diff options
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/hardware/video/nvidia.nix | 9 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 4 | ||||
-rw-r--r-- | nixos/modules/misc/nixpkgs.nix | 7 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/backup/znapzend.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/databases/openldap.nix | 33 | ||||
-rw-r--r-- | nixos/modules/services/desktops/gnome3/gnome-keyring.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/misc/emby.nix | 76 | ||||
-rw-r--r-- | nixos/modules/services/misc/ethminer.nix | 115 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/grafana-reporter.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/hostapd.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/networking/softether.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/znc/default.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/security/tor.nix | 11 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 4 |
15 files changed, 189 insertions, 99 deletions
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 80ea7bc5d5c9..9f2360f41c6e 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -79,6 +79,14 @@ in ''; }; + hardware.nvidia.optimus_prime.allowExternalGpu = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Configure X to allow external NVIDIA GPUs when using optimus. + ''; + }; + hardware.nvidia.optimus_prime.nvidiaBusId = lib.mkOption { type = lib.types.string; default = ""; @@ -134,6 +142,7 @@ in deviceSection = optionalString optimusCfg.enable '' BusID "${optimusCfg.nvidiaBusId}" + ${optionalString optimusCfg.allowExternalGpu "Option \"AllowExternalGpus\""} ''; screenSection = '' diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index e78673514e3b..cd6bb9019b18 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -266,7 +266,7 @@ caddy = 239; taskd = 240; factorio = 241; - emby = 242; + # emby = 242; # unusued, removed 2019-05-01 graylog = 243; sniproxy = 244; nzbget = 245; @@ -567,7 +567,7 @@ caddy = 239; taskd = 240; factorio = 241; - emby = 242; + # emby = 242; # unused, removed 2019-05-01 sniproxy = 244; nzbget = 245; mosquitto = 246; diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 3a717fddaba2..9d19dd2a7ff2 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -127,13 +127,14 @@ in default = []; example = literalExample '' - [ (self: super: { + [ + (self: super: { openssh = super.openssh.override { hpnSupport = true; kerberos = self.libkrb5; }; - }; - ) ] + }) + ] ''; type = types.listOf overlayType; description = '' diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 56c44a43c6e3..05b4b7296396 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -392,9 +392,9 @@ ./services/misc/dysnomia.nix ./services/misc/disnix.nix ./services/misc/docker-registry.nix - ./services/misc/emby.nix ./services/misc/errbot.nix ./services/misc/etcd.nix + ./services/misc/ethminer.nix ./services/misc/exhibitor.nix ./services/misc/felix.nix ./services/misc/folding-at-home.nix diff --git a/nixos/modules/services/backup/znapzend.nix b/nixos/modules/services/backup/znapzend.nix index fc8a424190f7..11b6215794ec 100644 --- a/nixos/modules/services/backup/znapzend.nix +++ b/nixos/modules/services/backup/znapzend.nix @@ -382,8 +382,10 @@ in | xargs -I{} ${pkgs.znapzend}/bin/znapzendzetup delete "{}" '' + concatStringsSep "\n" (mapAttrsToList (dataset: config: '' echo Importing znapzend zetup ${config} for dataset ${dataset} - ${pkgs.znapzend}/bin/znapzendzetup import --write ${dataset} ${config} - '') files); + ${pkgs.znapzend}/bin/znapzendzetup import --write ${dataset} ${config} & + '') files) + '' + wait + ''; serviceConfig = { ExecStart = let diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index c101e7375af9..c2f458c03794 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -18,7 +18,11 @@ let database ${cfg.database} suffix ${cfg.suffix} rootdn ${cfg.rootdn} - rootpw ${cfg.rootpw} + ${if (cfg.rootpw != null) then '' + rootpw ${cfg.rootpw} + '' else '' + include ${cfg.rootpwFile} + ''} directory ${cfg.dataDir} ${cfg.extraDatabaseConfig} ''); @@ -106,10 +110,23 @@ in }; rootpw = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; description = '' Password for the root user. This setting will be ignored if configDir is set. + Using this option will store the root password in plain text in the + world-readable nix store. To avoid this the <literal>rootpwFile</literal> can be used. + ''; + }; + + rootpwFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password file for the root user. + The file should