diff options
Diffstat (limited to 'nixos/modules')
361 files changed, 8695 insertions, 3268 deletions
diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 3bfa1893a8ba..6ac64b0ec9c6 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -45,6 +45,9 @@ let # generate the font cache setting file for a fontconfig version # use latest when no version is passed + # When cross-compiling, we can’t generate the cache, so we skip the + # <cachedir> part. fontconfig still works but is a little slower in + # looking things up. makeCacheConf = { version ? null }: let fcPackage = if version == null @@ -60,11 +63,13 @@ let <fontconfig> <!-- Font directories --> ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)} + ${optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) '' <!-- Pre-generated font caches --> <cachedir>${cache}</cachedir> ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) '' <cachedir>${cache32}</cachedir> ''} + ''} </fontconfig> ''; diff --git a/nixos/modules/config/fonts/fontdir.nix b/nixos/modules/config/fonts/fontdir.nix index cc70fbf8744d..a6aa84ae8224 100644 --- a/nixos/modules/config/fonts/fontdir.nix +++ b/nixos/modules/config/fonts/fontdir.nix @@ -25,6 +25,7 @@ in fonts = { enableFontDir = mkOption { + type = types.bool; default = false; description = '' Whether to create a directory with links to all fonts in diff --git a/nixos/modules/config/fonts/ghostscript.nix b/nixos/modules/config/fonts/ghostscript.nix index 1c62a525de94..b1dd81bf2d2e 100644 --- a/nixos/modules/config/fonts/ghostscript.nix +++ b/nixos/modules/config/fonts/ghostscript.nix @@ -9,6 +9,7 @@ with lib; fonts = { enableGhostscriptFonts = mkOption { + type = types.bool; default = false; description = '' Whether to add the fonts provided by Ghostscript (such as diff --git a/nixos/modules/config/gtk/gtk-icon-cache.nix b/nixos/modules/config/gtk/gtk-icon-cache.nix index 86a6bfb5af41..7441f4de40eb 100644 --- a/nixos/modules/config/gtk/gtk-icon-cache.nix +++ b/nixos/modules/config/gtk/gtk-icon-cache.nix @@ -77,7 +77,7 @@ with lib; if [ -w "$themedir" ]; then rm -f "$themedir"/icon-theme.cache - ${pkgs.gtk3.out}/bin/gtk-update-icon-cache --ignore-theme-index "$themedir" + ${pkgs.buildPackages.gtk3.out}/bin/gtk-update-icon-cache --ignore-theme-index "$themedir" fi done ''; diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index b554f197dc4b..1a5dbcd4e26b 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -88,6 +88,7 @@ in }; useTLS = mkOption { + type = types.bool; default = false; description = '' If enabled, use TLS (encryption) over an LDAP (port 389) @@ -109,6 +110,7 @@ in daemon = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to let the nslcd daemon (nss-pam-ldapd) handle the @@ -242,6 +244,10 @@ in if cfg.daemon.enable then nss_pam_ldapd else nss_ldap ); + system.nssDatabases.group = optional cfg.nsswitch "ldap"; + system.nssDatabases.passwd = optional cfg.nsswitch "ldap"; + system.nssDatabases.shadow = optional cfg.nsswitch "ldap"; + users = mkIf cfg.daemon.enable { groups.nslcd = { gid = config.ids.gids.nslcd; diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index dd36696b94d2..4cb7d81c9972 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -8,9 +8,6 @@ let cfg = config.networking; - localhostMapped4 = cfg.hosts ? "127.0.0.1" && elem "localhost" cfg.hosts."127.0.0.1"; - localhostMapped6 = cfg.hosts ? "::1" && elem "localhost" cfg.hosts."::1"; - localhostMultiple = any (elem "localhost") (attrValues (removeAttrs cfg.hosts [ "127.0.0.1" "::1" ])); in @@ -147,12 +144,6 @@ in config = { assertions = [{ - assertion = localhostMapped4; - message = ''`networking.hosts` doesn't map "127.0.0.1" to "localhost"''; - } { - assertion = !cfg.enableIPv6 || localhostMapped6; - message = ''`networking.hosts` doesn't map "::1" to "localhost"''; - } { assertion = !localhostMultiple; message = '' `networking.hosts` maps "localhost" to something other than "127.0.0.1" @@ -161,22 +152,34 @@ in ''; }]; - networking.hosts = { - "127.0.0.1" = [ "localhost" ]; - } // optionalAttrs (cfg.hostName != "") { - "127.0.1.1" = [ cfg.hostName ]; + # These entries are required for "hostname -f" and to resolve both the + # hostname and FQDN correctly: + networking.hosts = let + hostnames = # Note: The FQDN (canonical hostname) has to come first: + optional (cfg.hostName != "" && cfg.domain != null) "${cfg.hostName}.${cfg.domain}" + ++ optional (cfg.hostName != "") cfg.hostName; # Then the hostname (without the domain) + in { + "127.0.0.2" = hostnames; } // optionalAttrs cfg.enableIPv6 { - "::1" = [ "localhost" ]; + "::1" = hostnames; }; networking.hostFiles = let + # Note: localhostHosts has to appear first in /etc/hosts so that 127.0.0.1 + # resolves back to "localhost" (as some applications assume) instead of + # the FQDN! By default "networking.hosts" also contains entries for the + # FQDN so that e.g. "hostname -f" works correctly. + localhostHosts = pkgs.writeText "localhost-hosts" '' + 127.0.0.1 localhost + ${optionalString cfg.enableIPv6 "::1 localhost"} + ''; stringHosts = let oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n"; allToString = set: concatMapStrings (oneToString set) (attrNames set); in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts)); extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts; - in mkBefore [ stringHosts extraHosts ]; + in mkBefore [ localhostHosts stringHosts extraHosts ]; environment.etc = { # /etc/services: TCP/UDP port assignments. @@ -197,7 +200,7 @@ in } // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") { # /etc/rpc: RPC program numbers. - rpc.source = pkgs.glibc.out + "/etc/rpc"; + rpc.source = pkgs.stdenv.cc.libc.out + "/etc/rpc"; }; networking.proxy.envVars = diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 13277fe56e42..d19d35a48906 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -4,43 +4,7 @@ with lib; -let - - # only with nscd up and running we can load NSS modules that are not integrated in NSS - canLoadExternalModules = config.services.nscd.enable; - myhostname = canLoadExternalModules; - mymachines = canLoadExternalModules; - nssmdns = canLoadExternalModules && config.services.avahi.nssmdns; - nsswins = canLoadExternalModules && config.services.samba.nsswins; - ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch); - sssd = canLoadExternalModules && config.services.sssd.enable; - resolved = canLoadExternalModules && config.services.resolved.enable; - googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable; - - hostArray = [ "files" ] - ++ optional mymachines "mymachines" - ++ optional nssmdns "mdns_minimal [NOTFOUND=return]" - ++ optional nsswins "wins" - ++ optional resolved "resolve [!UNAVAIL=return]" - ++ [ "dns" ] - ++ optional nssmdns "mdns" - ++ optional myhostname "myhostname"; - - passwdArray = [ "files" ] - ++ optional sssd "sss" - ++ optional ldap "ldap" - ++ optional mymachines "mymachines" - ++ optional googleOsLogin "cache_oslogin oslogin" - ++ [ "systemd" ]; - - shadowArray = [ "files" ] - ++ optional sssd "sss" - ++ optional ldap "ldap"; - - servicesArray = [ "files" ] - ++ optional sssd "sss"; - -in { +{ options = { # NSS modules. Hacky! @@ -61,56 +25,109 @@ in { }; }; - system.nssHosts = mkOption { - type = types.listOf types.str; - default = []; - example = [ "mdns" ]; - description = '' - List of host entries to configure in <filename>/etc/nsswitch.conf</filename>. - ''; - }; + system.nssDatabases = { + passwd = mkOption { + type = types.listOf types.str; + description = '' + List of passwd entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended while "systemd" is appended if nscd is enabled. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + + group = mkOption { + type = types.listOf types.str; + description = '' + List of group entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended while "systemd" is appended if nscd is enabled. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + + shadow = mkOption { + type = types.listOf types.str; + description = '' + List of shadow entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + hosts = mkOption { + type = types.listOf types.str; + description = '' + List of hosts entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended, and "dns" and "myhostname" are always appended. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + + services = mkOption { + type = types.listOf types.str; + description = '' + List of services entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + }; }; + imports = [ + (mkRenamedOptionModule [ "system" "nssHosts" ] [ "system" "nssDatabases" "hosts" ]) + ]; + config = { assertions = [ { - # generic catch if the NixOS module adding to nssModules does not prevent it with specific message. - assertion = config.system.nssModules.path != "" -> canLoadExternalModules; - message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled."; - } - { - # resolved does not need to add to nssModules, therefore needs an extra assertion - assertion = resolved -> canLoadExternalModules; - message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled."; + # Prevent users from disabling nscd, with nssModules being set. + # If disabling nscd is really necessary, it's still possible to opt out + # by forcing config.system.nssModules to []. + assertion = config.system.nssModules.path != "" -> config.services.nscd.enable; + message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}), requires services.nscd.enable being set to true."; } ]; # Name Service Switch configuration file. Required by the C - # library. !!! Factor out the mdns stuff. The avahi module - # should define an option used by this module. + # library. environment.etc."nsswitch.conf".text = '' - passwd: ${concatStringsSep " " passwdArray} - group: ${concatStringsSep " " passwdArray} - shadow: ${concatStringsSep " " shadowArray} + passwd: ${concatStringsSep " " config.system.nssDatabases.passwd} + group: ${concatStringsSep " " config.system.nssDatabases.group} + shadow: ${concatStringsSep " " config.system.nssDatabases.shadow} - hosts: ${concatStringsSep " " config.system.nssHosts} + hosts: ${concatStringsSep " " config.system.nssDatabases.hosts} networks: files ethers: files - services: ${concatStringsSep " " servicesArray} + services: ${concatStringsSep " " config.system.nssDatabases.services} protocols: files rpc: files ''; - system.nssHosts = hostArray; - - # Systemd provides nss-myhostname to ensure that our hostname - # always resolves to a valid IP address. It returns all locally - # configured IP addresses, or ::1 and 127.0.0.2 as - # fallbacks. Systemd also provides nss-mymachines to return IP - # addresses of local containers. - system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ]) - ++ optional googleOsLogin pkgs.google-compute-engine-oslogin.out; + system.nssDatabases = { + passwd = mkBefore [ "files" ]; + group = mkBefore [ "files" ]; + shadow = mkBefore [ "files" ]; + hosts = mkMerge [ + (mkBefore [ "files" ]) + (mkAfter [ "dns" ]) + ]; + services = mkBefore [ "files" ]; + }; }; } diff --git a/nixos/modules/config/power-management.nix b/nixos/modules/config/power-management.nix index 64cdf50f1413..cc0ff732ffa5 100644 --- a/nixos/modules/config/power-management.nix +++ b/nixos/modules/config/power-management.nix @@ -94,7 +94,7 @@ in after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ]; script = '' - ${config.systemd.package}/bin/systemctl try-restart post-resume.target + /run/current-system/systemd/bin/systemctl try-restart post-resume.target ${cfg.resumeCommands} ${cfg.powerUpCommands} ''; diff --git a/nixos/modules/config/qt5.nix b/nixos/modules/config/qt5.nix index d9dec74f1552..eabba9ad95f0 100644 --- a/nixos/modules/config/qt5.nix +++ b/nixos/modules/config/qt5.nix @@ -6,8 +6,8 @@ let cfg = config.qt5; - isQGnome = cfg.platformTheme == "gnome" && cfg.style == "adwaita"; - isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita"; + isQGnome = cfg.platformTheme == "gnome" && builtins.elem cfg.style ["adwaita" "adwaita-dark"]; + isQtStyle = cfg.platformTheme == "gtk2" && !(builtins.elem cfg.style ["adwaita" "adwaita-dark"]); packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ] else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ] @@ -55,6 +55,7 @@ in style = mkOption { type = types.enum [ "adwaita" + "adwaita-dark" "cleanlooks" "gtk2" "motif" @@ -71,6 +72,7 @@ in <variablelist> <varlistentry> <term><literal>adwaita</literal></term> + <term><literal>adwaita-dark</literal></term> <listitem><para>Use Adwaita Qt style with <link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link> </para></listitem> diff --git a/nixos/modules/config/resolvconf.nix b/nixos/modules/config/resolvconf.nix index cc202bca6c4e..cd0ed491383c 100644 --- a/nixos/modules/config/resolvconf.nix +++ b/nixos/modules/config/resolvconf.nix @@ -21,7 +21,7 @@ let '' + optionalString config.services.nscd.enable '' # Invalidate the nscd cache whenever resolv.conf is # regenerated. - libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null' + libc_restart='/run/current-system/systemd/bin/systemctl try-restart --no-block nscd.service 2> /dev/null' '' + optionalString (length resolvconfOptions > 0) '' # Options as described in resolv.conf(5) resolv_conf_options='${concatStringsSep " " resolvconfOptions}' diff --git a/nixos/modules/config/vte.nix b/nixos/modules/config/vte.nix index d4a8c926fef2..24d32a00fd45 100644 --- a/nixos/modules/config/vte.nix +++ b/nixos/modules/config/vte.nix @@ -16,6 +16,10 @@ in { + meta = { + maintainers = teams.gnome.members; + }; + options = { programs.bash.vteIntegration = mkOption { diff --git a/nixos/modules/config/xdg/autostart.nix b/nixos/modules/config/xdg/autostart.nix index 0ee94fed818b..40984cb5ec53 100644 --- a/nixos/modules/config/xdg/autostart.nix +++ b/nixos/modules/config/xdg/autostart.nix @@ -2,19 +2,23 @@ with lib; { + meta = { + maintainers = teams.freedesktop.members; + }; + options = { xdg.autostart.enable = mkOption { type = types.bool; default = true; description = '' - Whether to install files to support the + Whether to install files to support the <link xlink:href="https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html">XDG Autostart specification</link>. ''; }; }; config = mkIf config.xdg.autostart.enable { - environment.pathsToLink = [ + environment.pathsToLink = [ "/etc/xdg/autostart" ]; }; diff --git a/nixos/modules/config/xdg/icons.nix b/nixos/modules/config/xdg/icons.nix index 4677ce090b0b..c83fdc251ef0 100644 --- a/nixos/modules/config/xdg/icons.nix +++ b/nixos/modules/config/xdg/icons.nix @@ -2,6 +2,10 @@ with lib; { + meta = { + maintainers = teams.freedesktop.members; + }; + options = { xdg.icons.enable = mkOption { type = types.bool; diff --git a/nixos/modules/config/xdg/menus.nix b/nixos/modules/config/xdg/menus.nix index c172692df5d7..6735a7a5c430 100644 --- a/nixos/modules/config/xdg/menus.nix +++ b/nixos/modules/config/xdg/menus.nix @@ -2,19 +2,23 @@ with lib; { + meta = { + maintainers = teams.freedesktop.members; + }; + options = { xdg.menus.enable = mkOption { type = types.bool; default = true; description = '' - Whether to install files to support the + Whether to install files to support the <link xlink:href="https://specifications.freedesktop.org/menu-spec/menu-spec-latest.html">XDG Desktop Menu specification</link>. ''; }; }; config = mkIf config.xdg.menus.enable { - environment.pathsToLink = [ + environment.pathsToLink = [ "/share/applications" "/share/desktop-directories" "/etc/xdg/menus" diff --git a/nixos/modules/config/xdg/mime.nix b/nixos/modules/config/xdg/mime.nix index a5374c2b468d..4cdb3f30994b 100644 --- a/nixos/modules/config/xdg/mime.nix +++ b/nixos/modules/config/xdg/mime.nix @@ -2,6 +2,10 @@ with lib; { + meta = { + maintainers = teams.freedesktop.members; + }; + options = { xdg.mime.enable = mkOption { type = types.bool; diff --git a/nixos/modules/config/xdg/portal.nix b/nixos/modules/config/xdg/portal.nix index 1330a08070c1..3c7cd729c60a 100644 --- a/nixos/modules/config/xdg/portal.nix +++ b/nixos/modules/config/xdg/portal.nix @@ -7,6 +7,10 @@ with lib; (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) ]; + meta = { + maintainers = teams.freedesktop.members; + }; + options.xdg.portal = { enable = mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{ diff --git a/nixos/modules/config/xdg/sounds.nix b/nixos/modules/config/xdg/sounds.nix index 14d6340fc33b..0b94f550929b 100644 --- a/nixos/modules/config/xdg/sounds.nix +++ b/nixos/modules/config/xdg/sounds.nix @@ -2,6 +2,10 @@ with lib; { + meta = { + maintainers = teams.freedesktop.members; + }; + options = { xdg.sounds.enable = mkOption { type = types.bool; diff --git a/nixos/modules/config/zram.nix b/nixos/modules/config/zram.nix index 5d411c73a560..5e9870bf6b1c 100644 --- a/nixos/modules/config/zram.nix +++ b/nixos/modules/config/zram.nix @@ -91,7 +91,7 @@ in }; algorithm = mkOption { - default = "lzo"; + default = "zstd"; example = "lz4"; type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str; description = '' diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 16be8bcfdd7d..b07edb0f6acd 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -51,6 +51,7 @@ in { rtlwifi_new-firmware zd1211fw alsa-firmware + sof-firmware openelec-dvb-firmware ] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [ diff --git a/nixos/modules/hardware/device-tree.nix b/nixos/modules/hardware/device-tree.nix index f57502d4c83e..cf553497c89b 100644 --- a/nixos/modules/hardware/device-tree.nix +++ b/nixos/modules/hardware/device-tree.nix @@ -19,7 +19,7 @@ in { base = mkOption { default = "${config.boot.kernelPackages.kernel}/dtbs"; defaultText = "\${config.boot.kernelPackages.kernel}/dtbs"; - example = literalExample "pkgs.deviceTree_rpi"; + example = literalExample "pkgs.device-tree_rpi"; type = types.path; description = '' The package containing the base device-tree (.dtb) to boot. Contains @@ -30,7 +30,7 @@ in { overlays = mkOption { default = []; example = literalExample - "[\"\${pkgs.deviceTree_rpi.overlays}/w1-gpio.dtbo\"]"; + "[\"\${pkgs.device-tree_rpi.overlays}/w1-gpio.dtbo\"]"; type = types.listOf types.path; description = '' A path containing device tree overlays (.dtbo) to be applied to all diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 28cddea8b79c..061528f4b1b5 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -10,14 +10,6 @@ let videoDrivers = config.services.xserver.videoDrivers; - makePackage = p: pkgs.buildEnv { - name = "mesa-drivers+txc-${p.mesa.version}"; - paths = - [ p.mesa.drivers - (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc) - ]; - }; - package = pkgs.buildEnv { name = "opengl-drivers"; paths = [ cfg.package ] ++ cfg.extraPackages; @@ -34,6 +26,9 @@ in imports = [ (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + (mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] '' + S3TC support is now always enabled in Mesa. + '') ]; options = { @@ -74,17 +69,6 @@ in ''; }; - s3tcSupport = mkOption { - type = types.bool; - default = false; - description = '' - Make S3TC(S3 Texture Compression) via libtxc_dxtn available - to OpenGL drivers instead of the patent-free S2TC replacement. - - Using this library may require a patent license depending on your location. - ''; - }; - package = mkOption { type = types.package; internal = true; @@ -166,8 +150,8 @@ in environment.sessionVariables.LD_LIBRARY_PATH = mkIf cfg.setLdLibraryPath ([ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib"); - hardware.opengl.package = mkDefault (makePackage pkgs); - hardware.opengl.package32 = mkDefault (makePackage pkgs.pkgsi686Linux); + hardware.opengl.package = mkDefault pkgs.mesa.drivers; + hardware.opengl.package32 = mkDefault pkgs.pkgsi686Linux.mesa.drivers; boot.extraModulePackages = optional (elem "virtualbox" videoDrivers) kernelPackages.virtualboxGuestAdditions; }; diff --git a/nixos/modules/hardware/raid/hpsa.nix b/nixos/modules/hardware/raid/hpsa.nix index 4d7af138292c..c4977e3fd70a 100644 --- a/nixos/modules/hardware/raid/hpsa.nix +++ b/nixos/modules/hardware/raid/hpsa.nix @@ -34,7 +34,7 @@ let meta = with lib; { description = "HP Smart Array CLI"; - homepage = https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/; + homepage = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/"; license = licenses.unfreeRedistributable; platforms = [ "x86_64-linux" ]; maintainers = with maintainers; [ volth ]; diff --git a/nixos/modules/hardware/sensor/iio.nix b/nixos/modules/hardware/sensor/iio.nix index a8bc18800021..4c359c3b1725 100644 --- a/nixos/modules/hardware/sensor/iio.nix +++ b/nixos/modules/hardware/sensor/iio.nix @@ -8,7 +8,12 @@ with lib; options = { hardware.sensor.iio = { enable = mkOption { - description = "Enable this option to support IIO sensors."; + description = '' + Enable this option to support IIO sensors. + + IIO sensors are used for orientation and ambient light + sensors on some mobile devices. + ''; type = types.bool; default = false; }; diff --git a/nixos/modules/hardware/uinput.nix b/nixos/modules/hardware/uinput.nix new file mode 100644 index 000000000000..55e86bfa6bdb --- /dev/null +++ b/nixos/modules/hardware/uinput.nix @@ -0,0 +1,19 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.hardware.uinput; +in { + options.hardware.uinput = { + enable = lib.mkEnableOption "uinput support"; + }; + + config = lib.mkIf cfg.enable { + boot.kernelModules = [ "uinput" ]; + + users.groups.uinput = {}; + + services.udev.extraRules = '' + SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput" + ''; + }; +} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 7461e231402a..6328971492c5 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -34,10 +34,12 @@ let enabled = nvidia_x11 != null; cfg = config.hardware.nvidia; + pCfg = cfg.prime; syncCfg = pCfg.sync; offloadCfg = pCfg.offload; primeEnabled = syncCfg.enable || offloadCfg.enable; + nvidiaPersistencedEnabled = cfg.nvidiaPersistenced; in { @@ -50,6 +52,15 @@ in ]; options = { + hardware.nvidia.powerManagement.enable = mkOption { + type = types.bool; + default = false; + description = '' + Experimental power management through systemd. For more information, see + the NVIDIA docs, on Chapter 21. Configuring Power Management Support. + ''; + }; + hardware.nvidia.modesetting.enable = mkOption { type = types.bool; default = false; @@ -129,6 +140,15 @@ in <option>hardware.nvidia.prime.intelBusId</option>). ''; }; + + hardware.nvidia.nvidiaPersistenced = mkOption { + default = false; + type = types.bool; + description = '' + Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all + GPUs stay awake even during headless mode. + ''; + }; }; config = mkIf enabled { @@ -215,6 +235,46 @@ in environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ] ++ filter (p: p != null) [ nvidia_x11.persistenced ]; + systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out; + + systemd.services = let + baseNvidiaService = state: { + description = "NVIDIA system ${state} actions"; + + path = with pkgs; [ kbd ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'"; + }; + }; + + nvidiaService = sleepState: (baseNvidiaService sleepState) // { + before = [ "systemd-${sleepState}.service" ]; + requiredBy = [ "systemd-${sleepState}.service" ]; + }; + + services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"])) + // { + nvidia-resume = (baseNvidiaService "resume") // { + after = [ "systemd-suspend.service" "systemd-hibernate.service" ]; + requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ]; + }; + }; + in optionalAttrs cfg.powerManagement.enable services + // optionalAttrs nvidiaPersistencedEnabled { + "nvidia-persistenced" = mkIf nvidiaPersistencedEnabled { + description = "NVIDIA Persistence Daemon"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "forking"; + Restart = "always"; + PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid"; + ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose"; + ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced"; + }; + }; + }; + systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin" ++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) @@ -227,7 +287,8 @@ in optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ]; # If requested enable modesetting via kernel parameter. - boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"; + boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1" + ++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1"; # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. services.udev.extraRules = diff --git a/nixos/modules/hardware/wooting.nix b/nixos/modules/hardware/wooting.nix new file mode 100644 index 000000000000..ee550cbbf6b8 --- /dev/null +++ b/nixos/modules/hardware/wooting.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + options.hardware.wooting.enable = + mkEnableOption "Enable support for Wooting keyboards"; + + config = mkIf config.hardware.wooting.enable { + environment.systemPackages = [ pkgs.wootility ]; + services.udev.packages = [ pkgs.wooting-udev-rules ]; + }; +} diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix index a3d97619fc45..b4746b21b653 100644 --- a/nixos/modules/i18n/input-method/ibus.nix +++ b/nixos/modules/i18n/input-method/ibus.nix @@ -75,5 +75,9 @@ in QT_IM_MODULE = "ibus"; XMODIFIERS = "@im=ibus"; }; + + xdg.portal.extraPortals = mkIf config.xdg.portal.enable [ + ibusPackage + ]; }; } diff --git a/nixos/modules/installer/cd-dvd/installation-cd-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-base.nix index 24070a786945..6c7ea293e8ac 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix @@ -1,7 +1,7 @@ # This module contains the basic configuration for building a NixOS # installation CD. -{ config, lib, pkgs, ... }: +{ config, lib, options, pkgs, ... }: with lib; @@ -15,11 +15,12 @@ with lib; ../../profiles/installation-device.nix ]; + # Adds terminus_font for people with HiDPI displays + console.packages = options.console.packages.default ++ [ pkgs.terminus_font ]; + # ISO naming. isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso"; - isoImage.volumeID = substring 0 11 "NIXOS_ISO"; - # EFI booting isoImage.makeEfiBootable = true; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 62cbdbcfd17b..3707c4b7ec62 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -7,10 +7,9 @@ with lib; { imports = [ ./installation-cd-graphical-base.nix ]; - services.xserver.desktopManager.gnome3.enable = true; + isoImage.edition = "gnome"; - # Wayland can be problematic for some hardware like Nvidia graphics cards. - services.xserver.displayManager.defaultSession = "gnome-xorg"; + services.xserver.desktopManager.gnome3.enable = true; services.xserver.displayManager.gdm = { enable = true; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix index e00d3f7535b2..e76e06654aca 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix @@ -8,6 +8,8 @@ with lib; { imports = [ ./installation-cd-graphical-base.nix ]; + isoImage.edition = "plasma5"; + services.xserver = { desktopManager.plasma5 = { enable = true; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix index bcdbffdc20b7..97506045e0e1 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix @@ -8,5 +8,7 @@ [ ./installation-cd-base.nix ]; + isoImage.edition = "minimal"; + fonts.fontconfig.enable = false; } diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 4558b4dc9552..cce7cc235ec8 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -417,8 +417,17 @@ in ''; }; + isoImage.edition = mkOption { + default = ""; + description = '' + Specifies which edition string to use in the volume ID of the generated + ISO image. + ''; + }; + isoImage.volumeID = mkOption { - default = "NIXOS_BOOT_CD"; + # nixos-$EDITION-$RELEASE-$ARCH + default = "nixos${optionalString (config.isoImage.edition != "") "-${config.isoImage.edition}"}-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}"; description = '' Specifies the label or volume ID of the generated ISO image. Note that the label is used by stage 1 of the boot process to @@ -474,7 +483,7 @@ in isoImage.efiSplashImage = mkOption { default = pkgs.fetchurl { - url = https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/efi-background.png; + url = "https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/efi-background.png"; sha256 = "18lfwmp8yq923322nlb9gxrh5qikj1wsk6g5qvdh31c4h5b1538x"; }; description = '' @@ -484,7 +493,7 @@ in isoImage.splashImage = mkOption { default = pkgs.fetchurl { - url = https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/isolinux/bios-boot.png; + url = "https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/isolinux/bios-boot.png"; sha256 = "1wp822zrhbg4fgfbwkr7cbkr4labx477209agzc0hr6k62fr6rxd"; }; description = '' @@ -515,6 +524,19 @@ in }; config = { + assertions = [ + { + assertion = !(stringLength config.isoImage.volumeID > 32); + # https://wiki.osdev.org/ISO_9660#The_Primary_Volume_Descriptor + # Volume Identifier can only be 32 bytes + message = let + length = stringLength config.isoImage.volumeID; + howmany = toString length; + toomany = toString (length - 32); + in + "isoImage.volumeID ${config.isoImage.volumeID} is ${howmany} characters. That is ${toomany} characters longer than the limit of 32."; + } + ]; boot.loader.grub.version = 2; diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 2068f27f1c9f..bfd8970d2b2b 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/ddmmzn4ggz1f66lwxjy64n89864yj9w9-nix-2.3.3"; - i686-linux = "/nix/store/5axys7hsggb4282dsbps5k5p0v59yv13-nix-2.3.3"; - aarch64-linux = "/nix/store/k80nwvi19hxwbz3c9cxgp24f1jjxwmcc-nix-2.3.3"; - x86_64-darwin = "/nix/store/lrnvapsqmf0ja6zfyx4cpxr7ahdr7f9b-nix-2.3.3"; + x86_64-linux = "/nix/store/xb0nl3z356n0sfrhswfli2g19a19slys-nix-2.3.5"; + i686-linux = "/nix/store/k8kdd4yy1yap6lai5idyhmzcwsjh1fik-nix-2.3.5"; + aarch64-linux = "/nix/store/dr86cbipxqjcb8pf2k0v8wvw0h0adfpz-nix-2.3.5"; + x86_64-darwin = "/nix/store/n6dqdndkv9kac66kdr988kaiyavl44x8-nix-2.3.5"; } diff --git a/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix b/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix index 90f0702f7173..0c9f8522cc12 100644 --- a/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix +++ b/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix @@ -3,7 +3,12 @@ , networkExpr }: -let nodes = import networkExpr; in +let + nodes = builtins.mapAttrs (vm: module: { + _file = "${networkExpr}@node-${vm}"; + imports = [ module ]; + }) (import networkExpr); +in with import ../../../../lib/testing-python.nix { inherit system; diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 629c56814a16..422c405054d5 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -91,9 +91,6 @@ sub hasCPUFeature { } -# Detect the number of CPU cores. -my $cpus = scalar (grep {/^processor\s*:/} (split '\n', $cpuinfo)); - # Determine CPU governor to use if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") { @@ -183,7 +180,7 @@ sub pciCheck { ) ) { # we need e.g. brcmfmac43602-pcie.bin - push @imports, "<nixpkgs/nixos/modules/hardware/network/broadcom-43xx.nix>"; + push @imports, "(modulesPath + \"/hardware/network/broadcom-43xx.nix\")"; } # Can't rely on $module here, since the module may not be loaded @@ -282,7 +279,7 @@ if ($virt eq "oracle") { # Likewise for QEMU. if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") { - push @imports, "<nixpkgs/nixos/modules/profiles/qemu-guest.nix>"; + push @imports, "(modulesPath + \"/profiles/qemu-guest.nix\")"; } # Also for Hyper-V. @@ -299,7 +296,7 @@ if ($virt eq "systemd-nspawn") { # Provide firmware for devices that are not detected by this script, # unless we're in a VM/container. -push @imports, "<nixpkgs/nixos/modules/installer/scan/not-detected.nix>" +push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")" if $virt eq "none"; @@ -552,7 +549,7 @@ my $hwConfig = <<EOF; # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { imports =${\multiLineList(" ", @imports)}; @@ -562,7 +559,6 @@ my $hwConfig = <<EOF; boot.kernelModules = [$kernelModules ]; boot.extraModulePackages = [$modulePackages ]; $fsAndSwap - nix.maxJobs = lib.mkDefault $cpus; ${\join "", (map { " $_\n" } (uniq @attrs))}} EOF diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index a3ff3fe2c0c1..1bccbbfaf245 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -15,7 +15,6 @@ mountPoint=/mnt channelPath= system= verbosity=() -buildLogs= while [ "$#" -gt 0 ]; do i="$1"; shift 1 @@ -60,9 +59,6 @@ while [ "$#" -gt 0 ]; do -v*|--verbose) verbosity+=("$i") ;; - -L|--print-build-logs) - buildLogs="$i" - ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -91,8 +87,11 @@ if [[ ! -e $NIXOS_CONFIG && -z $system ]]; then fi # A place to drop temporary stuff. +tmpdir="$(mktemp -d -p $mountPoint)" trap "rm -rf $tmpdir" EXIT -tmpdir="$(mktemp -d)" + +# store temporary files on target filesystem by default +export TMPDIR=${TMPDIR:-$tmpdir} sub="auto?trusted=1" @@ -100,9 +99,9 @@ sub="auto?trusted=1" if [[ -z $system ]]; then echo "building the configuration in $NIXOS_CONFIG..." outLink="$tmpdir/system" - nix build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ + nix-build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ --extra-substituters "$sub" \ - -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" ${verbosity[@]} ${buildLogs} + '<nixpkgs/nixos>' -A system -I "nixos-config=$NIXOS_CONFIG" ${verbosity[@]} system=$(readlink -f $outLink) fi diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 833865e99bb3..111286214248 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -42,7 +42,10 @@ let inherit (config.system.nixos-generate-config) configuration; }; - nixos-option = pkgs.callPackage ./nixos-option { }; + nixos-option = + if lib.versionAtLeast (lib.getVersion pkgs.nix) "2.4pre" + then null + else pkgs.callPackage ./nixos-option { }; nixos-version = makeProg { name = "nixos-version"; @@ -108,10 +111,10 @@ in # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. - # i18n = { - # consoleFont = "Lat2-Terminus16"; - # consoleKeyMap = "us"; - # defaultLocale = "en_US.UTF-8"; + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; # }; # Set your time zone. @@ -184,10 +187,9 @@ in nixos-install nixos-rebuild nixos-generate-config - nixos-option nixos-version nixos-enter - ]; + ] ++ lib.optional (nixos-option != null) nixos-option; system.build = { inherit nixos-install nixos-generate-config nixos-option nixos-rebuild nixos-enter; diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index d09afadd6097..7ad4be9a02e6 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -17,6 +17,7 @@ let inherit pkgs config; version = config.system.nixos.release; revision = "release-${version}"; + extraSources = cfg.nixos.extraModuleSources; options = let scrubbedEval = evalModules { @@ -163,6 +164,19 @@ in ''; }; + nixos.extraModuleSources = mkOption { + type = types.listOf (types.either types.path types.str); + default = [ ]; + description = '' + Which extra NixOS module paths the generated NixOS's documentation should strip + from options. + ''; + example = literalExample '' + # e.g. with options from modules in ''${pkgs.customModules}/nix: + [ pkgs.customModules ] + ''; + }; + }; }; @@ -204,9 +218,7 @@ in ++ optionals config.services.xserver.enable [ desktopItem pkgs.nixos-icons ]); services.mingetty.helpLine = mkIf cfg.doc.enable ( - "\nRun `nixos-help` " - + optionalString config.services.nixosManual.showManual "or press <Alt-F${toString config.services.nixosManual.ttyNumber}> " - + "for the NixOS manual." + "\nRun 'nixos-help' for the NixOS manual." ); }) diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 011d493c1538..4f5a9250eaae 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -236,8 +236,8 @@ in let nixosExpectedSystem = if config.nixpkgs.crossSystem != null - then config.nixpkgs.crossSystem.system - else config.nixpkgs.localSystem.system; + then config.nixpkgs.crossSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.crossSystem.config)) + else config.nixpkgs.localSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.localSystem.config)); nixosOption = if config.nixpkgs.crossSystem != null then "nixpkgs.crossSystem" diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 9557def622d8..a6fffb76f6e8 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -76,7 +76,7 @@ in defaultChannel = mkOption { internal = true; type = types.str; - default = https://nixos.org/channels/nixos-unstable; + default = "https://nixos.org/channels/nixos-unstable"; description = "Default NixOS channel to which the root user is subscribed."; }; @@ -109,8 +109,8 @@ in PRETTY_NAME="NixOS ${cfg.release} (${cfg.codeName})" LOGO="nix-snowflake" HOME_URL="https://nixos.org/" - DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html" - SUPPORT_URL="https://nixos.org/nixos/support.html" + DOCUMENTATION_URL="https://nixos.org/learn.html" + SUPPORT_URL="https://nixos.org/community.html" BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues" ''; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 1ff5f5ff0c25..d4e6f753e9f9 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -64,6 +64,8 @@ ./hardware/tuxedo-keyboard.nix ./hardware/usb-wwan.nix ./hardware/onlykey.nix + ./hardware/wooting.nix + ./hardware/uinput.nix ./hardware/video/amdgpu.nix ./hardware/video/amdgpu-pro.nix ./hardware/video/ati.nix @@ -194,11 +196,11 @@ ./security/pam_usb.nix ./security/pam_mount.nix ./security/polkit.nix - ./security/prey.nix ./security/rngd.nix ./security/rtkit.nix ./security/wrappers/default.nix ./security/sudo.nix + ./security/doas.nix ./security/systemd-confinement.nix ./security/tpm2.nix ./services/admin/oxidized.nix @@ -236,6 +238,7 @@ ./services/backup/zfs-replication.nix ./services/backup/znapzend.nix ./services/cluster/hadoop/default.nix + ./services/cluster/k3s/default.nix ./services/cluster/kubernetes/addons/dns.nix ./services/cluster/kubernetes/addons/dashboard.nix ./services/cluster/kubernetes/addon-manager.nix @@ -293,7 +296,6 @@ ./services/desktops/deepin/deepin.nix ./services/desktops/dleyna-renderer.nix ./services/desktops/dleyna-server.nix - ./services/desktops/pantheon/contractor.nix ./services/desktops/pantheon/files.nix ./services/desktops/flatpak.nix ./services/desktops/geoclue2.nix @@ -367,6 +369,7 @@ ./services/hardware/thermald.nix ./services/hardware/undervolt.nix ./services/hardware/vdr.nix + ./services/hardware/xow.nix ./services/logging/SystemdJournal2Gelf.nix ./services/logging/awstats.nix ./services/logging/fluentd.nix @@ -412,6 +415,7 @@ ./services/misc/apache-kafka.nix ./services/misc/autofs.nix ./services/misc/autorandr.nix + ./services/misc/bazarr.nix ./services/misc/beanstalkd.nix ./services/misc/bees.nix ./services/misc/bepasty.nix @@ -468,7 +472,6 @@ ./services/misc/nix-daemon.nix ./services/misc/nix-gc.nix ./services/misc/nix-optimise.nix - ./services/misc/nixos-manual.nix ./services/misc/nix-ssh-serve.nix ./services/misc/novacomd.nix ./services/misc/nzbget.nix @@ -484,7 +487,6 @@ ./services/misc/redmine.nix ./services/misc/rippled.nix ./services/misc/ripple-data-api.nix - ./services/misc/rogue.nix ./services/misc/serviio.nix ./services/misc/safeeyes.nix ./services/misc/sickbeard.nix @@ -545,6 +547,7 @@ ./services/monitoring/teamviewer.nix ./services/monitoring/telegraf.nix ./services/monitoring/thanos.nix + ./services/monitoring/tuptime.nix ./services/monitoring/ups.nix ./services/monitoring/uptime.nix ./services/monitoring/vnstat.nix @@ -603,6 +606,7 @@ ./services/networking/dnsmasq.nix ./services/networking/ejabberd.nix ./services/networking/epmd.nix + ./services/networking/ergo.nix ./services/networking/eternal-terminal.nix ./services/networking/fakeroute.nix ./services/networking/ferm.nix @@ -643,6 +647,7 @@ ./services/networking/lldpd.nix ./services/networking/logmein-hamachi.nix ./services/networking/mailpile.nix + ./services/networking/magic-wormhole-mailbox-server.nix ./services/networking/matterbridge.nix ./services/networking/mjpg-streamer.nix ./services/networking/minidlna.nix @@ -653,6 +658,7 @@ ./services/networking/miredo.nix ./services/networking/mstpd.nix ./services/networking/mtprotoproxy.nix + ./services/networking/mullvad-vpn.nix ./services/networking/murmur.nix ./services/networking/mxisd.nix ./services/networking/namecoind.nix @@ -681,6 +687,7 @@ ./services/networking/ostinato.nix ./services/networking/owamp.nix ./services/networking/pdnsd.nix + ./services/networking/pixiecore.nix ./services/networking/polipo.nix ./services/networking/powerdns.nix ./services/networking/pdns-recursor.nix @@ -691,6 +698,7 @@ ./services/networking/prosody.nix ./services/networking/quagga.nix ./services/networking/quassel.nix + ./services/networking/quorum.nix ./services/networking/quicktun.nix ./services/networking/racoon.nix ./services/networking/radicale.nix @@ -786,6 +794,7 @@ ./services/security/nginx-sso.nix ./services/security/oauth2_proxy.nix ./services/security/oauth2_proxy_nginx.nix + ./services/security/privacyidea.nix ./services/security/physlock.nix ./services/security/shibboleth-sp.nix ./services/security/sks.nix @@ -809,6 +818,7 @@ ./services/torrent/magnetico.nix ./services/torrent/opentracker.nix ./services/torrent/peerflix.nix + ./services/torrent/rtorrent.nix ./services/torrent/transmission.nix ./services/ttys/agetty.nix ./services/ttys/gpm.nix @@ -821,7 +831,9 @@ ./services/web-apps/cryptpad.nix ./services/web-apps/documize.nix ./services/web-apps/dokuwiki.nix + ./services/web-apps/engelsystem.nix ./services/web-apps/frab.nix + ./services/web-apps/gerrit.nix ./services/web-apps/gotify-server.nix ./services/web-apps/grocy.nix ./services/web-apps/icingaweb2/icingaweb2.nix @@ -839,6 +851,7 @@ ./services/web-apps/matomo.nix ./services/web-apps/moinmoin.nix ./services/web-apps/restya-board.nix + ./services/web-apps/sogo.nix ./services/web-apps/tt-rss.nix ./services/web-apps/trac.nix ./services/web-apps/trilium.nix @@ -977,9 +990,10 @@ ./virtualisation/anbox.nix ./virtualisation/container-config.nix ./virtualisation/containers.nix + ./virtualisation/nixos-containers.nix + ./virtualisation/oci-containers.nix ./virtualisation/cri-o.nix ./virtualisation/docker.nix - ./virtualisation/docker-containers.nix ./virtualisation/ecs-agent.nix ./virtualisation/libvirtd.nix ./virtualisation/lxc.nix @@ -990,9 +1004,9 @@ ./virtualisation/kvmgt.nix ./virtualisation/openvswitch.nix ./virtualisation/parallels-guest.nix + ./virtualisation/podman.nix ./virtualisation/qemu-guest-agent.nix ./virtualisation/railcar.nix - ./virtualisation/rkt.nix ./virtualisation/virtualbox-guest.nix ./virtualisation/virtualbox-host.nix ./virtualisation/vmware-guest.nix diff --git a/nixos/modules/profiles/docker-container.nix b/nixos/modules/profiles/docker-container.nix index 5d6b11498b52..183645de36fb 100644 --- a/nixos/modules/profiles/docker-container.nix +++ b/nixos/modules/profiles/docker-container.nix @@ -2,6 +2,8 @@ with lib; +let inherit (pkgs) writeScript; in + let pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l; @@ -30,7 +32,12 @@ in { ]; # Some container managers like lxc need these - extraCommands = "mkdir -p proc sys dev"; + extraCommands = + let script = writeScript "extra-commands.sh" '' + rm etc + mkdir -p proc sys dev etc + ''; + in script; }; boot.isContainer = true; diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index f7b2f5c7fc1e..ef8c0d74f062 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -7,19 +7,20 @@ with lib; { meta = { - maintainers = [ maintainers.joachifm ]; + maintainers = [ maintainers.joachifm maintainers.emily ]; }; boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; nix.allowedUsers = mkDefault [ "@users" ]; + environment.memoryAllocator.provider = mkDefault "scudo"; + environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; + security.hideProcessInformation = mkDefault true; security.lockKernelModules = mkDefault true; - security.allowUserNamespaces = mkDefault false; - security.protectKernelImage = mkDefault true; security.allowSimultaneousMultithreading = mkDefault false; @@ -34,15 +35,9 @@ with lib; # Slab/slub sanity checks, redzoning, and poisoning "slub_debug=FZP" - # Disable slab merging to make certain heap overflow attacks harder - "slab_nomerge" - # Overwrite free'd memory "page_poison=1" - # Disable legacy virtual syscalls - "vsyscall=none" - # Enable page allocator randomization "page_alloc.shuffle=1" ]; @@ -79,38 +74,12 @@ with lib; # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Restrict access to kernel ring buffer (information leaks) - boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; - # Hide kptrs even for processes with CAP_SYSLOG boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; - # Unprivileged access to bpf() has been used for privilege escalation in - # the past - boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true; - # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; - # ... or at least apply some hardening to it - boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true; - - # Raise ASLR entropy for 64bit & 32bit, respectively. - # - # Note: mmap_rnd_compat_bits may not exist on 64bit. - boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; - boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; - - # Allowing users to mmap() memory starting at virtual address 0 can turn a - # NULL dereference bug in the kernel into code execution with elevated - # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory - # space. This breaks applications that require mapping the 0 page, such as - # dosemu or running 16bit applications under wine. It also breaks older - # versions of qemu. - # - # The value is taken from the KSPP recommendations (Debian uses 4096). - boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; - # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; @@ -137,7 +106,4 @@ with lib; # Ignore outgoing ICMP redirects (this is ipv4 only) boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; - - # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability - boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false; } diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 4596e163404c..d05c0c50e82c 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -26,10 +26,6 @@ with lib; # Show the manual. documentation.nixos.enable = mkForce true; - services.nixosManual.showManual = true; - - # Let the user play Rogue on TTY 8 during the installation. - #services.rogue.enable = true; # Use less privileged nixos user users.users.nixos = { diff --git a/nixos/modules/programs/captive-browser.nix b/nixos/modules/programs/captive-browser.nix index 55d474e5c9db..26db16750727 100644 --- a/nixos/modules/programs/captive-browser.nix +++ b/nixos/modules/programs/captive-browser.nix @@ -28,7 +28,7 @@ in browser = mkOption { type = types.str; default = concatStringsSep " " [ ''${pkgs.chromium}/bin/chromium'' - ''--user-data-dir=$HOME/.chromium-captive'' + ''--user-data-dir=''${XDG_DATA_HOME:-$HOME/.local/share}/chromium-captive'' ''--proxy-server="socks5://$PROXY"'' ''--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"'' ''--no-first-run'' diff --git a/nixos/modules/programs/cdemu.nix b/nixos/modules/programs/cdemu.nix index 6a0185d362c5..a59cd93cadfc 100644 --- a/nixos/modules/programs/cdemu.nix +++ b/nixos/modules/programs/cdemu.nix @@ -8,6 +8,7 @@ in { options = { programs.cdemu = { enable = mkOption { + type = types.bool; default = false; description = '' <command>cdemu</command> for members of diff --git a/nixos/modules/programs/chromium.nix b/nixos/modules/programs/chromium.nix index 41c49db8c71c..16c063ebc89d 100644 --- a/nixos/modules/programs/chromium.nix +++ b/nixos/modules/programs/chromium.nix @@ -9,9 +9,7 @@ let HomepageLocation = cfg.homepageLocation; DefaultSearchProviderSearchURL = cfg.defaultSearchProviderSearchURL; DefaultSearchProviderSuggestURL = cfg.defaultSearchProviderSuggestURL; - ExtensionInstallForcelist = map (extension: - "${extension};https://clients2.google.com/service/update2/crx" - ) cfg.extensions; + ExtensionInstallForcelist = cfg.extensions; }; in @@ -28,7 +26,11 @@ in List of chromium extensions to install. For list of plugins ids see id in url of extensions on <link xlink:href="https://chrome.google.com/webstore/category/extensions">chrome web store</link> - page. + page. To install a chromium extension not included in the chrome web + store, append to the extension id a semicolon ";" followed by a URL + pointing to an Update Manifest XML file. See + <link xlink:href="https://www.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist">ExtensionInstallForcelist</link> + for additional details. ''; default = []; example = literalExample '' diff --git a/nixos/modules/programs/criu.nix b/nixos/modules/programs/criu.nix index 48cf5c88a9fc..1714e1331a48 100644 --- a/nixos/modules/programs/criu.nix +++ b/nixos/modules/programs/criu.nix @@ -8,6 +8,7 @@ in { options = { programs.criu = { enable = mkOption { + type = types.bool; default = false; description = '' Install <command>criu</command> along with necessary kernel options. diff --git a/nixos/modules/programs/fish.nix b/nixos/modules/programs/fish.nix index 87f6816e4ac0..48b324a0fe83 100644 --- a/nixos/modules/programs/fish.nix +++ b/nixos/modules/programs/fish.nix @@ -178,6 +178,10 @@ in set -l post (string join0 $fish_complete_path | string match --regex "[^\x00]*generated_completions.*" | string split0 | string match -er ".") set fish_complete_path $prev "/etc/fish/generated_completions" $post end + # prevent fish from generating completions on first run + if not test -d $__fish_user_data_dir/generated_completions + ${pkgs.coreutils}/bin/mkdir $__fish_user_data_dir/generated_completions + end ''; environment.etc."fish/generated_completions".source = diff --git a/nixos/modules/programs/geary.nix b/nixos/modules/programs/geary.nix index 01803bc411e5..5e441a75cb60 100644 --- a/nixos/modules/programs/geary.nix +++ b/nixos/modules/programs/geary.nix @@ -6,6 +6,10 @@ let cfg = config.programs.geary; in { + meta = { + maintainers = teams.gnome.members; + }; + options = { programs.geary.enable = mkEnableOption "Geary, a Mail client for GNOME 3"; }; diff --git a/nixos/modules/programs/gnome-disks.nix b/nixos/modules/programs/gnome-disks.nix index 1cf839a6ddb0..80dc2983ea50 100644 --- a/nixos/modules/programs/gnome-disks.nix +++ b/nixos/modules/programs/gnome-disks.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + # Added 2019-08-09 imports = [ (mkRenamedOptionModule diff --git a/nixos/modules/programs/gnome-documents.nix b/nixos/modules/programs/gnome-documents.nix index bfa3d409ee30..9dd53483055c 100644 --- a/nixos/modules/programs/gnome-documents.nix +++ b/nixos/modules/programs/gnome-documents.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + # Added 2019-08-09 imports = [ (mkRenamedOptionModule diff --git a/nixos/modules/programs/gnome-terminal.nix b/nixos/modules/programs/gnome-terminal.nix index 0036677a1576..f2617e5bc038 100644 --- a/nixos/modules/programs/gnome-terminal.nix +++ b/nixos/modules/programs/gnome-terminal.nix @@ -12,6 +12,10 @@ in { + meta = { + maintainers = teams.gnome.members; + }; + # Added 2019-08-19 imports = [ (mkRenamedOptionModule @@ -20,9 +24,7 @@ in ]; options = { - programs.gnome-terminal.enable = mkEnableOption "GNOME Terminal"; - }; config = mkIf cfg.enable { diff --git a/nixos/modules/programs/nm-applet.nix b/nixos/modules/programs/nm-applet.nix index 1b806071c43c..273a6dec59a5 100644 --- a/nixos/modules/programs/nm-applet.nix +++ b/nixos/modules/programs/nm-applet.nix @@ -1,6 +1,10 @@ { config, lib, pkgs, ... }: { + meta = { + maintainers = lib.teams.freedesktop.members; + }; + options.programs.nm-applet.enable = lib.mkEnableOption "nm-applet"; config = lib.mkIf config.programs.nm-applet.enable { diff --git a/nixos/modules/programs/npm.nix b/nixos/modules/programs/npm.nix index b351d80c7acf..f101a44587a1 100644 --- a/nixos/modules/programs/npm.nix +++ b/nixos/modules/programs/npm.nix @@ -13,7 +13,14 @@ in programs.npm = { enable = mkEnableOption "<command>npm</command> global config"; - npmrc = lib.mkOption { + package = mkOption { + type = types.path; + description = "The npm package version / flavor to use"; + default = pkgs.nodePackages.npm; + example = literalExample "pkgs.nodePackages_13_x.npm"; + }; + + npmrc = mkOption { type = lib.types.lines; description = '' The system-wide npm configuration. @@ -40,7 +47,7 @@ in environment.variables.NPM_CONFIG_GLOBALCONFIG = "/etc/npmrc"; - environment.systemPackages = [ pkgs.nodePackages.npm ]; + environment.systemPackages = [ cfg.package ]; }; } diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix index b27e122bd1d9..6ac64a81fc24 100644 --- a/nixos/modules/programs/singularity.nix +++ b/nixos/modules/programs/singularity.nix @@ -5,8 +5,8 @@ let cfg = config.programs.singularity; singularity = pkgs.singularity.overrideAttrs (attrs : { installPhase = attrs.installPhase + '' - mv $bin/libexec/singularity/bin/starter-suid $bin/libexec/singularity/bin/starter-suid.orig - ln -s /run/wrappers/bin/singularity-suid $bin/libexec/singularity/bin/starter-suid + mv $out/libexec/singularity/bin/starter-suid $out/libexec/singularity/bin/starter-suid.orig + ln -s /run/wrappers/bin/singularity-suid $out/libexec/singularity/bin/starter-suid ''; }); in { diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 80198990ed11..44e65ee8a9a0 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -61,12 +61,9 @@ in ''; }; - # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) pubkeyAcceptedKeyTypes = mkOption { type = types.listOf types.str; - default = [ - "+ssh-dss" - ]; + default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; description = '' Specifies the key types that will be used for public key authentication. @@ -75,9 +72,7 @@ in hostKeyAlgorithms = mkOption { type = types.listOf types.str; - default = [ - "+ssh-dss" - ]; + default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; description = '' Specifies the host key algorithms that the client wants to use in order of preference. diff --git a/nixos/modules/programs/ssmtp.nix b/nixos/modules/programs/ssmtp.nix index f794eac8af00..c7a947393496 100644 --- a/nixos/modules/programs/ssmtp.nix +++ b/nixos/modules/programs/ssmtp.nix @@ -14,8 +14,16 @@ in { imports = [ - (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ]) - (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "directDelivery" ] [ "services" "ssmtp" "enable" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "hostName" ] [ "services" "ssmtp" "hostName" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "domain" ] [ "services" "ssmtp" "domain" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "root" ] [ "services" "ssmtp" "root" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "useTLS" ] [ "services" "ssmtp" "useTLS" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "useSTARTTLS" ] [ "services" "ssmtp" "useSTARTTLS" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "authUser" ] [ "services" "ssmtp" "authUser" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPass" ] [ "services" "ssmtp" "authPass" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPassFile" ] [ "services" "ssmtp" "authPassFile" ]) + (mkRenamedOptionModule [ "networking" "defaultMailServer" "setSendmail" ] [ "services" "ssmtp" "setSendmail" ]) ]; options = { diff --git a/nixos/modules/programs/systemtap.nix b/nixos/modules/programs/systemtap.nix index ca81e018c9dc..360e106678e6 100644 --- a/nixos/modules/programs/systemtap.nix +++ b/nixos/modules/programs/systemtap.nix @@ -8,6 +8,7 @@ in { options = { programs.systemtap = { enable = mkOption { + type = types.bool; default = false; description = '' Install <command>systemtap</command> along with necessary kernel options. diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix index 110570ac3f06..58faf38777d0 100644 --- a/nixos/modules/programs/venus.nix +++ b/nixos/modules/programs/venus.nix @@ -75,7 +75,7 @@ in }; link = mkOption { - default = "http://planet.nixos.org"; + default = "https://planet.nixos.org"; type = types.str; description = '' Link to the main page. diff --git a/nixos/modules/programs/xonsh.nix b/nixos/modules/programs/xonsh.nix index 1590020f7b64..c06fd1655c20 100644 --- a/nixos/modules/programs/xonsh.nix +++ b/nixos/modules/programs/xonsh.nix @@ -45,7 +45,32 @@ in config = mkIf cfg.enable { - environment.etc.xonshrc.text = cfg.config; + environment.etc.xonshrc.text = '' + # /etc/xonshrc: DO NOT EDIT -- this file has been generated automatically. + + + if not ''${...}.get('__NIXOS_SET_ENVIRONMENT_DONE'): + # The NixOS environment and thereby also $PATH + # haven't been fully set up at this point. But + # `source-bash` below requires `bash` to be on $PATH, + # so add an entry with bash's location: + $PATH.add('${pkgs.bash}/bin') + + # Stash xonsh's ls alias, so that we don't get a collision + # with Bash's ls alias from environment.shellAliases: + _ls_alias = aliases.pop('ls', None) + + # Source the NixOS environment config. + source-bash "${config.system.build.setEnvironment}" + + # Restore xonsh's ls alias, overriding that from Bash (if any). + if _ls_alias is not None: + aliases['ls'] = _ls_alias + del _ls_alias + + + ${cfg.config} + ''; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/programs/zsh/oh-my-zsh.nix b/nixos/modules/programs/zsh/oh-my-zsh.nix index 932a780a356a..f24842a47919 100644 --- a/nixos/modules/programs/zsh/oh-my-zsh.nix +++ b/nixos/modules/programs/zsh/oh-my-zsh.nix @@ -39,6 +39,7 @@ in options = { programs.zsh.ohMyZsh = { enable = mkOption { + type = types.bool; default = false; description = '' Enable oh-my-zsh. diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 930cc1987a33..049a315c7622 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -135,6 +135,13 @@ in type = types.bool; }; + enableBashCompletion = mkOption { + default = false; + description = '' + Enable compatibility with bash's programmable completion system. + ''; + type = types.bool; + }; enableGlobalCompInit = mkOption { default = cfg.enableCompletion; @@ -239,6 +246,11 @@ in autoload -U compinit && compinit ''} + ${optionalString cfg.enableBashCompletion '' + # Enable compatibility with bash's completion system. + autoload -U bashcompinit && bashcompinit + ''} + # Setup custom interactive shell init stuff. ${cfge.interactiveShellInit} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 410db8fd84e7..7776c648af8a 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -48,6 +48,11 @@ with lib; systemd-logind API). Instead of using the module you can now simply add the brightnessctl package to environment.systemPackages. '') + (mkRemovedOptionModule [ "virtualisation" "rkt" ] "The rkt module has been removed, it was archived by upstream") + + (mkRemovedOptionModule ["services" "prey" ] '' + prey-bash-client is deprecated upstream + '') # Do NOT add any option renames here, see top of the file ]; diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index b787a7675390..776ef07d716c 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -87,19 +87,19 @@ let default = {}; example = literalExample '' { - "example.org" = "/srv/http/nginx"; + "example.org" = null; "mydomain.org" = null; } ''; description = '' - A list of extra domain names, which are included in the one certificate to be issued, with their - own server roots if needed. + A list of extra domain names, which are included in the one certificate to be issued. + Setting a distinct server root is deprecated and not functional in 20.03+ ''; }; keyType = mkOption { type = types.str; - default = "ec384"; + default = "ec256"; description = '' Key type to use for private keys. For an up to date list of supported values check the --key-type option @@ -250,7 +250,7 @@ in "example.com" = { webroot = "/var/www/challenges/"; email = "foo@example.com"; - extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; + extraDomains = { "www.example.com" = null; "foo.example.com" = null; }; }; "bar.example.com" = { webroot = "/var/www/challenges/"; @@ -301,7 +301,7 @@ in # StateDirectory must be relative, and will be created under /var/lib by systemd lpath = "acme/${cert}"; apath = "/var/lib/${lpath}"; - spath = "/var/lib/acme/.lego"; + spath = "/var/lib/acme/.lego/${cert}"; fileMode = if data.allowKeysForGroup then "640" else "600"; globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ] ++ optionals (cfg.acceptTerms) [ "--accept-tos" ] @@ -318,25 +318,20 @@ in description = "Renew ACME Certificate for ${cert}"; after = [ "network.target" "network-online.target" ]; wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; - # With RemainAfterExit the service is considered active even - # after the main process having exited, which means when it - # gets changed, the activation phase restarts it, meaning - # the permissions of the StateDirectory get adjusted - # according to the specified group - RemainAfterExit = true; User = data.user; Group = data.group; PrivateTmp = true; - StateDirectory = "acme/.lego ${lpath}"; + StateDirectory = "acme/.lego/${cert} acme/.lego/accounts ${lpath}"; StateDirectoryMode = if data.allowKeysForGroup then "750" else "700"; WorkingDirectory = spath; # Only try loading the credentialsFile if the dns challenge is enabled EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null; ExecStart = pkgs.writeScript "acme-start" '' #!${pkgs.runtimeShell} -e + test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts ${pkgs.lego}/bin/lego ${renewOpts} || ${pkgs.lego}/bin/lego ${runOpts} ''; ExecStartPost = @@ -348,7 +343,9 @@ in # Test that existing cert is older than new cert KEY=${spath}/certificates/${keyName}.key + KEY_CHANGED=no if [ -e $KEY -a $KEY -nt key.pem ]; then + KEY_CHANGED=yes cp -p ${spath}/certificates/${keyName}.key key.pem cp -p ${spath}/certificates/${keyName}.crt fullchain.pem cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem @@ -359,7 +356,10 @@ in chmod ${fileMode} *.pem chown '${data.user}:${data.group}' *.pem - ${data.postRun} + if [ "$KEY_CHANGED" = "yes" ]; then + : # noop in case postRun is empty + ${data.postRun} + fi ''; in "+${script}"; @@ -458,7 +458,7 @@ in ]; meta = { - maintainers = with lib.maintainers; [ abbradar fpletz globin m1cr0man ]; + maintainers = lib.teams.acme.members; doc = ./acme.xml; }; } diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index 2b29c1174845..f802faee9749 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml @@ -6,92 +6,249 @@ <title>SSL/TLS Certificates with ACME</title> <para> NixOS supports automatic domain validation & certificate retrieval and - renewal using the ACME protocol. This is currently only implemented by and - for Let's Encrypt. The alternative ACME client <literal>lego</literal> is - used under the hood. + renewal using the ACME protocol. Any provider can be used, but by default + NixOS uses Let's Encrypt. The alternative ACME client <literal>lego</literal> + is used under the hood. + </para> + <para> + Automatic cert validation and configuration for Apache and Nginx virtual + hosts is included in NixOS, however if you would like to generate a wildcard + cert or you are not using a web server you will have to configure DNS + based validation. </para> <section xml:id="module-security-acme-prerequisites"> <title>Prerequisites</title> <para> - You need to have a running HTTP server for verification. The server must - have a webroot defined that can serve + To use the ACME module, you must accept the provider's terms of service + by setting <literal><xref linkend="opt-security.acme.acceptTerms" /></literal> + to <literal>true</literal>. The Let's Encrypt ToS can be found + <link xlink:href="https://letsencrypt.org/repository/">here</link>. + </para> + + <para> + You must also set an email address to be used when creating accounts with + Let's Encrypt. You can set this for all certs with + <literal><xref linkend="opt-security.acme.email" /></literal> + and/or on a per-cert basis with + <literal><xref linkend="opt-security.acme.certs._name_.email" /></literal>. + This address is only used for registration and renewal reminders, + and cannot be used to administer the certificates in any way. + </para> + + <para> + Alternatively, you can use a different ACME server by changing the + <literal><xref linkend="opt-security.acme.server" /></literal> option + to a provider of your choosing, or just change the server for one cert with + <literal><xref linkend="opt-security.acme.certs._name_.server" /></literal>. + </para> + + <para> + You will need an HTTP server or DNS server for verification. For HTTP, + the server must have a webroot defined that can serve <filename>.well-known/acme-challenge</filename>. This directory must be - writeable by the user that will run the ACME client. + writeable by the user that will run the ACME client. For DNS, you must + set up credentials with your provider/server for use with lego. </para> + </section> + <section xml:id="module-security-acme-nginx"> + <title>Using ACME certificates in Nginx</title> <para> - For instance, this generic snippet could be used for Nginx: + NixOS supports fetching ACME certificates for you by setting + <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> + = true;</literal> in a virtualHost config. We first create self-signed + placeholder certificates in place of the real ACME certs. The placeholder + certs are overwritten when the ACME certs arrive. For + <literal>foo.example.com</literal> the config would look like. + </para> + <programlisting> -http { - server { - server_name _; - listen 80; - listen [::]:80; - - location /.well-known/acme-challenge { - root /var/www/challenges; - } +<xref linkend="opt-security.acme.acceptTerms" /> = true; +<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com"; +services.nginx = { + <link linkend="opt-services.nginx.enable">enable</link> = true; + <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { + "foo.example.com" = { + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + # All serverAliases will be added as <link linkend="opt-security.acme.certs._name_.extraDomains">extra domains</link> on the certificate. + <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "bar.example.com" ]; + locations."/" = { + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www"; + }; + }; - location / { - return 301 https://$host$request_uri; - } - } + # We can also add a different vhost and reuse the same certificate + # but we have to append extraDomains manually. + <link linkend="opt-security.acme.certs._name_.extraDomains">security.acme.certs."foo.example.com".extraDomains."baz.example.com"</link> = null; + "baz.example.com" = { + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com"; + locations."/" = { + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www"; + }; + }; + }; } </programlisting> + </section> + <section xml:id="module-security-acme-httpd"> + <title>Using ACME certificates in Apache/httpd</title> + + <para> + Using ACME certificates with Apache virtual hosts is identical + to using them with Nginx. The attribute names are all the same, just replace + "nginx" with "httpd" where appropriate. </para> </section> <section xml:id="module-security-acme-configuring"> - <title>Configuring</title> + <title>Manual configuration of HTTP-01 validation</title> <para> - To enable ACME certificate retrieval & renewal for a certificate for - <literal>foo.example.com</literal>, add the following in your - <filename>configuration.nix</filename>: + First off you will need to set up a virtual host to serve the challenges. + This example uses a vhost called <literal>certs.example.com</literal>, with + the intent that you will generate certs for all your vhosts and redirect + everyone to HTTPS. + </para> + +<programlisting> +<xref linkend="opt-security.acme.acceptTerms" /> = true; +<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com"; +services.nginx = { + <link linkend="opt-services.nginx.enable">enable</link> = true; + <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { + "acmechallenge.example.com" = { + # Catchall vhost, will redirect users to HTTPS for all vhosts + <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ]; + # /var/lib/acme/.challenges must be writable by the ACME user + # and readable by the Nginx user. + # By default, this is the case. + locations."/.well-known/acme-challenge" = { + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/lib/acme/.challenges"; + }; + locations."/" = { + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.return">return</link> = "301 https://$host$request_uri"; + }; + }; + }; +} +# Alternative config for Apache +services.httpd = { + <link linkend="opt-services.httpd.enable">enable = true;</link> + <link linkend="opt-services.httpd.virtualHosts">virtualHosts</link> = { + "acmechallenge.example.com" = { + # Catchall vhost, will redirect users to HTTPS for all vhosts + <link linkend="opt-services.httpd.