diff options
Diffstat (limited to 'nixos/modules')
23 files changed, 260 insertions, 97 deletions
diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 486fe7c1cd8f..c2c36f02a143 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -93,7 +93,7 @@ in hardware.opengl.extraPackages = mkOption { type = types.listOf types.package; default = []; - example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]"; + example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]"; description = '' Additional packages to add to OpenGL drivers. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index c0df2977856e..7c737e84de0a 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -8,6 +8,7 @@ use File::Basename; use File::Slurp; use File::stat; +umask(0022); sub uniq { my %seen; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 44bcec5aec26..521e2c0ca241 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -185,7 +185,7 @@ ./services/databases/neo4j.nix ./services/databases/openldap.nix ./services/databases/opentsdb.nix - ./services/databases/postage.nix + ./services/databases/pgmanage.nix ./services/databases/postgresql.nix ./services/databases/redis.nix ./services/databases/riak.nix @@ -413,6 +413,7 @@ ./services/networking/asterisk.nix ./services/networking/atftpd.nix ./services/networking/avahi-daemon.nix + ./services/networking/babeld.nix ./services/networking/bind.nix ./services/networking/autossh.nix ./services/networking/bird.nix diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index e0fbba897fa4..0935bf0cae71 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -148,11 +148,11 @@ in [ { hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ]; - publicKeyFile = "./pubkeys/myhost_ssh_host_dsa_key.pub"; + publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub; } { hostNames = [ "myhost2" ]; - publicKeyFile = "./pubkeys/myhost2_ssh_host_dsa_key.pub"; + publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub; } ] ''; diff --git a/nixos/modules/programs/sway.nix b/nixos/modules/programs/sway.nix index 2934fba96dda..9070722c770b 100644 --- a/nixos/modules/programs/sway.nix +++ b/nixos/modules/programs/sway.nix @@ -10,7 +10,7 @@ let #! ${pkgs.stdenv.shell} ${cfg.extraSessionCommands} PATH="${sway}/bin:$PATH" - exec ${pkgs.dbus.dbus-launch} --exit-with-session "${sway}/bin/sway" + exec ${pkgs.dbus.dbus-launch} --exit-with-session sway-setcap ''; swayJoined = pkgs.symlinkJoin { name = "sway-wrapped"; @@ -53,7 +53,8 @@ in config = mkIf cfg.enable { environment.systemPackages = [ swayJoined ] ++ cfg.extraPackages; security.wrappers.sway = { - source = "${swayJoined}/bin/sway"; + program = "sway-setcap"; + source = "${sway}/bin/sway"; capabilities = "cap_sys_ptrace,cap_sys_tty_config=eip"; owner = "root"; group = "sway"; diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index a40c5ef9ebe1..fb011019f7f5 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -139,6 +139,20 @@ in ''; }; + production = mkOption { + type = types.bool; + default = true; + description = '' + If set to true, use Let's Encrypt's production environment + instead of the staging environment. The main benefit of the + staging environment is to get much higher rate limits. + + See + <literal>https://letsencrypt.org/docs/staging-environment</literal> + for more detail. + ''; + }; + certs = mkOption { default = { }; type = with types; attrsOf (submodule certOpts); @@ -177,7 +191,9 @@ in cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin ] ++ optionals (data.email != null) [ "--email" data.email ] ++ concatMap (p: [ "-f" p ]) data.plugins - ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains); + ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) + ++ (if cfg.production then [] + else ["--server" "https://acme-staging.api.letsencrypt.org/directory"]); acmeService = { description = "Renew ACME Certificate for ${cert}"; after = [ "network.target" "network-online.target" ]; diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index 823806f4641b..6130ed82ed38 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml @@ -89,8 +89,5 @@ services.nginx = { }; } </programlisting> - -<para>At the moment you still have to restart Nginx after the ACME -certs arrive.