contain the string <literal>rootpw</literal> followed by the password. + e.g.: <literal>rootpw mysecurepassword</literal> ''; }; @@ -140,9 +157,9 @@ in include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema include ${pkgs.openldap.out}/etc/schema/nis.schema - database bdb - suffix dc=example,dc=org - rootdn cn=admin,dc=example,dc=org + database bdb + suffix dc=example,dc=org + rootdn cn=admin,dc=example,dc=org # NOTE: change after first start rootpw secret directory /var/db/openldap @@ -218,6 +235,12 @@ in ###### implementation config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.rootpwFile != null || cfg.rootpw != null; + message = "Either services.openldap.rootpw or services.openldap.rootpwFile must be set"; + } + ]; environment.systemPackages = [ openldap ]; diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix index 4c350d8bb1c6..db60445ef773 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix @@ -37,6 +37,11 @@ with lib; security.pam.services.login.enableGnomeKeyring = true; + security.wrappers.gnome-keyring-daemon = { + source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon"; + capabilities = "cap_ipc_lock=ep"; + }; + }; } diff --git a/nixos/modules/services/misc/emby.nix b/nixos/modules/services/misc/emby.nix deleted file mode 100644 index 0ad4a3f7376f..000000000000 --- a/nixos/modules/services/misc/emby.nix +++ /dev/null @@ -1,76 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.emby; -in -{ - options = { - services.emby = { - enable = mkEnableOption "Emby Media Server"; - - user = mkOption { - type = types.str; - default = "emby"; - description = "User account under which Emby runs."; - }; - - group = mkOption { - type = types.str; - default = "emby"; - description = "Group under which emby runs."; - }; - - dataDir = mkOption { - type = types.path; - default = "/var/lib/emby/ProgramData-Server"; - description = "Location where Emby stores its data."; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.emby = { - description = "Emby Media Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - if [ -d ${cfg.dataDir} ] - then - for plugin in ${cfg.dataDir}/plugins/* - do - echo "Correcting permissions of plugin: $plugin" - chmod u+w $plugin - done - else - echo "Creating initial Emby data directory in ${cfg.dataDir}" - mkdir -p ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} - fi - ''; - - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - PermissionsStartOnly = "true"; - ExecStart = "${pkgs.emby}/bin/emby -programdata ${cfg.dataDir}"; - Restart = "on-failure"; - }; - }; - - users.users = mkIf (cfg.user == "emby") { - emby = { - group = cfg.group; - uid = config.ids.uids.emby; - }; - }; - - users.groups = mkIf (cfg.group == "emby") { - emby = { - gid = config.ids.gids.emby; - }; - }; - }; -} diff --git a/nixos/modules/services/misc/ethminer.nix b/nixos/modules/services/misc/ethminer.nix new file mode 100644 index 000000000000..2958cf214473 --- /dev/null +++ b/nixos/modules/services/misc/ethminer.nix @@ -0,0 +1,115 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ethminer; + poolUrl = escapeShellArg "stratum1+tcp://${cfg.wallet}@${cfg.pool}:${toString cfg.stratumPort}/${cfg.rig}/${cfg.registerMail}"; +in + +{ + + ###### interface + + options = { + + services.ethminer = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Enable ethminer ether mining."; + }; + + recheckInterval = mkOption { + type = types.int; + default = 2000; + description = "Interval in milliseconds between farm rechecks."; + }; + + toolkit = mkOption { + type = types.enum [ "cuda" "opencl" ]; + default = "cuda"; + description = "Cuda or opencl toolkit."; + }; + + apiPort = mkOption { + type = types.int; + default = -3333; + description = "Ethminer api port. minus sign puts api in read-only mode."; + }; + + wallet = mkOption { + type = types.str; + example = "0x0123456789abcdef0123456789abcdef01234567"; + description = "Ethereum wallet address."; + }; + + pool = mkOption { + type = types.str; + example = "eth-us-east1.nanopool.org"; + description = "Mining pool address."; + }; + + stratumPort = mkOption { + type = types.port; + default = 9999; + description = "Stratum protocol tcp port."; + }; + + rig = mkOption { + type = types.str; + default = "mining-rig-name"; + description = "Mining rig name."; + }; + + registerMail = mkOption { + type = types.str; + example = "email%40example.org"; + description = "Url encoded email address to register with pool."; + }; + + maxPower = mkOption { + type = types.int; + default = 115; + description = "Miner max watt