Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/README | 12 | ||||
-rw-r--r-- | nixos/modules/services/amqp/rabbitmq.nix | 41 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-ssh-serve.nix | 40 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/munin.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/networking/znc.nix | 30 | ||||
-rw-r--r-- | nixos/modules/services/search/elasticsearch.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/lighttpd/cgit.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/lighttpd/default.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/lighttpd/gitweb.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/e18.nix | 7 | ||||
-rw-r--r-- | nixos/modules/system/etc/etc.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/etc/setup-etc.pl | 41 |
12 files changed, 156 insertions, 62 deletions
diff --git a/nixos/doc/manual/README b/nixos/doc/manual/README new file mode 100644 index 000000000000..587f6275197a --- /dev/null +++ b/nixos/doc/manual/README @@ -0,0 +1,12 @@ +To build the manual, you need Nix installed on your system (no need +for NixOS). To install Nix, follow the instructions at + + https://nixos.org/nix/download.html + +When you have Nix on your system, in the root directory of the project +(i.e., `nixpkgs`), run: + + nix-build nixos/release.nix -A manual.x86_64-linux + +When this command successfully finishes, it will tell you where the +manual got generated. diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix index bef15fb64b7f..a930098bfeec 100644 --- a/nixos/modules/services/amqp/rabbitmq.nix +++ b/nixos/modules/services/amqp/rabbitmq.nix @@ -4,6 +4,8 @@ with lib; let cfg = config.services.rabbitmq; + config_file = pkgs.writeText "rabbitmq.config" cfg.config; + config_file_wo_suffix = builtins.substring 0 ((builtins.stringLength config_file) - 7) config_file; in { ###### interface @@ -31,7 +33,6 @@ in { ''; }; - dataDir = mkOption { type = types.path; default = "/var/lib/rabbitmq"; @@ -40,6 +41,30 @@ in { ''; }; + cookie = mkOption { + default = ""; + type = types.str; + description = '' + Erlang cookie is a string of arbitrary length which must + be the same for several nodes to be allowed to communicate. + Leave empty to generate automatically. + ''; + }; + + config = mkOption { + default = ""; + type = types.str; + description = '' + Verbatim configuration file contents. + See http://www.rabbitmq.com/configure.htm + ''; + }; + + plugins = mkOption { + default = []; + type = types.listOf types.str; + description = "The names of plugins to enable"; + }; }; }; 
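Review bot: `config_file_wo_suffix` in the rabbitmq.nix `let` block strips the trailing `.config` from the store path by hard-coding a length of 7 in `builtins.substring`, which silently produces a wrong path the moment the `writeText` name changes. `removeSuffix ".config" config_file` from lib states the intent and leaves the path untouched instead of truncating it when the suffix is absent. A short comment on why the suffix is removed at all (presumably because RabbitMQ appends `.config` to `RABBITMQ_CONFIG_FILE` itself — confirm) would spare the next reader the guess; the `let` block continues outside the hunk.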
@@ -69,7 +94,10 @@ in { RABBITMQ_NODE_IP_ADDRESS = cfg.listenAddress; RABBITMQ_SERVER_START_ARGS = "-rabbit error_logger tty -rabbit sasl_error_logger false"; SYS_PREFIX = ""; - }; + RABBITMQ_ENABLED_PLUGINS_FILE = pkgs.writeText "enabled_plugins" '' + [ ${concatStringsSep "," cfg.plugins} ]. + ''; + } // optionalAttrs (cfg.config != "") { RABBITMQ_CONFIG_FILE = config_file_wo_suffix; }; serviceConfig = { ExecStart = "${pkgs.rabbitmq_server}/sbin/rabbitmq-server"; @@ -81,6 +109,15 @@ in { preStart = '' mkdir -p ${cfg.dataDir} && chmod 0700 ${cfg.dataDir} if [ "$(id -u)" = 0 ]; then chown rabbitmq:rabbitmq ${cfg.dataDir}; fi + + ${optionalString (cfg.cookie != "") '' + echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie + chmod 400 ${cfg.dataDir}/.erlang.cookie + chown rabbitmq:rabbitmq ${cfg.dataDir}/.erlang.cookie + ''} + + mkdir -p /var/log/rabbitmq && chmod 0700 /var/log/rabbitmq + chown rabbitmq:rabbitmq /var/log/rabbitmq ''; }; diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix index 80e7961b1f82..d70bd855c7ff 100644 --- a/nixos/modules/services/misc/nix-ssh-serve.nix +++ b/nixos/modules/services/misc/nix-ssh-serve.nix 
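Review bot: The `cfg.cookie` value in the new preStart block is interpolated into the unit's start script, so the Erlang cookie ends up in the world-readable Nix store, and it is expanded unquoted in `echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie`, where a cookie containing whitespace or shell metacharacters breaks the command. The file is also written with the default umask before the `chmod 400`, so there is a window in which it is readable by other users. At minimum the `cookie` option description should state that the value becomes part of the system closure; a safer shape is an option naming a root-only file to copy from, and creating the target with restricted permissions from the start, e.g. `install -m 400 -o rabbitmq -g rabbitmq /dev/null ${cfg.dataDir}/.erlang.cookie` before writing into it. The `systemd.services.rabbitmq` definition starts outside the hunk.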
@@ -1,32 +1,35 @@ { config, lib, pkgs, ... }: -let - serveOnly = pkgs.writeScript "nix-store-serve" '' - #!${pkgs.stdenv.shell} - if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then - echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2 - exit 1 - fi - exec /run/current-system/sw/bin/nix-store --serve - ''; - - inherit (lib) mkIf mkOption types; -in { +with lib; + +{ options = { + nix.sshServe = { + enable = mkOption { - description = "Whether to enable serving the nix store over ssh."; - default = false; type = types.bool; + default = false; + description = "Whether to enable serving the Nix store as a binary cache via SSH."; + }; + + keys = mkOption { + type = types.listOf types.str; + default = []; + example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ]; + description = "A list of SSH public keys allowed to access the binary cache via SSH."; }; + }; + }; config = mkIf config.nix.sshServe.enable { + users.extraUsers.nix-ssh = { - description = "User for running nix-store --serve."; + description = "Nix SSH substituter user"; uid = config.ids.uids.nix-ssh; - shell = pkgs.stdenv.shell; + useDefaultShell = true; }; services.openssh.enable = true; @@ -38,8 +41,11 @@ in { PermitTTY no PermitTunnel no X11Forwarding no - ForceCommand ${serveOnly} + ForceCommand ${config.nix.package}/bin/nix-store --serve Match All ''; + + users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys; + }; } diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index 966c2eca282a..21840bc67e8f 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix 
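Review bot: The keys mirrored into `users.extraUsers.nix-ssh.openssh.authorizedKeys.keys` are added without per-key restrictions, so the Match block is the only thing limiting what a listed key can do; replacing the `SSH_ORIGINAL_COMMAND` wrapper with a plain `ForceCommand ${config.nix.package}/bin/nix-store --serve` is itself equivalent, since ForceCommand ignores the client-requested command. The visible Match lines disable TTY, tunnel and X11, but whether agent and port forwarding are also disabled depends on lines above the hunk, so that is worth confirming. The `keys` option description could say that each listed key gets read access to the whole Nix store via `nix-store --serve`, and the `example` uses an `ssh-dss` key, which current OpenSSH disables by default — an `ssh-ed25519` or `ssh-rsa` example would age better.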
@@ -189,19 +189,18 @@ in wantedBy = [ "multi-user.target" ]; path = [ pkgs.munin ]; environment.MUNIN_PLUGSTATE = "/var/run/munin"; + preStart = '' + echo "updating munin plugins..." + + mkdir -p /etc/munin/plugins + rm -rf /etc/munin/plugins/* + PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; }; }; - system.activationScripts.munin-node = '' - echo "updating munin plugins..." - - mkdir -p /etc/munin/plugins - rm -rf /etc/munin/plugins/* - PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash - ''; - }) (mkIf cronCfg.enable { services.cron.systemCronJobs = [ diff --git a/nixos/modules/services/networking/znc.nix b/nixos/modules/services/networking/znc.nix index a40fd924741b..56946f37aaf9 100644 --- a/nixos/modules/services/networking/znc.nix +++ b/nixos/modules/services/networking/znc.nix @@ -23,7 +23,7 @@ let confOptions = { ... }: { options = { modules = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "partyline" "webadmin" "adminlog" "log" ]; example = [ "partyline" "webadmin" "adminlog" "log" ]; description = '' @@ -34,7 +34,7 @@ let userName = mkOption { default = defaultUserName; example = "johntron"; - type = types.string; + type = types.str; description = '' The user name to use when generating the `znc.conf` file. This is the user name used by the user logging into the ZNC web admin. 
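Review bot: The plugin regeneration moved into `preStart` still pipes `munin-node-configure ... 2>/dev/null | ${pkgs.bash}/bin/bash`, so a failing generator is hidden and an empty or partial script is executed as root after `/etc/munin/plugins/*` has already been wiped. Because this now runs on every service start rather than once at activation, such a failure leaves munin-node with no plugins until someone notices. Dropping `2>/dev/null` and putting `set -o pipefail` at the top of the preStart block (together with `set -e`, if the NixOS script wrapper does not already add it) would make the unit fail visibly instead; the enclosing `systemd.services.munin-node` definition starts outside the hunk.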
@@ -44,7 +44,7 @@ let nick = mkOption { default = "znc-user"; example = "john"; - type = types.string; + type = types.str; description = '' The IRC nick to use when generating the `znc.conf` file. ''; @@ -53,7 +53,7 @@ let passBlock = mkOption { default = defaultPassBlock; example = "Must be the block generated by the `znc --makepass` command."; - type = types.string; + type = types.str; description = '' The pass block to use when generating the `znc.conf` file. This is the password used by the user logging into the ZNC web admin. @@ -63,9 +63,9 @@ let }; port = mkOption { - default = "5000"; - example = "5000"; - type = types.string; + default = 5000; + example = 5000; + type = types.int; description = '' Specifies the port on which to listen. ''; @@ -104,7 +104,7 @@ let AllowWeb = true IPv4 = true IPv6 = false - Port = ${if confOpts.useSSL then "+" else ""}${confOpts.port} + Port = ${if confOpts.useSSL then "+" else ""}${toString confOpts.port} SSL = ${if confOpts.useSSL then "true" else "false"} </Listener> @@ -160,7 +160,7 @@ in user = mkOption { default = "znc"; example = "john"; - type = types.string; + type = types.str; description = '' The name of an existing user account to use to own the ZNC server process. If not specified, a default user will be created to own the process. @@ -170,7 +170,7 @@ in dataDir = mkOption { default = "/home/${cfg.user}/.znc"; example = "/home/john/.znc"; - type = types.string; + type = types.path; description = '' The data directory. Used for configuration files and modules. ''; @@ -179,7 +179,7 @@ in zncConf = mkOption { default = ""; example = "See: http://wiki.znc.in/Configuration"; - type = types.string; + type = types.lines; description = '' The contents of the `znc.conf` file to use when creating it. If specified, `confOptions` will be ignored, and this value, as-is, will be used. 
@@ -218,9 +218,9 @@ in }; extraFlags = mkOption { - default = ""; - example = "--debug"; - type = types.string; + default = [ ]; + example = [ "--debug" ]; + type = types.listOf types.str; description = '' Extra flags to use when executing znc command. ''; @@ -272,7 +272,7 @@ in ${pkgs.znc}/bin/znc --makepem fi ''; - script = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${cfg.extraFlags}"; + script = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${toString cfg.extraFlags}"; }; users.extraUsers = optional (cfg.user == defaultUser) diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index eeae11dc4ff3..c99d1e229677 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -21,6 +21,11 @@ let ]; }; + esPlugins = pkgs.buildEnv { + name = "elasticsearch-plugins"; + paths = cfg.plugins; + }; + in { ###### interface @@ -101,6 +106,12 @@ in { example = [ "-Djava.net.preferIPv4Stack=true" ]; }; + plugins = mkOption { + description = "Extra elasticsearch plugins"; + default = []; + type = types.listOf types.package; + }; + }; ###### implementation @@ -111,14 +122,19 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network-interfaces.target" ]; environment = { ES_HOME = cfg.dataDir; }; + path = [ pkgs.elasticsearch ]; serviceConfig = { - ExecStart = "${pkgs.elasticsearch}/bin/elasticsearch -Des.path.conf=${configDir} ${toString cfg.extraCmdLineOptions}"; + ExecStart = "elasticsearch -Des.path.conf=${configDir} ${toString cfg.extraCmdLineOptions}"; User = "elasticsearch"; PermissionsStartOnly = true; }; preStart = '' mkdir -m 0700 -p ${cfg.dataDir} if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi + + # Install plugins + rm ${cfg.dataDir}/plugins || true + ln -s ${esPlugins}/plugins ${cfg.dataDir}/plugins ''; }; 
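Review bot: The new `script` line interpolates `${toString cfg.extraFlags}` into a shell command, so a flag containing whitespace or a quote is split or reinterpreted by the shell, even though the new `listOf str` type suggests each element is one argument. `${lib.escapeShellArgs cfg.extraFlags}` (if this lib version provides it) preserves the element boundaries, and `${cfg.dataDir}` deserves the same quoting now that it is a `types.path` that may contain spaces. The rest of the systemd service definition lies outside the hunk.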
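Review bot: `rm ${cfg.dataDir}/plugins || true` in the new plugin-install lines fails silently when `plugins` is a real directory left by an earlier setup or a manual install, and the following `ln -s` then creates `plugins/plugins` inside it, so the old plugins stay active and the new ones are never loaded. Testing with `[ -L "${cfg.dataDir}/plugins" ]` before removing, and failing loudly when it is a plain directory, keeps that case visible instead of masking it with `|| true`. Changing `ExecStart` to the bare name `elasticsearch` relies on systemd resolving it through the unit's `path`; older systemd releases reject a non-absolute ExecStart, so either confirm the target version or keep `${pkgs.elasticsearch}/bin/elasticsearch`.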
diff --git a/nixos/modules/services/web-servers/lighttpd/cgit.nix b/nixos/modules/services/web-servers/lighttpd/cgit.nix index dbff565bd8a3..d4663781fd84 100644 --- a/nixos/modules/services/web-servers/lighttpd/cgit.nix +++ b/nixos/modules/services/web-servers/lighttpd/cgit.nix @@ -29,7 +29,7 @@ in cache-size=1000 scan-path=/srv/git ''; - type = types.string; + type = types.lines; description = '' Verbatim contents of the cgit runtime configuration file. Documentation (with cgitrc example file) is available in "man cgitrc". Or online: diff --git a/nixos/modules/services/web-servers/lighttpd/default.nix b/nixos/modules/services/web-servers/lighttpd/default.nix index 3ba934c72bf8..f0f59a664026 100644 --- a/nixos/modules/services/web-servers/lighttpd/default.nix +++ b/nixos/modules/services/web-servers/lighttpd/default.nix @@ -102,7 +102,7 @@ in document-root = mkOption { default = "/srv/www"; - type = types.str; + type = types.path; description = '' Document-root of the web server. Must be readable by the "lighttpd" user. ''; @@ -128,7 +128,7 @@ in configText = mkOption { default = ""; - type = types.string; + type = types.lines; example = ''...verbatim config file contents...''; description = '' Overridable config file contents to use for lighttpd. By default, use @@ -138,7 +138,7 @@ in extraConfig = mkOption { default = ""; - type = types.string; + type = types.lines; description = '' These configuration lines will be appended to the generated lighttpd config file. Note that this mechanism does not work when the manual diff --git a/nixos/modules/services/web-servers/lighttpd/gitweb.nix b/nixos/modules/services/web-servers/lighttpd/gitweb.nix index d49278be09a8..c407a1d89778 100644 --- a/nixos/modules/services/web-servers/lighttpd/gitweb.nix +++ b/nixos/modules/services/web-servers/lighttpd/gitweb.nix 
@@ -25,7 +25,7 @@ in projectroot = mkOption { default = "/srv/git"; - type = types.str; + type = types.path; description = '' Path to git projects (bare repositories) that should be served by gitweb. Must not end with a slash. @@ -34,7 +34,7 @@ in extraConfig = mkOption { default = ""; - type = types.str; + type = types.lines; description = '' Verbatim configuration text appended to the generated gitweb.conf file. ''; diff --git a/nixos/modules/services/x11/desktop-managers/e18.nix b/nixos/modules/services/x11/desktop-managers/e18.nix index e59b7f426837..cb717eea909c 100644 --- a/nixos/modules/services/x11/desktop-managers/e18.nix +++ b/nixos/modules/services/x11/desktop-managers/e18.nix @@ -6,6 +6,7 @@ let xcfg = config.services.xserver; cfg = xcfg.desktopManager.e18; + e18_enlightenment = pkgs.e18.enlightenment.override { set_freqset_setuid = true; }; in @@ -23,18 +24,20 @@ in config = mkIf (xcfg.enable && cfg.enable) { environment.systemPackages = [ - pkgs.e18.efl pkgs.e18.evas pkgs.e18.emotion pkgs.e18.elementary pkgs.e18.enlightenment + pkgs.e18.efl pkgs.e18.evas pkgs.e18.emotion pkgs.e18.elementary e18_enlightenment pkgs.e18.terminology pkgs.e18.econnman ]; services.xserver.desktopManager.session = [ { name = "E18"; start = '' - ${pkgs.e18.enlightenment}/bin/enlightenment_start + ${e18_enlightenment}/bin/enlightenment_start waitPID=$! ''; }]; + security.setuidPrograms = [ "e18_freqset" ]; + }; } diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix index 22d55a9e246c..b57b03bcf962 100644 --- a/nixos/modules/system/etc/etc.nix +++ b/nixos/modules/system/etc/etc.nix @@ -132,7 +132,7 @@ in '' # Set up the statically computed bits of /etc. echo "setting up /etc..." - ${pkgs.perl}/bin/perl ${./setup-etc.pl} ${etc}/etc + ${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl ${./setup-etc.pl} ${etc}/etc ''; }; 
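Review bot: The new `security.setuidPrograms = [ "e18_freqset" ];` together with `set_freqset_setuid = true` installs a setuid-root helper for every local user whenever the E18 desktop is enabled, which widens the machine's privileged surface beyond the users who actually run the desktop. A comment stating why the wrapper is required (CPU frequency control from the desktop, presumably — confirm) and, where the module system offers `security.setuidOwners` with a group restriction, limiting the wrapper to that group would make the trade-off explicit. The `config = mkIf ...` block closes at the hunk's last line.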
diff --git a/nixos/modules/system/etc/setup-etc.pl b/nixos/modules/system/etc/setup-etc.pl index 8ba9a370b27a..d7e15eccefcd 100644 --- a/nixos/modules/system/etc/setup-etc.pl +++ b/nixos/modules/system/etc/setup-etc.pl @@ -3,6 +3,7 @@ use File::Find; use File::Copy; use File::Path; use File::Basename; +use File::Slurp; my $etc = $ARGV[0] or die; my $static = "/etc/static"; 
@@ -46,35 +47,55 @@ sub cleanup { find(\&cleanup, "/etc"); +# Use /etc/.clean to keep track of copied files. +my @oldCopied = read_file("/etc/.clean", chomp => 1, err_mode => 'quiet'); +open CLEAN, ">>/etc/.clean"; + + # For every file in the etc tree, create a corresponding symlink in # /etc to /etc/static. The indirection through /etc/static is to make # switching to a new configuration somewhat more atomic. +my %created; +my @copied; + sub link { my $fn = substr $File::Find::name, length($etc) + 1 or next; my $target = "/etc/$fn"; File::Path::make_path(dirname $target); + $created{$fn} = 1; if (-e "$_.mode") { - open MODE, "<$_.mode"; - my $mode = <MODE>; chomp $mode; - close MODE; + my $mode = read_file("$_.mode"); chomp $mode; if ($mode eq "direct-symlink") { atomicSymlink readlink("$static/$fn"), $target or warn; } else { - open UID, "<$_.uid"; - my $uid = <UID>; chomp $uid; - close UID; - open GID, "<$_.gid"; - my $gid = <GID>; chomp $gid; - close GID; - + my $uid = read_file("$_.uid"); chomp $uid; + my $gid = read_file("$_.gid"); chomp $gid; copy "$static/$fn", "$target.tmp" or warn; chown int($uid), int($gid), "$target.tmp" or warn; chmod oct($mode), "$target.tmp" or warn; rename "$target.tmp", $target or warn; } + push @copied, $fn; + print CLEAN "$fn\n"; } elsif (-l "$_") { atomicSymlink "$static/$fn", $target or warn; } } find(\&link, $etc); + + +# Delete files that were copied in a previous version but not in the +# current. +foreach my $fn (@oldCopied) { + if (!defined $created{$fn}) { + $fn = "/etc/$fn"; + print STDERR "removing obsolete file ‘$fn’...\n"; + unlink "$fn"; + } +} + + +# Rewrite /etc/.clean. +close CLEAN; +write_file("/etc/.clean", map { "$_\n" } @copied); |
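Review bot: `open CLEAN, ">>/etc/.clean";` is a bareword, two-argument, unchecked open, and the matching `print CLEAN` and `close CLEAN` are unchecked as well, so a write failure on `/etc/.clean` goes unnoticed and a later run may silently skip the obsolete-file cleanup. Use a lexical handle with three-argument open and check the close: `open my $clean_fh, '>>', '/etc/.clean' or die "open /etc/.clean: $!";`, `print {$clean_fh} "$fn\n";` and `close $clean_fh or die "close /etc/.clean: $!";`. The removal loop trusts every line of `/etc/.clean` as a path under `/etc`; that is acceptable because only this root-run script writes the file, but a comment saying so, plus an `-f` (and not `-l`) check before `unlink`, would keep a stale or hand-edited entry from removing something unexpected, and reassigning the loop variable with `$fn = "/etc/$fn"` reads oddly where a separate `my $path` would be clearer. `sub link` is shown in full, but `sub cleanup` and the `atomicSymlink` helper are outside the hunk.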