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ]; + # /var/lib/acme/.challenges must be writable by the ACME user and readable by the Apache user. + # By default, this is the case. + <link linkend="opt-services.httpd.virtualHosts._name_.documentRoot">documentRoot</link> = "/var/lib/acme/.challenges"; + <link linkend="opt-services.httpd.virtualHosts._name_.extraConfig">extraConfig</link> = '' + RewriteEngine On + RewriteCond %{HTTPS} off + RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge [NC] + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301] + ''; + }; + }; +} +</programlisting> + + <para> + Now you need to configure ACME to generate a certificate. + </para> + <programlisting> <xref linkend="opt-security.acme.certs"/>."foo.example.com" = { - <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/challenges"; + <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges"; <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com"; + # Since we have a wildcard vhost to handle port 80, + # we can generate certs for anything! + # Just make sure your DNS resolves them. + <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> = [ "mail.example.com" ]; }; </programlisting> - </para> <para> The private key <filename>key.pem</filename> and certificate <filename>fullchain.pem</filename> will be put into <filename>/var/lib/acme/foo.example.com</filename>. </para> + <para> Refer to <xref linkend="ch-options" /> for all available configuration options for the <link linkend="opt-security.acme.certs">security.acme</link> module. </para> </section> - <section xml:id="module-security-acme-nginx"> - <title>Using ACME certificates in Nginx</title> + <section xml:id="module-security-acme-config-dns"> + <title>Configuring ACME for DNS validation</title> <para> - NixOS supports fetching ACME certificates for you by setting - <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> - = true;</literal> in a virtualHost config. We first create self-signed - placeholder certificates in place of the real ACME certs. The placeholder - certs are overwritten when the ACME certs arrive. For - <literal>foo.example.com</literal> the config would look like. + This is useful if you want to generate a wildcard certificate, since + ACME servers will only hand out wildcard certs over DNS validation. + There a number of supported DNS providers and servers you can utilise, + see the <link xlink:href="https://go-acme.github.io/lego/dns/">lego docs</link> + for provider/server specific configuration values. For the sake of these + docs, we will provide a fully self-hosted example using bind. </para> <programlisting> -services.nginx = { - <link linkend="opt-services.nginx.enable">enable = true;</link> - <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { - "foo.example.com" = { - <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; - <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; - locations."/" = { - <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www"; - }; - }; - }; +services.bind = { + <link linkend="opt-services.bind.enable">enable</link> = true; + <link linkend="opt-services.bind.extraConfig">extraConfig</link> = '' + include "/var/lib/secrets/dnskeys.conf"; + ''; + <link linkend="opt-services.bind.zones">zones</link> = [ + rec { + name = "example.com"; + file = "/var/db/bind/${name}"; + master = true; + extraConfig = "allow-update { key rfc2136key.example.com.; };"; + } + ]; } + +# Now we can configure ACME +<xref linkend="opt-security.acme.acceptTerms" /> = true; +<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com"; +<xref linkend="opt-security.acme.certs" />."example.com" = { + <link linkend="opt-security.acme.certs._name_.domain">domain</link> = "*.example.com"; + <link linkend="opt-security.acme.certs._name_.dnsProvider">dnsProvider</link> = "rfc2136"; + <link linkend="opt-security.acme.certs._name_.credentialsFile">credentialsFile</link> = "/var/lib/secrets/certs.secret"; + # We don't need to wait for propagation since this is a local DNS server + <link linkend="opt-security.acme.certs._name_.dnsPropagationCheck">dnsPropagationCheck</link> = false; +}; </programlisting> + + <para> + The <filename>dnskeys.conf</filename> and <filename>certs.secret</filename> + must be kept secure and thus you should not keep their contents in your + Nix config. Instead, generate them one time with these commands: + </para> + +<programlisting> +mkdir -p /var/lib/secrets +tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf +chown named:root /var/lib/secrets/dnskeys.conf +chmod 400 /var/lib/secrets/dnskeys.conf + +# Copy the secret value from the dnskeys.conf, and put it in +# RFC2136_TSIG_SECRET below + +cat > /var/lib/secrets/certs.secret << EOF +RFC2136_NAMESERVER='127.0.0.1:53' +RFC2136_TSIG_ALGORITHM='hmac-sha256.' +RFC2136_TSIG_KEY='rfc2136key.example.com' +RFC2136_TSIG_SECRET='your secret key' +EOF +chmod 400 /var/lib/secrets/certs.secret +</programlisting> + + <para> + Now you're all set to generate certs! You should monitor the first invokation + by running <literal>systemctl start acme-example.com.service & + journalctl -fu acme-example.com.service</literal> and watching its log output. + </para> </section> </chapter> diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index 3c93f5440ab5..6c479e070e2b 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -9,6 +9,7 @@ with lib; ]; options.security.apparmor.confineSUIDApplications = mkOption { + type = types.bool; default = true; description = '' Install AppArmor profiles for commonly-used SUID application diff --git a/nixos/modules/security/doas.nix b/nixos/modules/security/doas.nix new file mode 100644 index 000000000000..b81f2d0c2d52 --- /dev/null +++ b/nixos/modules/security/doas.nix @@ -0,0 +1,274 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.security.doas; + + inherit (pkgs) doas; + + mkUsrString = user: toString user; + + mkGrpString = group: ":${toString group}"; + + mkOpts = rule: concatStringsSep " " [ + (optionalString rule.noPass "nopass") + (optionalString rule.persist "persist") + (optionalString rule.keepEnv "keepenv") + "setenv { SSH_AUTH_SOCK ${concatStringsSep " " rule.setEnv} }" + ]; + + mkArgs = rule: + if (isNull rule.args) then "" + else if (length rule.args == 0) then "args" + else "args ${concatStringsSep " " rule.args}"; + + mkRule = rule: + let + opts = mkOpts rule; + + as = optionalString (!isNull rule.runAs) "as ${rule.runAs}"; + + cmd = optionalString (!isNull rule.cmd) "cmd ${rule.cmd}"; + + args = mkArgs rule; + in + optionals (length cfg.extraRules > 0) [ + ( + optionalString (length rule.users > 0) + (map (usr: "permit ${opts} ${mkUsrString usr} ${as} ${cmd} ${args}") rule.users) + ) + ( + optionalString (length rule.groups > 0) + (map (grp: "permit ${opts} ${mkGrpString grp} ${as} ${cmd} ${args}") rule.groups) + ) + ]; +in +{ + + ###### interface + + options.security.doas = { + + enable = mkOption { + type = with types; bool; + default = false; + description = '' + Whether to enable the <command>doas</command> command, which allows + non-root users to execute commands as root. + ''; + }; + + wheelNeedsPassword = mkOption { + type = with types; bool; + default = true; + description = '' + Whether users of the <code>wheel</code> group must provide a password to + run commands as super user via <command>doas</command>. + ''; + }; + + extraRules = mkOption { + default = []; + description = '' + Define specific rules to be set in the + <filename>/etc/doas.conf</filename> file. More specific rules should + come after more general ones in order to yield the expected behavior. + You can use <code>mkBefore</code> and/or <code>mkAfter</code> to ensure + this is the case when configuration options are merged. + ''; + example = literalExample '' + [ + # Allow execution of any command by any user in group doas, requiring + # a password and keeping any previously-defined environment variables. + { groups = [ "doas" ]; noPass = false; keepEnv = true; } + + # Allow execution of "/home/root/secret.sh" by user `backup` OR user + # `database` OR any member of the group with GID `1006`, without a + # password. + { users = [ "backup" "database" ]; groups = [ 1006 ]; + cmd = "/home/root/secret.sh"; noPass = true; } + + # Allow any member of group `bar` to run `/home/baz/cmd1.sh` as user + # `foo` with argument `hello-doas`. + { groups = [ "bar" ]; runAs = "foo"; + cmd = "/home/baz/cmd1.sh"; args = [ "hello-doas" ]; } + + # Allow any member of group `bar` to run `/home/baz/cmd2.sh` as user + # `foo` with no arguments. + { groups = [ "bar" ]; runAs = "foo"; + cmd = "/home/baz/cmd2.sh"; args = [ ]; } + + # Allow user `abusers` to execute "nano" and unset the value of + # SSH_AUTH_SOCK, override the value of ALPHA to 1, and inherit the + # value of BETA from the current environment. + { users = [ "abusers" ]; cmd = "nano"; + setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ]; } + ] + ''; + type = with types; listOf ( + submodule { + options = { + + noPass = mkOption { + type = with types; bool; + default = false; + description = '' + If <code>true</code>, the user is not required to enter a + password. + ''; + }; + + persist = mkOption { + type = with types; bool; + default = false; + description = '' + If <code>true</code>, do not ask for a password again for some + time after the user successfully authenticates. + ''; + }; + + keepEnv = mkOption { + type = with types; bool; + default = false; + description = '' + If <code>true</code>, environment variables other than those + listed in + <citerefentry><refentrytitle>doas</refentrytitle><manvolnum>1</manvolnum></citerefentry> + are kept when creating the environment for the new process. + ''; + }; + + setEnv = mkOption { + type = with types; listOf str; + default = []; + description = '' + Keep or set the specified variables. Variables may also be + removed with a leading '-' or set using + <code>variable=value</code>. If the first character of + <code>value</code> is a '$', the value to be set is taken from + the existing environment variable of the indicated name. This + option is processed after the default environment has been + created. + + NOTE: All rules have <code>setenv { SSH_AUTH_SOCK }</code> by + default. To prevent <code>SSH_AUTH_SOCK</code> from being + inherited, add <code>"-SSH_AUTH_SOCK"</code> anywhere in this + list. + ''; + }; + + users = mkOption { + type = with types; listOf (either str int); + default = []; + description = "The usernames / UIDs this rule should apply for."; + }; + + groups = mkOption { + type = with types; listOf (either str int); + default = []; + description = "The groups / GIDs this rule should apply for."; + }; + + runAs = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Which user or group the specified command is allowed to run as. + When set to <code>null</code> (the default), all users are + allowed. + + A user can be specified using just the username: + <code>"foo"</code>. It is also possible to only allow running as + a specific group with <code>":bar"</code>. + ''; + }; + + cmd = mkOption { + type = with types; nullOr str; + default = null; + description = '' + The command the user is allowed to run. When set to + <code>null</code> (the default), all commands are allowed. + + NOTE: It is best practice to specify absolute paths. If a + relative path is specified, only a restricted PATH will be + searched. + ''; + }; + + args = mkOption { + type = with types; nullOr (listOf str); + default = null; + description = '' + Arguments that must be provided to the command. When set to + <code>[]</code>, the command must be run without any arguments. + ''; + }; + }; + } + ); + }; + + extraConfig = mkOption { + type = with types; lines; + default = ""; + description = '' + Extra configuration text appended to <filename>doas.conf</filename>. + ''; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + security.doas.extraRules = mkOrder 600 [ + { + groups = [ "wheel" ]; + noPass = !cfg.wheelNeedsPassword; + } + ]; + + security.wrappers = { + doas.source = "${doas}/bin/doas"; + }; + + environment.systemPackages = [ + doas + ]; + + security.pam.services.doas = { + allowNullPassword = true; + sshAgentAuth = true; + }; + + environment.etc."doas.conf" = { + source = pkgs.runCommand "doas-conf" + { + src = pkgs.writeText "doas-conf-in" '' + # To modify this file, set the NixOS options + # `security.doas.extraRules` or `security.doas.extraConfig`. To + # completely replace the contents of this file, use + # `environment.etc."doas.conf"`. + + # "root" is allowed to do anything. + permit nopass keepenv root + + # extraRules + ${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))} + + # extraConfig + ${cfg.extraConfig} + ''; + preferLocalBuild = true; + } + # Make sure that the doas.conf file is syntactically valid. + "${pkgs.buildPackages.doas}/bin/doas -C $src && cp $src $out"; + mode = "0440"; + }; + + }; + + meta.maintainers = with maintainers; [ cole-h ]; +} diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index c686a6861d0f..71428b82f5da 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -9,8 +9,7 @@ let configFilePam = '' [duo] - ikey=${cfg.ikey} - skey=${cfg.skey} + ikey=${cfg.integrationKey} host=${cfg.host} ${optionalString (cfg.groups != "") ("groups="+cfg.groups)} failmode=${cfg.failmode} @@ -24,26 +23,12 @@ let motd=${boolToStr cfg.motd} accept_env_factor=${boolToStr cfg.acceptEnvFactor} ''; - - loginCfgFile = optionalAttrs cfg.ssh.enable { - "duo/login_duo.conf" = - { source = pkgs.writeText "login_duo.conf" configFileLogin; - mode = "0600"; - user = "sshd"; - }; - }; - - pamCfgFile = optional cfg.pam.enable { - "duo/pam_duo.conf" = - { source = pkgs.writeText "pam_duo.conf" configFilePam; - mode = "0600"; - user = "sshd"; - }; - }; in { imports = [ (mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ]) + (mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ]) + (mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.") ]; options = { @@ -60,14 +45,18 @@ in description = "If enabled, protect logins with Duo Security using PAM support."; }; - ikey = mkOption { + integrationKey = mkOption { type = types.str; description = "Integration key."; }; - skey = mkOption { - type = types.str; - description = "Secret key."; + secretKeyFile = mkOption { + type = types.path; + default = null; + description = '' + A file containing your secret key. The security of your Duo application is tied to the security of your secret key. + ''; + example = "/run/keys/duo-skey"; }; host = mkOption { @@ -195,21 +184,52 @@ in }; config = mkIf (cfg.ssh.enable || cfg.pam.enable) { - environment.systemPackages = [ pkgs.duo-unix ]; - - security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; - environment.etc = loginCfgFile // pamCfgFile; - - /* If PAM *and* SSH are enabled, then don't do anything special. - If PAM isn't used, set the default SSH-only options. */ - services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) ( - if cfg.pam.enable then "UseDNS no" else '' - # Duo Security configuration - ForceCommand ${config.security.wrapperDir}/login_duo - PermitTunnel no - ${optionalString (!cfg.allowTcpForwarding) '' - AllowTcpForwarding no - ''} - ''); + environment.systemPackages = [ pkgs.duo-unix ]; + + security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; + + system.activationScripts = { + login_duo = mkIf cfg.ssh.enable '' + if test -f "${cfg.secretKeyFile}"; then + mkdir -m 0755 -p /etc/duo + + umask 0077 + conf="$(mktemp)" + { + cat ${pkgs.writeText "login_duo.conf" configFileLogin} + printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})" + } >"$conf" + + chown sshd "$conf" + mv -fT "$conf" /etc/duo/login_duo.conf + fi + ''; + pam_duo = mkIf cfg.pam.enable '' + if test -f "${cfg.secretKeyFile}"; then + mkdir -m 0755 -p /etc/duo + + umask 0077 + conf="$(mktemp)" + { + cat ${pkgs.writeText "login_duo.conf" configFilePam} + printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})" + } >"$conf" + + mv -fT "$conf" /etc/duo/pam_duo.conf + fi + ''; + }; + + /* If PAM *and* SSH are enabled, then don't do anything special. + If PAM isn't used, set the default SSH-only options. */ + services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) ( + if cfg.pam.enable then "UseDNS no" else '' + # Duo Security configuration + ForceCommand ${config.security.wrapperDir}/login_duo + PermitTunnel no + ${optionalString (!cfg.allowTcpForwarding) '' + AllowTcpForwarding no + ''} + ''); }; } diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix index 6f9962e1d626..c2889a0f0d1d 100644 --- a/nixos/modules/security/google_oslogin.nix +++ b/nixos/modules/security/google_oslogin.nix @@ -49,6 +49,8 @@ in # enable the nss module, so user lookups etc. work system.nssModules = [ package ]; + system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ]; + system.nssDatabases.group = [ "cache_oslogin" "oslogin" ]; # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable. # So indirect by a symlink. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index bfc2a881387f..e1a94b0121ac 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -54,7 +54,7 @@ let description = '' If set, users listed in <filename>~/.yubico/authorized_yubikeys</filename> - are able to log in with the asociated Yubikey tokens. + are able to log in with the associated Yubikey tokens. ''; }; @@ -219,6 +219,14 @@ let ''; }; + nodelay = mkOption { + default = false; + type = types.bool; + description = '' + Wheather the delay after typing a wrong password should be disabled. + ''; + }; + requireWheel = mkOption { default = false; type = types.bool; @@ -366,7 +374,7 @@ let || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable || cfg.duoSecurity.enable)) '' - auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth + auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth ${optionalString config.security.pam.enableEcryptfs "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ${optionalString cfg.pamMount @@ -382,7 +390,7 @@ let "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"} '') + '' ${optionalString cfg.unixAuth - "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"} + "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"} ${optionalString cfg.otpwAuth "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} ${optionalString use_ldap @@ -545,6 +553,7 @@ in }; security.pam.enableSSHAgentAuth = mkOption { + type = types.bool; default = false; description = '' @@ -555,12 +564,7 @@ in ''; }; - security.pam.enableOTPW = mkOption { - default = false; - description = '' - Enable the OTPW (one-time password) PAM module. - ''; - }; + security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module"; security.pam.u2f = { enable = mkOption { @@ -719,12 +723,7 @@ in }; }; - security.pam.enableEcryptfs = mkOption { - default = false; - description = '' - Enable eCryptfs PAM module (mounting ecryptfs home directory on login). - ''; - }; + security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)"; users.motd = mkOption { default = null; diff --git a/nixos/modules/security/prey.nix b/nixos/modules/security/prey.nix deleted file mode 100644 index b899ccb6c3e2..000000000000 --- a/nixos/modules/security/prey.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.prey; - myPrey = pkgs.prey-bash-client.override { - apiKey = cfg.apiKey; - deviceKey = cfg.deviceKey; - }; -in { - options = { - - services.prey = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enables the <link xlink:href="http://preyproject.com/" /> - shell client. Be sure to specify both API and device keys. - Once enabled, a <command>cron</command> job will run every 15 - minutes to report status information. - ''; - }; - - deviceKey = mkOption { - type = types.str; - description = '' - <literal>Device key</literal> obtained by visiting - <link xlink:href="https://panel.preyproject.com/devices" /> - and clicking on your device. - ''; - }; - - apiKey = mkOption { - type = types.str; - description = '' - <literal>API key</literal> obtained from - <link xlink:href="https://panel.preyproject.com/profile" />. - ''; - }; - }; - - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ myPrey ]; - services.cron.systemCronJobs = [ "*/15 * * * * root ${myPrey}/prey.sh" ]; - }; - -} diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index cd4eb81dbe19..0a400f1d535b 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -160,6 +160,11 @@ in { + " the 'users.users' option instead as this combination is" + " currently not supported."; } + { assertion = !cfg.serviceConfig.ProtectSystem or false; + message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" + + " with service confinement as it fails to remount /usr within" + + " our chroot. Please disable the option."; + } ]) config.systemd.services); config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let diff --git a/nixos/modules/services/amqp/activemq/default.nix b/nixos/modules/services/amqp/activemq/default.nix index 7729da27304b..160dbddcd487 100644 --- a/nixos/modules/services/amqp/activemq/default.nix +++ b/nixos/modules/services/amqp/activemq/default.nix @@ -63,9 +63,11 @@ in { javaProperties = mkOption { type = types.attrs; default = { }; - example = { - "java.net.preferIPv4Stack" = "true"; - }; + example = literalExample '' + { + "java.net.preferIPv4Stack" = "true"; + } + ''; apply = attrs: { "activemq.base" = "${cfg.baseDir}"; "activemq.data" = "${cfg.baseDir}/data"; diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix index f80d6b3f1ba5..646708e01c48 100644 --- a/nixos/modules/services/amqp/rabbitmq.nix +++ b/nixos/modules/services/amqp/rabbitmq.nix @@ -17,6 +17,7 @@ in { options = { services.rabbitmq = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to enable the RabbitMQ server, an Advanced Message diff --git a/nixos/modules/services/audio/mopidy.nix b/nixos/modules/services/audio/mopidy.nix index d30c227db429..6fd7eae5b892 100644 --- a/nixos/modules/services/audio/mopidy.nix +++ b/nixos/modules/services/audio/mopidy.nix @@ -13,11 +13,11 @@ let mopidyEnv = buildEnv { name = "mopidy-with-extensions-${mopidy.version}"; paths = closePropagation cfg.extensionPackages; - pathsToLink = [ "/${python3.sitePackages}" ]; + pathsToLink = [ "/${mopidyPackages.python.sitePackages}" ]; buildInputs = [ makeWrapper ]; postBuild = '' makeWrapper ${mopidy}/bin/mopidy $out/bin/mopidy \ - --prefix PYTHONPATH : $out/${python3.sitePackages} + --prefix PYTHONPATH : $out/${mopidyPackages.python.sitePackages} ''; }; in { diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index e20591b5beb4..f4eb4a265a46 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -18,8 +18,6 @@ let ''} state_file "${cfg.dataDir}/state" sticker_file "${cfg.dataDir}/sticker.sql" - user "${cfg.user}" - group "${cfg.group}" ${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''} ${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''} diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index a2eb80c55a8c..be661b201f0d 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -189,6 +189,7 @@ let in { meta.maintainers = with maintainers; [ dotlambda ]; + meta.doc = ./borgbackup.xml; ###### interface @@ -197,10 +198,11 @@ in { Deduplicating backups using BorgBackup. Adding a job will cause a borg-job-NAME wrapper to be added to your system path, so that you can perform maintenance easily. + See also the chapter about BorgBackup in the NixOS manual. ''; default = { }; example = literalExample '' - { + { # for a local backup rootBackup = { paths = "/"; exclude = [ "/nix" ]; @@ -213,6 +215,23 @@ in { startAt = "weekly"; }; } + { # Root backing each day up to a remote backup server. We assume that you have + # * created a password less key: ssh-keygen -N "" -t ed25519 -f /path/to/ssh_key + # best practices are: use -t ed25519, /path/to = /run/keys + # * the passphrase is in the file /run/keys/borgbackup_passphrase + # * you have initialized the repository manually + paths = [ "/etc" "/home" ]; + exclude = [ "/nix" "'**/.cache'" ]; + doInit = false; + repo = "user3@arep.repo.borgbase.com:repo"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat /path/to/passphrase"; + }; + environment = { BORG_RSH = "ssh -i /path/to/ssh_key"; }; + compression = "auto,lzma"; + startAt = "daily"; + }; ''; type = types.attrsOf (types.submodule (let globalConfig = config; in { name, config, ... }: { @@ -268,6 +287,8 @@ in { <manvolnum>7</manvolnum></citerefentry>. If you do not want the backup to start automatically, use <literal>[ ]</literal>. + It will generate a systemd service borgbackup-job-NAME. + You may trigger it manually via systemctl restart borgbackup-job-NAME. ''; }; @@ -303,6 +324,10 @@ in { you to specify a <option>passCommand</option> or a <option>passphrase</option>. ''; + example = '' + encryption.mode = "repokey-blake2" ; + encryption.passphrase = "mySecretPassphrase" ; + ''; }; encryption.passCommand = mkOption { @@ -538,6 +563,7 @@ in { description = '' Serve BorgBackup repositories to given public SSH keys, restricting their access to the repository only. + See also the chapter about BorgBackup in the NixOS manual. Also, clients do not need to specify the absolute path when accessing the repository, i.e. <literal>user@machine:.</literal> is enough. (Note colon and dot.) ''; diff --git a/nixos/modules/services/backup/borgbackup.xml b/nixos/modules/services/backup/borgbackup.xml new file mode 100644 index 000000000000..bef7db608f82 --- /dev/null +++ b/nixos/modules/services/backup/borgbackup.xml @@ -0,0 +1,227 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-borgbase"> + <title>BorgBackup</title> + <para> + <emphasis>Source:</emphasis> + <filename>modules/services/backup/borgbackup.nix</filename> + </para> + <para> + <emphasis>Upstream documentation:</emphasis> + <link xlink:href="https://borgbackup.readthedocs.io/"/> + </para> + <para> + <link xlink:href="https://www.borgbackup.org/">BorgBackup</link> (short: Borg) + is a deduplicating backup program. Optionally, it supports compression and + authenticated encryption. + </para> + <para> + The main goal of Borg is to provide an efficient and secure way to backup + data. The data deduplication technique used makes Borg suitable for daily + backups since only changes are stored. The authenticated encryption technique + makes it suitable for backups to not fully trusted targets. + </para> + <section xml:id="module-services-backup-borgbackup-configuring"> + <title>Configuring</title> + <para> + A complete list of options for the Borgbase module may be found + <link linkend="opt-services.borgbackup.jobs">here</link>. + </para> +</section> + <section xml:id="opt-services-backup-borgbackup-local-directory"> + <title>Basic usage for a local backup</title> + + <para> + A very basic configuration for backing up to a locally accessible directory + is: +<programlisting> +{ + opt.services.borgbackup.jobs = { + { rootBackup = { + paths = "/"; + exclude = [ "/nix" "/path/to/local/repo" ]; + repo = "/path/to/local/repo"; + doInit = true; + encryption = { + mode = "repokey"; + passphrase = "secret"; + }; + compression = "auto,lzma"; + startAt = "weekly"; + }; + } + }; +}</programlisting> + </para> + <warning> + <para> + If you do not want the passphrase to be stored in the world-readable + Nix store, use passCommand. You find an example below. + </para> + </warning> + </section> +<section xml:id="opt-services-backup-create-server"> + <title>Create a borg backup server</title> + <para>You should use a different SSH key for each repository you write to, + because the specified keys are restricted to running borg serve and can only + access this single repository. You need the output of the generate pub file. + </para> + <para> + <programlisting> +# sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_my_borg_repo +# cat /run/keys/id_ed25519_my_borg_repo +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos</programlisting> + </para> + <para> + Add the following snippet to your NixOS configuration: + <programlisting> +{ + services.borgbackup.repos = { + my_borg_repo = { + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos" + ] ; + path = "/var/lib/my_borg_repo" ; + }; + }; +}</programlisting> + </para> +</section> + + <section xml:id="opt-services-backup-borgbackup-remote-server"> + <title>Backup to the borg repository server</title> + <para>The following NixOS snippet creates an hourly backup to the service + (on the host nixos) as created in the section above. We assume + that you have stored a secret passphrasse in the file + <code>/run/keys/borgbackup_passphrase</code>, which should be only + accessible by root + </para> + <para> + <programlisting> +{ + services.borgbackup.jobs = { + backupToLocalServer = { + paths = [ "/etc/nixos" ]; + doInit = true; + repo = "borg@nixos:." ; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat /run/keys/borgbackup_passphrase"; + }; + environment = { BORG_RSH = "ssh -i /run/keys/id_ed25519_my_borg_repo"; }; + compression = "auto,lzma"; + startAt = "hourly"; + }; + }; +};</programlisting> + </para> + <para>The following few commands (run as root) let you test your backup. + <programlisting> +> nixos-rebuild switch +...restarting the following units: polkit.service +> systemctl restart borgbackup-job-backupToLocalServer +> sleep 10 +> systemctl restart borgbackup-job-backupToLocalServer +> export BORG_PASSPHRASE=topSecrect +> borg list --rsh='ssh -i /run/keys/id_ed25519_my_borg_repo' borg@nixos:. +nixos-backupToLocalServer-2020-03-30T21:46:17 Mon, 2020-03-30 21:46:19 [84feb97710954931ca384182f5f3cb90665f35cef214760abd7350fb064786ac] +nixos-backupToLocalServer-2020-03-30T21:46:30 Mon, 2020-03-30 21:46:32 [e77321694ecd160ca2228611747c6ad1be177d6e0d894538898de7a2621b6e68]</programlisting> + </para> +</section> + + <section xml:id="opt-services-backup-borgbackup-borgbase"> + <title>Backup to a hosting service</title> + + <para> + Several companies offer <link + xlink:href="https://www.borgbackup.org/support/commercial.html">(paid) + hosting services</link> for Borg repositories. + </para> + <para> + To backup your home directory to borgbase you have to: + </para> + <itemizedlist> + <listitem> + <para> + Generate a SSH key without a password, to access the remote server. E.g. + </para> + <para> + <programlisting>sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_borgbase</programlisting> + </para> + </listitem> + <listitem> + <para> + Create the repository on the server by following the instructions for your + hosting server. + </para> + </listitem> + <listitem> + <para> + Initialize the repository on the server. Eg. + <programlisting> +sudo borg init --encryption=repokey-blake2 \ + -rsh "ssh -i /run/keys/id_ed25519_borgbase" \ + zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo</programlisting> + </para> + </listitem> + <listitem> +<para>Add it to your NixOS configuration, e.g. +<programlisting> +{ + services.borgbackup.jobs = { + my_Remote_Backup = { + paths = [ "/" ]; + exclude = [ "/nix" "'**/.cache'" ]; + repo = "zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat /run/keys/borgbackup_passphrase"; + }; + BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase"; + compression = "auto,lzma"; + startAt = "daily"; + }; + }; +}}</programlisting> + </para> + </listitem> +</itemizedlist> + </section> + <section xml:id="opt-services-backup-borgbackup-vorta"> + <title>Vorta backup client for the desktop</title> + <para> + Vorta is a backup client for macOS and Linux desktops. It integrates the + mighty BorgBackup with your desktop environment to protect your data from + disk failure, ransomware and theft. + </para> + <para> + It is available as a flatpak package. To enable it you must set the + following two configuration items. + </para> + <para> + <programlisting> +services.flatpak.enable = true ; +# next line is needed to avoid the Error +# Error deploying: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: +services.accounts-daemon.enable = true; + </programlisting> + </para> + <para>As a normal user you must first install, then run vorta using the + following commands: + <programlisting> +flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak install flathub com.borgbase.Vorta +flatpak run --branch=stable --arch=x86_64 --command=vorta com.borgbase.Vorta +</programlisting> + After running <code>flatpak install</code> you can start Vorta also via + the KDE application menu. + </para> + <para> + Details about using Vorta can be found under <link + xlink:href="https://vorta.borgbase.com/usage">https://vorta.borgbase.com + </link>. + </para> + </section> +</chapter> diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix index f58af82773f3..31d606b141a8 100644 --- a/nixos/modules/services/backup/mysql-backup.nix +++ b/nixos/modules/services/backup/mysql-backup.nix @@ -37,12 +37,7 @@ in services.mysqlBackup = { - enable = mkOption { - default = false; - description = '' - Whether to enable MySQL backups. - ''; - }; + enable = mkEnableOption "MySQL backups"; calendar = mkOption { type = types.str; diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index 580c7ce68f1d..428861a7598a 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -44,12 +44,7 @@ in { options = { services.postgresqlBackup = { - enable = mkOption { - default = false; - description = '' - Whether to enable PostgreSQL dumps. - ''; - }; + enable = mkEnableOption "PostgreSQL dumps"; startAt = mkOption { default = "*-*-* 01:15:00"; diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix index 53787a0182af..fff119c2cf00 100644 --- a/nixos/modules/services/backup/syncoid.nix +++ b/nixos/modules/services/backup/syncoid.nix @@ -138,7 +138,11 @@ in { }; })); default = {}; - example."pool/test".target = "root@target:pool/test"; + example = literalExample '' + { + "pool/test".target = "root@target:pool/test"; + } + ''; description = "Syncoid commands to run."; }; }; diff --git a/nixos/modules/services/backup/znapzend.nix b/nixos/modules/services/backup/znapzend.nix index 203631a577f0..8098617d11f3 100644 --- a/nixos/modules/services/backup/znapzend.nix +++ b/nixos/modules/services/backup/znapzend.nix @@ -268,7 +268,8 @@ let mkSrcAttrs = srcCfg: with srcCfg; { enabled = onOff enable; - mbuffer = with mbuffer; if enable then "${pkgs.mbuffer}/bin/mbuffer" + # mbuffer is not referenced by its full path to accomodate non-NixOS systems or differing mbuffer versions between source and target + mbuffer = with mbuffer; if enable then "mbuffer" + optionalString (port != null) ":${toString port}" else "off"; mbuffer_size = mbuffer.size; post_znap_cmd = nullOff postsnap; @@ -357,6 +358,12 @@ in default = false; }; + features.oracleMode = mkEnableOption '' + Destroy snapshots one by one instead of using one long argument list. + If source and destination are out of sync for a long time, you may have + so many snapshots to destroy that the argument gets is too long and the + command fails. + ''; features.recvu = mkEnableOption '' recvu feature which uses <literal>-u</literal> on the receiving end to keep the destination filesystem unmounted. @@ -372,6 +379,41 @@ in and <citerefentry><refentrytitle>zfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more info. ''; + features.sendRaw = mkEnableOption '' + sendRaw feature which adds the options <literal>-w</literal> to the + <command>zfs send</command> command. For encrypted source datasets this + instructs zfs not to decrypt before sending which results in a remote + backup that can't be read without the encryption key/passphrase, useful + when the remote isn't fully trusted or not physically secure. This + option must be used consistently, raw incrementals cannot be based on + non-raw snapshots and vice versa. + ''; + features.skipIntermediates = mkEnableOption '' + Enable the skipIntermediates feature to send a single increment + between latest common snapshot and the newly made one. It may skip + several source snaps if the destination was offline for some time, and + it should skip snapshots not managed by znapzend. Normally for online + destinations, the new snapshot is sent as soon as it is created on the + source, so there are no automatic increments to skip. + ''; + features.lowmemRecurse = mkEnableOption '' + use lowmemRecurse on systems where you have too many datasets, so a + recursive listing of attributes to find backup plans exhausts the + memory available to <command>znapzend</command>: instead, go the slower + way to first list all impacted dataset names, and then query their + configs one by one. + ''; + features.zfsGetType = mkEnableOption '' + use zfsGetType if your <command>zfs get</command> supports a + <literal>-t</literal> argument for filtering by dataset type at all AND + lists properties for snapshots by default when recursing, so that there + is too much data to process while searching for backup plans. + If these two conditions apply to your system, the time needed for a + <literal>--recursive</literal> search for backup plans can literally + differ by hundreds of times (depending on the amount of snapshots in + that dataset tree... and a decent backup plan will ensure you have a lot + of those), so you would benefit from requesting this feature. + ''; }; }; @@ -423,5 +465,5 @@ in }; }; - meta.maintainers = with maintainers; [ infinisil ]; + meta.maintainers = with maintainers; [ infinisil SlothOfAnarchy ]; } diff --git a/nixos/modules/services/cluster/hadoop/default.nix b/nixos/modules/services/cluster/hadoop/default.nix index f0f5a6ecbfc5..bfb73f683715 100644 --- a/nixos/modules/services/cluster/hadoop/default.nix +++ b/nixos/modules/services/cluster/hadoop/default.nix @@ -7,33 +7,41 @@ with lib; options.services.hadoop = { coreSite = mkOption { default = {}; - example = { - "fs.defaultFS" = "hdfs://localhost"; - }; + example = literalExample '' + { + "fs.defaultFS" = "hdfs://localhost"; + } + ''; description = "Hadoop core-site.xml definition"; }; hdfsSite = mkOption { default = {}; - example = { - "dfs.nameservices" = "namenode1"; - }; + example = literalExample '' + { + "dfs.nameservices" = "namenode1"; + } + ''; description = "Hadoop hdfs-site.xml definition"; }; mapredSite = mkOption { default = {}; - example = { - "mapreduce.map.cpu.vcores" = "1"; - }; + example = literalExample '' + { + "mapreduce.map.cpu.vcores" = "1"; + } + ''; description = "Hadoop mapred-site.xml definition"; }; yarnSite = mkOption { default = {}; - example = { - "yarn.resourcemanager.ha.id" = "resourcemanager1"; - }; + example = literalExample '' + { + "yarn.resourcemanager.ha.id" = "resourcemanager1"; + } + ''; description = "Hadoop yarn-site.xml definition"; }; diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix new file mode 100644 index 000000000000..2e8bf20a68fc --- /dev/null +++ b/nixos/modules/services/cluster/k3s/default.nix @@ -0,0 +1,101 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.k3s; +in +{ + # interface + options.services.k3s = { + enable = mkEnableOption "k3s"; + + package = mkOption { + type = types.package; + default = pkgs.k3s; + defaultText = "pkgs.k3s"; + example = literalExample "pkgs.k3s"; + description = "Package that should be used for k3s"; + }; + + role = mkOption { + description = '' + Whether k3s should run as a server or agent. + Note that the server, by default, also runs as an agent. + ''; + default = "server"; + type = types.enum [ "server" "agent" ]; + }; + + serverAddr = mkOption { + type = types.str; + description = "The k3s server to connect to. This option only makes sense for an agent."; + example = "https://10.0.0.10:6443"; + default = ""; + }; + + token = mkOption { + type = types.str; + description = "The k3s token to use when connecting to the server. This option only makes sense for an agent."; + default = ""; + }; + + docker = mkOption { + type = types.bool; + default = false; + description = "Use docker to run containers rather than the built-in containerd."; + }; + + extraFlags = mkOption { + description = "Extra flags to pass to the k3s command."; + default = ""; + example = "--no-deploy traefik --cluster-cidr 10.24.0.0/16"; + }; + + disableAgent = mkOption { + type = types.bool; + default = false; + description = "Only run the server. This option only makes sense for a server."; + }; + }; + + # implementation + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.role == "agent" -> cfg.serverAddr != ""; + message = "serverAddr should be set if role is 'agent'"; + } + { + assertion = cfg.role == "agent" -> cfg.token != ""; + message = "token should be set if role is 'agent'"; + } + ]; + + virtualisation.docker = mkIf cfg.docker { + enable = mkDefault true; + }; + + systemd.services.k3s = { + description = "k3s service"; + after = mkIf cfg.docker [ "docker.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + # See: https://github.com/rancher/k3s/blob/dddbd16305284ae4bd14c0aade892412310d7edc/install.sh#L197 + Type = if cfg.role == "agent" then "exec" else "notify"; + KillMode = "process"; + Delegate = "yes"; + Restart = "always"; + RestartSec = "5s"; + ExecStart = concatStringsSep " \\\n " ( + [ + "${cfg.package}/bin/k3s ${cfg.role}" + ] ++ (optional cfg.docker "--docker") + ++ (optional cfg.disableAgent "--disable-agent") + ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr} --token ${cfg.token}") + ++ [ cfg.extraFlags ] + ); + }; + }; + }; +} diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index 17f2dde31a71..f55079300b15 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -88,7 +88,7 @@ in services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled (let - name = system:kube-addon-manager; + name = "system:kube-addon-manager"; namespace = "kube-system"; in { diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix index a7edac025384..7becf6240710 100644 --- a/nixos/modules/services/computing/boinc/client.nix +++ b/nixos/modules/services/computing/boinc/client.nix @@ -99,14 +99,16 @@ in environment.systemPackages = [cfg.package]; users.users.boinc = { + group = "boinc"; createHome = false; description = "BOINC Client"; home = cfg.dataDir; isSystemUser = true; }; + users.groups.boinc = {}; systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - boinc - - -" + "d '${cfg.dataDir}' - boinc boinc - -" ]; systemd.services.boinc = { @@ -114,7 +116,7 @@ in after = ["network.target"]; wantedBy = ["multi-user.target"]; script = '' - ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} + ${fhsEnvExecutable} --dir ${cfg.dataDir} ${allowRemoteGuiRpcFlag} ''; serviceConfig = { User = "boinc"; diff --git a/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixos/modules/services/continuous-integration/buildkite-agents.nix index c17d89c387a1..b0045409ae60 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agents.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix @@ -208,8 +208,12 @@ in description = "Buildkite agent user"; extraGroups = [ "keys" ]; isSystemUser = true; + group = "buildkite-agent-${name}"; }; }); + config.users.groups = mapAgents (name: cfg: { + "buildkite-agent-${name}" = {}; + }); config.systemd.services = mapAgents (name: cfg: { "buildkite-agent-${name}" = diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix index 3d307b1abcf8..eacfed85ddff 100644 --- a/nixos/modules/services/continuous-integration/gitlab-runner.nix +++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix @@ -1,151 +1,494 @@ { config, lib, pkgs, ... }: - with lib; - let cfg = config.services.gitlab-runner; - configFile = - if (cfg.configFile == null) then - (pkgs.runCommand "config.toml" { - buildInputs = [ pkgs.remarshal ]; - preferLocalBuild = true; - } '' - remarshal -if json -of toml \ - < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \ - > $out - '') - else - cfg.configFile; hasDocker = config.virtualisation.docker.enable; + hashedServices = with builtins; (mapAttrs' (name: service: nameValuePair + "${name}_${config.networking.hostName}_${ + substring 0 12 + (hashString "md5" (unsafeDiscardStringContext (toJSON service)))}" + service) + cfg.services); + configPath = "$HOME/.gitlab-runner/config.toml"; + configureScript = pkgs.writeShellScriptBin "gitlab-runner-configure" ( + if (cfg.configFile != null) then '' + mkdir -p $(dirname ${configPath}) + cp ${cfg.configFile} ${configPath} + # make config file readable by service + chown -R --reference=$HOME $(dirname ${configPath}) + '' else '' + export CONFIG_FILE=${configPath} + + mkdir -p $(dirname ${configPath}) + + # remove no longer existing services + gitlab-runner verify --delete + + # current and desired state + NEEDED_SERVICES=$(echo ${concatStringsSep " " (attrNames hashedServices)} | tr " " "\n") + REGISTERED_SERVICES=$(gitlab-runner list 2>&1 | grep 'Executor' | awk '{ print $1 }') + + # difference between current and desired state + NEW_SERVICES=$(grep -vxF -f <(echo "$REGISTERED_SERVICES") <(echo "$NEEDED_SERVICES") || true) + OLD_SERVICES=$(grep -vxF -f <(echo "$NEEDED_SERVICES") <(echo "$REGISTERED_SERVICES") || true) + + # register new services + ${concatStringsSep "\n" (mapAttrsToList (name: service: '' + if echo "$NEW_SERVICES" | grep -xq ${name}; then + bash -c ${escapeShellArg (concatStringsSep " \\\n " ([ + "set -a && source ${service.registrationConfigFile} &&" + "gitlab-runner register" + "--non-interactive" + "--name ${name}" + "--executor ${service.executor}" + "--limit ${toString service.limit}" + "--request-concurrency ${toString service.requestConcurrency}" + "--maximum-timeout ${toString service.maximumTimeout}" + ] ++ service.registrationFlags + ++ optional (service.buildsDir != null) + "--builds-dir ${service.buildsDir}" + ++ optional (service.preCloneScript != null) + "--pre-clone-script ${service.preCloneScript}" + ++ optional (service.preBuildScript != null) + "--pre-build-script ${service.preBuildScript}" + ++ optional (service.postBuildScript != null) + "--post-build-script ${service.postBuildScript}" + ++ optional (service.tagList != [ ]) + "--tag-list ${concatStringsSep "," service.tagList}" + ++ optional service.runUntagged + "--run-untagged" + ++ optional service.protected + "--access-level ref_protected" + ++ optional service.debugTraceDisabled + "--debug-trace-disabled" + ++ map (e: "--env ${escapeShellArg e}") (mapAttrsToList (name: value: "${name}=${value}") service.environmentVariables) + ++ optionals (service.executor == "docker") ( + assert ( + assertMsg (service.dockerImage != null) + "dockerImage option is required for docker executor (${name})"); + [ "--docker-image ${service.dockerImage}" ] + ++ optional service.dockerDisableCache + "--docker-disable-cache" + ++ optional service.dockerPrivileged + "--docker-privileged" + ++ map (v: "--docker-volumes ${escapeShellArg v}") service.dockerVolumes + ++ map (v: "--docker-extra-hosts ${escapeShellArg v}") service.dockerExtraHosts + ++ map (v: "--docker-allowed-images ${escapeShellArg v}") service.dockerAllowedImages + ++ map (v: "--docker-allowed-services ${escapeShellArg v}") service.dockerAllowedServices + ) + ))} && sleep 1 + fi + '') hashedServices)} + + # unregister old services + for NAME in $(echo "$OLD_SERVICES") + do + [ ! -z "$NAME" ] && gitlab-runner unregister \ + --name "$NAME" && sleep 1 + done + + # update global options + remarshal --if toml --of json ${configPath} \ + | jq -cM '.check_interval = ${toString cfg.checkInterval} | + .concurrent = ${toString cfg.concurrent}' \ + | remarshal --if json --of toml \ + | sponge ${configPath} + + # make config file readable by service + chown -R --reference=$HOME $(dirname ${configPath}) + ''); + startScript = pkgs.writeShellScriptBin "gitlab-runner-start" '' + export CONFIG_FILE=${configPath} + exec gitlab-runner run --working-directory $HOME + ''; in { options.services.gitlab-runner = { enable = mkEnableOption "Gitlab Runner"; - configFile = mkOption { + type = types.nullOr types.path; default = null; description = '' Configuration file for gitlab-runner. - Use this option in favor of configOptions to avoid placing CI tokens in the nix store. - <option>configFile</option> takes precedence over <option>configOptions</option>. + <option>configFile</option> takes precedence over <option>services</option>. + <option>checkInterval</option> and <option>concurrent</option> will be ignored too. - Warning: Not using <option>configFile</option> will potentially result in secrets - leaking into the WORLD-READABLE nix store. + This option is deprecated, please use <option>services</option> instead. + You can use <option>registrationConfigFile</option> and + <option>registrationFlags</option> + for settings not covered by this module. ''; - type = types.nullOr types.path; }; - - configOptions = mkOption { + checkInterval = mkOption { + type = types.int; + default = 0; + example = literalExample "with lib; (length (attrNames config.services.gitlab-runner.services)) * 3"; description = '' - Configuration for gitlab-runner - <option>configFile</option> will take precedence over this option. - - Warning: all Configuration, especially CI token, will be stored in a - WORLD-READABLE file in the Nix Store. - - If you want to protect your CI token use <option>configFile</option> instead. + Defines the interval length, in seconds, between new jobs check. + The default value is 3; + if set to 0 or lower, the default value will be used. + See <link xlink:href="https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-check_interval-works">runner documentation</link> for more information. + ''; + }; + concurrent = mkOption { + type = types.int; + default = 1; + example = literalExample "config.nix.maxJobs"; + description = '' + Limits how many jobs globally can be run concurrently. + The most upper limit of jobs using all defined runners. + 0 does not mean unlimited. ''; - type = types.attrs; - example = { - concurrent = 2; - runners = [{ - name = "docker-nix-1.11"; - url = "https://CI/"; - token = "TOKEN"; - executor = "docker"; - builds_dir = ""; - docker = { - host = ""; - image = "nixos/nix:1.11"; - privileged = true; - disable_cache = true; - cache_dir = ""; - }; - }]; - }; }; - gracefulTermination = mkOption { - default = false; type = types.bool; + default = false; description = '' - Finish all remaining jobs before stopping, restarting or reconfiguring. - If not set gitlab-runner will stop immediatly without waiting for jobs to finish, - which will lead to failed builds. + Finish all remaining jobs before stopping. + If not set gitlab-runner will stop immediatly without waiting + for jobs to finish, which will lead to failed builds. ''; }; - gracefulTimeout = mkOption { - default = "infinity"; type = types.str; + default = "infinity"; example = "5min 20s"; - description = ''Time to wait until a graceful shutdown is turned into a forceful one.''; - }; - - workDir = mkOption { - default = "/var/lib/gitlab-runner"; - type = types.path; - description = "The working directory used"; + description = '' + Time to wait until a graceful shutdown is turned into a forceful one. + ''; }; - package = mkOption { - description = "Gitlab Runner package to use"; + type = types.package; default = pkgs.gitlab-runner; defaultText = "pkgs.gitlab-runner"; - type = types.package; example = literalExample "pkgs.gitlab-runner_1_11"; + description = "Gitlab Runner package to use."; }; - - packages = mkOption { - default = [ pkgs.bash pkgs.docker-machine ]; - defaultText = "[ pkgs.bash pkgs.docker-machine ]"; + extraPackages = mkOption { type = types.listOf types.package; + default = [ ]; description = '' - Packages to add to PATH for the gitlab-runner process. + Extra packages to add to PATH for the gitlab-runner process. ''; }; + services = mkOption { + description = "GitLab Runner services."; + default = { }; + example = literalExample '' + { + # runner for building in docker via host's nix-daemon + # nix store will be readable in runner, might be insecure + nix = { + # File should contain at least these two variables: + # `CI_SERVER_URL` + # `REGISTRATION_TOKEN` + registrationConfigFile = "/run/secrets/gitlab-runner-registration"; + dockerImage = "alpine"; + dockerVolumes = [ + "/nix/store:/nix/store:ro" + "/nix/var/nix/db:/nix/var/nix/db:ro" + "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" + ]; + dockerDisableCache = true; + preBuildScript = pkgs.writeScript "setup-container" ''' + mkdir -p -m 0755 /nix/var/log/nix/drvs + mkdir -p -m 0755 /nix/var/nix/gcroots + mkdir -p -m 0755 /nix/var/nix/profiles + mkdir -p -m 0755 /nix/var/nix/temproots + mkdir -p -m 0755 /nix/var/nix/userpool + mkdir -p -m 1777 /nix/var/nix/gcroots/per-user + mkdir -p -m 1777 /nix/var/nix/profiles/per-user + mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root + mkdir -p -m 0700 "$HOME/.nix-defexpr" - }; + . ''${pkgs.nix}/etc/profile.d/nix.sh + + ''${pkgs.nix}/bin/nix-env -i ''${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} + + ''${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable + ''${pkgs.nix}/bin/nix-channel --update nixpkgs + '''; + environmentVariables = { + ENV = "/etc/profile"; + USER = "root"; + NIX_REMOTE = "daemon"; + PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; + NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; + }; + tagList = [ "nix" ]; + }; + # runner for building docker images + docker-images = { + # File should contain at least these two variables: + # `CI_SERVER_URL` + # `REGISTRATION_TOKEN` + registrationConfigFile = "/run/secrets/gitlab-runner-registration"; + dockerImage = "docker:stable"; + dockerVolumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + ]; + tagList = [ "docker-images" ]; + }; + # runner for executing stuff on host system (very insecure!) + # make sure to add required packages (including git!) + # to `environment.systemPackages` + shell = { + # File should contain at least these two variables: + # `CI_SERVER_URL` + # `REGISTRATION_TOKEN` + registrationConfigFile = "/run/secrets/gitlab-runner-registration"; + executor = "shell"; + tagList = [ "shell" ]; + }; + # runner for everything else + default = { + # File should contain at least these two variables: + # `CI_SERVER_URL` + # `REGISTRATION_TOKEN` + registrationConfigFile = "/run/secrets/gitlab-runner-registration"; + dockerImage = "debian:stable"; + }; + } + ''; + type = types.attrsOf (types.submodule { + options = { + registrationConfigFile = mkOption { + type = types.path; + description = '' + Absolute path to a file with environment variables + used for gitlab-runner registration. + A list of all supported environment variables can be found in + <literal>gitlab-runner register --help</literal>. + + Ones that you probably want to set is + + <literal>CI_SERVER_URL=<CI server URL></literal> + <literal>REGISTRATION_TOKEN=<registration secret></literal> + ''; + }; + registrationFlags = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "--docker-helper-image my/gitlab-runner-helper" ]; + description = '' + Extra command-line flags passed to + <literal>gitlab-runner register</literal>. + Execute <literal>gitlab-runner register --help</literal> + for a list of supported flags. + ''; + }; + environmentVariables = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { NAME = "value"; }; + description = '' + Custom environment variables injected to build environment. + For secrets you can use <option>registrationConfigFile</option> + with <literal>RUNNER_ENV</literal> variable set. + ''; + }; + executor = mkOption { + type = types.str; + default = "docker"; + description = '' + Select executor, eg. shell, docker, etc. + See <link xlink:href="https://docs.gitlab.com/runner/executors/README.html">runner documentation</link> for more information. + ''; + }; + buildsDir = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/gitlab-runner/builds"; + description = '' + Absolute path to a directory where builds will be stored + in context of selected executor (Locally, Docker, SSH). + ''; + }; + dockerImage = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Docker image to be used. + ''; + }; + dockerVolumes = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "/var/run/docker.sock:/var/run/docker.sock" ]; + description = '' + Bind-mount a volume and create it + if it doesn't exist prior to mounting. + ''; + }; + dockerDisableCache = mkOption { + type = types.bool; + default = false; + description = '' + Disable all container caching. + ''; + }; + dockerPrivileged = mkOption { + type = types.bool; + default = false; + description = '' + Give extended privileges to container. + ''; + }; + dockerExtraHosts = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "other-host:127.0.0.1" ]; + description = '' + Add a custom host-to-IP mapping. + ''; + }; + dockerAllowedImages = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "ruby:*" "python:*" "php:*" "my.registry.tld:5000/*:*" ]; + description = '' + Whitelist allowed images. + ''; + }; + dockerAllowedServices = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "postgres:9" "redis:*" "mysql:*" ]; + description = '' + Whitelist allowed services. + ''; + }; + preCloneScript = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Runner-specific command script executed before code is pulled. + ''; + }; + preBuildScript = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Runner-specific command script executed after code is pulled, + just before build executes. + ''; + }; + postBuildScript = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Runner-specific command script executed after code is pulled + and just after build executes. + ''; + }; + tagList = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Tag list. + ''; + }; + runUntagged = mkOption { + type = types.bool; + default = false; + description = '' + Register to run untagged builds; defaults to + <literal>true</literal> when <option>tagList</option> is empty. + ''; + }; + limit = mkOption { + type = types.int; + default = 0; + description = '' + Limit how many jobs can be handled concurrently by this service. + 0 (default) simply means don't limit. + ''; + }; + requestConcurrency = mkOption { + type = types.int; + default = 0; + description = '' + Limit number of concurrent requests for new jobs from GitLab. + ''; + }; + maximumTimeout = mkOption { + type = types.int; + default = 0; + description = '' + What is the maximum timeout (in seconds) that will be set for + job when using this Runner. 0 (default) simply means don't limit. + ''; + }; + protected = mkOption { + type = types.bool; + default = false; + description = '' + When set to true Runner will only run on pipelines + triggered on protected branches. + ''; + }; + debugTraceDisabled = mkOption { + type = types.bool; + default = false; + description = '' + When set to true Runner will disable the possibility of + using the <literal>CI_DEBUG_TRACE</literal> feature. + ''; + }; + }; + }); + }; + }; config = mkIf cfg.enable { + warnings = optional (cfg.configFile != null) "services.gitlab-runner.`configFile` is deprecated, please use services.gitlab-runner.`services`."; + environment.systemPackages = [ cfg.package ]; systemd.services.gitlab-runner = { - path = cfg.packages; - environment = config.networking.proxy.envVars // { - # Gitlab runner will not start if the HOME variable is not set - HOME = cfg.workDir; - }; description = "Gitlab Runner"; + documentation = [ "https://docs.gitlab.com/runner/" ]; after = [ "network.target" ] ++ optional hasDocker "docker.service"; requires = optional hasDocker "docker.service"; wantedBy = [ "multi-user.target" ]; + environment = config.networking.proxy.envVars // { + HOME = "/var/lib/gitlab-runner"; + }; + path = with pkgs; [ + bash + gawk + jq + moreutils + remarshal + utillinux + cfg.package + ] ++ cfg.extraPackages; + reloadIfChanged = true; serviceConfig = { - ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \ - --working-directory ${cfg.workDir} \ - --config ${configFile} \ - --service gitlab-runner \ - --user gitlab-runner \ - ''; - - } // optionalAttrs (cfg.gracefulTermination) { + # Set `DynamicUser` under `systemd.services.gitlab-runner.serviceConfig` + # to `lib.mkForce false` in your configuration to run this service as root. + # You can also set `User` and `Group` options to run this service as desired user. + # Make sure to restart service or changes won't apply. + DynamicUser = true; + StateDirectory = "gitlab-runner"; + SupplementaryGroups = optional hasDocker "docker"; + ExecStartPre = "!${configureScript}/bin/gitlab-runner-configure"; + ExecStart = "${startScript}/bin/gitlab-runner-start"; + ExecReload = "!${configureScript}/bin/gitlab-runner-configure"; + } // optionalAttrs (cfg.gracefulTermination) { TimeoutStopSec = "${cfg.gracefulTimeout}"; KillSignal = "SIGQUIT"; KillMode = "process"; }; }; - - # Make the gitlab-runner command availabe so users can query the runner - environment.systemPackages = [ cfg.package ]; - - users.users.gitlab-runner = { - group = "gitlab-runner"; - extraGroups = optional hasDocker "docker"; - uid = config.ids.uids.gitlab-runner; - home = cfg.workDir; - createHome = true; - }; - - users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner; + # Enable docker if `docker` executor is used in any service + virtualisation.docker.enable = mkIf ( + any (s: s.executor == "docker") (attrValues cfg.services) + ) (mkDefault true); }; + imports = [ + (mkRenamedOptionModule [ "services" "gitlab-runner" "packages" ] [ "services" "gitlab-runner" "extraPackages" ] ) + (mkRemovedOptionModule [ "services" "gitlab-runner" "configOptions" ] "Use services.gitlab-runner.services option instead" ) + (mkRemovedOptionModule [ "services" "gitlab-runner" "workDir" ] "You should move contents of workDir (if any) to /var/lib/gitlab-runner" ) + ]; } diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix index 8b56207590a1..502a5898a5de 100644 --- a/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixos/modules/services/continuous-integration/hydra/default.nix @@ -37,6 +37,38 @@ let haveLocalDB = cfg.dbi == localDB; + inherit (config.system) stateVersion; + + hydra-package = + let + makeWrapperArgs = concatStringsSep " " (mapAttrsToList (key: value: "--set \"${key}\" \"${value}\"") hydraEnv); + in pkgs.buildEnv rec { + name = "hydra-env"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ cfg.package ]; + + postBuild = '' + if [ -L "$out/bin" ]; then + unlink "$out/bin" + fi + mkdir -p "$out/bin" + + for path in ${concatStringsSep " " paths}; do + if [ -d "$path/bin" ]; then + cd "$path/bin" + for prg in *; do + if [ -f "$prg" ]; then + rm -f "$out/bin/$prg" + if [ -x "$prg" ]; then + makeWrapper "$path/bin/$prg" "$out/bin/$prg" ${makeWrapperArgs} + fi + fi + done + fi + done + ''; + }; + in { @@ -63,8 +95,7 @@ in }; package = mkOption { - type = types.path; - default = pkgs.hydra; + type = types.package; defaultText = "pkgs.hydra"; description = "The Hydra package."; }; @@ -194,6 +225,34 @@ in config = mkIf cfg.enable { + warnings = optional (cfg.package.migration or false) '' + You're currently deploying an older version of Hydra which is needed to + make some required database changes[1]. As soon as this is done, it's recommended + to run `hydra-backfill-ids` and set `services.hydra.package` to `pkgs.hydra-unstable` + after that. + + [1] https://github.com/NixOS/hydra/pull/711 + ''; + + services.hydra.package = with pkgs; + mkDefault ( + if pkgs ? hydra + then throw '' + The Hydra package doesn't exist anymore in `nixpkgs`! It probably exists + due to an overlay. To upgrade Hydra, you need to take two steps as some + bigger changes in the database schema were implemented recently[1]. You first + need to deploy `pkgs.hydra-migration`, run `hydra-backfill-ids` on the server + and then deploy `pkgs.hydra-unstable`. + + If you want to use `pkgs.hydra` from your overlay, please set `services.hydra.package` + explicitly to `pkgs.hydra` and make sure you know what you're doing. + + [1] https://github.com/NixOS/hydra/pull/711 + '' + else if versionOlder stateVersion "20.03" then hydra-migration + else hydra-unstable + ); + users.groups.hydra = { gid = config.ids.gids.hydra; }; @@ -237,7 +296,7 @@ in use-substitutes = ${if cfg.useSubstitutes then "1" else "0"} ''; - environment.systemPackages = [ cfg.package ]; + environment.systemPackages = [ hydra-package ]; environment.variables = hydraEnv; @@ -298,7 +357,7 @@ in chown hydra.hydra ${cfg.gcRootsDir} chmod 2775 ${cfg.gcRootsDir} ''; - serviceConfig.ExecStart = "${cfg.package}/bin/hydra-init"; + serviceConfig.ExecStart = "${hydra-package}/bin/hydra-init"; serviceConfig.PermissionsStartOnly = true; serviceConfig.User = "hydra"; serviceConfig.Type = "oneshot"; @@ -313,7 +372,7 @@ in restartTriggers = [ hydraConf ]; serviceConfig = { ExecStart = - "@${cfg.package}/bin/hydra-server hydra-server -f -h '${cfg.listenHost}' " + "@${hydra-package}/bin/hydra-server hydra-server -f -h '${cfg.listenHost}' " + "-p ${toString cfg.port} --max_spare_servers 5 --max_servers 25 " + "--max_requests 100 ${optionalString cfg.debugServer "-d"}"; User = "hydra-www"; @@ -326,15 +385,15 @@ in { wantedBy = [ "multi-user.target" ]; requires = [ "hydra-init.service" ]; after = [ "hydra-init.service" "network.target" ]; - path = [ cfg.package pkgs.nettools pkgs.openssh pkgs.bzip2 config.nix.package ]; + path = [ hydra-package pkgs.nettools pkgs.openssh pkgs.bzip2 config.nix.package ]; restartTriggers = [ hydraConf ]; environment = env // { PGPASSFILE = "${baseDir}/pgpass-queue-runner"; # grrr IN_SYSTEMD = "1"; # to get log severity levels }; serviceConfig = - { ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v"; - ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock"; + { ExecStart = "@${hydra-package}/bin/hydra-queue-runner hydra-queue-runner -v"; + ExecStopPost = "${hydra-package}/bin/hydra-queue-runner --unlock"; User = "hydra-queue-runner"; Restart = "always"; @@ -348,11 +407,11 @@ in { wantedBy = [ "multi-user.target" ]; requires = [ "hydra-init.service" ]; after = [ "hydra-init.service" "network.target" ]; - path = with pkgs; [ cfg.package nettools jq ]; + path = with pkgs; [ hydra-package nettools jq ]; restartTriggers = [ hydraConf ]; environment = env; serviceConfig = - { ExecStart = "@${cfg.package}/bin/hydra-evaluator hydra-evaluator"; + { ExecStart = "@${hydra-package}/bin/hydra-evaluator hydra-evaluator"; User = "hydra"; Restart = "always"; WorkingDirectory = baseDir; @@ -364,7 +423,7 @@ in after = [ "hydra-init.service" ]; environment = env; serviceConfig = - { ExecStart = "@${cfg.package}/bin/hydra-update-gc-roots hydra-update-gc-roots"; + { ExecStart = "@${hydra-package}/bin/hydra-update-gc-roots hydra-update-gc-roots"; User = "hydra"; }; startAt = "2,14:15"; @@ -375,7 +434,7 @@ in after = [ "hydra-init.service" ]; environment = env; serviceConfig = - { ExecStart = "@${cfg.package}/bin/hydra-send-stats hydra-send-stats"; + { ExecStart = "@${hydra-package}/bin/hydra-send-stats hydra-send-stats"; User = "hydra"; }; }; @@ -389,7 +448,7 @@ in PGPASSFILE = "${baseDir}/pgpass-queue-runner"; }; serviceConfig = - { ExecStart = "@${cfg.package}/bin/hydra-notify hydra-notify"; + { ExecStart = "@${hydra-package}/bin/hydra-notify hydra-notify"; # FIXME: run this under a less privileged user? User = "hydra-queue-runner"; Restart = "always"; diff --git a/nixos/modules/services/databases/clickhouse.nix b/nixos/modules/services/databases/clickhouse.nix index dbabcae43ee5..27440fec4e10 100644 --- a/nixos/modules/services/databases/clickhouse.nix +++ b/nixos/modules/services/databases/clickhouse.nix @@ -11,10 +11,7 @@ with lib; services.clickhouse = { - enable = mkOption { - default = false; - description = "Whether to enable ClickHouse database server."; - }; + enable = mkEnableOption "ClickHouse database server"; }; diff --git a/nixos/modules/services/databases/cockroachdb.nix b/nixos/modules/services/databases/cockroachdb.nix index b6f94a4881a0..35fb46d69d8e 100644 --- a/nixos/modules/services/databases/cockroachdb.nix +++ b/nixos/modules/services/databases/cockroachdb.nix @@ -153,7 +153,7 @@ in defaultText = "pkgs.cockroachdb"; description = '' The CockroachDB derivation to use for running the service. - + This would primarily be useful to enable Enterprise Edition features in your own custom CockroachDB build (Nixpkgs CockroachDB binaries only contain open source features and open source code). diff --git a/nixos/modules/services/databases/firebird.nix b/nixos/modules/services/databases/firebird.nix index 042c9841df54..95837aa1cea6 100644 --- a/nixos/modules/services/databases/firebird.nix +++ b/nixos/modules/services/databases/firebird.nix @@ -40,12 +40,7 @@ in services.firebird = { - enable = mkOption { - default = false; - description = '' - Whether to enable the Firebird super server. - ''; - }; + enable = mkEnableOption "the Firebird super server"; package = mkOption { default = pkgs.firebirdSuper; diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix index 89ff957babf5..f54bb6cc9b18 100644 --- a/nixos/modules/services/databases/memcached.nix +++ b/nixos/modules/services/databases/memcached.nix @@ -18,12 +18,7 @@ in services.memcached = { - enable = mkOption { - default = false; - description = " - Whether to enable Memcached. - "; - }; + enable = mkEnableOption "Memcached"; user = mkOption { default = "memcached"; diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix index 12879afed477..4453a182990d 100644 --- a/nixos/modules/services/databases/mongodb.nix +++ b/nixos/modules/services/databases/mongodb.nix @@ -29,12 +29,7 @@ in services.mongodb = { - enable = mkOption { - default = false; - description = " - Whether to enable the MongoDB server. - "; - }; + enable = mkEnableOption "the MongoDB server"; package = mkOption { default = pkgs.mongodb; diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 248bf0ebc915..51885881cf73 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -10,16 +10,8 @@ let isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb; - isMysqlAtLeast57 = - (lib.getName mysql == lib.getName pkgs.mysql57) - && (builtins.compareVersions mysql.version "5.7" >= 0); - mysqldOptions = "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}"; - # For MySQL 5.7+, --insecure creates the root user without password - # (earlier versions and MariaDB do this by default). - installOptions = - "${mysqldOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}"; settingsFile = pkgs.writeText "my.cnf" ( generators.toINI { listsAsDuplicateKeys = true; } cfg.settings + @@ -40,13 +32,7 @@ in services.mysql = { - enable = mkOption { - type = types.bool; - default = false; - description = " - Whether to enable the MySQL server. - "; - }; + enable = mkEnableOption "MySQL server"; package = mkOption { type = types.package; @@ -95,7 +81,6 @@ in datadir = /var/lib/mysql bind-address = 127.0.0.1 port = 3336 - plugin-load-add = auth_socket.so !includedir /etc/mysql/conf.d/ '''; @@ -323,13 +308,16 @@ in datadir = cfg.dataDir; bind-address = mkIf (cfg.bind != null) cfg.bind; port = cfg.port; - plugin-load-add = optional (cfg.ensureUsers != []) "auth_socket.so"; } (mkIf (cfg.replication.role == "master" || cfg.replication.role == "slave") { log-bin = "mysql-bin-${toString cfg.replication.serverId}"; log-bin-index = "mysql-bin-${toString cfg.replication.serverId}.index"; relay-log = "mysql-relay-bin"; server-id = cfg.replication.serverId; + binlog-ignore-db = [ "information_schema" "performance_schema" "mysql" ]; + }) + (mkIf (!isMariaDB) { + plugin-load-add = optional (cfg.ensureUsers != []) "auth_socket.so"; }) ]; @@ -366,9 +354,14 @@ in pkgs.nettools ]; - preStart = '' + preStart = if isMariaDB then '' + if ! test -e ${cfg.dataDir}/mysql; then + ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions} + touch /tmp/mysql_init + fi + '' else '' if ! test -e ${cfg.dataDir}/mysql; then - ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions} + ${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure touch /tmp/mysql_init fi ''; @@ -447,7 +440,6 @@ in ( echo "stop slave;" echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';" - echo "set global slave_exec_mode='IDEMPOTENT';" echo "start slave;" ) | ${mysql}/bin/mysql -u root -N ''} diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 809f61cfa818..8c2851c37ac2 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -231,6 +231,10 @@ in }; + meta = { + maintainers = lib.maintainers.mic92; + }; + ###### implementation diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 0b79a996dc78..579b6a4d9c67 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -17,6 +17,7 @@ let hba_file = '${pkgs.writeText "pg_hba.conf" cfg.authentication}' ident_file = '${pkgs.writeText "pg_ident.conf" cfg.identMap}' log_destination = 'stderr' + log_line_prefix = '${cfg.logLinePrefix}' listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}' port = ${toString cfg.port} ${cfg.extraConfig} @@ -34,13 +35,7 @@ in services.postgresql = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to run PostgreSQL. - ''; - }; + enable = mkEnableOption "PostgreSQL Server"; package = mkOption { type = types.package; @@ -192,6 +187,17 @@ in ''; }; + logLinePrefix = mkOption { + type = types.str; + default = "[%p] "; + example = "%m [%p] "; + description = '' + A printf-style string that is output at the beginning of each log line. + Upstream default is <literal>'%m [%p] '</literal>, i.e. it includes the timestamp. We do + not include the timestamp, because journal has it anyway. + ''; + }; + extraPlugins = mkOption { type = types.listOf types.path; default = []; @@ -337,7 +343,7 @@ in # Wait for PostgreSQL to be ready to accept connections. postStart = '' - PSQL="${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port}" + PSQL="${pkgs.utillinux}/bin/runuser -u ${cfg.superUser} -- psql --port=${toString cfg.port}" while ! $PSQL -d postgres -c "" 2> /dev/null; do if ! kill -0 "$MAINPID"; then exit 1; fi diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml index 72d4a8249a32..07af4c937f03 100644 --- a/nixos/modules/services/databases/postgresql.xml +++ b/nixos/modules/services/databases/postgresql.xml @@ -7,12 +7,10 @@ <!