Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/i18n/input-method/default.xml | 12 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/backup/restic.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/development/bloop.nix | 37 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 85 | ||||
-rw-r--r-- | nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix | 7 | ||||
-rw-r--r-- | nixos/modules/services/networking/unbound.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/zerotierone.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/system/dbus.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/tt-rss.nix | 40 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/virtlyst.nix | 72 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/lighttpd/cgit.nix | 28 | ||||
-rw-r--r-- | nixos/modules/system/boot/resolved.nix | 2 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/zfs.nix | 7 |
14 files changed, 280 insertions, 29 deletions
diff --git a/nixos/modules/i18n/input-method/default.xml b/nixos/modules/i18n/input-method/default.xml index 76ffa8cb7e37..eb75b7415c9c 100644 --- a/nixos/modules/i18n/input-method/default.xml +++ b/nixos/modules/i18n/input-method/default.xml @@ -68,6 +68,18 @@ ibus.engines = with pkgs.ibus-engines; [ table table-others ]; <para>To use any input method, the package must be added in the configuration, as shown above, and also (after running <literal>nixos-rebuild</literal>) the input method must be added from IBus' preference dialog.</para> + +<simplesect> + <title>Troubleshooting</title> + <para>If IBus works in some applications but not others, a likely cause of + this is that IBus is depending on a different version of + <literal>glib</literal> to what the applications are depending on. This can + be checked by running <literal>nix-store -q --requisites <path> | grep + glib</literal>, where <literal><path></literal> is the path of either + IBus or an application in the Nix store. The <literal>glib</literal> + packages must match exactly. If they do not, uninstalling and reinstalling + the application is a likely fix.</para> +</simplesect> </section> <section><title>Fcitx</title> diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 193ef0d1c961..ea996acebb20 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -242,6 +242,7 @@ ./services/desktops/gnome3/tracker-miners.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/telepathy.nix + ./services/development/bloop.nix ./services/development/hoogle.nix ./services/editors/emacs.nix ./services/editors/infinoted.nix @@ -486,6 +487,7 @@ ./services/networking/flannel.nix ./services/networking/flashpolicyd.nix ./services/networking/freenet.nix + ./services/networking/freeradius.nix ./services/networking/gale.nix ./services/networking/gateone.nix ./services/networking/gdomap.nix 
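Review bot: The second module-list.nix hunk adds `./services/networking/freeradius.nix`, but no file by that name appears in this commit's diffstat, which covers all of nixos/modules, so if it is not already present in the tree the module list stops evaluating with a missing-path error. If this is a merge and freeradius.nix arrives through the other parent, disregard; otherwise the entry should land together with the module it references.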
@@ -662,6 +664,7 @@ ./services/web-apps/tt-rss.nix ./services/web-apps/selfoss.nix ./services/web-apps/quassel-webserver.nix + ./services/web-apps/virtlyst.nix ./services/web-apps/youtrack.nix ./services/web-servers/apache-httpd/default.nix ./services/web-servers/caddy.nix diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index 21d82469c605..2d14762e8685 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -14,7 +14,15 @@ with lib; Read the repository password from a file. ''; example = "/etc/nixos/restic-password"; + }; + s3CredentialsFile = mkOption { + type = with types; nullOr str; + description = '' + file containing the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY + for an S3-hosted repository, in the format of an EnvironmentFile + as described by systemd.exec(5) + ''; }; repository = mkOption { @@ -134,6 +142,8 @@ with lib; Type = "oneshot"; ExecStart = "${resticCmd} backup ${concatStringsSep " " backup.extraBackupArgs} ${concatStringsSep " " backup.paths}"; User = backup.user; + } // optionalAttrs (backup.s3CredentialsFile != null) { + EnvironmentFile = backup.s3CredentialsFile; }; } // optionalAttrs backup.initialize { preStart = '' diff --git a/nixos/modules/services/development/bloop.nix b/nixos/modules/services/development/bloop.nix new file mode 100644 index 000000000000..56904b7c40e6 --- /dev/null +++ b/nixos/modules/services/development/bloop.nix 
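Review bot: The new `s3CredentialsFile` option in restic.nix declares `type = with types; nullOr str;` without a `default`, yet the second restic hunk evaluates `backup.s3CredentialsFile != null` for every backup, so an existing `services.restic.backups.<name>` that never sets the option presumably fails evaluation as "used but not defined"; add `default = null;` under the type. The description should also state what is expected of the file, since systemd reads it as root when the unit starts: it must live outside the Nix store (a store path is world-readable), be root-owned with mode 0600, and contain only the two `KEY=value` lines.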
@@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.bloop; + +in { + + options.services.bloop = { + install = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install a user service for the Bloop server. + + The service must be manually started for each user with + "systemctl --user start bloop". + ''; + }; + }; + + config = mkIf (cfg.install) { + systemd.user.services.bloop = { + description = "Bloop Scala build server"; + + serviceConfig = { + Type = "simple"; + ExecStart = ''${pkgs.bloop}/bin/blp-server''; + Restart = "always"; + }; + }; + + environment.systemPackages = [ pkgs.bloop ]; + }; +} diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 816234506593..4e51725b19de 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -9,18 +9,11 @@ let # /var/lib/misc is for dnsmasq.leases. stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc"; - dns = - if cfg.dns == "none" then "none" - else if cfg.dns == "dnsmasq" then "dnsmasq" - else if config.services.resolved.enable then "systemd-resolved" - else if config.services.unbound.enable then "unbound" - else "default"; - configFile = writeText "NetworkManager.conf" '' [main] plugins=keyfile dhcp=${cfg.dhcp} - dns=${dns} + dns=${cfg.dns} [keyfile] ${optionalString (cfg.unmanaged != []) 
@@ -217,19 +210,73 @@ in { }; dns = mkOption { - type = types.enum [ "auto" "dnsmasq" "none" ]; - default = "auto"; + type = types.enum [ "default" "dnsmasq" "unbound" "systemd-resolved" "none" ]; + default = "default"; description = '' + Set the DNS (<literal>resolv.conf</literal>) processing mode. + </para> + <para> Options: - - auto: Check for systemd-resolved, unbound, or use default. - - dnsmasq: - Enable NetworkManager's dnsmasq integration. NetworkManager will run - dnsmasq as a local caching nameserver, using a "split DNS" - configuration if you are connected to a VPN, and then update - resolv.conf to point to the local nameserver. - - none: - Disable NetworkManager's DNS integration completely. - It will not touch your /etc/resolv.conf. + <variablelist> + <varlistentry> + <term><literal>"default"</literal></term> + <listitem><para> + NetworkManager will update <literal>/etc/resolv.conf</literal> to + reflect the nameservers provided by currently active connections. + </para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"dnsmasq"</literal></term> + <listitem> + <para> + Enable NetworkManager's dnsmasq integration. NetworkManager will + run dnsmasq as a local caching nameserver, using a "split DNS" + configuration if you are connected to a VPN, and then update + <literal>resolv.conf</literal> to point to the local nameserver. + </para> + <para> + It is possible to pass custom options to the dnsmasq instance by + adding them to files in the + <literal>/etc/NetworkManager/dnsmasq.d/</literal> directory. + </para> + <para> + When multiple upstream servers are available, dnsmasq will + initially contact them in parallel and then use the fastest to + respond, probing again other servers after some time. This + behavior can be modified passing the + <literal>all-servers</literal> or <literal>strict-order</literal> + options to dnsmasq (see the manual page for more details). 
+ </para> + <para> + Note that this option causes NetworkManager to launch and manage + its own instance of the dnsmasq daemon, which is + <emphasis>not</emphasis> the same as setting + <literal>services.dnsmasq.enable = true;</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>"unbound"</literal></term> + <listitem><para> + NetworkManager will talk to unbound and dnssec-triggerd, + providing a "split DNS" configuration with DNSSEC support. + <literal>/etc/resolv.conf</literal> will be managed by + dnssec-trigger daemon. + </para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"systemd-resolved"</literal></term> + <listitem><para> + NetworkManager will push the DNS configuration to systemd-resolved. + </para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"none"</literal></term> + <listitem><para> + NetworkManager will not modify resolv.conf. + </para></listitem> + </varlistentry> + </variablelist> ''; }; diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index ad211f41eef0..b16d299917fe 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -938,9 +938,12 @@ in { protection. ''; - hw_offload = mkYesNoParam no '' + hw_offload = mkEnumParam ["yes" "no" "auto"] "no" '' Enable hardware offload for this CHILD_SA, if supported by the IPsec - implementation. + implementation. The value <literal>yes</literal> enforces offloading + and the installation will fail if it's not supported by either kernel or + device. The value <literal>auto</literal> enables offloading, if it's + supported, but the installation does not fail otherwise. ''; start_action = mkEnumParam ["none" "trap" "start"] "none" '' 
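Review bot: The `dns` option in networkmanager.nix drops the `"auto"` enum value (the previous default) without a `mkRenamedOptionModule`/`mkChangedOptionModule` or a release note, so any configuration that set `networking.networkmanager.dns = "auto"` explicitly now fails type checking. The replacement for the removed auto-detection — `networking.networkmanager.dns = "unbound";` in unbound.nix and `networking.networkmanager.dns = "systemd-resolved";` in resolved.nix — assigns a `types.enum` option from two modules at normal priority, and an enum cannot merge differing values, so enabling both unbound and resolved (which the old expression handled by preferring resolved) or choosing `"dnsmasq"` while either is enabled now yields a conflicting-definitions error. Using `mkDefault` in both modules, e.g. `networking.networkmanager.dns = mkDefault "unbound";`, at least lets users override; the both-enabled case still needs an explicit priority order.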
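Review bot: Changing `hw_offload` from `mkYesNoParam no` to `mkEnumParam ["yes" "no" "auto"] "no"` presumably changes the option's accepted values from whatever form the other `mkYesNoParam` parameters take to a plain string enum, so a configuration that set `hw_offload = yes;` (the helper's definition is outside this hunk) would now be rejected by the enum type. If that is intended, a release note for the changed type would help; otherwise accepting the old value alongside the new `"auto"` keeps existing swanctl configurations evaluating.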
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 07936faaa133..1a35979ad44c 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -131,6 +131,9 @@ in }; }; + # If networkmanager is enabled, ask it to interface with unbound. + networking.networkmanager.dns = "unbound"; + }; } diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix index cd1617b8e2ba..4c1ee75d536c 100644 --- a/nixos/modules/services/networking/zerotierone.nix +++ b/nixos/modules/services/networking/zerotierone.nix @@ -47,7 +47,7 @@ in }; # ZeroTier does not issue DHCP leases, but some strangers might... - networking.dhcpcd.denyInterfaces = [ "zt0" ]; + networking.dhcpcd.denyInterfaces = [ "zt*" ]; # ZeroTier receives UDP transmissions on port 9993 by default networking.firewall.allowedUDPPorts = [ 9993 ]; diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index 643bec188142..248df7351a8c 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -100,6 +100,7 @@ in # Don't restart dbus-daemon. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ configDir ]; + environment = { LD_LIBRARY_PATH = config.system.nssModules.path; }; }; systemd.user = { diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index 610c6463a5eb..1646ee5964fb 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -76,6 +76,8 @@ let define('SMTP_FROM_NAME', '${escape ["'" "\\"] cfg.email.fromName}'); define('SMTP_FROM_ADDRESS', '${escape ["'" "\\"] cfg.email.fromAddress}'); define('DIGEST_SUBJECT', '${escape ["'" "\\"] cfg.email.digestSubject}'); + + ${cfg.extraConfig} ''; in { 
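Review bot: The added `environment = { LD_LIBRARY_PATH = config.system.nssModules.path; };` on the system dbus unit carries no comment saying why dbus-daemon needs it, and its reach is wider than dbus-daemon: services the bus activates directly inherit the daemon's environment, so the NSS module directory presumably becomes the first library search path for every bus-activated service and shadows any same-named library there. Because the entries are Nix store paths the exposure is limited to name collisions rather than to a writable directory, but that reasoning belongs in the file; I would add above the line `# dbus-daemon resolves user/group names itself, so the configured NSS modules must be loadable. Bus-activated services inherit this environment.`, and check whether the path can be confined to dbus-daemon's own process instead of the unit environment.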
@@ -431,6 +433,26 @@ let ''; }; + pluginPackages = mkOption { + type = types.listOf types.package; + default = []; + description = '' + List of plugins to install. The list elements are expected to + be derivations. All elements in this derivation are automatically + copied to the <literal>plugins.local</literal> directory. + ''; + }; + + themePackages = mkOption { + type = types.listOf types.package; + default = []; + description = '' + List of themes to install. The list elements are expected to + be derivations. All elements in this derivation are automatically + copied to the <literal>themes.local</literal> directory. + ''; + }; + logDestination = mkOption { type = types.enum ["" "sql" "syslog"]; default = "sql"; @@ -441,6 +463,14 @@ let error.log). ''; }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Additional lines to append to <literal>config.php</literal>. + ''; + }; }; }; @@ -517,6 +547,16 @@ let rm -rf "${cfg.root}/*" mkdir -m 755 -p "${cfg.root}" cp -r "${pkgs.tt-rss}/"* "${cfg.root}" + ${optionalString (cfg.pluginPackages != []) '' + for plugin in ${concatStringsSep " " cfg.pluginPackages}; do + cp -r "$plugin"/* "${cfg.root}/plugins.local/" + done + ''} + ${optionalString (cfg.themePackages != []) '' + for theme in ${concatStringsSep " " cfg.themePackages}; do + cp -r "$theme"/* "${cfg.root}/themes.local/" + done + ''} ln -sf "${tt-rss-config}" "${cfg.root}/config.php" chown -R "${cfg.user}" "${cfg.root}" chmod -R 755 "${cfg.root}" diff --git a/nixos/modules/services/web-apps/virtlyst.nix b/nixos/modules/services/web-apps/virtlyst.nix new file mode 100644 index 000000000000..2fc67435ce82 --- /dev/null +++ b/nixos/modules/services/web-apps/virtlyst.nix 
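Review bot: The install loops in the last tt-rss hunk use `cp -r "$plugin"/* "${cfg.root}/plugins.local/"`, which leaves the `*` unexpanded (and so fails, aborting the pre-start script) when a plugin package's output has no non-hidden top-level entries, and silently skips dot-files in any case; `cp -r "$plugin"/. "${cfg.root}/plugins.local/"` and likewise `cp -r "$theme"/. "${cfg.root}/themes.local/"` copy the whole tree without relying on globbing. The copied code then falls under the existing `chown -R "${cfg.user}"` and `chmod -R 755`, so plugin and theme PHP becomes writable by `cfg.user` — presumably the account the application itself runs as — which deserves a sentence in the `pluginPackages`/`themePackages` descriptions (where "All elements in this derivation" should also read "in these derivations").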
@@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.virtlyst; + stateDir = "/var/lib/virtlyst"; + + ini = pkgs.writeText "virtlyst-config.ini" '' + [wsgi] + master = true + threads = auto + http-socket = ${cfg.httpSocket} + application = ${pkgs.virtlyst}/lib/libVirtlyst.so + chdir2 = ${stateDir} + static-map = /static=${pkgs.virtlyst}/root/static + + [Cutelyst] + production = true + DatabasePath = virtlyst.sqlite + TemplatePath = ${pkgs.virtlyst}/root/src + + [Rules] + cutelyst.* = true + virtlyst.* = true + ''; + +in + +{ + + options.services.virtlyst = { + enable = mkEnableOption "Virtlyst libvirt web interface"; + + adminPassword = mkOption { + type = types.str; + description = '' + Initial admin password with which the database will be seeded. + ''; + }; + + httpSocket = mkOption { + type = types.str; + default = "localhost:3000"; + description = '' + IP and/or port to which to bind the http socket. + ''; + }; + }; + + config = mkIf cfg.enable { + users.extraUsers.virtlyst = { + home = stateDir; + createHome = true; + group = mkIf config.virtualisation.libvirtd.enable "libvirtd"; + }; + + systemd.services.virtlyst = { + wantedBy = [ "multi-user.target" ]; + environment = { + VIRTLYST_ADMIN_PASSWORD = cfg.adminPassword; + }; + serviceConfig = { + ExecStart = "${pkgs.cutelyst}/bin/cutelyst-wsgi2 --ini ${ini}"; + User = "virtlyst"; + WorkingDirectory = stateDir; + }; + }; + }; + +} diff --git a/nixos/modules/services/web-servers/lighttpd/cgit.nix b/nixos/modules/services/web-servers/lighttpd/cgit.nix index 710fecc0c05c..e6a054c296dc 100644 --- a/nixos/modules/services/web-servers/lighttpd/cgit.nix +++ b/nixos/modules/services/web-servers/lighttpd/cgit.nix 
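Review bot: `VIRTLYST_ADMIN_PASSWORD = cfg.adminPassword;` in the new virtlyst.nix places the initial admin password in the unit's environment, so it is written into the generated unit file in the world-readable Nix store and is shown by `systemctl show -p Environment virtlyst` to any local user. This same commit already uses the safer pattern in restic.nix (`s3CredentialsFile` passed through `EnvironmentFile`); virtlyst should offer a file-based option in the same way and document that the plain option leaks. `adminPassword` also has no `default`, so it is effectively mandatory; making it nullable lets the file variant stand in for it. A sketch of both option and unit changes follows.
```nix
    adminPassword = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Initial admin password with which the database will be seeded.
        The value ends up in the Nix store and in the unit's environment,
        readable by every local user; prefer adminPasswordFile.
      '';
    };

    adminPasswordFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        File containing VIRTLYST_ADMIN_PASSWORD=... in the EnvironmentFile
        format of systemd.exec(5), kept outside the Nix store.
      '';
    };
    # … unchanged: httpSocket option …

    systemd.services.virtlyst = {
      wantedBy = [ "multi-user.target" ];
      environment = optionalAttrs (cfg.adminPassword != null) {
        VIRTLYST_ADMIN_PASSWORD = cfg.adminPassword;
      };
      serviceConfig = {
        ExecStart = "${pkgs.cutelyst}/bin/cutelyst-wsgi2 --ini ${ini}";
        User = "virtlyst";
        WorkingDirectory = stateDir;
      } // optionalAttrs (cfg.adminPasswordFile != null) {
        EnvironmentFile = cfg.adminPasswordFile;
      };
    };
```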
@@ -4,8 +4,15 @@ with lib; let cfg = config.services.lighttpd.cgit; + pathPrefix = if stringLength cfg.subdir == 0 then "" else "/" + cfg.subdir; configFile = pkgs.writeText "cgitrc" '' + # default paths to static assets + css=${pathPrefix}/cgit.css + logo=${pathPrefix}/cgit.png + favicon=${pathPrefix}/favicon.ico + + # user configuration ${cfg.configText} ''; in @@ -18,8 +25,17 @@ in type = types.bool; description = '' If true, enable cgit (fast web interface for git repositories) as a - sub-service in lighttpd. cgit will be accessible at - http://yourserver/cgit + sub-service in lighttpd. + ''; + }; + + subdir = mkOption { + default = "cgit"; + example = ""; + type = types.str; + description = '' + The subdirectory in which to serve cgit. The web application will be + accessible at http://yourserver/''${subdir} ''; }; @@ -48,14 +64,14 @@ in services.lighttpd.enableModules = [ "mod_cgi" "mod_alias" "mod_setenv" ]; services.lighttpd.extraConfig = '' - $HTTP["url"] =~ "^/cgit" { + $HTTP["url"] =~ "^/${cfg.subdir}" { cgi.assign = ( "cgit.cgi" => "${pkgs.cgit}/cgit/cgit.cgi" ) alias.url = ( - "/cgit.css" => "${pkgs.cgit}/cgit/cgit.css", - "/cgit.png" => "${pkgs.cgit}/cgit/cgit.png", - "/cgit" => "${pkgs.cgit}/cgit/cgit.cgi" + "${pathPrefix}/cgit.css" => "${pkgs.cgit}/cgit/cgit.css", + "${pathPrefix}/cgit.png" => "${pkgs.cgit}/cgit/cgit.png", + "${pathPrefix}" => "${pkgs.cgit}/cgit/cgit.cgi" ) setenv.add-environment = ( "CGIT_CONFIG" => "${configFile}" diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 4d9de020c84e..e1095fb988eb 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -147,6 +147,8 @@ in ${config.services.resolved.extraConfig} ''; + # If networkmanager is enabled, ask it to interface with resolved. + networking.networkmanager.dns = "systemd-resolved"; }; } 
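Review bot: In cgit.nix the new `subdir` value is interpolated unescaped into the lighttpd regex `$HTTP["url"] =~ "^/${cfg.subdir}"` and into the `alias.url` prefix `"${pathPrefix}"`, so regex metacharacters in the value change which URLs the block captures, and the prefix, lacking a terminating `/` or `$`, also claims sibling paths that merely begin with the same text (the old hard-coded `^/cgit` had that property too, but the text is now user-chosen). With the documented `example = ""` the rule becomes `"^/"` and the alias key `""`, which routes the entire vhost to `cgit.cgi`; that is a reasonable dedicated-host mode but should be stated in the option description. For the regex, escape the prefix before interpolation with the same `escape` helper the tt-rss hunk uses, e.g. `prefixRe = escape [ "." "+" "*" "?" "[" "]" "(" ")" "^" "$" "|" "\\" ] pathPrefix;` and match on `"^${prefixRe}(/|$)"`, which keeps the empty-subdir case matching everything while stopping `/cgitfoo` from matching `cgit`.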
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index b8a420b7d745..bfcd81d62159 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -171,8 +171,12 @@ in default = config.boot.zfs.enableUnstable; description = '' Request encryption keys or passwords for all encrypted datasets on import. - Dataset encryption is only supported in zfsUnstable at the moment. + For root pools the encryption key can be supplied via both an + interactive prompt (keylocation=prompt) and from a file + (keylocation=file://). Note that for data pools the encryption key can + be only loaded from a file and not via interactive prompt since the + import is processed in a background systemd service. ''; }; @@ -394,6 +398,7 @@ in script = '' zpool_cmd="${packages.zfsUser}/sbin/zpool" ("$zpool_cmd" list "${pool}" >/dev/null) || "$zpool_cmd" import -d ${cfgZfs.devNodes} -N ${optionalString cfgZfs.forceImportAll "-f"} "${pool}" + ${optionalString cfgZfs.requestEncryptionCredentials "\"${packages.zfsUser}/sbin/zfs\" load-key -r \"${pool}\""} ''; }; |
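Review bot: The added `zfs load-key -r "${pool}"` line has no guard for datasets whose `keylocation` is `prompt`: as the new option description itself admits, such a key makes the command wait for a password on stdin inside a background unit, so the import service hangs or fails instead of simply leaving that dataset locked. Restricting the call to datasets with a file keylocation, or documenting that `requestEncryptionCredentials` must stay off for data pools that use prompts, would avoid that. Also, if `load-key -r` returns non-zero for keys that are already loaded — the case when the `zpool list` check above finds the pool already imported — a second start of the unit would fail; that depends on the shipped zfs version and is worth verifying.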