Diffstat (limited to 'nixos/modules')
63 files changed, 1102 insertions, 385 deletions
diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index 642aedc3f242..f2db428a4441 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -98,9 +98,9 @@ in { package = mkOption { type = types.package; - default = pulseaudioLight; - defaultText = "pkgs.pulseaudioLight"; - example = literalExample "pkgs.pulseaudioFull"; + default = pulseaudioLight.out; + defaultText = "pkgs.pulseaudioLight.out"; + example = literalExample "pkgs.pulseaudioFull.out"; description = '' The PulseAudio derivation to use. This can be used to enable features (such as JACK support, Bluetooth) via the @@ -134,7 +134,7 @@ in { } (mkIf cfg.enable { - environment.systemPackages = [ cfg.package.out ]; + environment.systemPackages = [ cfg.package ]; environment.etc = singleton { target = "asound.conf"; @@ -158,7 +158,7 @@ in { wantedBy = [ "default.target" ]; serviceConfig = { Type = "notify"; - ExecStart = "${cfg.package}/bin/pulseaudio --daemonize=no"; + ExecStart = "${cfg.package.out}/bin/pulseaudio --daemonize=no"; Restart = "on-failure"; }; }; diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index d0d481f72a40..fb8e1ccab667 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -22,7 +22,11 @@ with lib; ###### implementation config = mkIf config.hardware.enableAllFirmware { - hardware.firmware = [ pkgs.firmwareLinuxNonfree pkgs.intel2200BGFirmware ]; + hardware.firmware = with pkgs; [ + firmwareLinuxNonfree + intel2200BGFirmware + rtl8723bs-firmware + ]; }; } diff --git a/nixos/modules/hardware/video/webcam/facetimehd.nix b/nixos/modules/hardware/video/webcam/facetimehd.nix index b35709763b90..2a2fcf3057d4 100644 --- a/nixos/modules/hardware/video/webcam/facetimehd.nix +++ b/nixos/modules/hardware/video/webcam/facetimehd.nix 
@@ -31,13 +31,13 @@ in # unload module during suspend/hibernate as it crashes the whole system powerManagement.powerDownCommands = '' - ${pkgs.module_init_tools}/bin/rmmod -f facetimehd + ${pkgs.kmod}/bin/lsmod | ${pkgs.gnugrep}/bin/grep -q "^facetimehd" && ${pkgs.kmod}/bin/rmmod -f -v facetimehd ''; # and load it back on resume powerManagement.resumeCommands = '' export MODULE_DIR=/run/current-system/kernel-modules/lib/modules - ${pkgs.module_init_tools}/bin/modprobe -v facetimehd + ${pkgs.kmod}/bin/modprobe -v facetimehd ''; }; diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index 1e5e2b2615c8..cd6e72755dea 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -34,7 +34,7 @@ in if ! [ -e /var/lib/nixos/did-channel-init ]; then echo "unpacking the NixOS/Nixpkgs sources..." mkdir -p /nix/var/nix/profiles/per-user/root - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ -i ${channelSources} --quiet --option build-use-substitutes false mkdir -m 0700 -p /root/.nix-defexpr ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 5702e2d9a1e5..c31ded977e68 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix 
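Review bot: The new `lsmod | grep -q "^facetimehd" && rmmod -f -v facetimehd` line in the facetimehd powerDownCommands hunk exits non-zero whenever the module is not loaded, because the `&&` chain short-circuits; if the generated hook script runs under `set -e` or its status is checked, suspend on a machine without the module becomes a failure instead of a no-op. An explicit conditional keeps the status clean: `if ${pkgs.kmod}/bin/lsmod | ${pkgs.gnugrep}/bin/grep -q "^facetimehd"; then ${pkgs.kmod}/bin/rmmod -f -v facetimehd; fi`. The `-f` carried over from the old line forces removal even when the kernel considers the module in use, which deserves a one-line comment next to the existing "crashes the whole system" note so the next maintainer does not drop it or add it blindly elsewhere.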
@@ -364,12 +364,12 @@ in '' # After booting, register the contents of the Nix store on the # CD in the Nix database in the tmpfs. - ${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration + ${config.nix.package.out}/bin/nix-store --load-db < /nix/store/nix-path-registration # nixos-rebuild also requires a "system" profile and an # /etc/NIXOS tag. touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ''; # Add vfat support to the initrd to enable people to copy the diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix index 9eba542d8c91..23312c073d56 100644 --- a/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixos/modules/installer/cd-dvd/sd-image.nix @@ -113,11 +113,11 @@ in ${pkgs.e2fsprogs}/bin/resize2fs $rootPart # Register the contents of the initial Nix store - ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration + ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag. touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system # Prevents this from running on later boots. rm -f /nix-path-registration diff --git a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix index 6fe490b02bf4..d984cb307170 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix 
@@ -52,8 +52,7 @@ in # Include some utilities that are useful for installing or repairing # the system. environment.systemPackages = - [ pkgs.subversion # for nixos-checkout - pkgs.w3m # needed for the manual anyway + [ pkgs.w3m # needed for the manual anyway pkgs.testdisk # useful for repairing boot problems pkgs.mssys # for writing Microsoft boot sectors / MBRs pkgs.parted diff --git a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 7badfcb8df22..9e733241993d 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -49,8 +49,7 @@ in # Include some utilities that are useful for installing or repairing # the system. environment.systemPackages = - [ pkgs.subversion # for nixos-checkout - pkgs.w3m # needed for the manual anyway + [ pkgs.w3m # needed for the manual anyway pkgs.ddrescue pkgs.ccrypt pkgs.cryptsetup # needed for dm-crypt volumes diff --git a/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixos/modules/installer/cd-dvd/system-tarball.nix index 90e9b98a4575..1962a1959ead 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball.nix @@ -78,14 +78,14 @@ in # After booting, register the contents of the Nix store on the # CD in the Nix database in the tmpfs. if [ -f /nix-path-registration ]; then - ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration && + ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration && rm /nix-path-registration fi # nixos-rebuild also requires a "system" profile and an # /etc/NIXOS tag. touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ''; }; 
diff --git a/nixos/modules/installer/netboot/netboot-base.nix b/nixos/modules/installer/netboot/netboot-base.nix
new file mode 100644
index 000000000000..b12eaccf8707
--- /dev/null
+++ b/nixos/modules/installer/netboot/netboot-base.nix
@@ -0,0 +1,20 @@
+# This module contains the basic configuration for building netboot
+# images
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ imports =
+ [ ./netboot.nix
+
+ # Profiles of this basic netboot media
+ ../../profiles/all-hardware.nix
+ ../../profiles/base.nix
+ ../../profiles/installation-device.nix
+ ];
+
+ # Allow the user to log in as root without a password.
+ users.extraUsers.root.initialHashedPassword = "";
+}
diff --git a/nixos/modules/installer/netboot/netboot-minimal.nix b/nixos/modules/installer/netboot/netboot-minimal.nix
new file mode 100644
index 000000000000..8ad6234edc77
--- /dev/null
+++ b/nixos/modules/installer/netboot/netboot-minimal.nix
@@ -0,0 +1,10 @@
+# This module defines a small netboot environment.
+
+{ config, lib, ... }:
+
+{
+ imports =
+ [ ./netboot-base.nix
+ ../../profiles/minimal.nix
+ ];
+}
diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix
new file mode 100644
index 000000000000..366591a81148
--- /dev/null
+++ b/nixos/modules/installer/netboot/netboot.nix
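Review bot: `users.extraUsers.root.initialHashedPassword = ""` in netboot-base.nix gives the netboot image a passwordless root account, and the comment above it only says that this is allowed, not why or when it must be overridden. Unlike the installer ISO this image is fetched over the network, and any configuration that imports netboot-base.nix for something other than a one-off installer inherits the account unless it sets the option itself; if the installation-device profile it imports enables sshd (not visible in this diff), the effective root/empty-password login behaviour should be confirmed as well. Suggested replacement for the existing comment: `# Installer convenience, as on the ISO: passwordless root. Any image built from this module for another purpose must override initialHashedPassword before it is served.`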
@@ -0,0 +1,91 @@ +# This module creates netboot media containing the given NixOS +# configuration. + +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + + netboot.storeContents = mkOption { + example = literalExample "[ pkgs.stdenv ]"; + description = '' + This option lists additional derivations to be included in the + Nix store in the generated netboot image. + ''; + }; + + }; + + config = { + + boot.loader.grub.version = 2; + + # Don't build the GRUB menu builder script, since we don't need it + # here and it causes a cyclic dependency. + boot.loader.grub.enable = false; + + boot.initrd.postMountCommands = '' + mkdir -p /mnt-root/nix/store + mount -t squashfs /nix-store.squashfs /mnt-root/nix/store + ''; + + # !!! Hack - attributes expected by other modules. + system.boot.loader.kernelFile = "bzImage"; + environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ]; + + boot.consoleLogLevel = mkDefault 7; + + fileSystems."/" = + { fsType = "tmpfs"; + options = [ "mode=0755" ]; + }; + + boot.initrd.availableKernelModules = [ "squashfs" ]; + + boot.initrd.kernelModules = [ "loop" ]; + + # Closures to be copied to the Nix store, namely the init + # script and the top-level system configuration directory. + netboot.storeContents = + [ config.system.build.toplevel ]; + + # Create the squashfs image that contains the Nix store. 
+ system.build.squashfsStore = import ../../../lib/make-squashfs.nix { + inherit (pkgs) stdenv squashfsTools perl pathsFromGraph; + storeContents = config.netboot.storeContents; + }; + + + # Create the initrd + system.build.netbootRamdisk = pkgs.makeInitrd { + inherit (config.boot.initrd) compressor; + prepend = [ "${config.system.build.initialRamdisk}/initrd" ]; + + contents = + [ { object = config.system.build.squashfsStore; + symlink = "/nix-store.squashfs"; + } + ]; + }; + + system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" "#!ipxe\nkernel bzImage init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}\ninitrd initrd\nboot"; + + boot.loader.timeout = 10; + + boot.postBootCommands = + '' + # After booting, register the contents of the Nix store + # in the Nix database in the tmpfs. + ${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration + + # nixos-rebuild also requires a "system" profile and an + # /etc/NIXOS tag. + touch /etc/NIXOS + ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ''; + + }; + +} diff --git a/nixos/modules/installer/tools/auto-upgrade.nix b/nixos/modules/installer/tools/auto-upgrade.nix index 79ccb5c3d18a..b21b80c666aa 100644 --- a/nixos/modules/installer/tools/auto-upgrade.nix +++ b/nixos/modules/installer/tools/auto-upgrade.nix @@ -78,7 +78,7 @@ let cfg = config.system.autoUpgrade; in HOME = "/root"; }; - path = [ pkgs.gnutar pkgs.xz.bin config.nix.package ]; + path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ]; script = '' ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch ${toString cfg.flags} diff --git a/nixos/modules/installer/tools/nixos-checkout.nix b/nixos/modules/installer/tools/nixos-checkout.nix deleted file mode 100644 index 07274e139f7d..000000000000 --- a/nixos/modules/installer/tools/nixos-checkout.nix +++ /dev/null 
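Review bot: `boot.postBootCommands` in netboot.nix still uses `${config.nix.package}/bin/nix-store` and `${config.nix.package}/bin/nix-env`, while every other module touched by this commit (iso-image, sd-image, system-tarball, docker-container, channel) was moved to `config.nix.package.out`; with a multi-output nix package the default-output string may not be the output that contains `bin/`, which is what the rest of the commit works around. Change both lines to `${config.nix.package.out}/bin/nix-store --load-db < /nix/store/nix-path-registration` and `${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system`. Separately, `netboot.storeContents` is declared without a `type`; `type = types.listOf types.package;` would reject non-list values and make the list-merge that the default `[ config.system.build.toplevel ]` relies on explicit.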
@@ -1,60 +0,0 @@ -# This module generates the nixos-checkout script, which performs a -# checkout of the Nixpkgs Git repository. - -{ config, lib, pkgs, ... }: - -with lib; - -let - - nixosCheckout = pkgs.substituteAll { - name = "nixos-checkout"; - dir = "bin"; - isExecutable = true; - src = pkgs.writeScript "nixos-checkout" - '' - #! ${pkgs.stdenv.shell} -e - - if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - echo "Usage: `basename $0` [PREFIX]. See NixOS Manual for more info." - exit 0 - fi - - prefix="$1" - if [ -z "$prefix" ]; then prefix=/etc/nixos; fi - mkdir -p "$prefix" - cd "$prefix" - - if [ -z "$(type -P git)" ]; then - echo "installing Git..." - nix-env -iA nixos.git - fi - - # Move any old nixpkgs directories out of the way. - backupTimestamp=$(date "+%Y%m%d%H%M%S") - - if [ -e nixpkgs -a ! -e nixpkgs/.git ]; then - mv nixpkgs nixpkgs-$backupTimestamp - fi - - # Check out the Nixpkgs sources. - if ! [ -e nixpkgs/.git ]; then - echo "Creating repository in $prefix/nixpkgs..." - git init --quiet nixpkgs - else - echo "Updating repository in $prefix/nixpkgs..." - fi - cd nixpkgs - git remote add origin git://github.com/NixOS/nixpkgs.git || true - git remote add channels git://github.com/NixOS/nixpkgs-channels.git || true - git remote set-url origin --push git@github.com:NixOS/nixpkgs.git - git remote update - git checkout master - ''; - }; - -in - -{ - environment.systemPackages = [ nixosCheckout ]; -} diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index cd30958d9e8a..5ecdcdb3cdb5 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh 
@@ -271,7 +271,7 @@ remotePATH= if [ -n "$buildNix" ]; then echo "building Nix..." >&2 nixDrv= - if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then + if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then nixStorePath="$(prebuiltNix "$(uname -m)")" diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 9ac3b7a5b16f..b8fd9deaf1e4 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -22,17 +22,17 @@ let src = ./nixos-install.sh; inherit (pkgs) perl pathsFromGraph; - nix = config.nix.package; + nix = config.nix.package.out; nixClosure = pkgs.runCommand "closure" - { exportReferencesGraph = ["refs" config.nix.package]; } + { exportReferencesGraph = ["refs" config.nix.package.out]; } "cp refs $out"; }; nixos-rebuild = makeProg { name = "nixos-rebuild"; src = ./nixos-rebuild.sh; - nix = config.nix.package; + nix = config.nix.package.out; }; nixos-generate-config = makeProg { diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 9e6bbc744381..7e40c1366677 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -263,6 +263,8 @@ caddy = 239; taskd = 240; factorio = 241; + emby = 242; + graylog = 243; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -497,6 +499,7 @@ caddy = 239; taskd = 240; factorio = 241; + emby = 242; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 41b60773a70b..b92361f628be 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -47,7 +47,6 @@ ./i18n/input-method/nabi.nix ./i18n/input-method/uim.nix ./installer/tools/auto-upgrade.nix - ./installer/tools/nixos-checkout.nix ./installer/tools/tools.nix ./misc/assertions.nix ./misc/crashdump.nix @@ -71,6 +70,7 @@ ./programs/kbdlight.nix ./programs/light.nix ./programs/man.nix + ./programs/mosh.nix ./programs/nano.nix ./programs/screen.nix ./programs/shadow.nix @@ -158,6 +158,7 @@ ./services/desktops/gnome3/tracker.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/telepathy.nix + ./services/development/hoogle.nix ./services/games/factorio.nix ./services/games/ghost-one.nix ./services/games/minecraft-server.nix @@ -182,6 +183,7 @@ ./services/hardware/thermald.nix ./services/logging/awstats.nix ./services/logging/fluentd.nix + ./services/logging/graylog.nix ./services/logging/klogd.nix ./services/logging/logcheck.nix ./services/logging/logrotate.nix @@ -215,6 +217,7 @@ ./services/misc/dictd.nix ./services/misc/disnix.nix ./services/misc/docker-registry.nix + ./services/misc/emby.nix ./services/misc/etcd.nix ./services/misc/felix.nix ./services/misc/folding-at-home.nix @@ -336,6 +339,7 @@ ./services/networking/kippo.nix ./services/networking/lambdabot.nix ./services/networking/libreswan.nix + ./services/networking/logmein-hamachi.nix ./services/networking/mailpile.nix ./services/networking/mfi.nix ./services/networking/mjpg-streamer.nix @@ -399,6 +403,7 @@ ./services/networking/wicd.nix ./services/networking/wpa_supplicant.nix ./services/networking/xinetd.nix + ./services/networking/zerobin.nix ./services/networking/zerotierone.nix ./services/networking/znc.nix ./services/printing/cupsd.nix diff --git a/nixos/modules/profiles/docker-container.nix b/nixos/modules/profiles/docker-container.nix index df762b7ac584..433492b96137 100644 
--- a/nixos/modules/profiles/docker-container.nix +++ b/nixos/modules/profiles/docker-container.nix @@ -37,12 +37,12 @@ in { # After booting, register the contents of the Nix store in the Nix # database. if [ -f /nix-path-registration ]; then - ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration && + ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration && rm /nix-path-registration fi # nixos-rebuild also requires a "system" profile - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ''; # Install new init script diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1c3c07a1c210..e4e264ec0036 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -56,7 +56,7 @@ in */ shellAliases = mkOption { - default = config.environment.shellAliases // { which = "type -P"; }; + default = config.environment.shellAliases; description = '' Set of aliases for bash shell. See <option>environment.shellAliases</option> for an option format description. diff --git a/nixos/modules/programs/mosh.nix b/nixos/modules/programs/mosh.nix new file mode 100644 index 000000000000..b478f8e180fa --- /dev/null +++ b/nixos/modules/programs/mosh.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.programs.mosh; + +in +{ + options.programs.mosh = { + enable = mkOption { + description = '' + Whether to enable mosh. Note, this will open ports in your firewall! + ''; + default = false; + example = true; + type = lib.types.bool; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ mosh ]; + networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]; + }; +} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 84eccfd51292..6b02446d53b4 100644 
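Review bot: `networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]` in mosh.nix opens the whole range on every interface as soon as `programs.mosh.enable` is set, with the option description as the only warning. Letting an admin install the client without the server-side hole is the usual pattern: a separate `openFirewall` option defaulting to the current behaviour, or at minimum a comment on the config line such as `# mosh-server's default UDP port range; keep in sync with any range passed to mosh-server -p`. Also `type = lib.types.bool` can be `types.bool` since `with lib;` is in scope, and `enable = mkEnableOption "mosh"` is the module idiom for this option (the firewall note would then move to a comment).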
--- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -68,6 +68,10 @@ with lib; # proxy (mkRenamedOptionModule [ "nix" "proxy" ] [ "networking" "proxy" "default" ]) + # sandboxing + (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) + (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) + # KDE (mkRenamedOptionModule [ "kde" "extraPackages" ] [ "environment" "systemPackages" ]) (mkRenamedOptionModule [ "environment" "kdePackages" ] [ "environment" "systemPackages" ]) diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index c5cd0fb60ee9..cb5410a5f15d 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -152,7 +152,7 @@ in in nameValuePair ("acme-${cert}") ({ - description = "ACME cert renewal for ${cert} using simp_le"; + description = "Renew ACME Certificate for ${cert}"; after = [ "network.target" ]; serviceConfig = { Type = "oneshot"; @@ -192,7 +192,7 @@ in systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair ("acme-${cert}") ({ - description = "timer for ACME cert renewal of ${cert}"; + description = "Renew ACME Certificate for ${cert}"; wantedBy = [ "timers.target" ]; timerConfig = { OnCalendar = cfg.renewInterval; diff --git a/nixos/modules/services/backup/crashplan.nix b/nixos/modules/services/backup/crashplan.nix index 94aa3b17b663..a69526f968b0 100644 --- a/nixos/modules/services/backup/crashplan.nix +++ b/nixos/modules/services/backup/crashplan.nix @@ -50,11 +50,8 @@ with lib; ensureDir ${crashplan.vardir}/log 777 cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do - if [ -e ${crashplan.vardir}/$x ]; then - true; - else - ln -s ${crashplan}/$x ${crashplan.vardir}/$x; - fi; + rm -f ${crashplan.vardir}/$x; + ln -sf ${crashplan}/$x ${crashplan.vardir}/$x; done ''; 
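Review bot: The new `rm -f ${crashplan.vardir}/$x; ln -sf ${crashplan}/$x ${crashplan.vardir}/$x;` pair in the crashplan preStart only behaves as intended when `$x` is a file or symlink: `rm -f` does not remove a directory, so if an earlier install left a real directory named e.g. `lib` or `bin` under vardir, the `rm` fails and `ln -sf` then creates the link inside that directory instead of replacing it (and if the script runs under `set -e`, the unit does not start at all). The old code never touched an existing entry; if the intent is to always re-point the links, `ln -sfn` (no-dereference) replaces an existing directory symlink rather than descending into it, and real directories should be detected explicitly rather than silently nested into, e.g. `if [ -d "$p" ] && [ ! -L "$p" ]; then echo "refusing to replace directory $p" >&2; exit 1; fi` (constructed example).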
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 31ffe51c11ef..80ee32f4ee33 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -242,7 +242,7 @@ in if test -e "${cfg.dataDir}/.first_startup"; then ${optionalString (cfg.initialScript != null) '' - cat "${cfg.initialScript}" | psql --port=${toString cfg.port} postgres + psql -f "${cfg.initialScript}" --port=${toString cfg.port} postgres ''} rm -f "${cfg.dataDir}/.first_startup" fi diff --git a/nixos/modules/services/development/hoogle.nix b/nixos/modules/services/development/hoogle.nix new file mode 100644 index 000000000000..90aa04d2762e --- /dev/null +++ b/nixos/modules/services/development/hoogle.nix 
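Review bot: `psql -f "${cfg.initialScript}" --port=${toString cfg.port} postgres` in the postgresql hunk still runs the rest of the script after a failing statement, because psql only aborts with `-v ON_ERROR_STOP=1`; since `.first_startup` is removed unconditionally on the next line, a partially applied initial script is never retried and the database stays half-initialised. Passing the flag turns that into a visible failure: `psql -v ON_ERROR_STOP=1 -f "${cfg.initialScript}" --port=${toString cfg.port} postgres`. Whether the surrounding postStart script runs under `set -e` (its start is outside the hunk) decides if the non-zero exit then stops the unit.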
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.hoogle;
+
+ hoogleEnv = pkgs.buildEnv {
+ name = "hoogle";
+ paths = [ (cfg.haskellPackages.ghcWithHoogle cfg.packages) ];
+ };
+
+in {
+
+ options.services.hoogle = {
+ enable = mkEnableOption "Haskell documentation server";
+
+ port = mkOption {
+ type = types.int;
+ default = 8080;
+ description = ''
+ Port number Hoogle will be listening to.
+ '';
+ };
+
+ packages = mkOption {
+ default = hp: [];
+ defaultText = "hp: []";
+ example = "hp: with hp; [ text lens ]";
+ description = ''
+ The Haskell packages to generate documentation for.
+
+ The option value is a function that takes the package set specified in
+ the <varname>haskellPackages</varname> option as its sole parameter and
+ returns a list of packages.
+ '';
+ };
+
+ haskellPackages = mkOption {
+ description = "Which haskell package set to use.";
+ default = pkgs.haskellPackages;
+ defaultText = "pkgs.haskellPackages";
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.hoogle = {
+ description = "Haskell documentation server";
+
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Restart = "always";
+ ExecStart = ''${hoogleEnv}/bin/hoogle server --local -p ${toString cfg.port}'';
+
+ User = "nobody";
+ Group = "nogroup";
+
+ PrivateTmp = true;
+ ProtectHome = true;
+
+ RuntimeDirectory = "hoogle";
+ WorkingDirectory = "%t/hoogle";
+ };
+ };
+ };
+
+}
diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix
new file mode 100644
index 000000000000..a7785decd19a
--- /dev/null
+++ b/nixos/modules/services/logging/graylog.nix
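Review bot: The hoogle service runs as `User = "nobody"` / `Group = "nogroup"` while exposing a network listener (`hoogle server --local -p ${toString cfg.port}`); `nobody` is shared by other unprivileged daemons on the host, so a compromise of one of them yields the same identity as the others and per-service auditing and resource limits become impossible. A dedicated service user (with a uid registered in ids.nix, as this commit does for graylog and emby) is the pattern the other modules follow and is a small change here. The `port` description should also state whether the server binds all interfaces, if that is what `hoogle server` does by default (not visible in this diff), so an admin knows to pair it with a firewall rule; the existing `PrivateTmp`/`ProtectHome` hardening is good and `ProtectSystem = "strict";` would fit alongside it since the unit only writes under `%t/hoogle`.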
@@ -0,0 +1,161 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.graylog; + configBool = b: if b then "true" else "false"; + + confFile = pkgs.writeText "graylog.conf" '' + is_master = ${configBool cfg.isMaster} + node_id_file = ${cfg.nodeIdFile} + password_secret = ${cfg.passwordSecret} + root_username = ${cfg.rootUsername} + root_password_sha2 = ${cfg.rootPasswordSha2} + elasticsearch_cluster_name = ${cfg.elasticsearchClusterName} + elasticsearch_discovery_zen_ping_multicast_enabled = ${configBool cfg.elasticsearchDiscoveryZenPingMulticastEnabled} + elasticsearch_discovery_zen_ping_unicast_hosts = ${cfg.elasticsearchDiscoveryZenPingUnicastHosts} + message_journal_dir = ${cfg.messageJournalDir} + mongodb_uri = ${cfg.mongodbUri} + + ${cfg.extraConfig} + ''; +in + +{ + ###### interface + + options = { + + services.graylog = { + + enable = mkEnableOption "Graylog"; + + package = mkOption { + type = types.package; + default = pkgs.graylog; + defaultText = "pkgs.graylog"; + example = literalExample "pkgs.graylog"; + description = "Graylog package to use."; + }; + + user = mkOption { + type = types.str; + default = "graylog"; + example = literalExample "graylog"; + description = "User account under which graylog runs"; + }; + + isMaster = mkOption { + type = types.bool; + default = true; + description = "Whether this is the master instance of your Graylog cluster"; + }; + + nodeIdFile = mkOption { + type = types.str; + default = "/var/lib/graylog/server/node-id"; + description = "Path of the file containing the graylog node-id"; + }; + + passwordSecret = mkOption { + type = types.str; + description = '' + You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters. 
+ Generate one by using for example: pwgen -N 1 -s 96 + ''; + }; + + rootUsername = mkOption { + type = types.str; + default = "admin"; + description = "Name of the default administrator user"; + }; + + rootPasswordSha2 = mkOption { + type = types.str; + example = "e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e952"; + description = '' + You MUST specify a hash password for the root user (which you only need to initially set up the + system and in case you lose connectivity to your authentication backend) + This password cannot be changed using the API or via the web interface. If you need to change it, + modify it here. + Create one by using for example: echo -n yourpassword | shasum -a 256 + and use the resulting hash value as string for the option + ''; + }; + + elasticsearchClusterName = mkOption { + type = types.str; + example = "graylog"; + description = "This must be the same as for your Elasticsearch cluster"; + }; + + elasticsearchDiscoveryZenPingMulticastEnabled = mkOption { + type = types.bool; + default = false; + description = "Whether to use elasticsearch multicast discovery"; + }; + + elasticsearchDiscoveryZenPingUnicastHosts = mkOption { + type = types.str; + default = "127.0.0.1:9300"; + description = "Tells Graylogs Elasticsearch client how to find other cluster members. See Elasticsearch documentation for details"; + }; + + messageJournalDir = mkOption { + type = types.str; + default = "/var/lib/graylog/data/journal"; + description = "The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and must not contain any other files than the ones created by Graylog itself"; + }; + + mongodbUri = mkOption { + type = types.str; + default = "mongodb://localhost/graylog"; + description = "MongoDB connection string. 
See http://docs.mongodb.org/manual/reference/connection-string/ for details"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Any other configuration options you might want to add"; + }; + + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.extraUsers = mkIf (cfg.user == "graylog") { + graylog = { + uid = config.ids.uids.graylog; + description = "Graylog server daemon user"; + }; + }; + + systemd.services.graylog = with pkgs; { + description = "Graylog Server"; + wantedBy = [ "multi-user.target" ]; + environment = { + JAVA_HOME = jre; + GRAYLOG_CONF = "${confFile}"; + }; + path = [ pkgs.openjdk8 pkgs.which pkgs.procps ]; + preStart = '' + mkdir -p /var/lib/graylog -m 755 + chown -R ${cfg.user} /var/lib/graylog + + mkdir -p ${cfg.messageJournalDir} -m 755 + chown -R ${cfg.user} ${cfg.messageJournalDir} + ''; + serviceConfig = { + User="${cfg.user}"; + PermissionsStartOnly=true; + ExecStart = "${cfg.package}/bin/graylogctl run"; + }; + }; + }; +} diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index 6069262b4705..3a85fa60fe7a 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -11,7 +11,10 @@ let rm $out/logcheck.* ''; - rulesDir = pkgs.symlinkJoin "logcheck-rules-dir" ([ defaultRules ] ++ cfg.extraRulesDirs); + rulesDir = pkgs.symlinkJoin + { name = "logcheck-rules-dir"; + paths = ([ defaultRules ] ++ cfg.extraRulesDirs); + }; configFile = pkgs.writeText "logcheck.conf" cfg.config; diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 127c3da69d14..47e374d8edc3 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix 
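Review bot: `confFile = pkgs.writeText "graylog.conf" ...` in graylog.nix interpolates `password_secret = ${cfg.passwordSecret}` and `root_password_sha2 = ${cfg.rootPasswordSha2}` into a Nix store path, which is world-readable on the machine and travels with any nix-copy or binary-cache push, so the pepper the option description says you "MUST" keep secret and the admin hash are readable by every local user. The usual mitigation is to keep the secret out of the store: accept a file path (e.g. a `passwordSecretFile` option) and have `preStart` assemble the real config under `/var/lib/graylog` with mode 0600 owned by `${cfg.user}`, or use an environment-based override if the package supports one (not visible here). Until that is done the two option descriptions should carry the limitation, e.g. `Note: this value is written to the world-readable Nix store.` The `preStart` also runs `chown -R ${cfg.user} /var/lib/graylog` as root on every start; a non-recursive chown of the two created directories is sufficient and avoids walking a tree the service user already controls.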
@@ -63,8 +63,10 @@ let cfg.extraConfig ]; - modulesDir = pkgs.symlinkJoin "dovecot-modules" - (map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules)); + modulesDir = pkgs.symlinkJoin { + name = "dovecot-modules"; + paths = map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules); + }; in { diff --git a/nixos/modules/services/mail/rmilter.nix b/nixos/modules/services/mail/rmilter.nix index a6e2a9fc7808..d1f7cd2e173e 100644 --- a/nixos/modules/services/mail/rmilter.nix +++ b/nixos/modules/services/mail/rmilter.nix @@ -7,9 +7,14 @@ let rspamdCfg = config.services.rspamd; cfg = config.services.rmilter; + inetSockets = map (sock: let s = stringSplit ":" sock; in "inet:${last s}:${head s}") cfg.bindInetSockets; + unixSockets = map (sock: "unix:${sock}") cfg.bindUnixSockets; + + allSockets = unixSockets ++ inetSockets; + rmilterConf = '' pidfile = /run/rmilter/rmilter.pid; -bind_socket = ${cfg.bindSocket}; +bind_socket = ${if cfg.socketActivation then "fd:3" else concatStringsSep ", " allSockets}; tempdir = /tmp; '' + (with cfg.rspamd; if enable then '' 
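Review bot: `inetSockets = map (sock: let s = stringSplit ":" sock; in ...)` in rmilter.nix calls `stringSplit`, which I cannot find in nixpkgs' lib; the function with this behaviour is `splitString`. Because `map` over the empty default of `bindInetSockets` never evaluates the lambda, the error only surfaces once someone configures an inet socket with `socketActivation = false`, so default evaluation will not catch it. Change the line to `inetSockets = map (sock: let s = splitString ":" sock; in "inet:${last s}:${head s}") cfg.bindInetSockets;`. The `head s`/`last s` pairing also assumes exactly one colon, so an IPv6 literal would be mis-parsed; a comment stating the accepted `host:port` form on the option would make that explicit.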
@@ -68,14 +73,37 @@ in ''; }; - bindSocket = mkOption { - type = types.string; - default = "unix:/run/rmilter/rmilter.sock"; - description = "Socket to listed for MTA requests"; + bindUnixSockets = mkOption { + type = types.listOf types.str; + default = ["/run/rmilter.sock"]; + description = '' + Unix domain sockets to listen for MTA requests. + ''; example = '' - "unix:/run/rmilter/rmilter.sock" or - "inet:11990@127.0.0.1" - ''; + [ "/run/rmilter.sock"] + ''; + }; + + bindInetSockets = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Inet addresses to listen (in format accepted by systemd.socket) + ''; + example = '' + ["127.0.0.1:11990"] + ''; + }; + + socketActivation = mkOption { + type = types.bool; + default = true; + description = '' + Enable systemd socket activation for rmilter. + (disabling socket activation not recommended + when unix socket used, and follow to wrong + permissions on unix domain socket.) + ''; }; rspamd = { @@ -86,7 +114,7 @@ in servers = mkOption { type = types.listOf types.str; - default = ["r:0.0.0.0:11333"]; + default = ["r:/run/rspamd.sock"]; description = '' Spamd socket definitions. Is server name is prefixed with r: it is rspamd server. @@ -129,7 +157,7 @@ in type = types.str; description = "Addon to postfix configuration"; default = '' -smtpd_milters = ${cfg.bindSocket} +smtpd_milters = ${head allSockets} # or for TCP socket # # smtpd_milters = inet:localhost:9900 milter_protocol = 6 
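Review bot: The new default for `postfix.configFragment` uses `smtpd_milters = ${head allSockets}`, which fails evaluation when both `bindUnixSockets` and `bindInetSockets` are empty and silently picks only the first socket (unix first) when several are configured. An assertion such as `assertions = [ { assertion = allSockets != []; message = "services.rmilter: set bindUnixSockets or bindInetSockets"; } ];` (constructed) gives a readable failure, and the option description should say that only the first socket is wired into postfix by default. The `bindUnixSockets` default also moved from `/run/rmilter/rmilter.sock` to `/run/rmilter.sock`, so any existing postfix configuration pointing at the old path stops delivering to the milter without an evaluation error; the description should at least name the new location, and the `bindSocket` option was removed rather than renamed via rename.nix.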
@@ -169,21 +197,30 @@ milter_default_action = accept serviceConfig = { ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}"; + ExecReload = "/bin/kill -USR1 $MAINPID"; User = cfg.user; Group = cfg.group; PermissionsStartOnly = true; Restart = "always"; + RuntimeDirectory = "rmilter"; + RuntimeDirectoryPermissions="0755"; }; - preStart = '' - ${pkgs.coreutils}/bin/mkdir -p /run/rmilter - ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /run/rmilter - ''; + }; + systemd.sockets.rmilter = mkIf cfg.socketActivation { + description = "Rmilter service socket"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = cfg.bindUnixSockets ++ cfg.bindInetSockets; + SocketUser = cfg.user; + SocketGroup = cfg.group; + SocketMode = "0660"; + }; }; services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment; - + users.users.postfix.extraGroups = [ cfg.group ]; }; } diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index a083f8293243..412b99ccc570 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -6,6 +6,35 @@ let cfg = config.services.rspamd; + mkBindSockets = socks: concatStringsSep "\n" (map (each: " bind_socket = \"${each}\"") socks); + + rspamdConf = + '' + .include "$CONFDIR/common.conf" + + options { + pidfile = "$RUNDIR/rspamd.pid"; + .include "$CONFDIR/options.inc" + } + + logging { + type = "file"; + filename = "$LOGDIR/rspamd.log"; + .include "$CONFDIR/logging.inc" + } + + worker { + ${mkBindSockets cfg.bindSocket} + .include "$CONFDIR/worker-normal.inc" + } + + worker { + ${mkBindSockets cfg.bindUISocket} + .include "$CONFDIR/worker-controller.inc" + } + ''; + rspamdConfFile = pkgs.writeText "rspamd.conf" rspamdConf; + in { 
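Review bot: `ExecReload = "/bin/kill -USR1 $MAINPID"` refers to a path that does not exist on NixOS (only `/bin/sh` is provided), so reloads will fail; use `ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";` (util-linux's kill works as well). `RuntimeDirectoryPermissions` is not a systemd directive — the one that sets the mode of a `RuntimeDirectory` is `RuntimeDirectoryMode = "0755";` — so the current line is ignored with a warning and `/run/rmilter` gets systemd's default mode. `users.users.postfix.extraGroups = [ cfg.group ]` is also unconditional, which defines a postfix user even when `services.postfix` is disabled; `mkIf cfg.postfix.enable [ cfg.group ]` keeps it to the case where postfix actually needs access to the socket.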
@@ -26,6 +55,32 @@ in description = "Whether to run the rspamd daemon in debug mode."; }; + bindSocket = mkOption { + type = types.listOf types.str; + default = [ + "/run/rspamd.sock mode=0666 owner=${cfg.user}" + ]; + description = '' + List of sockets to listen, in format acceptable by rspamd + ''; + example = '' + bindSocket = [ + "/run/rspamd.sock mode=0666 owner=rspamd" + "*:11333" + ]; + ''; + }; + + bindUISocket = mkOption { + type = types.listOf types.str; + default = [ + "localhost:11334" + ]; + description = '' + List of sockets for web interface, in format acceptable by rspamd + ''; + }; + user = mkOption { type = types.string; default = "rspamd"; @@ -62,7 +117,7 @@ in users.extraGroups = singleton { name = cfg.group; - gid = config.ids.gids.spamd; + gid = config.ids.gids.rspamd; }; systemd.services.rspamd = { @@ -72,7 +127,7 @@ in after = [ "network.target" ]; serviceConfig = { - ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -f"; + ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c ${rspamdConfFile} -f"; RuntimeDirectory = "/var/lib/rspamd"; PermissionsStartOnly = true; Restart = "always"; diff --git a/nixos/modules/services/misc/emby.nix b/nixos/modules/services/misc/emby.nix new file mode 100644 index 000000000000..fe872349f45e --- /dev/null +++ b/nixos/modules/services/misc/emby.nix 
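Review bot: The new default `"/run/rspamd.sock mode=0666 owner=${cfg.user}"` makes the scan socket world-writable, so every local account can submit messages to the scanner and burn its CPU, which is broader than the rmilter-to-rspamd path this change is wiring up. rspamd's bind_socket also accepts `group=`, so a narrower default would be `"/run/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"` with the consuming milter's user added to that group; if 0666 is kept deliberately, the option description should say that any local user can reach the socket. `gid = config.ids.gids.rspamd` presumes an entry in ids.nix that is not visible on this page — confirm it is added. Unrelated to this hunk but worth noting while here: `RuntimeDirectory = "/var/lib/rspamd"` in the service is a relative-name directive under `/run`, so that value is not doing what its author expected.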
@@ -0,0 +1,64 @@ +{ config, pkgs, lib, mono, ... }: + +with lib; + +let + cfg = config.services.emby; + emby = pkgs.emby; +in +{ + options = { + services.emby = { + enable = mkEnableOption "Emby Media Server"; + + user = mkOption { + type = types.str; + default = "emby"; + description = "User account under which Emby runs."; + }; + + group = mkOption { + type = types.str; + default = "emby"; + description = "Group under which emby runs."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.emby = { + description = "Emby Media Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + test -d /var/lib/emby/ProgramData-Server || { + echo "Creating initial Emby data directory in /var/lib/emby/ProgramData-Server" + mkdir -p /var/lib/emby/ProgramData-Server + chown -R ${cfg.user}:${cfg.group} /var/lib/emby/ProgramData-Server + } + ''; + + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + PermissionsStartOnly = "true"; + ExecStart = "${pkgs.mono}/bin/mono ${pkgs.emby}/bin/MediaBrowser.Server.Mono.exe"; + Restart = "on-failure"; + }; + }; + + users.extraUsers = mkIf (cfg.user == "emby") { + emby = { + group = cfg.group; + uid = config.ids.uids.emby; + }; + }; + + users.extraGroups = mkIf (cfg.group == "emby") { + emby = { + gid = config.ids.gids.emby; + }; + }; + }; +} diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 911f79e5756a..d71837737ab3 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -6,7 +6,7 @@ let cfg = config.nix; - nix = cfg.package; + nix = cfg.package.out; makeNixBuildUser = nr: { name = "nixbld${toString nr}"; 
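Review bot: The `users.extraUsers`/`users.extraGroups` definitions in the new emby module are only emitted when the default names are used, while `systemd.services.emby` always runs as `cfg.user`/`cfg.group`, so a custom user must be created by the caller — the option descriptions should state that (e.g. `description = "User account under which Emby runs. Must exist if not the default \"emby\"."`). The module takes `mono` as a function argument, which is not a module argument and is unused (the unit already uses `pkgs.mono`), and the `emby = pkgs.emby` binding is likewise unused; drop `mono` from the pattern and either use or remove the binding.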
@@ -24,8 +24,8 @@ let nixConf = let - # If we're using a chroot for builds, then provide /bin/sh in - # the chroot as a bind-mount to bash. This means we also need to + # If we're using sandbox for builds, then provide /bin/sh in + # the sandbox as a bind-mount to bash. This means we also need to # include the entire closure of bash. sh = pkgs.stdenv.shell; binshDeps = pkgs.writeReferencesToFile sh; @@ -39,8 +39,8 @@ let build-users-group = nixbld build-max-jobs = ${toString (cfg.maxJobs)} build-cores = ${toString (cfg.buildCores)} - build-use-chroot = ${if (builtins.isBool cfg.useChroot) then (if cfg.useChroot then "true" else "false") else cfg.useChroot} - build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths) + build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then (if cfg.useSandbox then "true" else "false") else cfg.useSandbox} + build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths) binary-caches = ${toString cfg.binaryCaches} trusted-binary-caches = ${toString cfg.trustedBinaryCaches} binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys} @@ -98,25 +98,25 @@ in ''; }; - useChroot = mkOption { + useSandbox = mkOption { type = types.either types.bool (types.enum ["relaxed"]); default = false; description = " - If set, Nix will perform builds in a chroot-environment that it + If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store. "; }; - chrootDirs = mkOption { + sandboxPaths = mkOption { type = types.listOf types.str; default = []; example = [ "/dev" "/proc" ]; description = '' Directories from the host filesystem to be included - in the chroot. + in the sandbox. ''; }; diff --git a/nixos/modules/services/misc/nix-gc.nix b/nixos/modules/services/misc/nix-gc.nix index 6a7a7f4cee72..5c13da6e83dd 100644 
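Review bot: Renaming `nix.useChroot`/`nix.chrootDirs` to `useSandbox`/`sandboxPaths` with no visible alias means existing configurations that set the old names fail to evaluate rather than being migrated; unless another file in this commit does it, add `imports = [ (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) ];`. The generated nix.conf now emits `build-use-sandbox`/`build-sandbox-paths`, which older Nix releases do not recognise, so the module should document (or assert) the minimum version of `nix.package` it expects.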
--- a/nixos/modules/services/misc/nix-gc.nix +++ b/nixos/modules/services/misc/nix-gc.nix @@ -52,7 +52,7 @@ in systemd.services.nix-gc = { description = "Nix Garbage Collector"; - script = "exec ${config.nix.package}/bin/nix-collect-garbage ${cfg.options}"; + script = "exec ${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}"; startAt = optionalString cfg.automatic cfg.dates; }; diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix index d70bd855c7ff..66148431709f 100644 --- a/nixos/modules/services/misc/nix-ssh-serve.nix +++ b/nixos/modules/services/misc/nix-ssh-serve.nix @@ -41,7 +41,7 @@ with lib; PermitTTY no PermitTunnel no X11Forwarding no - ForceCommand ${config.nix.package}/bin/nix-store --serve + ForceCommand ${config.nix.package.out}/bin/nix-store --serve Match All ''; diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index 8459aafeee73..b7d14e90a2b7 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -449,7 +449,7 @@ in { }; }; }) - (mkIf needToCreateCA { + (mkIf (cfg.enable && needToCreateCA) { systemd.services.taskserver-ca = { wantedBy = [ "taskserver.service" ]; after = [ "taskserver-init.service" ]; @@ -533,7 +533,7 @@ in { ''; }; }) - (mkIf (cfg.listenHost != "localhost") { + (mkIf (cfg.enable && cfg.listenHost != "localhost") { networking.firewall.allowedTCPPorts = [ cfg.listenPort ]; }) { meta.doc = ./taskserver.xml; } diff --git a/nixos/modules/services/network-filesystems/openafs-client/default.nix b/nixos/modules/services/network-filesystems/openafs-client/default.nix index 7a44fc1ea5ec..61c66bb88357 100644 --- a/nixos/modules/services/network-filesystems/openafs-client/default.nix +++ b/nixos/modules/services/network-filesystems/openafs-client/default.nix 
@@ -80,7 +80,7 @@ in preStart = '' mkdir -p -m 0755 /afs mkdir -m 0700 -p ${cfg.cacheDirectory} - ${pkgs.module_init_tools}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true + ${pkgs.kmod}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true ${openafsPkgs}/sbin/afsd -confdir ${afsConfig} -cachedir ${cfg.cacheDirectory} ${if cfg.sparse then "-dynroot-sparse" else "-dynroot"} -fakestat -afsdb ${openafsPkgs}/bin/fs setcrypt ${if cfg.crypt then "on" else "off"} ''; @@ -92,7 +92,7 @@ in preStop = '' ${pkgs.utillinux}/bin/umount /afs ${openafsPkgs}/sbin/afsd -shutdown - ${pkgs.module_init_tools}/sbin/rmmod libafs + ${pkgs.kmod}/sbin/rmmod libafs ''; }; }; diff --git a/nixos/modules/services/networking/logmein-hamachi.nix b/nixos/modules/services/networking/logmein-hamachi.nix new file mode 100644 index 000000000000..406626a8a343 --- /dev/null +++ b/nixos/modules/services/networking/logmein-hamachi.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.logmein-hamachi; + +in + +{ + + ###### interface + + options = { + + services.logmein-hamachi.enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable LogMeIn Hamachi, a proprietary + (closed source) commercial VPN software. + ''; + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.logmein-hamachi = { + description = "LogMeIn Hamachi Daemon"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "local-fs.target" ]; + + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.logmein-hamachi}/bin/hamachid"; + }; + }; + + environment.systemPackages = [ pkgs.logmein-hamachi ]; + + }; + +} diff --git a/nixos/modules/services/networking/mfi.nix b/nixos/modules/services/networking/mfi.nix index 5afb83ed022f..775564a2c446 100644 --- a/nixos/modules/services/networking/mfi.nix +++ b/nixos/modules/services/networking/mfi.nix 
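Review bot: The new `logmein-hamachi` unit uses `Type = "forking"` without a `PIDFile`, so systemd has to guess the daemon's main process and stop/restart handling may be unreliable if hamachid forks more than once; either add the PID file the daemon writes (check its documentation) or add a comment such as `# hamachid daemonises itself; no PIDFile is written, so systemd guesses the main PID` so the choice is visible. The daemon runs as root with no sandboxing directives, which is probably unavoidable for a VPN that creates tunnel interfaces, but that rationale belongs in a comment on `serviceConfig`. In the openafs hunks, `${pkgs.kmod}/sbin/insmod` and `/sbin/rmmod` assume kmod provides an `sbin` path — confirm that against the package, since other call sites use `bin`.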
@@ -10,6 +10,7 @@ let { what = "${pkgs.mfi}/dl"; where = "${stateDir}/dl"; } { what = "${pkgs.mfi}/lib"; where = "${stateDir}/lib"; } { what = "${pkgs.mongodb248}/bin"; where = "${stateDir}/bin"; } + { what = "${cfg.dataDir}"; where = "${stateDir}/data"; } ]; systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints; ports = [ 6080 6880 6443 6843 ]; @@ -23,6 +24,15 @@ in default = true; description = "Whether to open TCP ports ${concatMapStrings (a: "${toString a} ") ports}for the services."; }; + dataDir = mkOption { + type = types.str; + default = "${stateDir}/data"; + description = '' + Where to store the database and other data. + + This directory will be bind-mounted to ${stateDir}/data as part of the service startup. + ''; + }; }; }; diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index 8f6881441cf7..3e865e3b76a8 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -50,7 +50,7 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = [ config.nix.package pkgs.bzip2.bin ]; + path = [ config.nix.package.out pkgs.bzip2.bin ]; environment.NIX_REMOTE = "daemon"; environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix index 52c7ac8e6893..99269c49e8f1 100644 --- a/nixos/modules/services/networking/quassel.nix +++ b/nixos/modules/services/networking/quassel.nix @@ -3,7 +3,7 @@ with lib; let - quassel = pkgs.quasselDaemon_qt5; + quassel = pkgs.kde4.quasselDaemon; cfg = config.services.quassel; user = if cfg.user != null then cfg.user else "quassel"; in diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index 4dc0cd96904c..cb5a88e67aae 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix 
@@ -17,6 +17,10 @@ let what = "${pkgs.mongodb}/bin"; where = "${stateDir}/bin"; } + { + what = "${cfg.dataDir}"; + where = "${stateDir}/data"; + } ]; systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints; in @@ -32,6 +36,16 @@ in ''; }; + services.unifi.dataDir = mkOption { + type = types.str; + default = "${stateDir}/data"; + description = '' + Where to store the database and other data. + + This directory will be bind-mounted to ${stateDir}/data as part of the service startup. + ''; + }; + }; config = mkIf cfg.enable { @@ -62,7 +76,7 @@ in bindsTo = systemdMountPoints; unitConfig.RequiresMountsFor = stateDir; # This a HACK to fix missing dependencies of dynamic libs extracted from jars - environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc}/lib"; + environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; preStart = '' # Ensure privacy of state diff --git a/nixos/modules/services/networking/zerobin.nix b/nixos/modules/services/networking/zerobin.nix new file mode 100644 index 000000000000..1c524602f8e9 --- /dev/null +++ b/nixos/modules/services/networking/zerobin.nix 
@@ -0,0 +1,102 @@ +{ config, pkgs, lib, nodes, ... }: +with lib; +let + cfg = config.services.zerobin; + + zerobin_config = pkgs.writeText "zerobin-config.py" '' + PASTE_FILES_ROOT = "${cfg.dataDir}" + ${cfg.extraConfig} + ''; + +in + { + options = { + services.zerobin = { + enable = mkEnableOption "0bin"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/zerobin"; + description = '' + Path to the 0bin data directory + ''; + }; + + user = mkOption { + type = types.str; + default = "zerobin"; + description = '' + The user 0bin should run as + ''; + }; + + group = mkOption { + type = types.str; + default = "zerobin"; + description = '' + The group 0bin should run as + ''; + }; + + listenPort = mkOption { + type = types.int; + default = 8000; + example = 1357; + description = '' + The port zerobin should listen on + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "localhost"; + example = "127.0.0.1"; + description = '' + The address zerobin should listen to + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + MENU = ( + ('Home', '/'), + ) + COMPRESSED_STATIC_FILE = True + ''; + description = '' + Extra configuration to be appended to the 0bin config file + (see https://0bin.readthedocs.org/en/latest/en/options.html) + ''; + }; + }; + }; + + config = mkIf (cfg.enable) { + users.users."${cfg.user}" = + if cfg.user == "zerobin" then { + isSystemUser = true; + group = cfg.group; + home = cfg.dataDir; + createHome = true; + } + else {}; + users.groups."${cfg.group}" = {}; + + systemd.services.zerobin = { + enable = true; + after = [ "network-interfaces.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.pythonPackages.zerobin}/bin/zerobin ${cfg.listenAddress} ${toString cfg.listenPort} false ${cfg.user} ${cfg.group} ${zerobin_config}"; + serviceConfig.PrivateTmp="yes"; + serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; + preStart = '' + mkdir 
-p ${cfg.dataDir} + chown ${cfg.user} ${cfg.dataDir} + ''; + }; + }; + } + diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 29166be2399b..0bcb1a0c20c4 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -34,7 +34,7 @@ let bindir = pkgs.buildEnv { name = "cups-progs"; paths = - [ cups additionalBackends cups_filters pkgs.ghostscript ] + [ cups.out additionalBackends cups_filters pkgs.ghostscript ] ++ optional cfg.gutenprint gutenprint ++ cfg.drivers; pathsToLink = [ "/lib/cups" "/share/cups" "/bin" ]; @@ -267,24 +267,24 @@ in description = "CUPS printing services"; }; - environment.systemPackages = [ cups ] ++ optional polkitEnabled cups-pk-helper; + environment.systemPackages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; environment.etc."cups".source = "/var/lib/cups"; - services.dbus.packages = [ cups ] ++ optional polkitEnabled cups-pk-helper; + services.dbus.packages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; # Cups uses libusb to talk to printers, and does not use the # linux kernel driver. If the driver is not in a black list, it # gets loaded, and then cups cannot access the printers. boot.blacklistedKernelModules = [ "usblp" ]; - systemd.packages = [ cups ]; + systemd.packages = [ cups.out ]; systemd.services.cups = { wantedBy = [ "multi-user.target" ]; wants = [ "network.target" ]; after = [ "network.target" ]; - path = [ cups ]; + path = [ cups.out ]; preStart = '' diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index c51a42b8e9c1..17ac8fe7e245 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix 
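Review bot: `preStart` in the new zerobin unit runs `mkdir -p`/`chown` on `${cfg.dataDir}` as `cfg.user` (there is no `PermissionsStartOnly`), so for a non-default user or data directory the `mkdir` under `/var/lib` fails and the `chown` is a no-op; add `serviceConfig.PermissionsStartOnly = true;` or rely entirely on `createHome`. The `else {}` branch of `users.users."${cfg.user}"` defines an empty user entry when a custom name is given, which will not produce a usable account — write it as `users.users = mkIf (cfg.user == "zerobin") { zerobin = { ... }; };` and document that a custom user must already exist. `after = [ "network-interfaces.target" ]` should be `network.target`, and the unused `nodes` module argument can be dropped. The generated `zerobin-config.py` lands in the world-readable Nix store, so the `extraConfig` description should warn against putting secrets in it.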
@@ -145,6 +145,7 @@ in { # Install plugins ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib + ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi ''; postStart = mkBefore '' diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index afbd81be91f2..33c4910fc0ce 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -99,34 +99,32 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; + partOf = optional config.networking.firewall.enable "firewall.service"; restartTriggers = [ fail2banConf jailConf ]; path = [ pkgs.fail2ban pkgs.iptables ]; preStart = '' - mkdir -p /run/fail2ban -m 0755 mkdir -p /var/lib/fail2ban ''; + unitConfig.Documentation = "man:fail2ban(1)"; + serviceConfig = - { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f"; + { Type = "forking"; + ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start"; + ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop"; + ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload"; + PIDFile = "/run/fail2ban/fail2ban.pid"; + Restart = "always"; + ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/run /var/tmp /var/lib"; + ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib"; + PrivateTmp = "true"; + RuntimeDirectory = "fail2ban"; CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; }; - - postStart = - '' - # Wait for the server to start listening. - for ((n = 0; n < 20; n++)); do - if fail2ban-client ping; then break; fi - sleep 0.5 - done - - # Reload its configuration. - fail2ban-client reload - ''; }; # Add some reasonable default jails. The special "DEFAULT" jail diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index 2e29ef6a8f53..59c2e482e1ad 100644 
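Review bot: `ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib"` still grants write access to all of `/var/lib` even though the same line is narrowed from `/run` to `/run/fail2ban`; fail2ban only needs its own state directory, so `ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib/fail2ban";` keeps the `ReadOnlyDirectories = "/"` hardening meaningful (the `preStart` already creates that directory). With `Type = "forking"` and `PIDFile`, `Restart = "always"` interacts with `ExecStop = fail2ban-client stop`; a short comment noting that the client starts the server out-of-process (`-x` clears a stale socket) would help the next reader understand why `fail2ban-server -f` was dropped.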
--- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -121,7 +121,7 @@ in security.setuidOwners = singleton { program = "dbus-daemon-launch-helper"; - source = "${pkgs.dbus_daemon.lib}/libexec/dbus-daemon-launch-helper"; + source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper"; owner = "root"; group = "messagebus"; setuid = true; diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix index 347302c6090d..4f2e2fdf662b 100644 --- a/nixos/modules/services/system/kerberos.nix +++ b/nixos/modules/services/system/kerberos.nix @@ -4,7 +4,7 @@ let inherit (lib) mkOption mkIf singleton; - inherit (pkgs) heimdal; + inherit (pkgs) heimdalFull; stateDir = "/var/heimdal"; in @@ -33,7 +33,7 @@ in config = mkIf config.services.kerberos_server.enable { - environment.systemPackages = [ heimdal ]; + environment.systemPackages = [ heimdalFull ]; services.xinetd.enable = true; services.xinetd.services = lib.singleton @@ -42,7 +42,7 @@ in protocol = "tcp"; user = "root"; server = "${pkgs.tcp_wrappers}/sbin/tcpd"; - serverArgs = "${pkgs.heimdal}/sbin/kadmind"; + serverArgs = "${pkgs.heimdalFull}/sbin/kadmind"; }; systemd.services.kdc = { @@ -51,13 +51,13 @@ in preStart = '' mkdir -m 0755 -p ${stateDir} ''; - script = "${heimdal}/sbin/kdc"; + script = "${heimdalFull}/sbin/kdc"; }; systemd.services.kpasswdd = { description = "Kerberos Password Changing daemon"; wantedBy = [ "multi-user.target" ]; - script = "${heimdal}/sbin/kpasswdd"; + script = "${heimdalFull}/sbin/kpasswdd"; }; }; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index c2220cb0cff7..26182dc93cd4 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix 
@@ -124,7 +124,7 @@ in ${pkgs.xz.out}/lib/liblzma*.so* mr, ${pkgs.libgcrypt.out}/lib/libgcrypt*.so* mr, ${pkgs.libgpgerror.out}/lib/libgpg-error*.so* mr, - ${pkgs.libnghttp2.out}/lib/libnghttp2*.so* mr, + ${pkgs.nghttp2.lib}/lib/libnghttp2*.so* mr, ${pkgs.c-ares.out}/lib/libcares*.so* mr, ${pkgs.libcap.out}/lib/libcap*.so* mr, ${pkgs.attr.out}/lib/libattr*.so* mr, diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix index 4f74d5732af5..70dc1ac2a26a 100644 --- a/nixos/modules/services/x11/desktop-managers/kde5.nix +++ b/nixos/modules/services/x11/desktop-managers/kde5.nix @@ -62,17 +62,25 @@ in ${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1" ''} - exec startkde + exec "${kde5.startkde}" + ''; }; - security.setuidOwners = singleton { - program = "kcheckpass"; - source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; - owner = "root"; - group = "root"; - setuid = true; - }; + security.setuidOwners = [ + { + program = "kcheckpass"; + source = "${kde5.plasma-workspace}/lib/libexec/kcheckpass"; + owner = "root"; + setuid = true; + } + { + program = "start_kdeinit_wrapper"; + source = "${kde5.plasma-workspace}/lib/libexec/kf5/start_kdeinit_wrapper"; + owner = "root"; + setuid = true; + } + ]; environment.systemPackages = [ diff --git a/nixos/modules/services/x11/redshift.nix b/nixos/modules/services/x11/redshift.nix index 4318a17a4fa5..8f1e317e52b0 100644 --- a/nixos/modules/services/x11/redshift.nix +++ b/nixos/modules/services/x11/redshift.nix @@ -94,11 +94,9 @@ in { }; config = mkIf cfg.enable { - systemd.services.redshift = { + systemd.user.services.redshift = { description = "Redshift colour temperature adjuster"; - requires = [ "display-manager.service" ]; - after = [ "display-manager.service" ]; - wantedBy = [ "graphical.target" ]; + wantedBy = [ "default.target" ]; serviceConfig = { ExecStart = '' ${cfg.package}/bin/redshift \ 
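Review bot: The kde5 hunk adds a second setuid-root binary (`start_kdeinit_wrapper`) without saying why it needs root, and setuid additions are exactly the kind of change a later reader will question; add a comment above that entry such as `# start_kdeinit needs root only to lower kdeinit's OOM score and drops privileges afterwards` (confirm against the plasma-workspace sources). Both entries also switch from `kde5.plasma-workspace.out` to the bare `kde5.plasma-workspace` — fine if the package has a single output, otherwise the helper path should be pinned to the output that actually ships `lib/libexec`.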
@@ -107,10 +105,10 @@ in { -b ${toString cfg.brightness.day}:${toString cfg.brightness.night} \ ${lib.strings.concatStringsSep " " cfg.extraOptions} ''; - RestartSec = 3; + RestartSec = 3; + Restart = "always"; }; environment = { DISPLAY = ":0"; }; - serviceConfig.Restart = "always"; }; }; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 05322497a4bf..289405f93195 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -499,7 +499,7 @@ in } ] ++ flip map args.devices (device: { assertion = device == "nodev" || hasPrefix "/" device; - message = "GRUB devices must be absolute paths, not ${dev} in ${args.path}"; + message = "GRUB devices must be absolute paths, not ${device} in ${args.path}"; })); }) diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix index 6c201eb8212f..69ad2c6d44f4 100644 --- a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix +++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix @@ -14,7 +14,7 @@ let inherit (pkgs) python gummiboot; - nix = config.nix.package; + nix = config.nix.package.out; timeout = if cfg.timeout != null then cfg.timeout else ""; diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix index 9d5b3db472c3..163f4f4106e8 100644 --- a/nixos/modules/system/etc/etc.nix +++ b/nixos/modules/system/etc/etc.nix @@ -36,7 +36,7 @@ in type = types.loaOf types.optionSet; default = {}; example = literalExample '' - { hosts = + { example-configuration-file = { source = "/nix/store/.../etc/dir/file.conf.example"; mode = "0440"; }; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index f4c42b162206..19292bd1ef71 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix 
@@ -80,11 +80,8 @@ in description = '' Name of directory from which to import ZFS devices. - Usually /dev works. However, ZFS import may fail if a device node is renamed. - It should therefore use stable device names, such as from /dev/disk/by-id. - - The default remains /dev for 15.09, due to backwards compatibility concerns. - It will change to /dev/disk/by-id in the next NixOS release. + This should be a path under /dev containing stable names for all devices needed, as + import may fail if device nodes are renamed concurrently with a device failing. ''; }; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 0528012adfd8..c52bd904caec 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -523,7 +523,7 @@ in networking.bonds = mkOption { default = { }; - example = { + example = literalExample { bond0 = { interfaces = [ "eth0" "wlan0" ]; miimon = 100; @@ -598,7 +598,7 @@ in networking.macvlans = mkOption { type = types.attrsOf types.optionSet; default = { }; - example = { + example = literalExample { wan = { interface = "enp2s0"; mode = "vepa"; @@ -629,7 +629,7 @@ in networking.sits = mkOption { type = types.attrsOf types.optionSet; default = { }; - example = { + example = literalExample { hurricane = { remote = "10.0.0.1"; local = "10.0.0.22"; @@ -688,7 +688,7 @@ in networking.vlans = mkOption { default = { }; - example = { + example = literalExample { vlan0 = { id = 3; interface = "enp3s0"; @@ -727,7 +727,7 @@ in networking.wlanInterfaces = mkOption { default = { }; - example = { + example = literalExample { "wlan-station0" = { device = "wlp6s0"; }; diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index 886552f33c2c..c9356c9b4eaa 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix 
@@ -8,7 +8,7 @@ let echo "attempting to fetch configuration from EC2 user data..." - export PATH=${config.nix.package}/bin:${pkgs.systemd}/bin:${pkgs.gnugrep}/bin:${pkgs.gnused}/bin:${config.system.build.nixos-rebuild}/bin:$PATH + export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild]}:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels userData=/etc/ec2-metadata/user-data diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index 9dc0ce119929..9fac543b03d5 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -62,10 +62,10 @@ in echo Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" echo Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ + chroot /mnt ${config.nix.package.out}/bin/nix-env \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group "" echo nixos-rebuild requires an /etc/NIXOS. diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix index b6b2bd4f69be..bcafc06e47c0 100644 --- a/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixos/modules/virtualisation/brightbox-image.nix 
@@ -62,10 +62,10 @@ in # Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ + chroot /mnt ${config.nix.package.out}/bin/nix-env \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ --option build-users-group "" diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 121ecbc9bf2c..fca21a8610be 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -28,14 +28,23 @@ let # Initialise the container side of the veth pair. if [ "$PRIVATE_NETWORK" = 1 ]; then + ip link set host0 name eth0 ip link set dev eth0 up + + if [ -n "$LOCAL_ADDRESS" ]; then + ip addr add $LOCAL_ADDRESS dev eth0 + fi + if [ -n "$LOCAL_ADDRESS6" ]; then + ip -6 addr add $LOCAL_ADDRESS6 dev eth0 + fi if [ -n "$HOST_ADDRESS" ]; then ip route add $HOST_ADDRESS dev eth0 ip route add default via $HOST_ADDRESS fi - if [ -n "$LOCAL_ADDRESS" ]; then - ip addr add $LOCAL_ADDRESS dev eth0 + if [ -n "$HOST_ADDRESS6" ]; then + ip -6 route add $HOST_ADDRESS6 dev eth0 + ip -6 route add default via $HOST_ADDRESS6 fi fi @@ -48,7 +57,7 @@ let system = config.nixpkgs.system; bindMountOpts = { name, config, ... }: { - + options = { mountPoint = mkOption { example = "/mnt/usb"; @@ -68,13 +77,13 @@ let description = "Determine whether the mounted path will be accessed in read-only mode."; }; }; - + config = { mountPoint = mkDefault name; }; - + }; - + mkBindFlag = d: let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind="; mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}"; 
@@ -142,12 +151,33 @@ in ''; }; + hostBridge = mkOption { + type = types.nullOr types.string; + default = null; + example = "br0"; + description = '' + Put the host-side of the veth-pair into the named bridge. + Only one of hostAddress* or hostBridge can be given. + ''; + }; + hostAddress = mkOption { type = types.nullOr types.str; default = null; example = "10.231.136.1"; description = '' The IPv4 address assigned to the host interface. + (Not used when hostBridge is set.) + ''; + }; + + hostAddress6 = mkOption { + type = types.nullOr types.string; + default = null; + example = "fc00::1"; + description = '' + The IPv6 address assigned to the host interface. + (Not used when hostBridge is set.) ''; }; @@ -161,6 +191,16 @@ in ''; }; + localAddress6 = mkOption { + type = types.nullOr types.string; + default = null; + example = "fc00::2"; + description = '' + The IPv6 address assigned to <literal>eth0</literal> + in the container. + ''; + }; + interfaces = mkOption { type = types.listOf types.string; default = []; @@ -185,7 +225,7 @@ in example = { "/home" = { hostPath = "/home/alice"; isReadOnly = false; }; }; - + description = '' An extra list of directories that is bound to the container. 
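Review bot: The new container options `hostBridge`, `hostAddress6` (this hunk) and `localAddress6` (the `@@ -161` hunk) use `types.nullOr types.string`, while the existing `hostAddress` next to them uses `types.str`; `types.string` merges multiple definitions by concatenation, which for an address or bridge name silently produces garbage instead of a conflict error, so use `type = types.nullOr types.str;` on all three. The `hostBridge` description promises "Only one of hostAddress* or hostBridge can be given" but nothing visible enforces it — unless an assertion exists elsewhere, add one over the container submodule, e.g. `assertion = cfg.hostBridge == null || (cfg.hostAddress == null && cfg.hostAddress6 == null);` with a matching message.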
@@ -238,154 +278,180 @@ in }; - config = mkIf (config.boot.enableContainers) { + config = mkIf (config.boot.enableContainers) (let - systemd.services."container@" = - { description = "Container '%i'"; + unit = { + description = "Container '%i'"; - unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ]; + unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ]; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute ]; - environment.INSTANCE = "%i"; - environment.root = "/var/lib/containers/%i"; + environment.INSTANCE = "%i"; + environment.root = "/var/lib/containers/%i"; - preStart = - '' - # Clean up existing machined registration and interfaces. - machinectl terminate "$INSTANCE" 2> /dev/null || true - - if [ "$PRIVATE_NETWORK" = 1 ]; then - ip link del dev "ve-$INSTANCE" 2> /dev/null || true - fi + preStart = + '' + # Clean up existing machined registration and interfaces. + machinectl terminate "$INSTANCE" 2> /dev/null || true + if [ "$PRIVATE_NETWORK" = 1 ]; then + ip link del dev "ve-$INSTANCE" 2> /dev/null || true + ip link del dev "vb-$INSTANCE" 2> /dev/null || true + fi + ''; - if [ "$PRIVATE_NETWORK" = 1 ]; then - ip link del dev "ve-$INSTANCE" 2> /dev/null || true - fi - ''; - - script = - '' - mkdir -p -m 0755 "$root/etc" "$root/var/lib" - mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers - if ! [ -e "$root/etc/os-release" ]; then - touch "$root/etc/os-release" + script = + '' + mkdir -p -m 0755 "$root/etc" "$root/var/lib" + mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers + if ! 
[ -e "$root/etc/os-release" ]; then + touch "$root/etc/os-release" + fi + + mkdir -p -m 0755 \ + "/nix/var/nix/profiles/per-container/$INSTANCE" \ + "/nix/var/nix/gcroots/per-container/$INSTANCE" + + cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf" + + if [ "$PRIVATE_NETWORK" = 1 ]; then + extraFlags+=" --network-veth" + if [ -n "$HOST_BRIDGE" ]; then + extraFlags+=" --network-bridge=$HOST_BRIDGE" fi + fi - mkdir -p -m 0755 \ - "/nix/var/nix/profiles/per-container/$INSTANCE" \ - "/nix/var/nix/gcroots/per-container/$INSTANCE" + for iface in $INTERFACES; do + extraFlags+=" --network-interface=$iface" + done - cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf" + for iface in $MACVLANS; do + extraFlags+=" --network-macvlan=$iface" + done - if [ "$PRIVATE_NETWORK" = 1 ]; then - extraFlags+=" --network-veth" + # If the host is 64-bit and the container is 32-bit, add a + # --personality flag. + ${optionalString (config.nixpkgs.system == "x86_64-linux") '' + if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then + extraFlags+=" --personality=x86" fi + ''} + + + + # Run systemd-nspawn without startup notification (we'll + # wait for the container systemd to signal readiness). 
+ EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \ + exec ${config.systemd.package}/bin/systemd-nspawn \ + --keep-unit \ + -M "$INSTANCE" -D "$root" $extraFlags \ + $EXTRA_NSPAWN_FLAGS \ + --bind-ro=/nix/store \ + --bind-ro=/nix/var/nix/db \ + --bind-ro=/nix/var/nix/daemon-socket \ + --bind=/run/systemd/notify:/var/lib/private/host-notify \ + --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ + --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ + --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ + --setenv HOST_BRIDGE="$HOST_BRIDGE" \ + --setenv HOST_ADDRESS="$HOST_ADDRESS" \ + --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ + --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \ + --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \ + --setenv PATH="$PATH" \ + ${containerInit} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" + ''; - for iface in $INTERFACES; do - extraFlags+=" --network-interface=$iface" - done - - for iface in $MACVLANS; do - extraFlags+=" --network-macvlan=$iface" - done - - # If the host is 64-bit and the container is 32-bit, add a - # --personality flag. - ${optionalString (config.nixpkgs.system == "x86_64-linux") '' - if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then - extraFlags+=" --personality=x86" - fi - ''} - - - - # Run systemd-nspawn without startup notification (we'll - # wait for the container systemd to signal readiness). 
- EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \ - exec ${config.systemd.package}/bin/systemd-nspawn \ - --keep-unit \ - -M "$INSTANCE" -D "$root" $extraFlags \ - $EXTRA_NSPAWN_FLAGS \ - --bind-ro=/nix/store \ - --bind-ro=/nix/var/nix/db \ - --bind-ro=/nix/var/nix/daemon-socket \ - --bind=/run/systemd/notify:/var/lib/private/host-notify \ - --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ - --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ - --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ - --setenv HOST_ADDRESS="$HOST_ADDRESS" \ - --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ - --setenv PATH="$PATH" \ - ${containerInit} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" - ''; - - postStart = - '' - if [ "$PRIVATE_NETWORK" = 1 ]; then + postStart = + '' + if [ "$PRIVATE_NETWORK" = 1 ]; then + if [ -z "$HOST_BRIDGE" ]; then ifaceHost=ve-$INSTANCE ip link set dev $ifaceHost up if [ -n "$HOST_ADDRESS" ]; then ip addr add $HOST_ADDRESS dev $ifaceHost fi + if [ -n "$HOST_ADDRESS6" ]; then + ip -6 addr add $HOST_ADDRESS6 dev $ifaceHost + fi if [ -n "$LOCAL_ADDRESS" ]; then ip route add $LOCAL_ADDRESS dev $ifaceHost fi + if [ -n "$LOCAL_ADDRESS6" ]; then + ip -6 route add $LOCAL_ADDRESS6 dev $ifaceHost + fi fi + fi - # Get the leader PID so that we can signal it in - # preStop. We can't use machinectl there because D-Bus - # might be shutting down. FIXME: in systemd 219 we can - # just signal systemd-nspawn to do a clean shutdown. - machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid" - ''; + # Get the leader PID so that we can signal it in + # preStop. We can't use machinectl there because D-Bus + # might be shutting down. FIXME: in systemd 219 we can + # just signal systemd-nspawn to do a clean shutdown. 
+ machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid" + ''; - preStop = - '' - pid="$(cat /run/containers/$INSTANCE.pid)" - if [ -n "$pid" ]; then - kill -RTMIN+4 "$pid" - fi - rm -f "/run/containers/$INSTANCE.pid" - ''; + preStop = + '' + pid="$(cat /run/containers/$INSTANCE.pid)" + if [ -n "$pid" ]; then + kill -RTMIN+4 "$pid" + fi + rm -f "/run/containers/$INSTANCE.pid" + ''; - restartIfChanged = false; - #reloadIfChanged = true; # FIXME + restartIfChanged = false; - serviceConfig = { - ExecReload = pkgs.writeScript "reload-container" - '' - #! ${pkgs.stdenv.shell} -e - ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \ - bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" - ''; + serviceConfig = { + ExecReload = pkgs.writeScript "reload-container" + '' + #! ${pkgs.stdenv.shell} -e + ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \ + bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" + ''; - SyslogIdentifier = "container %i"; + SyslogIdentifier = "container %i"; - EnvironmentFile = "-/etc/containers/%i.conf"; + EnvironmentFile = "-/etc/containers/%i.conf"; - Type = "notify"; + Type = "notify"; - NotifyAccess = "all"; + NotifyAccess = "all"; - # Note that on reboot, systemd-nspawn returns 133, so this - # unit will be restarted. On poweroff, it returns 0, so the - # unit won't be restarted. - RestartForceExitStatus = "133"; - SuccessExitStatus = "133"; + # Note that on reboot, systemd-nspawn returns 133, so this + # unit will be restarted. On poweroff, it returns 0, so the + # unit won't be restarted. + RestartForceExitStatus = "133"; + SuccessExitStatus = "133"; - Restart = "on-failure"; + Restart = "on-failure"; - # Hack: we don't want to kill systemd-nspawn, since we call - # "machinectl poweroff" in preStop to shut down the - # container cleanly. 
But systemd requires sending a signal - # (at least if we want remaining processes to be killed - # after the timeout). So send an ignored signal. - KillMode = "mixed"; - KillSignal = "WINCH"; - }; + # Hack: we don't want to kill systemd-nspawn, since we call + # "machinectl poweroff" in preStop to shut down the + # container cleanly. But systemd requires sending a signal + # (at least if we want remaining processes to be killed + # after the timeout). So send an ignored signal. + KillMode = "mixed"; + KillSignal = "WINCH"; }; + }; + in { + systemd.services = listToAttrs (filter (x: x.value != null) ( + # The generic container template used by imperative containers + [{ name = "container@"; value = unit; }] + # declarative containers + ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" ( + if cfg.autoStart then + unit // { + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = [ "network.target" ]; + restartTriggers = [ cfg.path ]; + reloadIfChanged = true; + } + else null + )) config.containers) + )); # Generate a configuration file in /etc/containers for each # container so that container@.target can get the container @@ -396,12 +462,21 @@ in SYSTEM_PATH=${cfg.path} ${optionalString cfg.privateNetwork '' PRIVATE_NETWORK=1 + ${optionalString (cfg.hostBridge != null) '' + HOST_BRIDGE=${cfg.hostBridge} + ''} ${optionalString (cfg.hostAddress != null) '' HOST_ADDRESS=${cfg.hostAddress} ''} + ${optionalString (cfg.hostAddress6 != null) '' + HOST_ADDRESS6=${cfg.hostAddress6} + ''} ${optionalString (cfg.localAddress != null) '' LOCAL_ADDRESS=${cfg.localAddress} ''} + ${optionalString (cfg.localAddress6 != null) '' + LOCAL_ADDRESS6=${cfg.localAddress6} + ''} ''} INTERFACES="${toString cfg.interfaces}" ${optionalString cfg.autoStart '' 
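Review bot: Nothing enforces the "Only one of hostAddress* or hostBridge can be given" rule the option description promises: when both are set, `postStart` skips the host-side addresses (`if [ -z "$HOST_BRIDGE" ]`), but `HOST_ADDRESS`/`HOST_ADDRESS6` are still passed into the container via `--setenv`, so the container init adds a default route through an address no host interface holds. An `assertions` entry in the `in { ... }` attrset this hunk introduces would reject such a configuration at evaluation time. The enclosing `config = mkIf (config.boot.enableContainers) (let` starts at the top of this hunk and its closing `});` is in the following hunk.
```nix
  in {
    assertions = mapAttrsToList (name: cfg: {
      assertion = cfg.hostBridge == null || (cfg.hostAddress == null && cfg.hostAddress6 == null);
      message = "containers.${name}: hostBridge cannot be combined with hostAddress or hostAddress6";
    }) config.containers;

    # … unchanged: systemd.services = listToAttrs (…) …
```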
@@ -420,31 +495,5 @@ in networking.dhcpcd.denyInterfaces = [ "ve-*" ]; environment.systemPackages = [ nixos-container ]; - - # Start containers at boot time. - systemd.services.all-containers = - { description = "All Containers"; - - wantedBy = [ "multi-user.target" ]; - - unitConfig.ConditionDirectoryNotEmpty = "/etc/containers"; - - serviceConfig.Type = "oneshot"; - - script = - '' - res=0 - shopt -s nullglob - for i in /etc/containers/*.conf; do - AUTO_START= - source "$i" - if [ "$AUTO_START" = 1 ]; then - systemctl start "container@$(basename "$i" .conf).service" || res=1 - fi - done - exit $res - ''; # */ - }; - - }; + }); } diff --git a/nixos/modules/virtualisation/ec2-amis.nix b/nixos/modules/virtualisation/ec2-amis.nix index e0aad5e42f20..5257aaf62025 100644 --- a/nixos/modules/virtualisation/ec2-amis.nix +++ b/nixos/modules/virtualisation/ec2-amis.nix 
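Review bot: `networking.dhcpcd.denyInterfaces = [ "ve-*" ];`, the context line at the top of this hunk, still excludes only the veth host side; the `preStart` in the previous hunk now also deletes `vb-$INSTANCE`, which suggests bridged containers get a host-side interface named `vb-*` that dhcpcd remains free to configure. If that naming is right, extend the exclusion to `networking.dhcpcd.denyInterfaces = [ "ve-*" "vb-*" ];`.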
@@ -90,40 +90,40 @@
 "15.09".us-west-2.pv-ebs = "ami-005fb160";
 "15.09".us-west-2.pv-s3 = "ami-cd55bbad";
- "16.03".ap-northeast-1.hvm-ebs = "ami-885040e6";
- "16.03".ap-northeast-1.hvm-s3 = "ami-d15a4abf";
- "16.03".ap-northeast-1.pv-ebs = "ami-7f455511";
- "16.03".ap-northeast-1.pv-s3 = "ami-6d7d6d03";
- "16.03".ap-southeast-1.hvm-ebs = "ami-478a5f24";
- "16.03".ap-southeast-1.hvm-s3 = "ami-b2885dd1";
- "16.03".ap-southeast-1.pv-ebs = "ami-55b46136";
- "16.03".ap-southeast-1.pv-s3 = "ami-92b762f1";
- "16.03".ap-southeast-2.hvm-ebs = "ami-26b09345";
- "16.03".ap-southeast-2.hvm-s3 = "ami-52ac8f31";
- "16.03".ap-southeast-2.pv-ebs = "ami-1fb3907c";
- "16.03".ap-southeast-2.pv-s3 = "ami-49b1922a";
- "16.03".eu-central-1.hvm-ebs = "ami-2bd63744";
- "16.03".eu-central-1.hvm-s3 = "ami-82d435ed";
- "16.03".eu-central-1.pv-ebs = "ami-b729c8d8";
- "16.03".eu-central-1.pv-s3 = "ami-a12dccce";
- "16.03".eu-west-1.hvm-ebs = "ami-87c242f4";
- "16.03".eu-west-1.hvm-s3 = "ami-b6c343c5";
- "16.03".eu-west-1.pv-ebs = "ami-6bc94918";
- "16.03".eu-west-1.pv-s3 = "ami-00cb4b73";
- "16.03".sa-east-1.hvm-ebs = "ami-845cd3e8";
- "16.03".sa-east-1.hvm-s3 = "ami-8142cded";
- "16.03".sa-east-1.pv-ebs = "ami-1643cc7a";
- "16.03".sa-east-1.pv-s3 = "ami-1646c97a";
- "16.03".us-east-1.hvm-ebs = "ami-2cc4d046";
- "16.03".us-east-1.hvm-s3 = "ami-9bc9ddf1";
- "16.03".us-east-1.pv-ebs = "ami-7df4e017";
- "16.03".us-east-1.pv-s3 = "ami-90f2e6fa";
- "16.03".us-west-1.hvm-ebs = "ami-d8116db8";
- "16.03".us-west-1.hvm-s3 = "ami-a7166ac7";
- "16.03".us-west-1.pv-ebs = "ami-e90c7089";
- "16.03".us-west-1.pv-s3 = "ami-5b0c703b";
- "16.03".us-west-2.hvm-ebs = "ami-b339ccd3";
- "16.03".us-west-2.hvm-s3 = "ami-2c3bce4c";
- "16.03".us-west-2.pv-ebs = "ami-0625d066";
- "16.03".us-west-2.pv-s3 = "ami-7414e114";
+ "16.03".ap-northeast-1.hvm-ebs = "ami-b6edf5d8";
+ "16.03".ap-northeast-1.hvm-s3 = "ami-b1e3fbdf";
+ "16.03".ap-northeast-1.pv-ebs = "ami-6190880f";
+ "16.03".ap-northeast-1.pv-s3 = "ami-908d95fe";
+ "16.03".ap-southeast-1.hvm-ebs = "ami-35b16656";
+ "16.03".ap-southeast-1.hvm-s3 = "ami-41be6922";
+ "16.03".ap-southeast-1.pv-ebs = "ami-4cb96e2f";
+ "16.03".ap-southeast-1.pv-s3 = "ami-3bb96e58";
+ "16.03".ap-southeast-2.hvm-ebs = "ami-debc91bd";
+ "16.03".ap-southeast-2.hvm-s3 = "ami-55bc9136";
+ "16.03".ap-southeast-2.pv-ebs = "ami-b38ba6d0";
+ "16.03".ap-southeast-2.pv-s3 = "ami-9e8ba6fd";
+ "16.03".eu-central-1.hvm-ebs = "ami-7c967413";
+ "16.03".eu-central-1.hvm-s3 = "ami-b29072dd";
+ "16.03".eu-central-1.pv-ebs = "ami-7a947615";
+ "16.03".eu-central-1.pv-s3 = "ami-729b791d";
+ "16.03".eu-west-1.hvm-ebs = "ami-ff27a98c";
+ "16.03".eu-west-1.hvm-s3 = "ami-6c21af1f";
+ "16.03".eu-west-1.pv-ebs = "ami-a33cb2d0";
+ "16.03".eu-west-1.pv-s3 = "ami-ec38b69f";
+ "16.03".sa-east-1.hvm-ebs = "ami-5bef6637";
+ "16.03".sa-east-1.hvm-s3 = "ami-55f87139";
+ "16.03".sa-east-1.pv-ebs = "ami-76e56c1a";
+ "16.03".sa-east-1.pv-s3 = "ami-e1f8718d";
+ "16.03".us-east-1.hvm-ebs = "ami-4bfd1926";
+ "16.03".us-east-1.hvm-s3 = "ami-60c5210d";
+ "16.03".us-east-1.pv-ebs = "ami-c0c92dad";
+ "16.03".us-east-1.pv-s3 = "ami-f9d63294";
+ "16.03".us-west-1.hvm-ebs = "ami-13aad473";
+ "16.03".us-west-1.hvm-s3 = "ami-e1a8d681";
+ "16.03".us-west-1.pv-ebs = "ami-c0a6d8a0";
+ "16.03".us-west-1.pv-s3 = "ami-6aa9d70a";
+ "16.03".us-west-2.hvm-ebs = "ami-265dad46";
+ "16.03".us-west-2.hvm-s3 = "ami-cd40b0ad";
+ "16.03".us-west-2.pv-ebs = "ami-7b4aba1b";
+ "16.03".us-west-2.pv-s3 = "ami-0849b968";
 }
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 77074b882468..38417315df5b 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -66,10 +66,10 @@ in # Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ + chroot /mnt ${config.nix.package.out}/bin/nix-env \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ --option build-users-group "" diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 7dfbc38efee6..8aa643687557 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -149,11 +149,11 @@ let ${pkgs.mtools}/bin/mlabel -i /dev/vda2 ::boot # Mount /boot; load necessary modules first. - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko.xz || true mkdir /boot mount /dev/vda2 /boot 
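Review bot: The five `insmod` lines in the qemu-vm hunk now hard-code the `.ko.xz` suffix, and each still ends in `|| true`, so if `pkgs.linux` ever ships its modules uncompressed or with a different compression the loads fail silently and the `mount /dev/vda2 /boot` two lines later is the first visible error. A glob on the suffix, e.g. `${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko* || true`, keeps the script working for either layout at no cost; the same applies to the other four lines.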
@@ -403,7 +403,7 @@ in boot.postBootCommands = '' if [[ "$(cat /proc/cmdline)" =~ regInfo=([^ ]*) ]]; then - ${config.nix.package}/bin/nix-store --load-db < ''${BASH_REMATCH[1]} + ${config.nix.package.out}/bin/nix-store --load-db < ''${BASH_REMATCH[1]} fi ''; |