-- FIXME: render nicely --> <!-- FIXME: source can be added automatically --> <para> - <emphasis>Source:</emphasis> - <filename>modules/services/databases/postgresql.nix</filename> + <emphasis>Source:</emphasis> <filename>modules/services/databases/postgresql.nix</filename> </para> <para> - <emphasis>Upstream documentation:</emphasis> - <link xlink:href="http://www.postgresql.org/docs/"/> + <emphasis>Upstream documentation:</emphasis> <link xlink:href="http://www.postgresql.org/docs/"/> </para> <!-- FIXME: more stuff, like maintainer? --> <para> @@ -23,18 +21,12 @@ <title>Configuring</title> <para> - To enable PostgreSQL, add the following to your - <filename>configuration.nix</filename>: + To enable PostgreSQL, add the following to your <filename>configuration.nix</filename>: <programlisting> <xref linkend="opt-services.postgresql.enable"/> = true; <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11; </programlisting> - Note that you are required to specify the desired version of PostgreSQL - (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your - PostgreSQL version requires a database dump and reload (see below), NixOS - cannot provide a default value for - <xref linkend="opt-services.postgresql.package"/> such as the most recent - release of PostgreSQL. + Note that you are required to specify the desired version of PostgreSQL (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for <xref linkend="opt-services.postgresql.package"/> such as the most recent release of PostgreSQL. </para> <!-- @@ -51,9 +43,7 @@ Type "help" for help. --> <para> - By default, PostgreSQL stores its databases in - <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using - <xref linkend="opt-services.postgresql.dataDir"/>, e.g. + By default, PostgreSQL stores its databases in <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using <xref linkend="opt-services.postgresql.dataDir"/>, e.g. <programlisting> <xref linkend="opt-services.postgresql.dataDir"/> = "/data/postgresql"; </programlisting> @@ -63,25 +53,83 @@ Type "help" for help. <title>Upgrading</title> <para> - FIXME: document dump/upgrade/load cycle. + Major PostgreSQL upgrade requires PostgreSQL downtime and a few imperative steps to be called. To simplify this process, use the following NixOS module: +<programlisting> + containers.temp-pg.config.services.postgresql = { + enable = true; + package = pkgs.postgresql_12; + ## set a custom new dataDir + # dataDir = "/some/data/dir"; + }; + environment.systemPackages = + let newpg = config.containers.temp-pg.config.services.postgresql; + in [ + (pkgs.writeScriptBin "upgrade-pg-cluster" '' + set -x + export OLDDATA="${config.services.postgresql.dataDir}" + export NEWDATA="${newpg.dataDir}" + export OLDBIN="${config.services.postgresql.package}/bin" + export NEWBIN="${newpg.package}/bin" + + install -d -m 0700 -o postgres -g postgres "$NEWDATA" + cd "$NEWDATA" + sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" + + systemctl stop postgresql # old one + + sudo -u postgres $NEWBIN/pg_upgrade \ + --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \ + --old-bindir $OLDBIN --new-bindir $NEWBIN \ + "$@" + '') + ]; +</programlisting> </para> + + <para> + The upgrade process is: + </para> + + <orderedlist> + <listitem> + <para> + Rebuild nixos configuration with the configuration above added to your <filename>configuration.nix</filename>. Alternatively, add that into separate file and reference it in <literal>imports</literal> list. + </para> + </listitem> + <listitem> + <para> + Login as root (<literal>sudo su -</literal>) + </para> + </listitem> + <listitem> + <para> + Run <literal>upgrade-pg-cluster</literal>. It will stop old postgresql, initialize new one and migrate old one to new one. You may supply arguments like <literal>--jobs 4</literal> and <literal>--link</literal> to speedup migration process. See <link xlink:href="https://www.postgresql.org/docs/current/pgupgrade.html" /> for details. + </para> + </listitem> + <listitem> + <para> + Change postgresql package in NixOS configuration to the one you were upgrading to, and change <literal>dataDir</literal> to the one you have migrated to. Rebuild NixOS. This should start new postgres using upgraded data directory. + </para> + </listitem> + <listitem> + <para> + After upgrade you may want to <literal>ANALYZE</literal> new db. + </para> + </listitem> + </orderedlist> </section> <section xml:id="module-services-postgres-options"> <title>Options</title> <para> - A complete list of options for the PostgreSQL module may be found - <link linkend="opt-services.postgresql.enable">here</link>. + A complete list of options for the PostgreSQL module may be found <link linkend="opt-services.postgresql.enable">here</link>. </para> </section> <section xml:id="module-services-postgres-plugins"> <title>Plugins</title> <para> - Plugins collection for each PostgreSQL version can be accessed with - <literal>.pkgs</literal>. For example, for - <literal>pkgs.postgresql_11</literal> package, its plugin collection is - accessed by <literal>pkgs.postgresql_11.pkgs</literal>: + Plugins collection for each PostgreSQL version can be accessed with <literal>.pkgs</literal>. For example, for <literal>pkgs.postgresql_11</literal> package, its plugin collection is accessed by <literal>pkgs.postgresql_11.pkgs</literal>: <screen> <prompt>$ </prompt>nix repl '<nixpkgs>' @@ -98,8 +146,9 @@ postgresql_11.pkgs.pg_partman postgresql_11.pkgs.pgroonga ... </screen> </para> + <para> - To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>: + To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>: <programlisting> <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11; <xref linkend="opt-services.postgresql.extraPlugins"/> = with pkgs.postgresql_11.pkgs; [ @@ -108,10 +157,9 @@ postgresql_11.pkgs.pg_partman postgresql_11.pkgs.pgroonga ]; </programlisting> </para> + <para> - You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using - function <literal>.withPackages</literal>. For example, creating a custom - PostgreSQL package in an overlay can look like: + You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function <literal>.withPackages</literal>. For example, creating a custom PostgreSQL package in an overlay can look like: <programlisting> self: super: { postgresql_custom = self.postgresql_11.withPackages (ps: [ @@ -121,8 +169,9 @@ self: super: { } </programlisting> </para> + <para> - Here's a recipe on how to override a particular plugin through an overlay: + Here's a recipe on how to override a particular plugin through an overlay: <programlisting> self: super: { postgresql_11 = super.postgresql_11.override { this = self.postgresql_11; } // { diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 5c817422aae5..799c3db62166 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -11,12 +11,11 @@ let port ${toString cfg.port} ${condOption "bind" cfg.bind} ${condOption "unixsocket" cfg.unixSocket} - daemonize yes + daemonize no supervised systemd loglevel ${cfg.logLevel} logfile ${cfg.logfile} syslog-enabled ${redisBool cfg.syslog} - pidfile /run/redis/redis.pid databases ${toString cfg.databases} ${concatMapStrings (d: "save ${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}\n") cfg.save} dbfilename dump.rdb diff --git a/nixos/modules/services/databases/rethinkdb.nix b/nixos/modules/services/databases/rethinkdb.nix index f18fbaf5b062..c764d6c21c6c 100644 --- a/nixos/modules/services/databases/rethinkdb.nix +++ b/nixos/modules/services/databases/rethinkdb.nix @@ -15,10 +15,7 @@ in services.rethinkdb = { - enable = mkOption { - default = false; - description = "Whether to enable the RethinkDB server."; - }; + enable = mkEnableOption "RethinkDB server"; #package = mkOption { # default = pkgs.rethinkdb; diff --git a/nixos/modules/services/databases/virtuoso.nix b/nixos/modules/services/databases/virtuoso.nix index 0cc027cb1d74..6eb09e0a58fc 100644 --- a/nixos/modules/services/databases/virtuoso.nix +++ b/nixos/modules/services/databases/virtuoso.nix @@ -13,10 +13,7 @@ with lib; services.virtuoso = { - enable = mkOption { - default = false; - description = "Whether to enable Virtuoso Opensource database server."; - }; + enable = mkEnableOption "Virtuoso Opensource database server"; config = mkOption { default = ""; diff --git a/nixos/modules/services/desktops/accountsservice.nix b/nixos/modules/services/desktops/accountsservice.nix index c48036a99e8f..ae2ecb5ffeb7 100644 --- a/nixos/modules/services/desktops/accountsservice.nix +++ b/nixos/modules/services/desktops/accountsservice.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.freedesktop.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/bamf.nix b/nixos/modules/services/desktops/bamf.nix index 0928ee81a648..4b35146d0844 100644 --- a/nixos/modules/services/desktops/bamf.nix +++ b/nixos/modules/services/desktops/bamf.nix @@ -5,6 +5,10 @@ with lib; { + meta = { + maintainers = with maintainers; [ worldofpeace ]; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/deepin/deepin.nix b/nixos/modules/services/desktops/deepin/deepin.nix index 931bac58aceb..f8fb73701af6 100644 --- a/nixos/modules/services/desktops/deepin/deepin.nix +++ b/nixos/modules/services/desktops/deepin/deepin.nix @@ -41,7 +41,6 @@ pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything pkgs.deepin.deepin-image-viewer - pkgs.deepin.deepin-screenshot ]; services.dbus.packages = [ @@ -55,7 +54,6 @@ pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything pkgs.deepin.deepin-image-viewer - pkgs.deepin.deepin-screenshot ]; systemd.packages = [ diff --git a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix index 8fa108c4f9df..492242e3296d 100644 --- a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix +++ b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix b/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix index 3d2b3ed85e3a..3c7f217b18df 100644 --- a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix +++ b/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix @@ -4,6 +4,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { services.gnome3.chrome-gnome-shell.enable = mkEnableOption '' diff --git a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix b/nixos/modules/services/desktops/gnome3/evolution-data-server.nix index 7e312a1b81eb..bd62d16f61ce 100644 --- a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix +++ b/nixos/modules/services/desktops/gnome3/evolution-data-server.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { @@ -16,7 +20,7 @@ with lib; type = types.bool; default = false; description = '' - Whether to enable Evolution Data Server, a collection of services for + Whether to enable Evolution Data Server, a collection of services for storing addressbooks and calendars. ''; }; diff --git a/nixos/modules/services/desktops/gnome3/glib-networking.nix b/nixos/modules/services/desktops/gnome3/glib-networking.nix index fcd58509d6fc..7e667b6b1f04 100644 --- a/nixos/modules/services/desktops/gnome3/glib-networking.nix +++ b/nixos/modules/services/desktops/gnome3/glib-networking.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix b/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix index d715d52c2d06..c391ad9694c9 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix @@ -44,6 +44,10 @@ in { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix index db60445ef773..2916a3c82b34 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { @@ -35,6 +39,8 @@ with lib; services.dbus.packages = [ pkgs.gnome3.gnome-keyring pkgs.gcr ]; + xdg.portal.extraPortals = [ pkgs.gnome3.gnome-keyring ]; + security.pam.services.login.enableGnomeKeyring = true; security.wrappers.gnome-keyring-daemon = { diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix index 748a025414a7..3f9ced5e86b1 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix b/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix index d406bf6f5e39..39d669e8b30f 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix index 021f4f9534b4..164a0a44f8c8 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix @@ -4,6 +4,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { services.gnome3.gnome-remote-desktop = { @@ -13,6 +17,8 @@ with lib; ###### implementation config = mkIf config.services.gnome3.gnome-remote-desktop.enable { + services.pipewire.enable = true; + systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ]; }; } diff --git a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix b/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix index 2f83fd653bde..1c33ed064a19 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix @@ -12,6 +12,10 @@ in { + meta = { + maintainers = teams.gnome.members; + }; + imports = [ (mkRemovedOptionModule ["services" "gnome3" "gnome-settings-daemon" "package"] diff --git a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix b/nixos/modules/services/desktops/gnome3/gnome-user-share.nix index f83962877700..f2fe8b41a9e2 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-user-share.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gnome3/rygel.nix b/nixos/modules/services/desktops/gnome3/rygel.nix index 55d5e703aa19..917a1d6541e0 100644 --- a/nixos/modules/services/desktops/gnome3/rygel.nix +++ b/nixos/modules/services/desktops/gnome3/rygel.nix @@ -4,6 +4,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { services.gnome3.rygel = { @@ -26,5 +30,7 @@ with lib; services.dbus.packages = [ pkgs.gnome3.rygel ]; systemd.packages = [ pkgs.gnome3.rygel ]; + + environment.etc."rygel.conf".source = "${pkgs.gnome3.rygel}/etc/rygel.conf"; }; } diff --git a/nixos/modules/services/desktops/gnome3/sushi.nix b/nixos/modules/services/desktops/gnome3/sushi.nix index 7a4389038b22..83b17365d5dd 100644 --- a/nixos/modules/services/desktops/gnome3/sushi.nix +++ b/nixos/modules/services/desktops/gnome3/sushi.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gnome3/tracker-miners.nix b/nixos/modules/services/desktops/gnome3/tracker-miners.nix index b390d8368c65..f2af40249271 100644 --- a/nixos/modules/services/desktops/gnome3/tracker-miners.nix +++ b/nixos/modules/services/desktops/gnome3/tracker-miners.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { @@ -25,7 +29,6 @@ with lib; }; - ###### implementation config = mkIf config.services.gnome3.tracker-miners.enable { diff --git a/nixos/modules/services/desktops/gnome3/tracker.nix b/nixos/modules/services/desktops/gnome3/tracker.nix index 2e8292742264..cd196e385539 100644 --- a/nixos/modules/services/desktops/gnome3/tracker.nix +++ b/nixos/modules/services/desktops/gnome3/tracker.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix index 1d002eac41de..250ea6d4575f 100644 --- a/nixos/modules/services/desktops/gvfs.nix +++ b/nixos/modules/services/desktops/gvfs.nix @@ -12,6 +12,10 @@ in { + meta = { + maintainers = teams.gnome.members; + }; + # Added 2019-08-19 imports = [ (mkRenamedOptionModule diff --git a/nixos/modules/services/desktops/malcontent.nix b/nixos/modules/services/desktops/malcontent.nix index 416464cbe08f..5d6912595b52 100644 --- a/nixos/modules/services/desktops/malcontent.nix +++ b/nixos/modules/services/desktops/malcontent.nix @@ -12,7 +12,7 @@ with lib; services.malcontent = { - enable = mkEnableOption "Malcontent"; + enable = mkEnableOption "Malcontent, parental control support for applications"; }; @@ -23,10 +23,15 @@ with lib; config = mkIf config.services.malcontent.enable { - environment.systemPackages = [ pkgs.malcontent ]; + environment.systemPackages = with pkgs; [ + malcontent + malcontent-ui + ]; services.dbus.packages = [ pkgs.malcontent ]; + services.accounts-daemon.enable = true; + }; } diff --git a/nixos/modules/services/desktops/pantheon/contractor.nix b/nixos/modules/services/desktops/pantheon/contractor.nix deleted file mode 100644 index c76145191a70..000000000000 --- a/nixos/modules/services/desktops/pantheon/contractor.nix +++ /dev/null @@ -1,18 +0,0 @@ -# Contractor - -{ config, pkgs, lib, ... }: - -with lib; - -{ - - - ###### implementation - - config = mkIf config.services.pantheon.contractor.enable { - - - - }; - -} diff --git a/nixos/modules/services/desktops/pipewire.nix b/nixos/modules/services/desktops/pipewire.nix index 13f3d61e84ca..5aee59cfdcce 100644 --- a/nixos/modules/services/desktops/pipewire.nix +++ b/nixos/modules/services/desktops/pipewire.nix @@ -8,6 +8,11 @@ let packages = with pkgs; [ pipewire ]; in { + + meta = { + maintainers = teams.freedesktop.members; + }; + ###### interface options = { services.pipewire = { @@ -33,5 +38,4 @@ in { systemd.user.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ]; }; - meta.maintainers = with lib.maintainers; [ jtojnar ]; } diff --git a/nixos/modules/services/desktops/telepathy.nix b/nixos/modules/services/desktops/telepathy.nix index f5401c180984..34596bf78184 100644 --- a/nixos/modules/services/desktops/telepathy.nix +++ b/nixos/modules/services/desktops/telepathy.nix @@ -6,6 +6,10 @@ with lib; { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/tumbler.nix b/nixos/modules/services/desktops/tumbler.nix index a833e99ff8c6..a09079517f04 100644 --- a/nixos/modules/services/desktops/tumbler.nix +++ b/nixos/modules/services/desktops/tumbler.nix @@ -18,6 +18,10 @@ in "") ]; + meta = { + maintainers = with maintainers; [ worldofpeace ]; + }; + ###### interface options = { diff --git a/nixos/modules/services/desktops/zeitgeist.nix b/nixos/modules/services/desktops/zeitgeist.nix index 20c82ccdd56c..cf7dd5fe3a13 100644 --- a/nixos/modules/services/desktops/zeitgeist.nix +++ b/nixos/modules/services/desktops/zeitgeist.nix @@ -5,6 +5,11 @@ with lib; { + + meta = { + maintainers = with maintainers; [ worldofpeace ]; + }; + ###### interface options = { diff --git a/nixos/modules/services/editors/emacs.xml b/nixos/modules/services/editors/emacs.xml index 03483f69fa2f..74c60014dcea 100644 --- a/nixos/modules/services/editors/emacs.xml +++ b/nixos/modules/services/editors/emacs.xml @@ -294,7 +294,7 @@ https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides If you are not on NixOS or want to install this particular Emacs only for yourself, you can do so by adding it to your <filename>~/.config/nixpkgs/config.nix</filename> (see - <link xlink:href="http://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides">Nixpkgs + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides">Nixpkgs manual</link>): <example xml:id="module-services-emacs-config-nix"> <title>Custom Emacs in <filename>~/.config/nixpkgs/config.nix</filename></title> diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix index f3831156f453..4b2e1a3c07f0 100644 --- a/nixos/modules/services/games/factorio.nix +++ b/nixos/modules/services/games/factorio.nix @@ -4,14 +4,13 @@ with lib; let cfg = config.services.factorio; - factorio = pkgs.factorio-headless; name = "Factorio"; stateDir = "/var/lib/${cfg.stateDirName}"; mkSavePath = name: "${stateDir}/saves/${name}.zip"; configFile = pkgs.writeText "factorio.conf" '' use-system-read-write-data-directories=true [path] - read-data=${factorio}/share/factorio/data + read-data=${cfg.package}/share/factorio/data write-data=${stateDir} ''; serverSettings = { @@ -37,7 +36,7 @@ let only_admins_can_pause_the_game = true; autosave_only_on_server = true; admins = []; - }; + } // cfg.extraSettings; serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings)); modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods; in @@ -115,6 +114,14 @@ in Description of the game that will appear in the listing. ''; }; + extraSettings = mkOption { + type = types.attrs; + default = {}; + example = { admins = [ "username" ];}; + description = '' + Extra game configuration that will go into server-settings.json + ''; + }; public = mkOption { type = types.bool; default = false; @@ -136,6 +143,15 @@ in Your factorio.com login credentials. Required for games with visibility public. ''; }; + package = mkOption { + type = types.package; + default = pkgs.factorio-headless; + defaultText = "pkgs.factorio-headless"; + example = "pkgs.factorio-headless-experimental"; + description = '' + Factorio version to use. This defaults to the stable channel. + ''; + }; password = mkOption { type = types.nullOr types.str; default = null; @@ -184,7 +200,7 @@ in preStart = toString [ "test -e ${stateDir}/saves/${cfg.saveName}.zip" "||" - "${factorio}/bin/factorio" + "${cfg.package}/bin/factorio" "--config=${cfg.configFile}" "--create=${mkSavePath cfg.saveName}" (optionalString (cfg.mods != []) "--mod-directory=${modDir}") @@ -197,7 +213,7 @@ in StateDirectory = cfg.stateDirName; UMask = "0007"; ExecStart = toString [ - "${factorio}/bin/factorio" + "${cfg.package}/bin/factorio" "--config=${cfg.configFile}" "--port=${toString cfg.port}" "--start-server=${mkSavePath cfg.saveName}" diff --git a/nixos/modules/services/hardware/ratbagd.nix b/nixos/modules/services/hardware/ratbagd.nix index 103e1d2315ae..01a8276750f2 100644 --- a/nixos/modules/services/hardware/ratbagd.nix +++ b/nixos/modules/services/hardware/ratbagd.nix @@ -10,12 +10,7 @@ in options = { services.ratbagd = { - enable = mkOption { - default = false; - description = '' - Whether to enable ratbagd for configuring gaming mice. - ''; - }; + enable = mkEnableOption "ratbagd for configuring gaming mice"; }; }; diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix index 6bf31982b71a..ec0457bbd583 100644 --- a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix +++ b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix @@ -63,7 +63,7 @@ stdenv.mkDerivation { meta = { description = "Brother brscan4 sane backend driver etc files"; - homepage = http://www.brother.com; + homepage = "http://www.brother.com"; platforms = stdenv.lib.platforms.linux; license = stdenv.lib.licenses.unfree; maintainers = with stdenv.lib.maintainers; [ jraygauthier ]; diff --git a/nixos/modules/services/hardware/thermald.nix b/nixos/modules/services/hardware/thermald.nix index 69577bbe0181..ecb529e9bf01 100644 --- a/nixos/modules/services/hardware/thermald.nix +++ b/nixos/modules/services/hardware/thermald.nix @@ -8,12 +8,7 @@ in { ###### interface options = { services.thermald = { - enable = mkOption { - default = false; - description = '' - Whether to enable thermald, the temperature management daemon. - ''; - }; + enable = mkEnableOption "thermald, the temperature management daemon"; debug = mkOption { type = types.bool; diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 168056a475e5..587b9b0234aa 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -83,6 +83,10 @@ let run_progs=$(grep -v '^[[:space:]]*#' $out/* | grep 'RUN+="/' | sed -e 's/.*RUN+="\([^ "]*\)[ "].*/\1/' | uniq) for i in $import_progs $run_progs; do + # if the path refers to /run/current-system/systemd, replace with config.systemd.package + if [[ $i == /run/current-system/systemd* ]]; then + i="${config.systemd.package}/''${i#/run/current-system/systemd/}" + fi if [[ ! -x $i ]]; then echo "FAIL" echo "$i is called in udev rules but is not executable or does not exist" diff --git a/nixos/modules/services/hardware/xow.nix b/nixos/modules/services/hardware/xow.nix new file mode 100644 index 000000000000..a18d60ad83be --- /dev/null +++ b/nixos/modules/services/hardware/xow.nix @@ -0,0 +1,17 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.services.hardware.xow; +in { + options.services.hardware.xow = { + enable = lib.mkEnableOption "xow as a systemd service"; + }; + + config = lib.mkIf cfg.enable { + hardware.uinput.enable = true; + + systemd.packages = [ pkgs.xow ]; + + services.udev.packages = [ pkgs.xow ]; + }; +} diff --git a/nixos/modules/services/logging/awstats.nix b/nixos/modules/services/logging/awstats.nix index 5939d7808f7f..896f52302ff3 100644 --- a/nixos/modules/services/logging/awstats.nix +++ b/nixos/modules/services/logging/awstats.nix @@ -24,7 +24,7 @@ let logFile = mkOption { type = types.str; - example = "/var/spool/nginx/logs/access.log"; + example = "/var/log/nginx/access.log"; description = '' The log file to be scanned. @@ -110,7 +110,7 @@ in { "mysite" = { domain = "example.com"; - logFile = "/var/spool/nginx/logs/access.log"; + logFile = "/var/log/nginx/access.log"; }; } ''; diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index fdd9f0f3e5c2..565618b27a87 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -5,26 +5,85 @@ with lib; let cfg = config.services.logrotate; - configFile = pkgs.writeText "logrotate.conf" - cfg.config; + pathOptions = { + options = { + path = mkOption { + type = types.str; + description = "The path to log files to be rotated"; + }; + user = mkOption { + type = types.str; + description = "The user account to use for rotation"; + }; + group = mkOption { + type = types.str; + description = "The group to use for rotation"; + }; + frequency = mkOption { + type = types.enum [ + "daily" "weekly" "monthly" "yearly" + ]; + default = "daily"; + description = "How often to rotate the logs"; + }; + keep = mkOption { + type = types.int; + default = 20; + description = "How many rotations to keep"; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Extra logrotate config options for this path"; + }; + }; + }; + + pathConfig = options: '' + "${options.path}" { + su ${options.user} ${options.group} + ${options.frequency} + missingok + notifempty + rotate ${toString options.keep} + ${options.extraConfig} + } + ''; + + configFile = pkgs.writeText "logrotate.conf" ( + (concatStringsSep "\n" ((map pathConfig cfg.paths) ++ [cfg.extraConfig])) + ); in { + imports = [ + (mkRenamedOptionModule [ "services" "logrotate" "config" ] [ "services" "logrotate" "extraConfig" ]) + ]; + options = { services.logrotate = { - enable = mkOption { - type = lib.types.bool; - default = false; - description = '' - Enable the logrotate cron job - ''; + enable = mkEnableOption "the logrotate systemd service"; + + paths = mkOption { + type = types.listOf (types.submodule pathOptions); + default = []; + description = "List of attribute sets with paths to rotate"; + example = { + "/var/log/myapp/*.log" = { + user = "myuser"; + group = "mygroup"; + rotate = "weekly"; + keep = 5; + }; + }; }; - config = mkOption { + extraConfig = mkOption { default = ""; type = types.lines; description = '' - The contents of the logrotate config file + Extra contents to add to the logrotate config file. + See https://linux.die.net/man/8/logrotate ''; }; }; diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 230a2ae3f825..9fbf0c19752c 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -407,7 +407,7 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - restartTriggers = [ cfg.configFile ]; + restartTriggers = [ cfg.configFile modulesDir ]; serviceConfig = { ExecStart = "${dovecotPkg}/sbin/dovecot -F"; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 19e11b31d9ca..608f64a68fb0 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -269,6 +269,7 @@ in }; enableSmtp = mkOption { + type = types.bool; default = true; description = "Whether to enable smtp in master.cf."; }; diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix index 0bb0eaedad50..ed1439745ac9 100644 --- a/nixos/modules/services/mail/roundcube.nix +++ b/nixos/modules/services/mail/roundcube.nix @@ -7,6 +7,7 @@ let fpm = config.services.phpfpm.pools.roundcube; localDB = cfg.database.host == "localhost"; user = cfg.database.username; + phpWithPspell = pkgs.php.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled); in { options.services.roundcube = { @@ -85,6 +86,15 @@ in ''; }; + dicts = mkOption { + type = types.listOf types.package; + default = []; + example = literalExample "with pkgs.aspellDicts; [ en fr de ]"; + description = '' + List of aspell dictionnaries for spell checking. If empty, spell checking is disabled. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -109,6 +119,11 @@ in $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}]; $config['des_key'] = file_get_contents('/var/lib/roundcube/des_key'); $config['mime_types'] = '${pkgs.nginx}/conf/mime.types'; + $config['enable_spellcheck'] = ${if cfg.dicts == [] then "false" else "true"}; + # by default, spellchecking uses a third-party cloud services + $config['spellcheck_engine'] = 'pspell'; + $config['spellcheck_languages'] = array(${lib.concatMapStringsSep ", " (dict: let p = builtins.parseDrvName dict.shortName; in "'${p.name}' => '${dict.fullName}'") cfg.dicts}); + ${cfg.extraConfig} ''; @@ -172,6 +187,8 @@ in "pm.max_requests" = 500; "catch_workers_output" = true; }; + phpPackage = phpWithPspell; + phpEnv.ASPELL_CONF = "dict-dir ${pkgs.aspellWithDicts (_: cfg.dicts)}/lib/aspell"; }; systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ]; @@ -199,7 +216,7 @@ in ${psql} <<< 'TRUNCATE TABLE session;' fi - ${pkgs.php}/bin/php ${cfg.package}/bin/update.sh + ${phpWithPspell}/bin/php ${cfg.package}/bin/update.sh ''; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/mail/rss2email.nix b/nixos/modules/services/mail/rss2email.nix index c1e5964c4536..7f8d2adac648 100644 --- a/nixos/modules/services/mail/rss2email.nix +++ b/nixos/modules/services/mail/rss2email.nix @@ -91,6 +91,8 @@ in { }; }; + environment.systemPackages = with pkgs; [ rss2email ]; + services.rss2email.config.to = cfg.to; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix index 2d5fb40fad35..4e642542ec66 100644 --- a/nixos/modules/services/mail/spamassassin.nix +++ b/nixos/modules/services/mail/spamassassin.nix @@ -12,12 +12,10 @@ in options = { services.spamassassin = { - enable = mkOption { - default = false; - description = "Whether to run the SpamAssassin daemon"; - }; + enable = mkEnableOption "the SpamAssassin daemon"; debug = mkOption { + type = types.bool; default = false; description = "Whether to run the SpamAssassin daemon in debug mode"; }; diff --git a/nixos/modules/services/mail/sympa.nix b/nixos/modules/services/mail/sympa.nix index c3ae9d4255b0..0cad09927b2f 100644 --- a/nixos/modules/services/mail/sympa.nix +++ b/nixos/modules/services/mail/sympa.nix @@ -25,8 +25,6 @@ let StateDirectory = "sympa"; ProtectHome = true; ProtectSystem = "full"; - ProtectKernelTunables = true; - ProtectKernelModules = true; ProtectControlGroups = true; }; @@ -415,7 +413,7 @@ in # force-copy static_content so it's up to date with package # set permissions for wwsympa which needs write access (...) "R ${dataDir}/static_content - - - - -" - "C ${dataDir}/static_content 0711 ${user} ${group} - ${pkg}/static_content" + "C ${dataDir}/static_content 0711 ${user} ${group} - ${pkg}/var/lib/sympa/static_content" "e ${dataDir}/static_content/* 0711 ${user} ${group} - -" "d /run/sympa 0755 ${user} ${group} - -" @@ -497,7 +495,7 @@ in -F ${toString cfg.web.fcgiProcs} \ -P /run/sympa/wwsympa.pid \ -s /run/sympa/wwsympa.socket \ - -- ${pkg}/bin/wwsympa.fcgi + -- ${pkg}/lib/sympa/cgi/wwsympa.fcgi ''; } // commonServiceConfig; @@ -518,7 +516,7 @@ in fastcgi_split_path_info ^(${loc})(.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME ${pkg}/bin/wwsympa.fcgi; + fastcgi_param SCRIPT_FILENAME ${pkg}/lib/sympa/cgi/wwsympa.fcgi; ''; }) // { "/static-sympa/".alias = "${dataDir}/static_content/"; @@ -550,7 +548,7 @@ in args = [ "flags=hqRu" "user=${user}" - "argv=${pkg}/bin/queue" + "argv=${pkg}/libexec/queue" "\${nexthop}" ]; }; @@ -562,7 +560,7 @@ in args = [ "flags=hqRu" "user=${user}" - "argv=${pkg}/bin/bouncequeue" + "argv=${pkg}/libexec/bouncequeue" "\${nexthop}" ]; }; diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index c296e048cea4..5cc2ff7f4bd1 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -138,6 +138,7 @@ in { services.nginx = mkIf (cfg.virtualHost != null) { enable = true; + recommendedProxySettings = true; virtualHosts.${cfg.virtualHost} = { locations.${cfg.contextPath}.proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; }; diff --git a/nixos/modules/services/misc/autofs.nix b/nixos/modules/services/misc/autofs.nix index f1742177326a..5e7c1e668288 100644 --- a/nixos/modules/services/misc/autofs.nix +++ b/nixos/modules/services/misc/autofs.nix @@ -19,6 +19,7 @@ in services.autofs = { enable = mkOption { + type = types.bool; default = false; description = '' Mount filesystems on demand. Unmount them automatically. @@ -56,6 +57,7 @@ in }; debug = mkOption { + type = types.bool; default = false; description = '' Pass -d and -7 to automount and write log to the system journal. diff --git a/nixos/modules/services/misc/bazarr.nix b/nixos/modules/services/misc/bazarr.nix new file mode 100644 index 000000000000..d3fd5b08cc84 --- /dev/null +++ b/nixos/modules/services/misc/bazarr.nix @@ -0,0 +1,76 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.bazarr; +in +{ + options = { + services.bazarr = { + enable = mkEnableOption "bazarr, a subtitle manager for Sonarr and Radarr"; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for the bazarr web interface."; + }; + + listenPort = mkOption { + type = types.port; + default = 6767; + description = "Port on which the bazarr web interface should listen"; + }; + + user = mkOption { + type = types.str; + default = "bazarr"; + description = "User account under which bazarr runs."; + }; + + group = mkOption { + type = types.str; + default = "bazarr"; + description = "Group under which bazarr runs."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.bazarr = { + description = "bazarr"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = rec { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + StateDirectory = "bazarr"; + SyslogIdentifier = "bazarr"; + ExecStart = pkgs.writeShellScript "start-bazarr" '' + ${pkgs.bazarr}/bin/bazarr \ + --config '/var/lib/${StateDirectory}' \ + --port ${toString cfg.listenPort} \ + --no-update True + ''; + Restart = "on-failure"; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.listenPort ]; + }; + + users.users = mkIf (cfg.user == "bazarr") { + bazarr = { + group = cfg.group; + home = "/var/lib/${config.systemd.services.bazarr.serviceConfig.StateDirectory}"; + }; + }; + + users.groups = mkIf (cfg.group == "bazarr") { + bazarr = {}; + }; + }; +} diff --git a/nixos/modules/services/misc/cgminer.nix b/nixos/modules/services/misc/cgminer.nix index 9fcae6452696..7635c2a0f4e9 100644 --- a/nixos/modules/services/misc/cgminer.nix +++ b/nixos/modules/services/misc/cgminer.nix @@ -31,13 +31,7 @@ in services.cgminer = { - enable = mkOption { - default = false; - description = '' - Whether to enable cgminer, an ASIC/FPGA/GPU miner for bitcoin and - litecoin. - ''; - }; + enable = mkEnableOption "cgminer, an ASIC/FPGA/GPU miner for bitcoin and litecoin"; package = mkOption { default = pkgs.cgminer; diff --git a/nixos/modules/services/misc/confd.nix b/nixos/modules/services/misc/confd.nix index 8e9bec15dd4f..c1ebdb3dde91 100755 --- a/nixos/modules/services/misc/confd.nix +++ b/nixos/modules/services/misc/confd.nix @@ -75,7 +75,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - ExecStart = "${cfg.package.bin}/bin/confd"; + ExecStart = "${cfg.package}/bin/confd"; }; }; diff --git a/nixos/modules/services/misc/devmon.nix b/nixos/modules/services/misc/devmon.nix index 9dc8fee2964b..e4a3348646b1 100644 --- a/nixos/modules/services/misc/devmon.nix +++ b/nixos/modules/services/misc/devmon.nix @@ -8,12 +8,7 @@ let in { options = { services.devmon = { - enable = mkOption { - default = false; - description = '' - Whether to enable devmon, an automatic device mounting daemon. - ''; - }; + enable = mkEnableOption "devmon, an automatic device mounting daemon"; }; }; diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix index b7b6eb7cd66e..69386cdbb381 100644 --- a/nixos/modules/services/misc/disnix.nix +++ b/nixos/modules/services/misc/disnix.nix @@ -17,10 +17,7 @@ in services.disnix = { - enable = mkOption { - default = false; - description = "Whether to enable Disnix"; - }; + enable = mkEnableOption "Disnix"; enableMultiUser = mkOption { type = types.bool; @@ -28,10 +25,7 @@ in description = "Whether to support multi-user mode by enabling the Disnix D-Bus service"; }; - useWebServiceInterface = mkOption { - default = false; - description = "Whether to enable the DisnixWebService interface running on Apache Tomcat"; - }; + useWebServiceInterface = mkEnableOption "the DisnixWebService interface running on Apache Tomcat"; package = mkOption { type = types.path; diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix index 89bac4f47d73..1c2e2cc53590 100644 --- a/nixos/modules/services/misc/docker-registry.nix +++ b/nixos/modules/services/misc/docker-registry.nix @@ -138,7 +138,7 @@ in { script = '' ${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile} - ${pkgs.systemd}/bin/systemctl restart docker-registry.service + /run/current-system/systemd/bin/systemctl restart docker-registry.service ''; startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates; diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix index 33a6fb152641..4b52963500d1 100644 --- a/nixos/modules/services/misc/dysnomia.nix +++ b/nixos/modules/services/misc/dysnomia.nix @@ -177,7 +177,7 @@ in wrapper = {}; } // lib.optionalAttrs (config.services.httpd.enable) { apache-webapplication = { - documentRoot = config.services.httpd.documentRoot; + documentRoot = config.services.httpd.virtualHosts.localhost.documentRoot; }; } // lib.optionalAttrs (config.services.tomcat.axis2.enable) { axis2-webservice = {}; } // lib.optionalAttrs (config.services.ejabberd.enable) { ejabberd-dump = { diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix index 7322e1c080be..32360d43768a 100644 --- a/nixos/modules/services/misc/etcd.nix +++ b/nixos/modules/services/misc/etcd.nix @@ -178,7 +178,7 @@ in { serviceConfig = { Type = "notify"; - ExecStart = "${pkgs.etcd.bin}/bin/etcd"; + ExecStart = "${pkgs.etcd}/bin/etcd"; User = "etcd"; LimitNOFILE = 40000; }; diff --git a/nixos/modules/services/misc/felix.nix b/nixos/modules/services/misc/felix.nix index 188e45abc58b..21740c8c0b72 100644 --- a/nixos/modules/services/misc/felix.nix +++ b/nixos/modules/services/misc/felix.nix @@ -17,10 +17,7 @@ in services.felix = { - enable = mkOption { - default = false; - description = "Whether to enable the Apache Felix OSGi service"; - }; + enable = mkEnableOption "the Apache Felix OSGi service"; bundles = mkOption { type = types.listOf types.package; diff --git a/nixos/modules/services/misc/freeswitch.nix b/nixos/modules/services/misc/freeswitch.nix index 0de5ba428110..d27dbe220d3c 100644 --- a/nixos/modules/services/misc/freeswitch.nix +++ b/nixos/modules/services/misc/freeswitch.nix @@ -78,7 +78,7 @@ in { wantedBy = [ "multi-user.target" ]; restartTriggers = [ configDirectory ]; serviceConfig = { - ExecStart = "${pkgs.systemd}/bin/systemctl try-reload-or-restart freeswitch.service"; + ExecStart = "/run/current-system/systemd/bin/systemctl try-reload-or-restart freeswitch.service"; RemainAfterExit = true; Type = "oneshot"; }; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 38910a5a005d..f8bcedc94fe2 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -14,53 +14,9 @@ let RUN_USER = ${cfg.user} RUN_MODE = prod - [database] - DB_TYPE = ${cfg.database.type} - ${optionalString (usePostgresql || useMysql) '' - HOST = ${if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port} - NAME = ${cfg.database.name} - USER = ${cfg.database.user} - PASSWD = #dbpass# - ''} - ${optionalString useSqlite '' - PATH = ${cfg.database.path} - ''} - ${optionalString usePostgresql '' - SSL_MODE = disable - ''} - - [repository] - ROOT = ${cfg.repositoryRoot} - - [server] - DOMAIN = ${cfg.domain} - HTTP_ADDR = ${cfg.httpAddress} - HTTP_PORT = ${toString cfg.httpPort} - ROOT_URL = ${cfg.rootUrl} - STATIC_ROOT_PATH = ${cfg.staticRootPath} - LFS_JWT_SECRET = #jwtsecret# - - [session] - COOKIE_NAME = session - COOKIE_SECURE = ${boolToString cfg.cookieSecure} - - [security] - SECRET_KEY = #secretkey# - INSTALL_LOCK = true - - [log] - ROOT_PATH = ${cfg.log.rootPath} - LEVEL = ${cfg.log.level} - - [service] - DISABLE_REGISTRATION = ${boolToString cfg.disableRegistration} - - ${optionalString (cfg.mailerPasswordFile != null) '' - [mailer] - PASSWD = #mailerpass# - ''} - - ${cfg.extraConfig} + ${generators.toINI {} cfg.settings} + + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} ''; in @@ -279,9 +235,36 @@ in ''; }; + settings = mkOption { + type = with types; attrsOf (attrsOf (oneOf [ bool int str ])); + default = {}; + description = '' + Gitea configuration. Refer to <link xlink:href="https://docs.gitea.io/en-us/config-cheat-sheet/"/> + for details on supported values. + ''; + example = literalExample '' + { + "cron.sync_external_users" = { + RUN_AT_START = true; + SCHEDULE = "@every 24h"; + UPDATE_EXISTING = true; + }; + mailer = { + ENABLED = true; + MAILER_TYPE = "sendmail"; + FROM = "do-not-reply@example.org"; + SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail"; + }; + other = { + SHOW_FOOTER_VERSION = false; + }; + } + ''; + }; + extraConfig = mkOption { - type = types.str; - default = ""; + type = with types; nullOr str; + default = null; description = "Configuration lines appended to the generated gitea configuration file."; }; }; @@ -294,6 +277,62 @@ in } ]; + services.gitea.settings = { + database = mkMerge [ + { + DB_TYPE = cfg.database.type; + } + (mkIf (useMysql || usePostgresql) { + HOST = if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port; + NAME = cfg.database.name; + USER = cfg.database.user; + PASSWD = "#dbpass#"; + }) + (mkIf useSqlite { + PATH = cfg.database.path; + }) + (mkIf usePostgresql { + SSL_MODE = "disable"; + }) + ]; + + repository = { + ROOT = cfg.repositoryRoot; + }; + + server = { + DOMAIN = cfg.domain; + HTTP_ADDR = cfg.httpAddress; + HTTP_PORT = cfg.httpPort; + ROOT_URL = cfg.rootUrl; + STATIC_ROOT_PATH = cfg.staticRootPath; + LFS_JWT_SECRET = "#jwtsecret#"; + }; + + session = { + COOKIE_NAME = "session"; + COOKIE_SECURE = cfg.cookieSecure; + }; + + security = { + SECRET_KEY = "#secretkey#"; + INSTALL_LOCK = true; + }; + + log = { + ROOT_PATH = cfg.log.rootPath; + LEVEL = cfg.log.level; + }; + + service = { + DISABLE_REGISTRATION = cfg.disableRegistration; + }; + + mailer = mkIf (cfg.mailerPasswordFile != null) { + PASSWD = "#mailerpass#"; + }; + }; + services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { enable = mkDefault true; @@ -335,7 +374,7 @@ in description = "gitea"; after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; wantedBy = [ "multi-user.target" ]; - path = [ gitea.bin pkgs.gitAndTools.git ]; + path = [ gitea pkgs.gitAndTools.git ]; preStart = let runConfig = "${cfg.stateDir}/custom/conf/app.ini"; @@ -347,11 +386,11 @@ in cp -f ${configFile} ${runConfig} if [ ! -e ${secretKey} ]; then - ${gitea.bin}/bin/gitea generate secret SECRET_KEY > ${secretKey} + ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} fi if [ ! -e ${jwtSecret} ]; then - ${gitea.bin}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret} + ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret} fi KEY="$(head -n1 ${secretKey})" @@ -374,7 +413,7 @@ in HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 6 -type f -wholename "*git/hooks/*") if [ "$HOOKS" ] then - sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' $HOOKS + sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea}/bin/gitea,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS @@ -383,7 +422,7 @@ in # update command option in authorized_keys if [ -r ${cfg.stateDir}/.ssh/authorized_keys ] then - sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys + sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys fi ''; @@ -392,7 +431,7 @@ in User = cfg.user; Group = "gitea"; WorkingDirectory = cfg.stateDir; - ExecStart = "${gitea.bin}/bin/gitea web"; + ExecStart = "${gitea}/bin/gitea web"; Restart = "always"; # Filesystem @@ -435,9 +474,12 @@ in users.groups.gitea = {}; - warnings = optional (cfg.database.password != "") - ''config.services.gitea.database.password will be stored as plaintext - in the Nix store. Use database.passwordFile instead.''; + warnings = + optional (cfg.database.password != "") '' + config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.'' ++ + optional (cfg.extraConfig != null) '' + services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`. + ''; # Create database passwordFile default when password is configured. services.gitea.database.passwordFile = @@ -450,7 +492,7 @@ in description = "gitea dump"; after = [ "gitea.service" ]; wantedBy = [ "default.target" ]; - path = [ gitea.bin ]; + path = [ gitea ]; environment = { USER = cfg.user; @@ -461,7 +503,7 @@ in serviceConfig = { Type = "oneshot"; User = cfg.user; - ExecStart = "${gitea.bin}/bin/gitea dump"; + ExecStart = "${gitea}/bin/gitea dump"; WorkingDirectory = cfg.stateDir; }; }; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index aa9589853797..7b2bbf89a446 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -129,7 +129,7 @@ let HOME = "${cfg.statePath}/home"; UNICORN_PATH = "${cfg.statePath}/"; GITLAB_PATH = "${cfg.packages.gitlab}/share/gitlab/"; - SCHEMA = "${cfg.statePath}/db/schema.rb"; + SCHEMA = "${cfg.statePath}/db/structure.sql"; GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads"; GITLAB_LOG_PATH = "${cfg.statePath}/log"; GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "redis.yml" (builtins.toJSON redisConfig); @@ -180,7 +180,7 @@ let ${optionalString (cfg.smtp.passwordFile != null) ''password: "@smtpPassword@",''} domain: "${cfg.smtp.domain}", ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"} - enable_starttls_auto: ${toString cfg.smtp.enableStartTLSAuto}, + enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto}, ca_file: "/etc/ssl/certs/ca-certificates.crt", openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}' } diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix index ee99967c261b..c5070aaa356a 100644 --- a/nixos/modules/services/misc/gogs.nix +++ b/nixos/modules/services/misc/gogs.nix @@ -200,7 +200,7 @@ in description = "Gogs (Go Git Service)"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.gogs.bin ]; + path = [ pkgs.gogs ]; preStart = let runConfig = "${cfg.stateDir}/custom/conf/app.ini"; @@ -230,7 +230,7 @@ in HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 4 -type f -wholename "*git/hooks/*") if [ "$HOOKS" ] then - sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gogs,${pkgs.gogs.bin}/bin/gogs,g' $HOOKS + sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gogs,${pkgs.gogs}/bin/gogs,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS @@ -242,7 +242,7 @@ in User = cfg.user; Group = cfg.group; WorkingDirectory = cfg.stateDir; - ExecStart = "${pkgs.gogs.bin}/bin/gogs web"; + ExecStart = "${pkgs.gogs}/bin/gogs web"; Restart = "always"; }; diff --git a/nixos/modules/services/misc/ihaskell.nix b/nixos/modules/services/misc/ihaskell.nix index 11597706d0d1..684a242d7385 100644 --- a/nixos/modules/services/misc/ihaskell.nix +++ b/nixos/modules/services/misc/ihaskell.nix @@ -15,6 +15,7 @@ in options = { services.ihaskell = { enable = mkOption { + type = types.bool; default = false; description = "Autostart an IHaskell notebook service."; }; diff --git a/nixos/modules/services/misc/leaps.nix b/nixos/modules/services/misc/leaps.nix index d4e88ecbebdb..ef89d3e64d0c 100644 --- a/nixos/modules/services/misc/leaps.nix +++ b/nixos/modules/services/misc/leaps.nix @@ -55,7 +55,7 @@ in Restart = "on-failure"; WorkingDirectory = stateDir; PrivateTmp = true; - ExecStart = "${pkgs.leaps.bin}/bin/leaps -path ${toString cfg.path} -address ${cfg.address}:${toString cfg.port}"; + ExecStart = "${pkgs.leaps}/bin/leaps -path ${toString cfg.path} -address ${cfg.address}:${toString cfg.port}"; }; }; }; diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index d02fa13bb99c..703bc9416f88 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -31,7 +31,6 @@ bind_host: "${cfg.bind_host}" ''} server_name: "${cfg.server_name}" pid_file: "/run/matrix-synapse.pid" -web_client: ${boolToString cfg.web_client} ${optionalString (cfg.public_baseurl != null) '' public_baseurl: "${cfg.public_baseurl}" ''} @@ -202,13 +201,6 @@ in { This is also the last part of your UserID. ''; }; - web_client = mkOption { - type = types.bool; - default = false; - description = '' - Whether to serve a web client from the HTTP/HTTPS root resource. - ''; - }; public_baseurl = mkOption { type = types.nullOr types.str; default = null; @@ -719,6 +711,7 @@ in { Database configuration must be done manually. An exemplary setup is demonstrated in <nixpkgs/nixos/tests/matrix-synapse.nix> '') + (mkRemovedOptionModule [ "services" "matrix-synapse" "web_client" ] "") ]; meta.doc = ./matrix-synapse.xml; diff --git a/nixos/modules/services/misc/matrix-synapse.xml b/nixos/modules/services/misc/matrix-synapse.xml index 053a3b2a563f..2f2ac27eeb9d 100644 --- a/nixos/modules/services/misc/matrix-synapse.xml +++ b/nixos/modules/services/misc/matrix-synapse.xml @@ -33,6 +33,7 @@ <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation"> installation instructions of Synapse </link>. <programlisting> +{ pkgs, ... }: let fqdn = let @@ -46,7 +47,7 @@ in { <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ]; <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true; - <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = '' + <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 17c3582db0f6..2577cb78e96e 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -92,13 +92,14 @@ in maxJobs = mkOption { type = types.either types.int (types.enum ["auto"]); - default = 1; + default = "auto"; example = 64; description = '' - This option defines the maximum number of jobs that Nix will try - to build in parallel. The default is 1. You should generally - set it to the total number of logical cores in your system (e.g., 16 - for two CPUs with 4 cores each and hyper-threading). + This option defines the maximum number of jobs that Nix will try to + build in parallel. The default is auto, which means it will use all + available logical cores. It is recommend to set it to the total + number of logical cores in your system (e.g., 16 for two CPUs with 4 + cores each and hyper-threading). ''; }; @@ -282,7 +283,7 @@ in trustedBinaryCaches = mkOption { type = types.listOf types.str; default = [ ]; - example = [ http://hydra.nixos.org/ ]; + example = [ "https://hydra.nixos.org/" ]; description = '' List of binary cache URLs that non-root users can use (in addition to those specified using @@ -376,6 +377,59 @@ in If enabled (the default), checks that Nix can parse the generated nix.conf. ''; }; + + registry = mkOption { + type = types.attrsOf (types.submodule ( + let + inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]); + in + { config, name, ... }: + { options = { + from = mkOption { + type = inputAttrs; + example = { type = "indirect"; id = "nixpkgs"; }; + description = "The flake reference to be rewritten."; + }; + to = mkOption { + type = inputAttrs; + example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; + description = "The flake reference to which <option>from></option> is to be rewritten."; + }; + flake = mkOption { + type = types.unspecified; + default = null; + example = literalExample "nixpkgs"; + description = '' + The flake input to which <option>from></option> is to be rewritten. + ''; + }; + exact = mkOption { + type = types.bool; + default = true; + description = '' + Whether the <option>from</option> reference needs to match exactly. If set, + a <option>from</option> reference like <literal>nixpkgs</literal> does not + match with a reference like <literal>nixpkgs/nixos-20.03</literal>. + ''; + }; + }; + config = { + from = mkDefault { type = "indirect"; id = name; }; + to = mkIf (config.flake != null) + ({ type = "path"; + path = config.flake.outPath; + } // lib.filterAttrs + (n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") + config.flake); + }; + } + )); + default = {}; + description = '' + A system-wide flake registry. + ''; + }; + }; }; @@ -390,6 +444,11 @@ in environment.etc."nix/nix.conf".source = nixConf; + environment.etc."nix/registry.json".text = builtins.toJSON { + version = 2; + flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry; + }; + # List of machines for distributed Nix builds in the format # expected by build-remote.pl. environment.etc."nix/machines" = @@ -451,8 +510,7 @@ in system.activationScripts.nix = stringAfter [ "etc" "users" ] '' - # Create directories in /nix. - ${nix}/bin/nix ping-store --no-net + install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user # Subscribe the root user to the NixOS channel by default. if [ ! -e "/root/.nix-channels" ]; then diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix deleted file mode 100644 index ab73f49d4be5..000000000000 --- a/nixos/modules/services/misc/nixos-manual.nix +++ /dev/null @@ -1,73 +0,0 @@ -# This module optionally starts a browser that shows the NixOS manual -# on one of the virtual consoles which is useful for the installation -# CD. - -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.nixosManual; - cfgd = config.documentation; -in - -{ - - options = { - - # TODO(@oxij): rename this to `.enable` eventually. - services.nixosManual.showManual = mkOption { - type = types.bool; - default = false; - description = '' - Whether to show the NixOS manual on one of the virtual - consoles. - ''; - }; - - services.nixosManual.ttyNumber = mkOption { - type = types.int; - default = 8; - description = '' - Virtual console on which to show the manual. - ''; - }; - - services.nixosManual.browser = mkOption { - type = types.path; - default = "${pkgs.w3m-nographics}/bin/w3m"; - description = '' - Browser used to show the manual. - ''; - }; - - }; - - - config = mkMerge [ - (mkIf cfg.showManual { - assertions = singleton { - assertion = cfgd.enable && cfgd.nixos.enable; - message = "Can't enable `services.nixosManual.showManual` without `documentation.nixos.enable`"; - }; - }) - (mkIf (cfg.showManual && cfgd.enable && cfgd.nixos.enable) { - console.extraTTYs = [ "tty${toString cfg.ttyNumber}" ]; - - systemd.services.nixos-manual = { - description = "NixOS Manual"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = "${cfg.browser} ${config.system.build.manual.manualHTMLIndex}"; - StandardInput = "tty"; - StandardOutput = "tty"; - TTYPath = "/dev/tty${toString cfg.ttyNumber}"; - TTYReset = true; - TTYVTDisallocate = true; - Restart = "always"; - }; - }; - }) - ]; - -} diff --git a/nixos/modules/services/misc/octoprint.nix b/nixos/modules/services/misc/octoprint.nix index 651ed3743884..7a71d2c8c6aa 100644 --- a/nixos/modules/services/misc/octoprint.nix +++ b/nixos/modules/services/misc/octoprint.nix @@ -17,9 +17,9 @@ let cfgUpdate = pkgs.writeText "octoprint-config.yaml" (builtins.toJSON fullConfig); - pluginsEnv = pkgs.python.buildEnv.override { - extraLibs = cfg.plugins pkgs.octoprint-plugins; - }; + pluginsEnv = package.python.withPackages (ps: [ps.octoprint] ++ (cfg.plugins ps)); + + package = pkgs.octoprint; in { @@ -106,7 +106,6 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; path = [ pluginsEnv ]; - environment.PYTHONPATH = makeSearchPathOutput "lib" pkgs.python.sitePackages [ pluginsEnv ]; preStart = '' if [ -e "${cfg.stateDir}/config.yaml" ]; then @@ -119,7 +118,7 @@ in ''; serviceConfig = { - ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}"; + ExecStart = "${pluginsEnv}/bin/octoprint serve -b ${cfg.stateDir}"; User = cfg.user; Group = cfg.group; }; diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix index 25aa27ae7673..d6aeae48ccb6 100644 --- a/nixos/modules/services/misc/pykms.nix +++ b/nixos/modules/services/misc/pykms.nix @@ -82,6 +82,7 @@ in { ]); ProtectHome = "tmpfs"; WorkingDirectory = libDir; + SyslogIdentifier = "pykms"; Restart = "on-failure"; MemoryLimit = cfg.memoryLimit; }; diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index 3b8c14d196f8..0e71cf925692 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix @@ -26,7 +26,7 @@ let scm_mercurial_command: ${pkgs.mercurial}/bin/hg scm_git_command: ${pkgs.gitAndTools.git}/bin/git scm_cvs_command: ${pkgs.cvs}/bin/cvs - scm_bazaar_command: ${pkgs.bazaar}/bin/bzr + scm_bazaar_command: ${pkgs.breezy}/bin/bzr scm_darcs_command: ${pkgs.darcs}/bin/darcs ${cfg.extraConfig} @@ -132,7 +132,7 @@ in example = literalExample '' { dkuk-redmine_alex_skin = builtins.fetchurl { - url = https://bitbucket.org/dkuk/redmine_alex_skin/get/1842ef675ef3.zip; + url = "https://bitbucket.org/dkuk/redmine_alex_skin/get/1842ef675ef3.zip"; sha256 = "0hrin9lzyi50k4w2bd2b30vrf1i4fi1c0gyas5801wn8i7kpm9yl"; }; } @@ -146,7 +146,7 @@ in example = literalExample '' { redmine_env_auth = builtins.fetchurl { - url = https://github.com/Intera/redmine_env_auth/archive/0.6.zip; + url = "https://github.com/Intera/redmine_env_auth/archive/0.6.zip"; sha256 = "0yyr1yjd8gvvh832wdc8m3xfnhhxzk2pk3gm2psg5w9jdvd6skak"; }; } @@ -297,7 +297,7 @@ in environment.SCHEMA = "${cfg.stateDir}/cache/schema.db"; path = with pkgs; [ imagemagick - bazaar + breezy cvs darcs gitAndTools.git diff --git a/nixos/modules/services/misc/rogue.nix b/nixos/modules/services/misc/rogue.nix deleted file mode 100644 index d56d103b5f34..000000000000 --- a/nixos/modules/services/misc/rogue.nix +++ /dev/null @@ -1,62 +0,0 @@ -# Execute the game `rogue' on tty 9. Mostly used by the NixOS -# installation CD. - -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.rogue; - -in - -{ - ###### interface - - options = { - - services.rogue.enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the Rogue game on one of the virtual - consoles. - ''; - }; - - services.rogue.tty = mkOption { - type = types.str; - default = "tty9"; - description = '' - Virtual console on which to run Rogue. - ''; - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - console.extraTTYs = [ cfg.tty ]; - - systemd.services.rogue = - { description = "Rogue dungeon crawling game"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = - { ExecStart = "${pkgs.rogue}/bin/rogue"; - StandardInput = "tty"; - StandardOutput = "tty"; - TTYPath = "/dev/${cfg.tty}"; - TTYReset = true; - TTYVTDisallocate = true; - WorkingDirectory = "/tmp"; - Restart = "always"; - }; - }; - - }; - -} diff --git a/nixos/modules/services/misc/safeeyes.nix b/nixos/modules/services/misc/safeeyes.nix index 1a33971d9227..6ecb0d13187c 100644 --- a/nixos/modules/services/misc/safeeyes.nix +++ b/nixos/modules/services/misc/safeeyes.nix @@ -16,10 +16,7 @@ in services.safeeyes = { - enable = mkOption { - default = false; - description = "Whether to enable the safeeyes OSGi service"; - }; + enable = mkEnableOption "the safeeyes OSGi service"; }; diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/ssm-agent.nix index e951a4c7ffa8..f7c05deeecb5 100644 --- a/nixos/modules/services/misc/ssm-agent.nix +++ b/nixos/modules/services/misc/ssm-agent.nix @@ -35,7 +35,7 @@ in { path = [ fake-lsb-release ]; serviceConfig = { - ExecStart = "${cfg.package.bin}/bin/agent"; + ExecStart = "${cfg.package}/bin/agent"; KillMode = "process"; Restart = "on-failure"; RestartSec = "15min"; @@ -43,4 +43,3 @@ in { }; }; } - diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index 36008d257410..3da99a3b38c1 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -42,11 +42,6 @@ in { }; config = mkMerge [ (mkIf cfg.enable { - assertions = singleton { - assertion = nscd.enable; - message = "nscd must be enabled through `services.nscd.enable` for SSSD to work."; - }; - systemd.services.sssd = { description = "System Security Services Daemon"; wantedBy = [ "multi-user.target" ]; @@ -74,7 +69,13 @@ in { mode = "0400"; }; - system.nssModules = optional cfg.enable pkgs.sssd; + system.nssModules = pkgs.sssd; + system.nssDatabases = { + group = [ "sss" ]; + passwd = [ "sss" ]; + services = [ "sss" ]; + shadow = [ "sss" ]; + }; services.dbus.packages = [ pkgs.sssd ]; }) diff --git a/nixos/modules/services/misc/svnserve.nix b/nixos/modules/services/misc/svnserve.nix index 6292bc52b1e3..3335ed09d40e 100644 --- a/nixos/modules/services/misc/svnserve.nix +++ b/nixos/modules/services/misc/svnserve.nix @@ -18,6 +18,7 @@ in services.svnserve = { enable = mkOption { + type = types.bool; default = false; description = "Whether to enable svnserve to serve Subversion repositories through the SVN protocol."; }; diff --git a/nixos/modules/services/misc/synergy.nix b/nixos/modules/services/misc/synergy.nix index bfab8c534d8c..5b7cf3ac46c3 100644 --- a/nixos/modules/services/misc/synergy.nix +++ b/nixos/modules/services/misc/synergy.nix @@ -19,12 +19,8 @@ in # !!! All these option descriptions needs to be cleaned up. client = { - enable = mkOption { - default = false; - description = " - Whether to enable the Synergy client (receive keyboard and mouse events from a Synergy server). - "; - }; + enable = mkEnableOption "the Synergy client (receive keyboard and mouse events from a Synergy server)"; + screenName = mkOption { default = ""; description = '' @@ -47,12 +43,8 @@ in }; server = { - enable = mkOption { - default = false; - description = '' - Whether to enable the Synergy server (send keyboard and mouse events). - ''; - }; + enable = mkEnableOption "the Synergy server (send keyboard and mouse events)"; + configFile = mkOption { default = "/etc/synergy-server.conf"; description = "The Synergy server configuration file."; diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index d5b3537068d3..d9d34b7fac9b 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -63,10 +63,6 @@ let ${cfg.extraConfig} ''; - phpExtensions = with pkgs.phpPackages; [ - { pkg = apcu; name = "apcu"; } - ]; - in { options = { services.zoneminder = with lib; { @@ -289,11 +285,9 @@ in { phpfpm = lib.mkIf useNginx { pools.zoneminder = { inherit user group; + phpPackage = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu ]); phpOptions = '' date.timezone = "${config.time.timeZone}" - - ${lib.concatStringsSep "\n" (map (e: - "extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)} ''; settings = lib.mapAttrs (name: lib.mkDefault) { "listen.owner" = user; diff --git a/nixos/modules/services/monitoring/bosun.nix b/nixos/modules/services/monitoring/bosun.nix index b1c12cce1f80..04e9da1c81a3 100644 --- a/nixos/modules/services/monitoring/bosun.nix +++ b/nixos/modules/services/monitoring/bosun.nix @@ -148,7 +148,7 @@ in { User = cfg.user; Group = cfg.group; ExecStart = '' - ${cfg.package.bin}/bin/bosun -c ${configFile} + ${cfg.package}/bin/bosun -c ${configFile} ''; }; }; diff --git a/nixos/modules/services/monitoring/datadog-agent.nix b/nixos/modules/services/monitoring/datadog-agent.nix index 2c5fe47242e7..f1cb890794e1 100644 --- a/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixos/modules/services/monitoring/datadog-agent.nix @@ -225,7 +225,7 @@ in { Restart = "always"; RestartSec = 2; }; - restartTriggers = [ datadogPkg ] ++ attrNames etcfiles; + restartTriggers = [ datadogPkg ] ++ map (x: x.source) (attrValues etcfiles); } attrs; in { datadog-agent = makeService { diff --git a/nixos/modules/services/monitoring/grafana-reporter.nix b/nixos/modules/services/monitoring/grafana-reporter.nix index b5a78e4583e1..893c15d568bd 100644 --- a/nixos/modules/services/monitoring/grafana-reporter.nix +++ b/nixos/modules/services/monitoring/grafana-reporter.nix @@ -59,7 +59,7 @@ in { "-templates ${cfg.templateDir}" ]; in { - ExecStart = "${pkgs.grafana_reporter.bin}/bin/grafana-reporter ${args}"; + ExecStart = "${pkgs.grafana_reporter}/bin/grafana-reporter ${args}"; }; }; }; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 0f8bc2471e33..b0c81a46d4d8 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -535,7 +535,7 @@ in { ${optionalString cfg.provision.enable '' export GF_PATHS_PROVISIONING=${provisionConfDir}; ''} - exec ${cfg.package.bin}/bin/grafana-server -homepath ${cfg.dataDir} + exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} ''; serviceConfig = { WorkingDirectory = cfg.dataDir; diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index dd147bb37930..64d9d61950da 100644 --- a/nixos/modules/services/monitoring/graphite.nix +++ b/nixos/modules/services/monitoring/graphite.nix @@ -39,8 +39,6 @@ let GRAPHITE_URL = cfg.seyren.graphiteUrl; } // cfg.seyren.extraConfig; - pagerConfig = pkgs.writeText "alarms.yaml" cfg.pager.alerts; - configDir = pkgs.buildEnv { name = "graphite-config"; paths = lists.filter (el: el != null) [ @@ -61,12 +59,10 @@ let carbonEnv = { PYTHONPATH = let - cenv = pkgs.python.buildEnv.override { - extraLibs = [ pkgs.python27Packages.carbon ]; + cenv = pkgs.python3.buildEnv.override { + extraLibs = [ pkgs.python3Packages.carbon ]; }; - cenvPack = "${cenv}/${pkgs.python.sitePackages}"; - # opt/graphite/lib contains twisted.plugins.carbon-cache - in "${cenvPack}/opt/graphite/lib:${cenvPack}"; + in "${cenv}/${pkgs.python3.sitePackages}"; GRAPHITE_ROOT = dataDir; GRAPHITE_CONF_DIR = configDir; GRAPHITE_STORAGE_DIR = dataDir; @@ -74,6 +70,10 @@ let in { + imports = [ + (mkRemovedOptionModule ["services" "graphite" "pager"] "") + ]; + ###### interface options.services.graphite = { @@ -132,7 +132,7 @@ in { finders = mkOption { description = "List of finder plugins to load."; default = []; - example = literalExample "[ pkgs.python27Packages.influxgraph ]"; + example = literalExample "[ pkgs.python3Packages.influxgraph ]"; type = types.listOf types.package; }; @@ -159,8 +159,8 @@ in { package = mkOption { description = "Package to use for graphite api."; - default = pkgs.python27Packages.graphite_api; - defaultText = "pkgs.python27Packages.graphite_api"; + default = pkgs.python3Packages.graphite_api; + defaultText = "pkgs.python3Packages.graphite_api"; type = types.package; }; @@ -344,49 +344,6 @@ in { }; }; - pager = { - enable = mkOption { - description = '' - Whether to enable graphite-pager service. For more information visit - <link xlink:href="https://github.com/seatgeek/graphite-pager"/> - ''; - default = false; - type = types.bool; - }; - - redisUrl = mkOption { - description = "Redis connection string."; - default = "redis://localhost:${toString config.services.redis.port}/"; - type = types.str; - }; - - graphiteUrl = mkOption { - description = "URL to your graphite service."; - default = "http://${cfg.web.listenAddress}:${toString cfg.web.port}"; - type = types.str; - }; - - alerts = mkOption { - description = "Alerts configuration for graphite-pager."; - default = '' - alerts: - - target: constantLine(100) - warning: 90 - critical: 200 - name: Test - ''; - example = '' - pushbullet_key: pushbullet_api_key - alerts: - - target: stats.seatgeek.app.deal_quality.venue_info_cache.hit - warning: .5 - critical: 1 - name: Deal quality venue cache hits - ''; - type = types.lines; - }; - }; - beacon = { enable = mkEnableOption "graphite beacon"; @@ -409,7 +366,7 @@ in { environment = carbonEnv; serviceConfig = { RuntimeDirectory = name; - ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}"; + ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}"; User = "graphite"; Group = "graphite"; PermissionsStartOnly = true; @@ -431,7 +388,7 @@ in { environment = carbonEnv; serviceConfig = { RuntimeDirectory = name; - ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}"; + ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}"; User = "graphite"; Group = "graphite"; PIDFile="/run/${name}/${name}.pid"; @@ -447,7 +404,7 @@ in { environment = carbonEnv; serviceConfig = { RuntimeDirectory = name; - ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}"; + ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}"; User = "graphite"; Group = "graphite"; PIDFile="/run/${name}/${name}.pid"; @@ -457,19 +414,11 @@ in { (mkIf (cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay) { environment.systemPackages = [ - pkgs.pythonPackages.carbon + pkgs.python3Packages.carbon ]; }) - (mkIf cfg.web.enable (let - python27' = pkgs.python27.override { - packageOverrides = self: super: { - django = self.django_1_8; - django_tagging = self.django_tagging_0_4_3; - }; - }; - pythonPackages = python27'.pkgs; - in { + (mkIf cfg.web.enable ({ systemd.services.graphiteWeb = { description = "Graphite Web Interface"; wantedBy = [ "multi-user.target" ]; @@ -477,28 +426,27 @@ in { path = [ pkgs.perl ]; environment = { PYTHONPATH = let - penv = pkgs.python.buildEnv.override { + penv = pkgs.python3.buildEnv.override { extraLibs = [ - pythonPackages.graphite-web - pythonPackages.pysqlite + pkgs.python3Packages.graphite-web ]; }; - penvPack = "${penv}/${pkgs.python.sitePackages}"; + penvPack = "${penv}/${pkgs.python3.sitePackages}"; in concatStringsSep ":" [ "${graphiteLocalSettingsDir}" - "${penvPack}/opt/graphite/webapp" "${penvPack}" # explicitly adding pycairo in path because it cannot be imported via buildEnv - "${pkgs.pythonPackages.pycairo}/${pkgs.python.sitePackages}" + "${pkgs.python3Packages.pycairo}/${pkgs.python3.sitePackages}" ]; DJANGO_SETTINGS_MODULE = "graphite.settings"; + GRAPHITE_SETTINGS_MODULE = "graphite_local_settings"; GRAPHITE_CONF_DIR = configDir; GRAPHITE_STORAGE_DIR = dataDir; LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib"; }; serviceConfig = { ExecStart = '' - ${pkgs.python27Packages.waitress-django}/bin/waitress-serve-django \ + ${pkgs.python3Packages.waitress-django}/bin/waitress-serve-django \ --host=${cfg.web.listenAddress} --port=${toString cfg.web.port} ''; User = "graphite"; @@ -510,7 +458,7 @@ in { mkdir -p ${dataDir}/{whisper/,log/webapp/} chmod 0700 ${dataDir}/{whisper/,log/webapp/} - ${pkgs.pythonPackages.django_1_8}/bin/django-admin.py migrate --noinput + ${pkgs.python3Packages.django}/bin/django-admin.py migrate --noinput chown -R graphite:graphite ${dataDir} @@ -518,16 +466,16 @@ in { fi # Only collect static files when graphite_web changes. - if ! [ "${dataDir}/current_graphite_web" -ef "${pythonPackages.graphite-web}" ]; then + if ! [ "${dataDir}/current_graphite_web" -ef "${pkgs.python3Packages.graphite-web}" ]; then mkdir -p ${staticDir} - ${pkgs.pythonPackages.django_1_8}/bin/django-admin.py collectstatic --noinput --clear + ${pkgs.python3Packages.django}/bin/django-admin.py collectstatic --noinput --clear chown -R graphite:graphite ${staticDir} - ln -sfT "${pythonPackages.graphite-web}" "${dataDir}/current_graphite_web" + ln -sfT "${pkgs.python3Packages.graphite-web}" "${dataDir}/current_graphite_web" fi ''; }; - environment.systemPackages = [ pythonPackages.graphite-web ]; + environment.systemPackages = [ pkgs.python3Packages.graphite-web ]; })) (mkIf cfg.api.enable { @@ -537,16 +485,16 @@ in { after = [ "network.target" ]; environment = { PYTHONPATH = let - aenv = pkgs.python.buildEnv.override { - extraLibs = [ cfg.api.package pkgs.cairo pkgs.pythonPackages.cffi ] ++ cfg.api.finders; + aenv = pkgs.python3.buildEnv.override { + extraLibs = [ cfg.api.package pkgs.cairo pkgs.python3Packages.cffi ] ++ cfg.api.finders; }; - in "${aenv}/${pkgs.python.sitePackages}"; + in "${aenv}/${pkgs.python3.sitePackages}"; GRAPHITE_API_CONFIG = graphiteApiConfig; LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib"; }; serviceConfig = { ExecStart = '' - ${pkgs.python27Packages.waitress}/bin/waitress-serve \ + ${pkgs.python3Packages.waitress}/bin/waitress-serve \ --host=${cfg.api.listenAddress} --port=${toString cfg.api.port} \ graphite_api.app:app ''; @@ -591,34 +539,13 @@ in { services.mongodb.enable = mkDefault true; }) - (mkIf cfg.pager.enable { - systemd.services.graphitePager = { - description = "Graphite Pager Alerting Daemon"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "redis.service" ]; - environment = { - REDIS_URL = cfg.pager.redisUrl; - GRAPHITE_URL = cfg.pager.graphiteUrl; - }; - serviceConfig = { - ExecStart = "${pkgs.pythonPackages.graphitepager}/bin/graphite-pager --config ${pagerConfig}"; - User = "graphite"; - Group = "graphite"; - }; - }; - - services.redis.enable = mkDefault true; - - environment.systemPackages = [ pkgs.pythonPackages.graphitepager ]; - }) - (mkIf cfg.beacon.enable { systemd.services.graphite-beacon = { description = "Grpahite Beacon Alerting Daemon"; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = '' - ${pkgs.pythonPackages.graphite_beacon}/bin/graphite-beacon \ + ${pkgs.python3Packages.graphite_beacon}/bin/graphite-beacon \ --config=${pkgs.writeText "graphite-beacon.json" (builtins.toJSON cfg.beacon.config)} ''; User = "graphite"; @@ -630,7 +557,7 @@ in { (mkIf ( cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay || cfg.web.enable || cfg.api.enable || - cfg.seyren.enable || cfg.pager.enable || cfg.beacon.enable + cfg.seyren.enable || cfg.beacon.enable ) { users.users.graphite = { uid = config.ids.uids.graphite; diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index f8225af20428..a5233a46e341 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -9,10 +9,12 @@ let mkdir -p $out/libexec/netdata/plugins.d ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin + ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin + ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin ''; plugins = [ - "${pkgs.netdata}/libexec/netdata/plugins.d" + "${cfg.package}/libexec/netdata/plugins.d" "${wrappedPlugins}/libexec/netdata/plugins.d" ] ++ cfg.extraPluginPaths; @@ -35,6 +37,13 @@ in { services.netdata = { enable = mkEnableOption "netdata"; + package = mkOption { + type = types.package; + default = pkgs.netdata; + defaultText = "pkgs.netdata"; + description = "Netdata package to use."; + }; + user = mkOption { type = types.str; default = "netdata"; @@ -141,10 +150,11 @@ in { path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages); serviceConfig = { - Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules"; - ExecStart = "${pkgs.netdata}/bin/netdata -P /run/netdata/netdata.pid -D -c ${configFile}"; + Environment="PYTHONPATH=${cfg.package}/libexec/netdata/python.d/python_modules"; + ExecStart = "${cfg.package}/bin/netdata -P /run/netdata/netdata.pid -D -c ${configFile}"; ExecReload = "${pkgs.utillinux}/bin/kill -s HUP -s USR1 -s USR2 $MAINPID"; TimeoutStopSec = 60; + Restart = "on-failure"; # User and group User = cfg.user; Group = cfg.group; @@ -159,7 +169,7 @@ in { systemd.enableCgroupAccounting = true; security.wrappers."apps.plugin" = { - source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin.org"; + source = "${cfg.package}/libexec/netdata/plugins.d/apps.plugin.org"; capabilities = "cap_dac_read_search,cap_sys_ptrace+ep"; owner = cfg.user; group = cfg.group; @@ -167,13 +177,29 @@ in { }; security.wrappers."freeipmi.plugin" = { - source = "${pkgs.netdata}/libexec/netdata/plugins.d/freeipmi.plugin.org"; + source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org"; capabilities = "cap_dac_override,cap_fowner+ep"; owner = cfg.user; group = cfg.group; permissions = "u+rx,g+rx,o-rwx"; }; + security.wrappers."perf.plugin" = { + source = "${cfg.package}/libexec/netdata/plugins.d/perf.plugin.org"; + capabilities = "cap_sys_admin+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+rx,o-rx"; + }; + + security.wrappers."slabinfo.plugin" = { + source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org"; + capabilities = "cap_dac_override+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+rx,o-rx"; + }; + security.pam.loginLimits = [ { domain = "netdata"; type = "soft"; item = "nofile"; value = "10000"; } { domain = "netdata"; type = "hard"; item = "nofile"; value = "30000"; } diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixos/modules/services/monitoring/prometheus/alertmanager.nix index 4534d150885e..1b02ebf37045 100644 --- a/nixos/modules/services/monitoring/prometheus/alertmanager.nix +++ b/nixos/modules/services/monitoring/prometheus/alertmanager.nix @@ -21,6 +21,8 @@ let "--config.file /tmp/alert-manager-substituted.yaml" "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}" "--log.level ${cfg.logLevel}" + "--storage.path /var/lib/alertmanager" + (toString (map (peer: "--cluster.peer ${peer}:9094") cfg.clusterPeers)) ] ++ (optional (cfg.webExternalUrl != null) "--web.external-url ${cfg.webExternalUrl}" ) ++ (optional (cfg.logFormat != null) @@ -120,6 +122,14 @@ in { ''; }; + clusterPeers = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Initial peers for HA cluster. + ''; + }; + extraFlags = mkOption { type = types.listOf types.str; default = []; @@ -155,13 +165,14 @@ in { systemd.services.alertmanager = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + after = [ "network-online.target" ]; preStart = '' ${lib.getBin pkgs.envsubst}/bin/envsubst -o "/tmp/alert-manager-substituted.yaml" \ -i "${alertmanagerYml}" ''; serviceConfig = { Restart = "always"; + StateDirectory = "alertmanager"; DynamicUser = true; # implies PrivateTmp EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; WorkingDirectory = "/tmp"; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index 6b1a4be44d1d..84a72afac2f7 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -10,7 +10,7 @@ let # a wrapper that verifies that the configuration is valid promtoolCheck = what: name: file: if cfg.checkConfig then - pkgs.runCommand + pkgs.runCommandNoCCLocal "${name}-${replaceStrings [" "] [""] what}-checked" { buildInputs = [ cfg.package ]; } '' ln -s ${file} $out @@ -19,7 +19,7 @@ let # Pretty-print JSON to a file writePrettyJSON = name: x: - pkgs.runCommand name { preferLocalBuild = true; } '' + pkgs.runCommandNoCCLocal name {} '' echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix index 045e48a3d0f8..01276366e97b 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix @@ -58,7 +58,7 @@ in in { serviceConfig = { ExecStart = '' - ${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \ + ${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter \ --config.file=${escapeShellArg configFile} \ --log.format=${escapeShellArg cfg.logFormat} \ --log.level=${cfg.logLevel} \ diff --git a/nixos/modules/services/monitoring/scollector.nix b/nixos/modules/services/monitoring/scollector.nix index 38cd2213de76..6f13ce889cba 100644 --- a/nixos/modules/services/monitoring/scollector.nix +++ b/nixos/modules/services/monitoring/scollector.nix @@ -118,7 +118,7 @@ in { serviceConfig = { User = cfg.user; Group = cfg.group; - ExecStart = "${cfg.package.bin}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}"; + ExecStart = "${cfg.package}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}"; }; }; diff --git a/nixos/modules/services/monitoring/tuptime.nix b/nixos/modules/services/monitoring/tuptime.nix new file mode 100644 index 000000000000..731260a5c20a --- /dev/null +++ b/nixos/modules/services/monitoring/tuptime.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.tuptime; + +in { + + options.services.tuptime = { + + enable = mkEnableOption "the total uptime service"; + + timer = { + enable = mkOption { + type = types.bool; + default = true; + description = "Whether to regularly log uptime to detect bad shutdowns."; + }; + + period = mkOption { + type = types.str; + default = "*:0/5"; + description = "systemd calendar event"; + }; + }; + }; + + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.tuptime ]; + + users.users.tuptime.description = "tuptime database owner"; + + systemd = { + services = { + + tuptime = { + description = "the total uptime service"; + documentation = [ "man:tuptime(1)" ]; + after = [ "time-sync.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + StateDirectory = "tuptime"; + Type = "oneshot"; + User = "tuptime"; + RemainAfterExit = true; + ExecStart = "${pkgs.tuptime}/bin/tuptime -x"; + ExecStop = "${pkgs.tuptime}/bin/tuptime -xg"; + }; + }; + + tuptime-oneshot = mkIf cfg.timer.enable { + description = "the tuptime scheduled execution unit"; + serviceConfig = { + StateDirectory = "tuptime"; + Type = "oneshot"; + User = "tuptime"; + ExecStart = "${pkgs.tuptime}/bin/tuptime -x"; + }; + }; + }; + + timers.tuptime = mkIf cfg.timer.enable { + description = "the tuptime scheduled execution timer"; + # this timer should be started if the service is started + # even if the timer was previously stopped + wantedBy = [ "tuptime.service" "timers.target" ]; + # this timer should be stopped if the service is stopped + partOf = [ "tuptime.service" ]; + timerConfig = { + OnBootSec = "1min"; + OnCalendar = cfg.timer.period; + Unit = "tuptime-oneshot.service"; + }; + }; + }; + }; + + meta.maintainers = [ maintainers.evils ]; + +} diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index b6d881afd7bd..1f5c14d777d7 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -37,9 +37,7 @@ let baseService = recursiveUpdate commonEnv { wants = [ "ipfs-init.service" ]; # NB: migration must be performed prior to pre-start, else we get the failure message! - preStart = '' - ipfs repo fsck # workaround for BUG #4212 (https://github.com/ipfs/go-ipfs/issues/4214) - '' + optionalString cfg.autoMount '' + preStart = optionalString cfg.autoMount '' ipfs --local config Mounts.FuseAllowOther --json true ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir} ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir} @@ -219,6 +217,9 @@ in { createHome = false; uid = config.ids.uids.ipfs; description = "IPFS daemon user"; + packages = [ + pkgs.ipfs-migrator + ]; }; }; diff --git a/nixos/modules/services/network-filesystems/netatalk.nix b/nixos/modules/services/network-filesystems/netatalk.nix index 1dd869043f0c..7674c8f7fa8d 100644 --- a/nixos/modules/services/network-filesystems/netatalk.nix +++ b/nixos/modules/services/network-filesystems/netatalk.nix @@ -43,10 +43,7 @@ in options = { services.netatalk = { - enable = mkOption { - default = false; - description = "Whether to enable the Netatalk AFP fileserver."; - }; + enable = mkEnableOption "the Netatalk AFP fileserver"; port = mkOption { default = 548; @@ -65,6 +62,7 @@ in homes = { enable = mkOption { + type = types.bool; default = false; description = "Enable sharing of the UNIX server user home directories."; }; @@ -98,13 +96,14 @@ in Set of AFP volumes to export. See <literal>man apf.conf</literal> for more information. ''; - example = + example = literalExample '' { srv = { path = "/srv"; "read only" = true; "hosts allow" = "10.1.0.0/16 10.2.1.100 2001:0db8:1234::/48"; }; - }; + } + ''; }; extmap = mkOption { diff --git a/nixos/modules/services/network-filesystems/openafs/client.nix b/nixos/modules/services/network-filesystems/openafs/client.nix index 79c4b7aee066..677111814a01 100644 --- a/nixos/modules/services/network-filesystems/openafs/client.nix +++ b/nixos/modules/services/network-filesystems/openafs/client.nix @@ -9,7 +9,7 @@ let cfg = config.services.openafsClient; cellServDB = pkgs.fetchurl { - url = http://dl.central.org/dl/cellservdb/CellServDB.2018-05-14; + url = "http://dl.central.org/dl/cellservdb/CellServDB.2018-05-14"; sha256 = "1wmjn6mmyy2r8p10nlbdzs4nrqxy8a9pjyrdciy5nmppg4053rk2"; }; diff --git a/nixos/modules/services/network-filesystems/rsyncd.nix b/nixos/modules/services/network-filesystems/rsyncd.nix index b17ec3aa9300..fa29e18a9395 100644 --- a/nixos/modules/services/network-filesystems/rsyncd.nix +++ b/nixos/modules/services/network-filesystems/rsyncd.nix @@ -29,10 +29,7 @@ in options = { services.rsyncd = { - enable = mkOption { - default = false; - description = "Whether to enable the rsync daemon."; - }; + enable = mkEnableOption "the rsync daemon"; motd = mkOption { type = types.str; @@ -74,13 +71,14 @@ in See <command>man rsyncd.conf</command> for options. ''; type = types.attrsOf (types.attrsOf types.str); - example = + example = literalExample '' { srv = { path = "/srv"; "read only" = "yes"; comment = "Public rsync share."; }; - }; + } + ''; }; user = mkOption { diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index a3c22ce69484..08c912e0fcd4 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -189,7 +189,7 @@ in See <command>man smb.conf</command> for options. ''; type = types.attrsOf (types.attrsOf types.unspecified); - example = + example = literalExample '' { public = { path = "/srv/public"; "read only" = true; @@ -197,7 +197,8 @@ in "guest ok" = "yes"; comment = "Public samba share."; }; - }; + } + ''; }; }; @@ -223,6 +224,7 @@ in (mkIf cfg.enable { system.nssModules = optional cfg.nsswins samba; + system.nssDatabases.hosts = optional cfg.nsswins "wins"; systemd = { targets.samba = { diff --git a/nixos/modules/services/network-filesystems/xtreemfs.nix b/nixos/modules/services/network-filesystems/xtreemfs.nix index c93e201da56c..b8f8c1d71174 100644 --- a/nixos/modules/services/network-filesystems/xtreemfs.nix +++ b/nixos/modules/services/network-filesystems/xtreemfs.nix @@ -100,11 +100,13 @@ in dir = { enable = mkOption { + type = types.bool; default = true; description = '' Whether to enable XtreemFS DIR service. ''; }; + uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e40"; description = '' @@ -218,11 +220,13 @@ in mrc = { enable = mkOption { + type = types.bool; default = true; description = '' Whether to enable XtreemFS MRC service. ''; }; + uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e41"; description = '' @@ -354,11 +358,13 @@ in osd = { enable = mkOption { + type = types.bool; default = true; description = '' Whether to enable XtreemFS OSD service. ''; }; + uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e42"; description = '' diff --git a/nixos/modules/services/network-filesystems/yandex-disk.nix b/nixos/modules/services/network-filesystems/yandex-disk.nix index 0aa01ef9e6d9..cc73f13bf77a 100644 --- a/nixos/modules/services/network-filesystems/yandex-disk.nix +++ b/nixos/modules/services/network-filesystems/yandex-disk.nix @@ -21,6 +21,7 @@ in services.yandex-disk = { enable = mkOption { + type = types.bool; default = false; description = " Whether to enable Yandex-disk client. See https://disk.yandex.ru/ diff --git a/nixos/modules/services/networking/3proxy.nix b/nixos/modules/services/networking/3proxy.nix index 26aa16679467..ae8a4958ca96 100644 --- a/nixos/modules/services/networking/3proxy.nix +++ b/nixos/modules/services/networking/3proxy.nix @@ -334,10 +334,12 @@ in { nsrecord = mkOption { type = types.attrsOf types.str; default = { }; - example = { - "files.local" = "192.168.1.12"; - "site.local" = "192.168.1.43"; - }; + example = literalExample '' + { + "files.local" = "192.168.1.12"; + "site.local" = "192.168.1.43"; + } + ''; description = "Adds static nsrecords."; }; }; diff --git a/nixos/modules/services/networking/amuled.nix b/nixos/modules/services/networking/amuled.nix index 57f02542eafd..1128ee2c3e61 100644 --- a/nixos/modules/services/networking/amuled.nix +++ b/nixos/modules/services/networking/amuled.nix @@ -16,6 +16,7 @@ in services.amule = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to run the AMule daemon. You need to manually run "amuled --ec-config" to configure the service for the first time. diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index ddcfe3d77e2f..c876b252e8cd 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -238,6 +238,10 @@ in users.groups.avahi = {}; system.nssModules = optional cfg.nssmdns pkgs.nssmdns; + system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [ + [ "mdns_minimal [NOTFOUND=return]" ] + (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns + ]); environment.systemPackages = [ pkgs.avahi ]; diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix index de863461eab2..e62c74d0069d 100644 --- a/nixos/modules/services/networking/babeld.nix +++ b/nixos/modules/services/networking/babeld.nix @@ -35,12 +35,7 @@ in services.babeld = { - enable = mkOption { - default = false; - description = '' - Whether to run the babeld network routing daemon. - ''; - }; + enable = mkEnableOption "the babeld network routing daemon"; interfaceDefaults = mkOption { default = null; diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index e3b95afb3d86..faad88635759 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -68,12 +68,7 @@ in services.bind = { - enable = mkOption { - default = false; - description = " - Whether to enable BIND domain name server. - "; - }; + enable = mkEnableOption "BIND domain name server"; cacheNetworks = mkOption { default = ["127.0.0.0/24"]; diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix index 01a16698384a..9ebf382fce42 100644 --- a/nixos/modules/services/networking/bitlbee.nix +++ b/nixos/modules/services/networking/bitlbee.nix @@ -48,6 +48,7 @@ in services.bitlbee = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to run the BitlBee IRC to other chat network gateway. diff --git a/nixos/modules/services/networking/cntlm.nix b/nixos/modules/services/networking/cntlm.nix index 4e4e3104c3a8..5b5068e43d7c 100644 --- a/nixos/modules/services/networking/cntlm.nix +++ b/nixos/modules/services/networking/cntlm.nix @@ -33,12 +33,7 @@ in options.services.cntlm = { - enable = mkOption { - default = false; - description = '' - Whether to enable the cntlm, which start a local proxy. - ''; - }; + enable = mkEnableOption "cntlm, which starts a local proxy"; username = mkOption { description = '' diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index e8eadc4e187d..6ccc2dffb267 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -77,6 +77,13 @@ in { ''; }; + package = mkOption { + type = types.path; + description = "The connman package / build flavor"; + default = connman; + example = literalExample "pkgs.connmanFull"; + }; + }; }; @@ -89,11 +96,13 @@ in { assertion = !config.networking.useDHCP; message = "You can not use services.connman with networking.useDHCP"; }{ + # TODO: connman seemingly can be used along network manager and + # connmanFull supports this - so this should be worked out somehow assertion = !config.networking.networkmanager.enable; message = "You can not use services.connman with networking.networkmanager"; }]; - environment.systemPackages = [ connman ]; + environment.systemPackages = [ cfg.package ]; systemd.services.connman = { description = "Connection service"; @@ -105,7 +114,7 @@ in { BusName = "net.connman"; Restart = "on-failure"; ExecStart = toString ([ - "${pkgs.connman}/sbin/connmand" + "${cfg.package}/sbin/connmand" "--config=${configFile}" "--nodaemon" ] ++ optional enableIwd "--wifi=iwd_agent" @@ -122,7 +131,7 @@ in { serviceConfig = { Type = "dbus"; BusName = "net.connman.vpn"; - ExecStart = "${pkgs.connman}/sbin/connman-vpnd -n"; + ExecStart = "${cfg.package}/sbin/connman-vpnd -n"; StandardOutput = "null"; }; }; @@ -132,7 +141,7 @@ in { serviceConfig = { Name = "net.connman.vpn"; before = [ "connman" ]; - ExecStart = "${pkgs.connman}/sbin/connman-vpnd -n"; + ExecStart = "${cfg.package}/sbin/connman-vpnd -n"; User = "root"; SystemdService = "connman-vpn.service"; }; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index 689cbc8a986d..f7d2afead06c 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -179,15 +179,15 @@ in (filterAttrs (n: _: hasPrefix "consul.d/" n) config.environment.etc); serviceConfig = { - ExecStart = "@${cfg.package.bin}/bin/consul consul agent -config-dir /etc/consul.d" + ExecStart = "@${cfg.package}/bin/consul consul agent -config-dir /etc/consul.d" + concatMapStrings (n: " -config-file ${n}") configFiles; - ExecReload = "${cfg.package.bin}/bin/consul reload"; + ExecReload = "${cfg.package}/bin/consul reload"; PermissionsStartOnly = true; User = if cfg.dropPrivileges then "consul" else null; Restart = "on-failure"; TimeoutStartSec = "infinity"; } // (optionalAttrs (cfg.leaveOnStop) { - ExecStop = "${cfg.package.bin}/bin/consul leave"; + ExecStop = "${cfg.package}/bin/consul leave"; }); path = with pkgs; [ iproute gnugrep gawk consul ]; @@ -238,7 +238,7 @@ in serviceConfig = { ExecStart = '' - ${cfg.alerts.package.bin}/bin/consul-alerts start \ + ${cfg.alerts.package}/bin/consul-alerts start \ --alert-addr=${cfg.alerts.listenAddr} \ --consul-addr=${cfg.alerts.consulAddr} \ ${optionalString cfg.alerts.watchChecks "--watch-checks"} \ diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index c0619211c2fe..0507b739d499 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -81,7 +81,7 @@ let # anything ever again ("couldn't resolve ..., giving up on # it"), so we silently lose time synchronisation. This also # applies to openntpd. - ${config.systemd.package}/bin/systemctl try-reload-or-restart ntpd.service openntpd.service chronyd.service || true + /run/current-system/systemd/bin/systemctl try-reload-or-restart ntpd.service openntpd.service chronyd.service || true fi ${cfg.runHook} @@ -217,7 +217,7 @@ in powerManagement.resumeCommands = mkIf config.systemd.services.dhcpcd.enable '' # Tell dhcpcd to rebind its interfaces if it's running. - ${config.systemd.package}/bin/systemctl reload dhcpcd.service + /run/current-system/systemd/bin/systemctl reload dhcpcd.service ''; }; diff --git a/nixos/modules/services/networking/dnscache.nix b/nixos/modules/services/networking/dnscache.nix index d123bca93219..d06032daecc7 100644 --- a/nixos/modules/services/networking/dnscache.nix +++ b/nixos/modules/services/networking/dnscache.nix @@ -61,10 +61,12 @@ in { Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts). If entry for @ is not specified predefined list of root servers is used. ''; - example = { - "@" = ["8.8.8.8" "8.8.4.4"]; - "example.com" = ["192.168.100.100"]; - }; + example = literalExample '' + { + "@" = ["8.8.8.8" "8.8.4.4"]; + "example.com" = ["192.168.100.100"]; + } + ''; }; forwardOnly = mkOption { diff --git a/nixos/modules/services/networking/dnscrypt-proxy2.nix b/nixos/modules/services/networking/dnscrypt-proxy2.nix index e48eb729103b..28691e838277 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy2.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix @@ -55,6 +55,7 @@ in AmbientCapabilities = "CAP_NET_BIND_SERVICE"; DynamicUser = true; ExecStart = "${pkgs.dnscrypt-proxy2}/bin/dnscrypt-proxy -config ${cfg.configFile}"; + Restart = "always"; }; }; }; diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index e53fb7a15782..b9333cd19a2a 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -5,12 +5,20 @@ let cfg = config.services.dnscrypt-wrapper; dataDir = "/var/lib/dnscrypt-wrapper"; + mkPath = path: default: + if path != null + then toString path + else default; + + publicKey = mkPath cfg.providerKey.public "${dataDir}/public.key"; + secretKey = mkPath cfg.providerKey.secret "${dataDir}/secret.key"; + daemonArgs = with cfg; [ "--listen-address=${address}:${toString port}" "--resolver-address=${upstream.address}:${toString upstream.port}" "--provider-name=${providerName}" - "--provider-publickey-file=public.key" - "--provider-secretkey-file=secret.key" + "--provider-publickey-file=${publicKey}" + "--provider-secretkey-file=${secretKey}" "--provider-cert-file=${providerName}.crt" "--crypt-secretkey-file=${providerName}.key" ]; @@ -24,17 +32,19 @@ let dnscrypt-wrapper --gen-cert-file \ --crypt-secretkey-file=${cfg.providerName}.key \ --provider-cert-file=${cfg.providerName}.crt \ - --provider-publickey-file=public.key \ - --provider-secretkey-file=secret.key \ + --provider-publickey-file=${publicKey} \ + --provider-secretkey-file=${secretKey} \ --cert-file-expire-days=${toString cfg.keys.expiration} } cd ${dataDir} # generate provider keypair (first run only) - if [ ! -f public.key ] || [ ! -f secret.key ]; then - dnscrypt-wrapper --gen-provider-keypair - fi + ${optionalString (cfg.providerKey.public == null || cfg.providerKey.secret == null) '' + if [ ! -f ${publicKey} ] || [ ! -f ${secretKey} ]; then + dnscrypt-wrapper --gen-provider-keypair + fi + ''} # generate new keys for rotation if [ ! -f ${cfg.providerName}.key ] || [ ! -f ${cfg.providerName}.crt ]; then @@ -64,6 +74,47 @@ let fi ''; + + # This is the fork of the original dnscrypt-proxy maintained by Dyne.org. + # dnscrypt-proxy2 doesn't provide the `--test` feature that is needed to + # correctly implement key rotation of dnscrypt-wrapper ephemeral keys. + dnscrypt-proxy1 = pkgs.callPackage + ({ stdenv, fetchFromGitHub, autoreconfHook + , pkgconfig, libsodium, ldns, openssl, systemd }: + + stdenv.mkDerivation rec { + pname = "dnscrypt-proxy"; + version = "2019-08-20"; + + src = fetchFromGitHub { + owner = "dyne"; + repo = "dnscrypt-proxy"; + rev = "07ac3825b5069adc28e2547c16b1d983a8ed8d80"; + sha256 = "0c4mq741q4rpmdn09agwmxap32kf0vgfz7pkhcdc5h54chc3g3xy"; + }; + + configureFlags = optional stdenv.isLinux "--with-systemd"; + + nativeBuildInputs = [ autoreconfHook pkgconfig ]; + + # <ldns/ldns.h> depends on <openssl/ssl.h> + buildInputs = [ libsodium openssl.dev ldns ] ++ optional stdenv.isLinux systemd; + + postInstall = '' + # Previous versions required libtool files to load plugins; they are + # now strictly optional. + rm $out/lib/dnscrypt-proxy/*.la + ''; + + meta = { + description = "A tool for securing communications between a client and a DNS resolver"; + homepage = "https://github.com/dyne/dnscrypt-proxy"; + license = licenses.isc; + maintainers = with maintainers; [ rnhmjoj ]; + platforms = platforms.linux; + }; + }) { }; + in { @@ -98,6 +149,26 @@ in { ''; }; + providerKey.public = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/secrets/public.key"; + description = '' + The filepath to the provider public key. If not given a new + provider key pair will be generated on the first run. + ''; + }; + + providerKey.secret = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/secrets/secret.key"; + description = '' + The filepath to the provider secret key. If not given a new + provider key pair will be generated on the first run. + ''; + }; + upstream.address = mkOption { type = types.str; default = "127.0.0.1"; @@ -179,7 +250,7 @@ in { requires = [ "dnscrypt-wrapper.service" ]; description = "Rotates DNSCrypt wrapper keys if soon to expire"; - path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy gawk ]; + path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ]; script = rotateKeys; serviceConfig.User = "dnscrypt-wrapper"; }; @@ -196,6 +267,13 @@ in { }; }; + assertions = with cfg; [ + { assertion = (providerKey.public == null && providerKey.secret == null) || + (providerKey.secret != null && providerKey.public != null); + message = "The secret and public provider key must be set together."; + } + ]; + }; meta.maintainers = with lib.maintainers; [ rnhmjoj ]; diff --git a/nixos/modules/services/networking/ergo.nix b/nixos/modules/services/networking/ergo.nix new file mode 100644 index 000000000000..c52de30dc361 --- /dev/null +++ b/nixos/modules/services/networking/ergo.nix @@ -0,0 +1,141 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.ergo; + + inherit (lib) mkEnableOption mkIf mkOption optionalString types; + + configFile = pkgs.writeText "ergo.conf" ('' +ergo { + directory = "${cfg.dataDir}" + node { + mining = false + } + wallet.secretStorage.secretDir = "${cfg.dataDir}/wallet/keystore" +} + +scorex { + network { + bindAddress = "${cfg.listen.ip}:${toString cfg.listen.port}" + } +'' + optionalString (cfg.api.keyHash != null) '' + restApi { + apiKeyHash = "${cfg.api.keyHash}" + bindAddress = "${cfg.api.listen.ip}:${toString cfg.api.listen.port}" + } +'' + '' +} +''); + +in { + + options = { + + services.ergo = { + enable = mkEnableOption "Ergo service"; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/ergo"; + description = "The data directory for the Ergo node."; + }; + + listen = { + ip = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address on which the Ergo node should listen."; + }; + + port = mkOption { + type = types.port; + default = 9006; + description = "Listen port for the Ergo node."; + }; + }; + + api = { + keyHash = mkOption { + type = types.nullOr types.str; + default = null; + example = "324dcf027dd4a30a932c441f365a25e86b173defa4b8e58948253471b81b72cf"; + description = "Hex-encoded Blake2b256 hash of an API key as a 64-chars long Base16 string."; + }; + + listen = { + ip = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address that the Ergo node API should listen on if <option>api.keyHash</option> is defined."; + }; + + port = mkOption { + type = types.port; + default = 9052; + description = "Listen port for the API endpoint if <option>api.keyHash</option> is defined."; + }; + }; + }; + + testnet = mkOption { + type = types.bool; + default = false; + description = "Connect to testnet network instead of the default mainnet."; + }; + + user = mkOption { + type = types.str; + default = "ergo"; + description = "The user as which to run the Ergo node."; + }; + + group = mkOption { + type = types.str; + default = cfg.user; + description = "The group as which to run the Ergo node."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for the Ergo node as well as the API."; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -" + ]; + + systemd.services.ergo = { + description = "ergo server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = ''${pkgs.ergo}/bin/ergo \ + ${optionalString (!cfg.testnet) + "--mainnet"} \ + -c ${configFile}''; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.listen.port ] ++ [ cfg.api.listen.port ]; + }; + + users.users.${cfg.user} = { + name = cfg.user; + group = cfg.group; + description = "Ergo daemon user"; + home = cfg.dataDir; + isSystemUser = true; + }; + + users.groups.${cfg.group} = {}; + + }; +} diff --git a/nixos/modules/services/networking/flannel.nix b/nixos/modules/services/networking/flannel.nix index dd2f6454e954..4c040112d28d 100644 --- a/nixos/modules/services/networking/flannel.nix +++ b/nixos/modules/services/networking/flannel.nix @@ -19,8 +19,8 @@ in { package = mkOption { description = "Package to use for flannel"; type = types.package; - default = pkgs.flannel.bin; - defaultText = "pkgs.flannel.bin"; + default = pkgs.flannel; + defaultText = "pkgs.flannel"; }; publicIp = mkOption { @@ -167,7 +167,7 @@ in { touch /run/flannel/docker '' + optionalString (cfg.storageBackend == "etcd") '' echo "setting network configuration" - until ${pkgs.etcdctl.bin}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}' + until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}' do echo "setting network configuration, retry" sleep 1 diff --git a/nixos/modules/services/networking/flashpolicyd.nix b/nixos/modules/services/networking/flashpolicyd.nix index 9c51b88ef677..7f25083307c7 100644 --- a/nixos/modules/services/networking/flashpolicyd.nix +++ b/nixos/modules/services/networking/flashpolicyd.nix @@ -39,6 +39,7 @@ in services.flashpolicyd = { enable = mkOption { + type = types.bool; default = false; description = '' diff --git a/nixos/modules/services/networking/gogoclient.nix b/nixos/modules/services/networking/gogoclient.nix index c9b03bca7112..99455b183144 100644 --- a/nixos/modules/services/networking/gogoclient.nix +++ b/nixos/modules/services/networking/gogoclient.nix @@ -19,6 +19,7 @@ in ''; }; autorun = mkOption { + type = types.bool; default = true; description = '' Whether to automatically start the tunnel. diff --git a/nixos/modules/services/networking/gvpe.nix b/nixos/modules/services/networking/gvpe.nix index 3ef3548e0a08..92e87cd4640d 100644 --- a/nixos/modules/services/networking/gvpe.nix +++ b/nixos/modules/services/networking/gvpe.nix @@ -42,12 +42,8 @@ in { options = { services.gvpe = { - enable = mkOption { - default = false; - description = '' - Whether to run gvpe - ''; - }; + enable = lib.mkEnableOption "gvpe"; + nodename = mkOption { default = null; description ='' diff --git a/nixos/modules/services/networking/haproxy.nix b/nixos/modules/services/networking/haproxy.nix index 4678829986c6..e9d72b35499d 100644 --- a/nixos/modules/services/networking/haproxy.nix +++ b/nixos/modules/services/networking/haproxy.nix @@ -56,6 +56,9 @@ with lib; message = "You must provide services.haproxy.config."; }]; + # configuration file indirection is needed to support reloading + environment.etc."haproxy.cfg".source = haproxyCfg; + systemd.services.haproxy = { description = "HAProxy"; after = [ "network.target" ]; @@ -64,11 +67,32 @@ with lib; User = cfg.user; Group = cfg.group; Type = "notify"; - # when running the config test, don't be quiet so we can see what goes wrong - ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}"; - ExecStart = "${pkgs.haproxy}/sbin/haproxy -Ws -f ${haproxyCfg}"; - Restart = "on-failure"; + ExecStartPre = [ + # when the master process receives USR2, it reloads itself using exec(argv[0]), + # so we create a symlink there and update it before reloading + "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy" + # when running the config test, don't be quiet so we can see what goes wrong + "/run/haproxy/haproxy -c -f ${haproxyCfg}" + ]; + ExecStart = "/run/haproxy/haproxy -Ws -f /etc/haproxy.cfg -p /run/haproxy/haproxy.pid"; + # support reloading + ExecReload = [ + "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}" + "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy" + "${pkgs.coreutils}/bin/kill -USR2 $MAINPID" + ]; + KillMode = "mixed"; + SuccessExitStatus = "143"; + Restart = "always"; RuntimeDirectory = "haproxy"; + # upstream hardening options + NoNewPrivileges = true; + ProtectHome = true; + ProtectSystem = "strict"; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + SystemCallFilter= "~@cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap @sync"; # needed in case we bind to port < 1024 AmbientCapabilities = "CAP_NET_BIND_SERVICE"; }; diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index 2915b54f05b4..5d73038363a9 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -20,12 +20,14 @@ let ssid=${cfg.ssid} hw_mode=${cfg.hwMode} channel=${toString cfg.channel} + ${optionalString (cfg.countryCode != null) ''country_code=${cfg.countryCode}''} + ${optionalString (cfg.countryCode != null) ''ieee80211d=1''} # logging (debug level) logger_syslog=-1 - logger_syslog_level=2 + logger_syslog_level=${toString cfg.logLevel} logger_stdout=-1 - logger_stdout_level=2 + logger_stdout_level=${toString cfg.logLevel} ctrl_interface=/run/hostapd ctrl_interface_group=${cfg.group} @@ -49,6 +51,7 @@ in services.hostapd = { enable = mkOption { + type = types.bool; default = false; description = '' Enable putting a wireless interface into infrastructure mode, @@ -71,6 +74,7 @@ in }; noScan = mkOption { + type = types.bool; default = false; description = '' Do not scan for overlapping BSSs in HT40+/- mode. @@ -126,6 +130,7 @@ in }; wpa = mkOption { + type = types.bool; default = true; description = '' Enable WPA (IEEE 802.11i/D3.0) to authenticate with the access point. @@ -144,6 +149,35 @@ in ''; }; + logLevel = mkOption { + default = 2; + type = types.int; + description = '' + Levels (minimum value for logged events): + 0 = verbose debugging + 1 = debugging + 2 = informational messages + 3 = notification + 4 = warning + ''; + }; + + countryCode = mkOption { + default = null; + example = "US"; + type = with types; nullOr str; + description = '' + Country code (ISO/IEC 3166-1). Used to set regulatory domain. + Set as needed to indicate country in which device is operating. + This can limit available channels and transmit power. + These two octets are used as the first two octets of the Country String + (dot11CountryString). + If set this enables IEEE 802.11d. This advertises the countryCode and + the set of allowed channels and transmit power levels based on the + regulatory limits. + ''; + }; + extraConfig = mkOption { default = ""; example = '' @@ -164,6 +198,8 @@ in environment.systemPackages = [ pkgs.hostapd ]; + services.udev.packages = optional (cfg.countryCode != null) [ pkgs.crda ]; + systemd.services.hostapd = { description = "hostapd wireless AP"; diff --git a/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixos/modules/services/networking/ircd-hybrid/default.nix index b236552eb653..91d0bf437d69 100644 --- a/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -36,12 +36,7 @@ in services.ircdHybrid = { - enable = mkOption { - default = false; - description = " - Enable IRCD. - "; - }; + enable = mkEnableOption "IRCD"; serverName = mkOption { default = "hades.arpa"; diff --git a/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix new file mode 100644 index 000000000000..09d357cd2b6e --- /dev/null +++ b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.magic-wormhole-mailbox-server; + dataDir = "/var/lib/magic-wormhole-mailbox-server;"; + python = pkgs.python3.withPackages (py: [ py.magic-wormhole-mailbox-server py.twisted ]); +in +{ + options.services.magic-wormhole-mailbox-server = { + enable = mkEnableOption "Enable Magic Wormhole Mailbox Server"; + }; + + config = mkIf cfg.enable { + systemd.services.magic-wormhole-mailbox-server = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = "${python}/bin/twistd --nodaemon wormhole-mailbox"; + WorkingDirectory = dataDir; + StateDirectory = baseNameOf dataDir; + }; + }; + + }; +} diff --git a/nixos/modules/services/networking/mailpile.nix b/nixos/modules/services/networking/mailpile.nix index c42d3d5a44cb..b79ee11d17db 100644 --- a/nixos/modules/services/networking/mailpile.nix +++ b/nixos/modules/services/networking/mailpile.nix @@ -18,12 +18,8 @@ in options = { services.mailpile = { - enable = mkOption { - default = false; - description = " - Whether to enable Mailpile the mail client. - "; - }; + enable = mkEnableOption "Mailpile the mail client"; + hostname = mkOption { default = "localhost"; description = "Listen to this hostname or ip."; diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index b95364308682..97af29978397 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -26,7 +26,7 @@ let rpc-login=${rpc.user}:${rpc.password} ''} ${optionalString rpc.restricted '' - restrict-rpc=1 + restricted-rpc=1 ''} limit-rate-up=${toString limits.upload} diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix new file mode 100644 index 000000000000..cc98414257ca --- /dev/null +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.mullvad-vpn; +in +with lib; +{ + options.services.mullvad-vpn.enable = mkOption { + type = types.bool; + default = false; + description = '' + This option enables Mullvad VPN daemon. + ''; + }; + + config = mkIf cfg.enable { + boot.kernelModules = [ "tun" ]; + + systemd.services.mullvad-daemon = { + description = "Mullvad VPN daemon"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = [ + "network-online.target" + "NetworkManager.service" + "systemd-resolved.service" + ]; + path = [ + pkgs.iproute + # Needed for ping + "/run/wrappers" + ]; + serviceConfig = { + StartLimitBurst = 5; + StartLimitIntervalSec = 20; + ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps"; + Restart = "always"; + RestartSec = 1; + }; + }; + }; + + meta.maintainers = [ maintainers.xfix ]; +} diff --git a/nixos/modules/services/networking/ndppd.nix b/nixos/modules/services/networking/ndppd.nix index e015f76f622b..77e979a8a424 100644 --- a/nixos/modules/services/networking/ndppd.nix +++ b/nixos/modules/services/networking/ndppd.nix @@ -43,7 +43,7 @@ let timeout = mkOption { type = types.int; description = '' - Controls how long to wait for a Neighbor Advertisment Message before + Controls how long to wait for a Neighbor Advertisment Message before invalidating the entry, in milliseconds. ''; default = 500; @@ -51,7 +51,7 @@ let ttl = mkOption { type = types.int; description = '' - Controls how long a valid or invalid entry remains in the cache, in + Controls how long a valid or invalid entry remains in the cache, in milliseconds. ''; default = 30000; @@ -142,7 +142,11 @@ in { messages, and respond to them according to a set of rules. ''; default = {}; - example = { eth0.rules."1111::/64" = {}; }; + example = literalExample '' + { + eth0.rules."1111::/64" = {}; + } + ''; }; }; diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index e817f295a445..cc789897b29f 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -131,6 +131,10 @@ let in { + meta = { + maintainers = teams.freedesktop.members; + }; + ###### interface options = { @@ -445,6 +449,13 @@ in { systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; + # override unit as recommended by upstream - see https://github.com/NixOS/nixpkgs/issues/88089 + # TODO: keep an eye on modem-manager releases as this will eventually be added to the upstream unit + systemd.services.ModemManager.serviceConfig.ExecStart = [ + "" + "${pkgs.modemmanager}/sbin/ModemManager --filter-policy=STRICT" + ]; + systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index ad7c013a5449..ec9d9753cfe2 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -52,7 +52,7 @@ in ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept # allow "ping" - ip6 nexthdr icmp icmpv6 type echo-request accept + ip6 nexthdr icmpv6 icmpv6 type echo-request accept ip protocol icmp icmp type echo-request accept # accept SSH connections (required for a server) diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 429580e5c6c4..6e3eed0c5570 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -252,7 +252,7 @@ let Use imports or pkgs.lib.readFile if you don't want this data in your config file. ''; }; - + dnssec = mkEnableOption "DNSSEC"; dnssecPolicy = { @@ -970,7 +970,7 @@ in script = signZones; postStop = '' - ${pkgs.systemd}/bin/systemctl kill -s SIGHUP nsd.service + /run/current-system/systemd/bin/systemctl kill -s SIGHUP nsd.service ''; }; diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix index da9d960cc142..b7e4c89a155c 100644 --- a/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixos/modules/services/networking/ntp/chrony.nix @@ -30,6 +30,7 @@ in options = { services.chrony = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to synchronise your machine's time using chrony. @@ -92,6 +93,11 @@ in systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; }; + systemd.tmpfiles.rules = [ + "d ${stateDir} 0755 chrony chrony - -" + "f ${keyFile} 0640 chrony chrony -" + ]; + systemd.services.chronyd = { description = "chrony NTP daemon"; @@ -103,13 +109,6 @@ in path = [ pkgs.chrony ]; - preStart = '' - mkdir -m 0755 -p ${stateDir} - touch ${keyFile} - chmod 0640 ${keyFile} - chown chrony:chrony ${stateDir} ${keyFile} - ''; - unitConfig.ConditionCapability = "CAP_SYS_TIME"; serviceConfig = { Type = "simple"; @@ -118,7 +117,7 @@ in ProtectHome = "yes"; ProtectSystem = "full"; PrivateTmp = "yes"; - + StateDirectory = "chrony"; }; }; diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix index 54ff054d84c7..51398851adc6 100644 --- a/nixos/modules/services/networking/ntp/ntpd.nix +++ b/nixos/modules/services/networking/ntp/ntpd.nix @@ -40,6 +40,7 @@ in services.ntp = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to synchronise your machine's time using ntpd, as a peer in diff --git a/nixos/modules/services/networking/openfire.nix b/nixos/modules/services/networking/openfire.nix index 4059eb3db83d..fe0499d52323 100644 --- a/nixos/modules/services/networking/openfire.nix +++ b/nixos/modules/services/networking/openfire.nix @@ -9,14 +9,10 @@ with lib; services.openfire = { - enable = mkOption { - default = false; - description = " - Whether to enable OpenFire XMPP server. - "; - }; + enable = mkEnableOption "OpenFire XMPP server"; usePostgreSQL = mkOption { + type = types.bool; default = true; description = " Whether you use PostgreSQL service for your storage back-end. diff --git a/nixos/modules/services/networking/pixiecore.nix b/nixos/modules/services/networking/pixiecore.nix new file mode 100644 index 000000000000..85aa40784af8 --- /dev/null +++ b/nixos/modules/services/networking/pixiecore.nix @@ -0,0 +1,134 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.pixiecore; +in +{ + meta.maintainers = with maintainers; [ bbigras danderson ]; + + options = { + services.pixiecore = { + enable = mkEnableOption "Pixiecore"; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open ports (67, 69 UDP and 4011, 'port', 'statusPort' TCP) in the firewall for Pixiecore. + ''; + }; + + mode = mkOption { + description = "Which mode to use"; + default = "boot"; + type = types.enum [ "api" "boot" ]; + }; + + debug = mkOption { + type = types.bool; + default = false; + description = "Log more things that aren't directly related to booting a recognized client"; + }; + + dhcpNoBind = mkOption { + type = types.bool; + default = false; + description = "Handle DHCP traffic without binding to the DHCP server port"; + }; + + kernel = mkOption { + type = types.str or types.path; + default = ""; + description = "Kernel path. Ignored unless mode is set to 'boot'"; + }; + + initrd = mkOption { + type = types.str or types.path; + default = ""; + description = "Initrd path. Ignored unless mode is set to 'boot'"; + }; + + cmdLine = mkOption { + type = types.str; + default = ""; + description = "Kernel commandline arguments. Ignored unless mode is set to 'boot'"; + }; + + listen = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IPv4 address to listen on"; + }; + + port = mkOption { + type = types.port; + default = 80; + description = "Port to listen on for HTTP"; + }; + + statusPort = mkOption { + type = types.port; + default = 80; + description = "HTTP port for status information (can be the same as --port)"; + }; + + apiServer = mkOption { + type = types.str; + example = "localhost:8080"; + description = "host:port to connect to the API. Ignored unless mode is set to 'api'"; + }; + + extraArguments = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional command line arguments to pass to Pixiecore"; + }; + }; + }; + + config = mkIf cfg.enable { + users.groups.pixiecore = {}; + users.users.pixiecore = { + description = "Pixiecore daemon user"; + group = "pixiecore"; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ 4011 cfg.port cfg.statusPort ]; + allowedUDPPorts = [ 67 69 ]; + }; + + systemd.services.pixiecore = { + description = "Pixiecore server"; + after = [ "network.target"]; + wants = [ "network.target"]; + wantedBy = [ "multi-user.target"]; + serviceConfig = { + User = "pixiecore"; + Restart = "always"; + AmbientCapabilities = [ "cap_net_bind_service" ] ++ optional cfg.dhcpNoBind "cap_net_raw"; + ExecStart = + let + argString = + if cfg.mode == "boot" + then [ "boot" cfg.kernel ] + ++ optional (cfg.initrd != "") cfg.initrd + ++ optionals (cfg.cmdLine != "") [ "--cmdline" cfg.cmdLine ] + else [ "api" cfg.apiServer ]; + in + '' + ${pkgs.pixiecore}/bin/pixiecore \ + ${lib.escapeShellArgs argString} \ + ${optionalString cfg.debug "--debug"} \ + ${optionalString cfg.dhcpNoBind "--dhcp-no-bind"} \ + --listen-addr ${lib.escapeShellArg cfg.listen} \ + --port ${toString cfg.port} \ + --status-port ${toString cfg.statusPort} \ + ${escapeShellArgs cfg.extraArguments} + ''; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index 9c9eeba23da2..f04dac01d9b8 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -41,12 +41,7 @@ in services.prayer = { - enable = mkOption { - default = false; - description = '' - Whether to run the prayer webmail http server. - ''; - }; + enable = mkEnableOption "the prayer webmail http server"; port = mkOption { default = "2080"; diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 7a503e711665..cdd341c9fb62 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -1,9 +1,7 @@ { config, lib, pkgs, ... }: with lib; - let - cfg = config.services.prosody; sslOpts = { ... }: { @@ -30,8 +28,21 @@ let }; }; + discoOpts = { + options = { + url = mkOption { + type = types.str; + description = "URL of the endpoint you want to make discoverable"; + }; + description = mkOption { + type = types.str; + description = "A short description of the endpoint you want to advertise"; + }; + }; + }; + moduleOpts = { - # Generally required + # Required for compliance with https://compliance.conversations.im/about/ roster = mkOption { type = types.bool; default = true; @@ -69,6 +80,18 @@ let description = "Keep multiple clients in sync"; }; + csi = mkOption { + type = types.bool; + default = true; + description = "Implements the CSI protocol that allows clients to report their active/inactive state to the server"; + }; + + cloud_notify = mkOption { + type = types.bool; + default = true; + description = "Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online"; + }; + pep = mkOption { type = types.bool; default = true; @@ -89,10 +112,22 @@ let vcard = mkOption { type = types.bool; - default = true; + default = false; description = "Allow users to set vCards"; }; + vcard_legacy = mkOption { + type = types.bool; + default = true; + description = "Converts users profiles and Avatars between old and new formats"; + }; + + bookmarks = mkOption { + type = types.bool; + default = true; + description = "Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP"; + }; + # Nice to have version = mkOption { type = types.bool; @@ -126,10 +161,16 @@ let mam = mkOption { type = types.bool; - default = false; + default = true; description = "Store messages in an archive and allow users to access it"; }; + smacks = mkOption { + type = types.bool; + default = true; + description = "Allow a client to resume a disconnected session, and prevent message loss"; + }; + # Admin interfaces admin_adhoc = mkOption { type = types.bool; @@ -137,6 +178,18 @@ let description = "Allows administration via an XMPP client that supports ad-hoc commands"; }; + http_files = mkOption { + type = types.bool; + default = true; + description = "Serve static files from a directory over HTTP"; + }; + + proxy65 = mkOption { + type = types.bool; + default = true; + description = "Enables a file transfer proxy service which clients behind NAT can use"; + }; + admin_telnet = mkOption { type = types.bool; default = false; @@ -156,12 +209,6 @@ let description = "Enable WebSocket support"; }; - http_files = mkOption { - type = types.bool; - default = false; - description = "Serve static files from a directory over HTTP"; - }; - # Other specific functionality limits = mkOption { type = types.bool; @@ -210,13 +257,6 @@ let default = false; description = "Legacy authentication. Only used by some old clients and bots"; }; - - proxy65 = mkOption { - type = types.bool; - default = false; - description = "Enables a file transfer proxy service which clients behind NAT can use"; - }; - }; toLua = x: @@ -235,6 +275,158 @@ let }; ''; + mucOpts = { ... }: { + options = { + domain = mkOption { + type = types.str; + description = "Domain name of the MUC"; + }; + name = mkOption { + type = types.str; + description = "The name to return in service discovery responses for the MUC service itself"; + default = "Prosody Chatrooms"; + }; + restrictRoomCreation = mkOption { + type = types.enum [ true false "admin" "local" ]; + default = false; + description = "Restrict room creation to server admins"; + }; + maxHistoryMessages = mkOption { + type = types.int; + default = 20; + description = "Specifies a limit on what each room can be configured to keep"; + }; + roomLocking = mkOption { + type = types.bool; + default = true; + description = '' + Enables room locking, which means that a room must be + configured before it can be used. Locked rooms are invisible + and cannot be entered by anyone but the creator + ''; + }; + roomLockTimeout = mkOption { + type = types.int; + default = 300; + description = '' + Timout after which the room is destroyed or unlocked if not + configured, in seconds + ''; + }; + tombstones = mkOption { + type = types.bool; + default = true; + description = '' + When a room is destroyed, it leaves behind a tombstone which + prevents the room being entered or recreated. It also allows + anyone who was not in the room at the time it was destroyed + to learn about it, and to update their bookmarks. Tombstones + prevents the case where someone could recreate a previously + semi-anonymous room in order to learn the real JIDs of those + who often join there. + ''; + }; + tombstoneExpiry = mkOption { + type = types.int; + default = 2678400; + description = '' + This settings controls how long a tombstone is considered + valid. It defaults to 31 days. After this time, the room in + question can be created again. + ''; + }; + + vcard_muc = mkOption { + type = types.bool; + default = true; + description = "Adds the ability to set vCard for Multi User Chat rooms"; + }; + + # Extra parameters. Defaulting to prosody default values. + # Adding them explicitly to make them visible from the options + # documentation. + # + # See https://prosody.im/doc/modules/mod_muc for more details. + roomDefaultPublic = mkOption { + type = types.bool; + default = true; + description = "If set, the MUC rooms will be public by default."; + }; + roomDefaultMembersOnly = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will only be accessible to the members by default."; + }; + roomDefaultModerated = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will be moderated by default."; + }; + roomDefaultPublicJids = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will display the public JIDs by default."; + }; + roomDefaultChangeSubject = mkOption { + type = types.bool; + default = false; + description = "If set, the rooms will display the public JIDs by default."; + }; + roomDefaultHistoryLength = mkOption { + type = types.int; + default = 20; + description = "Number of history message sent to participants by default."; + }; + roomDefaultLanguage = mkOption { + type = types.str; + default = "en"; + description = "Default room language."; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional MUC specific configuration"; + }; + }; + }; + + uploadHttpOpts = { ... }: { + options = { + domain = mkOption { + type = types.nullOr types.str; + description = "Domain name for the http-upload service"; + }; + uploadFileSizeLimit = mkOption { + type = types.str; + default = "50 * 1024 * 1024"; + description = "Maximum file size, in bytes. Defaults to 50MB."; + }; + uploadExpireAfter = mkOption { + type = types.str; + default = "60 * 60 * 24 * 7"; + description = "Max age of a file before it gets deleted, in seconds."; + }; + userQuota = mkOption { + type = types.nullOr types.int; + default = null; + example = 1234; + description = '' + Maximum size of all uploaded files per user, in bytes. There + will be no quota if this option is set to null. + ''; + }; + httpUploadPath = mkOption { + type = types.str; + description = '' + Directory where the uploaded files will be stored. By + default, uploaded files are put in a sub-directory of the + default Prosody storage path (usually /var/lib/prosody). + ''; + default = "/var/lib/prosody"; + }; + }; + }; + vHostOpts = { ... }: { options = { @@ -283,6 +475,27 @@ in description = "Whether to enable the prosody server"; }; + xmppComplianceSuite = mkOption { + type = types.bool; + default = true; + description = '' + The XEP-0423 defines a set of recommended XEPs to implement + for a server. It's generally a good idea to implement this + set of extensions if you want to provide your users with a + good XMPP experience. + + This NixOS module aims to provide a "advanced server" + experience as per defined in the XEP-0423[1] specification. + + Setting this option to true will prevent you from building a + NixOS configuration which won't comply with this standard. + You can explicitely decide to ignore this standard if you + know what you are doing by setting this option to false. + + [1] https://xmpp.org/extensions/xep-0423.html + ''; + }; + package = mkOption { type = types.package; description = "Prosody package to use"; @@ -302,6 +515,12 @@ in default = "/var/lib/prosody"; }; + disco_items = mkOption { + type = types.listOf (types.submodule discoOpts); + default = []; + description = "List of discoverable items you want to advertise."; + }; + user = mkOption { type = types.str; default = "prosody"; @@ -320,6 +539,31 @@ in description = "Allow account creation"; }; + # HTTP server-related options + httpPorts = mkOption { + type = types.listOf types.int; + description = "Listening HTTP ports list for this service."; + default = [ 5280 ]; + }; + + httpInterfaces = mkOption { + type = types.listOf types.str; + default = [ "*" "::" ]; + description = "Interfaces on which the HTTP server will listen on."; + }; + + httpsPorts = mkOption { + type = types.listOf types.int; + description = "Listening HTTPS ports list for this service."; + default = [ 5281 ]; + }; + + httpsInterfaces = mkOption { + type = types.listOf types.str; + default = [ "*" "::" ]; + description = "Interfaces on which the HTTPS server will listen on."; + }; + c2sRequireEncryption = mkOption { type = types.bool; default = true; @@ -387,6 +631,26 @@ in description = "Addtional path in which to look find plugins/modules"; }; + uploadHttp = mkOption { + description = '' + Configures the Prosody builtin HTTP server to handle user uploads. + ''; + type = types.nullOr (types.submodule uploadHttpOpts); + default = null; + example = { + domain = "uploads.my-xmpp-example-host.org"; + }; + }; + + muc = mkOption { + type = types.listOf (types.submodule mucOpts); + default = [ ]; + example = [ { + domain = "conference.my-xmpp-example-host.org"; + } ]; + description = "Multi User Chat (MUC) configuration"; + }; + virtualHosts = mkOption { description = "Define the virtual hosts"; @@ -443,9 +707,44 @@ in config = mkIf cfg.enable { + assertions = let + genericErrMsg = '' + + Having a server not XEP-0423-compliant might make your XMPP + experience terrible. See the NixOS manual for further + informations. + + If you know what you're doing, you can disable this warning by + setting config.services.prosody.xmppComplianceSuite to false. + ''; + errors = [ + { assertion = (builtins.length cfg.muc > 0) || !cfg.xmppComplianceSuite; + message = '' + You need to setup at least a MUC domain to comply with + XEP-0423. + '' + genericErrMsg;} + { assertion = cfg.uploadHttp != null || !cfg.xmppComplianceSuite; + message = '' + You need to setup the uploadHttp module through + config.services.prosody.uploadHttp to comply with + XEP-0423. + '' + genericErrMsg;} + ]; + in errors; + environment.systemPackages = [ cfg.package ]; - environment.etc."prosody/prosody.cfg.lua".text = '' + environment.etc."prosody/prosody.cfg.lua".text = + let + httpDiscoItems = if (cfg.uploadHttp != null) + then [{ url = cfg.uploadHttp.domain; description = "HTTP upload endpoint";}] + else []; + mucDiscoItems = builtins.foldl' + (acc: muc: [{ url = muc.domain; description = "${muc.domain} MUC endpoint";}] ++ acc) + [] + cfg.muc; + discoItems = cfg.disco_items ++ httpDiscoItems ++ mucDiscoItems; + in '' pidfile = "/run/prosody/prosody.pid" @@ -472,6 +771,10 @@ in ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.extraModules)} }; + disco_items = { + ${ lib.concatStringsSep "\n" (builtins.map (x: ''{ "${x.url}", "${x.description}"};'') discoItems)} + }; + allow_registration = ${toLua cfg.allowRegistration} c2s_require_encryption = ${toLua cfg.c2sRequireEncryption} @@ -486,8 +789,44 @@ in authentication = ${toLua cfg.authentication} + http_interfaces = ${toLua cfg.httpInterfaces} + + https_interfaces = ${toLua cfg.httpsInterfaces} + + http_ports = ${toLua cfg.httpPorts} + + https_ports = ${toLua cfg.httpsPorts} + ${ cfg.extraConfig } + ${lib.concatMapStrings (muc: '' + Component ${toLua muc.domain} "muc" + modules_enabled = { "muc_mam"; ${optionalString muc.vcard_muc ''"vcard_muc";'' } } + name = ${toLua muc.name} + restrict_room_creation = ${toLua muc.restrictRoomCreation} + max_history_messages = ${toLua muc.maxHistoryMessages} + muc_room_locking = ${toLua muc.roomLocking} + muc_room_lock_timeout = ${toLua muc.roomLockTimeout} + muc_tombstones = ${toLua muc.tombstones} + muc_tombstone_expiry = ${toLua muc.tombstoneExpiry} + muc_room_default_public = ${toLua muc.roomDefaultPublic} + muc_room_default_members_only = ${toLua muc.roomDefaultMembersOnly} + muc_room_default_moderated = ${toLua muc.roomDefaultModerated} + muc_room_default_public_jids = ${toLua muc.roomDefaultPublicJids} + muc_room_default_change_subject = ${toLua muc.roomDefaultChangeSubject} + muc_room_default_history_length = ${toLua muc.roomDefaultHistoryLength} + muc_room_default_language = ${toLua muc.roomDefaultLanguage} + ${ muc.extraConfig } + '') cfg.muc} + + ${ lib.optionalString (cfg.uploadHttp != null) '' + Component ${toLua cfg.uploadHttp.domain} "http_upload" + http_upload_file_size_limit = ${cfg.uploadHttp.uploadFileSizeLimit} + http_upload_expire_after = ${cfg.uploadHttp.uploadExpireAfter} + ${lib.optionalString (cfg.uploadHttp.userQuota != null) "http_upload_quota = ${toLua cfg.uploadHttp.userQuota}"} + http_upload_path = ${toLua cfg.uploadHttp.httpUploadPath} + ''} + ${ lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: '' VirtualHost "${v.domain}" enabled = ${boolToString v.enabled}; @@ -522,9 +861,22 @@ in PIDFile = "/run/prosody/prosody.pid"; ExecStart = "${cfg.package}/bin/prosodyctl start"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; }; }; }; - + meta.doc = ./prosody.xml; } diff --git a/nixos/modules/services/networking/prosody.xml b/nixos/modules/services/networking/prosody.xml new file mode 100644 index 000000000000..7859cb1578b7 --- /dev/null +++ b/nixos/modules/services/networking/prosody.xml @@ -0,0 +1,88 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-prosody"> + <title>Prosody</title> + <para> + <link xlink:href="https://prosody.im/">Prosody</link> is an open-source, modern XMPP server. + </para> + <section xml:id="module-services-prosody-basic-usage"> + <title>Basic usage</title> + + <para> + A common struggle for most XMPP newcomers is to find the right set + of XMPP Extensions (XEPs) to setup. Forget to activate a few of + those and your XMPP experience might turn into a nightmare! + </para> + + <para> + The XMPP community tackles this problem by creating a meta-XEP + listing a decent set of XEPs you should implement. This meta-XEP + is issued every year, the 2020 edition being + <link xlink:href="https://xmpp.org/extensions/xep-0423.html">XEP-0423</link>. + </para> + <para> + The NixOS Prosody module will implement most of these recommendend XEPs out of + the box. That being said, two components still require some + manual configuration: the + <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi User Chat (MUC)</link> + and the <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP File Upload</link> ones. + You'll need to create a DNS subdomain for each of those. The current convention is to name your + MUC endpoint <literal>conference.example.org</literal> and your HTTP upload domain <literal>upload.example.org</literal>. + </para> + <para> + A good configuration to start with, including a + <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi User Chat (MUC)</link> + endpoint as well as a <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP File Upload</link> + endpoint will look like this: + <programlisting> +services.prosody = { + <link linkend="opt-services.prosody.enable">enable</link> = true; + <link linkend="opt-services.prosody.admins">admins</link> = [ "root@example.org" ]; + <link linkend="opt-services.prosody.