Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/hardware/video/bumblebee.nix | 2 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-generate-config.pl | 6 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/grsecurity.xml | 38 | ||||
-rw-r--r-- | nixos/modules/services/hardware/sane.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/gogs.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/network-filesystems/glusterfs.nix | 84 | ||||
-rw-r--r-- | nixos/modules/services/network-filesystems/nfsd.nix | 101 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnschain.nix | 177 | ||||
-rw-r--r-- | nixos/modules/services/networking/namecoind.nix | 211 | ||||
-rw-r--r-- | nixos/modules/services/networking/rpcbind.nix | 52 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems.nix | 2 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/glusterfs.nix | 11 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/nfs.nix | 100 |
16 files changed, 469 insertions, 325 deletions
diff --git a/nixos/modules/hardware/video/bumblebee.nix b/nixos/modules/hardware/video/bumblebee.nix index 3ce97ad31c22..fbf3f20885b5 100644 --- a/nixos/modules/hardware/video/bumblebee.nix +++ b/nixos/modules/hardware/video/bumblebee.nix @@ -76,7 +76,7 @@ in config = mkIf cfg.enable { boot.blacklistedKernelModules = [ "nvidia-drm" "nvidia" "nouveau" ]; - boot.kernelModules = optional useBbswitch [ "bbswitch" ]; + boot.kernelModules = optional useBbswitch "bbswitch"; boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11; environment.systemPackages = [ bumblebee primus ]; diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index e17c02d13745..0a5624ff6a3f 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -588,6 +588,12 @@ $bootLoaderConfig # Enable the OpenSSH daemon. # services.openssh.enable = true; + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + # Enable CUPS to print documents. # services.printing.enable = true; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 0ed44f9d3d15..60e00ce874a8 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -286,6 +286,7 @@ gogs = 268; pdns-recursor = 269; kresd = 270; + rpc = 271; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -541,6 +542,7 @@ couchpotato = 267; gogs = 268; kresd = 270; + #rpc = 271; # unused # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fed75053e567..1398542a5c17 100644 
--- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -339,6 +339,7 @@ ./services/monitoring/zabbix-server.nix ./services/network-filesystems/cachefilesd.nix ./services/network-filesystems/drbd.nix + ./services/network-filesystems/glusterfs.nix ./services/network-filesystems/ipfs.nix ./services/network-filesystems/netatalk.nix ./services/network-filesystems/nfsd.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 4e7f62fc8f5c..5ae3f4bd6e63 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -172,6 +172,10 @@ with lib; (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) + # nfs + (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) + (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) + # Options that are obsolete and have no replacement. (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml index a7bcf4924f01..ef0aab4a3f13 100644 --- a/nixos/modules/security/grsecurity.xml +++ b/nixos/modules/security/grsecurity.xml 
@@ -7,21 +7,20 @@ <title>Grsecurity/PaX</title> <para> - Grsecurity/PaX is a set of patches against the Linux kernel that make it - harder to exploit bugs. The patchset includes protections such as - enforcement of non-executable memory, address space layout randomization, - and chroot jail hardening. These and other + Grsecurity/PaX is a set of patches against the Linux kernel that + implements an extensive suite of <link xlink:href="https://grsecurity.net/features.php">features</link> - render entire classes of exploits inert without additional efforts on the - part of the adversary. + designed to increase the difficulty of exploiting kernel and + application bugs. </para> <para> The NixOS grsecurity/PaX module is designed with casual users in mind and is - intended to be compatible with normal desktop usage, without unnecessarily - compromising security. The following sections describe the configuration - and administration of a grsecurity/PaX enabled NixOS system. For - more comprehensive coverage, please refer to the + intended to be compatible with normal desktop usage, without + <emphasis>unnecessarily</emphasis> compromising security. The + following sections describe the configuration and administration of + a grsecurity/PaX enabled NixOS system. For more comprehensive + coverage, please refer to the <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link> and the <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch @@ -35,7 +34,7 @@ and each configuration requires quite a bit of testing to ensure that the resulting packages work as advertised. Defining additional package sets would likely result in a large number of functionally broken packages, to - nobody's benefit.</para></note>. + nobody's benefit.</para></note> </para> <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title> 
@@ -126,10 +125,10 @@ The NixOS kernel is built using upstream's recommended settings for a desktop deployment that generally favours security over performance. This section details deviations from upstream's recommendations that may - compromise operational security. + compromise security. <warning><para>There may be additional problems not covered here!</para> - </warning>. + </warning> </para> <itemizedlist> @@ -159,8 +158,8 @@ <listitem><para> The NixOS module conditionally weakens <command>chroot</command> restrictions to accommodate NixOS lightweight containers and sandboxed Nix - builds. This is problematic if the deployment also runs a privileged - network facing process that <emphasis>relies</emphasis> on + builds. This can be problematic if the deployment also runs privileged + network facing processes that <emphasis>rely</emphasis> on <command>chroot</command> for isolation. </para></listitem> @@ -221,15 +220,18 @@ </para> <para> - The wikibook provides an exhaustive listing of + The grsecurity/PaX wikibook provides an exhaustive listing of <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>. </para> <para> The NixOS module makes several assumptions about the kernel and so may be incompatible with your customised kernel. Currently, the only way - to work around incompatibilities is to eschew the NixOS module. + to work around these incompatibilities is to eschew the NixOS + module. + </para> + <para> If not using the NixOS module, a custom grsecurity package set can be specified inline instead, as in <programlisting> 
@@ -290,7 +292,7 @@ <listitem><para>User initiated autoloading of modules (e.g., when using fuse or loop devices) is disallowed; either load requisite modules - as root or add them to<option>boot.kernelModules</option>.</para></listitem> + as root or add them to <option>boot.kernelModules</option>.</para></listitem> <listitem><para>Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index 8ddb9ef9c53b..d651ccaa5776 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -51,7 +51,7 @@ in Enable support for SANE scanners. <note><para> - Users in the "scanner" group will gain access to the scanner. + Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer. </para></note> ''; }; diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix index 09e5c4fe1ff1..ca8fc06e4835 100644 --- a/nixos/modules/services/misc/gogs.nix +++ b/nixos/modules/services/misc/gogs.nix @@ -208,6 +208,7 @@ in group = "gogs"; home = cfg.stateDir; createHome = true; + shell = pkgs.bash; }; extraGroups.gogs.gid = config.ids.gids.gogs; }; diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix new file mode 100644 index 000000000000..a2f2c0339515 --- /dev/null +++ b/nixos/modules/services/network-filesystems/glusterfs.nix 
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ inherit (pkgs) glusterfs;
+
+ cfg = config.services.glusterfs;
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.glusterfs = {
+
+ enable = mkEnableOption "GlusterFS Daemon";
+
+ logLevel = mkOption {
+ type = types.enum ["DEBUG" "INFO" "WARNING" "ERROR" "CRITICAL" "TRACE" "NONE"];
+ description = "Log level used by the GlusterFS daemon";
+ default = "INFO";
+ };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ description = "Extra flags passed to the GlusterFS daemon";
+ default = [];
+ };
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.glusterfs ];
+
+ services.rpcbind.enable = true;
+
+ systemd.services.glusterd = {
+
+ description = "GlusterFS, a clustered file-system server";
+
+ wantedBy = [ "multi-user.target" ];
+
+ requires = [ "rpcbind.service" ];
+ after = [ "rpcbind.service" "network.target" "local-fs.target" ];
+ before = [ "network-online.target" ];
+
+ preStart = ''
+ install -m 0755 -d /var/log/glusterfs
+ '';
+
+ serviceConfig = {
+ Type="forking";
+ PIDFile="/run/glusterd.pid";
+ LimitNOFILE=65536;
+ ExecStart="${glusterfs}/sbin/glusterd -p /run/glusterd.pid --log-level=${cfg.logLevel} ${toString cfg.extraFlags}";
+ KillMode="process";
+ };
+ };
+
+ systemd.services.glustereventsd = {
+
+ description = "Gluster Events Notifier";
+
+ wantedBy = [ "multi-user.target" ];
+
+ after = [ "syslog.target" "network.target" ];
+
+ serviceConfig = {
+ Type="simple";
+ Environment="PYTHONPATH=${glusterfs}/usr/lib/python2.7/site-packages";
+ PIDFile="/run/glustereventsd.pid";
+ ExecStart="${glusterfs}/sbin/glustereventsd --pid-file /run/glustereventsd.pid";
+ ExecReload="/bin/kill -SIGUSR2 $MAINPID";
+ KillMode="control-group";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix
index ddc7258ce0b4..4fafb7a1fdbb 100644
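Review bot: `ExecReload="/bin/kill -SIGUSR2 $MAINPID"` in the glustereventsd serviceConfig refers to a path NixOS does not provide, so a reload of that unit fails at exec time; the other modules in this commit use `${pkgs.coreutils}/bin/kill`, so `ExecReload="${pkgs.coreutils}/bin/kill -SIGUSR2 $MAINPID";` fixes it and keeps the modules consistent. The glusterd ExecStart splices `${toString cfg.extraFlags}` into the command line unescaped, so a flag containing whitespace or quotes is re-split by systemd's ExecStart word splitting rather than passed as one argument; `${escapeShellArgs cfg.extraFlags}` is the usual form if the lib in use provides it. The `inherit (pkgs) glusterfs` binding in the `let` block is used in the ExecStart strings but `environment.systemPackages` still spells `pkgs.glusterfs`; using `[ glusterfs ]` in both places reads cleaner.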
--- a/nixos/modules/services/network-filesystems/nfsd.nix +++ b/nixos/modules/services/network-filesystems/nfsd.nix @@ -20,6 +20,7 @@ in server = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to enable the kernel's NFS server. @@ -27,6 +28,7 @@ in }; exports = mkOption { + type = types.lines; default = ""; description = '' Contents of the /etc/exports file. See @@ -36,6 +38,7 @@ in }; hostName = mkOption { + type = types.nullOr types.str; default = null; description = '' Hostname or address on which NFS requests will be accepted. @@ -46,6 +49,7 @@ in }; nproc = mkOption { + type = types.int; default = 8; description = '' Number of NFS server threads. Defaults to the recommended value of 8. @@ -53,11 +57,13 @@ in }; createMountPoints = mkOption { + type = types.bool; default = false; description = "Whether to create the mount points in the exports file at startup time."; }; mountdPort = mkOption { + type = types.nullOr types.int; default = null; example = 4002; description = '' @@ -66,11 +72,26 @@ in }; lockdPort = mkOption { - default = 0; + type = types.nullOr types.int; + default = null; + example = 4001; description = '' - Fix the lockd port number. This can help setting firewall rules for NFS. + Use a fixed port for the NFS lock manager kernel module + (<literal>lockd/nlockmgr</literal>). This is useful if the + NFS server is behind a firewall. ''; }; + + statdPort = mkOption { + type = types.nullOr types.int; + default = null; + example = 4000; + description = '' + Use a fixed port for <command>rpc.statd</command>. This is + useful if the NFS server is behind a firewall. + ''; + }; + }; }; 
@@ -82,61 +103,42 @@ in config = mkIf cfg.enable { - services.rpcbind.enable = true; + services.nfs.extraConfig = '' + [nfsd] + threads=${toString cfg.nproc} + ${optionalString (cfg.hostName != null) "host=${cfg.hostName}"} - boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd + [mountd] + ${optionalString (cfg.mountdPort != null) "port=${toString cfg.mountdPort}"} - environment.systemPackages = [ pkgs.nfs-utils ]; + [statd] + ${optionalString (cfg.statdPort != null) "port=${toString cfg.statdPort}"} - environment.etc.exports.source = exports; - - boot.kernelModules = [ "nfsd" ]; - - systemd.services.nfsd = - { description = "NFS Server"; - - wantedBy = [ "multi-user.target" ]; - - requires = [ "rpcbind.service" "mountd.service" ]; - after = [ "rpcbind.service" "mountd.service" "idmapd.service" ]; - before = [ "statd.service" ]; - - path = [ pkgs.nfs-utils ]; + [lockd] + ${optionalString (cfg.lockdPort != null) '' + port=${toString cfg.lockdPort} + udp-port=${toString cfg.lockdPort} + ''} + ''; - script = - '' - # Create a state directory required by NFSv4. 
- mkdir -p /var/lib/nfs/v4recovery - - ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_tcpport=${builtins.toString cfg.lockdPort} - ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_udpport=${builtins.toString cfg.lockdPort} + services.rpcbind.enable = true; - rpc.nfsd \ - ${if cfg.hostName != null then "-H ${cfg.hostName}" else ""} \ - ${builtins.toString cfg.nproc} - ''; + boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd - postStop = "rpc.nfsd 0"; + environment.etc.exports.source = exports; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; + systemd.services.nfs-server = + { enable = true; + wantedBy = [ "multi-user.target" ]; }; - systemd.services.mountd = - { description = "NFSv3 Mount Daemon"; - - requires = [ "rpcbind.service" ]; - after = [ "rpcbind.service" "local-fs.target" ]; - - path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ]; + systemd.services.nfs-mountd = + { enable = true; + path = [ pkgs.nfs-utils ]; + restartTriggers = [ exports ]; preStart = '' - mkdir -p /var/lib/nfs - touch /var/lib/nfs/rmtab - - mountpoint -q /proc/fs/nfsd || mount -t nfsd none /proc/fs/nfsd - ${optionalString cfg.createMountPoints '' # create export directories: @@ -149,15 +151,6 @@ in exportfs -rav ''; - - restartTriggers = [ exports ]; - - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = '' - @${pkgs.nfs-utils}/sbin/rpc.mountd rpc.mountd \ - ${if cfg.mountdPort != null then "-p ${toString cfg.mountdPort}" else ""} - ''; - serviceConfig.Restart = "always"; }; }; diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix index f17f8c832ee4..b64929960576 100644 --- a/nixos/modules/services/networking/dnschain.nix +++ b/nixos/modules/services/networking/dnschain.nix 
@@ -3,23 +3,28 @@ with lib; let - cfg = config.services; + cfgs = config.services; + cfg = cfgs.dnschain; - dnschainConf = pkgs.writeText "dnschain.conf" '' + dataDir = "/var/lib/dnschain"; + username = "dnschain"; + + configFile = pkgs.writeText "dnschain.conf" '' [log] - level=info + level = info [dns] - host = 127.0.0.1 - port = 5333 + host = ${cfg.dns.address} + port = ${toString cfg.dns.port} oldDNSMethod = NO_OLD_DNS - # TODO: check what that address is acutally used for - externalIP = 127.0.0.1 + externalIP = ${cfg.dns.address} [http] - host = 127.0.0.1 - port=8088 - tlsPort=4443 + host = ${cfg.api.hostname} + port = ${toString cfg.api.port} + tlsPort = ${toString cfg.api.tlsPort} + + ${cfg.extraConfig} ''; in 
@@ -32,28 +37,81 @@ in services.dnschain = { - enable = mkOption { - type = types.bool; - default = false; + enable = mkEnableOption '' + DNSChain, a blockchain based DNS + HTTP server. + To resolve .bit domains set <literal>services.namecoind.enable = true;</literal> + and an RPC username/password. + ''; + + dns.address = mkOption { + type = types.str; + default = "127.0.0.1"; description = '' - Whether to run dnschain. That implies running - namecoind as well, so make sure to configure - it appropriately. + The IP address that will be used to reach this machine. + Leave this unchanged if you do not wish to directly expose the DNSChain resolver. ''; }; - }; + dns.port = mkOption { + type = types.int; + default = 5333; + description = '' + The port the DNSChain resolver will bind to. + ''; + }; + + api.hostname = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + The hostname (or IP address) the DNSChain API server will bind to. + ''; + }; + + api.port = mkOption { + type = types.int; + default = 8080; + description = '' + The port the DNSChain API server (HTTP) will bind to. + ''; + }; - services.dnsmasq = { - resolveDnschainQueries = mkOption { - type = types.bool; - default = false; + api.tlsPort = mkOption { + type = types.int; + default = 4433; description = '' - Resolve <literal>.bit</literal> top-level domains - with dnschain and namecoind. + The port the DNSChain API server (HTTPS) will bind to. ''; }; + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + [log] + level = debug + ''; + description = '' + Additional options that will be appended to the configuration file. + ''; + }; + + }; + + services.dnsmasq.resolveDNSChainQueries = mkOption { + type = types.bool; + default = false; + description = '' + Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin. 
+ ''; + }; + + services.pdns-recursor.resolveDNSChainQueries = mkOption { + type = types.bool; + default = false; + description = '' + Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin. + ''; }; }; 
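Review bot: `api.hostname` defaults to `"0.0.0.0"`, so merely enabling DNSChain exposes the HTTP and HTTPS API on every interface, while the neighbouring `dns.address` defaults to loopback and its description explicitly tells the user to leave it unchanged unless they want the resolver exposed; the API option's description says nothing about this asymmetry. Either default it to `"127.0.0.1"` for symmetry with `dns.address`, or extend the description with a sentence such as `The default binds on all interfaces; set this to 127.0.0.1 to keep the API reachable from this host only.` The option is also named `hostname` but is written into the generated `[http] host = …` line as a bind address, so `api.address` alongside `dns.address` would describe it more accurately, at the cost of another rename entry.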
@@ -61,48 +119,47 @@ in ###### implementation - config = mkIf cfg.dnschain.enable { - - services.namecoind.enable = true; + config = mkIf cfg.enable { - services.dnsmasq.servers = optionals cfg.dnsmasq.resolveDnschainQueries [ "/.bit/127.0.0.1#5333" ]; + services.dnsmasq.servers = optionals cfgs.dnsmasq.resolveDNSChainQueries + [ "/.bit/127.0.0.1#${toString cfg.dns.port}" + "/.dns/127.0.0.1#${toString cfg.dns.port}" + ]; - users.extraUsers = singleton - { name = "dnschain"; - uid = config.ids.uids.dnschain; - extraGroups = [ "namecoin" ]; - description = "Dnschain daemon user"; - home = "/var/lib/dnschain"; - createHome = true; + services.pdns-recursor.forwardZones = mkIf cfgs.pdns-recursor.resolveDNSChainQueries + { bit = "127.0.0.1:${toString cfg.dns.port}"; + dns = "127.0.0.1:${toString cfg.dns.port}"; }; + users.extraUsers = singleton { + name = username; + description = "DNSChain daemon user"; + home = dataDir; + createHome = true; + uid = config.ids.uids.dnschain; + extraGroups = optional cfgs.namecoind.enable "namecoin"; + }; + systemd.services.dnschain = { - description = "Dnschain Daemon"; - after = [ "namecoind.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.openssl ]; - preStart = '' - # Link configuration file into dnschain HOME directory - if [ "$(${pkgs.coreutils}/bin/realpath /var/lib/dnschain/.dnschain.conf)" != "${dnschainConf}" ]; then - rm -rf /var/lib/dnschain/.dnschain.conf - ln -s ${dnschainConf} /var/lib/dnschain/.dnschain.conf - fi - - # Create empty namecoin.conf so that dnschain is not - # searching for /etc/namecoin/namecoin.conf - if [ ! 
-e /var/lib/dnschain/.namecoin/namecoin.conf ]; then - mkdir -p /var/lib/dnschain/.namecoin - touch /var/lib/dnschain/.namecoin/namecoin.conf - fi - ''; - serviceConfig = { - Type = "simple"; - User = "dnschain"; - EnvironmentFile = config.services.namecoind.userFile; - ExecStart = "${pkgs.dnschain}/bin/dnschain --rpcuser=\${USER} --rpcpassword=\${PASSWORD} --rpcport=8336"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; - }; + description = "DNSChain daemon"; + after = optional cfgs.namecoind.enable "namecoind.target"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "dnschain"; + Restart = "on-failure"; + ExecStart = "${pkgs.dnschain}/bin/dnschain"; + }; + + preStart = '' + # Link configuration file into dnschain home directory + configPath=${dataDir}/.dnschain/dnschain.conf + mkdir -p ${dataDir}/.dnschain + if [ "$(realpath $configPath)" != "${configFile}" ]; then + rm -f $configPath + ln -s ${configFile} $configPath + fi + ''; }; }; diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix index 83fc1ec66679..9df9f67cde83 100644 --- a/nixos/modules/services/networking/namecoind.nix +++ b/nixos/modules/services/networking/namecoind.nix 
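Review bot: The new unit orders itself `after = optional cfgs.namecoind.enable "namecoind.target"`, but the namecoind module in this same commit defines `systemd.services.namecoind`, and no `namecoind.target` is declared anywhere in the diff, so unless such a target exists elsewhere the ordering is against a unit that does not exist and dnschain may start before its RPC backend; `after = optional cfgs.namecoind.enable "namecoind.service";` orders against the real unit. The `username` binding added to the `let` block is used for `users.extraUsers` while `serviceConfig.User` still hard-codes `"dnschain"`; `User = username;` keeps the two from drifting apart. The `preStart` runs under that same user as far as this diff shows (no `PermissionsStartOnly`), so a one-line comment stating that `${dataDir}` must be owned by the service user for the `mkdir -p`/`ln -s` to succeed would save the next reader a check.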
@@ -3,25 +3,35 @@ with lib; let - cfg = config.services.namecoind; + cfg = config.services.namecoind; + dataDir = "/var/lib/namecoind"; + useSSL = (cfg.rpc.certificate != null) && (cfg.rpc.key != null); + useRPC = (cfg.rpc.user != null) && (cfg.rpc.password != null); - namecoinConf = - let - useSSL = (cfg.rpcCertificate != null) && (cfg.rpcKey != null); - in - pkgs.writeText "namecoin.conf" '' + listToConf = option: list: + concatMapStrings (value :"${option}=${value}\n") list; + + configFile = pkgs.writeText "namecoin.conf" ('' server=1 daemon=0 - rpcallowip=127.0.0.1 - walletpath=${cfg.wallet} - gen=${if cfg.generate then "1" else "0"} - rpcssl=${if useSSL then "1" else "0"} - ${optionalString useSSL "rpcsslcertificatechainfile=${cfg.rpcCertificate}"} - ${optionalString useSSL "rpcsslprivatekeyfile=${cfg.rpcKey}"} - ${optionalString useSSL "rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH"} txindex=1 txprevcache=1 - ''; + walletpath=${cfg.wallet} + gen=${if cfg.generate then "1" else "0"} + ${listToConf "addnode" cfg.extraNodes} + ${listToConf "connect" cfg.trustedNodes} + '' + optionalString useRPC '' + rpcbind=${cfg.rpc.address} + rpcport=${toString cfg.rpc.port} + rpcuser=${cfg.rpc.user} + rpcpassword=${cfg.rpc.password} + ${listToConf "rpcallowip" cfg.rpc.allowFrom} + '' + optionalString useSSL '' + rpcssl=1 + rpcsslcertificatechainfile=${cfg.rpc.certificate} + rpcsslprivatekeyfile=${cfg.rpc.key} + rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH + ''); in 
@@ -33,66 +43,102 @@ in services.namecoind = { - enable = mkOption { + enable = mkEnableOption "namecoind, Namecoin client."; + + wallet = mkOption { + type = types.path; + default = "${dataDir}/wallet.dat"; + description = '' + Wallet file. The ownership of the file has to be + namecoin:namecoin, and the permissions must be 0640. + ''; + }; + + generate = mkOption { type = types.bool; default = false; description = '' - Whether to run namecoind. + Whether to generate (mine) Namecoins. ''; }; - wallet = mkOption { - type = types.path; - example = "/etc/namecoin/wallet.dat"; + extraNodes = mkOption { + type = types.listOf types.str; + default = [ ]; description = '' - Wallet file. The ownership of the file has to be - namecoin:namecoin, and the permissions must be 0640. + List of additional peer IP addresses to connect to. ''; }; - userFile = mkOption { - type = types.nullOr types.path; + trustedNodes = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of the only peer IP addresses to connect to. If specified + no other connection will be made. + ''; + }; + + rpc.user = mkOption { + type = types.nullOr types.str; default = null; - example = "/etc/namecoin/user"; description = '' - File containing the user name and user password to - authenticate RPC connections to namecoind. - The content of the file is of the form: - <literal> - USER=namecoin - PASSWORD=secret - </literal> - The ownership of the file has to be namecoin:namecoin, - and the permissions must be 0640. + User name for RPC connections. ''; }; - generate = mkOption { - type = types.bool; - default = false; + rpc.password = mkOption { + type = types.str; + default = null; description = '' - Whether to generate (mine) Namecoins. + Password for RPC connections. ''; }; - rpcCertificate = mkOption { + rpc.address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + IP address the RPC server will bind to. 
+ ''; + }; + + rpc.port = mkOption { + type = types.int; + default = 8332; + description = '' + Port the RPC server will bind to. + ''; + }; + + rpc.certificate = mkOption { type = types.nullOr types.path; default = null; - example = "/etc/namecoin/server.cert"; + example = "/var/lib/namecoind/server.cert"; description = '' Certificate file for securing RPC connections. ''; }; - rpcKey = mkOption { + rpc.key = mkOption { type = types.nullOr types.path; default = null; - example = "/etc/namecoin/server.pem"; + example = "/var/lib/namecoind/server.pem"; description = '' Key file for securing RPC connections. ''; }; + + rpc.allowFrom = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" ]; + description = '' + List of IP address ranges allowed to use the RPC API. + Wiledcards (*) can be user to specify a range. + ''; + }; + }; }; 
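Review bot: `rpc.password` is declared `type = types.str` with `default = null`, which is inconsistent with `rpc.user` (`types.nullOr types.str`) and with the `useRPC` null check in the `let` block that reads it whenever the config file is evaluated; depending on whether this module-system version type-checks defaults, enabling namecoind without an RPC password either fails evaluation or works only by accident, so `type = types.nullOr types.str;` is the declaration the code actually expects. Since `configFile` is built with `pkgs.writeText`, whatever is set here ends up in a world-readable Nix store path, so the description should state that plainly, e.g. `Password for RPC connections. Note that this value is written into the world-readable Nix store.` The `rpc.allowFrom` description has typos: `Wildcards (*) can be used to specify a range.`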
@@ -102,47 +148,54 @@ in config = mkIf cfg.enable { - users.extraUsers = singleton - { name = "namecoin"; - uid = config.ids.uids.namecoin; - description = "Namecoin daemon user"; - home = "/var/lib/namecoin"; - createHome = true; - }; + services.dnschain.extraConfig = '' + [namecoin] + config = ${configFile} + ''; + + users.extraUsers = singleton { + name = "namecoin"; + uid = config.ids.uids.namecoin; + description = "Namecoin daemon user"; + home = dataDir; + createHome = true; + }; - users.extraGroups = singleton - { name = "namecoin"; - gid = config.ids.gids.namecoin; - }; + users.extraGroups = singleton { + name = "namecoin"; + gid = config.ids.gids.namecoin; + }; systemd.services.namecoind = { - description = "Namecoind Daemon"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - if [ "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \ - -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \ - -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then - echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2 - exit 1 - fi - if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \ - -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \ - -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then - echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2 - exit 1 - fi - ''; - serviceConfig = { - Type = "simple"; - User = "namecoin"; - EnvironmentFile = cfg.userFile; - ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${namecoinConf} -rpcuser=\${USER} -rpcpassword=\${PASSWORD} -printtoconsole"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; - StandardOutput = "null"; - Nice = "10"; - }; + description = "Namecoind daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + 
User = "namecoin"; + Griup = "namecoin"; + ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole"; + ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Nice = "10"; + PrivateTmp = true; + TimeoutStopSec = "60s"; + TimeoutStartSec = "2s"; + Restart = "always"; + StartLimitInterval = "120s"; + StartLimitBurst = "5"; + }; + + preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat") '' + # check wallet file permissions + if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \ + -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \ + -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then + echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2 + exit 1 + fi + ''; + }; }; diff --git a/nixos/modules/services/networking/rpcbind.nix b/nixos/modules/services/networking/rpcbind.nix index eef1e8e8cd88..cddcb09054e0 100644 --- a/nixos/modules/services/networking/rpcbind.nix +++ b/nixos/modules/services/networking/rpcbind.nix @@ -2,35 +2,6 @@ with lib; -let - - netconfigFile = { - target = "netconfig"; - source = pkgs.writeText "netconfig" '' - # - # The network configuration file. This file is currently only used in - # conjunction with the TI-RPC code in the libtirpc library. - # - # Entries consist of: - # - # <network_id> <semantics> <flags> <protofamily> <protoname> \ - # <device> <nametoaddr_libs> - # - # The <device> and <nametoaddr_libs> fields are always empty in this - # implementation. - # - udp tpi_clts v inet udp - - - tcp tpi_cots_ord v inet tcp - - - udp6 tpi_clts v inet6 udp - - - tcp6 tpi_cots_ord v inet6 tcp - - - rawip tpi_raw - inet - - - - local tpi_cots_ord - loopback - - - - unix tpi_cots_ord - loopback - - - - ''; - }; - -in - { ###### interface 
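Review bot: `Griup = "namecoin";` in serviceConfig is a typo for `Group`; systemd logs an unknown-lvalue warning and ignores the line, so namecoind runs with the user's default group rather than `namecoin`, which clashes with the namecoin:namecoin 0640 ownership the preStart check enforces on the wallet. `ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"` sends SIGKILL on every ordinary `systemctl stop`, so the daemon never gets to flush its wallet and block database; dropping ExecStop and relying on systemd's default SIGTERM together with the `TimeoutStopSec = "60s"` already set here is the safer shutdown path. The wallet permission check only runs when `cfg.wallet` differs from the default path, so a short comment stating that the default wallet is assumed to be created by the daemon under `${dataDir}` would make that intent explicit.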
@@ -58,25 +29,18 @@ in ###### implementation config = mkIf config.services.rpcbind.enable { - environment.systemPackages = [ pkgs.rpcbind ]; - environment.etc = [ netconfigFile ]; - - systemd.services.rpcbind = - { description = "ONC RPC Directory Service"; + systemd.packages = [ pkgs.rpcbind ]; - wantedBy = [ "multi-user.target" ]; - - requires = [ "basic.target" ]; - after = [ "basic.target" ]; - - unitConfig.DefaultDependencies = false; # don't stop during shutdown - - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = "@${pkgs.rpcbind}/bin/rpcbind rpcbind"; - }; + systemd.services.rpcbind = { + wantedBy = [ "multi-user.target" ]; + }; + users.extraUsers.rpc = { + group = "nogroup"; + uid = config.ids.uids.rpc; + }; }; } diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 49ba66ad50af..8bd35385739e 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -216,7 +216,7 @@ in environment.etc.fstab.text = let - fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" ]; + fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ]; skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck; in '' # This is a generated file. Do not edit! diff --git a/nixos/modules/tasks/filesystems/glusterfs.nix b/nixos/modules/tasks/filesystems/glusterfs.nix new file mode 100644 index 000000000000..e8c7fa8efbae --- /dev/null +++ b/nixos/modules/tasks/filesystems/glusterfs.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + config = mkIf (any (fs: fs == "glusterfs") config.boot.supportedFilesystems) { + + system.fsPackages = [ pkgs.glusterfs ]; + + }; +} diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix index e9a7ccc721a9..692034c0e37b 100644 --- a/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixos/modules/tasks/filesystems/nfs.nix 
@@ -24,6 +24,8 @@ let Method = nsswitch ''; + nfsConfFile = pkgs.writeText "nfs.conf" cfg.extraConfig; + cfg = config.services.nfs; in @@ -32,23 +34,12 @@ in ###### interface options = { - services.nfs = { - statdPort = mkOption { - default = null; - example = 4000; - description = '' - Use a fixed port for <command>rpc.statd</command>. This is - useful if the NFS server is behind a firewall. - ''; - }; - lockdPort = mkOption { - default = null; - example = 4001; + extraConfig = mkOption { + type = types.lines; + default = ""; description = '' - Use a fixed port for the NFS lock manager kernel module - (<literal>lockd/nlockmgr</literal>). This is useful if the - NFS server is behind a firewall. + Extra nfs-utils configuration. ''; }; }; 
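Review bot: As rendered, the second hunk removes `services.nfs = {` but keeps its closing `};` as context, which would leave `extraConfig` declared as a top-level `options.extraConfig` with one `};` too many, while nfsd.nix in this same commit assigns `services.nfs.extraConfig`; if that line is really context whose marker was lost in rendering, ignore this, otherwise `services.nfs = {` must stay so the option lives at `services.nfs.extraConfig`. The description `Extra nfs-utils configuration.` undersells what the option does, since `nfsConfFile` is the whole file; `Contents of the generated /etc/nfs.conf (nfs-utils configuration).` tells the user that other modules' sections, such as the `[nfsd]` block from nfsd.nix, are concatenated into it.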
@@ -62,69 +53,44 @@ in system.fsPackages = [ pkgs.nfs-utils ]; - boot.extraModprobeConfig = mkIf (cfg.lockdPort != null) '' - options lockd nlm_udpport=${toString cfg.lockdPort} nlm_tcpport=${toString cfg.lockdPort} - ''; - - boot.kernelModules = [ "sunrpc" ]; - boot.initrd.kernelModules = mkIf inInitrd [ "nfs" ]; - # FIXME: should use upstream units from nfs-utils. - - systemd.services.statd = - { description = "NFSv3 Network Status Monitor"; - - path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ]; + systemd.packages = [ pkgs.nfs-utils ]; + systemd.generator-packages = [ pkgs.nfs-utils ]; - wants = [ "remote-fs-pre.target" ]; - before = [ "remote-fs-pre.target" ]; - wantedBy = [ "remote-fs.target" ]; - requires = [ "basic.target" "rpcbind.service" ]; - after = [ "basic.target" "rpcbind.service" ]; - - unitConfig.DefaultDependencies = false; # don't stop during shutdown - - preStart = - '' - mkdir -p ${nfsStateDir}/sm - mkdir -p ${nfsStateDir}/sm.bak - sm-notify -d - ''; + environment.etc = { + "idmapd.conf".source = idmapdConfFile; + "nfs.conf".source = nfsConfFile; + }; - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = '' - @${pkgs.nfs-utils}/sbin/rpc.statd rpc.statd --no-notify \ - ${if cfg.statdPort != null then "-p ${toString cfg.statdPort}" else ""} - ''; - serviceConfig.Restart = "always"; + systemd.services.nfs-blkmap = + { restartTriggers = [ nfsConfFile ]; }; - systemd.services.idmapd = - { description = "NFSv4 ID Mapping Daemon"; + systemd.targets.nfs-client = + { wantedBy = [ "multi-user.target" "remote-fs.target" ]; + }; - path = [ pkgs.sysvtools pkgs.utillinux ]; + systemd.services.nfs-idmapd = + { restartTriggers = [ idmapdConfFile ]; + }; - wants = [ "remote-fs-pre.target" ]; - before = [ "remote-fs-pre.target" ]; - wantedBy = [ "remote-fs.target" ]; - requires = [ "rpcbind.service" ]; - after = [ "rpcbind.service" ]; + systemd.services.nfs-mountd = + { restartTriggers = [ nfsConfFile ]; + enable = mkDefault false; + }; - preStart = 
- '' - mkdir -p ${rpcMountpoint} - mount -t rpc_pipefs rpc_pipefs ${rpcMountpoint} - ''; + systemd.services.nfs-server = + { restartTriggers = [ nfsConfFile ]; + enable = mkDefault false; + }; - postStop = - '' - umount ${rpcMountpoint} - ''; + systemd.services.rpc-gssd = + { restartTriggers = [ nfsConfFile ]; + }; - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = "@${pkgs.nfs-utils}/sbin/rpc.idmapd rpc.idmapd -c ${idmapdConfFile}"; - serviceConfig.Restart = "always"; + systemd.services.rpc-statd = + { restartTriggers = [ nfsConfFile ]; }; }; |
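Review bot: Removing the `boot.extraModprobeConfig` that pinned `nlm_udpport`/`nlm_tcpport` on the lockd module means a fixed lock-manager port is now only emitted by the `[lockd]` section in nfsd.nix, which sits inside that module's `mkIf cfg.enable`; as far as this diff shows, a client-only host that set `services.nfs.lockdPort` for its firewall rules loses the pinning silently, because rename.nix in this commit maps the old option to `services.nfs.server.lockdPort` without any assertion or warning. If that is intended, the rename should say so in its message; otherwise keep a client-side `[lockd]` entry in this module's `extraConfig` or retain the modprobe options. The `nfs-mountd` and `nfs-server` units are set `enable = mkDefault false` here while nfsd.nix sets `enable = true` on the same units, so a comment such as `# enabled by services/network-filesystems/nfsd.nix when the server is on` would help the next reader.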