diff options
Diffstat (limited to 'nixpkgs/nixos')
79 files changed, 1230 insertions, 903 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/ipv6-config.xml b/nixpkgs/nixos/doc/manual/configuration/ipv6-config.xml index e9ab7cce4eb2..675a5d9a260d 100644 --- a/nixpkgs/nixos/doc/manual/configuration/ipv6-config.xml +++ b/nixpkgs/nixos/doc/manual/configuration/ipv6-config.xml @@ -39,7 +39,7 @@ <xref linkend="opt-networking.defaultGateway6"/> = { address = "fe00::1"; interface = "enp0s3"; -} +}; </programlisting> </para> diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml index 3c0699b4b539..eae84ee1a192 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml @@ -28,6 +28,11 @@ PHP now defaults to PHP 7.3, updated from 7.2. </para> </listitem> + <listitem> + <para> + PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release. + </para> + </listitem> </itemizedlist> </section> @@ -131,9 +136,10 @@ </listitem> <listitem> <para> - The limesurvey apache subservice was replaced with a full NixOS module. - One can configure it using the <option>services.limesurvey.enable</option> - and <option>services.limesurvey.virtualHost</option> options. + Several of the apache subservices have been replaced with full NixOS + modules including LimeSurvey and WordPress. + These modules can be enabled using the <option>services.limesurvey.enable</option> + and <option>services.wordpress.enable</option> options. </para> </listitem> <listitem> @@ -286,6 +292,12 @@ </listitem> <listitem> <para> + The <literal>consul</literal> package was upgraded past version <literal>1.5</literal>, + so its deprecated legacy UI is no longer available. + </para> + </listitem> + <listitem> + <para> The default resample-method for PulseAudio has been changed from the upstream default <literal>speex-float-1</literal> to <literal>speex-float-5</literal>. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you'll need to set <option>hardware.pulseaudio.daemon.config.resample-method</option> back to <literal>speex-float-1</literal>. diff --git a/nixpkgs/nixos/lib/make-ext4-fs.nix b/nixpkgs/nixos/lib/make-ext4-fs.nix index 47c6374c81ad..932adcd97967 100644 --- a/nixpkgs/nixos/lib/make-ext4-fs.nix +++ b/nixpkgs/nixos/lib/make-ext4-fs.nix @@ -1,9 +1,14 @@ # Builds an ext4 image containing a populated /nix/store with the closure -# of store paths passed in the storePaths parameter. The generated image -# is sized to only fit its contents, with the expectation that a script -# resizes the filesystem at boot time. +# of store paths passed in the storePaths parameter, in addition to the +# contents of a directory that can be populated with commands. The +# generated image is sized to only fit its contents, with the expectation +# that a script resizes the filesystem at boot time. { pkgs +# List of derivations to be included , storePaths +# Shell commands to populate the ./files directory. +# All files in that directory are copied to the root of the FS. +, populateImageCommands ? "" , volumeLabel , uuid ? "44444444-4444-4444-8888-888888888888" , e2fsprogs @@ -23,13 +28,17 @@ pkgs.stdenv.mkDerivation { buildCommand = '' + ( + mkdir -p ./files + ${populateImageCommands} + ) # Add the closures of the top-level store objects. storePaths=$(cat ${sdClosureInfo}/store-paths) # Make a crude approximation of the size of the target image. # If the script starts failing, increase the fudge factors here. - numInodes=$(find $storePaths | wc -l) - numDataBlocks=$(du -c -B 4096 --apparent-size $storePaths | awk '$2 == "total" { print int($1 * 1.03) }') + numInodes=$(find $storePaths ./files | wc -l) + numDataBlocks=$(du -s -c -B 4096 --apparent-size $storePaths ./files | tail -1 | awk '{ print int($1 * 1.03) }') bytes=$((2 * 4096 * $numInodes + 4096 * $numDataBlocks)) echo "Creating an EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks)" @@ -47,6 +56,12 @@ pkgs.stdenv.mkDerivation { echo "copying store paths to image..." cptofs -t ext4 -i $out $storePaths /nix/store/ + ( + echo "copying files to image..." + cd ./files + cptofs -t ext4 -i $out ./* / + ) + # I have ended up with corrupted images sometimes, I suspect that happens when the build machine's disk gets full during the build. if ! fsck.ext4 -n -f $out; then echo "--- Fsck failed for EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks) ---" diff --git a/nixpkgs/nixos/modules/config/malloc.nix b/nixpkgs/nixos/modules/config/malloc.nix index dfa86a44a326..65130454735c 100644 --- a/nixpkgs/nixos/modules/config/malloc.nix +++ b/nixpkgs/nixos/modules/config/malloc.nix @@ -79,19 +79,13 @@ in and/or service failure. </para> </warning> - - <note> - <para> - Changing this option does not affect the current session. - </para> - </note> ''; }; }; config = mkIf (cfg.provider != "libc") { - environment.variables.LD_PRELOAD = providerLibPath; - systemd.extraConfig = "DefaultEnvironment=\"LD_PRELOAD=${providerLibPath}\""; - systemd.user.extraConfig = "DefaultEnvironment=\"LD_PRELOAD=${providerLibPath}\""; + environment.etc."ld-nix.so.preload".text = '' + ${providerLibPath} + ''; }; } diff --git a/nixpkgs/nixos/modules/config/networking.nix b/nixpkgs/nixos/modules/config/networking.nix index 25253cf02e1d..eab4e73e19a1 100644 --- a/nixpkgs/nixos/modules/config/networking.nix +++ b/nixpkgs/nixos/modules/config/networking.nix @@ -233,7 +233,7 @@ in oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip}; allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set); in '' - ${allToString cfg.hosts} + ${allToString (filterAttrs (_: v: v != []) cfg.hosts)} ${cfg.extraHosts} ''; @@ -309,8 +309,11 @@ in ln -s /run/systemd/resolve/resolv.conf /run/resolvconf/interfaces/systemd ''} - # Make sure resolv.conf is up to date if not managed manually or by systemd - ${optionalString (!config.environment.etc?"resolv.conf") '' + # Make sure resolv.conf is up to date if not managed manually, by systemd or + # by NetworkManager + ${optionalString (!config.environment.etc?"resolv.conf" && + (cfg.networkmanager.enable -> + cfg.networkmanager.rc-manager == "resolvconf")) '' ${pkgs.openresolv}/bin/resolvconf -u ''} ''; diff --git a/nixpkgs/nixos/modules/hardware/ksm.nix b/nixpkgs/nixos/modules/hardware/ksm.nix index d6ac69b5d65e..99d46c25236e 100644 --- a/nixpkgs/nixos/modules/hardware/ksm.nix +++ b/nixpkgs/nixos/modules/hardware/ksm.nix @@ -1,9 +1,24 @@ { config, lib, ... }: -{ - options.hardware.enableKSM = lib.mkEnableOption "Kernel Same-Page Merging"; +with lib; - config = lib.mkIf config.hardware.enableKSM { +let + cfg = config.hardware.ksm; + +in { + options.hardware.ksm = { + enable = mkEnableOption "Kernel Same-Page Merging"; + sleep = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + How many milliseconds ksmd should sleep between scans. + Setting it to <literal>null</literal> uses the kernel's default time. + ''; + }; + }; + + config = mkIf cfg.enable { systemd.services.enable-ksm = { description = "Enable Kernel Same-Page Merging"; wantedBy = [ "multi-user.target" ]; @@ -11,6 +26,7 @@ script = '' if [ -e /sys/kernel/mm/ksm ]; then echo 1 > /sys/kernel/mm/ksm/run + ${optionalString (cfg.sleep != null) ''echo ${toString cfg.sleep} > /sys/kernel/mm/ksm/sleep_millisecs''} fi ''; }; diff --git a/nixpkgs/nixos/modules/hardware/opengl.nix b/nixpkgs/nixos/modules/hardware/opengl.nix index 6b7b8069fd44..2defab51bc3a 100644 --- a/nixpkgs/nixos/modules/hardware/opengl.nix +++ b/nixpkgs/nixos/modules/hardware/opengl.nix @@ -11,9 +11,9 @@ let videoDrivers = config.services.xserver.videoDrivers; makePackage = p: pkgs.buildEnv { - name = "mesa-drivers+txc-${p.mesa_drivers.version}"; + name = "mesa-drivers+txc-${p.mesa.version}"; paths = - [ p.mesa_drivers + [ p.mesa.drivers (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc) ]; }; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix index 5f7194e92a36..a9241870fa71 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix @@ -26,8 +26,15 @@ in # Also increase the amount of CMA to ensure the virtual console on the RPi3 works. boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"]; + boot.initrd.availableKernelModules = [ + # Allows early (earlier) modesetting for the Raspberry Pi + "vc4" "bcm2835_dma" "i2c_bcm2835" + # Allows early (earlier) modesetting for Allwinner SoCs + "sun4i_drm" "sun8i_drm_hdmi" "sun8i_mixer" + ]; + sdImage = { - populateBootCommands = let + populateFirmwareCommands = let configTxt = pkgs.writeText "config.txt" '' kernel=u-boot-rpi3.bin @@ -43,10 +50,13 @@ in avoid_warnings=1 ''; in '' - (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/) - cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin boot/u-boot-rpi3.bin - cp ${configTxt} boot/config.txt - ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot + (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/) + cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin + cp ${configTxt} firmware/config.txt ''; + populateRootCommands = '' + mkdir -p ./files/boot + ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot + ''; }; } diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix index 71448f74c361..dab092415316 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix @@ -29,7 +29,7 @@ in boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"]; sdImage = { - populateBootCommands = let + populateFirmwareCommands = let configTxt = pkgs.writeText "config.txt" '' # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel # when attempting to show low-voltage or overtemperature warnings. @@ -46,11 +46,14 @@ in enable_uart=1 ''; in '' - (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/) - cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin - cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin boot/u-boot-rpi3.bin - cp ${configTxt} boot/config.txt - ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot + (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/) + cp ${pkgs.ubootRaspberryPi2}/u-boot.bin firmware/u-boot-rpi2.bin + cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin firmware/u-boot-rpi3.bin + cp ${configTxt} firmware/config.txt ''; + populateRootCommands = '' + mkdir -p ./files/boot + ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot + ''; }; } diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix index 96e06670694e..8c9090471dcd 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix @@ -22,7 +22,7 @@ in boot.kernelPackages = pkgs.linuxPackages_rpi; sdImage = { - populateBootCommands = let + populateFirmwareCommands = let configTxt = pkgs.writeText "config.txt" '' # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel # when attempting to show low-voltage or overtemperature warnings. @@ -35,11 +35,14 @@ in kernel=u-boot-rpi1.bin ''; in '' - (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/) - cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin boot/u-boot-rpi0.bin - cp ${pkgs.ubootRaspberryPi}/u-boot.bin boot/u-boot-rpi1.bin - cp ${configTxt} boot/config.txt - ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot + (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/) + cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin firmware/u-boot-rpi0.bin + cp ${pkgs.ubootRaspberryPi}/u-boot.bin firmware/u-boot-rpi1.bin + cp ${configTxt} firmware/config.txt ''; + populateRootCommands = '' + mkdir -p ./files/boot + ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot + ''; }; } diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix index 69746a8e9799..0c407b199367 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix @@ -1,8 +1,12 @@ # This module creates a bootable SD card image containing the given NixOS -# configuration. The generated image is MBR partitioned, with a FAT /boot -# partition, and ext4 root partition. The generated image is sized to fit -# its contents, and a boot script automatically resizes the root partition -# to fit the device on the first boot. +# configuration. The generated image is MBR partitioned, with a FAT +# /boot/firmware partition, and ext4 root partition. The generated image +# is sized to fit its contents, and a boot script automatically resizes +# the root partition to fit the device on the first boot. +# +# The firmware partition is built with expectation to hold the Raspberry +# Pi firmware and bootloader, and be removed and replaced with a firmware +# build for the target SoC for other board families. # # The derivation for the SD image will be placed in # config.system.build.sdImage @@ -14,12 +18,18 @@ with lib; let rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({ inherit (config.sdImage) storePaths; + populateImageCommands = config.sdImage.populateRootCommands; volumeLabel = "NIXOS_SD"; } // optionalAttrs (config.sdImage.rootPartitionUUID != null) { uuid = config.sdImage.rootPartitionUUID; }); in { + imports = [ + (mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID.") + (mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 partition. The FAT partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.") + ]; + options.sdImage = { imageName = mkOption { default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img"; @@ -43,12 +53,12 @@ in ''; }; - bootPartitionID = mkOption { + firmwarePartitionID = mkOption { type = types.string; default = "0x2178694e"; description = '' - Volume ID for the /boot partition on the SD card. This value must be a - 32-bit hexadecimal number. + Volume ID for the /boot/firmware partition on the SD card. This value + must be a 32-bit hexadecimal number. ''; }; @@ -61,29 +71,44 @@ in ''; }; - bootSize = mkOption { + firmwareSize = mkOption { type = types.int; - default = 120; + # As of 2019-05-31 the Raspberry pi firmware + u-bot takes ~13MiB + default = 20; + description = '' + Size of the /boot/firmware partition, in megabytes. + ''; + }; + + populateFirmwareCommands = mkOption { + example = literalExample "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''"; description = '' - Size of the /boot partition, in megabytes. + Shell commands to populate the ./firmware directory. + All files in that directory are copied to the + /boot/firmware partition on the SD image. ''; }; - populateBootCommands = mkOption { - example = literalExample "'' cp \${pkgs.myBootLoader}/u-boot.bin boot/ ''"; + populateRootCommands = mkOption { + example = literalExample "''\${extlinux-conf-builder} -t 3 -c \${config.system.build.toplevel} -d ./files/boot''"; description = '' - Shell commands to populate the ./boot directory. + Shell commands to populate the ./files directory. All files in that directory are copied to the - /boot partition on the SD image. + root (/) partition on the SD image. Use this to + populate the ./files/boot (/boot) directory. ''; }; }; config = { fileSystems = { - "/boot" = { - device = "/dev/disk/by-label/NIXOS_BOOT"; + "/boot/firmware" = { + device = "/dev/disk/by-label/FIRMWARE"; fsType = "vfat"; + # Alternatively, this