diff options
Diffstat (limited to 'nixos/modules')
331 files changed, 2580 insertions, 2269 deletions
diff --git a/nixos/modules/config/fonts/fontconfig-penultimate.nix b/nixos/modules/config/fonts/fontconfig-penultimate.nix index 24ed9c97668b..7e311a21acf6 100644 --- a/nixos/modules/config/fonts/fontconfig-penultimate.nix +++ b/nixos/modules/config/fonts/fontconfig-penultimate.nix @@ -35,8 +35,8 @@ let then "fontconfig" else "fontconfig_${version}"; makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; }; - cache = makeCache pkgs."${fcPackage}"; - cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}"; + cache = makeCache pkgs.${fcPackage}; + cache32 = makeCache pkgs.pkgsi686Linux.${fcPackage}; in pkgs.writeText "fc-00-nixos-cache.conf" '' <?xml version='1.0'?> @@ -269,7 +269,7 @@ in penultimate = { enable = mkOption { type = types.bool; - default = true; + default = false; description = '' Enable fontconfig-penultimate settings to supplement the NixOS defaults by providing per-font rendering defaults and diff --git a/nixos/modules/config/fonts/fontconfig-ultimate.nix b/nixos/modules/config/fonts/fontconfig-ultimate.nix index 45328f3eaf13..84d90899dfff 100644 --- a/nixos/modules/config/fonts/fontconfig-ultimate.nix +++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix @@ -79,7 +79,7 @@ in config = mkIf (config.fonts.fontconfig.enable && cfg.enable) { fonts.fontconfig.confPackages = [ confPkg ]; - environment.variables."INFINALITY_FT" = cfg.preset; + environment.variables.INFINALITY_FT = cfg.preset; }; diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index fe0b88cf4c26..8f227c423266 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -51,8 +51,8 @@ let then "fontconfig" else "fontconfig_${version}"; makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; }; - cache = makeCache pkgs."${fcPackage}"; - cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}"; + cache = makeCache pkgs.${fcPackage}; + cache32 = makeCache pkgs.pkgsi686Linux.${fcPackage}; in pkgs.writeText "fc-00-nixos-cache.conf" '' <?xml version='1.0'?> @@ -116,7 +116,7 @@ let defaultFontsConf = let genDefault = fonts: name: optionalString (fonts != []) '' - <alias> + <alias binding="same"> <family>${name}</family> <prefer> ${concatStringsSep "" @@ -139,6 +139,8 @@ let ${genDefault cfg.defaultFonts.monospace "monospace"} + ${genDefault cfg.defaultFonts.emoji "emoji"} + </fontconfig> ''; @@ -344,6 +346,21 @@ in in case multiple languages must be supported. ''; }; + + emoji = mkOption { + type = types.listOf types.str; + default = ["Noto Color Emoji"]; + description = '' + System-wide default emoji font(s). Multiple fonts may be listed + in case a font does not support all emoji. + + Note that fontconfig matches color emoji fonts preferentially, + so if you want to use a black and white font while having + a color font installed (eg. Noto Color Emoji installed alongside + Noto Emoji), fontconfig will still choose the color font even + when it is later in the list. + ''; + }; }; hinting = { diff --git a/nixos/modules/config/fonts/fonts.nix b/nixos/modules/config/fonts/fonts.nix index 0dd01df9da74..abb806b601a7 100644 --- a/nixos/modules/config/fonts/fonts.nix +++ b/nixos/modules/config/fonts/fonts.nix @@ -43,6 +43,7 @@ with lib; pkgs.xorg.fontmiscmisc pkgs.xorg.fontcursormisc pkgs.unifont + pkgs.noto-fonts-emoji ]; }; diff --git a/nixos/modules/config/gtk/gtk-icon-cache.nix b/nixos/modules/config/gtk/gtk-icon-cache.nix index 9c5d993b9c59..86a6bfb5af41 100644 --- a/nixos/modules/config/gtk/gtk-icon-cache.nix +++ b/nixos/modules/config/gtk/gtk-icon-cache.nix @@ -7,7 +7,7 @@ with lib; type = types.bool; default = config.services.xserver.enable; description = '' - Whether to build icon theme caches for GTK+ applications. + Whether to build icon theme caches for GTK applications. ''; }; }; diff --git a/nixos/modules/config/krb5/default.nix b/nixos/modules/config/krb5/default.nix index 87021a27d34f..ff16ffcf9c65 100644 --- a/nixos/modules/config/krb5/default.nix +++ b/nixos/modules/config/krb5/default.nix @@ -15,7 +15,7 @@ let realms = optionalAttrs (lib.all (value: value != null) [ cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer ]) { - "${cfg.defaultRealm}" = { + ${cfg.defaultRealm} = { kdc = cfg.kdc; admin_server = cfg.kerberosAdminServer; }; @@ -25,7 +25,7 @@ let cfg.domainRealm cfg.defaultRealm ]) { ".${cfg.domainRealm}" = cfg.defaultRealm; - "${cfg.domainRealm}" = cfg.defaultRealm; + ${cfg.domainRealm} = cfg.defaultRealm; }; }; diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix index 65130454735c..31a659ee83fe 100644 --- a/nixos/modules/config/malloc.nix +++ b/nixos/modules/config/malloc.nix @@ -6,7 +6,7 @@ let # The set of alternative malloc(3) providers. providers = { - "graphene-hardened" = rec { + graphene-hardened = { libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so"; description = '' An allocator designed to mitigate memory corruption attacks, such as @@ -14,7 +14,7 @@ let ''; }; - "jemalloc" = { + jemalloc = { libPath = "${pkgs.jemalloc}/lib/libjemalloc.so"; description = '' A general purpose allocator that emphasizes fragmentation avoidance @@ -22,7 +22,7 @@ let ''; }; - "scudo" = { + scudo = { libPath = "${pkgs.llvmPackages.compiler-rt}/lib/linux/libclang_rt.scudo-x86_64.so"; description = '' A user-mode allocator based on LLVM Sanitizer’s CombinedAllocator, @@ -32,7 +32,7 @@ let }; }; - providerConf = providers."${cfg.provider}"; + providerConf = providers.${cfg.provider}; # An output that contains only the shared library, to avoid # needlessly bloating the system closure diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index 4b9086022ed5..a89667ea221c 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -171,13 +171,13 @@ in environment.etc = { # /etc/services: TCP/UDP port assignments. - "services".source = pkgs.iana-etc + "/etc/services"; + services.source = pkgs.iana-etc + "/etc/services"; # /etc/protocols: IP protocol numbers. - "protocols".source = pkgs.iana-etc + "/etc/protocols"; + protocols.source = pkgs.iana-etc + "/etc/protocols"; # /etc/hosts: Hostname-to-IP mappings. - "hosts".text = let + hosts.text = let oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip}; allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set); in '' @@ -190,7 +190,7 @@ in } // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") { # /etc/rpc: RPC program numbers. - "rpc".source = pkgs.glibc.out + "/etc/rpc"; + rpc.source = pkgs.glibc.out + "/etc/rpc"; }; networking.proxy.envVars = diff --git a/nixos/modules/config/power-management.nix b/nixos/modules/config/power-management.nix index 0277f1ad11e9..64cdf50f1413 100644 --- a/nixos/modules/config/power-management.nix +++ b/nixos/modules/config/power-management.nix @@ -78,7 +78,7 @@ in }; # Service executed before suspending/hibernating. - systemd.services."pre-sleep" = + systemd.services.pre-sleep = { description = "Pre-Sleep Actions"; wantedBy = [ "sleep.target" ]; before = [ "sleep.target" ]; @@ -89,7 +89,7 @@ in serviceConfig.Type = "oneshot"; }; - systemd.services."post-resume" = + systemd.services.post-resume = { description = "Post-Resume Actions"; after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ]; script = diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index 6379b52870ea..9dfc1add8299 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -163,7 +163,7 @@ in l = "ls -alh"; }; - environment.etc."shells".text = + environment.etc.shells.text = '' ${concatStringsSep "\n" (map utils.toShellPath cfg.shells)} /bin/sh @@ -171,7 +171,7 @@ in # For resetting environment with `. /etc/set-environment` when needed # and discoverability (see motivation of #30418). - environment.etc."set-environment".source = config.system.build.setEnvironment; + environment.etc.set-environment.source = config.system.build.setEnvironment; system.build.setEnvironment = pkgs.writeText "set-environment" '' diff --git a/nixos/modules/config/terminfo.nix b/nixos/modules/config/terminfo.nix index 4fd6ba5ea605..b86ce2dbf057 100644 --- a/nixos/modules/config/terminfo.nix +++ b/nixos/modules/config/terminfo.nix @@ -8,7 +8,7 @@ "/share/terminfo" ]; - environment.etc."terminfo" = { + environment.etc.terminfo = { source = "${config.system.path}/share/terminfo"; }; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 25f1c67ce830..ba79bd3d6ecc 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -181,7 +181,7 @@ let }; hashedPassword = mkOption { - type = with types; uniq (nullOr str); + type = with types; nullOr str; default = null; description = '' Specifies the hashed password for the user. @@ -191,7 +191,7 @@ let }; password = mkOption { - type = with types; uniq (nullOr str); + type = with types; nullOr str; default = null; description = '' Specifies the (clear text) password for the user. @@ -203,7 +203,7 @@ let }; passwordFile = mkOption { - type = with types; uniq (nullOr string); + type = with types; nullOr str; default = null; description = '' The full path to a file that contains the user's password. The password @@ -215,7 +215,7 @@ let }; initialHashedPassword = mkOption { - type = with types; uniq (nullOr str); + type = with types; nullOr str; default = null; description = '' Specifies the initial hashed password for the user, i.e. the @@ -230,7 +230,7 @@ let }; initialPassword = mkOption { - type = with types; uniq (nullOr str); + type = with types; nullOr str; default = null; description = '' Specifies the initial password for the user, i.e. the @@ -304,7 +304,7 @@ let }; members = mkOption { - type = with types; listOf string; + type = with types; listOf str; default = []; description = '' The user names of the group members, added to the @@ -546,11 +546,11 @@ in { environment.systemPackages = systemShells; environment.etc = { - "subuid" = { + subuid = { text = subuidFile; mode = "0644"; }; - "subgid" = { + subgid = { text = subgidFile; mode = "0644"; }; diff --git a/nixos/modules/hardware/nitrokey.nix b/nixos/modules/hardware/nitrokey.nix index 60fc95a75828..02e4c3f46f8d 100644 --- a/nixos/modules/hardware/nitrokey.nix +++ b/nixos/modules/hardware/nitrokey.nix @@ -36,6 +36,6 @@ in { inherit (cfg) group; } )) ]; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; }; } diff --git a/nixos/modules/hardware/openrazer.nix b/nixos/modules/hardware/openrazer.nix new file mode 100644 index 000000000000..883db7f2f4f1 --- /dev/null +++ b/nixos/modules/hardware/openrazer.nix @@ -0,0 +1,133 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.hardware.openrazer; + kernelPackages = config.boot.kernelPackages; + + toPyBoolStr = b: if b then "True" else "False"; + + daemonExe = "${pkgs.openrazer-daemon}/bin/openrazer-daemon --config ${daemonConfFile}"; + + daemonConfFile = pkgs.writeTextFile { + name = "razer.conf"; + text = '' + [General] + verbose_logging = ${toPyBoolStr cfg.verboseLogging} + + [Startup] + sync_effects_enabled = ${toPyBoolStr cfg.syncEffectsEnabled} + devices_off_on_screensaver = ${toPyBoolStr cfg.devicesOffOnScreensaver} + mouse_battery_notifier = ${toPyBoolStr cfg.mouseBatteryNotifier} + + [Statistics] + key_statistics = ${toPyBoolStr cfg.keyStatistics} + ''; + }; + + dbusServiceFile = pkgs.writeTextFile rec { + name = "org.razer.service"; + destination = "/share/dbus-1/services/${name}"; + text = '' + [D-BUS Service] + Name=org.razer + Exec=${daemonExe} + SystemdService=openrazer-daemon.service + ''; + }; + + drivers = [ + "razerkbd" + "razermouse" + "razerfirefly" + "razerkraken" + "razermug" + "razercore" + ]; +in +{ + options = { + hardware.openrazer = { + enable = mkEnableOption "OpenRazer drivers and userspace daemon."; + + verboseLogging = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable verbose logging. Logs debug messages. + ''; + }; + + syncEffectsEnabled = mkOption { + type = types.bool; + default = true; + description = '' + Set the sync effects flag to true so any assignment of + effects will work across devices. + ''; + }; + + devicesOffOnScreensaver = mkOption { + type = types.bool; + default = true; + description = '' + Turn off the devices when the systems screensaver kicks in. + ''; + }; + + mouseBatteryNotifier = mkOption { + type = types.bool; + default = true; + description = '' + Mouse battery notifier. + ''; + }; + + keyStatistics = mkOption { + type = types.bool; + default = false; + description = '' + Collects number of keypresses per hour per key used to + generate a heatmap. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + boot.extraModulePackages = [ kernelPackages.openrazer ]; + boot.kernelModules = drivers; + + # Makes the man pages available so you can succesfully run + # > systemctl --user help openrazer-daemon + environment.systemPackages = [ pkgs.python3Packages.openrazer-daemon.man ]; + + services.udev.packages = [ kernelPackages.openrazer ]; + services.dbus.packages = [ dbusServiceFile ]; + + # A user must be a member of the plugdev group in order to start + # the openrazer-daemon. Therefore we make sure that the plugdev + # group exists. + users.groups.plugdev = {}; + + systemd.user.services.openrazer-daemon = { + description = "Daemon to manage razer devices in userspace"; + unitConfig.Documentation = "man:openrazer-daemon(8)"; + # Requires a graphical session so the daemon knows when the screensaver + # starts. See the 'devicesOffOnScreensaver' option. + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + serviceConfig = { + Type = "dbus"; + BusName = "org.razer"; + ExecStart = "${daemonExe} --foreground"; + Restart = "always"; + }; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ roelvandijk ]; + }; +} diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix new file mode 100644 index 000000000000..56b91933477d --- /dev/null +++ b/nixos/modules/hardware/printers.nix @@ -0,0 +1,135 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.hardware.printers; + ppdOptionsString = options: optionalString (options != {}) + (concatStringsSep " " + (mapAttrsToList (name: value: "-o '${name}'='${value}'") options) + ); + ensurePrinter = p: '' + ${pkgs.cups}/bin/lpadmin -p '${p.name}' -E \ + ${optionalString (p.location != null) "-L '${p.location}'"} \ + ${optionalString (p.description != null) "-D '${p.description}'"} \ + -v '${p.deviceUri}' \ + -m '${p.model}' \ + ${ppdOptionsString p.ppdOptions} + ''; + ensureDefaultPrinter = name: '' + ${pkgs.cups}/bin/lpoptions -d '${name}' + ''; + + # "graph but not # or /" can't be implemented as regex alone due to missing lookahead support + noInvalidChars = str: all (c: c != "#" && c != "/") (stringToCharacters str); + printerName = (types.addCheck (types.strMatching "[[:graph:]]+") noInvalidChars) + // { description = "printable string without spaces, # and /"; }; + + +in { + options = { + hardware.printers = { + ensureDefaultPrinter = mkOption { + type = types.nullOr printerName; + default = null; + description = '' + Ensures the named printer is the default CUPS printer / printer queue. + ''; + }; + ensurePrinters = mkOption { + description = '' + Will regularly ensure that the given CUPS printers are configured as declared here. + If a printer's options are manually changed afterwards, they will be overwritten eventually. + This option will never delete any printer, even if removed from this list. + You can check existing printers with <command>lpstat -s</command> + and remove printers with <command>lpadmin -x <printer-name></command>. + Printers not listed here can still be manually configured. + ''; + default = []; + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = printerName; + example = "BrotherHL_Workroom"; + description = '' + Name of the printer / printer queue. + May contain any printable characters except "/", "#", and space. + ''; + }; + location = mkOption { + type = types.nullOr types.str; + default = null; + example = "Workroom"; + description = '' + Optional human-readable location. + ''; + }; + description = mkOption { + type = types.nullOr types.str; + default = null; + example = "Brother HL-5140"; + description = '' + Optional human-readable description. + ''; + }; + deviceUri = mkOption { + type = types.str; + example = [ + "ipp://printserver.local/printers/BrotherHL_Workroom" + "usb://HP/DESKJET%20940C?serial=CN16E6C364BH" + ]; + description = '' + How to reach the printer. + <command>lpinfo -v</command> shows a list of supported device URIs and schemes. + ''; + }; + model = mkOption { + type = types.str; + example = literalExample '' + gutenprint.''${lib.version.majorMinor (lib.getVersion pkgs.cups)}://brother-hl-5140/expert + ''; + description = '' + Location of the ppd driver file for the printer. + <command>lpinfo -m</command> shows a list of supported models. + ''; + }; + ppdOptions = mkOption { + type = types.attrsOf types.str; + example = { + PageSize = "A4"; + Duplex = "DuplexNoTumble"; + }; + default = {}; + description = '' + Sets PPD options for the printer. + <command>lpoptions [-p printername] -l</command> shows suported PPD options for the given printer. + ''; + }; + }; + }); + }; + }; + }; + + config = mkIf (cfg.ensurePrinters != [] && config.services.printing.enable) { + systemd.services.ensure-printers = let + cupsUnit = if config.services.printing.startWhenNeeded then "cups.socket" else "cups.service"; + in { + description = "Ensure NixOS-configured CUPS printers"; + wantedBy = [ "multi-user.target" ]; + requires = [ cupsUnit ]; + # in contrast to cups.socket, for cups.service, this is actually not enough, + # as the cups service reports its activation before clients can actually interact with it. + # Because of this, commands like `lpinfo -v` will report a bad file descriptor + # due to the missing UNIX socket without sufficient sleep time. + after = [ cupsUnit ]; + + serviceConfig = { + Type = "oneshot"; + }; + + # sleep 10 is required to wait until cups.service is actually initialized and has created its UNIX socket file + script = (optionalString (!config.services.printing.startWhenNeeded) "sleep 10\n") + + (concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters) + + optionalString (cfg.ensureDefaultPrinter != null) (ensureDefaultPrinter cfg.ensureDefaultPrinter); + }; + }; +} diff --git a/nixos/modules/hardware/raid/hpsa.nix b/nixos/modules/hardware/raid/hpsa.nix index 3a65cb800a98..4d7af138292c 100644 --- a/nixos/modules/hardware/raid/hpsa.nix +++ b/nixos/modules/hardware/raid/hpsa.nix @@ -4,11 +4,11 @@ with lib; let hpssacli = pkgs.stdenv.mkDerivation rec { - name = "hpssacli-${version}"; + pname = "hpssacli"; version = "2.40-13.0"; src = pkgs.fetchurl { - url = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${name}_amd64.deb"; + url = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${pname}-${version}_amd64.deb"; sha256 = "11w7fwk93lmfw0yya4jpjwdmgjimqxx6412sqa166g1pz4jil4sw"; }; diff --git a/nixos/modules/hardware/video/ati.nix b/nixos/modules/hardware/video/ati.nix index f867bba80630..0aab7bd6b92c 100644 --- a/nixos/modules/hardware/video/ati.nix +++ b/nixos/modules/hardware/video/ati.nix @@ -33,7 +33,7 @@ in boot.blacklistedKernelModules = [ "radeon" ]; - environment.etc."ati".source = "${ati_x11}/etc/ati"; + environment.etc.ati.source = "${ati_x11}/etc/ati"; }; diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index da3c8ee5a9fa..3ab2afc97407 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -88,7 +88,7 @@ in }; hardware.nvidia.optimus_prime.nvidiaBusId = lib.mkOption { - type = lib.types.string; + type = lib.types.str; default = ""; example = "PCI:1:0:0"; description = '' @@ -98,7 +98,7 @@ in }; hardware.nvidia.optimus_prime.intelBusId = lib.mkOption { - type = lib.types.string; + type = lib.types.str; default = ""; example = "PCI:0:2:0"; description = '' diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix index 2536ba73a1de..559899b0a3b1 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix @@ -13,9 +13,6 @@ with lib; enable = true; enableQt4Support = false; }; - - # Enable touchpad support for many laptops. - synaptics.enable = true; }; environment.systemPackages = with pkgs; [ diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix index a9241870fa71..2d34406a0320 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix @@ -59,4 +59,8 @@ in ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot ''; }; + + # the installation media is also the installation target, + # so we don't want to provide the installation configuration.nix. + installer.cloneConfig = false; } diff --git a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix index dab092415316..651d1a36dc11 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix @@ -56,4 +56,8 @@ in ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot ''; }; + + # the installation media is also the installation target, + # so we don't want to provide the installation configuration.nix. + installer.cloneConfig = false; } diff --git a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix index 8c9090471dcd..2a131d9ce980 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix @@ -45,4 +45,8 @@ in ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot ''; }; + + # the installation media is also the installation target, + # so we don't want to provide the installation configuration.nix. + installer.cloneConfig = false; } diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix index 7f355a132496..0a0150441554 100644 --- a/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixos/modules/installer/cd-dvd/sd-image.nix @@ -54,7 +54,7 @@ in }; firmwarePartitionID = mkOption { - type = types.string; + type = types.str; default = "0x2178694e"; description = '' Volume ID for the /boot/firmware partition on the SD card. This value @@ -63,7 +63,7 @@ in }; rootPartitionUUID = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7"; description = '' diff --git a/nixos/modules/installer/cd-dvd/system-tarball-pc.nix b/nixos/modules/installer/cd-dvd/system-tarball-pc.nix index 5da5df81ede1..bf8b7deb59eb 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball-pc.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball-pc.nix @@ -129,7 +129,7 @@ in ]; nixpkgs.config = { - packageOverrides = p: rec { + packageOverrides = p: { linux_3_4 = p.linux_3_4.override { extraConfig = '' # Enable drivers in kernel for most NICs. diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix index f9b8d95c684d..5146858cccf5 100644 --- a/nixos/modules/installer/netboot/netboot.nix +++ b/nixos/modules/installer/netboot/netboot.nix @@ -18,7 +18,7 @@ with lib; }; - config = rec { + config = { # Don't build the GRUB menu builder script, since we don't need it # here and it causes a cyclic dependency. boot.loader.grub.enable = false; diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index b9ab2053c41f..2673887d2b96 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/hbhdjn5ik3byg642d1m11k3k3s0kn3py-nix-2.2.2"; - i686-linux = "/nix/store/fz5cikwvj3n0a6zl44h6l2z3cin64mda-nix-2.2.2"; - aarch64-linux = "/nix/store/2gba4cyl4wvxzfbhmli90jy4n5aj0kjj-nix-2.2.2"; - x86_64-darwin = "/nix/store/87i4fp46jfw9yl8c7i9gx75m5yph7irl-nix-2.2.2"; + x86_64-linux = "/nix/store/3ds3cgji9vjxdbgp10av6smyym1126d1-nix-2.3"; + i686-linux = "/nix/store/ln1ndqvfpc9cdl03vqxi6kvlxm9wfv9g-nix-2.3"; + aarch64-linux = "/nix/store/n8a1rwzrp20qcr2c4hvyn6c5q9zx8csw-nix-2.3"; + x86_64-darwin = "/nix/store/jq6npmpld02sz4rgniz0qrsdfnm6j17a-nix-2.3"; } diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index efd8544d6a21..ac6af1ce8b77 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -340,7 +340,7 @@ cockroachdb = 313; zoneminder = 314; paperless = 315; - mailman = 316; + #mailman = 316; # removed 2019-08-30 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -641,7 +641,7 @@ cockroachdb = 313; zoneminder = 314; paperless = 315; - mailman = 316; + #mailman = 316; # removed 2019-08-30 # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 3ae60cb79160..773724ffbd5e 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -85,7 +85,7 @@ in # Generate /etc/os-release. See # https://www.freedesktop.org/software/systemd/man/os-release.html for the # format. - environment.etc."os-release".text = + environment.etc.os-release.text = '' NAME=NixOS ID=nixos diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 75df6c8d453c..5b7f391ed5a5 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -58,7 +58,9 @@ ./hardware/network/intel-2200bg.nix ./hardware/nitrokey.nix ./hardware/opengl.nix + ./hardware/openrazer.nix ./hardware/pcmcia.nix + ./hardware/printers.nix ./hardware/raid/hpsa.nix ./hardware/steam-hardware.nix ./hardware/usb-wwan.nix @@ -138,6 +140,7 @@ ./programs/qt5ct.nix ./programs/screen.nix ./programs/sedutil.nix + ./programs/seahorse.nix ./programs/slock.nix ./programs/shadow.nix ./programs/shell.nix @@ -148,16 +151,19 @@ ./programs/sysdig.nix ./programs/systemtap.nix ./programs/sway.nix + ./programs/system-config-printer.nix ./programs/thefuck.nix ./programs/tmux.nix ./programs/tsm-client.nix ./programs/udevil.nix + ./programs/usbtop.nix ./programs/venus.nix ./programs/vim.nix ./programs/wavemon.nix ./programs/way-cooler.nix ./programs/waybar.nix ./programs/wireshark.nix + ./programs/x2goserver.nix ./programs/xfs_quota.nix ./programs/xonsh.nix ./programs/xss-lock.nix @@ -214,8 +220,6 @@ ./services/backup/bacula.nix ./services/backup/borgbackup.nix ./services/backup/duplicati.nix - ./services/backup/crashplan.nix - ./services/backup/crashplan-small-business.nix ./services/backup/duplicity.nix ./services/backup/mysql-backup.nix ./services/backup/postgresql-backup.nix @@ -280,6 +284,7 @@ ./services/databases/virtuoso.nix ./services/desktops/accountsservice.nix ./services/desktops/bamf.nix + ./services/desktops/blueman.nix ./services/desktops/deepin/deepin.nix ./services/desktops/dleyna-renderer.nix ./services/desktops/dleyna-server.nix @@ -301,11 +306,11 @@ ./services/desktops/gnome3/gnome-settings-daemon.nix ./services/desktops/gnome3/gnome-user-share.nix ./services/desktops/gnome3/rygel.nix - ./services/desktops/gnome3/seahorse.nix ./services/desktops/gnome3/sushi.nix ./services/desktops/gnome3/tracker.nix ./services/desktops/gnome3/tracker-miners.nix ./services/desktops/profile-sync-daemon.nix + ./services/desktops/system-config-printer.nix ./services/desktops/telepathy.nix ./services/desktops/tumbler.nix ./services/desktops/zeitgeist.nix @@ -376,6 +381,7 @@ ./services/mail/mail.nix ./services/mail/mailcatcher.nix ./services/mail/mailhog.nix + ./services/mail/mailman.nix ./services/mail/mlmmj.nix ./services/mail/offlineimap.nix ./services/mail/opendkim.nix @@ -697,6 +703,7 @@ ./services/networking/supybot.nix ./services/networking/syncthing.nix ./services/networking/syncthing-relay.nix + ./services/networking/syncplay.nix ./services/networking/tcpcrypt.nix ./services/networking/teamspeak3.nix ./services/networking/tedicross.nix @@ -846,6 +853,7 @@ ./services/x11/hardware/multitouch.nix ./services/x11/hardware/synaptics.nix ./services/x11/hardware/wacom.nix + ./services/x11/hardware/cmt.nix ./services/x11/gdk-pixbuf.nix ./services/x11/redshift.nix ./services/x11/urxvtd.nix @@ -943,6 +951,7 @@ ./virtualisation/openvswitch.nix ./virtualisation/parallels-guest.nix ./virtualisation/qemu-guest-agent.nix + ./virtualisation/railcar.nix ./virtualisation/rkt.nix ./virtualisation/virtualbox-guest.nix ./virtualisation/virtualbox-host.nix diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 1a6e06995603..fd30220ce1c9 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -55,13 +55,16 @@ with lib; services.mingetty.autologinUser = "nixos"; # Some more help text. - services.mingetty.helpLine = - '' - - The "nixos" and "root" account have empty passwords. ${ - optionalString config.services.xserver.enable - "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."} - ''; + services.mingetty.helpLine = '' + The "nixos" and "root" accounts have empty passwords. + + Type `sudo systemctl start sshd` to start the SSH daemon. + You then must set a password for either "root" or "nixos" + with `passwd` to be able to login. + '' + optionalString config.services.xserver.enable '' + Type `sudo systemctl start display-manager' to + start the graphical user interface. + ''; # Allow sshd to be started manually through "systemctl start sshd". services.openssh = { diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index 4651cdb76e0b..7ef8d687ca17 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix @@ -30,7 +30,7 @@ in }; config = mkIf (cfg.settings != {}) { - environment.etc."atoprc".text = + environment.etc.atoprc.text = concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings); }; } diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 99daec5ff5b7..548babac38ca 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -159,7 +159,7 @@ in }; - environment.etc."profile".text = + environment.etc.profile.text = '' # /etc/profile: DO NOT EDIT -- this file has been generated automatically. # This file is read for login shells. @@ -184,7 +184,7 @@ in fi ''; - environment.etc."bashrc".text = + environment.etc.bashrc.text = '' # /etc/bashrc: DO NOT EDIT -- this file has been generated automatically. @@ -212,7 +212,7 @@ in # Configuration for readline in bash. We use "option default" # priority to allow user override using both .text and .source. - environment.etc."inputrc".source = mkOptionDefault ./inputrc; + environment.etc.inputrc.source = mkOptionDefault ./inputrc; users.defaultUserShell = mkDefault pkgs.bashInteractive; diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix index 46ee4bc0f7a0..74c3e4425a7c 100644 --- a/nixos/modules/programs/firejail.nix +++ b/nixos/modules/programs/firejail.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.programs.firejail; - wrappedBins = pkgs.stdenv.mkDerivation rec { + wrappedBins = pkgs.stdenv.mkDerivation { name = "firejail-wrapped-binaries"; nativeBuildInputs = with pkgs; [ makeWrapper ]; buildCommand = '' diff --git a/nixos/modules/programs/less.nix b/nixos/modules/programs/less.nix index 9fdf99e9c694..e19935b77caf 100644 --- a/nixos/modules/programs/less.nix +++ b/nixos/modules/programs/less.nix @@ -54,8 +54,8 @@ in type = types.attrsOf types.str; default = {}; example = { - "h" = "noaction 5\e("; - "l" = "noaction 5\e)"; + h = "noaction 5\e("; + l = "noaction 5\e)"; }; description = "Defines new command keys."; }; @@ -74,7 +74,7 @@ in type = types.attrsOf types.str; default = {}; example = { - "\e" = "abort"; + e = "abort"; }; description = "Defines new line-editing keys."; }; @@ -111,11 +111,11 @@ in environment.systemPackages = [ pkgs.less ]; environment.variables = { - "LESSKEY_SYSTEM" = toString lessKey; + LESSKEY_SYSTEM = toString lessKey; } // optionalAttrs (cfg.lessopen != null) { - "LESSOPEN" = cfg.lessopen; + LESSOPEN = cfg.lessopen; } // optionalAttrs (cfg.lessclose != null) { - "LESSCLOSE" = cfg.lessclose; + LESSCLOSE = cfg.lessclose; }; warnings = optional ( diff --git a/nixos/modules/programs/nano.nix b/nixos/modules/programs/nano.nix index 6a4d46338e19..5837dd46d7cd 100644 --- a/nixos/modules/programs/nano.nix +++ b/nixos/modules/programs/nano.nix @@ -35,7 +35,7 @@ in ###### implementation config = lib.mkIf (cfg.nanorc != "" || cfg.syntaxHighlight) { - environment.etc."nanorc".text = lib.concatStrings [ cfg.nanorc + environment.etc.nanorc.text = lib.concatStrings [ cfg.nanorc (lib.optionalString cfg.syntaxHighlight ''${LF}include "${pkgs.nano}/share/nano/*.nanorc"'') ]; }; diff --git a/nixos/modules/programs/npm.nix b/nixos/modules/programs/npm.nix index 5fdd4fa841a1..b351d80c7acf 100644 --- a/nixos/modules/programs/npm.nix +++ b/nixos/modules/programs/npm.nix @@ -36,7 +36,7 @@ in ###### implementation config = lib.mkIf cfg.enable { - environment.etc."npmrc".text = cfg.npmrc; + environment.etc.npmrc.text = cfg.npmrc; environment.variables.NPM_CONFIG_GLOBALCONFIG = "/etc/npmrc"; diff --git a/nixos/modules/programs/plotinus.nix b/nixos/modules/programs/plotinus.nix index 065e72d6c374..e3549c79588b 100644 --- a/nixos/modules/programs/plotinus.nix +++ b/nixos/modules/programs/plotinus.nix @@ -18,7 +18,7 @@ in enable = mkOption { default = false; description = '' - Whether to enable the Plotinus GTK+3 plugin. Plotinus provides a + Whether to enable the Plotinus GTK 3 plugin. Plotinus provides a popup (triggered by Ctrl-Shift-P) to search the menus of a compatible application. ''; diff --git a/nixos/modules/programs/plotinus.xml b/nixos/modules/programs/plotinus.xml index 902cd89e0c49..8fc8c22c6d76 100644 --- a/nixos/modules/programs/plotinus.xml +++ b/nixos/modules/programs/plotinus.xml @@ -13,10 +13,10 @@ <link xlink:href="https://github.com/p-e-w/plotinus"/> </para> <para> - Plotinus is a searchable command palette in every modern GTK+ application. + Plotinus is a searchable command palette in every modern GTK application. </para> <para> - When in a GTK+3 application and Plotinus is enabled, you can press + When in a GTK 3 application and Plotinus is enabled, you can press <literal>Ctrl+Shift+P</literal> to open the command palette. The command palette provides a searchable list of of all menu items in the application. </para> diff --git a/nixos/modules/programs/screen.nix b/nixos/modules/programs/screen.nix index c1daaa58f16f..4fd800dbae79 100644 --- a/nixos/modules/programs/screen.nix +++ b/nixos/modules/programs/screen.nix @@ -24,7 +24,7 @@ in ###### implementation config = mkIf (cfg.screenrc != "") { - environment.etc."screenrc".text = cfg.screenrc; + environment.etc.screenrc.text = cfg.screenrc; environment.systemPackages = [ pkgs.screen ]; }; diff --git a/nixos/modules/programs/seahorse.nix b/nixos/modules/programs/seahorse.nix new file mode 100644 index 000000000000..c08b0a85374c --- /dev/null +++ b/nixos/modules/programs/seahorse.nix @@ -0,0 +1,44 @@ +# Seahorse. + +{ config, pkgs, lib, ... }: + +with lib; + +{ + + # Added 2019-08-27 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "seahorse" "enable" ] + [ "programs" "seahorse" "enable" ]) + ]; + + + ###### interface + + options = { + + programs.seahorse = { + + enable = mkEnableOption "Seahorse, a GNOME application for managing encryption keys and passwords in the GNOME Keyring"; + + }; + + }; + + + ###### implementation + + config = mkIf config.programs.seahorse.enable { + + environment.systemPackages = [ + pkgs.gnome3.seahorse + ]; + + services.dbus.packages = [ + pkgs.gnome3.seahorse + ]; + + }; + +} diff --git a/nixos/modules/programs/system-config-printer.nix b/nixos/modules/programs/system-config-printer.nix new file mode 100644 index 000000000000..34592dd7064b --- /dev/null +++ b/nixos/modules/programs/system-config-printer.nix @@ -0,0 +1,32 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + + ###### interface + + options = { + + programs.system-config-printer = { + + enable = mkEnableOption "system-config-printer, a Graphical user interface for CUPS administration"; + + }; + + }; + + + ###### implementation + + config = mkIf config.programs.system-config-printer.enable { + + environment.systemPackages = [ + pkgs.system-config-printer + ]; + + services.system-config-printer.enable = true; + + }; + +} diff --git a/nixos/modules/programs/thefuck.nix b/nixos/modules/programs/thefuck.nix index 21ed6603c1bd..b909916158d3 100644 --- a/nixos/modules/programs/thefuck.nix +++ b/nixos/modules/programs/thefuck.nix @@ -17,7 +17,7 @@ in alias = mkOption { default = "fuck"; - type = types.string; + type = types.str; description = '' `thefuck` needs an alias to be configured. diff --git a/nixos/modules/programs/usbtop.nix b/nixos/modules/programs/usbtop.nix new file mode 100644 index 000000000000..c1b6ee38caa1 --- /dev/null +++ b/nixos/modules/programs/usbtop.nix @@ -0,0 +1,21 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs.usbtop; +in { + options = { + programs.usbtop.enable = mkEnableOption "usbtop and required kernel module"; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + usbtop + ]; + + boot.kernelModules = [ + "usbmon" + ]; + }; +} diff --git a/nixos/modules/programs/x2goserver.nix b/nixos/modules/programs/x2goserver.nix new file mode 100644 index 000000000000..77a1a0da7993 --- /dev/null +++ b/nixos/modules/programs/x2goserver.nix @@ -0,0 +1,148 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.x2goserver; + + defaults = { + superenicer = { enable = cfg.superenicer.enable; }; + }; + confText = generators.toINI {} (recursiveUpdate defaults cfg.settings); + x2goServerConf = pkgs.writeText "x2goserver.conf" confText; + + x2goAgentOptions = pkgs.writeText "x2goagent.options" '' + X2GO_NXOPTIONS="" + X2GO_NXAGENT_DEFAULT_OPTIONS="${concatStringsSep " " cfg.nxagentDefaultOptions}" + ''; + +in { + options.programs.x2goserver = { + enable = mkEnableOption "x2goserver" // { + description = '' + Enables the x2goserver module. + NOTE: This will create a good amount of symlinks in `/usr/local/bin` + ''; + }; + + superenicer = { + enable = mkEnableOption "superenicer" // { + description = '' + Enables the SupeReNicer code in x2gocleansessions, this will renice + suspended sessions to nice level 19 and renice them to level 0 if the + session becomes marked as running again + ''; + }; + }; + + nxagentDefaultOptions = mkOption { + type = types.listOf types.str; + default = [ "-extension GLX" "-nolisten tcp" ]; + example = [ "-extension GLX" "-nolisten tcp" ]; + description = '' + List of default nx agent options. + ''; + }; + + settings = mkOption { + type = types.attrsOf types.attrs; + default = {}; + description = '' + x2goserver.conf ini configuration as nix attributes. See + `x2goserver.conf(5)` for details + ''; + example = literalExample '' + superenicer = { + "enable" = "yes"; + "idle-nice-level" = 19; + }; + telekinesis = { "enable" = "no"; }; + ''; + }; + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.x2goserver ]; + + users.groups.x2go = {}; + users.users.x2go = { + home = "/var/lib/x2go/db"; + group = "x2go"; + }; + + security.wrappers.x2gosqliteWrapper = { + source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl"; + owner = "x2go"; + group = "x2go"; + setgid = true; + }; + security.wrappers.x2goprintWrapper = { + source = "${pkgs.x2goserver}/bin/x2goprint"; + owner = "x2go"; + group = "x2go"; + setgid = true; + }; + + systemd.tmpfiles.rules = with pkgs; [ + "d /var/lib/x2go/ - x2go x2go - -" + "d /var/lib/x2go/db - x2go x2go - -" + "d /var/lib/x2go/conf - x2go x2go - -" + "d /run/x2go 0755 x2go x2go - -" + ] ++ + # x2goclient sends SSH commands with preset PATH set to + # "/usr/local/bin;/usr/bin;/bin". Since we cannot filter arbitrary ssh + # commands, we have to make the following executables available. + map (f: "L+ /usr/local/bin/${f} - - - - ${x2goserver}/bin/${f}") [ + "x2goagent" "x2gobasepath" "x2gocleansessions" "x2gocmdexitmessage" + "x2godbadmin" "x2gofeature" "x2gofeaturelist" "x2gofm" "x2gogetapps" + "x2gogetservers" "x2golistdesktops" "x2golistmounts" "x2golistsessions" + "x2golistsessions_root" "x2golistshadowsessions" "x2gomountdirs" + "x2gopath" "x2goprint" "x2goresume-desktopsharing" "x2goresume-session" + "x2goruncommand" "x2goserver-run-extensions" "x2gosessionlimit" + "x2gosetkeyboard" "x2goshowblocks" "x2gostartagent" + "x2gosuspend-desktopsharing" "x2gosuspend-session" + "x2goterminate-desktopsharing" "x2goterminate-session" + "x2goumount-session" "x2goversion" + ] ++ [ + "L+ /usr/local/bin/awk - - - - ${gawk}/bin/awk" + "L+ /usr/local/bin/chmod - - - - ${coreutils}/bin/chmod" + "L+ /usr/local/bin/cp - - - - ${coreutils}/bin/cp" + "L+ /usr/local/bin/sed - - - - ${gnused}/bin/sed" + "L+ /usr/local/bin/setsid - - - - ${utillinux}/bin/setsid" + "L+ /usr/local/bin/xrandr - - - - ${xorg.xrandr}/bin/xrandr" + "L+ /usr/local/bin/xmodmap - - - - ${xorg.xmodmap}/bin/xmodmap" + ]; + + systemd.services.x2goserver = { + description = "X2Go Server Daemon"; + wantedBy = [ "multi-user.target" ]; + unitConfig.Documentation = "man:x2goserver.conf(5)"; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.x2goserver}/bin/x2gocleansessions"; + PIDFile = "/run/x2go/x2goserver.pid"; + User = "x2go"; + Group = "x2go"; + RuntimeDirectory = "x2go"; + StateDirectory = "x2go"; + }; + preStart = '' + if [ ! -e /var/lib/x2go/setup_ran ] + then + mkdir -p /var/lib/x2go/conf + cp -r ${pkgs.x2goserver}/etc/x2go/* /var/lib/x2go/conf/ + ln -sf ${x2goServerConf} /var/lib/x2go/conf/x2goserver.conf + ln -sf ${x2goAgentOptions} /var/lib/x2go/conf/x2goagent.options + ${pkgs.x2goserver}/bin/x2godbadmin --createdb + touch /var/lib/x2go/setup_ran + fi + ''; + }; + + # https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=276 + security.sudo.extraConfig = '' + Defaults env_keep+=QT_GRAPHICSSYSTEM + ''; + }; +} diff --git a/nixos/modules/programs/xfs_quota.nix b/nixos/modules/programs/xfs_quota.nix index 648fd9a8a94f..c03e59a5b4ab 100644 --- a/nixos/modules/programs/xfs_quota.nix +++ b/nixos/modules/programs/xfs_quota.nix @@ -61,7 +61,7 @@ in description = "Setup of xfs_quota projects. Make sure the filesystem is mounted with the pquota option."; example = { - "projname" = { + projname = { id = 50; path = "/xfsprojects/projname"; sizeHardLimit = "50g"; diff --git a/nixos/modules/programs/xonsh.nix b/nixos/modules/programs/xonsh.nix index 5cd2a49f8073..1590020f7b64 100644 --- a/nixos/modules/programs/xonsh.nix +++ b/nixos/modules/programs/xonsh.nix @@ -45,7 +45,7 @@ in config = mkIf cfg.enable { - environment.etc."xonshrc".text = cfg.config; + environment.etc.xonshrc.text = cfg.config; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/programs/xss-lock.nix b/nixos/modules/programs/xss-lock.nix index 070463311db5..a7ad9b89db4d 100644 --- a/nixos/modules/programs/xss-lock.nix +++ b/nixos/modules/programs/xss-lock.nix @@ -12,7 +12,7 @@ in lockerCommand = mkOption { default = "${pkgs.i3lock}/bin/i3lock"; example = literalExample ''''${pkgs.i3lock-fancy}/bin/i3lock-fancy''; - type = types.string; + type = types.separatedString " "; description = "Locker to be used with xsslock"; }; diff --git a/nixos/modules/programs/yabar.nix b/nixos/modules/programs/yabar.nix index db085211366e..5de9331ac520 100644 --- a/nixos/modules/programs/yabar.nix +++ b/nixos/modules/programs/yabar.nix @@ -76,7 +76,7 @@ in font = mkOption { default = "sans bold 9"; example = "Droid Sans, FontAwesome Bold 9"; - type = types.string; + type = types.str; description = '' The font that will be used to draw the status bar. @@ -95,7 +95,7 @@ in extra = mkOption { default = {}; - type = types.attrsOf types.string; + type = types.attrsOf types.str; description = '' An attribute set which contains further attributes of a bar. @@ -107,7 +107,7 @@ in type = types.attrsOf(types.submodule { options.exec = mkOption { example = "YABAR_DATE"; - type = types.string; + type = types.str; description = '' The type of the indicator to be executed. ''; @@ -125,7 +125,7 @@ in options.extra = mkOption { default = {}; - type = types.attrsOf (types.either types.string types.int); + type = types.attrsOf (types.either types.str types.int); description = '' An attribute set which contains further attributes of a indicator. diff --git a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix index 89087a229eb7..7184e5d9b9a8 100644 --- a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix +++ b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix @@ -33,7 +33,7 @@ in patterns = mkOption { default = {}; - type = types.attrsOf types.string; + type = types.attrsOf types.str; example = literalExample '' { @@ -50,7 +50,7 @@ in }; styles = mkOption { default = {}; - type = types.attrsOf types.string; + type = types.attrsOf types.str; example = literalExample '' { diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 6e9eefd74d18..c66c29ed45fb 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -133,7 +133,7 @@ in programs.zsh.shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; - environment.etc."zshenv".text = + environment.etc.zshenv.text = '' # /etc/zshenv: DO NOT EDIT -- this file has been generated automatically. # This file is read for all shells. @@ -157,7 +157,7 @@ in fi ''; - environment.etc."zprofile".text = + environment.etc.zprofile.text = '' # /etc/zprofile: DO NOT EDIT -- this file has been generated automatically. # This file is read for login shells. @@ -176,7 +176,7 @@ in fi ''; - environment.etc."zshrc".text = + environment.etc.zshrc.text = '' # /etc/zshrc: DO NOT EDIT -- this file has been generated automatically. # This file is read for interactive shells. @@ -225,7 +225,7 @@ in fi ''; - environment.etc."zinputrc".source = ./zinputrc; + environment.etc.zinputrc.source = ./zinputrc; environment.systemPackages = [ pkgs.zsh ] ++ optional cfg.enableCompletion pkgs.nix-zsh-completions; diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 1048c2af2ea8..d1303f90ad8d 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -34,6 +34,7 @@ with lib; (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) @@ -51,10 +52,11 @@ with lib; (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") - (mkRemovedOptionModule [ "services" "prometheus2" "alertmanagerURL" ] '' + (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' Due to incompatibility, the alertmanagerURL option has been removed, please use 'services.prometheus2.alertmanagers' instead. '') + (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) @@ -256,7 +258,7 @@ with lib; # binfmt (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) - + # ACME (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") @@ -285,6 +287,13 @@ with lib; throw "services.redshift.longitude is set to null, you can remove this" else builtins.fromJSON value)) + # Redis + (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") + (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") + (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") + (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") + (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") + ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "snmpExporter" "unifiExporter" "varnishExporter" ] diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index feb54affbf83..b321c04e574c 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -213,7 +213,7 @@ in StateDirectoryMode = rights; WorkingDirectory = "/var/lib/${lpath}"; ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}"; - ExecStopPost = + ExecStopPost = let script = pkgs.writeScript "acme-post-stop" '' #!