diff options
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/lib/eval-config.nix | 6 | ||||
| -rw-r--r-- | nixos/lib/testing-python.nix | 4 | ||||
| -rw-r--r-- | nixos/lib/utils.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/config/networking.nix | 27 | ||||
| -rw-r--r-- | nixos/modules/misc/nixpkgs.nix | 8 | ||||
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/programs/firejail.nix | 22 | ||||
| -rw-r--r-- | nixos/modules/services/mail/dovecot.nix | 234 | ||||
| -rw-r--r-- | nixos/modules/services/misc/ankisyncd.nix | 79 | ||||
| -rw-r--r-- | nixos/modules/services/monitoring/cadvisor.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/monitoring/prometheus/default.nix | 27 | ||||
| -rw-r--r-- | nixos/modules/services/networking/cjdns.nix | 52 | ||||
| -rw-r--r-- | nixos/modules/services/networking/firewall.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/ntp/ntpd.nix | 13 | ||||
| -rw-r--r-- | nixos/modules/system/activation/top-level.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems/btrfs.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/kvmgt.nix | 16 | ||||
| -rw-r--r-- | nixos/tests/nesting.nix | 8 |
18 files changed, 361 insertions, 149 deletions
diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 77490ca3762a..9892d6f160f7 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -41,6 +41,12 @@ let # default to the argument. That way this new default could propagate all # they way through, but has the last priority behind everything else. nixpkgs.system = lib.mkDefault system; + + # Stash the value of the `system` argument. When using `nesting.children` + # we want to have the same default value behavior (immediately above) + # without any interference from the user's configuration. + nixpkgs.initialSystem = system; + _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_); }; }; diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index 6663864f1e56..3891adc10435 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -175,13 +175,13 @@ in rec { nodeNames = builtins.attrNames nodes; invalidNodeNames = lib.filter - (node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames; + (node: builtins.match "^[A-z_]([A-z0-9_]+)?$" node == null) nodeNames; in if lib.length invalidNodeNames > 0 then throw '' Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})! - All machines are referenced as perl variables in the testing framework which will break the + All machines are referenced as python variables in the testing framework which will break the script when special characters are used. Please stick to alphanumeric chars and underscores as separation. diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index a522834e4294..21f4c7c6988f 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -14,7 +14,7 @@ rec { # becomes dev-xyzzy. FIXME: slow. escapeSystemdPath = s: replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"] - (if hasPrefix "/" s then substring 1 (stringLength s) s else s); + (removePrefix "/" s); # Returns a system path for a given shell package toShellPath = shell: diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index 81427bb8ee64..dd36696b94d2 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -35,12 +35,22 @@ in ''; }; + networking.hostFiles = lib.mkOption { + type = types.listOf types.path; + defaultText = lib.literalExample "Hosts from `networking.hosts` and `networking.extraHosts`"; + example = lib.literalExample ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]''; + description = '' + Files that should be concatenated together to form <filename>/etc/hosts</filename>. + ''; + }; + networking.extraHosts = lib.mkOption { type = types.lines; default = ""; example = "192.168.0.1 lanlocalhost"; description = '' Additional verbatim entries to be appended to <filename>/etc/hosts</filename>. + For adding hosts from derivation results, use <option>networking.hostFiles</option> instead. ''; }; @@ -159,6 +169,15 @@ in "::1" = [ "localhost" ]; }; + networking.hostFiles = let + stringHosts = + let + oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n"; + allToString = set: concatMapStrings (oneToString set) (attrNames set); + in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts)); + extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts; + in mkBefore [ stringHosts extraHosts ]; + environment.etc = { # /etc/services: TCP/UDP port assignments. services.source = pkgs.iana-etc + "/etc/services"; @@ -167,12 +186,8 @@ in protocols.source = pkgs.iana-etc + "/etc/protocols"; # /etc/hosts: Hostname-to-IP mappings. - hosts.text = let - oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip}; - allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set); - in '' - ${allToString (filterAttrs (_: v: v != []) cfg.hosts)} - ${cfg.extraHosts} + hosts.source = pkgs.runCommandNoCC "hosts" {} '' + cat ${escapeShellArgs cfg.hostFiles} > $out ''; # /etc/host.conf: resolver configuration file diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index afb74581e239..011d493c1538 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -216,6 +216,14 @@ in Ignored when <code>nixpkgs.pkgs</code> is set. ''; }; + + initialSystem = mkOption { + type = types.str; + internal = true; + description = '' + Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>. + ''; + }; }; config = { diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 917840fb9195..dba2593bbef5 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -406,6 +406,7 @@ ./services/mail/sympa.nix ./services/mail/nullmailer.nix ./services/misc/airsonic.nix + ./services/misc/ankisyncd.nix ./services/misc/apache-kafka.nix ./services/misc/autofs.nix ./services/misc/autorandr.nix diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix index 0abdde5ddebd..484f9eb44406 100644 --- a/nixos/modules/programs/firejail.nix +++ b/nixos/modules/programs/firejail.nix @@ -5,20 +5,20 @@ with lib; let cfg = config.programs.firejail; - wrappedBins = pkgs.stdenv.mkDerivation { - name = "firejail-wrapped-binaries"; - nativeBuildInputs = with pkgs; [ makeWrapper ]; - buildCommand = '' + wrappedBins = pkgs.runCommand "firejail-wrapped-binaries" + { preferLocalBuild = true; + allowSubstitutes = false; + } + '' mkdir -p $out/bin ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: '' - cat <<_EOF >$out/bin/${command} - #!${pkgs.stdenv.shell} -e - /run/wrappers/bin/firejail ${binary} "\$@" - _EOF - chmod 0755 $out/bin/${command} + cat <<_EOF >$out/bin/${command} + #! ${pkgs.runtimeShell} -e + exec /run/wrappers/bin/firejail ${binary} "\$@" + _EOF + chmod 0755 $out/bin/${command} '') cfg.wrappedBinaries)} ''; - }; in { options.programs.firejail = { @@ -47,7 +47,7 @@ in { config = mkIf cfg.enable { security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail"; - environment.systemPackages = [ wrappedBins ]; + environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ]; }; meta.maintainers = with maintainers; [ peterhoeg ]; diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index b5ed2c594f77..230a2ae3f825 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -14,18 +14,34 @@ let base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} sendmail_path = /run/wrappers/bin/sendmail + # defining mail_plugins must be done before the first protocol {} filter because of https://doc.dovecot.org/configuration_manual/config_file/config_file_syntax/#variable-expansion + mail_plugins = $mail_plugins ${concatStringsSep " " cfg.mailPlugins.globally.enable} '' - (if cfg.sslServerCert == null then '' - ssl = no - disable_plaintext_auth = no - '' else '' - ssl_cert = <${cfg.sslServerCert} - ssl_key = <${cfg.sslServerKey} - ${optionalString (cfg.sslCACert != null) ("ssl_ca = <" + cfg.sslCACert)} - ssl_dh = <${config.security.dhparams.params.dovecot2.path} - disable_plaintext_auth = yes - '') + ( + concatStringsSep "\n" ( + mapAttrsToList ( + protocol: plugins: '' + protocol ${protocol} { + mail_plugins = $mail_plugins ${concatStringsSep " " plugins.enable} + } + '' + ) cfg.mailPlugins.perProtocol + ) + ) + + ( + if cfg.sslServerCert == null then '' + ssl = no + disable_plaintext_auth = no + '' else '' + ssl_cert = <${cfg.sslServerCert} + ssl_key = <${cfg.sslServerKey} + ${optionalString (cfg.sslCACert != null) ("ssl_ca = <" + cfg.sslCACert)} + ssl_dh = <${config.security.dhparams.params.dovecot2.path} + disable_plaintext_auth = yes + '' + ) '' default_internal_user = ${cfg.user} @@ -45,55 +61,58 @@ let } '' - (optionalString cfg.enablePAM '' - userdb { - driver = passwd - } - - passdb { - driver = pam - args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} dovecot2 - } - '') + ( + optionalString cfg.enablePAM '' + userdb { + driver = passwd + } - (optionalString (cfg.sieveScripts != {}) '' - plugin { - ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)} - } - '') + passdb { + driver = pam + args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} dovecot2 + } + '' + ) - (optionalString (cfg.mailboxes != []) '' - protocol imap { - namespace inbox { - inbox=yes - ${concatStringsSep "\n" (map mailboxConfig cfg.mailboxes)} + ( + optionalString (cfg.sieveScripts != {}) '' + plugin { + ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)} } - } - '') - - (optionalString cfg.enableQuota '' - mail_plugins = $mail_plugins quota - service quota-status { - executable = ${dovecotPkg}/libexec/dovecot/quota-status -p postfix - inet_listener { - port = ${cfg.quotaPort} + '' + ) + + ( + optionalString (cfg.mailboxes != []) '' + protocol imap { + namespace inbox { + inbox=yes + ${concatStringsSep "\n" (map mailboxConfig cfg.mailboxes)} + } + } + '' + ) + + ( + optionalString cfg.enableQuota '' + service quota-status { + executable = ${dovecotPkg}/libexec/dovecot/quota-status -p postfix + inet_listener { + port = ${cfg.quotaPort} + } + client_limit = 1 } - client_limit = 1 - } - - protocol imap { - mail_plugins = $mail_plugins imap_quota - } - plugin { - quota_rule = *:storage=${cfg.quotaGlobalPerUser} - quota = maildir:User quota # per virtual mail user quota # BUG/FIXME broken, we couldn't get this working - quota_status_success = DUNNO - quota_status_nouser = DUNNO - quota_status_overquota = "552 5.2.2 Mailbox is full" - quota_grace = 10%% - } - '') + plugin { + quota_rule = *:storage=${cfg.quotaGlobalPerUser} + quota = maildir:User quota # per virtual mail user quota # BUG/FIXME broken, we couldn't get this working + quota_status_success = DUNNO + quota_status_nouser = DUNNO + quota_status_overquota = "552 5.2.2 Mailbox is full" + quota_grace = 10%% + } + '' + ) cfg.extraConfig ]; @@ -107,7 +126,7 @@ let mailbox "${mailbox.name}" { auto = ${toString mailbox.auto} '' + optionalString (mailbox.specialUse != null) '' - special_use = \${toString mailbox.specialUse} + special_use = \${toString mailbox.specialUse} '' + "}"; mailboxes = { ... }: { @@ -160,7 +179,7 @@ in protocols = mkOption { type = types.listOf types.str; - default = [ ]; + default = []; description = "Additional listeners to start when Dovecot is enabled."; }; @@ -183,6 +202,43 @@ in description = "Additional entries to put verbatim into Dovecot's config file."; }; + mailPlugins = + let + plugins = hint: types.submodule { + options = { + enable = mkOption { + type = types.listOf types.str; + default = []; + description = "mail plugins to enable as a list of strings to append to the ${hint} <literal>$mail_plugins</literal> configuration variable"; + }; + }; + }; + in + mkOption { + type = with types; submodule { + options = { + globally = mkOption { + description = "Additional entries to add to the mail_plugins variable for all protocols"; + type = plugins "top-level"; + example = { enable = [ "virtual" ]; }; + default = { enable = []; }; + }; + perProtocol = mkOption { + description = "Additional entries to add to the mail_plugins variable, per protocol"; + type = attrsOf (plugins "corresponding per-protocol"); + default = {}; + example = { imap = [ "imap_acl" ]; }; + }; + }; + }; + description = "Additional entries to add to the mail_plugins variable, globally and per protocol"; + example = { + globally.enable = [ "acl" ]; + perProtocol.imap.enable = [ "imap_acl" ]; + }; + default = { globally.enable = []; perProtocol = {}; }; + }; + configFile = mkOption { type = types.nullOr types.path; default = null; @@ -305,27 +361,33 @@ in enable = true; params.dovecot2 = {}; }; - services.dovecot2.protocols = - optional cfg.enableImap "imap" - ++ optional cfg.enablePop3 "pop3" - ++ optional cfg.enableLmtp "lmtp"; + services.dovecot2.protocols = + optional cfg.enableImap "imap" + ++ optional cfg.enablePop3 "pop3" + ++ optional cfg.enableLmtp "lmtp"; + + services.dovecot2.mailPlugins = mkIf cfg.enableQuota { + globally.enable = [ "quota" ]; + perProtocol.imap.enable = [ "imap_quota" ]; + }; users.users = { dovenull = - { uid = config.ids.uids.dovenull2; + { + uid = config.ids.uids.dovenull2; description = "Dovecot user for untrusted logins"; group = "dovenull"; }; } // optionalAttrs (cfg.user == "dovecot2") { dovecot2 = - { uid = config.ids.uids.dovecot2; - description = "Dovecot user"; - group = cfg.group; - }; + { + uid = config.ids.uids.dovecot2; + description = "Dovecot user"; + group = cfg.group; + }; } // optionalAttrs (cfg.createMailUser && cfg.mailUser != null) { ${cfg.mailUser} = - { description = "Virtual Mail User"; } // - optionalAttrs (cfg.mailGroup != null) + { description = "Virtual Mail User"; } // optionalAttrs (cfg.mailGroup != null) { group = cfg.mailGroup; }; }; @@ -334,7 +396,7 @@ in } // optionalAttrs (cfg.group == "dovecot2") { dovecot2.gid = config.ids.gids.dovecot2; } // optionalAttrs (cfg.createMailUser && cfg.mailGroup != null) { - ${cfg.mailGroup} = { }; + ${cfg.mailGroup} = {}; }; environment.etc."dovecot/modules".source = modulesDir; @@ -363,15 +425,19 @@ in rm -rf ${stateDir}/sieve '' + optionalString (cfg.sieveScripts != {}) '' mkdir -p ${stateDir}/sieve - ${concatStringsSep "\n" (mapAttrsToList (to: from: '' - if [ -d '${from}' ]; then - mkdir '${stateDir}/sieve/${to}' - cp -p "${from}/"*.sieve '${stateDir}/sieve/${to}' - else - cp -p '${from}' '${stateDir}/sieve/${to}' - fi - ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}' - '') cfg.sieveScripts)} + ${concatStringsSep "\n" ( + mapAttrsToList ( + to: from: '' + if [ -d '${from}' ]; then + mkdir '${stateDir}/sieve/${to}' + cp -p "${from}/"*.sieve '${stateDir}/sieve/${to}' + else + cp -p '${from}' '${stateDir}/sieve/${to}' + fi + ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}' + '' + ) cfg.sieveScripts + )} chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve' ''; }; @@ -379,17 +445,21 @@ in environment.systemPackages = [ dovecotPkg ]; assertions = [ - { assertion = intersectLists cfg.protocols [ "pop3" "imap" ] != []; + { + assertion = intersectLists cfg.protocols [ "pop3" "imap" ] != []; message = "dovecot needs at least one of the IMAP or POP3 listeners enabled"; } - { assertion = (cfg.sslServerCert == null) == (cfg.sslServerKey == null) - && (cfg.sslCACert != null -> !(cfg.sslServerCert == null || cfg.sslServerKey == null)); + { + assertion = (cfg.sslServerCert == null) == (cfg.sslServerKey == null) + && (cfg.sslCACert != null -> !(cfg.sslServerCert == null || cfg.sslServerKey == null)); message = "dovecot needs both sslServerCert and sslServerKey defined for working crypto"; } - { assertion = cfg.showPAMFailure -> cfg.enablePAM; + { + assertion = cfg.showPAMFailure -> cfg.enablePAM; message = "dovecot is configured with showPAMFailure while enablePAM is disabled"; } - { assertion = cfg.sieveScripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null); + { + assertion = cfg.sieveScripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null); message = "dovecot requires mailUser and mailGroup to be set when sieveScripts is set"; } ]; diff --git a/nixos/modules/services/misc/ankisyncd.nix b/nixos/modules/services/misc/ankisyncd.nix new file mode 100644 index 000000000000..5fc19649d3d9 --- /dev/null +++ b/nixos/modules/services/misc/ankisyncd.nix @@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ankisyncd; + + name = "ankisyncd"; + + stateDir = "/var/lib/${name}"; + + authDbPath = "${stateDir}/auth.db"; + + sessionDbPath = "${stateDir}/session.db"; + + configFile = pkgs.writeText "ankisyncd.conf" (lib.generators.toINI {} { + sync_app = { + host = cfg.host; + port = cfg.port; + data_root = stateDir; + auth_db_path = authDbPath; + session_db_path = sessionDbPath; + + base_url = "/sync/"; + base_media_url = "/msync/"; + }; + }); +in + { + options.services.ankisyncd = { + enable = mkEnableOption "ankisyncd"; + + package = mkOption { + type = types.package; + default = pkgs.ankisyncd; + defaultText = literalExample "pkgs.ankisyncd"; + description = "The package to use for the ankisyncd command."; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = "ankisyncd host"; + }; + + port = mkOption { + type = types.int; + default = 27701; + description = "ankisyncd port"; + }; + + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open the firewall for the specified port."; + }; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + environment.etc."ankisyncd/ankisyncd.conf".source = configFile; + + systemd.services.ankisyncd = { + description = "ankisyncd - Anki sync server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ cfg.package ]; + + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = name; + ExecStart = "${cfg.package}/bin/ankisyncd"; + Restart = "always"; + }; + }; + }; + } diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix index 695a8c42e85e..655a6934a266 100644 --- a/nixos/modules/services/monitoring/cadvisor.nix +++ b/nixos/modules/services/monitoring/cadvisor.nix @@ -135,7 +135,6 @@ in { serviceConfig.TimeoutStartSec=300; }; - virtualisation.docker.enable = mkDefault true; }) ]; } diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index b67f697ca0de..6b1a4be44d1d 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -9,12 +9,13 @@ let # a wrapper that verifies that the configuration is valid promtoolCheck = what: name: file: - pkgs.runCommand - "${name}-${replaceStrings [" "] [""] what}-checked" - { buildInputs = [ cfg.package ]; } '' - ln -s ${file} $out - promtool ${what} $out - ''; + if cfg.checkConfig then + pkgs.runCommand + "${name}-${replaceStrings [" "] [""] what}-checked" + { buildInputs = [ cfg.package ]; } '' + ln -s ${file} $out + promtool ${what} $out + '' else file; # Pretty-print JSON to a file writePrettyJSON = name: x: @@ -601,6 +602,20 @@ in { if Prometheus is served via a reverse proxy). ''; }; + + checkConfig = mkOption { + type = types.bool; + default = true; + description = '' + Check configuration with <literal>promtool + check</literal>. The call to <literal>promtool</literal> is + subject to sandboxing by Nix. When credentials are stored in + external files (<literal>password_file</literal>, + <literal>bearer_token_file</literal>, etc), they will not be + visible to <literal>promtool</literal> and it will report + errors, despite a correct configuration. + ''; + }; }; config = mkIf cfg.enable { diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index 3fb85b16cbe2..5f8ac96b2292 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -29,17 +29,13 @@ let }; # Additional /etc/hosts entries for peers with an associated hostname - cjdnsExtraHosts = import (pkgs.runCommand "cjdns-hosts" {} - # Generate a builder that produces an output usable as a Nix string value - '' - exec >$out - echo \'\' - ${concatStringsSep "\n" (mapAttrsToList (k: v: - optionalString (v.hostname != "") - "echo $(${pkgs.cjdns}/bin/publictoip6 ${v.publicKey}) ${v.hostname}") - (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo))} - echo \'\' - ''); + cjdnsExtraHosts = pkgs.runCommandNoCC "cjdns-hosts" {} '' + exec >$out + ${concatStringsSep "\n" (mapAttrsToList (k: v: + optionalString (v.hostname != "") + "echo $(${pkgs.cjdns}/bin/publictoip6 ${v.publicKey}) ${v.hostname}") + (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo))} + ''; parseModules = x: x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; }; @@ -144,13 +140,15 @@ in connectTo = mkOption { type = types.attrsOf ( types.submodule ( connectToSubmodule ) ); default = { }; - example = { - "192.168.1.1:27313" = { - hostname = "homer.hype"; - password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; - publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; - }; - }; + example = literalExample '' + { + "192.168.1.1:27313" = { + hostname = "homer.hype"; + password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; + publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; + }; + } + ''; description = '' Credentials for making UDP tunnels. ''; @@ -189,13 +187,15 @@ in connectTo = mkOption { type = types.attrsOf ( types.submodule ( connectToSubmodule ) ); default = { }; - example = { - "01:02:03:04:05:06" = { - hostname = "homer.hype"; - password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; - publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; - }; - }; + example = literalExample '' + { + "01:02:03:04:05:06" = { + hostname = "homer.hype"; + password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; + publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; + }; + } + ''; description = '' Credentials for connecting look similar to UDP credientials except they begin with the mac address. @@ -278,7 +278,7 @@ in }; }; - networking.extraHosts = mkIf cfg.addExtraHosts cjdnsExtraHosts; + networking.hostFiles = mkIf cfg.addExtraHosts [ cjdnsExtraHosts ]; assertions = [ { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile != null ); diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 15aaf7410674..b0045ff795e3 