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem"; + <link linkend="opt-services.prosody.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem"; + <link linkend="opt-services.prosody.virtualHosts">virtualHosts</link>."example.org" = { + <link linkend="opt-services.prosody.virtualHosts._name__.enabled">enabled</link> = true; + <link linkend="opt-services.prosody.virtualHosts._name__.domain">domain</link> = "example.org"; + <link linkend="opt-services.prosody.virtualHosts._name__.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem"; + <link linkend="opt-services.prosody.virtualHosts._name__.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem"; + }; + <link linkend="opt-services.prosody.muc">muc</link> = [ { + <link linkend="opt-services.prosody.muc">domain</link> = "conference.example.org"; + } ]; + <link linkend="opt-services.prosody.uploadHttp">uploadHttp</link> = { + <link linkend="opt-services.prosody.uploadHttp.domain">domain</link> = "upload.example.org"; + }; +};</programlisting> + </para> + </section> + <section xml:id="module-services-prosody-letsencrypt"> + <title>Let's Encrypt Configuration</title> + <para> + As you can see in the code snippet from the + <link linkend="module-services-prosody-basic-usage">previous section</link>, + you'll need a single TLS certificate covering your main endpoint, + the MUC one as well as the HTTP Upload one. We can generate such a + certificate by leveraging the ACME + <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> module option. + </para> + <para> + Provided the setup detailed in the previous section, you'll need the following acme configuration to generate + a TLS certificate for the three endponits: + <programlisting> +security.acme = { + <link linkend="opt-security.acme.email">email</link> = "root@example.org"; + <link linkend="opt-security.acme.acceptTerms">acceptTerms</link> = true; + <link linkend="opt-security.acme.certs">certs</link> = { + "example.org" = { + <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/example.org"; + <link linkend="opt-security.acme.certs._name_.email">email</link> = "root@example.org"; + <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."conference.example.org"</link> = null; + <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."upload.example.org"</link> = null; + }; + }; +};</programlisting> + </para> +</section> +</chapter> diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix index 52ecd90b7c69..da723ec86adf 100644 --- a/nixos/modules/services/networking/quassel.nix +++ b/nixos/modules/services/networking/quassel.nix @@ -16,12 +16,7 @@ in services.quassel = { - enable = mkOption { - default = false; - description = '' - Whether to run the Quassel IRC client daemon. - ''; - }; + enable = mkEnableOption "the Quassel IRC client daemon"; certificateFile = mkOption { type = types.nullOr types.str; diff --git a/nixos/modules/services/networking/quorum.nix b/nixos/modules/services/networking/quorum.nix new file mode 100644 index 000000000000..2f612c9db686 --- /dev/null +++ b/nixos/modules/services/networking/quorum.nix @@ -0,0 +1,229 @@ +{ config, pkgs, lib, ... }: +let + + inherit (lib) mkEnableOption mkIf mkOption literalExample types optionalString; + + cfg = config.services.quorum; + dataDir = "/var/lib/quorum"; + genesisFile = pkgs.writeText "genesis.json" (builtins.toJSON cfg.genesis); + staticNodesFile = pkgs.writeText "static-nodes.json" (builtins.toJSON cfg.staticNodes); + +in { + options = { + + services.quorum = { + enable = mkEnableOption "Quorum blockchain daemon"; + + user = mkOption { + type = types.str; + default = "quorum"; + description = "The user as which to run quorum."; + }; + + group = mkOption { + type = types.str; + default = cfg.user; + description = "The group as which to run quorum."; + }; + + port = mkOption { + type = types.port; + default = 21000; + description = "Override the default port on which to listen for connections."; + }; + + nodekeyFile = mkOption { + type = types.path; + default = "${dataDir}/nodekey"; + description = "Path to the nodekey."; + }; + + staticNodes = mkOption { + type = types.listOf types.str; + default = []; + example = [ "enode://dd333ec28f0a8910c92eb4d336461eea1c20803eed9cf2c056557f986e720f8e693605bba2f4e8f289b1162e5ac7c80c914c7178130711e393ca76abc1d92f57@0.0.0.0:30303?discport=0" ]; + description = "List of validator nodes."; + }; + + privateconfig = mkOption { + type = types.str; + default = "ignore"; + description = "Configuration of privacy transaction manager."; + }; + + syncmode = mkOption { + type = types.enum [ "fast" "full" "light" ]; + default = "full"; + description = "Blockchain sync mode."; + }; + + blockperiod = mkOption { + type = types.int; + default = 5; + description = "Default minimum difference between two consecutive block's timestamps in seconds."; + }; + + permissioned = mkOption { + type = types.bool; + default = true; + description = "Allow only a defined list of nodes to connect."; + }; + + rpc = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable RPC interface."; + }; + + address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "Listening address for RPC connections."; + }; + + port = mkOption { + type = types.port; + default = 22004; + description = "Override the default port on which to listen for RPC connections."; + }; + + api = mkOption { + type = types.str; + default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul"; + description = "API's offered over the HTTP-RPC interface."; + }; + }; + + ws = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable WS-RPC interface."; + }; + + address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "Listening address for WS-RPC connections."; + }; + + port = mkOption { + type = types.port; + default = 8546; + description = "Override the default port on which to listen for WS-RPC connections."; + }; + + api = mkOption { + type = types.str; + default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul"; + description = "API's offered over the WS-RPC interface."; + }; + + origins = mkOption { + type = types.str; + default = "*"; + description = "Origins from which to accept websockets requests"; + }; + }; + + genesis = mkOption { + type = types.nullOr types.attrs; + default = null; + example = literalExample '' { + alloc = { + a47385db68718bdcbddc2d2bb7c54018066ec111 = { + balance = "1000000000000000000000000000"; + }; + }; + coinbase = "0x0000000000000000000000000000000000000000"; + config = { + byzantiumBlock = 4; + chainId = 494702925; + eip150Block = 2; + eip155Block = 3; + eip158Block = 3; + homesteadBlock = 1; + isQuorum = true; + istanbul = { + epoch = 30000; + policy = 0; + }; + }; + difficulty = "0x1"; + extraData = "0x0000000000000000000000000000000000000000000000000000000000000000f85ad59438f0508111273d8e482f49410ca4078afc86a961b8410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0"; + gasLimit = "0x2FEFD800"; + mixHash = "0x63746963616c2062797a616e74696e65201111756c7420746f6c6572616e6365"; + nonce = "0x0"; + parentHash = "0x0000000000000000000000000000000000000000000000000000000000000000"; + timestamp = "0x00"; + }''; + description = "Blockchain genesis settings."; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.quorum ]; + systemd.tmpfiles.rules = [ + "d '${dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -" + ]; + systemd.services.quorum = { + description = "Quorum daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + PRIVATE_CONFIG = "${cfg.privateconfig}"; + }; + preStart = '' + if [ ! -d ${dataDir}/geth ]; then + if [ ! -d ${dataDir}/keystore ]; then + echo ERROR: You need to create a wallet before initializing your genesis file, run: + echo # su -s /bin/sh - quorum + echo $ geth --datadir ${dataDir} account new + echo and configure your genesis file accordingly. + exit 1; + fi + ln -s ${staticNodesFile} ${dataDir}/static-nodes.json + ${pkgs.quorum}/bin/geth --datadir ${dataDir} init ${genesisFile} + fi + ''; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = ''${pkgs.quorum}/bin/geth \ + --nodiscover \ + --verbosity 5 \ + --nodekey ${cfg.nodekeyFile} \ + --istanbul.blockperiod ${toString cfg.blockperiod} \ + --syncmode ${cfg.syncmode} \ + ${optionalString (cfg.permissioned) + "--permissioned"} \ + --mine --minerthreads 1 \ + ${optionalString (cfg.rpc.enable) + "--rpc --rpcaddr ${cfg.rpc.address} --rpcport ${toString cfg.rpc.port} --rpcapi ${cfg.rpc.api}"} \ + ${optionalString (cfg.ws.enable) + "--ws --wsaddr ${cfg.ws.address} --wsport ${toString cfg.ws.port} --wsapi ${cfg.ws.api} --wsorigins ${cfg.ws.origins}"} \ + --emitcheckpoints \ + --datadir ${dataDir} \ + --port ${toString cfg.port}''; + Restart = "on-failure"; + + # Hardening measures + PrivateTmp = "true"; + ProtectSystem = "full"; + NoNewPrivileges = "true"; + PrivateDevices = "true"; + MemoryDenyWriteExecute = "true"; + }; + }; + users.users.${cfg.user} = { + name = cfg.user; + group = cfg.group; + description = "Quorum daemon user"; + home = dataDir; + isSystemUser = true; + }; + users.groups.${cfg.group} = {}; + }; +} diff --git a/nixos/modules/services/networking/radvd.nix b/nixos/modules/services/networking/radvd.nix index 020faa34922a..f4b00c9b356e 100644 --- a/nixos/modules/services/networking/radvd.nix +++ b/nixos/modules/services/networking/radvd.nix @@ -19,6 +19,7 @@ in options = { services.radvd.enable = mkOption { + type = types.bool; default = false; description = '' diff --git a/nixos/modules/services/networking/rdnssd.nix b/nixos/modules/services/networking/rdnssd.nix index bccab805beeb..469504c43172 100644 --- a/nixos/modules/services/networking/rdnssd.nix +++ b/nixos/modules/services/networking/rdnssd.nix @@ -17,6 +17,7 @@ in options = { services.rdnssd.enable = mkOption { + type = types.bool; default = false; #default = config.networking.enableIPv6; description = diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index 9b25aa575837..e74e03fc0b07 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -244,7 +244,7 @@ in group = "rslsync"; }; - users.groups = [ { name = "rslsync"; } ]; + users.groups.rslsync = {}; systemd.services.resilio = with pkgs; { description = "Resilio Sync Service"; diff --git a/nixos/modules/services/networking/rxe.nix b/nixos/modules/services/networking/rxe.nix index a6a069ec50c0..c7d174a00de2 100644 --- a/nixos/modules/services/networking/rxe.nix +++ b/nixos/modules/services/networking/rxe.nix @@ -5,20 +5,6 @@ with lib; let cfg = config.networking.rxe; - runRxeCmd = cmd: ifcs: - concatStrings ( map (x: "${pkgs.rdma-core}/bin/rxe_cfg -n ${cmd} ${x};") ifcs); - - startScript = pkgs.writeShellScriptBin "rxe-start" '' - ${pkgs.rdma-core}/bin/rxe_cfg -n start - ${runRxeCmd "add" cfg.interfaces} - ${pkgs.rdma-core}/bin/rxe_cfg - ''; - - stopScript = pkgs.writeShellScriptBin "rxe-stop" '' - ${runRxeCmd "remove" cfg.interfaces } - ${pkgs.rdma-core}/bin/rxe_cfg -n stop - ''; - in { ###### interface @@ -31,9 +17,8 @@ in { example = [ "eth0" ]; description = '' Enable RDMA on the listed interfaces. The corresponding virtual - RDMA interfaces will be named rxe0 ... rxeN where the ordering - will be as they are named in the list. UDP port 4791 must be - open on the respective ethernet interfaces. + RDMA interfaces will be named rxe_<interface>. + UDP port 4791 must be open on the respective ethernet interfaces. ''; }; }; @@ -44,7 +29,6 @@ in { config = mkIf cfg.enable { systemd.services.rxe = { - path = with pkgs; [ kmod rdma-core ]; description = "RoCE interfaces"; wantedBy = [ "multi-user.target" ]; @@ -54,8 +38,13 @@ in { serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStart = "${startScript}/bin/rxe-start"; - ExecStop = "${stopScript}/bin/rxe-stop"; + ExecStart = map ( x: + "${pkgs.iproute}/bin/rdma link add rxe_${x} type rxe netdev ${x}" + ) cfg.interfaces; + + ExecStop = map ( x: + "${pkgs.iproute}/bin/rdma link delete rxe_${x}" + ) cfg.interfaces; }; }; }; diff --git a/nixos/modules/services/networking/sabnzbd.nix b/nixos/modules/services/networking/sabnzbd.nix index 62b24d4377f8..ff5aef7d1cb4 100644 --- a/nixos/modules/services/networking/sabnzbd.nix +++ b/nixos/modules/services/networking/sabnzbd.nix @@ -15,10 +15,8 @@ in options = { services.sabnzbd = { - enable = mkOption { - default = false; - description = "Whether to enable the sabnzbd server."; - }; + enable = mkEnableOption "the sabnzbd server"; + configFile = mkOption { default = "/var/lib/sabnzbd/sabnzbd.ini"; description = "Path to config file."; diff --git a/nixos/modules/services/networking/shairport-sync.nix b/nixos/modules/services/networking/shairport-sync.nix index 2e988e0ca2e0..b4b86a2d55be 100644 --- a/nixos/modules/services/networking/shairport-sync.nix +++ b/nixos/modules/services/networking/shairport-sync.nix @@ -17,6 +17,7 @@ in services.shairport-sync = { enable = mkOption { + type = types.bool; default = false; description = '' Enable the shairport-sync daemon. diff --git a/nixos/modules/services/networking/skydns.nix b/nixos/modules/services/networking/skydns.nix index 6ad18bb22403..e79d6de92644 100644 --- a/nixos/modules/services/networking/skydns.nix +++ b/nixos/modules/services/networking/skydns.nix @@ -83,7 +83,7 @@ in { SKYDNS_NAMESERVERS = concatStringsSep "," cfg.nameservers; }; serviceConfig = { - ExecStart = "${cfg.package.bin}/bin/skydns"; + ExecStart = "${cfg.package}/bin/skydns"; }; }; diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix index eca599afb33b..41d0584080e4 100644 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ b/nixos/modules/services/networking/ssh/lshd.nix @@ -19,6 +19,7 @@ in services.lshd = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to enable the GNU lshd SSH2 daemon, which allows @@ -53,21 +54,25 @@ in }; syslog = mkOption { + type = types.bool; default = true; description = ''Whether to enable syslog output.''; }; passwordAuthentication = mkOption { + type = types.bool; default = true; description = ''Whether to enable password authentication.''; }; publicKeyAuthentication = mkOption { + type = types.bool; default = true; description = ''Whether to enable public key authentication.''; }; rootLogin = mkOption { + type = types.bool; default = false; description = ''Whether to enable remote root login.''; }; @@ -89,11 +94,13 @@ in }; tcpForwarding = mkOption { + type = types.bool; default = true; description = ''Whether to enable TCP/IP forwarding.''; }; x11Forwarding = mkOption { + type = types.bool; default = true; description = ''Whether to enable X11 forwarding.''; }; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 464e9ed38c42..17f31e3a488d 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -9,8 +9,8 @@ let # This middle-ground solution ensures *an* sshd can do their basic validation # on the configuration. validationPackage = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform - then [ cfgc.package ] - else [ pkgs.buildPackages.openssh ]; + then cfgc.package + else pkgs.buildPackages.openssh; sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } '' cat >$out <<EOL diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 4ff9c486059c..13a1a897c5ed 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -4,7 +4,7 @@ let inherit (builtins) toFile; inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList - mkIf mkEnableOption mkOption types; + mkIf mkEnableOption mkOption types literalExample; cfg = config.services.strongswan; @@ -79,19 +79,21 @@ in connections = mkOption { type = types.attrsOf (types.attrsOf types.str); default = {}; - example = { - "%default" = { - keyexchange = "ikev2"; - keyingtries = "1"; - }; - roadwarrior = { - auto = "add"; - leftcert = "/run/keys/moonCert.pem"; - leftid = "@moon.strongswan.org"; - leftsubnet = "10.1.0.0/16"; - right = "%any"; - }; - }; + example = literalExample '' + { + "%default" = { + keyexchange = "ikev2"; + keyingtries = "1"; + }; + roadwarrior = { + auto = "add"; + leftcert = "/run/keys/moonCert.pem"; + leftid = "@moon.strongswan.org"; + leftsubnet = "10.1.0.0/16"; + right = "%any"; + }; + } + ''; description = '' A set of connections and their options for the ‘conn xxx’ sections of the <filename>ipsec.conf</filename> file. diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index 35c1e649e2e1..b5b9989ce186 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -39,8 +39,6 @@ let bindsTo = deps; after = deps; before = [ "network.target" ]; - # Receive restart event after resume - partOf = [ "post-resume.target" ]; path = [ pkgs.coreutils ]; diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index 5b3eb6f04b42..e717d78feed5 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -169,12 +169,14 @@ in { description = '' folders which should be shared by syncthing. ''; - example = { - "/home/user/sync" = { - id = "syncme"; - devices = [ "bigbox" ]; - }; - }; + example = literalExample '' + { + "/home/user/sync" = { + id = "syncme"; + devices = [ "bigbox" ]; + }; + } + ''; type = types.attrsOf (types.submodule ({ name, ... }: { options = { diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 513c42b40117..4d6aeb75ebd1 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -37,7 +37,10 @@ in { RuntimeDirectoryMode = 755; StateDirectory = "tailscale"; - StateDirectoryMode = 700; + StateDirectoryMode = 750; + + CacheDirectory = "tailscale"; + CacheDirectoryMode = 750; Restart = "on-failure"; }; diff --git a/nixos/modules/services/networking/tcpcrypt.nix b/nixos/modules/services/networking/tcpcrypt.nix index 18f2e135124b..5a91054e1668 100644 --- a/nixos/modules/services/networking/tcpcrypt.nix +++ b/nixos/modules/services/networking/tcpcrypt.nix @@ -15,6 +15,7 @@ in options = { networking.tcpcrypt.enable = mkOption { + type = types.bool; default = false; description = '' Whether to enable opportunistic TCP encryption. If the other end diff --git a/nixos/modules/services/networking/thelounge.nix b/nixos/modules/services/networking/thelounge.nix index 875d8f661697..a1b06703484b 100644 --- a/nixos/modules/services/networking/thelounge.nix +++ b/nixos/modules/services/networking/thelounge.nix @@ -62,7 +62,6 @@ in { systemd.services.thelounge = { description = "The Lounge web IRC client"; wantedBy = [ "multi-user.target" ]; - environment = { THELOUNGE_HOME = dataDir; }; preStart = "ln -sf ${pkgs.writeText "config.js" configJsData} ${dataDir}/config.js"; serviceConfig = { User = "thelounge"; diff --git a/nixos/modules/services/networking/vsftpd.nix b/nixos/modules/services/networking/vsftpd.nix index b3e201844236..c57994533c17 100644 --- a/nixos/modules/services/networking/vsftpd.nix +++ b/nixos/modules/services/networking/vsftpd.nix @@ -116,7 +116,8 @@ let userlist_file=${cfg.userlistFile} ''} background=YES - listen=YES + listen=NO + listen_ipv6=YES nopriv_user=vsftpd secure_chroot_dir=/var/empty ${optionalString (cfg.localRoot != null) '' diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix index b770d47d269e..ff1bdeed9f48 100644 --- a/nixos/modules/services/networking/wg-quick.nix +++ b/nixos/modules/services/networking/wg-quick.nix @@ -302,7 +302,7 @@ in { ###### implementation config = mkIf (cfg.interfaces != {}) { - boot.extraModulePackages = [ kernel.wireguard ]; + boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard; environment.systemPackages = [ pkgs.wireguard-tools ]; # This is forced to false for now because the default "--validmark" rpfilter we apply on reverse path filtering # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard. diff --git a/nixos/modules/services/networking/wicd.nix b/nixos/modules/services/networking/wicd.nix index 03c6bd28aaba..aa10a50f876a 100644 --- a/nixos/modules/services/networking/wicd.nix +++ b/nixos/modules/services/networking/wicd.nix @@ -9,6 +9,7 @@ with lib; options = { networking.wicd.enable = mkOption { + type = types.bool; default = false; description = '' Whether to start <command>wicd</command>. Wired and diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index de0f11595a94..a7dea95056a0 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -253,12 +253,12 @@ in { }; powerManagement.resumeCommands = '' - ${config.systemd.package}/bin/systemctl try-restart wpa_supplicant + /run/current-system/systemd/bin/systemctl try-restart wpa_supplicant ''; # Restart wpa_supplicant when a wlan device appears or disappears. services.udev.extraRules = '' - ACTION=="add|remove", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", RUN+="${config.systemd.package}/bin/systemctl try-restart wpa_supplicant.service" + ACTION=="add|remove", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", RUN+="/run/current-system/systemd/bin/systemctl try-restart wpa_supplicant.service" ''; }; diff --git a/nixos/modules/services/networking/xinetd.nix b/nixos/modules/services/networking/xinetd.nix index 8dc6f845ed85..2f527ab156aa 100644 --- a/nixos/modules/services/networking/xinetd.nix +++ b/nixos/modules/services/networking/xinetd.nix @@ -44,12 +44,7 @@ in options = { - services.xinetd.enable = mkOption { - default = false; - description = '' - Whether to enable the xinetd super-server daemon. - ''; - }; + services.xinetd.enable = mkEnableOption "the xinetd super-server daemon"; services.xinetd.extraDefaults = mkOption { default = ""; diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index 9e675ecd6f4b..0fe9a200a1b6 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -1,55 +1,17 @@ { config, lib, pkgs, ... }: with lib; let + keysPath = "/var/lib/yggdrasil/keys.json"; + cfg = config.services.yggdrasil; - configProvided = (cfg.config != {}); - configAsFile = (if configProvided then - toString (pkgs.writeTextFile { - name = "yggdrasil-conf"; - text = builtins.toJSON cfg.config; - }) - else null); - configFileProvided = (cfg.configFile != null); - generateConfig = ( - if configProvided && configFileProvided then - "${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}" - else if configProvided then - "cat ${configAsFile}" - else if configFileProvided then - "cat ${cfg.configFile}" - else - "${cfg.package}/bin/yggdrasil -genconf" - ); + configProvided = cfg.config != { }; + configFileProvided = cfg.configFile != null; in { options = with types; { services.yggdrasil = { enable = mkEnableOption "the yggdrasil system service"; - configFile = mkOption { - type = nullOr str; - default = null; - example = "/run/keys/yggdrasil.conf"; - description = '' - A file which contains JSON configuration for yggdrasil. - - You do not have to supply a complete configuration, as - yggdrasil will use default values for anything which is - omitted. If the encryption and signing keys are omitted, - yggdrasil will generate new ones each time the service is - started, resulting in a random IPv6 address on the yggdrasil - network each time. - - If both this option and <option>config</option> are - supplied, they will be combined, with values from - <option>config</option> taking precedence. - - You can use the command <code>nix-shell -p yggdrasil --run - "yggdrasil -genconf -json"</code> to generate a default - JSON configuration. - ''; - }; - config = mkOption { type = attrs; default = {}; @@ -66,16 +28,21 @@ in { Configuration for yggdrasil, as a Nix attribute set. Warning: this is stored in the WORLD-READABLE Nix store! - Therefore, it is not appropriate for private keys. If you - do not specify the keys, yggdrasil will generate a new set - each time the service is started, creating a random IPv6 - address on the yggdrasil network each time. + Therefore, it is not appropriate for private keys. If you + wish to specify the keys, use <option>configFile</option>. + + If the <option>persistentKeys</option> is enabled then the + keys that are generated during activation will override + those in <option>config</option> or + <option>configFile</option>. - If you wish to specify the keys, use - <option>configFile</option>. If both - <option>configFile</option> and <option>config</option> are - supplied, they will be combined, with values from - <option>config</option> taking precedence. + If no keys are specified then ephemeral keys are generated + and the Yggdrasil interface will have a random IPv6 address + each time the service is started, this is the default. + + If both <option>configFile</option> and <option>config</option> + are supplied, they will be combined, with values from + <option>configFile</option> taking precedence. You can use the command <code>nix-shell -p yggdrasil --run "yggdrasil -genconf"</code> to generate default @@ -83,6 +50,23 @@ in { ''; }; + configFile = mkOption { + type = nullOr path; + default = null; + example = "/run/keys/yggdrasil.conf"; + description = '' + A file which contains JSON configuration for yggdrasil. + See the <option>config</option> option for more information. + ''; + }; + + group = mkOption { + type = types.str; + default = "root"; + example = "wheel"; + description = "Group to grant acces to the Yggdrasil control socket."; + }; + openMulticastPort = mkOption { type = bool; default = false; @@ -118,36 +102,64 @@ in { defaultText = "pkgs.yggdrasil"; description = "Yggdrasil package to use."; }; + + persistentKeys = mkEnableOption '' + If enabled then keys will be generated once and Yggdrasil + will retain the same IPv6 address when the service is + restarted. Keys are stored at ${keysPath}. + ''; + }; }; - config = mkIf cfg.enable { - assertions = [ - { assertion = config.networking.enableIPv6; - message = "networking.enableIPv6 must be true for yggdrasil to work"; - } - ]; + config = mkIf cfg.enable (let binYggdrasil = cfg.package + "/bin/yggdrasil"; + in { + assertions = [{ + assertion = config.networking.enableIPv6; + message = "networking.enableIPv6 must be true for yggdrasil to work"; + }]; + + system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' + if [ ! -e ${keysPath} ] + then + mkdir -p ${builtins.dirOf keysPath} + ${binYggdrasil} -genconf -json \ + | ${pkgs.jq}/bin/jq \ + 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ + > ${keysPath} + chmod 600 ${keysPath} + fi + ''; systemd.services.yggdrasil = { description = "Yggdrasil Network Service"; - path = [ cfg.package ] ++ optional (configProvided && configFileProvided) pkgs.jq; bindsTo = [ "network-online.target" ]; after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - ${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf - ''; + preStart = + (if configProvided || configFileProvided || cfg.persistentKeys then + "echo " + + + (lib.optionalString configProvided + "'${builtins.toJSON cfg.config}'") + + (lib.optionalString configFileProvided "$(cat ${cfg.configFile})") + + (lib.optionalString cfg.persistentKeys "$(cat ${keysPath})") + + " | ${pkgs.jq}/bin/jq -s add | ${binYggdrasil} -normaliseconf -useconf" + else + "${binYggdrasil} -genconf") + " > /run/yggdrasil/yggdrasil.conf"; serviceConfig = { - ExecStart = "${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf"; + ExecStart = + "${binYggdrasil} -useconffile /run/yggdrasil/yggdrasil.conf"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Restart = "always"; + Group = cfg.group; RuntimeDirectory = "yggdrasil"; - RuntimeDirectoryMode = "0700"; - BindReadOnlyPaths = mkIf configFileProvided - [ "${cfg.configFile}" ]; + RuntimeDirectoryMode = "0750"; + BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile + ++ lib.optional cfg.persistentKeys keysPath; # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails # to set up the network adapter when DynamicUser is set. See @@ -182,6 +194,6 @@ in { # Make yggdrasilctl available on the command line. environment.systemPackages = [ cfg.package ]; - }; - meta.maintainers = with lib.maintainers; [ gazally ]; + }); + meta.maintainers = with lib.maintainers; [ gazally ehmry ]; } diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 59306d625e6b..e67badfcd29e 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -153,6 +153,16 @@ in ''; }; + allowFrom = mkOption { + type = types.listOf types.str; + default = [ "localhost" ]; + example = [ "all" ]; + apply = concatMapStringsSep "\n" (x: "Allow ${x}"); + description = '' + From which hosts to allow unconditional access. + ''; + }; + bindirCmds = mkOption { type = types.lines; internal = true; @@ -403,19 +413,19 @@ in <Location /> Order allow,deny - Allow localhost + ${cfg.allowFrom} </Location> <Location /admin> Order allow,deny - Allow localhost + ${cfg.allowFrom} </Location> <Location /admin/conf> AuthType Basic Require user @SYSTEM Order allow,deny - Allow localhost + ${cfg.allowFrom} </Location> <Policy default> diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 93ed9231d3c5..cefe72b0e999 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -67,8 +67,6 @@ in systemd.services.atd = { description = "Job Execution Daemon (atd)"; - after = [ "systemd-udev-settle.service" ]; - wants = [ "systemd-udev-settle.service" ]; wantedBy = [ "multi-user.target" ]; path = [ at ]; diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix index a63be0ee766e..903a53270377 100644 --- a/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixos/modules/services/security/bitwarden_rs/default.nix @@ -58,7 +58,7 @@ in { default = {}; example = literalExample '' { - domain = https://bw.domain.tld:8443; + domain = "https://bw.domain.tld:8443"; signupsAllowed = true; rocketPort = 8222; rocketLog = "critical"; diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index cb748c93d24e..3f84f9c2560c 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -216,6 +216,10 @@ in config = mkIf cfg.enable { + warnings = mkIf (config.networking.firewall.enable == false && config.networking.nftables.enable == false) [ + "fail2ban can not be used without a firewall" + ]; + environment.systemPackages = [ cfg.package ]; environment.etc = { diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix index 8ece1ca19013..cbac4ef05b8d 100644 --- a/nixos/modules/services/security/fprintd.nix +++ b/nixos/modules/services/security/fprintd.nix @@ -29,7 +29,6 @@ in type = types.package; default = pkgs.fprintd; defaultText = "pkgs.fprintd"; - example = "pkgs.fprintd-thinkpad"; description = '' fprintd package to use. ''; diff --git a/nixos/modules/services/security/fprot.nix b/nixos/modules/services/security/fprot.nix index f203f2abc033..3a0b08b3c6d8 100644 --- a/nixos/modules/services/security/fprot.nix +++ b/nixos/modules/services/security/fprot.nix @@ -10,12 +10,7 @@ in { services.fprot = { updater = { - enable = mkOption { - default = false; - description = '' - Whether to enable automatic F-Prot virus definitions database updates. - ''; - }; + enable = mkEnableOption "automatic F-Prot virus definitions database updates"; productData = mkOption { description = '' diff --git a/nixos/modules/services/security/hologram-agent.nix b/nixos/modules/services/security/hologram-agent.nix index a5087b0a99b4..e37334b3cf5e 100644 --- a/nixos/modules/services/security/hologram-agent.nix +++ b/nixos/modules/services/security/hologram-agent.nix @@ -43,12 +43,12 @@ in { description = "Provide EC2 instance credentials to machines outside of EC2"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - requires = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ]; + requires = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ]; preStart = '' /run/current-system/sw/bin/rm -fv /run/hologram.sock ''; serviceConfig = { - ExecStart = "${pkgs.hologram.bin}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}"; + ExecStart = "${pkgs.hologram}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}"; }; }; diff --git a/nixos/modules/services/security/hologram-server.nix b/nixos/modules/services/security/hologram-server.nix index bad02c7440ba..4acf6ae0e218 100644 --- a/nixos/modules/services/security/hologram-server.nix +++ b/nixos/modules/services/security/hologram-server.nix @@ -123,7 +123,7 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}"; + ExecStart = "${pkgs.hologram}/bin/hologram-server --debug --conf ${cfgFile}"; }; }; }; diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 2abb9ec32aca..d5c5437329ea 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -12,7 +12,7 @@ let # command-line to launch oauth2_proxy. providerSpecificOptions = { azure = cfg: { - azure.tenant = cfg.azure.tenant; + azure-tenant = cfg.azure.tenant; resource = cfg.azure.resource; }; @@ -44,6 +44,7 @@ let pass-access-token = passAccessToken; pass-basic-auth = passBasicAuth; pass-host-header = passHostHeader; + reverse-proxy = reverseProxy; proxy-prefix = proxyPrefix; profile-url = profileURL; redeem-url = redeemURL; @@ -65,8 +66,8 @@ let } // lib.optionalAttrs (cfg.htpasswd.file != null) { display-htpasswd-file = cfg.htpasswd.displayForm; } // lib.optionalAttrs tls.enable { - tls-cert = tls.certificate; - tls-key = tls.key; + tls-cert-file = tls.certificate; + tls-key-file = tls.key; https-address = tls.httpsAddress; } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig; @@ -98,14 +99,21 @@ in ############################################## # PROVIDER configuration + # Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go provider = mkOption { type = types.enum [ "google" - "github" "azure" + "facebook" + "github" + "keycloak" "gitlab" "linkedin" - "myusa" + "login.gov" + "bitbucket" + "nextcloud" + "digitalocean" + "oidc" ]; default = "google"; description = '' @@ -433,6 +441,17 @@ in ''; }; + reverseProxy = mkOption { + type = types.bool; + default = false; + description = '' + In case when running behind a reverse proxy, controls whether headers + like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse + proxy will require this flag to be set to avoid logging the reverse + proxy IP address. + ''; + }; + proxyPrefix = mkOption { type = types.str; default = "/oauth2"; @@ -558,7 +577,7 @@ in serviceConfig = { User = "oauth2_proxy"; Restart = "always"; - ExecStart = "${cfg.package.bin}/bin/oauth2_proxy ${configString}"; + ExecStart = "${cfg.package}/bin/oauth2_proxy ${configString}"; EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile; }; }; diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix new file mode 100644 index 000000000000..d6abfd0e2718 --- /dev/null +++ b/nixos/modules/services/security/privacyidea.nix @@ -0,0 +1,279 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.privacyidea; + + uwsgi = pkgs.uwsgi.override { plugins = [ "python3" ]; }; + python = uwsgi.python3; + penv = python.withPackages (ps: [ ps.privacyidea ]); + logCfg = pkgs.writeText "privacyidea-log.cfg" '' + [formatters] + keys=detail + + [handlers] + keys=stream + + [formatter_detail] + class=privacyidea.lib.log.SecureFormatter + format=[%(asctime)s][%(process)d][%(thread)d][%(levelname)s][%(name)s:%(lineno)d] %(message)s + + [handler_stream] + class=StreamHandler + level=NOTSET + formatter=detail + args=(sys.stdout,) + + [loggers] + keys=root,privacyidea + + [logger_privacyidea] + handlers=stream + qualname=privacyidea + level=INFO + + [logger_root] + handlers=stream + level=ERROR + ''; + + piCfgFile = pkgs.writeText "privacyidea.cfg" '' + SUPERUSER_REALM = [ '${concatStringsSep "', '" cfg.superuserRealm}' ] + SQLALCHEMY_DATABASE_URI = 'postgresql:///privacyidea' + SECRET_KEY = '${cfg.secretKey}' + PI_PEPPER = '${cfg.pepper}' + PI_ENCFILE = '${cfg.encFile}' + PI_AUDIT_KEY_PRIVATE = '${cfg.auditKeyPrivate}' + PI_AUDIT_KEY_PUBLIC = '${cfg.auditKeyPublic}' + PI_LOGCONFIG = '${logCfg}' + ${cfg.extraConfig} + ''; + +in + +{ + options = { + services.privacyidea = { + enable = mkEnableOption "PrivacyIDEA"; + + stateDir = mkOption { + type = types.str; + default = "/var/lib/privacyidea"; + description = '' + Directory where all PrivacyIDEA files will be placed by default. + ''; + }; + + superuserRealm = mkOption { + type = types.listOf types.str; + default = [ "super" "administrators" ]; + description = '' + The realm where users are allowed to login as administrators. + ''; + }; + + secretKey = mkOption { + type = types.str; + example = "t0p s3cr3t"; + description = '' + This is used to encrypt the auth_token. + ''; + }; + + pepper = mkOption { + type = types.str; + example = "Never know..."; + description = '' + This is used to encrypt the admin passwords. + ''; + }; + + encFile = mkOption { + type = types.str; + default = "${cfg.stateDir}/enckey"; + description = '' + This is used to encrypt the token data and token passwords + ''; + }; + + auditKeyPrivate = mkOption { + type = types.str; + default = "${cfg.stateDir}/private.pem"; + description = '' + Private Key for signing the audit log. + ''; + }; + + auditKeyPublic = mkOption { + type = types.str; + default = "${cfg.stateDir}/public.pem"; + description = '' + Public key for checking signatures of the audit log. + ''; + }; + + adminPasswordFile = mkOption { + type = types.path; + description = "File containing password for the admin user"; + }; + + adminEmail = mkOption { + type = types.str; + example = "admin@example.com"; + description = "Mail address for the admin user"; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration options for pi.cfg. + ''; + }; + + user = mkOption { + type = types.str; + default = "privacyidea"; + description = "User account under which PrivacyIDEA runs."; + }; + + group = mkOption { + type = types.str; + default = "privacyidea"; + description = "Group account under which PrivacyIDEA runs."; + }; + + ldap-proxy = { + enable = mkEnableOption "PrivacyIDEA LDAP Proxy"; + + configFile = mkOption { + type = types.path; + default = ""; + description = '' + Path to PrivacyIDEA LDAP Proxy configuration (proxy.ini). + ''; + }; + + user = mkOption { + type = types.str; + default = "pi-ldap-proxy"; + description = "User account under which PrivacyIDEA LDAP proxy runs."; + }; + + group = mkOption { + type = types.str; + default = "pi-ldap-proxy"; + description = "Group account under which PrivacyIDEA LDAP proxy runs."; + }; + }; + }; + }; + + config = mkMerge [ + + (mkIf cfg.enable { + + environment.systemPackages = [ python.pkgs.privacyidea ]; + + services.postgresql.enable = mkDefault true; + + systemd.services.privacyidea = let + piuwsgi = pkgs.writeText "uwsgi.json" (builtins.toJSON { + uwsgi = { + plugins = [ "python3" ]; + pythonpath = "${penv}/${uwsgi.python3.sitePackages}"; + socket = "/run/privacyidea/socket"; + uid = cfg.user; + gid = cfg.group; + chmod-socket = 770; + chown-socket = "${cfg.user}:nginx"; + chdir = cfg.stateDir; + wsgi-file = "${penv}/etc/privacyidea/privacyideaapp.wsgi"; + processes = 4; + harakiri = 60; + reload-mercy = 8; + stats = "/run/privacyidea/stats.socket"; + max-requests = 2000; + limit-as = 1024; + reload-on-as = 512; + reload-on-rss = 256; + no-orphans = true; + vacuum = true; + }; + }); + in { + wantedBy = [ "multi-user.target" ]; + after = [ "postgresql.service" ]; + path = with pkgs; [ openssl ]; + environment.PRIVACYIDEA_CONFIGFILE = piCfgFile; + preStart = let + pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage"; + pgsu = config.services.postgresql.superUser; + psql = config.services.postgresql.package; + in '' + mkdir -p ${cfg.stateDir} /run/privacyidea + chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea + if ! test -e "${cfg.stateDir}/db-created"; then + ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user} + ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea + ${pi-manage} create_enckey + ${pi-manage} create_audit_keys + ${pi-manage} createdb + ${pi-manage} admin add admin -e ${cfg.adminEmail} -p "$(cat ${cfg.adminPasswordFile})" + ${pi-manage} db stamp head -d ${penv}/lib/privacyidea/migrations + touch "${cfg.stateDir}/db-created" + chmod g+r "${cfg.stateDir}/enckey" "${cfg.stateDir}/private.pem" + fi + ${pi-manage} db upgrade -d ${penv}/lib/privacyidea/migrations + ''; + serviceConfig = { + Type = "notify"; + ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + NotifyAccess = "main"; + KillSignal = "SIGQUIT"; + StandardError = "syslog"; + }; + }; + + users.users.privacyidea = mkIf (cfg.user == "privacyidea") { + group = cfg.group; + }; + + users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {}; + }) + + (mkIf cfg.ldap-proxy.enable { + + systemd.services.privacyidea-ldap-proxy = let + ldap-proxy-env = pkgs.python2.withPackages (ps: [ ps.privacyidea-ldap-proxy ]); + in { + description = "privacyIDEA LDAP proxy"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.ldap-proxy.user; + Group = cfg.ldap-proxy.group; + ExecStart = '' + ${ldap-proxy-env}/bin/twistd \ + --nodaemon \ + --pidfile= \ + -u ${cfg.ldap-proxy.user} \ + -g ${cfg.ldap-proxy.group} \ + ldap-proxy \ + -c ${cfg.ldap-proxy.configFile} + ''; + Restart = "always"; + }; + }; + + users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") { + group = cfg.ldap-proxy.group; + }; + + users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {}; + }) + ]; + +} diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 4ced5acd9bd9..f4118eb87fc7 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -207,6 +207,29 @@ in { Type = "simple"; ExecStart = ''${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}''; Restart = "on-failure"; + + AmbientCapabilities = ""; + CapabilityBoundingSet = "CAP_CHOWN CAP_FOWNER"; + DeviceAllow = "/dev/null rw"; + DevicePolicy = "strict"; + IPAddressDeny = "any"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectKernelModules = true; + ProtectSystem = true; + ReadOnlyPaths = "-/"; + ReadWritePaths = "-/dev/shm -${dirOf cfg.auditFilePath} -/tmp -${dirOf cfg.ruleFile}"; + RestrictAddressFamilies = "AF_UNIX AF_NETLINK"; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + UMask = "0077"; }; }; }; diff --git a/nixos/modules/services/system/earlyoom.nix b/nixos/modules/services/system/earlyoom.nix index 39d1bf274bd2..c6a001d30eeb 100644 --- a/nixos/modules/services/system/earlyoom.nix +++ b/nixos/modules/services/system/earlyoom.nix @@ -67,9 +67,19 @@ in notificationsCommand = mkOption { type = types.nullOr types.str; default = null; - example = "sudo -u example_user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus notify-send"; description = '' - Command used to send notifications. + This option is deprecated and ignored by earlyoom since 1.6. + Use <option>services.earlyoom.enableNotifications</option> instead. + ''; + }; + + enableNotifications = mkOption { + type = types.bool; + default = false; + description = '' + Send notifications about killed processes via the system d-bus. + To actually see the notifications in your GUI session, you need to have + <literal>systembus-notify</literal> running as your user. See <link xlink:href="https://github.com/rfjakob/earlyoom#notifications">README</link> for details. ''; @@ -87,9 +97,13 @@ in message = "Both options in conjunction do not make sense"; } ]; + warnings = optional (ecfg.notificationsCommand != null) + "`services.earlyoom.notificationsCommand` is deprecated and ignored by earlyoom since 1.6."; + systemd.services.earlyoom = { description = "Early OOM Daemon for Linux"; wantedBy = [ "multi-user.target" ]; + path = optional ecfg.enableNotifications pkgs.dbus; serviceConfig = { StandardOutput = "null"; StandardError = "syslog"; @@ -100,10 +114,11 @@ in ${optionalString ecfg.useKernelOOMKiller "-k"} \ ${optionalString ecfg.ignoreOOMScoreAdjust "-i"} \ ${optionalString ecfg.enableDebugInfo "-d"} \ - ${optionalString (ecfg.notificationsCommand != null) - "-N ${escapeShellArg ecfg.notificationsCommand}"} + ${optionalString ecfg.enableNotifications "-n"} ''; }; }; + + environment.systemPackages = optional ecfg.enableNotifications pkgs.systembus-notify; }; } diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix index c55241c4cff1..9a1e67399010 100644 --- a/nixos/modules/services/system/kerberos/default.nix +++ b/nixos/modules/services/system/kerberos/default.nix @@ -51,12 +51,7 @@ in ###### interface options = { services.kerberos_server = { - enable = mkOption { - default = false; - description = '' - Enable the kerberos authentification server. - ''; - }; + enable = lib.mkEnableOption "the kerberos authentification server"; realms = mkOption { type = types.attrsOf (types.submodule realm); diff --git a/nixos/modules/services/system/localtime.nix b/nixos/modules/services/system/localtime.nix index 74925c5e2c47..8f8e2e2e9339 100644 --- a/nixos/modules/services/system/localtime.nix +++ b/nixos/modules/services/system/localtime.nix @@ -8,6 +8,7 @@ in { options = { services.localtime = { enable = mkOption { + type = types.bool; default = false; description = '' Enable <literal>localtime</literal>, simple daemon for keeping the system diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index e11f7e049d8f..d720f254b813 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -7,6 +7,10 @@ let nssModulesPath = config.system.nssModules.path; cfg = config.services.nscd; + nscd = if pkgs.stdenv.hostPlatform.libc == "glibc" + then pkgs.stdenv.cc.libc.bin + else pkgs.glibc.bin; + in { @@ -20,7 +24,11 @@ in enable = mkOption { type = types.bool; default = true; - description = "Whether to enable the Name Service Cache Daemon."; + description = '' + Whether to enable the Name Service Cache Daemon. + Disabling this is strongly discouraged, as this effectively disables NSS Lookups + from all non-glibc NSS modules, including the ones provided by systemd. + ''; }; config = mkOption { @@ -59,16 +67,16 @@ in # files. So prefix the ExecStart command with "!" to prevent systemd # from dropping privileges early. See ExecStart in systemd.service(5). serviceConfig = - { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd"; + { ExecStart = "!@${nscd}/sbin/nscd nscd"; Type = "forking"; DynamicUser = true; RuntimeDirectory = "nscd"; PIDFile = "/run/nscd/nscd.pid"; Restart = "always"; ExecReload = - [ "${pkgs.glibc.bin}/sbin/nscd --invalidate passwd" - "${pkgs.glibc.bin}/sbin/nscd --invalidate group" - "${pkgs.glibc.bin}/sbin/nscd --invalidate hosts" + [ "${nscd}/sbin/nscd --invalidate passwd" + "${nscd}/sbin/nscd --invalidate group" + "${nscd}/sbin/nscd --invalidate hosts" ]; }; }; diff --git a/nixos/modules/services/system/uptimed.nix b/nixos/modules/services/system/uptimed.nix index 3c9978ab2269..1e256c51408e 100644 --- a/nixos/modules/services/system/uptimed.nix +++ b/nixos/modules/services/system/uptimed.nix @@ -10,6 +10,7 @@ in options = { services.uptimed = { enable = mkOption { + type = types.bool; default = false; description = '' Enable <literal>uptimed</literal>, allowing you to track diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix index 0c72505395dd..45398cb26138 100644 --- a/nixos/modules/services/torrent/deluge.nix +++ b/nixos/modules/services/torrent/deluge.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.deluge; cfg_web = config.services.deluge.web; + isDeluge1 = versionOlder cfg.package.version "2.0.0"; openFilesLimit = 4096; listenPortsDefault = [ 6881 6889 ]; @@ -18,11 +19,11 @@ let preStart = if cfg.declarative then '' if [ -e ${declarativeLockFile} ]; then # Was declarative before, no need to back up anything - ln -sf ${configFile} ${configDir}/core.conf + ${if isDeluge1 then "ln -sf" else "cp"} ${configFile} ${configDir}/core.conf ln -sf ${cfg.authFile} ${configDir}/auth else # Declarative for the first time, backup stateful files - ln -sb --suffix=.stateful ${configFile} ${configDir}/core.conf + ${if isDeluge1 then "ln -s" else "cp"} -b --suffix=.stateful ${configFile} ${configDir}/core.conf ln -sb --suffix=.stateful ${cfg.authFile} ${configDir}/auth echo "Autogenerated file that signifies that this server configuration is managed declaratively by NixOS" \ > ${declarativeLockFile} @@ -141,7 +142,15 @@ in { description = '' Extra packages available at runtime to enable Deluge's plugins. For example, extraction utilities are required for the built-in "Extractor" plugin. - This always contains unzip, gnutar, xz, p7zip and bzip2. + This always contains unzip, gnutar, xz and bzip2. + ''; + }; + + package = mkOption { + type = types.package; + example = literalExample "pkgs.deluge-1_x"; + description = '' + Deluge package to use. ''; }; }; @@ -170,8 +179,15 @@ in { config = mkIf cfg.enable { + services.deluge.package = mkDefault ( + if versionAtLeast config.system.stateVersion "20.09" then + pkgs.deluge-2_x + else + pkgs.deluge-1_x + ); + # Provide a default set of `extraPackages`. - services.deluge.extraPackages = with pkgs; [ unzip gnutar xz p7zip bzip2 ]; + services.deluge.extraPackages = with pkgs; [ unzip gnutar xz bzip2 ]; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group}" @@ -189,10 +205,10 @@ in { after = [ "network.target" ]; description = "Deluge BitTorrent Daemon"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.deluge ] ++ cfg.extraPackages; + path = [ cfg.package ] ++ cfg.extraPackages; serviceConfig = { ExecStart = '' - ${pkgs.deluge}/bin/deluged \ + ${cfg.package}/bin/deluged \ --do-not-daemonize \ --config ${configDir} ''; @@ -212,10 +228,11 @@ in { requires = [ "deluged.service" ]; description = "Deluge BitTorrent WebUI"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.deluge ]; + path = [ cfg.package ]; serviceConfig = { ExecStart = '' - ${pkgs.deluge}/bin/deluge-web \ + ${cfg.package}/bin/deluge-web \ + ${optionalString (!isDeluge1) "--do-not-daemonize"} \ --config ${configDir} \ --port ${toString cfg.web.port} ''; @@ -234,7 +251,7 @@ in { }) ]; - environment.systemPackages = [ pkgs.deluge ]; + environment.systemPackages = [ cfg.package ]; users.users = mkIf (cfg.user == "deluge") { deluge = { diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix new file mode 100644 index 000000000000..be57c03b1721 --- /dev/null +++ b/nixos/modules/services/torrent/rtorrent.nix @@ -0,0 +1,209 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.services.rtorrent; + +in { + options.services.rtorrent = { + enable = mkEnableOption "rtorrent"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/rtorrent"; + description = '' + The directory where rtorrent stores its data files. + ''; + }; + + downloadDir = mkOption { + type = types.str; + default = "${cfg.dataDir}/download"; + description = '' + Where to put downloaded files. + ''; + }; + + user = mkOption { + type = types.str; + default = "rtorrent"; + description = '' + User account under which rtorrent runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "rtorrent"; + description = '' + Group under which rtorrent runs. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.rtorrent; + defaultText = "pkgs.rtorrent"; + description = '' + The rtorrent package to use. + ''; + }; + + port = mkOption { + type = types.port; + default = 50000; + description = '' + The rtorrent port. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the firewall for the port in <option>services.rtorrent.port</option>. + ''; + }; + + rpcSocket = mkOption { + type = types.str; + readOnly = true; + default = "/run/rtorrent/rpc.sock"; + description = '' + RPC socket path. + ''; + }; + + configText = mkOption { + type = types.lines; + default = ""; + description = '' + The content of <filename>rtorrent.rc</filename>. The <link xlink:href="https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template">modernized configuration template</link> with the values specified in this module will be prepended using mkBefore. You can use mkForce to overwrite the config completly. + ''; + }; + }; + + config = mkIf cfg.enable { + + users.groups = mkIf (cfg.group == "rtorrent") { + rtorrent = {}; + }; + + users.users = mkIf (cfg.user == "rtorrent") { + rtorrent = { + group = cfg.group; + shell = pkgs.bashInteractive; + home = cfg.dataDir; + description = "rtorrent Daemon user"; + isSystemUser = true; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ cfg.port ]; + + services.rtorrent.configText = mkBefore '' + # Instance layout (base paths) + method.insert = cfg.basedir, private|const|string, (cat,"${cfg.dataDir}/") + method.insert = cfg.watch, private|const|string, (cat,(cfg.basedir),"watch/") + method.insert = cfg.logs, private|const|string, (cat,(cfg.basedir),"log/") + method.insert = cfg.logfile, private|const|string, (cat,(cfg.logs),(system.time),".log") + method.insert = cfg.rpcsock, private|const|string, (cat,"${cfg.rpcSocket}") + + # Create instance directories + execute.throw = sh, -c, (cat, "mkdir -p ", (cfg.basedir), "/session ", (cfg.watch), " ", (cfg.logs)) + + # Listening port for incoming peer traffic (fixed; you can also randomize it) + network.port_range.set = ${toString cfg.port}-${toString cfg.port} + network.port_random.set = no + + # Tracker-less torrent and UDP tracker support + # (conservative settings for 'private' trackers, change for 'public') + dht.mode.set = disable + protocol.pex.set = no + trackers.use_udp.set = no + + # Peer settings + throttle.max_uploads.set = 100 + throttle.max_uploads.global.set = 250 + + throttle.min_peers.normal.set = 20 + throttle.max_peers.normal.set = 60 + throttle.min_peers.seed.set = 30 + throttle.max_peers.seed.set = 80 + trackers.numwant.set = 80 + + protocol.encryption.set = allow_incoming,try_outgoing,enable_retry + + # Limits for file handle resources, this is optimized for + # an `ulimit` of 1024 (a common default). You MUST leave + # a ceiling of handles reserved for rTorrent's internal needs! + network.http.max_open.set = 50 + network.max_open_files.set = 600 + network.max_open_sockets.set = 3000 + + # Memory resource usage (increase if you have a large number of items loaded, + # and/or the available resources to spend) + pieces.memory.max.set = 1800M + network.xmlrpc.size_limit.set = 4M + + # Basic operational settings (no need to change these) + session.path.set = (cat, (cfg.basedir), "session/") + directory.default.set = "${cfg.downloadDir}" + log.execute = (cat, (cfg.logs), "execute.log") + ##log.xmlrpc = (cat, (cfg.logs), "xmlrpc.log") + execute.nothrow = sh, -c, (cat, "echo >", (session.path), "rtorrent.pid", " ", (system.pid)) + + # Other operational settings (check & adapt) + encoding.add = utf8 + system.umask.set = 0027 + system.cwd.set = (cfg.basedir) + network.http.dns_cache_timeout.set = 25 + schedule2 = monitor_diskspace, 15, 60, ((close_low_diskspace, 1000M)) + + # Watch directories (add more as you like, but use unique schedule names) + #schedule2 = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "start/*.torrent"))) + #schedule2 = watch_load, 11, 10, ((load.normal, (cat, (cfg.watch), "load/*.torrent"))) + + # Logging: + # Levels = critical error warn notice info debug + # Groups = connection_* dht_* peer_* rpc_* storage_* thread_* tracker_* torrent_* + print = (cat, "Logging to ", (cfg.logfile)) + log.open_file = "log", (cfg.logfile) + log.add_output = "info", "log" + ##log.add_output = "tracker_debug", "log" + + # XMLRPC + scgi_local = (cfg.rpcsock) + schedule = scgi_group,0,0,"execute.nothrow=chown,\":rtorrent\",(cfg.rpcsock)" + schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"g+w,o=\",(cfg.rpcsock)" + ''; + + systemd = { + services = { + rtorrent = let + rtorrentConfigFile = pkgs.writeText "rtorrent.rc" cfg.configText; + in { + description = "rTorrent system service"; + after = [ "network.target" ]; + path = [ cfg.package pkgs.bash ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "simple"; + Restart = "on-failure"; + WorkingDirectory = cfg.dataDir; + ExecStartPre=''${pkgs.bash}/bin/bash -c "if test -e ${cfg.dataDir}/session/rtorrent.lock && test -z $(${pkgs.procps}/bin/pidof rtorrent); then rm -f ${cfg.dataDir}/session/rtorrent.lock; fi"''; + ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}"; + RuntimeDirectory = "rtorrent"; + RuntimeDirectoryMode = 755; + }; + }; + }; + + tmpfiles.rules = [ "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} -" ]; + }; + }; +} diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index fd28b94f7be3..e7f5aaed844e 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -11,7 +11,7 @@ let downloadDir = "${homeDir}/Downloads"; incompleteDir = "${homeDir}/.incomplete"; - settingsDir = "${homeDir}/.config/transmission-daemon"; + settingsDir = "${homeDir}/config"; settingsFile = pkgs.writeText "settings.json" (builtins.toJSON fullSettings); # for users in group "transmission" to have access to torrents @@ -20,12 +20,6 @@ let preStart = pkgs.writeScript "transmission-pre-start" '' #!${pkgs.runtimeShell} set -ex - for DIR in "${homeDir}" "${settingsDir}" "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}"; do - mkdir -p "$DIR" - done - chmod 755 "${homeDir}" - chmod 700 "${settingsDir}" - chmod ${downloadDirPermissions} "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}" cp -f ${settingsFile} ${settingsDir}/settings.json ''; in @@ -110,6 +104,13 @@ in }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${homeDir}' 0770 '${cfg.user}' '${cfg.group}' - -" + "d '${settingsDir}' 0700 '${cfg.user}' '${cfg.group}' - -" + "d '${fullSettings.download-dir}' '${downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -" + "d '${fullSettings.incomplete-dir}' '${downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -" + ]; + systemd.services.transmission = { description = "Transmission BitTorrent Service"; after = [ "network.target" ] ++ optional apparmor "apparmor.service"; diff --git a/nixos/modules/services/web-apps/documize.nix b/nixos/modules/services/web-apps/documize.nix index 1b90299aa23c..a5f48e744fdc 100644 --- a/nixos/modules/services/web-apps/documize.nix +++ b/nixos/modules/services/web-apps/documize.nix @@ -130,7 +130,7 @@ in { config = mkIf cfg.enable { systemd.services.documize-server = { description = "Documize Wiki"; - documentation = [ https://documize.com/ ]; + documentation = [ "https://documize.com/" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/nixos/modules/services/web-apps/dokuwiki.nix b/nixos/modules/services/web-apps/dokuwiki.nix index 07af7aa0dfec..33a828fa2cb3 100644 --- a/nixos/modules/services/web-apps/dokuwiki.nix +++ b/nixos/modules/services/web-apps/dokuwiki.nix @@ -3,13 +3,14 @@ let inherit (lib) mkEnableOption mkForce mkIf mkMerge mkOption optionalAttrs recursiveUpdate types; + inherit (lib) concatMapStringsSep flatten mapAttrs mapAttrs' mapAttrsToList nameValuePair concatMapStringSep; - cfg = config.services.dokuwiki; + eachSite = config.services.dokuwiki; - user = config.services.nginx.user; + user = "dokuwiki"; group = config.services.nginx.group; - dokuwikiAclAuthConfig = pkgs.writeText "acl.auth.php" '' + dokuwikiAclAuthConfig = cfg: pkgs.writeText "acl.auth.php" '' # acl.auth.php # <?php exit()?> # @@ -18,244 +19,353 @@ let ${toString cfg.acl} ''; - dokuwikiLocalConfig = pkgs.writeText "local.php" '' + dokuwikiLocalConfig = cfg: pkgs.writeText "local.php" '' <?php $conf['savedir'] = '${cfg.stateDir}'; $conf['superuser'] = '${toString cfg.superUser}'; $conf['useacl'] = '${toString cfg.aclUse}'; + $conf['disableactions'] = '${cfg.disableActions}'; ${toString cfg.extraConfig} ''; - dokuwikiPluginsLocalConfig = pkgs.writeText "plugins.local.php" '' + dokuwikiPluginsLocalConfig = cfg: pkgs.writeText "plugins.local.php" '' <?php ${cfg.pluginsConfig} ''; -in -{ - options.services.dokuwiki = { - enable = mkEnableOption "DokuWiki web application."; + pkg = hostName: cfg: pkgs.stdenv.mkDerivation rec { + pname = "dokuwiki-${hostName}"; + version = src.version; + src = cfg.package; - hostName = mkOption { - type = types.str; - default = "localhost"; - description = "FQDN for the instance."; - }; + installPhase = '' + mkdir -p $out + cp -r * $out/ - stateDir = mkOption { - type = types.path; - default = "/var/lib/dokuwiki/data"; - description = "Location of the dokuwiki state directory."; - }; + # symlink the dokuwiki config + ln -s ${dokuwikiLocalConfig cfg} $out/share/dokuwiki/local.php - acl = mkOption { - type = types.nullOr types.lines; - default = null; - example = "* @ALL 8"; - description = '' - Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/> - Mutually exclusive with services.dokuwiki.aclFile - Set this to a value other than null to take precedence over aclFile option. - ''; - }; + # symlink plugins config + ln -s ${dokuwikiPluginsLocalConfig cfg} $out/share/dokuwiki/plugins.local.php - aclFile = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl - Mutually exclusive with services.dokuwiki.acl which is preferred. - Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions. - Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/> - ''; - }; + # symlink acl + ln -s ${dokuwikiAclAuthConfig cfg} $out/share/dokuwiki/acl.auth.php - aclUse = mkOption { - type = types.bool; - default = true; - description = '' - Necessary for users to log in into the system. - Also limits anonymous users. When disabled, - everyone is able to create and edit content. - ''; - }; + # symlink additional plugin(s) and templates(s) + ${concatMapStringsSep "\n" (template: "ln -s ${template} $out/share/dokuwiki/lib/tpl/${template.name}") cfg.templates} + ${concatMapStringsSep "\n" (plugin: "ln -s ${plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") cfg.plugins} + ''; + }; - pluginsConfig = mkOption { - type = types.lines; - default = '' - $plugins['authad'] = 0; - $plugins['authldap'] = 0; - $plugins['authmysql'] = 0; - $plugins['authpgsql'] = 0; - ''; - description = '' - List of the dokuwiki (un)loaded plugins. - ''; - }; + siteOpts = { config, lib, name, ...}: { + options = { + enable = mkEnableOption "DokuWiki web application."; - superUser = mkOption { - type = types.nullOr types.str; - default = "@admin"; - description = '' - You can set either a username, a list of usernames (“admin1,admin2”), - or the name of a group by prepending an @ char to the groupname - Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions. - ''; - }; + package = mkOption { + type = types.package; + default = pkgs.dokuwiki; + description = "Which dokuwiki package to use."; + }; + + hostName = mkOption { + type = types.str; + default = "localhost"; + description = "FQDN for the instance."; + }; + + stateDir = mkOption { + type = types.path; + default = "/var/lib/dokuwiki/${name}/data"; + description = "Location of the dokuwiki state directory."; + }; - usersFile = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Location of the dokuwiki users file. List of users. Format: - login:passwordhash:Real Name:email:groups,comma,separated - Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1` - Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/> + acl = mkOption { + type = types.nullOr types.lines; + default = null; + example = "* @ALL 8"; + description = '' + Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/> + Mutually exclusive with services.dokuwiki.aclFile + Set this to a value other than null to take precedence over aclFile option. + + Warning: Consider using aclFile instead if you do not + want to store the ACL in the world-readable Nix store. ''; - }; + }; - extraConfig = mkOption { - type = types.nullOr types.lines; - default = null; - example = '' - $conf['title'] = 'My Wiki'; - $conf['userewrite'] = 1; - ''; - description = '' - DokuWiki configuration. Refer to - <link xlink:href="https://www.dokuwiki.org/config"/> - for details on supported values. - ''; - }; + aclFile = mkOption { + type = with types; nullOr str; + default = if (config.aclUse && config.acl == null) then "/var/lib/dokuwiki/${name}/users.auth.php" else null; + description = '' + Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl + Mutually exclusive with services.dokuwiki.acl which is preferred. + Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions. + Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/> + ''; + example = "/var/lib/dokuwiki/${name}/acl.auth.php"; + }; - poolConfig = mkOption { - type = with types; attrsOf (oneOf [ str int bool ]); - default = { - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; + aclUse = mkOption { + type = types.bool; + default = true; + description = '' + Necessary for users to log in into the system. + Also limits anonymous users. When disabled, + everyone is able to create and edit content. + ''; }; - description = '' - Options for the dokuwiki PHP pool. See the documentation on <literal>php-fpm.conf</literal> - for details on configuration directives. - ''; - }; - nginx = mkOption { - type = types.submodule ( - recursiveUpdate - (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) - { - # Enable encryption by default, - options.forceSSL.default = true; - options.enableACME.default = true; - } - ); - default = {forceSSL = true; enableACME = true;}; - example = { - serverAliases = [ - "wiki.\${config.networking.domain}" - ]; - enableACME = false; + pluginsConfig = mkOption { + type = types.lines; + default = '' + $plugins['authad'] = 0; + $plugins['authldap'] = 0; + $plugins['authmysql'] = 0; + $plugins['authpgsql'] = 0; + ''; + description = '' + List of the dokuwiki (un)loaded plugins. + ''; + }; + + superUser = mkOption { + type = types.nullOr types.str; + default = "@admin"; + description = '' + You can set either a username, a list of usernames (“admin1,admin2”), + or the name of a group by prepending an @ char to the groupname + Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions. + ''; }; - description = '' - With this option, you can customize the nginx virtualHost which already has sensible defaults for DokuWiki. - ''; + + usersFile = mkOption { + type = with types; nullOr str; + default = if config.aclUse then "/var/lib/dokuwiki/${name}/users.auth.php" else null; + description = '' + Location of the dokuwiki users file. List of users. Format: + login:passwordhash:Real Name:email:groups,comma,separated + Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1` + Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/> + ''; + example = "/var/lib/dokuwiki/${name}/users.auth.php"; + }; + + disableActions = mkOption { + type = types.nullOr types.str; + default = ""; + example = "search,register"; + description = '' + Disable individual action modes. Refer to + <link xlink:href="https://www.dokuwiki.org/config:action_modes"/> + for details on supported values. + ''; + }; + + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + example = '' + $conf['title'] = 'My Wiki'; + $conf['userewrite'] = 1; + ''; + description = '' + DokuWiki configuration. Refer to + <link xlink:href="https://www.dokuwiki.org/config"/> + for details on supported values. + ''; + }; + + plugins = mkOption { + type = types.listOf types.path; + default = []; + description = '' + List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. + <note><para>These plugins need to be packaged before use, see example.</para></note> + ''; + example = '' + # Let's package the icalevents plugin + plugin-icalevents = pkgs.stdenv.mkDerivation { + name = "icalevents"; + # Download the plugin from the dokuwiki site + src = pkgs.fetchurl { + url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/2017-06-16/dokuwiki-plugin-icalevents-2017-06-16.zip"; + sha256 = "e40ed7dd6bbe7fe3363bbbecb4de481d5e42385b5a0f62f6a6ce6bf3a1f9dfa8"; + }; + sourceRoot = "."; + # We need unzip to build this package + buildInputs = [ pkgs.unzip ]; + # Installing simply means copying all files to the output directory + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + + # And then pass this theme to the plugin list like this: + plugins = [ plugin-icalevents ]; + ''; + }; + + templates = mkOption { + type = types.listOf types.path; + default = []; + description = '' + List of path(s) to respective template(s) which are copied from the 'tpl' directory. + <note><para>These templates need to be packaged before use, see example.</para></note> + ''; + example = '' + # Let's package the bootstrap3 theme + template-bootstrap3 = pkgs.stdenv.mkDerivation { + name = "bootstrap3"; + # Download the theme from the dokuwiki site + src = pkgs.fetchurl { + url = "https://github.com/giterlizzi/dokuwiki-template-bootstrap3/archive/v2019-05-22.zip"; + sha256 = "4de5ff31d54dd61bbccaf092c9e74c1af3a4c53e07aa59f60457a8f00cfb23a6"; + }; + # We need unzip to build this package + buildInputs = [ pkgs.unzip ]; + # Installing simply means copying all files to the output directory + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + + # And then pass this theme to the template list like this: + templates = [ template-bootstrap3 ]; + ''; + }; + + poolConfig = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + }; + description = '' + Options for the dokuwiki PHP pool. See the documentation on <literal>php-fpm.conf</literal> + for details on configuration directives. + ''; + }; + + nginx = mkOption { + type = types.submodule ( + recursiveUpdate + (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) + { + # Enable encryption by default, + options.forceSSL.default = true; + options.enableACME.default = true; + } + ); + default = {forceSSL = true; enableACME = true;}; + example = { + serverAliases = [ + "wiki.