${pkgs.runtimeShell} -e @@ -298,6 +298,9 @@ in }; }) ); + + systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {}; + systemd.targets.acme-certificates = {}; }) ]; diff --git a/nixos/modules/security/auditd.nix b/nixos/modules/security/auditd.nix index 6abac244dac2..9d26cfbcfb10 100644 --- a/nixos/modules/security/auditd.nix +++ b/nixos/modules/security/auditd.nix @@ -6,6 +6,10 @@ with lib; options.security.auditd.enable = mkEnableOption "the Linux Audit daemon"; config = mkIf config.security.auditd.enable { + boot.kernelParams = [ "audit=1" ]; + + environment.systemPackages = [ pkgs.audit ]; + systemd.services.auditd = { description = "Linux Audit daemon"; wantedBy = [ "basic.target" ]; diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index be6acb3f1f53..2255477f26e4 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -24,6 +24,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ sandbox ]; - security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; + security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; }; } diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 89e71c5136e4..9c7ddc2f4eea 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -685,7 +685,7 @@ in }; id = mkOption { example = "42"; - type = types.string; + type = types.str; description = "client id"; }; diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 7f1de81d5b70..f2b2df4004cb 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -85,7 +85,7 @@ in security.wrappers = { pkexec.source = "${pkgs.polkit.bin}/bin/pkexec"; - "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; }; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/security/prey.nix b/nixos/modules/security/prey.nix index 1c643f2e1a57..b899ccb6c3e2 100644 --- a/nixos/modules/security/prey.nix +++ b/nixos/modules/security/prey.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.prey; - myPrey = pkgs."prey-bash-client".override { + myPrey = pkgs.prey-bash-client.override { apiKey = cfg.apiKey; deviceKey = cfg.deviceKey; }; diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 573588aaeecc..10ee036be84e 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -91,7 +91,7 @@ in type = with types; listOf (submodule { options = { users = mkOption { - type = with types; listOf (either string int); + type = with types; listOf (either str int); description = '' The usernames / UIDs this rule should apply for. ''; @@ -99,7 +99,7 @@ in }; groups = mkOption { - type = with types; listOf (either string int); + type = with types; listOf (either str int); description = '' The groups / GIDs this rule should apply for. ''; @@ -107,7 +107,7 @@ in }; host = mkOption { - type = types.string; + type = types.str; default = "ALL"; description = '' For what host this rule should apply. @@ -115,7 +115,7 @@ in }; runAs = mkOption { - type = with types; string; + type = with types; str; default = "ALL:ALL"; description = '' Under which user/group the specified command is allowed to run. @@ -130,11 +130,11 @@ in description = '' The commands for which the rule should apply. ''; - type = with types; listOf (either string (submodule { + type = with types; listOf (either str (submodule { options = { command = mkOption { - type = with types; string; + type = with types; str; description = '' A command being either just a path to a binary to allow any arguments, the full command with arguments pre-set or with <code>""</code> used as the argument, diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index dcb9c8d4ed5f..47738e7962ea 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -7,7 +7,7 @@ let programs = (lib.mapAttrsToList - (n: v: (if v ? "program" then v else v // {program=n;})) + (n: v: (if v ? program then v else v // {program=n;})) wrappers); securityWrapper = pkgs.stdenv.mkDerivation { @@ -74,15 +74,15 @@ let mkWrappedPrograms = builtins.map - (s: if (s ? "capabilities") + (s: if (s ? capabilities) then mkSetcapProgram ({ owner = "root"; group = "root"; } // s) else if - (s ? "setuid" && s.setuid) || - (s ? "setgid" && s.setgid) || - (s ? "permissions") + (s ? setuid && s.setuid) || + (s ? setgid && s.setgid) || + (s ? permissions) then mkSetuidProgram s else mkSetuidProgram ({ owner = "root"; diff --git a/nixos/modules/services/amqp/activemq/default.nix b/nixos/modules/services/amqp/activemq/default.nix index 27bfd91cd2d5..7729da27304b 100644 --- a/nixos/modules/services/amqp/activemq/default.nix +++ b/nixos/modules/services/amqp/activemq/default.nix @@ -40,7 +40,7 @@ in { ''; }; configurationURI = mkOption { - type = types.string; + type = types.str; default = "xbean:activemq.xml"; description = '' The URI that is passed along to the BrokerFactory to @@ -51,7 +51,7 @@ in { ''; }; baseDir = mkOption { - type = types.string; + type = types.str; default = "/var/activemq"; description = '' The base directory where ActiveMQ stores its persistent data and logs. @@ -81,7 +81,7 @@ in { ''; }; extraJavaOptions = mkOption { - type = types.string; + type = types.separatedString " "; default = ""; example = "-Xmx2G -Xms2G -XX:MaxPermSize=512M"; description = '' diff --git a/nixos/modules/services/audio/alsa.nix b/nixos/modules/services/audio/alsa.nix index 376aad66e236..f632644af09e 100644 --- a/nixos/modules/services/audio/alsa.nix +++ b/nixos/modules/services/audio/alsa.nix @@ -64,7 +64,7 @@ in }; volumeStep = mkOption { - type = types.string; + type = types.str; default = "1"; example = "1%"; description = '' @@ -99,7 +99,7 @@ in boot.kernelModules = optional config.sound.enableOSSEmulation "snd_pcm_oss"; - systemd.services."alsa-store" = + systemd.services.alsa-store = { description = "Store Sound Card State"; wantedBy = [ "multi-user.target" ]; unitConfig.RequiresMountsFor = "/var/lib/alsa"; diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index d4b0b098b78e..4eda3c5708da 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -61,8 +61,8 @@ in { }; - users.groups."${cfg.group}" = {}; - users.users."${cfg.user}" = + users.groups.${cfg.group} = {}; + users.users.${cfg.user} = if cfg.user == "roon-server" then { isSystemUser = true; description = "Roon Server user"; diff --git a/nixos/modules/services/audio/ympd.nix b/nixos/modules/services/audio/ympd.nix index 919b76622510..551bd941fe68 100644 --- a/nixos/modules/services/audio/ympd.nix +++ b/nixos/modules/services/audio/ympd.nix @@ -23,7 +23,7 @@ in { mpd = { host = mkOption { - type = types.string; + type = types.str; default = "localhost"; description = "The host where MPD is listening."; example = "localhost"; diff --git a/nixos/modules/services/backup/crashplan-small-business.nix b/nixos/modules/services/backup/crashplan-small-business.nix deleted file mode 100644 index 790dafefe66f..000000000000 --- a/nixos/modules/services/backup/crashplan-small-business.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - cfg = config.services.crashplansb; - crashplansb = pkgs.crashplansb.override { maxRam = cfg.maxRam; }; -in - -with lib; - -{ - options = { - services.crashplansb = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Starts crashplan for small business background service. - ''; - }; - maxRam = mkOption { - default = "1024m"; - example = "2G"; - type = types.str; - description = '' - Maximum amount of ram that the crashplan engine should use. - ''; - }; - openPorts = mkOption { - description = "Open ports in the firewall for crashplan."; - default = true; - type = types.bool; - }; - ports = mkOption { - # https://support.code42.com/Administrator/6/Planning_and_installing/TCP_and_UDP_ports_used_by_the_Code42_platform - # used ports can also be checked in the desktop app console using the command connection.info - description = "which ports to open."; - default = [ 4242 4243 4244 4247 ]; - type = types.listOf types.int; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ crashplansb ]; - networking.firewall.allowedTCPPorts = mkIf cfg.openPorts cfg.ports; - - systemd.services.crashplansb = { - description = "CrashPlan Backup Engine"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" ]; - - preStart = '' - install -d -m 755 ${crashplansb.vardir} - install -d -m 700 ${crashplansb.vardir}/conf - install -d -m 700 ${crashplansb.manifestdir} - install -d -m 700 ${crashplansb.vardir}/cache - install -d -m 700 ${crashplansb.vardir}/backupArchives - install -d -m 777 ${crashplansb.vardir}/log - cp -avn ${crashplansb}/conf.template/* ${crashplansb.vardir}/conf - ''; - - serviceConfig = { - Type = "forking"; - EnvironmentFile = "${crashplansb}/bin/run.conf"; - ExecStart = "${crashplansb}/bin/CrashPlanEngine start"; - ExecStop = "${crashplansb}/bin/CrashPlanEngine stop"; - PIDFile = "${crashplansb.vardir}/CrashPlanEngine.pid"; - WorkingDirectory = crashplansb; - }; - }; - }; -} diff --git a/nixos/modules/services/backup/crashplan.nix b/nixos/modules/services/backup/crashplan.nix deleted file mode 100644 index c540cc6e2aee..000000000000 --- a/nixos/modules/services/backup/crashplan.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - cfg = config.services.crashplan; - crashplan = pkgs.crashplan; -in - -with lib; - -{ - options = { - services.crashplan = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Starts crashplan background service. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ crashplan ]; - - systemd.services.crashplan = { - description = "CrashPlan Backup Engine"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" ]; - - preStart = '' - ensureDir() { - dir=$1 - mode=$2 - - if ! test -e $dir; then - ${pkgs.coreutils}/bin/mkdir -m $mode -p $dir - elif [ "$(${pkgs.coreutils}/bin/stat -c %a $dir)" != "$mode" ]; then - ${pkgs.coreutils}/bin/chmod $mode $dir - fi - } - - ensureDir ${crashplan.vardir} 755 - ensureDir ${crashplan.vardir}/conf 700 - ensureDir ${crashplan.manifestdir} 700 - ensureDir ${crashplan.vardir}/cache 700 - ensureDir ${crashplan.vardir}/backupArchives 700 - ensureDir ${crashplan.vardir}/log 777 - cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf - for x in app.asar bin install.vars lang lib libc42archive64.so libc52archive.so libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libleveldb64.so libleveldb.so libmd564.so libmd5.so share skin upgrade; do - rm -f ${crashplan.vardir}/$x; - ln -sf ${crashplan}/$x ${crashplan.vardir}/$x; - done - ''; - - serviceConfig = { - Type = "forking"; - EnvironmentFile = "${crashplan}/bin/run.conf"; - ExecStart = "${crashplan}/bin/CrashPlanEngine start"; - ExecStop = "${crashplan}/bin/CrashPlanEngine stop"; - PIDFile = "${crashplan.vardir}/CrashPlanEngine.pid"; - WorkingDirectory = crashplan; - }; - }; - }; -} diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix index ba6e154f6b3d..dbd5605143f6 100644 --- a/nixos/modules/services/backup/mysql-backup.nix +++ b/nixos/modules/services/backup/mysql-backup.nix @@ -103,7 +103,7 @@ in }]; systemd = { - timers."mysql-backup" = { + timers.mysql-backup = { description = "Mysql backup timer"; wantedBy = [ "timers.target" ]; timerConfig = { @@ -112,7 +112,7 @@ in Unit = "mysql-backup.service"; }; }; - services."mysql-backup" = { + services.mysql-backup = { description = "Mysql backup service"; enable = true; serviceConfig = { diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index 17b410a97f3e..13a36ae32ac0 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -81,7 +81,7 @@ in { }; pgdumpOptions = mkOption { - type = types.string; + type = types.separatedString " "; default = "-Cbo"; description = '' Command line options for pg_dump. This options is not used diff --git a/nixos/modules/services/backup/rsnapshot.nix b/nixos/modules/services/backup/rsnapshot.nix index bb5dcab1dcf2..6635a51ec2c6 100644 --- a/nixos/modules/services/backup/rsnapshot.nix +++ b/nixos/modules/services/backup/rsnapshot.nix @@ -2,7 +2,7 @@ with lib; -let +let cfg = config.services.rsnapshot; cfgfile = pkgs.writeText "rsnapshot.conf" '' config_version 1.2 @@ -52,7 +52,7 @@ in cronIntervals = mkOption { default = {}; example = { hourly = "0 * * * *"; daily = "50 21 * * *"; }; - type = types.attrsOf types.string; + type = types.attrsOf types.str; description = '' Periodicity at which intervals should be run by cron. Note that the intervals also have to exist in configuration diff --git a/nixos/modules/services/backup/tsm.nix b/nixos/modules/services/backup/tsm.nix index 3b2bb37491b5..6c238745797e 100644 --- a/nixos/modules/services/backup/tsm.nix +++ b/nixos/modules/services/backup/tsm.nix @@ -78,7 +78,7 @@ in config = mkIf cfg.enable { inherit assertions; programs.tsmClient.enable = true; - programs.tsmClient.servers."${cfg.servername}".passwdDir = + programs.tsmClient.servers.${cfg.servername}.passwdDir = mkDefault "/var/lib/tsm-backup/password"; systemd.services.tsm-backup = { description = "IBM Spectrum Protect (Tivoli Storage Manager) Backup"; diff --git a/nixos/modules/services/backup/zfs-replication.nix b/nixos/modules/services/backup/zfs-replication.nix index 785cedb98694..5a64304275d5 100644 --- a/nixos/modules/services/backup/zfs-replication.nix +++ b/nixos/modules/services/backup/zfs-replication.nix @@ -60,7 +60,7 @@ in { pkgs.lz4 ]; - systemd.services."zfs-replication" = { + systemd.services.zfs-replication = { after = [ "zfs-snapshot-daily.service" "zfs-snapshot-frequent.service" diff --git a/nixos/modules/services/backup/znapzend.nix b/nixos/modules/services/backup/znapzend.nix index 9c7f84655727..f317078ddda2 100644 --- a/nixos/modules/services/backup/znapzend.nix +++ b/nixos/modules/services/backup/znapzend.nix @@ -361,7 +361,7 @@ in environment.systemPackages = [ pkgs.znapzend ]; systemd.services = { - "znapzend" = { + znapzend = { description = "ZnapZend - ZFS Backup System"; wantedBy = [ "zfs.target" ]; after = [ "zfs.target" ]; diff --git a/nixos/modules/services/cluster/hadoop/hdfs.nix b/nixos/modules/services/cluster/hadoop/hdfs.nix index a38b6a78d3a5..4f4b0a92108f 100644 --- a/nixos/modules/services/cluster/hadoop/hdfs.nix +++ b/nixos/modules/services/cluster/hadoop/hdfs.nix @@ -24,7 +24,7 @@ with lib; config = mkMerge [ (mkIf cfg.hdfs.namenode.enabled { - systemd.services."hdfs-namenode" = { + systemd.services.hdfs-namenode = { description = "Hadoop HDFS NameNode"; wantedBy = [ "multi-user.target" ]; @@ -44,7 +44,7 @@ with lib; }; }) (mkIf cfg.hdfs.datanode.enabled { - systemd.services."hdfs-datanode" = { + systemd.services.hdfs-datanode = { description = "Hadoop HDFS DataNode"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/cluster/hadoop/yarn.nix b/nixos/modules/services/cluster/hadoop/yarn.nix index 5345a2732d7e..c92020637e47 100644 --- a/nixos/modules/services/cluster/hadoop/yarn.nix +++ b/nixos/modules/services/cluster/hadoop/yarn.nix @@ -35,7 +35,7 @@ with lib; }) (mkIf cfg.yarn.resourcemanager.enabled { - systemd.services."yarn-resourcemanager" = { + systemd.services.yarn-resourcemanager = { description = "Hadoop YARN ResourceManager"; wantedBy = [ "multi-user.target" ]; @@ -53,7 +53,7 @@ with lib; }) (mkIf cfg.yarn.nodemanager.enabled { - systemd.services."yarn-nodemanager" = { + systemd.services.yarn-nodemanager = { description = "Hadoop YARN NodeManager"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index ad7d17c9c283..17f2dde31a71 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -62,50 +62,19 @@ in ''; }; - enable = mkEnableOption "Kubernetes addon manager"; - - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager"; - bootstrapAddonsKubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager bootstrap"; + enable = mkEnableOption "Whether to enable Kubernetes addon manager."; }; ###### implementation - config = let - - addonManagerPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - bootstrapAddonsPaths = filter (a: a != null) [ - cfg.bootstrapAddonsKubeconfig.caFile - cfg.bootstrapAddonsKubeconfig.certFile - cfg.bootstrapAddonsKubeconfig.keyFile - ]; - - in mkIf cfg.enable { + config = mkIf cfg.enable { environment.etc."kubernetes/addons".source = "${addons}/"; - #TODO: Get rid of kube-addon-manager in the future for the following reasons - # - it is basically just a shell script wrapped around kubectl - # - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount - # - it is designed to be used with k8s system components only - # - it would be better with a more Nix-oriented way of managing addons systemd.services.kube-addon-manager = { description = "Kubernetes addon manager"; wantedBy = [ "kubernetes.target" ]; - after = [ "kube-node-online.target" ]; - before = [ "kubernetes.target" ]; - environment = { - ADDON_PATH = "/etc/kubernetes/addons/"; - KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager" cfg.kubeconfig; - }; - path = with pkgs; [ gawk kubectl ]; - preStart = '' - until kubectl -n kube-system get serviceaccounts/default 2>/dev/null; do - echo kubectl -n kube-system get serviceaccounts/default: exit status $? - sleep 2 - done - ''; + after = [ "kube-apiserver.service" ]; + environment.ADDON_PATH = "/etc/kubernetes/addons/"; + path = [ pkgs.gawk ]; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = "${top.package}/bin/kube-addons"; @@ -115,52 +84,8 @@ in Restart = "on-failure"; RestartSec = 10; }; - unitConfig.ConditionPathExists = addonManagerPaths; }; - systemd.paths.kube-addon-manager = { - wantedBy = [ "kube-addon-manager.service" ]; - pathConfig = { - PathExists = addonManagerPaths; - PathChanged = addonManagerPaths; - }; - }; - - services.kubernetes.addonManager.kubeconfig.server = mkDefault top.apiserverAddress; - - systemd.services.kube-addon-manager-bootstrap = mkIf (top.apiserver.enable && top.addonManager.bootstrapAddons != {}) { - wantedBy = [ "kube-control-plane-online.target" ]; - after = [ "kube-apiserver.service" ]; - before = [ "kube-control-plane-online.target" ]; - path = [ pkgs.kubectl ]; - environment = { - KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager-bootstrap" cfg.bootstrapAddonsKubeconfig; - }; - preStart = with pkgs; let - files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v)) - cfg.bootstrapAddons; - in '' - until kubectl auth can-i '*' '*' -q 2>/dev/null; do - echo kubectl auth can-i '*' '*': exit status $? - sleep 2 - done - - kubectl apply -f ${concatStringsSep " \\\n -f " files} - ''; - script = "echo Ok"; - unitConfig.ConditionPathExists = bootstrapAddonsPaths; - }; - - systemd.paths.kube-addon-manager-bootstrap = { - wantedBy = [ "kube-addon-manager-bootstrap.service" ]; - pathConfig = { - PathExists = bootstrapAddonsPaths; - PathChanged = bootstrapAddonsPaths; - }; - }; - - services.kubernetes.addonManager.bootstrapAddonsKubeconfig.server = mkDefault top.apiserverAddress; - services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled (let name = system:kube-addon-manager; diff --git a/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix b/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix index 2295694ffc74..70f96d75a461 100644 --- a/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix +++ b/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix @@ -74,7 +74,7 @@ in { spec = { replicas = 1; revisionHistoryLimit = 10; - selector.matchLabels."k8s-app" = "kubernetes-dashboard"; + selector.matchLabels.k8s-app = "kubernetes-dashboard"; template = { metadata = { labels = { @@ -169,23 +169,6 @@ in { }; }; - kubernetes-dashboard-cm = { - apiVersion = "v1"; - kind = "ConfigMap"; - metadata = { - labels = { - k8s-app = "kubernetes-dashboard"; - # Allows editing resource and makes sure it is created first. - "addonmanager.kubernetes.io/mode" = "EnsureExists"; - }; - name = "kubernetes-dashboard-settings"; - namespace = "kube-system"; - }; - }; - }; - - services.kubernetes.addonManager.bootstrapAddons = mkMerge [{ - kubernetes-dashboard-sa = { apiVersion = "v1"; kind = "ServiceAccount"; @@ -227,9 +210,20 @@ in { }; type = "Opaque"; }; - } - - (optionalAttrs cfg.rbac.enable + kubernetes-dashboard-cm = { + apiVersion = "v1"; + kind = "ConfigMap"; + metadata = { + labels = { + k8s-app = "kubernetes-dashboard"; + # Allows editing resource and makes sure it is created first. + "addonmanager.kubernetes.io/mode" = "EnsureExists"; + }; + name = "kubernetes-dashboard-settings"; + namespace = "kube-system"; + }; + }; + } // (optionalAttrs cfg.rbac.enable (let subjects = [{ kind = "ServiceAccount"; @@ -329,6 +323,6 @@ in { inherit subjects; }; }) - ))]; + )); }; } diff --git a/nixos/modules/services/cluster/kubernetes/addons/dns.nix b/nixos/modules/services/cluster/kubernetes/addons/dns.nix index ee0ac632ecf0..47e588de3c93 100644 --- a/nixos/modules/services/cluster/kubernetes/addons/dns.nix +++ b/nixos/modules/services/cluster/kubernetes/addons/dns.nix @@ -73,7 +73,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/bootstrapping" = "rbac-defaults"; }; @@ -102,7 +102,7 @@ in { }; labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/bootstrapping" = "rbac-defaults"; }; @@ -130,7 +130,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; }; name = "coredns"; @@ -144,7 +144,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = cfg.reconcileMode; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; }; name = "coredns"; @@ -175,7 +175,7 @@ in { metadata = { labels = { "addonmanager.kubernetes.io/mode" = cfg.reconcileMode; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/name" = "CoreDNS"; }; @@ -301,7 +301,7 @@ in { }; labels = { "addonmanager.kubernetes.io/mode" = "Reconcile"; - "k8s-app" = "kube-dns"; + k8s-app = "kube-dns"; "kubernetes.io/cluster-service" = "true"; "kubernetes.io/name" = "CoreDNS"; }; diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index f293dd79f42a..33796bf2e080 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -290,32 +290,11 @@ in ###### implementation config = mkMerge [ - (let - - apiserverPaths = filter (a: a != null) [ - cfg.clientCaFile - cfg.etcd.caFile - cfg.etcd.certFile - cfg.etcd.keyFile - cfg.kubeletClientCaFile - cfg.kubeletClientCertFile - cfg.kubeletClientKeyFile - cfg.serviceAccountKeyFile - cfg.tlsCertFile - cfg.tlsKeyFile - ]; - etcdPaths = filter (a: a != null) [ - config.services.etcd.trustedCaFile - config.services.etcd.certFile - config.services.etcd.keyFile - ]; - - in mkIf cfg.enable { + (mkIf cfg.enable { systemd.services.kube-apiserver = { description = "Kubernetes APIServer Service"; - wantedBy = [ "kube-control-plane-online.target" ]; - after = [ "certmgr.service" ]; - before = [ "kube-control-plane-online.target" ]; + wantedBy = [ "kubernetes.target" ]; + after = [ "network.target" ]; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-apiserver \ @@ -386,15 +365,6 @@ in Restart = "on-failure"; RestartSec = 5; }; - unitConfig.ConditionPathExists = apiserverPaths; - }; - - systemd.paths.kube-apiserver = mkIf top.apiserver.enable { - wantedBy = [ "kube-apiserver.service" ]; - pathConfig = { - PathExists = apiserverPaths; - PathChanged = apiserverPaths; - }; }; services.etcd = { @@ -408,18 +378,6 @@ in initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"]; }; - systemd.services.etcd = { - unitConfig.ConditionPathExists = etcdPaths; - }; - - systemd.paths.etcd = { - wantedBy = [ "etcd.service" ]; - pathConfig = { - PathExists = etcdPaths; - PathChanged = etcdPaths; - }; - }; - services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled { apiserver-kubelet-api-admin-crb = { diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index b94e8bd86d4c..0b73d090f241 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -104,31 +104,11 @@ in }; ###### implementation - config = let - - controllerManagerPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - cfg.rootCaFile - cfg.serviceAccountKeyFile - cfg.tlsCertFile - cfg.tlsKeyFile - ]; - - in mkIf cfg.enable { - systemd.services.kube-controller-manager = rec { + config = mkIf cfg.enable { + systemd.services.kube-controller-manager = { description = "Kubernetes Controller Manager Service"; - wantedBy = [ "kube-control-plane-online.target" ]; + wantedBy = [ "kubernetes.target" ]; after = [ "kube-apiserver.service" ]; - before = [ "kube-control-plane-online.target" ]; - environment.KUBECONFIG = top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig; - preStart = '' - until kubectl auth can-i get /api -q 2>/dev/null; do - echo kubectl auth can-i get /api: exit status $? - sleep 2 - done - ''; serviceConfig = { RestartSec = "30s"; Restart = "on-failure"; @@ -140,7 +120,7 @@ in "--cluster-cidr=${cfg.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${environment.KUBECONFIG} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ ${optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ @@ -161,16 +141,7 @@ in User = "kubernetes"; Group = "kubernetes"; }; - path = top.path ++ [ pkgs.kubectl ]; - unitConfig.ConditionPathExists = controllerManagerPaths; - }; - - systemd.paths.kube-controller-manager = { - wantedBy = [ "kube-controller-manager.service" ]; - pathConfig = { - PathExists = controllerManagerPaths; - PathChanged = controllerManagerPaths; - }; + path = top.path; }; services.kubernetes.pki.certs = with top.lib; { diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 143b41f57f6a..3790ac9b6918 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -256,29 +256,6 @@ in { wantedBy = [ "multi-user.target" ]; }; - systemd.targets.kube-control-plane-online = { - wantedBy = [ "kubernetes.target" ]; - before = [ "kubernetes.target" ]; - }; - - systemd.services.kube-control-plane-online = rec { - description = "Kubernetes control plane is online"; - wantedBy = [ "kube-control-plane-online.target" ]; - after = [ "kube-scheduler.service" "kube-controller-manager.service" ]; - before = [ "kube-control-plane-online.target" ]; - path = [ pkgs.curl ]; - preStart = '' - until curl -Ssf ${cfg.apiserverAddress}/healthz do - echo curl -Ssf ${cfg.apiserverAddress}/healthz: exit status $? - sleep 3 - done - ''; - script = "echo Ok"; - serviceConfig = { - TimeoutSec = "500"; - }; - }; - systemd.tmpfiles.rules = [ "d /opt/cni/bin 0755 root root -" "d /run/kubernetes 0755 kubernetes kubernetes -" @@ -302,8 +279,6 @@ in { services.kubernetes.apiserverAddress = mkDefault ("https://${if cfg.apiserver.advertiseAddress != null then cfg.apiserver.advertiseAddress else "${cfg.masterAddress}:${toString cfg.apiserver.securePort}"}"); - - services.kubernetes.kubeconfig.server = mkDefault cfg.apiserverAddress; }) ]; } diff --git a/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixos/modules/services/cluster/kubernetes/flannel.nix index d9437427d6d1..d799e638fc94 100644 --- a/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -14,36 +14,25 @@ let buildInputs = [ pkgs.makeWrapper ]; } '' mkdir -p $out - cp ${pkgs.kubernetes.src}/cluster/centos/node/bin/mk-docker-opts.sh $out/mk-docker-opts.sh # bashInteractive needed for `compgen` - makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "$out/mk-docker-opts.sh" + makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "${pkgs.kubernetes}/bin/mk-docker-opts.sh" ''; in { ###### interface options.services.kubernetes.flannel = { - enable = mkEnableOption "flannel networking"; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes flannel"; + enable = mkEnableOption "enable flannel networking"; }; ###### implementation - config = let - - flannelPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - kubeconfig = top.lib.mkKubeConfig "flannel" cfg.kubeconfig; - - in mkIf cfg.enable { + config = mkIf cfg.enable { services.flannel = { enable = mkDefault true; network = mkDefault top.clusterCidr; - inherit storageBackend kubeconfig; - nodeName = top.kubelet.hostname; + inherit storageBackend; + nodeName = config.services.kubernetes.kubelet.hostname; }; services.kubernetes.kubelet = { @@ -60,64 +49,22 @@ in systemd.services.mk-docker-opts = { description = "Pre-Docker Actions"; - wantedBy = [ "flannel.target" ]; - before = [ "flannel.target" ]; path = with pkgs; [ gawk gnugrep ]; script = '' ${mkDockerOpts}/mk-docker-opts -d /run/flannel/docker systemctl restart docker ''; - unitConfig.ConditionPathExists = [ "/run/flannel/subnet.env" ]; serviceConfig.Type = "oneshot"; }; systemd.paths.flannel-subnet-env = { - wantedBy = [ "mk-docker-opts.service" ]; - pathConfig = { - PathExists = [ "/run/flannel/subnet.env" ]; - PathChanged = [ "/run/flannel/subnet.env" ]; - Unit = "mk-docker-opts.service"; - }; - }; - - systemd.targets.flannel = { - wantedBy = [ "kube-node-online.target" ]; - before = [ "kube-node-online.target" ]; - }; - - systemd.services.flannel = { - wantedBy = [ "flannel.target" ]; - after = [ "kubelet.target" ]; - before = [ "flannel.target" ]; - path = with pkgs; [ iptables kubectl ]; - environment.KUBECONFIG = kubeconfig; - preStart = let - args = [ - "--selector=kubernetes.io/hostname=${top.kubelet.hostname}" - # flannel exits if node is not registered yet, before that there is no podCIDR - "--output=jsonpath={.items[0].spec.podCIDR}" - # if jsonpath cannot be resolved exit with status 1 - "--allow-missing-template-keys=false" - ]; - in '' - until kubectl get nodes ${concatStringsSep " " args} 2>/dev/null; do - echo Waiting for ${top.kubelet.hostname} to be RegisteredNode - sleep 1 - done - ''; - unitConfig.ConditionPathExists = flannelPaths; - }; - - systemd.paths.flannel = { wantedBy = [ "flannel.service" ]; pathConfig = { - PathExists = flannelPaths; - PathChanged = flannelPaths; + PathModified = "/run/flannel/subnet.env"; + Unit = "mk-docker-opts.service"; }; }; - services.kubernetes.flannel.kubeconfig.server = mkDefault top.apiserverAddress; - systemd.services.docker = { environment.DOCKER_OPTS = "-b none"; serviceConfig.EnvironmentFile = "-/run/flannel/docker"; @@ -144,6 +91,7 @@ in # give flannel som kubernetes rbac permissions if applicable services.kubernetes.addonManager.bootstrapAddons = mkIf ((storageBackend == "kubernetes") && (elem "RBAC" top.apiserver.authorizationMode)) { + flannel-cr = { apiVersion = "rbac.authorization.k8s.io/v1beta1"; kind = "ClusterRole"; @@ -179,6 +127,7 @@ in name = "flannel-client"; }]; }; + }; }; } diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 4c5df96bcc6a..250da4c807ec 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -61,12 +61,6 @@ in type = str; }; - allowPrivileged = mkOption { - description = "Whether to allow Kubernetes containers to request privileged mode."; - default = false; - type = bool; - }; - clusterDns = mkOption { description = "Use alternative DNS."; default = "10.1.0.1"; @@ -234,28 +228,21 @@ in ###### implementation config = mkMerge [ - (let - - kubeletPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - cfg.clientCaFile - cfg.tlsCertFile - cfg.tlsKeyFile - ]; - - in mkIf cfg.enable { + (mkIf cfg.enable { services.kubernetes.kubelet.seedDockerImages = [infraContainer]; systemd.services.kubelet = { description = "Kubernetes Kubelet Service"; - wantedBy = [ "kubelet.target" ]; - after = [ "kube-control-plane-online.target" ]; - before = [ "kubelet.target" ]; + wantedBy = [ "kubernetes.target" ]; + after = [ "network.target" "docker.service" "kube-apiserver.service" ]; path = with pkgs; [ gitMinimal openssh docker utillinux iproute ethtool thin-provisioning-tools iptables socat ] ++ top.path; preStart = '' - rm -f /opt/cni/bin/* || true + ${concatMapStrings (img: '' + echo "Seeding docker image: ${img}" + docker load <${img} + '') cfg.seedDockerImages} + + rm /opt/cni/bin/* || true ${concatMapStrings (package: '' echo "Linking cni package: ${package}" ln -fs ${package}/bin/* /opt/cni/bin @@ -269,7 +256,6 @@ in RestartSec = "1000ms"; ExecStart = ''${top.package}/bin/kubelet \ --address=${cfg.address} \ - --allow-privileged=${boolToString cfg.allowPrivileged} \ --authentication-token-webhook \ --authentication-token-webhook-cache-ttl="10s" \ --authorization-mode=Webhook \ @@ -308,56 +294,6 @@ in ''; WorkingDirectory = top.dataDir; }; - unitConfig.ConditionPathExists = kubeletPaths; - }; - - systemd.paths.kubelet = { - wantedBy = [ "kubelet.service" ]; - pathConfig = { - PathExists = kubeletPaths; - PathChanged = kubeletPaths; - }; - }; - - systemd.services.docker.before = [ "kubelet.service" ]; - - systemd.services.docker-seed-images = { - wantedBy = [ "docker.service" ]; - after = [ "docker.service" ]; - before = [ "kubelet.service" ]; - path = with pkgs; [ docker ]; - preStart = '' - ${concatMapStrings (img: '' - echo "Seeding docker image: ${img}" - docker load <${img} - '') cfg.seedDockerImages} - ''; - script = "echo Ok"; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - serviceConfig.Slice = "kubernetes.slice"; - }; - - systemd.services.kubelet-online = { - wantedBy = [ "kube-node-online.target" ]; - after = [ "flannel.target" "kubelet.target" ]; - before = [ "kube-node-online.target" ]; - # it is complicated. flannel needs kubelet to run the pause container before - # it discusses the node CIDR with apiserver and afterwards configures and restarts - # dockerd. Until then prevent creating any pods because they have to be recreated anyway - # because the network of docker0 has been changed by flannel. - script = let - docker-env = "/run/flannel/docker"; - flannel-date = "stat --print=%Y ${docker-env}"; - docker-date = "systemctl show --property=ActiveEnterTimestamp --value docker"; - in '' - until test -f ${docker-env} ; do sleep 1 ; done - while test `${flannel-date}` -gt `date +%s --date="$(${docker-date})"` ; do - sleep 1 - done - ''; - serviceConfig.Type = "oneshot"; - serviceConfig.Slice = "kubernetes.slice"; }; # Allways include cni plugins @@ -404,16 +340,5 @@ in }; }) - { - systemd.targets.kubelet = { - wantedBy = [ "kube-node-online.target" ]; - before = [ "kube-node-online.target" ]; - }; - - systemd.targets.kube-node-online = { - wantedBy = [ "kubernetes.target" ]; - before = [ "kubernetes.target" ]; - }; - } ]; } diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 47384ae50a07..733479e24c97 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -27,11 +27,12 @@ let certmgrAPITokenPath = "${top.secretsPath}/${cfsslAPITokenBaseName}"; cfsslAPITokenLength = 32; - clusterAdminKubeconfig = with cfg.certs.clusterAdmin; { - server = top.apiserverAddress; - certFile = cert; - keyFile = key; - }; + clusterAdminKubeconfig = with cfg.certs.clusterAdmin; + top.lib.mkKubeConfig "cluster-admin" { + server = top.apiserverAddress; + certFile = cert; + keyFile = key; + }; remote = with config.services; "https://${kubernetes.masterAddress}:${toString cfssl.port}"; in @@ -118,11 +119,6 @@ in cfsslCertPathPrefix = "${config.services.cfssl.dataDir}/cfssl"; cfsslCert = "${cfsslCertPathPrefix}.pem"; cfsslKey = "${cfsslCertPathPrefix}-key.pem"; - - certmgrPaths = [ - top.caFile - certmgrAPITokenPath - ]; in { @@ -172,40 +168,13 @@ in chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}" '')]); - systemd.targets.cfssl-online = { - wantedBy = [ "network-online.target" ]; - after = [ "cfssl.service" "network-online.target" "cfssl-online.service" ]; - }; - - systemd.services.cfssl-online = { - description = "Wait for ${remote} to be reachable."; - wantedBy = [ "cfssl-online.target" ]; - before = [ "cfssl-online.target" ]; - path = [ pkgs.curl ]; - preStart = '' - until curl --fail-early -fskd '{}' ${remote}/api/v1/cfssl/info -o /dev/null; do - echo curl ${remote}/api/v1/cfssl/info: exit status $? - sleep 2 - done - ''; - script = "echo Ok"; - serviceConfig = { - TimeoutSec = "300"; - }; - }; - systemd.services.kube-certmgr-bootstrap = { description = "Kubernetes certmgr bootstrapper"; - wantedBy = [ "cfssl-online.target" ]; - after = [ "cfssl-online.target" ]; - before = [ "certmgr.service" ]; - path = with pkgs; [ curl cfssl ]; + wantedBy = [ "certmgr.service" ]; + after = [ "cfssl.target" ]; script = concatStringsSep "\n" ['' set -e - mkdir -p $(dirname ${certmgrAPITokenPath}) - mkdir -p $(dirname ${top.caFile}) - # If there's a cfssl (cert issuer) running locally, then don't rely on user to # manually paste it in place. Just symlink. # otherwise, create the target file, ready for users to insert the token @@ -217,18 +186,15 @@ in fi '' (optionalString (cfg.pkiTrustOnBootstrap) '' - if [ ! -s "${top.caFile}" ]; then - until test -s ${top.caFile}.json; do - sleep 2 - curl --fail-early -fskd '{}' ${remote}/api/v1/cfssl/info -o ${top.caFile}.json - done - cfssljson -f ${top.caFile}.json -stdout >${top.caFile} - rm ${top.caFile}.json + if [ ! -f "${top.caFile}" ] || [ $(cat "${top.caFile}" | wc -c) -lt 1 ]; then + ${pkgs.curl}/bin/curl --fail-early -f -kd '{}' ${remote}/api/v1/cfssl/info | \ + ${pkgs.cfssl}/bin/cfssljson -stdout >${top.caFile} fi '') ]; serviceConfig = { - TimeoutSec = "500"; + RestartSec = "10s"; + Restart = "on-failure"; }; }; @@ -264,28 +230,35 @@ in mapAttrs mkSpec cfg.certs; }; - systemd.services.certmgr = { - wantedBy = [ "cfssl-online.target" ]; - after = [ "cfssl-online.target" "kube-certmgr-bootstrap.service" ]; - preStart = '' - while ! test -s ${certmgrAPITokenPath} ; do - sleep 1 - echo Waiting for ${certmgrAPITokenPath} - done - ''; - unitConfig.ConditionPathExists = certmgrPaths; - }; - - systemd.paths.certmgr = { - wantedBy = [ "certmgr.service" ]; - pathConfig = { - PathExists = certmgrPaths; - PathChanged = certmgrPaths; - }; - }; - - environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (cfg.etcClusterAdminKubeconfig != null) - (top.lib.mkKubeConfig "cluster-admin" clusterAdminKubeconfig); + #TODO: Get rid of kube-addon-manager in the future for the following reasons + # - it is basically just a shell script wrapped around kubectl + # - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount + # - it is designed to be used with k8s system components only + # - it would be better with a more Nix-oriented way of managing addons + systemd.services.kube-addon-manager = mkIf top.addonManager.enable (mkMerge [{ + environment.KUBECONFIG = with cfg.certs.addonManager; + top.lib.mkKubeConfig "addon-manager" { + server = top.apiserverAddress; + certFile = cert; + keyFile = key; + }; + } + + (optionalAttrs (top.addonManager.bootstrapAddons != {}) { + serviceConfig.PermissionsStartOnly = true; + preStart = with pkgs; + let + files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v)) + top.addonManager.bootstrapAddons; + in + '' + export KUBECONFIG=${clusterAdminKubeconfig} + ${kubectl}/bin/kubectl apply -f ${concatStringsSep " \\\n -f " files} + ''; + })]); + + environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig) + clusterAdminKubeconfig; environment.systemPackages = mkIf (top.kubelet.enable || top.proxy.enable) [ (pkgs.writeScriptBin "nixos-kubernetes-node-join" '' @@ -311,22 +284,38 @@ in exit 1 fi - do_restart=$(test -s ${certmgrAPITokenPath} && echo -n y || echo -n n) - echo $token > ${certmgrAPITokenPath} chmod 600 ${certmgrAPITokenPath} - if [ y = $do_restart ]; then - echo "Restarting certmgr..." >&1 - systemctl restart certmgr - fi + echo "Restarting certmgr..." >&1 + systemctl restart certmgr + + echo "Waiting for certs to appear..." >&1 + + ${optionalString top.kubelet.enable '' + while [ ! -f ${cfg.certs.kubelet.cert} ]; do sleep 1; done + echo "Restarting kubelet..." >&1 + systemctl restart kubelet + ''} + + ${optionalString top.proxy.enable '' + while [ ! -f ${cfg.certs.kubeProxyClient.cert} ]; do sleep 1; done + echo "Restarting kube-proxy..." >&1 + systemctl restart kube-proxy + ''} - echo "Node joined succesfully" >&1 + ${optionalString top.flannel.enable '' + while [ ! -f ${cfg.certs.flannelClient.cert} ]; do sleep 1; done + echo "Restarting flannel..." >&1 + systemctl restart flannel + ''} + + echo "Node joined succesfully" '')]; # isolate etcd on loopback at the master node # easyCerts doesn't support multimaster clusters anyway atm. - services.etcd = mkIf top.apiserver.enable (with cfg.certs.etcd; { + services.etcd = with cfg.certs.etcd; { listenClientUrls = ["https://127.0.0.1:2379"]; listenPeerUrls = ["https://127.0.0.1:2380"]; advertiseClientUrls = ["https://etcd.local:2379"]; @@ -335,11 +324,19 @@ in certFile = mkDefault cert; keyFile = mkDefault key; trustedCaFile = mkDefault caCert; - }); + }; networking.extraHosts = mkIf (config.services.etcd.enable) '' 127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local ''; + services.flannel = with cfg.certs.flannelClient; { + kubeconfig = top.lib.mkKubeConfig "flannel" { + server = top.apiserverAddress; + certFile = cert; + keyFile = key; + }; + }; + services.kubernetes = { apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; { @@ -359,13 +356,6 @@ in proxyClientCertFile = mkDefault cfg.certs.apiserverProxyClient.cert; proxyClientKeyFile = mkDefault cfg.certs.apiserverProxyClient.key; }); - addonManager = mkIf top.addonManager.enable { - kubeconfig = with cfg.certs.addonManager; { - certFile = mkDefault cert; - keyFile = mkDefault key; - }; - bootstrapAddonsKubeconfig = clusterAdminKubeconfig; - }; controllerManager = mkIf top.controllerManager.enable { serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.key; rootCaFile = cfg.certs.controllerManagerClient.caCert; @@ -374,12 +364,6 @@ in keyFile = mkDefault key; }; }; - flannel = mkIf top.flannel.enable { - kubeconfig = with cfg.certs.flannelClient; { - certFile = cert; - keyFile = key; - }; - }; scheduler = mkIf top.scheduler.enable { kubeconfig = with cfg.certs.schedulerClient; { certFile = mkDefault cert; diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 23f4d97b7030..bd4bf04ea833 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -45,28 +45,12 @@ in }; ###### implementation - config = let - - proxyPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - - in mkIf cfg.enable { - systemd.services.kube-proxy = rec { + config = mkIf cfg.enable { + systemd.services.kube-proxy = { description = "Kubernetes Proxy Service"; - wantedBy = [ "kube-node-online.target" ]; - after = [ "kubelet-online.service" ]; - before = [ "kube-node-online.target" ]; - environment.KUBECONFIG = top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig; - path = with pkgs; [ iptables conntrack_tools kubectl ]; - preStart = '' - until kubectl auth can-i get nodes/${top.kubelet.hostname} -q 2>/dev/null; do - echo kubectl auth can-i get nodes/${top.kubelet.hostname}: exit status $? - sleep 2 - done - ''; + wantedBy = [ "kubernetes.target" ]; + after = [ "kube-apiserver.service" ]; + path = with pkgs; [ iptables conntrack_tools ]; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-proxy \ @@ -75,7 +59,7 @@ in "--cluster-cidr=${top.