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -546,7 +546,7 @@ in options nf_conntrack nf_conntrack_helper=1 ''; - assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter; + assertions = [ { assertion = cfg.checkReversePath -> kernelHasRPFilter; message = "This kernel does not support rpfilter"; } ]; diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix index b5403cb747d0..54ff054d84c7 100644 --- a/nixos/modules/services/networking/ntp/ntpd.nix +++ b/nixos/modules/services/networking/ntp/ntpd.nix @@ -23,6 +23,8 @@ let restrict -6 ::1 ${toString (map (server: "server " + server + " iburst\n") cfg.servers)} + + ${cfg.extraConfig} ''; ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup ${toString cfg.extraFlags}"; @@ -81,6 +83,17 @@ in ''; }; + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + fudge 127.127.1.0 stratum 10 + ''; + description = '' + Additional text appended to <filename>ntp.conf</filename>. + ''; + }; + extraFlags = mkOption { type = types.listOf types.str; description = "Extra flags passed to the ntpd command."; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index f67d29005616..14bd751ce324 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -15,6 +15,7 @@ let map (childConfig: (import ../../../lib/eval-config.nix { inherit baseModules; + system = config.nixpkgs.initialSystem; modules = (optionals inheritParent modules) ++ [ ./no-clone.nix ] diff --git a/nixos/modules/tasks/filesystems/btrfs.nix b/nixos/modules/tasks/filesystems/btrfs.nix index 48be18c71021..f64493e1a3c7 100644 --- a/nixos/modules/tasks/filesystems/btrfs.nix +++ b/nixos/modules/tasks/filesystems/btrfs.nix @@ -118,12 +118,17 @@ in fs' = utils.escapeSystemdPath fs; in nameValuePair "btrfs-scrub-${fs'}" { description = "btrfs scrub on ${fs}"; + # scrub prevents suspend2ram or proper shutdown + conflicts = [ "shutdown.target" "sleep.target" ]; + before = [ "shutdown.target" "sleep.target" ]; serviceConfig = { - Type = "oneshot"; + # simple and not oneshot, otherwise ExecStop is not used + Type = "simple"; Nice = 19; IOSchedulingClass = "idle"; ExecStart = "${pkgs.btrfs-progs}/bin/btrfs scrub start -B ${fs}"; + ExecStop = "${pkgs.btrfs-progs}/bin/btrfs scrub cancel ${fs}"; }; }; in listToAttrs (map scrubService cfgScrub.fileSystems); diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix index 36ef6d17df69..0902d2dc2cb0 100644 --- a/nixos/modules/virtualisation/kvmgt.nix +++ b/nixos/modules/virtualisation/kvmgt.nix @@ -19,7 +19,8 @@ in { virtualisation.kvmgt = { enable = mkEnableOption '' KVMGT (iGVT-g) VGPU support. Allows Qemu/KVM guests to share host's Intel integrated graphics card. - Currently only one graphical device can be shared + Currently only one graphical device can be shared. To allow users to access the device without root add them + to the kvm group: <literal>users.extraUsers.<yourusername>.extraGroups = [ "kvm" ];</literal> ''; # multi GPU support is under the question device = mkOption { @@ -35,9 +36,7 @@ in { and find info about device via <command>cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description</command> ''; example = { - i915-GVTg_V5_8 = { - uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525"; - }; + i915-GVTg_V5_8.uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525"; }; }; }; @@ -50,10 +49,7 @@ in { }; boot.kernelModules = [ "kvmgt" ]; - - boot.extraModprobeConfig = '' - options i915 enable_gvt=1 - ''; + boot.kernelParams = [ "i915.enable_gvt=1" ]; systemd.paths = mapAttrs' (name: value: nameValuePair "kvmgt-${name}" { @@ -65,6 +61,10 @@ in { } ) cfg.vgpus; + services.udev.extraRules = '' + SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm" + ''; + systemd.services = mapAttrs' (name: value: nameValuePair "kvmgt-${name}" { description = "KVMGT VGPU ${name}"; diff --git a/nixos/tests/nesting.nix b/nixos/tests/nesting.nix index 6388b67a6e40..a75806b24ff6 100644 --- a/nixos/tests/nesting.nix +++ b/nixos/tests/nesting.nix @@ -29,10 +29,10 @@ import ./make-test-python.nix { ) clone.succeed("cowsay hey") clone.succeed("hello") - - children.wait_for_unit("default.target") - children.succeed("cowsay hey") - children.fail("hello") + + children.wait_for_unit("default.target") + children.succeed("cowsay hey") + children.fail("hello") with subtest("Nested children do not inherit from parent"): children.succeed( |