could be removed from the configuration. + # The filesystem is not needed at runtime, it could be treated + # as an opaque blob instead of a discrete FAT32 filesystem. + options = [ "nofail" "noauto" ]; }; "/" = { device = "/dev/disk/by-label/NIXOS_SD"; @@ -105,39 +130,44 @@ in echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system echo "file sd-image $img" >> $out/nix-support/hydra-build-products - # Create the image file sized to fit /boot and /, plus 20M of slack + # Gap in front of the first partition, in MiB + gap=8 + + # Create the image file sized to fit /boot/firmware and /, plus slack for the gap. rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }') - bootSizeBlocks=$((${toString config.sdImage.bootSize} * 1024 * 1024 / 512)) - imageSize=$((rootSizeBlocks * 512 + bootSizeBlocks * 512 + 20 * 1024 * 1024)) + firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512)) + imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024)) truncate -s $imageSize $img # type=b is 'W95 FAT32', type=83 is 'Linux'. + # The "bootable" partition is where u-boot will look file for the bootloader + # information (dtbs, extlinux.conf file). sfdisk $img <<EOF label: dos - label-id: ${config.sdImage.bootPartitionID} + label-id: ${config.sdImage.firmwarePartitionID} - start=8M, size=$bootSizeBlocks, type=b, bootable - start=${toString (8 + config.sdImage.bootSize)}M, type=83 + start=''${gap}M, size=$firmwareSizeBlocks, type=b + start=$((gap + ${toString config.sdImage.firmwareSize}))M, type=83, bootable EOF # Copy the rootfs into the SD image eval $(partx $img -o START,SECTORS --nr 2 --pairs) dd conv=notrunc if=${rootfsImage} of=$img seek=$START count=$SECTORS - # Create a FAT32 /boot partition of suitable size into bootpart.img + # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img eval $(partx $img -o START,SECTORS --nr 1 --pairs) - truncate -s $((SECTORS * 512)) bootpart.img - faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.bootPartitionID} -n NIXOS_BOOT bootpart.img + truncate -s $((SECTORS * 512)) firmware_part.img + faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n FIRMWARE firmware_part.img - # Populate the files intended for /boot - mkdir boot - ${config.sdImage.populateBootCommands} + # Populate the files intended for /boot/firmware + mkdir firmware + ${config.sdImage.populateFirmwareCommands} - # Copy the populated /boot into the SD image - (cd boot; mcopy -psvm -i ../bootpart.img ./* ::) + # Copy the populated /boot/firmware into the SD image + (cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::) # Verify the FAT partition before copying it. - fsck.vfat -vn bootpart.img - dd conv=notrunc if=bootpart.img of=$img seek=$START count=$SECTORS + fsck.vfat -vn firmware_part.img + dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS ''; }) {}; diff --git a/nixpkgs/nixos/modules/misc/documentation.nix b/nixpkgs/nixos/modules/misc/documentation.nix index 834ac0de9121..deecb005270f 100644 --- a/nixpkgs/nixos/modules/misc/documentation.nix +++ b/nixpkgs/nixos/modules/misc/documentation.nix @@ -49,11 +49,7 @@ let if [ -z "$browser" ]; then browser="$(type -P xdg-open || true)" if [ -z "$browser" ]; then - browser="$(type -P w3m || true)" - if [ -z "$browser" ]; then - echo "$0: unable to start a web browser; please set \$BROWSER" - exit 1 - fi + browser="${pkgs.w3m-nographics}/bin/w3m" fi fi exec "$browser" ${manual.manualHTMLIndex} @@ -187,8 +183,6 @@ in }) (mkIf cfg.doc.enable { - # TODO(@oxij): put it here and remove from profiles? - # environment.systemPackages = [ pkgs.w3m ]; # w3m-nox? environment.pathsToLink = [ "/share/doc" ]; environment.extraOutputsToInstall = [ "doc" ] ++ optional cfg.dev.enable "devdoc"; }) diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 12ecec62a226..52011ffafbe9 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -50,6 +50,7 @@ ./hardware/logitech.nix ./hardware/mcelog.nix ./hardware/network/b43.nix + ./hardware/network/intel-2200bg.nix ./hardware/nitrokey.nix ./hardware/opengl.nix ./hardware/pcmcia.nix @@ -190,6 +191,7 @@ ./services/audio/liquidsoap.nix ./services/audio/mpd.nix ./services/audio/mopidy.nix + ./services/audio/roon-server.nix ./services/audio/slimserver.nix ./services/audio/snapserver.nix ./services/audio/squeezelite.nix @@ -778,6 +780,7 @@ ./services/web-apps/tt-rss.nix ./services/web-apps/selfoss.nix ./services/web-apps/virtlyst.nix + ./services/web-apps/wordpress.nix ./services/web-apps/youtrack.nix ./services/web-servers/apache-httpd/default.nix ./services/web-servers/caddy.nix diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix index 87bf66333c61..97279a78a57b 100644 --- a/nixpkgs/nixos/modules/profiles/hardened.nix +++ b/nixpkgs/nixos/modules/profiles/hardened.nix @@ -89,4 +89,37 @@ with lib; # # The value is taken from the KSPP recommendations (Debian uses 4096). boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; + + # Disable ftrace debugging + boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; + + # Enable reverse path filtering (that is, do not attempt to route packets + # that "obviously" do not belong to the iface's network; dropped packets are + # logged as martians). + boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true; + + # Ignore broadcast ICMP (mitigate SMURF) + boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; + + # Ignore route information from sender + boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false; + + # Ignore incoming ICMP redirects (note: default is needed to ensure that the + # setting is applied to interfaces added after the sysctls are set) + boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false; + + # Ignore outgoing ICMP redirects (this is ipv4 only) + boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; } diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix index a424e86038e7..1b77a895d717 100644 --- a/nixpkgs/nixos/modules/rename.nix +++ b/nixpkgs/nixos/modules/rename.nix @@ -213,6 +213,7 @@ with lib; (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd") + (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") # ZSH (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) @@ -240,6 +241,9 @@ with lib; # binfmt (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) + # KSM + (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) + ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "snmpExporter" "unifiExporter" "varnishExporter" ] diff --git a/nixpkgs/nixos/modules/services/audio/mopidy.nix b/nixpkgs/nixos/modules/services/audio/mopidy.nix index e2f4ec39f94c..a534b692f177 100644 --- a/nixpkgs/nixos/modules/services/audio/mopidy.nix +++ b/nixpkgs/nixos/modules/services/audio/mopidy.nix @@ -70,25 +70,25 @@ in { config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - mopidy mopidy - -" + ]; + systemd.services.mopidy = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" "sound.target" ]; description = "mopidy music player daemon"; - preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}"; serviceConfig = { ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}"; User = "mopidy"; - PermissionsStartOnly = true; }; }; systemd.services.mopidy-scan = { description = "mopidy local files scanner"; - preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}"; serviceConfig = { ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan"; User = "mopidy"; - PermissionsStartOnly = true; Type = "oneshot"; }; }; @@ -98,7 +98,7 @@ in { group = "mopidy"; extraGroups = [ "audio" ]; description = "Mopidy daemon user"; - home = "${cfg.dataDir}"; + home = cfg.dataDir; }; users.groups.mopidy.gid = gid; diff --git a/nixpkgs/nixos/modules/services/audio/roon-server.nix b/nixpkgs/nixos/modules/services/audio/roon-server.nix new file mode 100644 index 000000000000..9562ad1b164e --- /dev/null +++ b/nixpkgs/nixos/modules/services/audio/roon-server.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + name = "roon-server"; + cfg = config.services.roon-server; +in { + options = { + services.roon-server = { + enable = mkEnableOption "Roon Server"; + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open ports in the firewall for the server. + + UDP: 9003 + TCP: 9100 - 9200 + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.roon-server = { + after = [ "network.target" ]; + description = "Roon Server"; + wantedBy = [ "multi-user.target" ]; + + environment.ROON_DATAROOT = "/var/lib/${name}"; + + serviceConfig = { + ExecStart = "${pkgs.roon-server}/opt/start.sh"; + LimitNOFILE = 8192; + DynamicUser = true; + SupplementaryGroups = "audio"; + StateDirectory = name; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPortRanges = [ + { from = 9100; to = 9200; } + ]; + allowedUDPPorts = [ 9003 ]; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/audio/slimserver.nix b/nixpkgs/nixos/modules/services/audio/slimserver.nix index 640403d2c97d..8f94a2b49404 100644 --- a/nixpkgs/nixos/modules/services/audio/slimserver.nix +++ b/nixpkgs/nixos/modules/services/audio/slimserver.nix @@ -42,15 +42,17 @@ in { config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - slimserver slimserver - -" + ]; + systemd.services.slimserver = { after = [ "network.target" ]; description = "Slim Server for Logitech Squeezebox Players"; wantedBy = [ "multi-user.target" ]; - preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}"; serviceConfig = { User = "slimserver"; - PermissionsStartOnly = true; # Issue 40589: Disable broken image/video support (audio still works!) ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo"; }; diff --git a/nixpkgs/nixos/modules/services/backup/duplicati.nix b/nixpkgs/nixos/modules/services/backup/duplicati.nix index 80287f30b813..0ff720c5897d 100644 --- a/nixpkgs/nixos/modules/services/backup/duplicati.nix +++ b/nixpkgs/nixos/modules/services/backup/duplicati.nix @@ -19,13 +19,22 @@ in }; interface = mkOption { - default = "lo"; + default = "127.0.0.1"; type = types.str; description = '' Listening interface for the web UI Set it to "any" to listen on all available interfaces ''; }; + + user = mkOption { + default = "duplicati"; + type = types.str; + description = '' + Duplicati runs as it's own user. It will only be able to backup world-readable files. + Run as root with special care. + ''; + }; }; }; @@ -37,14 +46,15 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - User = "duplicati"; + User = cfg.user; Group = "duplicati"; + StateDirectory = "duplicati"; ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=${cfg.interface} --webservice-port=${toString cfg.port} --server-datafolder=/var/lib/duplicati"; Restart = "on-failure"; }; }; - users.users.duplicati = { + users.users.duplicati = lib.optionalAttrs (cfg.user == "duplicati") { uid = config.ids.uids.duplicati; home = "/var/lib/duplicati"; createHome = true; diff --git a/nixpkgs/nixos/modules/services/computing/boinc/client.nix b/nixpkgs/nixos/modules/services/computing/boinc/client.nix index 8abe3c5b8c9b..7022751b3f01 100644 --- a/nixpkgs/nixos/modules/services/computing/boinc/client.nix +++ b/nixpkgs/nixos/modules/services/computing/boinc/client.nix @@ -105,19 +105,18 @@ in isSystemUser = true; }; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - boinc - - -" + ]; + systemd.services.boinc = { description = "BOINC Client"; after = ["network.target" "local-fs.target"]; wantedBy = ["multi-user.target"]; - preStart = '' - mkdir -p ${cfg.dataDir} - chown boinc ${cfg.dataDir} - ''; script = '' ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} ''; serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root User = "boinc"; Nice = 10; }; diff --git a/nixpkgs/nixos/modules/services/databases/cassandra.nix b/nixpkgs/nixos/modules/services/databases/cassandra.nix index e2ea9fcda6b0..a9da3a3c5620 100644 --- a/nixpkgs/nixos/modules/services/databases/cassandra.nix +++ b/nixpkgs/nixos/modules/services/databases/cassandra.nix @@ -71,7 +71,7 @@ in { ''; clusterName = mkOption { type = types.str; - default = "NixOS Test Cluster"; + default = "Test Cluster"; description = '' The name of the cluster. This setting prevents nodes in one logical cluster from joining diff --git a/nixpkgs/nixos/modules/services/databases/firebird.nix b/nixpkgs/nixos/modules/services/databases/firebird.nix index cc81b440450b..042c9841df54 100644 --- a/nixpkgs/nixos/modules/services/databases/firebird.nix +++ b/nixpkgs/nixos/modules/services/databases/firebird.nix @@ -95,6 +95,11 @@ in environment.systemPackages = [cfg.package]; + systemd.tmpfiles.rules = [ + "d '${dataDir}' 0700 ${cfg.user} - - -" + "d '${systemDir}' 0700 ${cfg.user} - - -" + ]; + systemd.services.firebird = { description = "Firebird Super-Server"; @@ -104,21 +109,16 @@ in # is a better way preStart = '' - mkdir -m 0700 -p \ - "${dataDir}" \ - "${systemDir}" \ - /var/log/firebird - if ! test -e "${systemDir}/security2.fdb"; then cp ${firebird}/security2.fdb "${systemDir}" fi - chown -R ${cfg.user} "${dataDir}" "${systemDir}" /var/log/firebird chmod -R 700 "${dataDir}" "${systemDir}" /var/log/firebird ''; - serviceConfig.PermissionsStartOnly = true; # preStart must be run as root serviceConfig.User = cfg.user; + serviceConfig.LogsDirectory = "firebird"; + serviceConfig.LogsDirectoryMode = "0700"; serviceConfig.ExecStart = ''${firebird}/bin/fbserver -d''; # TODO think about shutdown diff --git a/nixpkgs/nixos/modules/services/databases/foundationdb.nix b/nixpkgs/nixos/modules/services/databases/foundationdb.nix index 490c5e9d005a..6182da5e7d65 100644 --- a/nixpkgs/nixos/modules/services/databases/foundationdb.nix +++ b/nixpkgs/nixos/modules/services/databases/foundationdb.nix @@ -359,6 +359,13 @@ in } ]; + systemd.tmpfiles.rules = [ + "d /etc/foundationdb 0755 ${cfg.user} ${cfg.group} - -" + "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.logDir}' 0770 ${cfg.user} ${cfg.group} - -" + "F '${cfg.pidFile}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.foundationdb = { description = "FoundationDB Service"; @@ -396,25 +403,12 @@ in path = [ pkg pkgs.coreutils ]; preStart = '' - rm -f ${cfg.pidfile} && \ - touch ${cfg.pidfile} && \ - chown -R ${cfg.user}:${cfg.group} ${cfg.pidfile} - - for x in "${cfg.logDir}" "${cfg.dataDir}"; do - [ ! -d "$x" ] && mkdir -m 0770 -vp "$x"; - chown -R ${cfg.user}:${cfg.group} "$x"; - done - - [ ! -d /etc/foundationdb ] && \ - mkdir -m 0775 -vp /etc/foundationdb && \ - chown -R ${cfg.user}:${cfg.group} "/etc/foundationdb" - if [ ! -f /etc/foundationdb/fdb.cluster ]; then cf=/etc/foundationdb/fdb.cluster desc=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) rand=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf - chmod 0664 $cf && chown -R ${cfg.user}:${cfg.group} $cf + chmod 0664 $cf touch "${cfg.dataDir}/.first_startup" fi ''; diff --git a/nixpkgs/nixos/modules/services/databases/hbase.nix b/nixpkgs/nixos/modules/services/databases/hbase.nix index 52f2d95b4e00..589c8cf5ec80 100644 --- a/nixpkgs/nixos/modules/services/databases/hbase.nix +++ b/nixpkgs/nixos/modules/services/databases/hbase.nix @@ -94,6 +94,11 @@ in { config = mkIf config.services.hbase.