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${environment.KUBECONFIG} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; @@ -83,15 +67,6 @@ in Restart = "on-failure"; RestartSec = 5; }; - unitConfig.ConditionPathExists = proxyPaths; - }; - - systemd.paths.kube-proxy = { - wantedBy = [ "kube-proxy.service" ]; - pathConfig = { - PathExists = proxyPaths; - PathChanged = proxyPaths; - }; }; services.kubernetes.pki.certs = { diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index a0e484542951..5f6113227d9d 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -56,35 +56,18 @@ in }; ###### implementation - config = let - - schedulerPaths = filter (a: a != null) [ - cfg.kubeconfig.caFile - cfg.kubeconfig.certFile - cfg.kubeconfig.keyFile - ]; - - in mkIf cfg.enable { - systemd.services.kube-scheduler = rec { + config = mkIf cfg.enable { + systemd.services.kube-scheduler = { description = "Kubernetes Scheduler Service"; - wantedBy = [ "kube-control-plane-online.target" ]; + wantedBy = [ "kubernetes.target" ]; after = [ "kube-apiserver.service" ]; - before = [ "kube-control-plane-online.target" ]; - environment.KUBECONFIG = top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig; - path = [ pkgs.kubectl ]; - preStart = '' - until kubectl auth can-i get /api -q 2>/dev/null; do - echo kubectl auth can-i get /api: exit status $? - sleep 2 - done - ''; serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-scheduler \ --address=${cfg.address} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${environment.KUBECONFIG} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ --port=${toString cfg.port} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ @@ -96,15 +79,6 @@ in Restart = "on-failure"; RestartSec = 5; }; - unitConfig.ConditionPathExists = schedulerPaths; - }; - - systemd.paths.kube-scheduler = { - wantedBy = [ "kube-scheduler.service" ]; - pathConfig = { - PathExists = schedulerPaths; - PathChanged = schedulerPaths; - }; }; services.kubernetes.pki.certs = { diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix index 7022751b3f01..a7edac025384 100644 --- a/nixos/modules/services/computing/boinc/client.nix +++ b/nixos/modules/services/computing/boinc/client.nix @@ -111,7 +111,7 @@ in systemd.services.boinc = { description = "BOINC Client"; - after = ["network.target" "local-fs.target"]; + after = ["network.target"]; wantedBy = ["multi-user.target"]; script = '' ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix index c7fe4eeeab99..500acb485620 100644 --- a/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixos/modules/services/continuous-integration/hydra/default.nix @@ -43,7 +43,7 @@ in ###### interface options = { - services.hydra = rec { + services.hydra = { enable = mkOption { type = types.bool; diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index a9da3a3c5620..90c094f68b61 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -259,7 +259,7 @@ in { ''; }; incrementalRepairOptions = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; example = [ "--partitioner-range" ]; description = '' @@ -267,7 +267,7 @@ in { ''; }; maxHeapSize = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "4G"; description = '' @@ -287,7 +287,7 @@ in { ''; }; heapNewSize = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "800M"; description = '' @@ -352,11 +352,11 @@ in { type = types.listOf (types.submodule { options = { username = mkOption { - type = types.string; + type = types.str; description = "Username for JMX"; }; password = mkOption { - type = types.string; + type = types.str; description = "Password for JMX"; }; }; @@ -397,14 +397,14 @@ in { } ]; users = mkIf (cfg.user == defaultUser) { - extraUsers."${defaultUser}" = + extraUsers.${defaultUser} = { group = cfg.group; home = cfg.homeDir; createHome = true; uid = config.ids.uids.cassandra; description = "Cassandra service user"; }; - extraGroups."${defaultUser}".gid = config.ids.gids.cassandra; + extraGroups.${defaultUser}.gid = config.ids.gids.cassandra; }; systemd.services.cassandra = diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index 77e404116c8a..53224db1d896 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -56,7 +56,7 @@ in { user = mkOption { - type = types.string; + type = types.str; default = "couchdb"; description = '' User account under which couchdb runs. @@ -64,7 +64,7 @@ in { }; group = mkOption { - type = types.string; + type = types.str; default = "couchdb"; description = '' Group account under which couchdb runs. @@ -106,7 +106,7 @@ in { }; bindAddress = mkOption { - type = types.string; + type = types.str; default = "127.0.0.1"; description = '' Defines the IP address by which CouchDB will be accessible. @@ -138,7 +138,7 @@ in { }; configFile = mkOption { - type = types.string; + type = types.path; description = '' Configuration file for persisting runtime changes. File needs to be readable and writable from couchdb user/group. diff --git a/nixos/modules/services/databases/foundationdb.nix b/nixos/modules/services/databases/foundationdb.nix index 3746b875c7f2..8f8d0da7c8d3 100644 --- a/nixos/modules/services/databases/foundationdb.nix +++ b/nixos/modules/services/databases/foundationdb.nix @@ -140,7 +140,7 @@ in }; logSize = mkOption { - type = types.string; + type = types.str; default = "10MiB"; description = '' Roll over to a new log file after the current log file @@ -149,7 +149,7 @@ in }; maxLogSize = mkOption { - type = types.string; + type = types.str; default = "100MiB"; description = '' Delete the oldest log file when the total size of all log @@ -171,7 +171,7 @@ in }; memory = mkOption { - type = types.string; + type = types.str; default = "8GiB"; description = '' Maximum memory used by the process. The default value is @@ -193,7 +193,7 @@ in }; storageMemory = mkOption { - type = types.string; + type = types.str; default = "1GiB"; description = '' Maximum memory used for data storage. The default value is diff --git a/nixos/modules/services/databases/hbase.nix b/nixos/modules/services/databases/hbase.nix index 589c8cf5ec80..2d1a47bbaa31 100644 --- a/nixos/modules/services/databases/hbase.nix +++ b/nixos/modules/services/databases/hbase.nix @@ -53,7 +53,7 @@ in { user = mkOption { - type = types.string; + type = types.str; default = "hbase"; description = '' User account under which HBase runs. @@ -61,7 +61,7 @@ in { }; group = mkOption { - type = types.string; + type = types.str; default = "hbase"; description = '' Group account under which HBase runs. diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix index 6868050c8446..2f176a038729 100644 --- a/nixos/modules/services/databases/influxdb.nix +++ b/nixos/modules/services/databases/influxdb.nix @@ -129,13 +129,13 @@ in user = mkOption { default = "influxdb"; description = "User account under which influxdb runs"; - type = types.string; + type = types.str; }; group = mkOption { default = "influxdb"; description = "Group under which influxdb runs"; - type = types.string; + type = types.str; }; dataDir = mkOption { diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix index c458a1d648a0..12879afed477 100644 --- a/nixos/modules/services/databases/mongodb.nix +++ b/nixos/modules/services/databases/mongodb.nix @@ -65,9 +65,9 @@ in default = false; description = "Enable client authentication. Creates a default superuser with username root!"; }; - + initialRootPassword = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = "Password for the root user if auth is enabled."; }; diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index d8e2c715afb9..5bf57a1bf9cb 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -47,26 +47,26 @@ in }; user = mkOption { - type = types.string; + type = types.str; default = "openldap"; description = "User account under which slapd runs."; }; group = mkOption { - type = types.string; + type = types.str; default = "openldap"; description = "Group account under which slapd runs."; }; urlList = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "ldap:///" ]; description = "URL list slapd should listen on."; example = [ "ldaps:///" ]; }; dataDir = mkOption { - type = types.string; + type = types.path; default = "/var/db/openldap"; description = "The database directory."; }; diff --git a/nixos/modules/services/databases/opentsdb.nix b/nixos/modules/services/databases/opentsdb.nix index b26fa9093ef4..c4bd71f3d60e 100644 --- a/nixos/modules/services/databases/opentsdb.nix +++ b/nixos/modules/services/databases/opentsdb.nix @@ -34,7 +34,7 @@ in { }; user = mkOption { - type = types.string; + type = types.str; default = "opentsdb"; description = '' User account under which OpenTSDB runs. @@ -42,7 +42,7 @@ in { }; group = mkOption { - type = types.string; + type = types.str; default = "opentsdb"; description = '' Group account under which OpenTSDB runs. diff --git a/nixos/modules/services/databases/pgmanage.nix b/nixos/modules/services/databases/pgmanage.nix index 1050c2dd481a..0f8634dab319 100644 --- a/nixos/modules/services/databases/pgmanage.nix +++ b/nixos/modules/services/databases/pgmanage.nix @@ -59,8 +59,8 @@ in { type = types.attrsOf types.str; default = {}; example = { - "nuc-server" = "hostaddr=192.168.0.100 port=5432 dbname=postgres"; - "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; + nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres"; + mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; }; description = '' pgmanage requires at least one PostgreSQL server be defined. @@ -192,13 +192,13 @@ in { }; }; users = { - users."${pgmanage}" = { + users.${pgmanage} = { name = pgmanage; group = pgmanage; home = cfg.sqlRoot; createHome = true; }; - groups."${pgmanage}" = { + groups.${pgmanage} = { name = pgmanage; }; }; diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 10250bb5193a..7bba4dacddcc 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -81,6 +81,10 @@ in default = ""; description = '' Defines the mapping from system users to database users. + + The general form is: + + map-name system-username database-username ''; }; @@ -224,7 +228,7 @@ in # systems! mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql_9_5 - else pkgs.postgresql_9_4); + else throw "postgresql_9_4 was removed, please upgrade your postgresql version."); services.postgresql.dataDir = mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index c04cc1283b2e..9c389d80a6df 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -8,17 +8,19 @@ let condOption = name: value: if value != null then "${name} ${toString value}" else ""; redisConfig = pkgs.writeText "redis.conf" '' - pidfile ${cfg.pidFile} port ${toString cfg.port} ${condOption "bind" cfg.bind} ${condOption "unixsocket" cfg.unixSocket} + daemonize yes + supervised systemd loglevel ${cfg.logLevel} logfile ${cfg.logfile} syslog-enabled ${redisBool cfg.syslog} + pidfile /run/redis/redis.pid databases ${toString cfg.databases} ${concatMapStrings (d: "save ${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}\n") cfg.save} - dbfilename ${cfg.dbFilename} - dir ${toString cfg.dbpath} + dbfilename dump.rdb + dir /var/lib/redis ${if cfg.slaveOf != null then "slaveof ${cfg.slaveOf.ip} ${toString cfg.slaveOf.port}" else ""} ${condOption "masterauth" cfg.masterAuth} ${condOption "requirepass" cfg.requirePass} @@ -40,7 +42,12 @@ in enable = mkOption { type = types.bool; default = false; - description = "Whether to enable the Redis server."; + description = '' + Whether to enable the Redis server. Note that the NixOS module for + Redis disables kernel support for Transparent Huge Pages (THP), + because this features causes major performance problems for Redis, + e.g. (https://redis.io/topics/latency). + ''; }; package = mkOption { @@ -50,18 +57,6 @@ in description = "Which Redis derivation to use."; }; - user = mkOption { - type = types.str; - default = "redis"; - description = "User account under which Redis runs."; - }; - - pidFile = mkOption { - type = types.path; - default = "/var/lib/redis/redis.pid"; - description = ""; - }; - port = mkOption { type = types.int; default = 6379; @@ -95,7 +90,7 @@ in type = with types; nullOr path; default = null; description = "The path to the socket to bind to."; - example = "/run/redis.sock"; + example = "/run/redis/redis.sock"; }; logLevel = mkOption { @@ -131,18 +126,6 @@ in example = [ [900 1] [300 10] [60 10000] ]; }; - dbFilename = mkOption { - type = types.str; - default = "dump.rdb"; - description = "The filename where to dump the DB."; - }; - - dbpath = mkOption { - type = types.path; - default = "/var/lib/redis"; - description = "The DB will be written inside this directory, with the filename specified using the 'dbFilename' configuration."; - }; - slaveOf = mkOption { default = null; # { ip, port } description = "An attribute set with two attributes: ip and port to which this redis instance acts as a slave."; @@ -170,12 +153,6 @@ in description = "By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence."; }; - appendOnlyFilename = mkOption { - type = types.str; - default = "appendonly.aof"; - description = "Filename for the append-only file (stored inside of dbpath)"; - }; - appendFsync = mkOption { type = types.str; default = "everysec"; # no, always, everysec @@ -217,26 +194,17 @@ in allowedTCPPorts = [ cfg.port ]; }; - users.users.redis = - { name = cfg.user; - description = "Redis database user"; - }; + users.users.redis.description = "Redis database user"; environment.systemPackages = [ cfg.package ]; - systemd.services.redis_init = - { description = "Redis Server Initialisation"; - - wantedBy = [ "redis.service" ]; - before = [ "redis.service" ]; - - serviceConfig.Type = "oneshot"; - - script = '' - install -d -m0700 -o ${cfg.user} ${cfg.dbpath} - chown -R ${cfg.user} ${cfg.dbpath} - ''; - }; + systemd.services.disable-transparent-huge-pages = { + description = "Disable Transparent Huge Pages (required by Redis)"; + before = [ "redis.service" ]; + wantedBy = [ "redis.service" ]; + script = "echo never > /sys/kernel/mm/transparent_hugepage/enabled"; + serviceConfig.Type = "oneshot"; + }; systemd.services.redis = { description = "Redis Server"; @@ -246,7 +214,10 @@ in serviceConfig = { ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}"; - User = cfg.user; + RuntimeDirectory = "redis"; + StateDirectory = "redis"; + Type = "notify"; + User = "redis"; }; }; diff --git a/nixos/modules/services/databases/riak.nix b/nixos/modules/services/databases/riak.nix index ac086cf55996..885215209bdf 100644 --- a/nixos/modules/services/databases/riak.nix +++ b/nixos/modules/services/databases/riak.nix @@ -29,7 +29,7 @@ in }; nodeName = mkOption { - type = types.string; + type = types.str; default = "riak@127.0.0.1"; description = '' Name of the Erlang node. @@ -37,7 +37,7 @@ in }; distributedCookie = mkOption { - type = types.string; + type = types.str; default = "riak"; description = '' Cookie for distributed node communication. All nodes in the diff --git a/nixos/modules/services/desktops/blueman.nix b/nixos/modules/services/desktops/blueman.nix new file mode 100644 index 000000000000..18ad610247ed --- /dev/null +++ b/nixos/modules/services/desktops/blueman.nix @@ -0,0 +1,25 @@ +# blueman service +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.blueman; +in { + ###### interface + options = { + services.blueman = { + enable = mkEnableOption "blueman"; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.blueman ]; + + services.dbus.packages = [ pkgs.blueman ]; + + systemd.packages = [ pkgs.blueman ]; + }; +} diff --git a/nixos/modules/services/desktops/geoclue2.nix b/nixos/modules/services/desktops/geoclue2.nix index 040fe157d52d..6007dddf50c0 100644 --- a/nixos/modules/services/desktops/geoclue2.nix +++ b/nixos/modules/services/desktops/geoclue2.nix @@ -202,14 +202,14 @@ in ]; # restart geoclue service when the configuration changes - systemd.services."geoclue".restartTriggers = [ + systemd.services.geoclue.restartTriggers = [ config.environment.etc."geoclue/geoclue.conf".source ]; # this needs to run as a user service, since it's associated with the # user who is making the requests systemd.user.services = mkIf cfg.enableDemoAgent { - "geoclue-agent" = { + geoclue-agent = { description = "Geoclue agent"; script = "${package}/libexec/geoclue-2.0/demos/agent"; # this should really be `partOf = [ "geoclue.service" ]`, but @@ -219,12 +219,12 @@ in }; }; - services.geoclue2.appConfig."epiphany" = { + services.geoclue2.appConfig.epiphany = { isAllowed = true; isSystem = false; }; - services.geoclue2.appConfig."firefox" = { + services.geoclue2.appConfig.firefox = { isAllowed = true; isSystem = false; }; diff --git a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix b/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix index 2740a22c7ca0..3d2b3ed85e3a 100644 --- a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix +++ b/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix @@ -23,5 +23,7 @@ with lib; environment.systemPackages = [ pkgs.chrome-gnome-shell ]; services.dbus.packages = [ pkgs.chrome-gnome-shell ]; + + nixpkgs.config.firefox.enableGnomeExtensions = true; }; } diff --git a/nixos/modules/services/desktops/gnome3/glib-networking.nix b/nixos/modules/services/desktops/gnome3/glib-networking.nix index 186668d7d385..fcd58509d6fc 100644 --- a/nixos/modules/services/desktops/gnome3/glib-networking.nix +++ b/nixos/modules/services/desktops/gnome3/glib-networking.nix @@ -22,11 +22,11 @@ with lib; config = mkIf config.services.gnome3.glib-networking.enable { - services.dbus.packages = [ pkgs.gnome3.glib-networking ]; + services.dbus.packages = [ pkgs.glib-networking ]; - systemd.packages = [ pkgs.gnome3.glib-networking ]; + systemd.packages = [ pkgs.glib-networking ]; - environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gnome3.glib-networking.out}/lib/gio/modules" ]; + environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ]; }; diff --git a/nixos/modules/services/desktops/gnome3/seahorse.nix b/nixos/modules/services/desktops/gnome3/seahorse.nix deleted file mode 100644 index 9631157934f9..000000000000 --- a/nixos/modules/services/desktops/gnome3/seahorse.nix +++ /dev/null @@ -1,38 +0,0 @@ -# Seahorse daemon. - -{ config, pkgs, lib, ... }: - -with lib; - -{ - - ###### interface - - options = { - - services.gnome3.seahorse = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable Seahorse search provider for the GNOME Shell activity search. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.gnome3.seahorse.enable { - - environment.systemPackages = [ pkgs.gnome3.seahorse pkgs.gnome3.dconf ]; - - services.dbus.packages = [ pkgs.gnome3.seahorse ]; - - }; - -} diff --git a/nixos/modules/services/desktops/profile-sync-daemon.nix b/nixos/modules/services/desktops/profile-sync-daemon.nix index e4e47cfbd438..a8ac22ac1276 100644 --- a/nixos/modules/services/desktops/profile-sync-daemon.nix +++ b/nixos/modules/services/desktops/profile-sync-daemon.nix @@ -34,7 +34,7 @@ in { psd = { enable = true; description = "Profile Sync daemon"; - wants = [ "psd-resync.service" "local-fs.target" ]; + wants = [ "psd-resync.service" ]; wantedBy = [ "default.target" ]; path = with pkgs; [ rsync kmod gawk nettools utillinux profile-sync-daemon ]; unitConfig = { diff --git a/nixos/modules/services/desktops/system-config-printer.nix b/nixos/modules/services/desktops/system-config-printer.nix new file mode 100644 index 000000000000..8a80be266b20 --- /dev/null +++ b/nixos/modules/services/desktops/system-config-printer.nix @@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + + ###### interface + + options = { + + services.system-config-printer = { + + enable = mkEnableOption "system-config-printer, a service for CUPS administration used by printing interfaces"; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.system-config-printer.enable { + + services.dbus.packages = [ + pkgs.system-config-printer + ]; + + systemd.packages = [ + pkgs.system-config-printer + ]; + + services.udev.packages = [ + pkgs.system-config-printer + ]; + + }; + +} diff --git a/nixos/modules/services/editors/emacs.xml b/nixos/modules/services/editors/emacs.xml index acd69f18376c..03483f69fa2f 100644 --- a/nixos/modules/services/editors/emacs.xml +++ b/nixos/modules/services/editors/emacs.xml @@ -9,6 +9,7 @@ Damien Cassou @DamienCassou Thomas Tuegel @ttuegel Rodney Lorrimar @rvl + Adam Hoese @adisbladis --> <para> <link xlink:href="https://www.gnu.org/software/emacs/">Emacs</link> is an @@ -58,7 +59,7 @@ <para> The latest stable version of Emacs 25 using the <link - xlink:href="http://www.gtk.org">GTK+ 2</link> + xlink:href="http://www.gtk.org">GTK 2</link> widget toolkit. </para> </listitem> @@ -130,15 +131,6 @@ Emacs packages through nixpkgs. </para> - <note> - <para> - This documentation describes the new Emacs packages framework in NixOS - 16.03 (<varname>emacsPackagesNg</varname>) which should not be confused - with the previous and deprecated framework - (<varname>emacs24Packages</varname>). - </para> - </note> - <para> The first step to declare the list of packages you want in your Emacs installation is to create a dedicated derivation. This can be done in a @@ -164,7 +156,7 @@ $ ./result/bin/emacs let myEmacs = pkgs.emacs; <co xml:id="ex-emacsNix-2" /> - emacsWithPackages = (pkgs.emacsPackagesNgGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" /> + emacsWithPackages = (pkgs.emacsPackagesGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" /> in emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ <co xml:id="ex-emacsNix-4" /> magit # ; Integrate git <C-x g> @@ -262,10 +254,10 @@ in <example xml:id="module-services-emacs-querying-packages"> <title>Querying Emacs packages</title> <programlisting><![CDATA[ -nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.elpaPackages -nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaPackages -nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaStablePackages -nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.orgPackages +nix-env -f "<nixpkgs>" -qaP -A emacsPackages.elpaPackages +nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaPackages +nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaStablePackages +nix-env -f "<nixpkgs>" -qaP -A emacsPackages.orgPackages ]]></programlisting> </example> </para> @@ -329,7 +321,7 @@ https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides <para> If you want, you can tweak the Emacs package itself from your <filename>emacs.nix</filename>. For example, if you want to have a - GTK+3-based Emacs instead of the default GTK+2-based binary and remove the + GTK 3-based Emacs instead of the default GTK 2-based binary and remove the automatically generated <filename>emacs.desktop</filename> (useful is you only use <command>emacsclient</command>), you can change your file <filename>emacs.nix</filename> in this way: @@ -357,7 +349,7 @@ in [...] <para> After building this file as shown in <xref linkend="ex-emacsNix" />, you - will get an GTK3-based Emacs binary pre-loaded with your favorite packages. + will get an GTK 3-based Emacs binary pre-loaded with your favorite packages. </para> </section> </section> diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix index d04673a6c8b8..f3831156f453 100644 --- a/nixos/modules/services/games/factorio.nix +++ b/nixos/modules/services/games/factorio.nix @@ -55,7 +55,7 @@ in ''; }; saveName = mkOption { - type = types.string; + type = types.str; default = "default"; description = '' The name of the savegame that will be used by the server. @@ -81,7 +81,7 @@ in ''; }; stateDirName = mkOption { - type = types.string; + type = types.str; default = "factorio"; description = '' Name of the directory under /var/lib holding the server's data. @@ -102,14 +102,14 @@ in ''; }; game-name = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = "Factorio Game"; description = '' Name of the game as it will appear in the game listing. ''; }; description = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = ""; description = '' Description of the game that will appear in the listing. @@ -130,28 +130,28 @@ in ''; }; username = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = '' Your factorio.com login credentials. Required for games with visibility public. ''; }; password = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = '' Your factorio.com login credentials. Required for games with visibility public. ''; }; token = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = '' Authentication token. May be used instead of 'password' above. ''; }; game-password = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = '' Game password. diff --git a/nixos/modules/services/games/terraria.nix b/nixos/modules/services/games/terraria.nix index 31f8edca20ce..a59b74c0b4c4 100644 --- a/nixos/modules/services/games/terraria.nix +++ b/nixos/modules/services/games/terraria.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.terraria; - worldSizeMap = { "small" = 1; "medium" = 2; "large" = 3; }; + worldSizeMap = { small = 1; medium = 2; large = 3; }; valFlag = name: val: optionalString (val != null) "-${name} \"${escape ["\\" "\""] (toString val)}\""; boolFlag = name: val: optionalString val "-${name}"; flags = [ diff --git a/nixos/modules/services/hardware/freefall.nix b/nixos/modules/services/hardware/freefall.nix index 066ccaa4d7cf..83f1e8c84f28 100644 --- a/nixos/modules/services/hardware/freefall.nix +++ b/nixos/modules/services/hardware/freefall.nix @@ -28,7 +28,7 @@ in { }; devices = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "/dev/sda" ]; description = '' Device paths to all internal spinning hard drives. diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix index cad9fa20de0f..6c341bcbf240 100644 --- a/nixos/modules/services/hardware/fwupd.nix +++ b/nixos/modules/services/hardware/fwupd.nix @@ -8,8 +8,8 @@ let cfg = config.services.fwupd; originalEtc = let - mkEtcFile = n: nameValuePair n { source = "${pkgs.fwupd}/etc/${n}"; }; - in listToAttrs (map mkEtcFile pkgs.fwupd.filesInstalledToEtc); + mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; }; + in listToAttrs (map mkEtcFile cfg.package.filesInstalledToEtc); extraTrustedKeys = let mkName = p: "pki/fwupd/${baseNameOf (toString p)}"; @@ -24,7 +24,7 @@ let "fwupd/remotes.d/fwupd-tests.conf" = { source = pkgs.runCommand "fwupd-tests-enabled.conf" {} '' sed "s,^Enabled=false,Enabled=true," \ - "${pkgs.fwupd.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out" + "${cfg.package.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out" ''; }; } else {}; @@ -43,7 +43,7 @@ in { }; blacklistDevices = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; example = [ "2082b5e0-7a64-478a-b1b2-e3404fab6dad" ]; description = '' @@ -52,7 +52,7 @@ in { }; blacklistPlugins = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "test" ]; example = [ "udev" ]; description = '' @@ -77,13 +77,21 @@ in { <link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>. ''; }; + + package = mkOption { + type = types.package; + default = pkgs.fwupd; + description = '' + Which fwupd package to use. + ''; + }; }; }; ###### implementation config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.fwupd ]; + environment.systemPackages = [ cfg.package ]; environment.etc = { "fwupd/daemon.conf" = { @@ -102,11 +110,11 @@ in { } // originalEtc // extraTrustedKeys // testRemote; - services.dbus.packages = [ pkgs.fwupd ]; + services.dbus.packages = [ cfg.package ]; - services.udev.packages = [ pkgs.fwupd ]; + services.udev.packages = [ cfg.package ]; - systemd.packages = [ pkgs.fwupd ]; + systemd.packages = [ cfg.package ]; systemd.tmpfiles.rules = [ "d /var/lib/fwupd 0755 root root -" diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index fe05c5a5c06f..b344dfc20610 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -76,7 +76,7 @@ in }; hardware.sane.configDir = mkOption { - type = types.string; + type = types.str; internal = true; description = "The value of SANE_CONFIG_DIR."; }; @@ -124,7 +124,7 @@ in environment.sessionVariables = env; services.udev.packages = backends; - users.groups."scanner".gid = config.ids.gids.scanner; + users.groups.scanner.gid = config.ids.gids.scanner; }) (mkIf config.services.saned.enable { @@ -152,7 +152,7 @@ in }; }; - users.users."scanner" = { + users.users.scanner = { uid = config.ids.uids.scanner; group = "scanner"; }; diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix index fd19d8020fb8..6bf31982b71a 100644 --- a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix +++ b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix @@ -33,7 +33,7 @@ let addAllNetDev = xs: concatStringsSep "\n" (map addNetDev xs); in -stdenv.mkDerivation rec { +stdenv.mkDerivation { name = "brscan4-etc-files-0.4.3-3"; src = "${brscan4}/opt/brother/scanner/brscan4"; diff --git a/nixos/modules/services/hardware/tcsd.nix b/nixos/modules/services/hardware/tcsd.nix index d4b0a9495d75..3876280ee6bc 100644 --- a/nixos/modules/services/hardware/tcsd.nix +++ b/nixos/modules/services/hardware/tcsd.nix @@ -49,13 +49,13 @@ in user = mkOption { default = "tss"; - type = types.string; + type = types.str; description = "User account under which tcsd runs."; }; group = mkOption { default = "tss"; - type = types.string; + type = types.str; description = "Group account under which tcsd runs."; }; @@ -65,19 +65,19 @@ in description = '' The location of the system persistent storage file. The system persistent storage file holds keys and data across - restarts of the TCSD and system reboots. + restarts of the TCSD and system reboots. ''; }; firmwarePCRs = mkOption { default = "0,1,2,3,4,5,6,7"; - type = types.string; + type = types.str; description = "PCR indices used in the TPM for firmware measurements."; }; kernelPCRs = mkOption { default = "8,9,10,11,12"; - type = types.string; + type = types.str; description = "PCR indices used in the TPM for kernel measurements."; }; diff --git a/nixos/modules/services/hardware/throttled.nix b/nixos/modules/services/hardware/throttled.nix index 13fc5e4792e6..7617c4492d7c 100644 --- a/nixos/modules/services/hardware/throttled.nix +++ b/nixos/modules/services/hardware/throttled.nix @@ -20,7 +20,7 @@ in { config = mkIf cfg.enable { systemd.packages = [ pkgs.throttled ]; # The upstream package has this in Install, but that's not enough, see the NixOS manual - systemd.services."lenovo_fix".wantedBy = [ "multi-user.target" ]; + systemd.services.lenovo_fix.wantedBy = [ "multi-user.target" ]; environment.etc."lenovo_fix.conf".source = if cfg.extraConfig != "" diff --git a/nixos/modules/services/hardware/tlp.nix b/nixos/modules/services/hardware/tlp.nix index 092ff051a042..4f8af7978286 100644 --- a/nixos/modules/services/hardware/tlp.nix +++ b/nixos/modules/services/hardware/tlp.nix @@ -60,11 +60,11 @@ in powerManagement.cpufreq.max = null; powerManagement.cpufreq.min = null; - systemd.sockets."systemd-rfkill".enable = false; + systemd.sockets.systemd-rfkill.enable = false; systemd.services = { "systemd-rfkill@".enable = false; - "systemd-rfkill".enable = false; + systemd-rfkill.enable = false; tlp = { description = "TLP system startup/shutdown"; diff --git a/nixos/modules/services/hardware/triggerhappy.nix b/nixos/modules/services/hardware/triggerhappy.nix index a500cb4fc367..f9f5234bdc3f 100644 --- a/nixos/modules/services/hardware/triggerhappy.nix +++ b/nixos/modules/services/hardware/triggerhappy.nix @@ -102,7 +102,6 @@ in systemd.services.triggerhappy = { wantedBy = [ "multi-user.target" ]; - after = [ "local-fs.target" ]; description = "Global hotkey daemon"; serviceConfig = { ExecStart = "${pkgs.triggerhappy}/bin/thd ${optionalString (cfg.user != "root") "--user ${cfg.user}"} --socket ${socket} --triggers ${configFile} --deviceglob /dev/input/event*"; diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix index 1da47349c077..5e7ac7a6e659 100644 --- a/nixos/modules/services/hardware/upower.nix +++ b/nixos/modules/services/hardware/upower.nix @@ -5,8 +5,11 @@ with lib; let + cfg = config.services.upower; + in + { ###### interface @@ -49,55 +52,7 @@ in services.udev.packages = [ cfg.package ]; - systemd.services.upower = - { description = "Power Management Daemon"; - path = [ pkgs.glib.out ]; # needed for gdbus - serviceConfig = - { Type = "dbus"; - BusName = "org.freedesktop.UPower"; - ExecStart = "@${cfg.package}/libexec/upowerd upowerd"; - Restart = "on-failure"; - # Upstream lockdown: - # Filesystem lockdown - ProtectSystem = "strict"; - # Needed by keyboard backlight support - ProtectKernelTunables = false; - ProtectControlGroups = true; - ReadWritePaths = "/var/lib/upower"; - ProtectHome = true; - PrivateTmp = true; - - # Network - # PrivateNetwork=true would block udev's netlink socket - RestrictAddressFamilies = "AF_UNIX AF_NETLINK"; - - # Execute Mappings - MemoryDenyWriteExecute = true; - - # Modules - ProtectKernelModules = true; - - # Real-time - RestrictRealtime = true; - - # Privilege escalation - NoNewPrivileges = true; - }; - }; - - system.activationScripts.upower = - '' - mkdir -m 0755 -p /var/lib/upower - ''; - - # The upower daemon seems to get stuck after doing a suspend - # (i.e. subsequent suspend requests will say "Sleep has already - # been requested and is pending"). So as a workaround, restart - # the daemon. - powerManagement.resumeCommands = - '' - ${config.systemd.package}/bin/systemctl try-restart upower - ''; + systemd.packages = [ cfg.package ]; }; diff --git a/nixos/modules/services/logging/SystemdJournal2Gelf.nix b/nixos/modules/services/logging/SystemdJournal2Gelf.nix index e90d9e7a12b6..f26aef7262ba 100644 --- a/nixos/modules/services/logging/SystemdJournal2Gelf.nix +++ b/nixos/modules/services/logging/SystemdJournal2Gelf.nix @@ -16,7 +16,7 @@ in }; graylogServer = mkOption { - type = types.string; + type = types.str; example = "graylog2.example.com:11201"; description = '' Host and port of your graylog2 input. This should be a GELF @@ -25,7 +25,7 @@ in }; extraOptions = mkOption { - type = types.string; + type = types.separatedString " "; default = ""; description = '' Any extra flags to pass to SystemdJournal2Gelf. Note that @@ -56,4 +56,4 @@ in }; }; }; -} \ No newline at end of file +} diff --git a/nixos/modules/services/logging/awstats.nix b/nixos/modules/services/logging/awstats.nix index 54799d699a74..a92ff3bee490 100644 --- a/nixos/modules/services/logging/awstats.nix +++ b/nixos/modules/services/logging/awstats.nix @@ -32,7 +32,7 @@ in }; updateAt = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "hourly"; description = '' @@ -50,7 +50,7 @@ in description = ''Enable the awstats web service. This switches on httpd.''; }; urlPrefix = mkOption { - type = types.string; + type = types.str; default = "/awstats"; description = "The URL prefix under which the awstats service appears."; }; diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index f139190a1709..6d8be5b926d5 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -23,9 +23,9 @@ let flags = "-r ${rulesDir} -c ${configFile} -L ${logFiles} -${levelFlag} -m ${cfg.mailTo}"; levelFlag = getAttrFromPath [cfg.level] - { "paranoid" = "p"; - "server" = "s"; - "workstation" = "w"; + { paranoid = "p"; + server = "s"; + workstation = "w"; }; cronJob = '' @@ -155,7 +155,7 @@ in config = mkOption { default = "FQDN=1"; - type = types.string; + type = types.lines; description = '' Config options that you would like in logcheck.conf. ''; diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix index 9b707e9deb58..4943e8d7db3a 100644 --- a/nixos/modules/services/logging/logstash.nix +++ b/nixos/modules/services/logging/logstash.nix @@ -53,7 +53,7 @@ in type = types.package; default = pkgs.logstash; defaultText = "pkgs.logstash"; - example = literalExample "pkgs.logstash5"; + example = literalExample "pkgs.logstash"; description = "Logstash package to use."; }; diff --git a/nixos/modules/services/logging/rsyslogd.nix b/nixos/modules/services/logging/rsyslogd.nix index 1ea96b8f1325..b924d94e0b0d 100644 --- a/nixos/modules/services/logging/rsyslogd.nix +++ b/nixos/modules/services/logging/rsyslogd.nix @@ -46,7 +46,7 @@ in }; defaultConfig = mkOption { - type = types.string; + type = types.lines; default = defaultConf; description = '' The default <filename>syslog.conf</filename> file configures a @@ -56,7 +56,7 @@ in }; extraConfig = mkOption { - type = types.string; + type = types.lines; default = ""; example = "news.