\${config.networking.domain}" + ]; + enableACME = false; + }; + description = '' + With this option, you can customize the nginx virtualHost which already has sensible defaults for DokuWiki. + ''; + }; + }; + }; +in +{ + # interface + options = { + services.dokuwiki = mkOption { + type = types.attrsOf (types.submodule siteOpts); + default = {}; + description = "Sepcification of one or more dokuwiki sites to service."; }; }; # implementation - config = mkIf cfg.enable { - - warnings = mkIf (cfg.superUser == null) ["Not setting services.dokuwiki.superUser will impair your ability to administer DokuWiki"]; - - assertions = [ - { - assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null); - message = "Either services.dokuwiki.acl or services.dokuwiki.aclFile is mandatory when aclUse is true"; - } - { - assertion = cfg.usersFile != null -> cfg.aclUse != false; - message = "services.dokuwiki.aclUse must be true when usersFile is not null"; - } - ]; - - services.phpfpm.pools.dokuwiki = { - inherit user; - inherit group; - phpEnv = { - DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig}"; - DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig}"; - } //optionalAttrs (cfg.usersFile != null) { - DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; - } //optionalAttrs (cfg.aclUse) { - DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig}" else "${toString cfg.aclFile}"; - }; - - settings = { - "listen.mode" = "0660"; - "listen.owner" = user; - "listen.group" = group; - } // cfg.poolConfig; - }; + config = mkIf (eachSite != {}) { + + warnings = mapAttrsToList (hostName: cfg: mkIf (cfg.superUser == null) "Not setting services.dokuwiki.${hostName} superUser will impair your ability to administer DokuWiki") eachSite; + + assertions = flatten (mapAttrsToList (hostName: cfg: + [{ + assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null); + message = "Either services.dokuwiki.${hostName}.acl or services.dokuwiki.${hostName}.aclFile is mandatory if aclUse true"; + } + { + assertion = cfg.usersFile != null -> cfg.aclUse != false; + message = "services.dokuwiki.${hostName}.aclUse must must be true if usersFile is not null"; + } + ]) eachSite); + + services.phpfpm.pools = mapAttrs' (hostName: cfg: ( + nameValuePair "dokuwiki-${hostName}" { + inherit user; + inherit group; + phpEnv = { + DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig cfg}"; + DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig cfg}"; + } // optionalAttrs (cfg.usersFile != null) { + DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; + } //optionalAttrs (cfg.aclUse) { + DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig cfg}" else "${toString cfg.aclFile}"; + }; + + settings = { + "listen.mode" = "0660"; + "listen.owner" = user; + "listen.group" = group; + } // cfg.poolConfig; + })) eachSite; services.nginx = { enable = true; - - virtualHosts = { - ${cfg.hostName} = mkMerge [ cfg.nginx { - root = mkForce "${pkgs.dokuwiki}/share/dokuwiki/"; - extraConfig = "fastcgi_param HTTPS on;"; - - locations."~ /(conf/|bin/|inc/|install.php)" = { - extraConfig = "deny all;"; - }; - - locations."~ ^/data/" = { - root = "${cfg.stateDir}"; - extraConfig = "internal;"; - }; - - locations."~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 365d;"; - }; - - locations."/" = { - priority = 1; - index = "doku.php"; - extraConfig = ''try_files $uri $uri/ @dokuwiki;''; - }; - - locations."@dokuwiki" = { - extraConfig = '' + virtualHosts = mapAttrs (hostName: cfg: mkMerge [ cfg.nginx { + root = mkForce "${pkg hostName cfg}/share/dokuwiki"; + extraConfig = "fastcgi_param HTTPS on;"; + + locations."~ /(conf/|bin/|inc/|install.php)" = { + extraConfig = "deny all;"; + }; + + locations."~ ^/data/" = { + root = "${cfg.stateDir}"; + extraConfig = "internal;"; + }; + + locations."~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + + locations."/" = { + priority = 1; + index = "doku.php"; + extraConfig = ''try_files $uri $uri/ @dokuwiki;''; + }; + + locations."@dokuwiki" = { + extraConfig = '' # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; + ''; + }; - locations."~ \.php$" = { - extraConfig = '' + locations."~ \.php$" = { + extraConfig = '' try_files $uri $uri/ /doku.php; include ${pkgs.nginx}/conf/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools.dokuwiki.socket}; + fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; fastcgi_param HTTPS on; - ''; - }; - }]; - }; - + ''; + }; + }]) eachSite; }; - systemd.tmpfiles.rules = [ + systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ "d ${cfg.stateDir}/attic 0750 ${user} ${group} - -" "d ${cfg.stateDir}/cache 0750 ${user} ${group} - -" "d ${cfg.stateDir}/index 0750 ${user} ${group} - -" @@ -266,7 +376,13 @@ in "d ${cfg.stateDir}/meta 0750 ${user} ${group} - -" "d ${cfg.stateDir}/pages 0750 ${user} ${group} - -" "d ${cfg.stateDir}/tmp 0750 ${user} ${group} - -" - ]; + ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" + ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" + ) eachSite); + users.users.${user} = { + group = group; + isSystemUser = true; + }; }; } diff --git a/nixos/modules/services/web-apps/engelsystem.nix b/nixos/modules/services/web-apps/engelsystem.nix new file mode 100644 index 000000000000..899582a20304 --- /dev/null +++ b/nixos/modules/services/web-apps/engelsystem.nix @@ -0,0 +1,186 @@ +{ config, lib, pkgs, utils, ... }: + +let + inherit (lib) mkDefault mkEnableOption mkIf mkOption types literalExample; + cfg = config.services.engelsystem; +in { + options = { + services.engelsystem = { + enable = mkOption { + default = false; + example = true; + description = '' + Whether to enable engelsystem, an online tool for coordinating helpers + and shifts on large events. + ''; + type = lib.types.bool; + }; + + domain = mkOption { + type = types.str; + example = "engelsystem.example.com"; + description = "Domain to serve on."; + }; + + package = mkOption { + type = types.package; + example = literalExample "pkgs.engelsystem"; + description = "Engelsystem package used for the service."; + default = pkgs.engelsystem; + }; + + createDatabase = mkOption { + type = types.bool; + default = true; + description = '' + Whether to create a local database automatically. + This will override every database setting in <option>services.engelsystem.config</option>. + ''; + }; + }; + + services.engelsystem.config = mkOption { + type = types.attrs; + default = { + database = { + host = "localhost"; + database = "engelsystem"; + username = "engelsystem"; + }; + }; + example = { + maintenance = false; + database = { + host = "database.example.com"; + database = "engelsystem"; + username = "engelsystem"; + password._secret = "/var/keys/engelsystem/database"; + }; + email = { + driver = "smtp"; + host = "smtp.example.com"; + port = 587; + from.address = "engelsystem@example.com"; + from.name = "example engelsystem"; + encryption = "tls"; + username = "engelsystem@example.com"; + password._secret = "/var/keys/engelsystem/mail"; + }; + autoarrive = true; + min_password_length = 6; + default_locale = "de_DE"; + }; + description = '' + Options to be added to config.php, as a nix attribute set. Options containing secret data + should be set to an attribute set containing the attribute _secret - a string pointing to a + file containing the value the option should be set to. See the example to get a better + picture of this: in the resulting config.php file, the email.password key will be set to + the contents of the /var/keys/engelsystem/mail file. + + See https://engelsystem.de/doc/admin/configuration/ for available options. + + Note that the admin user login credentials cannot be set here - they always default to + admin:asdfasdf. Log in and change them immediately. + ''; + }; + }; + + config = mkIf cfg.enable { + # create database + services.mysql = mkIf cfg.createDatabase { + enable = true; + package = mkDefault pkgs.mysql; + ensureUsers = [{ + name = "engelsystem"; + ensurePermissions = { "engelsystem.*" = "ALL PRIVILEGES"; }; + }]; + ensureDatabases = [ "engelsystem" ]; + }; + + environment.etc."engelsystem/config.php".source = + pkgs.writeText "config.php" '' + <?php + return json_decode(file_get_contents("/var/lib/engelsystem/config.json"), true); + ''; + + services.phpfpm.pools.engelsystem = { + user = "engelsystem"; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + }; + }; + + services.nginx = { + enable = true; + virtualHosts."${cfg.domain}".locations = { + "/" = { + root = "${cfg.package}/share/engelsystem/public"; + extraConfig = '' + index index.php; + try_files $uri $uri/ /index.php?$args; + autoindex off; + ''; + }; + "~ \\.php$" = { + root = "${cfg.package}/share/engelsystem/public"; + extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools.engelsystem.socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${config.services.nginx.package}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi.conf; + ''; + }; + }; + }; + + systemd.services."engelsystem-init" = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { Type = "oneshot"; }; + script = + let + genConfigScript = pkgs.writeScript "engelsystem-gen-config.sh" + (utils.genJqSecretsReplacementSnippet cfg.config "config.json"); + in '' + umask 077 + mkdir -p /var/lib/engelsystem/storage/app + mkdir -p /var/lib/engelsystem/storage/cache/views + cd /var/lib/engelsystem + ${genConfigScript} + chmod 400 config.json + chown -R engelsystem . + ''; + }; + systemd.services."engelsystem-migrate" = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + User = "engelsystem"; + Group = "engelsystem"; + }; + script = '' + ${cfg.package}/bin/migrate + ''; + after = [ "engelsystem-init.service" "mysql.service" ]; + }; + systemd.services."phpfpm-engelsystem".after = + [ "engelsystem-migrate.service" ]; + + users.users.engelsystem = { + isSystemUser = true; + createHome = true; + home = "/var/lib/engelsystem/storage"; + group = "engelsystem"; + }; + users.groups.engelsystem = { }; + }; +} diff --git a/nixos/modules/services/web-apps/gerrit.nix b/nixos/modules/services/web-apps/gerrit.nix new file mode 100644 index 000000000000..b184c0754d45 --- /dev/null +++ b/nixos/modules/services/web-apps/gerrit.nix @@ -0,0 +1,218 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.gerrit; + + # NixOS option type for git-like configs + gitIniType = with types; + let + primitiveType = either str (either bool int); + multipleType = either primitiveType (listOf primitiveType); + sectionType = lazyAttrsOf multipleType; + supersectionType = lazyAttrsOf (either multipleType sectionType); + in lazyAttrsOf supersectionType; + + gerritConfig = pkgs.writeText "gerrit.conf" ( + lib.generators.toGitINI cfg.settings + ); + + # Wrap the gerrit java with all the java options so it can be called + # like a normal CLI app + gerrit-cli = pkgs.writeShellScriptBin "gerrit" '' + set -euo pipefail + jvmOpts=( + ${lib.escapeShellArgs cfg.jvmOpts} + -Xmx${cfg.jvmHeapLimit} + ) + exec ${cfg.jvmPackage}/bin/java \ + "''${jvmOpts[@]}" \ + -jar ${cfg.package}/webapps/${cfg.package.name}.war \ + "$@" + ''; + + gerrit-plugins = pkgs.runCommand + "gerrit-plugins" + { + buildInputs = [ gerrit-cli ]; + } + '' + shopt -s nullglob + mkdir $out + + for name in ${toString cfg.builtinPlugins}; do + echo "Installing builtin plugin $name.jar" + gerrit cat plugins/$name.jar > $out/$name.jar + done + + for file in ${toString cfg.plugins}; do + name=$(echo "$file" | cut -d - -f 2-) + echo "Installing plugin $name" + ln -sf "$file" $out/$name + done + ''; +in +{ + options = { + services.gerrit = { + enable = mkEnableOption "Gerrit service"; + + package = mkOption { + type = types.package; + default = pkgs.gerrit; + description = "Gerrit package to use"; + }; + + jvmPackage = mkOption { + type = types.package; + default = pkgs.jre_headless; + defaultText = "pkgs.jre_headless"; + description = "Java Runtime Environment package to use"; + }; + + jvmOpts = mkOption { + type = types.listOf types.str; + default = [ + "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance" + "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance" + ]; + description = "A list of JVM options to start gerrit with."; + }; + + jvmHeapLimit = mkOption { + type = types.str; + default = "1024m"; + description = '' + How much memory to allocate to the JVM heap + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "[::]:8080"; + description = '' + <literal>hostname:port</literal> to listen for HTTP traffic. + + This is bound using the systemd socket activation. + ''; + }; + + settings = mkOption { + type = gitIniType; + default = {}; + description = '' + Gerrit configuration. This will be generated to the + <literal>etc/gerrit.config</literal> file. + ''; + }; + + plugins = mkOption { + type = types.listOf types.package; + default = []; + description = '' + List of plugins to add to Gerrit. Each derivation is a jar file + itself where the name of the derivation is the name of plugin. + ''; + }; + + builtinPlugins = mkOption { + type = types.listOf (types.enum cfg.package.passthru.plugins); + default = []; + description = '' + List of builtins plugins to install. Those are shipped in the + <literal>gerrit.war</literal> file. + ''; + }; + + serverId = mkOption { + type = types.str; + description = '' + Set a UUID that uniquely identifies the server. + + This can be generated with + <literal>nix-shell -p utillinux --run uuidgen</literal>. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + services.gerrit.settings = { + cache.directory = "/var/cache/gerrit"; + container.heapLimit = cfg.jvmHeapLimit; + gerrit.basePath = lib.mkDefault "git"; + gerrit.serverId = cfg.serverId; + httpd.inheritChannel = "true"; + httpd.listenUrl = lib.mkDefault "http://${cfg.listenAddress}"; + index.type = lib.mkDefault "lucene"; + }; + + # Add the gerrit CLI to the system to run `gerrit init` and friends. + environment.systemPackages = [ gerrit-cli ]; + + systemd.sockets.gerrit = { + unitConfig.Description = "Gerrit HTTP socket"; + wantedBy = [ "sockets.target" ]; + listenStreams = [ cfg.listenAddress ]; + }; + + systemd.services.gerrit = { + description = "Gerrit"; + + wantedBy = [ "multi-user.target" ]; + requires = [ "gerrit.socket" ]; + after = [ "gerrit.socket" "network.target" ]; + + path = [ + gerrit-cli + pkgs.bash + pkgs.coreutils + pkgs.git + pkgs.openssh + ]; + + environment = { + GERRIT_HOME = "%S/gerrit"; + GERRIT_TMP = "%T"; + HOME = "%S/gerrit"; + XDG_CONFIG_HOME = "%S/gerrit/.config"; + }; + + preStart = '' + set -euo pipefail + + # bootstrap if nothing exists + if [[ ! -d git ]]; then + gerrit init --batch --no-auto-start + fi + + # install gerrit.war for the plugin manager + rm -rf bin + mkdir bin + ln -sfv ${cfg.package}/webapps/${cfg.package.name}.war bin/gerrit.war + + # copy the config, keep it mutable because Gerrit + ln -sfv ${gerritConfig} etc/gerrit.config + + # install the plugins + rm -rf plugins + ln -sv ${gerrit-plugins} plugins + '' + ; + + serviceConfig = { + CacheDirectory = "gerrit"; + DynamicUser = true; + ExecStart = "${gerrit-cli}/bin/gerrit daemon --console-log"; + LimitNOFILE = 4096; + StandardInput = "socket"; + StandardOutput = "journal"; + StateDirectory = "gerrit"; + WorkingDirectory = "%S/gerrit"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ edef zimbatm ]; +} diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix index 853347bf86e2..f5c2c356afce 100644 --- a/nixos/modules/services/web-apps/mattermost.nix +++ b/nixos/modules/services/web-apps/mattermost.nix @@ -224,7 +224,7 @@ in serviceConfig = { User = "nobody"; Group = "nogroup"; - ExecStart = "${pkgs.matterircd.bin}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}"; + ExecStart = "${pkgs.matterircd}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}"; WorkingDirectory = "/tmp"; PrivateTmp = true; Restart = "always"; diff --git a/nixos/modules/services/web-apps/mediawiki.nix b/nixos/modules/services/web-apps/mediawiki.nix index e9ed53857d81..0a5b6047bb58 100644 --- a/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixos/modules/services/web-apps/mediawiki.nix @@ -29,7 +29,7 @@ let '') cfg.skins)} ${concatStringsSep "\n" (mapAttrsToList (k: v: '' - ln -s ${v} $out/share/mediawiki/extensions/${k} + ln -s ${if v != null then v else "$src/share/mediawiki/extensions/${k}"} $out/share/mediawiki/extensions/${k} '') cfg.extensions)} ''; }; @@ -204,17 +204,28 @@ in default = {}; type = types.attrsOf types.path; description = '' - List of paths whose content is copied to the 'skins' - subdirectory of the MediaWiki installation. + Attribute set of paths whose content is copied to the <filename>skins</filename> + subdirectory of the MediaWiki installation in addition to the default skins. ''; }; extensions = mkOption { default = {}; - type = types.attrsOf types.path; + type = types.attrsOf (types.nullOr types.path); description = '' - List of paths whose content is copied to the 'extensions' - subdirectory of the MediaWiki installation. + Attribute set of paths whose content is copied to the <filename>extensions</filename> + subdirectory of the MediaWiki installation and enabled in configuration. + + Use <literal>null</literal> instead of path to enable extensions that are part of MediaWiki. + ''; + example = literalExample '' + { + Matomo = pkgs.fetchzip { + url = "https://github.com/DaSchTour/matomo-mediawiki-extension/archive/v4.0.1.tar.gz"; + sha256 = "0g5rd3zp0avwlmqagc59cg9bbkn3r7wx7p6yr80s644mj6dlvs1b"; + }; + ParserFunctions = null; + } ''; }; diff --git a/nixos/modules/services/web-apps/moinmoin.nix b/nixos/modules/services/web-apps/moinmoin.nix index 0fee64be0bb2..dc7abce2a5cb 100644 --- a/nixos/modules/services/web-apps/moinmoin.nix +++ b/nixos/modules/services/web-apps/moinmoin.nix @@ -299,5 +299,5 @@ in ]))); }; - meta.maintainers = with lib.maintainers; [ b42 ]; + meta.maintainers = with lib.maintainers; [ mmilata ]; } diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 912e05d6d400..f826096bf608 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -6,31 +6,32 @@ let cfg = config.services.nextcloud; fpm = config.services.phpfpm.pools.nextcloud; - phpPackage = pkgs.php73; - phpPackages = pkgs.php73Packages; + phpPackage = + let + base = pkgs.php74; + in + base.buildEnv { + extensions = { enabled, all }: with all; + enabled ++ [ + apcu redis memcached imagick + ]; + extraConfig = phpOptionsStr; + }; toKeyValue = generators.toKeyValue { mkKeyValue = generators.mkKeyValueDefault {} " = "; }; - phpOptionsExtensions = '' - ${optionalString cfg.caching.apcu "extension=${phpPackages.apcu}/lib/php/extensions/apcu.so"} - ${optionalString cfg.caching.redis "extension=${phpPackages.redis}/lib/php/extensions/redis.so"} - ${optionalString cfg.caching.memcached "extension=${phpPackages.memcached}/lib/php/extensions/memcached.so"} - extension=${phpPackages.imagick}/lib/php/extensions/imagick.so - zend_extension = opcache.so - opcache.enable = 1 - ''; phpOptions = { upload_max_filesize = cfg.maxUploadSize; post_max_size = cfg.maxUploadSize; memory_limit = cfg.maxUploadSize; } // cfg.phpOptions; - phpOptionsStr = phpOptionsExtensions + (toKeyValue phpOptions); + phpOptionsStr = toKeyValue phpOptions; occ = pkgs.writeScriptBin "nextcloud-occ" '' - #! ${pkgs.stdenv.shell} - cd ${pkgs.nextcloud} + #! ${pkgs.runtimeShell} + cd ${cfg.package} sudo=exec if [[ "$USER" != nextcloud ]]; then sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR' @@ -38,10 +39,11 @@ let export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" $sudo \ ${phpPackage}/bin/php \ - -c ${pkgs.writeText "php.ini" phpOptionsStr}\ occ $* ''; + inherit (config.system) stateVersion; + in { options.services.nextcloud = { enable = mkEnableOption "nextcloud"; @@ -64,6 +66,11 @@ in { default = false; description = "Use https for generated links."; }; + package = mkOption { + type = types.package; + description = "Which package to use for the Nextcloud instance."; + relatedPackages = [ "nextcloud17" "nextcloud18" ]; + }; maxUploadSize = mkOption { default = "512M"; @@ -309,10 +316,40 @@ in { } ]; - warnings = optional (cfg.poolConfig != null) '' - Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release. - Please migrate your configuration to config.services.nextcloud.poolSettings. - ''; + warnings = [] + ++ (optional (cfg.poolConfig != null) '' + Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release. + Please migrate your configuration to config.services.nextcloud.poolSettings. + '') + ++ (optional (versionOlder cfg.package.version "18") '' + A legacy Nextcloud install (from before NixOS 20.03) may be installed. + + You're currently deploying an older version of Nextcloud. This may be needed + since Nextcloud doesn't allow major version upgrades that skip multiple + versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18). + + It is assumed that Nextcloud will be upgraded from version 16 to 17. + + * If this is a fresh install, there will be no upgrade to do now. + + * If this server already had Nextcloud installed, first deploy this to your + server, and wait until the upgrade to 17 is finished. + + Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to + Nextcloud version 18. + ''); + + services.nextcloud.package = with pkgs; + mkDefault ( + if pkgs ? nextcloud + then throw '' + The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default + nextcloud defined in an overlay, please set `services.nextcloud.package` to + `pkgs.nextcloud`. + '' + else if versionOlder stateVersion "20.03" then nextcloud17 + else nextcloud18 + ); } { systemd.timers.nextcloud-cron = { @@ -407,7 +444,7 @@ in { path = [ occ ]; script = '' chmod og+x ${cfg.home} - ln -sf ${pkgs.nextcloud}/apps ${cfg.home}/ + ln -sf ${cfg.package}/apps ${cfg.home}/ mkdir -p ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php @@ -429,7 +466,7 @@ in { environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; serviceConfig.Type = "oneshot"; serviceConfig.User = "nextcloud"; - serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${pkgs.nextcloud}/cron.php"; + serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php"; }; nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; @@ -471,7 +508,7 @@ in { enable = true; virtualHosts = { ${cfg.hostName} = { - root = pkgs.nextcloud; + root = cfg.package; locations = { "= /robots.txt" = { priority = 100; @@ -537,7 +574,7 @@ in { add_header Referrer-Policy no-referrer; access_log off; ''; - "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = '' + "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' try_files $uri /index.php$request_uri; access_log off; ''; diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index d66e0f0c2997..fc454f8ba254 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -113,5 +113,53 @@ maintenance:install</literal>! This command tries to install the application and can cause unwanted side-effects!</para> </warning> + + <para> + Nextcloud doesn't allow to move more than one major-version forward. If you're e.g. on + <literal>v16</literal>, you cannot upgrade to <literal>v18</literal>, you need to upgrade to + <literal>v17</literal> first. This is ensured automatically as long as the + <link linkend="opt-system.stateVersion">stateVersion</link> is declared properly. In that case + the oldest version available (one major behind the one from the previous NixOS + release) will be selected by default and the module will generate a warning that reminds + the user to upgrade to latest Nextcloud <emphasis>after</emphasis> that deploy. + </para> + </section> + + <section xml:id="module-services-nextcloud-maintainer-info"> + <title>Maintainer information</title> + + <para> + As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud + since it cannot move more than one major version forward on a single upgrade. This chapter + adds some notes how Nextcloud updates should be rolled out in the future. + </para> + + <para> + While minor and patch-level updates are no problem and can be done directly in the + package-expression (and should be backported to supported stable branches after that), + major-releases should be added in a new attribute (e.g. Nextcloud <literal>v19.0.0</literal> + should be available in <literal>nixpkgs</literal> as <literal>pkgs.nextcloud19</literal>). + To provide simple upgrade paths it's generally useful to backport those as well to stable + branches. As long as the package-default isn't altered, this won't break existing setups. + After that, the versioning-warning in the <literal>nextcloud</literal>-module should be + updated to make sure that the + <link linkend="opt-services.nextcloud.package">package</link>-option selects the latest version + on fresh setups. + </para> + + <para> + If major-releases will be abandoned by upstream, we should check first if those are needed + in NixOS for a safe upgrade-path before removing those. In that case we shold keep those + packages, but mark them as insecure in an expression like this (in + <literal><nixpkgs/pkgs/servers/nextcloud/default.nix></literal>): +<programlisting>/* ... */ +{ + nextcloud17 = generic { + version = "17.0.x"; + sha256 = "0000000000000000000000000000000000000000000000000000"; + insecure = true; + }; +}</programlisting> + </para> </section> </chapter> diff --git a/nixos/modules/services/web-apps/sogo.nix b/nixos/modules/services/web-apps/sogo.nix new file mode 100644 index 000000000000..5f30124dd68a --- /dev/null +++ b/nixos/modules/services/web-apps/sogo.nix @@ -0,0 +1,272 @@ +{ config, pkgs, lib, ... }: with lib; let + cfg = config.services.sogo; + + preStart = pkgs.writeShellScriptBin "sogo-prestart" '' + touch /etc/sogo/sogo.conf + chown sogo:sogo /etc/sogo/sogo.conf + chmod 640 /etc/sogo/sogo.conf + + ${if (cfg.configReplaces != {}) then '' + # Insert secrets + ${concatStringsSep "\n" (mapAttrsToList (k: v: ''export ${k}="$(cat "${v}" | tr -d '\n')"'') cfg.configReplaces)} + + ${pkgs.perl}/bin/perl -p ${concatStringsSep " " (mapAttrsToList (k: v: '' -e 's/${k}/''${ENV{"${k}"}}/g;' '') cfg.configReplaces)} /etc/sogo/sogo.conf.raw > /etc/sogo/sogo.conf + '' else '' + cp /etc/sogo/sogo.conf.raw /etc/sogo/sogo.conf + ''} + ''; + +in { + options.services.sogo = with types; { + enable = mkEnableOption "SOGo groupware"; + + vhostName = mkOption { + description = "Name of the nginx vhost"; + type = str; + default = "sogo"; + }; + + timezone = mkOption { + description = "Timezone of your SOGo instance"; + type = str; + example = "America/Montreal"; + }; + + language = mkOption { + description = "Language of SOGo"; + type = str; + default = "English"; + }; + + ealarmsCredFile = mkOption { + description = "Optional path to a credentials file for email alarms"; + type = nullOr str; + default = null; + }; + + configReplaces = mkOption { + description = '' + Replacement-filepath mapping for sogo.conf. + Every key is replaced with the contents of the file specified as value. + + In the example, every occurence of LDAP_BINDPW will be replaced with the text of the + specified file. + ''; + type = attrsOf str; + default = {}; + example = { + LDAP_BINDPW = "/var/lib/secrets/sogo/ldappw"; + }; + }; + + extraConfig = mkOption { + description = "Extra sogo.conf configuration lines"; + type = lines; + default = ""; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.sogo ]; + + environment.etc."sogo/sogo.conf.raw".text = '' + { + // Mandatory parameters + SOGoTimeZone = "${cfg.timezone}"; + SOGoLanguage = "${cfg.language}"; + // Paths + WOSendMail = "/run/wrappers/bin/sendmail"; + SOGoMailSpoolPath = "/var/lib/sogo/spool"; + SOGoZipPath = "${pkgs.zip}/bin/zip"; + // Enable CSRF protection + SOGoXSRFValidationEnabled = YES; + // Remove dates from log (jornald does that) + NGLogDefaultLogEventFormatterClass = "NGLogEventFormatter"; + // Extra config + ${cfg.extraConfig} + } + ''; + + systemd.services.sogo = { + description = "SOGo groupware"; + after = [ "postgresql.service" "mysql.service" "memcached.service" "openldap.service" "dovecot2.service" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ]; + + environment.LDAPTLS_CACERT = "/etc/ssl/certs/ca-certificates.crt"; + + serviceConfig = { + Type = "forking"; + ExecStartPre = "+" + preStart + "/bin/sogo-prestart"; + ExecStart = "${pkgs.sogo}/bin/sogod -WOLogFile - -WOPidFile /run/sogo/sogo.pid"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RuntimeDirectory = "sogo"; + StateDirectory = "sogo/spool"; + + User = "sogo"; + Group = "sogo"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "@basic-io @file-system @network-io @system-service @timer"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; + }; + }; + + systemd.services.sogo-tmpwatch = { + description = "SOGo tmpwatch"; + + startAt = [ "hourly" ]; + script = '' + SOGOSPOOL=/var/lib/sogo/spool + + find "$SOGOSPOOL" -type f -user sogo -atime +23 -delete > /dev/null + find "$SOGOSPOOL" -mindepth 1 -type d -user sogo -empty -delete > /dev/null + ''; + + serviceConfig = { + Type = "oneshot"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + StateDirectory = "sogo/spool"; + + User = "sogo"; + Group = "sogo"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + PrivateNetwork = true; + SystemCallFilter = "@basic-io @file-system @system-service"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = ""; + }; + }; + + systemd.services.sogo-ealarms = { + description = "SOGo email alarms"; + + after = [ "postgresql.service" "mysqld.service" "memcached.service" "openldap.service" "dovecot2.service" "sogo.service" ]; + restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ]; + + startAt = [ "minutely" ]; + + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.sogo}/bin/sogo-ealarms-notify${optionalString (cfg.ealarmsCredFile != null) " -p ${cfg.ealarmsCredFile}"}"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + StateDirectory = "sogo/spool"; + + User = "sogo"; + Group = "sogo"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "@basic-io @file-system @network-io @system-service"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; + }; + }; + + # nginx vhost + services.nginx.virtualHosts."${cfg.vhostName}" = { + locations."/".extraConfig = '' + rewrite ^ https://$server_name/SOGo; + allow all; + ''; + + # For iOS 7 + locations."/principals/".extraConfig = '' + rewrite ^ https://$server_name/SOGo/dav; + allow all; + ''; + + locations."^~/SOGo".extraConfig = '' + proxy_pass http://127.0.0.1:20000; + proxy_redirect http://127.0.0.1:20000 default; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header x-webobjects-server-protocol HTTP/1.0; + proxy_set_header x-webobjects-remote-host 127.0.0.1; + proxy_set_header x-webobjects-server-port $server_port; + proxy_set_header x-webobjects-server-name $server_name; + proxy_set_header x-webobjects-server-url $scheme://$host; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffer_size 4k; + proxy_buffers 4 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + client_max_body_size 50m; + client_body_buffer_size 128k; + break; + ''; + + locations."/SOGo.woa/WebServerResources/".extraConfig = '' + alias ${pkgs.sogo}/lib/GNUstep/SOGo/WebServerResources/; + allow all; + ''; + + locations."/SOGo/WebServerResources/".extraConfig = '' + alias ${pkgs.sogo}/lib/GNUstep/SOGo/WebServerResources/; + allow all; + ''; + + locations."~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$".extraConfig = '' + alias ${pkgs.sogo}/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + ''; + + locations."~ ^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\\.(jpg|png|gif|css|js)$".extraConfig = '' + alias ${pkgs.sogo}/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + ''; + }; + + # User and group + users.groups.sogo = {}; + users.users.sogo = { + group = "sogo"; + isSystemUser = true; + description = "SOGo service user"; + }; + }; +} diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index b92e34498949..2ea9537b93de 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -631,9 +631,12 @@ let serviceConfig = { User = "${cfg.user}"; Group = "tt_rss"; - ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon"; + ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon --quiet"; StandardOutput = "syslog"; StandardError = "syslog"; + Restart = "on-failure"; + RestartSec = "60"; + SyslogIdentifier = "tt-rss"; }; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index c48a44097372..5fbe53221ae8 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix @@ -105,7 +105,7 @@ let name = "embed-pdf-viewer-plugin"; # Download the theme from the wordpress site src = pkgs.fetchurl { - url = https://downloads.wordpress.org/plugin/embed-pdf-viewer.2.0.3.zip; + url = "https://downloads.wordpress.org/plugin/embed-pdf-viewer.2.0.3.zip"; sha256 = "1rhba5h5fjlhy8p05zf0p14c9iagfh96y91r36ni0rmk6y891lyd"; }; # We need unzip to build this package @@ -132,7 +132,7 @@ let name = "responsive-theme"; # Download the theme from the wordpress site src = pkgs.fetchurl { - url = https://downloads.wordpress.org/theme/responsive.3.14.zip; + url = "https://downloads.wordpress.org/theme/responsive.3.14.zip"; sha256 = "0rjwm811f4aa4q43r77zxlpklyb85q08f9c8ns2akcarrvj5ydx3"; }; # We need unzip to build this package diff --git a/nixos/modules/services/web-apps/youtrack.nix b/nixos/modules/services/web-apps/youtrack.nix index 830edac20bac..b4d653d2d77e 100644 --- a/nixos/modules/services/web-apps/youtrack.nix +++ b/nixos/modules/services/web-apps/youtrack.nix @@ -46,9 +46,11 @@ in https://www.jetbrains.com/help/youtrack/standalone/YouTrack-Java-Start-Parameters.html for more information. ''; - example = { - "jetbrains.youtrack.overrideRootPassword" = "tortuga"; - }; + example = literalExample '' + { + "jetbrains.youtrack.overrideRootPassword" = "tortuga"; + } + ''; type = types.attrsOf types.str; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 832c8b30ee9d..8abee7130d7c 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -12,7 +12,7 @@ let httpdConf = cfg.configFile; - php = cfg.phpPackage.override { apacheHttpd = pkg.dev; /* otherwise it only gets .out */ }; + php = cfg.phpPackage.override { apacheHttpd = pkg; }; phpMajorVersion = lib.versions.major (lib.getVersion php); @@ -41,9 +41,9 @@ let "mime" "autoindex" "negotiation" "dir" "alias" "rewrite" "unixd" "slotmem_shm" "socache_shmcb" - "mpm_${cfg.multiProcessingModule}" + "mpm_${cfg.mpm}" ] - ++ (if cfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) + ++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ]) ++ optional enableHttp2 "http2" ++ optional enableSSL "ssl" ++ optional enableUserDir "userdir" @@ -264,7 +264,7 @@ let PidFile ${runtimeDir}/httpd.pid - ${optionalString (cfg.multiProcessingModule != "prefork") '' + ${optionalString (cfg.mpm != "prefork") '' # mod_cgid requires this. ScriptSock ${runtimeDir}/cgisock ''} @@ -338,6 +338,7 @@ let } '' cat ${php}/etc/php.ini > $out + cat ${php.phpIni} > $out echo "$options" >> $out ''; @@ -349,6 +350,7 @@ in imports = [ (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.") + (mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ]) # virtualHosts options (mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.") @@ -453,7 +455,13 @@ in type = types.str; default = "wwwrun"; description = '' - User account under which httpd runs. + User account under which httpd children processes run. + + If you require the main httpd process to run as + <literal>root</literal> add the following configuration: + <programlisting> + systemd.services.httpd.serviceConfig.User = lib.mkForce "root"; + </programlisting> ''; }; @@ -461,7 +469,7 @@ in type = types.str; default = "wwwrun"; description = '' - Group under which httpd runs. + Group under which httpd children processes run. ''; }; @@ -538,20 +546,19 @@ in ''; }; - multiProcessingModule = mkOption { + mpm = mkOption { type = types.enum [ "event" "prefork" "worker" ]; - default = "prefork"; + default = "event"; example = "worker"; description = '' Multi-processing module to be used by Apache. Available - modules are <literal>prefork</literal> (the default; - handles each request in a separate child process), - <literal>worker</literal> (hybrid approach that starts a - number of child processes each running a number of - threads) and <literal>event</literal> (a recent variant of - <literal>worker</literal> that handles persistent - connections more efficiently). + modules are <literal>prefork</literal> (handles each + request in a separate child process), <literal>worker</literal> + (hybrid approach that starts a number of child processes + each running a number of threads) and <literal>event</literal> + (the default; a recent variant of <literal>worker</literal> + that handles persistent connections more efficiently). ''; }; @@ -651,7 +658,7 @@ in services.httpd.phpOptions = '' ; Needed for PHP's mail() function. - sendmail_path = sendmail -t -i + sendmail_path = ${pkgs.system-sendmail}/bin/sendmail -t -i ; Don't advertise PHP expose_php = off @@ -702,9 +709,7 @@ in wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME); after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME; - path = - [ pkg pkgs.coreutils pkgs.gnugrep ] - ++ optional cfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function. + path = [ pkg pkgs.coreutils pkgs.gnugrep ]; environment = optionalAttrs cfg.enablePHP { PHPRC = phpIni; } @@ -724,7 +729,7 @@ in ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}"; ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop"; ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful"; - User = "root"; + User = cfg.user; Group = cfg.group; Type = "forking"; PIDFile = "${runtimeDir}/httpd.pid"; @@ -732,6 +737,7 @@ in RestartSec = "5s"; RuntimeDirectory = "httpd httpd/runtime"; RuntimeDirectoryMode = "0750"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; }; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix index 263980add8b2..173c0f8561c0 100644 --- a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix +++ b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix @@ -137,7 +137,7 @@ in http2 = mkOption { type = types.bool; - default = false; + default = true; description = '' Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details. @@ -220,7 +220,7 @@ in globalRedirect = mkOption { type = types.nullOr types.str; default = null; - example = http://newserver.example.org/; + example = "http://newserver.example.org/"; description = '' If set, all requests for this host are redirected permanently to the given URL. diff --git a/nixos/modules/services/web-servers/jboss/default.nix b/nixos/modules/services/web-servers/jboss/default.nix index d28724281a83..ca5b8635fc00 100644 --- a/nixos/modules/services/web-servers/jboss/default.nix +++ b/nixos/modules/services/web-servers/jboss/default.nix @@ -24,6 +24,7 @@ in services.jboss = { enable = mkOption { + type = types.bool; default = false; description = "Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities."; }; @@ -59,6 +60,7 @@ in }; useJK = mkOption { + type = types.bool; default = false; description = "Whether to use to connector to the Apache HTTP server"; }; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 28b433104a1c..8a015bb3556c 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -46,6 +46,15 @@ let } '')); + commonHttpConfig = '' + # The mime type definitions included with nginx are very incomplete, so + # we use a list of mime types from the mailcap package, which is also + # used by most other Linux distributions by default. + include ${pkgs.mailcap}/etc/nginx/mime.types; + include ${cfg.package}/conf/fastcgi.conf; + include ${cfg.package}/conf/uwsgi_params; + ''; + configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' pid /run/nginx/nginx.pid; error_log ${cfg.logError}; @@ -61,12 +70,7 @@ let ${optionalString (cfg.httpConfig == "" && cfg.config == "") '' http { - # The mime type definitions included with nginx are very incomplete, so - # we use a list of mime types from the mailcap package, which is also - # used by most other Linux distributions by default. - include ${pkgs.mailcap}/etc/nginx/mime.types; - include ${cfg.package}/conf/fastcgi.conf; - include ${cfg.package}/conf/uwsgi_params; + ${commonHttpConfig} ${optionalString (cfg.resolver.addresses != []) '' resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"}; @@ -79,7 +83,7 @@ let tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; - types_hash_max_size 2048; + types_hash_max_size 4096; ''} ssl_protocols ${cfg.sslProtocols}; @@ -172,9 +176,7 @@ let ${optionalString (cfg.httpConfig != "") '' http { - include ${cfg.package}/conf/mime.types; - include ${cfg.package}/conf/fastcgi.conf; - include ${cfg.package}/conf/uwsgi_params; + ${commonHttpConfig} ${cfg.httpConfig} }''} @@ -185,7 +187,7 @@ let then "/etc/nginx/nginx.conf" else configFile; - execCommand = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'"; + execCommand = "${cfg.package}/bin/nginx -c '${configPath}'"; vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: let @@ -461,11 +463,12 @@ in ''; }; - stateDir = mkOption { - default = "/var/spool/nginx"; - description = " - Directory holding all state for nginx to run. - "; + enableSandbox = mkOption { + default = false; + type = types.bool; + description = '' + Starting Nginx web server with additional sandbox/hardening options. + ''; }; user = mkOption { @@ -634,6 +637,13 @@ in }; }; + imports = [ + (mkRemovedOptionModule [ "services" "nginx" "stateDir" ] '' + The Nginx log directory has been moved to /var/log/nginx, the cache directory + to /var/cache/nginx. The option services.nginx.stateDir has been removed. + '') + ]; + config = mkIf cfg.enable { # TODO: test user supplied config file pases syntax test @@ -678,12 +688,6 @@ in } ]; - systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" - "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -" - "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" - ]; - systemd.services.nginx = { description = "Nginx Web Server"; wantedBy = [ "multi-user.target" ]; @@ -706,8 +710,35 @@ in # Runtime directory and mode RuntimeDirectory = "nginx"; RuntimeDirectoryMode = "0750"; + # Cache directory and mode + CacheDirectory = "nginx"; + CacheDirectoryMode = "0750"; + # Logs directory and mode + LogsDirectory = "nginx"; + LogsDirectoryMode = "0750"; # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; + # Security + NoNewPrivileges = true; + } // optionalAttrs cfg.enableSandbox { + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = mkDefault true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules); + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; }; }; @@ -725,9 +756,9 @@ in serviceConfig.Type = "oneshot"; serviceConfig.TimeoutSec = 60; script = '' - if ${pkgs.systemd}/bin/systemctl -q is-active nginx.service ; then + if /run/current-system/systemd/bin/systemctl -q is-active nginx.service ; then ${execCommand} -t && \ - ${pkgs.systemd}/bin/systemctl reload nginx.service + /run/current-system/systemd/bin/systemctl reload nginx.service fi ''; serviceConfig.RemainAfterExit = true; @@ -741,7 +772,7 @@ in webroot = vhostConfig.acmeRoot; extraDomains = genAttrs vhostConfig.serverAliases (alias: null); postRun = '' - systemctl reload nginx + /run/current-system/systemd/bin/systemctl reload nginx ''; }; }) acmeEnabledVhosts; in diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index 2c73da103946..d090885a8ca5 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix @@ -47,6 +47,7 @@ let Path to the unix socket file on which to accept FastCGI requests. <note><para>This option is read-only and managed by NixOS.</para></note> ''; + example = "${runtimeDir}/<name>.sock"; }; listen = mkOption { @@ -208,14 +209,14 @@ in { user = "php"; group = "php"; phpPackage = pkgs.php; - settings = ''' + settings = { "pm" = "dynamic"; "pm.max_children" = 75; "pm.start_servers" = 10; "pm.min_spare_servers" = 5; "pm.max_spare_servers" = 20; "pm.max_requests" = 500; - '''; + }; } }''; description = '' diff --git a/nixos/modules/services/web-servers/traefik.nix b/nixos/modules/services/web-servers/traefik.nix index 5b0fc467ea46..4ab7307c3b67 100644 --- a/nixos/modules/services/web-servers/traefik.nix +++ b/nixos/modules/services/web-servers/traefik.nix @@ -4,56 +4,102 @@ with lib; let cfg = config.services.traefik; - configFile = - if cfg.configFile == null then - pkgs.runCommand "config.toml" { - buildInputs = [ pkgs.remarshal ]; - preferLocalBuild = true; - } '' - remarshal -if json -of toml \ - < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \ - > $out - '' - else cfg.configFile; - + jsonValue = with types; + let + valueType = nullOr (oneOf [ + bool + int + float + str + (lazyAttrsOf valueType) + (listOf valueType) + ]) // { + description = "JSON value"; + emptyValue.value = { }; + }; + in valueType; + dynamicConfigFile = if cfg.dynamicConfigFile == null then + pkgs.runCommand "config.toml" { + buildInputs = [ pkgs.remarshal ]; + preferLocalBuild = true; + } '' + remarshal -if json -of toml \ + < ${ + pkgs.writeText "dynamic_config.json" + (builtins.toJSON cfg.dynamicConfigOptions) + } \ + > $out + '' + else + cfg.dynamicConfigFile; + staticConfigFile = if cfg.staticConfigFile == null then + pkgs.runCommand "config.toml" { + buildInputs = [ pkgs.yj ]; + preferLocalBuild = true; + } '' + yj -jt -i \ + < ${ + pkgs.writeText "static_config.json" (builtins.toJSON + (recursiveUpdate cfg.staticConfigOptions { + providers.file.filename = "${dynamicConfigFile}"; + })) + } \ + > $out + '' + else + cfg.staticConfigFile; in { options.services.traefik = { enable = mkEnableOption "Traefik web server"; - configFile = mkOption { + staticConfigFile = mkOption { default = null; - example = literalExample "/path/to/config.toml"; + example = literalExample "/path/to/static_config.toml"; type = types.nullOr types.path; description = '' - Path to verbatim traefik.toml to use. - (Using that option has precedence over <literal>configOptions</literal>) + Path to traefik's static configuration to use. + (Using that option has precedence over <literal>staticConfigOptions</literal> and <literal>dynamicConfigOptions</literal>) ''; }; - configOptions = mkOption { + staticConfigOptions = mkOption { description = '' - Config for Traefik. + Static configuration for Traefik. ''; - type = types.attrs; - default = { - defaultEntryPoints = ["http"]; - entryPoints.http.address = ":80"; - }; + type = jsonValue; + default = { entryPoints.http.address = ":80"; }; example = { - defaultEntrypoints = [ "http" ]; - web.address = ":8080"; + entryPoints.web.address = ":8080"; entryPoints.http.address = ":80"; - file = {}; - frontends = { - frontend1 = { - backend = "backend1"; - routes.test_1.rule = "Host:localhost"; - }; - }; - backends.backend1 = { - servers.server1.url = "http://localhost:8000"; + api = { }; + }; + }; + + dynamicConfigFile = mkOption { + default = null; + example = literalExample "/path/to/dynamic_config.toml"; + type = types.nullOr types.path; + description = '' + Path to traefik's dynamic configuration to use. + (Using that option has precedence over <literal>dynamicConfigOptions</literal>) + ''; + }; + + dynamicConfigOptions = mkOption { + description = '' + Dynamic configuration for Traefik. + ''; + type = jsonValue; + default = { }; + example = { + http.routers.router1 = { + rule = "Host(`localhost`)"; + service = "service1"; }; + + http.services.service1.loadBalancer.servers = + [{ url = "http://localhost:8080"; }]; }; }; @@ -61,7 +107,7 @@ in { default = "/var/lib/traefik"; type = types.path; description = '' - Location for any persistent data traefik creates, ie. acme + Location for any persistent data traefik creates, ie. acme ''; }; @@ -84,16 +130,15 @@ in { }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 traefik traefik - -" - ]; + systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 traefik traefik - -" ]; systemd.services.traefik = { description = "Traefik web server"; after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = ''${cfg.package.bin}/bin/traefik --configfile=${configFile}''; + ExecStart = + "${cfg.package}/bin/traefik --configfile=${staticConfigFile}"; Type = "simple"; User = "traefik"; Group = cfg.group; @@ -120,6 +165,6 @@ in { isSystemUser = true; }; - users.groups.traefik = {}; + users.groups.traefik = { }; }; } diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index f8a18954fc99..989866144e1e 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -91,41 +91,47 @@ in { description = "Unit App Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ curl ]; preStart = '' - test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json' + [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json' ''; postStart = '' - curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' ''; serviceConfig = { + Type = "forking"; + PIDFile = "/run/unit/unit.pid"; ExecStart = '' ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ - --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \ + --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' \ --user ${cfg.user} --group ${cfg.group} ''; - # User and group - User = cfg.user; - Group = cfg.group; - # Capabilities - AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; + ExecStop = '' + ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ''; + # Runtime directory and mode + RuntimeDirectory = "unit"; + RuntimeDirectoryMode = "0750"; + # Access write directories + ReadWritePaths = [ cfg.stateDir cfg.logDir ]; # Security NoNewPrivileges = true; # Sandboxing - ProtectSystem = "full"; + ProtectSystem = "strict"; ProtectHome = true; - RuntimeDirectory = "unit"; - RuntimeDirectoryMode = "0750"; PrivateTmp = true; PrivateDevices = true; ProtectHostname = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; + RestrictSUIDSGID = true; PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; }; }; diff --git a/nixos/modules/services/web-servers/uwsgi.nix b/nixos/modules/services/web-servers/uwsgi.nix index 4b74c329e3dc..936e211ec713 100644 --- a/nixos/modules/services/web-servers/uwsgi.nix +++ b/nixos/modules/services/web-servers/uwsgi.nix @@ -79,7 +79,25 @@ in { }; instance = mkOption { - type = types.attrs; + type = with lib.types; let + valueType = nullOr (oneOf [ + bool + int + float + str + (lazyAttrsOf valueType) + (listOf valueType) + (mkOptionType { + name = "function"; + description = "function"; + check = x: isFunction x; + merge = mergeOneOption; + }) + ]) // { + description = "Json value or lambda"; + emptyValue.value = {}; + }; + in valueType; default = { type = "normal"; }; diff --git a/nixos/modules/services/x11/desktop-managers/cde.nix b/nixos/modules/services/x11/desktop-managers/cde.nix index c1b6d3bf064a..2d9504fb5f1e 100644 --- a/nixos/modules/services/x11/desktop-managers/cde.nix +++ b/nixos/modules/services/x11/desktop-managers/cde.nix @@ -8,9 +8,26 @@ let in { options.services.xserver.desktopManager.cde = { enable = mkEnableOption "Common Desktop Environment"; + + extraPackages = mkOption { + type = with types; listOf package; + default = with pkgs.xorg; [ + xclock bitmap xlsfonts xfd xrefresh xload xwininfo xdpyinfo xwd xwud + ]; + example = literalExample '' + with pkgs.xorg; [ + xclock bitmap xlsfonts xfd xrefresh xload xwininfo xdpyinfo xwd xwud + ] + ''; + description = '' + Extra packages to be installed system wide. + ''; + }; }; config = mkIf (xcfg.enable && cfg.enable) { + environment.systemPackages = cfg.extraPackages; + services.rpcbind.enable = true; services.xinetd.enable = true; diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index ea6aac9f6c92..5d3a84d71399 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -19,7 +19,7 @@ in # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix - ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix + ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ]; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 26b662a2a643..3a7ab64510b5 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -23,6 +23,7 @@ in options = { services.xserver.desktopManager.enlightenment.enable = mkOption { + type = types.bool; default = false; description = "Enable the Enlightenment desktop environment."; }; @@ -31,15 +32,14 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ - e.efl e.enlightenment - e.terminology e.econnman - pkgs.xorg.xauth # used by kdesu - pkgs.gtk2 # To get GTK's themes. - pkgs.tango-icon-theme - - pkgs.gnome2.gnome_icon_theme - pkgs.xorg.xcursorthemes + environment.systemPackages = with pkgs; [ + enlightenment.econnman + enlightenment.efl + enlightenment.enlightenment + enlightenment.ephoto + enlightenment.rage + enlightenment.terminology + xorg.xcursorthemes ]; environment.pathsToLink = [ @@ -49,11 +49,10 @@ in "/share/locale" ]; - services.xserver.desktopManager.session = [ - { name = "Enlightenment"; - start = '' - export XDG_MENU_PREFIX=e- + services.xserver.displayManager.sessionPackages = [ pkgs.enlightenment.enlightenment ]; + services.xserver.displayManager.sessionCommands = '' + if test "$XDG_CURRENT_DESKTOP" = "Enlightenment"; then export GST_PLUGIN_PATH="${GST_PLUGIN_PATH}" # make available for D-BUS user services @@ -61,12 +60,15 @@ in # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ ${pkgs.xdg-user-dirs}/bin/xdg-user-dirs-update - - exec ${e.enlightenment}/bin/enlightenment_start - ''; - }]; - - security.wrappers = (import "${e.enlightenment}/e-wrappers.nix").security.wrappers; + fi + ''; + + # Wrappers for programs installed by enlightenment that should be setuid + security.wrappers = { + enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd"; + enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; + enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system"; + }; environment.etc."X11/xkb".source = xcfg.xkbDir; diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 5756cf14ed94..bbc7feb2d049 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -57,6 +57,10 @@ in { + meta = { + maintainers = teams.gnome.members; + }; + options = { services.gnome3 = { @@ -68,6 +72,7 @@ in services.xserver.desktopManager.gnome3 = { enable = mkOption { + type = types.bool; default = false; description = "Enable Gnome 3 desktop manager."; }; @@ -180,7 +185,7 @@ in wmCommand = "${pkgs.gnome3.metacity}/bin/metacity"; } ++ cfg.flashback.customSessions); - security.pam.services.gnome-screensaver = { + security.pam.services.gnome-flashback = { enableGnomeKeyring = true; }; @@ -191,9 +196,10 @@ in inherit (wm) wmName; }) cfg.flashback.customSessions); - services.dbus.packages = [ - pkgs.gnome3.gnome-screensaver - ]; + # gnome-panel needs these for menu applet + environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.gnome3.gnome-flashback}/share" ]; + # TODO: switch to sessionVariables (resolve conflict) + environment.variables.XDG_CONFIG_DIRS = [ "${pkgs.gnome3.gnome-flashback}/etc/xdg" ]; }) (mkIf serviceCfg.core-os-services.enable { @@ -252,7 +258,6 @@ in systemd.packages = with pkgs.gnome3; [ gnome-session gnome-shell - vino ]; services.avahi.enable = mkDefault true; @@ -304,7 +309,7 @@ in environment = mkForce {}; }; - # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-shell.bst + # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-36/elements/core/meta-gnome-core-shell.bst environment.systemPackages = with pkgs.gnome3; [ adwaita-icon-theme gnome-backgrounds @@ -323,11 +328,10 @@ in pkgs.hicolor-icon-theme pkgs.shared-mime-info # for update-mime-database pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ - vino ]; }) - # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-utilities.bst + # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-36/elements/core/meta-gnome-core-utilities.bst (mkIf serviceCfg.core-utilities.enable { environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ baobab diff --git a/nixos/modules/services/x11/desktop-managers/kodi.nix b/nixos/modules/services/x11/desktop-managers/kodi.nix index 65a7b9c628e5..bdae9c3afdb7 100644 --- a/nixos/modules/services/x11/desktop-managers/kodi.nix +++ b/nixos/modules/services/x11/desktop-managers/kodi.nix @@ -10,6 +10,7 @@ in options = { services.xserver.desktopManager.kodi = { enable = mkOption { + type = types.bool; default = false; description = "Enable the kodi multimedia center."; }; @@ -20,7 +21,7 @@ in services.xserver.desktopManager.session = [{ name = "kodi"; start = '' - ${pkgs.kodi}/bin/kodi --lircdev /run/lirc/lircd --standalone & + LIRC_SOCKET_PATH=/run/lirc/lircd ${pkgs.kodi}/bin/kodi --standalone & waitPID=$! ''; }]; diff --git a/nixos/modules/services/x11/desktop-managers/lumina.nix b/nixos/modules/services/x11/desktop-managers/lumina.nix index 2224bcd5a2a5..419f5055d8be 100644 --- a/nixos/modules/services/x11/desktop-managers/lumina.nix +++ b/nixos/modules/services/x11/desktop-managers/lumina.nix @@ -23,12 +23,9 @@ in config = mkIf cfg.enable { - services.xserver.desktopManager.session = singleton { - name = "lumina"; - start = '' - exec ${pkgs.lumina.lumina}/bin/start-lumina-desktop - ''; - }; + services.xserver.displayManager.sessionPackages = [ + pkgs.lumina.lumina + ]; environment.systemPackages = pkgs.lumina.preRequisitePackages ++ diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index 910a246d776c..f236c14fcf3e 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -44,35 +44,35 @@ in config = mkIf cfg.enable { - services.xserver.desktopManager.session = singleton { - name = "mate"; - bgSupport = true; - start = '' - export XDG_MENU_PREFIX=mate- + services.xserver.displayManager.sessionPackages = [ + pkgs.mate.mate-session-manager + ]; - # Let caja find extensions - export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0 + services.xserver.displayManager.sessionCommands = '' + if test "$XDG_CURRENT_DESKTOP" = "MATE"; then + export XDG_MENU_PREFIX=mate- - # Let caja extensions find gsettings schemas - ${concatMapStrings (p: '' + # Let caja find extensions + export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0 + + # Let caja extensions find gsettings schemas + ${concatMapStrings (p: '' if [ -d "${p}/lib/caja/extensions-2.0" ]; then - ${addToXDGDirs p} + ${addToXDGDirs p} fi - '') - config.environment.systemPackages - } + '') config.environment.systemPackages} - # Let mate-panel find applets - export MATE_PANEL_APPLETS_DIR=$MATE_PANEL_APPLETS_DIR''${MATE_PANEL_APPLETS_DIR:+:}${config.system.path}/share/mate-panel/applets - export MATE_PANEL_EXTRA_MODULES=$MATE_PANEL_EXTRA_MODULES''${MATE_PANEL_EXTRA_MODULES:+:}${config.system.path}/lib/mate-panel/applets + # Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive) + ${addToXDGDirs pkgs.mate.mate-control-center} + fi + ''; - # Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive) - ${addToXDGDirs pkgs.mate.mate-control-center} + # Let mate-panel find applets + environment.sessionVariables."MATE_PANEL_APPLETS_DIR" = "${config.system.path}/share/mate-panel/applets"; + environment.sessionVariables."MATE_PANEL_EXTRA_MODULES" = "${config.system.path}/lib/mate-panel/applets"; - ${pkgs.mate.mate-session-manager}/bin/mate-session ${optionalString cfg.debug "--debug"} & - waitPID=$! - ''; - }; + # Debugging + environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1"; environment.systemPackages = pkgs.mate.basePackages ++ diff --git a/nixos/modules/services/x11/desktop-managers/maxx.nix b/nixos/modules/services/x11/desktop-managers/maxx.nix deleted file mode 100644 index 1c04104df41e..000000000000 --- a/nixos/modules/services/x11/desktop-managers/maxx.