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" + "d '${cfg.logDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.hbase = { description = "HBase Server"; wantedBy = [ "multi-user.target" ]; @@ -103,19 +108,7 @@ in { HBASE_LOG_DIR = cfg.logDir; }; - preStart = - '' - mkdir -p ${cfg.dataDir}; - mkdir -p ${cfg.logDir}; - - if [ "$(id -u)" = 0 ]; then - chown ${cfg.user}:${cfg.group} ${cfg.dataDir} - chown ${cfg.user}:${cfg.group} ${cfg.logDir} - fi - ''; - serviceConfig = { - PermissionsStartOnly = true; User = cfg.user; Group = cfg.group; ExecStart = "${cfg.package}/bin/hbase --config ${configDir} master start"; diff --git a/nixpkgs/nixos/modules/services/databases/mysql.nix b/nixpkgs/nixos/modules/services/databases/mysql.nix index 66d55b650a45..df74cfc9a26b 100644 --- a/nixpkgs/nixos/modules/services/databases/mysql.nix +++ b/nixpkgs/nixos/modules/services/databases/mysql.nix @@ -204,12 +204,6 @@ in ''; }; - # FIXME: remove this option; it's a really bad idea. - rootPassword = mkOption { - default = null; - description = "Path to a file containing the root password, modified on the first startup. Not specifying a root password will leave the root password empty."; - }; - replication = { role = mkOption { type = types.enum [ "master" "slave" "none" ]; @@ -323,114 +317,107 @@ in RuntimeDirectoryMode = "0755"; # The last two environment variables are used for starting Galera clusters ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION"; - }; - - postStart = - let - cmdWatchForMysqlSocket = '' - # Wait until the MySQL server is available for use - count=0 - while [ ! -e /run/mysqld/mysqld.sock ] - do - if [ $count -eq 30 ] - then - echo "Tried 30 times, giving up..." - exit 1 - fi - - echo "MySQL daemon not yet started. Waiting for 1 second..." - count=$((count++)) - sleep 1 - done - ''; - cmdInitialDatabases = concatMapStrings (database: '' - # Create initial databases - if ! test -e "${cfg.dataDir}/${database.name}"; then - echo "Creating initial database: ${database.name}" - ( echo 'create database `${database.name}`;' - - ${optionalString (database.schema != null) '' - echo 'use `${database.name}`;' - - # TODO: this silently falls through if database.schema does not exist, - # we should catch this somehow and exit, but can't do it here because we're in a subshell. - if [ -f "${database.schema}" ] - then - cat ${database.schema} - elif [ -d "${database.schema}" ] - then - cat ${database.schema}/mysql-databases/*.sql - fi - ''} + ExecStartPost = + let + setupScript = pkgs.writeScript "mysql-setup" '' + #!${pkgs.runtimeShell} -e + + ${optionalString (!hasNotify) '' + # Wait until the MySQL server is available for use + count=0 + while [ ! -e /run/mysqld/mysqld.sock ] + do + if [ $count -eq 30 ] + then + echo "Tried 30 times, giving up..." + exit 1 + fi + + echo "MySQL daemon not yet started. Waiting for 1 second..." + count=$((count++)) + sleep 1 + done + ''} + + if [ -f /tmp/mysql_init ] + then + ${concatMapStrings (database: '' + # Create initial databases + if ! test -e "${cfg.dataDir}/${database.name}"; then + echo "Creating initial database: ${database.name}" + ( echo 'create database `${database.name}`;' + + ${optionalString (database.schema != null) '' + echo 'use `${database.name}`;' + + # TODO: this silently falls through if database.schema does not exist, + # we should catch this somehow and exit, but can't do it here because we're in a subshell. + if [ -f "${database.schema}" ] + then + cat ${database.schema} + elif [ -d "${database.schema}" ] + then + cat ${database.schema}/mysql-databases/*.sql + fi + ''} + ) | ${mysql}/bin/mysql -u root -N + fi + '') cfg.initialDatabases} + + ${optionalString (cfg.replication.role == "master") + '' + # Set up the replication master + + ( echo "use mysql;" + echo "CREATE USER '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' IDENTIFIED WITH mysql_native_password;" + echo "SET PASSWORD FOR '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' = PASSWORD('${cfg.replication.masterPassword}');" + echo "GRANT REPLICATION SLAVE ON *.* TO '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}';" + ) | ${mysql}/bin/mysql -u root -N + ''} + + ${optionalString (cfg.replication.role == "slave") + '' + # Set up the replication slave + + ( echo "stop slave;" + echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';" + echo "start slave;" + ) | ${mysql}/bin/mysql -u root -N + ''} + + ${optionalString (cfg.initialScript != null) + '' + # Execute initial script + # using toString to avoid copying the file to nix store if given as path instead of string, + # as it might contain credentials + cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N + ''} + + rm /tmp/mysql_init + fi + + ${optionalString (cfg.ensureDatabases != []) '' + ( + ${concatMapStrings (database: '' + echo "CREATE DATABASE IF NOT EXISTS \`${database}\`;" + '') cfg.ensureDatabases} ) | ${mysql}/bin/mysql -u root -N - fi - '') cfg.initialDatabases; - in - - lib.optionalString (!hasNotify) cmdWatchForMysqlSocket + '' - if [ -f /tmp/mysql_init ] - then - ${cmdInitialDatabases} - ${optionalString (cfg.replication.role == "master") - '' - # Set up the replication master - - ( echo "use mysql;" - echo "CREATE USER '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' IDENTIFIED WITH mysql_native_password;" - echo "SET PASSWORD FOR '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' = PASSWORD('${cfg.replication.masterPassword}');" - echo "GRANT REPLICATION SLAVE ON *.* TO '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}';" - ) | ${mysql}/bin/mysql -u root -N - ''} + ''} - ${optionalString (cfg.replication.role == "slave") + ${concatMapStrings (user: '' - # Set up the replication slave - - ( echo "stop slave;" - echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';" - echo "start slave;" + ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};" + ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' + echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';" + '') user.ensurePermissions)} ) | ${mysql}/bin/mysql -u root -N - ''} - - ${optionalString (cfg.initialScript != null) - '' - # Execute initial script - # using toString to avoid copying the file to nix store if given as path instead of string, - # as it might contain credentials - cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N - ''} - - ${optionalString (cfg.rootPassword != null) - '' - # Change root password - - ( echo "use mysql;" - echo "update user set Password=password('$(cat ${cfg.rootPassword})') where User='root';" - echo "flush privileges;" - ) | ${mysql}/bin/mysql -u root -N - ''} - - rm /tmp/mysql_init - fi - - ${optionalString (cfg.ensureDatabases != []) '' - ( - ${concatMapStrings (database: '' - echo "CREATE DATABASE IF NOT EXISTS \`${database}\`;" - '') cfg.ensureDatabases} - ) | ${mysql}/bin/mysql -u root -N - ''} - - ${concatMapStrings (user: - '' - ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};" - ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' - echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';" - '') user.ensurePermissions)} - ) | ${mysql}/bin/mysql -u root -N - '') cfg.ensureUsers} - - ''; # */ + '') cfg.ensureUsers} + ''; + in + # ensureDatbases & ensureUsers depends on this script being run as root + # when the user has secured their mysql install + "+${setupScript}"; + }; }; }; diff --git a/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix b/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix index d9d5d539e422..931bac58aceb 100644 --- a/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix +++ b/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix @@ -33,8 +33,10 @@ environment.systemPackages = [ pkgs.deepin.dde-api pkgs.deepin.dde-calendar + pkgs.deepin.dde-control-center pkgs.deepin.dde-daemon pkgs.deepin.dde-dock + pkgs.deepin.dde-launcher pkgs.deepin.dde-file-manager pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything @@ -45,8 +47,10 @@ services.dbus.packages = [ pkgs.deepin.dde-api pkgs.deepin.dde-calendar + pkgs.deepin.dde-control-center pkgs.deepin.dde-daemon pkgs.deepin.dde-dock + pkgs.deepin.dde-launcher pkgs.deepin.dde-file-manager pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index cb2f1e6621ae..83ab93bd7cfc 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -85,7 +85,7 @@ let for i in $import_progs $run_progs; do if [[ ! -x $i ]]; then echo "FAIL" - echo "$i is called in udev rules but not installed by udev" + echo "$i is called in udev rules but is not executable or does not exist" exit 1 fi done diff --git a/nixpkgs/nixos/modules/services/logging/graylog.nix b/nixpkgs/nixos/modules/services/logging/graylog.nix index 74a7b3c9b470..c8c4a9ff06db 100644 --- a/nixpkgs/nixos/modules/services/logging/graylog.nix +++ b/nixpkgs/nixos/modules/services/logging/graylog.nix @@ -108,7 +108,7 @@ in }; extraConfig = mkOption { - type = types.str; + type = types.lines; default = ""; description = "Any other configuration options you might want to add"; }; @@ -134,6 +134,10 @@ in }; }; + systemd.tmpfiles.rules = [ + "d '${cfg.messageJournalDir}' - ${cfg.user} - - -" + ]; + systemd.services.graylog = with pkgs; { description = "Graylog Server"; wantedBy = [ "multi-user.target" ]; @@ -143,8 +147,6 @@ in }; path = [ pkgs.jre_headless pkgs.which pkgs.procps ]; preStart = '' - mkdir -p /var/lib/graylog -m 755 - rm -rf /var/lib/graylog/plugins || true mkdir -p /var/lib/graylog/plugins -m 755 @@ -154,14 +156,10 @@ in for includedplugin in `ls ${cfg.package}/plugin/`; do ln -s ${cfg.package}/plugin/$includedplugin /var/lib/graylog/plugins/$includedplugin || true done - chown -R ${cfg.user} /var/lib/graylog - - mkdir -p ${cfg.messageJournalDir} -m 755 - chown -R ${cfg.user} ${cfg.messageJournalDir} ''; serviceConfig = { User="${cfg.user}"; - PermissionsStartOnly=true; + StateDirectory = "graylog"; ExecStart = "${cfg.package}/bin/graylogctl run"; }; }; diff --git a/nixpkgs/nixos/modules/services/logging/heartbeat.nix b/nixpkgs/nixos/modules/services/logging/heartbeat.nix index b595ac07bf5e..56fb4deabda5 100644 --- a/nixpkgs/nixos/modules/services/logging/heartbeat.nix +++ b/nixpkgs/nixos/modules/services/logging/heartbeat.nix @@ -54,16 +54,18 @@ in config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - nobody nogroup - -" + ]; + systemd.services.heartbeat = with pkgs; { description = "heartbeat log shipper"; wantedBy = [ "multi-user.target" ]; preStart = '' mkdir -p "${cfg.stateDir}"/{data,logs} - chown nobody:nogroup "${cfg.stateDir}"/{data,logs} ''; serviceConfig = { User = "nobody"; - PermissionsStartOnly = true; AmbientCapabilities = "cap_net_raw"; ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c \"${heartbeatYml}\" -path.data \"${cfg.stateDir}/data\" -path.logs \"${cfg.stateDir}/logs\""; }; diff --git a/nixpkgs/nixos/modules/services/mail/dspam.nix b/nixpkgs/nixos/modules/services/mail/dspam.nix index 167b5aeccc84..72b8c4c08b92 100644 --- a/nixpkgs/nixos/modules/services/mail/dspam.nix +++ b/nixpkgs/nixos/modules/services/mail/dspam.nix @@ -113,19 +113,14 @@ in { Group = cfg.group; RuntimeDirectory = optional (cfg.domainSocket == defaultSock) "dspam"; RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750"; - PermissionsStartOnly = true; + StateDirectory = "dspam"; + StateDirectoryMode = "0750"; + LogsDirectory = "dspam"; + LogsDirectoryMode = "0750"; # DSPAM segfaults on just about every error Restart = "on-abort"; RestartSec = "1s"; }; - - preStart = '' - mkdir -m750 -p /var/lib/dspam - chown -R "${cfg.user}:${cfg.group}" /var/lib/dspam - - mkdir -m750 -p /var/log/dspam - chown -R "${cfg.user}:${cfg.group}" /var/log/dspam - ''; }; } diff --git a/nixpkgs/nixos/modules/services/mail/opendkim.nix b/nixpkgs/nixos/modules/services/mail/opendkim.nix index 7855efb46c73..253823cbaf9c 100644 --- a/nixpkgs/nixos/modules/services/mail/opendkim.nix +++ b/nixpkgs/nixos/modules/services/mail/opendkim.nix @@ -101,13 +101,16 @@ in { environment.systemPackages = [ pkgs.opendkim ]; + systemd.tmpfiles.rules = [ + "d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.opendkim = { description = "OpenDKIM signing and verification daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -p "${cfg.keyPath}" cd "${cfg.keyPath}" if ! test -f ${cfg.selector}.private; then ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key @@ -116,7 +119,6 @@ in { cat ${cfg.selector}.txt echo "-------------------------------------------------------------" fi - chown ${cfg.user}:${cfg.group} ${cfg.selector}.private ''; serviceConfig = { @@ -124,7 +126,6 @@ in { User = cfg.user; Group = cfg.group; RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim"; - PermissionsStartOnly = true; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/apache-kafka.nix b/nixpkgs/nixos/modules/services/misc/apache-kafka.nix index 363ac4411e11..9eeae9556992 100644 --- a/nixpkgs/nixos/modules/services/misc/apache-kafka.nix +++ b/nixpkgs/nixos/modules/services/misc/apache-kafka.nix @@ -131,6 +131,8 @@ in { home = head cfg.logDirs; }; + systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs; + systemd.services.apache-kafka = { description = "Apache Kafka Daemon"; wantedBy = [ "multi-user.target" ]; @@ -145,15 +147,8 @@ in { ${serverConfig} ''; User = "apache-kafka"; - PermissionsStartOnly = true; SuccessExitStatus = "0 143"; }; - preStart = '' - mkdir -m 0700 -p ${concatStringsSep " " cfg.logDirs} - if [ "$(id -u)" = 0 ]; then - chown apache-kafka ${concatStringsSep " " cfg.logDirs}; - fi - ''; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/couchpotato.nix b/nixpkgs/nixos/modules/services/misc/couchpotato.nix index 70aa895f76d8..528af486b414 100644 --- a/nixpkgs/nixos/modules/services/misc/couchpotato.nix +++ b/nixpkgs/nixos/modules/services/misc/couchpotato.nix @@ -19,16 +19,11 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -p /var/lib/couchpotato - chown -R couchpotato:couchpotato /var/lib/couchpotato - ''; - serviceConfig = { Type = "simple"; User = "couchpotato"; Group = "couchpotato"; - PermissionsStartOnly = "true"; + StateDirectory = "couchpotato"; ExecStart = "${pkgs.couchpotato}/bin/couchpotato"; Restart = "on-failure"; }; diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix index 7daa2dd0d4cc..5a964e672ede 100644 --- a/nixpkgs/nixos/modules/services/misc/gitea.nix +++ b/nixpkgs/nixos/modules/services/misc/gitea.nix @@ -38,6 +38,7 @@ let HTTP_PORT = ${toString cfg.httpPort} ROOT_URL = ${cfg.rootUrl} STATIC_ROOT_PATH = ${cfg.staticRootPath} + LFS_JWT_SECRET = #jwtsecret# [session] COOKIE_NAME = session @@ -307,6 +308,7 @@ in systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' - ${cfg.user} gitea - -" "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/custom' - ${cfg.user} gitea - -" "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -" "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -" "Z '${cfg.stateDir}' - ${cfg.user} gitea - -" @@ -325,21 +327,28 @@ in preStart = let runConfig = "${cfg.stateDir}/custom/conf/app.ini"; secretKey = "${cfg.stateDir}/custom/conf/secret_key"; + jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' cp -f ${configFile} ${runConfig} if [ ! -e ${secretKey} ]; then - head -c 16 /dev/urandom | base64 > ${secretKey} + ${gitea.bin}/bin/gitea generate secret SECRET_KEY > ${secretKey} fi - KEY=$(head -n1 ${secretKey}) - DBPASS=$(head -n1 ${cfg.database.passwordFile}) + if [ ! -e ${jwtSecret} ]; then + ${gitea.bin}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret} + fi + + KEY="$(head -n1 ${secretKey})" + DBPASS="$(head -n1 ${cfg.database.passwordFile})" + JWTSECRET="$(head -n1 ${jwtSecret})" sed -e "s,#secretkey#,$KEY,g" \ -e "s,#dbpass#,$DBPASS,g" \ + -e "s,#jwtsecet#,$JWTSECET,g" \ -i ${runConfig} - chmod 640 ${runConfig} ${secretKey} + chmod 640 ${runConfig} ${secretKey} ${jwtSecret} ''} # update all hooks' binary paths diff --git a/nixpkgs/nixos/modules/services/misc/gollum.nix b/nixpkgs/nixos/modules/services/misc/gollum.nix index d1823bc6d4df..7653b415bf09 100644 --- a/nixpkgs/nixos/modules/services/misc/gollum.nix +++ b/nixpkgs/nixos/modules/services/misc/gollum.nix @@ -75,27 +75,24 @@ in users.groups.gollum = { }; + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -" + ]; + systemd.services.gollum = { description = "Gollum wiki"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.git ]; - preStart = let - userName = config.users.users.gollum.name; - groupName = config.users.groups.gollum.name; - in '' - # All of this is safe to be run on an existing repo - mkdir -p ${cfg.stateDir} + preStart = '' + # This is safe to be run on an existing repo git init ${cfg.stateDir} - chmod 755 ${cfg.stateDir} - chown -R ${userName}:${groupName} ${cfg.stateDir} ''; serviceConfig = { User = config.users.users.gollum.name; Group = config.users.groups.gollum.name; - PermissionsStartOnly = true; ExecStart = '' ${pkgs.gollum}/bin/gollum \ --port ${toString cfg.port} \ diff --git a/nixpkgs/nixos/modules/services/misc/lidarr.nix b/nixpkgs/nixos/modules/services/misc/lidarr.nix index f466402abfc7..4c37bd74f150 100644 --- a/nixpkgs/nixos/modules/services/misc/lidarr.nix +++ b/nixpkgs/nixos/modules/services/misc/lidarr.nix @@ -9,6 +9,37 @@ in options = { services.lidarr = { enable = mkEnableOption "Lidarr"; + + package = mkOption { + type = types.package; + default = pkgs.lidarr; + defaultText = "pkgs.lidarr"; + description = "The Lidarr package to use"; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open ports in the firewall for Lidarr + ''; + }; + + user = mkOption { + type = types.str; + default = "lidarr"; + description = '' + User account under which Lidarr runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "lidarr"; + description = '' + Group under which Lidarr runs. + ''; + }; }; }; @@ -20,9 +51,9 @@ in serviceConfig = { Type = "simple"; - User = "lidarr"; - Group = "lidarr"; - ExecStart = "${pkgs.lidarr}/bin/Lidarr"; + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/Lidarr"; Restart = "on-failure"; StateDirectory = "lidarr"; @@ -30,12 +61,21 @@ in }; }; - users.users.lidarr = { - uid = config.ids.uids.lidarr; - home = "/var/lib/lidarr"; - group = "lidarr"; + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ 8686 ]; + }; + + users.users = mkIf (cfg.user == "lidarr") { + lidarr = { + group = cfg.group; + uid = config.ids.uids.lidarr; + }; }; - users.groups.lidarr.gid = config.ids.gids.lidarr; + users.groups = mkIf (cfg.group == "lidarr") { + lidarr = { + gid = config.ids.gids.lidarr; + }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix index 8db3c44246f3..d8f90f1539c1 100644 --- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix +++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix @@ -272,10 +272,12 @@ in binaryCaches = mkOption { type = types.listOf types.str; - default = [ https://cache.nixos.org/ ]; description = '' List of binary cache URLs used to obtain pre-built binaries of Nix packages. + + By default https://cache.nixos.org/ is added, + to override it use <literal>lib.mkForce []</literal>. ''; }; @@ -386,6 +388,7 @@ in config = { nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + nix.binaryCaches = [ "https://cache.nixos.org/" ]; environment.etc."nix/nix.conf".source = nixConf; diff --git a/nixpkgs/nixos/modules/services/misc/octoprint.nix b/nixpkgs/nixos/modules/services/misc/octoprint.nix index 52ae25201c35..8950010773cf 100644 --- a/nixpkgs/nixos/modules/services/misc/octoprint.nix +++ b/nixpkgs/nixos/modules/services/misc/octoprint.nix @@ -97,6 +97,10 @@ in gid = config.ids.gids.octoprint; }); + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.octoprint = { description = "OctoPrint, web interface for 3D printers"; wantedBy = [ "multi-user.target" ]; @@ -105,7 +109,6 @@ in environment.PYTHONPATH = makeSearchPathOutput "lib" pkgs.python.sitePackages [ pluginsEnv ]; preStart = '' - mkdir -p "${cfg.stateDir}" if [ -e "${cfg.stateDir}/config.yaml" ]; then ${pkgs.yaml-merge}/bin/yaml-merge "${cfg.stateDir}/config.yaml" "${cfgUpdate}" > "${cfg.stateDir}/config.yaml.tmp" mv "${cfg.stateDir}/config.yaml.tmp" "${cfg.stateDir}/config.yaml" @@ -113,14 +116,12 @@ in cp "${cfgUpdate}" "${cfg.stateDir}/config.yaml" chmod 600 "${cfg.stateDir}/config.yaml" fi - chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}" ''; serviceConfig = { ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}"; User = cfg.user; Group = cfg.group; - PermissionsStartOnly = true; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix index 9c555e8031c4..cf56ae89b399 100644 --- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix +++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix @@ -50,7 +50,7 @@ let ZM_DB_TYPE=mysql ZM_DB_HOST=${cfg.database.host} ZM_DB_NAME=${cfg.database.name} - ZM_DB_USER=${if cfg.database.createLocally then user else cfg.database.username} + ZM_DB_USER=${cfg.database.username} ZM_DB_PASS=${cfg.database.password} # Web @@ -155,6 +155,7 @@ in { default = "zmpass"; description = '' Username for accessing the database. + Not used if <literal>createLocally</literal> is set. ''; }; }; @@ -189,6 +190,12 @@ in { config = lib.mkIf cfg.enable { + assertions = [ + { assertion = cfg.database.createLocally -> cfg.database.username == user; + message = "services.zoneminder.database.username must be set to ${user} if services.zoneminder.database.createLocally is set true"; + } + ]; + environment.etc = { "zoneminder/60-defaults.conf".source = defaultsFile; "zoneminder/80-nixos.conf".source = configFile; @@ -204,10 +211,9 @@ in { }; mysql = lib.mkIf cfg.database.createLocally { + enable = true; + package = lib.mkDefault pkgs.mariadb; ensureDatabases = [ cfg.database.name ]; - initialDatabases = [{ - inherit (cfg.database) name; schema = "${pkg}/share/zoneminder/db/zm_create.sql"; - }]; ensureUsers = [{ name = cfg.database.username; ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; @@ -256,7 +262,7 @@ in { fastcgi_pass ${fcgi.socketType}:${fcgi.socketAddress}; } - location /cache { + location /cache/ { alias /var/cache/${dirName}; } @@ -315,11 +321,16 @@ in { procps psmisc ]; - after = [ "mysql.service" "nginx.service" ]; + after = [ "nginx.service" ] ++ lib.optional cfg.database.createLocally "mysql.service"; wantedBy = [ "multi-user.target" ]; restartTriggers = [ defaultsFile configFile ]; - preStart = lib.mkIf useCustomDir '' + preStart = lib.optionalString useCustomDir '' install -dm775 -o ${user} -g ${group} ${cfg.storageDir}/{${lib.concatStringsSep "," libDirs}} + '' + lib.optionalString cfg.database.createLocally '' + if ! test -e "/var/lib/${dirName}/db-created"; then + ${config.services.mysql.package}/bin/mysql < ${pkg}/share/zoneminder/db/zm_create.sql + touch "/var/lib/${dirName}/db-created" + fi ''; serviceConfig = { User = user; diff --git a/nixpkgs/nixos/modules/services/monitoring/alerta.nix b/nixpkgs/nixos/modules/services/monitoring/alerta.nix index d423a91993c7..34f2d41706a5 100644 --- a/nixpkgs/nixos/modules/services/monitoring/alerta.nix +++ b/nixpkgs/nixos/modules/services/monitoring/alerta.nix @@ -83,6 +83,10 @@ in }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.logDir}' - alerta alerta - -" + ]; + systemd.services.alerta = { description = "Alerta Monitoring System"; wantedBy = [ "multi-user.target" ]; @@ -94,12 +98,7 @@ in ExecStart = "${pkgs.python36Packages.alerta-server}/bin/alertad run --port ${toString cfg.port} --host ${cfg.bind}"; User = "alerta"; Group = "alerta"; - PermissionsStartOnly = true; }; - preStart = '' - mkdir -p ${cfg.logDir} - chown alerta:alerta ${cfg.logDir} - ''; }; environment.systemPackages = [ pkgs.python36Packages.alerta ]; diff --git a/nixpkgs/nixos/modules/services/monitoring/kapacitor.nix b/nixpkgs/nixos/modules/services/monitoring/kapacitor.nix index cc4074be111b..0f236d25c9ed 100644 --- a/nixpkgs/nixos/modules/services/monitoring/kapacitor.nix +++ b/nixpkgs/nixos/modules/services/monitoring/kapacitor.nix @@ -163,6 +163,10 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kapacitor ]; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.kapacitor = { description = "Kapacitor Real-Time Stream Processing Engine"; wantedBy = [ "multi-user.target" ]; @@ -171,12 +175,7 @@ in ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${kapacitorConf}"; User = "kapacitor"; Group = "kapacitor"; - PermissionsStartOnly = true; }; - preStart = '' - mkdir -p ${cfg.dataDir} - chown ${cfg.user}:${cfg.group} ${cfg.dataDir} - ''; }; users.users.kapacitor = { diff --git a/nixpkgs/nixos/modules/services/monitoring/nagios.nix b/nixpkgs/nixos/modules/services/monitoring/nagios.nix index 7f65236ed3d3..6a3b97769462 100644 --- a/nixpkgs/nixos/modules/services/monitoring/nagios.nix +++ b/nixpkgs/nixos/modules/services/monitoring/nagios.nix @@ -36,7 +36,7 @@ let # Uid/gid that the daemon runs under. nagios_user=nagios - nagios_group=nogroup + nagios_group=nagios # Misc. options. illegal_macro_output_chars=`~$&|'"<> @@ -58,9 +58,7 @@ let <Directory "${pkgs.nagios}/sbin"> Options ExecCGI - AllowOverride None - Order allow,deny - Allow from all + Require all granted SetEnv NAGIOS_CGI_CONFIG ${cfg.cgiConfigFile} </Directory> @@ -68,9 +66,7 @@ let <Directory "${pkgs.nagios}/share"> Options None - AllowOverride None - Order allow,deny - Allow from all + Require all granted </Directory> ''; @@ -149,9 +145,11 @@ in description = "Nagios user "; uid = config.ids.uids.nagios; home = nagiosState; - createHome = true; + group = "nagios"; }; + users.groups.nagios = { }; + # This isn't needed, it's just so that the user can type "nagiostats # -c /etc/nagios.cfg". environment.etc = [ @@ -169,16 +167,13 @@ in serviceConfig = { User = "nagios"; + Group = "nagios"; Restart = "always"; RestartSec = 2; - PermissionsStartOnly = true; + LogsDirectory = "nagios"; + StateDirectory = "nagios"; }; - preStart = '' - mkdir -m 0755 -p ${nagiosState} ${nagiosLogDir} - chown nagios ${nagiosState} ${nagiosLogDir} - ''; - script = '' for i in ${toString cfg.plugins}; do export PATH=$i/bin:$i/sbin:$i/libexec:$PATH diff --git a/nixpkgs/nixos/modules/services/monitoring/netdata.nix b/nixpkgs/nixos/modules/services/monitoring/netdata.nix index a49555cf677f..f9b7550af23a 100644 --- a/nixpkgs/nixos/modules/services/monitoring/netdata.nix +++ b/nixpkgs/nixos/modules/services/monitoring/netdata.nix @@ -8,6 +8,7 @@ let wrappedPlugins = pkgs.runCommand "wrapped-plugins" { preferLocalBuild = true; } '' mkdir -p $out/libexec/netdata/plugins.d ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin + ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin ''; plugins = [ @@ -140,12 +141,18 @@ in { path = (with pkgs; [ gawk curl ]) ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages); serviceConfig = { - User = cfg.user; - Group = cfg.group; Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules"; - PermissionsStartOnly = true; - ExecStart = "${pkgs.netdata}/bin/netdata -D -c ${configFile}"; + ExecStart = "${pkgs.netdata}/bin/netdata -P /run/netdata/netdata.pid -D -c ${configFile}"; + ExecReload = "${pkgs.utillinux}/bin/kill -s HUP -s USR1 -s USR2 $MAINPID"; TimeoutStopSec = 60; + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "netdata"; + RuntimeDirectoryMode = "0755"; + # Performance + LimitNOFILE = "30000"; }; }; @@ -157,6 +164,18 @@ in { permissions = "u+rx,g+rx,o-rwx"; }; + security.wrappers."freeipmi.plugin" = { + source = "${pkgs.netdata}/libexec/netdata/plugins.d/freeipmi.plugin.org"; + capabilities = "cap_dac_override,cap_fowner+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+rx,o-rwx"; + }; + + security.pam.loginLimits = [ + { domain = "netdata"; type = "soft"; item = "nofile"; value = "10000"; } + { domain = "netdata"; type = "hard"; item = "nofile"; value = "30000"; } + ]; users.users = optional (cfg.user == defaultUser) { name = defaultUser; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/node.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/node.nix index ee7bf39f199a..8c4128f9b634 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/node.