diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/default.nix | 71 | ||||
-rw-r--r-- | nixos/modules/config/nsswitch.nix | 40 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 3 | ||||
-rw-r--r-- | nixos/modules/programs/browserpass.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/logging/heartbeat.nix | 72 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/lumina.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/xen-dom0.nix | 57 | ||||
-rw-r--r-- | nixos/release-combined.nix | 2 |
9 files changed, 183 insertions, 83 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index 40d49f1541b3..9413d71a34cf 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -65,7 +65,7 @@ let chmod -R u+w . ln -s ${modulesDoc} configuration/modules.xml ln -s ${optionsDocBook} options-db.xml - echo "${version}" > version + printf "%s" "${version}" > version ''; toc = builtins.toFile "toc.xml" @@ -94,25 +94,43 @@ let "--stringparam chunk.toc ${toc}" ]; - olinkDB = runCommand "manual-olinkdb" + manual-combined = runCommand "nixos-manual-combined" { inherit sources; buildInputs = [ libxml2 libxslt ]; + meta.description = "The NixOS manual as plain docbook XML"; } '' ${copySources} + xmllint --xinclude --output ./manual-combined.xml ./manual.xml + xmllint --xinclude --noxincludenode \ + --output ./man-pages-combined.xml ./man-pages.xml + + xmllint --debug --noout --nonet \ + --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ + manual-combined.xml + xmllint --debug --noout --nonet \ + --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ + man-pages-combined.xml + + + mkdir $out + cp manual-combined.xml $out/ + cp man-pages-combined.xml $out/ + ''; + + olinkDB = runCommand "manual-olinkdb" + { inherit sources; + buildInputs = [ libxml2 libxslt ]; + } + '' xsltproc \ ${manualXsltprocOptions} \ --stringparam collect.xref.targets only \ --stringparam targets.filename "$out/manual.db" \ - --nonet --xinclude \ + --nonet \ ${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl \ - ./manual.xml - - # Check the validity of the man pages sources. - xmllint --noout --nonet --xinclude --noxincludenode \ - --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ - ./man-pages.xml + ${manual-combined}/manual-combined.xml cat > "$out/olinkdb.xml" <<EOF <?xml version="1.0" encoding="utf-8"?> @@ -158,21 +176,15 @@ in rec { allowedReferences = ["out"]; } '' - ${copySources} - - # Check the validity of the manual sources. - xmllint --noout --nonet --xinclude --noxincludenode \ - --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ - manual.xml - # Generate the HTML manual. dst=$out/share/doc/nixos mkdir -p $dst xsltproc \ ${manualXsltprocOptions} \ --stringparam target.database.document "${olinkDB}/olinkdb.xml" \ - --nonet --xinclude --output $dst/ \ - ${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl ./manual.xml + --nonet --output $dst/ \ + ${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl \ + ${manual-combined}/manual-combined.xml mkdir -p $dst/images/callouts cp ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/images/callouts/ @@ -190,13 +202,6 @@ in rec { buildInputs = [ libxml2 libxslt zip ]; } '' - ${copySources} - - # Check the validity of the manual sources. - xmllint --noout --nonet --xinclude --noxincludenode \ - --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ - manual.xml - # Generate the epub manual. dst=$out/share/doc/nixos @@ -204,10 +209,11 @@ in rec { ${manualXsltprocOptions} \ --stringparam target.database.document "${olinkDB}/olinkdb.xml" \ --nonet --xinclude --output $dst/epub/ \ - ${docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl ./manual.xml + ${docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl \ + ${manual-combined}/manual-combined.xml mkdir -p $dst/epub/OEBPS/images/callouts - cp -r ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/epub/OEBPS/images/callouts + cp -r ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/epub/OEBPS/images/callouts # */ echo "application/epub+zip" > mimetype manual="$dst/nixos-manual.epub" zip -0Xq "$manual" mimetype @@ -227,23 +233,16 @@ in rec { allowedReferences = ["out"]; } '' - ${copySources} - - # Check the validity of the man pages sources. - xmllint --noout --nonet --xinclude --noxincludenode \ - --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ - ./man-pages.xml - # Generate manpages. mkdir -p $out/share/man - xsltproc --nonet --xinclude \ + xsltproc --nonet \ --param man.output.in.separate.dir 1 \ --param man.output.base.dir "'$out/share/man/'" \ --param man.endnotes.are.numbered 0 \ --param man.break.after.slash 1 \ --stringparam target.database.document "${olinkDB}/olinkdb.xml" \ ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \ - ./man-pages.xml + ${manual-combined}/man-pages-combined.xml ''; } diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index d541fff140eb..16c43a99ad56 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -6,24 +6,29 @@ with lib; let - inherit (config.services.avahi) nssmdns; - inherit (config.services.samba) nsswins; - ldap = (config.users.ldap.enable && config.users.ldap.nsswitch); - sssd = config.services.sssd.enable; - resolved = config.services.resolved.enable; - - hostArray = [ "files" "mymachines" ] + # only with nscd up and running we can load NSS modules that are not integrated in NSS + canLoadExternalModules = config.services.nscd.enable; + myhostname = canLoadExternalModules; + mymachines = canLoadExternalModules; + nssmdns = canLoadExternalModules && config.services.avahi.nssmdns; + nsswins = canLoadExternalModules && config.services.samba.nsswins; + ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch); + sssd = canLoadExternalModules && config.services.sssd.enable; + resolved = canLoadExternalModules && config.services.resolved.enable; + + hostArray = [ "files" ] + ++ optionals mymachines [ "mymachines" ] ++ optionals nssmdns [ "mdns_minimal [!UNAVAIL=return]" ] ++ optionals nsswins [ "wins" ] - ++ optionals resolved ["resolv [!UNAVAIL=return]"] + ++ optionals resolved ["resolve [!UNAVAIL=return]"] ++ [ "dns" ] ++ optionals nssmdns [ "mdns" ] - ++ ["myhostname" ]; + ++ optionals myhostname ["myhostname" ]; passwdArray = [ "files" ] ++ optional sssd "sss" ++ optionals ldap [ "ldap" ] - ++ [ "mymachines" ]; + ++ optionals mymachines [ "mymachines" ]; shadowArray = [ "files" ] ++ optional sssd "sss" @@ -36,6 +41,7 @@ in { options = { # NSS modules. Hacky! + # Only works with nscd! system.nssModules = mkOption { type = types.listOf types.path; internal = true; @@ -55,6 +61,18 @@ in { }; config = { + assertions = [ + { + # generic catch if the NixOS module adding to nssModules does not prevent it with specific message. + assertion = config.system.nssModules.path != "" -> canLoadExternalModules; + message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled."; + } + { + # resolved does not need to add to nssModules, therefore needs an extra assertion + assertion = resolved -> canLoadExternalModules; + message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled."; + } + ]; # Name Service Switch configuration file. Required by the C # library. !!! Factor out the mdns stuff. The avahi module @@ -78,7 +96,7 @@ in { # configured IP addresses, or ::1 and 127.0.0.2 as # fallbacks. Systemd also provides nss-mymachines to return IP # addresses of local containers. - system.nssModules = [ config.systemd.package.out ]; + system.nssModules = optionals canLoadExternalModules [ config.systemd.package.out ]; }; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 59419a5e8c56..d5aa6bedb98d 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -235,16 +235,17 @@ ./services/hardware/udisks2.nix ./services/hardware/upower.nix ./services/hardware/thermald.nix + ./services/logging/SystemdJournal2Gelf.nix ./services/logging/awstats.nix ./services/logging/fluentd.nix ./services/logging/graylog.nix + ./services/logging/heartbeat.nix ./services/logging/journalbeat.nix ./services/logging/klogd.nix ./services/logging/logcheck.nix ./services/logging/logrotate.nix ./services/logging/logstash.nix ./services/logging/rsyslogd.nix - ./services/logging/SystemdJournal2Gelf.nix ./services/logging/syslog-ng.nix ./services/logging/syslogd.nix ./services/mail/dovecot.nix diff --git a/nixos/modules/programs/browserpass.nix b/nixos/modules/programs/browserpass.nix index 2b7ec1856431..a073c7e66eb8 100644 --- a/nixos/modules/programs/browserpass.nix +++ b/nixos/modules/programs/browserpass.nix @@ -6,21 +6,17 @@ with lib; ###### interface options = { - programs.browserpass = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Whether to install the NativeMessaging configuration for installed browsers. - ''; - }; - }; + programs.browserpass.enable = mkEnableOption "the NativeMessaging configuration for Chromium, Chrome, and Vivaldi."; }; ###### implementation config = mkIf config.programs.browserpass.enable { environment.systemPackages = [ pkgs.browserpass ]; - environment.etc."chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json"; - environment.etc."opt/chrome/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json"; + environment.etc = { + "chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json"; + "chromium/policies/managed/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-policy.json"; + "opt/chrome/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json"; + "opt/chrome/policies/managed/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-policy.json"; + }; }; } diff --git a/nixos/modules/services/logging/heartbeat.nix b/nixos/modules/services/logging/heartbeat.nix new file mode 100644 index 000000000000..b595ac07bf5e --- /dev/null +++ b/nixos/modules/services/logging/heartbeat.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.heartbeat; + + heartbeatYml = pkgs.writeText "heartbeat.yml" '' + name: ${cfg.name} + tags: ${builtins.toJSON cfg.tags} + + ${cfg.extraConfig} + ''; + +in +{ + options = { + + services.heartbeat = { + + enable = mkEnableOption "heartbeat"; + + name = mkOption { + type = types.str; + default = "heartbeat"; + description = "Name of the beat"; + }; + + tags = mkOption { + type = types.listOf types.str; + default = []; + description = "Tags to place on the shipped log messages"; + }; + + stateDir = mkOption { + type = types.str; + default = "/var/lib/heartbeat"; + description = "The state directory. heartbeat's own logs and other data are stored here."; + }; + + extraConfig = mkOption { + type = types.lines; + default = '' + heartbeat.monitors: + - type: http + urls: ["http://localhost:9200"] + schedule: '@every 10s' + ''; + description = "Any other configuration options you want to add"; + }; + + }; + }; + + config = mkIf cfg.enable { + + systemd.services.heartbeat = with pkgs; { + description = "heartbeat log shipper"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -p "${cfg.stateDir}"/{data,logs} + chown nobody:nogroup "${cfg.stateDir}"/{data,logs} + ''; + serviceConfig = { + User = "nobody"; + PermissionsStartOnly = true; + AmbientCapabilities = "cap_net_raw"; + ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c \"${heartbeatYml}\" -path.data \"${cfg.stateDir}/data\" -path.logs \"${cfg.stateDir}/logs\""; + }; + }; + }; +} diff --git a/nixos/modules/services/x11/desktop-managers/lumina.nix b/nixos/modules/services/x11/desktop-managers/lumina.nix index ec5fbb13b323..5fe84cfb82ec 100644 --- a/nixos/modules/services/x11/desktop-managers/lumina.nix +++ b/nixos/modules/services/x11/desktop-managers/lumina.nix @@ -33,7 +33,6 @@ in environment.systemPackages = [ pkgs.fluxbox pkgs.libsForQt5.kwindowsystem - pkgs.kdeFrameworks.oxygen-icons5 pkgs.lumina pkgs.numlockx pkgs.qt5.qtsvg diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 59ebb88582ad..3ca679b479a0 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -241,7 +241,7 @@ in description = '' The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM - setups are sypported. The unencrypted devices can be accessed as + setups are supported. The unencrypted devices can be accessed as <filename>/dev/mapper/<replaceable>name</replaceable></filename>. ''; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index f6f2d5dad01c..5239652d4075 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -267,26 +267,36 @@ in mkdir -p /var/lib/xen # so we create them here unconditionally. grep -q control_d /proc/xen/capabilities ''; - serviceConfig.ExecStart = '' - ${cfg.stored}${optionalString cfg.trace " -T /var/log/xen/xenstored-trace.log"} --no-fork - ''; + serviceConfig = if cfg.package.version < "4.8" then + { ExecStart = '' + ${cfg.stored}${optionalString cfg.trace " -T /var/log/xen/xenstored-trace.log"} --no-fork + ''; + } else { + ExecStart = '' + ${cfg.package}/etc/xen/scripts/launch-xenstore + ''; + Type = "notify"; + RemainAfterExit = true; + NotifyAccess = "all"; + }; postStart = '' - time=0 - timeout=30 - # Wait for xenstored to actually come up, timing out after 30 seconds - while [ $time -lt $timeout ] && ! `${cfg.package}/bin/xenstore-read -s / >/dev/null 2>&1` ; do - time=$(($time+1)) - sleep 1 - done - - # Exit if we timed out - if ! [ $time -lt $timeout ] ; then - echo "Could not start Xenstore Daemon" - exit 1 - fi - - ${cfg.package}/bin/xenstore-write "/local/domain/0/name" "Domain-0" - ${cfg.package}/bin/xenstore-write "/local/domain/0/domid" 0 + ${optionalString (cfg.package.version < "4.8") '' + time=0 + timeout=30 + # Wait for xenstored to actually come up, timing out after 30 seconds + while [ $time -lt $timeout ] && ! `${cfg.package}/bin/xenstore-read -s / >/dev/null 2>&1` ; do + time=$(($time+1)) + sleep 1 + done + + # Exit if we timed out + if ! [ $time -lt $timeout ] ; then + echo "Could not start Xenstore Daemon" + exit 1 + fi + ''} + echo "executing xen-init-dom0" + ${cfg.package}/lib/xen/bin/xen-init-dom0 ''; }; @@ -306,6 +316,7 @@ in description = "Xen Console Daemon"; wantedBy = [ "multi-user.target" ]; after = [ "xen-store.service" ]; + requires = [ "xen-store.service" ]; preStart = '' mkdir -p /var/run/xen ${optionalString cfg.trace "mkdir -p /var/log/xen"} @@ -313,7 +324,9 @@ in ''; serviceConfig = { ExecStart = '' - ${cfg.package}/bin/xenconsoled${optionalString cfg.trace " --log=all --log-dir=/var/log/xen"} + ${cfg.package}/bin/xenconsoled\ + ${optionalString ((cfg.package.version >= "4.8")) " -i"}\ + ${optionalString cfg.trace " --log=all --log-dir=/var/log/xen"} ''; }; }; @@ -323,6 +336,7 @@ in description = "Xen Qemu Daemon"; wantedBy = [ "multi-user.target" ]; after = [ "xen-console.service" ]; + requires = [ "xen-store.service" ]; serviceConfig.ExecStart = '' ${cfg.qemu} -xen-attach -xen-domid 0 -name dom0 -M xenpv \ -nographic -monitor /dev/null -serial /dev/null -parallel /dev/null @@ -333,7 +347,7 @@ in systemd.services.xen-watchdog = { description = "Xen Watchdog Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "xen-qemu.service" ]; + after = [ "xen-qemu.service" "xen-domains.service" ]; serviceConfig.ExecStart = "${cfg.package}/bin/xenwatchdogd 30 15"; serviceConfig.Type = "forking"; serviceConfig.RestartSec = "1"; @@ -426,6 +440,7 @@ in description = "Xen domains - automatically starts, saves and restores Xen domains"; wantedBy = [ "multi-user.target" ]; after = [ "xen-bridge.service" "xen-qemu.service" ]; + requires = [ "xen-bridge.service" "xen-qemu.service" ]; ## To prevent a race between dhcpcd and xend's bridge setup script ## (which renames eth* to peth* and recreates eth* as a virtual ## device), start dhcpcd after xend. diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 49ddd95887be..ecbd317cb9a4 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -52,7 +52,7 @@ in rec { (all nixos.tests.firefox) (all nixos.tests.firewall) nixos.tests.gnome3.x86_64-linux # FIXME: i686-linux - (all nixos.tests.installer.zfsroot) + nixos.tests.installer.zfsroot.x86_64-linux # ZFS is 64bit only (all nixos.tests.installer.lvm) (all nixos.tests.installer.luksroot) (all nixos.tests.installer.separateBoot) |