Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/miniupnpd.nix | 70 | ||||
-rw-r--r-- | nixos/modules/services/torrent/transmission.nix | 25 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/grub/grub.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/azure-agent.nix | 170 | ||||
-rw-r--r-- | nixos/modules/virtualisation/azure-common.nix | 3 | ||||
-rw-r--r-- | nixos/modules/virtualisation/azure-image.nix | 12 |
7 files changed, 266 insertions, 17 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 9bd35ded039c..963daf721ad3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -312,6 +312,7 @@
 ./services/networking/lambdabot.nix
 ./services/networking/mailpile.nix
 ./services/networking/minidlna.nix
+ ./services/networking/miniupnpd.nix
 ./services/networking/mstpd.nix
 ./services/networking/murmur.nix
 ./services/networking/namecoind.nix
diff --git a/nixos/modules/services/networking/miniupnpd.nix b/nixos/modules/services/networking/miniupnpd.nix
new file mode 100644
index 000000000000..e654eb80b177
--- /dev/null
+++ b/nixos/modules/services/networking/miniupnpd.nix
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.miniupnpd;
+ configFile = pkgs.writeText "miniupnpd.conf" ''
+ ext_ifname=${cfg.externalInterface}
+ enable_natpmp=${if cfg.natpmp then "yes" else "no"}
+ enable_upnp=${if cfg.upnp then "yes" else "no"}
+
+ ${concatMapStrings (range: ''
+ listening_ip=${range}
+ '') cfg.internalIPs}
+
+ ${cfg.appendConfig}
+ '';
+in
+{
+ options = {
+ services.miniupnpd = {
+ enable = mkEnableOption "MiniUPnP daemon";
+
+ externalInterface = mkOption {
+ type = types.str;
+ description = ''
+ Name of the external interface.
+ '';
+ };
+
+ internalIPs = mkOption {
+ type = types.listOf types.str;
+ example = [ "192.168.1.0/24" ];
+ description = ''
+ The IP address ranges to listen on.
+ '';
+ };
+
+ natpmp = mkEnableOption "NAT-PMP support";
+
+ upnp = mkOption {
+ default = true;
+ type = types.bool;
+ description = ''
+ Whether to enable UPNP support.
+ '';
+ };
+
+ appendConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = ''
+ Configuration lines appended to the MiniUPnP config.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.miniupnpd = {
+ description = "MiniUPnP daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.miniupnpd ];
+ serviceConfig = {
+ ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -d -f ${configFile}";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
index 1c9149224049..b3f1f9066367 100644
--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
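Review bot: The config written by `configFile` has no `secure_mode` entry, so with the defaults any client in `internalIPs` may ask the daemon to redirect a port to another LAN host rather than only to itself; I would emit `secure_mode=yes` after the `enable_upnp` line and mention the setting in the `appendConfig` description so administrators know which knob relaxes it. The unit also runs as root with no `User` or sandboxing directives, and nothing in the module opens the firewall for SSDP or creates the NAT rules miniupnpd needs, so the option descriptions should say that the administrator must provide those (presumably via `networking.firewall.extraCommands` — confirm). `internalIPs` has no `default`, so enabling the service without it fails at evaluation; that is reasonable but worth stating in its description.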
@@ -113,21 +113,26 @@ in
 #include <abstractions/base>
 #include <abstractions/nameservice>
- ${pkgs.glibc}/lib/*.so mr,
- ${pkgs.libevent}/lib/libevent*.so* mr,
- ${pkgs.curl}/lib/libcurl*.so* mr,
- ${pkgs.openssl}/lib/libssl*.so* mr,
- ${pkgs.openssl}/lib/libcrypto*.so* mr,
- ${pkgs.zlib}/lib/libz*.so* mr,
- ${pkgs.libssh2}/lib/libssh2*.so* mr,
- ${pkgs.systemd}/lib/libsystemd*.so* mr,
- ${pkgs.xz}/lib/liblzma*.so* mr,
- ${pkgs.libgcrypt}/lib/libgcrypt*.so* mr,
+ ${pkgs.glibc}/lib/*.so mr,
+ ${pkgs.libevent}/lib/libevent*.so* mr,
+ ${pkgs.curl}/lib/libcurl*.so* mr,
+ ${pkgs.openssl}/lib/libssl*.so* mr,
+ ${pkgs.openssl}/lib/libcrypto*.so* mr,
+ ${pkgs.zlib}/lib/libz*.so* mr,
+ ${pkgs.libssh2}/lib/libssh2*.so* mr,
+ ${pkgs.systemd}/lib/libsystemd*.so* mr,
+ ${pkgs.xz}/lib/liblzma*.so* mr,
+ ${pkgs.libgcrypt}/lib/libgcrypt*.so* mr,
 ${pkgs.libgpgerror}/lib/libgpg-error*.so* mr,
+ ${pkgs.libnghttp2}/lib/libnghttp2*.so* mr,
+ ${pkgs.c-ares}/lib/libcares*.so* mr,
+ ${pkgs.libcap}/lib/libcap*.so* mr,
+ ${pkgs.attr}/lib/libattr*.so* mr,
 @{PROC}/sys/kernel/random/uuid r,
 @{PROC}/sys/vm/overcommit_memory r,
+ ${pkgs.openssl}/etc/** r,
 ${pkgs.transmission}/share/transmission/** r,
 owner ${settingsDir}/** rw,
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 5f09e937537f..87dbbd7cd51f 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -470,7 +470,7 @@ in
 ] ++ flip concatMap cfg.mirroredBoots (args: [
 {
 assertion = args.devices != [ ];
- message = "A boot path cannot have an empty devices string in ${arg.path}";
+ message = "A boot path cannot have an empty devices string in ${args.path}";
 }
 {
 assertion = hasPrefix "/" args.path;
diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix
new file mode 100644
index 000000000000..e657cc519396
--- /dev/null
+++ b/nixos/modules/virtualisation/azure-agent.nix
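Review bot: The new `libnghttp2`, `c-ares`, `libcap` and `attr` entries show that this allow-list tracks the transitive closure of curl and systemd by hand, so the next dependency bump of any of those packages will make transmission fail under AppArmor again with only an audit-log denial to go on; I would add a comment above the first `${pkgs.glibc}` line such as `# keep in sync with the runtime closure of pkgs.transmission; a missing library surfaces only as an AppArmor denial at start-up`. The first ten `-`/`+` pairs differ only in whitespace as far as this view shows, so the re-indent could have been kept out of a change that also widens the profile. The AppArmor profile string starts and ends outside the hunk.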
@@ -0,0 +1,170 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.virtualisation.azure.agent;
+
+ waagent = with pkgs; stdenv.mkDerivation rec {
+ name = "waagent-2.0";
+ src = pkgs.fetchgit {
+ url = https://github.com/Phreedom/WALinuxAgent.git;
+ rev = "9dba81c7b1239c7971ec96e405e403c7cd224e6b";
+ sha256 = "0khxk3ns3z37v26f2qj6m3m698a0vqpc9bxg5p7fyr3xza5gzwhs";
+ };
+ buildInputs = [ makeWrapper python pythonPackages.wrapPython ];
+ runtimeDeps = [ findutils gnugrep gawk coreutils openssl openssh
+ nettools # for hostname
+ procps # for pidof
+ shadow # for useradd, usermod
+ utillinux # for (u)mount, fdisk, sfdisk, mkswap
+ parted
+ ];
+ pythonPath = [ pythonPackages.pyasn1 ];
+
+ configurePhase = false;
+ buildPhase = false;
+
+ installPhase = ''
+ substituteInPlace config/99-azure-product-uuid.rules \
+ --replace /bin/chmod "${coreutils}/bin/chmod"
+ mkdir -p $out/lib/udev/rules.d
+ cp config/*.rules $out/lib/udev/rules.d
+
+ mkdir -p $out/bin
+ cp waagent $out/bin/
+ chmod +x $out/bin/waagent
+
+ wrapProgram "$out/bin/waagent" \
+ --prefix PYTHONPATH : $PYTHONPATH \
+ --prefix PATH : "${makeSearchPath "bin" runtimeDeps}"
+ '';
+ };
+
+ provisionedHook = pkgs.writeScript "provisioned-hook" ''
+ #!${pkgs.stdenv.shell}
+ ${config.systemd.package}/bin/systemctl start provisioned.target
+ '';
+
+in
+
+{
+
+ ###### interface
+
+ options.virtualisation.azure.agent.enable = mkOption {
+ default = false;
+ description = "Whether to enable the Windows Azure Linux Agent.";
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ assertions = [ {
+ assertion = pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64;
+ message = "Azure not currently supported on ${pkgs.stdenv.system}";
+ } {
+ assertion = config.networking.networkmanager.enable == false;
+ message = "Windows Azure Linux Agent is not compatible with NetworkManager";
+ } ];
+
+ boot.initrd.kernelModules = [ "ata_piix" ];
+ networking.firewall.allowedUDPPorts = [ 68 ];
+
+
+ environment.etc."waagent.conf".text = ''
+ #
+ # Windows Azure Linux Agent Configuration
+ #
+
+ Role.StateConsumer=${provisionedHook}
+
+ # Enable instance creation
+ Provisioning.Enabled=y
+
+ # Password authentication for root account will be unavailable.
+ Provisioning.DeleteRootPassword=n
+
+ # Generate fresh host key pair.
+ Provisioning.RegenerateSshHostKeyPair=y
+
+ # Supported values are "rsa", "dsa" and "ecdsa".
+ Provisioning.SshHostKeyPairType=ed25519
+
+ # Monitor host name changes and publish changes via DHCP requests.
+ Provisioning.MonitorHostName=y
+
+ # Decode CustomData from Base64.
+ Provisioning.DecodeCustomData=n
+
+ # Execute CustomData after provisioning.
+ Provisioning.ExecuteCustomData=n
+
+ # Format if unformatted. If 'n', resource disk will not be mounted.
+ ResourceDisk.Format=y
+
+ # File system on the resource disk
+ # Typically ext3 or ext4. FreeBSD images should use 'ufs2' here.
+ ResourceDisk.Filesystem=ext4
+
+ # Mount point for the resource disk
+ ResourceDisk.MountPoint=/mnt/resource
+
+ # Respond to load balancer probes if requested by Windows Azure.
+ LBProbeResponder=y
+
+ # Enable logging to serial console (y|n)
+ # When stdout is not enough...
+ # 'y' if not set
+ Logs.Console=y
+
+ # Enable verbose logging (y|n)
+ Logs.Verbose=n
+
+ # Root device timeout in seconds.
+ OS.RootDeviceScsiTimeout=300
+ '';
+
+ services.udev.packages = [ waagent ];
+
+ networking.dhcpcd.persistent = true;
+
+ services.logrotate = {
+ enable = true;
+ config = ''
+ /var/log/waagent.log {
+ compress
+ monthly
+ rotate 6
+ notifempty
+ missingok
+ }
+ '';
+ };
+
+ systemd.targets.provisioned = {
+ description = "Services Requiring Azure VM provisioning to have finished";
+ wantedBy = [ "sshd.service" ];
+ before = [ "sshd.service" ];
+ };
+
+
+ systemd.services.waagent = {
+ wantedBy = [ "sshd.service" ];
+ before = [ "sshd.service" ];
+ after = [ "ip-up.target" ];
+ wants = [ "ip-up.target" ];
+
+ path = [ pkgs.e2fsprogs ];
+ description = "Windows Azure Agent Service";
+ unitConfig.ConditionPathExists = "/etc/waagent.conf";
+ serviceConfig = {
+ ExecStart = "${waagent}/bin/waagent -daemon";
+ Type = "simple";
+ };
+ };
+
+ };
+
+}
diff --git a/nixos/modules/virtualisation/azure-common.nix b/nixos/modules/virtualisation/azure-common.nix
index 47022c6887c3..eedf115ee150 100644
--- a/nixos/modules/virtualisation/azure-common.nix
+++ b/nixos/modules/virtualisation/azure-common.nix
@@ -4,6 +4,9 @@ with lib;
 {
 imports = [ ../profiles/headless.nix ];
+ require = [ ./azure-agent.nix ];
+ virtualisation.azure.agent.enable = true;
+
 boot.kernelParams = [ "console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail" ];
 boot.initrd.kernelModules = [ "hv_vmbus" "hv_netvsc" "hv_utils" "hv_storvsc" ];
diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix
index 1013396c0498..024be4a51163 100644
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
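Review bot: In the `waagent.conf` text, `Provisioning.SshHostKeyPairType=ed25519` sits directly under the copied comment `# Supported values are "rsa", "dsa" and "ecdsa".`; if the pinned fork does not accept ed25519 here, `Provisioning.RegenerateSshHostKeyPair=y` regenerates nothing and every VM built from the image keeps whatever host key the image carries, so either the comment should be corrected to what the fork supports or the value changed to a listed type. Likewise `Provisioning.DeleteRootPassword=n` sits under `# Password authentication for root account will be unavailable.`, which describes the opposite setting; the comment should match the value chosen. The agent is built from a personal fork (`Phreedom/WALinuxAgent`) pinned by `rev` and `sha256`, which is sound, but a comment on `src` should record why the fork is used instead of upstream so the pin is not later "updated" to a different tree. `options.virtualisation.azure.agent.enable` lacks `type = types.bool`, unlike the typed options in miniupnpd.nix in the same change.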
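Review bot: `require = [ ./azure-agent.nix ];` uses the legacy module attribute while the line above already declares `imports = [ ../profiles/headless.nix ];`; I would fold the new module into that list, `imports = [ ../profiles/headless.nix ./azure-agent.nix ];`, rather than mixing both forms in one file.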
@@ -98,8 +98,8 @@ in
 systemd.services.fetch-ssh-keys = {
 description = "Fetch host keys and authorized_keys for root user";
- wantedBy = [ "sshd.service" ];
- before = [ "sshd.service" ];
+ wantedBy = [ "sshd.service" "waagent.service" ];
+ before = [ "sshd.service" "waagent.service" ];
 after = [ "local-fs.target" ];
 path = [ pkgs.coreutils ];
@@ -108,14 +108,14 @@ in
 eval "$(base64 --decode /metadata/CustomData.bin)"
 if ! [ -z "$ssh_host_ecdsa_key" ]; then
 echo "downloaded ssh_host_ecdsa_key"
- echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ecdsa_key
- chmod 600 /etc/ssh/ssh_host_ecdsa_key
+ echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ed25519_key
+ chmod 600 /etc/ssh/ssh_host_ed25519_key
 fi
 if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then
 echo "downloaded ssh_host_ecdsa_key_pub"
- echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ecdsa_key.pub
- chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
+ echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ed25519_key.pub
+ chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
 fi
 if ! [ -z "$ssh_root_auth_key" ]; then |
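Review bot: The new `echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ed25519_key` creates the private key file under the unit's umask and only afterwards tightens it with `chmod 600`, so the key material is briefly readable by other local users unless the unit sets a restrictive umask; I would write it as `(umask 077; echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ed25519_key)` or put `umask 077` at the top of the script (the `.pub` line can keep 644). The variables and log messages keep the `ssh_host_ecdsa_key` name while the destination is now the ed25519 path, and nothing checks that the CustomData-supplied blob is actually an Ed25519 key, so an image provisioned with the old ECDSA material would leave sshd with an unusable host key at that path; renaming the CustomData keys to `ssh_host_ed25519_key` (or validating the key type before writing) would make the contract explicit. The script and the fetch-ssh-keys unit start before this hunk and continue after it.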