diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1909.xml | 20 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/mail/dovecot.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/nsd.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/softether.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/strongswan-swanctl/module.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/networking/strongswan.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/torrent/magnetico.nix | 214 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/default.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/default.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/containers.nix | 17 | ||||
-rw-r--r-- | nixos/tests/magnetico.nix | 28 |
13 files changed, 289 insertions, 14 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 2111b25930e7..36bea28530be 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -300,6 +300,26 @@ configuration while being better type-checked and mergeable. </para> </listitem> + <listitem> + <para> + No service depends on <literal>keys.target</literal> anymore which is a systemd + target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded. + Instead, <literal><key-name>-key.service</literal> should be used to define + a dependency of a key in a service. The full issue behind the <literal>keys.target</literal> + dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>. + </para> + <para> + The following services are affected by this: + <itemizedlist> + <listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem> + <listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem> + <listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem> + <listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem> + <listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem> + <listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem> + </itemizedlist> + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 6331e76c648f..75df6c8d453c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -770,6 +770,7 @@ ./services/system/uptimed.nix ./services/torrent/deluge.nix ./services/torrent/flexget.nix + ./services/torrent/magnetico.nix ./services/torrent/opentracker.nix ./services/torrent/peerflix.nix ./services/torrent/transmission.nix diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 139011dca23a..cdbb776454b6 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -344,8 +344,7 @@ in systemd.services.dovecot2 = { description = "Dovecot IMAP/POP3 server"; - after = [ "keys.target" "network.target" ]; - wants = [ "keys.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ cfg.configFile ]; diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 8b918dab86dd..c69b77f9deec 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -916,9 +916,8 @@ in systemd.services.nsd = { description = "NSD authoritative only domain name service"; - after = [ "keys.target" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - wants = [ "keys.target" ]; serviceConfig = { ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf"; diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index 0046dcd366fa..65df93a00da9 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -70,8 +70,6 @@ in systemd.services."softether-init" = { description = "SoftEther VPN services initial task"; - after = [ "keys.target" ]; - wants = [ "keys.target" ]; wantedBy = [ "network.target" ]; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix index 817b5ec55f78..0fec3ef00ad9 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/module.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix @@ -62,9 +62,8 @@ in { systemd.services.strongswan-swanctl = { description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" "keys.target" ]; - wants = [ "keys.target" ]; - path = with pkgs; [ kmod iproute iptables utillinux ]; + after = [ "network-online.target" ]; + path = with pkgs; [ kmod iproute iptables utillinux ]; environment = { STRONGSWAN_CONF = pkgs.writeTextFile { name = "strongswan.conf"; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 41b69039ba7a..4ff9c486059c 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -151,8 +151,7 @@ in description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux - wants = [ "keys.target" ]; - after = [ "network-online.target" "keys.target" ]; + after = [ "network-online.target" ]; environment = { STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; }; diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix new file mode 100644 index 000000000000..02fa2ac0750a --- /dev/null +++ b/nixos/modules/services/torrent/magnetico.nix @@ -0,0 +1,214 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.magnetico; + + dataDir = "/var/lib/magnetico"; + + credFile = with cfg.web; + if credentialsFile != null + then credentialsFile + else pkgs.writeText "magnetico-credentials" + (concatStrings (mapAttrsToList + (user: hash: "${user}:${hash}\n") + cfg.web.credentials)); + + # default options in magneticod/main.go + dbURI = concatStrings + [ "sqlite3://${dataDir}/database.sqlite3" + "?_journal_mode=WAL" + "&_busy_timeout=3000" + "&_foreign_keys=true" + ]; + + crawlerArgs = with cfg.crawler; escapeShellArgs + ([ "--database=${dbURI}" + "--indexer-addr=${address}:${toString port}" + "--indexer-max-neighbors=${toString maxNeighbors}" + "--leech-max-n=${toString maxLeeches}" + ] ++ extraOptions); + + webArgs = with cfg.web; escapeShellArgs + ([ "--database=${dbURI}" + (if (cfg.web.credentialsFile != null || cfg.web.credentials != { }) + then "--credentials=${toString credFile}" + else "--no-auth") + ] ++ extraOptions); + +in { + + ###### interface + + options.services.magnetico = { + enable = mkEnableOption "Magnetico, Bittorrent DHT crawler"; + + crawler.address = mkOption { + type = types.str; + default = "0.0.0.0"; + example = "1.2.3.4"; + description = '' + Address to be used for indexing DHT nodes. + ''; + }; + + crawler.port = mkOption { + type = types.port; + default = 0; + description = '' + Port to be used for indexing DHT nodes. + This port should be added to + <option>networking.firewall.allowedTCPPorts</option>. + ''; + }; + + crawler.maxNeighbors = mkOption { + type = types.ints.positive; + default = 1000; + description = '' + Maximum number of simultaneous neighbors of an indexer. + Be careful changing this number: high values can very + easily cause your network to be congested or even crash + your router. + ''; + }; + + crawler.maxLeeches = mkOption { + type = types.ints.positive; + default = 200; + description = '' + Maximum number of simultaneous leeches. + ''; + }; + + crawler.extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra command line arguments to pass to magneticod. + ''; + }; + + web.address = mkOption { + type = types.str; + default = "localhost"; + example = "1.2.3.4"; + description = '' + Address the web interface will listen to. + ''; + }; + + web.port = mkOption { + type = types.port; + default = 8080; + description = '' + Port the web interface will listen to. + ''; + }; + + web.credentials = mkOption { + type = types.attrsOf types.str; + default = {}; + example = lib.literalExample '' + { + myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG"; + } + ''; + description = '' + The credentials to access the web interface, in case authentication is + enabled, in the format <literal>username:hash</literal>. If unset no + authentication will be required. + + Usernames must start with a lowercase ([a-z]) ASCII character, might + contain non-consecutive underscores except at the end, and consists of + small-case a-z characters and digits 0-9. The + <command>htpasswd</command> tool from the <package>apacheHttpd + </package> package may be used to generate the hash: <command>htpasswd + -bnBC 12 username password</command> + + <warning> + <para> + The hashes will be stored world-readable in the nix store. + Consider using the <literal>credentialsFile</literal> option if you + don't want this. + </para> + </warning> + ''; + }; + + web.credentialsFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + The path to the file holding the credentials to access the web + interface. If unset no authentication will be required. + + The file must constain user names and password hashes in the format + <literal>username:hash </literal>, one for each line. Usernames must + start with a lowecase ([a-z]) ASCII character, might contain + non-consecutive underscores except at the end, and consists of + small-case a-z characters and digits 0-9. + The <command>htpasswd</command> tool from the <package>apacheHttpd + </package> package may be used to generate the hash: + <command>htpasswd -bnBC 12 username password</command> + ''; + }; + + web.extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra command line arguments to pass to magneticow. + ''; + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + users.users.magnetico = { + description = "Magnetico daemons user"; + }; + + systemd.services.magneticod = { + description = "Magnetico DHT crawler"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + User = "magnetico"; + Restart = "on-failure"; + ExecStart = "${pkgs.magnetico}/bin/magneticod ${crawlerArgs}"; + }; + }; + + systemd.services.magneticow = { + description = "Magnetico web interface"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" "magneticod.service"]; + + serviceConfig = { + User = "magnetico"; + StateDirectory = "magnetico"; + Restart = "on-failure"; + ExecStart = "${pkgs.magnetico}/bin/magneticow ${webArgs}"; + }; + }; + + assertions = + [ + { + assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { }; + message = '' + The options services.magnetico.web.credentialsFile and + services.magnetico.web.credentials are mutually exclusives. + ''; + } + ]; + + }; + +} diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 12200c879beb..098160ee3692 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -670,8 +670,7 @@ in { description = "Apache HTTPD"; wantedBy = [ "multi-user.target" ]; - wants = [ "keys.target" ]; - after = [ "network.target" "fs.target" "keys.target" ]; + after = [ "network.target" "fs.target" ]; path = [ httpd pkgs.coreutils pkgs.gnugrep ] diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 0e87e6adbab8..bf6b048654b3 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -109,7 +109,7 @@ let # Allow the user to setup a custom session type. if test -x ~/.xsession; then - exec ~/.xsession + eval exec ~/.xsession "$@" fi if test "$1"; then diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 2a0360b12cbc..a79513850624 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -112,11 +112,13 @@ let # Hibernate / suspend. "hibernate.target" "suspend.target" + "suspend-then-hibernate.target" "sleep.target" "hybrid-sleep.target" "systemd-hibernate.service" "systemd-hybrid-sleep.service" "systemd-suspend.service" + "systemd-suspend-then-hibernate.service" # Reboot stuff. "reboot.target" diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index b65374c92577..b61558b22019 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -256,6 +256,10 @@ let RestartForceExitStatus = "133"; SuccessExitStatus = "133"; + # Some containers take long to start + # especially when you automatically start many at once + TimeoutStartSec = cfg.timeoutStartSec; + Restart = "on-failure"; Slice = "machine.slice"; @@ -423,6 +427,7 @@ let extraVeths = {}; additionalCapabilities = []; ephemeral = false; + timeoutStartSec = "15s"; allowedDevices = []; hostAddress = null; hostAddress6 = null; @@ -595,6 +600,18 @@ in ''; }; + timeoutStartSec = mkOption { + type = types.str; + default = "1min"; + description = '' + Time for the container to start. In case of a timeout, + the container processes get killed. + See <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry> + for more information about the format. + ''; + }; + bindMounts = mkOption { type = with types; loaOf (submodule bindMountOpts); default = {}; diff --git a/nixos/tests/magnetico.nix b/nixos/tests/magnetico.nix new file mode 100644 index 000000000000..bc7aef653ee5 --- /dev/null +++ b/nixos/tests/magnetico.nix @@ -0,0 +1,28 @@ +import ./make-test.nix ({ pkgs, ...} : { + name = "magnetico"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ rnhmjoj ]; + }; + + machine = { ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + + networking.firewall.allowedTCPPorts = [ 9000 ]; + + services.magnetico = { + enable = true; + crawler.port = 9000; + web.credentials.user = "$2y$12$P88ZF6soFthiiAeXnz64aOWDsY3Dw7Yw8fZ6GtiqFNjknD70zDmNe"; + }; + }; + + testScript = + '' + startAll; + $machine->waitForUnit("magneticod"); + $machine->waitForUnit("magneticow"); + $machine->succeed("${pkgs.curl}/bin/curl -u user:password http://localhost:8080"); + $machine->succeed("${pkgs.curl}/bin/curl -u user:wrongpwd http://localhost:8080") =~ "Unauthorised." or die; + $machine->shutdown(); + ''; +}) |