Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/default.nix | 1 | ||||
-rw-r--r-- | nixos/modules/config/gnu.nix | 1 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 6 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/backup/crashplan.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 25 | ||||
-rw-r--r-- | nixos/modules/services/networking/iodined.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/radicale.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/default.nix | 11 | ||||
-rw-r--r-- | nixos/modules/services/x11/window-managers/default.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/x11/xserver.nix | 20 | ||||
-rw-r--r-- | nixos/tests/chromium.nix | 15 | ||||
-rw-r--r-- | nixos/tests/dnscrypt-proxy.nix | 5 | ||||
-rw-r--r-- | nixos/tests/riak.nix | 2 |
14 files changed, 61 insertions, 53 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index 4ce6ea1c1118..746ddc071b6a 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -187,6 +187,7 @@ in rec { --param man.output.in.separate.dir 1 \ --param man.output.base.dir "'$out/share/man/'" \ --param man.endnotes.are.numbered 0 \ + --param man.break.after.slash 1 \ ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \ ./man-pages.xml ''; diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix index f8c35b440d12..ad0e35c8a63f 100644 --- a/nixos/modules/config/gnu.nix +++ b/nixos/modules/config/gnu.nix @@ -37,7 +37,6 @@ with lib; services.openssh.enable = false; services.lshd.enable = true; programs.ssh.startAgent = false; - services.xserver.startGnuPGAgent = true; # TODO: GNU dico. # TODO: GNU Inetutils' inetd. diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 919271cc4e96..f71d1e3fe200 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -176,7 +176,6 @@ seeks = 148; prosody = 149; i2pd = 150; - dnscrypt-proxy = 151; systemd-network = 152; systemd-resolve = 153; systemd-timesync = 154; @@ -255,6 +254,9 @@ avahi-autoipd = 231; nntp-proxy = 232; mjpg-streamer = 233; + radicale = 234; + hydra-queue-runner = 235; + hydra-www = 236; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -411,7 +413,6 @@ seeks = 148; prosody = 149; i2pd = 150; - dnscrypt-proxy = 151; systemd-network = 152; systemd-resolve = 153; systemd-timesync = 154; @@ -483,6 +484,7 @@ cfdyndns = 227; pdnsd = 229; octoprint = 230; + radicale = 234; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 0de6ca758c16..c6a781b6f00f 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
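Review bot: The `dnscrypt-proxy = 151;` entry is deleted from the uid table in the first ids.nix hunk, and from the gid table in the third, without leaving a marker that the number was ever assigned. Machines that already created the account presumably keep 151 for it and may still hold files owned by that id, so a later module that picks 151 as "free" would collide with or inherit them. Keeping a tombstone in both tables, for example `# dnscrypt-proxy = 151; # unused, do not reassign`, documents that the slot is retired. Both tables continue outside these hunks, so whether another convention for retired ids exists there cannot be seen from here.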
@@ -111,6 +111,7 @@ with lib; (mkRemovedOptionModule [ "services" "openvpn" "enable" ]) (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ]) (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ]) + (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]) ]; } diff --git a/nixos/modules/services/backup/crashplan.nix b/nixos/modules/services/backup/crashplan.nix index 74643d1d4635..46d4c5192d9e 100644 --- a/nixos/modules/services/backup/crashplan.nix +++ b/nixos/modules/services/backup/crashplan.nix @@ -48,6 +48,14 @@ with lib; ensureDir ${crashplan.vardir}/cache 700 ensureDir ${crashplan.vardir}/backupArchives 700 ensureDir ${crashplan.vardir}/log 777 + cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf + for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do + if [ -e $x ]; then + true; + else + ln -s ${crashplan}/$x ${crashplan.vardir}/$x; + fi; + done ''; serviceConfig = { diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index a6b5b1deed76..886bfc30468e 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -5,14 +5,17 @@ let apparmorEnabled = config.security.apparmor.enable; dnscrypt-proxy = pkgs.dnscrypt-proxy; cfg = config.services.dnscrypt-proxy; + resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; + daemonArgs = [ "--local-address=${localAddress}" (optionalString cfg.tcpOnly "--tcp-only") (optionalString cfg.ephemeralKeys "-E") ] ++ resolverArgs; + resolverArgs = if (cfg.customResolver != null) then [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}" 
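Review bot: In the crashplan.nix hunk the added loop tests `[ -e $x ]`, which resolves against the script's working directory and not against `${crashplan.vardir}`, where the link is then created. Unless the script changes into the var directory outside this hunk, the guard neither detects an existing link on a later start nor stops a same-named entry in the working directory from suppressing the link. The test should name the destination and quote its operands: `if [ ! -e "${crashplan.vardir}/$x" ]; then ln -s "${crashplan}/$x" "${crashplan.vardir}/$x"; fi`. A link that survives a package upgrade keeps pointing at the old store path, so it is worth a comment stating whether that is intended. The surrounding script starts and ends outside the hunk.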
@@ -50,7 +53,7 @@ in services.dnsmasq.resolveLocalQueries = true; # this is the default } </programlisting> - ''; }; + ''; }; localAddress = mkOption { default = "127.0.0.1"; type = types.string; @@ -71,13 +74,13 @@ in ''; }; resolverName = mkOption { - default = "cisco"; + default = "dnscrypt.eu-nl"; type = types.nullOr types.string; description = '' The name of the upstream DNSCrypt resolver to use. See - <filename>${resolverListFile}</filename> for alternative resolvers - (e.g., if you are concerned about logging and/or server - location). + <filename>${resolverListFile}</filename> for alternative resolvers. + The default resolver is located in Holland, supports DNS security + extensions, and claims to not keep logs. ''; }; customResolver = mkOption { @@ -170,11 +173,12 @@ in } '')); - users.extraUsers.dnscrypt-proxy = { - uid = config.ids.uids.dnscrypt-proxy; + users.users.dnscrypt-proxy = { description = "dnscrypt-proxy daemon user"; + isSystemUser = true; + group = "dnscrypt-proxy"; }; - users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy; + users.groups.dnscrypt-proxy = {}; systemd.sockets.dnscrypt-proxy = { description = "dnscrypt-proxy listening socket"; @@ -187,16 +191,21 @@ in systemd.services.dnscrypt-proxy = { description = "dnscrypt-proxy daemon"; + after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service"; requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service"; + serviceConfig = { Type = "simple"; NonBlocking = "true"; ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}"; + User = "dnscrypt-proxy"; Group = "dnscrypt-proxy"; + PrivateTmp = true; PrivateDevices = true; + ProtectHome = true; }; }; }; diff --git a/nixos/modules/services/networking/iodined.nix b/nixos/modules/services/networking/iodined.nix index 6bfe62e6261c..20d371c4e2d1 100644 --- a/nixos/modules/services/networking/iodined.nix +++ b/nixos/modules/services/networking/iodined.nix 
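Review bot: Changing the `resolverName` default from `cisco` to `dnscrypt.eu-nl` moves every installation that never set the option to a different third-party resolver on upgrade, and nothing in the hunk tells the administrator. Since all DNS queries of the host go to that operator, the switch deserves a release-note entry. The description should also attribute the privacy properties, for example `According to its operator, the default resolver is located in the Netherlands, supports DNSSEC and does not keep logs.` It should still point readers with other jurisdiction or logging requirements to `${resolverListFile}`, a hint the removed wording carried.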
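Review bot: The sandboxing in the `serviceConfig` of the last dnscrypt-proxy.nix hunk stops at `PrivateTmp`, `PrivateDevices` and `ProtectHome`. The daemon parses responses from remote resolvers, and it is handed its listening socket by `dnscrypt-proxy.socket`, so it should need neither write access to system directories nor the ability to gain privileges. Consider adding `ProtectSystem = "full";` and `NoNewPrivileges = true;` next to the existing flags, and confirm with the test in nixos/tests/dnscrypt-proxy.nix that the unit still starts. The attribute set opens inside this hunk but the enclosing `config` block begins outside it.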
@@ -64,8 +64,7 @@ in systemd.services.iodined = { description = "iodine, ip over dns daemon"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = [ "ip-up.target" ]; serviceConfig.ExecStart = "${pkgs.iodine}/sbin/iodined -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.ip} ${cfg.domain}"; }; diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index 4b77ef22ac12..19762f4e570c 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -35,12 +35,27 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.pythonPackages.radicale ]; + users.extraUsers = singleton + { name = "radicale"; + uid = config.ids.uids.radicale; + description = "radicale user"; + home = "/var/lib/radicale"; + createHome = true; + }; + + users.extraGroups = singleton + { name = "radicale"; + gid = config.ids.gids.radicale; + }; + systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; after = [ "network-interfaces.target" ]; wantedBy = [ "multi-user.target" ]; script = "${pkgs.pythonPackages.radicale}/bin/radicale -C ${confFile} -d"; serviceConfig.Type = "forking"; + serviceConfig.User = "radicale"; + serviceConfig.Group = "radicale"; }; }; } diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 533b03aff08d..7dffdfc2b36c 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix 
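Review bot: In the radicale.nix hunk the new `radicale` user is declared without a `group`, so the account's primary group is whatever the user module defaults to, while the unit runs with `serviceConfig.Group = "radicale"`. The home directory made by `createHome`, and anything created for that user outside the unit, can therefore end up with a different group than the files the service writes. Adding `group = "radicale";` to the user definition keeps the two consistent, as the dnscrypt-proxy change in this same commit does. Because the service previously ran without a `User` setting, calendar and contact data written by earlier versions is presumably owned by root and stored under a different home. An upgrade note or a one-time ownership fix for the storage directory would avoid the server silently starting with an empty or unreadable collection.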
@@ -49,17 +49,6 @@ let fi ''} - ${optionalString cfg.startGnuPGAgent '' - if test -z "$SSH_AUTH_SOCK"; then - # Restart this script as a child of the GnuPG agent. - exec "${pkgs.gnupg}/bin/gpg-agent" \ - --enable-ssh-support --daemon \ - --pinentry-program "${pkgs.pinentry}/bin/pinentry-gtk-2" \ - --write-env-file "$HOME/.gpg-agent-info" \ - "$0" "$sessionType" - fi - ''} - # Handle being called by kdm. if test "''${1:0:1}" = /; then eval exec "$1"; fi diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index 63136beac710..fce71bbda7e2 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -10,7 +10,6 @@ in imports = [ ./afterstep.nix ./bspwm.nix - ./clfswm.nix ./compiz.nix ./dwm.nix ./exwm.nix diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index abbe00cc8881..0fcea6ce5e4f 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -219,17 +219,6 @@ in ''; }; - startGnuPGAgent = mkOption { - type = types.bool; - default = false; - description = '' - Whether to start the GnuPG agent when you log in. The GnuPG agent - remembers private keys for you so that you don't have to type in - passphrases every time you make an SSH connection or sign/encrypt - data. Use <command>ssh-add</command> to add a key to the agent. - ''; - }; - startDbusSession = mkOption { type = types.bool; default = true; 
@@ -444,14 +433,7 @@ in in optional (driver != null) ({ inherit name; driverName = name; } // driver)); assertions = - [ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent); - message = - '' - The OpenSSH agent and GnuPG agent cannot be started both. Please - choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’. - ''; - } - { assertion = config.security.polkit.enable; + [ { assertion = config.security.polkit.enable; message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’)."; } ]; diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 974af6888b69..9a6414f81c39 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -1,4 +1,11 @@ -{ system ? builtins.currentSystem }: +{ system ? builtins.currentSystem +, pkgs ? import ../.. { inherit system; } +, channelMap ? { + stable = pkgs.chromium; + beta = pkgs.chromiumBeta; + dev = pkgs.chromiumDev; + } +}: with import ../lib/testing.nix { inherit system; }; with pkgs.lib; @@ -160,8 +167,4 @@ mapAttrs (channel: chromiumPkg: makeTest rec { $machine->shutdown; ''; -}) { - stable = pkgs.chromium; - beta = pkgs.chromiumBeta; - dev = pkgs.chromiumDev; -} +}) channelMap diff --git a/nixos/tests/dnscrypt-proxy.nix b/nixos/tests/dnscrypt-proxy.nix index 20ec3a333e77..b686e9582a7d 100644 --- a/nixos/tests/dnscrypt-proxy.nix +++ b/nixos/tests/dnscrypt-proxy.nix @@ -23,10 +23,11 @@ import ./make-test.nix ({ pkgs, ... }: { testScript = '' $client->start; - $client->waitForUnit("multi-user.target"); + $client->waitForUnit("sockets.target"); + $client->waitForUnit("dnsmasq"); # The daemon is socket activated; sending a single ping should activate it. $client->execute("${pkgs.iputils}/bin/ping -c1 example.com"); - $client->succeed("systemctl is-active dnscrypt-proxy.service"); + $client->succeed("systemctl is-active dnscrypt-proxy"); ''; }) diff --git a/nixos/tests/riak.nix b/nixos/tests/riak.nix index f36d12bdb2cf..18d028232ac2 100644 
--- a/nixos/tests/riak.nix +++ b/nixos/tests/riak.nix @@ -7,7 +7,7 @@ import ./make-test.nix { { services.riak.enable = true; - services.riak.package = pkgs.riak2; + services.riak.package = pkgs.riak; }; }; |