Diffstat (limited to 'nixos')
-rwxr-xr-x | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/programs/zsh/zsh.nix | 6 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 11 | ||||
-rw-r--r-- | nixos/modules/security/rngd.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/databases/postgresql.xml | 4 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/riemann.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/mstpd.nix | 33 | ||||
-rw-r--r-- | nixos/modules/services/search/solr.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/security/fprintd.nix | 53 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/winstone.nix | 2 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces-scripted.nix | 18 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 7 | ||||
-rw-r--r-- | nixos/release-small.nix | 2 |
13 files changed, 130 insertions, 18 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 503dd87ad4d9..844fae536e95 100755
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -254,6 +254,7 @@
 ./services/networking/kippo.nix
 ./services/networking/mailpile.nix
 ./services/networking/minidlna.nix
+ ./services/networking/mstpd.nix
 ./services/networking/murmur.nix
 ./services/networking/nat.nix
 ./services/networking/networkmanager.nix
@@ -306,6 +307,7 @@
 ./services/search/solr.nix
 ./services/security/clamav.nix
 ./services/security/fail2ban.nix
+ ./services/security/fprintd.nix
 ./services/security/fprot.nix
 ./services/security/frandom.nix
 ./services/security/haveged.nix
diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix
index 39f9671316ee..74dd6af0bdde 100644
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@@ -100,15 +100,11 @@ in
 export HISTSIZE=2000
 export HISTFILE=$HOME/.zsh_history
- setopt HIST_IGNORE_DUPS SHARE_HISTORY
+ setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK
 '';
 };
- environment.profileRelativeEnvVars =
- { FPATH = [ "/share/zsh/site-functions" ];
- };
-
 environment.etc."zshenv".text = ''
 # /etc/zshenv: DO NOT EDIT -- this file has been generated automatically.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 844a9da0eb46..3b5dd41868be 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -54,6 +54,15 @@ let
 '';
 };
+ fprintAuth = mkOption {
+ default = config.services.fprintd.enable;
+ type = types.bool;
+ description = ''
+ If set, fingerprint reader will be used (if exists and
+ your fingerprints are enrolled).
+ '';
+ };
+
 sshAgentAuth = mkOption {
 default = false;
 type = types.bool;
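Review bot: The new `fprintAuth` option defaults to `config.services.fprintd.enable`, so switching on the daemon silently turns fingerprint authentication on for every PAM service declared through this module, and the description does not say where the default comes from or what it implies. I would write the description as `Whether to allow authentication with a fingerprint reader via pam_fprintd. Defaults to services.fprintd.enable, so enabling the daemon turns this on for all PAM services unless overridden per service.` The phrase "(if exists and your fingerprints are enrolled)" also reads awkwardly; "if one exists and your fingerprints are enrolled" is clearer. The enclosing option set starts outside the hunk.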
@@ -179,6 +188,8 @@ let
 "auth required pam_tally.so"}
 ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
 "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
+ ${optionalString cfg.fprintAuth
+ "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
 ${optionalString cfg.usbAuth
 "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
 ${optionalString cfg.unixAuth
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index 4d8fabc7696e..b14ea7a5f276 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -20,7 +20,7 @@ with lib;
 KERNEL=="random", TAG+="systemd"
 SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
 KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
- KERNEL=="tmp0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
+ ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''}
 '';
 systemd.services.rngd = {
@@ -32,8 +32,6 @@ with lib;
 serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" + (if config.services.tcsd.enable then " --no-tpm=1" else "");
-
- restartTriggers = [ pkgs.rng_tools ];
 };
 };
 }
diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml
index e98b431bd60a..a98026942959 100644
--- a/nixos/modules/services/databases/postgresql.xml
+++ b/nixos/modules/services/databases/postgresql.xml
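Review bot: `pam_fprintd.so` is inserted as `auth sufficient` ahead of `pam_usb` and `pam_unix`, so a single matching fingerprint completes authentication with no password for any service where `fprintAuth` is true — and because that option defaults to `services.fprintd.enable`, that is every service using this module's defaults as soon as the daemon is enabled. That may well be intended, but it changes the authentication policy of the whole system rather than of one service, so the line deserves a why-comment such as `# sufficient: a fingerprint match alone satisfies auth; password is only asked after it fails or times out` and the fprintAuth description should state the system-wide effect. Ordering relative to `pam_unix` also matters here and should be stated, since the password prompt is now only reached after the fingerprint attempt. The `auth` stanza continues outside the hunk.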
@@ -24,11 +24,11 @@
 <programlisting>
 services.postgresql.enable = true;
-services.postgresql.package = pkgs.postgresql93;
+services.postgresql.package = pkgs.postgresql94;
 </programlisting>
 Note that you are required to specify the desired version of
-PostgreSQL (e.g. <literal>pkgs.postgresql93</literal>). Since
+PostgreSQL (e.g. <literal>pkgs.postgresql94</literal>). Since
 upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for <option>services.postgresql.package</option> such as the most recent
diff --git a/nixos/modules/services/monitoring/riemann.nix b/nixos/modules/services/monitoring/riemann.nix
index ab37d717b86d..ac5d0134a80d 100644
--- a/nixos/modules/services/monitoring/riemann.nix
+++ b/nixos/modules/services/monitoring/riemann.nix
@@ -17,7 +17,7 @@ let
 launcher = writeScriptBin "riemann" ''
 #!/bin/sh
- exec ${openjdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
+ exec ${jdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
 -cp ${classpath} \
 riemann.bin ${writeText "riemann-config.clj" riemannConfig}
 '';
diff --git a/nixos/modules/services/networking/mstpd.nix b/nixos/modules/services/networking/mstpd.nix
new file mode 100644
index 000000000000..5d1fc4a65427
--- /dev/null
+++ b/nixos/modules/services/networking/mstpd.nix
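Review bot: The rewritten `exec` line keeps `concatStringsSep "\n" cfg.extraJavaOpts`, which joins the options with newlines inside a one-line shell command; with two or more entries the first physical line (`exec …/java opt1`) no longer ends in a backslash, so the shell runs it on its own and never reaches `-cp` and the main class. Only the package reference changed, but since the line is being rewritten anyway the separator should be a space: `exec ${jdk}/bin/java ${concatStringsSep " " cfg.extraJavaOpts} \`. The `launcher` binding is fully visible; the enclosing `let` starts outside the hunk.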
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.mstpd;
+in
+with lib;
+{
+ options.services.mstpd = {
+
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to enable the multiple spanning tree protocol daemon.
+ '';
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.mstpd ];
+
+ systemd.services.mstpd = {
+ description = "Multiple Spanning Tree Protocol Daemon";
+ wantedBy = [ "network.target" ];
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+ serviceConfig = {
+ Type = "forking";
+ ExecStart = "@${pkgs.mstpd}/bin/mstpd mstpd";
+ PIDFile = "/run/mstpd.pid";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/search/solr.nix b/nixos/modules/services/search/solr.nix
index 38d9dedbe3cf..7886d1e2e8e6 100644
--- a/nixos/modules/services/search/solr.nix
+++ b/nixos/modules/services/search/solr.nix
@@ -22,7 +22,7 @@ let
 cp common/lib/*.jar $out/lib/
 ln -s ${pkgs.ant}/lib/ant/lib/ant.jar $out/lib/
 ln -s ${cfg.solrPackage}/lib/ext/* $out/lib/
- ln -s ${pkgs.openjdk}/lib/openjdk/lib/tools.jar $out/lib/
+ ln -s ${pkgs.jdk.home}/lib/tools.jar $out/lib/
 '' + optionalString (cfg.extraJars != []) ''
 for f in ${concatStringsSep " " cfg.extraJars}; do
 cp $f $out/lib
@@ -44,7 +44,7 @@ in {
 javaPackage = mkOption {
 type = types.package;
- default = pkgs.openjre;
+ default = pkgs.jre;
 description = ''
 Which Java derivation to use for running solr.
 '';
diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix
new file mode 100644
index 000000000000..a35b065ba815
--- /dev/null
+++ b/nixos/modules/services/security/fprintd.nix
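Review bot: The `enable` description does not mention that this service is also switched on implicitly by `services.mstpd = mkIf needsMstpd { enable = true; }` in network-interfaces-scripted.nix whenever a bridge sets `rstp = true`; I would extend it to `Whether to enable the multiple spanning tree protocol daemon. It is enabled automatically when any networking.bridges.<name>.rstp is set.` The unit runs mstpd as root with `Type = "forking"` and a `PIDFile` under /run, and beyond `ConditionCapability` there is no confinement of a daemon that parses BPDUs arriving on bridge ports; if the systemd in use supports them, `ProtectSystem` and `PrivateTmp` would narrow what it can touch (I cannot see the systemd or mstpd version from here, so confirm). The file is complete in the hunk.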
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.fprintd;
+
+in
+
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.fprintd = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable fprintd daemon and PAM module for fingerprint readers handling.
+ '';
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ services.dbus.packages = [ pkgs.fprintd ];
+
+ environment.systemPackages = [ pkgs.fprintd ];
+
+ systemd.services.fprintd = {
+ description = "Fingerprint Authentication Daemon";
+
+ serviceConfig = {
+ Type = "dbus";
+ BusName = "net.reactivated.Fprint";
+ ExecStart = "${pkgs.fprintd}/libexec/fprintd";
+ };
+ };
+
+ };
+
+}
diff --git a/nixos/modules/services/web-servers/winstone.nix b/nixos/modules/services/web-servers/winstone.nix
index 7f48012f158e..eed16a64f2a8 100644
--- a/nixos/modules/services/web-servers/winstone.nix
+++ b/nixos/modules/services/web-servers/winstone.nix
@@ -30,7 +30,7 @@ let
 javaPackage = mkOption {
 type = types.package;
- default = pkgs.openjre;
+ default = pkgs.jre;
 description = ''
 Which Java derivation to use for running Winstone.
 '';
diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix
index 9d61a4b05301..da0d8530241b 100644
--- a/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixos/modules/tasks/network-interfaces-scripted.nix
@@ -37,6 +37,8 @@ let
 ip link del "${i}" 2>/dev/null || true
 '';
+ needsMstpd = any ({ rstp, ... }: rstp) (attrValues cfg.bridges);
+
 in {
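Review bot: The description `Whether to enable fprintd daemon and PAM module for fingerprint readers handling.` understates what the option does: because `security.pam.services.<name>.fprintAuth` in pam.nix defaults to `services.fprintd.enable`, setting this true makes `pam_fprintd.so` a `sufficient` auth module for every PAM service on the machine. I would say that explicitly: `Whether to enable the fprintd daemon. This also turns on fingerprint authentication (pam_fprintd) for all PAM services by default; see security.pam.services.<name>.fprintAuth.` The unit has no `wantedBy`, so it depends on D-Bus activation of `net.reactivated.Fprint` through the service file shipped in `pkgs.fprintd`; presumably that file names `fprintd.service` as its SystemdService, which is worth confirming, since otherwise dbus would spawn the daemon outside this unit. The file is complete in the hunk.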
@@ -185,13 +187,14 @@ in
 in
 { description = "Bridge Interface ${n}";
 wantedBy = [ "network.target" (subsystemDevice n) ];
- bindsTo = deps;
- after = [ "network-pre.target" ] ++ deps
+ bindsTo = deps ++ optional v.rstp "mstpd.service";
+ partOf = optional v.rstp "mstpd.service";
+ after = [ "network-pre.target" "mstpd.service" ] ++ deps
 ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces;
 before = [ "network-interfaces.target" (subsystemDevice n) ];
 serviceConfig.Type = "oneshot";
 serviceConfig.RemainAfterExit = true;
- path = [ pkgs.iproute ];
+ path = [ pkgs.iproute ] ++ optional v.rstp pkgs.mstpd;
 script = ''
 # Remove Dead Interfaces
 echo "Removing old bridge ${n}..."
@@ -206,6 +209,13 @@ in
 ip link set "${i}" up
 '')}
+ # Enable rstp on the interface
+ ${optionalString v.rstp ''
+ echo 1 >/sys/class/net/${n}/bridge/stp_state
+ mstpctl addbridge "${n}"
+ mstpctl setforcevers "${n}" rstp
+ ''}
+
 ip link set "${n}" up
 '';
 postStop = ''
@@ -343,6 +353,8 @@ in
 KERNEL=="tun", TAG+="systemd"
 '';
+ services.mstpd = mkIf needsMstpd { enable = true; };
+
 };
 }
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 4a272483e549..9f72e0f0d509 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -368,6 +368,13 @@ in
 "The physical network interfaces connected by the bridge.";
 };
+ rstp = mkOption {
+ example = true;
+ default = false;
+ type = types.bool;
+ description = "Whether the bridge interface should enable rstp.";
+ };
+
 };
 };
diff --git a/nixos/release-small.nix b/nixos/release-small.nix
index 07cd672843ea..7f53a101bdfc 100644
--- a/nixos/release-small.nix
+++ b/nixos/release-small.nix
@@ -61,12 +61,12 @@ in rec {
 gettext
 git
 imagemagick
+ jdk
 linux
 mysql51
 mysql55
 nginx
 nodejs
- openjdk
 openssh
 php
 postgresql92
|
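Review bot: `after` now lists `mstpd.service` unconditionally while `bindsTo`, `partOf` and `path` add it only under `optional v.rstp`; the extra ordering is harmless for bridges without RSTP, but for consistency with the other three I would write `after = [ "network-pre.target" ] ++ optional v.rstp "mstpd.service" ++ deps`. In the script of the second hunk, `echo 1 >/sys/class/net/${n}/bridge/stp_state` turns on the kernel's own STP before `mstpctl addbridge` hands the bridge over to mstpd, so the kernel runs STP for a moment; if mstpd requires stp_state to be set first (presumably — confirm), a one-line comment saying so would stop a later reader from "fixing" the order. Enabling RSTP also means the bridge now acts on BPDUs received from every member interface, and the module exposes no per-port guard settings, which is worth stating on the `rstp` option so operators know what they are turning on. The bridge unit's enclosing `let` begins outside the hunk.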
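Review bot: The description `Whether the bridge interface should enable rstp.` leaves the acronym unexpanded and does not say what setting it pulls in. I would write `Whether to run the Rapid Spanning Tree Protocol (RSTP) on this bridge. Setting this starts the mstpd daemon (services.mstpd) and makes the bridge process BPDUs from its member interfaces.` The `bridges` submodule that holds this option is defined outside the hunk.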