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - xcfg = config.services.xserver; - cfg = xcfg.desktopManager.maxx; -in { - options.services.xserver.desktopManager.maxx = { - enable = mkEnableOption "MaXX desktop environment"; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.maxx ]; - - # there is hardcoded path in binaries - system.activationScripts.setup-maxx = '' - mkdir -p /opt - ln -sfn ${pkgs.maxx}/opt/MaXX /opt - ''; - - services.xserver.desktopManager.session = [ - { name = "MaXX"; - start = '' - exec ${pkgs.maxx}/opt/MaXX/etc/skel/Xsession.dt - ''; - }]; - }; - - meta.maintainers = [ maintainers.gnidorah ]; -} diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 869c66944897..5fcc8590232a 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -109,7 +109,7 @@ in # Without this, elementary LightDM greeter will pre-select non-existent `default` session # https://github.com/elementary/greeter/issues/368 - services.xserver.displayManager.defaultSession = "pantheon"; + services.xserver.displayManager.defaultSession = mkDefault "pantheon"; services.xserver.displayManager.sessionCommands = '' if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then @@ -181,7 +181,6 @@ in hicolor-icon-theme lightlocker onboard - plank qgnomeplatform shared-mime-info sound-theme-freedesktop @@ -195,6 +194,7 @@ in # Desktop elementary-default-settings + elementary-dock elementary-session-settings elementary-shortcut-overlay gala @@ -206,9 +206,9 @@ in }) # Services - cerbere elementary-capnet-assist elementary-dpms-helper + elementary-notifications elementary-settings-daemon pantheon-agent-geoclue2 pantheon-agent-polkit diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.xml b/nixos/modules/services/x11/desktop-managers/pantheon.xml index 4d92a7446c0d..7905ceebd9aa 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.xml +++ b/nixos/modules/services/x11/desktop-managers/pantheon.xml @@ -1,7 +1,7 @@ <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="chap-pantheon"> - <title>Pantheon Destkop</title> + <title>Pantheon Desktop</title> <para> Pantheon is the desktop environment created for the elementary OS distribution. It is written from scratch in Vala, utilizing GNOME technologies with GTK 3 and Granite. </para> @@ -89,22 +89,6 @@ switchboard-with-plugs.override { </para> </listitem> </varlistentry> - <varlistentry xml:id="sec-pantheon-faq-slow-shutdown"> - <term> - Using Pantheon sometimes makes my shutdown take a long time. - </term> - <listitem> - <para> - We have not yet determined what processes fight with systemd during shutdown, there are many reports. In elementary OS the default system timeout is lowered to lessen the impact of the issue. If you'd like to do this in NixOS, set -<programlisting> - <xref linkend="opt-systemd.extraConfig"/> = '' - DefaultTimeoutStopSec=10s - DefaultTimeoutStartSec=10s -''; -</programlisting> - </para> - </listitem> - </varlistentry> <varlistentry xml:id="sec-pantheon-faq-gnome3-and-pantheon"> <term> I cannot enable both GNOME 3 and Pantheon. diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 60ef0159ff1a..6d48b899d231 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -158,6 +158,19 @@ in example = "vlc"; description = "Phonon audio backend to install."; }; + + supportDDC = mkOption { + type = types.bool; + default = false; + description = '' + Support setting monitor brightness via DDC. + </para> + <para> + This is not needed for controlling brightness of the internal monitor + of a laptop and as it is considered experimental by upstream, it is + disabled by default. + ''; + }; }; }; @@ -184,6 +197,12 @@ in }; }; + # DDC support + boot.kernelModules = lib.optional cfg.supportDDC "i2c_dev"; + services.udev.extraRules = lib.optionalString cfg.supportDDC '' + KERNEL=="i2c-[0-9]*", TAG+="uaccess" + ''; + environment.systemPackages = with pkgs; with qt5; with libsForQt5; with plasma5; with kdeApplications; [ frameworkintegration diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index a08b1947f65b..d39b4d64904f 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -8,6 +8,10 @@ in { + meta = { + maintainers = with maintainers; [ worldofpeace ]; + }; + imports = [ # added 2019-08-18 # needed to preserve some semblance of UI familarity @@ -129,6 +133,7 @@ in services.xserver.desktopManager.session = [{ name = "xfce"; + desktopNames = [ "XFCE" ]; bgSupport = true; start = '' ${pkgs.runtimeShell} ${pkgs.xfce.xfce4-session.xinitrc} & diff --git a/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixos/modules/services/x11/display-managers/account-service-util.nix index 1dbe703b5662..2b08c62d0ad1 100644 --- a/nixos/modules/services/x11/display-managers/account-service-util.nix +++ b/nixos/modules/services/x11/display-managers/account-service-util.nix @@ -3,6 +3,7 @@ , gobject-introspection , python3 , wrapGAppsHook +, lib }: python3.pkgs.buildPythonApplication { @@ -36,4 +37,8 @@ python3.pkgs.buildPythonApplication { cp $src $out/bin/set-session chmod +x $out/bin/set-session ''; + + meta = with lib; { + maintainers = with maintainers; [ worldofpeace ]; + }; } diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 5d49ca943872..aa6a5ec42be8 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -39,7 +39,8 @@ let ${optionalString cfg.startDbusSession '' if test -z "$DBUS_SESSION_BUS_ADDRESS"; then - exec ${pkgs.dbus.dbus-launch} --exit-with-session "$0" "$@" + /run/current-system/systemd/bin/systemctl --user start dbus.socket + export `/run/current-system/systemd/bin/systemctl --user show-environment | grep '^DBUS_SESSION_BUS_ADDRESS'` fi ''} @@ -54,20 +55,12 @@ let exec &> >(tee ~/.xsession-errors) ''} - # Start PulseAudio if enabled. - ${optionalString (config.hardware.pulseaudio.enable) '' - # Publish access credentials in the root window. - if ${config.hardware.pulseaudio.package.out}/bin/pulseaudio --dump-modules | grep module-x11-publish &> /dev/null; then - ${config.hardware.pulseaudio.package.out}/bin/pactl load-module module-x11-publish "display=$DISPLAY" - fi - ''} - # Tell systemd about our $DISPLAY and $XAUTHORITY. # This is needed by the ssh-agent unit. # # Also tell systemd about the dbus session bus address. # This is required by user units using the session bus. - ${config.systemd.package}/bin/systemctl --user import-environment DISPLAY XAUTHORITY DBUS_SESSION_BUS_ADDRESS + /run/current-system/systemd/bin/systemctl --user import-environment DISPLAY XAUTHORITY DBUS_SESSION_BUS_ADDRESS # Load X defaults. This should probably be safe on wayland too. ${xorg.xrdb}/bin/xrdb -merge ${xresourcesXft} @@ -96,7 +89,7 @@ let fi # Start systemd user services for graphical sessions - ${config.systemd.package}/bin/systemctl --user start graphical-session.target + /run/current-system/systemd/bin/systemctl --user start graphical-session.target # Allow the user to setup a custom session type. if test -x ~/.xsession; then @@ -401,7 +394,7 @@ in test -n "$waitPID" && wait "$waitPID" - ${config.systemd.package}/bin/systemctl --user stop graphical-session.target + /run/current-system/systemd/bin/systemctl --user stop graphical-session.target exit 0 ''; @@ -412,6 +405,9 @@ in (dm: wm: let sessionName = "${dm.name}${optionalString (wm.name != "none") ("+" + wm.name)}"; script = xsession dm wm; + desktopNames = if dm ? desktopNames + then concatStringsSep ";" dm.desktopNames + else sessionName; in optional (dm.name != "none" || wm.name != "none") (pkgs.writeTextFile { @@ -427,7 +423,7 @@ in TryExec=${script} Exec=${script} Name=${sessionName} - DesktopNames=${sessionName} + DesktopNames=${desktopNames} ''; } // { providedSessions = [ sessionName ]; diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index e0ac47bb766d..622ea62f3a91 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -38,6 +38,10 @@ in { + meta = { + maintainers = teams.gnome.members; + }; + ###### interface options = { @@ -89,16 +93,17 @@ in }; wayland = mkOption { + type = types.bool; default = true; description = '' Allow GDM to run on Wayland instead of Xserver. Note to enable Wayland with Nvidia you need to enable the <option>nvidiaWayland</option>. ''; - type = types.bool; }; nvidiaWayland = mkOption { + type = types.bool; default = false; description = '' Whether to allow wayland to be used with the proprietary @@ -184,6 +189,9 @@ in "systemd-machined.service" # setSessionScript wants AccountsService "accounts-daemon.service" + # Failed to open gpu '/dev/dri/card0': GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Operation not permitted + # https://github.com/NixOS/nixpkgs/pull/25311#issuecomment-609417621 + "systemd-udev-settle.service" ]; systemd.services.display-manager.after = [ @@ -193,6 +201,7 @@ in "getty@tty${gdm.initialVT}.service" "plymouth-quit.service" "plymouth-start.service" + "systemd-udev-settle.service" ]; systemd.services.display-manager.conflicts = [ "getty@tty${gdm.initialVT}.service" diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix index 0025f9b36037..16d7fdf15cf6 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix @@ -14,7 +14,9 @@ let user = ${cfg.user} show-password-label = true password-label-text = Password: + invalid-password-text = Invalid Password show-input-cursor = true + password-alignment = right [greeter-hotkeys] mod-key = meta @@ -26,6 +28,8 @@ let [greeter-theme] font = Sans font-size = 1em + font-weight = bold + font-style = normal text-color = "#080800" error-color = "#F8F8F0" background-image = "${ldmcfg.background}" @@ -36,6 +40,8 @@ let layout-space = 15 password-color = "#F8F8F0" password-background-color = "#1B1D1E" + password-border-color = "#080800" + password-border-width = 2px ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix index 77c94114e6d9..087c6b9c38ac 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix @@ -10,6 +10,10 @@ let in { + meta = { + maintainers = with maintainers; [ worldofpeace ]; + }; + options = { services.xserver.displayManager.lightdm.greeters.pantheon = { diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index cb7b5f959588..479548863b47 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -69,6 +69,10 @@ let in { + meta = { + maintainers = with maintainers; [ worldofpeace ]; + }; + # Note: the order in which lightdm greeter modules are imported # here determines the default: later modules (if enable) are # preferred. diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index 4224c557ed63..2f42271da872 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -30,8 +30,8 @@ let cfgFile = pkgs.writeText "sddm.conf" '' [General] - HaltCommand=${pkgs.systemd}/bin/systemctl poweroff - RebootCommand=${pkgs.systemd}/bin/systemctl reboot + HaltCommand=/run/current-system/systemd/bin/systemctl poweroff + RebootCommand=/run/current-system/systemd/bin/systemctl reboot ${optionalString cfg.autoNumlock '' Numlock=on ''} diff --git a/nixos/modules/services/x11/display-managers/startx.nix b/nixos/modules/services/x11/display-managers/startx.nix index 570469843586..3980203b9457 100644 --- a/nixos/modules/services/x11/display-managers/startx.nix +++ b/nixos/modules/services/x11/display-managers/startx.nix @@ -15,6 +15,7 @@ in options = { services.xserver.displayManager.startx = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to enable the dummy "startx" pseudo-display manager, diff --git a/nixos/modules/services/x11/gdk-pixbuf.nix b/nixos/modules/services/x11/gdk-pixbuf.nix index 9ad926369ec7..3fd6fed91e13 100644 --- a/nixos/modules/services/x11/gdk-pixbuf.nix +++ b/nixos/modules/services/x11/gdk-pixbuf.nix @@ -19,7 +19,7 @@ let continue fi GDK_PIXBUF_MODULEDIR="$module_dir" \ - ${pkgs.gdk-pixbuf.dev}/bin/gdk-pixbuf-query-loaders + ${pkgs.stdenv.hostPlatform.emulator pkgs.buildPackages} ${pkgs.gdk-pixbuf.dev}/bin/gdk-pixbuf-query-loaders done ) > "$out" ''; diff --git a/nixos/modules/services/x11/hardware/digimend.nix b/nixos/modules/services/x11/hardware/digimend.nix index a9f5640905aa..b1b1682f00b2 100644 --- a/nixos/modules/services/x11/hardware/digimend.nix +++ b/nixos/modules/services/x11/hardware/digimend.nix @@ -16,12 +16,7 @@ in services.xserver.digimend = { - enable = mkOption { - default = false; - description = '' - Whether to enable the digimend drivers for Huion/XP-Pen/etc. tablets. - ''; - }; + enable = mkEnableOption "the digimend drivers for Huion/XP-Pen/etc. tablets"; }; diff --git a/nixos/modules/services/x11/hardware/libinput.nix b/nixos/modules/services/x11/hardware/libinput.nix index f6b0e7c09f51..9548ecb8ef6d 100644 --- a/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixos/modules/services/x11/hardware/libinput.nix @@ -184,7 +184,11 @@ in { '' Option "DragLockButtons" "L1 B1 L2 B2" ''; - description = "Additional options for libinput touchpad driver."; + description = '' + Additional options for libinput touchpad driver. See + <citerefentry><refentrytitle>libinput</refentrytitle><manvolnum>4</manvolnum></citerefentry> + for available options."; + ''; }; }; diff --git a/nixos/modules/services/x11/hardware/wacom.nix b/nixos/modules/services/x11/hardware/wacom.nix index a27889c36a70..dad2b308d1b4 100644 --- a/nixos/modules/services/x11/hardware/wacom.nix +++ b/nixos/modules/services/x11/hardware/wacom.nix @@ -15,6 +15,7 @@ in services.xserver.wacom = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to enable the Wacom touchscreen/digitizer/tablet. diff --git a/nixos/modules/services/x11/picom.nix b/nixos/modules/services/x11/picom.nix index e3bd21be73e4..1289edd2904a 100644 --- a/nixos/modules/services/x11/picom.nix +++ b/nixos/modules/services/x11/picom.nix @@ -1,39 +1,48 @@ { config, lib, pkgs, ... }: with lib; -with builtins; let cfg = config.services.picom; - pairOf = x: with types; addCheck (listOf x) (y: length y == 2); - - floatBetween = a: b: with lib; with types; - addCheck str (x: versionAtLeast x a && versionOlder x b); - - toConf = attrs: concatStringsSep "\n" - (mapAttrsToList - (k: v: let - sep = if isAttrs v then ":" else "="; - # Basically a tinkered lib.generators.mkKeyValueDefault - mkValueString = v: - if isBool v then boolToString v - else if isInt v then toString v - else if isFloat v then toString v - else if isString v then ''"${escape [ ''"'' ] v}"'' - else if isList v then "[ " - + concatMapStringsSep " , " mkValueString v - + " ]" - else if isAttrs v then "{ " - + concatStringsSep " " - (mapAttrsToList - (key: value: "${toString key}=${mkValueString value};") - v) - + " }" - else abort "picom.mkValueString: unexpected type (v = ${v})"; - in "${escape [ sep ] k}${sep}${mkValueString v};") - attrs); + pairOf = x: with types; + addCheck (listOf x) (y: length y == 2) + // { description = "pair of ${x.description}"; }; + + floatBetween = a: b: with types; + let + # toString prints floats with hardcoded high precision + floatToString = f: builtins.toJSON f; + in + addCheck float (x: x <= b && x >= a) + // { description = "a floating point number in " + + "range [${floatToString a}, ${floatToString b}]"; }; + + mkDefaultAttrs = mapAttrs (n: v: mkDefault v); + + # Basically a tinkered lib.generators.mkKeyValueDefault + # It either serializes a top-level definition "key: { values };" + # or an expression "key = { values };" + mkAttrsString = top: + mapAttrsToList (k: v: + let sep = if (top && isAttrs v) then ":" else "="; + in "${escape [ sep ] k}${sep}${mkValueString v};"); + + # This serializes a Nix expression to the libconfig format. + mkValueString = v: + if types.bool.check v then boolToString v + else if types.int.check v then toString v + else if types.float.check v then toString v + else if types.str.check v then "\"${escape [ "\"" ] v}\"" + else if builtins.isList v then "[ ${concatMapStringsSep " , " mkValueString v} ]" + else if types.attrs.check v then "{ ${concatStringsSep " " (mkAttrsString false v) } }" + else throw '' + invalid expression used in option services.picom.settings: + ${v} + ''; + + toConf = attrs: concatStringsSep "\n" (mkAttrsString true cfg.settings); configFile = pkgs.writeText "picom.conf" (toConf cfg.settings); @@ -61,7 +70,7 @@ in { }; fadeDelta = mkOption { - type = types.addCheck types.int (x: x > 0); + type = types.ints.positive; default = 10; example = 5; description = '' @@ -70,12 +79,11 @@ in { }; fadeSteps = mkOption { - type = pairOf (floatBetween "0.01" "1.01"); - default = [ "0.028" "0.03" ]; - example = [ "0.04" "0.04" ]; + type = pairOf (floatBetween 0.01 1); + default = [ 0.028 0.03 ]; + example = [ 0.04 0.04 ]; description = '' Opacity change between fade steps (in and out). - (numbers in range 0.01 - 1.0) ''; }; @@ -111,11 +119,11 @@ in { }; shadowOpacity = mkOption { - type = floatBetween "0.0" "1.01"; - default = "0.75"; - example = "0.8"; + type = floatBetween 0 1; + default = 0.75; + example = 0.8; description = '' - Window shadows opacity (number in range 0.0 - 1.0). + Window shadows opacity. ''; }; @@ -134,29 +142,29 @@ in { }; activeOpacity = mkOption { - type = floatBetween "0.0" "1.01"; - default = "1.0"; - example = "0.8"; + type = floatBetween 0 1; + default = 1.0; + example = 0.8; description = '' - Opacity of active windows (number in range 0.0 - 1.0). + Opacity of active windows. ''; }; inactiveOpacity = mkOption { - type = floatBetween "0.1" "1.01"; - default = "1.0"; - example = "0.8"; + type = floatBetween 0.1 1; + default = 1.0; + example = 0.8; description = '' - Opacity of inactive windows (number in range 0.1 - 1.0). + Opacity of inactive windows. ''; }; menuOpacity = mkOption { - type = floatBetween "0.0" "1.01"; - default = "1.0"; - example = "0.8"; + type = floatBetween 0 1; + default = 1.0; + example = 0.8; description = '' - Opacity of dropdown and popup menu (number in range 0.0 - 1.0). + Opacity of dropdown and popup menu. ''; }; @@ -210,7 +218,7 @@ in { }; refreshRate = mkOption { - type = types.addCheck types.int (x: x >= 0); + type = types.ints.unsigned; default = 0; example = 60; description = '' @@ -218,54 +226,69 @@ in { ''; }; - settings = let - configTypes = with types; oneOf [ bool int float str ]; - # types.loaOf converts lists to sets - loaOf = t: with types; either (listOf t) (attrsOf t); + settings = with types; + let + scalar = oneOf [ bool int float str ] + // { description = "scalar types"; }; + + libConfig = oneOf [ scalar (listOf libConfig) (attrsOf libConfig) ] + // { description = "libconfig type"; }; + + topLevel = attrsOf libConfig + // { description = '' + libconfig configuration. The format consists of an attributes + set (called a group) of settings. Each setting can be a scalar type + (boolean, integer, floating point number or string), a list of + scalars or a group itself + ''; + }; + in mkOption { - type = loaOf (types.either configTypes (loaOf (types.either configTypes (loaOf configTypes)))); - default = {}; + type = topLevel; + default = { }; + example = literalExample '' + blur = + { method = "gaussian"; + size = 10; + deviation = 5.0; + }; + ''; description = '' - Additional Picom configuration. + Picom settings. Use this option to configure Picom settings not exposed + in a NixOS option or to bypass one. For the available options see the + CONFIGURATION FILES section at <literal>picom(1)</literal>. ''; }; }; config = mkIf cfg.enable { - services.picom.settings = let - # Hard conversion to float, literally lib.toInt but toFloat - toFloat = str: let - may_be_float = builtins.fromJSON str; - in if builtins.isFloat may_be_float - then may_be_float - else throw "Could not convert ${str} to float."; - in { + services.picom.settings = mkDefaultAttrs { # fading - fading = mkDefault cfg.fade; - fade-delta = mkDefault cfg.fadeDelta; - fade-in-step = mkDefault (toFloat (elemAt cfg.fadeSteps 0)); - fade-out-step = mkDefault (toFloat (elemAt cfg.fadeSteps 1)); - fade-exclude = mkDefault cfg.fadeExclude; + fading = cfg.fade; + fade-delta = cfg.fadeDelta; + fade-in-step = elemAt cfg.fadeSteps 0; + fade-out-step = elemAt cfg.fadeSteps 1; + fade-exclude = cfg.fadeExclude; # shadows - shadow = mkDefault cfg.shadow; - shadow-offset-x = mkDefault (elemAt cfg.shadowOffsets 0); - shadow-offset-y = mkDefault (elemAt cfg.shadowOffsets 1); - shadow-opacity = mkDefault (toFloat cfg.shadowOpacity); - shadow-exclude = mkDefault cfg.shadowExclude; + shadow = cfg.shadow; + shadow-offset-x = elemAt cfg.shadowOffsets 0; + shadow-offset-y = elemAt cfg.shadowOffsets 1; + shadow-opacity = cfg.shadowOpacity; + shadow-exclude = cfg.shadowExclude; # opacity - active-opacity = mkDefault (toFloat cfg.activeOpacity); - inactive-opacity = mkDefault (toFloat cfg.inactiveOpacity); + active-opacity = cfg.activeOpacity; + inactive-opacity = cfg.inactiveOpacity; - wintypes = mkDefault cfg.wintypes; + wintypes = cfg.wintypes; - opacity-rule = mkDefault cfg.opacityRules; + opacity-rule = cfg.opacityRules; # other options - backend = mkDefault cfg.backend; - vsync = mkDefault cfg.vSync; - refresh-rate = mkDefault cfg.refreshRate; + backend = cfg.backend; + vsync = cfg.vSync; + refresh-rate = cfg.refreshRate; }; systemd.user.services.picom = { diff --git a/nixos/modules/services/x11/window-managers/berry.nix b/nixos/modules/services/x11/window-managers/berry.nix new file mode 100644 index 000000000000..0d2285e7a60e --- /dev/null +++ b/nixos/modules/services/x11/window-managers/berry.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.berry; +in +{ + ###### interface + options = { + services.xserver.windowManager.berry.enable = mkEnableOption "berry"; + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "berry"; + start = '' + ${pkgs.berry}/bin/berry & + waitPID=$! + ''; + }; + environment.systemPackages = [ pkgs.berry ]; + }; +} diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index 04a9fc46628c..87702c58727a 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -10,6 +10,7 @@ in imports = [ ./2bwm.nix ./afterstep.nix + ./berry.nix ./bspwm.nix ./cwm.nix ./dwm.nix @@ -21,6 +22,7 @@ in ./i3.nix ./jwm.nix ./leftwm.nix + ./lwm.nix ./metacity.nix ./mwm.nix ./openbox.nix @@ -28,12 +30,15 @@ in ./notion.nix ./ratpoison.nix ./sawfish.nix + ./smallwm.nix ./stumpwm.nix ./spectrwm.nix + ./tinywm.nix ./twm.nix ./windowmaker.nix ./wmii.nix ./xmonad.nix + ./yeahwm.nix ./qtile.nix ./none.nix ]; diff --git a/nixos/modules/services/x11/window-managers/lwm.nix b/nixos/modules/services/x11/window-managers/lwm.nix new file mode 100644 index 000000000000..e2aa062fd13b --- /dev/null +++ b/nixos/modules/services/x11/window-managers/lwm.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.lwm; +in +{ + ###### interface + options = { + services.xserver.windowManager.lwm.enable = mkEnableOption "lwm"; + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "lwm"; + start = '' + ${pkgs.lwm}/bin/lwm & + waitPID=$! + ''; + }; + environment.systemPackages = [ pkgs.lwm ]; + }; +} diff --git a/nixos/modules/services/x11/window-managers/smallwm.nix b/nixos/modules/services/x11/window-managers/smallwm.nix new file mode 100644 index 000000000000..091ba4f92b94 --- /dev/null +++ b/nixos/modules/services/x11/window-managers/smallwm.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.smallwm; +in +{ + ###### interface + options = { + services.xserver.windowManager.smallwm.enable = mkEnableOption "smallwm"; + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "smallwm"; + start = '' + ${pkgs.smallwm}/bin/smallwm & + waitPID=$! + ''; + }; + environment.systemPackages = [ pkgs.smallwm ]; + }; +} diff --git a/nixos/modules/services/x11/window-managers/tinywm.nix b/nixos/modules/services/x11/window-managers/tinywm.nix new file mode 100644 index 000000000000..8e5d9b9170ca --- /dev/null +++ b/nixos/modules/services/x11/window-managers/tinywm.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.tinywm; +in +{ + ###### interface + options = { + services.xserver.windowManager.tinywm.enable = mkEnableOption "tinywm"; + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "tinywm"; + start = '' + ${pkgs.tinywm}/bin/tinywm & + waitPID=$! + ''; + }; + environment.systemPackages = [ pkgs.tinywm ]; + }; +} diff --git a/nixos/modules/services/x11/window-managers/yeahwm.nix b/nixos/modules/services/x11/window-managers/yeahwm.nix new file mode 100644 index 000000000000..351bd7dfe48b --- /dev/null +++ b/nixos/modules/services/x11/window-managers/yeahwm.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.yeahwm; +in +{ + ###### interface + options = { + services.xserver.windowManager.yeahwm.enable = mkEnableOption "yeahwm"; + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "yeahwm"; + start = '' + ${pkgs.yeahwm}/bin/yeahwm & + waitPID=$! + ''; + }; + environment.systemPackages = [ pkgs.yeahwm ]; + }; +} diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix index 3e03131ca114..5ce08fce7c43 100644 --- a/nixos/modules/services/x11/xautolock.nix +++ b/nixos/modules/services/x11/xautolock.nix @@ -66,7 +66,7 @@ in killer = mkOption { default = null; # default according to `man xautolock` is none - example = "${pkgs.systemd}/bin/systemctl suspend"; + example = "/run/current-system/systemd/bin/systemctl suspend"; type = types.nullOr types.str; description = '' diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 74d702ea1c3d..6aec1c0753a2 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -651,8 +651,7 @@ in systemd.services.display-manager = { description = "X11 Server"; - after = [ "systemd-udev-settle.service" "acpid.service" "systemd-logind.service" ]; - wants = [ "systemd-udev-settle.service" ]; + after = [ "acpid.service" "systemd-logind.service" ]; restartIfChanged = false; diff --git a/nixos/modules/system/activation/no-clone.nix b/nixos/modules/system/activation/no-clone.nix index 7f4584435266..912420347dc0 100644 --- a/nixos/modules/system/activation/no-clone.nix +++ b/nixos/modules/system/activation/no-clone.nix @@ -4,6 +4,5 @@ with lib; { boot.loader.grub.device = mkOverride 0 "nodev"; - nesting.children = mkOverride 0 []; - nesting.clone = mkOverride 0 []; + specialisation = mkOverride 0 {}; } diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 14bd751ce324..f6739977fa4f 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -11,21 +11,16 @@ let # you can provide an easy way to boot the same configuration # as you use, but with another kernel # !!! fix this - cloner = inheritParent: list: - map (childConfig: + children = mapAttrs (childName: childConfig: (import ../../../lib/eval-config.nix { inherit baseModules; system = config.nixpkgs.initialSystem; modules = - (optionals inheritParent modules) + (optionals childConfig.inheritParentConfig modules) ++ [ ./no-clone.nix ] - ++ [ childConfig ]; + ++ [ childConfig.configuration ]; }).config.system.build.toplevel - ) list; - - children = - cloner false config.nesting.children - ++ cloner true config.nesting.clone; + ) config.specialisation; systemBuilder = let @@ -75,14 +70,11 @@ let echo -n "$configurationName" > $out/configuration-name echo -n "systemd ${toString config.systemd.package.interfaceVersion}" > $out/init-interface-version echo -n "$nixosLabel" > $out/nixos-version - echo -n "${pkgs.stdenv.hostPlatform.system}" > $out/system + echo -n "${config.boot.kernelPackages.stdenv.hostPlatform.system}" > $out/system - mkdir $out/fine-tune - childCount=0 - for i in $children; do - childCount=$(( childCount + 1 )) - ln -s $i $out/fine-tune/child-$childCount - done + mkdir $out/specialisation + ${concatStringsSep "\n" + (mapAttrsToList (name: path: "ln -s ${path} $out/specialisation/${name}") children)} mkdir $out/bin export localeArchive="${config.i18n.glibcLocales}/lib/locale/locale-archive" @@ -112,7 +104,6 @@ let shell = "${pkgs.bash}/bin/sh"; su = "${pkgs.shadow.su}/bin/su"; - inherit children; kernelParams = config.boot.kernelParams; installBootLoader = config.system.build.installBootLoader @@ -143,6 +134,11 @@ let in { + imports = [ + (mkRemovedOptionModule [ "nesting" "clone" ] "Use `specialisation.«name» = { inheritParentConfig = true; configuration = { ... }; }` instead.") + (mkRemovedOptionModule [ "nesting" "children" ] "Use `specialisation.«name».configuration = { ... }` instead.") + ]; + options = { system.build = mkOption { @@ -154,26 +150,35 @@ in ''; }; - nesting.children = mkOption { - default = []; - description = '' - Additional configurations to build. - ''; - }; - - nesting.clone = mkOption { - default = []; + specialisation = mkOption { + default = {}; + example = lib.literalExample "{ fewJobsManyCores.configuration = { nix.buildCores = 0; nix.maxJobs = 1; }; }"; description = '' - Additional configurations to build based on the current - configuration which then has a lower priority. + Additional configurations to build. If + <literal>inheritParentConfig</literal> is true, the system + will be based on the overall system configuration. - To switch to a cloned configuration (e.g. <literal>child-1</literal>) - at runtime, run + To switch to a specialised configuration + (e.g. <literal>fewJobsManyCores</literal>) at runtime, run: <programlisting> - # sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test + # sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test </programlisting> ''; + type = types.attrsOf (types.submodule ( + { ... }: { + options.inheritParentConfig = mkOption { + type = types.bool; + default = true; + description = "Include the entire system's configuration. Set to false to make a completely differently configured system."; + }; + + options.configuration = mkOption { + default = {}; + description = "Arbitrary NixOS configuration options."; + }; + }) + ); }; system.boot.loader.id = mkOption { diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index a677ab4cb71a..9eeae0c3ef44 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -268,9 +268,10 @@ in { mkdir -p -m 0755 /run/binfmt ${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet config.boot.binfmt.registrations)} ''; - systemd.additionalUpstreamSystemUnits = lib.mkIf (config.boot.binfmt.registrations != {}) - [ "proc-sys-fs-binfmt_misc.automount" - "proc-sys-fs-binfmt_misc.mount" - ]; + systemd.additionalUpstreamSystemUnits = lib.mkIf (config.boot.binfmt.registrations != {}) [ + "proc-sys-fs-binfmt_misc.automount" + "proc-sys-fs-binfmt_misc.mount" + "systemd-binfmt.service" + ]; }; } diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 2d3e3b05c980..f7ef26103709 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -10,19 +10,21 @@ in { - options = { - - boot.initrd.network.ssh.enable = mkOption { + options.boot.initrd.network.ssh = { + enable = mkOption { type = types.bool; default = false; description = '' Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter pasphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished. + + The sshd configuration is largely inherited from + <option>services.openssh</option>. ''; }; - boot.initrd.network.ssh.port = mkOption { + port = mkOption { type = types.int; default = 22; description = '' @@ -30,7 +32,7 @@ in ''; }; - boot.initrd.network.ssh.shell = mkOption { + shell = mkOption { type = types.str; default = "/bin/ash"; description = '' @@ -38,95 +40,171 @@ in ''; }; - boot.initrd.network.ssh.hostRSAKey = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - RSA SSH private key file in the Dropbear format. - - WARNING: Unless your bootloader supports initrd secrets, this key is - contained insecurely in the global Nix store. Do NOT use your regular - SSH host private keys for this purpose or you'll expose them to - regular users! - ''; - }; - - boot.initrd.network.ssh.hostDSSKey = mkOption { - type = types.nullOr types.path; - default = null; + hostKeys = mkOption { + type = types.listOf (types.either types.str types.path); + default = []; + example = [ + "/etc/secrets/initrd/ssh_host_rsa_key" + "/etc/secrets/initrd/ssh_host_ed25519_key" + ]; description = '' - DSS SSH private key file in the Dropbear format. - - WARNING: Unless your bootloader supports initrd secrets, this key is - contained insecurely in the global Nix store. Do NOT use your regular - SSH host private keys for this purpose or you'll expose them to - regular users! + Specify SSH host keys to import into the initrd. + + To generate keys, use + <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>: + + <screen> + <prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key + <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key + </screen> + + <warning> + <para> + Unless your bootloader supports initrd secrets, these keys + are stored insecurely in the global Nix store. Do NOT use + your regular SSH host private keys for this purpose or + you'll expose them to regular users! + </para> + <para> + Additionally, even if your initrd supports secrets, if + you're using initrd SSH to unlock an encrypted disk then + using your regular host keys exposes the private keys on + your unencrypted boot partition. + </para> + </warning> ''; }; - boot.initrd.network.ssh.hostECDSAKey = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - ECDSA SSH private key file in the Dropbear format. - - WARNING: Unless your bootloader supports initrd secrets, this key is - contained insecurely in the global Nix store. Do NOT use your regular - SSH host private keys for this purpose or you'll expose them to - regular users! - ''; - }; - - boot.initrd.network.ssh.authorizedKeys = mkOption { + authorizedKeys = mkOption { type = types.listOf types.str; default = config.users.users.root.openssh.authorizedKeys.keys; + defaultText = "config.users.users.root.openssh.authorizedKeys.keys"; description = '' Authorized keys for the root user on initrd. - Note that Dropbear doesn't support OpenSSH's Ed25519 key type. ''; }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Verbatim contents of <filename>sshd_config</filename>."; + }; }; - config = mkIf (config.boot.initrd.network.enable && cfg.enable) { + imports = + map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) '' + The initrd SSH functionality now uses OpenSSH rather than Dropbear. + + If you want to keep your existing initrd SSH host keys, convert them with + $ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key + and then set options.boot.initrd.network.ssh.hostKeys. + '') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ]; + + config = let + # Nix complains if you include a store hash in initrd path names, so + # as an awful hack we drop the first character of the hash. + initrdKeyPath = path: if isString path + then path + else let name = builtins.baseNameOf path; in + builtins.unsafeDiscardStringContext ("/etc/ssh/" + + substring 1 (stringLength name) name); + + sshdCfg = config.services.openssh; + + sshdConfig = '' + Port ${toString cfg.port} + + PasswordAuthentication no + ChallengeResponseAuthentication no + + ${flip concatMapStrings cfg.hostKeys (path: '' + HostKey ${initrdKeyPath path} + '')} + + KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms} + Ciphers ${concatStringsSep "," sshdCfg.ciphers} + MACs ${concatStringsSep "," sshdCfg.macs} + + LogLevel ${sshdCfg.logLevel} + + ${if sshdCfg.useDns then '' + UseDNS yes + '' else '' + UseDNS no + ''} + + ${cfg.extraConfig} + ''; + in mkIf (config.boot.initrd.network.enable && cfg.enable) { assertions = [ - { assertion = cfg.authorizedKeys != []; + { + assertion = cfg.authorizedKeys != []; message = "You should specify at least one authorized key for initrd SSH"; } + + { + assertion = cfg.hostKeys != []; + message = '' + You must now pre-generate the host keys for initrd SSH. + See the boot.initrd.network.ssh.hostKeys documentation + for instructions. + ''; + } ]; boot.initrd.extraUtilsCommands = '' - copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear + copy_bin_and_libs ${pkgs.openssh}/bin/sshd cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib ''; boot.initrd.extraUtilsCommandsTest = '' - $out/bin/dropbear -V + # sshd requires a host key to check config, so we pass in the test's + echo -n ${escapeShellArg sshdConfig} | + $out/bin/sshd -t -f /dev/stdin \ + -h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key} ''; boot.initrd.network.postCommands = '' echo '${cfg.shell}' > /etc/shells echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd + echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd echo 'passwd: files' > /etc/nsswitch.conf - mkdir -p /var/log + mkdir -p /var/log /var/empty touch /var/log/lastlog - mkdir -p /etc/dropbear + mkdir -p /etc/ssh + echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config + + echo "export PATH=$PATH" >> /etc/profile + echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile mkdir -p /root/.ssh ${concatStrings (map (key: '' echo ${escapeShellArg key} >> /root/.ssh/authorized_keys '') cfg.authorizedKeys)} - dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"} + ${flip concatMapStrings cfg.hostKeys (path: '' + # keys from Nix store are world-readable, which sshd doesn't like + chmod 0600 "${initrdKeyPath path}" + '')} + + /bin/sshd -e ''; - boot.initrd.secrets = - (optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) // - (optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) // - (optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; }); + boot.initrd.postMountCommands = '' + # Stop sshd cleanly before stage 2. + # + # If you want to keep it around to debug post-mount SSH issues, + # run `touch /.keep_sshd` (either from an SSH session or in + # another initrd hook like preDeviceCommands). + if ! [ -e /.keep_sshd ]; then + pkill -x sshd + fi + ''; + boot.initrd.secrets = listToAttrs + (map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys); }; } diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index b97ef88a7ca0..c775632a4aa0 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -588,7 +588,7 @@ in { boot.loader.grub.splashImage = mkDefault ( if cfg.version == 1 then pkgs.fetchurl { - url = http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz; + url = "http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz"; sha256 = "14kqdx2lfqvh40h6fjjzqgff1mwk74dmbjvmqphi6azzra7z8d59"; } # GRUB 1.97 doesn't support gzipped XPMs. diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index ca0fb0248e0e..8df18cbd9013 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl @@ -409,7 +409,7 @@ $conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS; # Find all the children of the current default configuration # Do not search for grand children -my @links = sort (glob "$defaultConfig/fine-tune/*"); +my @links = sort (glob "$defaultConfig/specialisation/*"); foreach my $link (@links) { my $entryName = ""; @@ -425,7 +425,8 @@ foreach my $link (@links) { if ($cfgName) { $entryName = $cfgName; } else { - $entryName = "($date - $version)"; + my $linkname = basename($link); + $entryName = "($linkname - $date - $version)"; } addEntry("NixOS - $entryName", $link); } diff --git a/nixos/modules/system/boot/loader/init-script/init-script-builder.sh b/nixos/modules/system/boot/loader/init-script/init-script-builder.sh index 08d4ab14c9ca..6f48d2539ace 100644 --- a/nixos/modules/system/boot/loader/init-script/init-script-builder.sh +++ b/nixos/modules/system/boot/loader/init-script/init-script-builder.sh @@ -69,7 +69,7 @@ addEntry "NixOS - Default" $defaultConfig "" # Add all generations of the system profile to the menu, in reverse # (most recent to least recent) order. -for link in $((ls -d $defaultConfig/fine-tune/* ) | sort -n); do +for link in $((ls -d $defaultConfig/specialisation/* ) | sort -n); do date=$(stat --printf="%y\n" $link | sed 's/\..*//') addEntry "NixOS - variation" $link "" done diff --git a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix index 7eb52e3d021f..e75aa9d13875 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix @@ -3,8 +3,8 @@ pkgs.substituteAll { src = ./raspberrypi-builder.sh; isExecutable = true; - inherit (pkgs) bash; - path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep]; + inherit (pkgs.buildPackages) bash; + path = with pkgs.buildPackages; [coreutils gnused gnugrep]; firmware = pkgs.raspberrypifw; inherit configTxt; } diff --git a/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix b/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix index 1dc397e521b4..a4352ab9a240 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix @@ -20,7 +20,7 @@ let extlinuxConfBuilder = import ../generic-extlinux-compatible/extlinux-conf-builder.nix { - inherit pkgs; + pkgs = pkgs.buildPackages; }; in pkgs.substituteAll { diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 3078f84f6e92..9b34b12e73a5 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -205,7 +205,7 @@ let "IPv6HopLimit" "IPv4ProxyARP" "IPv6ProxyNDP" "IPv6ProxyNDPAddress" "IPv6PrefixDelegation" "IPv6MTUBytes" "Bridge" "Bond" "VRF" "VLAN" "IPVLAN" "MACVLAN" "VXLAN" "Tunnel" "ActiveSlave" "PrimarySlave" - "ConfigureWithoutCarrier" "Xfrm" + "ConfigureWithoutCarrier" "Xfrm" "KeepConfiguration" ]) # Note: For DHCP the values both, none, v4, v6 are deprecated (assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6" "both" "none" "v4" "v6"]) @@ -228,6 +228,7 @@ let (assertValueOneOf "ActiveSlave" boolValues) (assertValueOneOf "PrimarySlave" boolValues) (assertValueOneOf "ConfigureWithoutCarrier" boolValues) + (assertValueOneOf "KeepConfiguration" (boolValues ++ ["static" "dhcp-on-stop" "dhcp"])) ]; checkAddress = checkUnitConfig "Address" [ @@ -274,15 +275,16 @@ let ]) ]; - checkDhcp = checkUnitConfig "DHCP" [ + checkDhcpV4 = checkUnitConfig "DHCPv4" [ (assertOnlyFields [ - "UseDNS" "UseNTP" "UseMTU" "Anonymize" "SendHostname" "UseHostname" - "Hostname" "UseDomains" "UseRoutes" "UseTimezone" "CriticalConnection" - "ClientIdentifier" "VendorClassIdentifier" "UserClass" "DUIDType" - "DUIDRawData" "IAID" "RequestBroadcast" "RouteMetric" "RouteTable" - "ListenPort" "RapidCommit" + "UseDNS" "RoutesToDNS" "UseNTP" "UseMTU" "Anonymize" "SendHostname" "UseHostname" + "Hostname" "UseDomains" "UseRoutes" "UseTimezone" + "ClientIdentifier" "VendorClassIdentifier" "UserClass" "MaxAttempts" + "DUIDType" "DUIDRawData" "IAID" "RequestBroadcast" "RouteMetric" "RouteTable" + "ListenPort" "SendRelease" ]) (assertValueOneOf "UseDNS" boolValues) + (assertValueOneOf "RoutesToDNS" boolValues) (assertValueOneOf "UseNTP" boolValues) (assertValueOneOf "UseMTU" boolValues) (assertValueOneOf "Anonymize" boolValues) @@ -291,13 +293,50 @@ let (assertValueOneOf "UseDomains" ["yes" "no" "route"]) (assertValueOneOf "UseRoutes" boolValues) (assertValueOneOf "UseTimezone" boolValues) - (assertValueOneOf "CriticalConnection" boolValues) + (assertMinimum "MaxAttempts" 0) (assertValueOneOf "RequestBroadcast" boolValues) (assertInt "RouteTable") (assertMinimum "RouteTable" 0) + (assertValueOneOf "SendRelease" boolValues) + ]; + + checkDhcpV6 = checkUnitConfig "DHCPv6" [ + (assertOnlyFields [ + "UseDns" "UseNTP" "RapidCommit" "ForceDHCPv6PDOtherInformation" + "PrefixDelegationHint" + ]) + (assertValueOneOf "UseDNS" boolValues) + (assertValueOneOf "UseNTP" boolValues) (assertValueOneOf "RapidCommit" boolValues) + (assertValueOneOf "ForceDHCPv6PDOtherInformation" boolValues) + ]; + + checkIpv6PrefixDelegation = checkUnitConfig "IPv6PrefixDelegation" [ + (assertOnlyFields [ + "Managed" "OtherInformation" "RouterLifetimeSec" + "RouterPreference" "EmitDNS" "DNS" "EmitDomains" "Domains" + "DNSLifetimeSec" + ]) + (assertValueOneOf "Managed" boolValues) + (assertValueOneOf "OtherInformation" boolValues) + (assertValueOneOf "RouterPreference" ["high" "medium" "low" "normal" "default"]) + (assertValueOneOf "EmitDNS" boolValues) + (assertValueOneOf "EmitDomains" boolValues) + (assertMinimum "DNSLifetimeSec" 0) + ]; + + checkIpv6Prefix = checkUnitConfig "IPv6Prefix" [ + (assertOnlyFields [ + "AddressAutoconfiguration" "OnLink" "Prefix" + "PreferredLifetimeSec" "ValidLifetimeSec" + ]) + (assertValueOneOf "AddressAutoconfiguration" boolValues) + (assertValueOneOf "OnLink" boolValues) + (assertMinimum "PreferredLifetimeSec" 0) + (assertMinimum "ValidLifetimeSec" 0) ]; + checkDhcpServer = checkUnitConfig "DHCPServer" [ (assertOnlyFields [ "PoolOffset" "PoolSize" "DefaultLeaseTimeSec" "MaxLeaseTimeSec" @@ -621,6 +660,22 @@ let }; }; + ipv6PrefixOptions = { + options = { + ipv6PrefixConfig = mkOption { + default = {}; + example = { Prefix = "fd00::/64"; }; + type = types.addCheck (types.attrsOf unitOption) checkIpv6Prefix; + description = '' + Each attribute in this set specifies an option in the + <literal>[IPv6Prefix]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + }; + }; + networkOptions = commonNetworkOptions // { @@ -636,13 +691,55 @@ let ''; }; + # systemd.network.networks.*.dhcpConfig has been deprecated in favor of ….dhcpV4Config + # Produce a nice warning message so users know it is gone. dhcpConfig = mkOption { + visible = false; + apply = _: throw "The option `systemd.network.networks.*.dhcpConfig` can no longer be used since it's been removed. Please use `systemd.network.networks.*.dhcpV4Config` instead."; + }; + + dhcpV4Config = mkOption { + default = {}; + example = { UseDNS = true; UseRoutes = true; }; + type = types.addCheck (types.attrsOf unitOption) checkDhcpV4; + description = '' + Each attribute in this set specifies an option in the + <literal>[DHCPv4]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + + dhcpV6Config = mkOption { default = {}; example = { UseDNS = true; UseRoutes = true; }; - type = types.addCheck (types.attrsOf unitOption) checkDhcp; + type = types.addCheck (types.attrsOf unitOption) checkDhcpV6; + description = '' + Each attribute in this set specifies an option in the + <literal>[DHCPv6]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + + ipv6PrefixDelegationConfig = mkOption { + default = {}; + example = { EmitDNS = true; Managed = true; OtherInformation = true; }; + type = types.addCheck (types.attrsOf unitOption) checkIpv6PrefixDelegation; description = '' Each attribute in this set specifies an option in the - <literal>[DHCP]</literal> section of the unit. See + <literal>[IPv6PrefixDelegation]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + + ipv6Prefixes = mkOption { + default = []; + example = { AddressAutoconfiguration = true; OnLink = true; }; + type = with types; listOf (submodule ipv6PrefixOptions); + description = '' + A list of ipv6Prefix sections to be added to the unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details. ''; @@ -973,11 +1070,26 @@ let ${concatStringsSep "\n" (map (s: "Tunnel=${s}") def.tunnel)} ${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)} - ${optionalString (def.dhcpConfig != { }) '' - [DHCP] - ${attrsToSection def.dhcpConfig} + ${optionalString (def.dhcpV4Config != { }) '' + [DHCPv4] + ${attrsToSection def.dhcpV4Config} ''} + ${optionalString (def.dhcpV6Config != {}) '' + [DHCPv6] + ${attrsToSection def.dhcpV6Config} + + ''} + ${optionalString (def.ipv6PrefixDelegationConfig != {}) '' + [IPv6PrefixDelegation] + ${attrsToSection def.ipv6PrefixDelegationConfig} + + ''} + ${flip concatMapStrings def.ipv6Prefixes (x: '' + [IPv6Prefix] + ${attrsToSection x.ipv6PrefixConfig} + + '')} ${optionalString (def.dhcpServerConfig != { }) '' [DHCPServer] ${attrsToSection def.dhcpServerConfig} @@ -1054,6 +1166,7 @@ in }; config = mkMerge [ + # .link units are honored by udev, no matter if systemd-networkd is enabled or not. { systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.link" (linkToUnit n v)) cfg.links; @@ -1073,7 +1186,7 @@ in systemd.services.systemd-networkd = { wantedBy = [ "multi-user.target" ]; - restartTriggers = attrNames unitFiles; + restartTriggers = map (x: x.source) (attrValues unitFiles); # prevent race condition with interface renaming (#39069) requires = [ "systemd-udev-settle.service" ]; after = [ "systemd-udev-settle.service" ]; diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index da61c64faf8b..b7aaef575ac1 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -138,6 +138,10 @@ in users.users.resolved.group = "systemd-resolve"; + # add resolve to nss hosts database if enabled and nscd enabled + # system.nssModules is configured in nixos/modules/system/boot/systemd.nix + system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]"; + systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" ]; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 93cd801ef803..dfd158e2d75f 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -137,12 +137,17 @@ let ''} # Copy secrets if needed. + # + # TODO: move out to a separate script; see #85000. ${optionalString (!config.boot.loader.supportsInitrdSecrets) (concatStringsSep "\n" (mapAttrsToList (dest: source: let source' = if source == null then dest else source; in '' mkdir -p $(dirname "$out/secrets/${dest}") - cp -a ${source'} "$out/secrets/${dest}" + # Some programs (e.g. ssh) doesn't like secrets to be + # symlinks, so we use `cp -L` here to match the + # behaviour when secrets are natively supported. + cp -Lr ${source'} "$out/secrets/${dest}" '' ) config.boot.initrd.secrets)) } @@ -576,6 +581,25 @@ in message = "boot.resumeDevice has to be an absolute path." + " Old \"x:y\" style is no longer supported."; } + # TODO: remove when #85000 is fixed + { assertion = !config.boot.loader.supportsInitrdSecrets -> + all (source: + builtins.isPath source || + (builtins.isString source && hasPrefix source builtins.storeDir)) + (attrValues config.boot.initrd.secrets); + message = '' + boot.loader.initrd.secrets values must be unquoted paths when + using a bootloader that doesn't natively support initrd + secrets, e.g.: + + boot.initrd.secrets = { + "/etc/secret" = /path/to/secret; + }; + + Note that this will result in all secrets being stored + world-readable in the Nix store! + ''; + } ]; system.build = diff --git a/nixos/modules/system/boot/systemd-lib.nix b/nixos/modules/system/boot/systemd-lib.nix index a33602915867..fa109394fedb 100644 --- a/nixos/modules/system/boot/systemd-lib.nix +++ b/nixos/modules/system/boot/systemd-lib.nix @@ -114,7 +114,9 @@ in rec { (if isList value then value else [value])) as)); - generateUnits = type: units: upstreamUnits: upstreamWants: + generateUnits = generateUnits' true; + + generateUnits' = allowCollisions: type: units: upstreamUnits: upstreamWants: pkgs.runCommand "${type}-units" { preferLocalBuild = true; allowSubstitutes = false; @@ -182,8 +184,13 @@ in rec { if [ "$(readlink -f $i/$fn)" = /dev/null ]; then ln -sfn /dev/null $out/$fn else - mkdir -p $out/$fn.d - ln -s $i/$fn $out/$fn.d/overrides.conf + ${if allowCollisions then '' + mkdir -p $out/$fn.d + ln -s $i/$fn $out/$fn.d/overrides.conf + '' else '' + echo "Found multiple derivations configuring $fn!" + exit 1 + ''} fi else ln -fs $i/$fn $out/ diff --git a/nixos/modules/system/boot/systemd-nspawn.nix b/nixos/modules/system/boot/systemd-nspawn.nix index 1e2435e36f0c..06ea5ee49f72 100644 --- a/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixos/modules/system/boot/systemd-nspawn.nix @@ -116,7 +116,7 @@ in { in mkMerge [ (mkIf (cfg != {}) { - environment.etc."systemd/nspawn".source = mkIf (cfg != {}) (generateUnits "nspawn" units [] []); + environment.etc."systemd/nspawn".source = mkIf (cfg != {}) (generateUnits' false "nspawn" units [] []); }) { systemd.targets.multi-user.wants = [ "machines.target" ]; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index cdc9d2379392..99892a28115c 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -164,7 +164,6 @@ let "systemd-timedated.service" "systemd-localed.service" "systemd-hostnamed.service" - "systemd-binfmt.service" "systemd-exit.service" "systemd-update-done.service" ] ++ optionals config.services.journald.enableHttpGateway [ @@ -201,8 +200,23 @@ let ]; makeJobScript = name: text: - let mkScriptName = s: "unit-script-" + (replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape s) ); - in pkgs.writeTextFile { name = mkScriptName name; executable = true; inherit text; }; + let + scriptName = replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape name); + out = pkgs.writeTextFile { + # The derivation name is different from the script file name + # to keep the script file name short to avoid cluttering logs. + name = "unit-script-${scriptName}"; + executable = true; + destination = "/bin/${scriptName}"; + text = '' + #!${pkgs.runtimeShell} -e + ${text} + ''; + checkPhase = '' + ${pkgs.stdenv.shell} -n "$out/bin/${scriptName}" + ''; + }; + in "${out}/bin/${scriptName}"; unitConfig = { config, options, ... }: { config = { @@ -250,40 +264,28 @@ let environment.PATH = config.path; } (mkIf (config.preStart != "") - { serviceConfig.ExecStartPre = makeJobScript "${name}-pre-start" '' - #! ${pkgs.runtimeShell} -e - ${config.preStart} - ''; + { serviceConfig.ExecStartPre = + makeJobScript "${name}-pre-start" config.preStart; }) (mkIf (config.script != "") - { serviceConfig.ExecStart = makeJobScript "${name}-start" '' - #! ${pkgs.runtimeShell} -e - ${config.script} - '' + " " + config.scriptArgs; + { serviceConfig.ExecStart = + makeJobScript "${name}-start" config.script + " " + config.scriptArgs; }) (mkIf (config.postStart != "") - { serviceConfig.ExecStartPost = makeJobScript "${name}-post-start" '' - #! ${pkgs.runtimeShell} -e - ${config.postStart} - ''; + { serviceConfig.ExecStartPost = + makeJobScript "${name}-post-start" config.postStart; }) (mkIf (config.reload != "") - { serviceConfig.ExecReload = makeJobScript "${name}-reload" '' - #! ${pkgs.runtimeShell} -e - ${config.reload} - ''; + { serviceConfig.ExecReload = + makeJobScript "${name}-reload" config.reload; }) (mkIf (config.preStop != "") - { serviceConfig.ExecStop = makeJobScript "${name}-pre-stop" '' - #! ${pkgs.runtimeShell} -e - ${config.preStop} - ''; + { serviceConfig.ExecStop = + makeJobScript "${name}-pre-stop" config.preStop; }) (mkIf (config.postStop != "") - { serviceConfig.ExecStopPost = makeJobScript "${name}-post-stop" '' - #! ${pkgs.runtimeShell} -e - ${config.postStop} - ''; + { serviceConfig.ExecStopPost = + makeJobScript "${name}-post-stop" config.postStop; }) ]; }; @@ -405,6 +407,8 @@ let "hibernate" "hybrid-sleep" "suspend-then-hibernate" "lock" ]; + proxy_env = config.networking.proxy.envVars; + in { @@ -593,17 +597,33 @@ in each other's limit. The value may be specified in the following units: s, min, h, ms, us. To turn off any kind of rate limiting, set either value to 0. + + See <option>services.journald.rateLimitBurst</option> for important + considerations when setting this value. ''; }; services.journald.rateLimitBurst = mkOption { - default = 1000; + default = 10000; type = types.int; description = '' Configures the rate limiting burst limit (number of messages per interval) that is applied to all messages generated on the system. This rate limiting is applied per-service, so that two services which log do not interfere with each other's limit. + + Note that the effective rate limit is multiplied by a factor derived + from the available free disk space for the journal as described on + <link xlink:href="https://www.freedesktop.org/software/systemd/man/journald.conf.html"> + journald.conf(5)</link>. + + Note that the total amount of logs stored is limited by journald settings + such as <literal>SystemMaxUse</literal>, which defaults to a 4 GB cap. + + It is thus recommended to compute what period of time that you will be + able to store logs for when an application logs at full burst rate. + With default settings for log lines that are 100 Bytes long, this can + amount to just a few hours. ''; }; @@ -811,6 +831,23 @@ in system.build.units = cfg.units; + system.nssModules = [ systemd.out ]; + system.nssDatabases = { + hosts = (mkMerge [ + [ "mymachines" ] + (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last + ) + ]); + passwd = (mkMerge [ + [ "mymachines" ] + (mkAfter [ "systemd" ]) + ]); + group = (mkMerge [ + [ "mymachines" ] + (mkAfter [ "systemd" ]) + ]); + }; + environment.systemPackages = [ systemd ]; environment.etc = let @@ -842,7 +879,6 @@ in [Manager] ${optionalString config.systemd.enableCgroupAccounting '' DefaultCPUAccounting=yes - DefaultBlockIOAccounting=yes DefaultIOAccounting=yes DefaultBlockIOAccounting=yes DefaultIPAccounting=yes @@ -895,6 +931,13 @@ in "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf"; "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf"; + "tmpfiles.d/00-nixos.conf".text = '' + # This file is created automatically and should not be modified. + # Please change the option ‘systemd.tmpfiles.rules’ instead. + + ${concatStringsSep "\n" cfg.tmpfiles.rules} + ''; + "tmpfiles.d/home.conf".source = "${systemd}/example/tmpfiles.d/home.conf"; "tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf"; "tmpfiles.d/portables.conf".source = "${systemd}/example/tmpfiles.d/portables.conf"; @@ -907,13 +950,6 @@ in "tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; - "tmpfiles.d/nixos.conf".text = '' - # This file is created automatically and should not be modified. - # Please change the option ‘systemd.tmpfiles.rules’ instead. - - ${concatStringsSep "\n" cfg.tmpfiles.rules} - ''; - "systemd/system-generators" = { source = hooks "generators" cfg.generators; }; "systemd/system-shutdown" = { source = hooks "shutdown" cfg.shutdown; }; }); @@ -1019,7 +1055,7 @@ in systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true; systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true; systemd.targets.network-online.wantedBy = [ "multi-user.target" ]; - systemd.services.systemd-binfmt.wants = [ "proc-sys-fs-binfmt_misc.mount" ]; + systemd.services.systemd-importd.environment = proxy_env; # Don't bother with certain units in containers. systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container"; diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix index bfc1e301efaf..e70004e643e1 100644 --- a/nixos/modules/tasks/auto-upgrade.nix +++ b/nixos/modules/tasks/auto-upgrade.nix @@ -24,7 +24,7 @@ let cfg = config.system.autoUpgrade; in channel = mkOption { type = types.nullOr types.str; default = null; - example = https://nixos.org/channels/nixos-14.12-small; + example = "https://nixos.org/channels/nixos-14.12-small"; description = '' The URI of the NixOS channel to use for automatic upgrades. By default, this is the channel set using diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 09c7e074e121..71eed4d6f1a4 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -433,6 +433,16 @@ in services.zfs.zed.settings = { ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail"; + PATH = lib.makeBinPath [ + packages.zfsUser + pkgs.coreutils + pkgs.curl + pkgs.gawk + pkgs.gnugrep + pkgs.gnused + pkgs.nettools + pkgs.utillinux + ]; }; environment.etc = genAttrs @@ -478,6 +488,7 @@ in createImportService = pool: nameValuePair "zfs-import-${pool}" { description = "Import ZFS pool \"${pool}\""; + # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged requires = [ "systemd-udev-settle.service" ]; after = [ "systemd-udev-settle.service" "systemd-modules-load.service" ]; wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ]; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 4d25137c5dfc..d895c58bab03 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -54,7 +54,16 @@ let }; normalConfig = { - + systemd.network.links = let + createNetworkLink = i: nameValuePair "40-${i.name}" { + matchConfig.OriginalName = i.name; + linkConfig = optionalAttrs (i.macAddress != null) { + MACAddress = i.macAddress; + } // optionalAttrs (i.mtu != null) { + MTUBytes = toString i.mtu; + }; + }; + in listToAttrs (map createNetworkLink interfaces); systemd.services = let @@ -164,7 +173,6 @@ let { description = "Address configuration of ${i.name}"; wantedBy = [ "network-setup.service" - "network-link-${i.name}.service" "network.target" ]; # order before network-setup because the routes that are configured @@ -183,6 +191,8 @@ let state="/run/nixos/network/addresses/${i.name}" mkdir -p $(dirname "$state") + ip link set "${i.name}" up + ${flip concatMapStrings ips (ip: let cidr = "${ip.address}/${toString ip.prefixLength}"; @@ -266,7 +276,7 @@ let bindsTo = deps ++ optional v.rstp "mstpd.service"; partOf = [ "network-setup.service" ] ++ optional v.rstp "mstpd.service"; after = [ "network-pre.target" ] ++ deps ++ optional v.rstp "mstpd.service" - ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces; + ++ map (i: "network-addresses-${i}.service") v.interfaces; before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; @@ -291,13 +301,19 @@ let ${optionalString config.virtualisation.libvirtd.enable '' # Enslave dynamically added interfaces which may be lost on nixos-rebuild - for uri in qemu:///system lxc:///; do - for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do - ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \ - ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \ - ${pkgs.bash}/bin/bash + # + # if `libvirtd.service` is not running, do not use `virsh` which would try activate it via 'libvirtd.socket' and thus start it out-of-order. + # `libvirtd.service` will set up bridge interfaces when it will start normally. + # + if /run/current-system/systemd/bin/systemctl --quiet is-active 'libvirtd.service'; then + for uri in qemu:///system lxc:///; do + for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do + ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \ + ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \ + ${pkgs.bash}/bin/bash + done done - done + fi ''} # Enable stp on the interface @@ -337,7 +353,7 @@ let createVswitchDevice = n: v: nameValuePair "${n}-netdev" (let deps = concatLists (map deviceDependency (attrNames (filterAttrs (_: config: config.type != "internal") v.interfaces))); - internalConfigs = concatMap (i: ["network-link-${i}.service" "network-addresses-${i}.service"]) (attrNames (filterAttrs (_: config: config.type == "internal") v.interfaces)); + internalConfigs = map (i: "network-addresses-${i}.service") (attrNames (filterAttrs (_: config: config.type == "internal") v.interfaces)); ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules; in { description = "Open vSwitch Interface ${n}"; @@ -389,7 +405,7 @@ let bindsTo = deps; partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps - ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces; + ++ map (i: "network-addresses-${i}.service") v.interfaces; before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 41deceb000e6..23e1e611a71e 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -94,7 +94,12 @@ in address = forEach (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); networkConfig.IPv6PrivacyExtensions = "kernel"; - } ]; + linkConfig = optionalAttrs (i.macAddress != null) { + MACAddress = i.macAddress; + } // optionalAttrs (i.mtu != null) { + MTUBytes = toString i.mtu; + }; + }]; }))) (mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: { netdevs."40-${name}" = { diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 9542a60beeed..a28111049447 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -283,7 +283,7 @@ let default = false; type = types.bool; description = '' - Turn on proxy_arp for this device (and proxy_ndp for ipv6). + Turn on proxy_arp for this device. This is mainly useful for creating pseudo-bridges between a real interface and a virtual network such as VPN or a virtual machine for interfaces that don't support real bridging (most wlan interfaces). @@ -376,10 +376,20 @@ in networking.hostName = mkOption { default = "nixos"; - type = types.str; + # Only allow hostnames without the domain name part (i.e. no FQDNs, see + # e.g. "man 5 hostname") and require valid DNS labels (recommended + # syntax). Note: We also allow underscores for compatibility/legacy + # reasons (as undocumented feature): + type = types.strMatching + "^[[:alpha:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$"; description = '' - The name of the machine. Leave it empty if you want to obtain - it from a DHCP server (if using DHCP). + The name of the machine. Leave it empty if you want to obtain it from a + DHCP server (if using DHCP). The hostname must be a valid DNS label (see + RFC 1035 section 2.3.1: "Preferred name syntax") and as such must not + contain the domain part. This means that the hostname must start with a + letter, end with a letter or digit, and have as interior characters only + letters, digits, and hyphen. The maximum length is 63 characters. + Additionally it is recommended to only use lower-case characters. ''; }; @@ -634,19 +644,23 @@ in networking.bonds = let - driverOptionsExample = { - miimon = "100"; - mode = "active-backup"; - }; + driverOptionsExample = '' + { + miimon = "100"; + mode = "active-backup"; + } + ''; in mkOption { default = { }; - example = literalExample { - bond0 = { - interfaces = [ "eth0" "wlan0" ]; - driverOptions = driverOptionsExample; - }; - anotherBond.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ]; - }; + example = literalExample '' + { + bond0 = { + interfaces = [ "eth0" "wlan0" ]; + driverOptions = ${driverOptionsExample}; + }; + anotherBond.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ]; + } + ''; description = '' This option allows you to define bond devices that aggregate multiple, underlying networking interfaces together. The value of this option is @@ -731,12 +745,14 @@ in networking.macvlans = mkOption { default = { }; - example = literalExample { - wan = { - interface = "enp2s0"; - mode = "vepa"; - }; - }; + example = literalExample '' + { + wan = { + interface = "enp2s0"; + mode = "vepa"; + }; + } + ''; description = '' This option allows you to define macvlan interfaces which should be automatically created. @@ -764,18 +780,20 @@ in networking.sits = mkOption { default = { }; - example = literalExample { - hurricane = { - remote = "10.0.0.1"; - local = "10.0.0.22"; - ttl = 255; - }; - msipv6 = { - remote = "192.168.0.1"; - dev = "enp3s0"; - ttl = 127; - }; - }; + example = literalExample '' + { + hurricane = { + remote = "10.0.0.1"; + local = "10.0.0.22"; + ttl = 255; + }; + msipv6 = { + remote = "192.168.0.1"; + dev = "enp3s0"; + ttl = 127; + }; + } + ''; description = '' This option allows you to define 6-to-4 interfaces which should be automatically created. ''; @@ -826,16 +844,18 @@ in networking.vlans = mkOption { default = { }; - example = literalExample { - vlan0 = { - id = 3; - interface = "enp3s0"; - }; - vlan1 = { - id = 1; - interface = "wlan0"; - }; - }; + example = literalExample '' + { + vlan0 = { + id = 3; + interface = "enp3s0"; + }; + vlan1 = { + id = 1; + interface = "wlan0"; + }; + } + ''; description = '' This option allows you to define vlan devices that tag packets @@ -868,24 +888,26 @@ in networking.wlanInterfaces = mkOption { default = { }; - example = literalExample { - wlan-station0 = { - device = "wlp6s0"; - }; - wlan-adhoc0 = { - type = "ibss"; - device = "wlp6s0"; - mac = "02:00:00:00:00:01"; - }; - wlan-p2p0 = { - device = "wlp6s0"; - mac = "02:00:00:00:00:02"; - }; - wlan-ap0 = { - device = "wlp6s0"; - mac = "02:00:00:00:00:03"; - }; - }; + example = literalExample '' + { + wlan-station0 = { + device = "wlp6s0"; + }; + wlan-adhoc0 = { + type = "ibss"; + device = "wlp6s0"; + mac = "02:00:00:00:00:01"; + }; + wlan-p2p0 = { + device = "wlp6s0"; + mac = "02:00:00:00:00:02"; + }; + wlan-ap0 = { + device = "wlp6s0"; + mac = "02:00:00:00:00:03"; + }; + } + ''; description = '' Creating multiple WLAN interfaces on top of one physical WLAN device (NIC). @@ -1019,6 +1041,11 @@ in message = '' Temporary addresses are only needed when IPv6 is enabled. ''; + })) ++ (forEach interfaces (i: { + assertion = (i.virtual && i.virtualType == "tun") -> i.macAddress == null; + message = '' + Setting a MAC Address for tun device ${i.name} isn't supported. + ''; })) ++ [ { assertion = cfg.hostId == null || (stringLength cfg.hostId == 8 && isHexString cfg.hostId); @@ -1038,11 +1065,11 @@ in optionalString hasBonds "options bonding max_bonds=0"; boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); - "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) - (i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true))) + (i: [(nameValuePair "net.ipv4.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true)])) // listToAttrs (forEach interfaces (i: let opt = i.tempAddress; @@ -1128,38 +1155,7 @@ in ${cfg.localCommands} ''; }; - } // (listToAttrs (forEach interfaces (i: - let - deviceDependency = if (config.boot.isContainer || i.name == "lo") - then [] - else [ (subsystemDevice i.name) ]; - in - nameValuePair "network-link-${i.name}" - { description = "Link configuration of ${i.name}"; - wantedBy = [ "network-interfaces.target" ]; - before = [ "network-interfaces.target" ]; - bindsTo = deviceDependency; - after = [ "network-pre.target" ] ++ deviceDependency; - path = [ pkgs.iproute ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = - '' - echo "Configuring link..." - '' + optionalString (i.macAddress != null) '' - echo "setting MAC address to ${i.macAddress}..." - ip link set "${i.name}" address "${i.macAddress}" - '' + optionalString (i.mtu != null) '' - echo "setting MTU to ${toString i.mtu}..." - ip link set "${i.name}" mtu "${toString i.mtu}" - '' + '' - echo -n "bringing up interface... " - ip link set "${i.name}" up && echo "done" || (echo "failed"; exit 1) - ''; - }))); - + }; services.mstpd = mkIf needsMstpd { enable = true; }; virtualisation.vswitch = mkIf (cfg.vswitches != { }) { enable = true; }; diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix index 036b1036f92a..e85482af8392 100644 --- a/nixos/modules/virtualisation/azure-agent.nix +++ b/nixos/modules/virtualisation/azure-agent.nix @@ -48,7 +48,7 @@ let provisionedHook = pkgs.writeScript "provisioned-hook" '' #!${pkgs.runtimeShell} - ${config.systemd.package}/bin/systemctl start provisioned.target + /run/current-system/systemd/bin/systemctl start provisioned.target ''; in diff --git a/nixos/modules/virtualisation/azure-common.nix b/nixos/modules/virtualisation/azure-common.nix index 03239991b95a..8efa177e30d1 100644 --- a/nixos/modules/virtualisation/azure-common.nix +++ b/nixos/modules/virtualisation/azure-common.nix @@ -15,6 +15,8 @@ with lib; boot.loader.grub.version = 2; boot.loader.timeout = 0; + boot.growPartition = true; + # Don't put old configurations in the GRUB menu. The user has no # way to select them anyway. boot.loader.grub.configurationLimit = 0; diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index e91dd72ff5d4..21fd58e5c902 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -2,27 +2,38 @@ with lib; let - diskSize = 2048; + cfg = config.virtualisation.azureImage; in { - system.build.azureImage = import ../../lib/make-disk-image.nix { - name = "azure-image"; - postVM = '' - ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=fixed,force_size -O vpc $diskImage $out/disk.vhd - ''; - configFile = ./azure-config-user.nix; - format = "raw"; - inherit diskSize; - inherit config lib pkgs; - }; - imports = [ ./azure-common.nix ]; + + options = { + virtualisation.azureImage.diskSize = mkOption { + type = with types; int; + default = 2048; + description = '' + Size of disk image. Unit is MB. + ''; + }; + }; + config = { + system.build.azureImage = import ../../lib/make-disk-image.nix { + name = "azure-image"; + postVM = '' + ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=fixed,force_size -O vpc $diskImage $out/disk.vhd + rm $diskImage + ''; + configFile = ./azure-config-user.nix; + format = "raw"; + inherit (cfg) diskSize; + inherit config lib pkgs; + }; - # Azure metadata is available as a CD-ROM drive. - fileSystems."/metadata".device = "/dev/sr0"; + # Azure metadata is available as a CD-ROM drive. + fileSystems."/metadata".device = "/dev/sr0"; - systemd.services.fetch-ssh-keys = - { description = "Fetch host keys and authorized_keys for root user"; + systemd.services.fetch-ssh-keys = { + description = "Fetch host keys and authorized_keys for root user"; wantedBy = [ "sshd.service" "waagent.service" ]; before = [ "sshd.service" "waagent.service" ]; @@ -54,6 +65,6 @@ in serviceConfig.RemainAfterExit = true; serviceConfig.StandardError = "journal+console"; serviceConfig.StandardOutput = "journal+console"; - }; - + }; + }; } diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 02de5801da25..7d184575640b 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -1,822 +1,125 @@ { config, lib, pkgs, ... }: - -with lib; - let - - # The container's init script, a small wrapper around the regular - # NixOS stage-2 init script. - containerInit = (cfg: - let - renderExtraVeth = (name: cfg: - '' - echo "Bringing ${name} up" - ip link set dev ${name} up - ${optionalString (cfg.localAddress != null) '' - echo "Setting ip for ${name}" - ip addr add ${cfg.localAddress} dev ${name} - ''} - ${optionalString (cfg.localAddress6 != null) '' - echo "Setting ip6 for ${name}" - ip -6 addr add ${cfg.localAddress6} dev ${name} - ''} - ${optionalString (cfg.hostAddress != null) '' - echo "Setting route to host for ${name}" - ip route add ${cfg.hostAddress} dev ${name} - ''} - ${optionalString (cfg.hostAddress6 != null) '' - echo "Setting route6 to host for ${name}" - ip -6 route add ${cfg.hostAddress6} dev ${name} - ''} - '' - ); - in - pkgs.writeScript "container-init" - '' - #! ${pkgs.runtimeShell} -e - - # Initialise the container side of the veth pair. - if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] || - [ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] || - [ -n "$HOST_BRIDGE" ]; then - ip link set host0 name eth0 - ip link set dev eth0 up - - if [ -n "$LOCAL_ADDRESS" ]; then - ip addr add $LOCAL_ADDRESS dev eth0 - fi - if [ -n "$LOCAL_ADDRESS6" ]; then - ip -6 addr add $LOCAL_ADDRESS6 dev eth0 - fi - if [ -n "$HOST_ADDRESS" ]; then - ip route add $HOST_ADDRESS dev eth0 - ip route add default via $HOST_ADDRESS - fi - if [ -n "$HOST_ADDRESS6" ]; then - ip -6 route add $HOST_ADDRESS6 dev eth0 - ip -6 route add default via $HOST_ADDRESS6 - fi - - ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} - fi - - # Start the regular stage 1 script. - exec "$1" - '' - ); - - nspawnExtraVethArgs = (name: cfg: "--network-veth-extra=${name}"); - - startScript = cfg: - '' - mkdir -p -m 0755 "$root/etc" "$root/var/lib" - mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers - if ! [ -e "$root/etc/os-release" ]; then - touch "$root/etc/os-release" - fi - - if ! [ -e "$root/etc/machine-id" ]; then - touch "$root/etc/machine-id" - fi - - mkdir -p -m 0755 \ - "/nix/var/nix/profiles/per-container/$INSTANCE" \ - "/nix/var/nix/gcroots/per-container/$INSTANCE" - - cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf" - - if [ "$PRIVATE_NETWORK" = 1 ]; then - extraFlags+=" --private-network" - fi - - if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || - [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then - extraFlags+=" --network-veth" - fi - - if [ -n "$HOST_PORT" ]; then - OIFS=$IFS - IFS="," - for i in $HOST_PORT - do - extraFlags+=" --port=$i" - done - IFS=$OIFS - fi - - if [ -n "$HOST_BRIDGE" ]; then - extraFlags+=" --network-bridge=$HOST_BRIDGE" - fi - - extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}" - - for iface in $INTERFACES; do - extraFlags+=" --network-interface=$iface" - done - - for iface in $MACVLANS; do - extraFlags+=" --network-macvlan=$iface" - done - - # If the host is 64-bit and the container is 32-bit, add a - # --personality flag. - ${optionalString (config.nixpkgs.localSystem.system == "x86_64-linux") '' - if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then - extraFlags+=" --personality=x86" - fi - ''} - - # Run systemd-nspawn without startup notification (we'll - # wait for the container systemd to signal readiness). - exec ${config.systemd.package}/bin/systemd-nspawn \ - --keep-unit \ - -M "$INSTANCE" -D "$root" $extraFlags \ - $EXTRA_NSPAWN_FLAGS \ - --notify-ready=yes \ - --bind-ro=/nix/store \ - --bind-ro=/nix/var/nix/db \ - --bind-ro=/nix/var/nix/daemon-socket \ - --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ - --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ - ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \ - --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ - --setenv HOST_BRIDGE="$HOST_BRIDGE" \ - --setenv HOST_ADDRESS="$HOST_ADDRESS" \ - --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ - --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \ - --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \ - --setenv HOST_PORT="$HOST_PORT" \ - --setenv PATH="$PATH" \ - ${optionalString cfg.ephemeral "--ephemeral"} \ - ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then - ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else "" - } \ - ${if cfg.tmpfs != null && cfg.tmpfs != [] then - ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else "" - } \ - ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" - ''; - - preStartScript = cfg: - '' - # Clean up existing machined registration and interfaces. - machinectl terminate "$INSTANCE" 2> /dev/null || true - - if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || - [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then - ip link del dev "ve-$INSTANCE" 2> /dev/null || true - ip link del dev "vb-$INSTANCE" 2> /dev/null || true - fi - - ${concatStringsSep "\n" ( - mapAttrsToList (name: cfg: - ''ip link del dev ${name} 2> /dev/null || true '' - ) cfg.extraVeths - )} - ''; - - postStartScript = (cfg: - let - ipcall = cfg: ipcmd: variable: attribute: - if cfg.${attribute} == null then - '' - if [ -n "${variable}" ]; then - ${ipcmd} add ${variable} dev $ifaceHost - fi - '' - else - ''${ipcmd} add ${cfg.