</para> </section> </chapter> diff --git a/nixos/modules/services/databases/postage.nix b/nixos/modules/services/databases/pgmanage.nix index d49c9a83a46f..86733a3e5a07 100644 --- a/nixos/modules/services/databases/postage.nix +++ b/nixos/modules/services/databases/pgmanage.nix @@ -3,16 +3,16 @@ with lib; let - cfg = config.services.postage; + cfg = config.services.pgmanage; confFile = pkgs.writeTextFile { - name = "postage.conf"; + name = "pgmanage.conf"; text = '' - connection_file = ${postageConnectionsFile} + connection_file = ${pgmanageConnectionsFile} allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections} - postage_port = ${toString cfg.port} + pgmanage_port = ${toString cfg.port} super_only = ${builtins.toJSON cfg.superOnly} @@ -20,7 +20,7 @@ let login_timeout = ${toString cfg.loginTimeout} - web_root = ${cfg.package}/etc/postage/web_root + web_root = ${cfg.package}/etc/pgmanage/web_root data_root = ${cfg.dataRoot} @@ -33,24 +33,23 @@ let ''; }; - postageConnectionsFile = pkgs.writeTextFile { - name = "postage-connections.conf"; + pgmanageConnectionsFile = pkgs.writeTextFile { + name = "pgmanage-connections.conf"; text = concatStringsSep "\n" (mapAttrsToList (name : conn : "${name}: ${conn}") cfg.connections); }; - postage = "postage"; -in { + pgmanage = "pgmanage"; - options.services.postage = { + pgmanageOptions = { enable = mkEnableOption "PostgreSQL Administration for the web"; package = mkOption { type = types.package; - default = pkgs.postage; - defaultText = "pkgs.postage"; + default = pkgs.pgmanage; + defaultText = "pkgs.pgmanage"; description = '' - The postage package to use. + The pgmanage package to use. ''; }; @@ -62,14 +61,14 @@ in { "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; }; description = '' - Postage requires at least one PostgreSQL server be defined. + pgmanage requires at least one PostgreSQL server be defined. </para><para> Detailed information about PostgreSQL connection strings is available at: <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/> </para><para> Note that you should not specify your user name or password. That information will be entered on the login screen. If you specify a - username or password, it will be removed by Postage before attempting to + username or password, it will be removed by pgmanage before attempting to connect to a database. ''; }; @@ -78,7 +77,7 @@ in { type = types.bool; default = false; description = '' - This tells Postage whether or not to allow anyone to use a custom + This tells pgmanage whether or not to allow anyone to use a custom connection from the login screen. ''; }; @@ -87,7 +86,7 @@ in { type = types.int; default = 8080; description = '' - This tells Postage what port to listen on for browser requests. + This tells pgmanage what port to listen on for browser requests. ''; }; @@ -95,7 +94,7 @@ in { type = types.bool; default = true; description = '' - This tells Postage whether or not to set the listening socket to local + This tells pgmanage whether or not to set the listening socket to local addresses only. ''; }; @@ -104,10 +103,10 @@ in { type = types.bool; default = true; description = '' - This tells Postage whether or not to only allow super users to + This tells pgmanage whether or not to only allow super users to login. The recommended value is true and will restrict users who are not super users from logging in to any PostgreSQL instance through - Postage. Note that a connection will be made to PostgreSQL in order to + pgmanage. Note that a connection will be made to PostgreSQL in order to test if the user is a superuser. ''; }; @@ -116,8 +115,8 @@ in { type = types.nullOr types.str; default = null; description = '' - This tells Postage to only allow users in a certain PostgreSQL group to - login to Postage. Note that a connection will be made to PostgreSQL in + This tells pgmanage to only allow users in a certain PostgreSQL