Diffstat (limited to 'nixos')
98 files changed, 2421 insertions, 669 deletions
diff --git a/nixos/doc/manual/Makefile b/nixos/doc/manual/Makefile index 2e2322d5fb51..5cbbf140869a 100644 --- a/nixos/doc/manual/Makefile +++ b/nixos/doc/manual/Makefile @@ -14,6 +14,11 @@ format: find . -iname '*.xml' -type f -print0 | xargs -0 -I{} -n1 \ xmlformat --config-file "../xmlformat.conf" -i {} +.PHONY: fix-misc-xml +fix-misc-xml: + find . -iname '*.xml' -type f \ + -exec ../varlistentry-fixer.rb {} ';' + .PHONY: clean clean: rm -f manual-combined.xml generated diff --git a/nixos/doc/manual/administration/boot-problems.xml b/nixos/doc/manual/administration/boot-problems.xml index 5f05ad261ef3..de3d8ac21aeb 100644 --- a/nixos/doc/manual/administration/boot-problems.xml +++ b/nixos/doc/manual/administration/boot-problems.xml @@ -14,7 +14,8 @@ NixOS boot scripts or by systemd: <variablelist> <varlistentry> - <term><literal>boot.shell_on_fail</literal> + <term> + <literal>boot.shell_on_fail</literal> </term> <listitem> <para> @@ -25,7 +26,8 @@ </listitem> </varlistentry> <varlistentry> - <term><literal>boot.debug1</literal> + <term> + <literal>boot.debug1</literal> </term> <listitem> <para> @@ -37,7 +39,8 @@ </listitem> </varlistentry> <varlistentry> - <term><literal>boot.trace</literal> + <term> + <literal>boot.trace</literal> </term> <listitem> <para> @@ -46,7 +49,8 @@ </listitem> </varlistentry> <varlistentry> - <term><literal>single</literal> + <term> + <literal>single</literal> </term> <listitem> <para> @@ -59,7 +63,8 @@ </listitem> </varlistentry> <varlistentry> - <term><literal>systemd.log_level=debug systemd.log_target=console</literal> + <term> + <literal>systemd.log_level=debug systemd.log_target=console</literal> </term> <listitem> <para> diff --git a/nixos/doc/manual/configuration/config-file.xml b/nixos/doc/manual/configuration/config-file.xml index a9420b3fc921..8a1a39c98c10 100644 --- a/nixos/doc/manual/configuration/config-file.xml +++ b/nixos/doc/manual/configuration/config-file.xml 
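Review bot: The new `fix-misc-xml` target carries no comment saying what the fixer rewrites or when it should be run; judging from the XML changes in the same commit it appears to reflow `<term>`/`<arg>` children onto their own lines, so a line such as `# Reflow <term>/<arg> children onto separate lines (see ../varlistentry-fixer.rb); re-run after editing varlistentries` above the target would tell the next editor whether it is a one-off or part of the normal workflow. The sibling `format` target selects the same files with `-print0 | xargs -0`; using that idiom here as well, or factoring `find . -iname '*.xml' -type f` into a variable shared by both targets, would keep them consistent. The target also relies on the script's executable bit and shebang, which `-exec ruby ../varlistentry-fixer.rb {} ';'` would avoid, though the script itself is not visible here.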
@@ -80,7 +80,9 @@ The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is no Options have various types of values. The most important are: <variablelist> <varlistentry> - <term>Strings</term> + <term> + Strings + </term> <listitem> <para> Strings are enclosed in double quotes, e.g. @@ -112,7 +114,9 @@ The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is no </listitem> </varlistentry> <varlistentry> - <term>Booleans</term> + <term> + Booleans + </term> <listitem> <para> These can be <literal>true</literal> or <literal>false</literal>, e.g. @@ -124,7 +128,9 @@ The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is no </listitem> </varlistentry> <varlistentry> - <term>Integers</term> + <term> + Integers + </term> <listitem> <para> For example, @@ -141,7 +147,9 @@ The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is no </listitem> </varlistentry> <varlistentry> - <term>Sets</term> + <term> + Sets + </term> <listitem> <para> Sets were introduced above. They are name/value pairs enclosed in braces, @@ -157,7 +165,9 @@ The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is no </listitem> </varlistentry> <varlistentry> - <term>Lists</term> + <term> + Lists + </term> <listitem> <para> The important thing to note about lists is that list elements are @@ -173,7 +183,9 @@ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; </listitem> </varlistentry> <varlistentry> - <term>Packages</term> + <term> + Packages + </term> <listitem> <para> Usually, the packages you need are already part of the Nix Packages diff --git a/nixos/doc/manual/configuration/linux-kernel.xml b/nixos/doc/manual/configuration/linux-kernel.xml index 6502aaec83e5..f4d697c42dbd 100644 --- a/nixos/doc/manual/configuration/linux-kernel.xml +++ b/nixos/doc/manual/configuration/linux-kernel.xml 
@@ -67,6 +67,57 @@ nixpkgs.config.packageOverrides = pkgs: parameters, run <command>sysctl -a</command>. </para> <section> + <title>Customize your kernel</title> + + <para> + The first step before compiling the kernel is to generate an appropriate + <literal>.config</literal> configuration. Either you pass your own config via + the <literal>configfile</literal> setting of <literal>linuxManualConfig</literal>: + <screen><![CDATA[ + custom-kernel = super.linuxManualConfig { + inherit (super) stdenv hostPlatform; + inherit (linux_4_9) src; + version = "${linux_4_9.version}-custom"; + + configfile = /home/me/my_kernel_config; + allowImportFromDerivation = true; + }; + ]]></screen> + +You can edit the config with this snippet (by default <command>make menuconfig</command> won't work + out of the box on nixos): + <screen><![CDATA[ + nix-shell -E 'with import <nixpkgs> {}; kernelToOverride.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkgconfig ncurses ];})' + ]]></screen> + + + or you can let nixpkgs generate the configuration. + Nixpkgs generates it via answering the interactive kernel utility <command>make config</command>. + The answers depend on parameters passed to <filename>pkgs/os-specific/linux/kernel/generic.nix</filename> + (which you can influence by overriding <literal>extraConfig, autoModules, modDirVersion, preferBuiltin, extraConfig</literal>). +<screen><![CDATA[ + + mptcp93.override ({ + name="mptcp-local"; + + ignoreConfigErrors = true; + autoModules = false; + kernelPreferBuiltin = true; + + enableParallelBuilding = true; + + extraConfig = '' + DEBUG_KERNEL y + FRAME_POINTER y + KGDB y + KGDB_SERIAL_CONSOLE y + DEBUG_INFO y + ''; + }); + ]]></screen> + </para> + </section> + <section> <title>Developing kernel modules</title> <para> diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index 2c6309474b37..fef6b2f86c85 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix 
@@ -31,11 +31,12 @@ let else p; describe = args: let + title = args.title or null; name = args.name or (lib.concatStringsSep "." args.path); path = args.path or [ args.name ]; package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs); in "<listitem>" - + "<para><literal>pkgs.${name} (${package.meta.name})</literal>" + + "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>" + lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>" + ": ${package.meta.description or "???"}.</para>" + lib.optionalString (args ? comment) "\n<para>${args.comment}</para>" @@ -51,7 +52,7 @@ let // lib.optionalAttrs (opt ? example) { example = substFunction opt.example; } // lib.optionalAttrs (opt ? default) { default = substFunction opt.default; } // lib.optionalAttrs (opt ? type) { type = substFunction opt.type; } - // lib.optionalAttrs (opt ? relatedPackages) { relatedPackages = genRelatedPackages opt.relatedPackages; }); + // lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; }); # We need to strip references to /nix/store/* from options, # including any `extraSources` if some modules came from elsewhere, diff --git a/nixos/doc/manual/development/building-parts.xml b/nixos/doc/manual/development/building-parts.xml index 031048aaa377..eaffc0ef47c2 100644 --- a/nixos/doc/manual/development/building-parts.xml +++ b/nixos/doc/manual/development/building-parts.xml @@ -15,7 +15,8 @@ $ nix-build -A config.<replaceable>option</replaceable></screen> include: <variablelist> <varlistentry> - <term><varname>system.build.toplevel</varname> + <term> + <varname>system.build.toplevel</varname> </term> <listitem> <para> 
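Review bot: `title` is interpolated straight into the `<literal>` element on the changed `<para>` line without XML escaping, so a title containing `&` or `<` produces malformed DocBook; if `lib.escapeXML` is available in this nixpkgs revision (I cannot confirm that from the hunk) wrap it as `${lib.escapeXML title} aka `, otherwise document that `title` must be plain text. The pre-existing `name` and `description` interpolations have the same property, so this follows house style, but the new attribute deserves a comment on its declaration line, e.g. `title = args.title or null; # optional human-readable name shown before pkgs.<name>`. The enclosing `describe` function begins and ends outside the hunk.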
@@ -32,7 +33,8 @@ $ nix-build -A system</screen> </listitem> </varlistentry> <varlistentry> - <term><varname>system.build.manual.manual</varname> + <term> + <varname>system.build.manual.manual</varname> </term> <listitem> <para> @@ -41,7 +43,8 @@ $ nix-build -A system</screen> </listitem> </varlistentry> <varlistentry> - <term><varname>system.build.etc</varname> + <term> + <varname>system.build.etc</varname> </term> <listitem> <para> @@ -51,9 +54,11 @@ $ nix-build -A system</screen> </listitem> </varlistentry> <varlistentry> - <term><varname>system.build.initialRamdisk</varname> + <term> + <varname>system.build.initialRamdisk</varname> </term> - <term><varname>system.build.kernel</varname> + <term> + <varname>system.build.kernel</varname> </term> <listitem> <para> @@ -69,11 +74,14 @@ $ qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/ </listitem> </varlistentry> <varlistentry> - <term><varname>system.build.nixos-rebuild</varname> + <term> + <varname>system.build.nixos-rebuild</varname> </term> - <term><varname>system.build.nixos-install</varname> + <term> + <varname>system.build.nixos-install</varname> </term> - <term><varname>system.build.nixos-generate-config</varname> + <term> + <varname>system.build.nixos-generate-config</varname> </term> <listitem> <para> @@ -82,7 +90,8 @@ $ qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/ </listitem> </varlistentry> <varlistentry> - <term><varname>systemd.units.<replaceable>unit-name</replaceable>.unit</varname> + <term> + <varname>systemd.units.<replaceable>unit-name</replaceable>.unit</varname> </term> <listitem> <para> diff --git a/nixos/doc/manual/development/option-declarations.xml b/nixos/doc/manual/development/option-declarations.xml index a8f528a0a804..eee81bf64263 100644 --- a/nixos/doc/manual/development/option-declarations.xml +++ b/nixos/doc/manual/development/option-declarations.xml 
@@ -32,7 +32,8 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming"> The function <varname>mkOption</varname> accepts the following arguments. <variablelist> <varlistentry> - <term><varname>type</varname> + <term> + <varname>type</varname> </term> <listitem> <para> @@ -43,7 +44,8 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming"> </listitem> </varlistentry> <varlistentry> - <term><varname>default</varname> + <term> + <varname>default</varname> </term> <listitem> <para> @@ -55,7 +57,8 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming"> </listitem> </varlistentry> <varlistentry> - <term><varname>example</varname> + <term> + <varname>example</varname> </term> <listitem> <para> @@ -64,7 +67,8 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming"> </listitem> </varlistentry> <varlistentry> - <term><varname>description</varname> + <term> + <varname>description</varname> </term> <listitem> <para> diff --git a/nixos/doc/manual/development/option-types.xml b/nixos/doc/manual/development/option-types.xml index 5cb747e6d9f1..47dd09158e91 100644 --- a/nixos/doc/manual/development/option-types.xml +++ b/nixos/doc/manual/development/option-types.xml @@ -22,7 +22,8 @@ <variablelist> <varlistentry> - <term><varname>types.attrs</varname> + <term> + <varname>types.attrs</varname> </term> <listitem> <para> @@ -31,7 +32,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.bool</varname> + <term> + <varname>types.bool</varname> </term> <listitem> <para> @@ -41,7 +43,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.path</varname> + <term> + <varname>types.path</varname> </term> <listitem> <para> @@ -52,7 +55,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.package</varname> + <term> + <varname>types.package</varname> </term> <listitem> <para> 
@@ -68,7 +72,8 @@ <variablelist> <varlistentry> - <term><varname>types.int</varname> + <term> + <varname>types.int</varname> </term> <listitem> <para> @@ -77,7 +82,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.ints.{s8, s16, s32}</varname> + <term> + <varname>types.ints.{s8, s16, s32}</varname> </term> <listitem> <para> @@ -91,7 +97,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.ints.unsigned</varname> + <term> + <varname>types.ints.unsigned</varname> </term> <listitem> <para> @@ -100,7 +107,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.ints.{u8, u16, u32}</varname> + <term> + <varname>types.ints.{u8, u16, u32}</varname> </term> <listitem> <para> @@ -114,7 +122,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.ints.positive</varname> + <term> + <varname>types.ints.positive</varname> </term> <listitem> <para> @@ -130,7 +139,8 @@ <variablelist> <varlistentry> - <term><varname>types.str</varname> + <term> + <varname>types.str</varname> </term> <listitem> <para> @@ -139,7 +149,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.lines</varname> + <term> + <varname>types.lines</varname> </term> <listitem> <para> @@ -149,7 +160,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.commas</varname> + <term> + <varname>types.commas</varname> </term> <listitem> <para> @@ -159,7 +171,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.envVar</varname> + <term> + <varname>types.envVar</varname> </term> <listitem> <para> @@ -169,7 +182,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.strMatching</varname> + <term> + <varname>types.strMatching</varname> </term> <listitem> <para> @@ -191,7 +205,8 @@ <variablelist> <varlistentry> - <term><varname>types.enum</varname><replaceable>l</replaceable> + <term> + <varname>types.enum</varname> <replaceable>l</replaceable> </term> <listitem> <para> 
@@ -202,7 +217,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.separatedString</varname><replaceable>sep</replaceable> + <term> + <varname>types.separatedString</varname> <replaceable>sep</replaceable> </term> <listitem> <para> @@ -212,7 +228,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.ints.between</varname><replaceable>lowest</replaceable><replaceable>highest</replaceable> + <term> + <varname>types.ints.between</varname> <replaceable>lowest</replaceable> <replaceable>highest</replaceable> </term> <listitem> <para> @@ -223,7 +240,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.submodule</varname><replaceable>o</replaceable> + <term> + <varname>types.submodule</varname> <replaceable>o</replaceable> </term> <listitem> <para> @@ -250,7 +268,8 @@ <variablelist> <varlistentry> - <term><varname>types.listOf</varname><replaceable>t</replaceable> + <term> + <varname>types.listOf</varname> <replaceable>t</replaceable> </term> <listitem> <para> @@ -260,7 +279,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.attrsOf</varname><replaceable>t</replaceable> + <term> + <varname>types.attrsOf</varname> <replaceable>t</replaceable> </term> <listitem> <para> @@ -271,7 +291,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.loaOf</varname><replaceable>t</replaceable> + <term> + <varname>types.loaOf</varname> <replaceable>t</replaceable> </term> <listitem> <para> @@ -281,7 +302,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.nullOr</varname><replaceable>t</replaceable> + <term> + <varname>types.nullOr</varname> <replaceable>t</replaceable> </term> <listitem> <para> @@ -291,7 +313,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.uniq</varname><replaceable>t</replaceable> + <term> + <varname>types.uniq</varname> <replaceable>t</replaceable> </term> <listitem> <para> 
@@ -301,7 +324,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.either</varname><replaceable>t1</replaceable><replaceable>t2</replaceable> + <term> + <varname>types.either</varname> <replaceable>t1</replaceable> <replaceable>t2</replaceable> </term> <listitem> <para> @@ -312,7 +336,8 @@ </listitem> </varlistentry> <varlistentry> - <term><varname>types.coercedTo</varname><replaceable>from</replaceable><replaceable>f</replaceable><replaceable>to</replaceable> + <term> + <varname>types.coercedTo</varname> <replaceable>from</replaceable> <replaceable>f</replaceable> <replaceable>to</replaceable> </term> <listitem> <para> @@ -468,7 +493,8 @@ config.mod.two = { foo = 2; bar = "two"; };</screen> <variablelist> <varlistentry> - <term><varname>check</varname> + <term> + <varname>check</varname> </term> <listitem> <para> @@ -501,7 +527,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>merge</varname> + <term> + <varname>merge</varname> </term> <listitem> <para> @@ -534,7 +561,8 @@ nixThings = mkOption { <variablelist> <varlistentry> - <term><varname>name</varname> + <term> + <varname>name</varname> </term> <listitem> <para> @@ -543,7 +571,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>definition</varname> + <term> + <varname>definition</varname> </term> <listitem> <para> @@ -553,7 +582,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>check</varname> + <term> + <varname>check</varname> </term> <listitem> <para> @@ -565,7 +595,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>merge</varname> + <term> + <varname>merge</varname> </term> <listitem> <para> @@ -573,7 +604,8 @@ nixThings = mkOption { </para> <variablelist> <varlistentry> - <term><replaceable>loc</replaceable> + <term> + <replaceable>loc</replaceable> </term> <listitem> <para> 
@@ -583,7 +615,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><replaceable>defs</replaceable> + <term> + <replaceable>defs</replaceable> </term> <listitem> <para> @@ -600,7 +633,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>getSubOptions</varname> + <term> + <varname>getSubOptions</varname> </term> <listitem> <para> @@ -615,7 +649,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>getSubModules</varname> + <term> + <varname>getSubModules</varname> </term> <listitem> <para> @@ -628,7 +663,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>substSubModules</varname> + <term> + <varname>substSubModules</varname> </term> <listitem> <para> @@ -644,7 +680,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>typeMerge</varname> + <term> + <varname>typeMerge</varname> </term> <listitem> <para> @@ -654,7 +691,8 @@ nixThings = mkOption { </para> <variablelist> <varlistentry> - <term><replaceable>f</replaceable> + <term> + <replaceable>f</replaceable> </term> <listitem> <para> @@ -670,7 +708,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>functor</varname> + <term> + <varname>functor</varname> </term> <listitem> <para> @@ -679,7 +718,8 @@ nixThings = mkOption { </para> <variablelist> <varlistentry> - <term><varname>type</varname> + <term> + <varname>type</varname> </term> <listitem> <para> @@ -688,7 +728,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>wrapped</varname> + <term> + <varname>wrapped</varname> </term> <listitem> <para> @@ -697,7 +738,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>payload</varname> + <term> + <varname>payload</varname> </term> <listitem> <para> 
@@ -709,7 +751,8 @@ nixThings = mkOption { </listitem> </varlistentry> <varlistentry> - <term><varname>binOp</varname> + <term> + <varname>binOp</varname> </term> <listitem> <para> diff --git a/nixos/doc/manual/development/writing-nixos-tests.xml b/nixos/doc/manual/development/writing-nixos-tests.xml index 89a6a4423627..5935fbc049bd 100644 --- a/nixos/doc/manual/development/writing-nixos-tests.xml +++ b/nixos/doc/manual/development/writing-nixos-tests.xml @@ -54,7 +54,8 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nfs.nix">nf <!-- FIXME: would be nice to generate this automatically. --> <variablelist> <varlistentry> - <term><option>virtualisation.memorySize</option> + <term> + <option>virtualisation.memorySize</option> </term> <listitem> <para> @@ -63,7 +64,8 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nfs.nix">nf </listitem> </varlistentry> <varlistentry> - <term><option>virtualisation.vlans</option> + <term> + <option>virtualisation.vlans</option> </term> <listitem> <para> @@ -75,7 +77,8 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nfs.nix">nf </listitem> </varlistentry> <varlistentry> - <term><option>virtualisation.writableStore</option> + <term> + <option>virtualisation.writableStore</option> </term> <listitem> <para> @@ -120,7 +123,8 @@ startAll; The following methods are available on machine objects: <variablelist> <varlistentry> - <term><methodname>start</methodname> + <term> + <methodname>start</methodname> </term> <listitem> <para> @@ -130,7 +134,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>shutdown</methodname> + <term> + <methodname>shutdown</methodname> </term> <listitem> <para> @@ -139,7 +144,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>crash</methodname> + <term> + <methodname>crash</methodname> </term> <listitem> <para> 
@@ -148,7 +154,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>block</methodname> + <term> + <methodname>block</methodname> </term> <listitem> <para> @@ -158,7 +165,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>unblock</methodname> + <term> + <methodname>unblock</methodname> </term> <listitem> <para> @@ -167,7 +175,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>screenshot</methodname> + <term> + <methodname>screenshot</methodname> </term> <listitem> <para> @@ -177,7 +186,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>getScreenText</methodname> + <term> + <methodname>getScreenText</methodname> </term> <listitem> <para> @@ -193,7 +203,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>sendMonitorCommand</methodname> + <term> + <methodname>sendMonitorCommand</methodname> </term> <listitem> <para> @@ -203,7 +214,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>sendKeys</methodname> + <term> + <methodname>sendKeys</methodname> </term> <listitem> <para> @@ -213,7 +225,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>sendChars</methodname> + <term> + <methodname>sendChars</methodname> </term> <listitem> <para> @@ -224,7 +237,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>execute</methodname> + <term> + <methodname>execute</methodname> </term> <listitem> <para> @@ -235,7 +249,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>succeed</methodname> + <term> + <methodname>succeed</methodname> </term> <listitem> <para> @@ -245,7 +260,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>fail</methodname> + <term> + <methodname>fail</methodname> </term> <listitem> <para> 
@@ -255,7 +271,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitUntilSucceeds</methodname> + <term> + <methodname>waitUntilSucceeds</methodname> </term> <listitem> <para> @@ -264,7 +281,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitUntilFails</methodname> + <term> + <methodname>waitUntilFails</methodname> </term> <listitem> <para> @@ -273,7 +291,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitForUnit</methodname> + <term> + <methodname>waitForUnit</methodname> </term> <listitem> <para> @@ -282,7 +301,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitForFile</methodname> + <term> + <methodname>waitForFile</methodname> </term> <listitem> <para> @@ -291,7 +311,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitForOpenPort</methodname> + <term> + <methodname>waitForOpenPort</methodname> </term> <listitem> <para> @@ -301,7 +322,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitForClosedPort</methodname> + <term> + <methodname>waitForClosedPort</methodname> </term> <listitem> <para> @@ -310,7 +332,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitForX</methodname> + <term> + <methodname>waitForX</methodname> </term> <listitem> <para> @@ -319,7 +342,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitForText</methodname> + <term> + <methodname>waitForText</methodname> </term> <listitem> <para> @@ -336,7 +360,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>waitForWindow</methodname> + <term> + <methodname>waitForWindow</methodname> </term> <listitem> <para> @@ -346,7 +371,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>copyFileFromHost</methodname> + <term> + <methodname>copyFileFromHost</methodname> </term> <listitem> <para> 
@@ -361,7 +387,8 @@ startAll; </listitem> </varlistentry> <varlistentry> - <term><methodname>systemctl</methodname> + <term> + <methodname>systemctl</methodname> </term> <listitem> <para> diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index 4e1fde662d6e..6066d025adbf 100644 --- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -16,7 +16,9 @@ </para> <variablelist> <varlistentry> - <term>UEFI systems</term> + <term> + UEFI systems + </term> <listitem> <para> You should boot the live CD in UEFI mode (consult your specific @@ -138,7 +140,9 @@ <listitem> <variablelist> <varlistentry> - <term>UEFI systems</term> + <term> + UEFI systems + </term> <listitem> <para> For creating boot partitions: <command>mkfs.fat</command>. Again @@ -178,7 +182,9 @@ <listitem> <variablelist> <varlistentry> - <term>UEFI systems</term> + <term> + UEFI systems + </term> <listitem> <para> Mount the boot file system on <filename>/mnt/boot</filename>, e.g. @@ -234,7 +240,9 @@ </para> <variablelist> <varlistentry> - <term>BIOS systems</term> + <term> + BIOS systems + </term> <listitem> <para> You <emphasis>must</emphasis> set the option @@ -244,7 +252,9 @@ </listitem> </varlistentry> <varlistentry> - <term>UEFI systems</term> + <term> + UEFI systems + </term> <listitem> <para> You <emphasis>must</emphasis> set the option diff --git a/nixos/doc/manual/man-nixos-build-vms.xml b/nixos/doc/manual/man-nixos-build-vms.xml index 02dad4c548b8..87e4f3dae869 100644 --- a/nixos/doc/manual/man-nixos-build-vms.xml +++ b/nixos/doc/manual/man-nixos-build-vms.xml 
@@ -12,14 +12,22 @@ </refname><refpurpose>build a network of virtual machines from a network of NixOS configurations</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis><command>nixos-build-vms</command> - <arg><option>--show-trace</option> + <cmdsynopsis> + <command>nixos-build-vms</command> + <arg> + <option>--show-trace</option> </arg> - <arg><option>--no-out-link</option> + + <arg> + <option>--no-out-link</option> </arg> - <arg><option>--help</option> + + <arg> + <option>--help</option> </arg> - <arg choice="plain"><replaceable>network.nix</replaceable> + + <arg choice="plain"> + <replaceable>network.nix</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> @@ -78,7 +86,8 @@ </para> <variablelist> <varlistentry> - <term><option>--show-trace</option> + <term> + <option>--show-trace</option> </term> <listitem> <para> @@ -87,7 +96,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--no-out-link</option> + <term> + <option>--no-out-link</option> </term> <listitem> <para> @@ -96,7 +106,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>-h</option>, <option>--help</option> + <term> + <option>-h</option>, <option>--help</option> </term> <listitem> <para> diff --git a/nixos/doc/manual/man-nixos-enter.xml b/nixos/doc/manual/man-nixos-enter.xml index 7db4b72ee36e..42edaa1ae5b6 100644 --- a/nixos/doc/manual/man-nixos-enter.xml +++ b/nixos/doc/manual/man-nixos-enter.xml 
@@ -12,26 +12,40 @@ </refname><refpurpose>run a command in a NixOS chroot environment</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis><command>nixos-enter</command> + <cmdsynopsis> + <command>nixos-enter</command> <arg> - <arg choice='plain'><option>--root</option> - </arg><replaceable>root</replaceable> + <arg choice='plain'> + <option>--root</option> + </arg> + <replaceable>root</replaceable> </arg> + <arg> - <arg choice='plain'><option>--system</option> - </arg><replaceable>system</replaceable> + <arg choice='plain'> + <option>--system</option> + </arg> + <replaceable>system</replaceable> </arg> + <arg> - <arg choice='plain'><option>-c</option> - </arg><replaceable>shell-command</replaceable> + <arg choice='plain'> + <option>-c</option> + </arg> + <replaceable>shell-command</replaceable> </arg> + <arg> - <arg choice='plain'><option>--help</option> + <arg choice='plain'> + <option>--help</option> </arg> </arg> + <arg> - <arg choice='plain'><option>--</option> - </arg><replaceable>arguments</replaceable> + <arg choice='plain'> + <option>--</option> + </arg> + <replaceable>arguments</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> @@ -50,7 +64,8 @@ </para> <variablelist> <varlistentry> - <term><option>--root</option> + <term> + <option>--root</option> </term> <listitem> <para> @@ -60,7 +75,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--system</option> + <term> + <option>--system</option> </term> <listitem> <para> @@ -72,9 +88,11 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--command</option> + <term> + <option>--command</option> </term> - <term><option>-c</option> + <term> + <option>-c</option> </term> <listitem> <para> @@ -83,7 +101,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--</option> + <term> + <option>--</option> </term> <listitem> <para> diff --git a/nixos/doc/manual/man-nixos-generate-config.xml b/nixos/doc/manual/man-nixos-generate-config.xml index 8bf90f452db6..1227873f5780 100644 
--- a/nixos/doc/manual/man-nixos-generate-config.xml +++ b/nixos/doc/manual/man-nixos-generate-config.xml @@ -12,16 +12,24 @@ </refname><refpurpose>generate NixOS configuration modules</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis><command>nixos-generate-config</command> - <arg><option>--force</option> + <cmdsynopsis> + <command>nixos-generate-config</command> + <arg> + <option>--force</option> </arg> + <arg> - <arg choice='plain'><option>--root</option> - </arg><replaceable>root</replaceable> + <arg choice='plain'> + <option>--root</option> + </arg> + <replaceable>root</replaceable> </arg> + <arg> - <arg choice='plain'><option>--dir</option> - </arg><replaceable>dir</replaceable> + <arg choice='plain'> + <option>--dir</option> + </arg> + <replaceable>dir</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> @@ -31,7 +39,8 @@ This command writes two NixOS configuration modules: <variablelist> <varlistentry> - <term><option>/etc/nixos/hardware-configuration.nix</option> + <term> + <option>/etc/nixos/hardware-configuration.nix</option> </term> <listitem> <para> @@ -53,7 +62,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>/etc/nixos/configuration.nix</option> + <term> + <option>/etc/nixos/configuration.nix</option> </term> <listitem> <para> @@ -74,7 +84,8 @@ </para> <variablelist> <varlistentry> - <term><option>--root</option> + <term> + <option>--root</option> </term> <listitem> <para> @@ -88,7 +99,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--dir</option> + <term> + <option>--dir</option> </term> <listitem> <para> @@ -99,7 +111,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--force</option> + <term> + <option>--force</option> </term> <listitem> <para> @@ -109,7 +122,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--no-filesystems</option> + <term> + <option>--no-filesystems</option> </term> <listitem> <para> 
@@ -119,7 +133,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--show-hardware-config</option> + <term> + <option>--show-hardware-config</option> </term> <listitem> <para> diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml index 2d45e83a863f..25f4f40613ac 100644 --- a/nixos/doc/manual/man-nixos-install.xml +++ b/nixos/doc/manual/man-nixos-install.xml 
@@ -12,47 +12,76 @@ </refname><refpurpose>install bootloader and NixOS</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis><command>nixos-install</command> + <cmdsynopsis> + <command>nixos-install</command> <arg> - <arg choice='plain'><option>-I</option> - </arg><replaceable>path</replaceable> + <arg choice='plain'> + <option>-I</option> + </arg> + <replaceable>path</replaceable> </arg> + <arg> - <arg choice='plain'><option>--root</option> - </arg><replaceable>root</replaceable> + <arg choice='plain'> + <option>--root</option> + </arg> + <replaceable>root</replaceable> </arg> + <arg> - <arg choice='plain'><option>--system</option> - </arg><replaceable>path</replaceable> + <arg choice='plain'> + <option>--system</option> + </arg> + <replaceable>path</replaceable> </arg> + <arg> - <arg choice='plain'><option>--no-channel-copy</option> + <arg choice='plain'> + <option>--no-channel-copy</option> </arg> </arg> + <arg> - <arg choice='plain'><option>--no-root-passwd</option> + <arg choice='plain'> + <option>--no-root-passwd</option> </arg> </arg> + <arg> - <arg choice='plain'><option>--no-bootloader</option> + <arg choice='plain'> + <option>--no-bootloader</option> </arg> </arg> - <arg><group choice='req'> - <arg choice='plain'><option>--max-jobs</option> + + <arg> + <group choice='req'> + <arg choice='plain'> + <option>--max-jobs</option> </arg> - <arg choice='plain'><option>-j</option> - </arg></group><replaceable>number</replaceable> + + <arg choice='plain'> + <option>-j</option> + </arg> + </group> <replaceable>number</replaceable> </arg> - <arg><option>--cores</option><replaceable>number</replaceable> + + <arg> + <option>--cores</option> <replaceable>number</replaceable> </arg> - <arg><option>--option</option><replaceable>name</replaceable><replaceable>value</replaceable> + + <arg> + <option>--option</option> <replaceable>name</replaceable> <replaceable>value</replaceable> </arg> + <arg> - <arg choice='plain'><option>--show-trace</option> + <arg 
choice='plain'> + <option>--show-trace</option> </arg> </arg> + <arg> - <arg choice='plain'><option>--help</option> + <arg choice='plain'> + <option>--help</option> </arg> </arg> </cmdsynopsis> @@ -106,7 +135,8 @@ </para> <variablelist> <varlistentry> - <term><option>--root</option> + <term> + <option>--root</option> </term> <listitem> <para> @@ -117,7 +147,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--system</option> + <term> + <option>--system</option> </term> <listitem> <para> @@ -135,7 +166,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>-I</option> + <term> + <option>-I</option> </term> <listitem> <para> @@ -147,9 +179,11 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--max-jobs</option> + <term> + <option>--max-jobs</option> </term> - <term><option>-j</option> + <term> + <option>-j</option> </term> <listitem> <para> @@ -160,7 +194,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--cores</option> + <term> + <option>--cores</option> </term> <listitem> <para> @@ -177,7 +212,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--option</option><replaceable>name</replaceable><replaceable>value</replaceable> + <term> + <option>--option</option> <replaceable>name</replaceable> <replaceable>value</replaceable> </term> <listitem> <para> @@ -187,7 +223,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--show-trace</option> + <term> + <option>--show-trace</option> </term> <listitem> <para> @@ -197,7 +234,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--help</option> + <term> + <option>--help</option> </term> <listitem> <para> diff --git a/nixos/doc/manual/man-nixos-option.xml b/nixos/doc/manual/man-nixos-option.xml index c22c3811dedf..d436cce742a2 100644 --- a/nixos/doc/manual/man-nixos-option.xml +++ b/nixos/doc/manual/man-nixos-option.xml 
@@ -12,14 +12,22 @@ </refname><refpurpose>inspect a NixOS configuration</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis><command>nixos-option</command> - <arg><option>-I</option><replaceable>path</replaceable> + <cmdsynopsis> + <command>nixos-option</command> + <arg> + <option>-I</option> <replaceable>path</replaceable> </arg> - <arg><option>--verbose</option> + + <arg> + <option>--verbose</option> </arg> - <arg><option>--xml</option> + + <arg> + <option>--xml</option> </arg> - <arg choice="plain"><replaceable>option.name</replaceable> + + <arg choice="plain"> + <replaceable>option.name</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> @@ -42,7 +50,8 @@ </para> <variablelist> <varlistentry> - <term><option>-I</option><replaceable>path</replaceable> + <term> + <option>-I</option> <replaceable>path</replaceable> </term> <listitem> <para> @@ -52,7 +61,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--verbose</option> + <term> + <option>--verbose</option> </term> <listitem> <para> @@ -62,7 +72,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>--xml</option> + <term> + <option>--xml</option> </term> <listitem> <para> @@ -76,7 +87,8 @@ <title>Environment</title> <variablelist> <varlistentry> - <term><envar>NIXOS_CONFIG</envar> + <term> + <envar>NIXOS_CONFIG</envar> </term> <listitem> <para> diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index e1a2c7108d18..551a65f5e96b 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml 
@@ -12,43 +12,75 @@ </refname><refpurpose>reconfigure a NixOS machine</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis><command>nixos-rebuild</command><group choice='req'> - <arg choice='plain'><option>switch</option> + <cmdsynopsis> + <command>nixos-rebuild</command><group choice='req'> + <arg choice='plain'> + <option>switch</option> </arg> - <arg choice='plain'><option>boot</option> + + <arg choice='plain'> + <option>boot</option> </arg> - <arg choice='plain'><option>test</option> + + <arg choice='plain'> + <option>test</option> </arg> - <arg choice='plain'><option>build</option> + + <arg choice='plain'> + <option>build</option> </arg> - <arg choice='plain'><option>dry-build</option> + + <arg choice='plain'> + <option>dry-build</option> </arg> - <arg choice='plain'><option>dry-activate</option> + + <arg choice='plain'> + <option>dry-activate</option> </arg> - <arg choice='plain'><option>build-vm</option> + + <arg choice='plain'> + <option>build-vm</option> </arg> - <arg choice='plain'><option>build-vm-with-bootloader</option> - </arg></group> + + <arg choice='plain'> + <option>build-vm-with-bootloader</option> + </arg> + </group> <sbr /> - <arg><option>--upgrade</option> + <arg> + <option>--upgrade</option> </arg> - <arg><option>--install-bootloader</option> + + <arg> + <option>--install-bootloader</option> </arg> - <arg><option>--no-build-nix</option> + + <arg> + <option>--no-build-nix</option> </arg> - <arg><option>--fast</option> + + <arg> + <option>--fast</option> </arg> - <arg><option>--rollback</option> + + <arg> + <option>--rollback</option> </arg> <sbr /> - <arg><group choice='req'> - <arg choice='plain'><option>--profile-name</option> + <arg> + <group choice='req'> + <arg choice='plain'> + <option>--profile-name</option> + </arg> + + <arg choice='plain'> + <option>-p</option> </arg> - <arg choice='plain'><option>-p</option> - </arg></group><replaceable>name</replaceable> + </group> <replaceable>name</replaceable> </arg> <sbr /> - 
<arg><option>--show-trace</option> + <arg> + <option>--show-trace</option> </arg> </cmdsynopsis> </refsynopsisdiv> @@ -68,7 +100,8 @@ operation. It must be one of the following: <variablelist> <varlistentry> - <term><option>switch</option> + <term> + <option>switch</option> </term> <listitem> <para> @@ -82,7 +115,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>boot</option> + <term> + <option>boot</option> </term> <listitem> <para> @@ -94,7 +128,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>test</option> + <term> + <option>test</option> </term> <listitem> <para> @@ -107,7 +142,8 @@ </listitem> </varlistentry> <varlistentry> - <term><option>build</option> + <term> + <option>build</option> </term> <listitem> <para> @@ -124,7 +160,8 @@ $ nix-build /path/to/nixpkgs/nixos -A system </listitem> </varlistentry> <varlistentry> - <term><option>dry-build</option> + <term> + <option>dry-build</option> </term> <listitem> <para> @@ -134,7 +171,8 @@ $ nix-build /path/to/nixpkgs/nixos -A system </listitem> </varlistentry> <varlistentry> - <term><option>dry-activate</option> + <term> + <option>dry-activate</option> </term> <listitem> <para> @@ -147,7 +185,8 @@ $ nix-build /path/to/nixpkgs/nixos -A system </listitem> </varlistentry> <varlistentry> - <term><option>build-vm</option> + <term> + <option>build-vm</option> </term> <listitem> <para> @@ -186,7 +225,8 @@ $ ./result/bin/run-*-vm </listitem> </varlistentry> <varlistentry> - <term><option>build-vm-with-bootloader</option> + <term> + <option>build-vm-with-bootloader</option> </term> <listitem> <para> @@ -213,7 +253,8 @@ $ ./result/bin/run-*-vm </para> <variablelist> <varlistentry> - <term><option>--upgrade</option> + <term> + <option>--upgrade</option> </term> <listitem> <para> @@ -222,7 +263,8 @@ $ ./result/bin/run-*-vm </listitem> </varlistentry> <varlistentry> - <term><option>--install-bootloader</option> + <term> + <option>--install-bootloader</option> </term> <listitem> <para> 
@@ -232,7 +274,8 @@ $ ./result/bin/run-*-vm </listitem> </varlistentry> <varlistentry> - <term><option>--no-build-nix</option> + <term> + <option>--no-build-nix</option> </term> <listitem> <para> @@ -246,7 +289,8 @@ $ ./result/bin/run-*-vm </listitem> </varlistentry> <varlistentry> - <term><option>--fast</option> + <term> + <option>--fast</option> </term> <listitem> <para> @@ -258,7 +302,8 @@ $ ./result/bin/run-*-vm </listitem> </varlistentry> <varlistentry> - <term><option>--rollback</option> + <term> + <option>--rollback</option> </term> <listitem> <para> @@ -271,9 +316,11 @@ $ ./result/bin/run-*-vm </listitem> </varlistentry> <varlistentry> - <term><option>--profile-name</option> + <term> + <option>--profile-name</option> </term> - <term><option>-p</option> + <term> + <option>-p</option> </term> <listitem> <para> @@ -299,7 +346,8 @@ $ nixos-rebuild switch -p test -I nixos-config=./test.nix </listitem> </varlistentry> <varlistentry> - <term><option>--build-host</option> + <term> + <option>--build-host</option> </term> <listitem> <para> @@ -323,7 +371,8 @@ $ nixos-rebuild switch -p test -I nixos-config=./test.nix </listitem> </varlistentry> <varlistentry> - <term><option>--target-host</option> + <term> + <option>--target-host</option> </term> <listitem> <para> @@ -361,7 +410,8 @@ $ nixos-rebuild switch -p test -I nixos-config=./test.nix <title>Environment</title> <variablelist> <varlistentry> - <term><envar>NIXOS_CONFIG</envar> + <term> + <envar>NIXOS_CONFIG</envar> </term> <listitem> <para> @@ -371,7 +421,8 @@ $ nixos-rebuild switch -p test -I nixos-config=./test.nix </listitem> </varlistentry> <varlistentry> - <term><envar>NIX_SSHOPTS</envar> + <term> + <envar>NIX_SSHOPTS</envar> </term> <listitem> <para> @@ -386,7 +437,8 @@ $ nixos-rebuild switch -p test -I nixos-config=./test.nix <title>Files</title> <variablelist> <varlistentry> - <term><filename>/run/current-system</filename> + <term> + <filename>/run/current-system</filename> </term> <listitem> <para> 
@@ -395,7 +447,8 @@ $ nixos-rebuild switch -p test -I nixos-config=./test.nix </listitem> </varlistentry> <varlistentry> - <term><filename>/nix/var/nix/profiles/system</filename> + <term> + <filename>/nix/var/nix/profiles/system</filename> </term> <listitem> <para> diff --git a/nixos/doc/manual/man-nixos-version.xml b/nixos/doc/manual/man-nixos-version.xml index c173bce19136..931c4a5ad029 100644 --- a/nixos/doc/manual/man-nixos-version.xml +++ b/nixos/doc/manual/man-nixos-version.xml @@ -11,10 +11,14 @@ </refname><refpurpose>show the NixOS version</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis><command>nixos-version</command> - <arg><option>--hash</option> + <cmdsynopsis> + <command>nixos-version</command> + <arg> + <option>--hash</option> </arg> - <arg><option>--revision</option> + + <arg> + <option>--revision</option> </arg> </cmdsynopsis> </refsynopsisdiv> @@ -29,7 +33,8 @@ The version consists of the following elements: <variablelist> <varlistentry> - <term><literal>16.03</literal> + <term> + <literal>16.03</literal> </term> <listitem> <para> @@ -39,7 +44,8 @@ </listitem> </varlistentry> <varlistentry> - <term><literal>1011</literal> + <term> + <literal>1011</literal> </term> <listitem> <para> @@ -53,7 +59,8 @@ </listitem> </varlistentry> <varlistentry> - <term><literal>6317da4</literal> + <term> + <literal>6317da4</literal> </term> <listitem> <para> @@ -63,7 +70,8 @@ </listitem> </varlistentry> <varlistentry> - <term><literal>Emu</literal> + <term> + <literal>Emu</literal> </term> <listitem> <para> @@ -83,9 +91,11 @@ </para> <variablelist> <varlistentry> - <term><option>--hash</option> + <term> + <option>--hash</option> </term> - <term><option>--revision</option> + <term> + <option>--revision</option> </term> <listitem> <para> diff --git a/nixos/doc/manual/release-notes/rl-1509.xml b/nixos/doc/manual/release-notes/rl-1509.xml index 734bc076b852..2465f370cf13 100644 --- a/nixos/doc/manual/release-notes/rl-1509.xml 
+++ b/nixos/doc/manual/release-notes/rl-1509.xml @@ -435,11 +435,11 @@ system.autoUpgrade.enable = true; <programlisting> system.nixos.stateVersion = "14.12"; </programlisting> - The new option <option>system.nixos.stateVersion</option> ensures that certain - configuration changes that could break existing systems (such as the - <command>sshd</command> host key setting) will maintain compatibility with - the specified NixOS release. NixOps sets the state version of existing - deployments automatically. + The new option <option>system.nixos.stateVersion</option> ensures that + certain configuration changes that could break existing systems (such as + the <command>sshd</command> host key setting) will maintain compatibility + with the specified NixOS release. NixOps sets the state version of + existing deployments automatically. </para> </listitem> <listitem> diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 35dc69515ffd..667437a24135 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -53,10 +53,12 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <itemizedlist> <listitem> - <para>When enabled the <literal>iproute2</literal> will copy the files - expected by ip route (e.g., <filename>rt_tables</filename>) in - <filename>/run/iproute2</filename>. This allows to write aliases for - routing tables for instance.</para> + <para> + When enabled the <literal>iproute2</literal> will copy the files expected + by ip route (e.g., <filename>rt_tables</filename>) in + <filename>/run/iproute2</filename>. This allows to write aliases for + routing tables for instance. + </para> </listitem> </itemizedlist> </section> 
@@ -99,20 +101,30 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' </listitem> <listitem> <para> - The <varname>services.docker-registry.extraConfig</varname> object doesn't contain - environment variables anymore. Instead it needs to provide an object structure - that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the <varname>docker/distribution</varname> docs</link>. + The <varname>services.docker-registry.extraConfig</varname> object doesn't + contain environment variables anymore. Instead it needs to provide an + object structure that can be mapped onto the YAML configuration defined in + <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the + <varname>docker/distribution</varname> docs</link>. + </para> + </listitem> + <listitem> + <para> + <literal>gnucash</literal> has changed from version 2.4 to 3.x. If you've + been using <literal>gnucash</literal> (version 2.4) instead of + <literal>gnucash26</literal> (version 2.6) you must open your Gnucash data + file(s) with <literal>gnucash26</literal> and then save them to upgrade + the file format. Then you may use your data file(s) with Gnucash 3.x. See + the upgrade + <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>. + Gnucash 2.4 is still available under the attribute + <literal>gnucash24</literal>. </para> </listitem> <listitem> <para> - <literal>gnucash</literal> has changed from version 2.4 to 3.x. - If you've been using <literal>gnucash</literal> (version 2.4) instead of - <literal>gnucash26</literal> (version 2.6) you must open your Gnucash - data file(s) with <literal>gnucash26</literal> and then save them to - upgrade the file format. Then you may use your data file(s) with - Gnucash 3.x. 
See the upgrade <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>. - Gnucash 2.4 is still available under the attribute <literal>gnucash24</literal>. + <varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root. + Make sure the key file is accessible to the daemon. </para> </listitem> </itemizedlist> @@ -128,9 +140,9 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <itemizedlist> <listitem> <para> - <literal>dockerTools.pullImage</literal> relies on image digest - instead of image tag to download the image. The - <literal>sha256</literal> of a pulled image has to be updated. + <literal>dockerTools.pullImage</literal> relies on image digest instead of + image tag to download the image. The <literal>sha256</literal> of a pulled + image has to be updated. </para> </listitem> <listitem> 
@@ -166,9 +178,26 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' </listitem> <listitem> <para> - <literal>lib.traceValIfNot</literal> has been deprecated. Use - <literal>if/then/else</literal> and <literal>lib.traceValSeq</literal> - instead. + The <literal>pkgs</literal> argument to NixOS modules can now be set directly using <literal>nixpkgs.pkgs</literal>. Previously, only the <literal>system</literal>, <literal>config</literal> and <literal>overlays</literal> arguments could be used to influence <literal>pkgs</literal>. + </para> + </listitem> + <listitem> + <para> + A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example: + <programlisting> +inherit (pkgs.nixos { + boot.loader.grub.enable = false; + fileSystems."/".device = "/dev/xvda1"; +}) toplevel kernel initialRamdisk manual; + </programlisting> + + This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceValIfNot</literal> has been deprecated. Use + <literal>if/then/else</literal> and <literal>lib.traceValSeq</literal> instead. </para> </listitem> <listitem> 
@@ -187,32 +216,40 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <para> The module for <option>security.dhparams</option> has two new options now: </para> - <variablelist> <varlistentry> - <term><option>security.dhparams.stateless</option></term> - <listitem><para> - Puts the generated Diffie-Hellman parameters into the Nix store instead - of managing them in a stateful manner in - <filename class="directory">/var/lib/dhparams</filename>. - </para></listitem> + <term> + <option>security.dhparams.stateless</option> + </term> + <listitem> + <para> + Puts the generated Diffie-Hellman parameters into the Nix store instead + of managing them in a stateful manner in + <filename class="directory">/var/lib/dhparams</filename>. + </para> + </listitem> </varlistentry> <varlistentry> - <term><option>security.dhparams.defaultBitSize</option></term> - <listitem><para> - The default bit size to use for the generated Diffie-Hellman parameters. - </para></listitem> + <term> + <option>security.dhparams.defaultBitSize</option> + </term> + <listitem> + <para> + The default bit size to use for the generated Diffie-Hellman + parameters. + </para> + </listitem> </varlistentry> </variablelist> - - <note><para> - The path to the actual generated parameter files should now be queried - using - <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal> - because it might be either in the Nix store or in a directory configured - by <option>security.dhparams.path</option>. - </para></note> - + <note> + <para> + The path to the actual generated parameter files should now be queried + using + <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal> + because it might be either in the Nix store or in a directory configured + by <option>security.dhparams.path</option>. + </para> + </note> <note> <title>For developers:</title> <para> 
@@ -237,20 +274,60 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' </listitem> <listitem> <para> - <literal>networking.networkmanager.useDnsmasq</literal> has been deprecated. Use - <literal>networking.networkmanager.dns</literal> instead. + <literal>networking.networkmanager.useDnsmasq</literal> has been + deprecated. Use <literal>networking.networkmanager.dns</literal> instead. + </para> + </listitem> + <listitem> + <para> + The option + <varname>services.kubernetes.apiserver.admissionControl</varname> was + renamed to + <varname>services.kubernetes.apiserver.enableAdmissionPlugins</varname>. + </para> + </listitem> + <listitem> + <para> + Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) + Therefore; public service port for the dashboard has changed to 443 + (container port 8443) and scheme to https. + </para> + </listitem> + <listitem> + <para> + The option <varname>services.kubernetes.apiserver.address</varname> + was renamed to <varname>services.kubernetes.apiserver.bindAddress</varname>. + Note that the default value has changed from 127.0.0.1 to 0.0.0.0. + </para> + </listitem> + <listitem> + <para> + The option <varname>services.kubernetes.apiserver.publicAddress</varname> + was not used and thus has been removed. + </para> + </listitem> + <listitem> + <para> + The option <varname>services.kubernetes.addons.dashboard.enableRBAC</varname> + was renamed to <varname>services.kubernetes.addons.dashboard.rbac.enable</varname>. </para> </listitem> <listitem> <para> - The option <varname>services.kubernetes.apiserver.admissionControl</varname> - was renamed to <varname>services.kubernetes.apiserver.enableAdmissionPlugins</varname>. + The Kubernetes Dashboard now has only minimal RBAC permissions by default. + If dashboard cluster-admin rights are desired, + set <varname>services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname> to true. 
+ On existing clusters, in order for the revocation of privileges to take effect, + the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: + <literal>kubectl delete clusterrolebinding kubernetes-dashboard</literal> </para> </listitem> <listitem> <para> - Recommented way to access the Kubernetes Dashboard is with HTTPS (TLS) - Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https. + The <varname>programs.screen</varname> module provides allows to configure + <literal>/etc/screenrc</literal>, however the module behaved fairly counterintuitive as + the config exists, but the package wasn't available. Since 18.09 <literal>pkgs.screen</literal> + will be added to <literal>environment.systemPackages</literal>. </para> </listitem> </itemizedlist> diff --git a/nixos/doc/manual/shell.nix b/nixos/doc/manual/shell.nix index 7f8422b4ec11..cc3609d750e0 100644 --- a/nixos/doc/manual/shell.nix +++ b/nixos/doc/manual/shell.nix @@ -4,5 +4,5 @@ in pkgs.mkShell { name = "nixos-manual"; - buildInputs = with pkgs; [ xmlformat jing xmloscopy ]; + buildInputs = with pkgs; [ xmlformat jing xmloscopy ruby ]; } diff --git a/nixos/doc/varlistentry-fixer.rb b/nixos/doc/varlistentry-fixer.rb new file mode 100755 index 000000000000..6c7cc1e6439b --- /dev/null +++ b/nixos/doc/varlistentry-fixer.rb 
@@ -0,0 +1,124 @@
+#!/usr/bin/env ruby
+
+# This script is written intended as a living, evolving tooling
+# to fix oopsies within the docbook documentation.
+#
+# This is *not* a formatter. It, instead, handles some known cases
+# where something bad happened, and fixing it manually is tedious.
+#
+# Read the code to see the different cases it handles.
+#
+# ALWAYS `make format` after fixing with this!
+# ALWAYS read the changes, this tool isn't yet proven to be always right.
+
+require "rexml/document"
+include REXML
+
+if ARGV.length < 1 then
+ $stderr.puts "Needs a filename."
+ exit 1
+end
+
+filename = ARGV.shift
+doc = Document.new(File.open(filename))
+
+$touched = false
+
+# Fixing varnames having a sibling element without spacing.
+# This is to fix an initial `xmlformat` issue where `term`
+# would mangle as spaces.
+#
+# <varlistentry>
+# <term><varname>types.separatedString</varname><replaceable>sep</replaceable> <----
+# </term>
+# ...
+#
+# Generates: types.separatedStringsep
+# ^^^^
+#
+# <varlistentry xml:id='fun-makeWrapper'>
+# <term>
+# <function>makeWrapper</function><replaceable>executable</replaceable><replaceable>wrapperfile</replaceable><replaceable>args</replaceable> <----
+# </term>
+#
+# Generates: makeWrapperexecutablewrapperfileargs
+# ^^^^ ^^^^ ^^ ^^
+#
+# <term>
+# <option>--option</option><replaceable>name</replaceable><replaceable>value</replaceable> <-----
+# </term>
+#
+# Generates: --optionnamevalue
+# ^^ ^^
+doc.elements.each("//varlistentry/term") do |term|
+ ["varname", "function", "option", "replaceable"].each do |prev_name|
+ term.elements.each(prev_name) do |el|
+ if el.next_element and
+ el.next_element.name == "replaceable" and
+ el.next_sibling_node.class == Element
+ then
+ $touched = true
+ term.insert_after(el, Text.new(" "))
+ end
+ end
+ end
+end
+
+
+
+# <cmdsynopsis>
+# <command>nixos-option</command>
+# <arg>
+# <option>-I</option><replaceable>path</replaceable> <------
+# </arg>
+#
+# Generates: -Ipath
+# ^^
+doc.elements.each("//cmdsynopsis/arg") do |term|
+ ["option", "replaceable"].each do |prev_name|
+ term.elements.each(prev_name) do |el|
+ if el.next_element and
+ el.next_element.name == "replaceable" and
+ el.next_sibling_node.class == Element
+ then
+ $touched = true
+ term.insert_after(el, Text.new(" "))
+ end
+ end
+ end
+end
+
+# <cmdsynopsis>
+# <arg>
+# <group choice='req'>
+# <arg choice='plain'>
+# <option>--profile-name</option>
+# </arg>
+#
+# <arg choice='plain'>
+# <option>-p</option>
+# </arg>
+# </group><replaceable>name</replaceable> <----
+# </arg>
+#
+# Generates: [{--profile-name | -p }name]
+# ^^^^
+doc.elements.each("//cmdsynopsis/arg") do |term|
+ ["group"].each do |prev_name|
+ term.elements.each(prev_name) do |el|
+ if el.next_element and
+ el.next_element.name == "replaceable" and
+ el.next_sibling_node.class == Element
+ then
+ $touched = true
+ term.insert_after(el, Text.new(" "))
+ end
+ end
+ end
+end
+
+
+if $touched then
+ doc.context[:attribute_quote] = :quote
+ doc.write(output: File.open(filename, "w"))
+end
diff --git a/nixos/doc/xmlformat.conf b/nixos/doc/xmlformat.conf
index 50255857b24a..4a565c8465bc 100644
--- a/nixos/doc/xmlformat.conf
+++ b/nixos/doc/xmlformat.conf
@@ -67,6 +67,7 @@ programlisting screen
 entry-break = 0
 exit-break = 0
-
-#term
-# format inline
+# This is needed so that the spacing inside those tags is kept.
+term cmdsynopsis arg
+ normalize yes
+ format block
diff --git a/nixos/maintainers/scripts/azure/create-azure.sh b/nixos/maintainers/scripts/azure/create-azure.sh
index a834566be8f7..2b22cb536619 100755
--- a/nixos/maintainers/scripts/azure/create-azure.sh
+++ b/nixos/maintainers/scripts/azure/create-azure.sh
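Review bot: The output handle from `File.open(filename, "w")` in the final `if $touched` block is never closed or flushed explicitly, and the input handle passed to `Document.new(File.open(filename))` near the top of the script is leaked the same way; the block form closes both deterministically: `doc = File.open(filename) { |f| Document.new(f) }` and `File.open(filename, "w") { |f| doc.write(output: f) }`. Opening the original with "w" also truncates it before `doc.write` has produced anything, so an exception while serialising leaves an empty file in place of the documentation; writing to a temporary file beside it and renaming over the original would keep the last good version. The three traversal blocks differ only in their XPath and list of element names, so one helper such as `def space_before_replaceable(doc, xpath, names)` would remove the duplication and keep the `next_sibling_node.class == Element` condition, which is the part most likely to need adjustment, in a single place.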
@@ -5,4 +5,4 @@ export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation
 export TIMESTAMP=$(date +%Y%m%d%H%M)
 nix-build '<nixpkgs/nixos>' \
- -A config.system.build.azureImage --argstr system x86_64-linux -o azure --option extra-binary-caches https://hydra.nixos.org -j 10
+ -A config.system.build.azureImage --argstr system x86_64-linux -o azure -j 10
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index a20910353f34..c7a6c943bc27 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@@ -26,16 +26,16 @@ with lib;
 fonts.fontconfig.enable = false;
- nixpkgs.config.packageOverrides = pkgs: {
- dbus = pkgs.dbus.override { x11Support = false; };
- networkmanager-fortisslvpn = pkgs.networkmanager-fortisslvpn.override { withGnome = false; };
- networkmanager-l2tp = pkgs.networkmanager-l2tp.override { withGnome = false; };
- networkmanager-openconnect = pkgs.networkmanager-openconnect.override { withGnome = false; };
- networkmanager-openvpn = pkgs.networkmanager-openvpn.override { withGnome = false; };
- networkmanager-vpnc = pkgs.networkmanager-vpnc.override { withGnome = false; };
- networkmanager-iodine = pkgs.networkmanager-iodine.override { withGnome = false; };
- pinentry = pkgs.pinentry_ncurses;
- gobjectIntrospection = pkgs.gobjectIntrospection.override { x11Support = false; };
- };
+ nixpkgs.overlays = singleton (const (super: {
+ dbus = super.dbus.override { x11Support = false; };
+ networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; };
+ networkmanager-l2tp = super.networkmanager-l2tp.override { withGnome = false; };
+ networkmanager-openconnect = super.networkmanager-openconnect.override { withGnome = false; };
+ networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; };
+ networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
+ networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
+ pinentry = super.pinentry_ncurses;
+ gobjectIntrospection = super.gobjectIntrospection.override { x11Support = false; };
+ }));
 };
 }
diff --git a/nixos/modules/hardware/brightnessctl.nix b/nixos/modules/hardware/brightnessctl.nix
new file mode 100644
index 000000000000..341e4b791c23
--- /dev/null
+++ b/nixos/modules/hardware/brightnessctl.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.hardware.brightnessctl;
+in
+{
+
+ options = {
+
+ hardware.brightnessctl = {
+
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enable brightnessctl in userspace.
+ This will allow brightness control from users in the video group.
+ '';
+
+ };
+ };
+ };
+
+
+ config = mkIf cfg.enable {
+ services.udev.packages = with pkgs; [ brightnessctl ];
+ };
+
+}
diff --git a/nixos/modules/hardware/video/uvcvideo/default.nix b/nixos/modules/hardware/video/uvcvideo/default.nix
new file mode 100644
index 000000000000..7e3e94fdf2bd
--- /dev/null
+++ b/nixos/modules/hardware/video/uvcvideo/default.nix
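Review bot: Enabling `hardware.brightnessctl` only installs the package's udev rules via `services.udev.packages`, so the `brightnessctl` command the description promises is not on the user's path unless they add it themselves; either add `environment.systemPackages = [ pkgs.brightnessctl ];` inside the same `mkIf cfg.enable` block, or state in the description that the tool has to be installed separately. Because the description says the rules hand brightness control to members of the `video` group, that is a privilege decision worth spelling out for administrators: a line such as `Users must be members of the video group to use it.` makes the requirement explicit instead of leaving it implied. The `enable` option is the `mkEnableOption` pattern written out by hand (`default = false; type = types.bool;`), and `mkEnableOption "brightnessctl in userspace"` would be the more idiomatic form.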
@@ -0,0 +1,64 @@
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.uvcvideo;
+
+ uvcdynctrl-udev-rules = packages: pkgs.callPackage ./uvcdynctrl-udev-rules.nix {
+ drivers = packages;
+ udevDebug = false;
+ };
+
+in
+
+{
+
+ options = {
+ services.uvcvideo.dynctrl = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable <command>uvcvideo</command> dynamic controls.
+
+ Note that enabling this brings the <command>uvcdynctrl</command> tool
+ into your environement and register all dynamic controls from
+ specified <command>packages</command> to the <command>uvcvideo</command> driver.
+ '';
+ };
+
+ packages = mkOption {
+ type = types.listOf types.path;
+ example = literalExample "[ pkgs.tiscamera ]";
+ description = ''
+ List of packages containing <command>uvcvideo</command> dynamic controls
+ rules. All files found in
+ <filename><replaceable>pkg</replaceable>/share/uvcdynctrl/data</filename>
+ will be included.
+
+ Note that these will serve as input to the <command>libwebcam</command>
+ package which through its own <command>udev</command> rule will register
+ the dynamic controls from specified packages to the <command>uvcvideo</command>
+ driver.
+ '';
+ apply = map getBin;
+ };
+ };
+ };
+
+ config = mkIf cfg.dynctrl.enable {
+
+ services.udev.packages = [
+ (uvcdynctrl-udev-rules cfg.dynctrl.packages)
+ ];
+
+ environment.systemPackages = [
+ pkgs.libwebcam
+ ];
+
+ };
+}
diff --git a/nixos/modules/hardware/video/uvcvideo/uvcdynctrl-udev-rules.nix b/nixos/modules/hardware/video/uvcvideo/uvcdynctrl-udev-rules.nix
new file mode 100644
index 000000000000..832e61966120
--- /dev/null
+++ b/nixos/modules/hardware/video/uvcvideo/uvcdynctrl-udev-rules.nix
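Review bot: `services.uvcvideo.dynctrl.packages` is declared without a `default`, so setting `dynctrl.enable = true` without also defining `packages` makes the `cfg.dynctrl.packages` reference in the `config` block fail evaluation with an "option used but not defined" error; adding `default = [];` to that `mkOption` makes the common case work, and the rules derivation already appends libwebcam's own data directory, so an empty list is meaningful. `udevDebug = false` is hard-wired in the `uvcdynctrl-udev-rules` wrapper even though the rules file takes it as a parameter; exposing it as a `dynctrl.udevDebug` boolean option, or at least a comment such as `# udev debug output is deliberately not exposed as an option`, would save the next maintainer a trip into the other file. In the `enable` description, "environement" should read "environment" and "register" should read "registers".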
@@ -0,0 +1,46 @@ +{ lib +, stdenv +, buildEnv +, libwebcam +, makeWrapper +, runCommand +, drivers ? [] +, udevDebug ? false +}: + +let + version = "0.0.0"; + + dataPath = buildEnv { + name = "uvcdynctrl-with-drivers-data-path"; + paths = drivers ++ [ libwebcam ]; + pathsToLink = [ "/share/uvcdynctrl/data" ]; + ignoreCollisions = false; + }; + + dataDir = "${dataPath}/share/uvcdynctrl/data"; + udevDebugVarValue = if udevDebug then "1" else "0"; +in + +runCommand "uvcdynctrl-udev-rules-${version}" +{ + inherit dataPath; + buildInputs = [ + makeWrapper + libwebcam + ]; + dontPatchELF = true; + dontStrip = true; +} +'' + mkdir -p "$out/lib/udev" + makeWrapper "${libwebcam}/lib/udev/uvcdynctrl" "$out/lib/udev/uvcdynctrl" \ + --set NIX_UVCDYNCTRL_DATA_DIR "${dataDir}" \ + --set NIX_UVCDYNCTRL_UDEV_DEBUG "${udevDebugVarValue}" + + mkdir -p "$out/lib/udev/rules.d" + cat "${libwebcam}/lib/udev/rules.d/80-uvcdynctrl.rules" | \ + sed -r "s#RUN\+\=\"([^\"]+)\"#RUN\+\=\"$out/lib/udev/uvcdynctrl\"#g" > \ + "$out/lib/udev/rules.d/80-uvcdynctrl.rules" +'' + diff --git a/nixos/modules/i18n/input-method/default.xml b/nixos/modules/i18n/input-method/default.xml index 76ffa8cb7e37..eb75b7415c9c 100644 --- a/nixos/modules/i18n/input-method/default.xml +++ b/nixos/modules/i18n/input-method/default.xml 
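Review bot: `lib` and `stdenv` are accepted as arguments but never used, and `version = "0.0.0"` is a placeholder that ends up in the store path name; drop the unused arguments and name the derivation after its real input, e.g. `runCommand "uvcdynctrl-udev-rules-${libwebcam.version}"` if `libwebcam` exposes a `version` attribute (not visible here). The `cat … | sed` pipeline can read the file directly: `sed -r '…' "${libwebcam}/lib/udev/rules.d/80-uvcdynctrl.rules" > "$out/lib/udev/rules.d/80-uvcdynctrl.rules"`. Since the rewritten `RUN+=` makes udev execute the wrapper with udev's own privileges on device events, a one-line comment above the `makeWrapper` call stating that the wrapper only pins the data directory and the debug flag would let a reviewer see at a glance that no extra privilege is introduced.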
@@ -68,6 +68,18 @@ ibus.engines = with pkgs.ibus-engines; [ table table-others ]; <para>To use any input method, the package must be added in the configuration, as shown above, and also (after running <literal>nixos-rebuild</literal>) the input method must be added from IBus' preference dialog.</para> + +<simplesect> + <title>Troubleshooting</title> + <para>If IBus works in some applications but not others, a likely cause of + this is that IBus is depending on a different version of + <literal>glib</literal> to what the applications are depending on. This can + be checked by running <literal>nix-store -q --requisites <path> | grep + glib</literal>, where <literal><path></literal> is the path of either + IBus or an application in the Nix store. The <literal>glib</literal> + packages must match exactly. If they do not, uninstalling and reinstalling + the application is a likely fix.</para> +</simplesect> </section> <section><title>Fcitx</title> diff --git a/nixos/modules/installer/scan/not-detected.nix b/nixos/modules/installer/scan/not-detected.nix index 903933e2df02..baa068c08dbf 100644 --- a/nixos/modules/installer/scan/not-detected.nix +++ b/nixos/modules/installer/scan/not-detected.nix @@ -1,9 +1,6 @@ -# List all devices which are _not_ detected by nixos-generate-config. -# Common devices are enabled by default. -{ config, lib, pkgs, ... }: - -with lib; +# Enables non-free firmware on devices not recognized by `nixos-generate-config`. +{ lib, ... }: { - hardware.enableRedistributableFirmware = true; + hardware.enableRedistributableFirmware = lib.mkDefault true; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index da4c21296ffd..c425f3c65075 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -29,6 +29,7 @@ ./config/vpnc.nix ./config/zram.nix ./hardware/all-firmware.nix + ./hardware/brightnessctl.nix ./hardware/ckb.nix ./hardware/cpu/amd-microcode.nix ./hardware/cpu/intel-microcode.nix 
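Review bot: The new header comment in not-detected.nix says "non-free firmware", but the option it sets is `hardware.enableRedistributableFirmware`, which is about redistributability rather than licence; suggest `# Enables redistributable (often non-free) firmware for devices that nixos-generate-config cannot detect.` The switch to `lib.mkDefault true` is the useful part of the hunk, since this file is imported from generated hardware configurations and users previously could not override the value without `mkForce`. The input-method and module-list hunks on this line are documentation and list additions only.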
@@ -50,6 +51,7 @@ ./hardware/video/bumblebee.nix ./hardware/video/displaylink.nix ./hardware/video/nvidia.nix + ./hardware/video/uvcvideo/default.nix ./hardware/video/webcam/facetimehd.nix ./i18n/input-method/default.nix ./i18n/input-method/fcitx.nix @@ -127,6 +129,7 @@ ./programs/zsh/oh-my-zsh.nix ./programs/zsh/zsh.nix ./programs/zsh/zsh-autoenv.nix + ./programs/zsh/zsh-autosuggestions.nix ./programs/zsh/zsh-syntax-highlighting.nix ./rename.nix ./security/acme.nix @@ -472,6 +475,7 @@ ./services/networking/dnschain.nix ./services/networking/dnscrypt-proxy.nix ./services/networking/dnscrypt-wrapper.nix + ./services/networking/dnsdist.nix ./services/networking/dnsmasq.nix ./services/networking/ejabberd.nix ./services/networking/fakeroute.nix @@ -537,6 +541,7 @@ ./services/networking/openntpd.nix ./services/networking/openvpn.nix ./services/networking/ostinato.nix + ./services/networking/owamp.nix ./services/networking/pdnsd.nix ./services/networking/polipo.nix ./services/networking/powerdns.nix @@ -657,6 +662,7 @@ ./services/web-apps/tt-rss.nix ./services/web-apps/selfoss.nix ./services/web-apps/quassel-webserver.nix + ./services/web-apps/virtlyst.nix ./services/web-apps/youtrack.nix ./services/web-servers/apache-httpd/default.nix ./services/web-servers/caddy.nix diff --git a/nixos/modules/programs/mosh.nix b/nixos/modules/programs/mosh.nix index b3aa55e189a3..359fe23e0ecd 100644 --- a/nixos/modules/programs/mosh.nix +++ b/nixos/modules/programs/mosh.nix 
@@ -16,10 +16,28 @@ in default = false; type = lib.types.bool; }; + withUtempter = mkOption { + description = '' + Whether to enable libutempter for mosh. + This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). + Note, this will add a guid wrapper for the group utmp! + ''; + default = true; + type = lib.types.bool; + }; }; config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ mosh ]; networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]; + security.wrappers = mkIf cfg.withUtempter { + utempter = { + source = "${pkgs.libutempter}/lib/utempter/utempter"; + owner = "nobody"; + group = "utmp"; + setuid = false; + setgid = true; + }; + }; }; } diff --git a/nixos/modules/programs/npm.nix b/nixos/modules/programs/npm.nix index 7ef172355c1f..5fdd4fa841a1 100644 --- a/nixos/modules/programs/npm.nix +++ b/nixos/modules/programs/npm.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -39,6 +39,8 @@ in environment.etc."npmrc".text = cfg.npmrc; environment.variables.NPM_CONFIG_GLOBALCONFIG = "/etc/npmrc"; + + environment.systemPackages = [ pkgs.nodePackages.npm ]; }; } diff --git a/nixos/modules/programs/screen.nix b/nixos/modules/programs/screen.nix index f82338a69d25..c1daaa58f16f 100644 --- a/nixos/modules/programs/screen.nix +++ b/nixos/modules/programs/screen.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let inherit (lib) mkOption mkIf types; @@ -25,6 +25,8 @@ in config = mkIf (cfg.screenrc != "") { environment.etc."screenrc".text = cfg.screenrc; + + environment.systemPackages = [ pkgs.screen ]; }; } diff --git a/nixos/modules/programs/thefuck.nix b/nixos/modules/programs/thefuck.nix index eb913477cf05..f4ae52934760 100644 --- a/nixos/modules/programs/thefuck.nix +++ b/nixos/modules/programs/thefuck.nix 
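Review bot: `withUtempter` defaults to `true`, so merely enabling mosh now installs a setgid wrapper (group `utmp`) for `utempter`; the description should state that plainly and fix its typo: `Note, this will add a setgid wrapper for the group utmp!` (`guid` → `setgid`). The description also mentions `/var/run/utmp` but nothing says how `mosh-server` finds the wrapper, so a short comment on the `security.wrappers` block explaining the lookup (environment variable or fixed path) would save the next reader a trip to the mosh sources. The `options.programs.mosh` attrset this hunk extends starts outside the hunk.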
@@ -31,8 +31,8 @@ in environment.systemPackages = with pkgs; [ thefuck ]; environment.shellInit = initScript; - programs.zsh.shellInit = mkIf prg.zsh.enable initScript; - programs.fish.shellInit = mkIf prg.fish.enable '' + programs.zsh.interactiveShellInit = mkIf prg.zsh.enable initScript; + programs.fish.interactiveShellInit = mkIf prg.fish.enable '' ${pkgs.thefuck}/bin/thefuck --alias | source ''; }; diff --git a/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixos/modules/programs/zsh/zsh-autosuggestions.nix new file mode 100644 index 000000000000..416f4c9c6751 --- /dev/null +++ b/nixos/modules/programs/zsh/zsh-autosuggestions.nix 
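Review bot: `environment.shellInit = initScript;` is left unchanged while the zsh and fish hooks move to `interactiveShellInit`, so every shell that goes through `environment.shellInit` (bash included) still evaluates the thefuck alias on non-interactive startup; for consistency with the two changed lines this should presumably become `environment.interactiveShellInit = initScript;`. `initScript` is defined outside the hunk, so I cannot confirm what it costs in a non-interactive shell.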
@@ -0,0 +1,60 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs.zsh.autosuggestions; +in +{ + options.programs.zsh.autosuggestions = { + + enable = mkEnableOption "zsh-autosuggestions"; + + highlightStyle = mkOption { + type = types.str; + default = "fg=8"; # https://github.com/zsh-users/zsh-autosuggestions/tree/v0.4.3#suggestion-highlight-style + description = "Highlight style for suggestions ({fore,back}ground color)"; + example = "fg=cyan"; + }; + + strategy = mkOption { + type = types.enum [ "default" "match_prev_cmd" ]; + default = "default"; + description = '' + Set ZSH_AUTOSUGGEST_STRATEGY to choose the strategy for generating suggestions. + There are currently two to choose from: + + * default: Chooses the most recent match. + * match_prev_cmd: Chooses the most recent match whose preceding history item matches + the most recently executed command (more info). Note that this strategy won't work as + expected with ZSH options that don't preserve the history order such as + HIST_IGNORE_ALL_DUPS or HIST_EXPIRE_DUPS_FIRST. + ''; + }; + + extraConfig = mkOption { + type = with types; attrsOf str; + default = {}; + description = "Attribute set with additional configuration values"; + example = literalExample '' + { + "ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE" = "20"; + } + ''; + }; + + }; + + config = mkIf cfg.enable { + + programs.zsh.interactiveShellInit = '' + source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh + + export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="${cfg.highlightStyle}" + export ZSH_AUTOSUGGEST_STRATEGY="${cfg.strategy}" + + ${concatStringsSep "\n" (mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)} + ''; + + }; +} diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 662b463d572e..42d4e1d4ada0 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix 
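Review bot: The `strategy` description ends with the dangling text `(more info)`, copied from the upstream README without its link; either remove it or replace it with the upstream documentation URL the `highlightStyle` comment already points to. `extraConfig` entries are emitted as `export ${key}="${value}"`, so keys are not checked to be shell identifiers and values sit inside double quotes where `$` and backquotes expand; this is administrator-supplied configuration, so it is acceptable, but the description should say `Values are inserted verbatim inside double quotes; escape $ and " as needed.` so users are not surprised.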
@@ -87,13 +87,6 @@ in type = types.bool; }; - enableAutosuggestions = mkOption { - default = false; - description = '' - Enable zsh-autosuggestions - ''; - type = types.bool; - }; }; }; @@ -168,10 +161,6 @@ in ${optionalString cfg.enableCompletion "autoload -U compinit && compinit"} - ${optionalString (cfg.enableAutosuggestions) - "source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh" - } - ${cfge.interactiveShellInit} ${cfg.interactiveShellInit} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index b15dd84999a9..7b094fc14203 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -32,6 +32,9 @@ with lib; (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) (mkRenamedOptionModule [ "services" "kibana" "host" ] [ "services" "kibana" "listenAddress" ]) (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) + (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") + (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) (mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ]) (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "listenAddress" ]) 
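Review bot: `mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] ""` passes an empty replacement message, so a user who still sets the option gets no hint what replaced it; give it a message such as `"The secure port now binds to services.kubernetes.apiserver.bindAddress; use services.kubernetes.apiserver.advertiseAddress for the address clients should use."` — confirm the wording against the option docs in default.nix. The `bindAddress` rename entry also drops the spaces inside its second bracket list (`["services" …]`) unlike every neighbouring line. The two zsh.nix hunks on this line are a pure removal covered by the `enableAutosuggestions` rename entry in the next hunk.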
@@ -197,6 +200,12 @@ with lib; (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) + # postgresqlBackup + (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' + A systemd timer is now used instead of cron. + The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. + '') + # Profile splitting (mkRenamedOptionModule [ "virtualization" "growPartition" ] [ "boot" "growPartition" ]) @@ -247,6 +256,8 @@ with lib; (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) + (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) + # Xen (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) diff --git a/nixos/modules/services/backup/duplicati.nix b/nixos/modules/services/backup/duplicati.nix index 9772ca4d20a7..379fde1fe038 100644 --- a/nixos/modules/services/backup/duplicati.nix +++ b/nixos/modules/services/backup/duplicati.nix @@ -9,6 +9,23 @@ in options = { services.duplicati = { enable = mkEnableOption "Duplicati"; + + port = mkOption { + default = 8200; + type = types.int; + description = '' + Port serving the web interface + ''; + }; + + interface = mkOption { + default = "lo"; + type = types.str; + description = '' + Listening interface for the web UI + Set it to "any" to listen on all available interfaces + ''; + }; }; }; 
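Review bot: The new `interface` default of `lo` changes behaviour for existing duplicati deployments, which until now got the hard-coded `--webservice-interface=any` (see the ExecStart hunk that follows); that is a sensible tightening of exposure, but nothing in the option text says so — add `Previously the web UI listened on all interfaces; it now defaults to loopback.` to the description and mention it in the release notes. The description also mixes the literal value `"any"` with interface names, so stating that the value is passed unchanged to `--webservice-interface` would make the accepted values clear. The `port` description could likewise say that it is passed to `--webservice-port`.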
@@ -22,7 +39,7 @@ in serviceConfig = { User = "duplicati"; Group = "duplicati"; - ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=any --webservice-port=8200 --server-datafolder=/var/lib/duplicati"; + ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=${cfg.interface} --webservice-port=${toString cfg.port} --server-datafolder=/var/lib/duplicati"; Restart = "on-failure"; }; }; diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index 4a5ebebc682e..2ec78ce6f2cf 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -3,18 +3,41 @@ with lib; let - inherit (pkgs) gzip; - location = config.services.postgresqlBackup.location; + cfg = config.services.postgresqlBackup; - postgresqlBackupCron = db: - '' - ${config.services.postgresqlBackup.period} root ${config.services.postgresql.package}/bin/pg_dump ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz - ''; + postgresqlBackupService = db : + { + enable = true; -in + description = "Backup of database ${db}"; -{ + requires = [ "postgresql.service" ]; + + preStart = '' + mkdir -m 0700 -p ${cfg.location} + chown postgres ${cfg.location} + ''; + + script = '' + if [ -e ${cfg.location}/${db}.sql.gz ]; then + ${pkgs.coreutils}/bin/mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz + fi + + ${config.services.postgresql.package}/bin/pg_dump ${cfg.pgdumpOptions} ${db} | \ + ${pkgs.gzip}/bin/gzip -c > ${cfg.location}/${db}.sql.gz + ''; + + serviceConfig = { + Type = "oneshot"; + PermissionsStartOnly = "true"; + User = "postgres"; + }; + + startAt = cfg.startAt; + }; + +in { options = { 
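Review bot: In the postgresql-backup hunk, the dump is written straight to `${cfg.location}/${db}.sql.gz` after the previous archive has already been rotated to `.prev`, so a `pg_dump` failure part-way through leaves a truncated archive as the current backup — and because the pipeline's exit status is gzip's, the unit will likely report success; the NixOS `script` wrapper sets `-e` as far as I know but not `pipefail`, so that needs to be explicit too. Dump to a temporary name first, rotate only after the pipeline succeeded, and rename the temporary file into place. `${db}` is interpolated unquoted into the shell script; it comes from `cfg.databases`, i.e. administrator input, but quoting it costs nothing. The `postgresqlBackupService` function this hunk adds is complete within the hunk; its consumer in `config` is in a later hunk.
```nix
      script = ''
        set -o pipefail
        # Dump to a temporary file first so a failed run never replaces the last good archive.
        ${config.services.postgresql.package}/bin/pg_dump ${cfg.pgdumpOptions} "${db}" | \
          ${pkgs.gzip}/bin/gzip -c > "${cfg.location}/${db}.in-progress.sql.gz"
        if [ -e "${cfg.location}/${db}.sql.gz" ]; then
          ${pkgs.coreutils}/bin/mv "${cfg.location}/${db}.sql.gz" "${cfg.location}/${db}.prev.sql.gz"
        fi
        ${pkgs.coreutils}/bin/mv "${cfg.location}/${db}.in-progress.sql.gz" "${cfg.location}/${db}.sql.gz"
      '';
```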
@@ -27,10 +50,10 @@ in ''; }; - period = mkOption { - default = "15 01 * * *"; + startAt = mkOption { + default = "*-*-* 01:15:00"; description = '' - This option defines (in the format used by cron) when the + This option defines (see <literal>systemd.time</literal> for format) when the databases should be dumped. The default is to update at 01:15 (at night) every day. ''; @@ -49,18 +72,23 @@ in Location to put the gzipped PostgreSQL database dumps. ''; }; + + pgdumpOptions = mkOption { + type = types.string; + default = "-Cbo"; + description = '' + Command line options for pg_dump. + ''; + }; }; }; config = mkIf config.services.postgresqlBackup.enable { - services.cron.systemCronJobs = map postgresqlBackupCron config.services.postgresqlBackup.databases; - system.activationScripts.postgresqlBackup = stringAfter [ "stdio" "users" ] - '' - mkdir -m 0700 -p ${config.services.postgresqlBackup.location} - chown root ${config.services.postgresqlBackup.location} - ''; + systemd.services = listToAttrs (map (db : { + name = "postgresqlBackup-${db}"; + value = postgresqlBackupService db; } ) cfg.databases); }; } diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix index 8c1f35ec651b..6d9faada4401 100644 --- a/nixos/modules/services/cluster/kubernetes/dashboard.nix +++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix 
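Review bot: `pgdumpOptions` is declared with `type = types.string;` while the rest of this change (and the other modules in the commit) use `types.str`; `types.string` is the older variant that merges multiple definitions by concatenation, which is not what you want for a command-line option string, so use `type = types.str;`. The `config = mkIf config.services.postgresqlBackup.enable` guard in the last hunk would also read more consistently as `mkIf cfg.enable` now that `cfg` exists. The `startAt` option's `type` is not visible inside the hunk, so I cannot tell whether it is constrained to a string.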
@@ -4,29 +4,51 @@ with lib; let cfg = config.services.kubernetes.addons.dashboard; - - name = "k8s.gcr.io/kubernetes-dashboard-amd64"; - version = "v1.8.3"; - - image = pkgs.dockerTools.pullImage { - imageName = name; - imageDigest = "sha256:dc4026c1b595435ef5527ca598e1e9c4343076926d7d62b365c44831395adbd0"; - finalImageTag = version; - sha256 = "18ajcg0q1vignfjk2sm4xj4wzphfz8wah69ps8dklqfvv0164mc8"; - }; in { options.services.kubernetes.addons.dashboard = { enable = mkEnableOption "kubernetes dashboard addon"; - enableRBAC = mkOption { - description = "Whether to enable role based access control is enabled for kubernetes dashboard"; - type = types.bool; - default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode; + rbac = mkOption { + description = "Role-based access control (RBAC) options"; + type = types.submodule { + + options = { + enable = mkOption { + description = "Whether to enable role based access control is enabled for kubernetes dashboard"; + type = types.bool; + default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode; + }; + + clusterAdmin = mkOption { + description = "Whether to assign cluster admin rights to the kubernetes dashboard"; + type = types.bool; + default = false; + }; + + }; + }; + }; + + version = mkOption { + description = "Which version of the kubernetes dashboard to deploy"; + type = types.str; + default = "v1.8.3"; + }; + + image = mkOption { + description = "Docker image to seed for the kubernetes dashboard container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/kubernetes-dashboard-amd64"; + imageDigest = "sha256:dc4026c1b595435ef5527ca598e1e9c4343076926d7d62b365c44831395adbd0"; + finalImageTag = cfg.version; + sha256 = "18ajcg0q1vignfjk2sm4xj4wzphfz8wah69ps8dklqfvv0164mc8"; + }; }; }; config = mkIf cfg.enable { - services.kubernetes.kubelet.seedDockerImages = [image]; + services.kubernetes.kubelet.seedDockerImages = [(pkgs.dockerTools.pullImage cfg.image)]; 
services.kubernetes.addonManager.addons = { kubernetes-dashboard-deployment = { @@ -36,7 +58,7 @@ in { labels = { k8s-addon = "kubernetes-dashboard.addons.k8s.io"; k8s-app = "kubernetes-dashboard"; - version = version; + version = cfg.version; "kubernetes.io/cluster-service" = "true"; "addonmanager.kubernetes.io/mode" = "Reconcile"; }; @@ -52,7 +74,7 @@ in { labels = { k8s-addon = "kubernetes-dashboard.addons.k8s.io"; k8s-app = "kubernetes-dashboard"; - version = version; + version = cfg.version; "kubernetes.io/cluster-service" = "true"; }; annotations = { @@ -63,7 +85,7 @@ in { priorityClassName = "system-cluster-critical"; containers = [{ name = "kubernetes-dashboard"; - image = "${name}:${version}"; + image = with cfg.image; "${imageName}:${finalImageTag}"; ports = [{ containerPort = 8443; protocol = "TCP"; 
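Review bot: The `rbac.clusterAdmin` description should spell out the consequence of enabling it: the dashboard's service account is bound to the `cluster-admin` ClusterRole (see the later hunk), so anyone who can use the dashboard UI acts with full cluster privileges — suggest `Whether to bind the dashboard service account to the cluster-admin ClusterRole. Anyone able to use the dashboard then has full cluster access; prefer the default minimal role.` The `rbac.enable` description carries over a grammar slip from the old option; `Whether role based access control is enabled for the kubernetes dashboard` reads correctly. The `image` option is typed `types.attrs`, so an override that omits `imageDigest` or `sha256` is only caught inside `pullImage`; a `types.submodule` with the four fields as `types.str` options would give an option-level error and document the expected keys.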
@@ -195,29 +217,106 @@ in { namespace = "kube-system"; }; }; - } // (optionalAttrs cfg.enableRBAC { - kubernetes-dashboard-crb = { - apiVersion = "rbac.authorization.k8s.io/v1"; - kind = "ClusterRoleBinding"; - metadata = { - name = "kubernetes-dashboard"; - labels = { - k8s-app = "kubernetes-dashboard"; - k8s-addon = "kubernetes-dashboard.addons.k8s.io"; - "addonmanager.kubernetes.io/mode" = "Reconcile"; - }; - }; - roleRef = { - apiGroup = "rbac.authorization.k8s.io"; - kind = "ClusterRole"; - name = "cluster-admin"; - }; + } // (optionalAttrs cfg.rbac.enable + (let subjects = [{ kind = "ServiceAccount"; name = "kubernetes-dashboard"; namespace = "kube-system"; }]; - }; - }); + labels = { + k8s-app = "kubernetes-dashboard"; + k8s-addon = "kubernetes-dashboard.addons.k8s.io"; + "addonmanager.kubernetes.io/mode" = "Reconcile"; + }; + in + (if cfg.rbac.clusterAdmin then { + kubernetes-dashboard-crb = { + apiVersion = "rbac.authorization.k8s.io/v1"; + kind = "ClusterRoleBinding"; + metadata = { + name = "kubernetes-dashboard"; + inherit labels; + }; + roleRef = { + apiGroup = "rbac.authorization.k8s.io"; + kind = "ClusterRole"; + name = "cluster-admin"; + }; + inherit subjects; + }; + } + else + { + # Upstream role- and rolebinding as per: + # https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml + kubernetes-dashboard-role = { + apiVersion = "rbac.authorization.k8s.io/v1"; + kind = "Role"; + metadata = { + name = "kubernetes-dashboard-minimal"; + namespace = "kube-system"; + inherit labels; + }; + rules = [ + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. + { + apiGroups = [""]; + resources = ["secrets"]; + verbs = ["create"]; + } + # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. + { + apiGroups = [""]; + resources = ["configmaps"]; + verbs = ["create"]; + } + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 
+ { + apiGroups = [""]; + resources = ["secrets"]; + resourceNames = ["kubernetes-dashboard-key-holder"]; + verbs = ["get" "update" "delete"]; + } + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + { + apiGroups = [""]; + resources = ["configmaps"]; + resourceNames = ["kubernetes-dashboard-settings"]; + verbs = ["get" "update"]; + } + # Allow Dashboard to get metrics from heapster. + { + apiGroups = [""]; + resources = ["services"]; + resourceNames = ["heapster"]; + verbs = ["proxy"]; + } + { + apiGroups = [""]; + resources = ["services/proxy"]; + resourceNames = ["heapster" "http:heapster:" "https:heapster:"]; + verbs = ["get"]; + } + ]; + }; + + kubernetes-dashboard-rb = { + apiVersion = "rbac.authorization.k8s.io/v1"; + kind = "RoleBinding"; + metadata = { + name = "kubernetes-dashboard-minimal"; + namespace = "kube-system"; + inherit labels; + }; + roleRef = { + apiGroup = "rbac.authorization.k8s.io"; + kind = "Role"; + name = "kubernetes-dashboard-minimal"; + }; + inherit subjects; + }; + }) + )); }; } diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index e624f41601b3..5e87ae88f5a8 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -73,7 +73,9 @@ let mkKubeConfigOptions = prefix: { server = mkOption { description = "${prefix} kube-apiserver server address."; - default = "http://${cfg.apiserver.address}:${toString cfg.apiserver.port}"; + default = "http://${if cfg.apiserver.advertiseAddress != null + then cfg.apiserver.advertiseAddress + else "127.0.0.1"}:${toString cfg.apiserver.port}"; type = types.str; }; 
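Review bot: The comment pointing at the upstream manifest references `master`, so the `kubernetes-dashboard-minimal` rules copied into this hunk will drift from what a reader finds at that URL; pin the link to the tag that matches the `version` default (`v1.8.3`) so the rules can be audited against a fixed revision. Defaulting to a namespaced minimal Role instead of cluster-admin is the right call; a one-line comment on the `if cfg.rbac.clusterAdmin` branch, e.g. `# Legacy behaviour: full cluster-admin binding for the dashboard service account.`, would tell readers why the branch exists. The `services.kubernetes.addonManager.addons` attrset this hunk closes starts outside the hunk.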
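Review bot: The new default for the kubeconfig `server` option combines `advertiseAddress` with the plain-HTTP insecure port (`cfg.apiserver.port`), but the apiserver ExecStart hunk later in this commit passes `--insecure-port` alongside `--bind-address` (which the new option text says is the secure port's address) and, as far as this diff shows, no `--insecure-bind-address`, so the insecure port stays on kube-apiserver's own loopback default and `http://<advertiseAddress>:<port>` is unlikely to be reachable. It also steers clients towards an unauthenticated plaintext endpoint on a non-loopback address. Consider keeping `127.0.0.1` for the `http://` default and leaving `advertiseAddress` to the `https://`/`securePort` case where the kubeconfig carries certificates.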
@@ -103,12 +105,18 @@ let keyFile = mkDefault cfg.kubeconfig.keyFile; }; - cniConfig = pkgs.buildEnv { - name = "kubernetes-cni-config"; - paths = imap (i: entry: - pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry) - ) cfg.kubelet.cni.config; - }; + cniConfig = + if cfg.kubelet.cni.config != [] && !(isNull cfg.kubelet.cni.configDir) then + throw "Verbatim CNI-config and CNI configDir cannot both be set." + else if !(isNull cfg.kubelet.cni.configDir) then + cfg.kubelet.cni.configDir + else + (pkgs.buildEnv { + name = "kubernetes-cni-config"; + paths = imap (i: entry: + pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry) + ) cfg.kubelet.cni.config; + }); manifests = pkgs.buildEnv { name = "kubernetes-manifests"; @@ -244,18 +252,13 @@ in { type = types.listOf types.str; }; - address = mkOption { - description = "Kubernetes apiserver listening address."; - default = "127.0.0.1"; - type = types.str; - }; - - publicAddress = mkOption { + bindAddress = mkOption { description = '' - Kubernetes apiserver public listening address used for read only and - secure port. + The IP address on which to listen for the --secure-port port. + The associated interface(s) must be reachable by the rest + of the cluster, and by CLI/web clients. ''; - default = cfg.apiserver.address; + default = "0.0.0.0"; type = types.str; }; @@ -329,11 +332,11 @@ in { authorizationMode = mkOption { description = '' - Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See + Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/> ''; default = ["RBAC" "Node"]; - type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]); + type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]); }; authorizationPolicy = mkOption { 
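Review bot: `bindAddress` defaults to `0.0.0.0`, whereas the removed `address` option bound to `127.0.0.1`, so after this change the apiserver's secure port is exposed on every interface of existing deployments by default and nothing in the option text says so; add `Defaults to all interfaces; set a specific address if the API server must not be reachable from every network the host is on.` to the description and mention the change in the release notes. In the `cniConfig` hunk above, `isNull` is marked deprecated in the Nix manual in favour of `== null`, and the `throw` inside a let-binding surfaces as a bare evaluation error; an entry in the module's `assertions` with the same message would give the user a normal option error.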
@@ -345,6 +348,15 @@ in { type = types.listOf types.attrs; }; + webhookConfig = mkOption { + description = '' + Kubernetes apiserver Webhook config file. It uses the kubeconfig file format. + See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/webhook/"/> + ''; + default = null; + type = types.nullOr types.path; + }; + allowPrivileged = mkOption { description = "Whether to allow privileged containers on Kubernetes."; default = true; @@ -670,6 +682,12 @@ in { }] ''; }; + + configDir = mkOption { + description = "Path to Kubernetes CNI configuration directory."; + type = types.nullOr types.path; + default = null; + }; }; manifests = mkOption { @@ -892,7 +910,7 @@ in { (mkIf cfg.apiserver.enable { systemd.services.kube-apiserver = { - description = "Kubernetes Kubelet Service"; + description = "Kubernetes APIServer Service"; wantedBy = [ "kubernetes.target" ]; after = [ "network.target" "docker.service" ]; serviceConfig = { @@ -906,7 +924,7 @@ in { ${optionalString (cfg.etcd.keyFile != null) "--etcd-keyfile=${cfg.etcd.keyFile}"} \ --insecure-port=${toString cfg.apiserver.port} \ - --bind-address=${toString cfg.apiserver.address} \ + --bind-address=${cfg.apiserver.bindAddress} \ ${optionalString (cfg.apiserver.advertiseAddress != null) "--advertise-address=${cfg.apiserver.advertiseAddress}"} \ --allow-privileged=${boolToString cfg.apiserver.allowPrivileged}\ @@ -934,6 +952,9 @@ in { (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy) }" } \ + ${optionalString (elem "Webhook" cfg.apiserver.authorizationMode) + "--authorization-webhook-config-file=${cfg.apiserver.webhookConfig}" + } \ --secure-port=${toString cfg.apiserver.securePort} \ --service-cluster-ip-range=${cfg.apiserver.serviceClusterIpRange} \ ${optionalString (cfg.apiserver.runtimeConfig != "") diff --git a/nixos/modules/services/cluster/kubernetes/dns.nix b/nixos/modules/services/cluster/kubernetes/dns.nix index 9751e5f7cf0a..43bbb50a48d4 100644 
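Review bot: When `Webhook` is in `authorizationMode` but `webhookConfig` keeps its `null` default, the last hunk on this line interpolates `${cfg.apiserver.webhookConfig}` and evaluation fails with a type error about coercing null rather than a message naming the option; add `{ assertion = elem "Webhook" cfg.apiserver.authorizationMode -> cfg.apiserver.webhookConfig != null; message = "services.kubernetes.apiserver.webhookConfig must be set when authorizationMode contains Webhook"; }` to the module's assertions. The `kube-apiserver` ExecStart string these hunks edit starts and ends outside the hunks, so I cannot check whether the insecure bind address is set anywhere else.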
--- a/nixos/modules/services/cluster/kubernetes/dns.nix +++ b/nixos/modules/services/cluster/kubernetes/dns.nix @@ -4,28 +4,6 @@ with lib; let version = "1.14.10"; - - k8s-dns-kube-dns = pkgs.dockerTools.pullImage { - imageName = "k8s.gcr.io/k8s-dns-kube-dns-amd64"; - imageDigest = "sha256:b99fc3eee2a9f052f7eb4cc00f15eb12fc405fa41019baa2d6b79847ae7284a8"; - finalImageTag = version; - sha256 = "0x583znk9smqn0fix7ld8sm5jgaxhqhx3fq97b1wkqm7iwhvl3pj"; - }; - - k8s-dns-dnsmasq-nanny = pkgs.dockerTools.pullImage { - imageName = "k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64"; - imageDigest = "sha256:bbb2a290a568125b3b996028958eb773f33b5b87a6b37bf38a28f8b62dddb3c8"; - finalImageTag = version; - sha256 = "1fihml7s2mfwgac51cbqpylkwbivc8nyhgi4vb820s83zvl8a6y1"; - }; - - k8s-dns-sidecar = pkgs.dockerTools.pullImage { - imageName = "k8s.gcr.io/k8s-dns-sidecar-amd64"; - imageDigest = "sha256:4f1ab957f87b94a5ec1edc26fae50da2175461f00afecf68940c4aa079bd08a4"; - finalImageTag = version; - sha256 = "08l1bv5jgrhvjzpqpbinrkgvv52snc4fzyd8ya9v18ns2klyz7m0"; - }; - cfg = config.services.kubernetes.addons.dns; in { options.services.kubernetes.addons.dns = { 
@@ -48,13 +26,46 @@ in { default = "cluster.local"; type = types.str; }; + + kube-dns = mkOption { + description = "Docker image to seed for the kube-dns main container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/k8s-dns-kube-dns-amd64"; + imageDigest = "sha256:b99fc3eee2a9f052f7eb4cc00f15eb12fc405fa41019baa2d6b79847ae7284a8"; + finalImageTag = version; + sha256 = "0x583znk9smqn0fix7ld8sm5jgaxhqhx3fq97b1wkqm7iwhvl3pj"; + }; + }; + + dnsmasq-nanny = mkOption { + description = "Docker image to seed for the kube-dns dnsmasq container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64"; + imageDigest = "sha256:bbb2a290a568125b3b996028958eb773f33b5b87a6b37bf38a28f8b62dddb3c8"; + finalImageTag = version; + sha256 = "1fihml7s2mfwgac51cbqpylkwbivc8nyhgi4vb820s83zvl8a6y1"; + }; + }; + + sidecar = mkOption { + description = "Docker image to seed for the kube-dns sidecar container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/k8s-dns-sidecar-amd64"; + imageDigest = "sha256:4f1ab957f87b94a5ec1edc26fae50da2175461f00afecf68940c4aa079bd08a4"; + finalImageTag = version; + sha256 = "08l1bv5jgrhvjzpqpbinrkgvv52snc4fzyd8ya9v18ns2klyz7m0"; + }; + }; }; config = mkIf cfg.enable { - services.kubernetes.kubelet.seedDockerImages = [ - k8s-dns-kube-dns - k8s-dns-dnsmasq-nanny - k8s-dns-sidecar + services.kubernetes.kubelet.seedDockerImages = with pkgs.dockerTools; [ + (pullImage cfg.kube-dns) + (pullImage cfg.dnsmasq-nanny) + (pullImage cfg.sidecar) ]; services.kubernetes.addonManager.addons = { @@ -88,7 +99,7 @@ in { containers = [ { name = "kubedns"; - image = "k8s.gcr.io/k8s-dns-kube-dns-amd64:${version}"; + image = with cfg.kube-dns; "${imageName}:${finalImageTag}"; resources = { limits.memory = "170Mi"; requests = { 
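Review bot: The three image options are typed `types.attrs`, so an override that omits `imageDigest` or `sha256` is only caught inside `dockerTools.pullImage`; a `types.submodule` with `imageName`, `imageDigest`, `finalImageTag` and `sha256` as `types.str` options would report the missing field at the option level and document the expected keys. The digest and sha256 in each default are what pin the seeded image, so the descriptions could add `Override all four fields together; the digest pins the exact image that is seeded.` The pod specs in the later hunks reference the image by tag only, so the pin holds only as long as the kubelet does not re-pull by tag — presumably the pull policy outside this diff handles that.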
@@ -154,7 +165,7 @@ in { } { name = "dnsmasq"; - image = "k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:${version}"; + image = with cfg.dnsmasq-nanny; "${imageName}:${finalImageTag}"; livenessProbe = { httpGet = { path = "/healthcheck/dnsmasq"; @@ -206,7 +217,7 @@ in { } { name = "sidecar"; - image = "k8s.gcr.io/k8s-dns-sidecar-amd64:${version}"; + image = with cfg.sidecar; "${imageName}:${finalImageTag}"; livenessProbe = { httpGet = { path = "/metrics"; diff --git a/nixos/modules/services/databases/pgmanage.nix b/nixos/modules/services/databases/pgmanage.nix index d1b48c06440e..1a34c7f5ecee 100644 --- a/nixos/modules/services/databases/pgmanage.nix +++ b/nixos/modules/services/databases/pgmanage.nix @@ -41,7 +41,9 @@ let pgmanage = "pgmanage"; - pgmanageOptions = { +in { + + options.services.pgmanage = { enable = mkEnableOption "PostgreSQL Administration for the web"; package = mkOption { 
@@ -176,47 +178,29 @@ let }; }; - -in { - - options.services.pgmanage = pgmanageOptions; - - # This is deprecated and should be removed for NixOS-18.03. - options.services.postage = pgmanageOptions; - - config = mkMerge [ - { assertions = [ - { assertion = !config.services.postage.enable; - message = - "services.postage is deprecated in favour of pgmanage. " + - "They have the same options so just substitute postage for pgmanage." ; - } - ]; - } - (mkIf cfg.enable { - systemd.services.pgmanage = { - description = "pgmanage - PostgreSQL Administration for the web"; - wants = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = pgmanage; - Group = pgmanage; - ExecStart = "${pkgs.pgmanage}/sbin/pgmanage -c ${confFile}" + - optionalString cfg.localOnly " --local-only=true"; - }; + config = mkIf cfg.enable { + systemd.services.pgmanage = { + description = "pgmanage - PostgreSQL Administration for the web"; + wants = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = pgmanage; + Group = pgmanage; + ExecStart = "${pkgs.pgmanage}/sbin/pgmanage -c ${confFile}" + + optionalString cfg.localOnly " --local-only=true"; }; - users = { - users."${pgmanage}" = { - name = pgmanage; - group = pgmanage; - home = cfg.sqlRoot; - createHome = true; - }; - groups."${pgmanage}" = { - name = pgmanage; - }; + }; + users = { + users."${pgmanage}" = { + name = pgmanage; + group = pgmanage; + home = cfg.sqlRoot; + createHome = true; }; - }) - ]; + groups."${pgmanage}" = { + name = pgmanage; + }; + }; + }; } diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 4ad4728ccda6..42d61fa1b368 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix 
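Review bot: Dropping `options.services.postage` together with its assertion means a configuration that still sets `services.postage.*` now fails with a generic "option does not exist" error instead of the deprecation message; add rename entries to `rename.nix` for the old paths, e.g. `(mkRenamedOptionModule [ "services" "postage" "enable" ] [ "services" "pgmanage" "enable" ])` and likewise for the other options — the rename.nix hunks in this commit do not include any. The collapse of `mkMerge [ … ]` into a single `mkIf cfg.enable { … }` is otherwise a pure re-indentation of the service and user definitions.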
@@ -24,14 +24,13 @@ let postgresql = postgresqlAndPlugins cfg.package; - flags = optional cfg.enableTCPIP "-i"; - # The main PostgreSQL configuration file. configFile = pkgs.writeText "postgresql.conf" '' hba_file = '${pkgs.writeText "pg_hba.conf" cfg.authentication}' ident_file = '${pkgs.writeText "pg_ident.conf" cfg.identMap}' log_destination = 'stderr' + listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}' port = ${toString cfg.port} ${cfg.extraConfig} ''; @@ -229,7 +228,7 @@ in "${cfg.dataDir}/recovery.conf" ''} - exec postgres ${toString flags} + exec postgres ''; serviceConfig = diff --git a/nixos/modules/services/logging/journaldriver.nix b/nixos/modules/services/logging/journaldriver.nix new file mode 100644 index 000000000000..74ac3d4c2365 --- /dev/null +++ b/nixos/modules/services/logging/journaldriver.nix 
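Review bot: The new `listen_addresses` line is emitted before `${cfg.extraConfig}`, so a `listen_addresses` set in extraConfig now wins, whereas the removed `-i` command-line flag, if I read PostgreSQL's precedence correctly, overrode anything in postgresql.conf; that is a small behaviour change worth recording in the `enableTCPIP` option description, which lies outside this hunk. Suggested wording: `Whether PostgreSQL should listen on all network interfaces (listen_addresses = '*'); when disabled it binds to localhost only. A listen_addresses setting in extraConfig takes precedence over this option.`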
@@ -0,0 +1,112 @@
+# This module implements a systemd service for running journaldriver,
+# a log forwarding agent that sends logs from journald to Stackdriver
+# Logging.
+#
+# It can be enabled without extra configuration when running on GCP.
+# On machines hosted elsewhere, the other configuration options need
+# to be set.
+#
+# For further information please consult the documentation in the
+# upstream repository at: https://github.com/aprilabank/journaldriver/
+
+{ config, lib, pkgs, ...}:
+
+with lib; let cfg = config.services.journaldriver;
+in {
+ options.services.journaldriver = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable journaldriver to forward journald logs to
+ Stackdriver Logging.
+ '';
+ };
+
+ logLevel = mkOption {
+ type = types.str;
+ default = "info";
+ description = ''
+ Log level at which journaldriver logs its own output.
+ '';
+ };
+
+ logName = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ Configures the name of the target log in Stackdriver Logging.
+ This option can be set to, for example, the hostname of a
+ machine to improve the user experience in the logging
+ overview.
+ '';
+ };
+
+ googleCloudProject = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ Configures the name of the Google Cloud project to which to
+ forward journald logs.
+
+ This option is required on non-GCP machines, but should not be
+ set on GCP instances.
+ '';
+ };
+
+ logStream = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ Configures the name of the Stackdriver Logging log stream into
+ which to write journald entries.
+
+ This option is required on non-GCP machines, but should not be
+ set on GCP instances.
+ ''; + }; + + applicationCredentials = mkOption { + type = with types; nullOr path; + default = null; + description = '' + Path to the service account private key (in JSON-format) used + to forward log entries to Stackdriver Logging on non-GCP + instances. + + This option is required on non-GCP machines, but should not be + set on GCP instances. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.journaldriver = { + description = "Stackdriver Logging journal forwarder"; + script = "${pkgs.journaldriver}/bin/journaldriver"; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "always"; + DynamicUser = true; + + # This directive lets systemd automatically configure + # permissions on /var/lib/journaldriver, the directory in + # which journaldriver persists its cursor state. + StateDirectory = "journaldriver"; + + # This group is required for accessing journald. + SupplementaryGroups = "systemd-journal"; + }; + + environment = { + RUST_LOG = cfg.logLevel; + LOG_NAME = cfg.logName; + LOG_STREAM = cfg.logStream; + GOOGLE_CLOUD_PROJECT = cfg.googleCloudProject; + GOOGLE_APPLICATION_CREDENTIALS = cfg.applicationCredentials; + }; + }; + }; +} diff --git a/nixos/modules/services/mail/opensmtpd.nix b/nixos/modules/services/mail/opensmtpd.nix index 53acdba42457..f9b890532ceb 100644 --- a/nixos/modules/services/mail/opensmtpd.nix +++ b/nixos/modules/services/mail/opensmtpd.nix @@ -10,7 +10,7 @@ let sendmail = pkgs.runCommand "opensmtpd-sendmail" {} '' mkdir -p $out/bin - ln -s ${pkgs.opensmtpd}/sbin/smtpctl $out/bin/sendmail + ln -s ${cfg.package}/sbin/smtpctl $out/bin/sendmail ''; in { @@ -27,6 +27,13 @@ in { description = "Whether to enable the OpenSMTPD server."; }; + package = mkOption { + type = types.package; + default = pkgs.opensmtpd; + defaultText = "pkgs.opensmtpd"; + description = "The OpenSMTPD package to use."; + }; + addSendmailToSystemPath = mkOption { type = types.bool; default = true; 
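Review bot: `applicationCredentials` is typed `nullOr path`, so a user who writes `applicationCredentials = ./key.json;` has the service-account private key copied into the world-readable Nix store, and nothing in the description warns about it. Suggested addition to the description: `The file must be readable by the service's dynamic user and should live outside the Nix store; pass the location as a string rather than a path literal so the key is not copied into /nix/store.` The same reading-permission point applies to `DynamicUser = true` further down: the transient user has no fixed uid, so the key file needs group or world read permission or a `LoadCredential`-style mechanism. The `environment` block also forwards `null` values for unset options; that appears to rely on the module system filtering them, which is fine if so but worth a one-line comment.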
@@ -97,7 +104,7 @@ in { systemd.services.opensmtpd = let procEnv = pkgs.buildEnv { name = "opensmtpd-procs"; - paths = [ pkgs.opensmtpd ] ++ cfg.procPackages; + paths = [ cfg.package ] ++ cfg.procPackages; pathsToLink = [ "/libexec/opensmtpd" ]; }; in { @@ -115,7 +122,7 @@ in { chown smtpq.root /var/spool/smtpd/purge chmod 700 /var/spool/smtpd/purge ''; - serviceConfig.ExecStart = "${pkgs.opensmtpd}/sbin/smtpd -d -f ${conf} ${args}"; + serviceConfig.ExecStart = "${cfg.package}/sbin/smtpd -d -f ${conf} ${args}"; environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd"; }; diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix index 45931cb42b54..f628da4ac4c0 100644 --- a/nixos/modules/services/misc/docker-registry.nix +++ b/nixos/modules/services/misc/docker-registry.nix @@ -42,7 +42,7 @@ let }; }; - configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (registryConfig // cfg.extraConfig)); + configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (recursiveUpdate registryConfig cfg.extraConfig)); in { options.services.dockerRegistry = { @@ -91,7 +91,7 @@ in { Docker extra registry configuration via environment variables. ''; default = {}; - type = types.attrsOf types.str; + type = types.attrs; }; enableGarbageCollect = mkEnableOption "garbage collect"; @@ -120,6 +120,7 @@ in { serviceConfig = { User = "docker-registry"; WorkingDirectory = cfg.storagePath; + AmbientCapabilities = mkIf (cfg.port < 1024) "cap_net_bind_service"; }; }; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 429ce09ea68f..0ee105e4c6f1 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix 
@@ -130,11 +130,13 @@ in default = false; description = " If set, Nix will perform builds in a sandboxed environment that it - will set up automatically for each build. This prevents - impurities in builds by disallowing access to dependencies - outside of the Nix store. This isn't enabled by default for - performance. It doesn't affect derivation hashes, so changing - this option will not trigger a rebuild of packages. + will set up automatically for each build. This prevents impurities + in builds by disallowing access to dependencies outside of the Nix + store by using network and mount namespaces in a chroot environment. + This isn't enabled by default for possible performance impacts due to + the initial setup time of a sandbox for each build. It doesn't affect + derivation hashes, so changing this option will not trigger a rebuild + of packages. "; }; diff --git a/nixos/modules/services/misc/xmr-stak.nix b/nixos/modules/services/misc/xmr-stak.nix index 57f439365471..a87878c31e0d 100644 --- a/nixos/modules/services/misc/xmr-stak.nix +++ b/nixos/modules/services/misc/xmr-stak.nix @@ -10,9 +10,6 @@ let inherit (cfg) openclSupport cudaSupport; }; - xmrConfArg = optionalString (cfg.configText != "") ("-c " + - pkgs.writeText "xmr-stak-config.txt" cfg.configText); - in { 
@@ -29,22 +26,34 @@ in description = "List of parameters to pass to xmr-stak."; }; - configText = mkOption { - type = types.lines; - default = ""; - example = '' - "currency" : "monero", - "pool_list" : - [ { "pool_address" : "pool.supportxmr.com:5555", - "wallet_address" : "<long-hash>", - "pool_password" : "minername", - "pool_weight" : 1, - }, - ], + configFiles = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + { + "config.txt" = ''' + "verbose_level" : 4, + "h_print_time" : 60, + "tls_secure_algo" : true, + '''; + "pools.txt" = ''' + "currency" : "monero7", + "pool_list" : + [ { "pool_address" : "pool.supportxmr.com:443", + "wallet_address" : "my-wallet-address", + "rig_id" : "", + "pool_password" : "nixos", + "use_nicehash" : false, + "use_tls" : true, + "tls_fingerprint" : "", + "pool_weight" : 23 + }, + ], + '''; + } ''; description = '' - Verbatim xmr-stak config.txt. If empty, the <literal>-c</literal> - parameter will not be added to the xmr-stak command. + Content of config files like config.txt, pools.txt or cpu.txt. ''; }; }; @@ -58,10 +67,13 @@ in environment = mkIf cfg.cudaSupport { LD_LIBRARY_PATH = "${pkgs.linuxPackages_latest.nvidia_x11}/lib"; }; - script = '' - exec ${pkg}/bin/xmr-stak ${xmrConfArg} ${concatStringsSep " " cfg.extraArgs} - ''; + + preStart = concatStrings (flip mapAttrsToList cfg.configFiles (fn: content: '' + ln -sf '${pkgs.writeText "xmr-stak-${fn}" content}' '${fn}' + '')); + serviceConfig = let rootRequired = cfg.openclSupport || cfg.cudaSupport; in { + ExecStart = "${pkg}/bin/xmr-stak ${concatStringsSep " " cfg.extraArgs}"; # xmr-stak generates cpu and/or gpu configuration files WorkingDirectory = "/tmp"; PrivateTmp = true; 
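Review bot: Every entry of `configFiles` is written with `pkgs.writeText`, so the `pool_password` and wallet address that the example places in `pools.txt` end up world-readable in `/nix/store`; the `configFiles` description should say so. Suggested sentence for the description: `The contents are stored in the world-readable Nix store, so do not put secrets in them.` In `preStart` the attribute name `fn` is spliced into a single-quoted shell word, so a name containing a quote or a slash yields a broken command or a link outside the working directory; `ln -sf ${escapeShellArg (pkgs.writeText "xmr-stak-${fn}" content)} ${escapeShellArg fn}` is the safer form. The enclosing service definition starts before this hunk.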
@@ -70,4 +82,12 @@ in }; }; }; + + imports = [ + (mkRemovedOptionModule ["services" "xmr-stak" "configText"] '' + This option was removed in favour of `services.xmr-stak.configFiles` + because the new config file `pools.txt` was introduced. You are + now able to define all other config files like cpu.txt or amd.txt. + '') + ]; } diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix index 9bf266b38054..c287ca01feb5 100644 --- a/nixos/modules/services/networking/chrony.nix +++ b/nixos/modules/services/networking/chrony.nix @@ -109,7 +109,7 @@ in home = stateDir; }; - systemd.services.timesyncd.enable = mkForce false; + services.timesyncd.enable = mkForce false; systemd.services.chronyd = { description = "chrony NTP daemon"; diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix new file mode 100644 index 000000000000..12eee136e639 --- /dev/null +++ b/nixos/modules/services/networking/dnsdist.nix 
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.dnsdist;
+ configFile = pkgs.writeText "dndist.conf" ''
+ setLocal('${cfg.listenAddress}:${toString cfg.listenPort}')
+ ${cfg.extraConfig}
+ '';
+in {
+ options = {
+ services.dnsdist = {
+ enable = mkEnableOption "dnsdist domain name server";
+
+ listenAddress = mkOption {
+ type = types.str;
+ description = "Listen IP Address";
+ default = "0.0.0.0";
+ };
+ listenPort = mkOption {
+ type = types.int;
+ description = "Listen port";
+ default = 53;
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = ''
+ '';
+ description = ''
+ Extra lines to be added verbatim to dnsdist.conf.
+ '';
+ };
+ };
+ };
+
+ config = mkIf config.services.dnsdist.enable {
+ systemd.services.dnsdist = {
+ description = "dnsdist load balancer";
+ wantedBy = [ "multi-user.target" ];
+ after = ["network.target"];
+
+ serviceConfig = {
+ Restart="on-failure";
+ RestartSec="1";
+ DynamicUser = true;
+ StartLimitInterval="0";
+ PrivateTmp=true;
+ PrivateDevices=true;
+ CapabilityBoundingSet="CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}";
+ ProtectSystem="full";
+ ProtectHome=true;
+ RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";
+ LimitNOFILE="16384";
+ TasksMax="8192";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index da3827c35e63..89d8590093dd 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
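Review bot: With `DynamicUser = true` the daemon starts unprivileged, and `CapabilityBoundingSet` only limits what it may hold rather than granting anything, so binding the default `listenPort = 53` will fail at startup unless the capability is actually handed over: add `AmbientCapabilities = "CAP_NET_BIND_SERVICE";` next to the bounding set. The default `listenAddress = "0.0.0.0"` exposes the resolver on every interface; either default to `127.0.0.1` or state the exposure in the description, e.g. `Listen IP address; the default binds all IPv4 interfaces.` The `pkgs.writeText "dndist.conf"` name is misspelled (cosmetic, it only affects the store path).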
@@ -38,19 +38,19 @@ let # NAT the marked packets. ${optionalString (cfg.internalInterfaces != []) '' iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \ - -o ${cfg.externalInterface} ${dest} + ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} ''} # NAT packets coming from the internal IPs. ${concatMapStrings (range: '' iptables -w -t nat -A nixos-nat-post \ - -s '${range}' -o ${cfg.externalInterface} ${dest} + -s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} '') cfg.internalIPs} # NAT from external ports to internal ports. ${concatMapStrings (fwd: '' iptables -w -t nat -A nixos-nat-pre \ - -i ${cfg.externalInterface} -p ${fwd.proto} \ + -i ${toString cfg.externalInterface} -p ${fwd.proto} \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} @@ -81,7 +81,7 @@ let ${optionalString (cfg.dmzHost != null) '' iptables -w -t nat -A nixos-nat-pre \ - -i ${cfg.externalInterface} -j DNAT \ + -i ${toString cfg.externalInterface} -j DNAT \ --to-destination ${cfg.dmzHost} ''} @@ -134,7 +134,8 @@ in }; networking.nat.externalInterface = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; example = "eth1"; description = '' @@ -236,6 +237,15 @@ in { networking.firewall.extraCommands = mkBefore flushNat; } (mkIf config.networking.nat.enable { + assertions = [ + { assertion = (cfg.dmzHost != null) -> (cfg.externalInterface != null); + message = "networking.nat.dmzHost requires networking.nat.externalInterface"; + } + { assertion = (cfg.forwardPorts != []) -> (cfg.externalInterface != null); + message = "networking.nat.forwardPorts requires networking.nat.externalInterface"; + } + ]; + environment.systemPackages = [ pkgs.iptables ]; boot = { diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index f4c4adcaaeb8..816234506593 100644 
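Review bot: When `externalInterface` is null the two masquerade rules lose their `-o` match, so packets from `internalInterfaces` and `internalIPs` are source-NATed on whichever interface they leave by, including other internal ones; the option description, which is cut off at the end of the hunk, should state this consequence. Suggested sentence: `If null, masquerading is applied on every outgoing interface, and forwardPorts and dmzHost cannot be used.` The new assertions correctly fence off the `-i ${toString cfg.externalInterface}` rules, since `toString null` would otherwise silently produce an empty interface argument.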
--- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -38,6 +38,8 @@ let [device] wifi.scan-rand-mac-address=${if cfg.wifi.scanRandMacAddress then "yes" else "no"} + + ${cfg.extraConfig} ''; /* @@ -120,6 +122,14 @@ in { ''; }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Configuration appended to the generated NetworkManager.conf. + ''; + }; + unmanaged = mkOption { type = types.listOf types.string; default = []; diff --git a/nixos/modules/services/networking/owamp.nix b/nixos/modules/services/networking/owamp.nix new file mode 100644 index 000000000000..a0d3e70d8e57 --- /dev/null +++ b/nixos/modules/services/networking/owamp.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.owamp; +in +{ + + ###### interface + + options = { + services.owamp.enable = mkEnableOption ''Enable OWAMP server''; + }; + + + ###### implementation + + config = mkIf cfg.enable { + users.extraUsers = singleton { + name = "owamp"; + group = "owamp"; + description = "Owamp daemon"; + }; + + users.extraGroups = singleton { + name = "owamp"; + }; + + systemd.services.owamp = { + description = "Owamp server"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart="${pkgs.owamp}/bin/owampd -R /run/owamp -d /run/owamp -v -Z "; + PrivateTmp = true; + Restart = "always"; + Type="simple"; + User = "owamp"; + Group = "owamp"; + RuntimeDirectory = "owamp"; + StateDirectory = "owamp"; + AmbientCapabilities = "cap_net_bind_service"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 902e759f3a3a..961e72b2b810 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix 
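Review bot: `StateDirectory = "owamp"` creates `/var/lib/owamp`, but nothing in `ExecStart` refers to it; both `-R` and `-d` point at `/run/owamp`, which is tmpfs-backed and cleared on every boot. If `-d` is owampd's persistent data directory it should be `-d /var/lib/owamp`; otherwise the unused `StateDirectory` should go. The trailing space inside the `ExecStart` string is harmless but should be removed.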
@@ -334,7 +334,9 @@ in services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli"; environment.etc = authKeysFiles // - { "ssh/moduli".source = cfg.moduliFile; }; + { "ssh/moduli".source = cfg.moduliFile; + "ssh/sshd_config".text = cfg.extraConfig; + }; systemd = let @@ -365,7 +367,7 @@ in { ExecStart = (optionalString cfg.startWhenNeeded "-") + "${cfgc.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") + - "-f ${pkgs.writeText "sshd_config" cfg.extraConfig}"; + "-f /etc/ssh/sshd_config"; KillMode = "process"; } // (if cfg.startWhenNeeded then { StandardInput = "socket"; diff --git a/nixos/modules/services/networking/sslh.nix b/nixos/modules/services/networking/sslh.nix index e3d65c49fbf2..0222e8ce8b58 100644 --- a/nixos/modules/services/networking/sslh.nix +++ b/nixos/modules/services/networking/sslh.nix @@ -4,15 +4,14 @@ with lib; let cfg = config.services.sslh; + user = "sslh"; configFile = pkgs.writeText "sslh.conf" '' verbose: ${boolToString cfg.verbose}; foreground: true; inetd: false; numeric: false; - transparent: false; + transparent: ${boolToString cfg.transparent}; timeout: "${toString cfg.timeout}"; - user: "nobody"; - pidfile: "${cfg.pidfile}"; listen: ( @@ -50,16 +49,16 @@ in description = "Timeout in seconds."; }; - pidfile = mkOption { - type = types.path; - default = "/run/sslh.pid"; - description = "PID file path for sslh daemon."; + transparent = mkOption { + type = types.bool; + default = false; + description = "Will the services behind sslh (Apache, sshd and so on) see the external IP and ports as if the external world connected directly to them"; }; listenAddress = mkOption { type = types.str; - default = config.networking.hostName; - description = "Listening hostname."; + default = "0.0.0.0"; + description = "Listening address or hostname."; }; port = mkOption { 
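Review bot: `ExecStart` now points at the fixed path `/etc/ssh/sshd_config`, so the unit text no longer changes when `extraConfig` changes and `nixos-rebuild switch` will not restart sshd on a configuration edit; the previous store path in the command line did this implicitly. Unless a trigger already exists outside the hunk, add `restartTriggers = [ config.environment.etc."ssh/sshd_config".source ];` to the service definition. The service definition continues beyond this hunk.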
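Review bot: The default `listenAddress` for sslh changes from `config.networking.hostName` to `0.0.0.0`, which binds every IPv4 interface instead of the address the hostname resolves to; that is a silent exposure change for existing deployments and the description should make it explicit, e.g. `Listening address or hostname; the default binds all IPv4 interfaces.` The `transparent` description should also mention that enabling it installs iptables rules and sets `route_localnet` sysctls, since those side effects are easy to miss from the option alone.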
@@ -76,14 +75,91 @@ in }; }; - config = mkIf cfg.enable { - systemd.services.sslh = { - description = "Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.sslh}/bin/sslh -F${configFile}"; - serviceConfig.KillMode = "process"; - serviceConfig.PIDFile = "${cfg.pidfile}"; - }; - }; + config = mkMerge [ + (mkIf cfg.enable { + users.users.${user} = { + description = "sslh daemon user"; + isSystemUser = true; + }; + + systemd.services.sslh = { + description = "Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = user; + Group = "nogroup"; + PermissionsStartOnly = true; + Restart = "always"; + RestartSec = "1s"; + ExecStart = "${pkgs.sslh}/bin/sslh -F${configFile}"; + KillMode = "process"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID"; + PrivateTmp = true; + PrivateDevices = true; + ProtectSystem = "full"; + ProtectHome = true; + }; + }; + }) + + # code from https://github.com/yrutschle/sslh#transparent-proxy-support + # the only difference is using iptables mark 0x2 instead of 0x1 to avoid conflicts with nixos/nat module + (mkIf (cfg.enable && cfg.transparent) { + # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination + boot.kernel.sysctl."net.ipv4.conf.default.route_localnet" = 1; + boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1; + + systemd.services.sslh = let + iptablesCommands = [ + # DROP martian packets as they would have been if route_localnet was zero + # Note: packets not leaving the server aren't affected by this, thus sslh will still work + { table = "raw"; command = "PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP"; } + { table = "mangle"; command = "POSTROUTING ! 
-o lo -s 127.0.0.0/8 -j DROP"; } + # Mark all connections made by ssl for special treatment (here sslh is run as user ${user}) + { table = "nat"; command = "OUTPUT -m owner --uid-owner ${user} -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x02/0x0f"; } + # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark) + { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; } + ]; + ip6tablesCommands = [ + { table = "raw"; command = "PREROUTING ! -i lo -d ::1/128 -j DROP"; } + { table = "mangle"; command = "POSTROUTING ! -o lo -s ::1/128 -j DROP"; } + { table = "nat"; command = "OUTPUT -m owner --uid-owner ${user} -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x02/0x0f"; } + { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; } + ]; + in { + path = [ pkgs.iptables pkgs.iproute pkgs.procps ]; + + preStart = '' + # Cleanup old iptables entries which might be still there + ${concatMapStringsSep "\n" ({table, command}: "while iptables -w -t ${table} -D ${command} 2>/dev/null; do echo; done") iptablesCommands} + ${concatMapStringsSep "\n" ({table, command}: "iptables -w -t ${table} -A ${command}" ) iptablesCommands} + + # Configure routing for those marked packets + ip rule add fwmark 0x2 lookup 100 + ip route add local 0.0.0.0/0 dev lo table 100 + + '' + optionalString config.networking.enableIPv6 '' + ${concatMapStringsSep "\n" ({table, command}: "while ip6tables -w -t ${table} -D ${command} 2>/dev/null; do echo; done") ip6tablesCommands} + ${concatMapStringsSep "\n" ({table, command}: "ip6tables -w -t ${table} -A ${command}" ) ip6tablesCommands} + + ip -6 rule add fwmark 0x2 lookup 100 + ip -6 route add local ::/0 dev lo table 100 + ''; + + postStop = '' + ${concatMapStringsSep "\n" ({table, command}: "iptables -w -t ${table} -D 
${command}") iptablesCommands} + + ip rule del fwmark 0x2 lookup 100 + ip route del local 0.0.0.0/0 dev lo table 100 + '' + optionalString config.networking.enableIPv6 '' + ${concatMapStringsSep "\n" ({table, command}: "ip6tables -w -t ${table} -D ${command}") ip6tablesCommands} + + ip -6 rule del fwmark 0x2 lookup 100 + ip -6 route del local ::/0 dev lo table 100 + ''; + }; + }) + ]; } diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index ad211f41eef0..b16d299917fe 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -938,9 +938,12 @@ in { protection. ''; - hw_offload = mkYesNoParam no '' + hw_offload = mkEnumParam ["yes" "no" "auto"] "no" '' Enable hardware offload for this CHILD_SA, if supported by the IPsec - implementation. + implementation. The value <literal>yes</literal> enforces offloading + and the installation will fail if it's not supported by either kernel or + device. The value <literal>auto</literal> enables offloading, if it's + supported, but the installation does not fail otherwise. ''; start_action = mkEnumParam ["none" "trap" "start"] "none" '' diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index e3c9b5282b8c..77bcdae80191 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix 
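Review bot: `AmbientCapabilities` hands sslh `CAP_NET_ADMIN`, `CAP_SETGID` and `CAP_SETUID` unconditionally, although `CAP_NET_ADMIN` is only needed for the `IP_TRANSPARENT` sockets of transparent mode and the removed `user: "nobody"` line means sslh no longer switches user on its own. Scoping them keeps the default configuration at the minimum: `AmbientCapabilities = "CAP_NET_BIND_SERVICE" + optionalString cfg.transparent " CAP_NET_ADMIN CAP_SETGID CAP_SETUID";`. Whether transparent mode still requires the setuid/setgid pair should be confirmed against upstream before dropping them from that branch too. The iptables setup itself runs in `preStart` as root via `PermissionsStartOnly`, so it does not depend on these capabilities.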
@@ -163,12 +163,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; path = [ data.package ]; - restartTriggers = - let - drvlist = [ config.environment.etc."tinc/${network}/tinc.conf".source ] - ++ mapAttrsToList (host: _: config.environment.etc."tinc/${network}/hosts/${host}".source) data.hosts; - in # drvlist might be too long to be used directly - [ (builtins.hashString "sha256" (concatMapStrings (d: d.outPath) drvlist)) ]; + restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ]; serviceConfig = { Type = "simple"; Restart = "always"; @@ -207,7 +202,8 @@ in ${concatStringsSep "\n" (mapAttrsToList (network: data: optionalString (versionAtLeast data.package.version "1.1pre") '' makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \ - --add-flags "--pidfile=/run/tinc.${network}.pid" + --add-flags "--pidfile=/run/tinc.${network}.pid" \ + --add-flags "--config=/etc/tinc/${network}" '') cfg.networks)} ''; }; diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index f069a9883a7f..07936faaa133 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -60,7 +60,7 @@ in }; interfaces = mkOption { - default = [ "127.0.0.1" "::1" ]; + default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1"; type = types.listOf types.str; description = "What addresses the server should listen on."; }; 
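Review bot: The per-host files under `tinc/${network}/hosts/` are dropped from `restartTriggers`, so changing a peer's public key or address no longer restarts tincd; only `tinc.conf` edits do, which is a regression for key rotation. If the list was removed only because it grew too long for the unit file, keep a single trigger derived from the host files, for instance a hash over their concatenated contents as the removed code did over their store paths. The service definition starts before this hunk.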
@@ -112,8 +112,8 @@ in mkdir -m 0755 -p ${stateDir}/dev/ cp ${confFile} ${stateDir}/unbound.conf ${optionalString cfg.enableRootTrustAnchor '' - ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" - chown unbound ${stateDir} ${rootTrustAnchorFile} + ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + chown unbound ${stateDir} ${rootTrustAnchorFile} ''} touch ${stateDir}/dev/random ${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random @@ -126,6 +126,8 @@ in ProtectSystem = true; ProtectHome = true; PrivateDevices = true; + Restart = "always"; + RestartSec = "5s"; }; }; diff --git a/nixos/modules/services/networking/xrdp.nix b/nixos/modules/services/networking/xrdp.nix index bf23c6ae6192..0e882873b4ba 100644 --- a/nixos/modules/services/networking/xrdp.nix +++ b/nixos/modules/services/networking/xrdp.nix @@ -97,6 +97,7 @@ in # xrdp can run X11 program even if "services.xserver.enable = false" environment.pathsToLink = [ "/etc/xdg" "/share/xdg" "/share/applications" "/share/icons" "/share/pixmaps" ]; + fonts.enableDefaultFonts = mkDefault true; systemd = { services.xrdp = { diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix index 919c2c2b0e15..5bca15833544 100644 --- a/nixos/modules/services/security/munge.nix +++ b/nixos/modules/services/security/munge.nix @@ -35,7 +35,15 @@ in environment.systemPackages = [ pkgs.munge ]; - systemd.services.munged = { + users.users.munge = { + description = "Munge daemon user"; + isSystemUser = true; + group = "munge"; + }; + + users.groups.munge = {}; + + systemd.services.munged = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; 
@@ -44,14 +52,20 @@ in preStart = '' chmod 0700 ${cfg.password} mkdir -p /var/lib/munge -m 0711 + chown -R munge:munge /var/lib/munge mkdir -p /var/log/munge -m 0700 + chown -R munge:munge /var/log/munge mkdir -p /run/munge -m 0755 + chown -R munge:munge /run/munge ''; serviceConfig = { ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}"; PIDFile = "/run/munge/munged.pid"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + PermissionsStartOnly = "true"; + User = "munge"; + Group = "munge"; }; }; diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 433d97c2a7d7..96d78630e6d1 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -72,6 +72,7 @@ let mapConfig = key: attr: if (!isNull attr && attr != []) then ( + if isDerivation attr then mapConfig key (toString attr) else if (builtins.typeOf attr) == "set" then concatStringsSep " " (mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else if (builtins.typeOf attr) == "list" then concatMapStringsSep " " (mapConfig key) attr else diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 806252f49b8d..15200c49d70a 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -39,7 +39,7 @@ let ''} ${optint "ControlPort" cfg.controlPort} - ${optionalString cfg.controlSocket.enable "ControlSocket ${torRunDirectory}/control GroupWritable RelaxDirModeCheck"} + ${optionalString cfg.controlSocket.enable "ControlPort unix:${torRunDirectory}/control GroupWritable RelaxDirModeCheck"} '' # Client connection config + optionalString cfg.client.enable '' @@ -360,7 +360,7 @@ in <important> <para> - WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVISE. + WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE. Consult with your lawer when in doubt. </para> 
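Review bot: `User = "munge"` makes munged read `${cfg.password}` as the new user, but `preStart` only runs `chmod 0700 ${cfg.password}` and never changes the owner, so a root-owned key file becomes unreadable to the daemon at exactly the point this commit moves it off root. Add `chown munge:munge ${cfg.password}` next to the chmod; `preStart` still runs as root thanks to `PermissionsStartOnly`. `PermissionsStartOnly = "true"` is a string where the other hunks of this commit use the boolean `true`; it stringifies identically but should be written consistently.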
@@ -695,19 +695,38 @@ in uid = config.ids.uids.tor; }; + # We have to do this instead of using RuntimeDirectory option in + # the service below because systemd has no way to set owners of + # RuntimeDirectory and putting this into the service below + # requires that service to relax it's sandbox since this needs + # writable /run + systemd.services.tor-init = + { description = "Tor Daemon Init"; + wantedBy = [ "tor.service" ]; + after = [ "local-fs.target" ]; + script = '' + install -m 0700 -o tor -g tor -d ${torDirectory} ${torDirectory}/onion + install -m 0750 -o tor -g tor -d ${torRunDirectory} + ''; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + }; + systemd.services.tor = { description = "Tor Daemon"; path = [ pkgs.tor ]; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + after = [ "tor-init.service" "network.target" ]; restartTriggers = [ torRcFile ]; serviceConfig = { Type = "simple"; # Translated from the upstream contrib/dist/tor.service.in ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config"; - ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0"; + ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; KillSignal = "SIGINT"; TimeoutSec = 30; 
@@ -715,20 +734,18 @@ in LimitNOFILE = 32768; # Hardening - # Note: DevicePolicy is set to 'closed', although the - # minimal permissions are really: - # DeviceAllow /dev/null rw - # DeviceAllow /dev/urandom r - # .. but we can't specify DeviceAllow multiple times. 'closed' - # is close enough. - RuntimeDirectory = "tor"; - StateDirectory = [ "tor" "tor/onion" ]; - PrivateTmp = "yes"; - DevicePolicy = "closed"; - InaccessibleDirectories = "/home"; - ReadOnlyDirectories = "/"; - ReadWriteDirectories = [torDirectory torRunDirectory]; + # this seems to unshare /run despite what systemd.exec(5) says + PrivateTmp = mkIf (!cfg.controlSocket.enable) "yes"; + PrivateDevices = "yes"; + ProtectHome = "yes"; + ProtectSystem = "strict"; + InaccessiblePaths = "/home"; + ReadOnlyPaths = "/"; + ReadWritePaths = [ torDirectory torRunDirectory ]; NoNewPrivileges = "yes"; + + # tor.service.in has this in, but this line it fails to spawn a namespace when using hidden services + #CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE"; }; }; diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix index be74a2b1955b..96792c47cd24 100644 --- a/nixos/modules/services/web-apps/mattermost.nix +++ b/nixos/modules/services/web-apps/mattermost.nix @@ -25,7 +25,7 @@ in { options = { services.mattermost = { - enable = mkEnableOption "Mattermost chat platform"; + enable = mkEnableOption "Mattermost chat server"; statePath = mkOption { type = types.str; @@ -167,7 +167,7 @@ in ''; systemd.services.mattermost = { - description = "Mattermost chat platform service"; + description = "Mattermost chat service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" "postgresql.service" ]; 
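Review bot: The comment `# this seems to unshare /run despite what systemd.exec(5) says` sits above `PrivateTmp` but does not tell the reader what it means for the unit, namely that a private /tmp appears to also hide `${torRunDirectory}/control` from controllers, which is why PrivateTmp is switched off whenever the control socket is enabled. Suggested comment: `# PrivateTmp appears to also give the service a private /run, which would hide the control socket under ${torRunDirectory}; keep it off when the socket is enabled.` With `CapabilityBoundingSet` commented out no capability bound remains; if tor runs as the `tor` user declared earlier in the module this is defense-in-depth only, but it is worth re-testing a bounding set once the hidden-service namespace failure is understood, and recording the outcome in the comment.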
@@ -201,13 +201,13 @@ in PermissionsStartOnly = true; User = cfg.user; Group = cfg.group; - ExecStart = "${pkgs.mattermost}/bin/mattermost-platform"; + ExecStart = "${pkgs.mattermost}/bin/mattermost"; WorkingDirectory = "${cfg.statePath}"; - JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service"; Restart = "always"; RestartSec = "10"; LimitNOFILE = "49152"; }; + unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service"; }; }) (mkIf cfg.matterircd.enable { diff --git a/nixos/modules/services/web-apps/nexus.nix b/nixos/modules/services/web-apps/nexus.nix index d5bd0f12febb..b0eaee6040e3 100644 --- a/nixos/modules/services/web-apps/nexus.nix +++ b/nixos/modules/services/web-apps/nexus.nix @@ -13,6 +13,12 @@ in services.nexus = { enable = mkEnableOption "Sonatype Nexus3 OSS service"; + package = mkOption { + type = types.package; + default = pkgs.nexus; + description = "Package which runs Nexus3"; + }; + user = mkOption { type = types.str; default = "nexus"; @@ -55,10 +61,10 @@ in -XX:LogFile=${cfg.home}/nexus3/log/jvm.log -XX:-OmitStackTraceInFastThrow -Djava.net.preferIPv4Stack=true - -Dkaraf.home=${pkgs.nexus} - -Dkaraf.base=${pkgs.nexus} - -Dkaraf.etc=${pkgs.nexus}/etc/karaf - -Djava.util.logging.config.file=${pkgs.nexus}/etc/karaf/java.util.logging.properties + -Dkaraf.home=${cfg.package} + -Dkaraf.base=${cfg.package} + -Dkaraf.etc=${cfg.package}/etc/karaf + -Djava.util.logging.config.file=${cfg.package}/etc/karaf/java.util.logging.properties -Dkaraf.data=${cfg.home}/nexus3 -Djava.io.tmpdir=${cfg.home}/nexus3/tmp -Dkaraf.startLocalConsole=false @@ -112,7 +118,7 @@ in fi ''; - script = "${pkgs.nexus}/bin/nexus run"; + script = "${cfg.package}/bin/nexus run"; serviceConfig = { User = cfg.user; diff --git a/nixos/modules/services/web-apps/virtlyst.nix b/nixos/modules/services/web-apps/virtlyst.nix new file mode 100644 index 000000000000..2fc67435ce82 --- /dev/null +++ b/nixos/modules/services/web-apps/virtlyst.nix 
@@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.virtlyst; + stateDir = "/var/lib/virtlyst"; + + ini = pkgs.writeText "virtlyst-config.ini" '' + [wsgi] + master = true + threads = auto + http-socket = ${cfg.httpSocket} + application = ${pkgs.virtlyst}/lib/libVirtlyst.so + chdir2 = ${stateDir} + static-map = /static=${pkgs.virtlyst}/root/static + + [Cutelyst] + production = true + DatabasePath = virtlyst.sqlite + TemplatePath = ${pkgs.virtlyst}/root/src + + [Rules] + cutelyst.* = true + virtlyst.* = true + ''; + +in + +{ + + options.services.virtlyst = { + enable = mkEnableOption "Virtlyst libvirt web interface"; + + adminPassword = mkOption { + type = types.str; + description = '' + Initial admin password with which the database will be seeded. + ''; + }; + + httpSocket = mkOption { + type = types.str; + default = "localhost:3000"; + description = '' + IP and/or port to which to bind the http socket. + ''; + }; + }; + + config = mkIf cfg.enable { + users.extraUsers.virtlyst = { + home = stateDir; + createHome = true; + group = mkIf config.virtualisation.libvirtd.enable "libvirtd"; + }; + + systemd.services.virtlyst = { + wantedBy = [ "multi-user.target" ]; + environment = { + VIRTLYST_ADMIN_PASSWORD = cfg.adminPassword; + }; + serviceConfig = { + ExecStart = "${pkgs.cutelyst}/bin/cutelyst-wsgi2 --ini ${ini}"; + User = "virtlyst"; + WorkingDirectory = stateDir; + }; + }; + }; + +} diff --git a/nixos/modules/services/web-servers/minio.nix b/nixos/modules/services/web-servers/minio.nix index 843f0d986877..7ead33483ea4 100644 --- a/nixos/modules/services/web-servers/minio.nix +++ b/nixos/modules/services/web-servers/minio.nix 
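Review bot: `adminPassword` is a plain `types.str` that is handed to the unit through `environment = { VIRTLYST_ADMIN_PASSWORD = cfg.adminPassword; }`, so the password is written into the generated service file, which on NixOS lives in the world-readable Nix store. The option description should say so, e.g. `Initial admin password with which the database will be seeded. This value is written to the Nix store and is therefore readable by every local user; change it after the first login.` A follow-up could take a file path instead and pass it via `serviceConfig.EnvironmentFile` so the secret never enters the store. The `virtlyst` account is also declared without `isSystemUser`, and its `group` is only set when libvirtd is enabled, so it is worth confirming which uid range and primary group the user gets in the other case.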
@@ -85,7 +85,7 @@ in ''; serviceConfig = { PermissionsStartOnly = true; - ExecStart = "${cfg.package}/bin/minio server --address ${cfg.listenAddress} --config-dir=${cfg.configDir} ${cfg.dataDir}"; + ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --config-dir=${cfg.configDir} ${cfg.dataDir}"; Type = "simple"; User = "minio"; Group = "minio"; diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix index aa94e0e976c9..bc713a08f18f 100644 --- a/nixos/modules/services/web-servers/tomcat.nix +++ b/nixos/modules/services/web-servers/tomcat.nix @@ -110,7 +110,7 @@ in webapps = mkOption { type = types.listOf types.package; default = [ tomcat.webapps ]; - defaultText = "[ tomcat.webapps ]"; + defaultText = "[ pkgs.tomcat85.webapps ]"; description = "List containing WAR files or directories with WAR files which are web applications to be deployed on Tomcat"; }; diff --git a/nixos/modules/services/web-servers/uwsgi.nix b/nixos/modules/services/web-servers/uwsgi.nix index 14596bb3add0..356b896a6dc9 100644 --- a/nixos/modules/services/web-servers/uwsgi.nix +++ b/nixos/modules/services/web-servers/uwsgi.nix @@ -31,9 +31,7 @@ let inherit python; }; - penv = python.buildEnv.override { - extraLibs = (c.pythonPackages or (self: [])) pythonPackages; - }; + pythonEnv = python.withPackages (c.pythonPackages or (self: [])); uwsgiCfg = { uwsgi = @@ -42,7 +40,7 @@ let inherit plugins; } // removeAttrs c [ "type" "pythonPackages" ] // optionalAttrs (python != null) { - pythonpath = "${penv}/${python.sitePackages}"; + pythonpath = "${pythonEnv}/${python.sitePackages}"; env = # Argh, uwsgi expects list of key-values there instead of a dictionary. let env' = c.env or []; 
@@ -51,7 +49,7 @@ let then substring (stringLength "PATH=") (stringLength x) x else null; oldPaths = filter (x: x != null) (map getPath env'); - in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${penv}/bin" ]; + in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${pythonEnv}/bin" ]; } else if c.type == "emperor" then { diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix new file mode 100644 index 000000000000..ba8151a60f20 --- /dev/null +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix 
@@ -0,0 +1,100 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + dmcfg = config.services.xserver.displayManager; + ldmcfg = dmcfg.lightdm; + cfg = ldmcfg.greeters.mini; + + xgreeters = pkgs.linkFarm "lightdm-mini-greeter-xgreeters" [{ + path = "${pkgs.lightdm-mini-greeter}/share/xgreeters/lightdm-mini-greeter.desktop"; + name = "lightdm-mini-greeter.desktop"; + }]; + + miniGreeterConf = pkgs.writeText "lightdm-mini-greeter.conf" + '' + [greeter] + user = ${cfg.user} + show-password-label = true + password-label-text = Password: + show-input-cursor = true + + [greeter-hotkeys] + mod-key = meta + shutdown-key = s + restart-key = r + hibernate-key = h + suspend-key = u + + [greeter-theme] + font = Sans + font-size = 1em + text-color = "#080800" + error-color = "#F8F8F0" + background-image = "${ldmcfg.background}" + background-color = "#1B1D1E" + window-color = "#F92672" + border-color = "#080800" + border-width = 2px + layout-space = 15 + password-color = "#F8F8F0" + password-background-color = "#1B1D1E" + + ${cfg.extraConfig} + ''; + +in +{ + options = { + + services.xserver.displayManager.lightdm.greeters.mini = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable lightdm-mini-greeter as the lightdm greeter. + + Note that this greeter starts only the default X session. + You can configure the default X session by + <option>services.xserver.desktopManager.default</option> and + <option>services.xserver.windowManager.default</option>. + ''; + }; + + user = mkOption { + type = types.str; + default = "root"; + description = '' + The user to login as. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration that should be put in the lightdm-mini-greeter.conf + configuration file. 
+ ''; + }; + + }; + + }; + + config = mkIf (ldmcfg.enable && cfg.enable) { + + services.xserver.displayManager.lightdm.greeters.gtk.enable = false; + + services.xserver.displayManager.lightdm.greeter = mkDefault { + package = xgreeters; + name = "lightdm-mini-greeter"; + }; + + environment.etc."lightdm/lightdm-mini-greeter.conf".source = miniGreeterConf; + + }; +} diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index 9d30155a7234..5beadacdfa93 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -72,6 +72,7 @@ in # preferred. imports = [ ./lightdm-greeters/gtk.nix + ./lightdm-greeters/mini.nix ]; options = { diff --git a/nixos/modules/services/x11/window-managers/awesome.nix b/nixos/modules/services/x11/window-managers/awesome.nix index 71eb02ec5954..089e9f769f0a 100644 --- a/nixos/modules/services/x11/window-managers/awesome.nix +++ b/nixos/modules/services/x11/window-managers/awesome.nix @@ -37,6 +37,11 @@ in apply = pkg: if pkg == null then pkgs.awesome else pkg; }; + noArgb = mkOption { + default = false; + type = types.bool; + description = "Disable client transparency support, which can be greatly detrimental to performance in some setups"; + }; }; }; @@ -50,7 +55,7 @@ in { name = "awesome"; start = '' - ${awesome}/bin/awesome ${makeSearchPath cfg.luaModules} & + ${awesome}/bin/awesome ${lib.optionalString cfg.noArgb "--no-argb"} ${makeSearchPath cfg.luaModules} & waitPID=$! ''; }; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 1404231f837e..3048cd02683f 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix 
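Review bot: `user` defaults to `"root"`, so with this greeter enabled and nothing else configured the login screen is a root password prompt, which is an unsafe default for a display manager and which the description (`The user to login as.`) does not call out. Either drop the default so evaluation fails until an account is chosen, or keep it and state the consequence, e.g. `The user the greeter logs in. The default of "root" means the greeter prompts for the root password; set this to a normal user account.` Note also that `ldmcfg.background` is interpolated into `background-image = "${ldmcfg.background}"` unescaped, which is fine for store paths but would break the ini syntax on a value containing a double quote.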
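Review bot: The new `start` line in awesome.nix uses `lib.optionalString` while the surrounding code (`mkOption`, `makeSearchPath`) calls lib functions unqualified, which suggests `with lib;` is in scope; `optionalString cfg.noArgb "--no-argb"` would match the file. The `noArgb` description could also name the flag it controls, e.g. `Whether to pass --no-argb to awesome, disabling client transparency support, which can be greatly detrimental to performance in some setups.`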
@@ -244,6 +244,13 @@ in "ati_unfree" "amdgpu" "amdgpu-pro" "nv" "nvidia" "nvidiaLegacy340" "nvidiaLegacy304" ]; + # TODO(@oxij): think how to easily add the rest, like those nvidia things + relatedPackages = concatLists + (mapAttrsToList (n: v: + optional (hasPrefix "xf86video" n) { + path = [ "xorg" n ]; + title = removePrefix "xf86video" n; + }) pkgs.xorg); description = '' The names of the video drivers the configuration supports. They will be tried in order until one that diff --git a/nixos/modules/system/boot/initrd-network.nix b/nixos/modules/system/boot/initrd-network.nix index 33862b0965cc..384ae909b701 100644 --- a/nixos/modules/system/boot/initrd-network.nix +++ b/nixos/modules/system/boot/initrd-network.nix @@ -12,6 +12,7 @@ let if [ "$1" = bound ]; then ip address add "$ip/$mask" dev "$interface" if [ -n "$router" ]; then + ip route add "$router" dev "$interface" # just in case if "$router" is not within "$ip/$mask" (e.g. Hetzner Cloud) ip route add default via "$router" dev "$interface" fi if [ -n "$dns" ]; then diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 67daaa333e5e..42da65857221 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -64,9 +64,10 @@ let )) + ":" + (makeSearchPathOutput "bin" "sbin" [ pkgs.mdadm pkgs.utillinux ]); - font = if lib.last (lib.splitString "." cfg.font) == "pf2" + font = if cfg.font == null then "" + else (if lib.last (lib.splitString "." cfg.font) == "pf2" then cfg.font - else "${convertedFont}"; + else "${convertedFont}"); }); bootDeviceCounters = fold (device: attr: attr // { "${device}" = (attr."${device}" or 0) + 1; }) {} @@ -384,8 +385,9 @@ in }; default = mkOption { - default = 0; - type = types.int; + default = "0"; + type = types.either types.int types.str; + apply = toString; description = '' Index of the default menu item to be booted. ''; 
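Review bot: The `default` option in the second grub.nix hunk now accepts `types.either types.int types.str` and stringifies the value, but its description still reads `Index of the default menu item to be booted.`, so users cannot tell that a GRUB entry identifier or `saved` is also accepted. Suggest `Index or GRUB entry identifier (for example <literal>saved</literal>) of the default menu item to be booted.` Since the string form is passed through `toString` unchecked, whatever writes it into grub.cfg should quote it; that code is outside this hunk.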
diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index 1aa14729a75c..d1ff6e6bf525 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl @@ -54,7 +54,7 @@ my $splashImage = get("splashImage"); my $configurationLimit = int(get("configurationLimit")); my $copyKernels = get("copyKernels") eq "true"; my $timeout = int(get("timeout")); -my $defaultEntry = int(get("default")); +my $defaultEntry = get("default"); my $fsIdentifier = get("fsIdentifier"); my $grubEfi = get("grubEfi"); my $grubTargetEfi = get("grubTargetEfi"); @@ -281,22 +281,24 @@ else { else insmod vbe fi - insmod font - if loadfont " . $grubBoot->path . "/converted-font.pf2; then - insmod gfxterm - if [ \"\${grub_platform}\" = \"efi\" ]; then - set gfxmode=$gfxmodeEfi - set gfxpayload=keep - else - set gfxmode=$gfxmodeBios - set gfxpayload=text - fi - terminal_output gfxterm - fi "; if ($font) { copy $font, "$bootPath/converted-font.pf2" or die "cannot copy $font to $bootPath\n"; + $conf .= " + insmod font + if loadfont " . $grubBoot->path . "/converted-font.pf2; then + insmod gfxterm + if [ \"\${grub_platform}\" = \"efi\" ]; then + set gfxmode=$gfxmodeEfi + set gfxpayload=keep + else + set gfxmode=$gfxmodeBios + set gfxpayload=text + fi + terminal_output gfxterm + fi + "; } if ($splashImage) { # Keeps the image's extension. diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 92e68b72664a..de8451bbe31b 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh 
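Review bot: `my $defaultEntry = get("default");` drops the `int()` coercion, so the value is now an arbitrary string from the configuration and, wherever the script later emits it into grub.cfg (outside this hunk), it should be written quoted, since an entry title may contain spaces or quotes and an unquoted `set default=...` would break the generated config at boot rather than at build time. A one-line sanity check next to the assignment would surface the worst case early, e.g. `die "boot.loader.grub.default must not contain newlines\n" if $defaultEntry =~ /\n/;`. In the second hunk, moving the `insmod font`/`gfxterm` block under `if ($font)` is correct, but a short comment saying that without a font GRUB stays on its default console terminal would help the next reader.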
@@ -251,6 +251,9 @@ checkFS() { # Skip fsck for bcachefs - not implemented yet. if [ "$fsType" = bcachefs ]; then return 0; fi + # Skip fsck for nilfs2 - not needed by design and no fsck tool for this filesystem. + if [ "$fsType" = nilfs2 ]; then return 0; fi + # Skip fsck for inherently readonly filesystems. if [ "$fsType" = squashfs ]; then return 0; fi diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 55bb6d3449c5..6756f68cdf72 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -56,6 +56,12 @@ let left=("''${left[@]:3}") if [ -z ''${seen[$next]+x} ]; then seen[$next]=1 + + # Ignore the dynamic linker which for some reason appears as a DT_NEEDED of glibc but isn't in glibc's RPATH. + case "$next" in + ld*.so.?) continue;; + esac + IFS=: read -ra paths <<< $rpath res= for path in "''${paths[@]}"; do diff --git a/nixos/modules/system/boot/systemd-lib.nix b/nixos/modules/system/boot/systemd-lib.nix index ae9ee8811f77..8b37bf8d35d8 100644 --- a/nixos/modules/system/boot/systemd-lib.nix +++ b/nixos/modules/system/boot/systemd-lib.nix @@ -78,10 +78,16 @@ in rec { optional (badFields != [ ]) "Systemd ${group} has extra fields [${concatStringsSep " " badFields}]."; - checkUnitConfig = group: checks: v: - let errors = concatMap (c: c group v) checks; in - if errors == [] then true - else builtins.trace (concatStringsSep "\n" errors) false; + checkUnitConfig = group: checks: attrs: let + # We're applied at the top-level type (attrsOf unitOption), so the actual + # unit options might contain attributes from mkOverride that we need to + # convert into single values before checking them. + defs = mapAttrs (const (v: + if v._type or "" == "override" then v.content else v + )) attrs; + errors = concatMap (c: c group defs) checks; + in if errors == [] then true + else builtins.trace (concatStringsSep "\n" errors) false; toOption = x: if x == true then "true" 
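Review bot: The unwrapping added to `checkUnitConfig` strips a single `mkOverride` layer only (`v._type or "" == "override"`); values wrapped by `mkIf` (`_type = "if"`) or an override nested inside another override are passed to the check functions unchanged and are presumably reported as bad fields or wrong types by checks that live outside this hunk. Either unwrap recursively or state the limitation in the comment, e.g. `# Only one override layer is unwrapped; mkIf/mkMerge values are passed through as-is.` Nix parses `v._type or "" == "override"` as `(v._type or "") == "override"`, which is what is intended, but explicit parentheses would spare the reader the precedence check.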
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index c3bf897d51fd..bfcd81d62159 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -171,8 +171,12 @@ in default = config.boot.zfs.enableUnstable; description = '' Request encryption keys or passwords for all encrypted datasets on import. - Dataset encryption is only supported in zfsUnstable at the moment. + For root pools the encryption key can be supplied via both an + interactive prompt (keylocation=prompt) and from a file + (keylocation=file://). Note that for data pools the encryption key can + be only loaded from a file and not via interactive prompt since the + import is processed in a background systemd service. ''; }; @@ -394,6 +398,7 @@ in script = '' zpool_cmd="${packages.zfsUser}/sbin/zpool" ("$zpool_cmd" list "${pool}" >/dev/null) || "$zpool_cmd" import -d ${cfgZfs.devNodes} -N ${optionalString cfgZfs.forceImportAll "-f"} "${pool}" + ${optionalString cfgZfs.requestEncryptionCredentials "\"${packages.zfsUser}/sbin/zfs\" load-key -r \"${pool}\""} ''; }; @@ -403,6 +408,9 @@ in nameValuePair "zfs-sync-${pool}" { description = "Sync ZFS pool \"${pool}\""; wantedBy = [ "shutdown.target" ]; + unitConfig = { + DefaultDependencies = false; + }; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; 
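Review bot: The `zfs load-key -r` line appended to the import script runs on every start, including when the pool was already imported and the `||` short-circuited, and since NixOS `script` bodies presumably run with `set -e` semantics a non-zero exit from `load-key` (a dataset with `keylocation=prompt`, or a key that is already loaded if that returns non-zero) fails the whole import unit. The updated option description already says data pools cannot use `prompt`; add the same caveat next to the command, e.g. `# load-key fails the unit for datasets with keylocation=prompt; see requestEncryptionCredentials`, and decide whether a failed key load should abort the import or only be logged. `DefaultDependencies = false` on the sync service deserves a one-line comment stating why default dependencies are dropped for a shutdown.target unit.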
@@ -411,12 +419,15 @@ in ${packages.zfsUser}/sbin/zfs set nixos:shutdown-time="$(date)" "${pool}" ''; }; + createZfsService = serv: + nameValuePair serv { + after = [ "systemd-modules-load.service" ]; + wantedBy = [ "zfs.target" ]; + }; - in listToAttrs (map createImportService dataPools ++ map createSyncService allPools) // { - "zfs-mount" = { after = [ "systemd-modules-load.service" ]; }; - "zfs-share" = { after = [ "systemd-modules-load.service" ]; }; - "zfs-zed" = { after = [ "systemd-modules-load.service" ]; }; - }; + in listToAttrs (map createImportService dataPools ++ + map createSyncService allPools ++ + map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]); systemd.targets."zfs-import" = let @@ -425,6 +436,7 @@ in { requires = services; after = services; + wantedBy = [ "zfs.target" ]; }; systemd.targets."zfs".wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 14f9b9567515..a3534e10bb17 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix 
@@ -46,22 +46,6 @@ let ''; }); - # Collect all interfaces that are defined for a device - # as device:interface key:value pairs. - wlanDeviceInterfaces = - let - allDevices = unique (mapAttrsToList (_: v: v.device) cfg.wlanInterfaces); - interfacesOfDevice = d: filterAttrs (_: v: v.device == d) cfg.wlanInterfaces; - in - genAttrs allDevices (d: interfacesOfDevice d); - - # Convert device:interface key:value pairs into a list, and if it exists, - # place the interface which is named after the device at the beginning. - wlanListDeviceFirst = device: interfaces: - if hasAttr device interfaces - then mapAttrsToList (n: v: v//{_iName=n;}) (filterAttrs (n: _: n==device) interfaces) ++ mapAttrsToList (n: v: v//{_iName=n;}) (filterAttrs (n: _: n!=device) interfaces) - else mapAttrsToList (n: v: v // {_iName = n;}) interfaces; - # We must escape interfaces due to the systemd interpretation subsystemDevice = interface: "sys-subsystem-net-devices-${escapeSystemdPath interface}.device"; diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index cb756842f369..dd2108ccc379 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -2,13 +2,13 @@ with lib; let - diskSize = 30720; + diskSize = 2048; in { system.build.azureImage = import ../../lib/make-disk-image.nix { name = "azure-image"; postVM = '' - ${pkgs.vmTools.qemu-220}/bin/qemu-img convert -f raw -o subformat=fixed -O vpc $diskImage $out/disk.vhd + ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=fixed,force_size -O vpc $diskImage $out/disk.vhd ''; configFile = ./azure-config-user.nix; format = "raw"; diff --git a/nixos/modules/virtualisation/azure-qemu-220-no-etc-install.patch b/nixos/modules/virtualisation/azure-qemu-220-no-etc-install.patch deleted file mode 100644 index 81d29feea3de..000000000000 --- a/nixos/modules/virtualisation/azure-qemu-220-no-etc-install.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -diff --git a/Makefile b/Makefile -index d6b9dc1..ce7c493 100644 ---- a/Makefile -+++ b/Makefile -@@ -384,8 +384,7 @@ install-confdir: - install-sysconfig: install-datadir install-confdir - $(INSTALL_DATA) $(SRC_PATH)/sysconfigs/target/target-x86_64.conf "$(DESTDIR)$(qemu_confdir)" - --install: all $(if $(BUILD_DOCS),install-doc) install-sysconfig \ --install-datadir install-localstatedir -+install: all $(if $(BUILD_DOCS),install-doc) install-datadir - ifneq ($(TOOLS),) - $(call install-prog,$(TOOLS),$(DESTDIR)$(bindir)) - endif diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 989764874c48..66b253c230f1 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -88,12 +88,14 @@ in rec { (all nixos.tests.env) (all nixos.tests.ipv6) (all nixos.tests.i3wm) - (all nixos.tests.keymap.azerty) - (all nixos.tests.keymap.colemak) - (all nixos.tests.keymap.dvorak) - (all nixos.tests.keymap.dvp) - (all nixos.tests.keymap.neo) - (all nixos.tests.keymap.qwertz) + # 2018-06-06: keymap tests temporarily removed from tested job + # since non-deterministic failure are blocking the channel (#41538) + #(all nixos.tests.keymap.azerty) + #(all nixos.tests.keymap.colemak) + #(all nixos.tests.keymap.dvorak) + #(all nixos.tests.keymap.dvp) + #(all nixos.tests.keymap.neo) + #(all nixos.tests.keymap.qwertz) (all nixos.tests.plasma5) #(all nixos.tests.lightdm) (all nixos.tests.login) diff --git a/nixos/release.nix b/nixos/release.nix index 8777d85c5d46..e494fa35029f 100644 --- a/nixos/release.nix +++ b/nixos/release.nix 
@@ -300,11 +300,13 @@ in rec { tests.grafana = callTest tests/grafana.nix {}; tests.graphite = callTest tests/graphite.nix {}; tests.hardened = callTest tests/hardened.nix { }; + tests.haproxy = callTest tests/haproxy.nix {}; tests.hibernate = callTest tests/hibernate.nix {}; tests.hitch = callTest tests/hitch {}; tests.home-assistant = callTest tests/home-assistant.nix { }; tests.hound = callTest tests/hound.nix {}; tests.hocker-fetchdocker = callTest tests/hocker-fetchdocker {}; + tests.hydra = callTest tests/hydra {}; tests.i3wm = callTest tests/i3wm.nix {}; tests.iftop = callTest tests/iftop.nix {}; tests.initrd-network-ssh = callTest tests/initrd-network-ssh {}; @@ -312,6 +314,7 @@ in rec { tests.influxdb = callTest tests/influxdb.nix {}; tests.ipv6 = callTest tests/ipv6.nix {}; tests.jenkins = callTest tests/jenkins.nix {}; + tests.ostree = callTest tests/ostree.nix {}; tests.osquery = callTest tests/osquery.nix {}; tests.plasma5 = callTest tests/plasma5.nix {}; tests.plotinus = callTest tests/plotinus.nix {}; @@ -332,6 +335,7 @@ in rec { #tests.logstash = callTest tests/logstash.nix {}; tests.mathics = callTest tests/mathics.nix {}; tests.matrix-synapse = callTest tests/matrix-synapse.nix {}; + tests.memcached = callTest tests/memcached.nix {}; tests.mesos = callTest tests/mesos.nix {}; tests.misc = callTest tests/misc.nix {}; tests.mongodb = callTest tests/mongodb.nix {}; @@ -395,6 +399,7 @@ in rec { tests.switchTest = callTest tests/switch-test.nix {}; tests.taskserver = callTest tests/taskserver.nix {}; tests.tomcat = callTest tests/tomcat.nix {}; + tests.tor = callTest tests/tor.nix {}; tests.transmission = callTest tests/transmission.nix {}; tests.udisks2 = callTest tests/udisks2.nix {}; tests.vault = callTest tests/vault.nix {}; diff --git a/nixos/tests/gnome3.nix b/nixos/tests/gnome3.nix index 492fa61484a0..591ed8600685 100644 --- a/nixos/tests/gnome3.nix +++ b/nixos/tests/gnome3.nix 
@@ -11,8 +11,9 @@ import ./make-test.nix ({ pkgs, ...} : { services.xserver.enable = true; - services.xserver.displayManager.auto.enable = true; - services.xserver.displayManager.auto.user = "alice"; + services.xserver.displayManager.lightdm.enable = true; + services.xserver.displayManager.lightdm.autoLogin.enable = true; + services.xserver.displayManager.lightdm.autoLogin.user = "alice"; services.xserver.desktopManager.gnome3.enable = true; virtualisation.memorySize = 1024; @@ -21,7 +22,9 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' $machine->waitForX; - $machine->sleep(15); + + # wait for alice to be logged in + $machine->waitForUnit("default.target","alice"); # Check that logging in has given the user ownership of devices. $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); diff --git a/nixos/tests/haproxy.nix b/nixos/tests/haproxy.nix new file mode 100644 index 000000000000..ce4094237db2 --- /dev/null +++ b/nixos/tests/haproxy.nix @@ -0,0 +1,41 @@ +import ./make-test.nix ({ pkgs, ...}: { + name = "haproxy"; + nodes = { + machine = { config, ...}: { + imports = [ ../modules/profiles/minimal.nix ]; + services.haproxy = { + enable = true; + config = '' + defaults + timeout connect 10s + + backend http_server + mode http + server httpd [::1]:8000 + + frontend http + bind *:80 + mode http + use_backend http_server + ''; + }; + services.httpd = { + enable = true; + documentRoot = pkgs.writeTextDir "index.txt" "We are all good!"; + adminAddr = "notme@yourhost.local"; + listen = [{ + ip = "::1"; + port = 8000; + }]; + }; + }; + }; + testScript = '' + startAll; + $machine->waitForUnit('multi-user.target'); + $machine->waitForUnit('haproxy.service'); + $machine->waitForUnit('httpd.service'); + $machine->succeed('curl -k http://localhost:80/index.txt | grep "We are all good!"'); + + ''; +}) diff --git a/nixos/tests/hydra.nix b/nixos/tests/hydra.nix deleted file mode 100644 index 6abd7a5ad300..000000000000 --- a/nixos/tests/hydra.nix +++ /dev/null 
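Review bot: The `-k` in `curl -k http://localhost:80/index.txt` disables TLS certificate verification, which does nothing for a plain http URL and reads as if the test deliberately skipped verification; drop it. The assertion relies on `grep` alone, so a 5xx from haproxy fails with an unhelpful message; `curl --fail http://localhost:80/index.txt | grep "We are all good!"` would name the real cause. The configuration also binds the frontend on `*:80` inside the VM, which is fine for the test but worth a comment so nobody copies the snippet as a production config.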
@@ -1,32 +0,0 @@ -import ./make-test.nix ({ pkgs, ...} : { - name = "hydra-init-localdb"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ pstn ]; - }; - - machine = - { config, pkgs, ... }: - - { - services.hydra = { - enable = true; - - #Hydra needs those settings to start up, so we add something not harmfull. - hydraURL = "example.com"; - notificationSender = "example@example.com"; - }; - }; - - testScript = - '' - # let the system boot up - $machine->waitForUnit("multi-user.target"); - # test whether the database is running - $machine->succeed("systemctl status postgresql.service"); - # test whether the actual hydra daemons are running - $machine->succeed("systemctl status hydra-queue-runner.service"); - $machine->succeed("systemctl status hydra-init.service"); - $machine->succeed("systemctl status hydra-evaluator.service"); - $machine->succeed("systemctl status hydra-send-stats.service"); - ''; -}) diff --git a/nixos/tests/hydra/create-trivial-project.sh b/nixos/tests/hydra/create-trivial-project.sh new file mode 100755 index 000000000000..3cca5665acc5 --- /dev/null +++ b/nixos/tests/hydra/create-trivial-project.sh 
@@ -0,0 +1,56 @@ +#!/usr/bin/env bash +# +# This script creates a project, a jobset with an input of type local +# path. This local path is a directory that contains a Nix expression +# to define a job. +# The EXPR-PATH environment variable must be set with the local path. + +set -e + +URL=http://localhost:3000 +USERNAME="admin" +PASSWORD="admin" +PROJECT_NAME="trivial" +JOBSET_NAME="trivial" +EXPR_PATH=${EXPR_PATH:-} + +if [ -z $EXPR_PATH ]; then + echo "Environment variable EXPR_PATH must be set" + exit 1 +fi + +mycurl() { + curl --referer $URL -H "Accept: application/json" -H "Content-Type: application/json" $@ +} + +cat >data.json <<EOF +{ "username": "$USERNAME", "password": "$PASSWORD" } +EOF +mycurl -X POST -d '@data.json' $URL/login -c hydra-cookie.txt + +cat >data.json <<EOF +{ + "displayname":"Trivial", + "enabled":"1" +} +EOF +mycurl --silent -X PUT $URL/project/$PROJECT_NAME -d @data.json -b hydra-cookie.txt + +cat >data.json <<EOF +{ + "description": "Trivial", + "checkinterval": "60", + "enabled": "1", + "visible": "1", + "keepnr": "1", + "nixexprinput": "trivial", + "nixexprpath": "trivial.nix", + "inputs": { + "trivial": { + "value": "$EXPR_PATH", + "type": "path" + } + } +} +EOF +mycurl --silent -X PUT $URL/jobset/$PROJECT_NAME/$JOBSET_NAME -d @data.json -b hydra-cookie.txt diff --git a/nixos/tests/hydra/default.nix b/nixos/tests/hydra/default.nix new file mode 100644 index 000000000000..74919444c16d --- /dev/null +++ b/nixos/tests/hydra/default.nix 
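Review bot: `set -e` does not catch failed HTTP requests here, because curl exits 0 on a 4xx/5xx response, so a rejected login leaves `hydra-cookie.txt` without a session and the two `PUT` calls fail silently; add `--fail` to the curl invocation in `mycurl`. The same function expands `$@` and `$URL` unquoted, as does `[ -z $EXPR_PATH ]`, so a path with spaces breaks the argument list; use `curl --fail --referer "$URL" -H "Accept: application/json" -H "Content-Type: application/json" "$@"` and `if [ -z "$EXPR_PATH" ]; then`. The script also writes `data.json` and `hydra-cookie.txt` into the current directory, which the header comment should mention since the wrapper in default.nix does not appear to set one.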
@@ -0,0 +1,78 @@ +import ../make-test.nix ({ pkgs, ...} : + +let + trivialJob = pkgs.writeTextDir "trivial.nix" '' + with import <nix/config.nix>; + + { trivial = builtins.derivation { + name = "trivial"; + system = "x86_64-linux"; + PATH = coreutils; + builder = shell; + args = ["-c" "touch $out; exit 0"]; + }; + } + ''; + + createTrivialProject = pkgs.stdenv.mkDerivation { + name = "create-trivial-project"; + unpackPhase = ":"; + buildInputs = [ pkgs.makeWrapper ]; + installPhase = "install -m755 -D ${./create-trivial-project.sh} $out/bin/create-trivial-project.sh"; + postFixup = '' + wrapProgram "$out/bin/create-trivial-project.sh" --prefix PATH ":" ${pkgs.stdenv.lib.makeBinPath [ pkgs.curl ]} --set EXPR_PATH ${trivialJob} + ''; + }; + +in { + name = "hydra-init-localdb"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ pstn lewo ]; + }; + + machine = + { config, pkgs, ... }: + + { + virtualisation.memorySize = 1024; + time.timeZone = "UTC"; + + environment.systemPackages = [ createTrivialProject pkgs.jq ]; + services.hydra = { + enable = true; + + #Hydra needs those settings to start up, so we add something not harmfull. 
+ hydraURL = "example.com"; + notificationSender = "example@example.com"; + }; + nix = { + buildMachines = [{ + hostName = "localhost"; + systems = [ "x86_64-linux" ]; + }]; + }; + }; + + testScript = + '' + # let the system boot up + $machine->waitForUnit("multi-user.target"); + # test whether the database is running + $machine->succeed("systemctl status postgresql.service"); + # test whether the actual hydra daemons are running + $machine->succeed("systemctl status hydra-queue-runner.service"); + $machine->succeed("systemctl status hydra-init.service"); + $machine->succeed("systemctl status hydra-evaluator.service"); + $machine->succeed("systemctl status hydra-send-stats.service"); + + $machine->succeed("hydra-create-user admin --role admin --password admin"); + + # create a project with a trivial job + $machine->waitForOpenPort(3000); + + # make sure the build as been successfully built + $machine->succeed("create-trivial-project.sh"); + + $machine->waitUntilSucceeds('curl -L -s http://localhost:3000/build/1 -H "Accept: application/json" | jq .buildstatus | xargs test 0 -eq'); + ''; +}) diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 7da02d9c204a..92f400937b97 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -51,6 +51,8 @@ let hardware.enableAllFirmware = lib.mkForce false; + services.udisks2.enable = lib.mkDefault false; + ${replaceChars ["\n"] ["\n "] extraConfig} } ''; @@ -250,6 +252,8 @@ let ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ]; + services.udisks2.enable = mkDefault false; + nix.binaryCaches = mkForce [ ]; nix.extraOptions = '' diff --git a/nixos/tests/memcached.nix b/nixos/tests/memcached.nix new file mode 100644 index 000000000000..f9ef3647bd1a --- /dev/null +++ b/nixos/tests/memcached.nix 
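Review bot: The comment `# make sure the build as been successfully built` sits above `$machine->succeed("create-trivial-project.sh")`, which only creates the project and jobset; the check it describes is the `waitUntilSucceeds(... jq .buildstatus ...)` line below, so move it there and fix the wording: `# wait for build 1 to finish and check that buildstatus is 0 (success)`. Likewise `# create a project with a trivial job` precedes `waitForOpenPort(3000)` rather than the call it describes. The job hardcodes `system = "x86_64-linux"` and the build machine advertises only that system, so the test is presumably x86_64-only; a comment saying so would save someone running it elsewhere a confusing failure.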
@@ -0,0 +1,28 @@ +import ./make-test.nix ({ pkgs, ...} : { + name = "memcached"; + + nodes = { + machine = + { config, pkgs, ... }: + { + imports = [ ../modules/profiles/minimal.nix ]; + services.memcached.enable = true; + }; + }; + + testScript = let + testScript = pkgs.writeScript "testScript.py" '' + #!${pkgs.python3.withPackages (p: [p.memcached])}/bin/python + + import memcache + c = memcache.Client(['localhost:11211']) + c.set('key', 'value') + assert 'value' == c.get('key') + ''; + in '' + startAll; + $machine->waitForUnit("memcached.service"); + $machine->waitForOpenPort("11211"); + $machine->succeed("${testScript}"); + ''; +}) diff --git a/nixos/tests/morty.nix b/nixos/tests/morty.nix index e052ee988060..0a5324259ada 100644 --- a/nixos/tests/morty.nix +++ b/nixos/tests/morty.nix @@ -22,9 +22,9 @@ import ./make-test.nix ({ pkgs, ... }: testScript = { nodes , ... }: '' - startAll; + $mortyProxyWithKey->waitForUnit("default.target"); - $mortyProxyWithKey->waitForUnit("morty"); + $mortyProxyWithKey->waitForOpenPort(3001); $mortyProxyWithKey->succeed("curl -L 127.0.0.1:3001 | grep MortyProxy"); ''; diff --git a/nixos/tests/ostree.nix b/nixos/tests/ostree.nix new file mode 100644 index 000000000000..8b19004874e7 --- /dev/null +++ b/nixos/tests/ostree.nix @@ -0,0 +1,21 @@ +# run installed tests +import ./make-test.nix ({ pkgs, lib, ... }: { + name = "ostree"; + + meta = { + maintainers = pkgs.ostree.meta.maintainers; + }; + + # TODO: Wrap/patch the tests directly in the package + machine = { pkgs, ... }: { + environment.systemPackages = with pkgs; [ + gnome-desktop-testing ostree gnupg (python3.withPackages (p: with p; [ pyyaml ])) + ]; + + environment.variables.GI_TYPELIB_PATH = lib.makeSearchPath "lib/girepository-1.0" (with pkgs; [ gtk3 pango.out ostree gdk_pixbuf atk ]); # for GJS tests + }; + + testScript = '' + $machine->succeed("gnome-desktop-testing-runner -d ${pkgs.ostree.installedTests}/share"); + ''; +}) 
diff --git a/nixos/tests/plasma5.nix b/nixos/tests/plasma5.nix index f3bd4c5915b0..14ab2e30cabf 100644 --- a/nixos/tests/plasma5.nix +++ b/nixos/tests/plasma5.nix @@ -6,13 +6,28 @@ import ./make-test.nix ({ pkgs, ...} : maintainers = [ ttuegel ]; }; - machine = { lib, ... }: { + machine = { lib, ... }: + let + sddm_theme = pkgs.stdenv.mkDerivation { + name = "breeze-ocr-theme"; + phases = "buildPhase"; + buildCommand = '' + mkdir -p $out/share/sddm/themes/ + cp -r ${pkgs.plasma-workspace}/share/sddm/themes/breeze $out/share/sddm/themes/breeze-ocr-theme + chmod -R +w $out/share/sddm/themes/breeze-ocr-theme + printf "[General]\ntype=color\ncolor=#1d99f3\nbackground=\n" > $out/share/sddm/themes/breeze-ocr-theme/theme.conf + ''; + }; + in + { imports = [ ./common/user-account.nix ]; services.xserver.enable = true; services.xserver.displayManager.sddm.enable = true; + services.xserver.displayManager.sddm.theme = "breeze-ocr-theme"; services.xserver.desktopManager.plasma5.enable = true; services.xserver.desktopManager.default = "plasma5"; virtualisation.memorySize = 1024; + environment.systemPackages = [ sddm_theme ]; # fontconfig-penultimate-0.3.3 -> 0.3.4 broke OCR apparently, but no idea why. nixpkgs.config.packageOverrides = superPkgs: { @@ -30,7 +45,6 @@ import ./make-test.nix ({ pkgs, ...} : xdo = "${pkgs.xdotool}/bin/xdotool"; in '' startAll; - # Wait for display manager to start $machine->waitForText(qr/${user.description}/); $machine->screenshot("sddm"); diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix index 0ce37b55bb7b..2381939552e2 100644 --- a/nixos/tests/postgresql.nix +++ b/nixos/tests/postgresql.nix @@ -26,6 +26,9 @@ let { services.postgresql.package=postgresql-package; services.postgresql.enable = true; + + services.postgresqlBackup.enable = true; + services.postgresqlBackup.databases = [ "postgres" ]; }; testScript = '' 
@@ -46,6 +49,10 @@ let $machine->succeed(check_count("SELECT * FROM sth;", 5)); $machine->fail(check_count("SELECT * FROM sth;", 4)); $machine->succeed(check_count("SELECT xpath(\'/test/text()\', doc) FROM xmltest;", 1)); + + # Check backup service + $machine->succeed("systemctl start postgresqlBackup-postgres.service"); + $machine->succeed("zcat /var/backup/postgresql/postgres.sql.gz | grep '<test>ok</test>'"); $machine->shutdown; ''; diff --git a/nixos/tests/slurm.nix b/nixos/tests/slurm.nix index c23d85e40020..ec67ea092874 100644 --- a/nixos/tests/slurm.nix +++ b/nixos/tests/slurm.nix @@ -61,6 +61,7 @@ in { $node->succeed("mkdir /etc/munge"); $node->succeed("echo '${mungekey}' > /etc/munge/munge.key"); $node->succeed("chmod 0400 /etc/munge/munge.key"); + $node->succeed("chown munge:munge /etc/munge/munge.key"); $node->succeed("systemctl restart munged"); } diff --git a/nixos/tests/tor.nix b/nixos/tests/tor.nix new file mode 100644 index 000000000000..24d46a03897e --- /dev/null +++ b/nixos/tests/tor.nix @@ -0,0 +1,28 @@ +import ./make-test.nix ({ lib, ... }: with lib; + +rec { + name = "tor"; + meta.maintainers = with maintainers; [ joachifm ]; + + common = + { config, ... }: + { boot.kernelParams = [ "audit=0" "apparmor=0" "quiet" ]; + networking.firewall.enable = false; + networking.useDHCP = false; + }; + + nodes.client = + { config, pkgs, ... }: + { imports = [ common ]; + environment.systemPackages = with pkgs; [ netcat ]; + services.tor.enable = true; + services.tor.client.enable = true; + services.tor.controlPort = 9051; + }; + + testScript = '' + $client->waitForUnit("tor.service"); + $client->waitForOpenPort(9051); + $client->succeed("echo GETINFO version | nc 127.0.0.1 9051") =~ /514 Authentication required./ or die; + ''; +}) |
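Review bot: In the slurm hunk the munge key is written with `echo ... > /etc/munge/munge.key` and only afterwards chmod'ed and chown'ed, so it briefly exists with the shell's default mode; this is a test VM, but `(umask 077; echo '${mungekey}' > /etc/munge/munge.key)` would close that window at no cost. A comment on the new `chown` line saying that munged presumably refuses a key file not owned by its user would explain why the line was needed.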
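Review bot: The assertion `=~ /514 Authentication required./ or die` is the security-relevant part of the new tor test, as it verifies that the control port opened by `services.tor.controlPort = 9051` rejects unauthenticated commands, but nothing says so; add `# the control port must reject commands until the client authenticates` above it, and escape the trailing dot or drop it so the regex does not match any character there. The `common` profile disables the firewall and passes `apparmor=0`/`audit=0` without explanation; a comment such as `# VM test only: no firewall or LSM needed here, keeps boot quiet and fast` would stop a reader from copying those settings into a real configuration.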