${attribute}} dev $ifaceHost''; - renderExtraVeth = name: cfg: - if cfg.hostBridge != null then - '' - # Add ${name} to bridge ${cfg.hostBridge} - ip link set dev ${name} master ${cfg.hostBridge} up - '' - else - '' - echo "Bring ${name} up" - ip link set dev ${name} up - # Set IPs and routes for ${name} - ${optionalString (cfg.hostAddress != null) '' - ip addr add ${cfg.hostAddress} dev ${name} - ''} - ${optionalString (cfg.hostAddress6 != null) '' - ip -6 addr add ${cfg.hostAddress6} dev ${name} - ''} - ${optionalString (cfg.localAddress != null) '' - ip route add ${cfg.localAddress} dev ${name} - ''} - ${optionalString (cfg.localAddress6 != null) '' - ip -6 route add ${cfg.localAddress6} dev ${name} - ''} - ''; - in - '' - if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || - [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then - if [ -z "$HOST_BRIDGE" ]; then - ifaceHost=ve-$INSTANCE - ip link set dev $ifaceHost up - - ${ipcall cfg "ip addr" "$HOST_ADDRESS" "hostAddress"} - ${ipcall cfg "ip -6 addr" "$HOST_ADDRESS6" "hostAddress6"} - ${ipcall cfg "ip route" "$LOCAL_ADDRESS" "localAddress"} - ${ipcall cfg "ip -6 route" "$LOCAL_ADDRESS6" "localAddress6"} - fi - ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} - fi - '' - ); - - serviceDirectives = cfg: { - ExecReload = pkgs.writeScript "reload-container" - '' - #! ${pkgs.runtimeShell} -e - ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \ - bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" - ''; - - SyslogIdentifier = "container %i"; - - EnvironmentFile = "-/etc/containers/%i.conf"; - - Type = "notify"; - - RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i"; - - # Note that on reboot, systemd-nspawn returns 133, so this - # unit will be restarted. On poweroff, it returns 0, so the - # unit won't be restarted. - RestartForceExitStatus = "133"; - SuccessExitStatus = "133"; - - # Some containers take long to start - # especially when you automatically start many at once - TimeoutStartSec = cfg.timeoutStartSec; - - Restart = "on-failure"; - - Slice = "machine.slice"; - Delegate = true; - - # Hack: we don't want to kill systemd-nspawn, since we call - # "machinectl poweroff" in preStop to shut down the - # container cleanly. But systemd requires sending a signal - # (at least if we want remaining processes to be killed - # after the timeout). So send an ignored signal. - KillMode = "mixed"; - KillSignal = "WINCH"; - - DevicePolicy = "closed"; - DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; + cfg = config.virtualisation.containers; + + inherit (lib) mkOption types; + + # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator + toTOML = name: value: pkgs.runCommandNoCC name { + nativeBuildInputs = [ pkgs.remarshal ]; + value = builtins.toJSON value; + passAsFile = [ "value" ]; + } '' + json2toml "$valuePath" "$out" + ''; + + # Copy configuration files to avoid having the entire sources in the system closure + copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} '' + cp ${filePath} $out + ''; +in +{ + meta = { + maintainers = [] ++ lib.teams.podman.members; }; + options.virtualisation.containers = { - system = config.nixpkgs.localSystem.system; - - bindMountOpts = { name, ... }: { - - options = { - mountPoint = mkOption { - example = "/mnt/usb"; - type = types.str; - description = "Mount point on the container file system."; - }; - hostPath = mkOption { - default = null; - example = "/home/alice"; - type = types.nullOr types.str; - description = "Location of the host path to be mounted."; - }; - isReadOnly = mkOption { - default = true; + enable = + mkOption { type = types.bool; - description = "Determine whether the mounted path will be accessed in read-only mode."; + default = false; + description = '' + This option enables the common /etc/containers configuration module. + ''; }; - }; - - config = { - mountPoint = mkDefault name; - }; - }; - - allowedDeviceOpts = { ... }: { - options = { - node = mkOption { - example = "/dev/net/tun"; - type = types.str; - description = "Path to device node"; - }; - modifier = mkOption { - example = "rw"; - type = types.str; + registries = { + search = mkOption { + type = types.listOf types.str; + default = [ "docker.io" "quay.io" ]; description = '' - Device node access modifier. Takes a combination - <literal>r</literal> (read), <literal>w</literal> (write), and - <literal>m</literal> (mknod). See the - <literal>systemd.resource-control(5)</literal> man page for more - information.''; + List of repositories to search. + ''; }; - }; - }; - - - mkBindFlag = d: - let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind="; - mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}"; - in flagPrefix + mountstr ; - mkBindFlags = bs: concatMapStrings mkBindFlag (lib.attrValues bs); + insecure = mkOption { + default = []; + type = types.listOf types.str; + description = '' + List of insecure repositories. + ''; + }; - networkOptions = { - hostBridge = mkOption { - type = types.nullOr types.str; - default = null; - example = "br0"; - description = '' - Put the host-side of the veth-pair into the named bridge. - Only one of hostAddress* or hostBridge can be given. - ''; + block = mkOption { + default = []; + type = types.listOf types.str; + description = '' + List of blocked repositories. + ''; + }; }; - forwardPorts = mkOption { - type = types.listOf (types.submodule { - options = { - protocol = mkOption { - type = types.str; - default = "tcp"; - description = "The protocol specifier for port forwarding between host and container"; - }; - hostPort = mkOption { - type = types.int; - description = "Source port of the external interface on host"; - }; - containerPort = mkOption { - type = types.nullOr types.int; - default = null; - description = "Target port of container"; + policy = mkOption { + default = {}; + type = types.attrs; + example = lib.literalExample '' + { + default = [ { type = "insecureAcceptAnything"; } ]; + transports = { + docker-daemon = { + "" = [ { type = "insecureAcceptAnything"; } ]; + }; }; - }; - }); - default = []; - example = [ { protocol = "tcp"; hostPort = 8080; containerPort = 80; } ]; - description = '' - List of forwarded ports from host to container. Each forwarded port - is specified by protocol, hostPort and containerPort. By default, - protocol is tcp and hostPort and containerPort are assumed to be - the same if containerPort is not explicitly given. - ''; - }; - - - hostAddress = mkOption { - type = types.nullOr types.str; - default = null; - example = "10.231.136.1"; - description = '' - The IPv4 address assigned to the host interface. - (Not used when hostBridge is set.) + } ''; - }; - - hostAddress6 = mkOption { - type = types.nullOr types.str; - default = null; - example = "fc00::1"; description = '' - The IPv6 address assigned to the host interface. - (Not used when hostBridge is set.) + Signature verification policy file. + If this option is empty the default policy file from + <literal>skopeo</literal> will be used. ''; }; - localAddress = mkOption { - type = types.nullOr types.str; - default = null; - example = "10.231.136.2"; - description = '' - The IPv4 address assigned to the interface in the container. - If a hostBridge is used, this should be given with netmask to access - the whole network. Otherwise the default netmask is /32 and routing is - set up from localAddress to hostAddress and back. - ''; - }; - - localAddress6 = mkOption { - type = types.nullOr types.str; - default = null; - example = "fc00::2"; + users = mkOption { + default = []; + type = types.listOf types.str; description = '' - The IPv6 address assigned to the interface in the container. - If a hostBridge is used, this should be given with netmask to access - the whole network. Otherwise the default netmask is /128 and routing is - set up from localAddress6 to hostAddress6 and back. + List of users to set up subuid/subgid mappings for. + This is a requirement for running rootless containers. ''; }; }; - dummyConfig = - { - extraVeths = {}; - additionalCapabilities = []; - ephemeral = false; - timeoutStartSec = "15s"; - allowedDevices = []; - hostAddress = null; - hostAddress6 = null; - localAddress = null; - localAddress6 = null; - tmpfs = null; - }; - -in - -{ - options = { - - boot.isContainer = mkOption { - type = types.bool; - default = false; - description = '' - Whether this NixOS machine is a lightweight container running - in another NixOS system. - ''; - }; + config = lib.mkIf cfg.enable { - boot.enableContainers = mkOption { - type = types.bool; - default = !config.boot.isContainer; - description = '' - Whether to enable support for NixOS containers. - ''; + environment.etc."containers/registries.conf".source = toTOML "registries.conf" { + registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; }; - containers = mkOption { - type = types.attrsOf (types.submodule ( - { config, options, name, ... }: - { - options = { - - config = mkOption { - description = '' - A specification of the desired configuration of this - container, as a NixOS module. - ''; - type = lib.mkOptionType { - name = "Toplevel NixOS config"; - merge = loc: defs: (import ../../lib/eval-config.nix { - inherit system; - modules = - let - extraConfig = { - _file = "module at ${__curPos.file}:${toString __curPos.line}"; - config = { - boot.isContainer = true; - networking.hostName = mkDefault name; - networking.useDHCP = false; - assertions = [ - { - assertion = config.privateNetwork -> stringLength name < 12; - message = '' - Container name `${name}` is too long: When `privateNetwork` is enabled, container names can - not be longer than 11 characters, because the container's interface name is derived from it. - This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509 - ''; - } - ]; - }; - }; - in [ extraConfig ] ++ (map (x: x.value) defs); - prefix = [ "containers" name ]; - }).config; - }; - }; - - path = mkOption { - type = types.path; - example = "/nix/var/nix/profiles/containers/webserver"; - description = '' - As an alternative to specifying - <option>config</option>, you can specify the path to - the evaluated NixOS system configuration, typically a - symlink to a system profile. - ''; - }; - - additionalCapabilities = mkOption { - type = types.listOf types.str; - default = []; - example = [ "CAP_NET_ADMIN" "CAP_MKNOD" ]; - description = '' - Grant additional capabilities to the container. See the - capabilities(7) and systemd-nspawn(1) man pages for more - information. - ''; - }; - - ephemeral = mkOption { - type = types.bool; - default = false; - description = '' - Runs container in ephemeral mode with the empty root filesystem at boot. - This way container will be bootstrapped from scratch on each boot - and will be cleaned up on shutdown leaving no traces behind. - Useful for completely stateless, reproducible containers. - - Note that this option might require to do some adjustments to the container configuration, - e.g. you might want to set - <varname>systemd.network.networks.$interface.dhcpConfig.ClientIdentifier</varname> to "mac" - if you use <varname>macvlans</varname> option. - This way dhcp client identifier will be stable between the container restarts. - - Note that the container journal will not be linked to the host if this option is enabled. - ''; - }; - - enableTun = mkOption { - type = types.bool; - default = false; - description = '' - Allows the container to create and setup tunnel interfaces - by granting the <literal>NET_ADMIN</literal> capability and - enabling access to <literal>/dev/net/tun</literal>. - ''; - }; - - privateNetwork = mkOption { - type = types.bool; - default = false; - description = '' - Whether to give the container its own private virtual - Ethernet interface. The interface is called - <literal>eth0</literal>, and is hooked up to the interface - <literal>ve-<replaceable>container-name</replaceable></literal> - on the host. If this option is not set, then the - container shares the network interfaces of the host, - and can bind to any port on any interface. - ''; - }; - - interfaces = mkOption { - type = types.listOf types.str; - default = []; - example = [ "eth1" "eth2" ]; - description = '' - The list of interfaces to be moved into the container. - ''; - }; - - macvlans = mkOption { - type = types.listOf types.str; - default = []; - example = [ "eth1" "eth2" ]; - description = '' - The list of host interfaces from which macvlans will be - created. For each interface specified, a macvlan interface - will be created and moved to the container. - ''; - }; - - extraVeths = mkOption { - type = with types; attrsOf (submodule { options = networkOptions; }); - default = {}; - description = '' - Extra veth-pairs to be created for the container - ''; - }; - - autoStart = mkOption { - type = types.bool; - default = false; - description = '' - Whether the container is automatically started at boot-time. - ''; - }; - - timeoutStartSec = mkOption { - type = types.str; - default = "1min"; - description = '' - Time for the container to start. In case of a timeout, - the container processes get killed. - See <citerefentry><refentrytitle>systemd.time</refentrytitle> - <manvolnum>7</manvolnum></citerefentry> - for more information about the format. - ''; - }; - - bindMounts = mkOption { - type = with types; loaOf (submodule bindMountOpts); - default = {}; - example = { "/home" = { hostPath = "/home/alice"; - isReadOnly = false; }; - }; - - description = - '' - An extra list of directories that is bound to the container. - ''; - }; - - allowedDevices = mkOption { - type = with types; listOf (submodule allowedDeviceOpts); - default = []; - example = [ { node = "/dev/net/tun"; modifier = "rw"; } ]; - description = '' - A list of device nodes to which the containers has access to. - ''; - }; - - tmpfs = mkOption { - type = types.listOf types.str; - default = []; - example = [ "/var" ]; - description = '' - Mounts a set of tmpfs file systems into the container. - Multiple paths can be specified. - Valid items must conform to the --tmpfs argument - of systemd-nspawn. See systemd-nspawn(1) for details. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - example = [ "--drop-capability=CAP_SYS_CHROOT" ]; - description = '' - Extra flags passed to the systemd-nspawn command. - See systemd-nspawn(1) for details. - ''; - }; - - } // networkOptions; - - config = mkMerge - [ - (mkIf options.config.isDefined { - path = config.config.system.build.toplevel; - }) + users.extraUsers = builtins.listToAttrs ( + ( + builtins.foldl' ( + acc: user: { + values = acc.values ++ [ + { + name = user; + value = { + subUidRanges = [ { startUid = acc.offset; count = 65536; } ]; + subGidRanges = [ { startGid = acc.offset; count = 65536; } ]; + }; + } ]; - })); - - default = {}; - example = literalExample - '' - { webserver = - { path = "/nix/var/nix/profiles/webserver"; - }; - database = - { config = - { config, pkgs, ... }: - { services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_9_6; - - system.stateVersion = "17.03"; - }; - }; + offset = acc.offset + 65536; } - ''; - description = '' - A set of NixOS system configurations to be run as lightweight - containers. Each container appears as a service - <literal>container-<replaceable>name</replaceable></literal> - on the host system, allowing it to be started and stopped via - <command>systemctl</command>. - ''; - }; + ) + { values = []; offset = 100000; } (lib.unique cfg.users) + ).values + ); + environment.etc."containers/policy.json".source = + if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy) + else copyFile "${pkgs.skopeo.src}/default-policy.json"; }; - - config = mkIf (config.boot.enableContainers) (let - - unit = { - description = "Container '%i'"; - - unitConfig.RequiresMountsFor = "/var/lib/containers/%i"; - - path = [ pkgs.iproute ]; - - environment = { - root = "/var/lib/containers/%i"; - INSTANCE = "%i"; - }; - - preStart = preStartScript dummyConfig; - - script = startScript dummyConfig; - - postStart = postStartScript dummyConfig; - - preStop = "machinectl poweroff $INSTANCE"; - - restartIfChanged = false; - - serviceConfig = serviceDirectives dummyConfig; - }; - in { - systemd.targets.multi-user.wants = [ "machines.target" ]; - - systemd.services = listToAttrs (filter (x: x.value != null) ( - # The generic container template used by imperative containers - [{ name = "container@"; value = unit; }] - # declarative containers - ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (let - containerConfig = cfg // ( - if cfg.enableTun then - { - allowedDevices = cfg.allowedDevices - ++ [ { node = "/dev/net/tun"; modifier = "rw"; } ]; - additionalCapabilities = cfg.additionalCapabilities - ++ [ "CAP_NET_ADMIN" ]; - } - else {}); - in - recursiveUpdate unit { - preStart = preStartScript containerConfig; - script = startScript containerConfig; - postStart = postStartScript containerConfig; - serviceConfig = serviceDirectives containerConfig; - unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i"; - environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i"; - } // ( - if containerConfig.autoStart then - { - wantedBy = [ "machines.target" ]; - wants = [ "network.target" ]; - after = [ "network.target" ]; - restartTriggers = [ - containerConfig.path - config.environment.etc."containers/${name}.conf".source - ]; - restartIfChanged = true; - } - else {}) - )) config.containers) - )); - - # Generate a configuration file in /etc/containers for each - # container so that container@.target can get the container - # configuration. - environment.etc = - let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort); - in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf" - { text = - '' - SYSTEM_PATH=${cfg.path} - ${optionalString cfg.privateNetwork '' - PRIVATE_NETWORK=1 - ${optionalString (cfg.hostBridge != null) '' - HOST_BRIDGE=${cfg.hostBridge} - ''} - ${optionalString (length cfg.forwardPorts > 0) '' - HOST_PORT=${concatStringsSep "," (map mkPortStr cfg.forwardPorts)} - ''} - ${optionalString (cfg.hostAddress != null) '' - HOST_ADDRESS=${cfg.hostAddress} - ''} - ${optionalString (cfg.hostAddress6 != null) '' - HOST_ADDRESS6=${cfg.hostAddress6} - ''} - ${optionalString (cfg.localAddress != null) '' - LOCAL_ADDRESS=${cfg.localAddress} - ''} - ${optionalString (cfg.localAddress6 != null) '' - LOCAL_ADDRESS6=${cfg.localAddress6} - ''} - ''} - INTERFACES="${toString cfg.interfaces}" - MACVLANS="${toString cfg.macvlans}" - ${optionalString cfg.autoStart '' - AUTO_START=1 - ''} - EXTRA_NSPAWN_FLAGS="${mkBindFlags cfg.bindMounts + - optionalString (cfg.extraFlags != []) - (" " + concatStringsSep " " cfg.extraFlags)}" - ''; - }) config.containers; - - # Generate /etc/hosts entries for the containers. - networking.extraHosts = concatStrings (mapAttrsToList (name: cfg: optionalString (cfg.localAddress != null) - '' - ${head (splitString "/" cfg.localAddress)} ${name}.containers - '') config.containers); - - networking.dhcpcd.denyInterfaces = [ "ve-*" "vb-*" ]; - - services.udev.extraRules = optionalString config.networking.networkmanager.enable '' - # Don't manage interfaces created by nixos-container. - ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1" - ''; - - environment.systemPackages = [ pkgs.nixos-container ]; - - boot.kernelModules = [ - "bridge" - "macvlan" - "tap" - "tun" - ]; - }); } diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix index 14a435f6c8bb..f267c97b1788 100644 --- a/nixos/modules/virtualisation/cri-o.nix +++ b/nixos/modules/virtualisation/cri-o.nix @@ -4,94 +4,124 @@ with lib; let cfg = config.virtualisation.cri-o; + + crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; }); + + # Copy configuration files to avoid having the entire sources in the system closure + copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} '' + cp ${filePath} $out + ''; in { + imports = [ + (mkRenamedOptionModule [ "virtualisation" "cri-o" "registries" ] [ "virtualisation" "containers" "registries" "search" ]) + ]; + + meta = { + maintainers = lib.teams.podman.members; + }; + options.virtualisation.cri-o = { enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)"; storageDriver = mkOption { - type = types.enum ["btrfs" "overlay" "vfs"]; + type = types.enum [ "btrfs" "overlay" "vfs" ]; default = "overlay"; description = "Storage driver to be used"; }; logLevel = mkOption { - type = types.enum ["trace" "debug" "info" "warn" "error" "fatal"]; + type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ]; default = "info"; description = "Log level to be used"; }; pauseImage = mkOption { - type = types.str; - default = "k8s.gcr.io/pause:3.1"; - description = "Pause image for pod sandboxes to be used"; + type = types.nullOr types.str; + default = null; + description = "Override the default pause image for pod sandboxes"; + example = [ "k8s.gcr.io/pause:3.2" ]; }; pauseCommand = mkOption { - type = types.str; - default = "/pause"; - description = "Pause command to be executed"; + type = types.nullOr types.str; + default = null; + description = "Override the default pause command"; + example = [ "/pause" ]; + }; + + runtime = mkOption { + type = types.nullOr types.str; + default = null; + description = "Override the default runtime"; + example = [ "crun" ]; + }; + + extraPackages = mkOption { + type = with types; listOf package; + default = [ ]; + example = lib.literalExample '' + [ + pkgs.gvisor + ] + ''; + description = '' + Extra packages to be installed in the CRI-O wrapper. + ''; }; - registries = mkOption { - type = types.listOf types.str; - default = [ "docker.io" "quay.io" ]; - description = "Registries to be configured for unqualified image pull"; + package = lib.mkOption { + type = types.package; + default = crioPackage; + internal = true; + description = '' + The final CRI-O package (including extra packages). + ''; }; }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; - [ cri-o cri-tools conmon cni-plugins iptables runc utillinux ]; - environment.etc."crictl.yaml".text = '' - runtime-endpoint: unix:///var/run/crio/crio.sock - ''; + environment.systemPackages = [ cfg.package pkgs.cri-tools ]; + + environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml"; + environment.etc."crio/crio.conf".text = '' [crio] storage_driver = "${cfg.storageDriver}" [crio.image] - pause_image = "${cfg.pauseImage}" - pause_command = "${cfg.pauseCommand}" - registries = [ - ${concatMapStringsSep ", " (x: "\"" + x + "\"") cfg.registries} - ] + ${optionalString (cfg.pauseImage != null) ''pause_image = "${cfg.pauseImage}"''} + ${optionalString (cfg.pauseCommand != null) ''pause_command = "${cfg.pauseCommand}"''} + + [crio.network] + plugin_dirs = ["${pkgs.cni-plugins}/bin/"] [crio.runtime] - conmon = "${pkgs.conmon}/bin/conmon" + cgroup_manager = "systemd" log_level = "${cfg.logLevel}" - manage_network_ns_lifecycle = true - ''; - environment.etc."containers/policy.json".text = '' - {"default": [{"type": "insecureAcceptAnything"}]} - ''; - environment.etc."cni/net.d/20-cri-o-bridge.conf".text = '' - { - "cniVersion": "0.3.1", - "name": "crio-bridge", - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } - } + manage_ns_lifecycle = true + + ${optionalString (cfg.runtime != null) '' + default_runtime = "${cfg.runtime}" + [crio.runtime.runtimes] + [crio.runtime.runtimes.${cfg.runtime}] + ''} ''; + environment.etc."cni/net.d/10-crio-bridge.conf".source = copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf"; + + # Enable common /etc/containers configuration + virtualisation.containers.enable = true; + systemd.services.crio = { description = "Container Runtime Interface for OCI (CRI-O)"; documentation = [ "https://github.com/cri-o/cri-o" ]; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - path = [ pkgs.utillinux pkgs.runc pkgs.iptables ]; + path = [ cfg.package ]; serviceConfig = { Type = "notify"; - ExecStart = "${pkgs.cri-o}/bin/crio"; + ExecStart = "${cfg.package}/bin/crio"; ExecReload = "/bin/kill -s HUP $MAINPID"; TasksMax = "infinity"; LimitNOFILE = "1048576"; diff --git a/nixos/modules/virtualisation/ec2-amis.nix b/nixos/modules/virtualisation/ec2-amis.nix index 3b4e55d39d7b..24de8cf1afbf 100644 --- a/nixos/modules/virtualisation/ec2-amis.nix +++ b/nixos/modules/virtualisation/ec2-amis.nix @@ -291,21 +291,43 @@ let self = { "19.03".sa-east-1.hvm-ebs = "ami-0c6a43c6e0ad1f4e2"; "19.03".ap-south-1.hvm-ebs = "ami-0303deb1b5890f878"; - # 19.09.981.205691b7cbe - "19.09".eu-west-1.hvm-ebs = "ami-0ebd3156e21e9642f"; - "19.09".eu-west-2.hvm-ebs = "ami-02a2b5480a79084b7"; - "19.09".eu-west-3.hvm-ebs = "ami-09aa175c7588734f7"; - "19.09".eu-central-1.hvm-ebs = "ami-00a7fafd7e237a330"; - "19.09".us-east-1.hvm-ebs = "ami-00a8eeaf232a74f84"; - "19.09".us-east-2.hvm-ebs = "ami-093efd3a57a1e03a8"; - "19.09".us-west-1.hvm-ebs = "ami-0913e9a2b677fac30"; - "19.09".us-west-2.hvm-ebs = "ami-02d9a19f77b47882a"; - "19.09".ca-central-1.hvm-ebs = "ami-0627dd3f7b3627a29"; - "19.09".ap-southeast-1.hvm-ebs = "ami-083614e4d08f2164d"; - "19.09".ap-southeast-2.hvm-ebs = "ami-0048c704185ded6dc"; - "19.09".ap-northeast-1.hvm-ebs = "ami-0329e7fc2d7f60bd0"; - "19.09".ap-northeast-2.hvm-ebs = "ami-03d4ae7d0b5fc364f"; - "19.09".ap-south-1.hvm-ebs = "ami-0b599690b35aeef23"; + # 19.09.2243.84af403f54f + "19.09".eu-west-1.hvm-ebs = "ami-071082f0fa035374f"; + "19.09".eu-west-2.hvm-ebs = "ami-0d9dc33c54d1dc4c3"; + "19.09".eu-west-3.hvm-ebs = "ami-09566799591d1bfed"; + "19.09".eu-central-1.hvm-ebs = "ami-015f8efc2be419b79"; + "19.09".eu-north-1.hvm-ebs = "ami-07fc0a32d885e01ed"; + "19.09".us-east-1.hvm-ebs = "ami-03330d8b51287412f"; + "19.09".us-east-2.hvm-ebs = "ami-0518b4c84972e967f"; + "19.09".us-west-1.hvm-ebs = "ami-06ad07e61a353b4a6"; + "19.09".us-west-2.hvm-ebs = "ami-0e31e30925cf3ce4e"; + "19.09".ca-central-1.hvm-ebs = "ami-07df50fc76702a36d"; + "19.09".ap-southeast-1.hvm-ebs = "ami-0f71ae5d4b0b78d95"; + "19.09".ap-southeast-2.hvm-ebs = "ami-057bbf2b4bd62d210"; + "19.09".ap-northeast-1.hvm-ebs = "ami-02a62555ca182fb5b"; + "19.09".ap-northeast-2.hvm-ebs = "ami-0219dde0e6b7b7b93"; + "19.09".ap-south-1.hvm-ebs = "ami-066f7f2a895c821a1"; + "19.09".ap-east-1.hvm-ebs = "ami-055b2348db2827ff1"; + "19.09".sa-east-1.hvm-ebs = "ami-018aab68377227e06"; - latest = self."19.09"; + # 20.03.1554.94e39623a49 + "20.03".eu-west-1.hvm-ebs = "ami-02c34db5766cc7013"; + "20.03".eu-west-2.hvm-ebs = "ami-0e32bd8c7853883f1"; + "20.03".eu-west-3.hvm-ebs = "ami-061edb1356c1d69fd"; + "20.03".eu-central-1.hvm-ebs = "ami-0a1a94722dcbff94c"; + "20.03".eu-north-1.hvm-ebs = "ami-02699abfacbb6464b"; + "20.03".us-east-1.hvm-ebs = "ami-0c5e7760748b74e85"; + "20.03".us-east-2.hvm-ebs = "ami-030296bb256764655"; + "20.03".us-west-1.hvm-ebs = "ami-050be818e0266b741"; + "20.03".us-west-2.hvm-ebs = "ami-06562f78dca68eda2"; + "20.03".ca-central-1.hvm-ebs = "ami-02365684a173255c7"; + "20.03".ap-southeast-1.hvm-ebs = "ami-0dbf353e168d155f7"; + "20.03".ap-southeast-2.hvm-ebs = "ami-04c0f3a75f63daddd"; + "20.03".ap-northeast-1.hvm-ebs = "ami-093d9cc49c191eb6c"; + "20.03".ap-northeast-2.hvm-ebs = "ami-0087df91a7b6ebd45"; + "20.03".ap-south-1.hvm-ebs = "ami-0a1a6b569af04af9d"; + "20.03".ap-east-1.hvm-ebs = "ami-0d18fdd309cdefa86"; + "20.03".sa-east-1.hvm-ebs = "ami-09859378158ae971d"; + + latest = self."20.03"; }; in self diff --git a/nixos/modules/virtualisation/ecs-agent.nix b/nixos/modules/virtualisation/ecs-agent.nix index fc51b159579e..93fefe56d1a5 100644 --- a/nixos/modules/virtualisation/ecs-agent.nix +++ b/nixos/modules/virtualisation/ecs-agent.nix @@ -38,9 +38,8 @@ in { if [ ! -z "$ECS_DATADIR" ]; then mkdir -p "$ECS_DATADIR" fi - ${cfg.package.bin}/bin/agent + ${cfg.package}/bin/agent ''; }; }; } - diff --git a/nixos/modules/virtualisation/hyperv-image.nix b/nixos/modules/virtualisation/hyperv-image.nix new file mode 100644 index 000000000000..fabc9113dfc4 --- /dev/null +++ b/nixos/modules/virtualisation/hyperv-image.nix @@ -0,0 +1,70 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.hyperv; + +in { + options = { + hyperv = { + baseImageSize = mkOption { + type = types.int; + default = 2048; + description = '' + The size of the hyper-v base image in MiB. + ''; + }; + vmDerivationName = mkOption { + type = types.str; + default = "nixos-hyperv-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}"; + description = '' + The name of the derivation for the hyper-v appliance. + ''; + }; + vmFileName = mkOption { + type = types.str; + default = "nixos-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.vhdx"; + description = '' + The file name of the hyper-v appliance. + ''; + }; + }; + }; + + config = { + system.build.hypervImage = import ../../lib/make-disk-image.nix { + name = cfg.vmDerivationName; + postVM = '' + ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=dynamic -O vhdx $diskImage $out/${cfg.vmFileName} + rm $diskImage + ''; + format = "raw"; + diskSize = cfg.baseImageSize; + partitionTableType = "efi"; + inherit config lib pkgs; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; + + boot.growPartition = true; + + boot.loader.grub = { + version = 2; + device = "nodev"; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + virtualisation.hypervGuest.enable = true; + }; +} diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix index 0902d2dc2cb0..e08ad3446281 100644 --- a/nixos/modules/virtualisation/kvmgt.nix +++ b/nixos/modules/virtualisation/kvmgt.nix @@ -9,8 +9,8 @@ let vgpuOptions = { uuid = mkOption { - type = types.str; - description = "UUID of VGPU device. You can generate one with <package>libossp_uuid</package>."; + type = with types; listOf str; + description = "UUID(s) of VGPU device. You can generate one with <package>libossp_uuid</package>."; }; }; @@ -36,7 +36,7 @@ in { and find info about device via <command>cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description</command> ''; example = { - i915-GVTg_V5_8.uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525"; + i915-GVTg_V5_8.uuid = [ "a297db4a-f4c2-11e6-90f6-d3b88d6c9525" ]; }; }; }; @@ -51,31 +51,35 @@ in { boot.kernelModules = [ "kvmgt" ]; boot.kernelParams = [ "i915.enable_gvt=1" ]; - systemd.paths = mapAttrs' (name: value: - nameValuePair "kvmgt-${name}" { - description = "KVMGT VGPU ${name} path"; - wantedBy = [ "multi-user.target" ]; - pathConfig = { - PathExists = "/sys/bus/pci/devices/${cfg.device}/mdev_supported_types/${name}/create"; - }; - } - ) cfg.vgpus; - services.udev.extraRules = '' SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm" ''; - systemd.services = mapAttrs' (name: value: - nameValuePair "kvmgt-${name}" { - description = "KVMGT VGPU ${name}"; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStart = "${pkgs.runtimeShell} -c 'echo ${value.uuid} > /sys/bus/pci/devices/${cfg.device}/mdev_supported_types/${name}/create'"; - ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/bus/pci/devices/${cfg.device}/${value.uuid}/remove'"; - }; - } - ) cfg.vgpus; + systemd = let + vgpus = listToAttrs (flatten (mapAttrsToList + (mdev: opt: map (id: nameValuePair "kvmgt-${id}" { inherit mdev; uuid = id; }) opt.uuid) + cfg.vgpus)); + in { + paths = mapAttrs (_: opt: + { + description = "KVMGT VGPU ${opt.uuid} path"; + wantedBy = [ "multi-user.target" ]; + pathConfig = { + PathExists = "/sys/bus/pci/devices/${cfg.device}/mdev_supported_types/${opt.mdev}/create"; + }; + }) vgpus; + + services = mapAttrs (_: opt: + { + description = "KVMGT VGPU ${opt.uuid}"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.runtimeShell} -c 'echo ${opt.uuid} > /sys/bus/pci/devices/${cfg.device}/mdev_supported_types/${opt.mdev}/create'"; + ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/bus/pci/devices/${cfg.device}/${opt.uuid}/remove'"; + }; + }) vgpus; + }; }; meta.maintainers = with maintainers; [ gnidorah ]; diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 9f7bac480e38..f89e5d544b22 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -7,10 +7,8 @@ let cfg = config.virtualisation.libvirtd; vswitch = config.virtualisation.vswitch; configFile = pkgs.writeText "libvirtd.conf" '' - unix_sock_group = "libvirtd" - unix_sock_rw_perms = "0770" - auth_unix_ro = "none" - auth_unix_rw = "none" + auth_unix_ro = "polkit" + auth_unix_rw = "polkit" ${cfg.extraConfig} ''; qemuConfigFile = pkgs.writeText "qemu.conf" '' @@ -214,14 +212,14 @@ in { }; systemd.services.libvirtd = { - description = "Libvirt Virtual Machine Management Daemon"; - - wantedBy = [ "multi-user.target" ]; requires = [ "libvirtd-config.service" ]; after = [ "systemd-udev-settle.service" "libvirtd-config.service" ] ++ optional vswitch.enable "ovs-vswitchd.service"; - environment.LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}''; + environment.LIBVIRTD_ARGS = escapeShellArgs ( + [ "--config" configFile + "--timeout" "120" # from ${libvirt}/var/lib/sysconfig/libvirtd + ] ++ cfg.extraOptions); path = [ cfg.qemuPackage ] # libvirtd requires qemu-img to manage disk images ++ optional vswitch.enable vswitch.package; @@ -266,5 +264,17 @@ in { serviceConfig.ExecStart = "@${pkgs.libvirt}/sbin/virtlockd virtlockd"; restartIfChanged = false; }; + + systemd.sockets.libvirtd .wantedBy = [ "sockets.target" ]; + systemd.sockets.libvirtd-tcp.wantedBy = [ "sockets.target" ]; + + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirtd")) { + return polkit.Result.YES; + } + }); + ''; }; } diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index de48d3a780e2..53b89a9f55b1 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -108,7 +108,7 @@ in ''; serviceConfig = { - ExecStart = "@${cfg.package.bin}/bin/lxd lxd --group lxd"; + ExecStart = "@${cfg.package}/bin/lxd lxd --group lxd"; Type = "simple"; KillMode = "process"; # when stopping, leave the containers alone LimitMEMLOCK = "infinity"; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix new file mode 100644 index 000000000000..b0fa03917c82 --- /dev/null +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -0,0 +1,844 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + # The container's init script, a small wrapper around the regular + # NixOS stage-2 init script. + containerInit = (cfg: + let + renderExtraVeth = (name: cfg: + '' + echo "Bringing ${name} up" + ip link set dev ${name} up + ${optionalString (cfg.localAddress != null) '' + echo "Setting ip for ${name}" + ip addr add ${cfg.localAddress} dev ${name} + ''} + ${optionalString (cfg.localAddress6 != null) '' + echo "Setting ip6 for ${name}" + ip -6 addr add ${cfg.localAddress6} dev ${name} + ''} + ${optionalString (cfg.hostAddress != null) '' + echo "Setting route to host for ${name}" + ip route add ${cfg.hostAddress} dev ${name} + ''} + ${optionalString (cfg.hostAddress6 != null) '' + echo "Setting route6 to host for ${name}" + ip -6 route add ${cfg.hostAddress6} dev ${name} + ''} + '' + ); + in + pkgs.writeScript "container-init" + '' + #! ${pkgs.runtimeShell} -e + + # Initialise the container side of the veth pair. + if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] || + [ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] || + [ -n "$HOST_BRIDGE" ]; then + ip link set host0 name eth0 + ip link set dev eth0 up + + if [ -n "$LOCAL_ADDRESS" ]; then + ip addr add $LOCAL_ADDRESS dev eth0 + fi + if [ -n "$LOCAL_ADDRESS6" ]; then + ip -6 addr add $LOCAL_ADDRESS6 dev eth0 + fi + if [ -n "$HOST_ADDRESS" ]; then + ip route add $HOST_ADDRESS dev eth0 + ip route add default via $HOST_ADDRESS + fi + if [ -n "$HOST_ADDRESS6" ]; then + ip -6 route add $HOST_ADDRESS6 dev eth0 + ip -6 route add default via $HOST_ADDRESS6 + fi + + ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} + fi + + # Start the regular stage 1 script. + exec "$1" + '' + ); + + nspawnExtraVethArgs = (name: cfg: "--network-veth-extra=${name}"); + + startScript = cfg: + '' + mkdir -p -m 0755 "$root/etc" "$root/var/lib" + mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers + if ! [ -e "$root/etc/os-release" ]; then + touch "$root/etc/os-release" + fi + + if ! [ -e "$root/etc/machine-id" ]; then + touch "$root/etc/machine-id" + fi + + mkdir -p -m 0755 \ + "/nix/var/nix/profiles/per-container/$INSTANCE" \ + "/nix/var/nix/gcroots/per-container/$INSTANCE" + + cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf" + + if [ "$PRIVATE_NETWORK" = 1 ]; then + extraFlags+=" --private-network" + fi + + if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || + [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then + extraFlags+=" --network-veth" + fi + + if [ -n "$HOST_PORT" ]; then + OIFS=$IFS + IFS="," + for i in $HOST_PORT + do + extraFlags+=" --port=$i" + done + IFS=$OIFS + fi + + if [ -n "$HOST_BRIDGE" ]; then + extraFlags+=" --network-bridge=$HOST_BRIDGE" + fi + + extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}" + + for iface in $INTERFACES; do + extraFlags+=" --network-interface=$iface" + done + + for iface in $MACVLANS; do + extraFlags+=" --network-macvlan=$iface" + done + + # If the host is 64-bit and the container is 32-bit, add a + # --personality flag. + ${optionalString (config.nixpkgs.localSystem.system == "x86_64-linux") '' + if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then + extraFlags+=" --personality=x86" + fi + ''} + + # Run systemd-nspawn without startup notification (we'll + # wait for the container systemd to signal readiness). + exec ${config.systemd.package}/bin/systemd-nspawn \ + --keep-unit \ + -M "$INSTANCE" -D "$root" $extraFlags \ + $EXTRA_NSPAWN_FLAGS \ + --notify-ready=yes \ + --bind-ro=/nix/store \ + --bind-ro=/nix/var/nix/db \ + --bind-ro=/nix/var/nix/daemon-socket \ + --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ + --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ + ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \ + --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ + --setenv HOST_BRIDGE="$HOST_BRIDGE" \ + --setenv HOST_ADDRESS="$HOST_ADDRESS" \ + --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ + --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \ + --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \ + --setenv HOST_PORT="$HOST_PORT" \ + --setenv PATH="$PATH" \ + ${optionalString cfg.ephemeral "--ephemeral"} \ + ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then + ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else "" + } \ + ${if cfg.tmpfs != null && cfg.tmpfs != [] then + ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else "" + } \ + ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" + ''; + + preStartScript = cfg: + '' + # Clean up existing machined registration and interfaces. + machinectl terminate "$INSTANCE" 2> /dev/null || true + + if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || + [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then + ip link del dev "ve-$INSTANCE" 2> /dev/null || true + ip link del dev "vb-$INSTANCE" 2> /dev/null || true + fi + + ${concatStringsSep "\n" ( + mapAttrsToList (name: cfg: + ''ip link del dev ${name} 2> /dev/null || true '' + ) cfg.extraVeths + )} + ''; + + postStartScript = (cfg: + let + ipcall = cfg: ipcmd: variable: attribute: + if cfg.${attribute} == null then + '' + if [ -n "${variable}" ]; then + ${ipcmd} add ${variable} dev $ifaceHost + fi + '' + else + ''${ipcmd} add ${cfg.${attribute}} dev $ifaceHost''; + renderExtraVeth = name: cfg: + if cfg.hostBridge != null then + '' + # Add ${name} to bridge ${cfg.hostBridge} + ip link set dev ${name} master ${cfg.hostBridge} up + '' + else + '' + echo "Bring ${name} up" + ip link set dev ${name} up + # Set IPs and routes for ${name} + ${optionalString (cfg.hostAddress != null) '' + ip addr add ${cfg.hostAddress} dev ${name} + ''} + ${optionalString (cfg.hostAddress6 != null) '' + ip -6 addr add ${cfg.hostAddress6} dev ${name} + ''} + ${optionalString (cfg.localAddress != null) '' + ip route add ${cfg.localAddress} dev ${name} + ''} + ${optionalString (cfg.localAddress6 != null) '' + ip -6 route add ${cfg.localAddress6} dev ${name} + ''} + ''; + in + '' + if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || + [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then + if [ -z "$HOST_BRIDGE" ]; then + ifaceHost=ve-$INSTANCE + ip link set dev $ifaceHost up + + ${ipcall cfg "ip addr" "$HOST_ADDRESS" "hostAddress"} + ${ipcall cfg "ip -6 addr" "$HOST_ADDRESS6" "hostAddress6"} + ${ipcall cfg "ip route" "$LOCAL_ADDRESS" "localAddress"} + ${ipcall cfg "ip -6 route" "$LOCAL_ADDRESS6" "localAddress6"} + fi + ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} + fi + '' + ); + + serviceDirectives = cfg: { + ExecReload = pkgs.writeScript "reload-container" + '' + #! ${pkgs.runtimeShell} -e + ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \ + bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" + ''; + + SyslogIdentifier = "container %i"; + + EnvironmentFile = "-/etc/containers/%i.conf"; + + Type = "notify"; + + RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i"; + + # Note that on reboot, systemd-nspawn returns 133, so this + # unit will be restarted. On poweroff, it returns 0, so the + # unit won't be restarted. + RestartForceExitStatus = "133"; + SuccessExitStatus = "133"; + + # Some containers take long to start + # especially when you automatically start many at once + TimeoutStartSec = cfg.timeoutStartSec; + + Restart = "on-failure"; + + Slice = "machine.slice"; + Delegate = true; + + # Hack: we don't want to kill systemd-nspawn, since we call + # "machinectl poweroff" in preStop to shut down the + # container cleanly. But systemd requires sending a signal + # (at least if we want remaining processes to be killed + # after the timeout). So send an ignored signal. + KillMode = "mixed"; + KillSignal = "WINCH"; + + DevicePolicy = "closed"; + DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; + }; + + + system = config.nixpkgs.localSystem.system; + + bindMountOpts = { name, ... }: { + + options = { + mountPoint = mkOption { + example = "/mnt/usb"; + type = types.str; + description = "Mount point on the container file system."; + }; + hostPath = mkOption { + default = null; + example = "/home/alice"; + type = types.nullOr types.str; + description = "Location of the host path to be mounted."; + }; + isReadOnly = mkOption { + default = true; + type = types.bool; + description = "Determine whether the mounted path will be accessed in read-only mode."; + }; + }; + + config = { + mountPoint = mkDefault name; + }; + + }; + + allowedDeviceOpts = { ... }: { + options = { + node = mkOption { + example = "/dev/net/tun"; + type = types.str; + description = "Path to device node"; + }; + modifier = mkOption { + example = "rw"; + type = types.str; + description = '' + Device node access modifier. Takes a combination + <literal>r</literal> (read), <literal>w</literal> (write), and + <literal>m</literal> (mknod). See the + <literal>systemd.resource-control(5)</literal> man page for more + information.''; + }; + }; + }; + + + mkBindFlag = d: + let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind="; + mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}"; + in flagPrefix + mountstr ; + + mkBindFlags = bs: concatMapStrings mkBindFlag (lib.attrValues bs); + + networkOptions = { + hostBridge = mkOption { + type = types.nullOr types.str; + default = null; + example = "br0"; + description = '' + Put the host-side of the veth-pair into the named bridge. + Only one of hostAddress* or hostBridge can be given. + ''; + }; + + forwardPorts = mkOption { + type = types.listOf (types.submodule { + options = { + protocol = mkOption { + type = types.str; + default = "tcp"; + description = "The protocol specifier for port forwarding between host and container"; + }; + hostPort = mkOption { + type = types.int; + description = "Source port of the external interface on host"; + }; + containerPort = mkOption { + type = types.nullOr types.int; + default = null; + description = "Target port of container"; + }; + }; + }); + default = []; + example = [ { protocol = "tcp"; hostPort = 8080; containerPort = 80; } ]; + description = '' + List of forwarded ports from host to container. Each forwarded port + is specified by protocol, hostPort and containerPort. By default, + protocol is tcp and hostPort and containerPort are assumed to be + the same if containerPort is not explicitly given. + ''; + }; + + + hostAddress = mkOption { + type = types.nullOr types.str; + default = null; + example = "10.231.136.1"; + description = '' + The IPv4 address assigned to the host interface. + (Not used when hostBridge is set.) + ''; + }; + + hostAddress6 = mkOption { + type = types.nullOr types.str; + default = null; + example = "fc00::1"; + description = '' + The IPv6 address assigned to the host interface. + (Not used when hostBridge is set.) + ''; + }; + + localAddress = mkOption { + type = types.nullOr types.str; + default = null; + example = "10.231.136.2"; + description = '' + The IPv4 address assigned to the interface in the container. + If a hostBridge is used, this should be given with netmask to access + the whole network. Otherwise the default netmask is /32 and routing is + set up from localAddress to hostAddress and back. + ''; + }; + + localAddress6 = mkOption { + type = types.nullOr types.str; + default = null; + example = "fc00::2"; + description = '' + The IPv6 address assigned to the interface in the container. + If a hostBridge is used, this should be given with netmask to access + the whole network. Otherwise the default netmask is /128 and routing is + set up from localAddress6 to hostAddress6 and back. + ''; + }; + + }; + + dummyConfig = + { + extraVeths = {}; + additionalCapabilities = []; + ephemeral = false; + timeoutStartSec = "15s"; + allowedDevices = []; + hostAddress = null; + hostAddress6 = null; + localAddress = null; + localAddress6 = null; + tmpfs = null; + }; + +in + +{ + options = { + + boot.isContainer = mkOption { + type = types.bool; + default = false; + description = '' + Whether this NixOS machine is a lightweight container running + in another NixOS system. If set to true, support for nested + containers is disabled by default, but can be reenabled by + setting <option>boot.enableContainers</option> to true. + ''; + }; + + boot.enableContainers = mkOption { + type = types.bool; + default = !config.boot.isContainer; + description = '' + Whether to enable support for NixOS containers. Defaults to true + (at no cost if containers are not actually used), but only if the + system is not itself a lightweight container of a host. + To enable support for nested containers, this option has to be + explicitly set to true (in the outer container). + ''; + }; + + containers = mkOption { + type = types.attrsOf (types.submodule ( + { config, options, name, ... }: + { + options = { + + config = mkOption { + description = '' + A specification of the desired configuration of this + container, as a NixOS module. + ''; + type = let + confPkgs = if config.pkgs == null then pkgs else config.pkgs; + in lib.mkOptionType { + name = "Toplevel NixOS config"; + merge = loc: defs: (import (confPkgs.path + "/nixos/lib/eval-config.nix") { + inherit system; + pkgs = confPkgs; + baseModules = import (confPkgs.path + "/nixos/modules/module-list.nix"); + inherit (confPkgs) lib; + modules = + let + extraConfig = { + _file = "module at ${__curPos.file}:${toString __curPos.line}"; + config = { + boot.isContainer = true; + networking.hostName = mkDefault name; + networking.useDHCP = false; + assertions = [ + { + assertion = config.privateNetwork -> stringLength name < 12; + message = '' + Container name `${name}` is too long: When `privateNetwork` is enabled, container names can + not be longer than 11 characters, because the container's interface name is derived from it. + This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509 + ''; + } + ]; + }; + }; + in [ extraConfig ] ++ (map (x: x.value) defs); + prefix = [ "containers" name ]; + }).config; + }; + }; + + path = mkOption { + type = types.path; + example = "/nix/var/nix/profiles/containers/webserver"; + description = '' + As an alternative to specifying + <option>config</option>, you can specify the path to + the evaluated NixOS system configuration, typically a + symlink to a system profile. + ''; + }; + + additionalCapabilities = mkOption { + type = types.listOf types.str; + default = []; + example = [ "CAP_NET_ADMIN" "CAP_MKNOD" ]; + description = '' + Grant additional capabilities to the container. See the + capabilities(7) and systemd-nspawn(1) man pages for more + information. + ''; + }; + + pkgs = mkOption { + type = types.nullOr types.attrs; + default = null; + example = literalExample "pkgs"; + description = '' + Customise which nixpkgs to use for this container. + ''; + }; + + ephemeral = mkOption { + type = types.bool; + default = false; + description = '' + Runs container in ephemeral mode with the empty root filesystem at boot. + This way container will be bootstrapped from scratch on each boot + and will be cleaned up on shutdown leaving no traces behind. + Useful for completely stateless, reproducible containers. + + Note that this option might require to do some adjustments to the container configuration, + e.g. you might want to set + <varname>systemd.network.networks.$interface.dhcpV4Config.ClientIdentifier</varname> to "mac" + if you use <varname>macvlans</varname> option. + This way dhcp client identifier will be stable between the container restarts. + + Note that the container journal will not be linked to the host if this option is enabled. + ''; + }; + + enableTun = mkOption { + type = types.bool; + default = false; + description = '' + Allows the container to create and setup tunnel interfaces + by granting the <literal>NET_ADMIN</literal> capability and + enabling access to <literal>/dev/net/tun</literal>. + ''; + }; + + privateNetwork = mkOption { + type = types.bool; + default = false; + description = '' + Whether to give the container its own private virtual + Ethernet interface. The interface is called + <literal>eth0</literal>, and is hooked up to the interface + <literal>ve-<replaceable>container-name</replaceable></literal> + on the host. If this option is not set, then the + container shares the network interfaces of the host, + and can bind to any port on any interface. + ''; + }; + + interfaces = mkOption { + type = types.listOf types.str; + default = []; + example = [ "eth1" "eth2" ]; + description = '' + The list of interfaces to be moved into the container. + ''; + }; + + macvlans = mkOption { + type = types.listOf types.str; + default = []; + example = [ "eth1" "eth2" ]; + description = '' + The list of host interfaces from which macvlans will be + created. For each interface specified, a macvlan interface + will be created and moved to the container. + ''; + }; + + extraVeths = mkOption { + type = with types; attrsOf (submodule { options = networkOptions; }); + default = {}; + description = '' + Extra veth-pairs to be created for the container. + ''; + }; + + autoStart = mkOption { + type = types.bool; + default = false; + description = '' + Whether the container is automatically started at boot-time. + ''; + }; + + timeoutStartSec = mkOption { + type = types.str; + default = "1min"; + description = '' + Time for the container to start. In case of a timeout, + the container processes get killed. + See <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry> + for more information about the format. + ''; + }; + + bindMounts = mkOption { + type = with types; loaOf (submodule bindMountOpts); + default = {}; + example = literalExample '' + { "/home" = { hostPath = "/home/alice"; + isReadOnly = false; }; + } + ''; + + description = + '' + An extra list of directories that is bound to the container. + ''; + }; + + allowedDevices = mkOption { + type = with types; listOf (submodule allowedDeviceOpts); + default = []; + example = [ { node = "/dev/net/tun"; modifier = "rw"; } ]; + description = '' + A list of device nodes to which the containers has access to. + ''; + }; + + tmpfs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "/var" ]; + description = '' + Mounts a set of tmpfs file systems into the container. + Multiple paths can be specified. + Valid items must conform to the --tmpfs argument + of systemd-nspawn. See systemd-nspawn(1) for details. + ''; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--drop-capability=CAP_SYS_CHROOT" ]; + description = '' + Extra flags passed to the systemd-nspawn command. + See systemd-nspawn(1) for details. + ''; + }; + + } // networkOptions; + + config = mkMerge + [ + (mkIf options.config.isDefined { + path = config.config.system.build.toplevel; + }) + ]; + })); + + default = {}; + example = literalExample + '' + { webserver = + { path = "/nix/var/nix/profiles/webserver"; + }; + database = + { config = + { config, pkgs, ... }: + { services.postgresql.enable = true; + services.postgresql.package = pkgs.postgresql_9_6; + + system.stateVersion = "17.03"; + }; + }; + } + ''; + description = '' + A set of NixOS system configurations to be run as lightweight + containers. Each container appears as a service + <literal>container-<replaceable>name</replaceable></literal> + on the host system, allowing it to be started and stopped via + <command>systemctl</command>. + ''; + }; + + }; + + + config = mkIf (config.boot.enableContainers) (let + + unit = { + description = "Container '%i'"; + + unitConfig.RequiresMountsFor = "/var/lib/containers/%i"; + + path = [ pkgs.iproute ]; + + environment = { + root = "/var/lib/containers/%i"; + INSTANCE = "%i"; + }; + + preStart = preStartScript dummyConfig; + + script = startScript dummyConfig; + + postStart = postStartScript dummyConfig; + + preStop = "machinectl poweroff $INSTANCE"; + + restartIfChanged = false; + + serviceConfig = serviceDirectives dummyConfig; + }; + in { + systemd.targets.multi-user.wants = [ "machines.target" ]; + + systemd.services = listToAttrs (filter (x: x.value != null) ( + # The generic container template used by imperative containers + [{ name = "container@"; value = unit; }] + # declarative containers + ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (let + containerConfig = cfg // ( + if cfg.enableTun then + { + allowedDevices = cfg.allowedDevices + ++ [ { node = "/dev/net/tun"; modifier = "rw"; } ]; + additionalCapabilities = cfg.additionalCapabilities + ++ [ "CAP_NET_ADMIN" ]; + } + else {}); + in + recursiveUpdate unit { + preStart = preStartScript containerConfig; + script = startScript containerConfig; + postStart = postStartScript containerConfig; + serviceConfig = serviceDirectives containerConfig; + unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i"; + environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i"; + } // ( + if containerConfig.autoStart then + { + wantedBy = [ "machines.target" ]; + wants = [ "network.target" ]; + after = [ "network.target" ]; + restartTriggers = [ + containerConfig.path + config.environment.etc."containers/${name}.conf".source + ]; + restartIfChanged = true; + } + else {}) + )) config.containers) + )); + + # Generate a configuration file in /etc/containers for each + # container so that container@.target can get the container + # configuration. + environment.etc = + let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort); + in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf" + { text = + '' + SYSTEM_PATH=${cfg.path} + ${optionalString cfg.privateNetwork '' + PRIVATE_NETWORK=1 + ${optionalString (cfg.hostBridge != null) '' + HOST_BRIDGE=${cfg.hostBridge} + ''} + ${optionalString (length cfg.forwardPorts > 0) '' + HOST_PORT=${concatStringsSep "," (map mkPortStr cfg.forwardPorts)} + ''} + ${optionalString (cfg.hostAddress != null) '' + HOST_ADDRESS=${cfg.hostAddress} + ''} + ${optionalString (cfg.hostAddress6 != null) '' + HOST_ADDRESS6=${cfg.hostAddress6} + ''} + ${optionalString (cfg.localAddress != null) '' + LOCAL_ADDRESS=${cfg.localAddress} + ''} + ${optionalString (cfg.localAddress6 != null) '' + LOCAL_ADDRESS6=${cfg.localAddress6} + ''} + ''} + INTERFACES="${toString cfg.interfaces}" + MACVLANS="${toString cfg.macvlans}" + ${optionalString cfg.autoStart '' + AUTO_START=1 + ''} + EXTRA_NSPAWN_FLAGS="${mkBindFlags cfg.bindMounts + + optionalString (cfg.extraFlags != []) + (" " + concatStringsSep " " cfg.extraFlags)}" + ''; + }) config.containers; + + # Generate /etc/hosts entries for the containers. + networking.extraHosts = concatStrings (mapAttrsToList (name: cfg: optionalString (cfg.localAddress != null) + '' + ${head (splitString "/" cfg.localAddress)} ${name}.containers + '') config.containers); + + networking.dhcpcd.denyInterfaces = [ "ve-*" "vb-*" ]; + + services.udev.extraRules = optionalString config.networking.networkmanager.enable '' + # Don't manage interfaces created by nixos-container. + ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1" + ''; + + environment.systemPackages = [ pkgs.nixos-container ]; + + boot.kernelModules = [ + "bridge" + "macvlan" + "tap" + "tun" + ]; + }); +} diff --git a/nixos/modules/virtualisation/docker-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index 5ab990a3d7cc..a46dd65eb491 100644 --- a/nixos/modules/virtualisation/docker-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -1,17 +1,20 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; let - cfg = config.docker-containers; + cfg = config.virtualisation.oci-containers; + proxy_env = config.networking.proxy.envVars; - dockerContainer = + defaultBackend = options.virtualisation.oci-containers.backend.default; + + containerOptions = { ... }: { options = { image = mkOption { type = with types; str; - description = "Docker image to run."; + description = "OCI image to run."; example = "library/hello-world"; }; @@ -58,18 +61,19 @@ let log-driver = mkOption { type = types.str; - default = "none"; + default = "journald"; description = '' Logging driver for the container. The default of - <literal>"none"</literal> means that the container's logs will be - handled as part of the systemd unit. Setting this to - <literal>"journald"</literal> will result in duplicate logging, but - the container's logs will be visible to the <command>docker - logs</command> command. - - For more details and a full list of logging drivers, refer to the - <link xlink:href="https://docs.docker.com/engine/reference/run/#logging-drivers---log-driver"> - Docker engine documentation</link> + <literal>"journald"</literal> means that the container's logs will be + handled as part of the systemd unit. + + For more details and a full list of logging drivers, refer to respective backends documentation. + + For Docker: + <link xlink:href="https://docs.docker.com/engine/reference/run/#logging-drivers---log-driver">Docker engine documentation</link> + + For Podman: + Refer to the docker-run(1) man page. ''; }; @@ -172,10 +176,10 @@ let description = '' Define which other containers this one depends on. They will be added to both After and Requires for the unit. - Use the same name as the attribute under <literal>services.docker-containers</literal>. + Use the same name as the attribute under <literal>virtualisation.oci-containers</literal>. ''; example = literalExample '' - services.docker-containers = { + virtualisation.oci-containers = { node1 = {}; node2 = { dependsOn = [ "node1" ]; @@ -184,10 +188,10 @@ let ''; }; - extraDockerOptions = mkOption { + extraOptions = mkOption { type = with types; listOf str; default = []; - description = "Extra options for <command>docker run</command>."; + description = "Extra options for <command>${defaultBackend} run</command>."; example = literalExample '' ["--network=host"] ''; @@ -205,24 +209,31 @@ let }; mkService = name: container: let - mkAfter = map (x: "docker-${x}.service") container.dependsOn; - in rec { + dependsOn = map (x: "${cfg.backend}-${x}.service") container.dependsOn; + in { wantedBy = [] ++ optional (container.autoStart) "multi-user.target"; - after = [ "docker.service" "docker.socket" ] ++ mkAfter; - requires = after; - path = [ pkgs.docker ]; + after = lib.optionals (cfg.backend == "docker") [ "docker.service" "docker.socket" ] ++ dependsOn; + requires = dependsOn; + environment = proxy_env; + + path = + if cfg.backend == "docker" then [ pkgs.docker ] + else if cfg.backend == "podman" then [ config.virtualisation.podman.package ] + else throw "Unhandled backend: ${cfg.backend}"; preStart = '' - docker rm -f ${name} || true + ${cfg.backend} rm -f ${name} || true ${optionalString (container.imageFile != null) '' - docker load -i ${container.imageFile} + ${cfg.backend} load -i ${container.imageFile} ''} ''; - postStop = "docker rm -f ${name} || true"; - + postStop = "${cfg.backend} rm -f ${name} || true"; + serviceConfig = { + StandardOutput = "null"; + StandardError = "null"; ExecStart = concatStringsSep " \\\n " ([ - "${pkgs.docker}/bin/docker run" + "${config.system.path}/bin/${cfg.backend} run" "--rm" "--name=${name}" "--log-driver=${container.log-driver}" @@ -233,12 +244,12 @@ let ++ optional (container.user != null) "-u ${escapeShellArg container.user}" ++ map (v: "-v ${escapeShellArg v}") container.volumes ++ optional (container.workdir != null) "-w ${escapeShellArg container.workdir}" - ++ map escapeShellArg container.extraDockerOptions + ++ map escapeShellArg container.extraOptions ++ [container.image] ++ map escapeShellArg container.cmd ); - ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || docker stop ${name}"''; + ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || ${cfg.backend} stop ${name}"''; ### There is no generalized way of supporting `reload` for docker ### containers. Some containers may respond well to SIGHUP sent to their @@ -263,19 +274,50 @@ let }; in { + imports = [ + ( + lib.mkChangedOptionModule + [ "docker-containers" ] + [ "virtualisation" "oci-containers" ] + (oldcfg: { + backend = "docker"; + containers = lib.mapAttrs (n: v: builtins.removeAttrs (v // { + extraOptions = v.extraDockerOptions or []; + }) [ "extraDockerOptions" ]) oldcfg.docker-containers; + }) + ) + ]; + + options.virtualisation.oci-containers = { + + backend = mkOption { + type = types.enum [ "podman" "docker" ]; + default = + # TODO: Once https://github.com/NixOS/nixpkgs/issues/77925 is resolved default to podman + # if versionAtLeast config.system.stateVersion "20.09" then "podman" + # else "docker"; + "docker"; + description = "The underlying Docker implementation to use."; + }; - options.docker-containers = mkOption { - default = {}; - type = types.attrsOf (types.submodule dockerContainer); - description = "Docker containers to run as systemd services."; - }; - - config = mkIf (cfg != {}) { - - systemd.services = mapAttrs' (n: v: nameValuePair "docker-${n}" (mkService n v)) cfg; - - virtualisation.docker.enable = true; + containers = mkOption { + default = {}; + type = types.attrsOf (types.submodule containerOptions); + description = "OCI (Docker) containers to run as systemd services."; + }; }; + config = lib.mkIf (cfg.containers != {}) (lib.mkMerge [ + { + systemd.services = mapAttrs' (n: v: nameValuePair "${cfg.backend}-${n}" (mkService n v)) cfg.containers; + } + (lib.mkIf (cfg.backend == "podman") { + virtualisation.podman.enable = true; + }) + (lib.mkIf (cfg.backend == "docker") { + virtualisation.docker.enable = true; + }) + ]); + } diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix new file mode 100644 index 000000000000..652850bf5006 --- /dev/null +++ b/nixos/modules/virtualisation/podman.nix @@ -0,0 +1,123 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.virtualisation.podman; + + inherit (lib) mkOption types; + + podmanPackage = (pkgs.podman.override { inherit (cfg) extraPackages; }); + + # Provides a fake "docker" binary mapping to podman + dockerCompat = pkgs.runCommandNoCC "${podmanPackage.pname}-docker-compat-${podmanPackage.version}" { + outputs = [ "out" "man" ]; + inherit (podmanPackage) meta; + } '' + mkdir -p $out/bin + ln -s ${podmanPackage}/bin/podman $out/bin/docker + + mkdir -p $man/share/man/man1 + for f in ${podmanPackage.man}/share/man/man1/*; do + basename=$(basename $f | sed s/podman/docker/g) + ln -s $f $man/share/man/man1/$basename + done + ''; + + # Copy configuration files to avoid having the entire sources in the system closure + copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} '' + cp ${filePath} $out + ''; + +in +{ + meta = { + maintainers = lib.teams.podman.members; + }; + + options.virtualisation.podman = { + + enable = + mkOption { + type = types.bool; + default = false; + description = '' + This option enables Podman, a daemonless container engine for + developing, managing, and running OCI Containers on your Linux System. + + It is a drop-in replacement for the <command>docker</command> command. + ''; + }; + + dockerCompat = mkOption { + type = types.bool; + default = false; + description = '' + Create an alias mapping <command>docker</command> to <command>podman</command>. + ''; + }; + + extraPackages = mkOption { + type = with types; listOf package; + default = [ ]; + example = lib.literalExample '' + [ + pkgs.gvisor + ] + ''; + description = '' + Extra packages to be installed in the Podman wrapper. + ''; + }; + + libpod = mkOption { + default = {}; + description = "Libpod configuration"; + type = types.submodule { + options = { + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration that should be put in the libpod.conf + configuration file + ''; + + }; + }; + }; + }; + + package = lib.mkOption { + type = types.package; + default = podmanPackage; + internal = true; + description = '' + The final Podman package (including extra packages). + ''; + }; + + + }; + + config = lib.mkIf cfg.enable { + + environment.systemPackages = [ cfg.package ] + ++ lib.optional cfg.dockerCompat dockerCompat; + + environment.etc."containers/libpod.conf".text = '' + cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"] + + '' + cfg.libpod.extraConfig; + + environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman-unwrapped.src}/cni/87-podman-bridge.conflist"; + + # Enable common /etc/containers configuration + virtualisation.containers.enable = true; + + assertions = [{ + assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable; + message = "Option dockerCompat conflicts with docker"; + }]; + + }; + +} diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 31d332e9f07a..ac86330c098b 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -189,9 +189,18 @@ let mkdir /boot/grub echo '(hd0) /dev/vda' > /boot/grub/device.map - # Install GRUB and generate the GRUB boot menu. - touch /etc/NIXOS + # This is needed for systemd-boot to find ESP, and udev is not available here to create this + mkdir -p /dev/block + ln -s /dev/vda2 /dev/block/254:2 + + # Set up system profile (normally done by nixos-rebuild / nix-env --set) mkdir -p /nix/var/nix/profiles + ln -s ${config.system.build.toplevel} /nix/var/nix/profiles/system-1-link + ln -s /nix/var/nix/profiles/system-1-link /nix/var/nix/profiles/system + + # Install bootloader + touch /etc/NIXOS + export NIXOS_INSTALL_BOOTLOADER=1 ${config.system.build.toplevel}/bin/switch-to-configuration boot umount /boot @@ -499,7 +508,7 @@ in # FIXME: Consolidate this one day. virtualisation.qemu.options = mkMerge [ (mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ - "-vga std" "-usb" "-device usb-tablet,bus=usb-bus.0" + "-usb" "-device usb-tablet,bus=usb-bus.0" ]) (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" diff --git a/nixos/modules/virtualisation/rkt.nix b/nixos/modules/virtualisation/rkt.nix deleted file mode 100644 index fd662b52df52..000000000000 --- a/nixos/modules/virtualisation/rkt.nix +++ /dev/null @@ -1,64 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.virtualisation.rkt; -in -{ - options.virtualisation.rkt = { - enable = mkEnableOption "rkt metadata service"; - - gc = { - automatic = mkOption { - default = true; - type = types.bool; - description = "Automatically run the garbage collector at a specific time."; - }; - - dates = mkOption { - default = "03:15"; - type = types.str; - description = '' - Specification (in the format described by - <citerefentry><refentrytitle>systemd.time</refentrytitle> - <manvolnum>7</manvolnum></citerefentry>) of the time at - which the garbage collector will run. - ''; - }; - - options = mkOption { - default = "--grace-period=24h"; - type = types.str; - description = '' - Options given to <filename>rkt gc</filename> when the - garbage collector is run automatically. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.rkt ]; - - systemd.services.rkt = { - description = "rkt metadata service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = "${pkgs.rkt}/bin/rkt metadata-service"; - }; - }; - - systemd.services.rkt-gc = { - description = "rkt garbage collection"; - startAt = optionalString cfg.gc.automatic cfg.gc.dates; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.rkt}/bin/rkt gc ${cfg.gc.options}"; - }; - }; - - users.groups.rkt = {}; - }; -} diff --git a/nixos/modules/virtualisation/vmware-image.nix b/nixos/modules/virtualisation/vmware-image.nix new file mode 100644 index 000000000000..9da9e145f7a9 --- /dev/null +++ b/nixos/modules/virtualisation/vmware-image.nix @@ -0,0 +1,90 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + boolToStr = value: if value then "on" else "off"; + cfg = config.vmware; + + subformats = [ + "monolithicSparse" + "monolithicFlat" + "twoGbMaxExtentSparse" + "twoGbMaxExtentFlat" + "streamOptimized" + ]; + +in { + options = { + vmware = { + baseImageSize = mkOption { + type = types.int; + default = 2048; + description = '' + The size of the VMWare base image in MiB. + ''; + }; + vmDerivationName = mkOption { + type = types.str; + default = "nixos-vmware-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}"; + description = '' + The name of the derivation for the VMWare appliance. + ''; + }; + vmFileName = mkOption { + type = types.str; + default = "nixos-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.vmdk"; + description = '' + The file name of the VMWare appliance. + ''; + }; + vmSubformat = mkOption { + type = types.enum subformats; + default = "monolithicSparse"; + description = "Specifies which VMDK subformat to use."; + }; + vmCompat6 = mkOption { + type = types.bool; + default = false; + example = true; + description = "Create a VMDK version 6 image (instead of version 4)."; + }; + }; + }; + + config = { + system.build.vmwareImage = import ../../lib/make-disk-image.nix { + name = cfg.vmDerivationName; + postVM = '' + ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o compat6=${boolToStr cfg.vmCompat6},subformat=${cfg.vmSubformat} -O vmdk $diskImage $out/${cfg.vmFileName} + rm $diskImage + ''; + format = "raw"; + diskSize = cfg.baseImageSize; + partitionTableType = "efi"; + inherit config lib pkgs; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; + + boot.growPartition = true; + + boot.loader.grub = { + version = 2; + device = "nodev"; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + virtualisation.vmware.guest.enable = true; + }; +} diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 7f0af9901b9b..7b2a66c43489 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -103,6 +103,7 @@ in }; forwardDns = mkOption { + type = types.bool; default = false; description = '' If set to <literal>true</literal>, the DNS queries from the @@ -135,14 +136,8 @@ in }; }; - virtualisation.xen.trace = - mkOption { - default = false; - description = - '' - Enable Xen tracing. - ''; - }; + virtualisation.xen.trace = mkEnableOption "Xen tracing"; + }; |