usage."; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.ethminer = { + path = [ pkgs.cudatoolkit ]; + description = "ethminer ethereum mining service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStartPost = optional (cfg.toolkit == "cuda") "+${getBin config.boot.kernelPackages.nvidia_x11}/bin/nvidia-smi -pl ${toString cfg.maxPower}"; + }; + + environment = { + LD_LIBRARY_PATH = "${config.boot.kernelPackages.nvidia_x11}/lib"; + }; + + script = '' + ${pkgs.ethminer}/bin/.ethminer-wrapped \ + --farm-recheck ${toString cfg.recheckInterval} \ + --report-hashrate \ + --${cfg.toolkit} \ + --api-port ${toString cfg.apiPort} \ + --pool ${poolUrl} + ''; + + }; + + }; + +} diff --git a/nixos/modules/services/monitoring/grafana-reporter.nix b/nixos/modules/services/monitoring/grafana-reporter.nix index 149026d20188..827cf6322cfd 100644 --- a/nixos/modules/services/monitoring/grafana-reporter.nix +++ b/nixos/modules/services/monitoring/grafana-reporter.nix @@ -52,7 +52,7 @@ in { wantedBy = ["multi-user.target"]; after = ["network.target"]; serviceConfig = let - args = lib.concatSepString " " [ + args = lib.concatStringsSep " " [ "-proto ${cfg.grafana.protocol}://" "-ip ${cfg.grafana.addr}:${toString cfg.grafana.port}" "-port :${toString cfg.port}" diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index 3fbc08e90607..7add48308f80 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: # TODO: # @@ -12,6 +12,8 @@ let cfg = config.services.hostapd; + escapedInterface = utils.escapeSystemdPath cfg.interface; + configFile = pkgs.writeText "hostapd.conf" '' interface=${cfg.interface} driver=${cfg.driver} @@ -157,8 +159,8 @@ in { description = "hostapd wireless AP"; path = [ pkgs.hostapd ]; - after = [ "sys-subsystem-net-devices-${cfg.interface}.device" ]; - bindsTo = [ "sys-subsystem-net-devices-${cfg.interface}.device" ]; + after = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; + bindsTo = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; requiredBy = [ "network-link-${cfg.interface}.service" ]; serviceConfig = diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index 65df93a00da9..0046dcd366fa 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -70,6 +70,8 @@ in systemd.services."softether-init" = { description = "SoftEther VPN services initial task"; + after = [ "keys.target" ]; + wants = [ "keys.target" ]; wantedBy = [ "network.target" ]; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index 1ad8855b86db..46bff6954cdd 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -47,11 +47,11 @@ let # Baz=baz # Qux=qux # </Foo> - set = concatMap (subname: [ + set = concatMap (subname: optionals (value.${subname} != null) ([ "<${name} ${subname}>" ] ++ map (line: "\t${line}") (toLines value.${subname}) ++ [ "</${name}>" - ]) (filter (v: v != null) (attrNames value)); + ])) (filter (v: v != null) (attrNames value)); }.${builtins.typeOf value}; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 61b751bb518b..6f4852c3ba1a 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -81,7 +81,7 @@ let ${optionalString (elem cfg.relay.role ["bridge" "private-bridge"]) '' BridgeRelay 1 - ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed + ServerTransportPlugin ${concatStringsSep "," cfg.relay.bridgeTransports} exec ${obfs4}/bin/obfs4proxy managed ExtORPort auto ${optionalString (cfg.relay.role == "private-bridge") '' ExtraInfoStatistics 0 @@ -355,7 +355,7 @@ in <para> Regular bridge. Works like a regular relay, but doesn't list you in the public relay directory and - hides your Tor node behind obfsproxy. + hides your Tor node behind obfs4proxy. </para> <para> @@ -424,6 +424,13 @@ in ''; }; + bridgeTransports = mkOption { + type = types.listOf types.str; + default = ["obfs4"]; + example = ["obfs2" "obfs3" "obfs4" "scramblesuit"]; + description = "List of pluggable transports"; + }; + nickname = mkOption { type = types.str; default = "anonymous"; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 3a154ab75ba9..c486d6c8613b 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -16,11 +16,11 @@ let } // (optionalAttrs vhostConfig.enableACME { sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem"; - sslTrustedCertificate = "${acmeDirectory}/${serverName}/full.pem"; + sslTrustedCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; }) // (optionalAttrs (vhostConfig.useACMEHost != null) { sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem"; - sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/full.pem"; + sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; |