Diffstat (limited to 'nixos')
45 files changed, 746 insertions, 332 deletions
diff --git a/nixos/doc/manual/development/sources.xml b/nixos/doc/manual/development/sources.xml index 879a31e32c59..fd0b0109b322 100644 --- a/nixos/doc/manual/development/sources.xml +++ b/nixos/doc/manual/development/sources.xml 
@@ -11,35 +11,25 @@ uses the NixOS and Nixpkgs sources provided by the <literal>nixos-unstable</literal> channel (kept in <filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>). To modify NixOS, however, you should check out the latest sources from -Git. This is done using the following command: +Git. This is as follows: <screen> -$ nixos-checkout <replaceable>/my/sources</replaceable> -</screen> - -or - -<screen> -$ mkdir -p <replaceable>/my/sources</replaceable> -$ cd <replaceable>/my/sources</replaceable> -$ nix-env -i git $ git clone git://github.com/NixOS/nixpkgs.git $ cd nixpkgs $ git remote add channels git://github.com/NixOS/nixpkgs-channels.git $ git remote update channels </screen> -This will check out the latest NixOS sources to -<filename><replaceable>/my/sources</replaceable>/nixpkgs/nixos</filename> -and the Nixpkgs sources to -<filename><replaceable>/my/sources</replaceable>/nixpkgs</filename>. -(The NixOS source tree lives in a subdirectory of the Nixpkgs -repository.) The remote <literal>channels</literal> refers to a -read-only repository that tracks the Nixpkgs/NixOS channels (see <xref -linkend="sec-upgrading"/> for more information about channels). Thus, -the Git branch <literal>channels/nixos-14.12</literal> will contain -the latest built and tested version available in the -<literal>nixos-14.12</literal> channel.</para> +This will check out the latest Nixpkgs sources to +<filename>./nixpkgs</filename> the NixOS sources to +<filename>./nixpkgs/nixos</filename>. (The NixOS source tree lives in +a subdirectory of the Nixpkgs repository.) The remote +<literal>channels</literal> refers to a read-only repository that +tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/> +for more information about channels). 
Thus, the Git branch +<literal>channels/nixos-14.12</literal> will contain the latest built +and tested version available in the <literal>nixos-14.12</literal> +channel.</para> <para>It’s often inconvenient to develop directly on the master branch, since if somebody has just committed (say) a change to GCC, diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index caf0ab4c07b5..63666c99b230 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -81,14 +81,14 @@ pkgs.vmTools.runInLinuxVM ( # Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" # Add missing size/hash fields to the database. FIXME: # exportReferencesGraph should provide these directly. - chroot /mnt ${config.nix.package}/bin/nix-store --verify --check-contents + chroot /mnt ${config.nix.package.out}/bin/nix-store --verify --check-contents # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env --option build-users-group "" \ + chroot /mnt ${config.nix.package.out}/bin/nix-env --option build-users-group "" \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} # `nixos-rebuild' requires an /etc/NIXOS. diff --git a/nixos/modules/hardware/video/webcam/facetimehd.nix b/nixos/modules/hardware/video/webcam/facetimehd.nix index b35709763b90..2a2fcf3057d4 100644 --- a/nixos/modules/hardware/video/webcam/facetimehd.nix +++ b/nixos/modules/hardware/video/webcam/facetimehd.nix 
@@ -31,13 +31,13 @@ in # unload module during suspend/hibernate as it crashes the whole system powerManagement.powerDownCommands = '' - ${pkgs.module_init_tools}/bin/rmmod -f facetimehd + ${pkgs.kmod}/bin/lsmod | ${pkgs.gnugrep}/bin/grep -q "^facetimehd" && ${pkgs.kmod}/bin/rmmod -f -v facetimehd ''; # and load it back on resume powerManagement.resumeCommands = '' export MODULE_DIR=/run/current-system/kernel-modules/lib/modules - ${pkgs.module_init_tools}/bin/modprobe -v facetimehd + ${pkgs.kmod}/bin/modprobe -v facetimehd ''; }; diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index 1e5e2b2615c8..cd6e72755dea 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -34,7 +34,7 @@ in if ! [ -e /var/lib/nixos/did-channel-init ]; then echo "unpacking the NixOS/Nixpkgs sources..." mkdir -p /nix/var/nix/profiles/per-user/root - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ -i ${channelSources} --quiet --option build-use-substitutes false mkdir -m 0700 -p /root/.nix-defexpr ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 5702e2d9a1e5..c31ded977e68 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix 
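Review bot: The new `powerDownCommands` line is an `lsmod | grep -q … && rmmod …` list, so whenever the module is not loaded the list's exit status is 1, and if this snippet ends up as the last command of the generated pre-sleep script (the assembly of that script is outside this hunk) the script itself reports failure for a perfectly normal suspend. Writing it as an `if` avoids that: `if ${pkgs.kmod}/bin/lsmod | ${pkgs.gnugrep}/bin/grep -q "^facetimehd "; then ${pkgs.kmod}/bin/rmmod -f -v facetimehd; fi`. The trailing space in the pattern also keeps `^facetimehd` from matching a differently named module that merely shares the prefix. `rmmod -f` itself is pre-existing, but a short comment that forced unload is the only way around the crash mentioned above would help the next reader.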
@@ -364,12 +364,12 @@ in '' # After booting, register the contents of the Nix store on the # CD in the Nix database in the tmpfs. - ${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration + ${config.nix.package.out}/bin/nix-store --load-db < /nix/store/nix-path-registration # nixos-rebuild also requires a "system" profile and an # /etc/NIXOS tag. touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ''; # Add vfat support to the initrd to enable people to copy the diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix index 9eba542d8c91..23312c073d56 100644 --- a/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixos/modules/installer/cd-dvd/sd-image.nix @@ -113,11 +113,11 @@ in ${pkgs.e2fsprogs}/bin/resize2fs $rootPart # Register the contents of the initial Nix store - ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration + ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag. touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system # Prevents this from running on later boots. rm -f /nix-path-registration diff --git a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix index 6fe490b02bf4..d984cb307170 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix 
@@ -52,8 +52,7 @@ in # Include some utilities that are useful for installing or repairing # the system. environment.systemPackages = - [ pkgs.subversion # for nixos-checkout - pkgs.w3m # needed for the manual anyway + [ pkgs.w3m # needed for the manual anyway pkgs.testdisk # useful for repairing boot problems pkgs.mssys # for writing Microsoft boot sectors / MBRs pkgs.parted diff --git a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 7badfcb8df22..9e733241993d 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -49,8 +49,7 @@ in # Include some utilities that are useful for installing or repairing # the system. environment.systemPackages = - [ pkgs.subversion # for nixos-checkout - pkgs.w3m # needed for the manual anyway + [ pkgs.w3m # needed for the manual anyway pkgs.ddrescue pkgs.ccrypt pkgs.cryptsetup # needed for dm-crypt volumes diff --git a/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixos/modules/installer/cd-dvd/system-tarball.nix index 90e9b98a4575..1962a1959ead 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball.nix @@ -78,14 +78,14 @@ in # After booting, register the contents of the Nix store on the # CD in the Nix database in the tmpfs. if [ -f /nix-path-registration ]; then - ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration && + ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration && rm /nix-path-registration fi # nixos-rebuild also requires a "system" profile and an # /etc/NIXOS tag. touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ''; }; 
diff --git a/nixos/modules/installer/tools/auto-upgrade.nix b/nixos/modules/installer/tools/auto-upgrade.nix index 79ccb5c3d18a..b21b80c666aa 100644 --- a/nixos/modules/installer/tools/auto-upgrade.nix +++ b/nixos/modules/installer/tools/auto-upgrade.nix @@ -78,7 +78,7 @@ let cfg = config.system.autoUpgrade; in HOME = "/root"; }; - path = [ pkgs.gnutar pkgs.xz.bin config.nix.package ]; + path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ]; script = '' ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch ${toString cfg.flags} diff --git a/nixos/modules/installer/tools/nixos-checkout.nix b/nixos/modules/installer/tools/nixos-checkout.nix deleted file mode 100644 index 07274e139f7d..000000000000 --- a/nixos/modules/installer/tools/nixos-checkout.nix +++ /dev/null 
@@ -1,60 +0,0 @@ -# This module generates the nixos-checkout script, which performs a -# checkout of the Nixpkgs Git repository. - -{ config, lib, pkgs, ... }: - -with lib; - -let - - nixosCheckout = pkgs.substituteAll { - name = "nixos-checkout"; - dir = "bin"; - isExecutable = true; - src = pkgs.writeScript "nixos-checkout" - '' - #! ${pkgs.stdenv.shell} -e - - if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - echo "Usage: `basename $0` [PREFIX]. See NixOS Manual for more info." - exit 0 - fi - - prefix="$1" - if [ -z "$prefix" ]; then prefix=/etc/nixos; fi - mkdir -p "$prefix" - cd "$prefix" - - if [ -z "$(type -P git)" ]; then - echo "installing Git..." - nix-env -iA nixos.git - fi - - # Move any old nixpkgs directories out of the way. - backupTimestamp=$(date "+%Y%m%d%H%M%S") - - if [ -e nixpkgs -a ! -e nixpkgs/.git ]; then - mv nixpkgs nixpkgs-$backupTimestamp - fi - - # Check out the Nixpkgs sources. - if ! [ -e nixpkgs/.git ]; then - echo "Creating repository in $prefix/nixpkgs..." - git init --quiet nixpkgs - else - echo "Updating repository in $prefix/nixpkgs..." - fi - cd nixpkgs - git remote add origin git://github.com/NixOS/nixpkgs.git || true - git remote add channels git://github.com/NixOS/nixpkgs-channels.git || true - git remote set-url origin --push git@github.com:NixOS/nixpkgs.git - git remote update - git checkout master - ''; - }; - -in - -{ - environment.systemPackages = [ nixosCheckout ]; -} diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index cd30958d9e8a..5ecdcdb3cdb5 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh 
@@ -271,7 +271,7 @@ remotePATH= if [ -n "$buildNix" ]; then echo "building Nix..." >&2 nixDrv= - if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then + if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then nixStorePath="$(prebuiltNix "$(uname -m)")" diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 9ac3b7a5b16f..b8fd9deaf1e4 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -22,17 +22,17 @@ let src = ./nixos-install.sh; inherit (pkgs) perl pathsFromGraph; - nix = config.nix.package; + nix = config.nix.package.out; nixClosure = pkgs.runCommand "closure" - { exportReferencesGraph = ["refs" config.nix.package]; } + { exportReferencesGraph = ["refs" config.nix.package.out]; } "cp refs $out"; }; nixos-rebuild = makeProg { name = "nixos-rebuild"; src = ./nixos-rebuild.sh; - nix = config.nix.package; + nix = config.nix.package.out; }; nixos-generate-config = makeProg { diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 9e6bbc744381..684ca132bc74 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -263,6 +263,7 @@ caddy = 239; taskd = 240; factorio = 241; + emby = 242; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -497,6 +498,7 @@ caddy = 239; taskd = 240; factorio = 241; + emby = 242; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index bb8fa48105ac..b238003dd0ca 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -47,7 +47,6 @@ ./i18n/input-method/nabi.nix ./i18n/input-method/uim.nix ./installer/tools/auto-upgrade.nix - ./installer/tools/nixos-checkout.nix ./installer/tools/tools.nix ./misc/assertions.nix ./misc/crashdump.nix @@ -159,6 +158,7 @@ ./services/desktops/gnome3/tracker.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/telepathy.nix + ./services/development/hoogle.nix ./services/games/factorio.nix ./services/games/ghost-one.nix ./services/games/minecraft-server.nix @@ -216,6 +216,7 @@ ./services/misc/dictd.nix ./services/misc/disnix.nix ./services/misc/docker-registry.nix + ./services/misc/emby.nix ./services/misc/etcd.nix ./services/misc/felix.nix ./services/misc/folding-at-home.nix @@ -400,6 +401,7 @@ ./services/networking/wicd.nix ./services/networking/wpa_supplicant.nix ./services/networking/xinetd.nix + ./services/networking/zerobin.nix ./services/networking/zerotierone.nix ./services/networking/znc.nix ./services/printing/cupsd.nix diff --git a/nixos/modules/profiles/docker-container.nix b/nixos/modules/profiles/docker-container.nix index df762b7ac584..433492b96137 100644 --- a/nixos/modules/profiles/docker-container.nix +++ b/nixos/modules/profiles/docker-container.nix 
@@ -37,12 +37,12 @@ in { # After booting, register the contents of the Nix store in the Nix # database. if [ -f /nix-path-registration ]; then - ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration && + ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration && rm /nix-path-registration fi # nixos-rebuild also requires a "system" profile - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ''; # Install new init script diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 84eccfd51292..6b02446d53b4 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -68,6 +68,10 @@ with lib; # proxy (mkRenamedOptionModule [ "nix" "proxy" ] [ "networking" "proxy" "default" ]) + # sandboxing + (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) + (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) + # KDE (mkRenamedOptionModule [ "kde" "extraPackages" ] [ "environment" "systemPackages" ]) (mkRenamedOptionModule [ "environment" "kdePackages" ] [ "environment" "systemPackages" ]) diff --git a/nixos/modules/services/development/hoogle.nix b/nixos/modules/services/development/hoogle.nix new file mode 100644 index 000000000000..90aa04d2762e --- /dev/null +++ b/nixos/modules/services/development/hoogle.nix 
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.hoogle;
+
+ hoogleEnv = pkgs.buildEnv {
+ name = "hoogle";
+ paths = [ (cfg.haskellPackages.ghcWithHoogle cfg.packages) ];
+ };
+
+in {
+
+ options.services.hoogle = {
+ enable = mkEnableOption "Haskell documentation server";
+
+ port = mkOption {
+ type = types.int;
+ default = 8080;
+ description = ''
+ Port number Hoogle will be listening to.
+ '';
+ };
+
+ packages = mkOption {
+ default = hp: [];
+ defaultText = "hp: []";
+ example = "hp: with hp; [ text lens ]";
+ description = ''
+ The Haskell packages to generate documentation for.
+
+ The option value is a function that takes the package set specified in
+ the <varname>haskellPackages</varname> option as its sole parameter and
+ returns a list of packages.
+ '';
+ };
+
+ haskellPackages = mkOption {
+ description = "Which haskell package set to use.";
+ default = pkgs.haskellPackages;
+ defaultText = "pkgs.haskellPackages";
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.hoogle = {
+ description = "Haskell documentation server";
+
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Restart = "always";
+ ExecStart = ''${hoogleEnv}/bin/hoogle server --local -p ${toString cfg.port}'';
+
+ User = "nobody";
+ Group = "nogroup";
+
+ PrivateTmp = true;
+ ProtectHome = true;
+
+ RuntimeDirectory = "hoogle";
+ WorkingDirectory = "%t/hoogle";
+ };
+ };
+ };
+
+}
diff --git a/nixos/modules/services/misc/emby.nix b/nixos/modules/services/misc/emby.nix
new file mode 100644
index 000000000000..fe872349f45e
--- /dev/null
+++ b/nixos/modules/services/misc/emby.nix
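Review bot: The new unit's `serviceConfig` runs the server as the shared `nobody`/`nogroup` identity, so every other process using that account can signal or ptrace it and share its state; a dedicated account (`users.extraUsers.hoogle = { isSystemUser = true; group = "hoogle"; }` plus `User = "hoogle";`) is the pattern the emby module in this same commit follows. The `ExecStart` line passes `--local` and no bind address: if I recall hoogle's server correctly, `--local` allows it to serve files from the local filesystem and is intended for loopback-only use, while the default is to listen on all interfaces, so a `host` option defaulting to `"127.0.0.1"` (passed as `--host`, if this hoogle version has that flag) with a comment explaining why `--local` is only safe on loopback would be worth adding. `port` is a bare `types.int` with no range check; a bounded integer type, if this lib provides one, would reject nonsense at evaluation time rather than at start-up.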
@@ -0,0 +1,64 @@ +{ config, pkgs, lib, mono, ... }: + +with lib; + +let + cfg = config.services.emby; + emby = pkgs.emby; +in +{ + options = { + services.emby = { + enable = mkEnableOption "Emby Media Server"; + + user = mkOption { + type = types.str; + default = "emby"; + description = "User account under which Emby runs."; + }; + + group = mkOption { + type = types.str; + default = "emby"; + description = "Group under which emby runs."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.emby = { + description = "Emby Media Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + test -d /var/lib/emby/ProgramData-Server || { + echo "Creating initial Emby data directory in /var/lib/emby/ProgramData-Server" + mkdir -p /var/lib/emby/ProgramData-Server + chown -R ${cfg.user}:${cfg.group} /var/lib/emby/ProgramData-Server + } + ''; + + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + PermissionsStartOnly = "true"; + ExecStart = "${pkgs.mono}/bin/mono ${pkgs.emby}/bin/MediaBrowser.Server.Mono.exe"; + Restart = "on-failure"; + }; + }; + + users.extraUsers = mkIf (cfg.user == "emby") { + emby = { + group = cfg.group; + uid = config.ids.uids.emby; + }; + }; + + users.extraGroups = mkIf (cfg.group == "emby") { + emby = { + gid = config.ids.gids.emby; + }; + }; + }; +} diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 10ac6f93cfdb..d71837737ab3 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -6,7 +6,7 @@ let cfg = config.nix; - nix = cfg.package; + nix = cfg.package.out; makeNixBuildUser = nr: { name = "nixbld${toString nr}"; 
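Review bot: The first line of the new module requests a `mono` module argument that the body never uses (it reads `pkgs.mono` instead); since only `config`, `lib`, `pkgs` and `options` are supplied by the module system and anything else has to come from `_module.args`, the stray name is misleading and should be dropped: `{ config, pkgs, lib, ... }:`. In `preStart` the `chown -R` only runs when the directory is first created, so changing `services.emby.user` or `.group` later leaves the state owned by the previous account and the service cannot write to it; an unconditional non-recursive `chown ${cfg.user}:${cfg.group} /var/lib/emby/ProgramData-Server` after the guard keeps ownership in sync without walking the media database on every start. The unit also carries no hardening (`PrivateTmp`, `ProtectHome`, `ProtectSystem`) and, as far as this hunk shows, nothing documents which port Emby's web interface listens on or that the firewall is left to the administrator; a comment on the service definition saying so would help.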
@@ -24,8 +24,8 @@ let nixConf = let - # If we're using a chroot for builds, then provide /bin/sh in - # the chroot as a bind-mount to bash. This means we also need to + # If we're using sandbox for builds, then provide /bin/sh in + # the sandbox as a bind-mount to bash. This means we also need to # include the entire closure of bash. sh = pkgs.stdenv.shell; binshDeps = pkgs.writeReferencesToFile sh; @@ -39,8 +39,8 @@ let build-users-group = nixbld build-max-jobs = ${toString (cfg.maxJobs)} build-cores = ${toString (cfg.buildCores)} - build-use-chroot = ${if (builtins.isBool cfg.useChroot) then (if cfg.useChroot then "true" else "false") else cfg.useChroot} - build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths) + build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then (if cfg.useSandbox then "true" else "false") else cfg.useSandbox} + build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths) binary-caches = ${toString cfg.binaryCaches} trusted-binary-caches = ${toString cfg.trustedBinaryCaches} binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys} @@ -65,8 +65,8 @@ in package = mkOption { type = types.package; - default = pkgs.nix.out; - defaultText = "pkgs.nix.out"; + default = pkgs.nix; + defaultText = "pkgs.nix"; description = '' This option specifies the Nix package instance to use throughout the system. ''; 
@@ -98,25 +98,25 @@ in ''; }; - useChroot = mkOption { + useSandbox = mkOption { type = types.either types.bool (types.enum ["relaxed"]); default = false; description = " - If set, Nix will perform builds in a chroot-environment that it + If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store. "; }; - chrootDirs = mkOption { + sandboxPaths = mkOption { type = types.listOf types.str; default = []; example = [ "/dev" "/proc" ]; description = '' Directories from the host filesystem to be included - in the chroot. + in the sandbox. ''; }; diff --git a/nixos/modules/services/misc/nix-gc.nix b/nixos/modules/services/misc/nix-gc.nix index 6a7a7f4cee72..5c13da6e83dd 100644 --- a/nixos/modules/services/misc/nix-gc.nix +++ b/nixos/modules/services/misc/nix-gc.nix @@ -52,7 +52,7 @@ in systemd.services.nix-gc = { description = "Nix Garbage Collector"; - script = "exec ${config.nix.package}/bin/nix-collect-garbage ${cfg.options}"; + script = "exec ${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}"; startAt = optionalString cfg.automatic cfg.dates; }; diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix index d70bd855c7ff..66148431709f 100644 --- a/nixos/modules/services/misc/nix-ssh-serve.nix +++ b/nixos/modules/services/misc/nix-ssh-serve.nix @@ -41,7 +41,7 @@ with lib; PermitTTY no PermitTunnel no X11Forwarding no - ForceCommand ${config.nix.package}/bin/nix-store --serve + ForceCommand ${config.nix.package.out}/bin/nix-store --serve Match All ''; diff --git a/nixos/modules/services/network-filesystems/openafs-client/default.nix b/nixos/modules/services/network-filesystems/openafs-client/default.nix index 7a44fc1ea5ec..61c66bb88357 100644 --- a/nixos/modules/services/network-filesystems/openafs-client/default.nix 
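Review bot: The renamed `useSandbox` option's type still accepts the string `"relaxed"`, but the updated description only explains the boolean, so a reader cannot tell what the third value means or why it weakens isolation. Suggest appending to the description: `Setting this to "relaxed" enables the sandbox but lets individual derivations opt out of it; see the Nix manual's description of build-use-sandbox.` — the opt-out semantics are from my recollection of Nix, not shown in this hunk, so confirm before wording it. The `sandboxPaths` description could similarly state that every listed host path is exposed to every build, since that is the security consequence of the option.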
+++ b/nixos/modules/services/network-filesystems/openafs-client/default.nix @@ -80,7 +80,7 @@ in preStart = '' mkdir -p -m 0755 /afs mkdir -m 0700 -p ${cfg.cacheDirectory} - ${pkgs.module_init_tools}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true + ${pkgs.kmod}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true ${openafsPkgs}/sbin/afsd -confdir ${afsConfig} -cachedir ${cfg.cacheDirectory} ${if cfg.sparse then "-dynroot-sparse" else "-dynroot"} -fakestat -afsdb ${openafsPkgs}/bin/fs setcrypt ${if cfg.crypt then "on" else "off"} ''; @@ -92,7 +92,7 @@ in preStop = '' ${pkgs.utillinux}/bin/umount /afs ${openafsPkgs}/sbin/afsd -shutdown - ${pkgs.module_init_tools}/sbin/rmmod libafs + ${pkgs.kmod}/sbin/rmmod libafs ''; }; }; diff --git a/nixos/modules/services/networking/mfi.nix b/nixos/modules/services/networking/mfi.nix index 5afb83ed022f..775564a2c446 100644 --- a/nixos/modules/services/networking/mfi.nix +++ b/nixos/modules/services/networking/mfi.nix @@ -10,6 +10,7 @@ let { what = "${pkgs.mfi}/dl"; where = "${stateDir}/dl"; } { what = "${pkgs.mfi}/lib"; where = "${stateDir}/lib"; } { what = "${pkgs.mongodb248}/bin"; where = "${stateDir}/bin"; } + { what = "${cfg.dataDir}"; where = "${stateDir}/data"; } ]; systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints; ports = [ 6080 6880 6443 6843 ]; @@ -23,6 +24,15 @@ in default = true; description = "Whether to open TCP ports ${concatMapStrings (a: "${toString a} ") ports}for the services."; }; + dataDir = mkOption { + type = types.str; + default = "${stateDir}/data"; + description = '' + Where to store the database and other data. + + This directory will be bind-mounted to ${stateDir}/data as part of the service startup. + ''; + }; }; }; diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index 8f6881441cf7..3e865e3b76a8 100644 --- a/nixos/modules/services/networking/nix-serve.nix 
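Review bot: The `insmod` and `rmmod` calls in `preStart`/`preStop` are switched to `${pkgs.kmod}/sbin/…`, whereas the facetimehd hunk in this same commit uses `${pkgs.kmod}/bin/…`; if the kmod package only installs under `bin/` (I believe `sbin` is at most a symlink there, worth confirming), the insmod fails and the pre-existing `|| true` on that line hides it, so afsd starts without its kernel module. Using `${pkgs.kmod}/bin/insmod` and `${pkgs.kmod}/bin/rmmod` keeps the two hunks consistent. The enclosing service definition starts and ends outside this hunk.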
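Review bot: The new `dataDir` option is typed `types.str` and its value is bind-mounted over `${stateDir}/data`, but nothing in this hunk creates or checks the directory, so a non-default path that does not exist makes the generated `.mount` unit fail before the service starts; with the default value the directory is bound onto itself, which presumably only works once something has already created `${stateDir}/data`. `types.path` would at least reject relative and empty values at evaluation time, and the description should say the directory must exist and be owned by the service user before enabling the option (or the module's `preStart`, outside this hunk, should `mkdir -p` it). It is also worth a line in the description that whatever is at that host path becomes readable and writable by the daemon.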
+++ b/nixos/modules/services/networking/nix-serve.nix @@ -50,7 +50,7 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = [ config.nix.package pkgs.bzip2.bin ]; + path = [ config.nix.package.out pkgs.bzip2.bin ]; environment.NIX_REMOTE = "daemon"; environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix index 52c7ac8e6893..99269c49e8f1 100644 --- a/nixos/modules/services/networking/quassel.nix +++ b/nixos/modules/services/networking/quassel.nix @@ -3,7 +3,7 @@ with lib; let - quassel = pkgs.quasselDaemon_qt5; + quassel = pkgs.kde4.quasselDaemon; cfg = config.services.quassel; user = if cfg.user != null then cfg.user else "quassel"; in diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index 4dc0cd96904c..cb5a88e67aae 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -17,6 +17,10 @@ let what = "${pkgs.mongodb}/bin"; where = "${stateDir}/bin"; } + { + what = "${cfg.dataDir}"; + where = "${stateDir}/data"; + } ]; systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints; in @@ -32,6 +36,16 @@ in ''; }; + services.unifi.dataDir = mkOption { + type = types.str; + default = "${stateDir}/data"; + description = '' + Where to store the database and other data. + + This directory will be bind-mounted to ${stateDir}/data as part of the service startup. + ''; + }; + }; config = mkIf cfg.enable { @@ -62,7 +76,7 @@ in bindsTo = systemdMountPoints; unitConfig.RequiresMountsFor = stateDir; # This a HACK to fix missing dependencies of dynamic libs extracted from jars - environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc}/lib"; + environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; preStart = '' # Ensure privacy of state 
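Review bot: The daemon package is switched from `pkgs.quasselDaemon_qt5` to `pkgs.kde4.quasselDaemon` with no explanation; if the `kde4` attribute set is the Qt4-based build, a network-facing IRC core is being moved onto a toolkit that is end-of-life upstream, which deserves a comment next to the `quassel =` binding (for example `# kde4 build: the qt5 daemon is currently unavailable`, if that is the reason). I cannot tell from this hunk whether the qt5 build was removed or merely broken.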
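Review bot: `services.unifi.dataDir` is declared as `types.str` and bind-mounted into `${stateDir}/data`, yet the mount list now depends on a directory this hunk never creates: `unitConfig.RequiresMountsFor = stateDir` only covers the state tree, so a custom `dataDir` that does not exist fails the `.mount` unit and the service never starts, and the default value binds the directory onto itself. Consider `types.path`, and either document that the directory must pre-exist with the right ownership or create it in the `preStart` that begins at the end of this hunk and continues outside it. A sentence in the description that the bound path becomes writable by the UniFi daemon (and its bundled mongod) would make the consequence explicit.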
diff --git a/nixos/modules/services/networking/zerobin.nix b/nixos/modules/services/networking/zerobin.nix new file mode 100644 index 000000000000..1c524602f8e9 --- /dev/null +++ b/nixos/modules/services/networking/zerobin.nix 
@@ -0,0 +1,102 @@ +{ config, pkgs, lib, nodes, ... }: +with lib; +let + cfg = config.services.zerobin; + + zerobin_config = pkgs.writeText "zerobin-config.py" '' + PASTE_FILES_ROOT = "${cfg.dataDir}" + ${cfg.extraConfig} + ''; + +in + { + options = { + services.zerobin = { + enable = mkEnableOption "0bin"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/zerobin"; + description = '' + Path to the 0bin data directory + ''; + }; + + user = mkOption { + type = types.str; + default = "zerobin"; + description = '' + The user 0bin should run as + ''; + }; + + group = mkOption { + type = types.str; + default = "zerobin"; + description = '' + The group 0bin should run as + ''; + }; + + listenPort = mkOption { + type = types.int; + default = 8000; + example = 1357; + description = '' + The port zerobin should listen on + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "localhost"; + example = "127.0.0.1"; + description = '' + The address zerobin should listen to + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + MENU = ( + ('Home', '/'), + ) + COMPRESSED_STATIC_FILE = True + ''; + description = '' + Extra configuration to be appended to the 0bin config file + (see https://0bin.readthedocs.org/en/latest/en/options.html) + ''; + }; + }; + }; + + config = mkIf (cfg.enable) { + users.users."${cfg.user}" = + if cfg.user == "zerobin" then { + isSystemUser = true; + group = cfg.group; + home = cfg.dataDir; + createHome = true; + } + else {}; + users.groups."${cfg.group}" = {}; + + systemd.services.zerobin = { + enable = true; + after = [ "network-interfaces.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.pythonPackages.zerobin}/bin/zerobin ${cfg.listenAddress} ${toString cfg.listenPort} false ${cfg.user} ${cfg.group} ${zerobin_config}"; + serviceConfig.PrivateTmp="yes"; + serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; + preStart = '' + mkdir 
-p ${cfg.dataDir} + chown ${cfg.user} ${cfg.dataDir} + ''; + }; + }; + } + diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix index 347302c6090d..4f2e2fdf662b 100644 --- a/nixos/modules/services/system/kerberos.nix +++ b/nixos/modules/services/system/kerberos.nix @@ -4,7 +4,7 @@ let inherit (lib) mkOption mkIf singleton; - inherit (pkgs) heimdal; + inherit (pkgs) heimdalFull; stateDir = "/var/heimdal"; in @@ -33,7 +33,7 @@ in config = mkIf config.services.kerberos_server.enable { - environment.systemPackages = [ heimdal ]; + environment.systemPackages = [ heimdalFull ]; services.xinetd.enable = true; services.xinetd.services = lib.singleton @@ -42,7 +42,7 @@ in protocol = "tcp"; user = "root"; server = "${pkgs.tcp_wrappers}/sbin/tcpd"; - serverArgs = "${pkgs.heimdal}/sbin/kadmind"; + serverArgs = "${pkgs.heimdalFull}/sbin/kadmind"; }; systemd.services.kdc = { @@ -51,13 +51,13 @@ in preStart = '' mkdir -m 0755 -p ${stateDir} ''; - script = "${heimdal}/sbin/kdc"; + script = "${heimdalFull}/sbin/kdc"; }; systemd.services.kpasswdd = { description = "Kerberos Password Changing daemon"; wantedBy = [ "multi-user.target" ]; - script = "${heimdal}/sbin/kpasswdd"; + script = "${heimdalFull}/sbin/kpasswdd"; }; }; diff --git a/nixos/modules/services/x11/redshift.nix b/nixos/modules/services/x11/redshift.nix index 4318a17a4fa5..8f1e317e52b0 100644 --- a/nixos/modules/services/x11/redshift.nix +++ b/nixos/modules/services/x11/redshift.nix @@ -94,11 +94,9 @@ in { }; config = mkIf cfg.enable { - systemd.services.redshift = { + systemd.user.services.redshift = { description = "Redshift colour temperature adjuster"; - requires = [ "display-manager.service" ]; - after = [ "display-manager.service" ]; - wantedBy = [ "graphical.target" ]; + wantedBy = [ "default.target" ]; serviceConfig = { ExecStart = '' ${cfg.package}/bin/redshift \ 
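Review bot: `preStart` in the new unit runs as `cfg.user` because `serviceConfig.User` is set without `PermissionsStartOnly`, so the `mkdir -p`/`chown` of a non-default `dataDir` under `/var/lib` fails for lack of privilege; with the default it only works because `createHome` already made the directory. The `users.users."${cfg.user}" = if … else {}` form still declares an entry for a custom user name (an empty definition appears to count as a declaration—worth confirming), and `users.groups."${cfg.group}" = {}` is unconditional; `mkIf` on the name is the pattern the emby module in this same commit uses. `after = [ "network-interfaces.target" ]` is the legacy target where the other new services here use `network.target`, and the `nodes` module argument on the first line is never used. Since `extraConfig` is appended verbatim to a Python file that the server executes, its description should say so. The rewrite below keeps `ExecStart` and the rest unchanged.
```nix
  config = mkIf (cfg.enable) {
    users.users = mkIf (cfg.user == "zerobin") {
      zerobin = {
        isSystemUser = true;
        group = cfg.group;
        home = cfg.dataDir;
        createHome = true;
      };
    };
    users.groups = mkIf (cfg.group == "zerobin") { zerobin = {}; };

    systemd.services.zerobin = {
      enable = true;
      after = [ "network.target" ];
      # … unchanged: wantedBy, ExecStart, PrivateTmp, User, Group …
      serviceConfig.PermissionsStartOnly = true;
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
      '';
    };
  };
```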
@@ -107,10 +105,10 @@ in { -b ${toString cfg.brightness.day}:${toString cfg.brightness.night} \ ${lib.strings.concatStringsSep " " cfg.extraOptions} ''; - RestartSec = 3; + RestartSec = 3; + Restart = "always"; }; environment = { DISPLAY = ":0"; }; - serviceConfig.Restart = "always"; }; }; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 05322497a4bf..289405f93195 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -499,7 +499,7 @@ in } ] ++ flip map args.devices (device: { assertion = device == "nodev" || hasPrefix "/" device; - message = "GRUB devices must be absolute paths, not ${dev} in ${args.path}"; + message = "GRUB devices must be absolute paths, not ${device} in ${args.path}"; })); }) diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix index 6c201eb8212f..69ad2c6d44f4 100644 --- a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix +++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix @@ -14,7 +14,7 @@ let inherit (pkgs) python gummiboot; - nix = config.nix.package; + nix = config.nix.package.out; timeout = if cfg.timeout != null then cfg.timeout else ""; diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index 886552f33c2c..c9356c9b4eaa 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix 
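Review bot: Moving redshift to `systemd.user.services` leaves `environment = { DISPLAY = ":0"; }` hard-coded on the context line, so the user unit now only ever talks to the first X display, while a user manager normally receives `DISPLAY` from the session (via `systemctl --user import-environment`, set up outside this hunk); if that import is in place the hard-coded value could be dropped, otherwise a comment saying why `:0` is assumed would help. With `wantedBy = [ "default.target" ]` and `Restart = "always"`, the unit also restart-loops for user sessions that have no X display (e.g. ssh logins) until the start limit is hit; a guard such as `unitConfig.ConditionPathExists = "/tmp/.X11-unix/X0";` or a note in the option documentation is worth considering.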
@@ -8,7 +8,7 @@ let echo "attempting to fetch configuration from EC2 user data..." - export PATH=${config.nix.package}/bin:${pkgs.systemd}/bin:${pkgs.gnugrep}/bin:${pkgs.gnused}/bin:${config.system.build.nixos-rebuild}/bin:$PATH + export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild]}:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels userData=/etc/ec2-metadata/user-data diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index 9dc0ce119929..9fac543b03d5 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -62,10 +62,10 @@ in echo Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" echo Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ + chroot /mnt ${config.nix.package.out}/bin/nix-env \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group "" echo nixos-rebuild requires an /etc/NIXOS. diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix index b6b2bd4f69be..bcafc06e47c0 100644 --- a/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixos/modules/virtualisation/brightbox-image.nix 
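Review bot: The new makeBinPath list closes with `nixos-rebuild]` without the space that the opening `[ ` uses, which is inconsistent with the bracket spacing elsewhere in these modules; `${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild ]}:$PATH` keeps it uniform. The surrounding shell script starts and ends outside the hunk.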
@@ -62,10 +62,10 @@ in # Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ + chroot /mnt ${config.nix.package.out}/bin/nix-env \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ --option build-users-group "" diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 121ecbc9bf2c..fca21a8610be 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -28,14 +28,23 @@ let # Initialise the container side of the veth pair. if [ "$PRIVATE_NETWORK" = 1 ]; then + ip link set host0 name eth0 ip link set dev eth0 up + + if [ -n "$LOCAL_ADDRESS" ]; then + ip addr add $LOCAL_ADDRESS dev eth0 + fi + if [ -n "$LOCAL_ADDRESS6" ]; then + ip -6 addr add $LOCAL_ADDRESS6 dev eth0 + fi if [ -n "$HOST_ADDRESS" ]; then ip route add $HOST_ADDRESS dev eth0 ip route add default via $HOST_ADDRESS fi - if [ -n "$LOCAL_ADDRESS" ]; then - ip addr add $LOCAL_ADDRESS dev eth0 + if [ -n "$HOST_ADDRESS6" ]; then + ip -6 route add $HOST_ADDRESS6 dev eth0 + ip -6 route add default via $HOST_ADDRESS6 fi fi @@ -48,7 +57,7 @@ let system = config.nixpkgs.system; bindMountOpts = { name, config, ... }: { - + options = { mountPoint = mkOption { example = "/mnt/usb"; @@ -68,13 +77,13 @@ let description = "Determine whether the mounted path will be accessed in read-only mode."; }; }; - + config = { mountPoint = mkDefault name; }; - + }; - + mkBindFlag = d: let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind="; mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}"; 
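Review bot: The container-side init in the containers.nix hunk still runs `ip route add default via $HOST_ADDRESS` whenever HOST_ADDRESS is set, but in the new bridge mode (HOST_BRIDGE non-empty) the host-side postStart added later in this commit no longer assigns that address to any interface, and the hostAddress option text says the value is "not used" with hostBridge; the container would then point its default gateway at an address that the host does not answer unless it happens to be the bridge's own address. Either gate that route on `[ -z "$HOST_BRIDGE" ]` (HOST_BRIDGE is already forwarded via --setenv) or document that in bridge mode hostAddress names the gateway rather than a host-side address. The IPv6 branch added here has the same shape with HOST_ADDRESS6. The `containerInit` script begins before this hunk.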
@@ -142,12 +151,33 @@ in ''; }; + hostBridge = mkOption { + type = types.nullOr types.string; + default = null; + example = "br0"; + description = '' + Put the host-side of the veth-pair into the named bridge. + Only one of hostAddress* or hostBridge can be given. + ''; + }; + hostAddress = mkOption { type = types.nullOr types.str; default = null; example = "10.231.136.1"; description = '' The IPv4 address assigned to the host interface. + (Not used when hostBridge is set.) + ''; + }; + + hostAddress6 = mkOption { + type = types.nullOr types.string; + default = null; + example = "fc00::1"; + description = '' + The IPv6 address assigned to the host interface. + (Not used when hostBridge is set.) ''; }; @@ -161,6 +191,16 @@ in ''; }; + localAddress6 = mkOption { + type = types.nullOr types.string; + default = null; + example = "fc00::2"; + description = '' + The IPv6 address assigned to <literal>eth0</literal> + in the container. + ''; + }; + interfaces = mkOption { type = types.listOf types.string; default = []; @@ -185,7 +225,7 @@ in example = { "/home" = { hostPath = "/home/alice"; isReadOnly = false; }; }; - + description = '' An extra list of directories that is bound to the container. 
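Review bot: The hostBridge description states that only one of hostAddress*/hostBridge may be given, but nothing in the module enforces it, so a configuration that sets both evaluates fine and the host-side addresses are silently ignored; an assertion over `config.containers` with `assertion = cfg.hostBridge == null || (cfg.hostAddress == null && cfg.hostAddress6 == null);` and a message naming the container would turn that into an evaluation error. Separately, the new hostBridge, hostAddress6 and localAddress6 options use `types.nullOr types.string` while the adjacent hostAddress uses `types.str`; `types.str` is the form the rest of this option block uses and would be consistent here. The "(Not used when hostBridge is set.)" sentence is only accurate for the host side, since the container init still reads HOST_ADDRESS for its default route.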
@@ -238,154 +278,180 @@ in }; - config = mkIf (config.boot.enableContainers) { + config = mkIf (config.boot.enableContainers) (let - systemd.services."container@" = - { description = "Container '%i'"; + unit = { + description = "Container '%i'"; - unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ]; + unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ]; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute ]; - environment.INSTANCE = "%i"; - environment.root = "/var/lib/containers/%i"; + environment.INSTANCE = "%i"; + environment.root = "/var/lib/containers/%i"; - preStart = - '' - # Clean up existing machined registration and interfaces. - machinectl terminate "$INSTANCE" 2> /dev/null || true - - if [ "$PRIVATE_NETWORK" = 1 ]; then - ip link del dev "ve-$INSTANCE" 2> /dev/null || true - fi + preStart = + '' + # Clean up existing machined registration and interfaces. + machinectl terminate "$INSTANCE" 2> /dev/null || true + if [ "$PRIVATE_NETWORK" = 1 ]; then + ip link del dev "ve-$INSTANCE" 2> /dev/null || true + ip link del dev "vb-$INSTANCE" 2> /dev/null || true + fi + ''; - if [ "$PRIVATE_NETWORK" = 1 ]; then - ip link del dev "ve-$INSTANCE" 2> /dev/null || true - fi - ''; - - script = - '' - mkdir -p -m 0755 "$root/etc" "$root/var/lib" - mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers - if ! [ -e "$root/etc/os-release" ]; then - touch "$root/etc/os-release" + script = + '' + mkdir -p -m 0755 "$root/etc" "$root/var/lib" + mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers + if ! 
[ -e "$root/etc/os-release" ]; then + touch "$root/etc/os-release" + fi + + mkdir -p -m 0755 \ + "/nix/var/nix/profiles/per-container/$INSTANCE" \ + "/nix/var/nix/gcroots/per-container/$INSTANCE" + + cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf" + + if [ "$PRIVATE_NETWORK" = 1 ]; then + extraFlags+=" --network-veth" + if [ -n "$HOST_BRIDGE" ]; then + extraFlags+=" --network-bridge=$HOST_BRIDGE" fi + fi - mkdir -p -m 0755 \ - "/nix/var/nix/profiles/per-container/$INSTANCE" \ - "/nix/var/nix/gcroots/per-container/$INSTANCE" + for iface in $INTERFACES; do + extraFlags+=" --network-interface=$iface" + done - cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf" + for iface in $MACVLANS; do + extraFlags+=" --network-macvlan=$iface" + done - if [ "$PRIVATE_NETWORK" = 1 ]; then - extraFlags+=" --network-veth" + # If the host is 64-bit and the container is 32-bit, add a + # --personality flag. + ${optionalString (config.nixpkgs.system == "x86_64-linux") '' + if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then + extraFlags+=" --personality=x86" fi + ''} + + + + # Run systemd-nspawn without startup notification (we'll + # wait for the container systemd to signal readiness). 
+ EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \ + exec ${config.systemd.package}/bin/systemd-nspawn \ + --keep-unit \ + -M "$INSTANCE" -D "$root" $extraFlags \ + $EXTRA_NSPAWN_FLAGS \ + --bind-ro=/nix/store \ + --bind-ro=/nix/var/nix/db \ + --bind-ro=/nix/var/nix/daemon-socket \ + --bind=/run/systemd/notify:/var/lib/private/host-notify \ + --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ + --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ + --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ + --setenv HOST_BRIDGE="$HOST_BRIDGE" \ + --setenv HOST_ADDRESS="$HOST_ADDRESS" \ + --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ + --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \ + --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \ + --setenv PATH="$PATH" \ + ${containerInit} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" + ''; - for iface in $INTERFACES; do - extraFlags+=" --network-interface=$iface" - done - - for iface in $MACVLANS; do - extraFlags+=" --network-macvlan=$iface" - done - - # If the host is 64-bit and the container is 32-bit, add a - # --personality flag. - ${optionalString (config.nixpkgs.system == "x86_64-linux") '' - if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then - extraFlags+=" --personality=x86" - fi - ''} - - - - # Run systemd-nspawn without startup notification (we'll - # wait for the container systemd to signal readiness). 
- EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \ - exec ${config.systemd.package}/bin/systemd-nspawn \ - --keep-unit \ - -M "$INSTANCE" -D "$root" $extraFlags \ - $EXTRA_NSPAWN_FLAGS \ - --bind-ro=/nix/store \ - --bind-ro=/nix/var/nix/db \ - --bind-ro=/nix/var/nix/daemon-socket \ - --bind=/run/systemd/notify:/var/lib/private/host-notify \ - --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ - --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ - --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ - --setenv HOST_ADDRESS="$HOST_ADDRESS" \ - --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ - --setenv PATH="$PATH" \ - ${containerInit} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" - ''; - - postStart = - '' - if [ "$PRIVATE_NETWORK" = 1 ]; then + postStart = + '' + if [ "$PRIVATE_NETWORK" = 1 ]; then + if [ -z "$HOST_BRIDGE" ]; then ifaceHost=ve-$INSTANCE ip link set dev $ifaceHost up if [ -n "$HOST_ADDRESS" ]; then ip addr add $HOST_ADDRESS dev $ifaceHost fi + if [ -n "$HOST_ADDRESS6" ]; then + ip -6 addr add $HOST_ADDRESS6 dev $ifaceHost + fi if [ -n "$LOCAL_ADDRESS" ]; then ip route add $LOCAL_ADDRESS dev $ifaceHost fi + if [ -n "$LOCAL_ADDRESS6" ]; then + ip -6 route add $LOCAL_ADDRESS6 dev $ifaceHost + fi fi + fi - # Get the leader PID so that we can signal it in - # preStop. We can't use machinectl there because D-Bus - # might be shutting down. FIXME: in systemd 219 we can - # just signal systemd-nspawn to do a clean shutdown. - machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid" - ''; + # Get the leader PID so that we can signal it in + # preStop. We can't use machinectl there because D-Bus + # might be shutting down. FIXME: in systemd 219 we can + # just signal systemd-nspawn to do a clean shutdown. 
+ machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid" + ''; - preStop = - '' - pid="$(cat /run/containers/$INSTANCE.pid)" - if [ -n "$pid" ]; then - kill -RTMIN+4 "$pid" - fi - rm -f "/run/containers/$INSTANCE.pid" - ''; + preStop = + '' + pid="$(cat /run/containers/$INSTANCE.pid)" + if [ -n "$pid" ]; then + kill -RTMIN+4 "$pid" + fi + rm -f "/run/containers/$INSTANCE.pid" + ''; - restartIfChanged = false; - #reloadIfChanged = true; # FIXME + restartIfChanged = false; - serviceConfig = { - ExecReload = pkgs.writeScript "reload-container" - '' - #! ${pkgs.stdenv.shell} -e - ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \ - bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" - ''; + serviceConfig = { + ExecReload = pkgs.writeScript "reload-container" + '' + #! ${pkgs.stdenv.shell} -e + ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \ + bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" + ''; - SyslogIdentifier = "container %i"; + SyslogIdentifier = "container %i"; - EnvironmentFile = "-/etc/containers/%i.conf"; + EnvironmentFile = "-/etc/containers/%i.conf"; - Type = "notify"; + Type = "notify"; - NotifyAccess = "all"; + NotifyAccess = "all"; - # Note that on reboot, systemd-nspawn returns 133, so this - # unit will be restarted. On poweroff, it returns 0, so the - # unit won't be restarted. - RestartForceExitStatus = "133"; - SuccessExitStatus = "133"; + # Note that on reboot, systemd-nspawn returns 133, so this + # unit will be restarted. On poweroff, it returns 0, so the + # unit won't be restarted. + RestartForceExitStatus = "133"; + SuccessExitStatus = "133"; - Restart = "on-failure"; + Restart = "on-failure"; - # Hack: we don't want to kill systemd-nspawn, since we call - # "machinectl poweroff" in preStop to shut down the - # container cleanly. 
But systemd requires sending a signal - # (at least if we want remaining processes to be killed - # after the timeout). So send an ignored signal. - KillMode = "mixed"; - KillSignal = "WINCH"; - }; + # Hack: we don't want to kill systemd-nspawn, since we call + # "machinectl poweroff" in preStop to shut down the + # container cleanly. But systemd requires sending a signal + # (at least if we want remaining processes to be killed + # after the timeout). So send an ignored signal. + KillMode = "mixed"; + KillSignal = "WINCH"; }; + }; + in { + systemd.services = listToAttrs (filter (x: x.value != null) ( + # The generic container template used by imperative containers + [{ name = "container@"; value = unit; }] + # declarative containers + ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" ( + if cfg.autoStart then + unit // { + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = [ "network.target" ]; + restartTriggers = [ cfg.path ]; + reloadIfChanged = true; + } + else null + )) config.containers) + )); # Generate a configuration file in /etc/containers for each # container so that container@.target can get the container @@ -396,12 +462,21 @@ in SYSTEM_PATH=${cfg.path} ${optionalString cfg.privateNetwork '' PRIVATE_NETWORK=1 + ${optionalString (cfg.hostBridge != null) '' + HOST_BRIDGE=${cfg.hostBridge} + ''} ${optionalString (cfg.hostAddress != null) '' HOST_ADDRESS=${cfg.hostAddress} ''} + ${optionalString (cfg.hostAddress6 != null) '' + HOST_ADDRESS6=${cfg.hostAddress6} + ''} ${optionalString (cfg.localAddress != null) '' LOCAL_ADDRESS=${cfg.localAddress} ''} + ${optionalString (cfg.localAddress6 != null) '' + LOCAL_ADDRESS6=${cfg.localAddress6} + ''} ''} INTERFACES="${toString cfg.interfaces}" ${optionalString cfg.autoStart '' 
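Review bot: For autoStart containers that set hostBridge, the generated unit is only ordered `after = [ "network.target" ]`, but systemd-nspawn's `--network-bridge=$HOST_BRIDGE` needs the bridge device to exist at ExecStart time, and reaching network.target does not by itself establish that a bridge declared through networking.bridges has already been created by whichever unit sets it up; if that ordering is not guaranteed the bridge test can fail intermittently. A comment at the `wants`/`after` lines recording this assumption, or an explicit ordering after the unit that creates the bridge, would make the dependency visible. The enclosing `config = mkIf … (let … in { … })` expression continues past this hunk.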
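Review bot: The new HOST_BRIDGE, HOST_ADDRESS6 and LOCAL_ADDRESS6 values are written into /etc/containers/%i.conf unquoted and later expanded unquoted into `ip addr add $LOCAL_ADDRESS6 dev eth0` and `extraFlags+=" --network-bridge=$HOST_BRIDGE"`, so an option value containing whitespace or a shell metacharacter silently changes the commands that run on the host and inside the container. The options are plain `types.str`/`types.string` with no format check; validating them at evaluation time (for instance an assertion using `builtins.match` against an address/interface-name pattern) or at least quoting them in the generated file, e.g. `HOST_BRIDGE="${cfg.hostBridge}"`, would close that gap. The pre-existing HOST_ADDRESS/LOCAL_ADDRESS lines have the same property, so a fix would naturally cover all five. The environment-file generation continues outside the hunk.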
@@ -420,31 +495,5 @@ in networking.dhcpcd.denyInterfaces = [ "ve-*" ]; environment.systemPackages = [ nixos-container ]; - - # Start containers at boot time. - systemd.services.all-containers = - { description = "All Containers"; - - wantedBy = [ "multi-user.target" ]; - - unitConfig.ConditionDirectoryNotEmpty = "/etc/containers"; - - serviceConfig.Type = "oneshot"; - - script = - '' - res=0 - shopt -s nullglob - for i in /etc/containers/*.conf; do - AUTO_START= - source "$i" - if [ "$AUTO_START" = 1 ]; then - systemctl start "container@$(basename "$i" .conf).service" || res=1 - fi - done - exit $res - ''; # */ - }; - - }; + }); } diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 77074b882468..38417315df5b 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -66,10 +66,10 @@ in # Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ + chroot /mnt ${config.nix.package.out}/bin/nix-env \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ --option build-users-group "" diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 7dfbc38efee6..8aa643687557 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix 
@@ -149,11 +149,11 @@ let ${pkgs.mtools}/bin/mlabel -i /dev/vda2 ::boot # Mount /boot; load necessary modules first. - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko || true - ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko.xz || true + ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko.xz || true mkdir /boot mount /dev/vda2 /boot @@ -403,7 +403,7 @@ in boot.postBootCommands = '' if [[ "$(cat /proc/cmdline)" =~ regInfo=([^ ]*) ]]; then - ${config.nix.package}/bin/nix-store --load-db < ''${BASH_REMATCH[1]} + ${config.nix.package.out}/bin/nix-store --load-db < ''${BASH_REMATCH[1]} fi ''; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 53ef4564b5cd..abb69f121da0 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -64,6 +64,9 @@ in rec { (all nixos.tests.installer.btrfsSubvols) (all nixos.tests.installer.btrfsSubvolDefault) (all nixos.tests.boot.biosCdrom) + (all nixos.tests.boot.biosUsb) + (all nixos.tests.boot.uefiCdrom) + (all nixos.tests.boot.uefiUsb) (all nixos.tests.ipv6) (all nixos.tests.kde4) #(all nixos.tests.lightdm) diff --git a/nixos/release.nix b/nixos/release.nix index 2bccef1fd34b..d78c1bb1c150 100644 --- a/nixos/release.nix 
+++ b/nixos/release.nix
@@ -199,7 +199,10 @@ in rec {
 tests.cadvisor = hydraJob (import tests/cadvisor.nix { system = "x86_64-linux"; });
 tests.chromium = callSubTests tests/chromium.nix {};
 tests.cjdns = callTest tests/cjdns.nix {};
- tests.containers = callTest tests/containers.nix {};
+ tests.containers-ipv4 = callTest tests/containers-ipv4.nix {};
+ tests.containers-ipv6 = callTest tests/containers-ipv6.nix {};
+ tests.containers-bridge = callTest tests/containers-bridge.nix {};
+ tests.containers-imperative = callTest tests/containers-imperative.nix {};
 tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });
 tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; });
 tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; };
diff --git a/nixos/tests/containers-bridge.nix b/nixos/tests/containers-bridge.nix
new file mode 100644
index 000000000000..8c3340b60a7c
--- /dev/null
+++ b/nixos/tests/containers-bridge.nix
@@ -0,0 +1,81 @@ +# Test for NixOS' container support. + +let + hostIp = "192.168.0.1"; + containerIp = "192.168.0.100/24"; + hostIp6 = "fc00::1"; + containerIp6 = "fc00::2/7"; +in + +import ./make-test.nix ({ pkgs, ...} : { + name = "containers-bridge"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ aristid aszlig eelco chaoflow ]; + }; + + machine = + { config, pkgs, ... }: + { imports = [ ../modules/installer/cd-dvd/channel.nix ]; + virtualisation.writableStore = true; + virtualisation.memorySize = 768; + + networking.bridges = { + br0 = { + interfaces = []; + }; + }; + networking.interfaces = { + br0 = { + ip4 = [{ address = hostIp; prefixLength = 24; }]; + ip6 = [{ address = hostIp6; prefixLength = 7; }]; + }; + }; + + containers.webserver = + { + autoStart = true; + privateNetwork = true; + hostBridge = "br0"; + localAddress = containerIp; + localAddress6 = containerIp6; + config = + { services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowPing = true; + }; + }; + + virtualisation.pathsInNixDB = [ pkgs.stdenv ]; + }; + + testScript = + '' + $machine->waitForUnit("default.target"); + $machine->succeed("nixos-container list") =~ /webserver/ or die; + + # Start the webserver container. + $machine->succeed("nixos-container status webserver") =~ /up/ or die; + + "${containerIp}" =~ /([^\/]+)\/([0-9+])/; + my $ip = $1; + chomp $ip; + $machine->succeed("ping -n -c 1 $ip"); + $machine->succeed("curl --fail http://$ip/ > /dev/null"); + + "${containerIp6}" =~ /([^\/]+)\/([0-9+])/; + my $ip6 = $1; + chomp $ip6; + $machine->succeed("ping6 -n -c 1 $ip6"); + $machine->succeed("curl --fail http://[$ip6]/ > /dev/null"); + + # Stop the container. 
+ $machine->succeed("nixos-container stop webserver"); + $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null"); + $machine->fail("curl --fail --connect-timeout 2 http://[$ip6]/ > /dev/null"); + + # Destroying a declarative container should fail. + $machine->fail("nixos-container destroy webserver"); + ''; + +}) diff --git a/nixos/tests/containers.nix b/nixos/tests/containers-imperative.nix index ce36a7e0588f..8d100fedf78c 100644 --- a/nixos/tests/containers.nix +++ b/nixos/tests/containers-imperative.nix @@ -1,7 +1,7 @@ # Test for NixOS' container support. import ./make-test.nix ({ pkgs, ...} : { - name = "containers"; + name = "containers-imperative"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ aristid aszlig eelco chaoflow ]; }; 
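Review bot: In the testScript, `"${containerIp}" =~ /([^\/]+)\/([0-9+])/; my $ip = $1;` uses `$1` without checking that the match succeeded, and the second group `[0-9+]` is a character class matching a single digit or a literal plus rather than the intended `[0-9]+`; the following `chomp $ip` is a no-op on a literal. `my ($ip) = "${containerIp}" =~ m{^([^/]+)/[0-9]+$} or die "unexpected containerIp";` (and the same for `${containerIp6}`) fails loudly on a bad literal and drops the unused capture. The script also asserts `nixos-container status webserver` reports `up` immediately after default.target without waiting for the container unit, which the ipv4/ipv6 tests at least pad with a sleep; `$machine->waitForUnit("container\@webserver.service");` before that check would remove the race.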
@@ -11,40 +11,11 @@ import ./make-test.nix ({ pkgs, ...} : { { imports = [ ../modules/installer/cd-dvd/channel.nix ]; virtualisation.writableStore = true; virtualisation.memorySize = 768; - - containers.webserver = - { privateNetwork = true; - hostAddress = "10.231.136.1"; - localAddress = "10.231.136.2"; - config = - { services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.org"; - networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowPing = true; - }; - }; - virtualisation.pathsInNixDB = [ pkgs.stdenv ]; }; testScript = '' - $machine->succeed("nixos-container list") =~ /webserver/ or die; - - # Start the webserver container. - $machine->succeed("nixos-container start webserver"); - - # Since "start" returns after the container has reached - # multi-user.target, we should now be able to access it. - my $ip = $machine->succeed("nixos-container show-ip webserver"); - chomp $ip; - #$machine->succeed("ping -c1 $ip"); # FIXME - $machine->succeed("curl --fail http://$ip/ > /dev/null"); - - # Stop the container. - $machine->succeed("nixos-container stop webserver"); - $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null"); - # Make sure we have a NixOS tree (required by ‘nixos-container create’). $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2"); @@ -111,9 +82,6 @@ import ./make-test.nix ({ pkgs, ...} : { # Ensure that the container path is gone "test ! -e /var/lib/containers/$id1" ); - - # Destroying a declarative container should fail. - $machine->fail("nixos-container destroy webserver"); ''; }) diff --git a/nixos/tests/containers-ipv4.nix b/nixos/tests/containers-ipv4.nix new file mode 100644 index 000000000000..8f1ab40221a8 --- /dev/null +++ b/nixos/tests/containers-ipv4.nix 
@@ -0,0 +1,55 @@ +# Test for NixOS' container support. + +import ./make-test.nix ({ pkgs, ...} : { + name = "containers-ipv4"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ aristid aszlig eelco chaoflow ]; + }; + + machine = + { config, pkgs, ... }: + { imports = [ ../modules/installer/cd-dvd/channel.nix ]; + virtualisation.writableStore = true; + virtualisation.memorySize = 768; + + containers.webserver = + { privateNetwork = true; + hostAddress = "10.231.136.1"; + localAddress = "10.231.136.2"; + config = + { services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowPing = true; + }; + }; + + virtualisation.pathsInNixDB = [ pkgs.stdenv ]; + }; + + testScript = + '' + $machine->succeed("nixos-container list") =~ /webserver/ or die; + + # Start the webserver container. + $machine->succeed("nixos-container start webserver"); + + # wait two seconds for the container to start and the network to be up + sleep 2; + + # Since "start" returns after the container has reached + # multi-user.target, we should now be able to access it. + my $ip = $machine->succeed("nixos-container show-ip webserver"); + chomp $ip; + $machine->succeed("ping -n -c1 $ip"); + $machine->succeed("curl --fail http://$ip/ > /dev/null"); + + # Stop the container. + $machine->succeed("nixos-container stop webserver"); + $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null"); + + # Destroying a declarative container should fail. + $machine->fail("nixos-container destroy webserver"); + ''; + +}) diff --git a/nixos/tests/containers-ipv6.nix b/nixos/tests/containers-ipv6.nix new file mode 100644 index 000000000000..0c1b8e88564d --- /dev/null +++ b/nixos/tests/containers-ipv6.nix 
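Review bot: `sleep 2;` with the comment "wait two seconds for the container to start and the network to be up" is a fixed delay on a path the very next comment describes as synchronous ("start" returns after multi-user.target), and a fixed timeout is the kind of check that becomes flaky on slow builders. If the wait is really for the veth address to settle, polling is more robust: drop the sleep and use `$machine->waitUntilSucceeds("ping -n -c1 $ip");` once `$ip` is known, then keep the `succeed` calls for the actual assertions. The new containers-ipv6.nix test in this commit has the identical sleep and should get the same treatment. In either case the comment should say which state is actually being awaited.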
@@ -0,0 +1,61 @@ +# Test for NixOS' container support. + +let + hostIp = "fc00::2"; + localIp = "fc00::1"; +in + +import ./make-test.nix ({ pkgs, ...} : { + name = "containers-ipv6"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ aristid aszlig eelco chaoflow ]; + }; + + machine = + { config, pkgs, ... }: + { imports = [ ../modules/installer/cd-dvd/channel.nix ]; + virtualisation.writableStore = true; + virtualisation.memorySize = 768; + + containers.webserver = + { privateNetwork = true; + hostAddress6 = hostIp; + localAddress6 = localIp; + config = + { services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowPing = true; + }; + }; + + virtualisation.pathsInNixDB = [ pkgs.stdenv ]; + }; + + testScript = + '' + $machine->waitForUnit("default.target"); + $machine->succeed("nixos-container list") =~ /webserver/ or die; + + # Start the webserver container. + $machine->succeed("nixos-container start webserver"); + + # wait two seconds for the container to start and the network to be up + sleep 2; + + # Since "start" returns after the container has reached + # multi-user.target, we should now be able to access it. + my $ip = "${localIp}"; + chomp $ip; + $machine->succeed("ping6 -n -c 1 $ip"); + $machine->succeed("curl --fail http://[$ip]/ > /dev/null"); + + # Stop the container. + $machine->succeed("nixos-container stop webserver"); + $machine->fail("curl --fail --connect-timeout 2 http://[$ip]/ > /dev/null"); + + # Destroying a declarative container should fail. + $machine->fail("nixos-container destroy webserver"); + ''; + +}) diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix index 10d69b446cd7..c777fd41b780 100644 --- a/nixos/tests/printing.nix +++ b/nixos/tests/printing.nix 
@@ -62,7 +62,7 @@ import ./make-test.nix ({pkgs, ... }: { # Test printing various file types. foreach my $file ("${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf", "${pkgs.groff.doc}/share/doc/*/meref.ps", - "${pkgs.cups}/share/doc/cups/images/cups.png", + "${pkgs.cups.out}/share/doc/cups/images/cups.png", "${pkgs.pcre.doc}/share/doc/pcre/pcre.txt") { $file =~ /([^\/]*)$/; my $fn = $1; |