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/node.nix @@ -32,8 +32,7 @@ in ${pkgs.prometheus-node-exporter}/bin/node_exporter \ ${concatMapStringsSep " " (x: "--collector." + x) cfg.enabledCollectors} \ ${concatMapStringsSep " " (x: "--no-collector." + x) cfg.disabledCollectors} \ - --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ - ${concatStringsSep " \\\n " cfg.extraFlags} + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} ${concatStringsSep " " cfg.extraFlags} ''; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/riemann-dash.nix b/nixpkgs/nixos/modules/services/monitoring/riemann-dash.nix index 7eb4d888b0cc..16eb83008509 100644 --- a/nixpkgs/nixos/modules/services/monitoring/riemann-dash.nix +++ b/nixpkgs/nixos/modules/services/monitoring/riemann-dash.nix @@ -59,18 +59,20 @@ in { group = "riemanndash"; }; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - riemanndash riemanndash - -" + ]; + systemd.services.riemann-dash = { wantedBy = [ "multi-user.target" ]; wants = [ "riemann.service" ]; after = [ "riemann.service" ]; preStart = '' - mkdir -p ${cfg.dataDir}/config - chown -R riemanndash:riemanndash ${cfg.dataDir} + mkdir -p '${cfg.dataDir}/config' ''; serviceConfig = { User = "riemanndash"; ExecStart = "${launcher}/bin/riemann-dash"; - PermissionsStartOnly = true; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/riemann-tools.nix b/nixpkgs/nixos/modules/services/monitoring/riemann-tools.nix index 4e8832dadc5e..9c400a1e3e46 100644 --- a/nixpkgs/nixos/modules/services/monitoring/riemann-tools.nix +++ b/nixpkgs/nixos/modules/services/monitoring/riemann-tools.nix @@ -54,7 +54,6 @@ in { serviceConfig = { User = "riemanntools"; ExecStart = "${healthLauncher}/bin/riemann-health"; - PermissionsStartOnly = true; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/scollector.nix b/nixpkgs/nixos/modules/services/monitoring/scollector.nix index fbded746a5f7..dc0899c7e684 100644 --- a/nixpkgs/nixos/modules/services/monitoring/scollector.nix +++ b/nixpkgs/nixos/modules/services/monitoring/scollector.nix @@ -116,7 +116,6 @@ in { path = [ pkgs.coreutils pkgs.iproute ]; serviceConfig = { - PermissionsStartOnly = true; User = cfg.user; Group = cfg.group; ExecStart = "${cfg.package.bin}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}"; diff --git a/nixpkgs/nixos/modules/services/networking/aria2.nix b/nixpkgs/nixos/modules/services/networking/aria2.nix index 98eb00861016..53829bf18863 100644 --- a/nixpkgs/nixos/modules/services/networking/aria2.nix +++ b/nixpkgs/nixos/modules/services/networking/aria2.nix @@ -102,22 +102,19 @@ in users.groups.aria2.gid = config.ids.gids.aria2; + systemd.tmpfiles.rules = [ + "d '${homeDir}' 0770 aria2 aria2 - -" + "d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -" + ]; + systemd.services.aria2 = { description = "aria2 Service"; after = [ "local-fs.target" "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -m 0770 -p "${homeDir}" - chown aria2:aria2 "${homeDir}" - if [[ ! -d "${config.services.aria2.downloadDir}" ]] - then - mkdir -m 0770 -p "${config.services.aria2.downloadDir}" - chown aria2:aria2 "${config.services.aria2.downloadDir}" - fi if [[ ! -e "${sessionFile}" ]] then touch "${sessionFile}" - chown aria2:aria2 "${sessionFile}" fi cp -f "${settingsFile}" "${settingsDir}/aria2.conf" ''; @@ -128,7 +125,6 @@ in ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "aria2"; Group = "aria2"; - PermissionsStartOnly = true; }; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/autossh.nix b/nixpkgs/nixos/modules/services/networking/autossh.nix index 9ea17469870d..a098a155e991 100644 --- a/nixpkgs/nixos/modules/services/networking/autossh.nix +++ b/nixpkgs/nixos/modules/services/networking/autossh.nix @@ -99,7 +99,6 @@ in serviceConfig = { User = "${s.user}"; - PermissionsStartOnly = true; # AutoSSH may exit with 0 code if the SSH session was # gracefully terminated by either local or remote side. Restart = "on-success"; diff --git a/nixpkgs/nixos/modules/services/networking/charybdis.nix b/nixpkgs/nixos/modules/services/networking/charybdis.nix index 3d02dc8d1375..e3aba063f87b 100644 --- a/nixpkgs/nixos/modules/services/networking/charybdis.nix +++ b/nixpkgs/nixos/modules/services/networking/charybdis.nix @@ -83,6 +83,10 @@ in gid = config.ids.gids.ircd; }; + systemd.tmpfiles.rules = [ + "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.charybdis = { description = "Charybdis IRC daemon"; wantedBy = [ "multi-user.target" ]; @@ -93,12 +97,7 @@ in ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}"; Group = cfg.group; User = cfg.user; - PermissionsStartOnly = true; # preStart needs to run with root permissions }; - preStart = '' - ${coreutils}/bin/mkdir -p ${cfg.statedir} - ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir} - ''; }; } diff --git a/nixpkgs/nixos/modules/services/networking/ddclient.nix b/nixpkgs/nixos/modules/services/networking/ddclient.nix index 9a2e13e9553c..04ce5ca3a874 100644 --- a/nixpkgs/nixos/modules/services/networking/ddclient.nix +++ b/nixpkgs/nixos/modules/services/networking/ddclient.nix @@ -20,8 +20,8 @@ let wildcard=YES quiet=${boolToStr cfg.quiet} verbose=${boolToStr cfg.verbose} - ${lib.concatStringsSep "," cfg.domains} ${cfg.extraConfig} + ${lib.concatStringsSep "," cfg.domains} ''; in diff --git a/nixpkgs/nixos/modules/services/networking/hostapd.nix b/nixpkgs/nixos/modules/services/networking/hostapd.nix index 7add48308f80..54a5bed2563f 100644 --- a/nixpkgs/nixos/modules/services/networking/hostapd.nix +++ b/nixpkgs/nixos/modules/services/networking/hostapd.nix @@ -30,10 +30,11 @@ let ctrl_interface=/run/hostapd ctrl_interface_group=${cfg.group} - ${if cfg.wpa then '' + ${optionalString cfg.wpa '' wpa=2 wpa_passphrase=${cfg.wpaPassphrase} - '' else ""} + ''} + ${optionalString cfg.noScan "noscan=1"} ${cfg.extraConfig} '' ; @@ -69,6 +70,14 @@ in ''; }; + noScan = mkOption { + default = false; + description = '' + Do not scan for overlapping BSSs in HT40+/- mode. + Caution: turning this on will violate regulatory requirements! + ''; + }; + driver = mkOption { default = "nl80211"; example = "hostapd"; @@ -162,6 +171,7 @@ in after = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; bindsTo = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; requiredBy = [ "network-link-${cfg.interface}.service" ]; + wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.hostapd}/bin/hostapd ${configFile}"; diff --git a/nixpkgs/nixos/modules/services/networking/iperf3.nix b/nixpkgs/nixos/modules/services/networking/iperf3.nix index 742404a5692f..0fe378b225d7 100644 --- a/nixpkgs/nixos/modules/services/networking/iperf3.nix +++ b/nixpkgs/nixos/modules/services/networking/iperf3.nix @@ -19,6 +19,11 @@ let default = null; description = "Bind to the specific interface associated with the given address."; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for iperf3."; + }; verbose = mkOption { type = types.bool; default = false; @@ -52,6 +57,11 @@ let }; imp = { + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + systemd.services.iperf3 = { description = "iperf3 daemon"; unitConfig.Documentation = "man:iperf3(1) https://iperf.fr/iperf-doc.php"; diff --git a/nixpkgs/nixos/modules/services/networking/minidlna.nix b/nixpkgs/nixos/modules/services/networking/minidlna.nix index 1858f03cac1f..ed0c1044a570 100644 --- a/nixpkgs/nixos/modules/services/networking/minidlna.nix +++ b/nixpkgs/nixos/modules/services/networking/minidlna.nix @@ -98,16 +98,10 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" "local-fs.target" ]; - preStart = - '' - mkdir -p /var/cache/minidlna - chown -R minidlna:minidlna /var/cache/minidlna - ''; - serviceConfig = { User = "minidlna"; Group = "minidlna"; - PermissionsStartOnly = true; + CacheDirectory = "minidlna"; RuntimeDirectory = "minidlna"; PIDFile = "/run/minidlna/pid"; ExecStart = diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix index f1ba7dd4e4f2..f1f8c9722e02 100644 --- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix +++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix @@ -17,6 +17,7 @@ let plugins=keyfile dhcp=${cfg.dhcp} dns=${cfg.dns} + rc-manager=${cfg.rc-manager} [keyfile] ${optionalString (cfg.unmanaged != []) @@ -90,11 +91,29 @@ let default = "preserve"; example = "00:11:22:33:44:55"; description = '' - "XX:XX:XX:XX:XX:XX": MAC address of the interface. - <literal>permanent</literal>: use the permanent MAC address of the device. - <literal>preserve</literal>: don’t change the MAC address of the device upon activation. - <literal>random</literal>: generate a randomized value upon each connect. - <literal>stable</literal>: generate a stable, hashed MAC address. + Set the MAC address of the interface. + <variablelist> + <varlistentry> + <term>"XX:XX:XX:XX:XX:XX"</term> + <listitem><para>MAC address of the interface</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"permanent"</literal></term> + <listitem><para>Use the permanent MAC address of the device</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"preserve"</literal></term> + <listitem><para>Don’t change the MAC address of the device upon activation</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"random"</literal></term> + <listitem><para>Generate a randomized value upon each connect</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"stable"</literal></term> + <listitem><para>Generate a stable, hashed MAC address</para></listitem> + </varlistentry> + </variablelist> ''; }; @@ -123,6 +142,16 @@ in { default = ""; description = '' Configuration appended to the generated NetworkManager.conf. + Refer to + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html + </link> + or + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for more information. ''; }; @@ -131,8 +160,16 @@ in { default = []; description = '' List of interfaces that will not be managed by NetworkManager. - Interface name can be specified here, but if you need more fidelity - see "Device List Format" in NetworkManager.conf man page. + Interface name can be specified here, but if you need more fidelity, + refer to + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec + </link> + or the "Device List Format" Appendix of + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>. ''; }; @@ -219,67 +256,34 @@ in { Set the DNS (<literal>resolv.conf</literal>) processing mode. </para> <para> - Options: - <variablelist> - <varlistentry> - <term><literal>"default"</literal></term> - <listitem><para> - NetworkManager will update <literal>/etc/resolv.conf</literal> to - reflect the nameservers provided by currently active connections. - </para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"dnsmasq"</literal></term> - <listitem> - <para> - Enable NetworkManager's dnsmasq integration. NetworkManager will - run dnsmasq as a local caching nameserver, using a "split DNS" - configuration if you are connected to a VPN, and then update - <literal>resolv.conf</literal> to point to the local nameserver. - </para> - <para> - It is possible to pass custom options to the dnsmasq instance by - adding them to files in the - <literal>/etc/NetworkManager/dnsmasq.d/</literal> directory. - </para> - <para> - When multiple upstream servers are available, dnsmasq will - initially contact them in parallel and then use the fastest to - respond, probing again other servers after some time. This - behavior can be modified passing the - <literal>all-servers</literal> or <literal>strict-order</literal> - options to dnsmasq (see the manual page for more details). - </para> - <para> - Note that this option causes NetworkManager to launch and manage - its own instance of the dnsmasq daemon, which is - <emphasis>not</emphasis> the same as setting - <literal>services.dnsmasq.enable = true;</literal>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term><literal>"unbound"</literal></term> - <listitem><para> - NetworkManager will talk to unbound and dnssec-triggerd, - providing a "split DNS" configuration with DNSSEC support. - <literal>/etc/resolv.conf</literal> will be managed by - dnssec-trigger daemon. - </para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"systemd-resolved"</literal></term> - <listitem><para> - NetworkManager will push the DNS configuration to systemd-resolved. - </para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"none"</literal></term> - <listitem><para> - NetworkManager will not modify resolv.conf. - </para></listitem> - </varlistentry> - </variablelist> + A description of these modes can be found in the main section of + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html + </link> + or in + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>. + ''; + }; + + rc-manager = mkOption { + type = types.enum [ "symlink" "file" "resolvconf" "netconfig" "unmanaged" "none" ]; + default = "resolvconf"; + description = '' + Set the <literal>resolv.conf</literal> management mode. + </para> + <para> + A description of these modes can be found in the main section of + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html + </link> + or in + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>. ''; }; diff --git a/nixpkgs/nixos/modules/services/networking/quassel.nix b/nixpkgs/nixos/modules/services/networking/quassel.nix index b223a48e0550..b495b3948fb5 100644 --- a/nixpkgs/nixos/modules/services/networking/quassel.nix +++ b/nixpkgs/nixos/modules/services/networking/quassel.nix @@ -104,6 +104,10 @@ in gid = config.ids.gids.quassel; }]; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${user} - - -" + ]; + systemd.services.quassel = { description = "Quassel IRC client daemon"; @@ -111,11 +115,6 @@ in after = [ "network.target" ] ++ optional config.services.postgresql.enable "postgresql.service" ++ optional config.services.mysql.enable "mysql.service"; - preStart = '' - mkdir -p ${cfg.dataDir} - chown ${user} ${cfg.dataDir} - ''; - serviceConfig = { ExecStart = concatStringsSep " " ([ @@ -126,7 +125,6 @@ in ] ++ optional cfg.requireSSL "--require-ssl" ++ optional (cfg.certificateFile != null) "--ssl-cert=${cfg.certificateFile}"); User = user; - PermissionsStartOnly = true; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/squid.nix b/nixpkgs/nixos/modules/services/networking/squid.nix index b220c21b604f..9d063b92aa1e 100644 --- a/nixpkgs/nixos/modules/services/networking/squid.nix +++ b/nixpkgs/nixos/modules/services/networking/squid.nix @@ -159,11 +159,10 @@ in serviceConfig = { Type="forking"; PIDFile="/run/squid.pid"; - PermissionsStartOnly = true; ExecStart = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}"; }; }; }; -} \ No newline at end of file +} diff --git a/nixpkgs/nixos/modules/services/networking/teamspeak3.nix b/nixpkgs/nixos/modules/services/networking/teamspeak3.nix index 9ea9c83e37cd..fadb32dcd777 100644 --- a/nixpkgs/nixos/modules/services/networking/teamspeak3.nix +++ b/nixpkgs/nixos/modules/services/networking/teamspeak3.nix @@ -111,16 +111,15 @@ in gid = config.ids.gids.teamspeak; }; + systemd.tmpfiles.rules = [ + "d '${cfg.logPath}' - ${user} ${group} - -" + ]; + systemd.services.teamspeak3-server = { description = "Teamspeak3 voice communication server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -p ${cfg.logPath} - chown ${user}:${group} ${cfg.logPath} - ''; - serviceConfig = { ExecStart = '' ${ts3}/bin/ts3server \ @@ -135,7 +134,6 @@ in WorkingDirectory = cfg.dataDir; User = user; Group = group; - PermissionsStartOnly = true; }; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/unifi.nix b/nixpkgs/nixos/modules/services/networking/unifi.nix index c82e0af2803d..9057a1e12b33 100644 --- a/nixpkgs/nixos/modules/services/networking/unifi.nix +++ b/nixpkgs/nixos/modules/services/networking/unifi.nix @@ -146,6 +146,11 @@ in where = where; }) mountPoints; + systemd.tmpfiles.rules = [ + "e '${stateDir}' 0700 unifi - - -" + "e '${stateDir}/data' 0700 unifi - - -" + ]; + systemd.services.unifi = { description = "UniFi controller daemon"; wantedBy = [ "multi-user.target" ]; @@ -157,14 +162,9 @@ in environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; preStart = '' - # Ensure privacy of state and data. - chown unifi "${stateDir}" "${stateDir}/data" - chmod 0700 "${stateDir}" "${stateDir}/data" - # Create the volatile webapps rm -rf "${stateDir}/webapps" mkdir -p "${stateDir}/webapps" - chown unifi "${stateDir}/webapps" ln -s "${cfg.unifiPackage}/webapps/ROOT" "${stateDir}/webapps/ROOT" ''; @@ -177,7 +177,6 @@ in ExecStart = "${(removeSuffix "\n" cmd)} start"; ExecStop = "${(removeSuffix "\n" cmd)} stop"; User = "unifi"; - PermissionsStartOnly = true; UMask = "0077"; WorkingDirectory = "${stateDir}"; }; diff --git a/nixpkgs/nixos/modules/services/networking/zeronet.nix b/nixpkgs/nixos/modules/services/networking/zeronet.nix index 611a51c74ce2..f4988a902685 100644 --- a/nixpkgs/nixos/modules/services/networking/zeronet.nix +++ b/nixpkgs/nixos/modules/services/networking/zeronet.nix @@ -86,20 +86,17 @@ in with lib; { ''; }; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 750 zeronet zeronet - -" + "d '${cfg.logDir}' 750 zeronet zeronet - -" + ]; + systemd.services.zeronet = { description = "zeronet"; after = [ "network.target" (optionalString cfg.tor "tor.service") ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - # Ensure folder exists or create it and permissions are correct - mkdir -p ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir} - chmod 750 ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir} - chown zeronet:zeronet ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir} - ''; - serviceConfig = { - PermissionsStartOnly = true; PrivateTmp = "yes"; User = "zeronet"; Group = "zeronet"; diff --git a/nixpkgs/nixos/modules/services/system/localtime.nix b/nixpkgs/nixos/modules/services/system/localtime.nix index 8e9286b94078..04595fc82fbb 100644 --- a/nixpkgs/nixos/modules/services/system/localtime.nix +++ b/nixpkgs/nixos/modules/services/system/localtime.nix @@ -28,33 +28,16 @@ in { }; }; - # so polkit will pick up the rules - environment.systemPackages = [ pkgs.localtime ]; - - users.users = [{ - name = "localtimed"; - description = "Taskserver user"; - }]; + # We use the 'out' output, since localtime has its 'bin' output + # first, so that is what we get if we use the derivation bare. + # Install the polkit rules. + environment.systemPackages = [ pkgs.localtime.out ]; + # Install the systemd unit. + systemd.packages = [ pkgs.localtime.out ]; systemd.services.localtime = { - description = "localtime service"; wantedBy = [ "multi-user.target" ]; - partOf = [ "geoclue.service "]; - - serviceConfig = { - Restart = "on-failure"; - # TODO: make it work with dbus - #DynamicUser = true; - Nice = 10; - User = "localtimed"; - PrivateTmp = "yes"; - PrivateDevices = true; - PrivateNetwork = "yes"; - NoNewPrivileges = "yes"; - ProtectSystem = "strict"; - ProtectHome = true; - ExecStart = "${pkgs.localtime}/bin/localtimed"; - }; + serviceConfig.Restart = "on-failure"; }; }; } diff --git a/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix index 15744d90cc79..cf163271d276 100644 --- a/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixpkgs/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -149,6 +149,17 @@ in users.groups."${cfg.group}" = {}; + systemd.tmpfiles.rules = [ + "d '${cfg.home}' - ${cfg.user} - - -" + "d /run/confluence - - - - -" + + "L+ /run/confluence/home - - - - ${cfg.home}" + "L+ /run/confluence/logs - - - - ${cfg.home}/logs" + "L+ /run/confluence/temp - - - - ${cfg.home}/temp" + "L+ /run/confluence/work - - - - ${cfg.home}/work" + "L+ /run/confluence/server.xml - - - - ${cfg.home}/server.xml" + ]; + systemd.services.confluence = { description = "Atlassian Confluence"; @@ -167,12 +178,6 @@ in preStart = '' mkdir -p ${cfg.home}/{logs,work,temp,deploy} - mkdir -p /run/confluence - ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/confluence - ln -sf ${cfg.home} /run/confluence/home - - chown ${cfg.user} ${cfg.home} - sed -e 's,port="8090",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \ @@ -184,7 +189,6 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; - PermissionsStartOnly = true; ExecStart = "${pkg}/bin/start-confluence.sh -fg"; ExecStop = "${pkg}/bin/stop-confluence.sh"; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix index c144b21bdaf2..020ca8d89dbb 100644 --- a/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixpkgs/nixos/modules/services/web-apps/atlassian/crowd.nix @@ -117,6 +117,16 @@ in users.groups."${cfg.group}" = {}; + systemd.tmpfiles.rules = [ + "d '${cfg.home}' - ${cfg.user} ${cfg.group} - -" + "d /run/atlassian-crowd - - - - -" + + "L+ /run/atlassian-crowd/database - - - - ${cfg.home}/database" + "L+ /run/atlassian-crowd/logs - - - - ${cfg.home}/logs" + "L+ /run/atlassian-crowd/work - - - - ${cfg.home}/work" + "L+ /run/atlassian-crowd/server.xml - - - - ${cfg.home}/server.xml" + ]; + systemd.services.atlassian-crowd = { description = "Atlassian Crowd"; @@ -136,12 +146,6 @@ in rm -rf ${cfg.home}/work mkdir -p ${cfg.home}/{logs,database,work} - mkdir -p /run/atlassian-crowd - ln -sf ${cfg.home}/{database,logs,work,server.xml} /run/atlassian-crowd - - chown ${cfg.user}:${cfg.group} ${cfg.home} - chown ${cfg.user}:${cfg.group} ${cfg.home}/{logs,database,work} - sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' -e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \ @@ -153,7 +157,6 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; - PermissionsStartOnly = true; ExecStart = "${pkg}/start_crowd.sh -fg"; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix b/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix index 0b3a5722d6c8..b0019e77ac27 100644 --- a/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixpkgs/nixos/modules/services/web-apps/atlassian/jira.nix @@ -155,6 +155,17 @@ in users.groups."${cfg.group}" = {}; + systemd.tmpfiles.rules = [ + "d '${cfg.home}' - ${cfg.user} - - -" + "d /run/atlassian-jira - - - - -" + + "L+ /run/atlassian-jira/home - - - - ${cfg.home}" + "L+ /run/atlassian-jira/logs - - - - ${cfg.home}/logs" + "L+ /run/atlassian-jira/work - - - - ${cfg.home}/work" + "L+ /run/atlassian-jira/temp - - - - ${cfg.home}/temp" + "L+ /run/atlassian-jira/server.xml - - - - ${cfg.home}/server.xml" + ]; + systemd.services.atlassian-jira = { description = "Atlassian JIRA"; @@ -174,12 +185,6 @@ in preStart = '' mkdir -p ${cfg.home}/{logs,work,temp,deploy} - mkdir -p /run/atlassian-jira - ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/atlassian-jira - ln -sf ${cfg.home} /run/atlassian-jira/home - - chown ${cfg.user} ${cfg.home} - sed -e 's,port="8080",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' -e 's,protocol="HTTP/1.1",protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${toString cfg.proxy.secure}",' \ @@ -191,7 +196,6 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; - PermissionsStartOnly = true; ExecStart = "${pkg}/bin/start-jira.sh -fg"; ExecStop = "${pkg}/bin/stop-jira.sh"; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/frab.nix b/nixpkgs/nixos/modules/services/web-apps/frab.nix index fb95e024817c..e885dc69b3c0 100644 --- a/nixpkgs/nixos/modules/services/web-apps/frab.nix +++ b/nixpkgs/nixos/modules/services/web-apps/frab.nix @@ -182,16 +182,16 @@ in users.groups = [ { name = cfg.group; } ]; + systemd.tmpfiles.rules = [ + "d '${cfg.statePath}/system/attachments' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.frab = { after = [ "network.target" "gitlab.service" ]; wantedBy = [ "multi-user.target" ]; environment = frabEnv; preStart = '' - mkdir -p ${cfg.statePath}/system/attachments - chown ${cfg.user}:${cfg.group} -R ${cfg.statePath} - - mkdir /run/frab -p ln -sf ${pkgs.writeText "frab-database.yml" databaseConfig} /run/frab/database.yml ln -sf ${cfg.statePath}/system /run/frab/system @@ -204,7 +204,6 @@ in ''; serviceConfig = { - PermissionsStartOnly = true; PrivateTmp = true; PrivateDevices = true; Type = "simple"; @@ -213,6 +212,7 @@ in TimeoutSec = "300s"; Restart = "on-failure"; RestartSec = "10s"; + RuntimeDirectory = "frab"; WorkingDirectory = "${package}/share/frab"; ExecStart = "${frab-rake}/bin/frab-bundle exec rails server " + "--binding=${cfg.listenAddress} --port=${toString cfg.listenPort}"; diff --git a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix index f23b3075574d..5b2f3875aaa9 100644 --- a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix @@ -2,16 +2,16 @@ let - inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption; + inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption; inherit (lib) mapAttrs optional optionalString types; cfg = config.services.limesurvey; + fpm = config.services.phpfpm.pools.limesurvey; user = "limesurvey"; group = config.services.httpd.group; stateDir = "/var/lib/limesurvey"; - php = pkgs.php; pkg = pkgs.limesurvey; configType = with types; either (either (attrsOf configType) str) (either int bool) // { @@ -130,7 +130,8 @@ in pm.max_requests = 500 ''; description = '' - Options for LimeSurvey's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives. + Options for the LimeSurvey PHP pool. See the documentation on <literal>php-fpm.conf</literal> + for details on configuration directives. ''; }; @@ -202,7 +203,6 @@ in }; services.phpfpm.pools.limesurvey = { - phpPackage = php; listen = "/run/phpfpm/limesurvey.sock"; extraConfig = '' listen.owner = ${config.services.httpd.user}; @@ -220,8 +220,8 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ - (cfg.virtualHost // { + virtualHosts = [ (mkMerge [ + cfg.virtualHost { documentRoot = mkForce "${pkg}/share/limesurvey"; extraConfig = '' Alias "/tmp" "${stateDir}/tmp" @@ -241,7 +241,7 @@ in <Directory "${pkg}/share/limesurvey"> <FilesMatch "\.php$"> <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:/run/phpfpm/limesurvey.sock|fcgi://localhost/" + SetHandler "proxy:unix:${fpm.listen}|fcgi://localhost/" </If> </FilesMatch> @@ -250,8 +250,8 @@ in DirectoryIndex index.php </Directory> ''; - }) - ]; + } + ]) ]; }; systemd.tmpfiles.rules = [ @@ -270,8 +270,8 @@ in environment.LIMESURVEY_CONFIG = limesurveyConfig; script = '' # update or install the database as required - ${php}/bin/php ${pkg}/share/limesurvey/application/commands/console.php updatedb || \ - ${php}/bin/php ${pkg}/share/limesurvey/application/commands/console.php install admin password admin admin@example.com verbose + ${pkgs.php}/bin/php ${pkg}/share/limesurvey/application/commands/console.php updatedb || \ + ${pkgs.php}/bin/php ${pkg}/share/limesurvey/application/commands/console.php install admin password admin admin@example.com verbose ''; serviceConfig = { User = user; diff --git a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix index 2e5e0ea6622d..b200a89260ac 100644 --- a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix +++ b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix @@ -178,7 +178,7 @@ in config = mkIf cfg.enable { - services.phpfpm.poolConfigs = { + services.phpfpm.pools = { "${poolName}" = { listen = phpfpmSocketName; phpOptions = '' diff --git a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix new file mode 100644 index 000000000000..624b0089a037 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix @@ -0,0 +1,371 @@ +{ config, pkgs, lib, ... }: + +let + inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types; + inherit (lib) any attrValues concatMapStringsSep flatten literalExample; + inherit (lib) mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString; + + eachSite = config.services.wordpress; + user = "wordpress"; + group = config.services.httpd.group; + stateDir = hostName: "/var/lib/wordpress/${hostName}"; + + pkg = hostName: cfg: pkgs.stdenv.mkDerivation rec { + pname = "wordpress-${hostName}"; + version = src.version; + src = cfg.package; + + installPhase = '' + mkdir -p $out + cp -r * $out/ + + # symlink the wordpress config + ln -s ${wpConfig hostName cfg} $out/share/wordpress/wp-config.php + # symlink uploads directory + ln -s ${cfg.uploadsDir} $out/share/wordpress/wp-content/uploads + + # https://github.com/NixOS/nixpkgs/pull/53399 + # + # Symlinking works for most plugins and themes, but Avada, for instance, fails to + # understand the symlink, causing its file path stripping to fail. This results in + # requests that look like: https://example.com/wp-content//nix/store/...plugin/path/some-file.js + # Since hard linking directories is not allowed, copying is the next best thing. + + # copy additional plugin(s) and theme(s) + ${concatMapStringsSep "\n" (theme: "cp -r ${theme} $out/share/wordpress/wp-content/themes/${theme.name}") cfg.themes} + ${concatMapStringsSep "\n" (plugin: "cp -r ${plugin} $out/share/wordpress/wp-content/plugins/${plugin.name}") cfg.plugins} + ''; + }; + + wpConfig = hostName: cfg: pkgs.writeText "wp-config-${hostName}.php" '' + <?php + define('DB_NAME', '${cfg.database.name}'); + define('DB_HOST', '${cfg.database.host}:${if cfg.database.socket != null then cfg.database.socket else toString cfg.database.port}'); + define('DB_USER', '${cfg.database.user}'); + ${optionalString (cfg.database.passwordFile != null) "define('DB_PASSWORD', file_get_contents('${cfg.database.passwordFile}'));"} + define('DB_CHARSET', 'utf8'); + $table_prefix = '${cfg.database.tablePrefix}'; + + require_once('${stateDir hostName}/secret-keys.php'); + + # wordpress is installed onto a read-only file system + define('DISALLOW_FILE_EDIT', true); + define('AUTOMATIC_UPDATER_DISABLED', true); + + ${cfg.extraConfig} + + if ( !defined('ABSPATH') ) + define('ABSPATH', dirname(__FILE__) . '/'); + + require_once(ABSPATH . 'wp-settings.php'); + ?> + ''; + + siteOpts = { lib, name, ... }: + { + options = { + package = mkOption { + type = types.package; + default = pkgs.wordpress; + description = "Which WordPress package to use."; + }; + + uploadsDir = mkOption { + type = types.path; + default = "/var/lib/wordpress/${name}/uploads"; + description = '' + This directory is used for uploads of pictures. The directory passed here is automatically + created and permissions adjusted as required. + ''; + }; + + plugins = mkOption { + type = types.listOf types.path; + default = []; + description = '' + List of path(s) to respective plugin(s) which are copied from the 'plugins' directory. + <note><para>These plugins need to be packaged before use, see example.</para></note> + ''; + example = '' + # Wordpress plugin 'embed-pdf-viewer' installation example + embedPdfViewerPlugin = pkgs.stdenv.mkDerivation { + name = "embed-pdf-viewer-plugin"; + # Download the theme from the wordpress site + src = pkgs.fetchurl { + url = https://downloads.wordpress.org/plugin/embed-pdf-viewer.2.0.3.zip; + sha256 = "1rhba5h5fjlhy8p05zf0p14c9iagfh96y91r36ni0rmk6y891lyd"; + }; + # We need unzip to build this package + buildInputs = [ pkgs.unzip ]; + # Installing simply means copying all files to the output directory + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + + And then pass this theme to the themes list like this: + plugins = [ embedPdfViewerPlugin ]; + ''; + }; + + themes = mkOption { + type = types.listOf types.path; + default = []; + description = '' + List of path(s) to respective theme(s) which are copied from the 'theme' directory. + <note><para>These themes need to be packaged before use, see example.