Diffstat (limited to 'nixos/modules')
57 files changed, 788 insertions, 581 deletions
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index b79e16cd7979..a0a20228a742 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -122,7 +122,7 @@ in description = '' Include ~/bin/ in $PATH. ''; - default = true; + default = false; type = types.bool; }; diff --git a/nixos/modules/config/vpnc.nix b/nixos/modules/config/vpnc.nix deleted file mode 100644 index 356e007c0a3e..000000000000 --- a/nixos/modules/config/vpnc.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, lib, ... }: - -with lib; - -let - cfg = config.networking.vpnc; - mkServiceDef = name: value: - { - name = "vpnc/${name}.conf"; - value = { text = value; }; - }; - -in -{ - options = { - networking.vpnc = { - services = mkOption { - type = types.attrsOf types.str; - default = {}; - example = literalExample '' - { test = ''' - IPSec gateway 192.168.1.1 - IPSec ID someID - IPSec secret secretKey - Xauth username name - Xauth password pass - '''; - } - ''; - description = - '' - The names of cisco VPNs and their associated definitions - ''; - }; - }; - }; - - config.environment.etc = mapAttrs' mkServiceDef cfg.services; -} - - diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 1e18e927ec6e..fcb30187fa2f 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix 
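Review bot: The flipped default in the shells-environment hunk leaves the option's description `Include ~/bin/ in $PATH.` unchanged, so a reader of the generated option docs is not told that the directory is now opt-in or why. Presumably the motivation is that a user-writable directory should not land on every interactive PATH implicitly; suggest extending the description to `Include ~/bin/ in $PATH. Disabled by default; enable it if you want a user-writable directory on PATH.` and adding a release-note entry, since configurations that relied on the old default change behaviour silently. The option's name and the enclosing `mkOption` header sit before the hunk.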
@@ -111,9 +111,10 @@ in config = mkIf enabled { assertions = [ { - assertion = with config.services.xserver.displayManager; gdm.enable -> !gdm.wayland; - message = "NVIDIA drivers don't support wayland, set services.xserver.displayManager.gdm.wayland=false"; + assertion = with config.services.xserver.displayManager; gdm.nvidiaWayland -> cfg.modesetting.enable; + message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`"; } + { assertion = !optimusCfg.enable || (optimusCfg.nvidiaBusId != "" && optimusCfg.intelBusId != ""); diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix index 8109ef76c402..956c521dde05 100644 --- a/nixos/modules/i18n/input-method/ibus.nix +++ b/nixos/modules/i18n/input-method/ibus.nix @@ -55,7 +55,7 @@ in # Without dconf enabled it is impossible to use IBus environment.systemPackages = with pkgs; [ - gnome3.dconf ibusAutostart + dconf ibusAutostart ]; environment.variables = { diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix index 6a10a6404e67..e00d3f7535b2 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix @@ -11,7 +11,6 @@ with lib; services.xserver = { desktopManager.plasma5 = { enable = true; - enableQt4Support = false; }; # Automatically login as nixos. diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 773724ffbd5e..cf17f9aae38b 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix 
@@ -92,7 +92,7 @@ in VERSION="${cfg.version} (${cfg.codeName})" VERSION_CODENAME=${toLower cfg.codeName} VERSION_ID="${cfg.version}" - PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})" + PRETTY_NAME="NixOS ${cfg.release} (${cfg.codeName})" LOGO="nix-snowflake" HOME_URL="https://nixos.org/" DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html" diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 6b578cd5619f..8e373550bb30 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -35,7 +35,6 @@ ./config/terminfo.nix ./config/unix-odbc-drivers.nix ./config/users-groups.nix - ./config/vpnc.nix ./config/vte.nix ./config/zram.nix ./hardware/acpilight.nix @@ -308,6 +307,7 @@ ./services/desktops/gnome3/sushi.nix ./services/desktops/gnome3/tracker.nix ./services/desktops/gnome3/tracker-miners.nix + ./services/desktops/neard.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/system-config-printer.nix ./services/desktops/telepathy.nix @@ -519,7 +519,6 @@ ./services/monitoring/munin.nix ./services/monitoring/nagios.nix ./services/monitoring/netdata.nix - ./services/monitoring/osquery.nix ./services/monitoring/prometheus/default.nix ./services/monitoring/prometheus/alertmanager.nix ./services/monitoring/prometheus/exporters.nix @@ -539,7 +538,6 @@ ./services/monitoring/zabbix-agent.nix ./services/monitoring/zabbix-proxy.nix ./services/monitoring/zabbix-server.nix - ./services/network-filesystems/beegfs.nix ./services/network-filesystems/cachefilesd.nix ./services/network-filesystems/davfs2.nix ./services/network-filesystems/drbd.nix @@ -724,6 +722,7 @@ ./services/networking/tvheadend.nix ./services/networking/unbound.nix ./services/networking/unifi.nix + ./services/networking/v2ray.nix ./services/networking/vsftpd.nix ./services/networking/wakeonlan.nix ./services/networking/websockify.nix 
diff --git a/nixos/modules/profiles/graphical.nix b/nixos/modules/profiles/graphical.nix index ac3c228b3c65..d80456cede56 100644 --- a/nixos/modules/profiles/graphical.nix +++ b/nixos/modules/profiles/graphical.nix @@ -9,7 +9,6 @@ displayManager.sddm.enable = true; desktopManager.plasma5 = { enable = true; - enableQt4Support = false; }; libinput.enable = true; # for touchpad support on many laptops }; diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix index eeebc3558bdf..e0e2ffd80cff 100644 --- a/nixos/modules/programs/dconf.nix +++ b/nixos/modules/programs/dconf.nix @@ -32,13 +32,13 @@ in environment.etc = optionals (cfg.profiles != {}) (mapAttrsToList mkDconfProfile cfg.profiles); - services.dbus.packages = [ pkgs.gnome3.dconf ]; + services.dbus.packages = [ pkgs.dconf ]; # For dconf executable - environment.systemPackages = [ pkgs.gnome3.dconf ]; + environment.systemPackages = [ pkgs.dconf ]; # Needed for unwrapped applications - environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ]; + environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ]; }; } diff --git a/nixos/modules/programs/ssmtp.nix b/nixos/modules/programs/ssmtp.nix index 0e060e3f5226..e45748af205a 100644 --- a/nixos/modules/programs/ssmtp.nix +++ b/nixos/modules/programs/ssmtp.nix @@ -8,18 +8,16 @@ with lib; let - - cfg = config.networking.defaultMailServer; + cfg = config.services.ssmtp; in - { options = { - networking.defaultMailServer = { + services.ssmtp = { - directDelivery = mkOption { + enable = mkOption { type = types.bool; default = false; description = '' @@ -29,7 +27,7 @@ in <command>sendmail</command> or <command>postfix</command> on your machine, set this option to <literal>true</literal>, and set the option - <option>networking.defaultMailServer.hostName</option> to the + <option>services.ssmtp.hostName</option> to the host name of your preferred mail server. ''; }; 
@@ -129,9 +127,9 @@ in }; - config = mkIf cfg.directDelivery { + config = mkIf cfg.enable { - networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "") + services.ssmtp.authPassFile = mkIf (cfg.authPass != "") (mkDefault (toString (pkgs.writeTextFile { name = "ssmtp-authpass"; text = cfg.authPass; diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 7d8cf55b827a..e392fef54dde 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -10,6 +10,9 @@ with lib; (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) + (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ]) + (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ]) (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] (config: let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; @@ -235,6 +238,7 @@ with lib; (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") (mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.") + (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.") # ZSH (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) 
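Review bot: `services.ssmtp.authPassFile = mkIf (cfg.authPass != "") (mkDefault (toString (pkgs.writeTextFile { ... text = cfg.authPass; ...` still writes a password given through `authPass` into the world-readable Nix store, so the rename is a good moment to steer users to `authPassFile`. Suggest adding beside it `warnings = optional (cfg.authPass != "") "services.ssmtp.authPass puts the password into the world-readable Nix store; use services.ssmtp.authPassFile instead.";` and saying the same in the `authPass` option description, which is declared outside this hunk. The `config` attribute set this line belongs to continues past the hunk.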
@@ -279,6 +283,13 @@ with lib; # BLCR (mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed") + # beegfs + (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed") + (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed") + + # osquery + (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed") + # Redis (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 4eda3c5708da..6aed485638cc 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -66,7 +66,8 @@ in { if cfg.user == "roon-server" then { isSystemUser = true; description = "Roon Server user"; - groups = [ cfg.group "audio" ]; + group = cfg.group; + extraGroups = [ "audio" ]; } else {}; }; diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 39192d059485..5549cfa5cf4d 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -8,15 +8,11 @@ let mysql = cfg.package; - isMariaDB = - let - pName = _p: (builtins.parseDrvName (_p.name)).name; - in pName mysql == pName pkgs.mariadb; + isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb; + isMysqlAtLeast57 = - let - pName = _p: (builtins.parseDrvName (_p.name)).name; - in (pName mysql == pName pkgs.mysql57) - && ((builtins.compareVersions mysql.version "5.7") >= 0); + (lib.getName mysql == lib.getName pkgs.mysql57) + && (builtins.compareVersions mysql.version "5.7" >= 0); mysqldOptions = "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}"; 
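Review bot: The three new `mkRemovedOptionModule` entries pass the option path as a single dotted string, `[ "services.beegfsEnable" ]`, `[ "services.beegfs" ]` and `[ "services.osquery" ]`, whereas every other entry in this hunk splits the path into components such as `[ "services" "redis" "user" ]`. As written I believe they declare top-level options whose names literally contain a dot, so a configuration that still sets `services.beegfs` or `services.osquery` gets a generic undefined-option error instead of the intended removal message. Change them to `(mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")`, `(mkRemovedOptionModule [ "services" "beegfs" ] "The BeeGFS module has been removed")` and `(mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")`. The pre-existing BLCR entry directly above has the same shape and could be fixed in the same pass.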
diff --git a/nixos/modules/services/desktops/neard.nix b/nixos/modules/services/desktops/neard.nix new file mode 100644 index 000000000000..9b0f8d1b3a77 --- /dev/null +++ b/nixos/modules/services/desktops/neard.nix @@ -0,0 +1,23 @@ +# neard service. +{ config, lib, pkgs, ... }: + +with lib; + +{ + ###### interface + options = { + services.neard = { + enable = mkEnableOption "neard, NFC daemon"; + }; + }; + + + ###### implementation + config = mkIf config.services.neard.enable { + environment.systemPackages = [ pkgs.neard ]; + + services.dbus.packages = [ pkgs.neard ]; + + systemd.packages = [ pkgs.neard ]; + }; +} diff --git a/nixos/modules/services/games/openarena.nix b/nixos/modules/services/games/openarena.nix index b7d1aea6b8d2..8c014d78809b 100644 --- a/nixos/modules/services/games/openarena.nix +++ b/nixos/modules/services/games/openarena.nix @@ -43,7 +43,7 @@ in serviceConfig = { DynamicUser = true; StateDirectory = "openarena"; - ExecStart = "${pkgs.openarena}/bin/openarena-server +set fs_basepath ${pkgs.openarena}/openarena-0.8.8 +set fs_homepath /var/lib/openarena ${concatStringsSep " " cfg.extraFlags}"; + ExecStart = "${pkgs.openarena}/bin/oa_ded +set fs_basepath ${pkgs.openarena}/openarena-0.8.8 +set fs_homepath /var/lib/openarena ${concatStringsSep " " cfg.extraFlags}"; Restart = "on-failure"; # Hardening diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix index c5f9d1f9b725..11d67418a31e 100644 --- a/nixos/modules/services/hardware/bluetooth.nix +++ b/nixos/modules/services/hardware/bluetooth.nix 
@@ -36,17 +36,25 @@ in { ''; }; + config = mkOption { + type = with types; attrsOf (attrsOf (oneOf [ bool int str ])); + example = { + General = { + ControllerMode = "bredr"; + }; + }; + description = "Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf)."; + }; + extraConfig = mkOption { - type = types.lines; - default = ""; + type = with types; nullOr lines; + default = null; example = '' [General] ControllerMode = bredr ''; description = '' Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf). - - NOTE: We already include [Policy], so any configuration under the Policy group should come first. ''; }; }; @@ -56,16 +64,18 @@ in { ###### implementation config = mkIf cfg.enable { + warnings = optional (cfg.extraConfig != null) "hardware.bluetooth.`extraConfig` is deprecated, please use hardware.bluetooth.`config`."; - environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ]; + hardware.bluetooth.config = { + Policy = { + AutoEnable = mkDefault cfg.powerOnBoot; + }; + }; - environment.etc = singleton { - source = pkgs.writeText "main.conf" '' - [Policy] - AutoEnable=${lib.boolToString cfg.powerOnBoot} + environment.systemPackages = [ bluez-bluetooth ]; - ${cfg.extraConfig} - ''; + environment.etc = singleton { + source = pkgs.writeText "main.conf" (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig); target = "bluetooth/main.conf"; }; diff --git a/nixos/modules/services/misc/beanstalkd.nix b/nixos/modules/services/misc/beanstalkd.nix index 06e881406b52..bcd133c97411 100644 --- a/nixos/modules/services/misc/beanstalkd.nix +++ b/nixos/modules/services/misc/beanstalkd.nix 
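Review bot: The new `config` option declared in the first bluetooth hunk has no `default`, so the generated documentation shows none and any consumer reading `hardware.bluetooth.config` while `hardware.bluetooth.enable` is false fails with a used-but-not-defined error, because its only definition, `hardware.bluetooth.config = { Policy = ... }`, lives under `mkIf cfg.enable`. Adding `default = { };` after the `type` line makes the option total and matches `extraConfig`, which does declare a default. Separately, `extraConfig` is now appended after the whole INI generated from `config`, so the removed note about `[Policy]` ordering should be replaced by a sentence telling users that bare keys at the top of `extraConfig` land under whichever section `generators.toINI` emitted last.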
@@ -44,7 +44,8 @@ in serviceConfig = { DynamicUser = true; Restart = "always"; - ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port}"; + ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port} -b $STATE_DIRECTORY"; + StateDirectory = "beanstalkd"; }; }; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index c8c59fb256e8..b6f4d88adbef 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -394,6 +394,28 @@ in WorkingDirectory = cfg.stateDir; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; + + # Filesystem + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + ReadWritePaths = cfg.stateDir; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "~@chown @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; environment = { diff --git a/nixos/modules/services/monitoring/osquery.nix b/nixos/modules/services/monitoring/osquery.nix deleted file mode 100644 index c8c625577d39..000000000000 --- a/nixos/modules/services/monitoring/osquery.nix +++ /dev/null 
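Review bot: In the gitea hunk, `ReadWritePaths = cfg.stateDir;` together with `ProtectSystem = "strict"` and `ProtectHome = true` makes everything outside the state directory read-only, yet the module lets the repository root and log directory be pointed elsewhere (their declarations are outside this hunk; in this module they appear to be `cfg.repositoryRoot` and `cfg.log.rootPath`, please verify), so such a configuration would now fail with read-only-filesystem errors at runtime. Suggest listing them explicitly, `ReadWritePaths = [ cfg.stateDir cfg.repositoryRoot cfg.log.rootPath ];`, or asserting that they live under `cfg.stateDir`. The `serviceConfig` set these lines extend begins before the hunk.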
@@ -1,91 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; - -let - cfg = config.services.osquery; - -in - -{ - - options = { - - services.osquery = { - - enable = mkEnableOption "osquery"; - - loggerPath = mkOption { - type = types.path; - description = "Base directory used for logging."; - default = "/var/log/osquery"; - }; - - pidfile = mkOption { - type = types.path; - description = "Path used for pid file."; - default = "/var/osquery/osqueryd.pidfile"; - }; - - utc = mkOption { - type = types.bool; - description = "Attempt to convert all UNIX calendar times to UTC."; - default = true; - }; - - databasePath = mkOption { - type = types.path; - description = "Path used for database file."; - default = "/var/osquery/osquery.db"; - }; - - extraConfig = mkOption { - type = types.attrs // { - merge = loc: foldl' (res: def: recursiveUpdate res def.value) {}; - }; - description = "Extra config to be recursively merged into the JSON config file."; - default = { }; - }; - }; - - }; - - config = mkIf cfg.enable { - - environment.systemPackages = [ pkgs.osquery ]; - - environment.etc."osquery/osquery.conf".text = toJSON ( - recursiveUpdate { - options = { - config_plugin = "filesystem"; - logger_plugin = "filesystem"; - logger_path = cfg.loggerPath; - database_path = cfg.databasePath; - utc = cfg.utc; - }; - } cfg.extraConfig - ); - - systemd.services.osqueryd = { - description = "The osquery Daemon"; - after = [ "network.target" "syslog.service" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.osquery ]; - preStart = '' - mkdir -p ${escapeShellArg cfg.loggerPath} - mkdir -p "$(dirname ${escapeShellArg cfg.pidfile})" - mkdir -p "$(dirname ${escapeShellArg cfg.databasePath})" - ''; - serviceConfig = { - TimeoutStartSec = "infinity"; - ExecStart = "${pkgs.osquery}/bin/osqueryd --logger_path ${escapeShellArg cfg.loggerPath} --pidfile ${escapeShellArg cfg.pidfile} --database_path ${escapeShellArg cfg.databasePath}"; - KillMode = "process"; - KillSignal 
= "SIGTERM"; - Restart = "on-failure"; - }; - }; - - }; - -} diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 35b513bac571..53f32b8fadc7 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -197,6 +197,9 @@ in services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey; })] ++ [(mkIf config.services.rspamd.enable { services.prometheus.exporters.rspamd.url = mkDefault "http://localhost:11334/stat"; + })] ++ [(mkIf config.services.nginx.enable { + systemd.services.prometheus-nginx-exporter.after = [ "nginx.service" ]; + systemd.services.prometheus-nginx-exporter.requires = [ "nginx.service" ]; })] ++ (mapAttrsToList (name: conf: mkExporterConf { inherit name; diff --git a/nixos/modules/services/network-filesystems/beegfs.nix b/nixos/modules/services/network-filesystems/beegfs.nix deleted file mode 100644 index 2e03a422665a..000000000000 --- a/nixos/modules/services/network-filesystems/beegfs.nix +++ /dev/null 
@@ -1,357 +0,0 @@ -{ config, lib, pkgs, ...} : - -with lib; - -let - cfg = config.services.beegfs; - - # functions for the generations of config files - - configMgmtd = name: cfg: pkgs.writeText "mgmt-${name}.conf" '' - storeMgmtdDirectory = ${cfg.mgmtd.storeDir} - storeAllowFirstRunInit = false - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.mgmtd.extraConfig} - ''; - - configAdmon = name: cfg: pkgs.writeText "admon-${name}.conf" '' - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.admon.extraConfig} - ''; - - configMeta = name: cfg: pkgs.writeText "meta-${name}.conf" '' - storeMetaDirectory = ${cfg.meta.storeDir} - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - storeAllowFirstRunInit = false - - ${cfg.meta.extraConfig} - ''; - - configStorage = name: cfg: pkgs.writeText "storage-${name}.conf" '' - storeStorageDirectory = ${cfg.storage.storeDir} - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - storeAllowFirstRunInit = false - - ${cfg.storage.extraConfig} - ''; - - configHelperd = name: cfg: pkgs.writeText "helperd-${name}.conf" '' - connAuthFile = ${cfg.connAuthFile} - ${cfg.helperd.extraConfig} - ''; - - configClientFilename = name : "/etc/beegfs/client-${name}.conf"; - - configClient = name: cfg: '' - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.client.extraConfig} - ''; - - serviceList = [ - { service = "admon"; cfgFile = configAdmon; } - { service = "meta"; cfgFile = configMeta; } - { service = "mgmtd"; cfgFile = configMgmtd; } - { service = "storage"; cfgFile = configStorage; } - ]; - - # functions to generate systemd.service entries - - systemdEntry = service: cfgFile: (mapAttrs' ( name: cfg: - (nameValuePair 
"beegfs-${service}-${name}" (mkIf cfg.${service}.enable { - wantedBy = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - serviceConfig = rec { - ExecStart = '' - ${pkgs.beegfs}/bin/beegfs-${service} \ - cfgFile=${cfgFile name cfg} \ - pidFile=${PIDFile} - ''; - PIDFile = "/run/beegfs-${service}-${name}.pid"; - TimeoutStopSec = "300"; - }; - }))) cfg); - - systemdHelperd = mapAttrs' ( name: cfg: - (nameValuePair "beegfs-helperd-${name}" (mkIf cfg.client.enable { - wantedBy = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - serviceConfig = rec { - ExecStart = '' - ${pkgs.beegfs}/bin/beegfs-helperd \ - cfgFile=${configHelperd name cfg} \ - pidFile=${PIDFile} - ''; - PIDFile = "/run/beegfs-helperd-${name}.pid"; - TimeoutStopSec = "300"; - }; - }))) cfg; - - # wrappers to beegfs tools. Avoid typing path of config files - utilWrappers = mapAttrsToList ( name: cfg: - ( pkgs.runCommand "beegfs-utils-${name}" { - nativeBuildInputs = [ pkgs.makeWrapper ]; - preferLocalBuild = true; - } '' - mkdir -p $out/bin - - makeWrapper ${pkgs.beegfs}/bin/beegfs-check-servers \ - $out/bin/beegfs-check-servers-${name} \ - --add-flags "-c ${configClientFilename name}" \ - --prefix PATH : ${lib.makeBinPath [ pkgs.beegfs ]} - - makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \ - $out/bin/beegfs-ctl-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" - - makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \ - $out/bin/beegfs-df-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" \ - --add-flags --listtargets \ - --add-flags --hidenodeid \ - --add-flags --pools \ - --add-flags --spaceinfo - - makeWrapper ${pkgs.beegfs}/bin/beegfs-fsck \ - $out/bin/beegfs-fsck-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" - '' - )) cfg; -in -{ - ###### interface - - options = { - services.beegfsEnable = mkEnableOption "BeeGFS"; - - services.beegfs = mkOption { - 
default = {}; - description = '' - BeeGFS configurations. Every mount point requires a separate configuration. - ''; - type = with types; attrsOf (submodule ({ ... } : { - options = { - mgmtdHost = mkOption { - type = types.str; - default = null; - example = "master"; - description = ''Hostname of managament host.''; - }; - - connAuthFile = mkOption { - type = types.str; - default = ""; - example = "/etc/my.key"; - description = "File containing shared secret authentication."; - }; - - connPortShift = mkOption { - type = types.int; - default = 0; - example = 5; - description = '' - For each additional beegfs configuration shift all - service TCP/UDP ports by at least 5. - ''; - }; - - client = { - enable = mkEnableOption "BeeGFS client"; - - mount = mkOption { - type = types.bool; - default = true; - description = "Create fstab entry automatically"; - }; - - mountPoint = mkOption { - type = types.str; - default = "/run/beegfs"; - description = '' - Mount point under which the beegfs filesytem should be mounted. - If mounted manually the mount option specifing the config file is needed: - cfgFile=/etc/beegfs/beegfs-client-<name>.conf - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-client.conf. - See documentation for further details. - ''; - }; - }; - - helperd = { - enable = mkOption { - type = types.bool; - default = true; - description = '' - Enable the BeeGFS helperd. - The helpered is need for logging purposes on the client. - Disabling <literal>helperd</literal> allows for runing the client - with <literal>allowUnfree = false</literal>. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-helperd.conf. See documentation - for further details. 
- ''; - }; - }; - - mgmtd = { - enable = mkEnableOption "BeeGFS mgmtd daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-mgmtd"; - description = '' - Data directory for mgmtd. - Must not be shared with other beegfs daemons. - This directory must exist and it must be initialized - with beegfs-setup-mgmtd, e.g. "beegfs-setup-mgmtd -C -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-mgmtd.conf. See documentation - for further details. - ''; - }; - }; - - admon = { - enable = mkEnableOption "BeeGFS admon daemon"; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-admon.conf. See documentation - for further details. - ''; - }; - }; - - meta = { - enable = mkEnableOption "BeeGFS meta data daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-meta"; - description = '' - Data directory for meta data service. - Must not be shared with other beegfs daemons. - The underlying filesystem must be mounted with xattr turned on. - This directory must exist and it must be initialized - with beegfs-setup-meta, e.g. - "beegfs-setup-meta -C -s <serviceID> -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Additional lines for beegfs-meta.conf. See documentation - for further details. - ''; - }; - }; - - storage = { - enable = mkEnableOption "BeeGFS storage daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-storage"; - description = '' - Data directories for storage service. - Must not be shared with other beegfs daemons. - The underlying filesystem must be mounted with xattr turned on. - This directory must exist and it must be initialized - with beegfs-setup-storage, e.g. 
- "beegfs-setup-storage -C -s <serviceID> -i <storageTargetID> -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Addional lines for beegfs-storage.conf. See documentation - for further details. - ''; - }; - }; - }; - })); - }; - }; - - ###### implementation - - config = - mkIf config.services.beegfsEnable { - - environment.systemPackages = utilWrappers; - - # Put the client.conf files in /etc since they are needed - # by the commandline tools - environment.etc = mapAttrs' ( name: cfg: - (nameValuePair "beegfs/client-${name}.conf" (mkIf (cfg.client.enable) - { - enable = true; - text = configClient name cfg; - }))) cfg; - - # Kernel module, we need it only once per host. - boot = mkIf ( - foldr (a: b: a || b) false - (map (x: x.client.enable) (collect (x: x ? client) cfg))) - { - kernelModules = [ "beegfs" ]; - extraModulePackages = [ pkgs.linuxPackages.beegfs-module ]; - }; - - # generate fstab entries - fileSystems = mapAttrs' (name: cfg: - (nameValuePair cfg.client.mountPoint (optionalAttrs cfg.client.mount (mkIf cfg.client.enable { - device = "beegfs_nodev"; - fsType = "beegfs"; - mountPoint = cfg.client.mountPoint; - options = [ "cfgFile=${configClientFilename name}" "_netdev" ]; - })))) cfg; - - # generate systemd services - systemd.services = systemdHelperd // - foldr (a: b: a // b) {} - (map (x: systemdEntry x.service x.cfgFile) serviceList); - }; -} diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index c66011afccbe..875ab70bfc73 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -115,7 +115,7 @@ in type = types.package; default = pkgs.samba; defaultText = "pkgs.samba"; - example = literalExample "pkgs.samba3"; + example = literalExample "pkgs.samba4Full"; description = '' Defines which package should be used for the samba server. ''; 
diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index 31127f790499..cac517f410e5 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -4,7 +4,7 @@ with pkgs; with lib; let - cfg = config.networking.connman; + cfg = config.services.connman; configFile = pkgs.writeText "connman.conf" '' [General] NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist} @@ -17,7 +17,7 @@ in { options = { - networking.connman = { + services.connman = { enable = mkOption { type = types.bool; @@ -71,13 +71,13 @@ in { assertions = [{ assertion = !config.networking.useDHCP; - message = "You can not use services.networking.connman with services.networking.useDHCP"; + message = "You can not use services.connman with networking.useDHCP"; }{ assertion = config.networking.wireless.enable; - message = "You must use services.networking.connman with services.networking.wireless"; + message = "You must use services.connman with networking.wireless"; }{ assertion = !config.networking.networkmanager.enable; - message = "You can not use services.networking.connman with services.networking.networkmanager"; + message = "You can not use services.connman with networking.networkmanager"; }]; environment.systemPackages = [ connman ]; diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix index 5b58ea9b0c91..2586f2d74e9c 100644 --- a/nixos/modules/services/networking/dnschain.nix +++ b/nixos/modules/services/networking/dnschain.nix @@ -137,7 +137,7 @@ in ]; services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries { - forwardZones = + forwardZonesRecurse = { bit = "127.0.0.1:${toString cfg.dns.port}"; dns = "127.0.0.1:${toString cfg.dns.port}"; }; @@ -180,4 +180,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } 
diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index 79f9e1a43083..e53fb7a15782 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -197,4 +197,7 @@ in { }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/fakeroute.nix b/nixos/modules/services/networking/fakeroute.nix index 82a9fb729d84..7916ad4098a7 100644 --- a/nixos/modules/services/networking/fakeroute.nix +++ b/nixos/modules/services/networking/fakeroute.nix @@ -60,4 +60,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index 831e4d60d8da..98a3456f6396 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -224,15 +224,17 @@ in }; }; - assertions = singleton { - assertion = cfg.mining.enable -> cfg.mining.address != ""; - message = '' + assertions = singleton { + assertion = cfg.mining.enable -> cfg.mining.address != ""; + message = '' You need a Monero address to receive mining rewards: specify one using option monero.mining.address. - ''; - }; + ''; + }; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix index c8ee0a2f5647..43a9a0b2598b 100644 --- a/nixos/modules/services/networking/namecoind.nix +++ b/nixos/modules/services/networking/namecoind.nix @@ -201,4 +201,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index ebfdd9f35b72..6ff181377fcc 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix 
+++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -91,10 +91,18 @@ in { forwardZones = mkOption { type = types.attrs; + default = {}; + description = '' + DNS zones to be forwarded to other authoritative servers. + ''; + }; + + forwardZonesRecurse = mkOption { + type = types.attrs; example = { eth = "127.0.0.1:5353"; }; default = {}; description = '' - DNS zones to be forwarded to other servers. + DNS zones to be forwarded to other recursive servers. ''; }; @@ -158,7 +166,8 @@ in { webserver-port = cfg.api.port; webserver-allow-from = cfg.api.allowFrom; - forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse; export-etc-hosts = cfg.exportHosts; dnssec = cfg.dnssecValidation; serve-rfc1918 = cfg.serveRFC1918; @@ -210,4 +219,6 @@ in { "To change extra Recursor settings use services.pdns-recursor.settings instead.") ]; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix index 49ca839a2c37..1f41c720adf5 100644 --- a/nixos/modules/services/networking/privoxy.nix +++ b/nixos/modules/services/networking/privoxy.nix @@ -109,4 +109,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index 9412d0ef8a62..60fb3d5d6d44 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -75,4 +75,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/v2ray.nix b/nixos/modules/services/networking/v2ray.nix new file mode 100644 index 000000000000..a1774cdffbb9 --- /dev/null +++ b/nixos/modules/services/networking/v2ray.nix 
@@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + + services.v2ray = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run v2ray server. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/etc/v2ray/config.json"; + description = '' + The absolute path to the configuration file. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + + config = mkOption { + type = types.nullOr (types.attrsOf types.unspecified); + default = null; + example = { + inbounds = [{ + port = 1080; + listen = "127.0.0.1"; + protocol = "http"; + }]; + outbounds = [{ + protocol = "freedom"; + }]; + }; + description = '' + The configuration object. + + Either `configFile` or `config` must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + }; + + }; + + config = let + cfg = config.services.v2ray; + configFile = if cfg.configFile != null + then cfg.configFile + else (pkgs.writeText "v2ray.json" (builtins.toJSON cfg.config)); + + in mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.configFile == null) != (cfg.config == null); + message = "Either but not both `configFile` and `config` should be specified for v2ray."; + } + ]; + + systemd.services.v2ray = { + description = "v2ray Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.v2ray ]; + script = '' + exec v2ray -config ${configFile} + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 294c0d70edea..8f05c3949fba 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix 
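Review bot: `pkgs.writeText "v2ray.json" (builtins.toJSON cfg.config)` renders the `config` option into the Nix store, which is world-readable, so any credentials a user places in `config` (client IDs or passwords, where the chosen protocol uses them) become readable by every local account; the `config` description should say so and steer secret-bearing setups to `configFile`, e.g. `Note: the rendered file is placed in the world-readable Nix store; use configFile for configurations containing secrets.` The unit has no `serviceConfig`, so v2ray runs as root without sandboxing; `serviceConfig = { DynamicUser = true; ProtectSystem = "strict"; ProtectHome = true; };` is a reasonable baseline (binding ports below 1024 would then additionally need `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`). `configFile` is a user-supplied `types.str`, so `exec v2ray -config ${configFile}` should quote it: `exec v2ray -config "${configFile}"`.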
+++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -236,9 +236,12 @@ in { ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= - source /sys/class/net/$i/uevent - if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then - ifaces="$ifaces''${ifaces:+ -N} -i$i" + UEVENT_PATH=/sys/class/net/$i/uevent + if [ -e "$UEVENT_PATH" ]; then + source "$UEVENT_PATH" + if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then + ifaces="$ifaces''${ifaces:+ -N} -i$i" + fi fi done '' else '' diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index 05f97bfa539f..0a9848a49349 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -239,7 +239,7 @@ in services.znc = { configFile = mkDefault (pkgs.writeText "znc-generated.conf" semanticString); config = { - Version = (builtins.parseDrvName pkgs.znc.name).version; + Version = lib.getVersion pkgs.znc; Listener.l.Port = mkDefault 5000; Listener.l.SSL = mkDefault true; }; diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix index 719827713ff9..7465c10e002c 100644 --- a/nixos/modules/services/torrent/magnetico.nix +++ b/nixos/modules/services/torrent/magnetico.nix @@ -213,4 +213,6 @@ in { }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/web-apps/matomo-doc.xml b/nixos/modules/services/web-apps/matomo-doc.xml index 79cece551d34..69d1170e4523 100644 --- a/nixos/modules/services/web-apps/matomo-doc.xml +++ b/nixos/modules/services/web-apps/matomo-doc.xml 
@@ -86,12 +86,6 @@ GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; <itemizedlist> <listitem> <para> - Matomo's file integrity check will warn you. This is due to the patches - necessary for NixOS, you can safely ignore this. - </para> - </listitem> - <listitem> - <para> Matomo will warn you that the JavaScript tracker is not writable. This is because it's located in the read-only nix store. You can safely ignore this, unless you need a plugin that needs JavaScript tracker access. diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index b9186a1dc07f..b67f08808786 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -390,6 +390,7 @@ in { in { wantedBy = [ "multi-user.target" ]; before = [ "phpfpm-nextcloud.service" ]; + path = [ occ ]; script = '' chmod og+x ${cfg.home} ln -sf ${pkgs.nextcloud}/apps ${cfg.home}/ diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index f1370c2854b8..13d21a0b4aed 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix @@ -127,7 +127,7 @@ let <note><para>These themes need to be packaged before use, see example.</para></note> ''; example = '' - # For shits and giggles, let's package the responsive theme + # Let's package the responsive theme responsiveTheme = pkgs.stdenv.mkDerivation { name = "responsive-theme"; # Download the theme from the wordpress site diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 7e488f33a419..455854e2a965 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix 
@@ -207,6 +207,7 @@ with lib; default = null; description = '' Basic Auth password file for a vhost. + Can be created via: <command>htpasswd -c <filename> <username></command> ''; }; diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index 095de64dfb14..7698f8c3a263 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix @@ -262,6 +262,7 @@ in { in { Slice = "phpfpm.slice"; PrivateDevices = true; + PrivateTmp = true; ProtectSystem = "full"; ProtectHome = true; # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work diff --git a/nixos/modules/services/x11/compton.nix b/nixos/modules/services/x11/compton.nix index a94a76ff0c0f..61174672e2dd 100644 --- a/nixos/modules/services/x11/compton.nix +++ b/nixos/modules/services/x11/compton.nix @@ -284,4 +284,6 @@ in { environment.systemPackages = [ pkgs.compton ]; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 80dab135ee26..25ef1cbfc67e 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -159,7 +159,7 @@ in # Override GSettings schemas environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; - environment.sessionVariables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1"; + environment.sessionVariables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1"; # Settings from elementary-default-settings environment.sessionVariables.GTK_CSD = "1"; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index b48ca3fad939..56015874723c 100644 
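Review bot: The added line `Can be created via: <command>htpasswd -c <filename> <username></command>` sits inside a DocBook description, so `<filename>` and `<username>` are parsed as XML elements: `<filename>` is a real DocBook tag left unclosed and `<username>` is not a DocBook element, so the manual build will reject or mis-render it. Use `<replaceable>` for the placeholders: `Can be created via: <command>htpasswd -c <replaceable>file</replaceable> <replaceable>user</replaceable></command>`. Since the file holds password hashes, a sentence that it must be readable by the nginx service user and kept out of the world-readable Nix store would round out the description; the enclosing option starts outside the hunk.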
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -27,20 +27,13 @@ in example = "vlc"; description = "Phonon audio backend to install."; }; - - enableQt4Support = mkOption { - type = types.bool; - default = true; - description = '' - Enable support for Qt 4-based applications. Particularly, install a - default backend for Phonon. - ''; - }; - }; }; + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "plasma5" "enableQt4Support" ] "Phonon no longer supports Qt 4.") + ]; config = mkMerge [ (mkIf cfg.enable { @@ -173,12 +166,10 @@ in # Phonon audio backend ++ lib.optional (cfg.phononBackend == "gstreamer") libsForQt5.phonon-backend-gstreamer - ++ lib.optional (cfg.phononBackend == "gstreamer" && cfg.enableQt4Support) pkgs.phonon-backend-gstreamer ++ lib.optional (cfg.phononBackend == "vlc") libsForQt5.phonon-backend-vlc - ++ lib.optional (cfg.phononBackend == "vlc" && cfg.enableQt4Support) pkgs.phonon-backend-vlc # Optional hardware support features - ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt ] + ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt openobex obexftp ] ++ lib.optional config.networking.networkmanager.enable plasma-nm ++ lib.optional config.hardware.pulseaudio.enable plasma-pa ++ lib.optional config.powerManagement.enable powerdevil diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index e5990aec4b9c..29a80aac6e68 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix 
@@ -31,6 +31,44 @@ let load-module module-position-event-sounds ''; + dmDefault = config.services.xserver.desktopManager.default; + wmDefault = config.services.xserver.windowManager.default; + hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; + defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); + + setSessionScript = pkgs.python3.pkgs.buildPythonApplication { + name = "set-session"; + + format = "other"; + + src = ./set-session.py; + + dontUnpack = true; + + strictDeps = false; + + nativeBuildInputs = with pkgs; [ + wrapGAppsHook + gobject-introspection + ]; + + buildInputs = with pkgs; [ + accountsservice + glib + ]; + + propagatedBuildInputs = with pkgs.python3.pkgs; [ + pygobject3 + ordered-set + ]; + + installPhase = '' + mkdir -p $out/bin + cp $src $out/bin/set-session + chmod +x $out/bin/set-session + ''; + }; + in { @@ -88,11 +126,21 @@ in wayland = mkOption { default = true; description = '' - Allow GDM run on Wayland instead of Xserver + Allow GDM to run on Wayland instead of Xserver. + Note to enable Wayland with Nvidia you need to + enable the <option>nvidiaWayland</option>. ''; type = types.bool; }; + nvidiaWayland = mkOption { + default = false; + description = '' + Whether to allow wayland to be used with the proprietary + NVidia graphics driver. + ''; + }; + autoSuspend = mkOption { default = true; description = '' @@ -156,6 +204,8 @@ in cat - > /run/gdm/.config/gnome-initial-setup-done <<- EOF yes EOF + '' + optionalString hasDefaultUserSession '' + ${setSessionScript}/bin/set-session ${defaultSessionName} ''; }; 
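Review bot: The new `nvidiaWayland` option declares `default` and `description` but no `type`, unlike the neighbouring `wayland` option; add `type = types.bool;` so a non-boolean value is rejected at the option level rather than surfacing later where `cfg.gdm.nvidiaWayland` is negated. In the `wayland` description, `<option>nvidiaWayland</option>` should give the full path the manual can link to: `<option>services.xserver.displayManager.gdm.nvidiaWayland</option>`. The `setSessionScript` derivation in the first hunk sets `strictDeps = false` without explanation; a one-line comment on why it is needed (presumably so the `wrapGAppsHook` wrapping picks up the runtime inputs — to be confirmed) would help the next maintainer.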
@@ -197,6 +247,19 @@ in services.dbus.packages = [ gdm ]; + # We duplicate upstream's udev rules manually to make wayland with nvidia configurable + services.udev.extraRules = '' + # disable Wayland on Cirrus chipsets + ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-disable-wayland" + # disable Wayland on Hi1710 chipsets + ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-disable-wayland" + ${optionalString (!cfg.gdm.nvidiaWayland) '' + DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-disable-wayland" + ''} + # disable Wayland when modesetting is disabled + IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-disable-wayland" + ''; + systemd.user.services.dbus.wantedBy = [ "default.target" ]; programs.dconf.profiles.gdm = @@ -218,7 +281,7 @@ in customDconfDb = pkgs.stdenv.mkDerivation { name = "gdm-dconf-db"; buildCommand = '' - ${pkgs.gnome3.dconf}/bin/dconf compile $out ${customDconf}/dconf + ${pkgs.dconf}/bin/dconf compile $out ${customDconf}/dconf ''; }; in pkgs.stdenv.mkDerivation { diff --git a/nixos/modules/services/x11/display-managers/set-session.py b/nixos/modules/services/x11/display-managers/set-session.py new file mode 100755 index 000000000000..0cca80af44e8 --- /dev/null +++ b/nixos/modules/services/x11/display-managers/set-session.py 
@@ -0,0 +1,86 @@ +#!/usr/bin/env python + +import gi, argparse, os, logging, sys + +gi.require_version("AccountsService", "1.0") +from gi.repository import AccountsService, GLib +from ordered_set import OrderedSet + + +def get_session_file(session): + system_data_dirs = GLib.get_system_data_dirs() + + session_dirs = OrderedSet( + os.path.join(data_dir, session) + for data_dir in system_data_dirs + for session in {"wayland-sessions", "xsessions"} + ) + + session_files = OrderedSet( + os.path.join(dir, session + ".desktop") + for dir in session_dirs + if os.path.exists(os.path.join(dir, session + ".desktop")) + ) + + # Deal with duplicate wayland-sessions and xsessions. + # Needed for the situation in gnome-session, where there's + # a xsession named the same as a wayland session. + if any(map(is_session_wayland, session_files)): + session_files = OrderedSet( + session for session in session_files if is_session_wayland(session) + ) + else: + session_files = OrderedSet( + session for session in session_files if is_session_xsession(session) + ) + + if len(session_files) == 0: + logging.warning("No session files are found.") + sys.exit(0) + else: + return session_files[0] + + +def is_session_xsession(session_file): + return "/xsessions/" in session_file + + +def is_session_wayland(session_file): + return "/wayland-sessions/" in session_file + + +def main(): + parser = argparse.ArgumentParser( + description="Set session type for all normal users." 
+ ) + parser.add_argument("session", help="Name of session to set.") + + args = parser.parse_args() + + session = getattr(args, "session") + session_file = get_session_file(session) + + user_manager = AccountsService.UserManager.get_default() + users = user_manager.list_users() + + for user in users: + if user.is_system_account(): + continue + else: + if is_session_wayland(session_file): + logging.debug( + f"Setting session name: {session}, as we found the existing wayland-session: {session_file}" + ) + user.set_session(session) + elif is_session_xsession(session_file): + logging.debug( + f"Setting session name: {session}, as we found the existing xsession: {session_file}" + ) + user.set_x_session(session) + else: + logging.error(f"Couldn't figure out session type for {session_file}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/nixos/modules/services/x11/unclutter.nix b/nixos/modules/services/x11/unclutter.nix index 5f16a680050d..2478aaabb799 100644 --- a/nixos/modules/services/x11/unclutter.nix +++ b/nixos/modules/services/x11/unclutter.nix @@ -71,4 +71,7 @@ in { serviceConfig.Restart = "always"; }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/x11/urxvtd.nix b/nixos/modules/services/x11/urxvtd.nix index d916fa5bb393..9bfcfa9b065d 100644 --- a/nixos/modules/services/x11/urxvtd.nix +++ b/nixos/modules/services/x11/urxvtd.nix @@ -45,4 +45,6 @@ in { environment.variables.RXVT_SOCKET = "/run/user/$(id -u)/urxvtd-socket"; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index e13f0421d38f..9a4db84f7b73 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix 
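Review bot: In `get_session_file`, the first comprehension rebinds `session` — the function's parameter — as its inner loop variable over `{"wayland-sessions", "xsessions"}`; Python 3 scopes comprehension variables so the parameter survives, but a reader has to know that to follow the second comprehension, which uses the parameter again. Renaming the loop variable (`for kind in ("wayland-sessions", "xsessions")`) also replaces the set literal with a tuple, so `session_dirs` is built in a fixed order rather than one that depends on string hashing, even though the later Wayland/X filter keeps the final choice stable. `logging` is never configured, so at the default WARNING level the `logging.debug` calls in `main` emit nothing; a `logging.basicConfig(level=...)` call at startup, or dropping them, would make the intent clear. `getattr(args, "session")` is just `args.session`. Neither function has a docstring; `get_session_file` would benefit from one noting that it returns the first matching `.desktop` path, preferring Wayland sessions, and exits with status 0 when none is found.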
@@ -47,8 +47,8 @@ let grub = f grub; grubTarget = f (grub.grubTarget or ""); shell = "${pkgs.runtimeShell}"; - fullName = (builtins.parseDrvName realGrub.name).name; - fullVersion = (builtins.parseDrvName realGrub.name).version; + fullName = lib.getName realGrub; + fullVersion = lib.getVersion realGrub; grubEfi = f grubEfi; grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else ""; bootPath = args.path; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index c091d8630349..226769f10597 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -201,7 +201,7 @@ let (assertValueOneOf "IPv6AcceptRA" boolValues) (assertValueOneOf "IPv4ProxyARP" boolValues) (assertValueOneOf "IPv6ProxyNDP" boolValues) - (assertValueOneOf "IPv6PrefixDelegation" boolValues) + (assertValueOneOf "IPv6PrefixDelegation" (boolValues ++ [ "dhcpv6" "static" ])) (assertValueOneOf "ActiveSlave" boolValues) (assertValueOneOf "PrimarySlave" boolValues) (assertValueOneOf "ConfigureWithoutCarrier" boolValues) @@ -924,6 +924,8 @@ in config = mkIf config.systemd.network.enable { + users.users.systemd-network.group = "systemd-network"; + systemd.additionalUpstreamSystemUnits = [ "systemd-networkd.service" "systemd-networkd-wait-online.service" ]; diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 3ea96f8e4645..da61c64faf8b 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -136,6 +136,8 @@ in } ]; + users.users.resolved.group = "systemd-resolve"; + systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" ]; diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix index 0b1d0ff6c22b..9e2f36ca01f8 100644 --- a/nixos/modules/system/boot/timesyncd.nix +++ b/nixos/modules/system/boot/timesyncd.nix 
@@ -50,7 +50,10 @@ with lib; ${config.services.timesyncd.extraConfig} ''; - users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync; + users.users.systemd-timesync = { + uid = config.ids.uids.systemd-timesync; + group = "systemd-timesync"; + }; users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync; system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") '' diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 691ee2c136ec..09678ce9ea71 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -149,7 +149,7 @@ let --setenv PATH="$PATH" \ ${optionalString cfg.ephemeral "--ephemeral"} \ ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then - ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else "" + ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else "" } \ ${if cfg.tmpfs != null && cfg.tmpfs != [] then ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else "" diff --git a/nixos/modules/virtualisation/digital-ocean-config.nix b/nixos/modules/virtualisation/digital-ocean-config.nix new file mode 100644 index 000000000000..88cb0cd450e8 --- /dev/null +++ b/nixos/modules/virtualisation/digital-ocean-config.nix 
@@ -0,0 +1,197 @@ +{ config, pkgs, lib, modulesPath, ... }: +with lib; +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/virtualisation/digital-ocean-init.nix") + ]; + options.virtualisation.digitalOcean = with types; { + setRootPassword = mkOption { + type = bool; + default = false; + example = true; + description = "Whether to set the root password from the Digital Ocean metadata"; + }; + setSshKeys = mkOption { + type = bool; + default = true; + example = true; + description = "Whether to fetch ssh keys from Digital Ocean"; + }; + seedEntropy = mkOption { + type = bool; + default = true; + example = true; + description = "Whether to run the kernel RNG entropy seeding script from the Digital Ocean vendor data"; + }; + }; + config = + let + cfg = config.virtualisation.digitalOcean; + hostName = config.networking.hostName; + doMetadataFile = "/run/do-metadata/v1.json"; + in mkMerge [{ + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + fsType = "ext4"; + }; + boot = { + growPartition = true; + kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; + initrd.kernelModules = [ "virtio_scsi" ]; + kernelModules = [ "virtio_pci" "virtio_net" ]; + loader = { + grub.device = "/dev/vda"; + timeout = 0; + grub.configurationLimit = 0; + }; + }; + services.openssh = { + enable = mkDefault true; + passwordAuthentication = mkDefault false; + }; + services.do-agent.enable = mkDefault true; + networking = { + hostName = mkDefault ""; # use Digital Ocean metadata server + }; + + /* Check for and wait for the metadata server to become reachable. + * This serves as a dependency for all the other metadata services. */ + systemd.services.digitalocean-metadata = { + path = [ pkgs.curl ]; + description = "Get host metadata provided by Digitalocean"; + script = '' + set -eu + DO_DELAY_ATTEMPTS=0 + while ! 
curl -fsSL -o $RUNTIME_DIRECTORY/v1.json http://169.254.169.254/metadata/v1.json; do + DO_DELAY_ATTEMPTS=$((DO_DELAY_ATTEMPTS + 1)) + if (( $DO_DELAY_ATTEMPTS >= $DO_DELAY_ATTEMPTS_MAX )); then + echo "giving up" + exit 1 + fi + + echo "metadata unavailable, trying again in 1s..." + sleep 1 + done + chmod 600 $RUNTIME_DIRECTORY/v1.json + ''; + environment = { + DO_DELAY_ATTEMPTS_MAX = "10"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + RuntimeDirectory = "do-metadata"; + RuntimeDirectoryPreserve = "yes"; + }; + unitConfig = { + ConditionPathExists = "!${doMetadataFile}"; + After = [ "network-pre.target" ] ++ + optional config.networking.dhcpcd.enable "dhcpcd.service" ++ + optional config.systemd.network.enable "systemd-networkd.service"; + }; + }; + + /* Fetch the root password from the digital ocean metadata. + * There is no specific route for this, so we use jq to get + * it from the One Big JSON metadata blob */ + systemd.services.digitalocean-set-root-password = mkIf cfg.setRootPassword { + path = [ pkgs.shadow pkgs.jq ]; + description = "Set root password provided by Digitalocean"; + wantedBy = [ "multi-user.target" ]; + script = '' + set -eo pipefail + ROOT_PASSWORD=$(jq -er '.auth_key' ${doMetadataFile}) + echo "root:$ROOT_PASSWORD" | chpasswd + mkdir -p /etc/do-metadata/set-root-password + ''; + unitConfig = { + ConditionPathExists = "!/etc/do-metadata/set-root-password"; + Before = optional config.services.openssh.enable "sshd.service"; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + /* Set the hostname from Digital Ocean, unless the user configured it in + * the NixOS configuration. The cached metadata file isn't used here + * because the hostname is a mutable part of the droplet. 
*/ + systemd.services.digitalocean-set-hostname = mkIf (hostName == "") { + path = [ pkgs.curl pkgs.nettools ]; + description = "Set hostname provided by Digitalocean"; + wantedBy = [ "network.target" ]; + script = '' + set -e + DIGITALOCEAN_HOSTNAME=$(curl -fsSL http://169.254.169.254/metadata/v1/hostname) + hostname "$DIGITALOCEAN_HOSTNAME" + if [[ ! -e /etc/hostname || -w /etc/hostname ]]; then + printf "%s\n" "$DIGITALOCEAN_HOSTNAME" > /etc/hostname + fi + ''; + unitConfig = { + Before = [ "network.target" ]; + After = [ "digitalocean-metadata.service" ]; + Wants = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + /* Fetch the ssh keys for root from Digital Ocean */ + systemd.services.digitalocean-ssh-keys = mkIf cfg.setSshKeys { + description = "Set root ssh keys provided by Digital Ocean"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.jq ]; + script = '' + set -e + mkdir -m 0700 -p /root/.ssh + jq -er '.public_keys[]' ${doMetadataFile} > /root/.ssh/authorized_keys + chmod 600 /root/.ssh/authorized_keys + ''; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + unitConfig = { + ConditionPathExists = "!/root/.ssh/authorized_keys"; + Before = optional config.services.openssh.enable "sshd.service"; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + }; + + /* Initialize the RNG by running the entropy-seed script from the + * Digital Ocean metadata + */ + systemd.services.digitalocean-entropy-seed = mkIf cfg.seedEntropy { + description = "Run the kernel RNG entropy seeding script from the Digital Ocean vendor data"; + wantedBy = [ "network.target" ]; + path = [ pkgs.jq pkgs.mpack ]; + script = '' + set -eo pipefail + TEMPDIR=$(mktemp -d) + jq -er '.vendor_data' ${doMetadataFile} | munpack -tC $TEMPDIR + ENTROPY_SEED=$(grep -rl "DigitalOcean Entropy Seed script" $TEMPDIR) + ${pkgs.runtimeShell} $ENTROPY_SEED + rm -rf $TEMPDIR + ''; + 
unitConfig = { + Before = [ "network.target" ]; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + } + ]; + meta.maintainers = with maintainers; [ arianvp eamsden ]; +} + diff --git a/nixos/modules/virtualisation/digital-ocean-image.nix b/nixos/modules/virtualisation/digital-ocean-image.nix new file mode 100644 index 000000000000..b582e235d435 --- /dev/null +++ b/nixos/modules/virtualisation/digital-ocean-image.nix 
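Review bot: In `digitalocean-metadata`, `curl -o $RUNTIME_DIRECTORY/v1.json` writes the metadata blob — from which later units read `auth_key` (used as the root password) and `public_keys` — before the `chmod 600` runs, and `RuntimeDirectory` is created with systemd's default mode 0755, so the file is world-readable in `/run/do-metadata` until the chmod, and `RuntimeDirectoryPreserve = "yes"` keeps the directory around afterwards. Setting `RuntimeDirectoryMode = "0700";` in `serviceConfig` (or `umask 077` at the top of the script) closes that window. `digitalocean-entropy-seed` extracts the vendor-data MIME archive and runs whichever file `grep -rl` matches as root; if more than one file matches, the unquoted `$ENTROPY_SEED` passes the extra paths as arguments to the first, so quoting it and checking that exactly one file matched would make the failure mode explicit. The `jq -er '.public_keys[]'` output is redirected into `/root/.ssh/authorized_keys` under the default umask before its own `chmod 600`; `(umask 077; jq -er '.public_keys[]' ${doMetadataFile} > /root/.ssh/authorized_keys)` avoids the same pattern there.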
@@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.virtualisation.digitalOceanImage; +in +{ + + imports = [ ./digital-ocean-config.nix ]; + + options = { + virtualisation.digitalOceanImage.diskSize = mkOption { + type = with types; int; + default = 4096; + description = '' + Size of disk image. Unit is MB. + ''; + }; + + virtualisation.digitalOceanImage.configFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + A path to a configuration file which will be placed at + <literal>/etc/nixos/configuration.nix</literal> and be used when switching + to a new configuration. If set to <literal>null</literal>, a default + configuration is used that imports + <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>. + ''; + }; + + virtualisation.digitalOceanImage.compressionMethod = mkOption { + type = types.enum [ "gzip" "bzip2" ]; + default = "gzip"; + example = "bzip2"; + description = '' + Disk image compression method. Choose bzip2 to generate smaller images that + take longer to generate but will consume less metered storage space on your + Digital Ocean account. + ''; + }; + }; + + #### implementation + config = { + + system.build.digitalOceanImage = import ../../lib/make-disk-image.nix { + name = "digital-ocean-image"; + format = "qcow2"; + postVM = let + compress = { + "gzip" = "${pkgs.gzip}/bin/gzip"; + "bzip2" = "${pkgs.bzip2}/bin/bzip2"; + }.${cfg.compressionMethod}; + in '' + ${compress} $diskImage + ''; + configFile = if cfg.configFile == null + then config.virtualisation.digitalOcean.defaultConfigFile + else cfg.configFile; + inherit (cfg) diskSize; + inherit config lib pkgs; + }; + + }; + + meta.maintainers = with maintainers; [ arianvp eamsden ]; + +} diff --git a/nixos/modules/virtualisation/digital-ocean-init.nix b/nixos/modules/virtualisation/digital-ocean-init.nix new file mode 100644 index 000000000000..02f4de009fa8 --- /dev/null 
+++ b/nixos/modules/virtualisation/digital-ocean-init.nix 
@@ -0,0 +1,95 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.virtualisation.digitalOcean; + defaultConfigFile = pkgs.writeText "digitalocean-configuration.nix" '' + { modulesPath, lib, ... }: + { + imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ + (modulesPath + "/virtualisation/digital-ocean-config.nix") + ]; + } + ''; +in { + options.virtualisation.digitalOcean.rebuildFromUserData = mkOption { + type = types.bool; + default = true; + example = true; + description = "Whether to reconfigure the system from Digital Ocean user data"; + }; + options.virtualisation.digitalOcean.defaultConfigFile = mkOption { + type = types.path; + default = defaultConfigFile; + defaultText = '' + The default configuration imports user-data if applicable and + <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>. + ''; + description = '' + A path to a configuration file which will be placed at + <literal>/etc/nixos/configuration.nix</literal> and be used when switching to + a new configuration. 
+ ''; + }; + + config = { + systemd.services.digitalocean-init = mkIf cfg.rebuildFromUserData { + description = "Reconfigure the system from Digital Ocean userdata on startup"; + wantedBy = [ "network-online.target" ]; + unitConfig = { + ConditionPathExists = "!/etc/nixos/do-userdata.nix"; + After = [ "digitalocean-metadata.service" "network-online.target" ]; + Requires = [ "digitalocean-metadata.service" ]; + X-StopOnRemoval = false; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + restartIfChanged = false; + path = [ pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.systemd config.nix.package config.system.build.nixos-rebuild ]; + environment = { + HOME = "/root"; + NIX_PATH = concatStringsSep ":" [ + "/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + }; + script = '' + set -e + echo "attempting to fetch configuration from Digital Ocean user data..." + userData=$(mktemp) + if jq -er '.user_data' /run/do-metadata/v1.json > $userData; then + # If the user-data looks like it could be a nix expression, + # copy it over. Also, look for a magic three-hash comment and set + # that as the channel. + if nix-instantiate --parse $userData > /dev/null; then + channels="$(grep '^###' "$userData" | sed 's|###\s*||')" + printf "%s" "$channels" | while read channel; do + echo "writing channel: $channel" + done + + if [[ -n "$channels" ]]; then + printf "%s" "$channels" > /root/.nix-channels + nix-channel --update + fi + + echo "setting configuration from Digital Ocean user data" + cp "$userData" /etc/nixos/do-userdata.nix + if [[ ! 
-e /etc/nixos/configuration.nix ]]; then + install -m0644 ${cfg.defaultConfigFile} /etc/nixos/configuration.nix + fi + else + echo "user data does not appear to be a Nix expression; ignoring" + exit + fi + + nixos-rebuild switch + else + echo "no user data is available" + fi + ''; + }; + }; + meta.maintainers = with maintainers; [ arianvp eamsden ]; +} diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix index edec37402308..6b8ad83661fe 100644 --- a/nixos/modules/virtualisation/openvswitch.nix +++ b/nixos/modules/virtualisation/openvswitch.nix @@ -42,6 +42,9 @@ in { default = false; description = '' Whether to start racoon service for openvswitch. + Supported only if openvswitch version is less than 2.6.0. + Use <literal>virtualisation.vswitch.package = pkgs.openvswitch-lts</literal> + for a version that supports ipsec over GRE. ''; }; }; @@ -89,6 +92,13 @@ in { "${cfg.package}/share/openvswitch/vswitch.ovsschema" fi chmod -R +w /var/db/openvswitch + if ${cfg.package}/bin/ovsdb-tool needs-conversion /var/db/openvswitch/conf.db | grep -q "yes" + then + echo "Performing database upgrade" + ${cfg.package}/bin/ovsdb-tool convert /var/db/openvswitch/conf.db + else + echo "Database already up to date" + fi ''; serviceConfig = { ExecStart = @@ -133,7 +143,7 @@ in { }; } - (mkIf cfg.ipsec { + (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) { services.racoon.enable = true; services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; @@ -172,5 +182,4 @@ in { ''; }; })])); - } diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index e313d2b411bb..31d332e9f07a 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix 
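Review bot: In the `digitalocean-init` script, `printf "%s" "$channels" | while read channel` drops the last line because `printf "%s"` emits no trailing newline and `read` returns non-zero on an unterminated final line — so the "writing channel" log line is never printed for the last (or only) channel, while the following `printf "%s" "$channels" > /root/.nix-channels` still writes it. Use `printf "%s\n" "$channels"` for the loop (or `while read channel || [ -n "$channel" ]`). The unit turns user data into root-executed configuration: anything `nix-instantiate --parse` accepts is copied to `/etc/nixos/do-userdata.nix`, the `###` lines become entries in `/root/.nix-channels` that `nix-channel --update` fetches, and `nixos-rebuild switch` then runs — that is the module's purpose, but the `rebuildFromUserData` description only says "reconfigure"; a sentence stating that this fully trusts the metadata service's user data, including channel URLs, would help operators decide whether to keep the default `true`. Quote `$userData` in the `jq` redirection and the `nix-instantiate` call for consistency with the later quoted uses.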
@@ -620,7 +620,7 @@ in
 # Wireless won't work in the VM.
 networking.wireless.enable = mkVMOverride false;
- networking.connman.enable = mkVMOverride false;
+ services.connman.enable = mkVMOverride false;
 # Speed up booting by not waiting for ARP.
 networking.dhcpcd.extraConfig = "noarp"; |