diff options
Diffstat (limited to 'nixos/modules')
35 files changed, 681 insertions, 228 deletions
diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index ddb00f174d1a..4a1983167957 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -12,7 +12,7 @@ let # CD. These are installed into the "nixos" channel of the root # user, as expected by nixos-rebuild/nixos-install. FIXME: merge # with make-channel.nix. - channelSources = pkgs.runCommand "nixos-${config.system.nixosVersion}" + channelSources = pkgs.runCommand "nixos-${config.system.nixos.version}" { } '' mkdir -p $out @@ -21,7 +21,7 @@ let if [ ! -e $out/nixos/nixpkgs ]; then ln -s . $out/nixos/nixpkgs fi - echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix + echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix ''; in diff --git a/nixos/modules/installer/cd-dvd/installation-cd-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-base.nix index 2569860a098f..756c8751d00e 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix @@ -16,7 +16,7 @@ with lib; ]; # ISO naming. - isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixosLabel}-${pkgs.stdenv.system}.iso"; + isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixos.label}-${pkgs.stdenv.system}.iso"; isoImage.volumeID = substring 0 11 "NIXOS_ISO"; diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index a039f7fdcb6e..811449e9fe7e 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -39,31 +39,31 @@ let DEFAULT boot LABEL boot - MENU LABEL NixOS ${config.system.nixosLabel}${config.isoImage.appendToMenuLabel} - LINUX /boot/bzImage + MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} + LINUX /boot/${config.system.boot.loader.kernelFile} APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} - INITRD /boot/initrd + INITRD /boot/${config.system.boot.loader.initrdFile} # A variant to boot with 'nomodeset' LABEL boot-nomodeset - MENU LABEL NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} (nomodeset) - LINUX /boot/bzImage + MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (nomodeset) + LINUX /boot/${config.system.boot.loader.kernelFile} APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset - INITRD /boot/initrd + INITRD /boot/${config.system.boot.loader.initrdFile} # A variant to boot with 'copytoram' LABEL boot-copytoram - MENU LABEL NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} (copytoram) - LINUX /boot/bzImage + MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (copytoram) + LINUX /boot/${config.system.boot.loader.kernelFile} APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} copytoram - INITRD /boot/initrd + INITRD /boot/${config.system.boot.loader.initrdFile} # A variant to boot with verbose logging to the console LABEL boot-nomodeset - MENU LABEL NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} (debug) - LINUX /boot/bzImage + MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (debug) + LINUX /boot/${config.system.boot.loader.kernelFile} APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} loglevel=7 - INITRD /boot/initrd + INITRD /boot/${config.system.boot.loader.initrdFile} ''; isolinuxMemtest86Entry = '' @@ -82,35 +82,35 @@ let mkdir -p $out/loader/entries cat << EOF > $out/loader/entries/nixos-iso.conf - title NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} - linux /boot/bzImage - initrd /boot/initrd + title NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} + linux /boot/${config.system.boot.loader.kernelFile} + initrd /boot/${config.system.boot.loader.initrdFile} options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} EOF # A variant to boot with 'nomodeset' cat << EOF > $out/loader/entries/nixos-iso-nomodeset.conf - title NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} + title NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} version nomodeset - linux /boot/bzImage - initrd /boot/initrd + linux /boot/${config.system.boot.loader.kernelFile} + initrd /boot/${config.system.boot.loader.initrdFile} options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset EOF # A variant to boot with 'copytoram' cat << EOF > $out/loader/entries/nixos-iso-copytoram.conf - title NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} + title NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} version copytoram - linux /boot/bzImage - initrd /boot/initrd + linux /boot/${config.system.boot.loader.kernelFile} + initrd /boot/${config.system.boot.loader.initrdFile} options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} copytoram EOF # A variant to boot with verbose logging to the console cat << EOF > $out/loader/entries/nixos-iso-debug.conf - title NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} (debug) - linux /boot/bzImage - initrd /boot/initrd + title NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (debug) + linux /boot/${config.system.boot.loader.kernelFile} + initrd /boot/${config.system.boot.loader.initrdFile} options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} loglevel=7 EOF @@ -127,8 +127,8 @@ let mkdir ./contents && cd ./contents cp -rp "${efiDir}"/* . mkdir ./boot - cp -p "${config.boot.kernelPackages.kernel}/bzImage" \ - "${config.system.build.initialRamdisk}/initrd" ./boot/ + cp -p "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}" \ + "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}" ./boot/ touch --date=@0 ./* usage_size=$(du -sb --apparent-size . | tr -cd '[:digit:]') @@ -346,11 +346,11 @@ in }; target = "/isolinux/isolinux.cfg"; } - { source = config.boot.kernelPackages.kernel + "/bzImage"; - target = "/boot/bzImage"; + { source = config.boot.kernelPackages.kernel + "/" + config.system.boot.loader.kernelFile; + target = "/boot/" + config.system.boot.loader.kernelFile; } - { source = config.system.build.initialRamdisk + "/initrd"; - target = "/boot/initrd"; + { source = config.system.build.initialRamdisk + "/" + config.system.boot.loader.initrdFile; + target = "/boot/" + config.system.boot.loader.initrdFile; } { source = config.system.build.squashfsStore; target = "/nix-store.squashfs"; @@ -361,7 +361,7 @@ in { source = config.isoImage.splashImage; target = "/isolinux/background.png"; } - { source = pkgs.writeText "version" config.system.nixosVersion; + { source = pkgs.writeText "version" config.system.nixos.label; target = "/version.txt"; } ] ++ optionals config.isoImage.makeEfiBootable [ diff --git a/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixos/modules/installer/cd-dvd/system-tarball.nix index 1962a1959ead..e72d4a5b4910 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball.nix @@ -8,7 +8,7 @@ with lib; let - versionFile = pkgs.writeText "nixos-version" config.system.nixosVersion; + versionFile = pkgs.writeText "nixos-label" config.system.nixos.label; in @@ -58,8 +58,8 @@ in # Individual files to be included on the CD, outside of the Nix # store on the CD. tarball.contents = - [ { source = config.system.build.initialRamdisk + "/initrd"; - target = "/boot/initrd"; + [ { source = config.system.build.initialRamdisk + "/" + config.system.boot.loader.initrdFile; + target = "/boot/" + config.system.boot.loader.initrdFile; } { source = versionFile; target = "/nixos-version.txt"; diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 7c737e84de0a..a82ee63fd0cd 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -625,7 +625,7 @@ $bootLoaderConfig # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. - system.stateVersion = "${\(qw(@nixosRelease@))}"; # Did you read the comment? + system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment? } EOF diff --git a/nixos/modules/installer/tools/nixos-version.sh b/nixos/modules/installer/tools/nixos-version.sh index 77a1b458a342..190c49a33ec6 100644 --- a/nixos/modules/installer/tools/nixos-version.sh +++ b/nixos/modules/installer/tools/nixos-version.sh @@ -6,9 +6,9 @@ case "$1" in exit 1 ;; --hash|--revision) - echo "@nixosRevision@" + echo "@revision@" ;; *) - echo "@nixosVersion@ (@nixosCodeName@)" + echo "@version@ (@codeName@)" ;; esac diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index a3bae78c0ffc..eab5f1147667 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -55,7 +55,7 @@ let src = ./nixos-generate-config.pl; path = [ pkgs.btrfs-progs ]; perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl"; - inherit (config.system) nixosRelease; + inherit (config.system.nixos) release; }; nixos-option = makeProg { @@ -66,7 +66,7 @@ let nixos-version = makeProg { name = "nixos-version"; src = ./nixos-version.sh; - inherit (config.system) nixosVersion nixosCodeName nixosRevision; + inherit (config.system.nixos) version codeName revision; }; in diff --git a/nixos/modules/misc/label.nix b/nixos/modules/misc/label.nix new file mode 100644 index 000000000000..250914e8f82e --- /dev/null +++ b/nixos/modules/misc/label.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.system.nixos; +in + +{ + + options.system = { + + nixos.label = mkOption { + type = types.str; + description = '' + NixOS version name to be used in the names of generated + outputs and boot labels. + + If you ever wanted to influence the labels in your GRUB menu, + this is the option for you. + + The default is <option>system.nixos.tags</option> separated by + "-" + "-" + <envar>NIXOS_LABEL_VERSION</envar> environment + variable (defaults to the value of + <option>system.nixos.version</option>). + + Can be overriden by setting <envar>NIXOS_LABEL</envar>. + + Useful for not loosing track of configurations built from different + nixos branches/revisions, e.g.: + + <screen> + #!/bin/sh + today=`date +%Y%m%d` + branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')` + revision=`(cd nixpkgs ; git rev-parse HEAD)` + export NIXOS_LABEL_VERSION="$today.$branch-''${revision:0:7}" + nixos-rebuild switch</screen> + ''; + }; + + nixos.tags = mkOption { + type = types.listOf types.str; + default = []; + example = [ "with-xen" ]; + description = '' + Strings to prefix to the default + <option>system.nixos.label</option>. + + Useful for not loosing track of configurations built with + different options, e.g.: + + <screen> + { + system.nixos.tags = [ "with-xen" ]; + virtualisation.xen.enable = true; + } + </screen> + ''; + }; + + }; + + config = { + # This is set here rather than up there so that changing it would + # not rebuild the manual + system.nixos.label = mkDefault (maybeEnv "NIXOS_LABEL" + (concatStringsSep "-" (sort (x: y: x < y) cfg.tags) + + "-" + maybeEnv "NIXOS_LABEL_VERSION" cfg.version)); + }; + +} diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 48cde2ebbc8a..6af584250a70 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -3,7 +3,7 @@ with lib; let - cfg = config.system; + cfg = config.system.nixos; releaseFile = "${toString pkgs.path}/.version"; suffixFile = "${toString pkgs.path}/.version-suffix"; @@ -16,51 +16,27 @@ in options.system = { - stateVersion = mkOption { - type = types.str; - default = cfg.nixosRelease; - description = '' - Every once in a while, a new NixOS release may change - configuration defaults in a way incompatible with stateful - data. For instance, if the default version of PostgreSQL - changes, the new version will probably be unable to read your - existing databases. To prevent such breakage, you can set the - value of this option to the NixOS release with which you want - to be compatible. The effect is that NixOS will option - defaults corresponding to the specified release (such as using - an older version of PostgreSQL). - ''; - }; - - nixosLabel = mkOption { - type = types.str; - description = '' - Label to be used in the names of generated outputs and boot - labels. - ''; - }; - - nixosVersion = mkOption { + nixos.version = mkOption { internal = true; type = types.str; description = "The full NixOS version (e.g. <literal>16.03.1160.f2d4ee1</literal>)."; }; - nixosRelease = mkOption { + nixos.release = mkOption { readOnly = true; type = types.str; default = fileContents releaseFile; description = "The NixOS release (e.g. <literal>16.03</literal>)."; }; - nixosVersionSuffix = mkOption { + nixos.versionSuffix = mkOption { internal = true; type = types.str; default = if pathExists suffixFile then fileContents suffixFile else "pre-git"; description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>)."; }; - nixosRevision = mkOption { + nixos.revision = mkOption { internal = true; type = types.str; default = if pathIsDirectory gitRepo then commitIdFromGitRepo gitRepo @@ -69,12 +45,28 @@ in description = "The Git revision from which this NixOS configuration was built."; }; - nixosCodeName = mkOption { + nixos.codeName = mkOption { readOnly = true; type = types.str; description = "The NixOS release code name (e.g. <literal>Emu</literal>)."; }; + stateVersion = mkOption { + type = types.str; + default = cfg.release; + description = '' + Every once in a while, a new NixOS release may change + configuration defaults in a way incompatible with stateful + data. For instance, if the default version of PostgreSQL + changes, the new version will probably be unable to read your + existing databases. To prevent such breakage, you can set the + value of this option to the NixOS release with which you want + to be compatible. The effect is that NixOS will option + defaults corresponding to the specified release (such as using + an older version of PostgreSQL). + ''; + }; + defaultChannel = mkOption { internal = true; type = types.str; @@ -86,16 +78,15 @@ in config = { - system = { + system.nixos = { # These defaults are set here rather than up there so that # changing them would not rebuild the manual - nixosLabel = mkDefault cfg.nixosVersion; - nixosVersion = mkDefault (cfg.nixosRelease + cfg.nixosVersionSuffix); - nixosRevision = mkIf (pathIsDirectory gitRepo) (mkDefault gitCommitId); - nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId)); + version = mkDefault (cfg.release + cfg.versionSuffix); + revision = mkIf (pathIsDirectory gitRepo) (mkDefault gitCommitId); + versionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId)); # Note: code names must only increase in alphabetical order. - nixosCodeName = "Impala"; + codeName = "Impala"; }; # Generate /etc/os-release. See @@ -105,10 +96,10 @@ in '' NAME=NixOS ID=nixos - VERSION="${config.system.nixosVersion} (${config.system.nixosCodeName})" - VERSION_CODENAME=${toLower config.system.nixosCodeName} - VERSION_ID="${config.system.nixosVersion}" - PRETTY_NAME="NixOS ${config.system.nixosVersion} (${config.system.nixosCodeName})" + VERSION="${cfg.version} (${cfg.codeName})" + VERSION_CODENAME=${toLower cfg.codeName} + VERSION_ID="${cfg.version}" + PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})" HOME_URL="https://nixos.org/" SUPPORT_URL="https://nixos.org/nixos/support.html" BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues" diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 35f5e87d7e5e..795f6fda3053 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -60,6 +60,7 @@ ./misc/extra-arguments.nix ./misc/ids.nix ./misc/lib.nix + ./misc/label.nix ./misc/locate.nix ./misc/meta.nix ./misc/nixpkgs.nix @@ -509,6 +510,7 @@ ./services/networking/ngircd.nix ./services/networking/nghttpx/default.nix ./services/networking/nix-serve.nix + ./services/networking/nixops-dns.nix ./services/networking/nntp-proxy.nix ./services/networking/nsd.nix ./services/networking/ntopng.nix @@ -694,6 +696,7 @@ ./services/x11/xserver.nix ./system/activation/activation-script.nix ./system/activation/top-level.nix + ./system/boot/binfmt.nix ./system/boot/coredump.nix ./system/boot/emergency-mode.nix ./system/boot/grow-partition.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 7351482f957f..da83baed3719 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -189,6 +189,14 @@ with lib; # Profile splitting (mkRenamedOptionModule [ "virtualization" "growPartition" ] [ "boot" "growPartition" ]) + # misc/version.nix + (mkRenamedOptionModule [ "config" "system" "nixosVersion" ] [ "config" "system" "nixos" "version" ]) + (mkRenamedOptionModule [ "config" "system" "nixosRelease" ] [ "config" "system" "nixos" "release" ]) + (mkRenamedOptionModule [ "config" "system" "nixosVersionSuffix" ] [ "config" "system" "nixos" "versionSuffix" ]) + (mkRenamedOptionModule [ "config" "system" "nixosRevision" ] [ "config" "system" "nixos" "revision" ]) + (mkRenamedOptionModule [ "config" "system" "nixosCodeName" ] [ "config" "system" "nixos" "codeName" ]) + (mkRenamedOptionModule [ "config" "system" "nixosLabel" ] [ "config" "system" "nixos" "label" ]) + # Options that are obsolete and have no replacement. (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") @@ -205,6 +213,8 @@ with lib; "See the 16.09 release notes for more information.") (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + (mkRemovedOptionModule [ "services" "firefox" "syncserver" "user" ] "") + (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "") (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] "Set the option `services.xserver.displayManager.sddm.package' instead.") diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 22af7e876af2..5ab331ac067f 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -414,7 +414,10 @@ in postmasterAlias = mkOption { type = types.str; default = "root"; - description = "Who should receive postmaster e-mail."; + description = " + Who should receive postmaster e-mail. Multiple values can be added by + separating values with comma. + "; }; rootAlias = mkOption { @@ -422,6 +425,7 @@ in default = ""; description = " Who should receive root e-mail. Blank for no redirection. + Multiple values can be added by separating values with comma. "; }; diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 41cadb4a6de0..5d0f2abd13a9 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -16,10 +16,10 @@ let It isn't perfect, but it seems to cover a vast majority of use cases. Caveat: even if the package is reached by a different means, the path above will be shown and not e.g. `${config.services.foo.package}`. */ - manual = import ../../../doc/manual { + manual = import ../../../doc/manual rec { inherit pkgs config; - version = config.system.nixosRelease; - revision = "release-${config.system.nixosRelease}"; + version = config.system.nixos.release; + revision = "release-${version}"; options = let scrubbedEval = evalModules { diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/ssm-agent.nix