Diffstat (limited to 'nixos')
60 files changed, 1082 insertions, 257 deletions
diff --git a/nixos/doc/manual/development/sources.xml b/nixos/doc/manual/development/sources.xml index f9fadd6bf5ed..3ac07da19f12 100644 --- a/nixos/doc/manual/development/sources.xml +++ b/nixos/doc/manual/development/sources.xml @@ -40,20 +40,22 @@ rebuild everything from source. So you may want to create a local branch based on your current NixOS version: <screen> -$ nixos-version -14.04.273.ea1952b (Baboon) - -$ git checkout -b local ea1952b +$ <replaceable>/my/sources</replaceable>/nixpkgs/maintainers/scripts/update-channel-branches.sh +Fetching channels from https://nixos.org/channels: + * [new branch] cbe467e -> channels/remotes/nixos-unstable +Fetching channels from nixos-version: + * [new branch] 9ff4738 -> channels/current-system +Fetching channels from ~/.nix-defexpr: + * [new branch] 0d4acad -> channels/root/nixos +$ git checkout -b local channels/current-system </screen> Or, to base your local branch on the latest version available in the NixOS channel: <screen> -$ curl -sI https://nixos.org/channels/nixos-unstable/ | grep Location -Location: https://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/ - -$ git checkout -b local acaf4a6 +$ <replaceable>/my/sources</replaceable>/nixpkgs/maintainers/scripts/update-channel-branches.sh +$ git checkout -b local channels/remotes/nixos-unstable </screen> You can then use <command>git rebase</command> to sync your local diff --git a/nixos/doc/manual/release-notes/rl-1412.xml b/nixos/doc/manual/release-notes/rl-1412.xml index 86b11966c76d..324a3e6bdc2f 100644 --- a/nixos/doc/manual/release-notes/rl-1412.xml +++ b/nixos/doc/manual/release-notes/rl-1412.xml 
@@ -6,46 +6,159 @@ <title>Release 14.12 (“Caterpillar”, 2014/12/??)</title> +<para>In addition to numerous new and upgraded packages, this release has the following highlights: + +<itemizedlist> + +<listitem><para>Systemd has been updated to version 217, which has numerous +<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements +.</link></para></listitem> + +<listitem><para><link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165"> +Nix has been updated to 1.8.</link></para></listitem> + +<listitem><para>NixOS is now based on Glibc 2.20.</para></listitem> + +<listitem><para>KDE has been updated to 4.14.</para></listitem> + +<listitem><para>The default Linux kernel has been updated to 3.14.</para></listitem> + +<listitem><para><option>users.mutableUsers</option> set to <literal>true</literal> now respect any changes +made after initial creation of a user or a group. +</para></listitem> + +</itemizedlist></para> + +<para>Following new services were added since the last release: + +<itemizedlist> +<listitem><para>parallels-guest</para></listitem> +<listitem><para>docker</para></listitem> +<listitem><para>lxc</para></listitem> +<listitem><para>openvswitch</para></listitem> +<listitem><para>fluxbox</para></listitem> +<listitem><para>bspwm</para></listitem> +<listitem><para>gdm</para></listitem> +<listitem><para>fcgiwrap</para></listitem> +<listitem><para>peerflix</para></listitem> +<listitem><para>fail2ban</para></listitem> +<listitem><para>chronos</para></listitem> +<listitem><para>znc</para></listitem> +<listitem><para>unifi</para></listitem> +<listitem><para>teamspeak3</para></listitem> +<listitem><para>strongswan</para></listitem> +<listitem><para>seeks</para></listitem> +<listitem><para>radicale</para></listitem> +<listitem><para>prosody</para></listitem> +<listitem><para>polipo</para></listitem> +<listitem><para>openntpd</para></listitem> +<listitem><para>nsd</para></listitem> 
+<listitem><para>mailpile</para></listitem> +<listitem><para>i2pd</para></listitem> +<listitem><para>dnscrypt-proxy</para></listitem> +<listitem><para>consul</para></listitem> +<listitem><para>atftpd</para></listitem> +<listitem><para>scollector</para></listitem> +<listitem><para>collectd</para></listitem> +<listitem><para>bosun</para></listitem> +<listitem><para>riemann</para></listitem> +<listitem><para>zookeeper</para></listitem> +<listitem><para>uhub</para></listitem> +<listitem><para>siproxd</para></listitem> +<listitem><para>redmine</para></listitem> +<listitem><para>phd</para></listitem> +<listitem><para>mesos</para></listitem> +<listitem><para>gitlab</para></listitem> +<listitem><para>gitolite</para></listitem> +<listitem><para>etcd</para></listitem> +<listitem><para>docker-registry</para></listitem> +<listitem><para>cpuminer-cryptonight</para></listitem> +<listitem><para>thermald</para></listitem> +<listitem><para>mlmmj</para></listitem> +<listitem><para>tcsd</para></listitem> +<listitem><para>gnome3.seahorse</para></listitem> +<listitem><para>gnome3.gvfs</para></listitem> +<listitem><para>gnome3.gnome-online-miners</para></listitem> +<listitem><para>gnome3.gnome-documents</para></listitem> +<listitem><para>geoclue2</para></listitem> +<listitem><para>opentsdb</para></listitem> +<listitem><para>neo4j</para></listitem> +<listitem><para>monetdb</para></listitem> +<listitem><para>influxdb</para></listitem> +<listitem><para>hbase</para></listitem> +<listitem><para>torque/mrom</para></listitem> +<listitem><para>torque/server</para></listitem> +<listitem><para>kubernetes</para></listitem> +<listitem><para>fleet</para></listitem> +<listitem><para>crashplan</para></listitem> +<listitem><para>mopidy</para></listitem> +<listitem><para>liquidsoap</para></listitem> +</itemizedlist> +</para> + <para>When upgrading from a previous release, please be aware of the following incompatible changes: <itemizedlist> - <listitem><para>The default version of Apache httpd is now 
2.4. If - you use the <option>extraConfig</option> option to pass literal - Apache configuration text, you may need to update it — see <link - xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s - documentation</link> for details. If you wish to continue to use - httpd 2.2, add the following line to your NixOS configuration: - -<programlisting> -services.httpd.package = pkgs.apacheHttpd_2_2; -</programlisting> - - </para></listitem> - - <listitem><para>PHP 5.3 has been removed because it is no longer - supported by the PHP project. A <link - xlink:href="http://php.net/migration54">migration guide</link> is - available.</para></listitem> - - <listitem><para>The host side of a container virtual Ethernet pair - is now called <literal>ve-<replaceable>container-name</replaceable></literal> - rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem> - - <listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem> - - <listitem><para>The system-wide default timezone for NixOS installations - changed from <literal>CET</literal> to <literal>UTC</literal>. To choose - a different timezone for your system, configure - <literal>time.timeZone</literal> in - <literal>configuration.nix</literal>. A fairly complete list of possible - values for that setting is available at <link - xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</para></listitem> - - <listitem><para>GNU screen has been updated to 4.2.1, which breaks - the ability to connect to sessions created by older versions of - screen.</para></listitem> +<listitem><para>The default version of Apache httpd is now 2.4. If +you use the <option>extraConfig</option> option to pass literal +Apache configuration text, you may need to update it — see <link +xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s +documentation</link> for details. 
If you wish to continue to use +httpd 2.2, add the following line to your NixOS configuration: + +rogramlisting> +rvices.httpd.package = pkgs.apacheHttpd_2_2; +programlisting> + +</para></listitem> + +<listitem><para>PHP 5.3 has been removed because it is no longer +supported by the PHP project. A <link +xlink:href="http://php.net/migration54">migration guide</link> is +available.</para></listitem> + +<listitem><para>The host side of a container virtual Ethernet pair +is now called <literal>ve-<replaceable>container-name</replaceable></literal> +rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem> + +<listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem> + +<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users may be required to run +<command>rm -rf /tmp.vbox*</command>. <literal>imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]</literal> +is no longer necessary, use <literal>services.virtualboxHost.enable = true</literal> instead. +</para> +<para>Also, hardening mode is now enabled by default, which means that unless you want to use +USB support, you no longer need to be a member of the <literal>vboxusers</literal> group. +</para></listitem> + +<listitem><para>Chromium has been updated to 39.0.2171.65. <option>enablePepperPDF</option> is now enabled by default. +<literal>chromium*Wrapper</literal> packages no longer exist, because upstream removed NSAPI support. +<literal>chromium-stable</literal> has been renamed to <literal>chromium</literal>. +</para></listitem> + +<listitem><para>Python packaging documentation is now part of nixpkgs manual. To override +the python packages available to a custom python you now use <literal>pkgs.pythonFull.buildEnv.override</literal> +instead of <literal>pkgs.pythonFull.override</literal>. +</para></listitem> + +<listitem><para><literal>boot.resumeDevice = "8:6"</literal> is no longer supported. 
Most users will +want to leave it undefined, which takes the swap partitions automatically. There is an evaluation +assertion to ensure that the string starts with a slash. +</para></listitem> + +<listitem><para>The system-wide default timezone for NixOS installations +changed from <literal>CET</literal> to <literal>UTC</literal>. To choose +a different timezone for your system, configure +<literal>time.timeZone</literal> in +<literal>configuration.nix</literal>. A fairly complete list of possible +values for that setting is available at <link +xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</para></listitem> + +<listitem><para>GNU screen has been updated to 4.2.1, which breaks +the ability to connect to sessions created by older versions of +screen.</para></listitem> </itemizedlist> diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 0fa00637a93a..08adcf3a0078 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -11,15 +11,16 @@ , prefix ? [] }: -let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system; in - -rec { +let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system; + extraModules = let e = builtins.getEnv "NIXOS_EXTRA_MODULE_PATH"; + in if e == "" then [] else [(import (builtins.toPath e))]; +in rec { # Merge the option definitions in all modules, forming the full # system configuration. inherit (pkgs.lib.evalModules { inherit prefix; - modules = modules ++ baseModules; + modules = modules ++ extraModules ++ baseModules; args = extraArgs; check = check && options.environment.checkConfigurationOptions.value; }) config options; diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 1777c200dd11..7693bd5bb453 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -16,7 +16,6 @@ let [ p.mesa_drivers p.mesa_noglu # mainly for libGL (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc) - p.udev ]; }; 
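Review bot: The new `extraModules` binding imports whatever path `NIXOS_EXTRA_MODULE_PATH` names without checking that the file exists, and `builtins.toPath` rejects a relative value, so a stale or relative variable turns every evaluation into a hard failure whose message points nowhere near the cause. It also makes the resulting system configuration depend on the evaluator's environment, and nothing in this diff documents the variable. A comment on the binding would help, e.g. `# NIXOS_EXTRA_MODULE_PATH: absolute path of one extra module file that is imported into every evaluation (development hook, not part of the configuration).`, and a `builtins.pathExists e` guard, or an explicit `throw` naming the variable, would make the failure mode obvious.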
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index a7333fbd541d..9dfc322b9f74 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -30,8 +30,7 @@ while [ "$#" -gt 0 ]; do case "$i" in -I) given_path="$1"; shift 1 - absolute_path=$(readlink -m $given_path) - extraBuildFlags+=("$i" "/mnt$absolute_path") + extraBuildFlags+=("$i" "$given_path") ;; --root) mountPoint="$1"; shift 1 @@ -250,7 +249,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate # Ask the user to set a root password. -if [ -t 0 ] ; then +if [ "$(chroot $mountPoint nix-instantiate --eval '<nixos>' -A config.users.mutableUsers)" = true ] && [ -t 0 ] ; then echo "setting root password..." chroot $mountPoint /var/setuid-wrappers/passwd fi diff --git a/nixos/modules/installer/tools/nixos-option.sh b/nixos/modules/installer/tools/nixos-option.sh index 96d09c3a6058..17c17d05e288 100644 --- a/nixos/modules/installer/tools/nixos-option.sh +++ b/nixos/modules/installer/tools/nixos-option.sh @@ -13,6 +13,7 @@ usage () { xml=false verbose=false +nixPath="" option="" @@ -26,6 +27,7 @@ for arg; do while test "$sarg" != "-"; do case $sarg in --*) longarg=$arg; sarg="--";; + -I) argfun="include_nixpath";; -*) usage;; esac # remove the first letter option @@ -53,6 +55,9 @@ for arg; do var=$(echo $argfun | sed 's,^set_,,') eval $var=$arg ;; + include_nixpath) + nixPath="-I $arg $nixPath" + ;; esac argfun="" fi 
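Review bot: In the second hunk the root-password prompt is now skipped whenever the `nix-instantiate` command substitution yields anything other than `true`, including when it fails outright, so an evaluation error (or `<nixos>` not resolving inside the chroot, since the `-I` flags collected in `extraBuildFlags` are not passed to this call) silently leaves the installed system without a root password being set. Capture the result and fall back to prompting when the evaluation does not succeed: `mutableUsers=$(chroot $mountPoint nix-instantiate --eval '<nixos>' -A config.users.mutableUsers) || mutableUsers=true` followed by `if [ "$mutableUsers" = true ] && [ -t 0 ] ; then`. The first hunk stops rewriting `-I` paths under `/mnt`; I cannot tell from the hunk whether the consumers of `extraBuildFlags` run inside or outside the chroot, so a comment on the `-I)` case stating which side the path is resolved on would prevent the next regression.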
@@ -69,18 +74,114 @@ fi ############################# evalNix(){ - nix-instantiate - --eval-only "$@" + result=$(nix-instantiate ${nixPath:+$nixPath} - --eval-only "$@" 2>&1) + if test $? -eq 0; then + cat <<EOF +$result +EOF + return 0; + else + sed -n ' + /^error/ { s/, at (string):[0-9]*:[0-9]*//; p; }; + /^warning: Nix search path/ { p; }; +' <<EOF +$result +EOF + return 1; + fi +} + +header="let + nixos = import <nixpkgs/nixos> {}; + nixpkgs = import <nixpkgs> {}; +in with nixpkgs.lib; +" + +# This function is used for converting the option definition path given by +# the user into accessors for reaching the definition and the declaration +# corresponding to this option. +generateAccessors(){ + if result=$(evalNix --strict --show-trace <<EOF +$header + +let + path = "${option:+$option}"; + pathList = splitString "." path; + + walkOptions = attrsNames: result: + if attrsNames == [] then + result + else + let name = head attrsNames; rest = tail attrsNames; in + if isOption result.options then + walkOptions rest { + options = result.options.type.getSubOptions ""; + opt = ''(\${result.opt}.type.getSubOptions "")''; + cfg = ''\${result.cfg}."\${name}"''; + } + else + walkOptions rest { + options = result.options.\${name}; + opt = ''\${result.opt}."\${name}"''; + cfg = ''\${result.cfg}."\${name}"''; + } + ; + + walkResult = (if path == "" then x: x else walkOptions pathList) { + options = nixos.options; + opt = ''nixos.options''; + cfg = ''nixos.config''; + }; + +in + ''let option = \${walkResult.opt}; config = \${walkResult.cfg}; in'' +EOF +) + then + echo $result + else + # In case of error we want to ignore the error message roduced by the + # script above, as it is iterating over each attribute, which does not + # produce a nice error message. The following code is a fallback + # solution which is cause a nicer error message in the next + # evaluation. 
+ echo "\"let option = nixos.options${option:+.$option}; config = nixos.config${option:+.$option}; in\"" + fi } +header="$header +$(eval echo $(generateAccessors)) +" + evalAttr(){ local prefix="$1" local strict="$2" local suffix="$3" - echo "(import <nixos> {}).$prefix${option:+.$option}${suffix:+.$suffix}" | evalNix ${strict:+--strict} + + # If strict is set, then set it to "true". + test -n "$strict" && strict=true + + evalNix ${strict:+--strict} <<EOF +$header + +let + value = $prefix${suffix:+.$suffix}; + strict = ${strict:-false}; + cleanOutput = x: with nixpkgs.lib; + if isDerivation x then x.outPath + else if isFunction x then "<CODE>" + else if strict then + if isAttrs x then mapAttrs (n: cleanOutput) x + else if isList x then map cleanOutput x + else x + else x; +in + cleanOutput value +EOF } evalOpt(){ - evalAttr "options" "" "$@" + evalAttr "option" "" "$@" } evalCfg(){ @@ -90,8 +191,11 @@ evalCfg(){ findSources(){ local suffix=$1 - echo "(import <nixos> {}).options${option:+.$option}.$suffix" | - evalNix --strict + evalNix --strict <<EOF +$header + +option.$suffix +EOF } # Given a result from nix-instantiate, recover the list of attributes it @@ -121,13 +225,12 @@ nixMap() { # the output of nixos-option with other tools such as nixos-gui. if $xml; then evalNix --xml --no-location <<EOF +$header + let - reach = attrs: attrs${option:+.$option}; - nixos = import <nixos> {}; - nixpkgs = import <nixpkgs> {}; sources = builtins.map (f: f.source); - opt = reach nixos.options; - cfg = reach nixos.config; + opt = option; + cfg = config; in with nixpkgs.lib; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 3bb7fdb9b2d6..1ca15053b123 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -173,6 +173,8 @@ peerflix = 163; chronos = 164; gitlab = 165; + tox-bootstrapd = 166; + cadvisor = 167; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! 
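Review bot: `header` is rebuilt with `eval echo $(generateAccessors)`, and both branches of `generateAccessors` embed the raw `$option` argument (the success branch into a Nix string literal, the fallback into a double-quoted shell string), so an option name containing quotes or shell metacharacters is interpreted as shell and Nix code rather than as an attribute path; the script runs as the invoking user, so this is a robustness problem rather than a privilege boundary, but it is fragile. Validating the argument once where `option` is assigned, with a whitelist such as `case $option in *[!A-Za-z0-9_.-]*) echo "invalid option name: $option" >&2; exit 1;; esac`, removes the need for `eval` to be trusted with user text. The unquoted `echo $result` in the same function also word-splits and glob-expands the evaluated accessor string; `printf '%s\n' "$result"` preserves it. `nixPath` is deliberately left unquoted in `evalNix` so that `-I path` splits into two words, which deserves a comment since it also means directories containing spaces cannot be passed.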
@@ -272,6 +274,7 @@ jenkins = 109; systemd-journal-gateway = 110; notbit = 111; + btsync = 113; monetdb = 115; foundationdb = 118; newrelic = 119; diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index f4271cea853b..5afdcf214f27 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -53,7 +53,7 @@ with lib; mkDefault (if pathExists fn then readFile fn else "master"); # Note: code names must only increase in alphabetical order. - system.nixosCodeName = "Caterpillar"; + system.nixosCodeName = "Dingo"; # Generate /etc/os-release. See # http://0pointer.de/public/systemd-man/os-release.html for the diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2cee8cb502aa..503dd87ad4d9 100755 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -197,6 +197,7 @@ ./services/misc/zookeeper.nix ./services/monitoring/apcupsd.nix ./services/monitoring/bosun.nix + ./services/monitoring/cadvisor.nix ./services/monitoring/collectd.nix ./services/monitoring/dd-agent.nix ./services/monitoring/graphite.nix @@ -286,6 +287,7 @@ ./services/networking/tcpcrypt.nix ./services/networking/teamspeak3.nix ./services/networking/tftpd.nix + ./services/networking/tox-bootstrapd.nix ./services/networking/unbound.nix ./services/networking/unifi.nix ./services/networking/vsftpd.nix @@ -307,8 +309,10 @@ ./services/security/fprot.nix ./services/security/frandom.nix ./services/security/haveged.nix + ./services/security/torify.nix ./services/security/tor.nix ./services/security/torsocks.nix + ./services/system/cloud-init.nix ./services/system/dbus.nix ./services/system/kerberos.nix ./services/system/nscd.nix diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 03899425da5d..c5c0f9d01215 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix 
@@ -105,7 +105,7 @@ in }; enableCompletion = mkOption { - default = true; + default = false; description = '' Enable Bash completion for all interactive bash shells. ''; diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index c9bfe2fe0f70..796740ea636a 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -61,7 +61,8 @@ in agentTimeout = mkOption { type = types.nullOr types.string; - default = "1h"; + default = null; + example = "1h"; description = '' How long to keep the private keys in memory. Use null to keep them forever. ''; diff --git a/nixos/modules/programs/virtualbox-host.nix b/nixos/modules/programs/virtualbox-host.nix index c6abc9ddf894..fc113a08a356 100644 --- a/nixos/modules/programs/virtualbox-host.nix +++ b/nixos/modules/programs/virtualbox-host.nix @@ -35,7 +35,7 @@ in enableHardening = mkOption { type = types.bool; - default = false; + default = true; description = '' Enable hardened VirtualBox, which ensures that only the binaries in the system path get access to the devices exposed by the kernel modules @@ -54,23 +54,21 @@ in boot.extraModulePackages = [ virtualbox ]; environment.systemPackages = [ virtualbox ]; - warnings = mkIf (!cfg.enableHardening) (singleton ( - "Hardening is currently disabled for VirtualBox, because of some " + - "issues in conjunction with host-only-interfaces. If you don't use " + - "hostonlyifs, it's strongly recommended to set " + - "`services.virtualboxHost.enableHardening = true'!" - )); - security.setuidOwners = let - mkVboxStub = program: { + mkSuid = program: { inherit program; + source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "vboxusers"; setuid = true; }; - in mkIf cfg.enableHardening (map mkVboxStub [ + in mkIf cfg.enableHardening (map mkSuid [ "VBoxHeadless" + "VBoxNetAdpCtl" + "VBoxNetDHCP" + "VBoxNetNAT" "VBoxSDL" + "VBoxVolInfo" "VirtualBox" ]); 
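Review bot: Changing `agentTimeout` from `"1h"` to `null` makes the SSH agent keep decrypted private keys in memory indefinitely by default, a weaker posture than before, and the release notes updated elsewhere in this commit do not mention it. The option description should state the new default explicitly, e.g. `Defaults to null, i.e. keys are kept until the agent exits; set a duration such as "1h" to have them expire.`, and the 14.12 release notes should say that users relying on the previous expiry now have to configure it themselves.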
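Review bot: Enabling hardening by default also expands the set of root-setuid wrappers available to the `vboxusers` group from three to seven (`VBoxNetAdpCtl`, `VBoxNetDHCP`, `VBoxNetNAT` and `VBoxVolInfo` are new) without a comment on why each one needs to run setuid, and no `mode` is given, so whatever default the wrapper generator applies decides who may execute them. A short comment above `mkSuid` stating the reason and the gate, e.g. `# Hardened VirtualBox only accepts helpers installed setuid root; execution is restricted to members of vboxusers.`, would let the next reader audit the list. The release note in this commit says `vboxusers` membership is now only needed for USB; if that is accurate, it is worth documenting here how that squares with the group restriction on these wrappers.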
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 9893e63fb24f..0e3a54325cad 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -110,7 +110,7 @@ in default = false; description = '' Print the contents of <literal>/etc/motd</literal> to screen - after a succesful login. + after a successful login. ''; }; @@ -145,7 +145,7 @@ in When $DUO_PASSCODE is non-empty, it will override autopush. The SSH client will need SendEnv DUO_PASSCODE in - its configuration, and the SSH server will similarily need + its configuration, and the SSH server will similarly need AcceptEnv DUO_PASSCODE. ''; }; diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index cbad94007088..5c8c49939510 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -38,7 +38,7 @@ in type = types.bool; default = false; description = '' - Enable the testing grsecurity patch, based on Linux 3.17. + Enable the testing grsecurity patch, based on Linux 3.18. ''; }; @@ -227,7 +227,7 @@ in message = '' If grsecurity is enabled, you must select either the stable patch (with kernel 3.14), or the testing patch (with - kernel 3.17) to continue. + kernel 3.18) to continue. ''; } { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable); diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 4c6a1c26426e..d42a8c7f7d29 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -64,7 +64,7 @@ in security.sudo.configFile = '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ - # and security.sudo.extraConfig instead. + # or ‘security.sudo.extraConfig’ instead. # Environment variables to keep for root and %wheel. Defaults:root,%wheel env_keep+=TERMINFO_DIRS 
@@ -90,11 +90,10 @@ in environment.etc = singleton { source = pkgs.runCommand "sudoers" - {src = pkgs.writeText "sudoers-in" cfg.configFile; } + { src = pkgs.writeText "sudoers-in" cfg.configFile; } # Make sure that the sudoers file is syntactically valid. # (currently disabled - NIXOS-66) - "${pkgs.sudo}/sbin/visudo -f $src -c && - cp $src $out"; + "${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out"; target = "sudoers"; mode = "0440"; }; diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index e6b525c4b1ba..eab7993387de 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -15,7 +15,6 @@ let state_file "${cfg.dataDir}/state" sticker_file "${cfg.dataDir}/sticker.sql" log_file "syslog" - user "mpd" ${if cfg.network.host != "any" then "bind_to_address ${cfg.network.host}" else ""} ${if cfg.network.port != 6600 then @@ -99,6 +98,9 @@ in { path = [ pkgs.mpd ]; preStart = "mkdir -p ${cfg.dataDir} && chown -R mpd:mpd ${cfg.dataDir}"; script = "exec mpd --no-daemon ${mpdConf}"; + serviceConfig = { + User = "mpd"; + }; }; users.extraUsers.mpd = { diff --git a/nixos/modules/services/mail/mlmmj.nix b/nixos/modules/services/mail/mlmmj.nix index 637974f05cd1..db3a266d011f 100644 --- a/nixos/modules/services/mail/mlmmj.nix +++ b/nixos/modules/services/mail/mlmmj.nix @@ -90,7 +90,7 @@ in enable = true; recipientDelimiter= "+"; extraMasterConf = '' - mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-recieve -F -L ${spoolDir}/$nextHop + mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L ${spoolDir}/$nextHop ''; extraAliases = concatMapStrings (alias cfg.listDomain) cfg.mailLists; diff --git a/nixos/modules/services/misc/mesos-slave.nix b/nixos/modules/services/misc/mesos-slave.nix index d89531f7e909..26fb3fdb00c9 100644 --- a/nixos/modules/services/misc/mesos-slave.nix +++ b/nixos/modules/services/misc/mesos-slave.nix 
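Review bot: The comment kept by this hunk says the syntax check is `(currently disabled - NIXOS-66)`, yet the reformatted command does run `visudo -f $src -c` and only copies the file when that succeeds, so the comment contradicts the code directly beneath it. Reword it so a reader knows the check is live, e.g. `# Syntax-check the sudoers file with visudo and only install it if the check passes (NIXOS-66).`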
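Review bot: Adding `serviceConfig.User = "mpd"` also makes the existing `preStart` run as `mpd`, because `ExecStartPre` inherits `User=` unless `PermissionsStartOnly = true` is set; the `mkdir -p ${cfg.dataDir} && chown -R mpd:mpd ${cfg.dataDir}` step then fails whenever the data directory's parent is not writable by `mpd` or the directory already contains files owned by another user. Add `PermissionsStartOnly = true;` next to `User = "mpd";`, as `mesos-slave.nix` does elsewhere in this diff, so the setup step keeps running as root while the daemon itself drops to `mpd`. Letting systemd switch users instead of the `user "mpd"` directive in the generated config is otherwise the right direction.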
@@ -5,6 +5,13 @@ with lib; let cfg = config.services.mesos.slave; + mkAttributes = + attrs: concatStringsSep ";" (mapAttrsToList + (k: v: "${k}:${v}") + (filterAttrs (k: v: v != null) attrs)); + attribsArg = optionalString (cfg.attributes != {}) + "--attributes=${mkAttributes cfg.attributes}"; + in { options.services.mesos = { @@ -31,9 +38,9 @@ in { }; withHadoop = mkOption { - description = "Add the HADOOP_HOME to the slave."; - default = false; - type = types.bool; + description = "Add the HADOOP_HOME to the slave."; + default = false; + type = types.bool; }; workDir = mkOption { @@ -44,10 +51,10 @@ in { extraCmdLineOptions = mkOption { description = '' - Extra command line options for Mesos Slave. + Extra command line options for Mesos Slave. - See https://mesos.apache.org/documentation/latest/configuration/ - ''; + See https://mesos.apache.org/documentation/latest/configuration/ + ''; default = [ "" ]; type = types.listOf types.string; example = [ "--gc_delay=3days" ]; @@ -62,6 +69,19 @@ in { type = types.str; }; + attributes = mkOption { + description = '' + Machine attributes for the slave instance. + + Use caution when changing this; you may need to manually reset slave + metadata before the slave can re-register. + ''; + default = {}; + type = types.attrsOf types.str; + example = { rack = "aa"; + host = "aabc123"; + os = "nixos"; }; + }; }; }; 
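Review bot: `mkAttributes` splices each value unquoted into the `--attributes=` argument that the `ExecStart` hunk further down passes to `mesos-slave`, so a value containing whitespace is split into separate command-line words by systemd, and because `;` is the separator the function itself emits, a value containing it corrupts the list. The option type is `attrsOf types.str`, which also makes the `v != null` filter dead code. Neither restriction is visible to users, so document it in the option description, e.g. `Keys and values are passed verbatim; they must not contain whitespace, ':' or ';'.`, or reject such values with an assertion.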
@@ -74,20 +94,21 @@ in { after = [ "network-interfaces.target" ]; environment.MESOS_CONTAINERIZERS = "docker,mesos"; serviceConfig = { - ExecStart = '' - ${pkgs.mesos}/bin/mesos-slave \ - --port=${toString cfg.port} \ - --master=${cfg.master} \ - ${optionalString cfg.withHadoop "--hadoop-home=${pkgs.hadoop}"} \ - --work_dir=${cfg.workDir} \ - --logging_level=${cfg.logLevel} \ - --docker=${pkgs.docker}/libexec/docker/docker \ - ${toString cfg.extraCmdLineOptions} - ''; - PermissionsStartOnly = true; + ExecStart = '' + ${pkgs.mesos}/bin/mesos-slave \ + --port=${toString cfg.port} \ + --master=${cfg.master} \ + ${optionalString cfg.withHadoop "--hadoop-home=${pkgs.hadoop}"} \ + ${attribsArg} \ + --work_dir=${cfg.workDir} \ + --logging_level=${cfg.logLevel} \ + --docker=${pkgs.docker}/libexec/docker/docker \ + ${toString cfg.extraCmdLineOptions} + ''; + PermissionsStartOnly = true; }; preStart = '' - mkdir -m 0700 -p ${cfg.workDir} + mkdir -m 0700 -p ${cfg.workDir} ''; }; }; diff --git a/nixos/modules/services/misc/synergy.nix b/nixos/modules/services/misc/synergy.nix index 271968f48b8a..054df965347d 100644 --- a/nixos/modules/services/misc/synergy.nix +++ b/nixos/modules/services/misc/synergy.nix @@ -86,7 +86,7 @@ in systemd.services."synergy-client" = { after = [ "network.target" ]; description = "Synergy client"; - wantedBy = [ "multi-user.target" ]; + wantedBy = optional cfgC.autoStart "multi-user.target"; path = [ pkgs.synergy ]; serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergyc -f ${optionalString (cfgC.screenName != "") "-n ${cfgC.screenName}"} ${cfgC.serverAddress}''; }; 
@@ -95,7 +95,7 @@ in systemd.services."synergy-server" = { after = [ "network.target" ]; description = "Synergy server"; - wantedBy = [ "multi-user.target" ]; + wantedBy = optional cfgS.autoStart "multi-user.target"; path = [ pkgs.synergy ]; serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergys -c ${cfgS.configFile} -f ${optionalString (cfgS.address != "") "-a ${cfgS.address}"} ${optionalString (cfgS.screenName != "") "-n ${cfgS.screenName}" }''; }; diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix new file mode 100644 index 000000000000..0a06291da2a4 --- /dev/null +++ b/nixos/modules/services/monitoring/cadvisor.nix 
@@ -0,0 +1,106 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.cadvisor; + +in { + options = { + services.cadvisor = { + enable = mkOption { + default = false; + type = types.bool; + description = "Whether to enable cadvisor service."; + }; + + host = mkOption { + default = "127.0.0.1"; + type = types.str; + description = "Cadvisor listening host"; + }; + + port = mkOption { + default = 8080; + type = types.int; + description = "Cadvisor listening port"; + }; + + storageDriver = mkOption { + default = null; + type = types.nullOr types.str; + example = "influxdb"; + description = "Cadvisor storage driver."; + }; + + storageDriverHost = mkOption { + default = "localhost:8086"; + type = types.str; + description = "Cadvisor storage driver host."; + }; + + storageDriverDb = mkOption { + default = "root"; + type = types.str; + description = "Cadvisord storage driver database name."; + }; + + storageDriverUser = mkOption { + default = "root"; + type = types.str; + description = "Cadvisor storage driver username."; + }; + + storageDriverPassword = mkOption { + default = "root"; + type = types.str; + description = "Cadvisor storage driver password."; + }; + + storageDriverSecure = mkOption { + default = false; + type = types.bool; + description = "Cadvisor storage driver, enable secure communication."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.cadvisor = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "docker.service" "influxdb.service" ]; + + postStart = mkBefore '' + until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.host}:${toString cfg.port}/containers/'; do + sleep 1; + done + ''; + + serviceConfig = { + ExecStart = ''${pkgs.cadvisor}/bin/cadvisor \ + -logtostderr=true \ + -listen_ip=${cfg.host} \ + -port=${toString cfg.port} \ + ${optionalString (cfg.storageDriver != null) '' + -storage_driver ${cfg.storageDriver} \ + -storage_driver_user ${cfg.storageDriverHost} \ + -storage_driver_db 
${cfg.storageDriverDb} \ + -storage_driver_user ${cfg.storageDriverUser} \ + -storage_driver_password ${cfg.storageDriverPassword} \ + ${optionalString cfg.storageDriverSecure "-storage_driver_secure"} + ''} + ''; + User = "cadvisor"; + }; + }; + + virtualisation.docker.enable = true; + + users.extraUsers = singleton { + name = "cadvisor"; + uid = config.ids.uids.cadvisor; + description = "Cadvisor user"; + extraGroups = [ "docker" ]; + }; + }; +} diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index aab1c4b75efb..8558c4ff8e48 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -34,7 +34,7 @@ let cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) wrapProgram $file \ - --set PATH "/run/current-system/sw/bin:/run/current-system/sw/sbin" \ + --set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" \ --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ --set MUNIN_PLUGSTATE "/var/run/munin" @@ -194,7 +194,7 @@ in mkdir -p /etc/munin/plugins rm -rf /etc/munin/plugins/* - PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; diff --git a/nixos/modules/services/monitoring/statsd.nix b/nixos/modules/services/monitoring/statsd.nix index 942ce72f6a36..7d7ca27bb2f0 100644 --- a/nixos/modules/services/monitoring/statsd.nix 
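Review bot: The `ExecStart` passes the storage-driver host as `-storage_driver_user ${cfg.storageDriverHost}`, so that flag appears twice and the host is never sent; the first occurrence should read `-storage_driver_host ${cfg.storageDriverHost} \`. Separately, `storageDriverPassword` ends up both on the running process's command line and in the unit file in the Nix store, each readable by every local user; if the driver can take the credential from a file or the environment, prefer that, and in any case say so in the option description (`Warning: this value is world-readable in the Nix store and in the process list.`). The `postStart` loop has no upper bound and will spin until systemd's start timeout expires if cAdvisor never answers, which deserves a comment, and the service user is added to the `docker` group, which generally amounts to root-equivalent access through the Docker socket, so the module description should state that trade-off.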
+++ b/nixos/modules/services/monitoring/statsd.nix @@ -53,7 +53,7 @@ in }; mgmt_address = mkOption { - description = "Address to run managment TCP interface on"; + description = "Address to run management TCP interface on"; default = "127.0.0.1"; type = types.str; }; @@ -65,7 +65,7 @@ in }; backends = mkOption { - description = "List of backends statsd will use for data persistance"; + description = "List of backends statsd will use for data persistence"; default = ["graphite"]; example = ["graphite" pkgs.nodePackages."statsd-influxdb-backend"]; type = types.listOf (types.either types.str types.package); diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix index 9b317e968849..33b7ec3d9f1c 100644 --- a/nixos/modules/services/network-filesystems/nfsd.nix +++ b/nixos/modules/services/network-filesystems/nfsd.nix @@ -61,7 +61,7 @@ in default = null; example = 4002; description = '' - Use fixed port for rpc.mountd, usefull if server is behind firewall. + Use fixed port for rpc.mountd, useful if server is behind firewall. ''; }; diff --git a/nixos/modules/services/network-filesystems/rsyncd.nix b/nixos/modules/services/network-filesystems/rsyncd.nix index 19aa7efd2ff4..2018bfa14a57 100644 --- a/nixos/modules/services/network-filesystems/rsyncd.nix +++ b/nixos/modules/services/network-filesystems/rsyncd.nix 
@@ -6,113 +6,84 @@ let cfg = config.services.rsyncd; - motdFile = pkgs.writeText "rsyncd-motd" cfg.motd; - - rsyncdCfg = "" - + optionalString (cfg.motd != "") "motd file = ${motdFile}\n" - + optionalString (cfg.address != "") "address = ${cfg.address}\n" - + optionalString (cfg.port != 873) "port = ${toString cfg.port}\n" - + cfg.extraConfig - + "\n" - + flip concatMapStrings cfg.modules (m: "[${m.name}]\n\tpath = ${m.path}\n" - + optionalString (m.comment != "") "\tcomment = ${m.comment}\n" - + m.extraConfig - + "\n" - ); - - rsyncdCfgFile = pkgs.writeText "rsyncd.conf" rsyncdCfg; - + motdFile = builtins.toFile "rsyncd-motd" cfg.motd; + + moduleConfig = name: + let module = getAttr name cfg.modules; in + "[${name}]\n " + (toString ( + map + (key: "${key} = ${toString (getAttr key module)}\n") + (attrNames module) + )); + + cfgFile = builtins.toFile "rsyncd.conf" + '' + ${optionalString (cfg.motd != "") "motd file = ${motdFile}"} + ${optionalString (cfg.address != "") "address = ${cfg.address}"} + ${optionalString (cfg.port != 873) "port = ${toString cfg.port}"} + ${cfg.extraConfig} + ${toString (map moduleConfig (attrNames cfg.modules))} + ''; in { options = { - services.rsyncd = { enable = mkOption { default = false; - description = "Whether to enable the rsync daemon."; + description = "Whether to enable the rsync daemon."; }; motd = mkOption { type = types.string; default = ""; - description = '' - Message of the day to display to clients on each connect. - This usually contains site information and any legal notices. - ''; + description = '' + Message of the day to display to clients on each connect. + This usually contains site information and any legal notices. 
+ ''; }; port = mkOption { default = 873; - type = types.int; - description = "TCP port the daemon will listen on."; + type = types.int; + description = "TCP port the daemon will listen on."; }; address = mkOption { default = ""; - example = "192.168.1.2"; - description = '' - IP address the daemon will listen on; rsyncd will listen on - all addresses if this is not specified. - ''; + example = "192.168.1.2"; + description = '' + IP address the daemon will listen on; rsyncd will listen on + all addresses if this is not specified. + ''; }; extraConfig = mkOption { type = types.lines; - default = ""; - description = '' - Lines of configuration to add to rsyncd globally. - See <literal>man rsyncd.conf</literal> for more options. - ''; + default = ""; + description = '' + Lines of configuration to add to rsyncd globally. + See <command>man rsyncd.conf</command> for options. + ''; }; modules = mkOption { - default = [ ]; - example = [ - { name = "ftp"; - path = "/home/ftp"; - comment = "ftp export area"; - extraConfig = '' - secrets file = /etc/rsyncd.secrets - ''; - } - ]; - description = "The list of file paths to export."; - type = types.listOf types.optionSet; - - options = { - - name = mkOption { - example = "ftp"; - type = types.string; - description = "Name of export module."; - }; - - comment = mkOption { - default = ""; - description = '' - Description string that is displayed next to the module name - when clients obtain a list of available modules. - ''; - }; - - path = mkOption { - example = "/home/ftp"; - type = types.string; - description = "Directory to make available in this module."; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Lines of configuration to add to this module. - See <literal>man rsyncd.conf</literal> for more options. - ''; + default = {}; + description = '' + A set describing exported directories. + See <command>man rsyncd.conf</command> for options. 
+ ''; + type = types.attrsOf (types.attrsOf types.str); + example = + { srv = + { path = "/srv"; + "read only" = "yes"; + comment = "Public rsync share."; + }; }; - }; }; + }; }; @@ -120,20 +91,16 @@ in config = mkIf cfg.enable { - environment.etc = singleton - { source = rsyncdCfgFile; + environment.etc = singleton { + source = cfgFile; target = "rsyncd.conf"; }; systemd.services.rsyncd = { description = "Rsync daemon"; wantedBy = [ "multi-user.target" ]; - - path = [ pkgs.rsync ]; - serviceConfig.ExecStart = "${pkgs.rsync}/bin/rsync --daemon --no-detach"; }; - networking.firewall.allowedTCPPorts = [ cfg.port ]; }; } diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index fd1e83d9f3e7..1199fa316f91 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -27,6 +27,14 @@ let mkdir -p ${privateDir} ''; + shareConfig = name: + let share = getAttr name cfg.shares; in + "[${name}]\n " + (toString ( + map + (key: "${key} = ${toString (getAttr key share)}\n") + (attrNames share) + )); + configFile = pkgs.writeText "smb.conf" (if cfg.configText != null then cfg.configText else '' @@ -36,6 +44,8 @@ let ${optionalString cfg.syncPasswordsByPam "pam password change = true"} ${cfg.extraConfig} + + ${toString (map shareConfig (attrNames cfg.shares))} ''); # This may include nss_ldap, needed for samba if it has to use ldap. @@ -159,6 +169,23 @@ in ''; }; + shares = mkOption { + default = {}; + description = + '' + A set describing shared resources. + See <command>man smb.conf</command> for options. + ''; + type = types.attrsOf (types.attrsOf types.str); + example = + { srv = + { path = "/srv"; + "read only" = "yes"; + comment = "Public samba share."; + }; + }; + }; + }; }; diff --git a/nixos/modules/services/networking/btsync.nix b/nixos/modules/services/networking/btsync.nix index 7ddc9e1045e4..34bddf908731 100644 
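Review bot: The `modules` option changes shape from a list of `{ name; path; comment; extraConfig; }` sets to `types.attrsOf (types.attrsOf types.str)`, so every existing configuration using the old list form now fails at evaluation with a type error that says nothing about the migration, and nothing in this diff records the change. A sentence in the option description, `Attribute names are the module names; this option used to be a list of sets with a name attribute.`, or an assertion with a migration message would ease the transition. Note also that `moduleConfig` joins the per-key lines with `toString`, which inserts a space before every line after the first; rsyncd.conf tolerates leading whitespace, but `concatStrings` would produce the layout the `"[${name}]\n "` prefix seems to aim for.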
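Review bot: The line `networking.firewall.allowedTCPPorts = [ cfg.port ];` is dropped on the new side, so enabling the daemon no longer opens its port in the firewall; not opening ports implicitly is the safer default, but it is an unannounced behavior change for existing users whose modules silently become unreachable. The `port` option description in the first hunk should state it, e.g. `TCP port the daemon will listen on. The port is not opened in the firewall automatically; add it to networking.firewall.allowedTCPPorts if remote access is wanted.`, and the release notes should mention it.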
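Review bot: The new `shares` option has no effect when `configText` is set, because the `${toString (map shareConfig (attrNames cfg.shares))}` expansion in the second samba.nix hunk sits inside the `else` branch of `if cfg.configText != null`, and nothing warns the user. Either add an assertion or say so in the option description: `Ignored when configText is set.`. `shareConfig` is also a line-for-line copy of `moduleConfig` in rsyncd.nix from this same diff; a shared helper would avoid two diverging renderings of the same INI format.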
--- a/nixos/modules/services/networking/btsync.nix +++ b/nixos/modules/services/networking/btsync.nix @@ -88,7 +88,7 @@ in use <literal>systemctl start btsync@user</literal> to start the daemon only for user <literal>user</literal>, using the configuration file located at - <literal>$HOME/.config/btsync.conf</literal> + <literal>$HOME/.config/btsync.conf</literal>. ''; }; @@ -223,6 +223,21 @@ in --generate-secret</literal>. Note that this secret will be put inside the Nix store, so it is realistically not very secret. + + If you would like to be able to modify the contents of this + directories, it is recommended that you make your user a + member of the <literal>btsync</literal> group. + + Directories in this list should be in the + <literal>btsync</literal> group, and that group must have + write access to the directory. It is also recommended that + <literal>chmod g+s</literal> is applied to the directory + so that any sub directories created will also belong to + the <literal>btsync</literal> group. Also, + <literal>setfacl -d -m group:btsync:rwx</literal> and + <literal>setfacl -m group:btsync:rwx</literal> should also + be applied so that the sub directories are writable by + the group. ''; }; }; @@ -246,14 +261,20 @@ in home = "/var/lib/btsync"; createHome = true; uid = config.ids.uids.btsync; + group = "btsync"; }; + users.extraGroups = [ + { name = "btsync"; + }]; + systemd.services.btsync = with pkgs; { description = "Bittorrent Sync Service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { Restart = "on-abort"; + UMask = "0002"; User = "btsync"; ExecStart = "${bittorrentSync}/bin/btsync --nodaemon --config ${configFile}"; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index c5f5bd79c1a9..b2d5854fbc0c 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix 
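Review bot: `UMask = "0002";` applies to every file the daemon creates, not only to the shared directories, so state written under `/var/lib/btsync` (the service user's `home`, created with `createHome = true`) presumably also becomes group-writable, while the same change invites users to join the `btsync` group to edit synced data; those users then get write access to the daemon's own state as well. If group-writable output is only wanted in the shared directories, the setgid/ACL advice added in the second hunk already achieves that and the unit could keep the default umask, or at least the state directory should be created with a mode that excludes group write. In the added description, `this directories` should read `these directories`.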
@@ -150,6 +150,7 @@ in ExecReload = "${pkgs.consul}/bin/consul reload"; PermissionsStartOnly = true; User = if cfg.dropPrivileges then "consul" else null; + TimeoutStartSec = "${toString (20 + (3 * cfg.joinRetries))}s"; } // (optionalAttrs (cfg.leaveOnStop) { ExecStop = "${pkgs.consul}/bin/consul leave"; }); diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index b129727087aa..1f17661c9f08 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -443,7 +443,7 @@ in networking.firewall.trustedInterfaces = [ "lo" ]; - environment.systemPackages = [ pkgs.iptables ]; + environment.systemPackages = [ pkgs.iptables pkgs.ipset ]; boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' @@ -462,7 +462,7 @@ in before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; - path = [ pkgs.iptables ]; + path = [ pkgs.iptables pkgs.ipset ]; # FIXME: this module may also try to load kernel modules, but # containers don't have CAP_SYS_MODULE. So the host system had diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index d0127fd3f75e..95b0ae59ff3c 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix @@ -142,7 +142,7 @@ in type = types.int; default = 80; description = '' - Port to forward incoming trafic to. 80 by default. + Port to forward incoming traffic to. 80 by default. ''; }; keyFile = mkOption { @@ -195,4 +195,4 @@ in }; }; } -# \ No newline at end of file +# diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 55a93dfe64c2..f72c7fb39d6c 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix 
@@ -194,7 +194,7 @@ in { }; powerManagement.resumeCommands = '' - systemctl restart network-manager + ${config.systemd.package}/bin/systemctl restart network-manager ''; security.polkit.extraConfig = polkitConf; diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix index 8f4bf26d411d..1988c7140d34 100644 --- a/nixos/modules/services/networking/ntpd.nix +++ b/nixos/modules/services/networking/ntpd.nix @@ -11,19 +11,15 @@ let ntpUser = "ntp"; configFile = pkgs.writeText "ntp.conf" '' - # Keep the drift file in ${stateDir}/ntp.drift. However, since we - # chroot to ${stateDir}, we have to specify it as /ntp.drift. - driftfile /ntp.drift + driftfile ${stateDir}/ntp.drift - restrict default kod nomodify notrap nopeer noquery - restrict -6 default kod nomodify notrap nopeer noquery restrict 127.0.0.1 restrict -6 ::1 ${toString (map (server: "server " + server + " iburst\n") config.services.ntp.servers)} ''; - ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup -i ${stateDir}"; + ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup"; in @@ -64,7 +60,7 @@ in config = mkIf config.services.ntp.enable { - # Make tools such as ntpq available in the system path + # Make tools such as ntpq available in the system path. environment.systemPackages = [ pkgs.ntp ]; users.extraUsers = singleton @@ -74,20 +70,20 @@ in home = stateDir; }; - jobs.ntpd = + systemd.services.ntpd = { description = "NTP Daemon"; wantedBy = [ "multi-user.target" ]; - path = [ ntp ]; - preStart = '' mkdir -m 0755 -p ${stateDir} chown ${ntpUser} ${stateDir} ''; - exec = "ntpd -g -n ${ntpFlags}"; + serviceConfig = { + ExecStart = "@${ntp}/bin/ntpd ntpd -g -n ${ntpFlags}"; + }; }; }; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 19ad635d07e7..8778b0364f9a 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix 
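Review bot: The new `ntp.conf` drops both `restrict default kod nomodify notrap nopeer noquery` lines, and an ntpd with no `restrict default` entry accepts mode 6/7 control queries, runtime modification and unauthenticated peering from any address, the query side being the classic traffic-amplification exposure; the remaining `restrict 127.0.0.1` / `restrict -6 ::1` lines only relax restrictions for localhost, they restrict nobody else. Keep `restrict default kod nomodify notrap nopeer noquery` and `restrict -6 default kod nomodify notrap nopeer noquery` in the generated file. The third hunk also removes `-i ${stateDir}` from `ntpFlags`, i.e. the chroot into the state directory, which was a defense-in-depth measure; if the move to `systemd.services.ntpd` is the reason, a comment saying why the chroot went away and whether a systemd sandboxing directive replaces it would help the next reader.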
@@ -118,7 +118,7 @@ in systemd.services.strongswan = { description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ kmod ]; # XXX Linux + path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux wants = [ "keys.target" ]; after = [ "network.target" "keys.target" ]; environment = { diff --git a/nixos/modules/services/networking/tox-bootstrapd.nix b/nixos/modules/services/networking/tox-bootstrapd.nix new file mode 100644 index 000000000000..c1f945773e23 --- /dev/null +++ b/nixos/modules/services/networking/tox-bootstrapd.nix 
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ home = "/var/lib/tox-bootstrapd";
+ PIDFile = "${home}/pid";
+
+ pkg = pkgs.libtoxcore;
+ cfg = config.services.toxBootstrapd;
+ cfgFile = builtins.toFile "tox-bootstrapd.conf"
+ ''
+ port = ${toString cfg.port}
+ keys_file_path = "${home}/keys"
+ pid_file_path = "${PIDFile}"
+ ${cfg.extraConfig}
+ '';
+in
+{
+ options =
+ { services.toxBootstrapd =
+ { enable = mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ Whether to enable the Tox DHT bootstrap daemon.
+ '';
+ };
+
+ port = mkOption {
+ type = types.int;
+ default = 33445;
+ description = "Listening port (UDP).";
+ };
+
+ keysFile = mkOption {
+ type = types.str;
+ default = "${home}/keys";
+ description = "Node key file.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description =
+ ''
+ Configuration for bootstrap daemon.
+ See <link xlink:href="https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf"/>
+ and <link xlink:href="http://wiki.tox.im/Nodes"/>.
+ '';
+ };
+ };
+
+ };
+
+ config = mkIf config.services.toxBootstrapd.enable {
+
+ users.extraUsers = singleton
+ { name = "tox-bootstrapd";
+ uid = config.ids.uids.tox-bootstrapd;
+ description = "Tox bootstrap daemon user";
+ inherit home;
+ createHome = true;
+ };
+
+ systemd.services.tox-bootstrapd = {
+ description = "Tox DHT bootstrap daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig =
+ { ExecStart = "${pkg}/bin/tox-bootstrapd ${cfgFile}";
+ Type = "forking";
+ inherit PIDFile;
+ User = "tox-bootstrapd";
+ };
+ };
+
+ };
+}
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 2b4132cb5688..47f863b96df2 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
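Review bot: The `keysFile` option is declared but never read: `cfgFile` hard-codes `keys_file_path = "${home}/keys"`, so setting `services.toxBootstrapd.keysFile` has no effect. Use the option, `keys_file_path = "${cfg.keysFile}"`, or drop it. `config = mkIf config.services.toxBootstrapd.enable` could also use the `cfg` binding defined a few lines above, as the rest of the file does. With `Type = "forking"` systemd tracks the PID from `${home}/pid`, a file owned by the unprivileged `tox-bootstrapd` user, so it is the daemon rather than systemd that decides which process is tracked; that is presumably acceptable for this daemon but worth a one-line comment.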
@@ -17,7 +17,8 @@ let '' # Client connection config + optionalString cfg.client.enable '' - SOCKSPort ${cfg.client.socksListenAddress} + SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr + SOCKSPort ${cfg.client.socksListenAddressFaster} ${opt "SocksPolicy" cfg.client.socksPolicy} '' # Relay config @@ -93,10 +94,23 @@ in example = "192.168.0.1:9100"; description = '' Bind to this address to listen for connections from - Socks-speaking applications. + Socks-speaking applications. Provides strong circuit + isolation, separate circuit per IP address. ''; }; + socksListenAddressFaster = mkOption { + type = types.str; + default = "127.0.0.1:9063"; + example = "192.168.0.1:9101"; + description = '' + Bind to this address to listen for connections from + Socks-speaking applications. Same as socksListenAddress + but uses weaker circuit isolation to provide performance + suitable for a web browser. + ''; + }; + socksPolicy = mkOption { type = types.nullOr types.str; default = null; @@ -108,6 +122,22 @@ in SocksListenAddress. ''; }; + + privoxy.enable = mkOption { + default = true; + description = '' + Whether to enable and configure the system Privoxy to use Tor's + faster port, suitable for HTTP. + + To have anonymity, protocols need to be scrubbed of identifying + information, and this can be accomplished for HTTP by Privoxy. + + Privoxy can also be useful for KDE torification. A good setup would be: + setting SOCKS proxy to the default Tor port, providing maximum + circuit isolation where possible; and setting HTTP proxy to Privoxy + to route HTTP traffic over faster, but less isolated port. + ''; + }; }; relay = { @@ -322,5 +352,16 @@ in }; environment.systemPackages = [ pkgs.tor ]; + + services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) { + enable = true; + extraConfig = '' + forward-socks4a / ${cfg.client.socksListenAddressFaster} . + toggle 1 + enable-remote-toggle 0 + enable-edit-actions 0 + enable-remote-http-toggle 0 + ''; + }; }; } 
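Review bot: `privoxy.enable` defaults to `true`, so after this change `services.tor.client.enable` also starts a system-wide Privoxy instance, a second listening proxy that users of the Tor client did not ask for; a new network daemon should be opt-in, i.e. `default = false;`, or at least be called out in the release notes. The option also lacks `type = types.bool;`, which the neighboring options in this file declare. The `extraConfig` lines `toggle 1`, `enable-remote-toggle 0`, `enable-edit-actions 0` and `enable-remote-http-toggle 0` are good hardening and deserve a one-line comment saying they disable Privoxy's remote and web-based administration, so a later cleanup does not drop them. The enclosing `config` attribute set starts outside the last hunk.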
diff --git a/nixos/modules/services/security/torify.nix b/nixos/modules/services/security/torify.nix
new file mode 100644
index 000000000000..a81cdbbc172f
--- /dev/null
+++ b/nixos/modules/services/security/torify.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+
+ cfg = config.services.tor;
+
+ torify = pkgs.writeTextFile {
+ name = "tsocks";
+ text = ''
+ #!${pkgs.stdenv.shell}
+ TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.tsocks.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@"
+ '';
+ executable = true;
+ destination = "/bin/tsocks";
+ };
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.tor.tsocks = {
+
+ enable = mkOption {
+ default = cfg.enable && cfg.client.enable;
+ description = ''
+ Whether to build tsocks wrapper script to relay application traffic via TOR.
+ '';
+ };
+
+ server = mkOption {
+ default = "localhost:9050";
+ example = "192.168.0.20";
+ description = ''
+ IP address of TOR client to use.
+ '';
+ };
+
+ config = mkOption {
+ default = "";
+ description = ''
+ Extra configuration. Contents will be added verbatim to TSocks
+ configuration file.
+ '';
+ };
+
+ };
+
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.tsocks.enable {
+
+ environment.systemPackages = [ torify ]; # expose it to the users
+
+ services.tor.tsocks.config = ''
+ server = ${toString(head (splitString ":" cfg.tsocks.server))}
+ server_port = ${toString(tail (splitString ":" cfg.tsocks.server))}
+
+ local = 127.0.0.0/255.128.0.0
+ local = 127.128.0.0/255.192.0.0
+ '';
+ };
+
+}
diff --git a/nixos/modules/services/security/torsocks.nix b/nixos/modules/services/security/torsocks.nix
index 5361d924ebe3..1b5a05b21e77 100644
--- a/nixos/modules/services/security/torsocks.nix
+++ b/nixos/modules/services/security/torsocks.nix
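Review bot: The `server` option's example `"192.168.0.20"` has no port, yet the implementation splits the value on `:` and takes `head` / `tail`, so with that example `server_port` is rendered empty; the example should be `"192.168.0.20:9050"` and the description should say the value is `host:port`. `tail` returns a list rather than the last element, so a value with more than one colon renders as several space-separated words — `last` expresses the intent. The `config` option has no `type`; since the module itself sets `services.tor.tsocks.config` and the description invites users to add to it, it should be `type = types.lines;` so the two definitions merge line-wise instead of relying on untyped string merging.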
@@ -6,9 +6,9 @@ let cfg = config.services.tor.torsocks; optionalNullStr = b: v: optionalString (b != null) v; - configFile = '' - TorAddress ${toString (head (splitString ":" cfg.server))} - TorPort ${toString (tail (splitString ":" cfg.server))} + configFile = server: '' + TorAddress ${toString (head (splitString ":" server))} + TorPort ${toString (tail (splitString ":" server))} OnionAddrRange ${cfg.onionAddrRange} @@ -19,13 +19,24 @@ let AllowInbound ${if cfg.allowInbound then "1" else "0"} ''; + + wrapTorsocks = name: server: pkgs.writeTextFile { + name = name; + text = '' + #!${pkgs.stdenv.shell} + TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} ${pkgs.torsocks}/bin/torsocks "$@" + ''; + executable = true; + destination = "/bin/${name}"; + }; + in { options = { services.tor.torsocks = { enable = mkOption { type = types.bool; - default = false; + default = config.services.tor.enable && config.services.tor.client.enable; description = '' Whether to build <literal>/etc/tor/torsocks.conf</literal> containing the specified global torsocks configuration. @@ -42,6 +53,16 @@ in ''; }; + fasterServer = mkOption { + type = types.str; + default = "127.0.0.1:9063"; + example = "192.168.0.20:1234"; + description = '' + IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP. + Currently, hostnames are NOT supported by torsocks. + ''; + }; + onionAddrRange = mkOption { type = types.str; default = "127.42.42.0/24"; @@ -89,10 +110,10 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.torsocks ]; + environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ]; environment.etc = - [ { source = pkgs.writeText "torsocks.conf" configFile; + [ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server); target = "tor/torsocks.conf"; } ]; 
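Review bot: `fasterServer` defaults to the literal `"127.0.0.1:9063"`, duplicating the `socksListenAddressFaster` default from tor.nix in this same diff; a user who changes `services.tor.client.socksListenAddressFaster` gets a `torsocks-faster` wrapper that still points at port 9063. `default = config.services.tor.client.socksListenAddressFaster;` keeps the two in step (the `server` option may deserve the same treatment, but its default is outside this hunk). The new `enable` default of `config.services.tor.enable && config.services.tor.client.enable` turns the wrapper and `/etc/tor/torsocks.conf` on automatically; since it only adds a package and a config file that seems acceptable, but a comment stating that intent would stop it being "fixed" back to `false`. The enclosing `config` set starts outside the last hunk.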
diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix new file mode 100644 index 000000000000..0ef31ef8a8b9 --- /dev/null +++ b/nixos/modules/services/system/cloud-init.nix 
@@ -0,0 +1,152 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.services.cloud-init; + path = with pkgs; [ cloud-init nettools utillinux e2fsprogs shadow dmidecode openssh ]; + configFile = pkgs.writeText "cloud-init.cfg" '' +users: + - root + +disable_root: false +preserve_hostname: false + +cloud_init_modules: + - migrator + - seed_random + - bootcmd + - write-files + - growpart + - resizefs + - set_hostname + - update_hostname + - update_etc_hosts + - ca-certs + - rsyslog + - users-groups + +cloud_config_modules: + - emit_upstart + - disk_setup + - mounts + - ssh-import-id + - set-passwords + - timezone + - disable-ec2-metadata + - runcmd + - ssh + +cloud_final_modules: + - rightscale_userdata + - scripts-vendor + - scripts-per-once + - scripts-per-boot + - scripts-per-instance + - scripts-user + - ssh-authkey-fingerprints + - keys-to-console + - phone-home + - final-message + - power-state-change +''; +in +{ + options = { + + services.cloud-init = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the cloud-init service. This services reads + configuration metadata in a cloud environment and configures + the machine according to this metadata. + + This configuration is not completely compatible with the + NixOS way of doing configuration, as configuration done by + cloud-init might be overriden by a subsequent nixos-rebuild + call. However, some parts of cloud-init fall outside of + NixOS's responsibility, like filesystem resizing and ssh + public key provisioning, and cloud-init is useful for that + parts. Thus, be wary that using cloud-init in NixOS might + come as some cost. 
+ ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.cloud-init-local = + { description = "Initial cloud-init job (pre-networking)"; + wantedBy = [ "multi-user.target" ]; + wants = [ "local-fs.target" ]; + after = [ "local-fs.target" ]; + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} init --local"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + StandardOutput = "journal+console"; + }; + }; + + systemd.services.cloud-init = + { description = "Initial cloud-init job (metadata service crawler)"; + wantedBy = [ "multi-user.target" ]; + wants = [ "local-fs.target" "cloud-init-local.service" "sshd.service" "sshd-keygen.service" ]; + after = [ "local-fs.target" "network.target" "cloud-init-local.service" ]; + before = [ "sshd.service" "sshd-keygen.service" ]; + requires = [ "network.target "]; + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} init"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + StandardOutput = "journal+console"; + }; + }; + + systemd.services.cloud-config = + { description = "Apply the settings specified in cloud-config"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = [ "network.target" "syslog.target" "cloud-config.target" ]; + + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} modules --mode=config"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + StandardOutput = "journal+console"; + }; + }; + + systemd.services.cloud-final = + { description = "Execute cloud user/final scripts"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = [ "network.target" "syslog.target" "cloud-config.service" "rc-local.service" ]; + requires = [ "cloud-config.target" ]; + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f 
${configFile} modules --mode=final"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + StandardOutput = "journal+console"; + }; + }; + + systemd.targets.cloud-config = + { description = "Cloud-config availability"; + requires = [ "cloud-init-local.service" "cloud-init.service" ]; + }; + }; +} diff --git a/nixos/modules/services/web-servers/zope2.nix b/nixos/modules/services/web-servers/zope2.nix index 21117118457d..bbe4d10f83d0 100644 --- a/nixos/modules/services/web-servers/zope2.nix +++ b/nixos/modules/services/web-servers/zope2.nix @@ -24,7 +24,7 @@ let http_address = mkOption { default = "localhost:8080"; type = types.string; - description = "Give a port and adress for the HTTP server."; + description = "Give a port and address for the HTTP server."; }; user = mkOption { diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 65bbc025bcf9..c4329cd77550 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -80,7 +80,6 @@ in { services.telepathy.enable = mkDefault true; networking.networkmanager.enable = mkDefault true; services.upower.enable = config.powerManagement.enable; - services.upower.package = gnome3.upower; fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ]; diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix index f7579fce7b5a..16c99862e9e0 100644 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ b/nixos/modules/services/x11/desktop-managers/kde4.nix 
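Review bot: `requires = [ "network.target "];` in the `cloud-init` service has a trailing space inside the unit name, so the dependency is on a unit called `network.target ` that does not exist; it should read `requires = [ "network.target" ];`. Separately, the generated config sets `users: - root` and `disable_root: false`, so keys delivered through the cloud metadata are installed for the root account and root login stays enabled, which departs from cloud-init's usual non-root provisioning user; that may be deliberate for NixOS images, but it should be stated in the option description (`The root account is used as the cloud-init user and root login is not disabled.`) so operators can judge the exposure. The description also has `overriden` for `overridden` and `useful for that parts` for `useful for those parts`.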
@@ -152,7 +152,9 @@ in xorg.xauth # used by kdesu pkgs.shared_desktop_ontologies # used by nepomuk pkgs.strigi # used by nepomuk + pkgs.kde4.akonadi pkgs.mysql # used by akonadi + pkgs.kde4.kdepim_runtime ] ++ lib.optional config.hardware.pulseaudio.enable pkgs.kde4.kmix # Perhaps this should always be enabled ++ lib.optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 8bc8175f88f9..a1b5daa3336d 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -189,7 +189,7 @@ in xserverArgs = mkOption { type = types.listOf types.str; default = []; - example = [ "-ac" "-logverbose" "-nolisten tcp" ]; + example = [ "-ac" "-logverbose" "-verbose" "-nolisten tcp" ]; description = "List of arguments for the X server."; apply = toString; }; diff --git a/nixos/modules/services/x11/window-managers/awesome.nix b/nixos/modules/services/x11/window-managers/awesome.nix index 9b2f042a87a6..455b3568499f 100644 --- a/nixos/modules/services/x11/window-managers/awesome.nix +++ b/nixos/modules/services/x11/window-managers/awesome.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.xserver.windowManager.awesome; + awesome = cfg.package; in 
@@ -14,9 +15,24 @@ in options = { - services.xserver.windowManager.awesome.enable = mkOption { - default = false; - description = "Enable the Awesome window manager."; + services.xserver.windowManager.awesome = { + + enable = mkEnableOption "Awesome window manager"; + + luaModules = mkOption { + default = []; + type = types.listOf types.package; + description = "List of lua packages available for being used in the Awesome configuration."; + example = literalExample "[ luaPackages.oocairo ]"; + }; + + package = mkOption { + default = null; + type = types.nullOr types.package; + description = "Package to use for running the Awesome WM."; + apply = pkg: if pkg == null then pkgs.awesome else pkg; + }; + }; }; @@ -30,12 +46,17 @@ in { name = "awesome"; start = '' - ${pkgs.awesome}/bin/awesome & + ${concatMapStrings (pkg: '' + export LUA_CPATH=$LUA_CPATH''${LUA_CPATH:+;}${pkg}/lib/lua/${awesome.lua.luaversion}/?.so + export LUA_PATH=$LUA_PATH''${LUA_PATH:+;}${pkg}/lib/lua/${awesome.lua.luaversion}/?.lua + '') cfg.luaModules} + + ${awesome}/bin/awesome & waitPID=$! ''; }; - environment.systemPackages = [ pkgs.awesome ]; + environment.systemPackages = [ awesome ]; }; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index f911d3c81f90..64e0d4d8050e 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -483,8 +483,6 @@ in services.xserver.displayManager.xserverArgs = [ "-ac" - "-logverbose" - "-verbose" "-terminate" "-logfile" "/var/log/X.${toString cfg.display}.log" "-config ${configFile}" diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index c0e0ae23d387..c814469ae41d 100644 --- a/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixos/modules/system/activation/switch-to-configuration.pl 
@@ -181,7 +181,7 @@ while (my ($unit, $state) = each %{$activePrev}) { } elsif ($unit =~ /\.mount$/) { # Reload the changed mount unit to force a remount. write_file($reloadListFile, { append => 1 }, "$unit\n"); - } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/) { + } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/ || $unit =~ /\.slice$/) { # FIXME: do something? } else { my $unitInfo = parseUnit($newUnitFile); diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py b/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py index db73544181b6..ef431a7732e1 100644 --- a/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py +++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py @@ -63,7 +63,8 @@ def get_generations(profile): "@nix@/bin/nix-env", "--list-generations", "-p", - "/nix/var/nix/profiles/%s" % (profile) + "/nix/var/nix/profiles/%s" % (profile), + "--option", "build-users-group", "" ]) gen_lines = gen_list.split('\n') gen_lines.pop() diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index b62aed4ead95..0b7d4de6d205 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -56,9 +56,10 @@ echo # Mount special file systems. -mkdir -p /etc +mkdir -p /etc/udev touch /etc/fstab # to shut up mount touch /etc/mtab # to shut up mke2fs +touch /etc/udev/hwdb.bin # to shut up udev touch /etc/initrd-release mkdir -p /proc mount -t proc proc /proc diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index cd30ce1b7cef..f0d8b04d0875 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -326,7 +326,7 @@ in boot.initrd.compressor = mkOption { internal = true; - default = "gzip -9"; + default = "gzip -9n"; type = types.str; description = "The compressor to use on the initrd image."; example = "xz"; 
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 8fc2d0bee184..053a85c4c5b9 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -695,21 +695,21 @@ in default = {}; type = types.attrsOf types.optionSet; options = [ linkOptions ]; - description = "Definiton of systemd network links."; + description = "Definition of systemd network links."; }; systemd.network.netdevs = mkOption { default = {}; type = types.attrsOf types.optionSet; options = [ netdevOptions ]; - description = "Definiton of systemd network devices."; + description = "Definition of systemd network devices."; }; systemd.network.networks = mkOption { default = {}; type = types.attrsOf types.optionSet; options = [ networkOptions networkConfig ]; - description = "Definiton of systemd networks."; + description = "Definition of systemd networks."; }; systemd.network.units = mkOption { diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix index 75c4f93c6917..79de6556f251 100644 --- a/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixos/modules/tasks/filesystems/nfs.nix @@ -38,7 +38,7 @@ in default = null; example = 4000; description = '' - Use fixed port for rpc.statd, usefull if NFS server is behind firewall. + Use fixed port for rpc.statd, useful if NFS server is behind firewall. ''; }; lockdPort = mkOption { @@ -46,7 +46,7 @@ in example = 4001; description = '' Use fixed port for NFS lock manager kernel module (lockd/nlockmgr), - usefull if NFS server is behind firewall. + useful if NFS server is behind firewall. ''; }; }; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 310527667d7a..9d61a4b05301 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix 
@@ -85,6 +85,12 @@ in optionalString (cfg.defaultGatewayWindowSize != null) "window ${cfg.defaultGatewayWindowSize}"} || true ''} + ${optionalString (cfg.defaultGateway6 != null && cfg.defaultGateway6 != "") '' + # FIXME: get rid of "|| true" (necessary to make it idempotent). + ip -6 route add ::/0 via "${cfg.defaultGateway6}" ${ + optionalString (cfg.defaultGatewayWindowSize != null) + "window ${cfg.defaultGatewayWindowSize}"} || true + ''} ''; }; diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 10185c7709b5..70158fc7252b 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -51,6 +51,8 @@ in DHCP = override (dhcpStr cfg.useDHCP); } // optionalAttrs (cfg.defaultGateway != null) { gateway = override [ cfg.defaultGateway ]; + } // optionalAttrs (cfg.defaultGateway6 != null) { + gateway = override [ cfg.defaultGateway6 ]; } // optionalAttrs (domains != [ ]) { domains = override domains; }; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 9c6c71a1dbb0..4a272483e549 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -233,8 +233,12 @@ in The 32-bit host ID of the machine, formatted as 8 hexadecimal characters. You should try to make this ID unique among your machines. You can - generate a random 32-bit ID using the following command: + generate a random 32-bit ID using the following commands: + <literal>cksum /etc/machine-id | while read c rest; do printf "%x" $c; done</literal> + + (this derives it from the machine-id that systemd generates) or + <literal>head -c4 /dev/urandom | od -A none -t x4</literal> ''; }; 
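Review bot: The scripted backend treats both `null` and `""` as "no IPv6 gateway" (`cfg.defaultGateway6 != null && cfg.defaultGateway6 != ""`), while the systemd backend in the next hunk only checks `!= null`, so an empty string yields a `gateway = [ "" ]` entry there and nothing here; the two backends should agree on what counts as unset, preferably by relying on the option's `nullOr` type alone. The new route also reuses `cfg.defaultGatewayWindowSize` for the IPv6 route, which the option name and its description do not announce; a comment such as `# defaultGatewayWindowSize applies to the IPv6 default route as well` would make that deliberate. The `||` `true` idempotency workaround is copied as-is and inherits the existing FIXME.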
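Review bot: In network-interfaces-systemd.nix the new `optionalAttrs (cfg.defaultGateway6 != null)` block assigns the same `gateway` attribute as the IPv4 block directly above it, and the `//` update keeps only the right-hand value, so a host that sets both `defaultGateway` and `defaultGateway6` silently loses its IPv4 default route in the generated network unit. Build one list instead: `} // optionalAttrs (cfg.defaultGateway != null || cfg.defaultGateway6 != null) {` / `gateway = override (optional (cfg.defaultGateway != null) cfg.defaultGateway` / `++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6);` (`optional` from lib, which the file presumably has in scope given the unqualified `optionalAttrs`). A test setting both gateways would have caught this.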
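Review bot: The first command suggested in the `hostId` description prints the checksum with `printf "%x"`, which emits no leading zeros, so any CRC below 0x10000000 produces fewer than the eight hexadecimal characters the option text requires two lines above. Use `<literal>cksum /etc/machine-id | while read c rest; do printf "%08x" $c; done</literal>` so the result is always a valid hostId. The `od -A none -t x4` alternative already pads to eight digits, though its output starts with whitespace that has to be trimmed before pasting.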
@@ -256,6 +260,15 @@ in ''; }; + networking.defaultGateway6 = mkOption { + default = null; + example = "2001:4d0:1e04:895::1"; + type = types.nullOr types.str; + description = '' + The default ipv6 gateway. It can be left empty if it is auto-detected through DHCP. + ''; + }; + networking.defaultGatewayWindowSize = mkOption { default = null; example = 524288; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index a7610b3e11a0..33c64cc890e0 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -57,8 +57,7 @@ let -name ${vmName} \ -m ${toString config.virtualisation.memorySize} \ ${optionalString (pkgs.stdenv.system == "x86_64-linux") "-cpu kvm64"} \ - -net nic,vlan=0,model=virtio \ - -net user,vlan=0''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} \ + ${concatStringsSep " " config.virtualisation.qemu.networkingOptions} \ -virtfs local,path=/nix/store,security_model=none,mount_tag=store \ -virtfs local,path=$TMPDIR/xchg,security_model=none,mount_tag=xchg \ -virtfs local,path=''${SHARED_DIR:-$TMPDIR/xchg},security_model=none,mount_tag=shared \ 
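Review bot: The description of the new `networking.defaultGateway6` option says the gateway can be left empty if it is "auto-detected through DHCP", but DHCPv6 carries no default-router information; an IPv6 default route is learned from router advertisements. Suggest `The default IPv6 gateway. It can be left empty if it is learned from router advertisements (SLAAC) instead.` The option's type is `nullOr str`, so "left empty" should mean `null`, which is also what the systemd backend checks for.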
@@ -248,12 +247,31 @@ in description = "Primary IP address used in /etc/hosts."; }; - virtualisation.qemu.options = - mkOption { - default = []; - example = [ "-vga std" ]; - description = "Options passed to QEMU."; - }; + virtualisation.qemu = { + options = + mkOption { + default = []; + example = [ "-vga std" ]; + description = "Options passed to QEMU."; + }; + + networkingOptions = + mkOption { + default = [ + "-net nic,vlan=0,model=virtio" + "-net user,vlan=0\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}" + ]; + type = types.listOf types.str; + description = '' + Networking-related command-line options that should be passed to qemu. + The default is to use userspace networking (slirp). + + If you override this option, be advised to keep + ''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} (as seen in the default) + to keep the default runtime behaviour. + ''; + }; + }; virtualisation.useBootLoader = mkOption { diff --git a/nixos/release.nix b/nixos/release.nix index 04b8fd9bf675..c2760965d200 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -242,6 +242,7 @@ in rec { tests.avahi = callTest tests/avahi.nix {}; tests.bittorrent = callTest tests/bittorrent.nix {}; tests.blivet = callTest tests/blivet.nix {}; + tests.cadvisor = scrubDrv (import tests/cadvisor.nix { system = "x86_64-linux"; }); tests.chromium = callTest tests/chromium.nix {}; tests.cjdns = callTest tests/cjdns.nix {}; tests.containers = callTest tests/containers.nix {}; diff --git a/nixos/tests/blivet.nix b/nixos/tests/blivet.nix index acaf4fec614f..72c2a33f87eb 100644 --- a/nixos/tests/blivet.nix +++ b/nixos/tests/blivet.nix @@ -43,11 +43,6 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec { TMPDIR=/tmp/xchg/bigtmp export TMPDIR - mkPythonPath() { - nix-store -qR "$@" \ - | sed -e 's|$|/lib/${pkgs.python.libPrefix}/site-packages|' - } - cp -Rd "${blivet.src}/tests" . # Skip SELinux tests 
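Review bot: `networkingOptions` entries are joined with `concatStringsSep " "` and spliced unquoted into the shell command that starts qemu (previous hunk of this file), which is exactly what lets the default's `${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}` expand at run time, but it also means every item is subject to shell word-splitting and expansion; the description only hints at this via the "keep the default runtime behaviour" remark. Add a sentence such as `Each item is inserted verbatim into the shell command that starts qemu, so it is subject to shell expansion.` The neighbouring `options` option still has no `type` while the new `networkingOptions` declares `types.listOf types.str`; giving `options` the same type would keep the two consistent.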
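Review bot: `tests.cadvisor` is registered as `scrubDrv (import tests/cadvisor.nix { system = "x86_64-linux"; })` while every neighbouring entry goes through `callTest`, which from the visible lines is the common way the other tests are wired up. If the pin to x86_64-linux is deliberate, a comment on the line should say why (I can only guess that the container stack it depends on is not available elsewhere); otherwise `tests.cadvisor = callTest tests/cadvisor.nix {};` keeps the list uniform.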
@@ -73,8 +68,11 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec { -e 's|_STORE_FILE_PATH = .*|_STORE_FILE_PATH = tempfile.gettempdir()|' \ tests/loopbackedtestcase.py - PYTHONPATH=".:$(mkPythonPath "${blivet}" "${mock}" | paste -sd :)" \ - python "${pythonTestRunner}" + PYTHONPATH=".:$(< "${pkgs.stdenv.mkDerivation { + name = "blivet-pythonpath"; + buildInputs = [ blivet mock ]; + buildCommand = "echo \"$PYTHONPATH\" > \"$out\""; + }}")" python "${pythonTestRunner}" ''; testScript = '' diff --git a/nixos/tests/cadvisor.nix b/nixos/tests/cadvisor.nix new file mode 100644 index 000000000000..225bf1a7483d --- /dev/null +++ b/nixos/tests/cadvisor.nix @@ -0,0 +1,30 @@ +import ./make-test.nix { + name = "cadvisor"; + + nodes = { + machine = { config, pkgs, ... }: { + services.cadvisor.enable = true; + }; + + influxdb = { config, pkgs, lib, ... }: with lib; { + services.cadvisor.enable = true; + services.cadvisor.storageDriver = "influxdb"; + services.influxdb.enable = true; + systemd.services.influxdb.postStart = mkAfter '' + ${pkgs.curl}/bin/curl -X POST 'http://localhost:8086/db?u=root&p=root' \ + -d '{"name": "root"}' + ''; + }; + }; + + testScript = + '' + startAll; + $machine->waitForUnit("cadvisor.service"); + $machine->succeed("curl http://localhost:8080/containers/"); + + $influxdb->waitForUnit("influxdb.service"); + $influxdb->waitForUnit("cadvisor.service"); + $influxdb->succeed("curl http://localhost:8080/containers/"); + ''; +} diff --git a/nixos/tests/containers.nix b/nixos/tests/containers.nix index e0add8a936fc..e40a8100a06c 100644 --- a/nixos/tests/containers.nix +++ b/nixos/tests/containers.nix 
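Review bot: In the new cadvisor.nix, `$machine->succeed("curl http://localhost:8080/containers/")` passes as soon as curl can connect, because without `--fail` an HTTP 4xx/5xx response still exits 0; the same holds for the two `$influxdb->succeed(...)` calls and for the database-creating `curl -X POST` in `postStart`, where a rejected request goes unnoticed and the unit still reports success. Use `curl --fail` as containers.nix does in this same commit (`curl --fail --connect-timeout 2`), and `${pkgs.curl}/bin/curl --fail -X POST ...` in `postStart` (if re-creating an already existing database returns an error status, handle that case explicitly rather than dropping the flag). The influxdb node also never checks that cadvisor wrote anything to influxdb, so `storageDriver = "influxdb"` is only exercised for start-up.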
@@ -43,7 +43,7 @@ import ./make-test.nix { $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null"); # Make sure we have a NixOS tree (required by ‘nixos-container create’). - $machine->succeed("nix-env -qa -A nixos.pkgs.hello >&2"); + $machine->succeed("PAGER=cat nix-env -qa -A nixos.pkgs.hello >&2"); # Create some containers imperatively. my $id1 = $machine->succeed("nixos-container create foo --ensure-unique-name"); diff --git a/nixos/tests/gitlab.nix b/nixos/tests/gitlab.nix index 2b0715e97bc9..27c65fe47e8d 100644 --- a/nixos/tests/gitlab.nix +++ b/nixos/tests/gitlab.nix @@ -8,6 +8,7 @@ import ./make-test.nix { virtualisation.memorySize = 768; services.gitlab.enable = true; services.gitlab.databasePassword = "gitlab"; + systemd.services.gitlab.serviceConfig.TimeoutStartSec = "10min"; }; }; diff --git a/nixos/tests/mesos.nix b/nixos/tests/mesos.nix index 4fc02d1cd3ff..040f613c5966 100644 --- a/nixos/tests/mesos.nix +++ b/nixos/tests/mesos.nix @@ -8,6 +8,10 @@ import ./make-test.nix { slave = { enable = true; master = "zk://localhost:2181/mesos"; + attributes = { + tag1 = "foo"; + tag2 = "bar"; + }; }; master = { enable = true; diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index e4c3de146e93..b2b1ec877798 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -1,5 +1,7 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let + debug = false; + testVMConfig = vmName: attrs: { config, pkgs, ... }: { boot.kernelParams = let miniInit = '' @@ -64,7 +66,7 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let rotated = map (i: "${logfile}.${toString i}") (range 1 9); all = concatMapStringsSep " " (f: "\"${f}\"") ([logfile] ++ rotated); logcmd = "tail -F ${all} 2> /dev/null | logger -t \"${tag}\""; - in "$machine->execute(ru '${logcmd} & disown');"; + in optionalString debug "$machine->execute(ru '${logcmd} & disown');"; testVM = vmName: vmScript: let cfg = (import ../lib/eval-config.nix { 
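Review bot: The new `debug = false;` at the top of virtualbox.nix has no comment, and its only use — gating the `tail -F ... | logger` command in the second hunk of this file — is some sixty lines away. Add `# When true, stream each VM's VirtualBox log (and its rotated copies) into the test machine's syslog via logger.` next to the definition so readers need not trace `optionalString debug` back to it.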
@@ -297,14 +299,16 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let in { name = "virtualbox"; - machine = { pkgs, ... }: { + machine = { pkgs, lib, config, ... }: { imports = let mkVMConf = name: val: val.machine // { key = "${name}-config"; }; vmConfigs = mapAttrsToList mkVMConf vboxVMs; in [ ./common/user-account.nix ./common/x11.nix ] ++ vmConfigs; virtualisation.memorySize = 768; services.virtualboxHost.enable = true; - users.extraUsers.alice.extraGroups = [ "vboxusers" ]; + users.extraUsers.alice.extraGroups = let + inherit (config.services.virtualboxHost) enableHardening; + in lib.mkIf enableHardening (lib.singleton "vboxusers"); }; testScript = '' |