* -/var/log/news"; description = '' diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index c05811291359..47812dd1e40e 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -21,7 +21,7 @@ in }; config = mkOption { - type = types.string; + type = types.lines; default = ""; description = '' Verbatim Exim configuration. This should not contain exim_user, @@ -30,7 +30,7 @@ in }; user = mkOption { - type = types.string; + type = types.str; default = "exim"; description = '' User to use when no root privileges are required. @@ -42,7 +42,7 @@ in }; group = mkOption { - type = types.string; + type = types.str; default = "exim"; description = '' Group to use when no root privileges are required. @@ -50,7 +50,7 @@ in }; spoolDir = mkOption { - type = types.string; + type = types.path; default = "/var/spool/exim"; description = '' Location of the spool directory of exim. diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix new file mode 100644 index 000000000000..11dd5cb48db0 --- /dev/null +++ b/nixos/modules/services/mail/mailman.nix @@ -0,0 +1,114 @@ +{ config, pkgs, lib, ... }: # mailman.nix + +with lib; + +let + + cfg = config.services.mailman; + + pythonEnv = pkgs.python3.withPackages (ps: [ps.mailman]); + + mailmanExe = with pkgs; stdenv.mkDerivation { + name = "mailman-" + python3Packages.mailman.version; + unpackPhase = ":"; + installPhase = '' + mkdir -p $out/bin + sed >"$out/bin/mailman" <"${pythonEnv}/bin/mailman" \ + -e "2 iexport MAILMAN_CONFIG_FILE=/etc/mailman.cfg" + chmod +x $out/bin/mailman + ''; + }; + + mailmanCfg = '' + [mailman] + site_owner: ${cfg.siteOwner} + layout: fhs + + [paths.fhs] + bin_dir: ${pkgs.python3Packages.mailman}/bin + var_dir: /var/lib/mailman + queue_dir: $var_dir/queue + log_dir: $var_dir/log + lock_dir: $var_dir/lock + etc_dir: /etc + ext_dir: $etc_dir/mailman.d + pid_file: /run/mailman/master.pid + ''; + +in { + + ###### interface + + options = { + + services.mailman = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Enable Mailman on this host. Requires an active Postfix installation."; + }; + + siteOwner = mkOption { + type = types.str; + default = "postmaster"; + description = '' + Certain messages that must be delivered to a human, but which can't + be delivered to a list owner (e.g. a bounce from a list owner), will + be sent to this address. It should point to a human. + ''; + }; + + + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + assertions = [ + { assertion = cfg.enable -> config.services.postfix.enable; + message = "Mailman requires Postfix"; + } + { assertion = config.services.postfix.recipientDelimiter == "+"; + message = "Postfix's recipientDelimiter must be set to '+'."; + } + ]; + + users.users.mailman = { description = "GNU Mailman"; isSystemUser = true; }; + + environment = { + systemPackages = [ mailmanExe ]; + etc."mailman.cfg".text = mailmanCfg; + }; + + services.postfix = { + relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; + config = { + transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; + local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; + # Mailman uses recipient delimiters, so we don't need special handling. + owner_request_special = "no"; + }; + }; + + systemd.services.mailman = { + description = "GNU Mailman Master Process"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${mailmanExe}/bin/mailman start"; + ExecStop = "${mailmanExe}/bin/mailman stop"; + User = "mailman"; + Type = "forking"; + StateDirectory = "mailman"; + StateDirectoryMode = "0700"; + RuntimeDirectory = "mailman"; + PIDFile = "/run/mailman/master.pid"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/mail/mlmmj.nix b/nixos/modules/services/mail/mlmmj.nix index 11565bc02f89..7ae00f3e501e 100644 --- a/nixos/modules/services/mail/mlmmj.nix +++ b/nixos/modules/services/mail/mlmmj.nix @@ -137,7 +137,7 @@ in ${pkgs.postfix}/bin/postmap ${stateDir}/transports ''; - systemd.services."mlmmj-maintd" = { + systemd.services.mlmmj-maintd = { description = "mlmmj maintenance daemon"; serviceConfig = { User = cfg.user; @@ -146,7 +146,7 @@ in }; }; - systemd.timers."mlmmj-maintd" = { + systemd.timers.mlmmj-maintd = { description = "mlmmj maintenance timer"; timerConfig.OnUnitActiveSec = cfg.maintInterval; wantedBy = [ "timers.target" ]; diff --git a/nixos/modules/services/mail/nullmailer.nix b/nixos/modules/services/mail/nullmailer.nix index 9997d287013e..2c2910e0aa9b 100644 --- a/nixos/modules/services/mail/nullmailer.nix +++ b/nixos/modules/services/mail/nullmailer.nix @@ -14,7 +14,7 @@ with lib; }; user = mkOption { - type = types.string; + type = types.str; default = "nullmailer"; description = '' User to use to run nullmailer-send. @@ -22,7 +22,7 @@ with lib; }; group = mkOption { - type = types.string; + type = types.str; default = "nullmailer"; description = '' Group to use to run nullmailer-send. diff --git a/nixos/modules/services/mail/pfix-srsd.nix b/nixos/modules/services/mail/pfix-srsd.nix index 9599854352c9..38984f896d6a 100644 --- a/nixos/modules/services/mail/pfix-srsd.nix +++ b/nixos/modules/services/mail/pfix-srsd.nix @@ -40,7 +40,7 @@ with lib; systemPackages = [ pkgs.pfixtools ]; }; - systemd.services."pfix-srsd" = { + systemd.services.pfix-srsd = { description = "Postfix sender rewriting scheme daemon"; before = [ "postfix.service" ]; #note that we use requires rather than wants because postfix diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 2b08ab1e6aa6..d5fd76da970b 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -509,7 +509,7 @@ in }; localRecipients = mkOption { - type = with types; nullOr (listOf string); + type = with types; nullOr (listOf str); default = null; description = '' List of accepted local users. Specify a bare username, an @@ -530,7 +530,7 @@ in dnsBlacklists = mkOption { default = []; - type = with types; listOf string; + type = with types; listOf str; description = "dns blacklist servers to use with smtpd_client_restrictions"; }; @@ -877,22 +877,22 @@ in } (mkIf haveAliases { - services.postfix.aliasFiles."aliases" = aliasesFile; + services.postfix.aliasFiles.aliases = aliasesFile; }) (mkIf haveTransport { - services.postfix.mapFiles."transport" = transportFile; + services.postfix.mapFiles.transport = transportFile; }) (mkIf haveVirtual { - services.postfix.mapFiles."virtual" = virtualFile; + services.postfix.mapFiles.virtual = virtualFile; }) (mkIf haveLocalRecipients { - services.postfix.mapFiles."local_recipients" = localRecipientMapFile; + services.postfix.mapFiles.local_recipients = localRecipientMapFile; }) (mkIf cfg.enableHeaderChecks { - services.postfix.mapFiles."header_checks" = headerChecksFile; + services.postfix.mapFiles.header_checks = headerChecksFile; }) (mkIf (cfg.dnsBlacklists != []) { - services.postfix.mapFiles."client_access" = checkClientAccessFile; + services.postfix.mapFiles.client_access = checkClientAccessFile; }) ]); } diff --git a/nixos/modules/services/mail/postgrey.nix b/nixos/modules/services/mail/postgrey.nix index 8e2b9c5dbc56..88fb7f0b4ad1 100644 --- a/nixos/modules/services/mail/postgrey.nix +++ b/nixos/modules/services/mail/postgrey.nix @@ -7,12 +7,12 @@ with lib; let natural = with types; addCheck int (x: x >= 0); natural' = with types; addCheck int (x: x > 0); - socket = with types; addCheck (either (submodule unixSocket) (submodule inetSocket)) (x: x ? "path" || x ? "port"); + socket = with types; addCheck (either (submodule unixSocket) (submodule inetSocket)) (x: x ? path || x ? port); inetSocket = with types; { options = { addr = mkOption { - type = nullOr string; + type = nullOr str; default = null; example = "127.0.0.1"; description = "The address to bind to. Localhost if null"; @@ -34,7 +34,7 @@ with lib; let }; mode = mkOption { - type = string; + type = str; default = "0777"; description = "Mode of the unix socket"; }; @@ -63,17 +63,17 @@ in { description = "Socket to bind to"; }; greylistText = mkOption { - type = string; + type = str; default = "Greylisted for %%s seconds"; description = "Response status text for greylisted messages; use %%s for seconds left until greylisting is over and %%r for mail domain of recipient"; }; greylistAction = mkOption { - type = string; + type = str; default = "DEFER_IF_PERMIT"; description = "Response status for greylisted messages (see access(5))"; }; greylistHeader = mkOption { - type = string; + type = str; default = "X-Greylist: delayed %%t seconds by postgrey-%%v at %%h; %%d"; description = "Prepend header to greylisted mails; use %%t for seconds delayed due to greylisting, %%v for the version of postgrey, %%d for the date, and %%h for the host"; }; @@ -88,7 +88,7 @@ in { description = "Delete entries from whitelist if they haven't been seen for N days"; }; retryWindow = mkOption { - type = either string natural; + type = either str natural; default = 2; example = "12h"; description = "Allow N days for the first retry. Use string with appended 'h' to specify time in hours"; @@ -151,7 +151,7 @@ in { }; systemd.services.postgrey = let - bind-flag = if cfg.socket ? "path" then + bind-flag = if cfg.socket ? path then ''--unix=${cfg.socket.path} --socketmode=${cfg.socket.mode}'' else ''--inet=${optionalString (cfg.socket.addr != null) (cfg.socket.addr + ":")}${toString cfg.socket.port}''; diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index e59d5715de05..89aa9d17ff7f 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -308,7 +308,7 @@ in }; user = mkOption { - type = types.string; + type = types.str; default = "rspamd"; description = '' User to use when no root privileges are required. @@ -316,7 +316,7 @@ in }; group = mkOption { - type = types.string; + type = types.str; default = "rspamd"; description = '' Group to use when no root privileges are required. @@ -387,7 +387,7 @@ in gid = config.ids.gids.rspamd; }; - environment.etc."rspamd".source = rspamdDir; + environment.etc.rspamd.source = rspamdDir; systemd.services.rspamd = { description = "Rspamd Service"; diff --git a/nixos/modules/services/mail/rss2email.nix b/nixos/modules/services/mail/rss2email.nix index df454abc8267..c1e5964c4536 100644 --- a/nixos/modules/services/mail/rss2email.nix +++ b/nixos/modules/services/mail/rss2email.nix @@ -43,9 +43,8 @@ in { <literal>[DEFAULT]</literal> block along with the <literal>to</literal> parameter. - See - <literal>https://github.com/rss2email/rss2email/blob/master/r2e.1</literal> - for more information on which parameters are accepted. + See <literal>man r2e</literal> for more information on which + parameters are accepted. ''; }; diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 8b2ec82c7705..919d3b2f6e64 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -34,7 +34,7 @@ in { }; listenAddress = mkOption { - type = types.string; + type = types.str; default = "127.0.0.1"; description = '' The host name or IP address on which to bind Airsonic. @@ -105,7 +105,7 @@ in { config = mkIf cfg.enable { systemd.services.airsonic = { description = "Airsonic Media Server"; - after = [ "local-fs.target" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' @@ -138,8 +138,8 @@ in { services.nginx = mkIf (cfg.virtualHost != null) { enable = true; - virtualHosts."${cfg.virtualHost}" = { - locations."${cfg.contextPath}".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; + virtualHosts.${cfg.virtualHost} = { + locations.${cfg.contextPath}.proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; }; }; diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix index 9eeae9556992..798e902ccae4 100644 --- a/nixos/modules/services/misc/apache-kafka.nix +++ b/nixos/modules/services/misc/apache-kafka.nix @@ -46,7 +46,7 @@ in { hostname = mkOption { description = "Hostname the broker should bind to."; default = "localhost"; - type = types.string; + type = types.str; }; logDirs = mkOption { @@ -54,13 +54,13 @@ in { default = [ "/tmp/kafka-logs" ]; type = types.listOf types.path; }; - + zookeeper = mkOption { description = "Zookeeper connection string"; default = "localhost:2181"; - type = types.string; + type = types.str; }; - + extraProperties = mkOption { description = "Extra properties for server.properties."; type = types.nullOr types.lines; @@ -79,8 +79,8 @@ in { log4jProperties = mkOption { description = "Kafka log4j property configuration."; default = '' - log4j.rootLogger=INFO, stdout - + log4j.rootLogger=INFO, stdout + log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n diff --git a/nixos/modules/services/misc/cpuminer-cryptonight.nix b/nixos/modules/services/misc/cpuminer-cryptonight.nix index f31526f8d107..907b9d90da29 100644 --- a/nixos/modules/services/misc/cpuminer-cryptonight.nix +++ b/nixos/modules/services/misc/cpuminer-cryptonight.nix @@ -28,15 +28,15 @@ in ''; }; url = mkOption { - type = types.string; + type = types.str; description = "URL of mining server"; }; user = mkOption { - type = types.string; + type = types.str; description = "Username for mining server"; }; pass = mkOption { - type = types.string; + type = types.str; default = "x"; description = "Password for mining server"; }; @@ -63,4 +63,4 @@ in }; -} \ No newline at end of file +} diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix index 61ea822890ed..9402d5cd801c 100644 --- a/nixos/modules/services/misc/dysnomia.nix +++ b/nixos/modules/services/misc/dysnomia.nix @@ -8,9 +8,9 @@ let printProperties = properties: concatMapStrings (propertyName: let - property = properties."${propertyName}"; + property = properties.${propertyName}; in - if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties."${propertyName}")})\n" + if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties.${propertyName})})\n" else "${propertyName}=\"${toString property}\"\n" ) (builtins.attrNames properties); @@ -31,7 +31,7 @@ let ${concatMapStrings (containerName: let - containerProperties = cfg.containers."${containerName}"; + containerProperties = cfg.containers.${containerName}; in '' cat > ${containerName} <<EOF @@ -49,10 +49,10 @@ let ${concatMapStrings (componentName: let - component = cfg.components."${containerName}"."${componentName}"; + component = cfg.components.${containerName}.${componentName}; in "ln -s ${component} ${containerName}/${componentName}\n" - ) (builtins.attrNames (cfg.components."${containerName}" or {}))} + ) (builtins.attrNames (cfg.components.${containerName} or {}))} ''; componentsDir = pkgs.stdenv.mkDerivation { diff --git a/nixos/modules/services/misc/exhibitor.nix b/nixos/modules/services/misc/exhibitor.nix index 665084a8ae05..74f4f671f460 100644 --- a/nixos/modules/services/misc/exhibitor.nix +++ b/nixos/modules/services/misc/exhibitor.nix @@ -58,7 +58,7 @@ let }; }; cliOptions = concatStringsSep " " (mapAttrsToList (k: v: "--${k} ${v}") (filterAttrs (k: v: v != null && v != "") (cliOptionsCommon // - cliOptionsPerConfig."${cfg.configType}" // + cliOptionsPerConfig.${cfg.configType} // s3CommonOptions // optionalAttrs cfg.s3Backup { s3backup = "true"; } // optionalAttrs cfg.fileSystemBackup { filesystembackup = "true"; } @@ -252,7 +252,7 @@ in example = ["host1:2181" "host2:2181"]; }; zkConfigExhibitorPath = mkOption { - type = types.string; + type = types.str; description = '' If the ZooKeeper shared config is also running Exhibitor, the URI path for the REST call ''; diff --git a/nixos/modules/services/misc/fstrim.nix b/nixos/modules/services/misc/fstrim.nix index 15f283f093c0..b8841a7fe74c 100644 --- a/nixos/modules/services/misc/fstrim.nix +++ b/nixos/modules/services/misc/fstrim.nix @@ -14,7 +14,7 @@ in { enable = mkEnableOption "periodic SSD TRIM of mounted partitions in background"; interval = mkOption { - type = types.string; + type = types.str; default = "weekly"; description = '' How often we run fstrim. For most desktop and server systems diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 09c3a89d6a68..caef4ad4ea80 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: # TODO: support non-postgresql @@ -12,14 +12,12 @@ let gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; - pgSuperUser = config.services.postgresql.superUser; databaseConfig = { production = { adapter = "postgresql"; database = cfg.databaseName; host = cfg.databaseHost; - password = cfg.databasePassword; username = cfg.databaseUsername; encoding = "utf8"; pool = cfg.databasePool; @@ -66,13 +64,6 @@ let redisConfig.production.url = "redis://localhost:6379/"; - secretsConfig.production = { - secret_key_base = cfg.secrets.secret; - otp_key_base = cfg.secrets.otp; - db_key_base = cfg.secrets.db; - openid_connect_signing_key = cfg.secrets.jws; - }; - gitlabConfig = { # These are the default settings from config/gitlab.example.yml production = flip recursiveUpdate cfg.extraConfig { @@ -140,7 +131,7 @@ let RAILS_ENV = "production"; }; - gitlab-rake = pkgs.stdenv.mkDerivation rec { + gitlab-rake = pkgs.stdenv.mkDerivation { name = "gitlab-rake"; buildInputs = [ pkgs.makeWrapper ]; dontBuild = true; @@ -155,7 +146,7 @@ let ''; }; - gitlab-rails = pkgs.stdenv.mkDerivation rec { + gitlab-rails = pkgs.stdenv.mkDerivation { name = "gitlab-rails"; buildInputs = [ pkgs.makeWrapper ]; dontBuild = true; @@ -180,10 +171,11 @@ let address: "${cfg.smtp.address}", port: ${toString cfg.smtp.port}, ${optionalString (cfg.smtp.username != null) ''user_name: "${cfg.smtp.username}",''} - ${optionalString (cfg.smtp.password != null) ''password: "${cfg.smtp.password}",''} + ${optionalString (cfg.smtp.passwordFile != null) ''password: "@smtpPassword@",''} domain: "${cfg.smtp.domain}", ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"} enable_starttls_auto: ${toString cfg.smtp.enableStartTLSAuto}, + ca_file: "/etc/ssl/certs/ca-certificates.crt", openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}' } end @@ -244,13 +236,33 @@ in { databaseHost = mkOption { type = types.str; - default = "127.0.0.1"; - description = "Gitlab database hostname."; + default = ""; + description = '' + Gitlab database hostname. An empty string means <quote>use + local unix socket connection</quote>. + ''; }; - databasePassword = mkOption { - type = types.str; - description = "Gitlab database user password."; + databasePasswordFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + File containing the Gitlab database user password. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. + ''; + }; + + databaseCreateLocally = mkOption { + type = types.bool; + default = true; + description = '' + Whether a database should be automatically created on the + local host. Set this to <literal>false</literal> if you plan + on provisioning a local database yourself or use an external + one. + ''; }; databaseName = mkOption { @@ -338,10 +350,15 @@ in { ''; }; - initialRootPassword = mkOption { - type = types.str; + initialRootPasswordFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - Initial password of the root account if this is a new install. + File containing the initial password of the root account if + this is a new install. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; @@ -365,15 +382,20 @@ in { }; username = mkOption { - type = types.nullOr types.str; + type = with types; nullOr str; default = null; description = "Username of the SMTP server for Gitlab."; }; - password = mkOption { - type = types.nullOr types.str; + passwordFile = mkOption { + type = types.nullOr types.path; default = null; - description = "Password of the SMTP server for Gitlab."; + description = '' + File containing the password of the SMTP server for Gitlab. + + This should be a string, not a nix path, since nix paths + are copied into the world-readable nix store. + ''; }; domain = mkOption { @@ -383,7 +405,7 @@ in { }; authentication = mkOption { - type = types.nullOr types.str; + type = with types; nullOr str; default = null; description = "Authentitcation type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html"; }; @@ -401,68 +423,125 @@ in { }; }; - secrets.secret = mkOption { - type = types.str; + secrets.secretFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt variables in the DB. If - you change or lose this key you will be unable to access variables - stored in database. + A file containing the secret used to encrypt variables in + the DB. If you change or lose this key you will be unable to + access variables stored in database. Make sure the secret is at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; - secrets.db = mkOption { - type = types.str; + secrets.dbFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt variables in the DB. If - you change or lose this key you will be unable to access variables - stored in database. + A file containing the secret used to encrypt variables in + the DB. If you change or lose this key you will be unable to + access variables stored in database. Make sure the secret is at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; - secrets.otp = mkOption { - type = types.str; + secrets.otpFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt secrets for OTP tokens. If - you change or lose this key, users which have 2FA enabled for login - won't be able to login anymore. + A file containing the secret used to encrypt secrets for OTP + tokens. If you change or lose this key, users which have 2FA + enabled for login won't be able to login anymore. Make sure the secret is at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; - secrets.jws = mkOption { - type = types.str; + secrets.jwsFile = mkOption { + type = with types; nullOr path; + default = null; description = '' - The secret is used to encrypt session keys. If you change or lose - this key, users will be disconnected. + A file containing the secret used to encrypt session + keys. If you change or lose this key, users will be + disconnected. Make sure the secret is an RSA private key in PEM format. You can generate one with openssl genrsa 2048 + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; extraConfig = mkOption { type = types.attrs; default = {}; - example = { - gitlab = { - default_projects_features = { - builds = false; + example = literalExample '' + { + gitlab = { + default_projects_features = { + builds = false; + }; + }; + omniauth = { + enabled = true; + auto_sign_in_with_provider = "openid_connect"; + allow_single_sign_on = ["openid_connect"]; + block_auto_created_users = false; + providers = [ + { + name = "openid_connect"; + label = "OpenID Connect"; + args = { + name = "openid_connect"; + scope = ["openid" "profile"]; + response_type = "code"; + issuer = "https://keycloak.example.com/auth/realms/My%20Realm"; + discovery = true; + client_auth_method = "query"; + uid_field = "preferred_username"; + client_options = { + identifier = "gitlab"; + secret = { _secret = "/var/keys/gitlab_oidc_secret"; }; + redirect_uri = "https://git.example.com/users/auth/openid_connect/callback"; + }; + }; + } + ]; }; }; - }; + ''; description = '' - Extra options to be merged into config/gitlab.yml as nix - attribute set. + Extra options to be added under + <literal>production</literal> in + <filename>config/gitlab.yml</filename>, as a nix attribute + set. + + Options containing secret data should be set to an attribute + set containing the attribute <literal>_secret</literal> - a + string pointing to a file containing the value the option + should be set to. See the example to get a better picture of + this: in the resulting + <filename>config/gitlab.yml</filename> file, the + <literal>production.omniauth.providers[0].args.client_options.secret</literal> + key will be set to the contents of the + <filename>/var/keys/gitlab_oidc_secret</filename> file. ''; }; }; @@ -470,12 +549,66 @@ in { config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.databaseCreateLocally -> (cfg.user == cfg.databaseUsername); + message = "For local automatic database provisioning services.gitlab.user and services.gitlab.databaseUsername should be identical."; + } + { + assertion = (cfg.databaseHost != "") -> (cfg.databasePasswordFile != null); + message = "When services.gitlab.databaseHost is customized, services.gitlab.databasePasswordFile must be set!"; + } + { + assertion = cfg.initialRootPasswordFile != null; + message = "services.gitlab.initialRootPasswordFile must be set!"; + } + { + assertion = cfg.secrets.secretFile != null; + message = "services.gitlab.secrets.secretFile must be set!"; + } + { + assertion = cfg.secrets.dbFile != null; + message = "services.gitlab.secrets.dbFile must be set!"; + } + { + assertion = cfg.secrets.otpFile != null; + message = "services.gitlab.secrets.otpFile must be set!"; + } + { + assertion = cfg.secrets.jwsFile != null; + message = "services.gitlab.secrets.jwsFile must be set!"; + } + ]; + environment.systemPackages = [ pkgs.git gitlab-rake gitlab-rails cfg.packages.gitlab-shell ]; # Redis is required for the sidekiq queue runner. services.redis.enable = mkDefault true; + # We use postgres as the main data store. - services.postgresql.enable = mkDefault true; + services.postgresql = optionalAttrs cfg.databaseCreateLocally { + enable = true; + ensureUsers = singleton { name = cfg.databaseUsername; }; + }; + # The postgresql module doesn't currently support concepts like + # objects owners and extensions; for now we tack on what's needed + # here. + systemd.services.postgresql.postStart = mkAfter (optionalString cfg.databaseCreateLocally '' + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${cfg.databaseName}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${cfg.databaseName}" OWNER "${cfg.databaseUsername}"' + current_owner=$($PSQL -tAc "SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_catalog.pg_database WHERE datname = '${cfg.databaseName}'") + if [[ "$current_owner" != "${cfg.databaseUsername}" ]]; then + $PSQL -tAc 'ALTER DATABASE "${cfg.databaseName}" OWNER TO "${cfg.databaseUsername}"' + if [[ -e "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}" ]]; then + echo "Reassigning ownership of database ${cfg.databaseName} to user ${cfg.databaseUsername} failed on last boot. Failing..." + exit 1 + fi + touch "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}" + $PSQL "${cfg.databaseName}" -tAc "REASSIGN OWNED BY \"$current_owner\" TO \"${cfg.databaseUsername}\"" + rm "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}" + fi + $PSQL '${cfg.databaseName}' -tAc "CREATE EXTENSION IF NOT EXISTS pg_trgm" + ''); + # Use postfix to send out mails. services.postfix.enable = mkDefault true; @@ -527,14 +660,9 @@ in { "L+ /run/gitlab/shell-config.yml - - - - ${pkgs.writeText "config.yml" (builtins.toJSON gitlabShellConfig)}" - "L+ ${cfg.statePath}/config/gitlab.yml - - - - ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)}" - "L+ ${cfg.statePath}/config/database.yml - - - - ${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)}" - "L+ ${cfg.statePath}/config/secrets.yml - - - - ${pkgs.writeText "secrets.yml" (builtins.toJSON secretsConfig)}" "L+ ${cfg.statePath}/config/unicorn.rb - - - - ${./defaultUnicornConfig.rb}" - "L+ ${cfg.statePath}/config/initializers/extra-gitlab.rb - - - - ${extraGitlabRb}" - ] ++ optional cfg.smtp.enable - "L+ ${cfg.statePath}/config/initializers/smtp_settings.rb - - - - ${smtpSettings}" ; + ]; systemd.services.gitlab-sidekiq = { after = [ "network.target" "redis.service" "gitlab.service" ]; @@ -626,46 +754,75 @@ in { gnupg ]; preStart = '' - ${pkgs.sudo}/bin/sudo -u ${cfg.user} cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION - ${pkgs.sudo}/bin/sudo -u ${cfg.user} rm -rf ${cfg.statePath}/db/* - ${pkgs.sudo}/bin/sudo -u ${cfg.user} cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config - ${pkgs.sudo}/bin/sudo -u ${cfg.user} cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db - - ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret - - ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${cfg.packages.gitlab-shell}/bin/install - - if ! test -e "${cfg.statePath}/db-created"; then - if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.databasePassword}'" - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} - - # enable required pg_trgm extension for gitlab - ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql ${cfg.databaseName} -c "CREATE EXTENSION IF NOT EXISTS pg_trgm" + cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION + rm -rf ${cfg.statePath}/db/* + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db + + ${cfg.packages.gitlab-shell}/bin/install + + ${optionalString cfg.smtp.enable '' + install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb + ${optionalString (cfg.smtp.passwordFile != null) '' + smtp_password=$(<'${cfg.smtp.passwordFile}') + ${pkgs.replace}/bin/replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' + ''} + ''} + + ( + umask u=rwx,g=,o= + + ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret + + ${if cfg.databasePasswordFile != null then '' + export db_password="$(<'${cfg.databasePasswordFile}')" + + if [[ -z "$db_password" ]]; then + >&2 echo "Database password was an empty string!" + exit 1 + fi + + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + '.production.password = $ENV.db_password' \ + >'${cfg.statePath}/config/database.yml' + '' + else '' + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + >'${cfg.statePath}/config/database.yml' + '' + } + + ${utils.genJqSecretsReplacementSnippet + gitlabConfig + "${cfg.statePath}/config/gitlab.yml" + } + + if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then + rm '${cfg.statePath}/config/secrets.yml' fi - ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${gitlab-rake}/bin/gitlab-rake db:schema:load - - ${pkgs.sudo}/bin/sudo -u ${cfg.user} touch "${cfg.statePath}/db-created" - fi - - # Always do the db migrations just to be sure the database is up-to-date - ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${gitlab-rake}/bin/gitlab-rake db:migrate - - if ! test -e "${cfg.statePath}/db-seeded"; then - ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${gitlab-rake}/bin/gitlab-rake db:seed_fu \ - GITLAB_ROOT_PASSWORD='${cfg.initialRootPassword}' GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' - ${pkgs.sudo}/bin/sudo -u ${cfg.user} touch "${cfg.statePath}/db-seeded" - fi + export secret="$(<'${cfg.secrets.secretFile}')" + export db="$(<'${cfg.secrets.dbFile}')" + export otp="$(<'${cfg.secrets.otpFile}')" + export jws="$(<'${cfg.secrets.jwsFile}')" + ${pkgs.jq}/bin/jq -n '{production: {secret_key_base: $ENV.secret, + otp_key_base: $ENV.db, + db_key_base: $ENV.otp, + openid_connect_signing_key: $ENV.jws}}' \ + > '${cfg.statePath}/config/secrets.yml' + ) + + initial_root_password="$(<'${cfg.initialRootPasswordFile}')" + ${gitlab-rake}/bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD="$initial_root_password" \ + GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' # We remove potentially broken links to old gitlab-shell versions rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks - ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input" + ${pkgs.git}/bin/git config --global core.autocrlf "input" ''; serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root Type = "simple"; User = cfg.user; Group = cfg.group; diff --git a/nixos/modules/services/misc/gitlab.xml b/nixos/modules/services/misc/gitlab.xml index 5ff570a442f6..b6171a9a194c 100644 --- a/nixos/modules/services/misc/gitlab.xml +++ b/nixos/modules/services/misc/gitlab.xml @@ -54,8 +54,8 @@ <programlisting> services.gitlab = { <link linkend="opt-services.gitlab.enable">enable</link> = true; - <link linkend="opt-services.gitlab.databasePassword">databasePassword</link> = "eXaMpl3"; - <link linkend="opt-services.gitlab.initialRootPassword">initialRootPassword</link> = "UseNixOS!"; + <link linkend="opt-services.gitlab.databasePasswordFile">databasePasswordFile</link> = "/var/keys/gitlab/db_password"; + <link linkend="opt-services.gitlab.initialRootPasswordFile">initialRootPasswordFile</link> = "/var/keys/gitlab/root_password"; <link linkend="opt-services.gitlab.https">https</link> = true; <link linkend="opt-services.gitlab.host">host</link> = "git.example.com"; <link linkend="opt-services.gitlab.port">port</link> = 443; @@ -67,38 +67,10 @@ services.gitlab = { <link linkend="opt-services.gitlab.smtp.port">port</link> = 25; }; secrets = { - <link linkend="opt-services.gitlab.secrets.db">db</link> = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6"; - <link linkend="opt-services.gitlab.secrets.secret">secret</link> = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3"; - <link linkend="opt-services.gitlab.secrets.otp">otp</link> = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI"; - <link linkend="opt-services.gitlab.secrets.jws">jws</link> = '' - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEArrtx4oHKwXoqUbMNqnHgAklnnuDon3XG5LJB35yPsXKv/8GK - ke92wkI+s1Xkvsp8tg9BIY/7c6YK4SR07EWL+dB5qwctsWR2Q8z+/BKmTx9D99pm - hnsjuNIXTF7BXrx3RX6BxZpH5Vzzh9nCwWKT/JCFqtwH7afNGGL7aMf+hdaiUg/Q - SD05yRObioiO4iXDolsJOhrnbZvlzVHl1ZYxFJv0H6/Snc0BBA9Fl/3uj6ANpbjP - eXF1SnJCqT87bj46r5NdVauzaRxAsIfqHroHK4UZ98X5LjGQFGvSqTvyjPBS4I1i - s7VJU28ObuutHxIxSlH0ibn4HZqWmKWlTS652wIDAQABAoIBAGtPcUTTw2sJlR3x - 4k2wfAvLexkHNbZhBdKEa5JiO5mWPuLKwUiZEY2CU7Gd6csG3oqNWcm7/IjtC7dz - xV8p4yp8T4yq7vQIJ93B80NqTLtBD2QTvG2RCMJEPMzJUObWxkVmyVpLQyZo7KOd - KE/OM+aj94OUeEYLjRkSCScz1Gvq/qFG/nAy7KPCmN9JDHuhX26WHo2Rr1OnPNT/ - 7diph0bB9F3b8gjjNTqXDrpdAqVOgR/PsjEBz6DMY+bdyMIn87q2yfmMexxRofN6 - LulpzSaa6Yup8N8H6PzVO6KAkQuf1aQRj0sMwGk1IZEnj6I0KbuHIZkw21Nc6sf2 - ESFySDECgYEA1PnCNn5tmLnwe62Ttmrzl20zIS3Me1gUVJ1NTfr6+ai0I9iMYU21 - 5czuAjJPm9JKQF2vY8UAaCj2ZoObtHa/anb3xsCd8NXoM3iJq5JDoXI1ldz3Y+ad - U/bZUg1DLRvAniTuXmw9iOTwTwPxlDIGq5k+wG2Xmi1lk7zH8ezr9BMCgYEA0gfk - EhgcmPH8Z5cU3YYwOdt6HSJOM0OyN4k/5gnkv+HYVoJTj02gkrJmLr+mi1ugKj46 - 7huYO9TVnrKP21tmbaSv1dp5hS3letVRIxSloEtVGXmmdvJvBRzDWos+G+KcvADi - fFCz6w8v9NmO40CB7y/3SxTmSiSxDQeoi9LhDBkCgYEAsPgMWm25sfOnkY2NNUIv - wT8bAlHlHQT2d8zx5H9NttBpR3P0ShJhuF8N0sNthSQ7ULrIN5YGHYcUH+DyLAWU - TuomP3/kfa+xL7vUYb269tdJEYs4AkoppxBySoz8qenqpz422D0G8M6TpIS5Y5Qi - GMrQ6uLl21YnlpiCaFOfSQMCgYEAmZxj1kgEQmhZrnn1LL/D7czz1vMMNrpAUhXz - wg9iWmSXkU3oR1sDIceQrIhHCo2M6thwyU0tXjUft93pEQocM/zLDaGoVxtmRxxV - J08mg8IVD3jFoyFUyWxsBIDqgAKRl38eJsXvkO+ep3mm49Z+Ma3nM+apN3j2dQ0w - 3HLzXaECgYBFLMEAboVFwi5+MZjGvqtpg2PVTisfuJy2eYnPwHs+AXUgi/xRNFjI - YHEa7UBPb5TEPSzWImQpETi2P5ywcUYL1EbN/nqPWmjFnat8wVmJtV4sUpJhubF4 - Vqm9LxIWc1uQ1q1HDCejRIxIN3aSH+wgRS3Kcj8kCTIoXd1aERb04g== - -----END RSA PRIVATE KEY----- - ''; + <link linkend="opt-services.gitlab.secrets.dbFile">dbFile</link> = "/var/keys/gitlab/db"; + <link linkend="opt-services.gitlab.secrets.secretFile">secretFile</link> = "/var/keys/gitlab/secret"; + <link linkend="opt-services.gitlab.secrets.otpFile">otpFile</link> = "/var/keys/gitlab/otp"; + <link linkend="opt-services.gitlab.secrets.jwsFile">jwsFile</link> = "/var/keys/gitlab/jws"; }; <link linkend="opt-services.gitlab.extraConfig">extraConfig</link> = { gitlab = { @@ -113,12 +85,16 @@ services.gitlab = { </para> <para> - If you're setting up a new Gitlab instance, generate new secrets. You for - instance use <literal>tr -dc A-Za-z0-9 < /dev/urandom | head -c - 128</literal> to generate a new secret. Gitlab encrypts sensitive data - stored in the database. If you're restoring an existing Gitlab instance, you - must specify the secrets secret from <literal>config/secrets.yml</literal> - located in your Gitlab state folder. + If you're setting up a new Gitlab instance, generate new + secrets. You for instance use <literal>tr -dc A-Za-z0-9 < + /dev/urandom | head -c 128 > /var/keys/gitlab/db</literal> to + generate a new db secret. Make sure the files can be read by, and + only by, the user specified by <link + linkend="opt-services.gitlab.user">services.gitlab.user</link>. Gitlab + encrypts sensitive data stored in the database. If you're restoring + an existing Gitlab instance, you must specify the secrets secret + from <literal>config/secrets.yml</literal> located in your Gitlab + state folder. </para> <para> diff --git a/nixos/modules/services/misc/gitolite.nix b/nixos/modules/services/misc/gitolite.nix index cbe2c06ab651..cc69f81bbcc4 100644 --- a/nixos/modules/services/misc/gitolite.nix +++ b/nixos/modules/services/misc/gitolite.nix @@ -147,7 +147,7 @@ in group = cfg.group; useDefaultShell = true; }; - users.groups."${cfg.group}".gid = config.ids.gids.gitolite; + users.groups.${cfg.group}.gid = config.ids.gids.gitolite; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -" @@ -157,7 +157,7 @@ in "Z ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -" ]; - systemd.services."gitolite-init" = { + systemd.services.gitolite-init = { description = "Gitolite initialization"; wantedBy = [ "multi-user.target" ]; unitConfig.RequiresMountsFor = cfg.dataDir; diff --git a/nixos/modules/services/misc/logkeys.nix b/nixos/modules/services/misc/logkeys.nix index ad13d9eaa674..0082db63a06a 100644 --- a/nixos/modules/services/misc/logkeys.nix +++ b/nixos/modules/services/misc/logkeys.nix @@ -11,7 +11,7 @@ in { device = mkOption { description = "Use the given device as keyboard input event device instead of /dev/input/eventX default."; default = null; - type = types.nullOr types.string; + type = types.nullOr types.str; example = "/dev/input/event15"; }; }; diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 3eb649b08a2f..018fac386163 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -374,7 +374,7 @@ in { user = cfg.database_user; database = cfg.database_name; }; - }."${cfg.database_type}"; + }.${cfg.database_type}; description = '' Arguments to pass to the engine. ''; diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix index e8e9c0946d7f..107fb57fe1c4 100644 --- a/nixos/modules/services/misc/mediatomb.nix +++ b/nixos/modules/services/misc/mediatomb.nix @@ -163,7 +163,7 @@ in { }; serverName = mkOption { - type = types.string; + type = types.str; default = "mediatomb"; description = '' How to identify the server on the network. @@ -259,7 +259,7 @@ in { config = mkIf cfg.enable { systemd.services.mediatomb = { description = "MediaTomb media Server"; - after = [ "local-fs.target" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.mediatomb ]; serviceConfig.ExecStart = "${pkgs.mediatomb}/bin/mediatomb -p ${toString cfg.port} ${if cfg.interface!="" then "-e ${cfg.interface}" else ""} ${if cfg.customCfg then "" else "-c ${mtConf}"} -m ${cfg.dataDir}"; diff --git a/nixos/modules/services/misc/mwlib.nix b/nixos/modules/services/misc/mwlib.nix index a8edecff2a1e..6b41b552a86d 100644 --- a/nixos/modules/services/misc/mwlib.nix +++ b/nixos/modules/services/misc/mwlib.nix @@ -165,7 +165,7 @@ in }; # options.services - config = { + config = { systemd.services.mwlib-nserve = mkIf cfg.nserve.enable { @@ -191,7 +191,6 @@ in description = "mwlib job queue server"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" ]; preStart = '' mkdir -pv '${cfg.qserve.datadir}' @@ -218,7 +217,7 @@ in description = "mwlib worker"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" ]; + after = [ "network.target" ]; preStart = '' mkdir -pv '${cfg.nslave.cachedir}' diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 088dfd71860b..3826f728afd0 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -500,12 +500,12 @@ in optionals (pkgs.stdenv.isx86_64 && pkgs.hostPlatform.platform ? gcc.arch) ( # a x86_64 builder can run code for `platform.gcc.arch` and minor architectures: [ "gccarch-${pkgs.hostPlatform.platform.gcc.arch}" ] ++ { - "sandybridge" = [ "gccarch-westmere" ]; - "ivybridge" = [ "gccarch-westmere" "gccarch-sandybridge" ]; - "haswell" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" ]; - "broadwell" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" ]; - "skylake" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" ]; - "skylake-avx512" = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" "gccarch-skylake" ]; + sandybridge = [ "gccarch-westmere" ]; + ivybridge = [ "gccarch-westmere" "gccarch-sandybridge" ]; + haswell = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" ]; + broadwell = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" ]; + skylake = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" ]; + skylake-avx512 = [ "gccarch-westmere" "gccarch-sandybridge" "gccarch-ivybridge" "gccarch-haswell" "gccarch-broadwell" "gccarch-skylake" ]; }.${pkgs.hostPlatform.platform.gcc.arch} or [] ) ); diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index df3e71c80dea..20ba3d8ef0bc 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -54,7 +54,7 @@ in (mkIf (cfg.showManual && cfgd.enable && cfgd.nixos.enable) { boot.extraTTYs = [ "tty${toString cfg.ttyNumber}" ]; - systemd.services."nixos-manual" = { + systemd.services.nixos-manual = { description = "NixOS Manual"; wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 4e6cd80e2425..3985dc0b303c 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -50,7 +50,7 @@ in }; ocrLanguages = mkOption { - type = with types; nullOr (listOf string); + type = with types; nullOr (listOf str); default = null; description = '' Languages available for OCR via Tesseract, specified as diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix index ef90d124a284..ab00086e591e 100644 --- a/nixos/modules/services/misc/pykms.nix +++ b/nixos/modules/services/misc/pykms.nix @@ -9,7 +9,7 @@ in { meta.maintainers = with lib.maintainers; [ peterhoeg ]; options = { - services.pykms = rec { + services.pykms = { enable = mkOption { type = types.bool; default = false; diff --git a/nixos/modules/services/misc/serviio.nix b/nixos/modules/services/misc/serviio.nix index 8808f2d21931..9868192724b5 100644 --- a/nixos/modules/services/misc/serviio.nix +++ b/nixos/modules/services/misc/serviio.nix @@ -10,7 +10,7 @@ let #!${pkgs.bash}/bin/sh SERVIIO_HOME=${pkgs.serviio} - + # Setup the classpath SERVIIO_CLASS_PATH="$SERVIIO_HOME/lib/*:$SERVIIO_HOME/config" @@ -21,13 +21,13 @@ let # Execute the JVM in the foreground exec ${pkgs.jre}/bin/java -Xmx512M -Xms20M -XX:+UseG1GC -XX:GCTimeRatio=1 -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 $JAVA_OPTS -classpath "$SERVIIO_CLASS_PATH" org.serviio.MediaServer "$@" ''; - + in { ###### interface options = { services.serviio = { - + enable = mkOption { type = types.bool; default = false; @@ -52,7 +52,7 @@ in { config = mkIf cfg.enable { systemd.services.serviio = { description = "Serviio Media Server"; - after = [ "local-fs.target" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.serviio ]; serviceConfig = { @@ -64,7 +64,7 @@ in { }; users.users = [ - { + { name = "serviio"; group = "serviio"; home = cfg.dataDir; @@ -75,16 +75,16 @@ in { ]; users.groups = [ - { name = "serviio";} + { name = "serviio";} ]; networking.firewall = { - allowedTCPPorts = [ + allowedTCPPorts = [ 8895 # serve UPnP responses 23423 # console 23424 # mediabrowser ]; - allowedUDPPorts = [ + allowedUDPPorts = [ 1900 # UPnP service discovey ]; }; diff --git a/nixos/modules/services/misc/snapper.nix b/nixos/modules/services/misc/snapper.nix index 62b344d11b06..6f3aaa973a04 100644 --- a/nixos/modules/services/misc/snapper.nix +++ b/nixos/modules/services/misc/snapper.nix @@ -44,7 +44,7 @@ in configs = mkOption { default = { }; example = literalExample { - "home" = { + home = { subvolume = "/home"; extraConfig = '' ALLOW_USERS="alice" diff --git a/nixos/modules/services/misc/subsonic.nix b/nixos/modules/services/misc/subsonic.nix index 1612b197f35f..152917d345cc 100644 --- a/nixos/modules/services/misc/subsonic.nix +++ b/nixos/modules/services/misc/subsonic.nix @@ -17,7 +17,7 @@ let cfg = config.services.subsonic; in { }; listenAddress = mkOption { - type = types.string; + type = types.str; default = "0.0.0.0"; description = '' The host name or IP address on which to bind Subsonic. @@ -105,7 +105,7 @@ let cfg = config.services.subsonic; in { config = mkIf cfg.enable { systemd.services.subsonic = { description = "Personal media streamer"; - after = [ "local-fs.target" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; script = '' ${pkgs.jre}/bin/java -Xmx${toString cfg.maxMemory}m \ diff --git a/nixos/modules/services/misc/synergy.nix b/nixos/modules/services/misc/synergy.nix index b89cb41ac3ad..bfab8c534d8c 100644 --- a/nixos/modules/services/misc/synergy.nix +++ b/nixos/modules/services/misc/synergy.nix @@ -83,7 +83,7 @@ in config = mkMerge [ (mkIf cfgC.enable { - systemd.user.services."synergy-client" = { + systemd.user.services.synergy-client = { after = [ "network.target" "graphical-session.target" ]; description = "Synergy client"; wantedBy = optional cfgC.autoStart "graphical-session.target"; @@ -93,7 +93,7 @@ in }; }) (mkIf cfgS.enable { - systemd.user.services."synergy-server" = { + systemd.user.services.synergy-server = { after = [ "network.target" "graphical-session.target" ]; description = "Synergy server"; wantedBy = optional cfgS.autoStart "graphical-session.target"; diff --git a/nixos/modules/services/misc/uhub.nix b/nixos/modules/services/misc/uhub.nix index 005951b9231e..753580c3e404 100644 --- a/nixos/modules/services/misc/uhub.nix +++ b/nixos/modules/services/misc/uhub.nix @@ -51,7 +51,7 @@ in }; address = mkOption { - type = types.string; + type = types.str; default = "any"; description = "Address to bind the hub to."; }; @@ -83,7 +83,7 @@ in description = "Whether to enable the Sqlite authentication database plugin"; }; file = mkOption { - type = types.string; + type = types.path; example = "/var/db/uhub-users"; description = "Path to user database. Use the uhub-passwd utility to create the database and add/remove users."; }; @@ -96,7 +96,7 @@ in description = "Whether to enable the logging plugin."; }; file = mkOption { - type = types.string; + type = types.str; default = ""; description = "Path of log file."; }; @@ -117,7 +117,7 @@ in default = ""; type = types.lines; description = '' - Welcome message displayed to clients after connecting + Welcome message displayed to clients after connecting and with the <literal>!motd</literal> command. ''; }; @@ -183,4 +183,4 @@ in }; }; -} \ No newline at end of file +} diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index bf38b9ad7a2d..3bff04e7127d 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -11,7 +11,7 @@ let group = { nginx = config.services.nginx.group; none = user; - }."