index c1e1f0903539..a57fbca86fb6 100644 --- a/nixos/modules/services/misc/ssm-agent.nix +++ b/nixos/modules/services/misc/ssm-agent.nix @@ -12,7 +12,7 @@ let case "$1" in -i) echo "nixos";; - -r) echo "${config.system.nixosVersion}";; + -r) echo "${config.system.nixos.version}";; esac ''; in { diff --git a/nixos/modules/services/networking/dante.nix b/nixos/modules/services/networking/dante.nix index a9a77f3412af..32acce51e692 100644 --- a/nixos/modules/services/networking/dante.nix +++ b/nixos/modules/services/networking/dante.nix @@ -47,7 +47,7 @@ in systemd.services.dante = { description = "Dante SOCKS v4 and v5 compatible proxy server"; - after = [ "network.target" ]; + after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index d283c7624335..d10b72ecf058 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -16,7 +16,7 @@ let # Don't start dhcpcd on explicitly configured interfaces or on # interfaces that are part of a bridge, bond or sit device. ignoredInterfaces = - map (i: i.name) (filter (i: if i.useDHCP != null then !i.useDHCP else i.ip4 != [ ] || i.ipAddress != null) interfaces) + map (i: i.name) (filter (i: if i.useDHCP != null then !i.useDHCP else i.ipv4.addresses != [ ]) interfaces) ++ mapAttrsToList (i: _: i) config.networking.sits ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bridges)) ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.vswitches)) diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index a9f3fd65d76b..97d223a56cab 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -33,6 +33,8 @@ let in { + meta.maintainers = with lib.maintainers; [ nadrieril ]; + options = { services.firefox.syncserver = { enable = mkOption { @@ -70,18 +72,6 @@ in ''; }; - user = mkOption { - type = types.str; - default = "syncserver"; - description = "User account under which syncserver runs."; - }; - - group = mkOption { - type = types.str; - default = "syncserver"; - description = "Group account under which syncserver runs."; - }; - publicUrl = mkOption { type = types.str; default = "http://localhost:5000/"; @@ -137,7 +127,9 @@ in config = mkIf cfg.enable { systemd.services.syncserver = let - syncServerEnv = pkgs.python.withPackages(ps: with ps; [ syncserver pasteScript ]); + syncServerEnv = pkgs.python.withPackages(ps: with ps; [ syncserver pasteScript requests ]); + user = "syncserver"; + group = "syncserver"; in { after = [ "network.target" ]; description = "Firefox Sync Server"; @@ -145,43 +137,43 @@ in path = [ pkgs.coreutils syncServerEnv ]; serviceConfig = { - User = cfg.user; - Group = cfg.group; + User = user; + Group = group; PermissionsStartOnly = true; }; preStart = '' if ! test -e ${cfg.privateConfig}; then - mkdir -m 700 -p $(dirname ${cfg.privateConfig}) + mkdir -p $(dirname ${cfg.privateConfig}) echo > ${cfg.privateConfig} '[syncserver]' + chmod 600 ${cfg.privateConfig} echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" fi - chown ${cfg.user}:${cfg.group} ${cfg.privateConfig} + chmod 600 ${cfg.privateConfig} + chmod 755 $(dirname ${cfg.privateConfig}) + chown ${user}:${group} ${cfg.privateConfig} + '' + optionalString (cfg.sqlUri == defaultSqlUri) '' if ! test -e $(dirname ${defaultDbLocation}); then mkdir -m 700 -p $(dirname ${defaultDbLocation}) - chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation}) + chown ${user}:${group} $(dirname ${defaultDbLocation}) fi + # Move previous database file if it exists oldDb="/var/db/firefox-sync-server.db" if test -f $oldDb; then mv $oldDb ${defaultDbLocation} - chown ${cfg.user}:${cfg.group} ${defaultDbLocation} + chown ${user}:${group} ${defaultDbLocation} fi ''; serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}"; }; - users.extraUsers = optionalAttrs (cfg.user == "syncserver") - (singleton { - name = "syncserver"; - group = cfg.group; - isSystemUser = true; - }); - - users.extraGroups = optionalAttrs (cfg.group == "syncserver") - (singleton { - name = "syncserver"; - }); + users.users.syncserver = { + group = "syncserver"; + isSystemUser = true; + }; + + users.groups.syncserver = {}; }; } diff --git a/nixos/modules/services/networking/freeradius.nix b/nixos/modules/services/networking/freeradius.nix new file mode 100644 index 000000000000..45cba1ce2770 --- /dev/null +++ b/nixos/modules/services/networking/freeradius.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.freeradius; + + freeradiusService = cfg: + { + description = "FreeRadius server"; + wantedBy = ["multi-user.target"]; + after = ["network-online.target"]; + wants = ["network-online.target"]; + preStart = '' + ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ''; + + serviceConfig = { + ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout -xx"; + ExecReload = [ + "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout" + "${pkgs.coreutils}/bin/kill -HUP $MAINPID" + ]; + User = "radius"; + ProtectSystem = "full"; + ProtectHome = "on"; + Restart = "on-failure"; + RestartSec = 2; + }; + }; + + freeradiusConfig = { + enable = mkEnableOption "the freeradius server"; + + configDir = mkOption { + type = types.path; + default = "/etc/raddb"; + description = '' + The path of the freeradius server configuration directory. + ''; + }; + + }; + +in + +{ + + ###### interface + + options = { + services.freeradius = freeradiusConfig; + }; + + + ###### implementation + + config = mkIf (cfg.enable) { + + users = { + extraUsers.radius = { + /*uid = config.ids.uids.radius;*/ + description = "Radius daemon user"; + }; + }; + + systemd.services.freeradius = freeradiusService cfg; + + }; + +} diff --git a/nixos/modules/services/networking/nixops-dns.nix b/nixos/modules/services/networking/nixops-dns.nix new file mode 100644 index 000000000000..2bb1263b7fa2 --- /dev/null +++ b/nixos/modules/services/networking/nixops-dns.nix @@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + pkg = pkgs.nixops-dns; + cfg = config.services.nixops-dns; +in + +{ + options = { + services.nixops-dns = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the nixops-dns resolution + of NixOps virtual machines via dnsmasq and fake domain name. + ''; + }; + + user = mkOption { + type = types.str; + description = '' + The user the nixops-dns daemon should run as. + This should be the user, which is also used for nixops and + have the .nixops directory in its home. + ''; + }; + + domain = mkOption { + type = types.str; + description = '' + Fake domain name to resolve to NixOps virtual machines. + + For example "ops" will resolve "vm.ops". + ''; + example = "ops"; + default = "ops"; + }; + + dnsmasq = mkOption { + type = types.bool; + default = true; + description = '' + Enable dnsmasq forwarding to nixops-dns. This allows to use + nixops-dns for `services.nixops-dns.domain` resolution + while forwarding the rest of the queries to original resolvers. + ''; + }; + + }; + }; + + config = mkIf cfg.enable { + systemd.services.nixops-dns = { + description = "nixops-dns: DNS server for resolving NixOps machines"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + User = cfg.user; + ExecStart="${pkg}/bin/nixops-dns --domain=.${cfg.domain}"; + }; + }; + + services.dnsmasq = mkIf cfg.dnsmasq { + enable = true; + resolveLocalQueries = true; + servers = [ + "/${cfg.domain}/127.0.0.1#5300" + ]; + extraConfig = '' + bind-interfaces + listen-address=127.0.0.1 + ''; + }; + + }; +} diff --git a/nixos/modules/services/security/hologram-agent.nix b/nixos/modules/services/security/hologram-agent.nix index 6c53a2df6306..39ed506f7617 100644 --- a/nixos/modules/services/security/hologram-agent.nix +++ b/nixos/modules/services/security/hologram-agent.nix @@ -35,10 +35,9 @@ in { config = mkIf cfg.enable { boot.kernelModules = [ "dummy" ]; - networking.interfaces.dummy0 = { - ipAddress = "169.254.169.254"; - prefixLength = 32; - }; + networking.interfaces.dummy0.ipv4.addresses = [ + { address = "169.254.169.254"; prefixLength = 32; } + ]; systemd.services.hologram-agent = { description = "Provide EC2 instance credentials to machines outside of EC2"; diff --git a/nixos/modules/services/ttys/agetty.nix b/nixos/modules/services/ttys/agetty.nix index 3429397d2cc2..b50de496e975 100644 --- a/nixos/modules/services/ttys/agetty.nix +++ b/nixos/modules/services/ttys/agetty.nix @@ -64,8 +64,8 @@ in config = { # Note: this is set here rather than up there so that changing - # nixosLabel would not rebuild manual pages - services.mingetty.greetingLine = mkDefault ''<<< Welcome to NixOS ${config.system.nixosLabel} (\m) - \l >>>''; + # nixos.label would not rebuild manual pages + services.mingetty.greetingLine = mkDefault ''<<< Welcome to NixOS ${config.system.nixos.label} (\m) - \l >>>''; systemd.services."getty@" = { serviceConfig.ExecStart = [ diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 100fabf902f8..dee877f1c114 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -578,6 +578,7 @@ in mkdir -p ${cfg.stateDir}/logs chmod 700 ${cfg.stateDir} chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir} + ${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir} -t ''; serviceConfig = { ExecStart = "${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir}"; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 0c50241f2edf..091a2e412eed 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -30,6 +30,8 @@ let let kernelPath = "${config.boot.kernelPackages.kernel}/" + "${config.system.boot.loader.kernelFile}"; + initrdPath = "${config.system.build.initialRamdisk}/" + + "${config.system.boot.loader.initrdFile}"; in '' mkdir $out @@ -50,7 +52,7 @@ let echo -n "$kernelParams" > $out/kernel-params - ln -s ${config.system.build.initialRamdisk}/initrd $out/initrd + ln -s ${initrdPath} $out/initrd ln -s ${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets $out @@ -106,7 +108,7 @@ let if [] == failed then pkgs.stdenvNoCC.mkDerivation { name = let hn = config.networking.hostName; nn = if (hn != "") then hn else "unnamed"; - in "nixos-system-${nn}-${config.system.nixosLabel}"; + in "nixos-system-${nn}-${config.system.nixos.label}"; preferLocalBuild = true; allowSubstitutes = false; buildCommand = systemBuilder; @@ -120,7 +122,7 @@ let config.system.build.installBootLoader or "echo 'Warning: do not know how to make this configuration bootable; please enable a boot loader.' 1>&2; true"; activationScript = config.system.activationScripts.script; - nixosLabel = config.system.nixosLabel; + nixosLabel = config.system.nixos.label; configurationName = config.boot.loader.grub.configurationName; @@ -179,6 +181,15 @@ in ''; }; + system.boot.loader.initrdFile = mkOption { + internal = true; + default = "initrd"; + type = types.str; + description = '' + Name of the initrd file to be passed to the bootloader. + ''; + }; + system.copySystemConfiguration = mkOption { type = types.bool; default = false; diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix new file mode 100644 index 000000000000..15e84dc021e2 --- /dev/null +++ b/nixos/modules/system/boot/binfmt.nix @@ -0,0 +1,139 @@ +{ config, lib, ... }: +let + inherit (lib) mkOption types optionalString; + + cfg = config.boot.binfmtMiscRegistrations; + + makeBinfmtLine = name: { recognitionType, offset, magicOrExtension + , mask, preserveArgvZero, openBinary + , matchCredentials, fixBinary, ... + }: let + type = if recognitionType == "magic" then "M" else "E"; + offset' = toString offset; + mask' = toString mask; + interpreter = "/run/binfmt/${name}"; + flags = if !(matchCredentials -> openBinary) + then throw "boot.binfmtMiscRegistrations.