diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/hardware/all-firmware.nix | 10 | ||||
-rw-r--r-- | nixos/modules/hardware/logitech.nix | 28 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/programs/gnupg.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/networking/quicktun.nix | 118 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix | 599 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 14 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/pdns-recursor.nix | 12 | ||||
-rw-r--r-- | nixos/tests/wireguard/default.nix | 97 | ||||
-rw-r--r-- | nixos/tests/wireguard/snakeoil-keys.nix | 11 |
11 files changed, 401 insertions, 507 deletions
diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 69cc22aaa34b..c79be810eefd 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -38,6 +38,12 @@ in { firmwareLinuxNonfree intel2200BGFirmware rtl8192su-firmware + rt5677-firmware + rtl8723bs-firmware + rtlwifi_new-firmware + zd1211fw + alsa-firmware + openelec-dvb-firmware ] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [ rtl8723bs-firmware @@ -54,6 +60,10 @@ in { }]; hardware.firmware = with pkgs; [ broadcom-bt-firmware + b43Firmware_5_1_138 + b43Firmware_6_30_163_46 + b43FirmwareCutter + facetimehd-firmware ]; }) ]; diff --git a/nixos/modules/hardware/logitech.nix b/nixos/modules/hardware/logitech.nix new file mode 100644 index 000000000000..d6f43bdddcc8 --- /dev/null +++ b/nixos/modules/hardware/logitech.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.hardware.logitech; + +in { + options.hardware.logitech = { + enable = mkEnableOption "Logitech Devices"; + + enableGraphical = mkOption { + type = types.bool; + default = false; + description = "Enable graphical support applications."; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ + pkgs.ltunify + ] ++ lib.optional cfg.enableGraphical pkgs.solaar; + + # ltunifi and solaar both provide udev rules but the most up-to-date have been split + # out into a dedicated derivation + services.udev.packages = with pkgs; [ logitech-udev-rules ]; + }; +} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 374e39f553fa..03e5f537c224 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -46,6 +46,7 @@ ./hardware/sensor/iio.nix ./hardware/ksm.nix ./hardware/ledger.nix + ./hardware/logitech.nix ./hardware/mcelog.nix ./hardware/network/b43.nix ./hardware/nitrokey.nix @@ -632,6 +633,7 @@ ./services/networking/prosody.nix ./services/networking/quagga.nix ./services/networking/quassel.nix + ./services/networking/quicktun.nix ./services/networking/racoon.nix ./services/networking/radicale.nix ./services/networking/radvd.nix diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index 22521280e936..9618d61a1f5b 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix @@ -11,6 +11,15 @@ in { options.programs.gnupg = { + package = mkOption { + type = types.package; + default = pkgs.gnupg; + defaultText = "pkgs.gnupg"; + description = '' + The gpg package that should be used. + ''; + }; + agent.enable = mkOption { type = types.bool; default = false; @@ -75,7 +84,7 @@ in wantedBy = [ "sockets.target" ]; }; - systemd.packages = [ pkgs.gnupg ]; + systemd.packages = [ cfg.package ]; environment.interactiveShellInit = '' # Bind gpg-agent to this TTY if gpg commands are used. @@ -84,12 +93,12 @@ in '' + (optionalString cfg.agent.enableSSHSupport '' # SSH agent protocol doesn't support changing TTYs, so bind the agent # to every new TTY. - ${pkgs.gnupg}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null + ${cfg.package}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null ''); environment.extraInit = mkIf cfg.agent.enableSSHSupport '' if [ -z "$SSH_AUTH_SOCK" ]; then - export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket) + export SSH_AUTH_SOCK=$(${cfg.package}/bin/gpgconf --list-dirs agent-ssh-socket) fi ''; diff --git a/nixos/modules/services/networking/quicktun.nix b/nixos/modules/services/networking/quicktun.nix new file mode 100644 index 000000000000..5bcf923f909c --- /dev/null +++ b/nixos/modules/services/networking/quicktun.nix @@ -0,0 +1,118 @@ +{ config, pkgs, lib, ... }: + +let + + cfg = config.services.quicktun; + +in + +with lib; + +{ + options = { + + services.quicktun = mkOption { + default = { }; + description = "QuickTun tunnels"; + type = types.attrsOf (types.submodule { + options = { + tunMode = mkOption { + type = types.int; + default = 0; + example = 1; + description = ""; + }; + + remoteAddress = mkOption { + type = types.str; + example = "tunnel.example.com"; + description = ""; + }; + + localAddress = mkOption { + type = types.str; + example = "0.0.0.0"; + description = ""; + }; + + localPort = mkOption { + type = types.int; + default = 2998; + description = ""; + }; + + remotePort = mkOption { + type = types.int; + default = 2998; + description = ""; + }; + + remoteFloat = mkOption { + type = types.int; + default = 0; + description = ""; + }; + + protocol = mkOption { + type = types.str; + default = "nacltai"; + description = ""; + }; + + privateKey = mkOption { + type = types.str; + description = ""; + }; + + publicKey = mkOption { + type = types.str; + description = ""; + }; + + timeWindow = mkOption { + type = types.int; + default = 5; + description = ""; + }; + + upScript = mkOption { + type = types.lines; + default = ""; + description = ""; + }; + }; + }); + }; + + }; + + config = mkIf (cfg != []) { + systemd.services = fold (a: b: a // b) {} ( + mapAttrsToList (name: qtcfg: { + "quicktun-${name}" = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + "INTERFACE" = name; + "TUN_MODE" = toString qtcfg.tunMode; + "REMOTE_ADDRESS" = qtcfg.remoteAddress; + "LOCAL_ADDRESS" = qtcfg.localAddress; + "LOCAL_PORT" = toString qtcfg.localPort; + "REMOTE_PORT" = toString qtcfg.remotePort; + "REMOTE_FLOAT" = toString qtcfg.remoteFloat; + "PRIVATE_KEY" = qtcfg.privateKey; + "PUBLIC_KEY" = qtcfg.publicKey; + "TIME_WINDOW" = toString qtcfg.timeWindow; + "TUN_UP_SCRIPT" = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; + "SUID" = "nobody"; + }; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.quicktun}/bin/quicktun.${qtcfg.protocol}"; + }; + }; + }) cfg + ); + }; + +} diff --git a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix index 50775c5262fa..644aad82df2c 100644 --- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix +++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix @@ -3,112 +3,18 @@ poolName = "icingaweb2"; phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock"; - formatBool = b: if b then "1" else "0"; - - configIni = let - config = cfg.generalConfig; - in '' - [global] - show_stacktraces = "${formatBool config.showStacktraces}" - show_application_state_messages = "${formatBool config.showApplicationStateMessages}" - module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}" - config_backend = "${config.configBackend}" - ${optionalString (config.configBackend == "db") ''config_resource = "${config.configResource}"''} - - [logging] - log = "${config.log}" - ${optionalString (config.log != "none") ''level = "${config.logLevel}"''} - ${optionalString (config.log == "php" || config.log == "syslog") ''application = "${config.logApplication}"''} - ${optionalString (config.log == "syslog") ''facility = "${config.logFacility}"''} - ${optionalString (config.log == "file") ''file = "${config.logFile}"''} - - [themes] - default = "${config.themeDefault}" - disabled = "${formatBool config.themeDisabled}" - - [authentication] - ${optionalString (config.authDefaultDomain != null) ''default_domain = "${config.authDefaultDomain}"''} - ''; - - resourcesIni = concatStringsSep "\n" (mapAttrsToList (name: config: '' - [${name}] - type = "${config.type}" - ${optionalString (config.type == "db") '' - db = "${config.db}" - host = "${config.host}" - ${optionalString (config.port != null) ''port = "${toString config.port}"''} - username = "${config.username}" - password = "${config.password}" - dbname = "${config.dbname}" - ${optionalString (config.charset != null) ''charset = "${config.charset}"''} - use_ssl = "${formatBool config.useSSL}" - ${optionalString (config.sslCert != null) ''ssl_cert = "${config.sslCert}"''} - ${optionalString (config.sslKey != null) ''ssl_cert = "${config.sslKey}"''} - ${optionalString (config.sslCA != null) ''ssl_cert = "${config.sslCA}"''} - ${optionalString (config.sslCApath != null) ''ssl_cert = "${config.sslCApath}"''} - ${optionalString (config.sslCipher != null) ''ssl_cert = "${config.sslCipher}"''} - ''} - ${optionalString (config.type == "ldap") '' - hostname = "${config.host}" - ${optionalString (config.port != null) ''port = "${toString config.port}"''} - root_dn = "${config.rootDN}" - bind_dn = "${config.username}" - bind_pw = "${config.password}" - encryption = "${config.ldapEncryption}" - timeout = "${toString config.ldapTimeout}" - ''} - ${optionalString (config.type == "ssh") '' - user = "${config.username}" - private_key = "${config.sshPrivateKey}" - ''} - - '') cfg.resources); - - authenticationIni = concatStringsSep "\n" (mapAttrsToList (name: config: '' - [${name}] - backend = "${config.backend}" - ${optionalString (config.domain != null) ''domain = "${config.domain}"''} - ${optionalString (config.backend == "external" && config.externalStripRegex != null) ''strip_username_regexp = "${config.externalStripRegex}"''} - ${optionalString (config.backend != "external") ''resource = "${config.resource}"''} - ${optionalString (config.backend == "ldap" || config.backend == "msldap") '' - ${optionalString (config.ldapUserClass != null) ''user_class = "${config.ldapUserClass}"''} - ${optionalString (config.ldapUserNameAttr != null) ''user_name_attribute = "${config.ldapUserNameAttr}"''} - ${optionalString (config.ldapFilter != null) ''filter = "${config.ldapFilter}"''} - ''} - '') cfg.authentications); - - groupsIni = concatStringsSep "\n" (mapAttrsToList (name: config: '' - [${name}] - backend = "${config.backend}" - resource = "${config.resource}" - ${optionalString (config.backend != "db") '' - ${optionalString (config.ldapUserClass != null) ''user_class = "${config.ldapUserClass}"''} - ${optionalString (config.ldapUserNameAttr != null) ''user_name_attribute = "${config.ldapUserNameAttr}"''} - ${optionalString (config.ldapGroupClass != null) ''group_class = "${config.ldapGroupClass}"''} - ${optionalString (config.ldapGroupNameAttr != null) ''group_name_attribute = "${config.ldapGroupNameAttr}"''} - ${optionalString (config.ldapGroupFilter != null) ''group_filter = "${config.ldapGroupFilter}"''} - ''} - ${optionalString (config.backend == "msldap" && config.ldapNestedSearch) ''nested_group_search = "1"''} - '') cfg.groupBackends); - - rolesIni = let - optionalList = var: attribute: optionalString (builtins.length var > 0) ''${attribute} = "${concatStringsSep "," var}"''; - in concatStringsSep "\n" (mapAttrsToList (name: config: '' - [${name}] - ${optionalList config.users "users"} - ${optionalList config.groups "groups"} - ${optionalList config.permissions "permissions"} - ${optionalList config.permissions "permissions"} - ${concatStringsSep "\n" (mapAttrsToList (key: value: optionalList value key) config.extraAssignments)} - '') cfg.roles); - + defaultConfig = { + global = { + module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}"; + }; + }; in { options.services.icingaweb2 = with types; { enable = mkEnableOption "the icingaweb2 web interface"; pool = mkOption { type = str; - default = "${poolName}"; + default = poolName; description = '' Name of existing PHP-FPM pool that is used to run Icingaweb2. If not specified, a pool will automatically created with default values. @@ -143,7 +49,7 @@ in { default = {}; example = literalExample '' { - "snow" = pkgs.icingaweb2Modules.theme-snow; + "snow" = icingaweb2Modules.theme-snow; } ''; description = '' @@ -153,419 +59,130 @@ in { ''; }; - generalConfig = { - mutable = mkOption { - type = bool; - default = false; - description = '' - Make config.ini mutable (e.g. via the web interface). - Not that you need to update module_path manually. - ''; - }; - - showStacktraces = mkOption { - type = bool; - default = true; - description = "Enable stack traces in the Web UI"; - }; - - showApplicationStateMessages = mkOption { - type = bool; - default = true; - description = "Enable application state messages in the Web UI"; - }; - - modulePath = mkOption { - type = listOf str; - default = []; - description = "List of additional module search paths"; - }; - - configBackend = mkOption { - type = enum [ "ini" "db" "none" ]; - default = "db"; - description = "Where to store user preferences"; - }; - - configResource = mkOption { - type = nullOr str; - default = null; - description = "Database resource where user preferences are stored (if they are stored in a database)"; - }; - - log = mkOption { - type = enum [ "syslog" "php" "file" "none" ]; - default = "syslog"; - description = "Logging target"; - }; - - logLevel = mkOption { - type = enum [ "ERROR" "WARNING" "INFO" "DEBUG" ]; - default = "ERROR"; - description = "Maximum logging level to emit"; - }; - - logApplication = mkOption { - type = str; - default = "icingaweb2"; - description = "Application name to log under (syslog and php log)"; - }; - - logFacility = mkOption { - type = enum [ "user" "local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7" ]; - default = "user"; - description = "Syslog facility to log to"; - }; - - logFile = mkOption { - type = str; - default = "/var/log/icingaweb2/icingaweb2.log"; - description = "File to log to"; - }; - - themeDefault = mkOption { - type = str; - default = "Icinga"; - description = "Name of the default theme"; - }; - - themeDisabled = mkOption { - type = bool; - default = false; - description = "Disallow users to change the theme"; - }; - - authDefaultDomain = mkOption { - type = nullOr str; - default = null; - description = "Domain for users logging in without a qualified domain"; + generalConfig = mkOption { + type = nullOr attrs; + default = null; + example = { + general = { + showStacktraces = 1; + config_resource = "icingaweb_db"; + }; + logging = { + log = "syslog"; + level = "CRITICAL"; + }; }; - }; + description = '' + config.ini contents. + Will automatically be converted to a .ini file. + If you don't set global.module_path, the module will take care of it. - mutableResources = mkOption { - type = bool; - default = false; - description = "Make resources.ini mutable (e.g. via the web interface)"; + If the value is null, no config.ini is created and you can + modify it manually (e.g. via the web interface). + Note that you need to update module_path manually. + ''; }; resources = mkOption { - default = {}; - description = "Icingaweb 2 resources to define"; - type = attrsOf (submodule ({ name, ... }: { - options = { - name = mkOption { - visible = false; - default = name; - type = str; - description = "Name of this resource"; - }; - - type = mkOption { - type = enum [ "db" "ldap" "ssh" ]; - default = "db"; - description = "Type of this resouce"; - }; - - db = mkOption { - type = enum [ "mysql" "pgsql" ]; - default = "mysql"; - description = "Type of this database resource"; - }; - - host = mkOption { - type = str; - description = "Host to connect to"; - }; - - port = mkOption { - type = nullOr port; - default = null; - description = "Port to connect on"; - }; - - username = mkOption { - type = str; - description = "Database or SSH user or LDAP bind DN to connect with"; - }; - - password = mkOption { - type = str; - description = "Password for the database user or LDAP bind DN"; - }; - - dbname = mkOption { - type = str; - description = "Name of the database to connect to"; - }; - - charset = mkOption { - type = nullOr str; - default = null; - example = "utf8"; - description = "Database character set to connect with"; - }; - - useSSL = mkOption { - type = nullOr bool; - default = false; - description = "Whether to connect to the database using SSL"; - }; - - sslCert = mkOption { - type = nullOr str; - default = null; - description = "The file path to the SSL certificate. Only available for the mysql database."; - }; - - sslKey = mkOption { - type = nullOr str; - default = null; - description = "The file path to the SSL key. Only available for the mysql database."; - }; - - sslCA = mkOption { - type = nullOr str; - default = null; - description = "The file path to the SSL certificate authority. Only available for the mysql database."; - }; - - sslCApath = mkOption { - type = nullOr str; - default = null; - description = "The file path to the directory that contains the trusted SSL CA certificates in PEM format. Only available for the mysql database."; - }; - - sslCipher = mkOption { - type = nullOr str; - default = null; - description = "A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. Only available for the mysql database."; - }; - - rootDN = mkOption { - type = str; - description = "Root object of the LDAP tree"; - }; - - ldapEncryption = mkOption { - type = enum [ "none" "starttls" "ldaps" ]; - default = "none"; - description = "LDAP