff --git a/nixos/modules/installer/netboot/netboot-base.nix b/nixos/modules/installer/netboot/netboot-base.nix
new file mode 100644
index 000000000000..b12eaccf8707
--- /dev/null
+++ b/nixos/modules/installer/netboot/netboot-base.nix
@@ -0,0 +1,20 @@
+# This module contains the basic configuration for building netboot
+# images
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports =
+    [ ./netboot.nix
+
+      # Profiles of this basic netboot media
+      ../../profiles/all-hardware.nix
+      ../../profiles/base.nix
+      ../../profiles/installation-device.nix
+    ];
+
+  # Allow the user to log in as root without a password.
+  users.extraUsers.root.initialHashedPassword = "";
+}
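Review bot: The comment on `users.extraUsers.root.initialHashedPassword = "";` says what the line does but not why it is acceptable or what it must not be combined with. A netboot image is served over the network and may be reused as a base for machines that stay up, so a passwordless root account deserves an explicit scope statement. I would extend the comment to something like `# Installer image only: root has no password. Set a password or authorized keys before enabling any remote login service.` Whether `installation-device.nix` starts a remote login service by default is not visible from this hunk.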
diff --git a/nixos/modules/installer/netboot/netboot-minimal.nix b/nixos/modules/installer/netboot/netboot-minimal.nix
new file mode 100644
index 000000000000..8ad6234edc77
--- /dev/null
+++ b/nixos/modules/installer/netboot/netboot-minimal.nix
@@ -0,0 +1,10 @@
+# This module defines a small netboot environment.
+
+{ config, lib, ... }:
+
+{
+  imports =
+    [ ./netboot-base.nix
+      ../../profiles/minimal.nix
+    ];
+}
diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix
new file mode 100644
index 000000000000..366591a81148
--- /dev/null
+++ b/nixos/modules/installer/netboot/netboot.nix
@@ -0,0 +1,91 @@
+# This module creates netboot media containing the given NixOS
+# configuration.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  options = {
+
+    netboot.storeContents = mkOption {
+      example = literalExample "[ pkgs.stdenv ]";
+      description = ''
+        This option lists additional derivations to be included in the
+        Nix store in the generated netboot image.
+      '';
+    };
+
+  };
+
+  config = {
+
+    boot.loader.grub.version = 2;
+
+    # Don't build the GRUB menu builder script, since we don't need it
+    # here and it causes a cyclic dependency.
+    boot.loader.grub.enable = false;
+
+    boot.initrd.postMountCommands = ''
+      mkdir -p /mnt-root/nix/store
+      mount -t squashfs /nix-store.squashfs /mnt-root/nix/store
+    '';
+
+    # !!! Hack - attributes expected by other modules.
+    system.boot.loader.kernelFile = "bzImage";
+    environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
+
+    boot.consoleLogLevel = mkDefault 7;
+
+    fileSystems."/" =
+      { fsType = "tmpfs";
+        options = [ "mode=0755" ];
+      };
+
+    boot.initrd.availableKernelModules = [ "squashfs" ];
+
+    boot.initrd.kernelModules = [ "loop" ];
+
+    # Closures to be copied to the Nix store, namely the init
+    # script and the top-level system configuration directory.
+   netboot.storeContents =
+      [ config.system.build.toplevel ];
+
+    # Create the squashfs image that contains the Nix store.
+    system.build.squashfsStore = import ../../../lib/make-squashfs.nix {
+      inherit (pkgs) stdenv squashfsTools perl pathsFromGraph;
+      storeContents = config.netboot.storeContents;
+    };
+
+
+    # Create the initrd
+    system.build.netbootRamdisk = pkgs.makeInitrd {
+      inherit (config.boot.initrd) compressor;
+      prepend = [ "${config.system.build.initialRamdisk}/initrd" ];
+
+      contents =
+        [ { object = config.system.build.squashfsStore;
+            symlink = "/nix-store.squashfs";
+          }
+        ];
+    };
+
+    system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" "#!ipxe\nkernel bzImage init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}\ninitrd initrd\nboot";
+
+    boot.loader.timeout = 10;
+
+    boot.postBootCommands =
+      ''
+        # After booting, register the contents of the Nix store
+        # in the Nix database in the tmpfs.
+        ${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration
+
+        # nixos-rebuild also requires a "system" profile and an
+        # /etc/NIXOS tag.
+        touch /etc/NIXOS
+        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+      '';
+
+  };
+
+}
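Review bot: `boot.postBootCommands` in this new file still interpolates `${config.nix.package}/bin/nix-store` and `${config.nix.package}/bin/nix-env`, while every other installer module touched by this commit is switched to `config.nix.package.out` and the option default becomes the multi-output `pkgs.nix`. If the default output of that package is not the one holding `bin/`, both commands will point at a path that does not exist and the store database is never registered after boot. The two lines should read `${config.nix.package.out}/bin/nix-store --load-db < /nix/store/nix-path-registration` and `${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system`. Separately, `netboot.storeContents` is declared without a `type`, so a non-list value is only caught when `make-squashfs.nix` consumes it.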
diff --git a/nixos/modules/installer/tools/auto-upgrade.nix b/nixos/modules/installer/tools/auto-upgrade.nix
index 79ccb5c3d18a..b21b80c666aa 100644
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@@ -78,7 +78,7 @@ let cfg = config.system.autoUpgrade; in
           HOME = "/root";
         };
 
-      path = [ pkgs.gnutar pkgs.xz.bin config.nix.package ];
+      path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ];
 
       script = ''
         ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch ${toString cfg.flags}
diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh
index cd30958d9e8a..5ecdcdb3cdb5 100644
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -271,7 +271,7 @@ remotePATH=
 if [ -n "$buildNix" ]; then
     echo "building Nix..." >&2
     nixDrv=
-    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then
+    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
         if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then
             if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
                 nixStorePath="$(prebuiltNix "$(uname -m)")"
diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix
index 9ac3b7a5b16f..b8fd9deaf1e4 100644
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -22,17 +22,17 @@ let
     src = ./nixos-install.sh;
 
     inherit (pkgs) perl pathsFromGraph;
-    nix = config.nix.package;
+    nix = config.nix.package.out;
 
     nixClosure = pkgs.runCommand "closure"
-      { exportReferencesGraph = ["refs" config.nix.package]; }
+      { exportReferencesGraph = ["refs" config.nix.package.out]; }
       "cp refs $out";
   };
 
   nixos-rebuild = makeProg {
     name = "nixos-rebuild";
     src = ./nixos-rebuild.sh;
-    nix = config.nix.package;
+    nix = config.nix.package.out;
   };
 
   nixos-generate-config = makeProg {
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 684ca132bc74..7e40c1366677 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -264,6 +264,7 @@
       taskd = 240;
       factorio = 241;
       emby = 242;
+      graylog = 243;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b238003dd0ca..b92361f628be 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -183,6 +183,7 @@
   ./services/hardware/thermald.nix
   ./services/logging/awstats.nix
   ./services/logging/fluentd.nix
+  ./services/logging/graylog.nix
   ./services/logging/klogd.nix
   ./services/logging/logcheck.nix
   ./services/logging/logrotate.nix
@@ -338,6 +339,7 @@
   ./services/networking/kippo.nix
   ./services/networking/lambdabot.nix
   ./services/networking/libreswan.nix
+  ./services/networking/logmein-hamachi.nix
   ./services/networking/mailpile.nix
   ./services/networking/mfi.nix
   ./services/networking/mjpg-streamer.nix
diff --git a/nixos/modules/profiles/docker-container.nix b/nixos/modules/profiles/docker-container.nix
index df762b7ac584..433492b96137 100644
--- a/nixos/modules/profiles/docker-container.nix
+++ b/nixos/modules/profiles/docker-container.nix
@@ -37,12 +37,12 @@ in {
       # After booting, register the contents of the Nix store in the Nix
       # database.
       if [ -f /nix-path-registration ]; then
-        ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
+        ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
         rm /nix-path-registration
       fi
 
       # nixos-rebuild also requires a "system" profile
-      ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+      ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
     '';
 
   # Install new init script
diff --git a/nixos/modules/services/backup/crashplan.nix b/nixos/modules/services/backup/crashplan.nix
index 94aa3b17b663..a69526f968b0 100644
--- a/nixos/modules/services/backup/crashplan.nix
+++ b/nixos/modules/services/backup/crashplan.nix
@@ -50,11 +50,8 @@ with lib;
         ensureDir ${crashplan.vardir}/log 777
         cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf
         for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do
-          if [ -e ${crashplan.vardir}/$x ]; then
-            true;
-          else
-            ln -s ${crashplan}/$x ${crashplan.vardir}/$x;
-          fi;
+          rm -f ${crashplan.vardir}/$x;
+          ln -sf ${crashplan}/$x ${crashplan.vardir}/$x;
         done
       '';
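Review bot: `rm -f` does not remove directories, and several names in the loop (`bin`, `lang`, `lib`, `share`, `skin`, `upgrade`) look like directories. If a real directory is left at `${crashplan.vardir}/$x`, `rm -f` fails and `ln -sf` then creates the link inside that directory instead of replacing it, so the stale copy keeps being used. The same applies when `$x` is already a symlink to a directory and the `rm` is ever dropped. Using `ln -sfT ${crashplan}/$x ${crashplan.vardir}/$x` (as the elasticsearch hunk in this commit does) makes the replacement explicit; a leftover real directory would then produce an error rather than a silently misplaced link. The enclosing script starts and ends outside the hunk.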
 
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 31ffe51c11ef..80ee32f4ee33 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -242,7 +242,7 @@ in
 
             if test -e "${cfg.dataDir}/.first_startup"; then
               ${optionalString (cfg.initialScript != null) ''
-                cat "${cfg.initialScript}" | psql --port=${toString cfg.port} postgres
+                psql -f "${cfg.initialScript}" --port=${toString cfg.port} postgres
               ''}
               rm -f "${cfg.dataDir}/.first_startup"
             fi
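Review bot: `psql -f` keeps running after a failing statement and still exits 0 by default, so a broken `initialScript` is not detected and `.first_startup` is removed on the next line anyway. If the script creates roles or grants, a partial run leaves the database in a state nobody asked for and the script is never retried. Consider `psql -v ON_ERROR_STOP=1 -f "${cfg.initialScript}" --port=${toString cfg.port} postgres`. Whether the surrounding script aborts on a non-zero exit status is not visible from this hunk, so the `rm -f` may also need to be made conditional.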
diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix
new file mode 100644
index 000000000000..a7785decd19a
--- /dev/null
+++ b/nixos/modules/services/logging/graylog.nix
@@ -0,0 +1,161 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.graylog;
+  configBool = b: if b then "true" else "false";
+
+  confFile = pkgs.writeText "graylog.conf" ''
+    is_master = ${configBool cfg.isMaster}
+    node_id_file = ${cfg.nodeIdFile}
+    password_secret = ${cfg.passwordSecret}
+    root_username = ${cfg.rootUsername}
+    root_password_sha2 = ${cfg.rootPasswordSha2}
+    elasticsearch_cluster_name = ${cfg.elasticsearchClusterName}
+    elasticsearch_discovery_zen_ping_multicast_enabled = ${configBool cfg.elasticsearchDiscoveryZenPingMulticastEnabled}
+    elasticsearch_discovery_zen_ping_unicast_hosts = ${cfg.elasticsearchDiscoveryZenPingUnicastHosts}
+    message_journal_dir = ${cfg.messageJournalDir}
+    mongodb_uri = ${cfg.mongodbUri}
+
+    ${cfg.extraConfig}
+  '';
+in
+
+{
+  ###### interface
+
+  options = {
+
+    services.graylog = {
+
+      enable = mkEnableOption "Graylog";
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.graylog;
+        defaultText = "pkgs.graylog";
+        example = literalExample "pkgs.graylog";
+        description = "Graylog package to use.";
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "graylog";
+        example = literalExample "graylog";
+        description = "User account under which graylog runs";
+      };
+
+      isMaster = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether this is the master instance of your Graylog cluster";
+      };
+
+      nodeIdFile = mkOption {
+        type = types.str;
+        default = "/var/lib/graylog/server/node-id";
+        description = "Path of the file containing the graylog node-id";
+      };
+
+      passwordSecret = mkOption {
+        type = types.str;
+        description = ''
+          You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
+          Generate one by using for example: pwgen -N 1 -s 96
+        '';
+      };
+
+      rootUsername = mkOption {
+        type = types.str;
+        default = "admin";
+        description = "Name of the default administrator user";
+      };
+
+      rootPasswordSha2 = mkOption {
+        type = types.str;
+        example = "e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e952";
+        description = ''
+          You MUST specify a hash password for the root user (which you only need to initially set up the
+          system and in case you lose connectivity to your authentication backend)
+          This password cannot be changed using the API or via the web interface. If you need to change it,
+          modify it here.
+          Create one by using for example: echo -n yourpassword | shasum -a 256
+          and use the resulting hash value as string for the option
+        '';
+      };
+
+      elasticsearchClusterName = mkOption {
+        type = types.str;
+        example = "graylog";
+        description = "This must be the same as for your Elasticsearch cluster";
+      };
+
+      elasticsearchDiscoveryZenPingMulticastEnabled = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to use elasticsearch multicast discovery";
+      };
+
+      elasticsearchDiscoveryZenPingUnicastHosts = mkOption {
+        type = types.str;
+        default = "127.0.0.1:9300";
+        description = "Tells Graylogs Elasticsearch client how to find other cluster members. See Elasticsearch documentation for details";
+      };
+
+      messageJournalDir = mkOption {
+        type = types.str;
+        default = "/var/lib/graylog/data/journal";
+        description = "The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and must not contain any other files than the ones created by Graylog itself";
+      };
+
+      mongodbUri = mkOption {
+        type = types.str;
+        default = "mongodb://localhost/graylog";
+        description = "MongoDB connection string. See http://docs.mongodb.org/manual/reference/connection-string/ for details";
+      };
+
+      extraConfig = mkOption {
+        type = types.str;
+        default = "";
+        description = "Any other configuration options you might want to add";
+      };
+
+    };
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    users.extraUsers = mkIf (cfg.user == "graylog") {
+      graylog = {
+        uid = config.ids.uids.graylog;
+        description = "Graylog server daemon user";
+      };
+    };
+
+    systemd.services.graylog = with pkgs; {
+      description = "Graylog Server";
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        JAVA_HOME = jre;
+        GRAYLOG_CONF = "${confFile}";
+      };
+      path = [ pkgs.openjdk8 pkgs.which pkgs.procps ];
+      preStart = ''
+        mkdir -p /var/lib/graylog -m 755
+        chown -R ${cfg.user} /var/lib/graylog
+
+        mkdir -p ${cfg.messageJournalDir} -m 755
+        chown -R ${cfg.user} ${cfg.messageJournalDir}
+      '';
+      serviceConfig = {
+        User="${cfg.user}";
+        PermissionsStartOnly=true;
+        ExecStart = "${cfg.package}/bin/graylogctl run";
+      };
+    };
+  };
+}
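Review bot: `confFile` is built with `pkgs.writeText`, so `password_secret` and `root_password_sha2` end up in a world-readable file in the Nix store, readable by every local user and copied along with the system closure. The secret is meant to pepper stored passwords, and the admin hash is a plain SHA-256 of the password per the option text, so neither should be treated as public. At minimum the descriptions of `passwordSecret` and `rootPasswordSha2` should say so, e.g. `Note that this value is written to the world-readable Nix store.` A follow-up that reads both values from a file outside the store at service start would remove the exposure. Also, `preStart` interpolates `${cfg.user}` and `${cfg.messageJournalDir}` unquoted into `chown -R`, which runs as root because of `PermissionsStartOnly=true`; quoting both would avoid surprises with unusual paths.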
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix
index 6069262b4705..3a85fa60fe7a 100644
--- a/nixos/modules/services/logging/logcheck.nix
+++ b/nixos/modules/services/logging/logcheck.nix
@@ -11,7 +11,10 @@ let
                    rm $out/logcheck.*
                  '';
 
-  rulesDir = pkgs.symlinkJoin "logcheck-rules-dir" ([ defaultRules ] ++ cfg.extraRulesDirs);
+  rulesDir = pkgs.symlinkJoin
+    { name = "logcheck-rules-dir";
+      paths = ([ defaultRules ] ++ cfg.extraRulesDirs);
+    };
 
   configFile = pkgs.writeText "logcheck.conf" cfg.config;
 
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 127c3da69d14..47e374d8edc3 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -63,8 +63,10 @@ let
     cfg.extraConfig
   ];
 
-  modulesDir = pkgs.symlinkJoin "dovecot-modules"
-    (map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules));
+  modulesDir = pkgs.symlinkJoin {
+    name = "dovecot-modules";
+    paths = map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules);
+  };
 
 in
 {
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index c84c67ff2872..d71837737ab3 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -6,7 +6,7 @@ let
 
   cfg = config.nix;
 
-  nix = cfg.package;
+  nix = cfg.package.out;
 
   makeNixBuildUser = nr:
     { name = "nixbld${toString nr}";
@@ -65,8 +65,8 @@ in
 
       package = mkOption {
         type = types.package;
-        default = pkgs.nix.out;
-        defaultText = "pkgs.nix.out";
+        default = pkgs.nix;
+        defaultText = "pkgs.nix";
         description = ''
           This option specifies the Nix package instance to use throughout the system.
         '';
diff --git a/nixos/modules/services/misc/nix-gc.nix b/nixos/modules/services/misc/nix-gc.nix
index 6a7a7f4cee72..5c13da6e83dd 100644
--- a/nixos/modules/services/misc/nix-gc.nix
+++ b/nixos/modules/services/misc/nix-gc.nix
@@ -52,7 +52,7 @@ in
 
     systemd.services.nix-gc =
       { description = "Nix Garbage Collector";
-        script = "exec ${config.nix.package}/bin/nix-collect-garbage ${cfg.options}";
+        script = "exec ${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}";
         startAt = optionalString cfg.automatic cfg.dates;
       };
 
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index d70bd855c7ff..66148431709f 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -41,7 +41,7 @@ with lib;
         PermitTTY no
         PermitTunnel no
         X11Forwarding no
-        ForceCommand ${config.nix.package}/bin/nix-store --serve
+        ForceCommand ${config.nix.package.out}/bin/nix-store --serve
       Match All
     '';
 
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 8459aafeee73..b7d14e90a2b7 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -449,7 +449,7 @@ in {
         };
       };
     })
-    (mkIf needToCreateCA {
+    (mkIf (cfg.enable && needToCreateCA) {
       systemd.services.taskserver-ca = {
         wantedBy = [ "taskserver.service" ];
         after = [ "taskserver-init.service" ];
@@ -533,7 +533,7 @@ in {
         '';
       };
     })
-    (mkIf (cfg.listenHost != "localhost") {
+    (mkIf (cfg.enable && cfg.listenHost != "localhost") {
       networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
     })
     { meta.doc = ./taskserver.xml; }
diff --git a/nixos/modules/services/networking/logmein-hamachi.nix b/nixos/modules/services/networking/logmein-hamachi.nix
new file mode 100644
index 000000000000..406626a8a343
--- /dev/null
+++ b/nixos/modules/services/networking/logmein-hamachi.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.logmein-hamachi;
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.logmein-hamachi.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description =
+        ''
+          Whether to enable LogMeIn Hamachi, a proprietary
+          (closed source) commercial VPN software.
+        '';
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    systemd.services.logmein-hamachi = {
+      description = "LogMeIn Hamachi Daemon";
+
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "local-fs.target" ];
+
+      serviceConfig = {
+        Type = "forking";
+        ExecStart = "${pkgs.logmein-hamachi}/bin/hamachid";
+      };
+    };
+
+    environment.systemPackages = [ pkgs.logmein-hamachi ];
+
+  };
+
+}
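Review bot: The unit runs a closed-source network daemon with no `User`, no capability bound and no filesystem restrictions, so `hamachid` gets full root on the host. The fail2ban unit in this same commit shows the pattern that could be applied here (`CapabilityBoundingSet`, `ReadOnlyDirectories`/`ReadWriteDirectories`, `PrivateTmp`); which capabilities and writable paths `hamachid` actually needs is not visible from this file and would have to be checked. `Type = "forking"` is also set without a `PIDFile`, so systemd has to guess the main process. As a style point, `enable = mkEnableOption "LogMeIn Hamachi";` would match the graylog module added in this commit, with the proprietary-software remark kept in a comment.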
diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix
index 8f6881441cf7..3e865e3b76a8 100644
--- a/nixos/modules/services/networking/nix-serve.nix
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -50,7 +50,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
-      path = [ config.nix.package pkgs.bzip2.bin ];
+      path = [ config.nix.package.out pkgs.bzip2.bin ];
       environment.NIX_REMOTE = "daemon";
       environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;
 
diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix
index c51a42b8e9c1..17ac8fe7e245 100644
--- a/nixos/modules/services/search/elasticsearch.nix
+++ b/nixos/modules/services/search/elasticsearch.nix
@@ -145,6 +145,7 @@ in {
         # Install plugins
         ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins
         ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
+        ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
         if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi
       '';
       postStart = mkBefore ''
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index afbd81be91f2..33c4910fc0ce 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -99,34 +99,32 @@ in
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
+        partOf = optional config.networking.firewall.enable "firewall.service";
 
         restartTriggers = [ fail2banConf jailConf ];
         path = [ pkgs.fail2ban pkgs.iptables ];
 
         preStart =
           ''
-            mkdir -p /run/fail2ban -m 0755
             mkdir -p /var/lib/fail2ban
           '';
 
+        unitConfig.Documentation = "man:fail2ban(1)";
+
         serviceConfig =
-          { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+          { Type = "forking";
+            ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start";
+            ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop";
+            ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload";
+            PIDFile = "/run/fail2ban/fail2ban.pid";
+            Restart = "always";
+
             ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/run /var/tmp /var/lib";
+            ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
+            PrivateTmp = "true";
+            RuntimeDirectory = "fail2ban";
             CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
           };
-
-        postStart =
-          ''
-            # Wait for the server to start listening.
-            for ((n = 0; n < 20; n++)); do
-              if fail2ban-client ping; then break; fi
-              sleep 0.5
-            done
-
-            # Reload its configuration.
-            fail2ban-client reload
-          '';
       };
 
     # Add some reasonable default jails.  The special "DEFAULT" jail
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index 2e29ef6a8f53..59c2e482e1ad 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -121,7 +121,7 @@ in
 
     security.setuidOwners = singleton
       { program = "dbus-daemon-launch-helper";
-        source = "${pkgs.dbus_daemon.lib}/libexec/dbus-daemon-launch-helper";
+        source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper";
         owner = "root";
         group = "messagebus";
         setuid = true;
diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix
index 6c201eb8212f..69ad2c6d44f4 100644
--- a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix
+++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix
@@ -14,7 +14,7 @@ let
 
     inherit (pkgs) python gummiboot;
 
-    nix = config.nix.package;
+    nix = config.nix.package.out;
 
     timeout = if cfg.timeout != null then cfg.timeout else "";
 
diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix
index 9d5b3db472c3..163f4f4106e8 100644
--- a/nixos/modules/system/etc/etc.nix
+++ b/nixos/modules/system/etc/etc.nix
@@ -36,7 +36,7 @@ in
       type = types.loaOf types.optionSet;
       default = {};
       example = literalExample ''
-        { hosts =
+        { example-configuration-file =
             { source = "/nix/store/.../etc/dir/file.conf.example";
               mode = "0440";
             };
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 0528012adfd8..c52bd904caec 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -523,7 +523,7 @@ in
 
     networking.bonds = mkOption {
       default = { };
-      example = {
+      example = literalExample {
         bond0 = {
           interfaces = [ "eth0" "wlan0" ];
           miimon = 100;
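Review bot: `literalExample` is handed an attribute set here, while the `etc.nix` hunk in this same patch passes it an indented string (`literalExample '' … ''`). If the helper only wraps its argument as literal text, which is what the string form suggests, the manual may render these examples empty or fail to build; confirm against its definition. Either keep the plain `example = {` form or quote the set, e.g. `example = literalExample ''{ bond0 = { interfaces = [ "eth0" "wlan0" ]; miimon = 100; }; }'';`. The same applies to the `networking.macvlans`, `networking.sits`, `networking.vlans` and `networking.wlanInterfaces` hunks below. Each `mkOption` body continues outside its hunk.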
@@ -598,7 +598,7 @@ in
     networking.macvlans = mkOption {
       type = types.attrsOf types.optionSet;
       default = { };
-      example = {
+      example = literalExample {
         wan = {
           interface = "enp2s0";
           mode = "vepa";
@@ -629,7 +629,7 @@ in
     networking.sits = mkOption {
       type = types.attrsOf types.optionSet;
       default = { };
-      example = {
+      example = literalExample {
         hurricane = {
           remote = "10.0.0.1";
           local = "10.0.0.22";
@@ -688,7 +688,7 @@ in
 
     networking.vlans = mkOption {
       default = { };
-      example = {
+      example = literalExample {
         vlan0 = {
           id = 3;
           interface = "enp3s0";
@@ -727,7 +727,7 @@ in
 
     networking.wlanInterfaces = mkOption {
       default = { };
-      example = {
+      example = literalExample {
         "wlan-station0" = {
             device = "wlp6s0";
         };
diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix
index 886552f33c2c..c9356c9b4eaa 100644
--- a/nixos/modules/virtualisation/amazon-init.nix
+++ b/nixos/modules/virtualisation/amazon-init.nix
@@ -8,7 +8,7 @@ let
 
     echo "attempting to fetch configuration from EC2 user data..."
 
-    export PATH=${config.nix.package}/bin:${pkgs.systemd}/bin:${pkgs.gnugrep}/bin:${pkgs.gnused}/bin:${config.system.build.nixos-rebuild}/bin:$PATH
+    export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild]}:$PATH
     export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels
 
     userData=/etc/ec2-metadata/user-data
diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix
index 9dc0ce119929..9fac543b03d5 100644
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
@@ -62,10 +62,10 @@ in
 
           echo Register the paths in the Nix database.
           printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-              chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
+              chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
 
           echo Create the system profile to allow nixos-rebuild to work.
-          chroot /mnt ${config.nix.package}/bin/nix-env \
+          chroot /mnt ${config.nix.package.out}/bin/nix-env \
               -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group ""
 
           echo nixos-rebuild requires an /etc/NIXOS.
diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix
index b6b2bd4f69be..bcafc06e47c0 100644
--- a/nixos/modules/virtualisation/brightbox-image.nix
+++ b/nixos/modules/virtualisation/brightbox-image.nix
@@ -62,10 +62,10 @@ in
 
           # Register the paths in the Nix database.
           printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-              chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
+              chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
 
           # Create the system profile to allow nixos-rebuild to work.
-          chroot /mnt ${config.nix.package}/bin/nix-env \
+          chroot /mnt ${config.nix.package.out}/bin/nix-env \
               -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \
               --option build-users-group ""
 
diff --git a/nixos/modules/virtualisation/ec2-amis.nix b/nixos/modules/virtualisation/ec2-amis.nix
index e0aad5e42f20..5257aaf62025 100644
--- a/nixos/modules/virtualisation/ec2-amis.nix
+++ b/nixos/modules/virtualisation/ec2-amis.nix
@@ -90,40 +90,40 @@
   "15.09".us-west-2.pv-ebs = "ami-005fb160";
   "15.09".us-west-2.pv-s3 = "ami-cd55bbad";
 
-  "16.03".ap-northeast-1.hvm-ebs = "ami-885040e6";
-  "16.03".ap-northeast-1.hvm-s3 = "ami-d15a4abf";
-  "16.03".ap-northeast-1.pv-ebs = "ami-7f455511";
-  "16.03".ap-northeast-1.pv-s3 = "ami-6d7d6d03";
-  "16.03".ap-southeast-1.hvm-ebs = "ami-478a5f24";
-  "16.03".ap-southeast-1.hvm-s3 = "ami-b2885dd1";
-  "16.03".ap-southeast-1.pv-ebs = "ami-55b46136";
-  "16.03".ap-southeast-1.pv-s3 = "ami-92b762f1";
-  "16.03".ap-southeast-2.hvm-ebs = "ami-26b09345";
-  "16.03".ap-southeast-2.hvm-s3 = "ami-52ac8f31";
-  "16.03".ap-southeast-2.pv-ebs = "ami-1fb3907c";
-  "16.03".ap-southeast-2.pv-s3 = "ami-49b1922a";
-  "16.03".eu-central-1.hvm-ebs = "ami-2bd63744";
-  "16.03".eu-central-1.hvm-s3 = "ami-82d435ed";
-  "16.03".eu-central-1.pv-ebs = "ami-b729c8d8";
-  "16.03".eu-central-1.pv-s3 = "ami-a12dccce";
-  "16.03".eu-west-1.hvm-ebs = "ami-87c242f4";
-  "16.03".eu-west-1.hvm-s3 = "ami-b6c343c5";
-  "16.03".eu-west-1.pv-ebs = "ami-6bc94918";
-  "16.03".eu-west-1.pv-s3 = "ami-00cb4b73";
-  "16.03".sa-east-1.hvm-ebs = "ami-845cd3e8";
-  "16.03".sa-east-1.hvm-s3 = "ami-8142cded";
-  "16.03".sa-east-1.pv-ebs = "ami-1643cc7a";
-  "16.03".sa-east-1.pv-s3 = "ami-1646c97a";
-  "16.03".us-east-1.hvm-ebs = "ami-2cc4d046";
-  "16.03".us-east-1.hvm-s3 = "ami-9bc9ddf1";
-  "16.03".us-east-1.pv-ebs = "ami-7df4e017";
-  "16.03".us-east-1.pv-s3 = "ami-90f2e6fa";
-  "16.03".us-west-1.hvm-ebs = "ami-d8116db8";
-  "16.03".us-west-1.hvm-s3 = "ami-a7166ac7";
-  "16.03".us-west-1.pv-ebs = "ami-e90c7089";
-  "16.03".us-west-1.pv-s3 = "ami-5b0c703b";
-  "16.03".us-west-2.hvm-ebs = "ami-b339ccd3";
-  "16.03".us-west-2.hvm-s3 = "ami-2c3bce4c";
-  "16.03".us-west-2.pv-ebs = "ami-0625d066";
-  "16.03".us-west-2.pv-s3 = "ami-7414e114";
+  "16.03".ap-northeast-1.hvm-ebs = "ami-b6edf5d8";
+  "16.03".ap-northeast-1.hvm-s3 = "ami-b1e3fbdf";
+  "16.03".ap-northeast-1.pv-ebs = "ami-6190880f";
+  "16.03".ap-northeast-1.pv-s3 = "ami-908d95fe";
+  "16.03".ap-southeast-1.hvm-ebs = "ami-35b16656";
+  "16.03".ap-southeast-1.hvm-s3 = "ami-41be6922";
+  "16.03".ap-southeast-1.pv-ebs = "ami-4cb96e2f";
+  "16.03".ap-southeast-1.pv-s3 = "ami-3bb96e58";
+  "16.03".ap-southeast-2.hvm-ebs = "ami-debc91bd";
+  "16.03".ap-southeast-2.hvm-s3 = "ami-55bc9136";
+  "16.03".ap-southeast-2.pv-ebs = "ami-b38ba6d0";
+  "16.03".ap-southeast-2.pv-s3 = "ami-9e8ba6fd";
+  "16.03".eu-central-1.hvm-ebs = "ami-7c967413";
+  "16.03".eu-central-1.hvm-s3 = "ami-b29072dd";
+  "16.03".eu-central-1.pv-ebs = "ami-7a947615";
+  "16.03".eu-central-1.pv-s3 = "ami-729b791d";
+  "16.03".eu-west-1.hvm-ebs = "ami-ff27a98c";
+  "16.03".eu-west-1.hvm-s3 = "ami-6c21af1f";
+  "16.03".eu-west-1.pv-ebs = "ami-a33cb2d0";
+  "16.03".eu-west-1.pv-s3 = "ami-ec38b69f";
+  "16.03".sa-east-1.hvm-ebs = "ami-5bef6637";
+  "16.03".sa-east-1.hvm-s3 = "ami-55f87139";
+  "16.03".sa-east-1.pv-ebs = "ami-76e56c1a";
+  "16.03".sa-east-1.pv-s3 = "ami-e1f8718d";
+  "16.03".us-east-1.hvm-ebs = "ami-4bfd1926";
+  "16.03".us-east-1.hvm-s3 = "ami-60c5210d";
+  "16.03".us-east-1.pv-ebs = "ami-c0c92dad";
+  "16.03".us-east-1.pv-s3 = "ami-f9d63294";
+  "16.03".us-west-1.hvm-ebs = "ami-13aad473";
+  "16.03".us-west-1.hvm-s3 = "ami-e1a8d681";
+  "16.03".us-west-1.pv-ebs = "ami-c0a6d8a0";
+  "16.03".us-west-1.pv-s3 = "ami-6aa9d70a";
+  "16.03".us-west-2.hvm-ebs = "ami-265dad46";
+  "16.03".us-west-2.hvm-s3 = "ami-cd40b0ad";
+  "16.03".us-west-2.pv-ebs = "ami-7b4aba1b";
+  "16.03".us-west-2.pv-s3 = "ami-0849b968";
 }
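Review bot: All 36 `"16.03"` image IDs are swapped in this hunk, and nothing in the file records where the new ones come from. These strings decide which machine image a deployment boots, so a reader should be able to check them against the publisher rather than trust the table as given. I would add a comment above the block such as `# 16.03 AMIs: built from <release tag or commit>, published by AWS account <owner id>`, filled in with the real values. If the table is produced by a script, name it in the same comment. The attribute set opens outside this hunk.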
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 77074b882468..38417315df5b 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -66,10 +66,10 @@ in
 
           # Register the paths in the Nix database.
           printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-              chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
+              chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
 
           # Create the system profile to allow nixos-rebuild to work.
-          chroot /mnt ${config.nix.package}/bin/nix-env \
+          chroot /mnt ${config.nix.package.out}/bin/nix-env \
               -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \
               --option build-users-group ""
 
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index d9b866d2e55e..8aa643687557 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -403,7 +403,7 @@ in
     boot.postBootCommands =
       ''
         if [[ "$(cat /proc/cmdline)" =~ regInfo=([^ ]*) ]]; then
-          ${config.nix.package}/bin/nix-store --load-db < ''${BASH_REMATCH[1]}
+          ${config.nix.package.out}/bin/nix-store --load-db < ''${BASH_REMATCH[1]}
         fi
       '';