${cfg.webserver}"; + }.${cfg.webserver}; useNginx = cfg.webserver == "nginx"; @@ -225,7 +225,7 @@ in { nginx = lib.mkIf useNginx { enable = true; virtualHosts = { - "${cfg.hostname}" = { + ${cfg.hostname} = { default = true; root = "${pkg}/share/zoneminder/www"; listen = [ { addr = "0.0.0.0"; inherit (cfg) port; } ]; @@ -312,7 +312,7 @@ in { }; systemd.services = { - zoneminder = with pkgs; rec { + zoneminder = with pkgs; { inherit (zoneminder.meta) description; documentation = [ "https://zoneminder.readthedocs.org/en/latest/" ]; path = [ @@ -356,11 +356,11 @@ in { }; }; - users.groups."${user}" = { + users.groups.${user} = { gid = config.ids.gids.zoneminder; }; - users.users."${user}" = { + users.users.${user} = { uid = config.ids.uids.zoneminder; group = user; inherit home; diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix index 50c84e3c6b80..5d91e44a199d 100644 --- a/nixos/modules/services/misc/zookeeper.nix +++ b/nixos/modules/services/misc/zookeeper.nix @@ -121,6 +121,7 @@ in { systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 zookeeper - - -" + "Z '${cfg.dataDir}' 0700 zookeeper - - -" ]; systemd.services.zookeeper = { diff --git a/nixos/modules/services/monitoring/apcupsd.nix b/nixos/modules/services/monitoring/apcupsd.nix index 49957e652900..75218aa1d46b 100644 --- a/nixos/modules/services/monitoring/apcupsd.nix +++ b/nixos/modules/services/monitoring/apcupsd.nix @@ -91,7 +91,7 @@ in BATTERYLEVEL 50 MINUTES 5 ''; - type = types.string; + type = types.lines; description = '' Contents of the runtime configuration file, apcupsd.conf. The default settings makes apcupsd autodetect USB UPSes, limit network access to @@ -106,7 +106,7 @@ in example = { doshutdown = ''# shell commands to notify that the computer is shutting down''; }; - type = types.attrsOf types.string; + type = types.attrsOf types.lines; description = '' Each attribute in this option names an apcupsd event and the string value it contains will be executed in a shell, in response to that diff --git a/nixos/modules/services/monitoring/bosun.nix b/nixos/modules/services/monitoring/bosun.nix index 8bf741adb6e3..b1c12cce1f80 100644 --- a/nixos/modules/services/monitoring/bosun.nix +++ b/nixos/modules/services/monitoring/bosun.nix @@ -41,7 +41,7 @@ in { }; user = mkOption { - type = types.string; + type = types.str; default = "bosun"; description = '' User account under which bosun runs. @@ -49,7 +49,7 @@ in { }; group = mkOption { - type = types.string; + type = types.str; default = "bosun"; description = '' Group account under which bosun runs. @@ -57,7 +57,7 @@ in { }; opentsdbHost = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = "localhost:4242"; description = '' Host and port of the OpenTSDB database that stores bosun data. @@ -66,7 +66,7 @@ in { }; influxHost = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "localhost:8086"; description = '' @@ -75,7 +75,7 @@ in { }; listenAddress = mkOption { - type = types.string; + type = types.str; default = ":8070"; description = '' The host address and port that bosun's web interface will listen on. diff --git a/nixos/modules/services/monitoring/datadog-agent.nix b/nixos/modules/services/monitoring/datadog-agent.nix index 7f78db74677c..02a9f316fc32 100644 --- a/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixos/modules/services/monitoring/datadog-agent.nix @@ -87,7 +87,7 @@ in { description = "The hostname to show in the Datadog dashboard (optional)"; default = null; example = "mymachine.mydomain"; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; }; logLevel = mkOption { diff --git a/nixos/modules/services/monitoring/dd-agent/dd-agent.nix b/nixos/modules/services/monitoring/dd-agent/dd-agent.nix index abc8d65d58f2..5ee6b092a6a4 100644 --- a/nixos/modules/services/monitoring/dd-agent/dd-agent.nix +++ b/nixos/modules/services/monitoring/dd-agent/dd-agent.nix @@ -145,47 +145,46 @@ in { description = "The hostname to show in the Datadog dashboard (optional)"; default = null; example = "mymachine.mydomain"; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; }; postgresqlConfig = mkOption { description = "Datadog PostgreSQL integration configuration"; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.lines; }; nginxConfig = mkOption { description = "Datadog nginx integration configuration"; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.lines; }; mongoConfig = mkOption { description = "MongoDB integration configuration"; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.lines; }; jmxConfig = mkOption { description = "JMX integration configuration"; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.lines; }; processConfig = mkOption { description = '' Process integration configuration - - See http://docs.datadoghq.com/integrations/process/ + See <link xlink:href="https://docs.datadoghq.com/integrations/process/"/> ''; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.lines; }; }; config = mkIf cfg.enable { - environment.systemPackages = [ pkgs."dd-agent" pkgs.sysstat pkgs.procps ]; + environment.systemPackages = [ pkgs.dd-agent pkgs.sysstat pkgs.procps ]; users.users.datadog = { description = "Datadog Agent User"; diff --git a/nixos/modules/services/monitoring/fusion-inventory.nix b/nixos/modules/services/monitoring/fusion-inventory.nix index 9c976c65ea49..b90579bb70c7 100644 --- a/nixos/modules/services/monitoring/fusion-inventory.nix +++ b/nixos/modules/services/monitoring/fusion-inventory.nix @@ -51,7 +51,7 @@ in { description = "FusionInventory user"; }; - systemd.services."fusion-inventory" = { + systemd.services.fusion-inventory = { description = "Fusion Inventory Agent"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index d6473220c140..64cb6c3da1e5 100644 --- a/nixos/modules/services/monitoring/graphite.nix +++ b/nixos/modules/services/monitoring/graphite.nix @@ -11,7 +11,7 @@ let graphiteLocalSettingsDir = pkgs.runCommand "graphite_local_settings" { inherit graphiteLocalSettings; - preferLocalBuild = true; + preferLocalBuild = true; } '' mkdir -p $out ln -s $graphiteLocalSettings $out/graphite_local_settings.py @@ -215,7 +215,7 @@ in { storageAggregation = mkOption { description = "Defines how to aggregate data to lower-precision retentions."; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; example = '' [all_min] pattern = \.min$ @@ -227,7 +227,7 @@ in { storageSchemas = mkOption { description = "Defines retention rates for storing metrics."; default = ""; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; example = '' [apache_busyWorkers] pattern = ^servers\.www.*\.workers\.busyWorkers$ @@ -238,14 +238,14 @@ in { blacklist = mkOption { description = "Any metrics received which match one of the experssions will be dropped."; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; example = "^some\.noisy\.metric\.prefix\..*"; }; whitelist = mkOption { description = "Only metrics received which match one of the experssions will be persisted."; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; example = ".*"; }; @@ -255,7 +255,7 @@ in { in a search and replace fashion. ''; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; example = '' [post] _sum$ = @@ -272,7 +272,7 @@ in { relayRules = mkOption { description = "Relay rules are used to send certain metrics to a certain backend."; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; example = '' [example] pattern = ^mydata\.foo\..+ @@ -289,7 +289,7 @@ in { aggregationRules = mkOption { description = "Defines if and how received metrics will be aggregated."; default = null; - type = types.uniq (types.nullOr types.string); + type = types.nullOr types.str; example = '' <env>.applications.<app>.all.requests (60) = sum <env>.applications.<app>.*.requests <env>.applications.<app>.all.latency (60) = avg <env>.applications.<app>.*.latency diff --git a/nixos/modules/services/monitoring/heapster.nix b/nixos/modules/services/monitoring/heapster.nix index fbdff2eb5dbe..6da0831b4c5f 100644 --- a/nixos/modules/services/monitoring/heapster.nix +++ b/nixos/modules/services/monitoring/heapster.nix @@ -15,19 +15,19 @@ in { source = mkOption { description = "Heapster metric source"; example = "kubernetes:https://kubernetes.default"; - type = types.string; + type = types.str; }; sink = mkOption { description = "Heapster metic sink"; example = "influxdb:http://localhost:8086"; - type = types.string; + type = types.str; }; extraOpts = mkOption { description = "Heapster extra options"; default = ""; - type = types.string; + type = types.separatedString " "; }; package = mkOption { diff --git a/nixos/modules/services/monitoring/kapacitor.nix b/nixos/modules/services/monitoring/kapacitor.nix index 0f236d25c9ed..9b4ff3c56124 100644 --- a/nixos/modules/services/monitoring/kapacitor.nix +++ b/nixos/modules/services/monitoring/kapacitor.nix @@ -116,17 +116,17 @@ in url = mkOption { description = "The URL to an InfluxDB server that serves as the default database"; example = "http://localhost:8086"; - type = types.string; + type = types.str; }; username = mkOption { description = "The username to connect to the remote InfluxDB server"; - type = types.string; + type = types.str; }; password = mkOption { description = "The password to connect to the remote InfluxDB server"; - type = types.string; + type = types.str; }; }; @@ -137,7 +137,7 @@ in description = "The URL to the Alerta REST API"; default = "http://localhost:5000"; example = "http://localhost:5000"; - type = types.string; + type = types.str; }; token = mkOption { diff --git a/nixos/modules/services/monitoring/monit.nix b/nixos/modules/services/monitoring/monit.nix index 32e14ab21ffc..ca9352272174 100644 --- a/nixos/modules/services/monitoring/monit.nix +++ b/nixos/modules/services/monitoring/monit.nix @@ -23,7 +23,7 @@ in environment.systemPackages = [ pkgs.monit ]; - environment.etc."monitrc" = { + environment.etc.monitrc = { text = cfg.config; mode = "0400"; }; @@ -39,7 +39,7 @@ in KillMode = "process"; Restart = "always"; }; - restartTriggers = [ config.environment.etc."monitrc".source ]; + restartTriggers = [ config.environment.etc.monitrc.source ]; }; }; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index ffe223fedbe1..8af0650c7380 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -233,7 +233,7 @@ in # In the meantime this at least suppresses a useless graph full of # NaNs in the output. default = [ "munin_stats" ]; - type = with types; listOf string; + type = with types; listOf str; description = '' Munin plugins to disable, even if <literal>munin-node-configure --suggest</literal> tries to enable diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index 647d67533b89..191c0bff9c84 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -4,37 +4,14 @@ with lib; let cfg = config.services.prometheus; - cfg2 = config.services.prometheus2; - promUser = "prometheus"; - promGroup = "prometheus"; - - stateDir = - if cfg.stateDir != null - then cfg.stateDir - else - if cfg.dataDir != null - then - # This assumes /var/lib/ is a prefix of cfg.dataDir. - # This is checked as an assertion below. - removePrefix stateDirBase cfg.dataDir - else "prometheus"; - stateDirBase = "/var/lib/"; - workingDir = stateDirBase + stateDir; - workingDir2 = stateDirBase + cfg2.stateDir; - # a wrapper that verifies that the configuration is valid - promtoolCheck = what: name: file: pkgs.runCommand "${name}-${what}-checked" - { buildInputs = [ cfg.package ]; } '' - ln -s ${file} $out - promtool ${what} $out - ''; + workingDir = "/var/lib/" + cfg.stateDir; - # a wrapper that verifies that the configuration is valid for - # prometheus 2 - prom2toolCheck = what: name: file: + # a wrapper that verifies that the configuration is valid + promtoolCheck = what: name: file: pkgs.runCommand "${name}-${replaceStrings [" "] [""] what}-checked" - { buildInputs = [ cfg2.package ]; } '' + { buildInputs = [ cfg.package ]; } '' ln -s ${file} $out promtool ${what} $out ''; @@ -45,61 +22,34 @@ let echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out ''; - # This becomes the main config file for Prometheus 1 + generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig; + + # This becomes the main config file for Prometheus promConfig = { global = filterValidPrometheus cfg.globalConfig; - rule_files = map (promtoolCheck "check-rules" "rules") (cfg.ruleFiles ++ [ + rule_files = map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) ]); scrape_configs = filterValidPrometheus cfg.scrapeConfigs; + alerting = { + inherit (cfg) alertmanagers; + }; }; - generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig; - prometheusYml = let yml = if cfg.configText != null then pkgs.writeText "prometheus.yml" cfg.configText else generatedPrometheusYml; - in promtoolCheck "check-config" "prometheus.yml" yml; + in promtoolCheck "check config" "prometheus.yml" yml; cmdlineArgs = cfg.extraFlags ++ [ - "-storage.local.path=${workingDir}/metrics" - "-config.file=${prometheusYml}" - "-web.listen-address=${cfg.listenAddress}" - "-alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" - "-alertmanager.timeout=${toString cfg.alertmanagerTimeout}s" + "--storage.tsdb.path=${workingDir}/data/" + "--config.file=${prometheusYml}" + "--web.listen-address=${cfg.listenAddress}" + "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" + "--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s" ] ++ - optional (cfg.alertmanagerURL != []) "-alertmanager.url=${concatStringsSep "," cfg.alertmanagerURL}" ++ - optional (cfg.webExternalUrl != null) "-web.external-url=${cfg.webExternalUrl}"; - - # This becomes the main config file for Prometheus 2 - promConfig2 = { - global = filterValidPrometheus cfg2.globalConfig; - rule_files = map (prom2toolCheck "check rules" "rules") (cfg2.ruleFiles ++ [ - (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg2.rules)) - ]); - scrape_configs = filterValidPrometheus cfg2.scrapeConfigs; - alerting = { - inherit (cfg2) alertmanagers; - }; - }; - - generatedPrometheus2Yml = writePrettyJSON "prometheus.yml" promConfig2; - - prometheus2Yml = let - yml = if cfg2.configText != null then - pkgs.writeText "prometheus.yml" cfg2.configText - else generatedPrometheus2Yml; - in prom2toolCheck "check config" "prometheus.yml" yml; - - cmdlineArgs2 = cfg2.extraFlags ++ [ - "--storage.tsdb.path=${workingDir2}/data/" - "--config.file=${prometheus2Yml}" - "--web.listen-address=${cfg2.listenAddress}" - "--alertmanager.notification-queue-capacity=${toString cfg2.alertmanagerNotificationQueueCapacity}" - "--alertmanager.timeout=${toString cfg2.alertmanagerTimeout}s" - ] ++ - optional (cfg2.webExternalUrl != null) "--web.external-url=${cfg2.webExternalUrl}"; + optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}"; filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); filterAttrsListRecursive = pred: x: @@ -514,343 +464,159 @@ let }; in { - options = { - services.prometheus = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable the Prometheus monitoring daemon. - ''; - }; - - package = mkOption { - type = types.package; - default = pkgs.prometheus; - defaultText = "pkgs.prometheus"; - description = '' - The prometheus package that should be used. - ''; - }; - - listenAddress = mkOption { - type = types.str; - default = "0.0.0.0:9090"; - description = '' - Address to listen on for the web interface, API, and telemetry. - ''; - }; - - dataDir = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Directory to store Prometheus metrics data. - This option is deprecated, please use <option>services.prometheus.stateDir</option>. - ''; - }; - - stateDir = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Directory below <literal>${stateDirBase}</literal> to store Prometheus metrics data. - This directory will be created automatically using systemd's StateDirectory mechanism. - Defaults to <literal>prometheus</literal>. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching Prometheus. - ''; - }; - - configText = mkOption { - type = types.nullOr types.lines; - default = null; - description = '' - If non-null, this option defines the text that is written to - prometheus.yml. If null, the contents of prometheus.yml is generated - from the structured config options. - ''; - }; - - globalConfig = mkOption { - type = promTypes.globalConfig; - default = {}; - description = '' - Parameters that are valid in all configuration contexts. They - also serve as defaults for other configuration sections - ''; - }; - - rules = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Alerting and/or Recording rules to evaluate at runtime. - ''; - }; - - ruleFiles = mkOption { - type = types.listOf types.path; - default = []; - description = '' - Any additional rules files to include in this configuration. - ''; - }; + options.services.prometheus = { - scrapeConfigs = mkOption { - type = types.listOf promTypes.scrape_config; - default = []; - description = '' - A list of scrape configurations. - ''; - }; - - alertmanagerURL = mkOption { - type = types.listOf types.str; - default = []; - description = '' - List of Alertmanager URLs to send notifications to. - ''; - }; - - alertmanagerNotificationQueueCapacity = mkOption { - type = types.int; - default = 10000; - description = '' - The capacity of the queue for pending alert manager notifications. - ''; - }; - - alertmanagerTimeout = mkOption { - type = types.int; - default = 10; - description = '' - Alert manager HTTP API timeout (in seconds). - ''; - }; - - webExternalUrl = mkOption { - type = types.nullOr types.str; - default = null; - example = "https://example.com/"; - description = '' - The URL under which Prometheus is externally reachable (for example, - if Prometheus is served via a reverse proxy). - ''; - }; + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the Prometheus monitoring daemon. + ''; }; - services.prometheus2 = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable the Prometheus 2 monitoring daemon. - ''; - }; + package = mkOption { + type = types.package; + default = pkgs.prometheus; + defaultText = "pkgs.prometheus"; + description = '' + The prometheus package that should be used. + ''; + }; - package = mkOption { - type = types.package; - default = pkgs.prometheus_2; - defaultText = "pkgs.prometheus_2"; - description = '' - The prometheus2 package that should be used. - ''; - }; + listenAddress = mkOption { + type = types.str; + default = "0.0.0.0:9090"; + description = '' + Address to listen on for the web interface, API, and telemetry. + ''; + }; - listenAddress = mkOption { - type = types.str; - default = "0.0.0.0:9090"; - description = '' - Address to listen on for the web interface, API, and telemetry. - ''; - }; + stateDir = mkOption { + type = types.str; + default = "prometheus2"; + description = '' + Directory below <literal>/var/lib</literal> to store Prometheus metrics data. + This directory will be created automatically using systemd's StateDirectory mechanism. + ''; + }; - stateDir = mkOption { - type = types.str; - default = "prometheus2"; - description = '' - Directory below <literal>${stateDirBase}</literal> to store Prometheus metrics data. - This directory will be created automatically using systemd's StateDirectory mechanism. - Defaults to <literal>prometheus2</literal>. - ''; - }; + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra commandline options when launching Prometheus. + ''; + }; - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching Prometheus 2. - ''; - }; + configText = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + If non-null, this option defines the text that is written to + prometheus.yml. If null, the contents of prometheus.yml is generated + from the structured config options. + ''; + }; - configText = mkOption { - type = types.nullOr types.lines; - default = null; - description = '' - If non-null, this option defines the text that is written to - prometheus.yml. If null, the contents of prometheus.yml is generated - from the structured config options. - ''; - }; + globalConfig = mkOption { + type = promTypes.globalConfig; + default = {}; + description = '' + Parameters that are valid in all configuration contexts. They + also serve as defaults for other configuration sections + ''; + }; - globalConfig = mkOption { - type = promTypes.globalConfig; - default = {}; - description = '' - Parameters that are valid in all configuration contexts. They - also serve as defaults for other configuration sections - ''; - }; + rules = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Alerting and/or Recording rules to evaluate at runtime. + ''; + }; - rules = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Alerting and/or Recording rules to evaluate at runtime. - ''; - }; + ruleFiles = mkOption { + type = types.listOf types.path; + default = []; + description = '' + Any additional rules files to include in this configuration. + ''; + }; - ruleFiles = mkOption { - type = types.listOf types.path; - default = []; - description = '' - Any additional rules files to include in this configuration. - ''; - }; + scrapeConfigs = mkOption { + type = types.listOf promTypes.scrape_config; + default = []; + description = '' + A list of scrape configurations. + ''; + }; - scrapeConfigs = mkOption { - type = types.listOf promTypes.scrape_config; - default = []; - description = '' - A list of scrape configurations. - ''; - }; + alertmanagers = mkOption { + type = types.listOf types.attrs; + example = literalExample '' + [ { + scheme = "https"; + path_prefix = "/alertmanager"; + static_configs = [ { + targets = [ + "prometheus.domain.tld" + ]; + } ]; + } ] + ''; + default = []; + description = '' + A list of alertmanagers to send alerts to. + See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information. + ''; + }; - alertmanagers = mkOption { - type = types.listOf types.attrs; - example = literalExample '' - [ { - scheme = "https"; - path_prefix = "/alertmanager"; - static_configs = [ { - targets = [ - "prometheus.domain.tld" - ]; - } ]; - } ] - ''; - default = []; - description = '' - A list of alertmanagers to send alerts to. - See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information. - ''; - }; + alertmanagerNotificationQueueCapacity = mkOption { + type = types.int; + default = 10000; + description = '' + The capacity of the queue for pending alert manager notifications. + ''; + }; - alertmanagerNotificationQueueCapacity = mkOption { - type = types.int; - default = 10000; - description = '' - The capacity of the queue for pending alert manager notifications. - ''; - }; + alertmanagerTimeout = mkOption { + type = types.int; + default = 10; + description = '' + Alert manager HTTP API timeout (in seconds). + ''; + }; - alertmanagerTimeout = mkOption { - type = types.int; - default = 10; - description = '' - Alert manager HTTP API timeout (in seconds). - ''; - }; + webExternalUrl = mkOption { + type = types.nullOr types.str; + default = null; + example = "https://example.com/"; + description = '' + The URL under which Prometheus is externally reachable (for example, + if Prometheus is served via a reverse proxy). + ''; + }; + }; - webExternalUrl = mkOption { - type = types.nullOr types.str; - default = null; - example = "https://example.com/"; - description = '' - The URL under which Prometheus is externally reachable (for example, - if Prometheus is served via a reverse proxy). - ''; - }; + config = mkIf cfg.enable { + users.groups.prometheus.gid = config.ids.gids.prometheus; + users.users.prometheus = { + description = "Prometheus daemon user"; + uid = config.ids.uids.prometheus; + group = "prometheus"; }; - }; - - config = mkMerge [ - (mkIf (cfg.enable || cfg2.enable) { - users.groups.${promGroup}.gid = config.ids.gids.prometheus; - users.users.${promUser} = { - description = "Prometheus daemon user"; - uid = config.ids.uids.prometheus; - group = promGroup; + systemd.services.prometheus = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/prometheus" + + optionalString (length cmdlineArgs != 0) (" \\\n " + + concatStringsSep " \\\n " cmdlineArgs); + User = "prometheus"; + Restart = "always"; + WorkingDirectory = workingDir; + StateDirectory = cfg.stateDir; }; - }) - (mkIf cfg.enable { - warnings = - optional (cfg.dataDir != null) '' - The option services.prometheus.dataDir is deprecated, please use - services.prometheus.stateDir. - ''; - assertions = [ - { - assertion = !(cfg.dataDir != null && cfg.stateDir != null); - message = - "The options services.prometheus.dataDir and services.prometheus.stateDir" + - " can't both be set at the same time! It's recommended to only set the latter" + - " since the former is deprecated."; - } - { - assertion = cfg.dataDir != null -> hasPrefix stateDirBase cfg.dataDir; - message = - "The option services.prometheus.dataDir should have ${stateDirBase} as a prefix!"; - } - { - assertion = cfg.stateDir != null -> !hasPrefix "/" cfg.stateDir; - message = - "The option services.prometheus.stateDir shouldn't be an absolute directory." + - " It should be a directory relative to ${stateDirBase}."; - } - { - assertion = cfg2.stateDir != null -> !hasPrefix "/" cfg2.stateDir; - message = - "The option services.prometheus2.stateDir shouldn't be an absolute directory." + - " It should be a directory relative to ${stateDirBase}."; - } - ]; - systemd.services.prometheus = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = "${cfg.package}/bin/prometheus" + - optionalString (length cmdlineArgs != 0) (" \\\n " + - concatStringsSep " \\\n " cmdlineArgs); - User = promUser; - Restart = "always"; - WorkingDirectory = workingDir; - StateDirectory = stateDir; - }; - }; - }) - (mkIf cfg2.enable { - systemd.services.prometheus2 = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = "${cfg2.package}/bin/prometheus" + - optionalString (length cmdlineArgs2 != 0) (" \\\n " + - concatStringsSep " \\\n " cmdlineArgs2); - User = promUser; - Restart = "always"; - WorkingDirectory = workingDir2; - StateDirectory = cfg2.stateDir; - }; - }; - }) - ]; + }; + }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 2ab8910ff9db..b69310c34ff5 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -132,14 +132,10 @@ let in mkIf conf.enable { warnings = conf.warnings or []; - users.users = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) { - "${name}-exporter" = { - description = '' - Prometheus ${name} exporter service user - ''; - isSystemUser = true; - inherit (conf) group; - }; + users.users."${name}-exporter" = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) { + description = "Prometheus ${name} exporter service user"; + isSystemUser = true; + inherit (conf) group; }); users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) { "${name}-exporter" = {}; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/node.nix b/nixos/modules/services/monitoring/prometheus/exporters/node.nix index 7e394e8463e0..adc2abe0b91c 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/node.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/node.nix @@ -9,7 +9,7 @@ in port = 9100; extraOpts = { enabledCollectors = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; example = ''[ "systemd" ]''; description = '' diff --git a/nixos/modules/services/monitoring/riemann-tools.nix b/nixos/modules/services/monitoring/riemann-tools.nix index 2b647b6b1ade..86a11694e7b4 100644 --- a/nixos/modules/services/monitoring/riemann-tools.nix +++ b/nixos/modules/services/monitoring/riemann-tools.nix @@ -35,7 +35,7 @@ in { ''; }; extraArgs = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; description = '' A list of commandline-switches forwarded to a riemann-tool. diff --git a/nixos/modules/services/monitoring/scollector.nix b/nixos/modules/services/monitoring/scollector.nix index dc0899c7e684..38cd2213de76 100644 --- a/nixos/modules/services/monitoring/scollector.nix +++ b/nixos/modules/services/monitoring/scollector.nix @@ -51,7 +51,7 @@ in { }; user = mkOption { - type = types.string; + type = types.str; default = "scollector"; description = '' User account under which scollector runs. @@ -59,7 +59,7 @@ in { }; group = mkOption { - type = types.string; + type = types.str; default = "scollector"; description = '' Group account under which scollector runs. @@ -67,7 +67,7 @@ in { }; bosunHost = mkOption { - type = types.string; + type = types.str; default = "localhost:8070"; description = '' Host and port of the bosun server that will store the collected diff --git a/nixos/modules/services/monitoring/thanos.nix b/nixos/modules/services/monitoring/thanos.nix index b41e99b76477..215cd43fd864 100644 --- a/nixos/modules/services/monitoring/thanos.nix +++ b/nixos/modules/services/monitoring/thanos.nix @@ -70,14 +70,14 @@ let } ''json2yaml -i $json -o $out''; thanos = cmd: "${cfg.package}/bin/thanos ${cmd}" + - (let args = cfg."${cmd}".arguments; + (let args = cfg.${cmd}.arguments; in optionalString (length args != 0) (" \\\n " + concatStringsSep " \\\n " args)); argumentsOf = cmd: concatLists (collect isList - (flip mapParamsRecursive params."${cmd}" (path: param: + (flip mapParamsRecursive params.${cmd} (path: param: let opt = concatStringsSep "." path; - v = getAttrFromPath path cfg."${cmd}"; + v = getAttrFromPath path cfg.${cmd}; in param.toArgs opt v))); mkArgumentsOption = cmd: mkOption { @@ -95,7 +95,7 @@ let }; mapParamsRecursive = - let noParam = attr: !(attr ? "toArgs" && attr ? "option"); + let noParam = attr: !(attr ? toArgs && attr ? option); in mapAttrsRecursiveCond noParam; paramsToOptions = mapParamsRecursive (_path: param: param.option); @@ -218,8 +218,8 @@ let toArgs = optionToArgs; option = mkOption { type = types.str; - default = "/var/lib/${config.services.prometheus2.stateDir}/data"; - defaultText = "/var/lib/\${config.services.prometheus2.stateDir}/data"; + default = "/var/lib/${config.services.prometheus.stateDir}/data"; + defaultText = "/var/lib/\${config.services.prometheus.stateDir}/data"; description = '' Data directory of TSDB. ''; @@ -607,7 +607,7 @@ let assertRelativeStateDir = cmd: { assertions = [ { - assertion = !hasPrefix "/" cfg."${cmd}".stateDir; + assertion = !hasPrefix "/" cfg.${cmd}.stateDir; message = "The option services.thanos.${cmd}.stateDir should not be an absolute directory." + " It should be a directory relative to /var/lib."; @@ -679,22 +679,22 @@ in { (mkIf cfg.sidecar.enable { assertions = [ { - assertion = config.services.prometheus2.enable; + assertion = config.services.prometheus.enable; message = - "Please enable services.prometheus2 when enabling services.thanos.sidecar."; + "Please enable services.prometheus when enabling services.thanos.sidecar."; } { - assertion = !(config.services.prometheus2.globalConfig.external_labels == null || - config.services.prometheus2.globalConfig.external_labels == {}); + assertion = !(config.services.prometheus.globalConfig.external_labels == null || + config.services.prometheus.globalConfig.external_labels == {}); message = "services.thanos.sidecar requires uniquely identifying external labels " + "to be configured in the Prometheus server. " + - "Please set services.prometheus2.globalConfig.external_labels."; + "Please set services.prometheus.globalConfig.external_labels."; } ]; systemd.services.thanos-sidecar = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "prometheus2.service" ]; + after = [ "network.target" "prometheus.service" ]; serviceConfig = { User = "prometheus"; Restart = "always"; diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix index 429b40227d47..1bdc4e4410f1 100644 --- a/nixos/modules/services/monitoring/ups.nix +++ b/nixos/modules/services/monitoring/ups.nix @@ -55,7 +55,7 @@ let description = mkOption { default = ""; - type = types.string; + type = types.str; description = '' Description of the UPS. ''; @@ -71,7 +71,7 @@ let summary = mkOption { default = ""; - type = types.string; + type = types.lines; description = '' Lines which would be added inside ups.conf for handling this UPS. ''; diff --git a/nixos/modules/services/monitoring/uptime.nix b/nixos/modules/services/monitoring/uptime.nix index c0993f3bc2e7..245badc3e44f 100644 --- a/nixos/modules/services/monitoring/uptime.nix +++ b/nixos/modules/services/monitoring/uptime.nix @@ -57,7 +57,7 @@ in { nodeEnv = mkOption { description = "The node environment to run in (development, production, etc.)"; - type = types.string; + type = types.str; default = "production"; }; diff --git a/nixos/modules/services/monitoring/zabbix-agent.nix b/nixos/modules/services/monitoring/zabbix-agent.nix index b1645f861101..856b9432892b 100644 --- a/nixos/modules/services/monitoring/zabbix-agent.nix +++ b/nixos/modules/services/monitoring/zabbix-agent.nix @@ -135,7 +135,7 @@ in users.groups.${group} = { }; - systemd.services."zabbix-agent" = { + systemd.services.zabbix-agent = { description = "Zabbix Agent"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/monitoring/zabbix-proxy.nix b/nixos/modules/services/monitoring/zabbix-proxy.nix index 90abed30db5d..9d214469c3b3 100644 --- a/nixos/modules/services/monitoring/zabbix-proxy.nix +++ b/nixos/modules/services/monitoring/zabbix-proxy.nix @@ -252,7 +252,7 @@ in fping.source = "${pkgs.fping}/bin/fping"; }; - systemd.services."zabbix-proxy" = { + systemd.services.zabbix-proxy = { description = "Zabbix Proxy"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/monitoring/zabbix-server.nix b/nixos/modules/services/monitoring/zabbix-server.nix index 11311b466c3f..4b4049ed360e 100644 --- a/nixos/modules/services/monitoring/zabbix-server.nix +++ b/nixos/modules/services/monitoring/zabbix-server.nix @@ -237,7 +237,7 @@ in fping.source = "${pkgs.fping}/bin/fping"; }; - systemd.services."zabbix-server" = { + systemd.services.zabbix-server = { description = "Zabbix Server"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/network-filesystems/beegfs.nix b/nixos/modules/services/network-filesystems/beegfs.nix index 86b1bb9160f1..2e03a422665a 100644 --- a/nixos/modules/services/network-filesystems/beegfs.nix +++ b/nixos/modules/services/network-filesystems/beegfs.nix @@ -69,7 +69,7 @@ let # functions to generate systemd.service entries systemdEntry = service: cfgFile: (mapAttrs' ( name: cfg: - (nameValuePair "beegfs-${service}-${name}" (mkIf cfg."${service}".enable { + (nameValuePair "beegfs-${service}-${name}" (mkIf cfg.${service}.enable { wantedBy = [ "multi-user.target" ]; requires = [ "network-online.target" ]; after = [ "network-online.target" ]; diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix index 4e3bc839d400..656a2d21b868 100644 --- a/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixos/modules/services/network-filesystems/ceph.nix @@ -3,22 +3,22 @@ with lib; let - ceph = pkgs.ceph; cfg = config.services.ceph; + # function that translates "camelCaseOptions" to "camel case options", credits to tilpner in #nixos@freenode - translateOption = replaceStrings upperChars (map (s: " ${s}") lowerChars); - generateDaemonList = (daemonType: daemons: extraServiceConfig: - mkMerge ( - map (daemon: - { "ceph-${daemonType}-${daemon}" = generateServiceFile daemonType daemon cfg.global.clusterName ceph extraServiceConfig; } - ) daemons - ) - ); - generateServiceFile = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: { + expandCamelCase = replaceStrings upperChars (map (s: " ${s}") lowerChars); + expandCamelCaseAttrs = mapAttrs' (name: value: nameValuePair (expandCamelCase name) value); + + makeServices = (daemonType: daemonIds: extraServiceConfig: + mkMerge (map (daemonId: + { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph extraServiceConfig; }) + daemonIds)); + + makeService = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: { enable = true; description = "Ceph ${builtins.replaceStrings lowerChars upperChars daemonType} daemon ${daemonId}"; - after = [ "network-online.target" "local-fs.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target"; - wants = [ "network-online.target" "local-fs.target" "time-sync.target" ]; + after = [ "network-online.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target"; + wants = [ "network-online.target" "time-sync.target" ]; partOf = [ "ceph-${daemonType}.target" ]; wantedBy = [ "ceph-${daemonType}.target" ]; @@ -34,28 +34,34 @@ let Restart = "on-failure"; StartLimitBurst = "5"; StartLimitInterval = "30min"; - ExecStart = "${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} -f --cluster ${clusterName} --id ${if daemonType == "rgw" then "client.