encryption to use"; - }; - - ldapTimeout = mkOption { - type = ints.positive; - default = 5; - description = "Connection timeout for every LDAP connection"; - }; - - sshPrivateKey = mkOption { - type = str; - description = "The path to the private key of the user"; - }; + type = nullOr attrs; + default = null; + example = { + icingaweb_db = { + type = "db"; + db = "mysql"; + host = "localhost"; + username = "icingaweb2"; + password = "icingaweb2"; + dbname = "icingaweb2"; }; - })); - }; + }; + description = '' + resources.ini contents. + Will automatically be converted to a .ini file. - mutableAuthConfig = mkOption { - type = bool; - default = true; - description = "Make authentication.ini mutable (e.g. via the web interface)"; + If the value is null, no resources.ini is created and you can + modify it manually (e.g. via the web interface). + Note that if you set passwords here, they will go into the nix store. + ''; }; authentications = mkOption { - default = {}; - description = "Icingaweb 2 authentications to define"; - type = attrsOf (submodule ({ name, ... }: { - options = { - name = mkOption { - visible = false; - default = name; - type = str; - description = "Name of this authentication"; - }; - - backend = mkOption { - type = enum [ "external" "ldap" "msldap" "db" ]; - default = "db"; - description = "The type of this authentication backend"; - }; - - domain = mkOption { - type = nullOr str; - default = null; - description = "Domain for domain-aware authentication"; - }; - - externalStripRegex = mkOption { - type = nullOr str; - default = null; - description = "Regular expression to strip off specific user name parts"; - }; - - resource = mkOption { - type = str; - description = "Name of the database/LDAP resource"; - }; - - ldapUserClass = mkOption { - type = nullOr str; - default = null; - description = "LDAP user class"; - }; - - ldapUserNameAttr = mkOption { - type = nullOr str; - default = null; - description = "LDAP attribute which contains the username"; - }; - - ldapFilter = mkOption { - type = nullOr str; - default = null; - description = "LDAP search filter"; - }; + type = nullOr attrs; + default = null; + example = { + icingaweb = { + backend = "db"; + resource = "icingaweb_db"; }; - })); - }; + }; + description = '' + authentication.ini contents. + Will automatically be converted to a .ini file. - mutableGroupsConfig = mkOption { - type = bool; - default = true; - description = "Make groups.ini mutable (e.g. via the web interface)"; + If the value is null, no authentication.ini is created and you can + modify it manually (e.g. via the web interface). + ''; }; groupBackends = mkOption { - default = {}; - description = "Icingaweb 2 group backends to define"; - type = attrsOf (submodule ({ name, ... }: { - options = { - name = mkOption { - visible = false; - default = name; - type = str; - description = "Name of this group backend"; - }; - - backend = mkOption { - type = enum [ "ldap" "msldap" "db" ]; - default = "db"; - description = "The type of this group backend"; - }; - - resource = mkOption { - type = str; - description = "Name of the database/LDAP resource"; - }; - - ldapUserClass = mkOption { - type = nullOr str; - default = null; - description = "LDAP user class"; - }; - - ldapUserNameAttr = mkOption { - type = nullOr str; - default = null; - description = "LDAP attribute which contains the username"; - }; - - ldapGroupClass = mkOption { - type = nullOr str; - default = null; - description = "LDAP group class"; - }; - - ldapGroupNameAttr = mkOption { - type = nullOr str; - default = null; - description = "LDAP attribute which contains the groupname"; - }; - - ldapGroupFilter = mkOption { - type = nullOr str; - default = null; - description = "LDAP group search filter"; - }; - - ldapNestedSearch = mkOption { - type = bool; - default = false; - description = "Enable nested group search in Active Directory based on the user"; - }; + type = nullOr attrs; + default = null; + example = { + icingaweb = { + backend = "db"; + resource = "icingaweb_db"; }; - })); - }; + }; + description = '' + groups.ini contents. + Will automatically be converted to a .ini file. - mutableRolesConfig = mkOption { - type = bool; - default = true; - description = "Make roles.ini mutable (e.g. via