</para></note> + ''; + example = '' + # For shits and giggles, let's package the responsive theme + responsiveTheme = pkgs.stdenv.mkDerivation { + name = "responsive-theme"; + # Download the theme from the wordpress site + src = pkgs.fetchurl { + url = https://downloads.wordpress.org/theme/responsive.3.14.zip; + sha256 = "0rjwm811f4aa4q43r77zxlpklyb85q08f9c8ns2akcarrvj5ydx3"; + }; + # We need unzip to build this package + buildInputs = [ pkgs.unzip ]; + # Installing simply means copying all files to the output directory + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + + And then pass this theme to the themes list like this: + themes = [ responsiveTheme ]; + ''; + }; + + database = rec { + host = mkOption { + type = types.str; + default = "localhost"; + description = "Database host address."; + }; + + port = mkOption { + type = types.port; + default = 3306; + description = "Database host port."; + }; + + name = mkOption { + type = types.str; + default = "wordpress"; + description = "Database name."; + }; + + user = mkOption { + type = types.str; + default = "wordpress"; + description = "Database user."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/wordpress-dbpassword"; + description = '' + A file containing the password corresponding to + <option>database.user</option>. + ''; + }; + + tablePrefix = mkOption { + type = types.str; + default = "wp_"; + description = '' + The $table_prefix is the value placed in the front of your database tables. + Change the value if you want to use something other than wp_ for your database + prefix. Typically this is changed if you are installing multiple WordPress blogs + in the same database. + + See <link xlink:href='https://codex.wordpress.org/Editing_wp-config.php#table_prefix'/>. + ''; + }; + + socket = mkOption { + type = types.nullOr types.path; + default = null; + defaultText = "/run/mysqld/mysqld.sock"; + description = "Path to the unix socket file to use for authentication."; + }; + + createLocally = mkOption { + type = types.bool; + default = true; + description = "Create the database and database user locally."; + }; + }; + + virtualHost = mkOption { + type = types.submodule ({ + options = import ../web-servers/apache-httpd/per-server-options.nix { + inherit lib; + forMainServer = false; + }; + }); + example = literalExample '' + { + enableSSL = true; + adminAddr = "webmaster@example.org"; + sslServerCert = "/var/lib/acme/wordpress.example.org/full.pem"; + sslServerKey = "/var/lib/acme/wordpress.example.org/key.pem"; + } + ''; + description = '' + Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>. + ''; + }; + + poolConfig = mkOption { + type = types.lines; + default = '' + pm = dynamic + pm.max_children = 32 + pm.start_servers = 2 + pm.min_spare_servers = 2 + pm.max_spare_servers = 4 + pm.max_requests = 500 + ''; + description = '' + Options for the WordPress PHP pool. See the documentation on <literal>php-fpm.conf</literal> + for details on configuration directives. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Any additional text to be appended to the wp-config.php + configuration file. This is a PHP script. For configuration + settings, see <link xlink:href='https://codex.wordpress.org/Editing_wp-config.php'/>. + ''; + example = '' + define( 'AUTOSAVE_INTERVAL', 60 ); // Seconds + ''; + }; + }; + + config.virtualHost.hostName = mkDefault name; + }; +in +{ + # interface + options = { + services.wordpress = mkOption { + type = types.attrsOf (types.submodule siteOpts); + default = {}; + description = "Specification of one or more WordPress sites to serve via Apache."; + }; + }; + + # implementation + config = mkIf (eachSite != {}) { + + assertions = mapAttrsToList (hostName: cfg: + { assertion = cfg.database.createLocally -> cfg.database.user == user; + message = "services.wordpress.${hostName}.database.user must be ${user} if the database is to be automatically provisioned"; + } + ) eachSite; + + services.mysql = mkIf (any (v: v.database.createLocally) (attrValues eachSite)) { + enable = true; + package = mkDefault pkgs.mariadb; + ensureDatabases = mapAttrsToList (hostName: cfg: cfg.database.name) eachSite; + ensureUsers = mapAttrsToList (hostName: cfg: + { name = cfg.database.user; + ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; + } + ) eachSite; + }; + + services.phpfpm.pools = mapAttrs' (hostName: cfg: ( + nameValuePair "wordpress-${hostName}" { + listen = "/run/phpfpm/wordpress-${hostName}.sock"; + extraConfig = '' + listen.owner = ${config.services.httpd.user} + listen.group = ${config.services.httpd.group} + user = ${user} + group = ${group} + + ${cfg.poolConfig} + ''; + } + )) eachSite; + + services.httpd = { + enable = true; + extraModules = [ "proxy_fcgi" ]; + virtualHosts = mapAttrsToList (hostName: cfg: + (mkMerge [ + cfg.virtualHost { + documentRoot = mkForce "${pkg hostName cfg}/share/wordpress"; + extraConfig = '' + <Directory "${pkg hostName cfg}/share/wordpress"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:/run/phpfpm/wordpress-${hostName}.sock|fcgi://localhost/" + </If> + </FilesMatch> + + # standard wordpress .htaccess contents + <IfModule mod_rewrite.c> + RewriteEngine On + RewriteBase / + RewriteRule ^index\.php$ - [L] + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule . /index.php [L] + </IfModule> + + DirectoryIndex index.php + Require all granted + Options +FollowSymLinks + </Directory> + + # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php + <Files wp-config.php> + Require all denied + </Files> + ''; + } + ]) + ) eachSite; + }; + + systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ + "d '${stateDir hostName}' 0750 ${user} ${group} - -" + "d '${cfg.uploadsDir}' 0750 ${user} ${group} - -" + "Z '${cfg.uploadsDir}' 0750 ${user} ${group} - -" + ]) eachSite); + + systemd.services = mkMerge [ + (mapAttrs' (hostName: cfg: ( + nameValuePair "wordpress-init-${hostName}" { + wantedBy = [ "multi-user.target" ]; + before = [ "phpfpm-wordpress-${hostName}.service" ]; + after = optional cfg.database.createLocally "mysql.service"; + script = '' + if ! test -e "${stateDir hostName}/secret-keys.php"; then + echo "<?php" >> "${stateDir hostName}/secret-keys.php" + ${pkgs.curl}/bin/curl -s https://api.wordpress.org/secret-key/1.1/salt/ >> "${stateDir hostName}/secret-keys.php" + echo "?>" >> "${stateDir hostName}/secret-keys.php" + chmod 440 "${stateDir hostName}/secret-keys.php" + fi + ''; + + serviceConfig = { + Type = "oneshot"; + User = user; + Group = group; + }; + })) eachSite) + + (optionalAttrs (any (v: v.database.createLocally) (attrValues eachSite)) { + httpd.after = [ "mysql.service" ]; + }) + ]; + + users.users.${user}.group = group; + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/wordpress.nix deleted file mode 100644 index 3dddda138fed..000000000000 --- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/wordpress.nix +++ /dev/null @@ -1,285 +0,0 @@ -{ config, lib, pkgs, serverInfo, ... }: -# http://codex.wordpress.org/Hardening_WordPress - -with lib; - -let - # Our bare-bones wp-config.php file using the above settings - wordpressConfig = pkgs.writeText "wp-config.php" '' - <?php - define('DB_NAME', '${config.dbName}'); - define('DB_USER', '${config.dbUser}'); - define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}')); - define('DB_HOST', '${config.dbHost}'); - define('DB_CHARSET', 'utf8'); - $table_prefix = '${config.tablePrefix}'; - define('AUTOMATIC_UPDATER_DISABLED', true); - ${config.extraConfig} - if ( !defined('ABSPATH') ) - define('ABSPATH', dirname(__FILE__) . '/'); - require_once(ABSPATH . 'wp-settings.php'); - ''; - - # .htaccess to support pretty URLs - htaccess = pkgs.writeText "htaccess" '' - <IfModule mod_rewrite.c> - RewriteEngine On - RewriteBase / - RewriteRule ^index\.php$ - [L] - - # add a trailing slash to /wp-admin - RewriteRule ^wp-admin$ wp-admin/ [R=301,L] - - RewriteCond %{REQUEST_FILENAME} -f [OR] - RewriteCond %{REQUEST_FILENAME} -d - RewriteRule ^ - [L] - RewriteRule ^(wp-(content|admin|includes).*) $1 [L] - RewriteRule ^(.*\.php)$ $1 [L] - RewriteRule . index.php [L] - </IfModule> - - ${config.extraHtaccess} - ''; - - # WP translation can be found here: - # https://github.com/nixcloud/wordpress-translations - supportedLanguages = { - en_GB = { revision="d6c005372a5318fd758b710b77a800c86518be13"; sha256="0qbbsi87k47q4rgczxx541xz4z4f4fr49hw4lnaxkdsf5maz8p9p"; }; - de_DE = { revision="3c62955c27baaae98fd99feb35593d46562f4736"; sha256="1shndgd11dk836dakrjlg2arwv08vqx6j4xjh4jshvwmjab6ng6p"; }; - zh_ZN = { revision="12b9f811e8cae4b6ee41de343d35deb0a8fdda6d"; sha256="1339ggsxh0g6lab37jmfxicsax4h702rc3fsvv5azs7mcznvwh47"; }; - fr_FR = { revision="688c8b1543e3d38d9e8f57e0a6f2a2c3c8b588bd"; sha256="1j41iak0i6k7a4wzyav0yrllkdjjskvs45w53db8vfm8phq1n014"; }; - }; - - downloadLanguagePack = language: revision: sha256s: - pkgs.stdenv.mkDerivation rec { - name = "wp_${language}"; - src = pkgs.fetchFromGitHub { - owner = "nixcloud"; - repo = "wordpress-translations"; - rev = revision; - sha256 = sha256s; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - - selectedLanguages = map (lang: downloadLanguagePack lang supportedLanguages.${lang}.revision supportedLanguages.${lang}.sha256) (config.languages); - - # The wordpress package itself - wordpressRoot = pkgs.stdenv.mkDerivation rec { - name = "wordpress"; - src = config.package; - installPhase = '' - mkdir -p $out - # copy all the wordpress files we downloaded - cp -R * $out/ - - # symlink the wordpress config - ln -s ${wordpressConfig} $out/wp-config.php - # symlink custom .htaccess - ln -s ${htaccess} $out/.htaccess - # symlink uploads directory - ln -s ${config.wordpressUploads} $out/wp-content/uploads - - # remove bundled plugins(s) coming with wordpress - rm -Rf $out/wp-content/plugins/* - # remove bundled themes(s) coming with wordpress - rm -Rf $out/wp-content/themes/* - - # copy additional theme(s) - ${concatMapStrings (theme: "cp -r ${theme} $out/wp-content/themes/${theme.name}\n") config.themes} - # copy additional plugin(s) - ${concatMapStrings (plugin: "cp -r ${plugin} $out/wp-content/plugins/${plugin.name}\n") (config.plugins) } - - # symlink additional translation(s) - mkdir -p $out/wp-content/languages - ${concatMapStrings (language: "ln -s ${language}/*.mo ${language}/*.po $out/wp-content/languages/\n") (selectedLanguages) } - ''; - }; - -in - -{ - - # And some httpd extraConfig to make things work nicely - extraConfig = '' - <Directory ${wordpressRoot}> - DirectoryIndex index.php - Allow from * - Options FollowSymLinks - AllowOverride All - </Directory> - ''; - - enablePHP = true; - - options = { - package = mkOption { - type = types.path; - default = pkgs.wordpress; - description = '' - Path to the wordpress sources. - Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix - ''; - }; - dbHost = mkOption { - default = "localhost"; - description = "The location of the database server."; - example = "localhost"; - }; - dbName = mkOption { - default = "wordpress"; - description = "Name of the database that holds the Wordpress data."; - example = "localhost"; - }; - dbUser = mkOption { - default = "wordpress"; - description = "The dbUser, read: the username, for the database."; - example = "wordpress"; - }; - dbPassword = mkOption { - default = "wordpress"; - description = '' - The mysql password to the respective dbUser. - - Warning: this password is stored in the world-readable Nix store. It's - recommended to use the $dbPasswordFile option since that gives you control over - the security of the password. $dbPasswordFile also takes precedence over $dbPassword. - ''; - example = "wordpress"; - }; - dbPasswordFile = mkOption { - type = types.str; - default = toString (pkgs.writeTextFile { - name = "wordpress-dbpassword"; - text = config.dbPassword; - }); - example = "/run/keys/wordpress-dbpassword"; - description = '' - Path to a file that contains the mysql password to the respective dbUser. - The file should be readable by the user: config.services.httpd.user. - - $dbPasswordFile takes precedence over the $dbPassword option. - - This defaults to a file in the world-readable Nix store that contains the value - of the $dbPassword option. It's recommended to override this with a path not in - the Nix store. Tip: use nixops key management: - <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/> - ''; - }; - tablePrefix = mkOption { - default = "wp_"; - description = '' - The $table_prefix is the value placed in the front of your database tables. Change the value if you want to use something other than wp_ for your database prefix. Typically this is changed if you are installing multiple WordPress blogs in the same database. See <link xlink:href='http://codex.wordpress.org/Editing_wp-config.php#table_prefix'/>. - ''; - }; - wordpressUploads = mkOption { - default = "/data/uploads"; - description = '' - This directory is used for uploads of pictures and must be accessible (read: owned) by the httpd running user. The directory passed here is automatically created and permissions are given to the httpd running user. - ''; - }; - plugins = mkOption { - default = []; - type = types.listOf types.path; - description = - '' - List of path(s) to respective plugin(s) which are symlinked from the 'plugins' directory. Note: These plugins need to be packaged before use, see example. - ''; - example = '' - # Wordpress plugin 'akismet' installation example - akismetPlugin = pkgs.stdenv.mkDerivation { - name = "akismet-plugin"; - # Download the theme from the wordpress site - src = pkgs.fetchurl { - url = https://downloads.wordpress.org/plugin/akismet.3.1.zip; - sha256 = "1i4k7qyzna08822ncaz5l00wwxkwcdg4j9h3z2g0ay23q640pclg"; - }; - # We need unzip to build this package - buildInputs = [ pkgs.unzip ]; - # Installing simply means copying all files to the output directory - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - - And then pass this theme to the themes list like this: - plugins = [ akismetPlugin ]; - ''; - }; - themes = mkOption { - default = []; - type = types.listOf types.path; - description = - '' - List of path(s) to respective theme(s) which are symlinked from the 'theme' directory. Note: These themes need to be packaged before use, see example. - ''; - example = '' - # For shits and giggles, let's package the responsive theme - responsiveTheme = pkgs.stdenv.mkDerivation { - name = "responsive-theme"; - # Download the theme from the wordpress site - src = pkgs.fetchurl { - url = http://wordpress.org/themes/download/responsive.1.9.7.6.zip; - sha256 = "06i26xlc5kdnx903b1gfvnysx49fb4kh4pixn89qii3a30fgd8r8"; - }; - # We need unzip to build this package - buildInputs = [ pkgs.unzip ]; - # Installing simply means copying all files to the output directory - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - - And then pass this theme to the themes list like this: - themes = [ responsiveTheme ]; - ''; - }; - languages = mkOption { - default = []; - description = "Installs wordpress language packs based on the list, see wordpress.nix for possible translations."; - example = "[ \"en_GB\" \"de_DE\" ];"; - }; - extraConfig = mkOption { - type = types.lines; - default = ""; - example = - '' - define( 'AUTOSAVE_INTERVAL', 60 ); // Seconds - ''; - description = '' - Any additional text to be appended to Wordpress's wp-config.php - configuration file. This is a PHP script. For configuration - settings, see <link xlink:href='http://codex.wordpress.org/Editing_wp-config.php'/>. - ''; - }; - extraHtaccess = mkOption { - default = ""; - example = - '' - php_value upload_max_filesize 20M - php_value post_max_size 20M - ''; - description = '' - Any additional text to be appended to Wordpress's .htaccess file. - ''; - }; - }; - - documentRoot = wordpressRoot; - - # FIXME adding the user has to be done manually for the time being - startupScript = pkgs.writeScript "init-wordpress.sh" '' - #!