Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/lib/test-driver/Machine.pm | 30 | ||||
-rw-r--r-- | nixos/modules/misc/version.nix | 2 | ||||
-rw-r--r-- | nixos/modules/security/acme.xml | 62 | ||||
-rw-r--r-- | nixos/modules/services/networking/bind.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/ddclient.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/default.nix | 7 |
7 files changed, 66 insertions, 54 deletions
diff --git a/nixos/lib/test-driver/Machine.pm b/nixos/lib/test-driver/Machine.pm index 274b16164db3..14c39e859bc1 100644 --- a/nixos/lib/test-driver/Machine.pm +++ b/nixos/lib/test-driver/Machine.pm @@ -611,11 +611,37 @@ sub copyFileFromHost { } +my %charToKey = ( + '!' => "shift-0x02", + '@' => "shift-0x03", + '#' => "shift-0x04", + '$' => "shift-0x05", + '%' => "shift-0x06", + '^' => "shift-0x07", + '&' => "shift-0x08", + '*' => "shift-0x09", + '(' => "shift-0x0A", + ')' => "shift-0x0B", + '-' => "0x0C", '_' => "shift-0x0C", + '=' => "0x0D", '+' => "shift-0x0D", + '[' => "0x1A", '{' => "shift-0x1A", + ']' => "0x1B", '}' => "shift-0x1B", + ';' => "0x27", ':' => "shift-0x27", + '\'' => "0x28", '"' => "shift-0x28", + '`' => "0x29", '~' => "shift-0x29", + '\\' => "0x2B", '|' => "shift-0x2B", + ',' => "0x33", '<' => "shift-0x33", + '.' => "0x34", '>' => "shift-0x34", + '/' => "0x35", '?' => "shift-0x35", + ' ' => "spc", + "\n" => "ret", +); + + sub sendKeys { my ($self, @keys) = @_; foreach my $key (@keys) { - $key = "spc" if $key eq " "; - $key = "ret" if $key eq "\n"; + $key = $charToKey{$key} if exists $charToKey{$key}; $self->sendMonitorCommand("sendkey $key"); } } diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index ec423768296a..70cd3fb9766a 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -99,7 +99,7 @@ in }; # Generate /etc/os-release. See - # http://0pointer.de/public/systemd-man/os-release.html for the + # https://www.freedesktop.org/software/systemd/man/os-release.html for the # format. environment.etc."os-release".text = '' diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index 6fddb27e6a34..823806f4641b 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml 
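Review bot: The new `%charToKey` table in Machine.pm covers punctuation, space and newline but not uppercase letters or tab, so on the lookup line in `sendKeys` a key such as `A` is still sent as `sendkey A`. As far as I know QEMU key names are lowercase, so this presumably needs a shifted form, for example `$key = "shift-" . lc($key) if $key =~ /\A[A-Z]\z/;` ahead of the table lookup. The table also deserves a header comment such as `# Maps characters to QEMU sendkey names; the hex values are raw key codes and assume a US keyboard layout.` Any string not in the table is still interpolated verbatim into the monitor command, which is what multi-key names like `ctrl-alt-delete` rely on, and the comment should say so.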
@@ -67,52 +67,30 @@ options for the <literal>security.acme</literal> module.</para> </section> <section><title>Using ACME certificates in Nginx</title> -<para>In practice ACME is mostly used for retrieval and renewal of - certificates that will be used in a webserver like Nginx. A configuration for - Nginx that uses the certificates from ACME for - <literal>foo.example.com</literal> will look similar to: +<para>NixOS supports fetching ACME certificates for you by setting +<literal>enableACME = true;</literal> in a virtualHost config. We +first create self-signed placeholder certificates in place of the +real ACME certs. The placeholder certs are overwritten when the ACME +certs arrive. For <literal>foo.example.com</literal> the config would +look like. </para> <programlisting> -security.acme.certs."foo.example.com" = { - webroot = config.security.acme.directory + "/acme-challenge"; - email = "foo@example.com"; - user = "nginx"; - group = "nginx"; - postRun = "systemctl restart nginx.service"; -}; -services.nginx.httpConfig = '' - server { - server_name foo.example.com; - listen 80; - listen [::]:80; - - location /.well-known/acme-challenge { - root /var/www/challenges; - } - - location / { - return 301 https://$host$request_uri; - } - } - - server { - server_name foo.example.com; - listen 443 ssl; - ssl_certificate ${config.security.acme.directory}/foo.example.com/fullchain.pem; - ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem; - root /var/www/foo.example.com/; - } -''; +services.nginx = { + enable = true; + virtualHosts = { + "foo.example.com" = { + forceSSL = true; + enableACME = true; + locations."/" = { + root = "/var/www"; + }; + }; + }; +} </programlisting> -<para>Now Nginx will try to use the certificates that will be retrieved by ACME. - ACME needs Nginx (or any other webserver) to function and Nginx needs - the certificates to actually start. 
For this reason the ACME module - automatically generates self-signed certificates that will be used by Nginx to - start. After that Nginx is used by ACME to retrieve the actual ACME - certificates. <literal>security.acme.preliminarySelfsigned</literal> can be - used to control whether to generate the self-signed certificates. -</para> +<para>At the moment you still have to restart Nginx after the ACME +certs arrive.</para> </section> </chapter> diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index 72110e625766..0272b6ceff20 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -155,7 +155,7 @@ in chown ${bindUser} /var/run/named ''; - script = "${pkgs.bind.bin}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; + script = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; unitConfig.Documentation = "man:named(8)"; }; }; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index 5050ecbd7492..d1900deceaf6 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -120,7 +120,7 @@ in }; environment.etc."ddclient.conf" = { - enable = config.services.ddclient.configFile == /etc/ddclient.conf; + enable = config.services.ddclient.configFile == "/etc/ddclient.conf"; uid = config.ids.uids.ddclient; mode = "0600"; text = '' diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 5657b91c1e72..c91ba91fcb4d 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix 
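Review bot: In the ddclient.nix hunk, the new comparison `config.services.ddclient.configFile == "/etc/ddclient.conf"` only holds when the option value is a string. A Nix path never compares equal to a string, so a user who writes `configFile = /etc/ddclient.conf;` would silently get no generated file. The option declaration is outside this hunk; if its type accepts paths, compare the string form instead: `enable = toString config.services.ddclient.configFile == "/etc/ddclient.conf";`. Because this entry is written with mode `0600` and presumably carries the account credentials, a one-line comment explaining why generation is conditional would help the next reader.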
@@ -12,11 +12,13 @@ let psk = if networkConfig.psk != null then ''"${networkConfig.psk}"'' else networkConfig.pskRaw; + priority = networkConfig.priority; in '' network={ ssid="${ssid}" ${optionalString (psk != null) ''psk=${psk}''} ${optionalString (psk == null) ''key_mgmt=NONE''} + ${optionalString (priority != null) ''priority=${toString priority}''} } '') cfg.networks)} '' else "/etc/wpa_supplicant.conf"; @@ -68,6 +70,19 @@ in { Mutually exclusive with <varname>psk</varname>. ''; }; + priority = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + By default, all networks will get same priority group (0). If some of the + networks are more desirable, this field can be used to change the order in + which wpa_supplicant goes through the networks when selecting a BSS. The + priority groups will be iterated in decreasing priority (i.e., the larger the + priority value, the sooner the network is matched against the scan results). + Within each priority group, networks will be selected based on security + policy, signal strength, etc. + ''; + }; }; }); description = '' diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 84c608ca2ab1..dc0ca501a484 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -709,13 +709,6 @@ in ''} mkdir -m 0700 -p ${mainCfg.logDir} - ${optionalString (mainCfg.documentRoot != null) - '' - # Create the document root directory if does not exists yet - mkdir -p ${mainCfg.documentRoot} - '' - } - # Get rid of old semaphores. These tend to accumulate across # server restarts, eventually preventing it from restarting # successfully. |