Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1909.xml | 27 | ||||
-rw-r--r-- | nixos/modules/programs/zsh/zsh.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnschain.nix | 14 | ||||
-rw-r--r-- | nixos/modules/services/networking/pdns-recursor.nix | 83 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/matomo.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 6 | ||||
-rw-r--r-- | nixos/tests/systemd.nix | 7 |
7 files changed, 106 insertions, 34 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index b02d99438de0..6493bb995967 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -284,6 +284,13 @@ Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4. </para> </listitem> + <listitem> + <para> + The <option>services.pdns-recursor.extraConfig</option> option has been replaced by + <option>services.pdns-recursor.settings</option>. The new option allows setting extra + configuration while being better type-checked and mergeable. + </para> + </listitem> </itemizedlist> </section> @@ -506,12 +513,20 @@ been removed. </para> </listitem> - <listitem> - <para> - The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer. - Use <literal>rspamd</literal> in proxy mode instead. - </para> - </listitem> + <listitem> + <para> + The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer. + Use <literal>rspamd</literal> in proxy mode instead. + </para> + </listitem> + <listitem> + <para> + systemd cgroup accounting via the + <link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link> + option is now enabled by default. It now also enables the more recent Block IO and IP accounting + features. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 27f4166e1005..6e9eefd74d18 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -214,7 +214,6 @@ in # Need to disable features to support TRAMP if [ "$TERM" = dumb ]; then unsetopt zle prompt_cr prompt_subst - unfunction precmd preexec unset RPS1 RPROMPT PS1='$ ' PROMPT='$ ' 
diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix index 0c2add424bac..5b58ea9b0c91 100644 --- a/nixos/modules/services/networking/dnschain.nix +++ b/nixos/modules/services/networking/dnschain.nix @@ -136,10 +136,16 @@ in "/.dns/127.0.0.1#${toString cfg.dns.port}" ]; - services.pdns-recursor.forwardZones = mkIf cfgs.pdns-recursor.resolveDNSChainQueries - { bit = "127.0.0.1:${toString cfg.dns.port}"; - dns = "127.0.0.1:${toString cfg.dns.port}"; - }; + services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries { + forwardZones = + { bit = "127.0.0.1:${toString cfg.dns.port}"; + dns = "127.0.0.1:${toString cfg.dns.port}"; + }; + luaConfig ='' + addNTA("bit", "namecoin doesn't support DNSSEC") + addNTA("dns", "namecoin doesn't support DNSSEC") + ''; + }; users.users = singleton { name = username; diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index d07deb9dcc67..ec69cc838da9 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix 
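Review bot: The two `addNTA` lines in the new `luaConfig` install negative trust anchors, which means answers for the forwarded `bit.` and `dns.` zones are accepted without DNSSEC validation, and nothing in the module says so; a reader sees only the reason string passed to pdns-recursor. Add a comment above the assignment such as `# Negative trust anchors: the forwarded bit./dns. zones are served by dnschain and are not DNSSEC-validated`. The anchors are added whenever `resolveDNSChainQueries` is set, independent of the recursor's `dnssecValidation` setting, which is harmless when validation is off but is worth stating in that comment. The enclosing `config` attribute set starts before and ends after this hunk.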
@@ -6,25 +6,27 @@ let dataDir = "/var/lib/pdns-recursor"; username = "pdns-recursor"; - cfg = config.services.pdns-recursor; - zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + cfg = config.services.pdns-recursor; - configFile = pkgs.writeText "recursor.conf" '' - local-address=${cfg.dns.address} - local-port=${toString cfg.dns.port} - allow-from=${concatStringsSep "," cfg.dns.allowFrom} + oneOrMore = type: with types; either type (listOf type); + valueType = with types; oneOf [ int str bool path ]; + configType = with types; attrsOf (nullOr (oneOrMore valueType)); - webserver-address=${cfg.api.address} - webserver-port=${toString cfg.api.port} - webserver-allow-from=${concatStringsSep "," cfg.api.allowFrom} + toBool = val: if val then "yes" else "no"; + serialize = val: with types; + if str.check val then val + else if int.check val then toString val + else if path.check val then toString val + else if bool.check val then toBool val + else if builtins.isList val then (concatMapStringsSep "," serialize val) + else ""; - forward-zones=${concatStringsSep "," zones} - export-etc-hosts=${if cfg.exportHosts then "yes" else "no"} - dnssec=${cfg.dnssecValidation} - serve-rfc1918=${if cfg.serveRFC1918 then "yes" else "no"} + configFile = pkgs.writeText "recursor.conf" + (concatStringsSep "\n" + (flip mapAttrsToList cfg.settings + (name: val: "${name}=${serialize val}"))); - ${cfg.extraConfig} - ''; + mkDefaultAttrs = mapAttrs (n: v: mkDefault v); in { options.services.pdns-recursor = { 
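Review bot: `serialize` has no branch for `null` although `configType` admits it through `nullOr`, so a setting assigned `null` falls through to the final `else ""` and is written to recursor.conf as `name=` rather than being left out; for a key where an empty value does not mean "unset" that is a different configuration from the one the user asked for. Filter nulls before rendering, e.g. `(flip mapAttrsToList (filterAttrs (_: v: v != null) cfg.settings)`, assuming `filterAttrs` is in scope the same way `mapAttrsToList` and `concatStringsSep` are. The same `else ""` also hides any value the checks do not recognise; since the option type already rejects those, a `throw` naming the key would be a clearer failure than a silently empty line. `serialize` performs no escaping, so a string value containing a newline becomes an additional key line in the file; the values come from the system configuration rather than from an untrusted source, so a short comment recording that assumption is enough.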
@@ -117,17 +119,55 @@ in { ''; }; - extraConfig = mkOption { + settings = mkOption { + type = configType; + default = { }; + example = literalExample '' + { + loglevel = 8; + log-common-errors = true; + } + ''; + description = '' + PowerDNS Recursor settings. Use this option to configure Recursor + settings not exposed in a NixOS option or to bypass one. + See the full documentation at + <link xlink:href="https://doc.powerdns.com/recursor/settings.html"/> + for the available options. + ''; + }; + + luaConfig = mkOption { type = types.lines; default = ""; description = '' - Extra options to be appended to the configuration file. + The content Lua configuration file for PowerDNS Recursor. See + <link xlink:href="https://doc.powerdns.com/recursor/lua-config/index.html"/>. ''; }; }; config = mkIf cfg.enable { + services.pdns-recursor.settings = mkDefaultAttrs { + local-address = cfg.dns.address; + local-port = cfg.dns.port; + allow-from = cfg.dns.allowFrom; + + webserver-address = cfg.api.address; + webserver-port = cfg.api.port; + webserver-allow-from = cfg.api.allowFrom; + + forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + export-etc-hosts = cfg.exportHosts; + dnssec = cfg.dnssecValidation; + serve-rfc1918 = cfg.serveRFC1918; + lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig; + + log-timestamp = false; + disable-syslog = true; + }; + users.users."${username}" = { home = dataDir; createHome = true; @@ -150,8 +190,7 @@ in { AmbientCapabilities = "cap_net_bind_service"; ExecStart = ''${pkgs.pdns-recursor}/bin/pdns_recursor \ --config-dir=${dataDir} \ - --socket-dir=${dataDir} \ - --disable-syslog + --socket-dir=${dataDir} ''; }; @@ -165,4 +204,10 @@ in { ''; }; }; + + imports = [ + (mkRemovedOptionModule [ "services" "pdns-recursor" "extraConfig" ] + "To change extra Recursor settings use services.pdns-recursor.settings instead.") + ]; + } 
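Review bot: The `luaConfig` description is missing a word: "The content Lua configuration file for PowerDNS Recursor" should read `The content of the Lua configuration file for PowerDNS Recursor.` The `settings` description says a key given there can "bypass" a NixOS option, but the mechanism — the option-derived values are applied with `mkDefault` via `mkDefaultAttrs`, so a plain assignment in `settings` wins without a priority conflict — is not stated; a sentence such as `Values derived from the other options of this module are set with mkDefault, so a key set here takes precedence over them.` would make that contract explicit. Note also that `lua-config-file` is always rendered, pointing at an empty file when `luaConfig` is `""`; that appears harmless but deserves a one-line comment so nobody tries to detect "no Lua config" from the generated recursor.conf.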
diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index bf8b9dbcc216..d9f840408cc8 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -176,7 +176,7 @@ in { # Use User-Private Group scheme to protect Matomo data, but allow administration / backup via 'matomo' group # Copy config folder chmod g+s "${dataDir}" - cp -r "${cfg.package}/config" "${dataDir}/" + cp -r "${cfg.package}/share/config" "${dataDir}/" chmod -R u+rwX,g+rwX,o-rwx "${dataDir}" # check whether user setup has already been done diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 23a2dd45d492..2a0360b12cbc 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -537,7 +537,7 @@ in }; systemd.enableCgroupAccounting = mkOption { - default = false; + default = true; type = types.bool; description = '' Whether to enable cgroup accounting. @@ -804,10 +804,10 @@ in [Manager] ${optionalString config.systemd.enableCgroupAccounting '' DefaultCPUAccounting=yes + DefaultBlockIOAccounting=yes DefaultIOAccounting=yes DefaultBlockIOAccounting=yes - DefaultMemoryAccounting=yes - DefaultTasksAccounting=yes + DefaultIPAccounting=yes ''} DefaultLimitCORE=infinity ${config.systemd.extraConfig} diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index 3168c026d514..1c201e3b5dcc 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix 
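Review bot: In the systemd.nix `[Manager]` hunk, `DefaultBlockIOAccounting=yes` is both an added line directly after `DefaultCPUAccounting=yes` and a retained context line two lines further down, so, as the hunk reads (line markers are partly collapsed here, so this should be confirmed against the patched file), the generated system.conf would carry the key twice; drop the added copy. The hunk also removes `DefaultMemoryAccounting=yes` and `DefaultTasksAccounting=yes`, which the release note does not mention; if the intent is to rely on systemd's own defaults for those, say so in a comment next to the block, e.g. `# Memory and task accounting are left to systemd's defaults`. The `enableCgroupAccounting` option description should likewise list what the option now turns on (CPU, IO, block IO and IP accounting) so that it matches the release-notes entry.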
@@ -89,5 +89,12 @@ import ./make-test.nix ({ pkgs, ... }: { $machine->waitForUnit('multi-user.target'); $machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"'); }; + + # Test cgroup accounting is enabled + subtest "systemd cgroup accounting is enabled", sub { + $machine->waitForUnit('multi-user.target'); + $machine->succeed('systemctl show testservice1.service -p IOAccounting | grep -q "yes"'); + $machine->succeed('systemctl status testservice1.service | grep -q "CPU:"'); + }; ''; }) |
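Review bot: The new subtest checks `IOAccounting` and looks for a `CPU:` line in `systemctl status`, but does not exercise the IP accounting the same change enables, which is the part most likely to be missing on a given kernel or cgroup setup; add `$machine->succeed('systemctl show testservice1.service -p IPAccounting | grep -q "yes"');` alongside the existing `show` call. The `status | grep -q "CPU:"` assertion depends on the unit having consumed CPU time at the point the test runs and on the status output format, so it is the weaker of the two checks; a comment noting that it is intentionally a smoke test would help the next person who sees it flake. `testservice1.service` is defined outside this hunk, and the surrounding test-script string starts before and ends after it.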