group to + login to pgmanage. Note that a connection will be made to PostgreSQL in order to test if the user is a member of the login group. ''; }; @@ -133,10 +132,10 @@ in { dataRoot = mkOption { type = types.str; - default = "/var/lib/postage"; + default = "/var/lib/pgmanage"; description = '' - This tells Postage where to put the SQL file history. All tabs are saved - to this location so that if you get disconnected from Postage you + This tells pgmanage where to put the SQL file history. All tabs are saved + to this location so that if you get disconnected from pgmanage you don't lose your work. ''; }; @@ -156,15 +155,15 @@ in { }); default = null; description = '' - These options tell Postage where the TLS Certificate and Key files + These options tell pgmanage where the TLS Certificate and Key files reside. If you use these options then you'll only be able to access - Postage through a secure TLS connection. These options are only - necessary if you wish to connect directly to Postage using a secure TLS - connection. As an alternative, you can set up Postage in a reverse proxy + pgmanage through a secure TLS connection. These options are only + necessary if you wish to connect directly to pgmanage using a secure TLS + connection. As an alternative, you can set up pgmanage in a reverse proxy configuration. This allows your web server to terminate the secure - connection and pass on the request to Postage. You can find help to set + connection and pass on the request to pgmanage. You can find help to set up this configuration in: - <link xlink:href="https://github.com/workflowproducts/postage/blob/master/INSTALL_NGINX.md"/> + <link xlink:href="https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md"/> ''; }; @@ -177,29 +176,47 @@ in { }; }; - config = mkIf cfg.enable { - systemd.services.postage = { - description = "postage - PostgreSQL Administration for the web"; - wants = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = postage; - Group = postage; - ExecStart = "${pkgs.postage}/sbin/postage -c ${confFile}" + - optionalString cfg.localOnly " --local-only=true"; - }; - }; - users = { - users."${postage}" = { - name = postage; - group = postage; - home = cfg.dataRoot; - createHome = true; + +in { + + options.services.pgmanage = pgmanageOptions; + + # This is deprecated and should be removed for NixOS-18.03. + options.services.postage = pgmanageOptions; + + config = mkMerge [ + { assertions = [ + { assertion = !config.services.postage.enable; + message = + "services.postage is deprecated in favour of pgmanage. " + + "They have the same options so just substitute postage for pgmanage." ; + } + ]; + } + (mkIf cfg.enable { + systemd.services.pgmanage = { + description = "pgmanage - PostgreSQL Administration for the web"; + wants = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = pgmanage; + Group = pgmanage; + ExecStart = "${pkgs.pgmanage}/sbin/pgmanage -c ${confFile}" + + optionalString cfg.localOnly " --local-only=true"; + }; }; - groups."${postage}" = { - name = postage; + users = { + users."${pgmanage}" = { + name = pgmanage; + group = pgmanage; + home = cfg.dataRoot; + createHome = true; + }; + groups."${pgmanage}" = { + name = pgmanage; + }; }; - }; - }; + }) + ]; } diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 1fef9ac6ec90..867c0ea6761c 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -60,11 +60,11 @@ let manpage_directory = "${pkgs.postfix}/share/man"; html_directory = "${pkgs.postfix}/share/postfix/doc/html"; shlib_directory = false; - relayhost = if cfg.lookupMX || cfg.relayHost == "" - then cfg.relayHost - else - "[${cfg.relayHost}]" - + optionalString (cfg.relayPort != null) ":${toString cfg.relayPort}"; + relayhost = if cfg.relayHost == "" then "" else + if cfg.lookupMX + then "${cfg.relayHost}:${toString cfg.relayPort}" + else "[${cfg.relayHost}]:${toString cfg.relayPort}"; + mail_spool_directory = "/var/spool/mail/"; setgid_group = setgidGroup; } @@ -461,13 +461,10 @@ in }; relayPort = mkOption { - type = types.nullOr types.int; - default = null; - example = 587; + type = types.int; + default = 25; description = " - Specify an optional port for outbound mail relay. (Note: - only used if an explicit <option>relayHost</option> is - defined.) + SMTP port for relay mail relay. "; }; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 740cbc141b53..7b2b40e59232 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -572,7 +572,7 @@ in { rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks mkdir -p ${cfg.statePath}/config - tr -dc A-Za-z0-9 < /dev/urandom | head -c 32 > ${cfg.statePath}/config/gitlab_shell_secret + ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/config/gitlab_shell_secret # The uploads directory is hardcoded somewhere deep in rails. It is # symlinked in the gitlab package to /run/gitlab/uploads to make it @@ -619,7 +619,7 @@ in { fi # enable required pg_trgm extension for gitlab - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm" + ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql ${cfg.databaseName} -c "CREATE EXTENSION IF NOT EXISTS pg_trgm" # Always do the db migrations just to be sure the database is up-to-date ${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production @@ -634,7 +634,7 @@ in { # The gitlab:shell:create_hooks task seems broken for fixing links # so we instead delete all the hooks and create them anew - rm ${cfg.statePath}/repositories/**/*.git/hooks + rm -f ${cfg.statePath}/repositories/**/*.git/hooks ${gitlab-rake}/bin/gitlab-rake gitlab:shell:create_hooks RAILS_ENV=production # Change permissions in the last step because some of the diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index 01b4aca91731..4b1ad34b3a4e 100644 --- a/nixos/modules/services/monitoring/graphite.nix +++ b/nixos/modules/services/monitoring/graphite.nix @@ -22,8 +22,8 @@ let ); graphiteApiConfig = pkgs.writeText "graphite-api.yaml" '' - time_zone: ${config.time.timeZone} search_index: ${dataDir}/index + ${optionalString (!isNull config.time.timeZone) ''time_zone: ${config.time.timeZone}''} ${optionalString (cfg.api.finders != []) ''finders:''} ${concatMapStringsSep "\n" (f: " - " + f.moduleName) cfg.api.finders} ${optionalString (cfg.api.functions != []) ''functions:''} @@ -467,7 +467,15 @@ in { ]; }) - (mkIf cfg.web.enable { + (mkIf cfg.web.enable (let + python27' = pkgs.python27.override { + packageOverrides = self: super: { + django = self.django_1_8; + django_tagging = self.django_tagging_0_4_3; + }; + }; + pythonPackages = python27'.pkgs; + in { systemd.services.graphiteWeb = { description = "Graphite Web Interface"; wantedBy = [ "multi-user.target" ]; @@ -477,8 +485,8 @@ in { PYTHONPATH = let penv = pkgs.python.buildEnv.override { extraLibs = [ - pkgs.python27Packages.graphite_web - pkgs.python27Packages.pysqlite + pythonPackages.graphite_web + pythonPackages.pysqlite ]; }; penvPack = "${penv}/${pkgs.python.sitePackages}"; @@ -516,17 +524,17 @@ in { fi # Only collect static files when graphite_web changes. - if ! [ "${dataDir}/current_graphite_web" -ef "${pkgs.python27Packages.graphite_web}" ]; then + if ! [ "${dataDir}/current_graphite_web" -ef "${pythonPackages.graphite_web}" ]; then mkdir -p ${staticDir} ${pkgs.pythonPackages.django_1_8}/bin/django-admin.py collectstatic --noinput --clear chown -R graphite:graphite ${staticDir} - ln -sfT "${pkgs.python27Packages.graphite_web}" "${dataDir}/current_graphite_web" + ln -sfT "${pythonPackages.graphite_web}" "${dataDir}/current_graphite_web" fi ''; }; - environment.systemPackages = [ pkgs.python27Packages.graphite_web ]; - }) + environment.systemPackages = [ pythonPackages.graphite_web ]; + })) (mkIf cfg.api.enable { systemd.services.graphiteApi = { @@ -536,7 +544,7 @@ in { environment = { PYTHONPATH = let aenv = pkgs.python.buildEnv.override { - extraLibs = [ cfg.api.package pkgs.cairo ] ++ cfg.api.finders; + extraLibs = [ cfg.api.package pkgs.cairo pkgs.pythonPackages.cffi ] ++ cfg.api.finders; }; in "${aenv}/${pkgs.python.sitePackages}"; GRAPHITE_API_CONFIG = graphiteApiConfig; diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix new file mode 100644 index 000000000000..dd76bac9df76 --- /dev/null +++ b/nixos/modules/services/networking/babeld.nix @@ -0,0 +1,98 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.babeld; + + paramsString = params: + concatMapStringsSep "" (name: "${name} ${boolToString (getAttr name params)}") + (attrNames params); + + interfaceConfig = name: + let + interface = getAttr name cfg.interfaces; + in + "interface ${name} ${paramsString interface}\n"; + + configFile = with cfg; pkgs.writeText "babeld.conf" ( + (optionalString (cfg.interfaceDefaults != null) '' + default ${paramsString cfg.interfaceDefaults} + '') + + (concatMapStrings interfaceConfig (attrNames cfg.interfaces)) + + extraConfig); + +in + +{ + + ###### interface + + options = { + + services.babeld = { + + enable = mkOption { + default = false; + description = '' + Whether to run the babeld network routing daemon. + ''; + }; + + interfaceDefaults = mkOption { + default = null; + description = '' + A set describing default parameters for babeld interfaces. + See <citerefentry><refentrytitle>babeld</refentrytitle><manvolnum>8</manvolnum></citerefentry> for options. + ''; + type = types.nullOr (types.attrsOf types.unspecified); + example = + { + wired = true; + "split-horizon" = true; + }; + }; + + interfaces = mkOption { + default = {}; + description = '' + A set describing babeld interfaces. + See <citerefentry><refentrytitle>babeld</refentrytitle><manvolnum>8</manvolnum></citerefentry> for options. + ''; + type = types.attrsOf (types.attrsOf types.unspecified); + example = + { enp0s2 = + { wired = true; + "hello-interval" = 5; + "split-horizon" = "auto"; + }; + }; + }; + + extraConfig = mkOption { + default = ""; + description = '' + Options that will be copied to babeld.conf. + See <citerefentry><refentrytitle>babeld</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details. + ''; + }; + }; + + }; + + + ###### implementation + + config = mkIf config.services.babeld.enable { + + systemd.services.babeld = { + description = "Babel routing daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile}"; + }; + + }; + +} diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix index ab7bbb15ad4f..ee1cd3600039 100644 --- a/nixos/modules/services/networking/dnschain.nix +++ b/nixos/modules/services/networking/dnschain.nix @@ -158,7 +158,7 @@ in serviceConfig = { User = "dnschain"; Restart = "on-failure"; - ExecStart = "${pkgs.dnschain}/bin/dnschain"; + ExecStart = "${pkgs.nodePackages.dnschain}/bin/dnschain"; }; preStart = '' diff --git a/nixos/modules/services/networking/keybase.nix b/nixos/modules/services/networking/keybase.nix index 7c7982ee8eac..a149f16a84cb 100644 --- a/nixos/modules/services/networking/keybase.nix +++ b/nixos/modules/services/networking/keybase.nix @@ -28,7 +28,7 @@ in { description = "Keybase service"; serviceConfig = { ExecStart = '' - ${pkgs.keybase}/bin/keybase -d service --auto-forked + ${pkgs.keybase}/bin/keybase service --auto-forked ''; Restart = "on-failure"; PrivateTmp = true; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index b0eb0460b9ba..3a3f64221c42 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -32,8 +32,10 @@ let ${caConf} ''; - strongswanConf = {setup, connections, ca, secrets}: toFile "strongswan.conf" '' + strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' charon { + ${if managePlugins then "load_modular = no" else ""} + ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} plugins { stroke { secrets_file = ${ipsecSecrets secrets} @@ -112,6 +114,25 @@ in file. ''; }; + + managePlugins = mkOption { + type = types.bool; + default = false; + description = '' + If set to true, this option will disable automatic plugin loading and + then tell strongSwan to enable the plugins specified in the + <option>enabledPlugins</option> option. + ''; + }; + + enabledPlugins = mkOption { + type = types.listOf types.str; + default = []; + description = '' + A list of additional plugins to enable if + <option>managePlugins</option> is true. + ''; + }; }; config = with cfg; mkIf enable { @@ -122,7 +143,7 @@ in wants = [ "keys.target" ]; after = [ "network-online.target" "keys.target" ]; environment = { - STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets; }; + STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; }; }; serviceConfig = { ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork"; diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index bcce4accdd6e..545ee327d596 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -8,9 +8,9 @@ let stateDir = "/var/lib/unbound"; - access = concatMapStrings (x: " access-control: ${x} allow\n") cfg.allowedAccess; + access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess; - interfaces = concatMapStrings (x: " interface: ${x}\n") cfg.interfaces; + interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces; isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1"; diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index eb08e7f90c0d..24accd41511c 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -195,6 +195,7 @@ let description = "WireGuard Tunnel - ${name}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + environment.DEVICE = name; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 1c3c7835d961..f9f2511f45dc 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -676,6 +676,7 @@ in '' ; Needed for PHP's mail() function. sendmail_path = sendmail -t -i + '' + optionalString (!isNull config.time.timeZone) '' ; Apparently PHP doesn't use $TZ. date.timezone = "${config.time.timeZone}" diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix index c6f4bcd0f666..1c654667dfc7 100644 --- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix +++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix @@ -13,6 +13,7 @@ let define('DB_HOST', '${config.dbHost}'); define('DB_CHARSET', 'utf8'); $table_prefix = '${config.tablePrefix}'; + define('AUTOMATIC_UPDATER_DISABLED', true); ${config.extraConfig} if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/'); diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index 89ad2882363d..fb907618d35b 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -41,7 +41,7 @@ in name = "lxqt"; bgSupport = true; start = '' - exec ${pkgs.lxqt.lxqt-common}/bin/startlxqt + exec ${pkgs.lxqt.lxqt-session}/bin/startlxqt ''; }; diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index 45a67ac040b8..e83f26516f5f 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -125,6 +125,8 @@ in "getty@tty1.service" ]; + systemd.services."getty@tty1".enable = false; + systemd.services.display-manager.conflicts = [ "getty@tty1.service" ]; systemd.services.display-manager.serviceConfig = { # Restart = "always"; - already defined in xserver.nix KillMode = "mixed"; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index e92c9bc27def..1f424f84c6e0 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -93,6 +93,7 @@ let after = [ "network-pre.target" "systemd-udevd.service" "systemd-sysctl.service" ]; before = [ "network.target" "shutdown.target" ]; wants = [ "network.target" ]; + partOf = map (i: "network-addresses-${i.name}.service") interfaces; conflicts = [ "shutdown.target" ]; wantedBy = [ "multi-user.target" ] ++ optional hasDefaultGatewaySet "network-online.target"; @@ -171,8 +172,6 @@ let "network-link-${i.name}.service" "network.target" ]; - # propagate stop and reload from network-setup - partOf = [ "network-setup.service" ]; # order before network-setup because the routes that are configured # there may need ip addresses configured before = [ "network-setup.service" ]; diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 82dfc1c9f1ce..e68bfd860601 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -537,7 +537,7 @@ in type = types.bool; default = false; description = '' - Wether the container is automatically started at boot-time. + Whether the container is automatically started at boot-time. ''; }; @@ -596,6 +596,8 @@ in { config, pkgs, ... }: { services.postgresql.enable = true; services.postgresql.package = pkgs.postgresql96; + + system.stateVersion = "17.03"; }; }; } |