Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/module-list.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/continuous-integration/hydra/default.nix | 20 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 27 | ||||
-rw-r--r-- | nixos/modules/services/networking/ntp/chrony.nix (renamed from nixos/modules/services/networking/chrony.nix) | 11 | ||||
-rw-r--r-- | nixos/modules/services/networking/ntp/ntpd.nix (renamed from nixos/modules/services/networking/ntpd.nix) | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/ntp/openntpd.nix (renamed from nixos/modules/services/networking/openntpd.nix) | 1 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/restya-board.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/zabbix.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 1 |
10 files changed, 51 insertions, 27 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5b7f391ed5a5..fb8453f1d537 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -567,7 +567,6 @@
  ./services/networking/bird.nix
  ./services/networking/bitlbee.nix
  ./services/networking/charybdis.nix
- ./services/networking/chrony.nix
  ./services/networking/cjdns.nix
  ./services/networking/cntlm.nix
  ./services/networking/connman.nix
@@ -650,14 +649,15 @@
  ./services/networking/nntp-proxy.nix
  ./services/networking/nsd.nix
  ./services/networking/ntopng.nix
- ./services/networking/ntpd.nix
+ ./services/networking/ntp/chrony.nix
+ ./services/networking/ntp/ntpd.nix
+ ./services/networking/ntp/openntpd.nix
  ./services/networking/nullidentdmod.nix
  ./services/networking/nylon.nix
  ./services/networking/ocserv.nix
  ./services/networking/ofono.nix
  ./services/networking/oidentd.nix
  ./services/networking/openfire.nix
- ./services/networking/openntpd.nix
  ./services/networking/openvpn.nix
  ./services/networking/ostinato.nix
  ./services/networking/owamp.nix
diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix
index 500acb485620..2da10a9a5e2a 100644
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -275,6 +275,7 @@ in
  ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra
  touch ${baseDir}/.db-created
  fi
+ echo "create extension if not exists pg_trgm" | ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} -- ${config.services.postgresql.package}/bin/psql hydra
  ''}
  if [ ! -e ${cfg.gcRootsDir} ]; then
@@ -379,6 +380,23 @@ in
  };
  };
+ systemd.services.hydra-notify =
+ { wantedBy = [ "multi-user.target" ];
+ requires = [ "hydra-init.service" ];
+ after = [ "hydra-init.service" ];
+ restartTriggers = [ hydraConf ];
+ environment = env // {
+ PGPASSFILE = "${baseDir}/pgpass-queue-runner";
+ };
+ serviceConfig =
+ { ExecStart = "@${cfg.package}/bin/hydra-notify hydra-notify";
+ # FIXME: run this under a less privileged user?
+ User = "hydra-queue-runner";
+ Restart = "always";
+ RestartSec = 5;
+ };
+ };
+
  # If there is less than a certain amount of free disk space, stop
  # the queue/evaluator to prevent builds from failing or aborting.
  systemd.services.hydra-check-space =
@@ -416,6 +434,8 @@ in
  hydra-users hydra-queue-runner hydra
  hydra-users hydra-www hydra
  hydra-users root hydra
+ # The postgres user is used to create the pg_trgm extension for the hydra database
+ hydra-users postgres postgres
  '';
  services.postgresql.authentication = optionalString haveLocalDB
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index caef4ad4ea80..66da6864fca9 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -1,7 +1,5 @@
  { config, lib, pkgs, utils, ... }:
-# TODO: support non-postgresql
-
  with lib;
  let
@@ -806,8 +804,8 @@ in {
  export otp="$(<'${cfg.secrets.otpFile}')"
  export jws="$(<'${cfg.secrets.jwsFile}')"
  ${pkgs.jq}/bin/jq -n '{production: {secret_key_base: $ENV.secret,
- otp_key_base: $ENV.db,
- db_key_base: $ENV.otp,
+ otp_key_base: $ENV.otp,
+ db_key_base: $ENV.db,
  openid_connect_signing_key: $ENV.jws}}' \
  > '${cfg.statePath}/config/secrets.yml'
  )
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 2061c02fffbd..db4d0e328e2d 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
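Review bot: The swap of `otp_key_base` and `db_key_base` in the jq template is the correct mapping of the secret files, but secrets.yml is rewritten from those files on every start (the `> '${cfg.statePath}/config/secrets.yml'` redirect), so an instance that was deployed with the old mapping will come up with a different `db_key_base` than the one its database contents were encrypted with, and anything GitLab encrypted under the previous key presumably becomes unreadable. Operators of existing instances would need to exchange the contents of `dbFile` and `otpFile` before upgrading; that deserves a comment next to the jq call, e.g. `# db_key_base/otp_key_base were swapped before this change; existing installs must swap the two secret files to keep encrypted data readable`, and ideally a release note. The enclosing preStart script starts and ends outside the hunk.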
@@ -8,6 +8,8 @@ let
  dynamicHostsEnabled = cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {};
+ delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
+
  # /var/lib/misc is for dnsmasq.leases.
  stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc";
@@ -177,10 +179,11 @@ in {
  basePackages = mkOption {
  type = types.attrsOf types.package;
  default = { inherit (pkgs)
- networkmanager modemmanager wpa_supplicant crda
+ networkmanager modemmanager crda
  networkmanager-openvpn networkmanager-vpnc networkmanager-openconnect networkmanager-fortisslvpn
- networkmanager-l2tp networkmanager-iodine; };
+ networkmanager-l2tp networkmanager-iodine; }
+ // optionalAttrs (!delegateWireless) { inherit (pkgs) wpa_supplicant; };
  internal = true;
  };
@@ -377,8 +380,11 @@ in {
  config = mkIf cfg.enable {
  assertions = [
- { assertion = config.networking.wireless.enable == false;
- message = "You can not use networking.networkmanager with networking.wireless";
+ { assertion = config.networking.wireless.enable == true -> cfg.unmanaged != [];
+ message = ''
+ You can not use networking.networkmanager with networking.wireless.
+ Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
+ '';
  }
  { assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq");
  message = ''
@@ -491,18 +497,17 @@ in {
  path = [ pkgs.iproute pkgs.utillinux pkgs.coreutils ];
  };
- # Turn off NixOS' network management
- networking = {
+ # Turn off NixOS' network management when networking is managed entirely by NetworkManager
+ networking = (mkIf (!delegateWireless) {
  useDHCP = false;
- # use mkDefault to trigger the assertion about the conflict above
+ # Use mkDefault to trigger the assertion about the conflict above
  wireless.enable = mkDefault false;
- };
+ }) // (mkIf cfg.enableStrongSwan {
+ networkmanager.packages = [ pkgs.networkmanager_strongswan ];
+ });
  security.polkit.extraConfig = polkitConf;
- networking.networkmanager.packages =
- mkIf cfg.enableStrongSwan [ pkgs.networkmanager_strongswan ];
-
  services.dbus.packages = optional cfg.enableStrongSwan pkgs.strongswanNM ++ cfg.packages;
diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index 77f702577000..c74476c7a155 100644
--- a/nixos/modules/services/networking/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -9,11 +9,11 @@ let
  keyFile = "${stateDir}/chrony.keys";
  configFile = pkgs.writeText "chrony.conf" ''
- ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
+ ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers}
  ${optionalString (cfg.initstepslew.enabled && (cfg.servers != []))
- "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
+ "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.servers}"
  }
  driftfile ${stateDir}/chrony.drift
@@ -24,7 +24,7 @@ let
  ${cfg.extraConfig}
  '';
- chronyFlags = "-m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
+ chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
  in
  {
  options = {
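Review bot: `networking = (mkIf (!delegateWireless) { … }) // (mkIf cfg.enableStrongSwan { … });` does not combine the two conditionals: `mkIf` evaluates to a plain attrset `{ _type = "if"; condition = …; content = …; }`, so `//` lets the right-hand value replace every key of the left-hand one and the result is just the strongSwan `mkIf`. The effect is that `useDHCP = false` and `wireless.enable = mkDefault false` are never applied, whatever the value of `delegateWireless`, which also means the wireless/NetworkManager conflict assertion above is no longer triggered by this module. Combining them with `mkMerge` keeps both branches subject to their own condition.
```nix
# Turn off NixOS' network management when networking is managed entirely by NetworkManager
networking = mkMerge [
  (mkIf (!delegateWireless) {
    useDHCP = false;
    # Use mkDefault to trigger the assertion about the conflict above
    wireless.enable = mkDefault false;
  })
  (mkIf cfg.enableStrongSwan {
    networkmanager.packages = [ pkgs.networkmanager_strongswan ];
  })
];
# … unchanged: security.polkit.extraConfig, services.dbus.packages …
```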
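Review bot: Replacing `cfg.initstepslew.servers` with `cfg.servers` in the initstepslew line and dropping `servers = cfg.servers;` from the option default (next hunk) means a value a user has set for `services.chrony.initstepslew.servers` is now silently ignored, assuming the sub-option is still accepted by the option's type, which is declared outside the hunk. A short note in the option description, e.g. `# initstepslew always uses the servers listed in services.chrony.servers`, or a warning when the attribute is set, would make the change visible to existing configurations. The `-n` flag added to chronyFlags matches the `Type = "simple"` change in the later hunk; the two should stay together if either is reverted.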
@@ -48,7 +48,6 @@ in
  default = {
  enabled = true;
  threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s)
- servers = cfg.servers;
  };
  description = ''
  Allow chronyd to make a rapid measurement of the system clock error at
@@ -76,6 +75,8 @@ in
  };
  config = mkIf cfg.enable {
+ meta.maintainers = with lib.maintainers; [ thoughtpolice ];
+
  environment.systemPackages = [ pkgs.chrony ];
  users.groups = singleton
@@ -115,7 +116,7 @@ in
  unitConfig.ConditionCapability = "CAP_SYS_TIME";
  serviceConfig =
- { Type = "forking";
+ { Type = "simple";
  ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
  ProtectHome = "yes";
diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix
index 588d1c6edb07..1197c84f0459 100644
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntp/ntpd.nix
@@ -96,6 +96,7 @@ in
  ###### implementation
  config = mkIf config.services.ntp.enable {
+ meta.maintainers = with lib.maintainers; [ thoughtpolice ];
  # Make tools such as ntpq available in the system path.
  environment.systemPackages = [ pkgs.ntp ];
diff --git a/nixos/modules/services/networking/openntpd.nix b/nixos/modules/services/networking/ntp/openntpd.nix
index f3920aa80646..471d15b1687b 100644
--- a/nixos/modules/services/networking/openntpd.nix
+++ b/nixos/modules/services/networking/ntp/openntpd.nix
@@ -52,6 +52,7 @@ in
  ###### implementation
  config = mkIf cfg.enable {
+ meta.maintainers = with lib.maintainers; [ thoughtpolice ];
  services.timesyncd.enable = mkForce false;
  # Add ntpctl to the environment for status checking
diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix
index f220669c9108..1e7882488ac6 100644
--- a/nixos/modules/services/web-apps/restya-board.nix
+++ b/nixos/modules/services/web-apps/restya-board.nix
@@ -216,7 +216,6 @@ in
  index index.html index.php;
  gzip on;
- gzip_disable "msie6";
  gzip_comp_level 6;
  gzip_min_length 1100;
diff --git a/nixos/modules/services/web-apps/zabbix.nix b/nixos/modules/services/web-apps/zabbix.nix
index dac243b20e97..09538726b7cd 100644
--- a/nixos/modules/services/web-apps/zabbix.nix
+++ b/nixos/modules/services/web-apps/zabbix.nix
@@ -179,7 +179,7 @@ in
  '' + optionalString (cfg.database.type == "oracle") ''
  extension=${pkgs.phpPackages.oci8}/lib/php/extensions/oci8.so
  '';
- phpEnv.ZABBIX_CONFIG = zabbixConfig;
+ phpEnv.ZABBIX_CONFIG = "${zabbixConfig}";
  settings = {
  "listen.owner" = config.services.httpd.user;
  "listen.group" = config.services.httpd.group;
@@ -197,7 +197,7 @@ in
  <Directory "${cfg.package}/share/zabbix">
  <FilesMatch "\.php$">
  <If "-f %{REQUEST_FILENAME}">
- SetHandler "proxy:unix:${fpm.listen}|fcgi://localhost/"
+ SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
  </If>
  </FilesMatch>
  AllowOverride all
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index b94b338fd4a6..e597f34700ae 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -94,7 +94,6 @@ let
  ${optionalString (cfg.recommendedGzipSettings) ''
  gzip on;
- gzip_disable "msie6";
  gzip_proxied any;
  gzip_comp_level 5;
  gzip_types |