${daemonId}" else daemonId} --setuser ceph --setgroup ceph"; + ExecStart = ''${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} \ + -f --cluster ${clusterName} --id ${daemonId} --setuser ceph \ + --setgroup ${if daemonType == "osd" then "disk" else "ceph"}''; } // extraServiceConfig - // optionalAttrs (daemonType == "osd") { ExecStartPre = "${ceph.out}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}"; }; - } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { preStart = '' + // optionalAttrs (daemonType == "osd") { ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh \ + --id ${daemonId} --cluster ${clusterName}''; }; + } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { + preStart = '' daemonPath="/var/lib/ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}" - if [ ! -d ''$daemonPath ]; then - mkdir -m 755 -p ''$daemonPath - chown -R ceph:ceph ''$daemonPath + if [ ! -d $daemonPath ]; then + mkdir -m 755 -p $daemonPath + chown -R ceph:ceph $daemonPath fi ''; } // optionalAttrs (daemonType == "osd") { path = [ pkgs.getopt ]; } ); - generateTargetFile = (daemonType: + + makeTarget = (daemonType: { "ceph-${daemonType}" = { description = "Ceph target allowing to start/stop all ceph-${daemonType} services at once"; partOf = [ "ceph.target" ]; + wantedBy = [ "ceph.target" ]; before = [ "ceph.target" ]; }; } ); -in +in { options.services.ceph = { # Ceph has a monolithic configuration file but different sections for @@ -82,11 +88,19 @@ in ''; }; + mgrModulePath = mkOption { + type = types.path; + default = "${pkgs.ceph.lib}/lib/ceph/mgr"; + description = '' + Path at which to find ceph-mgr modules. + ''; + }; + monInitialMembers = mkOption { type = with types; nullOr commas; default = null; example = '' - node0, node1, node2 + node0, node1, node2 ''; description = '' List of hosts that will be used as monitors at startup. @@ -157,6 +171,27 @@ in A comma-separated list of subnets that will be used as cluster networks in the cluster. ''; }; + + rgwMimeTypesFile = mkOption { + type = with types; nullOr path; + default = "${pkgs.mime-types}/etc/mime.types"; + description = '' + Path to mime types used by radosgw. + ''; + }; + }; + + extraConfig = mkOption { + type = with types; attrsOf str; + default = {}; + example = '' + { + "ms bind ipv6" = "true"; + }; + ''; + description = '' + Extra configuration to add to the global section. Use for setting values that are common for all daemons in the cluster. + ''; }; mgr = { @@ -216,6 +251,7 @@ in to the id part in ceph i.e. [ "name1" ] would result in osd.name1 ''; }; + extraConfig = mkOption { type = with types; attrsOf str; default = { @@ -296,9 +332,6 @@ in { assertion = cfg.global.fsid != ""; message = "fsid has to be set to a valid uuid for the cluster to function"; } - { assertion = cfg.mgr.enable == true; - message = "ceph 12.x requires atleast 1 MGR daemon enabled for the cluster to function"; - } { assertion = cfg.mon.enable == true -> cfg.mon.daemons != []; message = "have to set id of atleast one MON if you're going to enable Monitor"; } @@ -313,21 +346,19 @@ in } ]; - warnings = optional (cfg.global.monInitialMembers == null) + warnings = optional (cfg.global.monInitialMembers == null) ''Not setting up a list of members in monInitialMembers requires that you set the host variable for each mon daemon or else the cluster won't function''; - + environment.etc."ceph/ceph.conf".text = let - # Translate camelCaseOptions to the expected camel case option for ceph.conf - translatedGlobalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) cfg.global; # Merge the extraConfig set for mgr daemons, as mgr don't have their own section - globalAndMgrConfig = translatedGlobalConfig // optionalAttrs cfg.mgr.enable cfg.mgr.extraConfig; + globalSection = expandCamelCaseAttrs (cfg.global // cfg.extraConfig // optionalAttrs cfg.mgr.enable cfg.mgr.extraConfig); # Remove all name-value pairs with null values from the attribute set to avoid making empty sections in the ceph.conf - globalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) (filterAttrs (name: value: value != null) globalAndMgrConfig); + globalSection' = filterAttrs (name: value: value != null) globalSection; totalConfig = { - "global" = globalConfig; - } // optionalAttrs (cfg.mon.enable && cfg.mon.extraConfig != {}) { "mon" = cfg.mon.extraConfig; } - // optionalAttrs (cfg.mds.enable && cfg.mds.extraConfig != {}) { "mds" = cfg.mds.extraConfig; } - // optionalAttrs (cfg.osd.enable && cfg.osd.extraConfig != {}) { "osd" = cfg.osd.extraConfig; } + global = globalSection'; + } // optionalAttrs (cfg.mon.enable && cfg.mon.extraConfig != {}) { mon = cfg.mon.extraConfig; } + // optionalAttrs (cfg.mds.enable && cfg.mds.extraConfig != {}) { mds = cfg.mds.extraConfig; } + // optionalAttrs (cfg.osd.enable && cfg.osd.extraConfig != {}) { osd = cfg.osd.extraConfig; } // optionalAttrs (cfg.client.enable && cfg.client.extraConfig != {}) cfg.client.extraConfig; in generators.toINI {} totalConfig; @@ -336,31 +367,36 @@ in name = "ceph"; uid = config.ids.uids.ceph; description = "Ceph daemon user"; + group = "ceph"; + extraGroups = [ "disk" ]; }; - users.groups = singleton { name = "ceph"; gid = config.ids.gids.ceph; }; systemd.services = let - services = [] - ++ optional cfg.mon.enable (generateDaemonList "mon" cfg.mon.daemons { RestartSec = "10"; }) - ++ optional cfg.mds.enable (generateDaemonList "mds" cfg.mds.daemons { StartLimitBurst = "3"; }) - ++ optional cfg.osd.enable (generateDaemonList "osd" cfg.osd.daemons { StartLimitBurst = "30"; RestartSec = "20s"; }) - ++ optional cfg.rgw.enable (generateDaemonList "rgw" cfg.rgw.daemons { }) - ++ optional cfg.mgr.enable (generateDaemonList "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; }); - in + services = [] + ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons { RestartSec = "10"; }) + ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons { StartLimitBurst = "3"; }) + ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons { StartLimitBurst = "30"; + RestartSec = "20s"; + PrivateDevices = "no"; # osd needs disk access + }) + ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons { }) + ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; }); + in mkMerge services; systemd.targets = let targets = [ - { "ceph" = { description = "Ceph target allowing to start/stop all ceph service instances at once"; }; } - ] ++ optional cfg.mon.enable (generateTargetFile "mon") - ++ optional cfg.mds.enable (generateTargetFile "mds") - ++ optional cfg.osd.enable (generateTargetFile "osd") - ++ optional cfg.rgw.enable (generateTargetFile "rgw") - ++ optional cfg.mgr.enable (generateTargetFile "mgr"); + { ceph = { description = "Ceph target allowing to start/stop all ceph service instances at once"; + wantedBy = [ "multi-user.target" ]; }; } + ] ++ optional cfg.mon.enable (makeTarget "mon") + ++ optional cfg.mds.enable (makeTarget "mds") + ++ optional cfg.osd.enable (makeTarget "osd") + ++ optional cfg.rgw.enable (makeTarget "rgw") + ++ optional cfg.mgr.enable (makeTarget "mgr"); in mkMerge targets; diff --git a/nixos/modules/services/network-filesystems/davfs2.nix b/nixos/modules/services/network-filesystems/davfs2.nix index c16e12378d75..100d458d536c 100644 --- a/nixos/modules/services/network-filesystems/davfs2.nix +++ b/nixos/modules/services/network-filesystems/davfs2.nix @@ -21,7 +21,7 @@ in }; davUser = mkOption { - type = types.string; + type = types.str; default = "davfs2"; description = '' When invoked by root the mount.davfs daemon will run as this user. @@ -30,7 +30,7 @@ in }; davGroup = mkOption { - type = types.string; + type = types.str; default = "davfs2"; description = '' The group of the running mount.davfs daemon. Ordinary users must be diff --git a/nixos/modules/services/network-filesystems/drbd.nix b/nixos/modules/services/network-filesystems/drbd.nix index 57b1fbb597c7..4ab74ed8e1c0 100644 --- a/nixos/modules/services/network-filesystems/drbd.nix +++ b/nixos/modules/services/network-filesystems/drbd.nix @@ -23,7 +23,7 @@ let cfg = config.services.drbd; in services.drbd.config = mkOption { default = ""; - type = types.string; + type = types.lines; description = '' Contents of the <filename>drbd.conf</filename> configuration file. ''; diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix index 00875c6c4a18..d70092999f67 100644 --- a/nixos/modules/services/network-filesystems/glusterfs.nix +++ b/nixos/modules/services/network-filesystems/glusterfs.nix @@ -156,7 +156,7 @@ in wantedBy = [ "multi-user.target" ]; requires = lib.optional cfg.useRpcbind "rpcbind.service"; - after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind "rpcbind.service"; + after = [ "network.target" ] ++ lib.optional cfg.useRpcbind "rpcbind.service"; preStart = '' install -m 0755 -d /var/log/glusterfs diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index bbbfcf6a4738..b6d881afd7bd 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -236,7 +236,6 @@ in { systemd.services.ipfs-init = recursiveUpdate commonEnv { description = "IPFS Initializer"; - after = [ "local-fs.target" ]; before = [ "ipfs.service" "ipfs-offline.service" "ipfs-norouting.service" ]; script = '' @@ -263,21 +262,21 @@ in { systemd.services.ipfs = recursiveUpdate baseService { description = "IPFS Daemon"; wantedBy = mkIf (cfg.defaultMode == "online") [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" "ipfs-init.service" ]; + after = [ "network.target" "ipfs-init.service" ]; conflicts = [ "ipfs-offline.service" "ipfs-norouting.service"]; }; systemd.services.ipfs-offline = recursiveUpdate baseService { description = "IPFS Daemon (offline mode)"; wantedBy = mkIf (cfg.defaultMode == "offline") [ "multi-user.target" ]; - after = [ "local-fs.target" "ipfs-init.service" ]; + after = [ "ipfs-init.service" ]; conflicts = [ "ipfs.service" "ipfs-norouting.service"]; }; systemd.services.ipfs-norouting = recursiveUpdate baseService { description = "IPFS Daemon (no routing mode)"; wantedBy = mkIf (cfg.defaultMode == "norouting") [ "multi-user.target" ]; - after = [ "local-fs.target" "ipfs-init.service" ]; + after = [ "ipfs-init.service" ]; conflicts = [ "ipfs.service" "ipfs-offline.service"]; }; diff --git a/nixos/modules/services/network-filesystems/openafs/lib.nix b/nixos/modules/services/network-filesystems/openafs/lib.nix index 1cc9bed847ab..e068ee761c2a 100644 --- a/nixos/modules/services/network-filesystems/openafs/lib.nix +++ b/nixos/modules/services/network-filesystems/openafs/lib.nix @@ -3,7 +3,7 @@ let inherit (lib) concatStringsSep mkOption types; -in rec { +in { mkCellServDB = cellName: db: '' >${cellName} diff --git a/nixos/modules/services/network-filesystems/rsyncd.nix b/nixos/modules/services/network-filesystems/rsyncd.nix index 054057d52ab1..b17ec3aa9300 100644 --- a/nixos/modules/services/network-filesystems/rsyncd.nix +++ b/nixos/modules/services/network-filesystems/rsyncd.nix @@ -35,7 +35,7 @@ in }; motd = mkOption { - type = types.string; + type = types.str; default = ""; description = '' Message of the day to display to clients on each connect. diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 69368441c62c..055508a32244 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -234,10 +234,10 @@ in # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd # for correct use with systemd services = { - "samba-smbd" = daemonService "smbd" ""; - "samba-nmbd" = mkIf cfg.enableNmbd (daemonService "nmbd" ""); - "samba-winbindd" = mkIf cfg.enableWinbindd (daemonService "winbindd" ""); - "samba-setup" = { + samba-smbd = daemonService "smbd" ""; + samba-nmbd = mkIf cfg.enableNmbd (daemonService "nmbd" ""); + samba-winbindd = mkIf cfg.enableWinbindd (daemonService "winbindd" ""); + samba-setup = { description = "Samba Setup Task"; script = setupScript; unitConfig.RequiresMountsFor = "/var/lib/samba"; diff --git a/nixos/modules/services/network-filesystems/yandex-disk.nix b/nixos/modules/services/network-filesystems/yandex-disk.nix index e93f45b49867..0aa01ef9e6d9 100644 --- a/nixos/modules/services/network-filesystems/yandex-disk.nix +++ b/nixos/modules/services/network-filesystems/yandex-disk.nix @@ -29,7 +29,7 @@ in username = mkOption { default = ""; - type = types.string; + type = types.str; description = '' Your yandex.com login name. ''; @@ -37,7 +37,7 @@ in password = mkOption { default = ""; - type = types.string; + type = types.str; description = '' Your yandex.com password. Warning: it will be world-readable in /nix/store. ''; @@ -57,7 +57,7 @@ in excludes = mkOption { default = ""; - type = types.string; + type = types.commas; example = "data,backup"; description = '' Comma-separated list of directories which are excluded from synchronization. diff --git a/nixos/modules/services/networking/aria2.nix b/nixos/modules/services/networking/aria2.nix index 53829bf18863..156fef144791 100644 --- a/nixos/modules/services/networking/aria2.nix +++ b/nixos/modules/services/networking/aria2.nix @@ -47,8 +47,8 @@ in ''; }; downloadDir = mkOption { - type = types.string; - default = "${downloadDir}"; + type = types.path; + default = downloadDir; description = '' Directory to store downloaded files. ''; @@ -66,7 +66,7 @@ in description = "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535"; }; rpcSecret = mkOption { - type = types.string; + type = types.str; default = "aria2rpc"; description = '' Set RPC secret authorization token. @@ -74,7 +74,7 @@ in ''; }; extraArguments = mkOption { - type = types.string; + type = types.separatedString " "; example = "--rpc-listen-all --remote-time=true"; default = ""; description = '' @@ -109,7 +109,7 @@ in systemd.services.aria2 = { description = "aria2 Service"; - after = [ "local-fs.target" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' if [[ ! -e "${sessionFile}" ]] diff --git a/nixos/modules/services/networking/autossh.nix b/nixos/modules/services/networking/autossh.nix index a098a155e991..a8d9a027e9fa 100644 --- a/nixos/modules/services/networking/autossh.nix +++ b/nixos/modules/services/networking/autossh.nix @@ -20,12 +20,12 @@ in type = types.listOf (types.submodule { options = { name = mkOption { - type = types.string; + type = types.str; example = "socks-peer"; description = "Name of the local AutoSSH session"; }; user = mkOption { - type = types.string; + type = types.str; example = "bill"; description = "Name of the user the AutoSSH session should run as"; }; @@ -40,7 +40,7 @@ in ''; }; extraArguments = mkOption { - type = types.string; + type = types.separatedString " "; example = "-N -D4343 bill@socks.example.net"; description = '' Arguments to be passed to AutoSSH and retransmitted to SSH diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix index 3dfd80f6ff52..de863461eab2 100644 --- a/nixos/modules/services/networking/babeld.nix +++ b/nixos/modules/services/networking/babeld.nix @@ -52,7 +52,7 @@ in example = { type = "tunnel"; - "split-horizon" = true; + split-horizon = true; }; }; @@ -66,8 +66,8 @@ in example = { enp0s2 = { type = "wired"; - "hello-interval" = 5; - "split-horizon" = "auto"; + hello-interval = 5; + split-horizon = "auto"; }; }; }; diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix index d3501636b41d..1439d739da9d 100644 --- a/nixos/modules/services/networking/bitcoind.nix +++ b/nixos/modules/services/networking/bitcoind.nix @@ -59,8 +59,8 @@ in { package = mkOption { type = types.package; - default = pkgs.altcoins.bitcoind; - defaultText = "pkgs.altcoins.bitcoind"; + default = pkgs.bitcoind; + defaultText = "pkgs.bitcoind"; description = "The package providing bitcoin binaries."; }; configFile = mkOption { diff --git a/nixos/modules/services/networking/charybdis.nix b/nixos/modules/services/networking/charybdis.nix index e3aba063f87b..da26246e703e 100644 --- a/nixos/modules/services/networking/charybdis.nix +++ b/nixos/modules/services/networking/charybdis.nix @@ -21,14 +21,14 @@ in enable = mkEnableOption "Charybdis IRC daemon"; config = mkOption { - type = types.string; + type = types.str; description = '' Charybdis IRC daemon configuration file. ''; }; statedir = mkOption { - type = types.string; + type = types.path; default = "/var/lib/charybdis"; description = '' Location of the state directory of charybdis. @@ -36,7 +36,7 @@ in }; user = mkOption { - type = types.string; + type = types.str; default = "ircd"; description = '' Charybdis IRC daemon user. @@ -44,7 +44,7 @@ in }; group = mkOption { - type = types.string; + type = types.str; default = "ircd"; description = '' Charybdis IRC daemon group. @@ -101,7 +101,7 @@ in }; } - + (mkIf (cfg.motd != null) { environment.etc."charybdis/ircd.motd".text = cfg.motd; }) diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index c3ca6fbe725e..31127f790499 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -45,7 +45,7 @@ in { }; networkInterfaceBlacklist = mkOption { - type = with types; listOf string; + type = with types; listOf str; default = [ "vmnet" "vboxnet" "virbr" "ifb" "ve" ]; description = '' Default blacklisted interfaces, this includes NixOS containers interfaces (ve). @@ -53,7 +53,7 @@ in { }; extraFlags = mkOption { - type = with types; listOf string; + type = with types; listOf str; default = [ ]; example = [ "--nodnsproxy" ]; description = '' @@ -82,7 +82,7 @@ in { environment.systemPackages = [ connman ]; - systemd.services."connman" = { + systemd.services.connman = { description = "Connection service"; wantedBy = [ "multi-user.target" ]; after = [ "syslog.target" ]; @@ -95,7 +95,7 @@ in { }; }; - systemd.services."connman-vpn" = mkIf cfg.enableVPN { + systemd.services.connman-vpn = mkIf cfg.enableVPN { description = "ConnMan VPN service"; wantedBy = [ "multi-user.target" ]; after = [ "syslog.target" ]; @@ -108,7 +108,7 @@ in { }; }; - systemd.services."net-connman-vpn" = mkIf cfg.enableVPN { + systemd.services.net-connman-vpn = mkIf cfg.enableVPN { description = "D-BUS Service"; serviceConfig = { Name = "net.connman.vpn"; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index f080f12eaccd..689cbc8a986d 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -156,7 +156,7 @@ in config = mkIf cfg.enable ( mkMerge [{ - users.users."consul" = { + users.users.consul = { description = "Consul agent daemon user"; uid = config.ids.uids.consul; # The shell is needed for health checks diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 4ea891262e56..5b3aa19af3bb 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -58,7 +58,7 @@ let ${text} ''; in "${dir}/bin/${name}"; - defaultInterface = { default = mapAttrs (name: value: cfg."${name}") commonOptions; }; + defaultInterface = { default = mapAttrs (name: value: cfg.${name}) commonOptions; }; allInterfaces = defaultInterface // cfg.interfaces; startScript = writeShScript "firewall-start" '' diff --git a/nixos/modules/services/networking/git-daemon.nix b/nixos/modules/services/networking/git-daemon.nix index c0020349ec74..a638a3083fba 100644 --- a/nixos/modules/services/networking/git-daemon.nix +++ b/nixos/modules/services/networking/git-daemon.nix @@ -115,7 +115,7 @@ in gid = config.ids.gids.git; }; - systemd.services."git-daemon" = { + systemd.services.git-daemon = { after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; script = "${pkgs.git}/bin/git daemon --reuseaddr " diff --git a/nixos/modules/services/networking/gogoclient.nix b/nixos/modules/services/networking/gogoclient.nix index 9d16f0efb435..c9b03bca7112 100644 --- a/nixos/modules/services/networking/gogoclient.nix +++ b/nixos/modules/services/networking/gogoclient.nix @@ -34,7 +34,7 @@ in password = mkOption { default = ""; - type = types.string; + type = types.str; description = '' Path to a file (as a string), containing your gogoNET password, if any. ''; diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index 54a5bed2563f..2915b54f05b4 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -81,7 +81,7 @@ in driver = mkOption { default = "nl80211"; example = "hostapd"; - type = types.string; + type = types.str; description = '' Which driver <command>hostapd</command> will use. Most applications will probably use the default. @@ -91,7 +91,7 @@ in ssid = mkOption { default = "nixos"; example = "mySpecialSSID"; - type = types.string; + type = types.str; description = "SSID to be used in IEEE 802.11 management frames."; }; @@ -119,7 +119,7 @@ in group = mkOption { default = "wheel"; example = "network"; - type = types.string; + type = types.str; description = '' Members of this group can control <command>hostapd</command>. ''; @@ -135,7 +135,7 @@ in wpaPassphrase = mkOption { default = "my_sekret"; example = "any_64_char_string"; - type = types.string; + type = types.str; description = '' WPA-PSK (pre-shared-key) passphrase. Clients will need this passphrase to associate with this access point. diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index 0c6602e7f8ab..b9b9b9dca4f0 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -68,7 +68,7 @@ let inherit (cfg) spoolAreaPath; }; - sockets."hylafax-hfaxd" = { + sockets.hylafax-hfaxd = { description = "HylaFAX server socket"; documentation = [ "man:hfaxd(8)" ]; wantedBy = [ "multi-user.target" ]; @@ -77,7 +77,7 @@ let socketConfig.Accept = true; }; - paths."hylafax-faxq" = { + paths.hylafax-faxq = { description = "HylaFAX queue manager sendq watch"; documentation = [ "man:faxq(8)" "man:sendq(5)" ]; wantedBy = [ "multi-user.target" ]; @@ -87,11 +87,11 @@ let timers = mkMerge [ ( mkIf (cfg.faxcron.enable.frequency!=null) - { "hylafax-faxcron".timerConfig.Persistent = true; } + { hylafax-faxcron.timerConfig.Persistent = true; } ) ( mkIf (cfg.faxqclean.enable.frequency!=null) - { "hylafax-faxqclean".timerConfig.Persistent = true; } + { hylafax-faxqclean.timerConfig.Persistent = true; } ) ]; @@ -121,7 +121,7 @@ let in service: service // { serviceConfig = apply service; }; - services."hylafax-spool" = { + services.hylafax-spool = { description = "HylaFAX spool area preparation"; documentation = [ "man:hylafax-server(4)" ]; script = '' @@ -140,7 +140,7 @@ let unitConfig.RequiresMountsFor = [ cfg.spoolAreaPath ]; }; - services."hylafax-faxq" = { + services.hylafax-faxq = { description = "HylaFAX queue manager"; documentation = [ "man:faxq(8)" ]; requires = [ "hylafax-spool.service" ]; @@ -178,7 +178,7 @@ let serviceConfig.PrivateNetwork = null; }; - services."hylafax-faxcron" = rec { + services.hylafax-faxcron = rec { description = "HylaFAX spool area maintenance"; documentation = [ "man:faxcron(8)" ]; after = [ "hylafax-spool.service" ]; @@ -194,7 +194,7 @@ let ]; }; - services."hylafax-faxqclean" = rec { + services.hylafax-faxqclean = rec { description = "HylaFAX spool area queue cleaner"; documentation = [ "man:faxqclean(8)" ]; after = [ "hylafax-spool.service" ]; diff --git a/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixos/modules/services/networking/ircd-hybrid/default.nix index 2bd898edf897..f5abe61a1baf 100644 --- a/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -121,7 +121,7 @@ in users.groups.ircd.gid = config.ids.gids.ircd; - systemd.services."ircd-hybrid" = { + systemd.services.ircd-hybrid = { description = "IRCD Hybrid server"; after = [ "started networking" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix index 18ed20e28886..839fa48d9a42 100644 --- a/nixos/modules/services/networking/iwd.nix +++ b/nixos/modules/services/networking/iwd.nix @@ -26,6 +26,7 @@ in { systemd.tmpfiles.rules = [ "d /var/lib/iwd 0700 root root -" + "d /var/lib/ead 0700 root root -" ]; }; diff --git a/nixos/modules/services/networking/jormungandr.nix b/nixos/modules/services/networking/jormungandr.nix index 0c66b85fe8a5..85e804d6cf25 100644 --- a/nixos/modules/services/networking/jormungandr.nix +++ b/nixos/modules/services/networking/jormungandr.nix @@ -54,7 +54,7 @@ in { }; genesisBlockHash = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "d70495af81ae8600aca3e642b2427327cb6001ec4d7a0037e96a00dabed163f9"; description = '' @@ -82,6 +82,9 @@ in { description = "jormungandr server"; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; + environment = { + RUST_BACKTRACE = "full"; + }; serviceConfig = { DynamicUser = true; StateDirectory = baseNameOf dataDir; diff --git a/nixos/modules/services/networking/kippo.nix b/nixos/modules/services/networking/kippo.nix index 40c38254a57c..bdea6a1d1caa 100644 --- a/nixos/modules/services/networking/kippo.nix +++ b/nixos/modules/services/networking/kippo.nix @@ -11,7 +11,7 @@ with lib; let cfg = config.services.kippo; in -rec { +{ options = { services.kippo = { enable = mkOption { @@ -26,22 +26,22 @@ rec { }; hostname = mkOption { default = "nas3"; - type = types.string; + type = types.str; description = ''Hostname for kippo to present to SSH login''; }; varPath = mkOption { default = "/var/lib/kippo"; - type = types.string; + type = types.path; description = ''Path of read/write files needed for operation and configuration.''; }; logPath = mkOption { default = "/var/log/kippo"; - type = types.string; + type = types.path; description = ''Path of log files needed for operation and configuration.''; }; pidPath = mkOption { default = "/run/kippo"; - type = types.string; + type = types.path; description = ''Path of pid files needed for operation.''; }; extraConfig = mkOption { @@ -109,8 +109,8 @@ rec { serviceConfig.ExecStart = "${pkgs.kippo.twisted}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n"; serviceConfig.PermissionsStartOnly = true; - serviceConfig.User = "kippo"; - serviceConfig.Group = "kippo"; + serviceConfig.User = "kippo"; + serviceConfig.Group = "kippo"; }; }; } diff --git a/nixos/modules/services/networking/logmein-hamachi.nix b/nixos/modules/services/networking/logmein-hamachi.nix index 406626a8a343..11cbdda2f845 100644 --- a/nixos/modules/services/networking/logmein-hamachi.nix +++ b/nixos/modules/services/networking/logmein-hamachi.nix @@ -35,7 +35,7 @@ in description = "LogMeIn Hamachi Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" ]; + after = [ "network.target" ]; serviceConfig = { Type = "forking"; diff --git a/nixos/modules/services/networking/minidlna.nix b/nixos/modules/services/networking/minidlna.nix index ed0c1044a570..0947471adbc9 100644 --- a/nixos/modules/services/networking/minidlna.nix +++ b/nixos/modules/services/networking/minidlna.nix @@ -96,7 +96,7 @@ in { description = "MiniDLNA Server"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" ]; + after = [ "network.target" ]; serviceConfig = { User = "minidlna"; diff --git a/nixos/modules/services/networking/morty.nix b/nixos/modules/services/networking/morty.nix index cc81e27e9399..1b3084fe9abb 100644 --- a/nixos/modules/services/networking/morty.nix +++ b/nixos/modules/services/networking/morty.nix @@ -27,7 +27,7 @@ in }; key = mkOption { - type = types.string; + type = types.str; default = ""; description = "HMAC url validation key (hexadecimal encoded). Leave blank to disable. Without validation key, anyone can @@ -56,7 +56,7 @@ in }; listenAddress = mkOption { - type = types.string; + type = types.str; default = "127.0.0.1"; description = "The address on which the service listens"; defaultText = "127.0.0.1 (localhost)"; diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 1d49c137723c..d2feb93e2b72 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -49,7 +49,7 @@ in host = mkOption { default = "127.0.0.1"; example = "0.0.0.0"; - type = types.string; + type = types.str; description = '' Host to listen on without SSL. ''; @@ -88,7 +88,7 @@ in host = mkOption { default = "0.0.0.0"; example = "localhost"; - type = types.string; + type = types.str; description = '' Host to listen on with SSL. ''; @@ -135,7 +135,7 @@ in }; acl = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; example = [ "topic read A/B" "topic A/#" ]; description = '' Control client access to topics on the broker. diff --git a/nixos/modules/services/networking/mtprotoproxy.nix b/nixos/modules/services/networking/mtprotoproxy.nix index 24bf33815da8..d896f227b82c 100644 --- a/nixos/modules/services/networking/mtprotoproxy.nix +++ b/nixos/modules/services/networking/mtprotoproxy.nix @@ -50,8 +50,8 @@ in users = mkOption { type = types.attrsOf types.str; example = { - "tg" = "00000000000000000000000000000000"; - "tg2" = "0123456789abcdef0123456789abcdef"; + tg = "00000000000000000000000000000000"; + tg2 = "0123456789abcdef0123456789abcdef"; }; description = '' Allowed users and their secrets. A secret is a 32 characters long hex string. @@ -80,7 +80,7 @@ in type = types.attrs; default = {}; example = { - "STATS_PRINT_PERIOD" = 600; + STATS_PRINT_PERIOD = 600; }; description = '' Extra configuration options for mtprotoproxy. diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 7ac4d0c6419d..082953d2f6ab 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -234,7 +234,7 @@ in extraConfig = mkOption { type = types.lines; default = ""; - description = "Extra configuration to put into mumur.ini."; + description = "Extra configuration to put into murmur.ini."; }; }; }; diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix index a569ca87e262..c8ee0a2f5647 100644 --- a/nixos/modules/services/networking/namecoind.nix +++ b/nixos/modules/services/networking/namecoind.nix @@ -175,7 +175,7 @@ in serviceConfig = { User = "namecoin"; Group = "namecoin"; - ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole"; + ExecStart = "${pkgs.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole"; ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Nice = "10"; diff --git a/nixos/modules/services/networking/ndppd.nix b/nixos/modules/services/networking/ndppd.nix index ba17f1ba825a..92088623517f 100644 --- a/nixos/modules/services/networking/ndppd.nix +++ b/nixos/modules/services/networking/ndppd.nix @@ -142,7 +142,7 @@ in { messages, and respond to them according to a set of rules. ''; default = {}; - example = { "eth0".rules."1111::/64" = {}; }; + example = { eth0.rules."1111::/64" = {}; }; }; }; @@ -153,7 +153,7 @@ in { '' ]; services.ndppd.proxies = mkIf (cfg.interface != null && cfg.network != null) { - "${cfg.interface}".rules."${cfg.network}" = {}; + ${cfg.interface}.rules.${cfg.network} = {}; }; systemd.services.ndppd = { diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 551636a33d25..2061c02fffbd 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -81,9 +81,9 @@ let ''; dispatcherTypesSubdirMap = { - "basic" = ""; - "pre-up" = "pre-up.d/"; - "pre-down" = "pre-down.d/"; + basic = ""; + pre-up = "pre-up.d/"; + pre-down = "pre-down.d/"; }; macAddressOpt = mkOption { @@ -156,7 +156,7 @@ in { }; unmanaged = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; description = '' List of interfaces that will not be managed by NetworkManager. @@ -453,7 +453,7 @@ in { systemd.packages = cfg.packages; - systemd.services."NetworkManager" = { + systemd.services.NetworkManager = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; @@ -483,7 +483,7 @@ in { }; }; - systemd.services."NetworkManager-dispatcher" = { + systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index ca458d089dcc..347d87b3f385 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -19,7 +19,7 @@ in }; bindAddress = mkOption { - type = types.string; + type = types.str; default = "0.0.0.0"; description = '' IP address where nix-serve will bind its listening socket. @@ -44,7 +44,7 @@ in }; extraParams = mkOption { - type = types.string; + type = types.separatedString " "; default = ""; description = '' Extra command line parameters for nix-serve. diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index c69b77f9deec..bc0966e6b8e6 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -954,7 +954,7 @@ in ''; }; - systemd.timers."nsd-dnssec" = mkIf dnssec { + systemd.timers.nsd-dnssec = mkIf dnssec { description = "Automatic DNSSEC key rollover"; wantedBy = [ "nsd.service" ]; @@ -965,7 +965,7 @@ in }; }; - systemd.services."nsd-dnssec" = mkIf dnssec { + systemd.services.nsd-dnssec = mkIf dnssec { description = "DNSSEC key rollover"; wantedBy = [ "nsd.service" ]; diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix index b061ce34ed2c..7c171281a926 100644 --- a/nixos/modules/services/networking/nylon.nix +++ b/nixos/modules/services/networking/nylon.nix @@ -65,7 +65,7 @@ let }; acceptInterface = mkOption { - type = types.string; + type = types.str; default = "lo"; description = '' Tell nylon which interface to listen for client requests on, default is "lo". @@ -73,7 +73,7 @@ let }; bindInterface = mkOption { - type = types.string; + type = types.str; default = "enp3s0f0"; description = '' Tell nylon which interface to use as an uplink, default is "enp3s0f0". @@ -89,7 +89,7 @@ let }; allowedIPRanges = mkOption { - type = with types; listOf string; + type = with types; listOf str; default = [ "192.168.0.0/16" "127.0.0.1/8" "172.16.0.1/12" "10.0.0.0/8" ]; description = '' Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges: @@ -98,7 +98,7 @@ let }; deniedIPRanges = mkOption { - type = with types; listOf string; + type = with types; listOf str; default = [ "0.0.0.0/0" ]; description = '' Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses: diff --git a/nixos/modules/services/networking/openntpd.nix b/nixos/modules/services/networking/openntpd.nix index 57638ebc9c01..f3920aa80646 100644 --- a/nixos/modules/services/networking/openntpd.nix +++ b/nixos/modules/services/networking/openntpd.nix @@ -40,7 +40,7 @@ in }; extraOptions = mkOption { - type = with types; string; + type = with types; separatedString " "; default = ""; example = "-s"; description = '' diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix index f47122ee70bf..05be97e66a3d 100644 --- a/nixos/modules/services/networking/openvpn.nix +++ b/nixos/modules/services/networking/openvpn.nix @@ -182,12 +182,12 @@ in options = { username = mkOption { description = "The username to store inside the credentials file."; - type = types.string; + type = types.str; }; password = mkOption { description = "The password to store inside the credentials file."; - type = types.string; + type = types.str; }; }; }); diff --git a/nixos/modules/services/networking/ostinato.nix b/nixos/modules/services/networking/ostinato.nix index 13f784dc53c1..5e8cce5b89aa 100644 --- a/nixos/modules/services/networking/ostinato.nix +++ b/nixos/modules/services/networking/ostinato.nix @@ -50,7 +50,7 @@ in rpcServer = { address = mkOption { - type = types.string; + type = types.str; default = "0.0.0.0"; description = '' By default, the Drone RPC server will listen on all interfaces and @@ -63,7 +63,7 @@ in portList = { include = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; example = ''[ "eth*" "lo*" ]''; description = '' diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index ec69cc838da9..ebfdd9f35b72 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -168,7 +168,7 @@ in { disable-syslog = true; }; - users.users."${username}" = { + users.users.${username} = { home = dataDir; createHome = true; uid = config.ids.uids.pdns-recursor; diff --git a/nixos/modules/services/networking/polipo.nix b/nixos/modules/services/networking/polipo.nix index 529115a1c6e1..dbe3b7380970 100644 --- a/nixos/modules/services/networking/polipo.nix +++ b/nixos/modules/services/networking/polipo.nix @@ -30,7 +30,7 @@ in }; proxyAddress = mkOption { - type = types.string; + type = types.str; default = "127.0.0.1"; description = "IP address on which Polipo will listen."; }; @@ -51,7 +51,7 @@ in }; parentProxy = mkOption { - type = types.string; + type = types.str; default = ""; example = "localhost:8124"; description = '' @@ -61,7 +61,7 @@ in }; socksParentProxy = mkOption { - type = types.string; + type = types.str; default = ""; example = "localhost:9050"; description = '' @@ -74,7 +74,7 @@ in type = types.lines; default = ""; description = '' - Polio configuration. Contents will be added + Polio configuration. Contents will be added verbatim to the configuration file. ''; }; @@ -111,4 +111,4 @@ in }; -} \ No newline at end of file +} diff --git a/nixos/modules/services/networking/pptpd.nix b/nixos/modules/services/networking/pptpd.nix index d8b9e8f8341a..3e7753b9dd35 100644 --- a/nixos/modules/services/networking/pptpd.nix +++ b/nixos/modules/services/networking/pptpd.nix @@ -8,13 +8,13 @@ with lib; enable = mkEnableOption "pptpd, the Point-to-Point Tunneling Protocol daemon"; serverIp = mkOption { - type = types.string; + type = types.str; description = "The server-side IP address."; default = "10.124.124.1"; }; clientIpRange = mkOption { - type = types.string; + type = types.str; description = "The range from which client IPs are drawn."; default = "10.124.124.2-11"; }; diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 40bd9015b1eb..1ae063aa6bb5 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -297,7 +297,7 @@ in }; dataDir = mkOption { - type = types.string; + type = types.path; description = "Directory where Prosody stores its data"; default = "/var/lib/prosody"; }; diff --git a/nixos/modules/services/networking/quicktun.nix b/nixos/modules/services/networking/quicktun.nix index 5bcf923f909c..fb783c836464 100644 --- a/nixos/modules/services/networking/quicktun.nix +++ b/nixos/modules/services/networking/quicktun.nix @@ -93,18 +93,18 @@ with lib; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; environment = { - "INTERFACE" = name; - "TUN_MODE" = toString qtcfg.tunMode; - "REMOTE_ADDRESS" = qtcfg.remoteAddress; - "LOCAL_ADDRESS" = qtcfg.localAddress; - "LOCAL_PORT" = toString qtcfg.localPort; - "REMOTE_PORT" = toString qtcfg.remotePort; - "REMOTE_FLOAT" = toString qtcfg.remoteFloat; - "PRIVATE_KEY" = qtcfg.privateKey; - "PUBLIC_KEY" = qtcfg.publicKey; - "TIME_WINDOW" = toString qtcfg.timeWindow; - "TUN_UP_SCRIPT" = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; - "SUID" = "nobody"; + INTERFACE = name; + TUN_MODE = toString qtcfg.tunMode; + REMOTE_ADDRESS = qtcfg.remoteAddress; + LOCAL_ADDRESS = qtcfg.localAddress; + LOCAL_PORT = toString qtcfg.localPort; + REMOTE_PORT = toString qtcfg.remotePort; + REMOTE_FLOAT = toString qtcfg.remoteFloat; + PRIVATE_KEY = qtcfg.privateKey; + PUBLIC_KEY = qtcfg.publicKey; + TIME_WINDOW = toString qtcfg.timeWindow; + TUN_UP_SCRIPT = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; + SUID = "nobody"; }; serviceConfig = { Type = "simple"; diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index d6fabbcd4700..1daced4a6c70 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -41,7 +41,7 @@ in }; services.radicale.config = mkOption { - type = types.string; + type = types.str; default = ""; description = '' Radicale configuration, this will set the service @@ -50,7 +50,7 @@ in }; services.radicale.extraArgs = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; description = "Extra arguments passed to the Radicale daemon."; }; diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index ee7f82ac7bee..9b25aa575837 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -249,7 +249,7 @@ in systemd.services.resilio = with pkgs; { description = "Resilio Sync Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "local-fs.target" ]; + after = [ "network.target" ]; serviceConfig = { Restart = "on-abort"; UMask = "0002"; diff --git a/nixos/modules/services/networking/shout.nix b/nixos/modules/services/networking/shout.nix index f511a9af2562..e548ec66962a 100644 --- a/nixos/modules/services/networking/shout.nix +++ b/nixos/modules/services/networking/shout.nix @@ -35,7 +35,7 @@ in { }; listenAddress = mkOption { - type = types.string; + type = types.str; default = "0.0.0.0"; description = "IP interface to listen on for http connections."; }; diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index c41d0edaf17f..d4d0594a9cdd 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -55,7 +55,7 @@ in description = "Enable the smokeping service"; }; alertConfig = mkOption { - type = types.string; + type = types.lines; default = '' to = root@localhost from = smokeping@localhost @@ -73,19 +73,20 @@ in description = "Configuration for alerts."; }; cgiUrl = mkOption { - type = types.string; - default = "http://${cfg.hostName}:${builtins.toString cfg.port}/smokeping.cgi"; + type = types.str; + default = "http://${cfg.hostName}:${toString cfg.port}/smokeping.cgi"; + defaultText = "http://\${hostName}:\${toString port}/smokeping.cgi"; example = "https://somewhere.example.com/smokeping.cgi"; description = "URL to the smokeping cgi."; }; config = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.lines; default = null; description = "Full smokeping config supplied by the user. Overrides " + "and replaces any other configuration supplied."; }; databaseConfig = mkOption { - type = types.string; + type = types.lines; default = '' step = 300 pings = 20 @@ -122,14 +123,15 @@ in description = "Any additional customization not already included."; }; hostName = mkOption { - type = types.string; + type = types.str; default = config.networking.hostName; example = "somewhere.example.com"; description = "DNS name for the urls generated in the cgi."; }; imgUrl = mkOption { - type = types.string; - default = "http://${cfg.hostName}:${builtins.toString cfg.port}/cache"; + type = types.str; + default = "http://${cfg.hostName}:${toString cfg.port}/cache"; + defaultText = "http://\${hostName}:\${toString port}/cache"; example = "https://somewhere.example.com/cache"; description = "Base url for images generated in the cgi."; }; @@ -140,19 +142,19 @@ in description = "DNS name for the urls generated in the cgi."; }; mailHost = mkOption { - type = types.string; + type = types.str; default = ""; example = "localhost"; description = "Use this SMTP server to send alerts"; }; owner = mkOption { - type = types.string; + type = types.str; default = "nobody"; example = "Joe Admin"; description = "Real name of the owner of the instance"; }; ownerEmail = mkOption { - type = types.string; + type = types.str; default = "no-reply@${cfg.hostName}"; example = "no-reply@yourdomain.com"; description = "Email contact for owner"; @@ -170,7 +172,7 @@ in description = "TCP port to use for the web server."; }; presentationConfig = mkOption { - type = types.string; + type = types.lines; default = '' + charts menu = Charts @@ -211,12 +213,12 @@ in description = "presentation graph style"; }; presentationTemplate = mkOption { - type = types.string; + type = types.str; default = "${pkgs.smokeping}/etc/basepage.html.dist"; description = "Default page layout for the web UI."; }; probeConfig = mkOption { - type = types.string; + type = types.lines; default = '' + FPing binary = ${config.security.wrapperDir}/fping @@ -230,12 +232,12 @@ in description = "Use this sendmail compatible script to deliver alerts"; }; smokeMailTemplate = mkOption { - type = types.string; + type = types.str; default = "${cfg.package}/etc/smokemail.dist"; description = "Specify the smokemail template for alerts."; }; targetConfig = mkOption { - type = types.string; + type = types.lines; default = '' probe = FPing menu = Top @@ -253,7 +255,7 @@ in description = "Target configuration"; }; user = mkOption { - type = types.string; + type = types.str; default = "smokeping"; description = "User that runs smokeping and (optionally) thttpd"; }; @@ -275,7 +277,7 @@ in ]; security.wrappers = { fping.source = "${pkgs.fping}/bin/fping"; - "fping6".source = "${pkgs.fping}/bin/fping6"; + fping6.source = "${pkgs.fping}/bin/fping6"; }; environment.systemPackages = [ pkgs.fping ]; users.users = singleton { diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index 65df93a00da9..2dc73d81b258 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -50,7 +50,7 @@ in }; dataDir = mkOption { - type = types.string; + type = types.path; default = "/var/lib/softether"; description = '' Data directory for SoftEther VPN. @@ -68,7 +68,7 @@ in mkMerge [{ environment.systemPackages = [ package ]; - systemd.services."softether-init" = { + systemd.services.softether-init = { description = "SoftEther VPN services initial task"; wantedBy = [ "network.target" ]; serviceConfig = { diff --git a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix index 95a174122d04..dfdfc50d8ae2 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix @@ -63,7 +63,7 @@ rec { StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> ''; - single = f: name: value: { "${name}" = f value; }; + single = f: name: value: { ${name} = f value; }; mkStrParam = mkParamOfType types.str; mkOptionalStrParam = mkStrParam null; diff --git a/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix b/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix index 193ad27f035a..2bbb39a76049 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix @@ -21,7 +21,7 @@ rec { mkConf = indent : ps : concatMapStringsSep "\n" (name: - let value = ps."${name}"; + let value = ps.${name}; indentation = replicate indent " "; in indentation + ( @@ -58,7 +58,7 @@ rec { ) set); # Recursively map over every parameter in the given attribute set. - mapParamsRecursive = mapAttrsRecursiveCond' (as: (!(as ? "_type" && as._type == "param"))); + mapParamsRecursive = mapAttrsRecursiveCond' (as: (!(as ? _type && as._type == "param"))); mapAttrsRecursiveCond' = cond: f: set: let @@ -67,7 +67,7 @@ rec { g = name: value: if isAttrs value && cond value - then { "${name}" = recurse (path ++ [name]) value; } + then { ${name} = recurse (path ++ [name]) value; } else f (path ++ [name]) name value; in mapAttrs'' g set; in recurse [] set; @@ -77,6 +77,6 @@ rec { # Extract the options from the given set of parameters. paramsToOptions = ps : - mapParamsRecursive (_path: name: param: { "${name}" = param.option; }) ps; + mapParamsRecursive (_path: name: param: { ${name} = param.option; }) ps; } diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix index 89a14966eca7..cbc899f2b4d7 100644 --- a/nixos/modules/services/networking/stunnel.nix +++ b/nixos/modules/services/networking/stunnel.nix @@ -35,12 +35,12 @@ let clientConfig = { options = { accept = mkOption { - type = types.string; + type = types.str; description = "IP:Port on which connections should be accepted."; }; connect = mkOption { - type = types.string; + type = types.str; description = "IP:Port destination to connect to."; }; @@ -63,7 +63,7 @@ let }; verifyHostname = mkOption { - type = with types; nullOr string; + type = with types; nullOr str; default = null; description = "If set, stunnel checks if the provided certificate is valid for the given hostname."; }; @@ -88,13 +88,13 @@ in }; user = mkOption { - type = with types; nullOr string; + type = with types; nullOr str; default = "nobody"; description = "The user under which stunnel runs."; }; group = mkOption { - type = with types; nullOr string; + type = with types; nullOr str; default = "nogroup"; description = "The group under which stunnel runs."; }; diff --git a/nixos/modules/services/networking/syncplay.nix b/nixos/modules/services/networking/syncplay.nix new file mode 100644 index 000000000000..e3147c10502c --- /dev/null +++ b/nixos/modules/services/networking/syncplay.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.syncplay; + + cmdArgs = + [ "--port" cfg.port ] + ++ optionals (cfg.salt != null) [ "--salt" cfg.salt ] + ++ optionals (cfg.certDir != null) [ "--tls" cfg.certDir ]; + +in +{ + options = { + services.syncplay = { + enable = mkOption { + type = types.bool; + default = false; + description = "If enabled, start the Syncplay server."; + }; + + port = mkOption { + type = types.int; + default = 8999; + description = '' + TCP port to bind to. + ''; + }; + + salt = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Salt to allow room operator passwords generated by this server + instance to still work when the server is restarted. + ''; + }; + + certDir = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + TLS certificates directory to use for encryption. See + <link xlink:href="https://github.com/Syncplay/syncplay/wiki/TLS-support"/>. + ''; + }; + + user = mkOption { + type = types.str; + default = "nobody"; + description = '' + User to use when running Syncplay. + ''; + }; + + group = mkOption { + type = types.str; + default = "nogroup"; + description = '' + Group to use when running Syncplay. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.syncplay = { + description = "Syncplay Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target "]; + + serviceConfig = { + ExecStart = "${pkgs.syncplay}/bin/syncplay-server ${escapeShellArgs cmdArgs}"; + User = cfg.user; + Group = cfg.group; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index 126f5b7b527b..165fd5970cf8 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -373,7 +373,7 @@ in { systemd.packages = [ pkgs.syncthing ]; users.users = mkIf (cfg.systemService && cfg.user == defaultUser) { - "${defaultUser}" = + ${defaultUser} = { group = cfg.group; home = cfg.dataDir; createHome = true; @@ -383,7 +383,7 @@ in { }; users.groups = mkIf (cfg.systemService && cfg.group == defaultUser) { - "${defaultUser}".gid = + ${defaultUser}.gid = config.ids.gids.syncthing; }; diff --git a/nixos/modules/services/networking/toxvpn.nix b/nixos/modules/services/networking/toxvpn.nix index 7830dfb1834c..7daacba185fe 100644 --- a/nixos/modules/services/networking/toxvpn.nix +++ b/nixos/modules/services/networking/toxvpn.nix @@ -8,7 +8,7 @@ with lib; enable = mkEnableOption "toxvpn running on startup"; localip = mkOption { - type = types.string; + type = types.str; default = "10.123.123.1"; description = "your ip on the vpn"; }; @@ -20,7 +20,7 @@ with lib; }; auto_add_peers = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; example = ''[ "toxid1" "toxid2" ]''; description = "peers to automacally connect to on startup"; diff --git a/nixos/modules/services/networking/vsftpd.nix b/nixos/modules/services/networking/vsftpd.nix index 31e1e65fa9ca..67be60da5673 100644 --- a/nixos/modules/services/networking/vsftpd.nix +++ b/nixos/modules/services/networking/vsftpd.nix @@ -164,7 +164,7 @@ in }; anonymousUmask = mkOption { - type = types.string; + type = types.str; default = "077"; example = "002"; description = "Anonymous write umask."; diff --git a/nixos/modules/services/networking/websockify.nix b/nixos/modules/services/networking/websockify.nix index 4b76350ecf8a..d9177df65bd6 100644 --- a/nixos/modules/services/networking/websockify.nix +++ b/nixos/modules/services/networking/websockify.nix @@ -44,9 +44,9 @@ let cfg = config.services.networking.websockify; in { scriptArgs = "%i"; }; - systemd.targets."default-websockify" = { + systemd.targets.default-websockify = { description = "Target to start all default websockify@ services"; - unitConfig."X-StopOnReconfiguration" = true; + unitConfig.X-StopOnReconfiguration = true; wants = mapAttrsToList (name: value: "websockify@${name}:${toString value}.service") cfg.portMap; wantedBy = [ "multi-user.target" ]; }; diff --git a/nixos/modules/services/networking/xinetd.nix b/nixos/modules/services/networking/xinetd.nix index 2d7cd5cebb48..8dc6f845ed85 100644 --- a/nixos/modules/services/networking/xinetd.nix +++ b/nixos/modules/services/networking/xinetd.nix @@ -53,7 +53,7 @@ in services.xinetd.extraDefaults = mkOption { default = ""; - type = types.string; + type = types.lines; description = '' Additional configuration lines added to the default section of xinetd's configuration. ''; @@ -70,13 +70,13 @@ in options = { name = mkOption { - type = types.string; + type = types.str; example = "login"; description = "Name of the service."; }; protocol = mkOption { - type = types.string; + type = types.str; default = "tcp"; description = "Protocol of the service. Usually <literal>tcp</literal> or <literal>udp</literal>."; @@ -90,25 +90,25 @@ in }; user = mkOption { - type = types.string; + type = types.str; default = "nobody"; description = "User account for the service"; }; server = mkOption { - type = types.string; + type = types.str; example = "/foo/bin/ftpd"; description = "Path of the program that implements the service."; }; serverArgs = mkOption { - type = types.string; + type = types.separatedString " "; default = ""; description = "Command-line arguments for the server program."; }; flags = mkOption { - type = types.string; + type = types.str; default = ""; description = ""; }; diff --git a/nixos/modules/services/networking/xl2tpd.nix b/nixos/modules/services/networking/xl2tpd.nix index d0a3ed7bb5e0..7dbe51422d96 100644 --- a/nixos/modules/services/networking/xl2tpd.nix +++ b/nixos/modules/services/networking/xl2tpd.nix @@ -8,13 +8,13 @@ with lib; enable = mkEnableOption "xl2tpd, the Layer 2 Tunnelling Protocol Daemon"; serverIp = mkOption { - type = types.string; + type = types.str; description = "The server-side IP address."; default = "10.125.125.1"; }; clientIpRange = mkOption { - type = types.string; + type = types.str; description = "The range from which client IPs are drawn."; default = "10.125.125.2-11"; }; diff --git a/nixos/modules/services/networking/zerobin.nix b/nixos/modules/services/networking/zerobin.nix index 06ccd7032e6c..78de246a816f 100644 --- a/nixos/modules/services/networking/zerobin.nix +++ b/nixos/modules/services/networking/zerobin.nix @@ -74,7 +74,7 @@ in }; config = mkIf (cfg.enable) { - users.users."${cfg.user}" = + users.users.${cfg.user} = if cfg.user == "zerobin" then { isSystemUser = true; group = cfg.group; @@ -82,7 +82,7 @@ in createHome = true; } else {}; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.services.zerobin = { enable = true; diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 42c1b9482cb2..3fcae611dc79 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -287,10 +287,20 @@ in }; environment.systemPackages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; - environment.etc."cups".source = "/var/lib/cups"; + environment.etc.cups.source = "/var/lib/cups"; services.dbus.packages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; + # Allow asswordless printer admin for members of wheel group + security.polkit.extraConfig = mkIf polkitEnabled '' + polkit.addRule(function(action, subject) { + if (action.id == "org.opensuse.cupspkhelper.mechanism.all-edit" && + subject.isInGroup("wheel")){ + return polkit.Result.YES; + } + }); + ''; + # Cups uses libusb to talk to printers, and does not use the # linux kernel driver. If the driver is not in a black list, it # gets loaded, and then cups cannot access the printers. diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index f77b3bcd5921..e43ca014e148 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -143,7 +143,6 @@ in }; systemd.services.fcron = { description = "fcron daemon"; - after = [ "local-fs.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.fcron ]; diff --git a/nixos/modules/services/search/kibana.nix b/nixos/modules/services/search/kibana.nix index c096af731ad4..43a63aa8fdc2 100644 --- a/nixos/modules/services/search/kibana.nix +++ b/nixos/modules/services/search/kibana.nix @@ -9,7 +9,7 @@ let lt6_6 = builtins.compareVersions cfg.package.version "6.6" < 0; cfgFile = pkgs.writeText "kibana.json" (builtins.toJSON ( - (filterAttrsRecursive (n: v: v != null) ({ + (filterAttrsRecursive (n: v: v != null && v != []) ({ server.host = cfg.listenAddress; server.port = cfg.port; server.ssl.certificate = cfg.cert; @@ -150,7 +150,7 @@ in { description = "Kibana package to use"; default = pkgs.kibana; defaultText = "pkgs.kibana"; - example = "pkgs.kibana5"; + example = "pkgs.kibana"; type = types.package; }; diff --git a/nixos/modules/services/security/fprot.nix b/nixos/modules/services/security/fprot.nix index b1ca4ab23452..474490391463 100644 --- a/nixos/modules/services/security/fprot.nix +++ b/nixos/modules/services/security/fprot.nix @@ -67,7 +67,7 @@ in { services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; - systemd.services."fprot-updater" = { + systemd.services.fprot-updater = { serviceConfig = { Type = "oneshot"; RemainAfterExit = false; diff --git a/nixos/modules/services/security/haka.nix b/nixos/modules/services/security/haka.nix index b64a1b4d03e0..618e689924fd 100644 --- a/nixos/modules/services/security/haka.nix +++ b/nixos/modules/services/security/haka.nix @@ -69,7 +69,7 @@ in configFile = mkOption { default = "empty.lua"; example = "/srv/haka/myfilter.lua"; - type = types.string; + type = types.str; description = '' Specify which configuration file Haka uses. It can be absolute path or a path relative to the sample directory of @@ -80,7 +80,7 @@ in interfaces = mkOption { default = [ "eth0" ]; example = [ "any" ]; - type = with types; listOf string; + type = with types; listOf str; description = '' Specify which interface(s) Haka listens to. Use 'any' to listen to all interfaces. diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix index 1c4f8e20552f..891788864710 100644 --- a/nixos/modules/services/security/munge.nix +++ b/nixos/modules/services/security/munge.nix @@ -19,7 +19,7 @@ in password = mkOption { default = "/etc/munge/munge.key"; - type = types.string; + type = types.path; description = '' The path to a daemon's secret key. ''; diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 61f203ef9e7d..bb03f7fc9e43 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -284,7 +284,7 @@ in #################################################### # UPSTREAM Configuration upstream = mkOption { - type = with types; coercedTo string (x: [x]) (listOf string); + type = with types; coercedTo str (x: [x]) (listOf str); default = []; description = '' The http url(s) of the upstream endpoint or <literal>file://</literal> @@ -523,7 +523,7 @@ in }; keyFile = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.path; default = null; description = '' oauth2_proxy allows passing sensitive configuration via environment variables. diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix index a9ad5497a657..be6734f439f3 100644 --- a/nixos/modules/services/security/oauth2_proxy_nginx.nix +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -6,14 +6,14 @@ in { options.services.oauth2_proxy.nginx = { proxy = mkOption { - type = types.string; + type = types.str; default = config.services.oauth2_proxy.httpAddress; description = '' The address of the reverse proxy endpoint for oauth2_proxy ''; }; virtualHosts = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; description = '' A list of nginx virtual hosts to put behind the oauth2 proxy diff --git a/nixos/modules/services/security/physlock.nix b/nixos/modules/services/security/physlock.nix index 97fbd6aae6e0..61bcd84f2e64 100644 --- a/nixos/modules/services/security/physlock.nix +++ b/nixos/modules/services/security/physlock.nix @@ -99,7 +99,7 @@ in # for physlock -l and physlock -L environment.systemPackages = [ pkgs.physlock ]; - systemd.services."physlock" = { + systemd.services.physlock = { enable = true; description = "Physlock"; wantedBy = optional cfg.lockOn.suspend "suspend.target" diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix index 1b7a2ad13980..a91060dc659a 100644 --- a/nixos/modules/services/security/sks.nix +++ b/nixos/modules/services/security/sks.nix @@ -108,7 +108,7 @@ in { hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ; hkpPort = builtins.toString cfg.hkpPort; in { - "sks-db" = { + sks-db = { description = "SKS database server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index abdc0cd78b4d..ed862387cce1 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -722,7 +722,6 @@ in systemd.services.tor-init = { description = "Tor Daemon Init"; wantedBy = [ "tor.service" ]; - after = [ "local-fs.target" ]; script = '' install -m 0700 -o tor -g tor -d ${torDirectory} ${torDirectory}/onion install -m 0750 -o tor -g tor -d ${torRunDirectory} diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 20d5e3b28eb9..4ced5acd9bd9 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -195,7 +195,7 @@ in { description = "USBGuard daemon"; wantedBy = [ "basic.target" ]; - wants = [ "systemd-udevd.service" "local-fs.target" ]; + wants = [ "systemd-udevd.service" ]; # make sure an empty rule file and required directories exist preStart = '' diff --git a/nixos/modules/services/system/cgmanager.nix b/nixos/modules/services/system/cgmanager.nix index 59d3deced867..d3d57aa76928 100644 --- a/nixos/modules/services/system/cgmanager.nix +++ b/nixos/modules/services/system/cgmanager.nix @@ -14,7 +14,6 @@ in { config = mkIf cfg.enable { systemd.services.cgmanager = { wantedBy = [ "multi-user.target" ]; - after = [ "local-fs.target" ]; description = "Cgroup management daemon"; restartIfChanged = false; serviceConfig = { diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix index 3ad555f78ef8..15fe822aec67 100644 --- a/nixos/modules/services/system/cloud-init.nix +++ b/nixos/modules/services/system/cloud-init.nix @@ -112,8 +112,6 @@ in systemd.services.cloud-init-local = { description = "Initial cloud-init job (pre-networking)"; wantedBy = [ "multi-user.target" ]; - wants = [ "local-fs.target" ]; - after = [ "local-fs.target" ]; path = path; serviceConfig = { Type = "oneshot"; @@ -127,9 +125,9 @@ in systemd.services.cloud-init = { description = "Initial cloud-init job (metadata service crawler)"; wantedBy = [ "multi-user.target" ]; - wants = [ "local-fs.target" "network-online.target" "cloud-init-local.service" + wants = [ "network-online.target" "cloud-init-local.service" "sshd.service" "sshd-keygen.service" ]; - after = [ "local-fs.target" "network-online.target" "cloud-init-local.service" ]; + after = [ "network-online.target" "cloud-init-local.service" ]; before = [ "sshd.service" "sshd-keygen.service" ]; requires = [ "network.target "]; path = path; diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index e04580218442..936646a5fd78 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -44,8 +44,10 @@ in message bus. Specifically, files in the following directories will be included into their respective DBus configuration paths: <filename><replaceable>pkg</replaceable>/etc/dbus-1/system.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/system.d</filename> <filename><replaceable>pkg</replaceable>/share/dbus-1/system-services</filename> <filename><replaceable>pkg</replaceable>/etc/dbus-1/session.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/session.d</filename> <filename><replaceable>pkg</replaceable>/share/dbus-1/services</filename> ''; }; diff --git a/nixos/modules/services/system/localtime.nix b/nixos/modules/services/system/localtime.nix index 04595fc82fbb..c3c0b432b494 100644 --- a/nixos/modules/services/system/localtime.nix +++ b/nixos/modules/services/system/localtime.nix @@ -22,7 +22,7 @@ in { config = mkIf cfg.enable { services.geoclue2 = { enable = true; - appConfig."localtime" = { + appConfig.localtime = { isAllowed = true; isSystem = true; }; diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix index 48ec4d692e2f..0c72505395dd 100644 --- a/nixos/modules/services/torrent/deluge.nix +++ b/nixos/modules/services/torrent/deluge.nix @@ -173,12 +173,16 @@ in { # Provide a default set of `extraPackages`. services.deluge.extraPackages = with pkgs; [ unzip gnutar xz p7zip bzip2 ]; - systemd.tmpfiles.rules = [ "d '${configDir}' 0770 ${cfg.user} ${cfg.group}" ] - ++ optional (cfg.config ? "download_location") + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group}" + "d '${cfg.dataDir}/.config' 0770 ${cfg.user} ${cfg.group}" + "d '${cfg.dataDir}/.config/deluge' 0770 ${cfg.user} ${cfg.group}" + ] + ++ optional (cfg.config ? download_location) "d '${cfg.config.download_location}' 0770 ${cfg.user} ${cfg.group}" - ++ optional (cfg.config ? "torrentfiles_location") + ++ optional (cfg.config ? torrentfiles_location) "d '${cfg.config.torrentfiles_location}' 0770 ${cfg.user} ${cfg.group}" - ++ optional (cfg.config ? "move_completed_path") + ++ optional (cfg.config ? move_completed_path) "d '${cfg.config.move_completed_path}' 0770 ${cfg.user} ${cfg.group}"; systemd.services.deluged = { @@ -237,7 +241,6 @@ in { group = cfg.group; uid = config.ids.uids.deluge; home = cfg.dataDir; - createHome = true; description = "Deluge Daemon user"; }; }; diff --git a/nixos/modules/services/torrent/flexget.nix b/nixos/modules/services/torrent/flexget.nix index ca63f529a5df..6ac85f8fa178 100644 --- a/nixos/modules/services/torrent/flexget.nix +++ b/nixos/modules/services/torrent/flexget.nix @@ -19,7 +19,7 @@ in { user = mkOption { default = "deluge"; example = "some_user"; - type = types.string; + type = types.str; description = "The user under which to run flexget."; }; @@ -33,7 +33,7 @@ in { interval = mkOption { default = "10m"; example = "1h"; - type = types.string; + type = types.str; description = "When to perform a <command>flexget</command> run. See <command>man 7 systemd.time</command> for the format."; }; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index a94a471361ef..7409eb8cdcbe 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -102,7 +102,7 @@ in config = mkIf cfg.enable { systemd.services.transmission = { description = "Transmission BitTorrent Service"; - after = [ "local-fs.target" "network.target" ] ++ optional apparmor "apparmor.service"; + after = [ "network.target" ] ++ optional apparmor "apparmor.service"; requires = mkIf apparmor [ "apparmor.service" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/ttys/agetty.nix b/nixos/modules/services/ttys/agetty.nix index b50de496e975..f127d8a0276d 100644 --- a/nixos/modules/services/ttys/agetty.nix +++ b/nixos/modules/services/ttys/agetty.nix @@ -92,7 +92,7 @@ in restartIfChanged = false; }; - systemd.services."console-getty" = + systemd.services.console-getty = { serviceConfig.ExecStart = [ "" # override upstream default with an empty ExecStart (gettyCmd "--noclear --keep-baud console 115200,38400,9600 $TERM") diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index cf163271d276..59185fdbd36f 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -142,12 +142,12 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.tmpfiles.rules = [ "d '${cfg.home}' - ${cfg.user} - - -" diff --git a/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixos/modules/services/web-apps/atlassian/crowd.nix index 020ca8d89dbb..ceab656b15e8 100644 --- a/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixos/modules/services/web-apps/atlassian/crowd.nix @@ -110,12 +110,12 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.tmpfiles.rules = [ "d '${cfg.home}' - ${cfg.user} ${cfg.group} - -" diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index b0019e77ac27..ce04982e8a9e 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -148,12 +148,12 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.tmpfiles.rules = [ "d '${cfg.home}' - ${cfg.user} - - -" diff --git a/nixos/modules/services/web-apps/frab.nix b/nixos/modules/services/web-apps/frab.nix index e885dc69b3c0..7914e5cc0ee1 100644 --- a/nixos/modules/services/web-apps/frab.nix +++ b/nixos/modules/services/web-apps/frab.nix @@ -19,7 +19,7 @@ let RAILS_SERVE_STATIC_FILES = "1"; } // cfg.extraEnvironment; - frab-rake = pkgs.stdenv.mkDerivation rec { + frab-rake = pkgs.stdenv.mkDerivation { name = "frab-rake"; buildInputs = [ package.env pkgs.makeWrapper ]; phases = "installPhase fixupPhase"; diff --git a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix index 95c8fb160510..d9ad7e9e3d39 100644 --- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix +++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix @@ -165,7 +165,7 @@ in { config = mkIf cfg.enable { services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { - "${poolName}" = { + ${poolName} = { user = "icingaweb2"; phpOptions = '' extension = ${pkgs.phpPackages.imagick}/lib/php/extensions/imagick.so @@ -189,7 +189,7 @@ in { services.nginx = { enable = true; virtualHosts = mkIf (cfg.virtualHost != null) { - "${cfg.virtualHost}" = { + ${cfg.virtualHost} = { root = "${pkgs.icingaweb2}/public"; extraConfig = '' @@ -216,7 +216,7 @@ in { # /etc/icingaweb2 environment.etc = let - doModule = name: optionalAttrs (cfg.modules."${name}".enable) { "icingaweb2/enabledModules/${name}".source = "${pkgs.icingaweb2}/modules/${name}"; }; + doModule = name: optionalAttrs (cfg.modules.${name}.enable) { "icingaweb2/enabledModules/${name}".source = "${pkgs.icingaweb2}/modules/${name}"; }; in {} # Module packages // (mapAttrs' (k: v: nameValuePair "icingaweb2/enabledModules/${k}" { source = v; }) cfg.modulePackages) diff --git a/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix b/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix index 167e5e389568..e9c1d4ffe5ea 100644 --- a/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix +++ b/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix @@ -58,7 +58,7 @@ in { }; backends = mkOption { - default = { "icinga" = { resource = "icinga_ido"; }; }; + default = { icinga = { resource = "icinga_ido"; }; }; description = "Monitoring backends to define"; type = attrsOf (submodule ({ name, ... }: { options = { diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index 2797feb32ebf..68b57a9b90dd 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -277,7 +277,7 @@ in systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; - users.users."${user}".group = group; + users.users.${user}.group = group; }; } diff --git a/nixos/modules/services/web-apps/moodle.nix b/nixos/modules/services/web-apps/moodle.nix index f2516c67c6b3..7f71b86a6fe6 100644 --- a/nixos/modules/services/web-apps/moodle.nix +++ b/nixos/modules/services/web-apps/moodle.nix @@ -18,7 +18,7 @@ let global $CFG; $CFG = new stdClass(); - $CFG->dbtype = '${ { "mysql" = "mariadb"; "pgsql" = "pgsql"; }.${cfg.database.type} }'; + $CFG->dbtype = '${ { mysql = "mariadb"; pgsql = "pgsql"; }.${cfg.database.type} }'; $CFG->dblibrary = 'native'; $CFG->dbhost = '${cfg.database.host}'; $CFG->dbname = '${cfg.database.name}'; @@ -92,8 +92,8 @@ in type = types.int; description = "Database host port."; default = { - "mysql" = 3306; - "pgsql" = 5432; + mysql = 3306; + pgsql = 5432; }.${cfg.database.type}; defaultText = "3306"; }; @@ -294,7 +294,7 @@ in systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; - users.users."${user}".group = group; + users.users.${user}.group = group; }; } diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index ada14ad39291..5f5469e48507 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -102,10 +102,10 @@ in { phpOptions = mkOption { type = types.attrsOf types.str; default = { - "short_open_tag" = "Off"; - "expose_php" = "Off"; - "error_reporting" = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; - "display_errors" = "stderr"; + short_open_tag = "Off"; + expose_php = "Off"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + display_errors = "stderr"; "opcache.enable_cli" = "1"; "opcache.interned_strings_buffer" = "8"; "opcache.max_accelerated_files" = "10000"; @@ -113,7 +113,7 @@ in { "opcache.revalidate_freq" = "1"; "opcache.fast_shutdown" = "1"; "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; - "catch_workers_output" = "yes"; + catch_workers_output = "yes"; }; description = '' Options for PHP's php.ini file for nextcloud. @@ -289,7 +289,7 @@ in { ]; } - { systemd.timers."nextcloud-cron" = { + { systemd.timers.nextcloud-cron = { wantedBy = [ "timers.target" ]; timerConfig.OnBootSec = "5m"; timerConfig.OnUnitActiveSec = "15m"; @@ -297,7 +297,7 @@ in { }; systemd.services = { - "nextcloud-setup" = let + nextcloud-setup = let c = cfg.config; writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]"; overrideConfig = pkgs.writeText "nextcloud-config.php" '' @@ -397,13 +397,13 @@ in { ''; serviceConfig.Type = "oneshot"; }; - "nextcloud-cron" = { + nextcloud-cron = { environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; serviceConfig.Type = "oneshot"; serviceConfig.User = "nextcloud"; serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${pkgs.nextcloud}/cron.php"; }; - "nextcloud-update-plugins" = mkIf cfg.autoUpdateApps.enable { + nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; startAt = cfg.autoUpdateApps.startAt; @@ -441,7 +441,7 @@ in { services.nginx = { enable = true; virtualHosts = { - "${cfg.hostName}" = { + ${cfg.hostName} = { root = pkgs.nextcloud; locations = { "= /robots.txt" = { diff --git a/nixos/modules/services/web-apps/nexus.nix b/nixos/modules/services/web-apps/nexus.nix index 052dbed6d4f8..3af97e146d0a 100644 --- a/nixos/modules/services/web-apps/nexus.nix +++ b/nixos/modules/services/web-apps/nexus.nix @@ -80,14 +80,14 @@ in }; config = mkIf cfg.enable { - users.users."${cfg.user}" = { + users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; home = cfg.home; createHome = true; }; - users.groups."${cfg.group}" = {}; + users.groups.${cfg.group} = {}; systemd.services.nexus = { description = "Sonatype Nexus3"; diff --git a/nixos/modules/services/web-apps/pgpkeyserver-lite.nix b/nixos/modules/services/web-apps/pgpkeyserver-lite.nix index 93f69bd12651..ad70ba70bbef 100644 --- a/nixos/modules/services/web-apps/pgpkeyserver-lite.nix +++ b/nixos/modules/services/web-apps/pgpkeyserver-lite.nix @@ -60,7 +60,7 @@ in services.nginx.virtualHosts = let hkpPort = builtins.toString cfg.hkpPort; in { - "${cfg.hostname}" = { + ${cfg.hostname} = { root = webPkg; locations = { "/pks".extraConfig = '' diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index 6a1b4143bc16..f220669c9108 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix @@ -179,8 +179,9 @@ in config = mkIf cfg.enable { services.phpfpm.pools = { - "${poolName}" = { + ${poolName} = { inherit (cfg) user group; + phpOptions = '' date.timezone = "CET" @@ -207,7 +208,7 @@ in }; services.nginx.enable = true; - services.nginx.virtualHosts."${cfg.virtualHost.serverName}" = { + services.nginx.virtualHosts.${cfg.virtualHost.serverName} = { listen = [ { addr = cfg.virtualHost.listenHost; port = cfg.virtualHost.listenPort; } ]; serverName = cfg.virtualHost.serverName; root = runDir; diff --git a/nixos/modules/services/web-apps/selfoss.nix b/nixos/modules/services/web-apps/selfoss.nix index 56b7cafffe8b..d5a660ebf289 100644 --- a/nixos/modules/services/web-apps/selfoss.nix +++ b/nixos/modules/services/web-apps/selfoss.nix @@ -114,9 +114,8 @@ in }; config = mkIf cfg.enable { - services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { - "${poolName}" = { + ${poolName} = { user = "nginx"; settings = mapAttrs (name: mkDefault) { "listen.owner" = "nginx"; diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index 59b0ee1addc6..abe4748591e9 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -520,7 +520,7 @@ let ]; services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { - "${poolName}" = { + ${poolName} = { inherit (cfg) user; settings = mapAttrs (name: mkDefault) { "listen.owner" = "nginx"; @@ -541,7 +541,7 @@ let services.nginx = mkIf (cfg.virtualHost != null) { enable = true; virtualHosts = { - "${cfg.virtualHost}" = { + ${cfg.virtualHost} = { root = "${cfg.root}"; locations."/" = { diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index 98dc84588189..884754370587 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix @@ -133,7 +133,7 @@ let ''; }; - database = rec { + database = { host = mkOption { type = types.str; default = "localhost"; diff --git a/nixos/modules/services/web-apps/youtrack.nix b/nixos/modules/services/web-apps/youtrack.nix index 691cbdc8d1d5..830edac20bac 100644 --- a/nixos/modules/services/web-apps/youtrack.nix +++ b/nixos/modules/services/web-apps/youtrack.nix @@ -28,28 +28,28 @@ in The interface youtrack will listen on. ''; default = "127.0.0.1"; - type = types.string; + type = types.str; }; baseUrl = mkOption { description = '' Base URL for youtrack. Will be auto-detected and stored in database. ''; - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; }; extraParams = mkOption { default = {}; description = '' - Extra parameters to pass to youtrack. See + Extra parameters to pass to youtrack. See https://www.jetbrains.com/help/youtrack/standalone/YouTrack-Java-Start-Parameters.html for more information. ''; example = { "jetbrains.youtrack.overrideRootPassword" = "tortuga"; }; - type = types.attrsOf types.string; + type = types.attrsOf types.str; }; package = mkOption { @@ -73,7 +73,7 @@ in description = '' Where to keep the youtrack database. ''; - type = types.string; + type = types.path; default = "/var/lib/youtrack"; }; @@ -83,7 +83,7 @@ in If null, do not setup anything. ''; default = null; - type = types.nullOr types.string; + type = types.nullOr types.str; }; jvmOpts = mkOption { @@ -92,7 +92,7 @@ in See https://www.jetbrains.com/help/youtrack/standalone/Configure-JVM-Options.html for more information. ''; - type = types.string; + type = types.separatedString " "; example = "-XX:MetaspaceSize=250m"; default = ""; }; @@ -101,7 +101,7 @@ in description = '' Maximum Java heap size ''; - type = types.string; + type = types.str; default = "1g"; }; @@ -109,7 +109,7 @@ in description = '' Maximum java Metaspace memory. ''; - type = types.string; + type = types.str; default = "350m"; }; }; diff --git a/nixos/modules/services/web-apps/zabbix.nix b/nixos/modules/services/web-apps/zabbix.nix index fa358ffafbc3..dac243b20e97 100644 --- a/nixos/modules/services/web-apps/zabbix.nix +++ b/nixos/modules/services/web-apps/zabbix.nix @@ -16,7 +16,7 @@ let <?php // Zabbix GUI configuration file. global $DB; - $DB['TYPE'] = '${ { "mysql" = "MYSQL"; "pgsql" = "POSTGRESQL"; "oracle" = "ORACLE"; }.${cfg.database.type} }'; + $DB['TYPE'] = '${ { mysql = "MYSQL"; pgsql = "POSTGRESQL"; oracle = "ORACLE"; }.${cfg.database.type} }'; $DB['SERVER'] = '${cfg.database.host}'; $DB['PORT'] = '${toString cfg.database.port}'; $DB['DATABASE'] = '${cfg.database.name}'; diff --git a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix index 536e707137c6..9d747549c274 100644 --- a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix +++ b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix @@ -33,7 +33,7 @@ with lib; description = "port to listen on"; }; ip = mkOption { - type = types.string; + type = types.str; default = "*"; description = "Ip to listen on. 0.0.0.0 for ipv4 only, * for all."; }; diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix index 6a1db6087840..132c50735d96 100644 --- a/nixos/modules/services/web-servers/caddy.nix +++ b/nixos/modules/services/web-servers/caddy.nix @@ -27,13 +27,13 @@ in { ca = mkOption { default = "https://acme-v02.api.letsencrypt.org/directory"; example = "https://acme-staging-v02.api.letsencrypt.org/directory"; - type = types.string; + type = types.str; description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people."; }; email = mkOption { default = ""; - type = types.string; + type = types.str; description = "Email address (for Let's Encrypt certificate)"; }; diff --git a/nixos/modules/services/web-servers/darkhttpd.nix b/nixos/modules/services/web-servers/darkhttpd.nix index 80870118c334..d6649fd472d9 100644 --- a/nixos/modules/services/web-servers/darkhttpd.nix +++ b/nixos/modules/services/web-servers/darkhttpd.nix @@ -67,7 +67,7 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig = { DynamicUser = true; - ExecStart = "${cfg.package}/bin/darkhttpd ${args}"; + ExecStart = "${pkgs.darkhttpd}/bin/darkhttpd ${args}"; AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; Restart = "on-failure"; RestartSec = "2s"; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 5c65a2388d6f..b94b338fd4a6 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -473,7 +473,7 @@ in }; clientMaxBodySize = mkOption { - type = types.string; + type = types.str; default = "10m"; description = "Set nginx global client_max_body_size."; }; diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index e95e71e0d997..4ab7e3f0c0a9 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix @@ -36,7 +36,7 @@ let poolOpts = { name, ... }: let - poolOpts = cfg.pools."${name}"; + poolOpts = cfg.pools.${name}; in { options = { diff --git a/nixos/modules/services/web-servers/traefik.nix b/nixos/modules/services/web-servers/traefik.nix index 5bac895d43ac..8de7df0d446c 100644 --- a/nixos/modules/services/web-servers/traefik.nix +++ b/nixos/modules/services/web-servers/traefik.nix @@ -67,7 +67,7 @@ in { group = mkOption { default = "traefik"; - type = types.string; + type = types.str; example = "docker"; description = '' Set the group that traefik runs under. diff --git a/nixos/modules/services/web-servers/uwsgi.nix b/nixos/modules/services/web-servers/uwsgi.nix index 3f858d90fa46..af70f32f32d0 100644 --- a/nixos/modules/services/web-servers/uwsgi.nix +++ b/nixos/modules/services/web-servers/uwsgi.nix @@ -72,7 +72,7 @@ in { }; runDir = mkOption { - type = types.string; + type = types.path; default = "/run/uwsgi"; description = "Where uWSGI communication sockets can live"; }; diff --git a/nixos/modules/services/web-servers/zope2.nix b/nixos/modules/services/web-servers/zope2.nix index 4cad2a2ff777..3abd506827c0 100644 --- a/nixos/modules/services/web-servers/zope2.nix +++ b/nixos/modules/services/web-servers/zope2.nix @@ -11,7 +11,7 @@ let name = mkOption { default = "${name}"; - type = types.string; + type = types.str; description = "The name of the zope2 instance. If undefined, the name of the attribute set will be used."; }; @@ -23,19 +23,19 @@ let http_address = mkOption { default = "localhost:8080"; - type = types.string; + type = types.str; description = "Give a port and address for the HTTP server."; }; user = mkOption { default = "zope2"; - type = types.string; + type = types.str; description = "The name of the effective user for the Zope process."; }; clientHome = mkOption { default = "/var/lib/zope2/${name}"; - type = types.string; + type = types.path; description = "Home directory of zope2 instance."; }; extra = mkOption { @@ -52,7 +52,7 @@ let </blobstorage> </zodb_db> ''; - type = types.string; + type = types.lines; description = "Extra zope.conf"; }; diff --git a/nixos/modules/services/x11/clight.nix b/nixos/modules/services/x11/clight.nix index 6ec395bb05ec..4daf6d8d9db7 100644 --- a/nixos/modules/services/x11/clight.nix +++ b/nixos/modules/services/x11/clight.nix @@ -75,7 +75,7 @@ in { longitude = mkDefault config.location.longitude; }); - services.geoclue2.appConfig."clightc" = { + services.geoclue2.appConfig.clightc = { isAllowed = true; isSystem = true; }; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 527e4b18045b..9914b6687090 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -31,7 +31,7 @@ in e.efl e.enlightenment e.terminology e.econnman pkgs.xorg.xauth # used by kdesu - pkgs.gtk2 # To get GTK+'s themes. + pkgs.gtk2 # To get GTK's themes. pkgs.tango-icon-theme pkgs.gnome2.gnome_icon_theme @@ -48,7 +48,7 @@ in services.xserver.desktopManager.session = [ { name = "Enlightenment"; start = '' - # Set GTK_DATA_PREFIX so that GTK+ can find the themes + # Set GTK_DATA_PREFIX so that GTK can find the themes export GTK_DATA_PREFIX=${config.system.path} # find theme engines export GTK_PATH=${config.system.path}/lib/gtk-3.0:${config.system.path}/lib/gtk-2.0 diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 0caa93ad217f..71df4e8f0a4d 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -37,7 +37,7 @@ let picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom}/share/artwork/gnome/nix-wallpaper-simple-dark-gray_bottom.png' [org.gnome.shell] - favorite-apps=[ 'org.gnome.Epiphany.desktop', 'evolution.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop' ] + favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop' ] ${cfg.extraGSettingsOverrides} EOF @@ -227,25 +227,27 @@ in (mkIf serviceCfg.core-shell.enable { services.colord.enable = mkDefault true; + services.gnome3.chrome-gnome-shell.enable = mkDefault true; services.gnome3.glib-networking.enable = true; services.gnome3.gnome-remote-desktop.enable = mkDefault true; services.gnome3.gnome-settings-daemon.enable = true; services.gnome3.gnome-user-share.enable = mkDefault true; services.gnome3.rygel.enable = mkDefault true; services.gvfs.enable = true; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.telepathy.enable = mkDefault true; systemd.packages = [ pkgs.gnome3.vino ]; - services.dbus.packages = - optional config.services.printing.enable pkgs.system-config-printer; + + services.avahi.enable = mkDefault true; services.geoclue2.enable = mkDefault true; services.geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent - services.geoclue2.appConfig."gnome-datetime-panel" = { + services.geoclue2.appConfig.gnome-datetime-panel = { isAllowed = true; isSystem = true; }; - services.geoclue2.appConfig."gnome-color-panel" = { + services.geoclue2.appConfig.gnome-color-panel = { isAllowed = true; isSystem = true; }; @@ -261,16 +263,19 @@ in source-sans-pro ]; + # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-shell.bst environment.systemPackages = with pkgs.gnome3; [ adwaita-icon-theme gnome-backgrounds gnome-bluetooth + gnome-color-manager gnome-control-center gnome-getting-started-docs gnome-shell gnome-shell-extensions gnome-themes-extra gnome-user-docs + pkgs.orca pkgs.glib # for gsettings pkgs.gnome-menus pkgs.gtk3.out # for gtk-launch @@ -281,23 +286,43 @@ in ]; }) + # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-utilities.bst (mkIf serviceCfg.core-utilities.enable { environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ - baobab eog epiphany evince gucharmap nautilus totem yelp gnome-calculator - gnome-contacts gnome-font-viewer gnome-screenshot gnome-system-monitor simple-scan - gnome-terminal evolution file-roller gedit gnome-clocks gnome-music gnome-tweaks - pkgs.gnome-photos nautilus-sendto dconf-editor vinagre gnome-weather gnome-logs - gnome-maps gnome-characters gnome-calendar accerciser gnome-nettool gnome-packagekit - gnome-software gnome-power-manager gnome-todo pkgs.gnome-usage + baobab + cheese + eog + epiphany + geary + gedit + gnome-calculator + gnome-calendar + gnome-characters + gnome-clocks + gnome-contacts + gnome-font-viewer + gnome-logs + gnome-maps + gnome-music + gnome-photos + gnome-screenshot + gnome-software + gnome-system-monitor + gnome-weather + nautilus + simple-scan + totem + yelp + # Unsure if sensible for NixOS + /* gnome-boxes */ ] config.environment.gnome3.excludePackages); # Enable default programs programs.evince.enable = mkDefault true; programs.file-roller.enable = mkDefault true; programs.gnome-disks.enable = mkDefault true; - programs.gnome-documents.enable = mkDefault true; programs.gnome-terminal.enable = mkDefault true; - services.gnome3.seahorse.enable = mkDefault true; + programs.seahorse.enable = mkDefault true; services.gnome3.sushi.enable = mkDefault true; # Let nautilus find extensions diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index e1084b0053cc..d7a871c9c704 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -48,7 +48,7 @@ in name = "mate"; bgSupport = true; start = '' - # Set GTK_DATA_PREFIX so that GTK+ can find the themes + # Set GTK_DATA_PREFIX so that GTK can find the themes export GTK_DATA_PREFIX=${config.system.path} # Find theme engines @@ -98,6 +98,9 @@ in programs.bash.vteIntegration = mkDefault true; programs.zsh.vteIntegration = mkDefault true; + # Mate uses this for printing + programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.gnome3.at-spi2-core.enable = true; services.gnome3.gnome-keyring.enable = true; services.gnome3.gnome-settings-daemon.enable = true; @@ -105,7 +108,7 @@ in services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; - security.pam.services."mate-screensaver".unixAuth = true; + security.pam.services.mate-screensaver.unixAuth = true; environment.pathsToLink = [ "/share" ]; }; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index ae23015d2005..e313a194c345 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -113,9 +113,9 @@ in services.colord.enable = mkDefault true; services.pantheon.files.enable = mkDefault true; services.tumbler.enable = mkDefault true; - services.dbus.packages = mkMerge [ - ([ pkgs.pantheon.switchboard-plug-power ]) - (mkIf config.services.printing.enable ([pkgs.system-config-printer]) ) + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.dbus.packages = [ + pkgs.pantheon.switchboard-plug-power ]; services.pantheon.contractor.enable = mkDefault true; services.gnome3.at-spi2-core.enable = true; @@ -145,6 +145,9 @@ in programs.dconf.enable = true; programs.evince.enable = mkDefault true; programs.file-roller.enable = mkDefault true; + # Otherwise you can't store NetworkManager Secrets with + # "Store the password only for this user" + programs.nm-applet.enable = true; # Shell integration for VTE terminals programs.bash.vteIntegration = mkDefault true; @@ -191,6 +194,7 @@ in gtk3.out hicolor-icon-theme lightlocker + onboard plank qgnomeplatform shared-mime-info diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 94a307ae1007..b10755df4dc2 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -72,7 +72,7 @@ in security.wrappers = { kcheckpass.source = "${lib.getBin plasma5.kscreenlocker}/libexec/kcheckpass"; - "start_kdeinit".source = "${lib.getBin pkgs.kinit}/libexec/kf5/start_kdeinit"; + start_kdeinit.source = "${lib.getBin pkgs.kinit}/libexec/kf5/start_kdeinit"; kwin_wayland = { source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; capabilities = "cap_sys_nice+ep"; @@ -210,8 +210,8 @@ in # Enable helpful DBus services. services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; - services.dbus.packages = - mkIf config.services.printing.enable [ pkgs.system-config-printer ]; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.xserver.libinput.enable = mkDefault true; # Extra UDEV rules used by Solid services.udev.packages = [ diff --git a/nixos/modules/services/x11/desktop-managers/surf-display.nix b/nixos/modules/services/x11/desktop-managers/surf-display.nix index 232bbf5c55d4..140dde828daa 100644 --- a/nixos/modules/services/x11/desktop-managers/surf-display.nix +++ b/nixos/modules/services/x11/desktop-managers/surf-display.nix @@ -48,7 +48,7 @@ in { enable = mkEnableOption "surf-display as a kiosk browser session"; defaultWwwUri = mkOption { - type = types.string; + type = types.str; default = "${pkgs.surf-display}/share/surf-display/empty-page.html"; example = "https://www.example.com/"; description = "Default URI to display."; @@ -69,7 +69,7 @@ in { }; screensaverSettings = mkOption { - type = types.string; + type = types.separatedString " "; default = ""; description = '' Screensaver settings, see <literal>man 1 xset</literal> for possible options. @@ -77,7 +77,7 @@ in { }; pointerButtonMap = mkOption { - type = types.string; + type = types.str; default = "1 0 0 4 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"; description = '' Disable right and middle pointer device click in browser sessions @@ -87,14 +87,14 @@ in { }; hideIdlePointer = mkOption { - type = types.string; + type = types.str; default = "yes"; example = "no"; description = "Hide idle mouse pointer."; }; extraConfig = mkOption { - type = types.string; + type = types.lines; default = ""; example = '' # Enforce fixed resolution for all displays (default: not set): diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 1102f73d1ac3..e3249aef50c7 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -48,7 +48,7 @@ in config = mkIf cfg.enable { environment.systemPackages = with pkgs.xfce // pkgs; [ - # Get GTK+ themes and gtk-update-icon-cache + # Get GTK themes and gtk-update-icon-cache gtk2.out # Supplies some abstract icons such as: @@ -107,10 +107,10 @@ in start = '' ${cfg.extraSessionCommands} - # Set GTK_PATH so that GTK+ can find the theme engines. + # Set GTK_PATH so that GTK can find the theme engines. export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0" - # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes. + # Set GTK_DATA_PREFIX so that GTK can find the Xfce themes. export GTK_DATA_PREFIX=${config.system.path} ${pkgs.runtimeShell} ${pkgs.xfce.xinitrc} & diff --git a/nixos/modules/services/x11/desktop-managers/xfce4-14.nix b/nixos/modules/services/x11/desktop-managers/xfce4-14.nix index 16329c093f98..57d1268d655a 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce4-14.