${name}: you can't specify openBinary = false when matchCredentials = true." + else optionalString preserveArgvZero "P" + + optionalString (openBinary && !matchCredentials) "O" + + optionalString matchCredentials "C" + + optionalString fixBinary "F"; + in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}"; + + binfmtFile = builtins.toFile "binfmt_nixos.conf" + (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine cfg)); + + activationSnippet = name: { interpreter, ... }: + "ln -sf ${interpreter} /run/binfmt/${name}"; + activationScript = '' + mkdir -p -m 0755 /run/binfmt + ${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet cfg)} + ''; +in { + options = { + boot.binfmtMiscRegistrations = mkOption { + default = {}; + + description = '' + Extra binary formats to register with the kernel. + See https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html for more details. + ''; + + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + recognitionType = mkOption { + default = "magic"; + description = "Whether to recognize executables by magic number or extension."; + type = types.enum [ "magic" "extension" ]; + }; + + offset = mkOption { + default = null; + description = "The byte offset of the magic number used for recognition."; + type = types.nullOr types.int; + }; + + magicOrExtension = mkOption { + description = "The magic number or extension to match on."; + type = types.str; + }; + + mask = mkOption { + default = null; + description = + "A mask to be ANDed with the byte sequence of the file before matching"; + type = types.nullOr types.str; + }; + + interpreter = mkOption { + description = '' + The interpreter to invoke to run the program. + + Note that the actual registration will point to + /run/binfmt/''${name}, so the kernel interpreter length + limit doesn't apply. + ''; + type = types.path; + }; + + preserveArgvZero = mkOption { + default = false; + description = '' + Whether to pass the original argv[0] to the interpreter. + + See the description of the 'P' flag in the kernel docs + for more details; + ''; + type = types.bool; + }; + + openBinary = mkOption { + default = config.matchCredentials; + description = '' + Whether to pass the binary to the interpreter as an open + file descriptor, instead of a path. + ''; + type = types.bool; + }; + + matchCredentials = mkOption { + default = false; + description = '' + Whether to launch with the credentials and security + token of the binary, not the interpreter (e.g. setuid + bit). + + See the description of the 'C' flag in the kernel docs + for more details. + + Implies/requires openBinary = true. + ''; + type = types.bool; + }; + + fixBinary = mkOption { + default = false; + description = '' + Whether to open the interpreter file as soon as the + registration is loaded, rather than waiting for a + relevant file to be invoked. + + See the description of the 'F' flag in the kernel docs + for more details. + ''; + type = types.bool; + }; + }; + })); + }; + }; + + config = lib.mkIf (cfg != {}) { + environment.etc."binfmt.d/nixos.conf".source = binfmtFile; + system.activationScripts.binfmt = activationScript; + systemd.additionalUpstreamSystemUnits = + [ "proc-sys-fs-binfmt_misc.automount" + "proc-sys-fs-binfmt_misc.mount" + ]; + }; +} diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index d78f9d9389c6..3bd7d3558269 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -184,7 +184,7 @@ in [ "loglevel=${toString config.boot.consoleLogLevel}" ] ++ optionals config.boot.vesa [ "vga=0x317" ]; - boot.kernel.sysctl."kernel.printk" = config.boot.consoleLogLevel; + boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel; boot.kernelModules = [ "loop" "atkbd" ]; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 051c55393816..eea10613ea58 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -94,7 +94,7 @@ let checkNetwork = checkUnitConfig "Network" [ (assertOnlyFields [ "Description" "DHCP" "DHCPServer" "IPForward" "IPMasquerade" "IPv4LL" "IPv4LLRoute" - "LLMNR" "MulticastDNS" "Domains" "Bridge" "Bond" + "LLMNR" "MulticastDNS" "Domains" "Bridge" "Bond" "IPv6PrivacyExtensions" ]) (assertValueOneOf "DHCP" ["both" "none" "v4" "v6"]) (assertValueOneOf "DHCPServer" boolValues) @@ -104,6 +104,7 @@ let (assertValueOneOf "IPv4LLRoute" boolValues) (assertValueOneOf "LLMNR" boolValues) (assertValueOneOf "MulticastDNS" boolValues) + (assertValueOneOf "IPv6PrivacyExtensions" ["yes" "no" "prefer-public" "kernel"]) ]; checkAddress = checkUnitConfig "Address" [ diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix index e78fdf1311d3..f8fb8a64cb9b 100644 --- a/nixos/modules/system/boot/plymouth.nix +++ b/nixos/modules/system/boot/plymouth.nix @@ -10,7 +10,7 @@ let breezePlymouth = pkgs.breeze-plymouth.override { nixosBranding = true; - nixosVersion = config.system.nixosRelease; + nixosVersion = config.system.nixos.release; }; themesEnv = pkgs.buildEnv { diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 63d07832d105..66732ce7732e 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -20,14 +20,8 @@ let "sys-subsystem-net-devices-${escapeSystemdPath interface}.device"; interfaceIps = i: - i.ip4 ++ optionals cfg.enableIPv6 i.ip6 - ++ optional (i.ipAddress != null) { - address = i.ipAddress; - prefixLength = i.prefixLength; - } ++ optional (cfg.enableIPv6 && i.ipv6Address != null) { - address = i.ipv6Address; - prefixLength = i.ipv6PrefixLength; - }; + i.ipv4.addresses + ++ optionals cfg.enableIPv6 i.ipv6.addresses; destroyBond = i: '' while true; do @@ -185,33 +179,58 @@ let path = [ pkgs.iproute ]; script = '' - # FIXME: shouldn't this be done in network-link? - echo "bringing up interface..." - ip link set "${i.name}" up - state="/run/nixos/network/addresses/${i.name}" + mkdir -p $(dirname "$state") + ${flip concatMapStrings ips (ip: + let + cidr = "${ip.address}/${toString ip.prefixLength}"; + in + '' + echo "${cidr}" >> $state + echo -n "adding address ${cidr}... " + if out=$(ip addr add "${cidr}" dev "${i.name}" 2>&1); then + echo "done" + elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then + echo "failed" + exit 1 + fi + '' + )} + + state="/run/nixos/network/routes/${i.name}" mkdir -p $(dirname "$state") - '' + flip concatMapStrings (ips) (ip: - let - address = "${ip.address}/${toString ip.prefixLength}"; - in - '' - echo "${address}" >> $state - if out=$(ip addr add "${address}" dev "${i.name}" 2>&1); then - echo "added ip ${address}" - elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then - echo "failed to add ${address}" - exit 1 - fi - ''); + ${flip concatMapStrings (i.ipv4.routes ++ i.ipv6.routes) (route: + let + cidr = "${route.address}/${toString route.prefixLength}"; + via = optionalString (route.via != null) ''via "${route.via}"''; + options = concatStrings (mapAttrsToList (name: val: "${name} ${val} ") route.options); + in + '' + echo "${cidr}" >> $state + echo -n "adding