/bin/sh - mkdir -p ${config.wordpressUploads} - chown ${serverInfo.serverConfig.user} ${config.wordpressUploads} - - # we should use systemd dependencies here - if [ ! -d ${serverInfo.fullConfig.services.mysql.dataDir}/${config.dbName} ]; then - echo "Need to create the database '${config.dbName}' and grant permissions to user named '${config.dbUser}'." - # Wait until MySQL is up - while [ ! -S /run/mysqld/mysqld.sock ]; do - sleep 1 - done - ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};' - ${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";" - else - echo "Good, no need to do anything database related." - fi - ''; -} diff --git a/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix b/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix index 4ec4a5a3359e..9f25dc34f3f0 100644 --- a/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix +++ b/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix @@ -42,10 +42,10 @@ in configText = mkOption { default = ""; example = '' - cache-size=1000 - scan-path=/srv/git source-filter=''${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py about-filter=''${pkgs.cgit}/lib/cgit/filters/about-formatting.sh + cache-size=1000 + scan-path=/srv/git ''; type = types.lines; description = '' diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xterm.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xterm.nix index f386ebc4d3c1..ea441fbbe715 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xterm.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xterm.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.xserver.desktopManager.xterm; + xserverEnabled = config.services.xserver.enable; in @@ -13,7 +14,8 @@ in services.xserver.desktopManager.xterm.enable = mkOption { type = types.bool; - default = true; + default = xserverEnabled; + defaultText = "config.services.xserver.enable"; description = "Enable a xterm terminal as a desktop manager."; }; diff --git a/nixpkgs/nixos/modules/system/boot/kernel.nix b/nixpkgs/nixos/modules/system/boot/kernel.nix index ab919099d112..ee43fe100238 100644 --- a/nixpkgs/nixos/modules/system/boot/kernel.nix +++ b/nixpkgs/nixos/modules/system/boot/kernel.nix @@ -196,7 +196,7 @@ in # (so you don't need to reboot to have changes take effect). boot.kernelParams = [ "loglevel=${toString config.boot.consoleLogLevel}" ] ++ - optionals config.boot.vesa [ "vga=0x317" ]; + optionals config.boot.vesa [ "vga=0x317" "nomodeset" ]; boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel; diff --git a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index ebe37ca10a2d..f48a085ce57a 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -133,7 +133,9 @@ def get_generations(profile=None): universal_newlines=True) gen_lines = gen_list.split('\n') gen_lines.pop() - return [ (profile, int(line.split()[0])) for line in gen_lines ] + + configurationLimit = @configurationLimit@ + return [ (profile, int(line.split()[0])) for line in gen_lines ][-configurationLimit:] def remove_old_entries(gens): rex_profile = re.compile("^@efiSysMountPoint@/loader/entries/nixos-(.*)-generation-.*\.conf$") diff --git a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index 3e39dc5dd396..910a602c61de 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -22,7 +22,7 @@ let editor = if cfg.editor then "True" else "False"; - inherit (cfg) consoleMode; + inherit (cfg) consoleMode configurationLimit; inherit (efi) efiSysMountPoint canTouchEfiVariables; @@ -57,6 +57,16 @@ in { ''; }; + configurationLimit = mkOption { + default = 100; + example = 120; + type = types.int; + description = '' + Maximum of configurations in boot menu. Otherwise boot partition could + run out of disk space. + ''; + }; + consoleMode = mkOption { default = "keep"; diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix index 93bbd141284d..f7f07bad9522 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix @@ -179,10 +179,9 @@ in requestEncryptionCredentials = mkOption { type = types.bool; - default = config.boot.zfs.enableUnstable; + default = true; description = '' Request encryption keys or passwords for all encrypted datasets on import. - Dataset encryption is only supported in zfsUnstable at the moment. For root pools the encryption key can be supplied via both an interactive prompt (keylocation=prompt) and from a file (keylocation=file://). Note that for data pools the encryption key can @@ -314,10 +313,6 @@ in assertion = !cfgZfs.forceImportAll || cfgZfs.forceImportRoot; message = "If you enable boot.zfs.forceImportAll, you must also enable boot.zfs.forceImportRoot"; } - { - assertion = cfgZfs.requestEncryptionCredentials -> cfgZfs.enableUnstable; - message = "This feature is only available for zfs unstable. Set the NixOS option boot.zfs.enableUnstable."; - } ]; virtualisation.lxd.zfsSupport = true; diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix index 2235eec9d95a..c10e2b162ccc 100644 --- a/nixpkgs/nixos/modules/virtualisation/containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/containers.nix @@ -445,7 +445,7 @@ in type = types.bool; default = !config.boot.isContainer; description = '' - Whether to enable support for nixos containers. + Whether to enable support for NixOS containers. ''; }; diff --git a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix index f4d7af1664af..394b4ce56563 100644 --- a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix +++ b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix @@ -23,14 +23,16 @@ let ''} ${cfg.qemuVerbatimConfig} ''; + dirName = "libvirt"; + subDirs = list: [ dirName ] ++ map (e: "${dirName}/${e}") list; in { ###### interface - options = { + options.virtualisation.libvirtd = { - virtualisation.libvirtd.enable = mkOption { + enable = mkOption { type = types.bool; default = false; description = '' @@ -41,7 +43,7 @@ in { ''; }; - virtualisation.libvirtd.qemuPackage = mkOption { + qemuPackage = mkOption { type = types.package; default = pkgs.qemu; description = '' @@ -51,7 +53,7 @@ in { ''; }; - virtualisation.libvirtd.extraConfig = mkOption { + extraConfig = mkOption { type = types.lines; default = ""; description = '' @@ -60,7 +62,7 @@ in { ''; }; - virtualisation.libvirtd.qemuRunAsRoot = mkOption { + qemuRunAsRoot = mkOption { type = types.bool; default = true; description = '' @@ -72,7 +74,7 @@ in { ''; }; - virtualisation.libvirtd.qemuVerbatimConfig = mkOption { + qemuVerbatimConfig = mkOption { type = types.lines; default = '' namespaces = [] @@ -84,7 +86,7 @@ in { ''; }; - virtualisation.libvirtd.qemuOvmf = mkOption { + qemuOvmf = mkOption { type = types.bool; default = true; description = '' @@ -93,7 +95,7 @@ in { ''; }; - virtualisation.libvirtd.extraOptions = mkOption { + extraOptions = mkOption { type = types.listOf types.str; default = [ ]; example = [ "--verbose" ]; @@ -102,7 +104,7 @@ in { ''; }; - virtualisation.libvirtd.onShutdown = mkOption { + onShutdown = mkOption { type = types.enum ["shutdown" "suspend" ]; default = "suspend"; description = '' @@ -113,6 +115,14 @@ in { ''; }; + allowedBridges = mkOption { + type = types.listOf types.str; + default = [ "virbr0" ]; + description = '' + List of bridge devices that can be used by qemu:///session + ''; + }; + }; @@ -120,7 +130,12 @@ in { config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ libvirt libressl.nc cfg.qemuPackage ]; + environment = { + # this file is expected in /etc/qemu and not sysconfdir (/var/lib) + etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e: + "allow ${e}") cfg.allowedBridges; + systemPackages = with pkgs; [ libvirt libressl.nc cfg.qemuPackage ]; + }; boot.kernelModules = [ "tun" ]; @@ -134,30 +149,15 @@ in { group = "qemu-libvirtd"; }; - systemd.packages = [ pkgs.libvirt ]; - - systemd.services.libvirtd = { - description = "Libvirt Virtual Machine Management Daemon"; - - wantedBy = [ "multi-user.target" ]; - after = [ "systemd-udev-settle.service" ] - ++ optional vswitch.enable "vswitchd.service"; - - environment.LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}''; - - path = [ cfg.qemuPackage ] # libvirtd requires qemu-img to manage disk images - ++ optional vswitch.enable vswitch.package; - - preStart = '' - mkdir -p /var/log/libvirt/qemu -m 755 - rm -f /var/run/libvirtd.pid - - mkdir -p /var/lib/libvirt - mkdir -p /var/lib/libvirt/dnsmasq + security.wrappers.qemu-bridge-helper = { + source = "/run/${dirName}/nix-helpers/qemu-bridge-helper"; + }; - chmod 755 /var/lib/libvirt - chmod 755 /var/lib/libvirt/dnsmasq + systemd.packages = [ pkgs.libvirt ]; + systemd.services.libvirtd-config = { + description = "Libvirt Virtual Machine Management Daemon - configuration"; + script = '' # Copy default libvirt network config .xml files to /var/lib # Files modified by the user will not be overwritten for i in $(cd ${pkgs.libvirt}/var/lib && echo \ @@ -169,22 +169,46 @@ in { done # Copy generated qemu config to libvirt directory - cp -f ${qemuConfigFile} /var/lib/libvirt/qemu.conf + cp -f ${qemuConfigFile} /var/lib/${dirName}/qemu.conf # stable (not GC'able as in /nix/store) paths for using in <emulator> section of xml configs - mkdir -p /run/libvirt/nix-emulators for emulator in ${pkgs.libvirt}/libexec/libvirt_lxc ${cfg.qemuPackage}/bin/qemu-kvm ${cfg.qemuPackage}/bin/qemu-system-*; do - ln -s --force "$emulator" /run/libvirt/nix-emulators/ + ln -s --force "$emulator" /run/${dirName}/nix-emulators/ + done + + for helper in libexec/qemu-bridge-helper bin/qemu-pr-helper; do + ln -s --force ${cfg.qemuPackage}/$helper /run/${dirName}/nix-helpers/ done ${optionalString cfg.qemuOvmf '' - mkdir -p /run/libvirt/nix-ovmf - ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd /run/libvirt/nix-ovmf/ - ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_VARS.fd /run/libvirt/nix-ovmf/ + ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_VARS.fd /run/${dirName}/nix-ovmf/ ''} ''; serviceConfig = { + Type = "oneshot"; + RuntimeDirectoryPreserve = "yes"; + LogsDirectory = subDirs [ "qemu" ]; + RuntimeDirectory = subDirs [ "nix-emulators" "nix-helpers" "nix-ovmf" ]; + StateDirectory = subDirs [ "dnsmasq" ]; + }; + }; + + systemd.services.libvirtd = { + description = "Libvirt Virtual Machine Management Daemon"; + + wantedBy = [ "multi-user.target" ]; + requires = [ "libvirtd-config.service" ]; + after = [ "systemd-udev-settle.service" "libvirtd-config.service" ] + ++ optional vswitch.enable "vswitchd.service"; + + environment.LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}''; + + path = [ cfg.qemuPackage ] # libvirtd requires qemu-img to manage disk images + ++ optional vswitch.enable vswitch.package; + + serviceConfig = { Type = "notify"; KillMode = "process"; # when stopping, leave the VMs alone Restart = "no"; @@ -203,7 +227,7 @@ in { systemd.sockets.virtlogd = { description = "Virtual machine log manager socket"; wantedBy = [ "sockets.target" ]; - listenStreams = [ "/run/libvirt/virtlogd-sock" ]; + listenStreams = [ "/run/${dirName}/virtlogd-sock" ]; }; systemd.services.virtlogd = { @@ -215,7 +239,7 @@ in { systemd.sockets.virtlockd = { description = "Virtual machine lock manager socket"; wantedBy = [ "sockets.target" ]; - listenStreams = [ "/run/libvirt/virtlockd-sock" ]; + listenStreams = [ "/run/${dirName}/virtlockd-sock" ]; }; systemd.services.virtlockd = { diff --git a/nixpkgs/nixos/tests/mysql.nix b/nixpkgs/nixos/tests/mysql.nix index cfe10bc41b0c..abf9606aa366 100644 --- a/nixpkgs/nixos/tests/mysql.nix +++ b/nixpkgs/nixos/tests/mysql.nix @@ -28,6 +28,12 @@ import ./make-test.nix ({ pkgs, ...} : { { users.users.testuser = { }; services.mysql.enable = true; + services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' + ALTER USER root@localhost IDENTIFIED WITH unix_socket; + DELETE FROM mysql.user WHERE password = ''' AND plugin = '''; + DELETE FROM mysql.user WHERE user = '''; + FLUSH PRIVILEGES; + ''; services.mysql.ensureDatabases = [ "testdb" ]; services.mysql.ensureUsers = [{ name = "testuser"; diff --git a/nixpkgs/nixos/tests/wordpress.nix b/nixpkgs/nixos/tests/wordpress.nix index 5003e25a7d5b..774ef6293b51 100644 --- a/nixpkgs/nixos/tests/wordpress.nix +++ b/nixpkgs/nixos/tests/wordpress.nix @@ -6,48 +6,37 @@ import ./make-test.nix ({ pkgs, ... }: maintainers = [ grahamc ]; # under duress! }; - nodes = - { web = - { pkgs, ... }: - { - services.mysql = { - enable = true; - package = pkgs.mysql; - }; - services.httpd = { - enable = true; - logPerVirtualHost = true; - adminAddr="js@lastlog.de"; - - virtualHosts = [ - { - hostName = "wordpress"; - extraSubservices = - [ - { - serviceType = "wordpress"; - dbPassword = "wordpress"; - dbHost = "127.0.0.1"; - languages = [ "de_DE" "en_GB" ]; - } - ]; - } - ]; - }; - }; - }; - - testScript = + machine = { ... }: - '' - startAll; + { services.httpd.adminAddr = "webmaster@site.local"; + services.httpd.logPerVirtualHost = true; + + services.wordpress."site1.local" = { + database.tablePrefix = "site1_"; + }; - $web->waitForUnit("mysql"); - $web->waitForUnit("httpd"); + services.wordpress."site2.local" = { + database.tablePrefix = "site2_"; + }; + + networking.hosts."127.0.0.1" = [ "site1.local" "site2.local" ]; + + # required for wordpress-init.service to succeed + systemd.tmpfiles.rules = [ + "F /var/lib/wordpress/site1.local/secret-keys.php 0440 wordpress wwwrun - -" + "F /var/lib/wordpress/site2.local/secret-keys.php 0440 wordpress wwwrun - -" + ]; + }; - $web->succeed("curl -L 127.0.0.1:80 | grep 'Welcome to the famous'"); + testScript = '' + startAll; + $machine->waitForUnit("httpd"); + $machine->waitForUnit("phpfpm-wordpress-site1.local"); + $machine->waitForUnit("phpfpm-wordpress-site2.local"); - ''; + $machine->succeed("curl -L site1.local | grep 'Welcome to the famous'"); + $machine->succeed("curl -L site2.local | grep 'Welcome to the famous'"); + ''; }) |