the web interface)"; + If the value is null, no groups.ini is created and you can + modify it manually (e.g. via the web interface). + ''; }; roles = mkOption { - default = {}; - description = "Icingaweb 2 roles to define"; - type = attrsOf (submodule ({ name, ... }: { - options = { - name = mkOption { - visible = false; - default = name; - type = str; - description = "Name of this role"; - }; - - users = mkOption { - type = listOf str; - default = []; - description = "List of users that are assigned to the role"; - }; - - groups = mkOption { - type = listOf str; - default = []; - description = "List of groups that are assigned to the role"; - }; - - permissions = mkOption { - type = listOf str; - default = []; - example = [ "application/share/navigation" "config/*" ]; - description = "The permissions to grant"; - }; - - extraAssignments = mkOption { - type = attrsOf (listOf str); - default = {}; - example = { "monitoring/blacklist/properties" = [ "sla" "customer"]; }; - description = "Additional assignments of this role"; - }; + type = nullOr attrs; + default = null; + example = { + Administrators = { + users = "admin"; + permissions = "*"; }; - })); + }; + description = '' + roles.ini contents. + Will automatically be converted to a .ini file. + + If the value is null, no roles.ini is created and you can + modify it manually (e.g. via the web interface). + ''; }; }; config = mkIf cfg.enable { services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") { - "${poolName}" = { - listen = phpfpmSocketName; - phpOptions = '' - extension = ${pkgs.phpPackages.imagick}/lib/php/extensions/imagick.so - date.timezone = "${cfg.timezone}" - ''; - extraConfig = '' - listen.owner = nginx - listen.group = nginx - listen.mode = 0600 - user = icingaweb2 - pm = dynamic - pm.max_children = 75 - pm.start_servers = 2 - pm.min_spare_servers = 2 - pm.max_spare_servers = 10 - ''; - }; + "${poolName}" = '' + listen = "${phpfpmSocketName}" + listen.owner = nginx + listen.group = nginx + listen.mode = 0600 + user = icingaweb2 + pm = dynamic + pm.max_children = 75 + pm.start_servers = 2 + pm.min_spare_servers = 2 + pm.max_spare_servers = 10 + ''; }; + services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}") + '' + extension = ${pkgs.phpPackages.imagick}/lib/php/extensions/imagick.so + date.timezone = "${cfg.timezone}" + ''; + systemd.services."phpfpm-${poolName}".serviceConfig.ReadWritePaths = [ "/etc/icingaweb2" ]; services.nginx = { @@ -609,11 +226,11 @@ in { // doModule "test" // doModule "translation" # Configs - // optionalAttrs (!cfg.generalConfig.mutable) { "icingaweb2/config.ini".text = configIni; } - // optionalAttrs (!cfg.mutableResources) { "icingaweb2/resources.ini".text = resourcesIni; } - // optionalAttrs (!cfg.mutableAuthConfig) { "icingaweb2/authentication.ini".text = authenticationIni; } - // optionalAttrs (!cfg.mutableGroupsConfig) { "icingaweb2/groups.ini".text = groupsIni; } - // optionalAttrs (!cfg.mutableRolesConfig) { "icingaweb2/roles.ini".text = rolesIni; }; + // optionalAttrs (cfg.generalConfig != null) { "icingaweb2/config.ini".text = generators.toINI {} (defaultConfig // cfg.generalConfig); } + // optionalAttrs (cfg.resources != null) { "icingaweb2/resources.ini".text = generators.toINI {} cfg.resources; } + // optionalAttrs (cfg.authentications != null) { "icingaweb2/authentication.ini".text = generators.toINI {} cfg.authentications; } + // optionalAttrs (cfg.groupBackends != null) { "icingaweb2/groups.ini".text = generators.toINI {} cfg.groupBackends; } + // optionalAttrs (cfg.roles != null) { "icingaweb2/roles.ini".text = generators.toINI {} cfg.roles; }; # User and group users.groups.icingaweb2 = {}; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index bf9f0c21aedf..3a154ab75ba9 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -44,19 +44,7 @@ let } '')); - awkFormat = builtins.toFile "awkFormat-nginx.awk" '' - awk -f - {sub(/^[ \t]+/,"");idx=0} - /\{/{ctx++;idx=1} - /\}/{ctx--} - {id="";for(i=idx;i<ctx;i++)id=sprintf("%s%s", id, "\t");printf "%s%s\n", id, $0} - ''; - - configFile = pkgs.runCommand "nginx.conf" {} ('' - awk -f ${awkFormat} ${pre-configFile} | sed '/^\s*$/d' > $out - ''); - - pre-configFile = pkgs.writeText "pre-nginx.conf" '' + configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' user ${cfg.user} ${cfg.group}; error_log ${cfg.logError}; daemon off; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 1db99a03d25d..b366f019f6e0 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -223,6 +223,7 @@ in syncthing-relay = handleTest ./syncthing-relay.nix {}; systemd = handleTest ./systemd.nix {}; systemd-confinement = handleTest ./systemd-confinement.nix {}; + pdns-recursor = handleTest ./pdns-recursor.nix {}; taskserver = handleTest ./taskserver.nix {}; telegraf = handleTest ./telegraf.nix {}; tomcat = handleTest ./tomcat.nix {}; @@ -232,6 +233,7 @@ in upnp = handleTest ./upnp.nix {}; vault = handleTest ./vault.nix {}; virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; + wireguard = handleTest ./wireguard {}; wordpress = handleTest ./wordpress.nix {}; xautolock = handleTest ./xautolock.nix {}; xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {}; diff --git a/nixos/tests/pdns-recursor.nix b/nixos/tests/pdns-recursor.nix new file mode 100644 index 000000000000..bf6e6093d69c --- /dev/null +++ b/nixos/tests/pdns-recursor.nix @@ -0,0 +1,12 @@ +import ./make-test.nix ({ pkgs, ... }: { + name = "powerdns"; + + nodes.server = { ... }: { + services.pdns-recursor.enable = true; + }; + + testScript = '' + $server->waitForUnit("pdns-recursor"); + $server->waitForOpenPort("53"); + ''; +}) diff --git a/nixos/tests/wireguard/default.nix b/nixos/tests/wireguard/default.nix new file mode 100644 index 000000000000..b0797b963235 --- /dev/null +++ b/nixos/tests/wireguard/default.nix @@ -0,0 +1,97 @@ +let + wg-snakeoil-keys = import ./snakeoil-keys.nix; +in + +import ../make-test.nix ({ pkgs, ...} : { + name = "wireguard"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ma27 ]; + }; + + nodes = { + peer0 = { lib, ... }: { + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = "1"; + "net.ipv6.conf.default.forwarding" = "1"; + "net.ipv4.ip_forward" = "1"; + }; + + networking.useDHCP = false; + networking.interfaces.eth1 = { + ipv4.addresses = lib.singleton { + address = "192.168.0.1"; + prefixLength = 24; + }; + ipv6.addresses = lib.singleton { + address = "fd00::1"; + prefixLength = 64; + }; + }; + + networking.firewall.allowedUDPPorts = [ 23542 ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.23.42.1/32" "fc00::1/128" ]; + listenPort = 23542; + + inherit (wg-snakeoil-keys.peer0) privateKey; + + peers = lib.singleton { + allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ]; + + inherit (wg-snakeoil-keys.peer1) publicKey; + }; + }; + }; + + peer1 = { pkgs, lib, ... }: { + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = "1"; + "net.ipv6.conf.default.forwarding" = "1"; + "net.ipv4.ip_forward" = "1"; + }; + + networking.useDHCP = false; + networking.interfaces.eth1 = { + ipv4.addresses = lib.singleton { + address = "192.168.0.2"; + prefixLength = 24; + }; + ipv6.addresses = lib.singleton { + address = "fd00::2"; + prefixLength = 64; + }; + }; + + networking.wireguard.interfaces.wg0 = { + ips = [ "10.23.42.2/32" "fc00::2/128" ]; + listenPort = 23542; + allowedIPsAsRoutes = false; + + inherit (wg-snakeoil-keys.peer1) privateKey; + + peers = lib.singleton { + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "192.168.0.1:23542"; + persistentKeepalive = 25; + + inherit (wg-snakeoil-keys.peer0) publicKey; + }; + + postSetup = let inherit (pkgs) iproute; in '' + ${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0 + ${iproute}/bin/ip route replace fc00::1/128 dev wg0 + ''; + }; + }; + }; + + testScript = '' + startAll; + + $peer0->waitForUnit("wireguard-wg0.service"); + $peer1->waitForUnit("wireguard-wg0.service"); + + $peer1->succeed("ping -c5 fc00::1"); + $peer1->succeed("ping -c5 10.23.42.1") + ''; +}) diff --git a/nixos/tests/wireguard/snakeoil-keys.nix b/nixos/tests/wireguard/snakeoil-keys.nix new file mode 100644 index 000000000000..55ad582d4059 --- /dev/null +++ b/nixos/tests/wireguard/snakeoil-keys.nix @@ -0,0 +1,11 @@ +{ + peer0 = { + privateKey = "OPuVRS2T0/AtHDp3PXkNuLQYDiqJaBEEnYe42BSnJnQ="; + publicKey = "IujkG119YPr2cVQzJkSLYCdjpHIDjvr/qH1w1tdKswY="; + }; + + peer1 = { + privateKey = "uO8JVo/sanx2DOM0L9GUEtzKZ82RGkRnYgpaYc7iXmg="; + publicKey = "Ks9yRJIi/0vYgRmn14mIOQRwkcUGBujYINbMpik2SBI="; + }; +} |