route ${cidr}... " + if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" 2>&1); then + echo "done" + elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then + echo "failed" + exit 1 + fi + '' + )} + ''; preStop = '' + state="/run/nixos/network/routes/${i.name}" + while read cidr; do + echo -n "deleting route $cidr... " + ip route del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed" + done < "$state" + rm -f "$state" + state="/run/nixos/network/addresses/${i.name}" - while read address; do - echo -n "deleting $address..." - ip addr del "$address" dev "${i.name}" >/dev/null 2>&1 || echo -n " Failed" - echo "" + while read cidr; do + echo -n "deleting address $cidr... " + ip addr del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed" done < "$state" rm -f "$state" ''; diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 5d72ad0f1bde..c640e886fca8 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -9,14 +9,8 @@ let interfaces = attrValues cfg.interfaces; interfaceIps = i: - i.ip4 ++ optionals cfg.enableIPv6 i.ip6 - ++ optional (i.ipAddress != null) { - address = i.ipAddress; - prefixLength = i.prefixLength; - } ++ optional (cfg.enableIPv6 && i.ipv6Address != null) { - address = i.ipv6Address; - prefixLength = i.ipv6PrefixLength; - }; + i.ipv4.addresses + ++ optionals cfg.enableIPv6 i.ipv6.addresses; dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "none"; @@ -91,6 +85,7 @@ in (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); address = flip map (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); + networkConfig.IPv6PrivacyExtensions = "kernel"; } ]; }))) (mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: { diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f4851988d63d..5036b701bd86 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, utils, stdenv, ... }: +{ config, options, lib, pkgs, utils, stdenv, ... }: with lib; with utils; @@ -101,7 +101,7 @@ let address = mkOption { type = types.str; description = '' - IPv${toString v} address of the interface. Leave empty to configure the + IPv${toString v} address of the interface. Leave empty to configure the interface using DHCP. ''; }; @@ -116,6 +116,40 @@ let }; }; + routeOpts = v: + { options = { + address = mkOption { + type = types.str; + description = "IPv${toString v} address of the network."; + }; + + prefixLength = mkOption { + type = types.addCheck types.int (n: n >= 0 && n <= (if v == 4 then 32 else 128)); + description = '' + Subnet mask of the network, specified as the number of + bits in the prefix (<literal>${if v == 4 then "24" else "64"}</literal>). + ''; + }; + + via = mkOption { + type = types.nullOr types.str; + default = null; + description = "IPv${toString v} address of the next hop."; + }; + + options = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { mtu = "1492"; window = "524288"; }; + description = '' + Other route options. See the symbol <literal>OPTION</literal> + in the <literal>ip-route(8)</literal> manual page for the details. + ''; + }; + + }; + }; + gatewayCoerce = address: { inherit address; }; gatewayOpts = { ... }: { @@ -148,13 +182,22 @@ let interfaceOpts = { name, ... }: { options = { - name = mkOption { example = "eth0"; type = types.str; description = "Name of the interface."; }; + preferTempAddress = mkOption { + type = types.bool; + default = cfg.enableIPv6; + defaultText = literalExample "config.networking.enableIpv6"; + description = '' + When using SLAAC prefer a temporary (IPv6) address over the EUI-64 + address for originating connections. This is used to reduce tracking. + ''; + }; + useDHCP = mkOption { type = types.nullOr types.bool; default = null; @@ -165,7 +208,7 @@ let ''; }; - ip4 = mkOption { + ipv4.addresses = mkOption { default = [ ]; example = [ { address = "10.0.0.1"; prefixLength = 16; } @@ -177,7 +220,7 @@ let ''; }; - ip6 = mkOption { + ipv6.addresses = mkOption { default = [ ]; example = [ { address = "fdfd:b3f0:482::1"; prefixLength = 48; } @@ -189,50 +232,27 @@ let ''; }; - ipAddress = mkOption { - default = null; - example = "10.0.0.1"; - type = types.nullOr types.str; - description = '' - IP address of the interface. Leave empty to configure the - interface using DHCP. - ''; - }; - - prefixLength = mkOption { - default = null; - example = 24; - type = types.nullOr types.int; - description = '' - Subnet mask of the interface, specified as the number of - bits in the prefix (<literal>24</literal>). - ''; - }; - - subnetMask = mkOption { - default = null; - description = '' - Defunct, supply the prefix length instead. - ''; - }; - - ipv6Address = mkOption { - default = null; - example = "2001:1470:fffd:2098::e006"; - type = types.nullOr types.str; + ipv4.routes = mkOption { + default = []; + example = [ + { address = "10.0.0.0"; prefixLength = 16; } + { address = "192.168.2.0"; prefixLength = 24; via = "192.168.1.1"; } + ]; + type = with types; listOf (submodule (routeOpts 4)); description = '' - IPv6 address of the interface. Leave empty to configure the - interface using NDP. + List of extra IPv4 static routes that will be assigned to the interface. ''; }; - ipv6PrefixLength = mkOption { - default = 64; - example = 64; - type = types.int; + ipv6.routes = mkOption { + default = []; + example = [ + { address = "fdfd:b3f0::"; prefixLength = 48; } + { address = "2001:1470:fffd:2098::"; prefixLength = 64; via = "fdfd:b3f0::1"; } + ]; + type = with types; listOf (submodule (routeOpts 6)); description = '' - Subnet mask of the interface, specified as the number of - bits in the prefix (<literal>64</literal>). + List of extra IPv6 static routes that will be assigned to the interface. ''; }; @@ -307,6 +327,32 @@ let name = mkDefault name; }; + # Renamed or removed options + imports = + let + defined = x: x != "_mkMergedOptionModule"; + in [ + (mkRenamedOptionModule [ "ip4" ] [ "ipv4" "addresses"]) + (mkRenamedOptionModule [ "ip6" ] [ "ipv6" "addresses"]) + (mkRemovedOptionModule [ "subnetMask" ] '' + Supply a prefix length instead; use option + networking.interfaces.