Diffstat (limited to 'nixos/modules')
34 files changed, 587 insertions, 299 deletions
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 80ea7bc5d5c9..9f2360f41c6e 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -79,6 +79,14 @@ in ''; }; + hardware.nvidia.optimus_prime.allowExternalGpu = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Configure X to allow external NVIDIA GPUs when using optimus. + ''; + }; + hardware.nvidia.optimus_prime.nvidiaBusId = lib.mkOption { type = lib.types.string; default = ""; @@ -134,6 +142,7 @@ in deviceSection = optionalString optimusCfg.enable '' BusID "${optimusCfg.nvidiaBusId}" + ${optionalString optimusCfg.allowExternalGpu "Option \"AllowExternalGpus\""} ''; screenSection = '' diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index e78673514e3b..cd6bb9019b18 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -266,7 +266,7 @@ caddy = 239; taskd = 240; factorio = 241; - emby = 242; + # emby = 242; # unusued, removed 2019-05-01 graylog = 243; sniproxy = 244; nzbget = 245; @@ -567,7 +567,7 @@ caddy = 239; taskd = 240; factorio = 241; - emby = 242; + # emby = 242; # unused, removed 2019-05-01 sniproxy = 244; nzbget = 245; mosquitto = 246; diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 3a717fddaba2..9d19dd2a7ff2 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -127,13 +127,14 @@ in default = []; example = literalExample '' - [ (self: super: { + [ + (self: super: { openssh = super.openssh.override { hpnSupport = true; kerberos = self.libkrb5; }; - }; - ) ] + }) + ] ''; type = types.listOf overlayType; description = '' diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fca4a20eee63..a07461022a31 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
@@ -256,8 +256,7 @@ ./services/databases/virtuoso.nix ./services/desktops/accountsservice.nix ./services/desktops/bamf.nix - ./services/desktops/deepin/dde-daemon.nix - ./services/desktops/deepin/deepin-menu.nix + ./services/desktops/deepin/deepin.nix ./services/desktops/dleyna-renderer.nix ./services/desktops/dleyna-server.nix ./services/desktops/pantheon/contractor.nix @@ -392,9 +391,9 @@ ./services/misc/dysnomia.nix ./services/misc/disnix.nix ./services/misc/docker-registry.nix - ./services/misc/emby.nix ./services/misc/errbot.nix ./services/misc/etcd.nix + ./services/misc/ethminer.nix ./services/misc/exhibitor.nix ./services/misc/felix.nix ./services/misc/folding-at-home.nix @@ -414,6 +413,7 @@ ./services/misc/ihaskell.nix ./services/misc/irkerd.nix ./services/misc/jackett.nix + ./services/misc/jellyfin.nix ./services/misc/logkeys.nix ./services/misc/leaps.nix ./services/misc/lidarr.nix diff --git a/nixos/modules/programs/browserpass.nix b/nixos/modules/programs/browserpass.nix index 47b9d1ccb1f6..e1456d3c1848 100644 --- a/nixos/modules/programs/browserpass.nix +++ b/nixos/modules/programs/browserpass.nix 
@@ -26,16 +26,6 @@ with lib; # brave "opt/brave/native-messaging-hosts/${appId}".source = source "hosts/chromium"; "opt/brave/policies/managed/${appId}".source = source "policies/chromium"; - } - # As with the v2 backwards compatibility in the pkgs.browserpass - # declaration, this part can be removed once the browser extension - # auto-updates to v3 (planned 2019-04-13, see - # https://github.com/browserpass/browserpass-native/issues/31) - // { - "chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json"; - "chromium/policies/managed/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-policy.json"; - "opt/chrome/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json"; - "opt/chrome/policies/managed/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-policy.json"; }; nixpkgs.config.firefox.enableBrowserpass = true; }; diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix index 9c9765b06b6f..b7bfb8504b6f 100644 --- a/nixos/modules/programs/dconf.nix +++ b/nixos/modules/programs/dconf.nix @@ -38,7 +38,7 @@ in "${pkgs.gnome3.dconf.lib}/lib/gio/modules"; # https://github.com/NixOS/nixpkgs/pull/31891 #environment.variables.XDG_DATA_DIRS = optional cfg.enable - # "$(echo ${pkgs.gnome3.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)"; + # "$(echo ${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)"; }; } diff --git a/nixos/modules/programs/sway.nix b/nixos/modules/programs/sway.nix index 457faaa3c102..b4f03151cdc1 100644 --- a/nixos/modules/programs/sway.nix +++ b/nixos/modules/programs/sway.nix 
@@ -78,9 +78,9 @@ in { environment = { systemPackages = [ swayJoined ] ++ cfg.extraPackages; etc = { - "sway/config".source = "${swayPackage}/etc/sway/config"; - #"sway/security.d".source = "${swayPackage}/etc/sway/security.d/"; - #"sway/config.d".source = "${swayPackage}/etc/sway/config.d/"; + "sway/config".source = mkOptionDefault "${swayPackage}/etc/sway/config"; + #"sway/security.d".source = mkOptionDefault "${swayPackage}/etc/sway/security.d/"; + #"sway/config.d".source = mkOptionDefault "${swayPackage}/etc/sway/config.d/"; }; }; security.pam.services.swaylock = {}; diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index d323a158a4df..4512a7a80f6d 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -33,7 +33,12 @@ in paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") ([ pkgs.apparmor-profiles ] ++ cfg.packages); in { - wantedBy = [ "local-fs.target" ]; + after = [ "local-fs.target" ]; + before = [ "sysinit.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + DefaultDependencies = "no"; + }; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; @@ -43,6 +48,9 @@ in ExecStop = map (p: ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' ) cfg.profiles; + ExecReload = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' + ) cfg.profiles; }; }; }; diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix index a54ef2e6fcad..60361d9960ed 100644 --- a/nixos/modules/security/rngd.nix +++ b/nixos/modules/security/rngd.nix 
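Review bot: Ordering the oneshot `before = [ "sysinit.target" ]` orders but does not gate: if `apparmor_parser` rejects one of `cfg.profiles`, the unit fails and every service those profiles were meant to confine still starts, unconfined, because nothing here `requires` it. A comment above `unitConfig` making that explicit — `# Failure here leaves profiled services unconfined; units that depend on a profile should requires= this service` — would stop operators assuming confinement is enforced at boot. The `systemd.services` attribute this hunk edits begins outside the hunk.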
@@ -2,20 +2,30 @@ with lib; +let + cfg = config.security.rngd; +in { options = { - security.rngd.enable = mkOption { - type = types.bool; - default = true; - description = '' - Whether to enable the rng daemon, which adds entropy from - hardware sources of randomness to the kernel entropy pool when - available. - ''; + security.rngd = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the rng daemon, which adds entropy from + hardware sources of randomness to the kernel entropy pool when + available. + ''; + }; + debug = mkOption { + type = types.bool; + default = false; + description = "Whether to enable debug output (-d)."; + }; }; }; - config = mkIf config.security.rngd.enable { + config = mkIf cfg.enable { services.udev.extraRules = '' KERNEL=="random", TAG+="systemd" SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" @@ -29,7 +39,10 @@ with lib; description = "Hardware RNG Entropy Gatherer Daemon"; - serviceConfig.ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"; + serviceConfig = { + ExecStart = "${pkgs.rng-tools}/sbin/rngd -f" + + optionalString cfg.debug " -d"; + }; }; }; } diff --git a/nixos/modules/services/backup/znapzend.nix b/nixos/modules/services/backup/znapzend.nix index fc8a424190f7..11b6215794ec 100644 --- a/nixos/modules/services/backup/znapzend.nix +++ b/nixos/modules/services/backup/znapzend.nix @@ -382,8 +382,10 @@ in | xargs -I{} ${pkgs.znapzend}/bin/znapzendzetup delete "{}" '' + concatStringsSep "\n" (mapAttrsToList (dataset: config: '' echo Importing znapzend zetup ${config} for dataset ${dataset} - ${pkgs.znapzend}/bin/znapzendzetup import --write ${dataset} ${config} - '') files); + ${pkgs.znapzend}/bin/znapzendzetup import --write ${dataset} ${config} & + '') files) + '' + wait + ''; serviceConfig = { ExecStart = let 
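Review bot: Backgrounding each `znapzendzetup import --write` and finishing with a bare `wait` drops the error status: bash's argument-less `wait` returns 0 however the children exited, so a failed import no longer aborts `preStart` the way the sequential version did under the `set -e` NixOS wraps job scripts in. Collect the PIDs and wait on each — change the import line to `${pkgs.znapzend}/bin/znapzendzetup import --write ${dataset} ${config} & pids+=($!)` and the trailing `wait` to `for p in ''${pids[@]}; do wait "$p"; done` (the `''${` escape is needed inside the Nix indented string). The `preStart` string this hunk edits begins outside the hunk.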
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index 192c893f8a16..5e46bfc4240f 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -273,11 +273,10 @@ in {
 wantedBy = [ "kube-control-plane-online.target" ];
 after = [ "kube-scheduler.service" "kube-controller-manager.service" ];
 before = [ "kube-control-plane-online.target" ];
- environment.KUBECONFIG = cfg.lib.mkKubeConfig "default" cfg.kubeconfig;
- path = [ pkgs.kubectl ];
+ path = [ pkgs.curl ];
 preStart = ''
- until kubectl get --raw=/healthz 2>/dev/null; do
- echo kubectl get --raw=/healthz: exit status $?
+ until curl -Ssf ${cfg.apiserverAddress}/healthz do
+ echo curl -Ssf ${cfg.apiserverAddress}/healthz: exit status $?
 sleep 3
 done
 '';
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index c101e7375af9..c2f458c03794 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -18,7 +18,11 @@ let
 database ${cfg.database}
 suffix ${cfg.suffix}
 rootdn ${cfg.rootdn}
- rootpw ${cfg.rootpw}
+ ${if (cfg.rootpw != null) then ''
+ rootpw ${cfg.rootpw}
+ '' else ''
+ include ${cfg.rootpwFile}
+ ''}
 directory ${cfg.dataDir}
 ${cfg.extraDatabaseConfig}
 '');
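Review bot: The new `until curl -Ssf ${cfg.apiserverAddress}/healthz do` is missing the `;` before `do`, so bash passes `do` to curl as an argument and the loop never parses (`done` then becomes a syntax error and preStart fails outright); it should read `until curl -Ssf ${cfg.apiserverAddress}/healthz; do`. Dropping kubectl also drops the kubeconfig's CA and client credentials: if `cfg.apiserverAddress` is an https URL signed by the cluster CA, plain `curl` fails verification and the loop never exits, so pass the cluster CA with `--cacert` (the module's CA option is not visible in this hunk, so I cannot name it) rather than reaching for `-k`. The service definition this hunk edits begins outside the hunk.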
@@ -106,10 +110,23 @@ in }; rootpw = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; description = '' Password for the root user. This setting will be ignored if configDir is set. + Using this option will store the root password in plain text in the + world-readable nix store. To avoid this the <literal>rootpwFile</literal> can be used. + ''; + }; + + rootpwFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password file for the root user. + The file should contain the string <literal>rootpw</literal> followed by the password. + e.g.: <literal>rootpw mysecurepassword</literal> ''; }; @@ -140,9 +157,9 @@ in include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema include ${pkgs.openldap.out}/etc/schema/nis.schema - database bdb - suffix dc=example,dc=org - rootdn cn=admin,dc=example,dc=org + database bdb + suffix dc=example,dc=org + rootdn cn=admin,dc=example,dc=org # NOTE: change after first start rootpw secret directory /var/db/openldap @@ -218,6 +235,12 @@ in ###### implementation config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.rootpwFile != null || cfg.rootpw != null; + message = "Either services.openldap.rootpw or services.openldap.rootpwFile must be set"; + } + ]; environment.systemPackages = [ openldap ]; diff --git a/nixos/modules/services/desktops/deepin/dde-daemon.nix b/nixos/modules/services/desktops/deepin/dde-daemon.nix deleted file mode 100644 index 057da4e2d7f2..000000000000 --- a/nixos/modules/services/desktops/deepin/dde-daemon.nix +++ /dev/null 
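Review bot: `rootpwFile` moves the secret out of the store, but its description still steers users to a plaintext password: slapd's `rootpw` accepts the hashed forms `slappasswd` produces, so recommend `rootpw {SSHA}<hash>` in the file and state that the file must be readable only by the user slapd runs as, since `include` reads it at startup. Nothing prevents both options being set — the generated config in the earlier hunk makes `rootpw` win silently — so either add `{ assertion = !(cfg.rootpw != null && cfg.rootpwFile != null); message = "Set only one of services.openldap.rootpw and rootpwFile"; }` or document the precedence. Keeping `types.str` rather than `types.path` is correct here, because an unquoted path literal would copy the secret into the store; a one-line comment saying so, `# str, not path: a path literal would be copied into the world-readable store`, stops the next reviewer from "fixing" it.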
@@ -1,41 +0,0 @@ -# dde-daemon - -{ config, pkgs, lib, ... }: - -{ - - ###### interface - - options = { - - services.deepin.dde-daemon = { - - enable = lib.mkEnableOption - "A daemon for handling Deepin Desktop Environment session settings"; - - }; - - }; - - - ###### implementation - - config = lib.mkIf config.services.deepin.dde-daemon.enable { - - environment.systemPackages = [ pkgs.deepin.dde-daemon ]; - - services.dbus.packages = [ pkgs.deepin.dde-daemon ]; - - systemd.packages = [ pkgs.deepin.dde-daemon ]; - - users.groups.dde-daemon = { }; - - users.users.dde-daemon = { - description = "Deepin daemon user"; - group = "dde-daemon"; - isSystemUser = true; - }; - - }; - -} diff --git a/nixos/modules/services/desktops/deepin/deepin-menu.nix b/nixos/modules/services/desktops/deepin/deepin-menu.nix deleted file mode 100644 index 23fe5a741c42..000000000000 --- a/nixos/modules/services/desktops/deepin/deepin-menu.nix +++ /dev/null @@ -1,29 +0,0 @@ -# deepin-menu - -{ config, pkgs, lib, ... }: - -{ - - ###### interface - - options = { - - services.deepin.deepin-menu = { - - enable = lib.mkEnableOption - "DBus service for unified menus in Deepin Desktop Environment"; - - }; - - }; - - - ###### implementation - - config = lib.mkIf config.services.deepin.deepin-menu.enable { - - services.dbus.packages = [ pkgs.deepin.deepin-menu ]; - - }; - -} diff --git a/nixos/modules/services/desktops/deepin/deepin.nix b/nixos/modules/services/desktops/deepin/deepin.nix new file mode 100644 index 000000000000..7ec326e599e5 --- /dev/null +++ b/nixos/modules/services/desktops/deepin/deepin.nix 
@@ -0,0 +1,118 @@ +# deepin + +{ config, pkgs, lib, ... }: + +{ + + ###### interface + + options = { + + services.deepin.core.enable = lib.mkEnableOption " + Basic dbus and systemd services, groups and users needed by the + Deepin Desktop Environment. + "; + + services.deepin.deepin-menu.enable = lib.mkEnableOption " + DBus service for unified menus in Deepin Desktop Environment. + "; + + services.deepin.deepin-turbo.enable = lib.mkEnableOption " + Turbo service for the Deepin Desktop Environment. It is a daemon + that helps to launch applications faster. + "; + + }; + + + ###### implementation + + config = lib.mkMerge [ + + (lib.mkIf config.services.deepin.core.enable { + environment.systemPackages = [ + pkgs.deepin.dde-api + pkgs.deepin.dde-calendar + pkgs.deepin.dde-daemon + pkgs.deepin.dde-dock + pkgs.deepin.dde-session-ui + pkgs.deepin.deepin-anything + pkgs.deepin.deepin-image-viewer + pkgs.deepin.deepin-screenshot + ]; + + services.dbus.packages = [ + pkgs.deepin.dde-api + pkgs.deepin.dde-calendar + pkgs.deepin.dde-daemon + pkgs.deepin.dde-dock + pkgs.deepin.dde-session-ui + pkgs.deepin.deepin-anything + pkgs.deepin.deepin-image-viewer + pkgs.deepin.deepin-screenshot + ]; + + systemd.packages = [ + pkgs.deepin.dde-api + pkgs.deepin.dde-daemon + pkgs.deepin.deepin-anything + ]; + + boot.extraModulePackages = [ config.boot.kernelPackages.deepin-anything ]; + + boot.kernelModules = [ "vfs_monitor" ]; + + users.groups.deepin-sound-player = { }; + + users.users.deepin-sound-player = { + description = "Deepin sound player"; + group = "deepin-sound-player"; + isSystemUser = true; + }; + + users.groups.deepin-daemon = { }; + + users.users.deepin-daemon = { + description = "Deepin daemon user"; + group = "deepin-daemon"; + isSystemUser = true; + }; + + users.groups.deepin_anything_server = { }; + + users.users.deepin_anything_server = { + description = "Deepin Anything Server"; + group = "deepin_anything_server"; + isSystemUser = true; + }; + + 
security.pam.services.deepin-auth-keyboard.text = '' + # original at ${pkgs.deepin.dde-daemon}/etc/pam.d/deepin-auth-keyboard + auth [success=2 default=ignore] pam_lsass.so + auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass + auth requisite pam_deny.so + auth required pam_permit.so + ''; + + environment.etc = { + "polkit-1/localauthority/10-vendor.d/com.deepin.api.device.pkla".source = "${pkgs.deepin.dde-api}/etc/polkit-1/localauthority/10-vendor.d/com.deepin.api.device.pkla"; + "polkit-1/localauthority/10-vendor.d/com.deepin.daemon.Accounts.pkla".source = "${pkgs.deepin.dde-daemon}/etc/polkit-1/localauthority/10-vendor.d/com.deepin.daemon.Accounts.pkla"; + "polkit-1/localauthority/10-vendor.d/com.deepin.daemon.Grub2.pkla".source = "${pkgs.deepin.dde-daemon}/etc/polkit-1/localauthority/10-vendor.d/com.deepin.daemon.Grub2.pkla"; + }; + + services.deepin.deepin-menu.enable = true; + services.deepin.deepin-turbo.enable = true; + }) + + (lib.mkIf config.services.deepin.deepin-menu.enable { + services.dbus.packages = [ pkgs.deepin.deepin-menu ]; + }) + + (lib.mkIf config.services.deepin.deepin-turbo.enable { + environment.systemPackages = [ pkgs.deepin.deepin-turbo ]; + systemd.packages = [ pkgs.deepin.deepin-turbo ]; + }) + + ]; + +} diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix index 4c350d8bb1c6..db60445ef773 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix @@ -37,6 +37,11 @@ with lib; security.pam.services.login.enableGnomeKeyring = true; + security.wrappers.gnome-keyring-daemon = { + source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon"; + capabilities = "cap_ipc_lock=ep"; + }; + }; } diff --git a/nixos/modules/services/misc/emby.nix b/nixos/modules/services/misc/emby.nix deleted file mode 100644 index 0ad4a3f7376f..000000000000 
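Review bot: The hardcoded `security.pam.services.deepin-auth-keyboard.text` bypasses the composable NixOS PAM options, so site-wide choices (U2F, fingerprint, `unixAuth` settings) will not apply to Deepin's keyboard auth prompt, and it names `pam_lsass.so`, a Likewise/PBIS module I do not see packaged anywhere in this diff. `[success=2 default=ignore]` lets a missing module fall through to `pam_unix`, which is presumably the intent, but say so in the comment: `# pam_lsass.so is not shipped on NixOS; default=ignore skips it`. `nullok_secure` is a Debian-specific `pam_unix` option; upstream `pam_unix` logs and ignores unknown options, so on NixOS the token is most likely inert — drop it, and do not substitute `nullok`, since empty passwords should not unlock a login-class prompt. Separately, `services.deepin.core.enable` loads the out-of-tree `vfs_monitor` module and installs vendor polkit `.pkla` rules (`com.deepin.daemon.Grub2`, `...Accounts`) whose grants are not visible here; a comment pointing reviewers at what those files allow would help.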
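Review bot: The new `security.wrappers.gnome-keyring-daemon` only helps callers that resolve the daemon through `/run/wrappers/bin`; `pam_gnome_keyring.so`, which `enableGnomeKeyring = true` on the line above wires into `login`, typically execs the daemon by an absolute compiled-in path, so the PAM-spawned instance would still run without `cap_ipc_lock` and fall back to unlocked memory — please confirm, and record the outcome in a comment such as `# Grants cap_ipc_lock so the daemon can mlock() secrets; only effective for invocations found via PATH`. The wrapper carries no `setuid`/`owner`, so it is capability-only, which is the right shape for this.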
--- a/nixos/modules/services/misc/emby.nix +++ /dev/null @@ -1,76 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.emby; -in -{ - options = { - services.emby = { - enable = mkEnableOption "Emby Media Server"; - - user = mkOption { - type = types.str; - default = "emby"; - description = "User account under which Emby runs."; - }; - - group = mkOption { - type = types.str; - default = "emby"; - description = "Group under which emby runs."; - }; - - dataDir = mkOption { - type = types.path; - default = "/var/lib/emby/ProgramData-Server"; - description = "Location where Emby stores its data."; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.emby = { - description = "Emby Media Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - if [ -d ${cfg.dataDir} ] - then - for plugin in ${cfg.dataDir}/plugins/* - do - echo "Correcting permissions of plugin: $plugin" - chmod u+w $plugin - done - else - echo "Creating initial Emby data directory in ${cfg.dataDir}" - mkdir -p ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} - fi - ''; - - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - PermissionsStartOnly = "true"; - ExecStart = "${pkgs.emby}/bin/emby -programdata ${cfg.dataDir}"; - Restart = "on-failure"; - }; - }; - - users.users = mkIf (cfg.user == "emby") { - emby = { - group = cfg.group; - uid = config.ids.uids.emby; - }; - }; - - users.groups = mkIf (cfg.group == "emby") { - emby = { - gid = config.ids.gids.emby; - }; - }; - }; -} diff --git a/nixos/modules/services/misc/ethminer.nix b/nixos/modules/services/misc/ethminer.nix new file mode 100644 index 000000000000..2958cf214473 --- /dev/null +++ b/nixos/modules/services/misc/ethminer.nix 
@@ -0,0 +1,115 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ethminer; + poolUrl = escapeShellArg "stratum1+tcp://${cfg.wallet}@${cfg.pool}:${toString cfg.stratumPort}/${cfg.rig}/${cfg.registerMail}"; +in + +{ + + ###### interface + + options = { + + services.ethminer = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Enable ethminer ether mining."; + }; + + recheckInterval = mkOption { + type = types.int; + default = 2000; + description = "Interval in milliseconds between farm rechecks."; + }; + + toolkit = mkOption { + type = types.enum [ "cuda" "opencl" ]; + default = "cuda"; + description = "Cuda or opencl toolkit."; + }; + + apiPort = mkOption { + type = types.int; + default = -3333; + description = "Ethminer api port. minus sign puts api in read-only mode."; + }; + + wallet = mkOption { + type = types.str; + example = "0x0123456789abcdef0123456789abcdef01234567"; + description = "Ethereum wallet address."; + }; + + pool = mkOption { + type = types.str; + example = "eth-us-east1.nanopool.org"; + description = "Mining pool address."; + }; + + stratumPort = mkOption { + type = types.port; + default = 9999; + description = "Stratum protocol tcp port."; + }; + + rig = mkOption { + type = types.str; + default = "mining-rig-name"; + description = "Mining rig name."; + }; + + registerMail = mkOption { + type = types.str; + example = "email%40example.org"; + description = "Url encoded email address to register with pool."; + }; + + maxPower = mkOption { + type = types.int; + default = 115; + description = "Miner max watt usage."; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.ethminer = { + path = [ pkgs.cudatoolkit ]; + description = "ethminer ethereum mining service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStartPost = optional (cfg.toolkit == "cuda") "+${getBin 
config.boot.kernelPackages.nvidia_x11}/bin/nvidia-smi -pl ${toString cfg.maxPower}"; + }; + + environment = { + LD_LIBRARY_PATH = "${config.boot.kernelPackages.nvidia_x11}/lib"; + }; + + script = '' + ${pkgs.ethminer}/bin/.ethminer-wrapped \ + --farm-recheck ${toString cfg.recheckInterval} \ + --report-hashrate \ + --${cfg.toolkit} \ + --api-port ${toString cfg.apiPort} \ + --pool ${poolUrl} + ''; + + }; + + }; + +} diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix new file mode 100644 index 000000000000..55559206568d --- /dev/null +++ b/nixos/modules/services/misc/jellyfin.nix @@ -0,0 +1,54 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.jellyfin; +in +{ + options = { + services.jellyfin = { + enable = mkEnableOption "Jellyfin Media Server"; + + user = mkOption { + type = types.str; + default = "jellyfin"; + description = "User account under which Jellyfin runs."; + }; + + group = mkOption { + type = types.str; + default = "jellyfin"; + description = "Group under which jellyfin runs."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.jellyfin = { + description = "Jellyfin Media Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = rec { + User = cfg.user; + Group = cfg.group; + StateDirectory = "jellyfin"; + CacheDirectory = "jellyfin"; + ExecStart = "${pkgs.jellyfin}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; + Restart = "on-failure"; + }; + }; + + users.users = mkIf (cfg.user == "jellyfin") { + jellyfin.group = cfg.group; + }; + + users.groups = mkIf (cfg.group == "jellyfin") { + jellyfin = {}; + }; + + }; + + meta.maintainers = with lib.maintainers; [ minijackson ]; +} diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 665215822af8..8db3c44246f3 100644 --- a/nixos/modules/services/misc/nix-daemon.nix 
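Review bot: The `jellyfin` user created when `cfg.user == "jellyfin"` sets only `group`, not `isSystemUser = true`, so unlike the `emby` user it replaces (which carried a fixed `config.ids.uids.emby`) and unlike the Deepin users added elsewhere in this commit, it is allocated from the normal-user UID range rather than the system range; add `isSystemUser = true;` next to `group = cfg.group;`. The `serviceConfig = rec { ... }` block already declares `StateDirectory`/`CacheDirectory`, which is the natural place for baseline hardening of a network-facing media server (`NoNewPrivileges`, `PrivateTmp`, `ProtectSystem = "strict"`), but that can be a follow-up.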
+++ b/nixos/modules/services/misc/nix-daemon.nix @@ -60,6 +60,7 @@ let ${optionalString (isNix20 && !cfg.distributedBuilds) '' builders = ''} + system-features = ${toString cfg.systemFeatures} $extraOptions END '' + optionalString cfg.checkConfig ( @@ -360,6 +361,14 @@ in ''; }; + systemFeatures = mkOption { + type = types.listOf types.str; + example = [ "kvm" "big-parallel" "gccarch-skylake" ]; + description = '' + The supported features of a machine + ''; + }; + checkConfig = mkOption { type = types.bool; default = true; @@ -478,6 +487,21 @@ in /nix/var/nix/gcroots/tmp ''; + nix.systemFeatures = mkDefault ( + [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ + optionals (pkgs.stdenv.isx86_64 && pkgs.hostPlatform.platform ? gcc.arch) ( + # a x86_64 builder can run code for `platform.gcc.arch` and minor architectures: + [ "gccarch-${pkgs.hostPlatform.platform.gcc.arch}" ] ++ { + "sandybridge" = [ "gccarch-westmere" ]; + "ivybridge" = [ "gccarch-westmere" "gccarch-sandybridge" ]; + "haswell" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" ]; + "broadwell" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" ]; + "skylake" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" ]; + "skylake-avx512" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" "gccarch-skylake" ]; + }.${pkgs.hostPlatform.platform.gcc.arch} or [] + ) + ); + }; } diff --git a/nixos/modules/services/monitoring/grafana-reporter.nix b/nixos/modules/services/monitoring/grafana-reporter.nix index 149026d20188..827cf6322cfd 100644 --- a/nixos/modules/services/monitoring/grafana-reporter.nix +++ b/nixos/modules/services/monitoring/grafana-reporter.nix 
@@ -52,7 +52,7 @@ in { wantedBy = ["multi-user.target"]; after = ["network.target"]; serviceConfig = let - args = lib.concatSepString " " [ + args = lib.concatStringsSep " " [ "-proto ${cfg.grafana.protocol}://" "-ip ${cfg.grafana.addr}:${toString cfg.grafana.port}" "-port :${toString cfg.port}" diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 85879cfe0b33..5d3f2e6ac28f 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -177,7 +177,7 @@ let folder = mkOption { type = types.str; default = ""; - description = "Add dashboards to the speciied folder"; + description = "Add dashboards to the specified folder"; }; type = mkOption { type = types.str; diff --git a/nixos/modules/services/networking/ejabberd.nix b/nixos/modules/services/networking/ejabberd.nix index ef5e2cee6f20..6a38f85c48a2 100644 --- a/nixos/modules/services/networking/ejabberd.nix +++ b/nixos/modules/services/networking/ejabberd.nix @@ -11,7 +11,7 @@ let ${cfg.ctlConfig} ''; - ectl = ''${cfg.package}/bin/ejabberdctl ${if cfg.configFile == null then "" else "--config ${cfg.configFile}"} --ctl-config "${ctlcfg}" --spool "${cfg.spoolDir}" --logs "${cfg.logsDir}"''; + ectl = ''${cfg.package}/bin/ejabberdctl ${optionalString (cfg.configFile != null) "--config ${cfg.configFile}"} --ctl-config "${ctlcfg}" --spool "${cfg.spoolDir}" --logs "${cfg.logsDir}"''; dumps = lib.escapeShellArgs cfg.loadDumps; 
@@ -111,28 +111,17 @@ in { description = "ejabberd server"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - path = [ pkgs.findutils pkgs.coreutils pkgs.runit ] ++ lib.optional cfg.imagemagick pkgs.imagemagick; + path = [ pkgs.findutils pkgs.coreutils ] ++ lib.optional cfg.imagemagick pkgs.imagemagick; serviceConfig = { - ExecStart = ''${ectl} foreground''; - # FIXME: runit is used for `chpst` -- can we get rid of this? - ExecStop = ''${pkgs.runit}/bin/chpst -u "${cfg.user}:${cfg.group}" ${ectl} stop''; - ExecReload = ''${pkgs.runit}/bin/chpst -u "${cfg.user}:${cfg.group}" ${ectl} reload_config''; User = cfg.user; Group = cfg.group; - PermissionsStartOnly = true; + ExecStart = "${ectl} foreground"; + ExecStop = "${ectl} stop"; + ExecReload = "${ectl} reload_config"; }; preStart = '' - mkdir -p -m750 "${cfg.logsDir}" - chown "${cfg.user}:${cfg.group}" "${cfg.logsDir}" - - mkdir -p -m750 "/var/lock/ejabberdctl" - chown "${cfg.user}:${cfg.group}" "/var/lock/ejabberdctl" - - mkdir -p -m750 "${cfg.spoolDir}" - chown -R "${cfg.user}:${cfg.group}" "${cfg.spoolDir}" - if [ -z "$(ls -A '${cfg.spoolDir}')" ]; then touch "${cfg.spoolDir}/.firstRun" fi @@ -149,13 +138,18 @@ in { for src in ${dumps}; do find "$src" -type f | while read dump; do echo "Loading configuration dump at $dump" - chpst -u "${cfg.user}:${cfg.group}" ${ectl} load "$dump" + ${ectl} load "$dump" done done fi ''; }; + systemd.tmpfiles.rules = [ + "d '${cfg.logsDir}' 0750 ${cfg.user} ${cfg.group} -" + "d '${cfg.spoolDir}' 0700 ${cfg.user} ${cfg.group} -" + ]; + security.pam.services.ejabberd = {}; }; diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index 3fbc08e90607..7add48308f80 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: # TODO: # 
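Review bot: The removed preStart created `/var/lock/ejabberdctl` but the new `systemd.tmpfiles.rules` only cover `logsDir` and `spoolDir`; `ExecStop`/`ExecReload` now run `ejabberdctl` as `cfg.user`, and if ejabberdctl still takes its lock under `/var/lock/ejabberdctl` (as the old code assumed) that call will fail for a non-root user — add `"d '/var/lock/ejabberdctl' 0750 ${cfg.user} ${cfg.group} -"` unless you have confirmed the lock directory is no longer used. A `d` rule also sets owner and mode on the directory only, whereas the old `chown -R` on `spoolDir` repaired existing contents, so a later change of `cfg.user` no longer self-heals; a release-note line or a `Z` rule would cover that. The `preStart` and `serviceConfig` here belong to a `systemd.services` definition that begins outside the hunk.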
@@ -12,6 +12,8 @@ let cfg = config.services.hostapd; + escapedInterface = utils.escapeSystemdPath cfg.interface; + configFile = pkgs.writeText "hostapd.conf" '' interface=${cfg.interface} driver=${cfg.driver} @@ -157,8 +159,8 @@ in { description = "hostapd wireless AP"; path = [ pkgs.hostapd ]; - after = [ "sys-subsystem-net-devices-${cfg.interface}.device" ]; - bindsTo = [ "sys-subsystem-net-devices-${cfg.interface}.device" ]; + after = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; + bindsTo = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; requiredBy = [ "network-link-${cfg.interface}.service" ]; serviceConfig = diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index 65df93a00da9..0046dcd366fa 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -70,6 +70,8 @@ in systemd.services."softether-init" = { description = "SoftEther VPN services initial task"; + after = [ "keys.target" ]; + wants = [ "keys.target" ]; wantedBy = [ "network.target" ]; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index 1ad8855b86db..46bff6954cdd 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -47,11 +47,11 @@ let # Baz=baz # Qux=qux # </Foo> - set = concatMap (subname: [ + set = concatMap (subname: optionals (value.${subname} != null) ([ "<${name} ${subname}>" ] ++ map (line: "\t${line}") (toLines value.${subname}) ++ [ "</${name}>" - ]) (filter (v: v != null) (attrNames value)); + ])) (filter (v: v != null) (attrNames value)); }.${builtins.typeOf value}; diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix index 2d717ac94746..1b7a2ad13980 100644 --- a/nixos/modules/services/security/sks.nix 
+++ b/nixos/modules/services/security/sks.nix @@ -116,20 +116,22 @@ in { ${lib.optionalString (cfg.webroot != null) "ln -sfT \"${cfg.webroot}\" web"} mkdir -p dump - # Check that both database configs are symlinks before overwriting them - if [ -e KDB/DB_CONFIG ] && [ ! -L KDB/DB_CONFIG ]; then - echo "KDB/DB_CONFIG exists but is not a symlink." >&2 - exit 1 - fi - if [ -e PTree/DB_CONFIG ] && [ ! -L PTree/DB_CONFIG ]; then - echo "PTree/DB_CONFIG exists but is not a symlink." >&2 - exit 1 - fi - ln -sf ${dbConfig} KDB/DB_CONFIG - ln -sf ${dbConfig} PTree/DB_CONFIG ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/ ${sksPkg}/bin/sks cleandb || true ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true + # Check that both database configs are symlinks before overwriting them + # TODO: The initial build will be without DB_CONFIG, but this will + # hopefully not cause any significant problems. It might be better to + # create both directories manually but we have to check that this does + # not affect the initial build of the DB. + for CONFIG_FILE in KDB/DB_CONFIG PTree/DB_CONFIG; do + if [ -e $CONFIG_FILE ] && [ ! -L $CONFIG_FILE ]; then + echo "$CONFIG_FILE exists but is not a symlink." >&2 + echo "Please remove $PWD/$CONFIG_FILE manually to continue." >&2 + exit 1 + fi + ln -sf ${dbConfig} $CONFIG_FILE + done ''; serviceConfig = { WorkingDirectory = "~"; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 61b751bb518b..6f4852c3ba1a 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix 
@@ -81,7 +81,7 @@ let ${optionalString (elem cfg.relay.role ["bridge" "private-bridge"]) '' BridgeRelay 1 - ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed + ServerTransportPlugin ${concatStringsSep "," cfg.relay.bridgeTransports} exec ${obfs4}/bin/obfs4proxy managed ExtORPort auto ${optionalString (cfg.relay.role == "private-bridge") '' ExtraInfoStatistics 0 @@ -355,7 +355,7 @@ in <para> Regular bridge. Works like a regular relay, but doesn't list you in the public relay directory and - hides your Tor node behind obfsproxy. + hides your Tor node behind obfs4proxy. </para> <para> @@ -424,6 +424,13 @@ in ''; }; + bridgeTransports = mkOption { + type = types.listOf types.str; + default = ["obfs4"]; + example = ["obfs2" "obfs3" "obfs4" "scramblesuit"]; + description = "List of pluggable transports"; + }; + nickname = mkOption { type = types.str; default = "anonymous"; diff --git a/nixos/modules/services/web-apps/documize.nix b/nixos/modules/services/web-apps/documize.nix index 206617b0e5ac..37359869cb64 100644 --- a/nixos/modules/services/web-apps/documize.nix +++ b/nixos/modules/services/web-apps/documize.nix 
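Review bot: The `bridgeTransports` example advertises `obfs2` and `obfs3`; obfs2 has long been deprecated by the Tor Project as offering essentially no obfuscation against an active prober and obfs3 is considered weak, so the example should not encourage operators to serve them — drop `obfs2` from the example and add to the description: `obfs4 is the only transport currently recommended; obfs3 and scramblesuit are accepted for legacy clients only`. The type is `listOf str`, so a typo only surfaces as a `ServerTransportPlugin` line obfs4proxy rejects at startup; `types.enum` over the transports the pinned `obfs4` package actually implements would catch it at evaluation — I am going from memory on that list, so check the package before narrowing the type.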
@@ -3,65 +3,136 @@ with lib; let - cfg = config.services.documize; -in + mkParams = optional: concatMapStrings (name: let + predicate = optional -> cfg.${name} != null; + template = " -${name} '${toString cfg.${name}}'"; + in optionalString predicate template); - { - options.services.documize = { - enable = mkEnableOption "Documize Wiki"; +in { + options.services.documize = { + enable = mkEnableOption "Documize Wiki"; - offline = mkEnableOption "Documize offline mode"; + package = mkOption { + type = types.package; + default = pkgs.documize-community; + description = '' + Which package to use for documize. + ''; + }; - package = mkOption { - default = pkgs.documize-community; - type = types.package; - description = '' - Which package to use for documize. - ''; - }; + salt = mkOption { + type = types.nullOr types.str; + default = null; + example = "3edIYV6c8B28b19fh"; + description = '' + The salt string used to encode JWT tokens, if not set a random value will be generated. + ''; + }; - db = mkOption { - type = types.str; - example = "host=localhost port=5432 sslmode=disable user=admin password=secret dbname=documize"; - description = '' - The DB connection string to use for the database. - ''; - }; + cert = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The <filename>cert.pem</filename> file used for https. + ''; + }; - dbtype = mkOption { - type = types.enum [ "postgresql" "percona" "mariadb" "mysql" ]; - description = '' - Which database to use for storage. - ''; - }; + key = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The <filename>key.pem</filename> file used for https. + ''; + }; - port = mkOption { - type = types.port; - example = 3000; - description = '' - Which TCP port to serve. - ''; - }; + port = mkOption { + type = types.port; + default = 5001; + description = '' + The http/https port number. 
+ ''; + }; + + forcesslport = mkOption { + type = types.nullOr types.port; + default = null; + description = '' + Redirect given http port number to TLS. + ''; + }; + + offline = mkOption { + type = types.bool; + default = false; + description = '' + Set <literal>true</literal> for offline mode. + ''; + apply = v: if true == v then 1 else 0; + }; + + dbtype = mkOption { + type = types.enum [ "mysql" "percona" "mariadb" "postgresql" "sqlserver" ]; + default = "postgresql"; + description = '' + Specify the database provider: + <simplelist type='inline'> + <member><literal>mysql</literal></member> + <member><literal>percona</literal></member> + <member><literal>mariadb</literal></member> + <member><literal>postgresql</literal></member> + <member><literal>sqlserver</literal></member> + </simplelist> + ''; }; - config = mkIf cfg.enable { - systemd.services.documize-server = { - wantedBy = [ "multi-user.target" ]; - - script = '' - ${cfg.package}/bin/documize \ - -db "${cfg.db}" \ - -dbtype ${cfg.dbtype} \ - -port ${toString cfg.port} \ - -offline ${if cfg.offline then "1" else "0"} - ''; - - serviceConfig = { - Restart = "always"; - DynamicUser = "yes"; - }; + db = mkOption { + type = types.str; + description = '' + Database specific connection string for example: + <itemizedlist> + <listitem><para>MySQL/Percona/MariaDB: + <literal>user:password@tcp(host:3306)/documize</literal> + </para></listitem> + <listitem><para>MySQLv8+: + <literal>user:password@tcp(host:3306)/documize?allowNativePasswords=true</literal> + </para></listitem> + <listitem><para>PostgreSQL: + <literal>host=localhost port=5432 dbname=documize user=admin password=secret sslmode=disable</literal> + </para></listitem> + <listitem><para>MSSQL: + <literal>sqlserver://username:password@localhost:1433?database=Documize</literal> or + <literal>sqlserver://sa@localhost/SQLExpress?database=Documize</literal> + </para></listitem> + </itemizedlist> + ''; + }; + + location = mkOption { + type = types.nullOr 
types.str; + default = null; + description = '' + reserved + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.documize-server = { + description = "Documize Wiki"; + documentation = [ https://documize.com/ ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = concatStringsSep " " [ + "${cfg.package}/bin/documize" + (mkParams false [ "db" "dbtype" "port" ]) + (mkParams true [ "offline" "location" "forcesslport" "key" "cert" "salt" ]) + ]; + Restart = "always"; + DynamicUser = "yes"; }; }; - } + }; +} diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 3a154ab75ba9..c486d6c8613b 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -16,11 +16,11 @@ let } // (optionalAttrs vhostConfig.enableACME { sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem"; - sslTrustedCertificate = "${acmeDirectory}/${serverName}/full.pem"; + sslTrustedCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; }) // (optionalAttrs (vhostConfig.useACMEHost != null) { sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem"; - sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/full.pem"; + sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 9bf03a494701..7b65f1b85c69 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix 
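Review bot: Within this hunk `cfg = config.services.documize;` appears only on the removed side, while the new `mkParams` helper and the `config` block still read `cfg.${name}`, `cfg.enable` and `cfg.package`; unless `cfg` is still bound somewhere above the hunk, the module will not evaluate, so please confirm. Separately, `mkParams` renders `salt` and the `db` connection string (which the description shows carrying `password=secret`) into `ExecStart`, so these secrets land in the world-readable Nix store unit file and in the service's command line; both option descriptions should say so, e.g. `Note: this value is written into the systemd unit and is therefore visible in the Nix store and in the process command line.` The `'${toString cfg.${name}}'` quoting in `template` also breaks for any value containing a single quote, which a database password easily can; `lib.escapeShellArg` should quote it robustly for systemd's parser. Finally, `documentation = [ https://documize.com/ ];` uses the unquoted URL literal form; `"https://documize.com/"` is the conventional spelling and avoids the deprecation warning in newer Nix.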
@@ -18,7 +18,7 @@ let nixos-gsettings-desktop-schemas = pkgs.runCommand "nixos-gsettings-desktop-schemas" { preferLocalBuild = true; } '' mkdir -p $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas - cp -rf ${pkgs.gnome3.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas + cp -rf ${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas ${concatMapStrings (pkg: "cp -rf ${pkg}/share/gsettings-schemas/*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas\n") cfg.extraGSettingsOverridePackages} diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index 397b308b7311..8ff00fa11dc7 100644 --- a/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixos/modules/system/activation/switch-to-configuration.pl 
@@ -166,24 +166,6 @@ while (my ($unit, $state) = each %{$activePrev}) { if (-e $prevUnitFile && ($state->{state} eq "active" || $state->{state} eq "activating")) { if (! -e $newUnitFile || abs_path($newUnitFile) eq "/dev/null") { - # Ignore (i.e. never stop) these units: - if ($unit eq "system.slice") { - # TODO: This can be removed a few months after 18.09 is out - # (i.e. after everyone switched away from 18.03). - # Problem: Restarting (stopping) system.slice would not only - # stop X11 but also most system units/services. We obviously - # don't want this happening to users when they switch from 18.03 - # to 18.09 or nixos-unstable. - # Reason: The following change in systemd: - # https://github.com/systemd/systemd/commit/d8e5a9338278d6602a0c552f01f298771a384798 - # The commit adds system.slice to the perpetual units, which - # means removing the unit file and adding it to the source code. - # This is done so that system.slice can't be stopped anymore but - # in our case it ironically would cause this script to stop - # system.slice because the unit was removed (and an older - # systemd version is still running). - next; - } my $unitInfo = parseUnit($prevUnitFile); $unitsToStop{$unit} = 1 if boolIsTrue($unitInfo->{'X-StopOnRemoval'} // "yes"); } diff --git a/nixos/modules/system/boot/kexec.nix b/nixos/modules/system/boot/kexec.nix index 61f9c6d0e7eb..fd2cb94b756b 100644 --- a/nixos/modules/system/boot/kexec.nix +++ b/nixos/modules/system/boot/kexec.nix 
@@ -13,8 +13,18 @@ path = [ pkgs.kexectools ]; script = '' + # Don't load the current system profile if we already have a kernel loaded + if [[ 1 = "$(</sys/kernel/kexec_loaded)" ]] ; then + echo "kexec kernel has already been loaded, prepare-kexec skipped" + exit 0 + fi + p=$(readlink -f /nix/var/nix/profiles/system) - if ! [ -d $p ]; then exit 1; fi + if ! [[ -d $p ]]; then + echo "Could not find system profile for prepare-kexec" + exit 1 + fi + echo "Loading NixOS system via kexec." exec kexec --load $p/kernel --initrd=$p/initrd --append="$(cat $p/kernel-params) init=$p/init" ''; }; diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index aa4a5f8abcce..3841074f0433 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -87,6 +87,9 @@ let mkdir -p /crypt-ramfs mount -t ramfs none /crypt-ramfs + # Cryptsetup locking directory + mkdir -p /run/cryptsetup + # For Yubikey salt storage mkdir -p /crypt-storage |
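Review bot: The new early exit treats any already-loaded kexec image as the one to keep, so once a kernel has been loaded the script never refreshes it even if the system profile has changed since; the comment on that branch should make this explicit, e.g. `# Skip when a kexec kernel is already loaded; an image loaded earlier is kept as-is even if the profile changed since.` If `/sys/kernel/kexec_loaded` is absent (kernel without kexec support), `$(<...)` expands to an empty string, so the check emits only a bash error and falls through to the load path, which is acceptable but worth a line in the same comment.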