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce4-14.nix @@ -114,10 +114,10 @@ in name = "xfce4-14"; bgSupport = true; start = '' - # Set GTK_PATH so that GTK+ can find the theme engines. + # Set GTK_PATH so that GTK can find the theme engines. export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0" - # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes. + # Set GTK_DATA_PREFIX so that GTK can find the Xfce themes. export GTK_DATA_PREFIX=${config.system.path} ${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} & @@ -137,8 +137,7 @@ in services.gvfs.enable = true; services.gvfs.package = pkgs.xfce.gvfs; services.tumbler.enable = true; - services.dbus.packages = - optional config.services.printing.enable pkgs.system-config-printer; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager # Enable default programs diff --git a/nixos/modules/services/x11/desktop-managers/xterm.nix b/nixos/modules/services/x11/desktop-managers/xterm.nix index ea441fbbe715..93987bd1dfc5 100644 --- a/nixos/modules/services/x11/desktop-managers/xterm.nix +++ b/nixos/modules/services/x11/desktop-managers/xterm.nix @@ -5,7 +5,6 @@ with lib; let cfg = config.services.xserver.desktopManager.xterm; - xserverEnabled = config.services.xserver.enable; in @@ -14,7 +13,7 @@ in services.xserver.desktopManager.xterm.enable = mkOption { type = types.bool; - default = xserverEnabled; + default = false; defaultText = "config.services.xserver.enable"; description = "Enable a xterm terminal as a desktop manager."; }; diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index afa0cebbc527..c26a5b615353 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -6,7 +6,7 @@ let xcfg = config.services.xserver; dmcfg = xcfg.displayManager; - xEnv = config.systemd.services."display-manager".environment; + xEnv = config.systemd.services.display-manager.environment; cfg = dmcfg.lightdm; dmDefault = xcfg.desktopManager.default; @@ -114,7 +114,7 @@ in }; name = mkOption { - type = types.string; + type = types.str; description = '' The name of a .desktop file in the directory specified in the 'package' option. @@ -232,36 +232,41 @@ in # Enable the accounts daemon to find lightdm's dbus interface environment.systemPackages = [ lightdm ]; - security.pam.services.lightdm = { - allowNullPassword = true; - startSession = true; - }; - security.pam.services.lightdm-greeter = { - allowNullPassword = true; - startSession = true; - text = '' - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - auth required pam_permit.so + security.pam.services.lightdm.text = '' + auth substack login + account include login + password substack login + session include login + ''; - account required pam_permit.so + security.pam.services.lightdm-greeter.text = '' + auth required pam_succeed_if.so audit quiet_success user = lightdm + auth optional pam_permit.so - password required pam_deny.so + account required pam_succeed_if.so audit quiet_success user = lightdm + account sufficient pam_unix.so + + password required pam_deny.so + + session required pam_succeed_if.so audit quiet_success user = lightdm + session required pam_env.so envfile=${config.system.build.pamEnvironment} + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional pam_keyinit.so force revoke + session optional pam_permit.so + ''; - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - ''; - }; security.pam.services.lightdm-autologin.text = '' - auth requisite pam_nologin.so - auth required pam_succeed_if.so uid >= 1000 quiet - auth required pam_permit.so + auth requisite pam_nologin.so + + auth required pam_succeed_if.so uid >= 1000 quiet + auth required pam_permit.so - account include lightdm + account sufficient pam_unix.so - password include lightdm + password requisite pam_unix.so nullok sha512 - session include lightdm + session optional pam_keyinit.so revoke + session include login ''; users.users.lightdm = { diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index d1ed345ac579..c6cb281c2cc2 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -7,7 +7,7 @@ let xcfg = config.services.xserver; dmcfg = xcfg.displayManager; cfg = dmcfg.sddm; - xEnv = config.systemd.services."display-manager".environment; + xEnv = config.systemd.services.display-manager.environment; inherit (pkgs) sddm; diff --git a/nixos/modules/services/x11/extra-layouts.nix b/nixos/modules/services/x11/extra-layouts.nix index 5523dd2bf023..1af98a1318bb 100644 --- a/nixos/modules/services/x11/extra-layouts.nix +++ b/nixos/modules/services/x11/extra-layouts.nix @@ -158,7 +158,10 @@ in }); - services.xserver.xkbDir = "${pkgs.xkb_patched}/etc/X11/xkb"; + services.xserver = { + xkbDir = "${pkgs.xkb_patched}/etc/X11/xkb"; + exportConfiguration = config.services.xserver.displayManager.startx.enable; + }; }; diff --git a/nixos/modules/services/x11/hardware/cmt.nix b/nixos/modules/services/x11/hardware/cmt.nix new file mode 100644 index 000000000000..95353e92098e --- /dev/null +++ b/nixos/modules/services/x11/hardware/cmt.nix @@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + +cfg = config.services.xserver.cmt; +etcPath = "X11/xorg.conf.d"; + +in { + + options = { + + services.xserver.cmt = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable chrome multitouch input (cmt). Touchpad drivers that are configured for chromebooks."; + }; + models = mkOption { + type = types.enum [ "atlas" "banjo" "candy" "caroline" "cave" "celes" "clapper" "cyan" "daisy" "elan" "elm" "enguarde" "eve" "expresso" "falco" "gandof" "glimmer" "gnawty" "heli" "kevin" "kip" "leon" "lulu" "orco" "pbody" "peppy" "pi" "pit" "puppy" "quawks" "rambi" "samus" "snappy" "spring" "squawks" "swanky" "winky" "wolf" "auron_paine" "auron_yuna" "daisy_skate" "nyan_big" "nyan_blaze" "veyron_jaq" "veyron_jerry" "veyron_mighty" "veyron_minnie" "veyron_speedy" ]; + example = "banjo"; + description = '' + Which models to enable cmt for. Enter the Code Name for your Chromebook. + Code Name can be found at <link xlink:href="https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices" />. + ''; + }; + }; #closes services + }; #closes options + + config = mkIf cfg.enable { + + services.xserver.modules = [ pkgs.xf86_input_cmt ]; + + environment.etc = { + "${etcPath}/40-touchpad-cmt.conf" = { + source = "${pkgs.chromium-xorg-conf}/40-touchpad-cmt.conf"; + }; + "${etcPath}/50-touchpad-cmt-${cfg.models}.conf" = { + source = "${pkgs.chromium-xorg-conf}/50-touchpad-cmt-${cfg.models}.conf"; + }; + "${etcPath}/60-touchpad-cmt-${cfg.models}.conf" = { + source = "${pkgs.chromium-xorg-conf}/60-touchpad-cmt-${cfg.models}.conf"; + }; + }; + + assertions = [ + { + assertion = !config.services.xserver.libinput.enable; + message = "cmt and libinput are incompatible, you cannot enable both (in services.xserver)."; + } + ]; + }; +} diff --git a/nixos/modules/services/x11/hardware/libinput.nix b/nixos/modules/services/x11/hardware/libinput.nix index a0a5e2656852..bd289976532b 100644 --- a/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixos/modules/services/x11/hardware/libinput.nix @@ -41,13 +41,13 @@ in { }; accelSpeed = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = "Cursor acceleration (how fast speed increases from minSpeed to maxSpeed)."; }; buttonMapping = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = '' @@ -61,7 +61,7 @@ in { }; calibrationMatrix = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = '' diff --git a/nixos/modules/services/x11/hardware/synaptics.nix b/nixos/modules/services/x11/hardware/synaptics.nix index f032c5938852..22af869f1f8a 100644 --- a/nixos/modules/services/x11/hardware/synaptics.nix +++ b/nixos/modules/services/x11/hardware/synaptics.nix @@ -44,19 +44,19 @@ in { }; accelFactor = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = "0.001"; description = "Cursor acceleration (how fast speed increases from minSpeed to maxSpeed)."; }; minSpeed = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = "0.6"; description = "Cursor speed factor for precision finger motion."; }; maxSpeed = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = "1.0"; description = "Cursor speed factor for highest-speed finger motion."; }; @@ -167,7 +167,7 @@ in { services.xserver.modules = [ pkg.out ]; - environment.etc."${etcFile}".source = + environment.etc.${etcFile}.source = "${pkg.out}/share/X11/xorg.conf.d/70-synaptics.conf"; environment.systemPackages = [ pkg ]; diff --git a/nixos/modules/services/x11/redshift.nix b/nixos/modules/services/x11/redshift.nix index 55f8f75021bc..6ddb4c83764a 100644 --- a/nixos/modules/services/x11/redshift.nix +++ b/nixos/modules/services/x11/redshift.nix @@ -81,7 +81,7 @@ in { # needed so that .desktop files are installed, which geoclue cares about environment.systemPackages = [ cfg.package ]; - services.geoclue2.appConfig."redshift" = { + services.geoclue2.appConfig.redshift = { isAllowed = true; isSystem = true; }; diff --git a/nixos/modules/services/x11/window-managers/xmonad.nix b/nixos/modules/services/x11/window-managers/xmonad.nix index a6055f26789e..0e1314122767 100644 --- a/nixos/modules/services/x11/window-managers/xmonad.nix +++ b/nixos/modules/services/x11/window-managers/xmonad.nix @@ -59,7 +59,7 @@ in config = mkOption { default = null; - type = with lib.types; nullOr (either path string); + type = with lib.types; nullOr (either path str); description = '' Configuration from which XMonad gets compiled. If no value is specified, the xmonad config from $HOME/.xmonad is taken. diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix index 10eef8aefbcd..3e03131ca114 100644 --- a/nixos/modules/services/x11/xautolock.nix +++ b/nixos/modules/services/x11/xautolock.nix @@ -132,7 +132,7 @@ in ] ++ (lib.forEach [ "locker" "notifier" "nowlocker" "killer" ] (option: { - assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/"; + assertion = cfg.${option} != null -> builtins.substring 0 1 cfg.${option} == "/"; message = "Please specify a canonical path for `services.xserver.xautolock.${option}`"; }) ); diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index c94a06438315..a8406544a72f 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -659,7 +659,7 @@ in systemd.services.display-manager = { description = "X11 Server"; - after = [ "systemd-udev-settle.service" "local-fs.target" "acpid.service" "systemd-logind.service" ]; + after = [ "systemd-udev-settle.service" "acpid.service" "systemd-logind.service" ]; wants = [ "systemd-udev-settle.service" ]; restartIfChanged = false; diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index a550ffd6320f..a32c9dc1f2b4 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -239,7 +239,7 @@ in { List of systems to emulate. Will also configure Nix to support your new systems. ''; - type = types.listOf types.string; + type = types.listOf types.str; }; }; }; diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index baa8c602a99e..50dbf2f83651 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -261,7 +261,7 @@ in source = kernelModulesConf; }; - systemd.services."systemd-modules-load" = + systemd.services.systemd-modules-load = { wantedBy = [ "multi-user.target" ]; restartTriggers = [ kernelModulesConf ]; serviceConfig = diff --git a/nixos/modules/system/boot/kexec.nix b/nixos/modules/system/boot/kexec.nix index fd2cb94b756b..27a8e0217c55 100644 --- a/nixos/modules/system/boot/kexec.nix +++ b/nixos/modules/system/boot/kexec.nix @@ -4,7 +4,7 @@ config = lib.mkIf (lib.any (lib.meta.platformMatch pkgs.stdenv.hostPlatform) pkgs.kexectools.meta.platforms) { environment.systemPackages = [ pkgs.kexectools ]; - systemd.services."prepare-kexec" = + systemd.services.prepare-kexec = { description = "Preparation for kexec"; wantedBy = [ "kexec.target" ]; before = [ "systemd-kexec.service" ]; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index eca9dad64222..e13f0421d38f 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -8,7 +8,7 @@ let efi = config.boot.loader.efi; - grubPkgs = + grubPkgs = # Package set of targeted architecture if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs; @@ -72,7 +72,7 @@ let else "${convertedFont}"); }); - bootDeviceCounters = fold (device: attr: attr // { "${device}" = (attr."${device}" or 0) + 1; }) {} + bootDeviceCounters = fold (device: attr: attr // { ${device} = (attr.${device} or 0) + 1; }) {} (concatMap (args: args.devices) cfg.mirroredBoots); convertedFont = (pkgs.runCommand "grub-font-converted.pf2" {} @@ -333,7 +333,7 @@ in }; backgroundColor = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; example = "#7EBAE4"; default = null; description = '' @@ -399,7 +399,7 @@ in example = "text"; type = types.str; description = '' - The gfxpayload to pass to GRUB when loading a graphical boot interface under EFI. + The gfxpayload to pass to GRUB when loading a graphical boot interface under EFI. ''; }; @@ -408,7 +408,7 @@ in example = "keep"; type = types.str; description = '' - The gfxpayload to pass to GRUB when loading a graphical boot interface under BIOS. + The gfxpayload to pass to GRUB when loading a graphical boot interface under BIOS. ''; }; @@ -535,7 +535,7 @@ in default = false; type = types.bool; description = '' - Whether to force the use of a ia32 boot loader on x64 systems. Required + Whether to force the use of a ia32 boot loader on x64 systems. Required to install and run NixOS on 64bit x86 systems with 32bit (U)EFI. ''; }; @@ -554,7 +554,7 @@ in systemHasTPM = mkOption { default = ""; example = "YES_TPM_is_activated"; - type = types.string; + type = types.str; description = '' Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot diff --git a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix index 7db60daa60b8..1c8354e52696 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -10,7 +10,7 @@ let builderUboot = import ./uboot-builder.nix { inherit pkgs configTxt; inherit (cfg) version; }; builderGeneric = import ./raspberrypi-builder.nix { inherit pkgs configTxt; }; - builder = + builder = if cfg.uboot.enable then "${builderUboot} -g ${toString cfg.uboot.configurationLimit} -t ${timeoutStr} -c" else @@ -86,7 +86,7 @@ in firmwareConfig = mkOption { default = null; - type = types.nullOr types.string; + type = types.nullOr types.lines; description = '' Extra options that will be appended to <literal>/boot/config.txt</literal> file. For possible values, see: https://www.raspberrypi.org/documentation/configuration/config-txt/ diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index b5c8d5241a3d..a4029d766b05 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -476,7 +476,7 @@ in boot.initrd.luks.devices = mkOption { default = { }; - example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; + example = { luksroot.device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; description = '' The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM diff --git a/nixos/modules/system/boot/systemd-nspawn.nix b/nixos/modules/system/boot/systemd-nspawn.nix index 34a34091a7dc..db6e06b41072 100644 --- a/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixos/modules/system/boot/systemd-nspawn.nix @@ -117,7 +117,7 @@ in { environment.etc."systemd/nspawn".source = generateUnits "nspawn" units [] []; - systemd.targets."multi-user".wants = [ "machines.target" ]; + systemd.targets.multi-user.wants = [ "machines.target" ]; }; } diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index a79513850624..2287a82418fe 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -328,7 +328,7 @@ let [Service] ${let env = cfg.globalEnvironment // def.environment; in concatMapStrings (n: - let s = optionalString (env."${n}" != null) + let s = optionalString (env.${n} != null) "Environment=${builtins.toJSON "${n}=${env.${n}}"}\n"; # systemd max line length is now 1MiB # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af @@ -496,7 +496,7 @@ in systemd.generators = mkOption { type = types.attrsOf types.path; default = {}; - example = { "systemd-gpt-auto-generator" = "/dev/null"; }; + example = { systemd-gpt-auto-generator = "/dev/null"; }; description = '' Definition of systemd generators. For each <literal>NAME = VALUE</literal> pair of the attrSet, a link is generated from diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 43764bb82f1f..688c77cb22d1 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -12,7 +12,7 @@ let fileSystems' = toposort fsBefore (attrValues config.fileSystems); - fileSystems = if fileSystems' ? "result" + fileSystems = if fileSystems' ? result then # use topologically sorted fileSystems everywhere fileSystems'.result else # the assertion below will catch this, @@ -211,7 +211,7 @@ in ls = sep: concatMapStringsSep sep (x: x.mountPoint); notAutoResizable = fs: fs.autoResize && !(hasPrefix "ext" fs.fsType || fs.fsType == "f2fs"); in [ - { assertion = ! (fileSystems' ? "cycle"); + { assertion = ! (fileSystems' ? cycle); message = "The ‘fileSystems’ option can't be topologically sorted: mountpoint dependency path ${ls " -> " fileSystems'.cycle} loops to ${ls ", " fileSystems'.loops}"; } { assertion = ! (any notAutoResizable fileSystems); diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index ac06b6caee30..2ed8c5aa2927 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -469,7 +469,7 @@ in map createSyncService allPools ++ map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]); - systemd.targets."zfs-import" = + systemd.targets.zfs-import = let services = map (pool: "zfs-import-${pool}.service") dataPools; in @@ -479,7 +479,7 @@ in wantedBy = [ "zfs.target" ]; }; - systemd.targets."zfs".wantedBy = [ "multi-user.target" ]; + systemd.targets.zfs.wantedBy = [ "multi-user.target" ]; }) (mkIf enableAutoSnapshots { diff --git a/nixos/modules/tasks/kbd.nix b/nixos/modules/tasks/kbd.nix index 6d34f897d189..c6ba998b19e6 100644 --- a/nixos/modules/tasks/kbd.nix +++ b/nixos/modules/tasks/kbd.nix @@ -73,7 +73,7 @@ in config = mkMerge [ (mkIf (!setVconsole) { - systemd.services."systemd-vconsole-setup".enable = false; + systemd.services.systemd-vconsole-setup.enable = false; }) (mkIf setVconsole (mkMerge [ @@ -83,7 +83,7 @@ in # virtual consoles. environment.etc."vconsole.conf".source = vconsoleConf; # Provide kbd with additional packages. - environment.etc."kbd".source = "${kbdEnv}/share"; + environment.etc.kbd.source = "${kbdEnv}/share"; boot.initrd.preLVMCommands = mkBefore '' kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console @@ -99,7 +99,7 @@ in '') config.i18n.consoleColors} ''; - systemd.services."systemd-vconsole-setup" = + systemd.services.systemd-vconsole-setup = { before = [ "display-manager.service" ]; after = [ "systemd-udev-settle.service" ]; restartTriggers = [ vconsoleConf kbdEnv ]; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 2b8a7944dc36..1726d05115ea 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -498,8 +498,8 @@ let // mapAttrs' createSitDevice cfg.sits // mapAttrs' createVlanDevice cfg.vlans // { - "network-setup" = networkSetup; - "network-local-commands" = networkLocalCommands; + network-setup = networkSetup; + network-local-commands = networkLocalCommands; }; services.udev.extraRules = diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index fbca54978e5b..34e270667151 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -72,7 +72,15 @@ in }; in mkMerge [ { enable = true; - networks."99-main" = genericNetwork mkDefault; + networks."99-main" = (genericNetwork mkDefault) // { + # We keep the "broken" behaviour of applying this to all interfaces. + # In general we want to get rid of this workaround but there hasn't + # been any work on that. + # See the following issues for details: + # - https://github.com/NixOS/nixpkgs/issues/18962 + # - https://github.com/NixOS/nixpkgs/issues/61629 + matchConfig = mkDefault { Name = "*"; }; + }; } (mkMerge (forEach interfaces (i: { netdevs = mkIf i.virtual ({ @@ -160,14 +168,14 @@ in (mapAttrsToList (k: _: k) do); ""; # get those driverOptions that have been set filterSystemdOptions = filterAttrs (sysDOpt: kOpts: - any (kOpt: do ? "${kOpt}") kOpts.optNames); + any (kOpt: do ? ${kOpt}) kOpts.optNames); # build final set of systemd options to bond values buildOptionSet = mapAttrs (_: kOpts: with kOpts; # we simply take the first set kernel bond option # (one option has multiple names, which is silly) - head (map (optN: valTransform (do."${optN}")) + head (map (optN: valTransform (do.${optN})) # only map those that exist - (filter (o: do ? "${o}") optNames))); + (filter (o: do ? ${o}) optNames))); in seq assertNoUnknownOption (buildOptionSet (filterSystemdOptions driverOptionMapping)); diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 5ac753c92a78..5bf7b0d227f0 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -799,19 +799,19 @@ in networking.wlanInterfaces = mkOption { default = { }; example = literalExample { - "wlan-station0" = { + wlan-station0 = { device = "wlp6s0"; }; - "wlan-adhoc0" = { + wlan-adhoc0 = { type = "ibss"; device = "wlp6s0"; mac = "02:00:00:00:00:01"; }; - "wlan-p2p0" = { + wlan-p2p0 = { device = "wlp6s0"; mac = "02:00:00:00:00:02"; }; - "wlan-ap0" = { + wlan-ap0 = { device = "wlp6s0"; mac = "02:00:00:00:00:03"; }; @@ -836,7 +836,7 @@ in options = { device = mkOption { - type = types.string; + type = types.str; example = "wlp6s0"; description = "The name of the underlying hardware WLAN device as assigned by <literal>udev</literal>."; }; @@ -852,7 +852,7 @@ in }; meshID = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; description = "MeshID of interface with type <literal>mesh</literal>."; }; @@ -994,7 +994,7 @@ in domainname "${cfg.domain}" ''; - environment.etc."hostid" = mkIf (cfg.hostId != null) + environment.etc.hostid = mkIf (cfg.hostId != null) { source = pkgs.runCommand "gen-hostid" { preferLocalBuild = true; } '' hi="${cfg.hostId}" ${if pkgs.stdenv.isBigEndian then '' @@ -1007,7 +1007,7 @@ in # static hostname configuration needed for hostnamectl and the # org.freedesktop.hostname1 dbus service (both provided by systemd) - environment.etc."hostname" = mkIf (cfg.hostName != "") + environment.etc.hostname = mkIf (cfg.hostName != "") { text = cfg.hostName + "\n"; }; @@ -1027,7 +1027,7 @@ in # The network-interfaces target is kept for backwards compatibility. # New modules must NOT use it. - systemd.targets."network-interfaces" = + systemd.targets.network-interfaces = { description = "All Network Interfaces (deprecated)"; wantedBy = [ "network.target" ]; before = [ "network.target" ]; @@ -1162,13 +1162,13 @@ in in flip (concatMapStringsSep "\n") (attrNames wlanDeviceInterfaces) (device: let - interfaces = wlanListDeviceFirst device wlanDeviceInterfaces."${device}"; + interfaces = wlanListDeviceFirst device wlanDeviceInterfaces.${device}; curInterface = elemAt interfaces 0; newInterfaces = drop 1 interfaces; in '' # It is important to have that rule first as overwriting the NAME attribute also prevents the # next rules from matching. - ${flip (concatMapStringsSep "\n") (wlanListDeviceFirst device wlanDeviceInterfaces."${device}") (interface: + ${flip (concatMapStringsSep "\n") (wlanListDeviceFirst device wlanDeviceInterfaces.${device}) (interface: ''ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", ENV{INTERFACE}=="${interface._iName}", ${systemdAttrs interface._iName}, RUN+="${newInterfaceScript device interface}"'')} # Add the required, new WLAN interfaces to the default WLAN interface with the diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 0c4ad90b4eb6..aadfc5add350 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -25,6 +25,9 @@ in { assertion = cfg.hvm; message = "Paravirtualized EC2 instances are no longer supported."; } + { assertion = cfg.efi -> cfg.hvm; + message = "EC2 instances using EFI must be HVM instances."; + } ]; boot.growPartition = cfg.hvm; @@ -35,6 +38,11 @@ in autoResize = true; }; + fileSystems."/boot" = mkIf cfg.efi { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; + boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; @@ -50,8 +58,10 @@ in # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. boot.loader.grub.version = if cfg.hvm then 2 else 1; - boot.loader.grub.device = if cfg.hvm then "/dev/xvda" else "nodev"; + boot.loader.grub.device = if (cfg.hvm && !cfg.efi) then "/dev/xvda" else "nodev"; boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)"; + boot.loader.grub.efiSupport = cfg.efi; + boot.loader.grub.efiInstallAsRemovable = cfg.efi; boot.loader.timeout = 0; boot.initrd.network.enable = true; @@ -137,7 +147,7 @@ in networking.timeServers = [ "169.254.169.123" ]; # udisks has become too bloated to have in a headless system - # (e.g. it depends on GTK+). + # (e.g. it depends on GTK). services.udisks2.enable = false; }; } diff --git a/nixos/modules/virtualisation/amazon-options.nix b/nixos/modules/virtualisation/amazon-options.nix index 15de8638bbab..2e807131e938 100644 --- a/nixos/modules/virtualisation/amazon-options.nix +++ b/nixos/modules/virtualisation/amazon-options.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: { options = { ec2 = { @@ -9,6 +9,13 @@ Whether the EC2 instance is a HVM instance. ''; }; + efi = lib.mkOption { + default = pkgs.stdenv.hostPlatform.isAarch64; + internal = true; + description = '' + Whether the EC2 instance is using EFI. + ''; + }; }; }; } diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix index c63b971ead02..da5df3580734 100644 --- a/nixos/modules/virtualisation/anbox.nix +++ b/nixos/modules/virtualisation/anbox.nix @@ -56,7 +56,7 @@ in dns = mkOption { default = "1.1.1.1"; - type = types.string; + type = types.str; description = '' Container DNS server. ''; diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix index 770cefbcd511..036b1036f92a 100644 --- a/nixos/modules/virtualisation/azure-agent.nix +++ b/nixos/modules/virtualisation/azure-agent.nix @@ -166,7 +166,6 @@ in wantedBy = [ "sshd.service" "waagent.service" ]; before = [ "sshd.service" "waagent.service" ]; - after = [ "local-fs.target" ]; path = [ pkgs.coreutils ]; script = diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index dd2108ccc379..e91dd72ff5d4 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -26,7 +26,6 @@ in wantedBy = [ "sshd.service" "waagent.service" ]; before = [ "sshd.service" "waagent.service" ]; - after = [ "local-fs.target" ]; path = [ pkgs.coreutils ]; script = diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix index e716982c510a..d0efbcc808aa 100644 --- a/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixos/modules/virtualisation/brightbox-image.nix @@ -111,7 +111,7 @@ in # Always include cryptsetup so that NixOps can use it. environment.systemPackages = [ pkgs.cryptsetup ]; - systemd.services."fetch-ec2-data" = + systemd.services.fetch-ec2-data = { description = "Fetch EC2 Data"; wantedBy = [ "multi-user.target" "sshd.service" ]; diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index b61558b22019..9c9f8fc0c215 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -337,7 +337,7 @@ let networkOptions = { hostBridge = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "br0"; description = '' @@ -387,7 +387,7 @@ let }; hostAddress6 = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "fc00::1"; description = '' @@ -409,7 +409,7 @@ let }; localAddress6 = mkOption { - type = types.nullOr types.string; + type = types.nullOr types.str; default = null; example = "fc00::2"; description = '' @@ -565,7 +565,7 @@ in }; interfaces = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = []; example = [ "eth1" "eth2" ]; description = '' @@ -729,7 +729,7 @@ in serviceConfig = serviceDirectives dummyConfig; }; in { - systemd.targets."multi-user".wants = [ "machines.target" ]; + systemd.targets.multi-user.wants = [ "machines.target" ]; systemd.services = listToAttrs (filter (x: x.value != null) ( # The generic container template used by imperative containers diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index db3dd9949c12..82451787e8a1 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -64,7 +64,7 @@ with lib; serviceConfig.RemainAfterExit = true; }; - systemd.services."print-host-key" = + systemd.services.print-host-key = { description = "Print SSH Host Key"; wantedBy = [ "multi-user.target" ]; after = [ "sshd.service" ]; diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 79766970c757..327324f2921d 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -21,7 +21,7 @@ in boot.initrd.kernelModules = [ "virtio_scsi" ]; boot.kernelModules = [ "virtio_pci" "virtio_net" ]; - # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. + # Generate a GRUB menu. boot.loader.grub.device = "/dev/sda"; boot.loader.timeout = 0; @@ -29,12 +29,16 @@ in # way to select them anyway. boot.loader.grub.configurationLimit = 0; - # Allow root logins only using the SSH key that the user specified - # at instance creation time. + # Allow root logins only using SSH keys + # and disable password authentication in general services.openssh.enable = true; services.openssh.permitRootLogin = "prohibit-password"; services.openssh.passwordAuthentication = mkDefault false; + # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on + # instance or project level + security.googleOsLogin.enable = true; + # Use GCE udev rules for dynamic disk volumes services.udev.packages = [ gce ]; @@ -65,165 +69,80 @@ in # GC has 1460 MTU networking.interfaces.eth0.mtu = 1460; - security.googleOsLogin.enable = true; - - systemd.services.google-clock-skew-daemon = { - description = "Google Compute Engine Clock Skew Daemon"; - after = [ - "network.target" - "google-instance-setup.service" - "google-network-setup.service" - ]; - requires = ["network.target"]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "simple"; - ExecStart = "${gce}/bin/google_clock_skew_daemon --debug"; - }; - }; - systemd.services.google-instance-setup = { description = "Google Compute Engine Instance Setup"; - after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"]; - before = ["sshd.service"]; - wants = ["local-fs.target" "network-online.target" "network.target"]; - wantedBy = [ "sshd.service" "multi-user.target" ]; - path = with pkgs; [ ethtool openssh ]; + after = [ "network-online.target" "network.target" "rsyslog.service" ]; + before = [ "sshd.service" ]; + path = with pkgs; [ coreutils ethtool openssh ]; serviceConfig = { - ExecStart = "${gce}/bin/google_instance_setup --debug"; + ExecStart = "${gce}/bin/google_instance_setup"; + StandardOutput="journal+console"; Type = "oneshot"; }; + wantedBy = [ "sshd.service" "multi-user.target" ]; }; systemd.services.google-network-daemon = { description = "Google Compute Engine Network Daemon"; - after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"]; - wants = ["local-fs.target" "network-online.target" "network.target"]; - requires = ["network.target"]; - partOf = ["network.target"]; - wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" "network.target" "google-instance-setup.service" ]; path = with pkgs; [ iproute ]; serviceConfig = { - ExecStart = "${gce}/bin/google_network_daemon --debug"; + ExecStart = "${gce}/bin/google_network_daemon"; + StandardOutput="journal+console"; + Type="simple"; }; + wantedBy = [ "multi-user.target" ]; }; + systemd.services.google-clock-skew-daemon = { + description = "Google Compute Engine Clock Skew Daemon"; + after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ]; + serviceConfig = { + ExecStart = "${gce}/bin/google_clock_skew_daemon"; + StandardOutput="journal+console"; + Type = "simple"; + }; + wantedBy = ["multi-user.target"]; + }; + + systemd.services.google-shutdown-scripts = { description = "Google Compute Engine Shutdown Scripts"; after = [ - "local-fs.target" "network-online.target" "network.target" "rsyslog.service" - "systemd-resolved.service" "google-instance-setup.service" "google-network-daemon.service" ]; - wants = [ "local-fs.target" "network-online.target" "network.target"]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.coreutils}/bin/true"; - ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown"; - Type = "oneshot"; + ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown"; RemainAfterExit = true; - TimeoutStopSec = "infinity"; + StandardOutput="journal+console"; + TimeoutStopSec = "0"; + Type = "oneshot"; }; + wantedBy = [ "multi-user.target" ]; }; systemd.services.google-startup-scripts = { description = "Google Compute Engine Startup Scripts"; after = [ - "local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service" "google-network-daemon.service" ]; - wants = ["local-fs.target" "network-online.target" "network.target"]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup"; + ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup"; KillMode = "process"; + StandardOutput = "journal+console"; Type = "oneshot"; }; + wantedBy = [ "multi-user.target" ]; }; - - # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf - boot.kernel.sysctl = { - # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss - # of TCP functionality/features under normal conditions. When flood - # protections kick in under high unanswered-SYN load, the system - # should remain more stable, with a trade off of some loss of TCP - # functionality/features (e.g. TCP Window scaling). - "net.ipv4.tcp_syncookies" = mkDefault "1"; - - # ignores ICMP redirects - "net.ipv4.conf.all.accept_redirects" = mkDefault "0"; - - # ignores ICMP redirects - "net.ipv4.conf.default.accept_redirects" = mkDefault "0"; - - # ignores ICMP redirects from non-GW hosts - "net.ipv4.conf.all.secure_redirects" = mkDefault "1"; - - # ignores ICMP redirects from non-GW hosts - "net.ipv4.conf.default.secure_redirects" = mkDefault "1"; - - # don't allow traffic between networks or act as a router - "net.ipv4.ip_forward" = mkDefault "0"; - - # don't allow traffic between networks or act as a router - "net.ipv4.conf.all.send_redirects" = mkDefault "0"; - - # don't allow traffic between networks or act as a router - "net.ipv4.conf.default.send_redirects" = mkDefault "0"; - - # strict reverse path filtering - IP spoofing protection - "net.ipv4.conf.all.rp_filter" = mkDefault "1"; - - # strict path filtering - IP spoofing protection - "net.ipv4.conf.default.rp_filter" = mkDefault "1"; - - # ignores ICMP broadcasts to avoid participating in Smurf attacks - "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1"; - - # ignores bad ICMP errors - "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1"; - - # logs spoofed, source-routed, and redirect packets - "net.ipv4.conf.all.log_martians" = mkDefault "1"; - - # log spoofed, source-routed, and redirect packets - "net.ipv4.conf.default.log_martians" = mkDefault "1"; - - # implements RFC 1337 fix - "net.ipv4.tcp_rfc1337" = mkDefault "1"; - - # randomizes addresses of mmap base, heap, stack and VDSO page - "kernel.randomize_va_space" = mkDefault "2"; - - # Reboot the machine soon after a kernel panic. - "kernel.panic" = mkDefault "10"; - - ## Not part of the original config - - # provides protection from ToCToU races - "fs.protected_hardlinks" = mkDefault "1"; - - # provides protection from ToCToU races - "fs.protected_symlinks" = mkDefault "1"; - - # makes locating kernel addresses more difficult - "kernel.kptr_restrict" = mkDefault "1"; - - # set ptrace protections - "kernel.yama.ptrace_scope" = mkOverride 500 "1"; - - # set perf only available to root - "kernel.perf_event_paranoid" = mkDefault "2"; - - }; - + environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf"; } diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix index 289e26e17035..36ef6d17df69 100644 --- a/nixos/modules/virtualisation/kvmgt.nix +++ b/nixos/modules/virtualisation/kvmgt.nix @@ -9,7 +9,7 @@ let vgpuOptions = { uuid = mkOption { - type = types.string; + type = types.str; description = "UUID of VGPU device. You can generate one with <package>libossp_uuid</package>."; }; }; @@ -23,7 +23,7 @@ in { ''; # multi GPU support is under the question device = mkOption { - type = types.string; + type = types.str; default = "0000:00:02.0"; description = "PCI ID of graphics card. You can figure it with <command>ls /sys/class/mdev_bus</command>."; }; @@ -35,7 +35,7 @@ in { and find info about device via <command>cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description</command> ''; example = { - "i915-GVTg_V5_8" = { + i915-GVTg_V5_8 = { uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525"; }; }; diff --git a/nixos/modules/virtualisation/railcar.nix b/nixos/modules/virtualisation/railcar.nix new file mode 100644 index 000000000000..12da1c75fc38 --- /dev/null +++ b/nixos/modules/virtualisation/railcar.nix @@ -0,0 +1,125 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.railcar; + generateUnit = name: containerConfig: + let + container = pkgs.ociTools.buildContainer { + args = [ + (pkgs.writeShellScript "run.sh" containerConfig.cmd).outPath + ]; + }; + in + nameValuePair "railcar-${name}" { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/railcar -r ${cfg.stateDir} run ${name} -b ${container} + ''; + Type = containerConfig.runType; + }; + }; + mount = with types; (submodule { + options = { + type = mkOption { + type = str; + default = "none"; + description = '' + The type of the filesystem to be mounted. + Linux: filesystem types supported by the kernel as listed in + `/proc/filesystems` (e.g., "minix", "ext2", "ext3", "jfs", "xfs", + "reiserfs", "msdos", "proc", "nfs", "iso9660"). For bind mounts + (when options include either bind or rbind), the type is a dummy, + often "none" (not listed in /proc/filesystems). + ''; + }; + source = mkOption { + type = str; + description = "Source for the in-container mount"; + }; + options = mkOption { + type = loaOf (str); + default = [ "bind" ]; + description = '' + Mount options of the filesystem to be used. + + Support optoions are listed in the mount(8) man page. Note that + both filesystem-independent and filesystem-specific options + are listed. + ''; + }; + }; + }); +in +{ + options.services.railcar = { + enable = mkEnableOption "railcar"; + + containers = mkOption { + default = {}; + description = "Declarative container configuration"; + type = with types; loaOf (submodule ({ name, config, ... }: { + options = { + cmd = mkOption { + type = types.lines; + description = "Command or script to run inside the container"; + }; + + mounts = mkOption { + type = with types; attrsOf mount; + default = {}; + description = '' + A set of mounts inside the container. + + The defaults have been chosen for simple bindmounts, meaning + that you only need to provide the "source" parameter. + ''; + example = '' + { "/data" = { source = "/var/lib/data"; }; } + ''; + }; + + runType = mkOption { + type = types.str; + default = "oneshot"; + description = "The systemd service run type"; + }; + + os = mkOption { + type = types.str; + default = "linux"; + description = "OS type of the container"; + }; + + arch = mkOption { + type = types.str; + default = "x86_64"; + description = "Computer architecture type of the container"; + }; + }; + })); + }; + + stateDir = mkOption { + type = types.path; + default = ''/var/railcar''; + description = "Railcar persistent state directory"; + }; + + package = mkOption { + type = types.package; + default = pkgs.railcar; + description = "Railcar package to use"; + }; + }; + + config = mkIf cfg.enable { + systemd.services = flip mapAttrs' cfg.containers (name: containerConfig: + generateUnit name containerConfig + ); + }; +} + diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index 41bcb909fb5c..6081d4153a6c 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix @@ -122,7 +122,7 @@ in # Since we lack the right setuid/setcap binaries, set up a host-only network by default. } (mkIf cfg.addNetworkInterface { - systemd.services."vboxnet0" = + systemd.services.vboxnet0 = { description = "VirtualBox vboxnet0 Interface"; requires = [ "dev-vboxnetctl.device" ]; after = [ "dev-vboxnetctl.device" ]; diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index d18778f81588..f418f849759f 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix @@ -33,7 +33,7 @@ in serviceConfig.ExecStart = "${open-vm-tools}/bin/vmtoolsd"; }; - environment.etc."vmware-tools".source = "${open-vm-tools}/etc/vmware-tools/*"; + environment.etc.vmware-tools.source = "${open-vm-tools}/etc/vmware-tools/*"; services.xserver = mkIf (!cfg.headless) { videoDrivers = mkOverride 50 [ "vmware" ]; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 70e575b6c0d2..06d5c63476f9 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -119,7 +119,7 @@ in virtualisation.xen.domains = { extraConfig = mkOption { - type = types.string; + type = types.lines; default = ""; description = '' |