<name>.ipv{4,6}.addresses'') + (mkMergedOptionModule + [ [ "ipAddress" ] [ "prefixLength" ] ] + [ "ipv4" "addresses" ] + (cfg: with cfg; + optional (defined ipAddress && defined prefixLength) + { address = ipAddress; prefixLength = prefixLength; })) + (mkMergedOptionModule + [ [ "ipv6Address" ] [ "ipv6PrefixLength" ] ] + [ "ipv6" "addresses" ] + (cfg: with cfg; + optional (defined ipv6Address && defined ipv6PrefixLength) + { address = ipv6Address; prefixLength = ipv6PrefixLength; })) + + ({ options.warnings = options.warnings; }) + ]; + }; hexChars = stringToCharacters "0123456789abcdef"; @@ -443,7 +489,7 @@ in networking.interfaces = mkOption { default = {}; example = - { eth0.ip4 = [ { + { eth0.ipv4 = [ { address = "131.211.84.78"; prefixLength = 25; } ]; @@ -922,13 +968,10 @@ in config = { + warnings = concatMap (i: i.warnings) interfaces; + assertions = (flip map interfaces (i: { - assertion = i.subnetMask == null; - message = '' - The networking.interfaces."${i.name}".subnetMask option is defunct. Use prefixLength instead. - ''; - })) ++ (flip map interfaces (i: { # With the linux kernel, interface name length is limited by IFNAMSIZ # to 16 bytes, including the trailing null byte. # See include/linux/if.h in the kernel sources @@ -937,10 +980,15 @@ in The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters. ''; })) ++ (flip map slaveIfs (i: { - assertion = i.ip4 == [ ] && i.ipAddress == null && i.ip6 == [ ] && i.ipv6Address == null; + assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ]; message = '' The networking.interfaces."${i.name}" must not have any defined ips when it is a slave. ''; + })) ++ (flip map interfaces (i: { + assertion = i.preferTempAddress -> cfg.enableIPv6; + message = '' + Temporary addresses are only needed when IPv6 is enabled. + ''; })) ++ [ { assertion = cfg.hostId == null || (stringLength cfg.hostId == 8 && isHexString cfg.hostId); @@ -963,9 +1011,10 @@ in "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); - } // listToAttrs (concatLists (flip map (filter (i: i.proxyARP) interfaces) - (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)) - )); + } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) + (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) + // listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces) + (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability @@ -1073,6 +1122,9 @@ in '' + optionalString (i.mtu != null) '' echo "setting MTU to ${toString i.mtu}..." ip link set "${i.name}" mtu "${toString i.mtu}" + '' + '' + echo -n "bringing up interface... " + ip link set "${i.name}" up && echo "done" || (echo "failed"; exit 1) ''; }))); diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix index 08bbcfd9d7c2..39a655b4c104 100644 --- a/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixos/modules/virtualisation/brightbox-image.nix @@ -26,7 +26,7 @@ in rm $diskImageBase popd ''; - diskImageBase = "nixos-image-${config.system.nixosLabel}-${pkgs.stdenv.system}.raw"; + diskImageBase = "nixos-image-${config.system.nixos.label}-${pkgs.stdenv.system}.raw"; buildInputs = [ pkgs.utillinux pkgs.perl ]; exportReferencesGraph = [ "closure" config.system.build.toplevel ]; diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 2fb38059b261..155a33b3bb37 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -14,7 +14,7 @@ in PATH=$PATH:${pkgs.stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]} pushd $out mv $diskImage disk.raw - tar -Szcf nixos-image-${config.system.nixosLabel}-${pkgs.stdenv.system}.raw.tar.gz disk.raw + tar -Szcf nixos-image-${config.system.nixos.label}-${pkgs.stdenv.system}.raw.tar.gz disk.raw rm $out/disk.raw popd ''; diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index b1ff0337994e..4988886baf60 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -38,6 +38,15 @@ in environment.systemPackages = [ pkgs.lxd ]; + security.apparmor = { + enable = true; + profiles = [ + "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start" + "${pkgs.lxc}/etc/apparmor.d/lxc-containers" + ]; + packages = [ pkgs.lxc ]; + }; + systemd.services.lxd = { description = "LXD Container Management Daemon"; @@ -47,6 +56,10 @@ in # TODO(wkennington): Add lvm2 and thin-provisioning-tools path = with pkgs; [ acl rsync gnutar xz btrfs-progs gzip dnsmasq squashfsTools iproute iptables ]; + preStart = '' + mkdir -m 0755 -p /var/lib/lxc/rootfs + ''; + serviceConfig.ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --syslog --group lxd"; serviceConfig.Type = "simple"; serviceConfig.KillMode = "process"; # when stopping, leave the containers alone diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index bb0c38bd4eb8..7413e12c8f3d 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix @@ -124,7 +124,7 @@ in ''; }; - networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ]; + networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }]; # Make sure NetworkManager won't assume this interface being up # means we have internet access. networking.networkmanager.unmanaged = ["vboxnet0"]; diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index a544403e6bed..64f145f77ca3 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -22,7 +22,7 @@ in { config = { system.build.virtualBoxOVA = import ../../lib/make-disk-image.nix { - name = "nixos-ova-${config.system.nixosLabel}-${pkgs.stdenv.system}"; + name = "nixos-ova-${config.system.nixos.label}-${pkgs.stdenv.system}"; inherit pkgs lib config; partitionTableType = "legacy"; @@ -37,7 +37,7 @@ in { VBoxManage internalcommands createrawvmdk -filename disk.vmdk -rawdisk $diskImage echo "creating VirtualBox VM..." - vmName="NixOS ${config.system.nixosLabel} (${pkgs.stdenv.system})" + vmName="NixOS ${config.system.nixos.label} (${pkgs.stdenv.system})" VBoxManage createvm --name "$vmName" --register \ --ostype ${if pkgs.stdenv.system == "x86_64-linux" then "Linux26_64" else "Linux26"} VBoxManage modifyvm "$vmName" \ @@ -53,7 +53,7 @@ in { echo "exporting VirtualBox VM..." mkdir -p $out - fn="$out/nixos-${config.system.nixosLabel}-${pkgs.stdenv.system}.ova" + fn="$out/nixos-${config.system.nixos.label}-${pkgs.stdenv.system}.ova" VBoxManage export "$vmName" --output "$fn" rm -v $diskImage |