From 1d9651e723a3e08e52e1ce14ac4e3025e20f90ff Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Sat, 21 May 2016 19:25:21 +0200 Subject: Remove systemd shell aliases --- nixos/modules/system/boot/systemd.nix | 7 ------- 1 file changed, 7 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index e7f892945315..076bbca850d9 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -753,13 +753,6 @@ in "TMPFS_XATTR" "SECCOMP" ]; - environment.shellAliases = - { start = "systemctl start"; - stop = "systemctl stop"; - restart = "systemctl restart"; - status = "systemctl status"; - }; - users.extraGroups.systemd-journal.gid = config.ids.gids.systemd-journal; users.extraUsers.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway; users.extraGroups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway; -- cgit 1.4.1 From e69ed2b64b39e0bf117174cb1ec75c4acc2d211f Mon Sep 17 00:00:00 2001 From: obadz Date: Sun, 22 May 2016 21:22:39 +0100 Subject: opensmtpd: 5.7.3p2 -> 5.9.2p1 --- nixos/modules/services/mail/opensmtpd.nix | 11 ++++- pkgs/servers/mail/opensmtpd/default.nix | 19 ++++---- pkgs/servers/mail/opensmtpd/proc_path.diff | 76 +++++++++++++++++------------- 3 files changed, 62 insertions(+), 44 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/opensmtpd.nix b/nixos/modules/services/mail/opensmtpd.nix index 42a1244cde57..e773cdedaea2 100644 --- a/nixos/modules/services/mail/opensmtpd.nix +++ b/nixos/modules/services/mail/opensmtpd.nix 
@@ -107,7 +107,16 @@ in { wantedBy = [ "multi-user.target" ]; wants = [ "network.target" ]; after = [ "network.target" ]; - preStart = "mkdir -p /var/spool"; + preStart = '' + mkdir -p /var/spool/smtpd + + mkdir -p /var/spool/smtpd/offline + chown root.smtpq /var/spool/smtpd/offline + chmod 770 /var/spool/smtpd/offline + + mkdir -p /var/spool/smtpd/purge + chmod 700 /var/spool/smtpd/purge + ''; serviceConfig.ExecStart = "${opensmtpd}/sbin/smtpd -d -f ${conf} ${args}"; environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd"; }; diff --git a/pkgs/servers/mail/opensmtpd/default.nix b/pkgs/servers/mail/opensmtpd/default.nix index 94bc9f2bfe98..4edee78898e4 100644 --- a/pkgs/servers/mail/opensmtpd/default.nix +++ b/pkgs/servers/mail/opensmtpd/default.nix @@ -1,17 +1,17 @@ { stdenv, fetchurl, autoconf, automake, libtool, bison -, libasr, libevent, zlib, openssl, db, pam, cacert +, libasr, libevent, zlib, openssl, db, pam }: stdenv.mkDerivation rec { name = "opensmtpd-${version}"; - version = "5.7.3p2"; + version = "5.9.2p1"; nativeBuildInputs = [ autoconf automake libtool bison ]; buildInputs = [ libasr libevent zlib openssl db pam ]; src = fetchurl { url = "http://www.opensmtpd.org/archives/${name}.tar.gz"; - sha256 = "0d2973008d0f66bebb84bed516be6c32617735241cc54dd26643529281a8e52b"; + sha256 = "07d7f1m5sxyz6mkk228rcm7fsf7350994ayvmhgph333q5rz48im"; }; patches = [ ./proc_path.diff ]; @@ -23,8 +23,9 @@ stdenv.mkDerivation rec { "--with-pam" "--without-bsd-auth" "--with-sock-dir=/run" - "--with-privsep-user=smtpd" - "--with-queue-user=smtpq" + "--with-user-smtpd=smtpd" + "--with-user-queue=smtpq" + "--with-group-queue=smtpq" "--with-ca-file=/etc/ssl/certs/ca-certificates.crt" "--with-libevent-dir=${libevent.dev}" "--enable-table-db" 
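Review bot: The new `preStart` creates `/var/spool/smtpd/offline` as `root.smtpq` mode 770 without the sticky bit, leaves `purge` owned by root, and gives the top-level `/var/spool/smtpd` whatever mode the umask yields. As far as I remember OpenSMTPD's startup check (`ckdir` in smtpd.c) expects offline to be 01770 root:queue-group (the sticky bit is what stops one smtpq member unlinking another user's offline submission), purge to be 0700 owned by the queue user, and the spool itself 0711, and refuses to start on a mismatch — if this unit does start, the check is more lenient than I recall, but the sticky bit is still worth setting. `chown` is also written with the deprecated `user.group` separator, which coreutils accepts only as a fallback when the name does not contain a dot. Suggested lines: `chown root:smtpq /var/spool/smtpd/offline`, `chmod 1770 /var/spool/smtpd/offline`, `chown smtpq /var/spool/smtpd/purge`.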
@@ -35,14 +36,14 @@ stdenv.mkDerivation rec { "localstatedir=\${TMPDIR}" ]; - meta = { + meta = with stdenv.lib; { homepage = https://www.opensmtpd.org/; description = '' A free implementation of the server-side SMTP protocol as defined by RFC 5321, with some additional standard extensions ''; - license = stdenv.lib.licenses.isc; - platforms = stdenv.lib.platforms.linux; - maintainers = [ stdenv.lib.maintainers.rickynils ]; + license = licenses.isc; + platforms = platforms.linux; + maintainers = with maintainers; [ rickynils obadz ]; }; } diff --git a/pkgs/servers/mail/opensmtpd/proc_path.diff b/pkgs/servers/mail/opensmtpd/proc_path.diff index 0e8eac0bb83b..9306685e365e 100644 --- a/pkgs/servers/mail/opensmtpd/proc_path.diff +++ b/pkgs/servers/mail/opensmtpd/proc_path.diff @@ -1,11 +1,12 @@ -diff -Naur opensmtpd-5.7.1p1/smtpd/parse.y opensmtpd-5.7.1p1.patched/smtpd/parse.y ---- opensmtpd-5.7.1p1/smtpd/parse.y 2015-06-30 10:13:34.000000000 +0200 -+++ opensmtpd-5.7.1p1.patched/smtpd/parse.y 2015-09-26 08:41:17.012472516 +0200 -@@ -2519,13 +2519,19 @@ +diff --git a/smtpd/parse.y b/smtpd/parse.y +index ab02719..c1c77d9 100644 +--- a/smtpd/parse.y ++++ b/smtpd/parse.y +@@ -2534,13 +2534,19 @@ create_filter_proc(char *name, char *prog) { struct filter_conf *f; char *path; -+ const char *proc_path; ++ const char *proc_path; if (dict_get(&conf->sc_filters, name)) { yyerror("filter \"%s\" already defined", name); 
@@ -13,64 +14,71 @@ diff -Naur opensmtpd-5.7.1p1/smtpd/parse.y opensmtpd-5.7.1p1.patched/smtpd/parse } - if (asprintf(&path, "%s/filter-%s", PATH_LIBEXEC, prog) == -1) { -+ proc_path = getenv("OPENSMTPD_PROC_PATH"); -+ if (proc_path == NULL) { -+ proc_path = PATH_LIBEXEC; -+ } ++ proc_path = getenv("OPENSMTPD_PROC_PATH"); ++ if (proc_path == NULL) { ++ proc_path = PATH_LIBEXEC; ++ } + + if (asprintf(&path, "%s/filter-%s", proc_path, prog) == -1) { yyerror("filter \"%s\" asprintf failed", name); return (0); } -diff -Naur opensmtpd-5.7.1p1/smtpd/smtpd.c opensmtpd-5.7.1p1.patched/smtpd/smtpd.c ---- opensmtpd-5.7.1p1/smtpd/smtpd.c 2015-06-30 10:13:34.000000000 +0200 -+++ opensmtpd-5.7.1p1.patched/smtpd/smtpd.c 2015-09-26 08:41:16.998472557 +0200 -@@ -854,6 +854,7 @@ +diff --git a/smtpd/smtpd.c b/smtpd/smtpd.c +index afc8891..9b0a80f 100644 +--- a/smtpd/smtpd.c ++++ b/smtpd/smtpd.c +@@ -795,6 +795,7 @@ fork_proc_backend(const char *key, const char *conf, const char *procname) char path[PATH_MAX]; char name[PATH_MAX]; char *arg; -+ char *proc_path; ++ char *proc_path; if (strlcpy(name, conf, sizeof(name)) >= sizeof(name)) { log_warnx("warn: %s-proc: conf too long", key); -@@ -864,7 +865,12 @@ +@@ -805,7 +806,12 @@ fork_proc_backend(const char *key, const char *conf, const char *procname) if (arg) *arg++ = '\0'; - if (snprintf(path, sizeof(path), PATH_LIBEXEC "/%s-%s", key, name) >= -+ proc_path = getenv("OPENSMTPD_PROC_PATH"); -+ if (proc_path == NULL) { -+ proc_path = PATH_LIBEXEC; -+ } ++ proc_path = getenv("OPENSMTPD_PROC_PATH"); ++ if (proc_path == NULL) { ++ proc_path = PATH_LIBEXEC; ++ } + + if (snprintf(path, sizeof(path), "%s/%s-%s", proc_path, key, name) >= (ssize_t)sizeof(path)) { log_warn("warn: %s-proc: exec path too long", key); return (-1); -diff -Naur opensmtpd-5.7.1p1/smtpd/table.c opensmtpd-5.7.1p1.patched/smtpd/table.c ---- opensmtpd-5.7.1p1/smtpd/table.c 2015-06-30 10:13:34.000000000 +0200 -+++ opensmtpd-5.7.1p1.patched/smtpd/table.c 2015-09-26 
08:41:17.005472536 +0200 -@@ -201,6 +201,7 @@ +diff --git a/smtpd/table.c b/smtpd/table.c +index 21ee237..95b5164 100644 +--- a/smtpd/table.c ++++ b/smtpd/table.c +@@ -193,6 +193,7 @@ table_create(const char *backend, const char *name, const char *tag, struct table_backend *tb; char buf[LINE_MAX]; char path[LINE_MAX]; -+ const char *proc_path; ++ const char *proc_path; size_t n; struct stat sb; -@@ -215,8 +216,14 @@ +@@ -207,11 +208,16 @@ table_create(const char *backend, const char *name, const char *tag, if (name && table_find(name, NULL)) fatalx("table_create: table \"%s\" already defined", name); -+ proc_path = getenv("OPENSMTPD_PROC_PATH"); -+ if (proc_path == NULL) { -+ proc_path = PATH_LIBEXEC; -+ } ++ proc_path = getenv("OPENSMTPD_PROC_PATH"); ++ if (proc_path == NULL) { ++ proc_path = PATH_LIBEXEC; ++ } + if ((tb = table_backend_lookup(backend)) == NULL) { -- if ((size_t)snprintf(path, sizeof(path), PATH_LIBEXEC "/table-%s", +- if ((size_t)snprintf(path, sizeof(path), PATH_LIBEXEC"/table-%s", +- backend) >= sizeof(path)) { +- fatalx("table_create: path too long \"" +- PATH_LIBEXEC"/table-%s\"", backend); + if ((size_t)snprintf(path, sizeof(path), "%s/table-%s", -+ proc_path, - backend) >= sizeof(path)) { - fatalx("table_create: path too long \"" - PATH_LIBEXEC "/table-%s\"", backend); ++ proc_path, backend) >= sizeof(path)) { ++ fatalx("table_create: path too long \"%s/table-%s\"", ++ proc_path, backend); + } + if (stat(path, &sb) == 0) { + tb = table_backend_lookup("proc"); -- cgit 1.4.1 From 16535d4a71a21fe118adbcccdc97968513911098 Mon Sep 17 00:00:00 2001 
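Review bot: The `getenv("OPENSMTPD_PROC_PATH")` lookups added in parse.y, smtpd.c and table.c let the environment decide where `filter-*`, `table-*` and backend executables are loaded from; in the NixOS unit the daemon runs as root with the variable set explicitly, which is fine, but if any of these translation units is also linked into a set-id helper (OpenBSD installs smtpctl setgid to the queue group; what the NixOS wrapper does is not visible here), an unprivileged caller could steer a privileged process to an arbitrary binary. Guarding each lookup with `if ((proc_path = getenv("OPENSMTPD_PROC_PATH")) == NULL || issetugid()) proc_path = PATH_LIBEXEC;` closes that off (the portable tree carries an `issetugid` compat shim), and the smtpd.c copy should be `const char *proc_path` like the other two rather than `char *`. The three patched functions (`create_filter_proc`, `fork_proc_backend`, `table_create`) all start and end outside the hunks.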
From: Domen Kožar Date: Mon, 23 May 2016 13:09:08 +0100 Subject: setuid-wrappers: remove config.system.path from the closure The motivation is using sudo in chroot nix builds, a somewhat special edge case I have and pulling system path into chroot yields to some very nasty bug like https://github.com/NixOS/nixpkgs/issues/15581 Previously: $ cat /var/setuid-wrappers/sudo.real /nix/store/3sm04dzh0994r86xqxy52jjc0lqnkn65-system-path/bin/sudo After the change: $ cat /var/setuid-wrappers/sudo.real /nix/store/4g9sxbzy8maxf1v217ikp69c0c3q12as-sudo-1.8.15/bin/sudo --- nixos/modules/security/setuid-wrappers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix index 7d69f9b1183d..99dd514feea3 100644 --- a/nixos/modules/security/setuid-wrappers.nix +++ b/nixos/modules/security/setuid-wrappers.nix @@ -96,7 +96,7 @@ in }: '' - if ! source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}; then + if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then # If we can't find the program, fall back to the # system profile. source=/nix/var/nix/profiles/default/bin/${program} -- cgit 1.4.1 From 5eb0e1360abc51e04de131fb3ece22390f251e0c Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Mon, 23 May 2016 15:16:41 +0200 Subject: release notes: mention removal of shell aliases --- nixos/doc/manual/release-notes/rl-1609.xml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index 22dea8029242..b08688a66959 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml 
@@ -30,7 +30,10 @@ following incompatible changes: - todo + Shell aliases for systemd sub-commands + were dropped: + start, stop, + restart, status. -- cgit 1.4.1 From 77028b1e8db27602f61d8c32547849ea42ee97c9 Mon Sep 17 00:00:00 2001 From: Taeradan Date: Mon, 23 May 2016 12:44:35 +0200 Subject: fail2ban service: add iproute to PATH iproute is required for blocking via null routes; without it, rules based on routes.conf will fail. Closes #15638 --- nixos/modules/services/security/fail2ban.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 33c4910fc0ce..22e3bb0066cc 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -102,7 +102,7 @@ in partOf = optional config.networking.firewall.enable "firewall.service"; restartTriggers = [ fail2banConf jailConf ]; - path = [ pkgs.fail2ban pkgs.iptables ]; + path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ]; preStart = '' -- cgit 1.4.1 From 0f384e5cf2d47ab389eb849d659fb4882887bf6c Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Mon, 23 May 2016 16:44:20 +0200 Subject: dnscrypt-proxy service: update resolver list --- nixos/modules/services/networking/dnscrypt-proxy.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index bb0dc756ba47..2a6161ee873a 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix 
@@ -90,7 +90,7 @@ in example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; default = pkgs.fetchurl { url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv"; - sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd"; + sha256 = "0lac20qhcgjxxiiz8jzcn3hkqj4ywl58hahp5n2i6vf9akfyqp7c"; }; defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }"; }; -- cgit 1.4.1 From b9df4311dc1f50253ec86be6b7908fa620070ffd Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Mon, 23 May 2016 19:50:25 +0200 Subject: man-db: make it the default man provider For now, leave the old implementation under `man-old` attribute. Small warning: I had a leftover ~/.nix-profile/man from an old package, which caused man-db's man prefer it and ignore ~/.nix-profile/share/man. The PATH->MANPATH code just selects the first match for each PATH item. --- nixos/modules/programs/man.nix | 2 +- pkgs/top-level/aliases.nix | 2 ++ pkgs/top-level/all-packages.nix | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/programs/man.nix b/nixos/modules/programs/man.nix index 201144ccb451..e59ffd6f936d 100644 --- a/nixos/modules/programs/man.nix +++ b/nixos/modules/programs/man.nix @@ -19,7 +19,7 @@ with lib; config = mkIf config.programs.man.enable { - environment.systemPackages = [ pkgs.man ]; + environment.systemPackages = [ pkgs.man-db ]; environment.pathsToLink = [ "/share/man" ]; diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index fb1b3571e37a..a6b312619c9a 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix 
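Review bot: The default resolver list is fetched from `master` of the dnscrypt-proxy repository with a fixed sha256, so this hash bump will go stale again at the next upstream edit, and each bump silently swaps the set of resolvers — and the provider public keys listed in that CSV — that the service trusts, with no record of which upstream revision the hash corresponds to. Pinning the URL to the commit whose content the hash describes, e.g. `url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/<commit>/dnscrypt-resolvers.csv";`, makes the trusted list reviewable, or the default could simply use the copy shipped in `pkgs.dnscrypt-proxy` as the `example` already does.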
@@ -64,6 +64,8 @@ doNotDisplayTwice rec { lttngTools = lttng-tools; # added 2014-07-31 lttngUst = lttng-ust; # added 2014-07-31 manpages = man-pages; # added 2015-12-06 + man_db = man-db; # added 2016-05 + man = man-db; # added 2016-05 midoriWrapper = midori; # added 2015-01 mlt-qt5 = qt5.mlt; # added 2015-12-19 module_init_tools = kmod; # added 2016-04-22 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 24b56ef5d75d..3f882ce1654c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2379,9 +2379,9 @@ in makemkv = callPackage ../applications/video/makemkv { }; - man = callPackage ../tools/misc/man { }; + man-old = callPackage ../tools/misc/man { }; - man_db = callPackage ../tools/misc/man-db { }; + man-db = callPackage ../tools/misc/man-db { }; mawk = callPackage ../tools/text/mawk { }; -- cgit 1.4.1 From 19ee3baa32d9cf74db392c1c88855a22f9391aff Mon Sep 17 00:00:00 2001 From: Markus Mueller Date: Mon, 23 May 2016 20:43:22 +0000 Subject: ldap module: fix activationScripts declaration --- nixos/modules/config/ldap.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index a6657768e061..7064ef64b4c8 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -192,7 +192,7 @@ in system.activationScripts = mkIf insertLdapPassword { ldap = stringAfter [ "etc" "groups" "users" ] '' if test -f "${cfg.bind.password}" ; then - echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig} - > /etc/ldap.conf.bindpw + echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf chmod 600 /etc/ldap.conf fi -- cgit 1.4.1 From 77f2c305b67881a02c6671c35264bb71e652baea Mon Sep 17 00:00:00 2001 
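Review bot: In the ldap.nix activation script, `/etc/ldap.conf.bindpw` is created by the `>` redirection under the script's umask (commonly 022, i.e. 0644) and only receives `chmod 600` after the bind password has been written and the file moved into place, so the password is briefly world-readable; the `ldapConfig.source` fix does not change that. The password is also expanded outside double quotes (`"bindpw "$(cat …)""`), making it subject to word splitting and globbing. Suggested replacement for the `echo … | cat … >` line: `(umask 077; { cat ${ldapConfig.source}; echo "bindpw $(cat ${cfg.bind.password})"; } > /etc/ldap.conf.bindpw)`, keeping the following `mv -fT` and `chmod` as they are.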
From: Hans-Harro Horn Date: Sun, 22 May 2016 16:07:26 +0200 Subject: mosquitto service: init Initial Mosquitto MQTT Broker service file. --- nixos/modules/misc/ids.nix | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/networking/mosquitto.nix | 219 ++++++++++++++++++++++++ 3 files changed, 222 insertions(+) create mode 100644 nixos/modules/services/networking/mosquitto.nix (limited to 'nixos') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index b2cb121d1d63..149062a6b332 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -267,6 +267,7 @@ graylog = 243; sniproxy = 244; nzbget = 245; + mosquitto = 246; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -504,6 +505,7 @@ emby = 242; sniproxy = 244; nzbget = 245; + mosquitto = 246; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 370220d253a5..be41b5ebcdd7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -347,6 +347,7 @@ ./services/networking/mjpg-streamer.nix ./services/networking/minidlna.nix ./services/networking/miniupnpd.nix + ./services/networking/mosquitto.nix ./services/networking/mstpd.nix ./services/networking/murmur.nix ./services/networking/namecoind.nix diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix new file mode 100644 index 000000000000..f926cd710c8d --- /dev/null +++ b/nixos/modules/services/networking/mosquitto.nix 
@@ -0,0 +1,219 @@ +{ config, lib, pkgs, ...}: + +with lib; + +let + cfg = config.services.mosquitto; + + listenerConf = optionalString cfg.ssl.enable '' + listener ${toString cfg.ssl.port} ${cfg.ssl.host} + cafile ${cfg.ssl.cafile} + certfile ${cfg.ssl.certfile} + keyfile ${cfg.ssl.keyfile} + ''; + + mosquittoConf = pkgs.writeText "mosquitto.conf" '' + pid_file /run/mosquitto/pid + acl_file ${aclFile} + persistence true + allow_anonymous ${if cfg.allowAnonymous then "true" else "false"} + bind_address ${cfg.host} + port ${toString cfg.port} + ${listenerConf} + ${cfg.extraConf} + ''; + + userAcl = (concatStringsSep "\n\n" (mapAttrsToList (n: c: + "user ${n}\n" + (concatStringsSep "\n" c.acl)) cfg.users + )); + + aclFile = pkgs.writeText "mosquitto.acl" '' + ${cfg.aclExtraConf} + ${userAcl} + ''; + +in + +{ + + ###### Interface + + options = { + services.mosquitto = { + enable = mkEnableOption "Enable the MQTT Mosquitto broker."; + + host = mkOption { + default = "127.0.0.1"; + example = "0.0.0.0"; + type = types.string; + description = '' + Host to listen on without SSL. + ''; + }; + + port = mkOption { + default = 1883; + example = 1883; + type = types.int; + description = '' + Port on which to listen without SSL. + ''; + }; + + ssl = { + enable = mkEnableOption "Enable SSL listener."; + + cafile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to PEM encoded CA certificates."; + }; + + certfile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to PEM encoded server certificate."; + }; + + keyfile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to PEM encoded server key."; + }; + + host = mkOption { + default = "0.0.0.0"; + example = "localhost"; + type = types.string; + description = '' + Host to listen on with SSL. 
+ ''; + }; + + port = mkOption { + default = 8883; + example = 8883; + type = types.int; + description = '' + Port on which to listen with SSL. + ''; + }; + }; + + dataDir = mkOption { + default = "/var/lib/mosquitto"; + type = types.path; + description = '' + The data directory. + ''; + }; + + users = mkOption { + type = types.attrsOf (types.submodule { + options = { + password = mkOption { + type = with types; uniq (nullOr str); + default = null; + description = '' + Specifies the (clear text) password for the MQTT User. + ''; + }; + + hashedPassword = mkOption { + type = with types; uniq (nullOr str); + default = null; + description = '' + Specifies the hashed password for the MQTT User. + overrides . + To generate hashed password install mkpasswd + package and run mkpasswd -m sha-512. + ''; + }; + + acl = mkOption { + type = types.listOf types.string; + example = [ "topic read A/B" "topic A/#" ]; + description = '' + Control client access to topics on the broker. + ''; + }; + }; + }); + example = { john = { password = "123456"; acl = [ "topic readwrite john/#" ]; }; }; + description = '' + A set of users and their passwords and ACLs. + ''; + }; + + allowAnonymous = mkOption { + default = false; + example = true; + type = types.bool; + description = '' + Allow clients to connect without authentication. + ''; + }; + + extraConf = mkOption { + default = ""; + type = types.lines; + description = '' + Extra config to append to `mosquitto.conf` file. + ''; + }; + + aclExtraConf = mkOption { + default = ""; + type = types.lines; + description = '' + Extra config to prepend to the ACL file. 
+ ''; + }; + + }; + }; + + + ###### Implementation + + config = mkIf cfg.enable { + + systemd.services.mosquitto = { + description = "Mosquitto MQTT Broker Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Type = "forking"; + User = "mosquitto"; + Group = "mosquitto"; + RuntimeDirectory = "mosquitto"; + WorkingDirectory = cfg.dataDir; + Restart = "on-failure"; + ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf} -d"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + PIDFile = "/run/mosquitto/pid"; + }; + preStart = '' + rm -f ${cfg.dataDir}/passwd + touch ${cfg.dataDir}/passwd + '' + concatStringsSep "\n" ( + mapAttrsToList (n: c: + if c.hashedPassword != null then + "echo '${n}:${c.hashedPassword}' > ${cfg.dataDir}/passwd" + else optionalString (c.password != null) + "${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} ${c.password}" + ) cfg.users); + }; + + users.extraUsers.mosquitto = { + description = "Mosquitto MQTT Broker Daemon owner"; + group = "mosquitto"; + uid = config.ids.uids.mosquitto; + home = cfg.dataDir; + createHome = true; + }; + + users.extraGroups.mosquitto.gid = config.ids.gids.mosquitto; + + }; +} -- cgit 1.4.1 From 493cae87567b298c1100c284b48cc74faccbc9eb Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Tue, 24 May 2016 11:13:46 +0200 Subject: Revert "Merge pull request #15384 from Shados/fix-preshell-terminfo" This reverts commit 4e9833d9e8e7bb449ca897d1f7e9db48fbf8aa53, reversing changes made to 6194e9d801d31d6241deb5c6dc534975887f143d. Setting TERMINFO prevents ncurses from reading TERMINFO_DIRS. See https://github.com/NixOS/nixpkgs/pull/15384#issuecomment-221205596 --- nixos/modules/config/shells-environment.nix | 4 ---- 1 file changed, 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index 89b8a04b5e7c..9642981803bf 100644 
--- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -150,10 +150,6 @@ in system.build.binsh = pkgs.bashInteractive; - # Ensure TERMINFO is set appropriately *before* user shells are run, - # as they may depend on it - environment.sessionVariables.TERMINFO = "/run/current-system/sw/share/terminfo"; - # Set session variables in the shell as well. This is usually # unnecessary, but it allows changes to session variables to take # effect without restarting the session (e.g. by opening a new -- cgit 1.4.1 From ad29b726866b5abeed9ad05cad52995295cf4813 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 May 2016 16:33:14 +0200 Subject: test-driver: Fix "unit X is inactive and there are no pending jobs" This was causing many random test failures. --- nixos/lib/test-driver/Machine.pm | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/lib/test-driver/Machine.pm b/nixos/lib/test-driver/Machine.pm index 37d6518fd8d7..1a243918c22f 100644 --- a/nixos/lib/test-driver/Machine.pm +++ b/nixos/lib/test-driver/Machine.pm @@ -382,9 +382,17 @@ sub waitForUnit { my $state = $info->{ActiveState}; die "unit ‘$unit’ reached state ‘$state’\n" if $state eq "failed"; if ($state eq "inactive") { + # If there are no pending jobs, then assume this unit + # will never reach active state. my ($status, $jobs) = $self->execute("systemctl list-jobs --full 2>&1"); - die "unit ‘$unit’ is inactive and there are no pending jobs\n" - if $jobs =~ /No jobs/; # FIXME: fragile + if ($jobs =~ /No jobs/) { # FIXME: fragile + # Handle the case where the unit may have started + # between the previous getUnitInfo() and + # list-jobs. + my $info2 = $self->getUnitInfo($unit); + die "unit ‘$unit’ is inactive and there are no pending jobs\n" + if $info2->{ActiveState} eq $state; + } } return 1 if $state eq "active"; }; -- cgit 1.4.1 From 3e7b510281e6144a441646dd6e32cc3f3bae1f8a Mon Sep 17 00:00:00 2001 
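Review bot: In `waitForUnit`, the fresh `$info2->{ActiveState}` is only compared against the stale `$state` and then dropped, so if the unit reached `active` or `failed` between the two queries the `return 1 if $state eq "active"` check below and the `failed` test above still see the old value and the result waits for the next retry. Assigning it back — `$state = $info2->{ActiveState};` right after the `die`, and repeating `die "unit ‘$unit’ reached state ‘$state’\n" if $state eq "failed";` — makes the race handling self-contained. The enclosing `waitForUnit` sub starts and ends outside the hunk.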
From: Eelco Dolstra Date: Tue, 24 May 2016 17:20:22 +0200 Subject: nixos.tests.swraid: Drop mdadm -W This command is racy because it will return a non-zero exit code if the array is already clean. This caused numerous random failures. It should be unnecessary anyway. (Maybe in the past we needed this because of #15226.) http://hydra.nixos.org/job/nixos/release-16.03/nixos.tests.installer.swraid.i686-linux --- nixos/tests/installer.nix | 2 -- 1 file changed, 2 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 0b0e53ee7324..7b949ff93be7 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -403,8 +403,6 @@ in { "mkdir /mnt/boot", "mount LABEL=boot /mnt/boot", "udevadm settle", - "mdadm --verbose -W /dev/md0", # wait for sync to finish; booting off an unsynced device tends to fail - "mdadm --verbose -W /dev/md1", ); ''; preBootCommands = '' -- cgit 1.4.1 From d84741a4bfb6ed2531ec7154479c147d2c9a737c Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 May 2016 21:07:26 +0200 Subject: X server: Log to the journal instead of /var/log/X.0.log This ensures that "journalctl -u display-manager" does what you would expect in 2016. However, the main reason is to ensure that our VM tests show the output of the X server. A slight problem is that with KDE user switching, messages from the various X servers end up in the same place. However, that's an improvement over the previous situation, where the second X server would overwrite the /var/log/X.0.log of the first. (This was caused by the fact that we were passing a hard-coded value for -logfile.) --- nixos/modules/services/x11/display-managers/kdm.nix | 2 +- nixos/modules/services/x11/xserver.nix | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/x11/display-managers/kdm.nix b/nixos/modules/services/x11/display-managers/kdm.nix index 9b937ff7ee18..d9f7f8f0dfc4 100644 
--- a/nixos/modules/services/x11/display-managers/kdm.nix +++ b/nixos/modules/services/x11/display-managers/kdm.nix @@ -139,7 +139,7 @@ in mkdir -m 0755 -p /var/lib/kdm chown kdm /var/lib/kdm ${(optionalString (config.system.boot.loader.id == "grub" && config.system.build.grub != null) "PATH=${config.system.build.grub}/sbin:$PATH ") + - "KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon"} + "KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon -logfile /dev/stderr"} ''; logsXsession = true; }; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 4f65ed72d36e..82d3e31e2a01 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -520,6 +520,7 @@ in serviceConfig = { Restart = "always"; RestartSec = "200ms"; + SyslogIdentifier = "display-manager"; }; }; @@ -527,10 +528,11 @@ in [ "-terminate" "-config ${configFile}" "-xkbdir" "${cfg.xkbDir}" + # Log at the default verbosity level to stderr rather than /var/log/X.*.log. + "-verbose" "3" "-logfile" "/dev/null" ] ++ optional (cfg.display != null) ":${toString cfg.display}" ++ optional (cfg.tty != null) "vt${toString cfg.tty}" ++ optional (cfg.dpi != null) "-dpi ${toString cfg.dpi}" - ++ optionals (cfg.display != null) [ "-logfile" "/var/log/X.${toString cfg.display}.log" ] ++ optional (!cfg.enableTCP) "-nolisten tcp"; services.xserver.modules = -- cgit 1.4.1 From c99608c63808f0fe244fe9619ef6d97bf8a5af6f Mon Sep 17 00:00:00 2001 
From: Eelco Dolstra Date: Tue, 24 May 2016 21:29:22 +0200 Subject: Add an option to write the X session log to the journal ... rather than ~/.xsession-errors. It might make sense to make this the default, in order to eliminate ad hoc, uncentralised, poorly discoverable log files. --- .../services/x11/display-managers/default.nix | 20 +++++++++++++++++++- nixos/modules/testing/test-instrumentation.nix | 2 ++ 2 files changed, 21 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 376f9f4b46b5..09735dac0eb0 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -32,6 +32,12 @@ let '' #! ${pkgs.bash}/bin/bash + ${optionalString cfg.displayManager.logToJournal '' + if [ -z "$_DID_SYSTEMD_CAT" ]; then + _DID_SYSTEMD_CAT=1 exec ${config.systemd.package}/bin/systemd-cat -t xsession -- "$0" "$sessionType" + fi + ''} + . /etc/profile cd "$HOME" @@ -39,7 +45,7 @@ let sessionType="$1" if [ "$sessionType" = default ]; then sessionType=""; fi - ${optionalString (!cfg.displayManager.job.logsXsession) '' + ${optionalString (!cfg.displayManager.job.logsXsession && !cfg.displayManager.logToJournal) '' exec > ~/.xsession-errors 2>&1 ''} @@ -83,6 +89,8 @@ let # .local/share doesn't exist yet. mkdir -p $HOME/.local/share + unset _DID_SYSTEMD_CAT + ${cfg.displayManager.sessionCommands} # Allow the user to execute commands at the beginning of the X session. @@ -278,6 +286,16 @@ in }; + logToJournal = mkOption { + type = types.bool; + default = true; + description = '' + By default, the stdout/stderr of sessions is written + to ~/.xsession-errors. When this option + is enabled, it will instead be written to the journal. + ''; + }; + }; }; 
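Review bot: With `logToJournal` defaulting to `true`, every X session's stdout/stderr is re-executed through `systemd-cat -t xsession` into the journal, where readability is governed by journal access (the `systemd-journal`/`adm` groups and `SplitMode`) rather than by the user's home directory, so whatever applications print — URLs, debug output, window titles — may become visible to other journal readers, and on setups without per-uid split a user may no longer be able to read their own session log. That trade-off belongs in the option description, e.g. append `Session output is then readable by every user who can read the journal, not only the session owner.`, and the default change should be mentioned in the 16.09 release notes since `~/.xsession-errors` stops being written. The xsession script and the `let` that defines it start outside the hunks.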
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index f0f56b17f20f..40a40c8a5700 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -113,6 +113,8 @@ let kernel = config.boot.kernelPackages.kernel; in # Make it easy to log in as root when running the test interactively. users.extraUsers.root.initialHashedPassword = mkOverride 150 ""; + services.xserver.displayManager.logToJournal = true; + }; } -- cgit 1.4.1 From c726773f26373381331d32ed3521290c288438fc Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 May 2016 21:36:56 +0200 Subject: cpufreq: Fix "sh: modprobe: command not found" --- nixos/modules/tasks/cpu-freq.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/tasks/cpu-freq.nix b/nixos/modules/tasks/cpu-freq.nix index 70bbee8474eb..1f4d1db33cef 100644 --- a/nixos/modules/tasks/cpu-freq.nix +++ b/nixos/modules/tasks/cpu-freq.nix @@ -38,7 +38,7 @@ in description = "CPU Frequency Governor Setup"; after = [ "systemd-modules-load.service" ]; wantedBy = [ "multi-user.target" ]; - path = [ cpupower ]; + path = [ cpupower config.system.sbin.modprobe ]; unitConfig.ConditionVirtualization = false; serviceConfig = { Type = "oneshot"; -- cgit 1.4.1 From 47950b53538471c1aff04b00790fadded7eca207 Mon Sep 17 00:00:00 2001 From: obadz Date: Tue, 24 May 2016 23:34:28 +0100 Subject: modules/misc/version.nix: populate nixosRevision based on when possible (#15624) Example: $ nixos-option system.nixosLabel Value: "16.09.git.4643ca1" --- lib/sources.nix | 26 ++++++++++++++++++++++++++ nixos/modules/misc/version.nix | 8 ++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/lib/sources.nix b/lib/sources.nix index 4ed16d65d2b7..6b19b192dfd6 100644 --- a/lib/sources.nix +++ b/lib/sources.nix 
@@ -29,4 +29,30 @@ rec { in type == "directory" || lib.any (ext: lib.hasSuffix ext base) exts; in builtins.filterSource filter path; + # Get the commit id of a git repo + # Example: commitIdFromGitRepo + commitIdFromGitRepo = + let readCommitFromFile = path: file: + with builtins; + let fileName = toString path + "/" + file; + packedRefsName = toString path + "/packed-refs"; + in if lib.pathExists fileName + then + let fileContent = readFile fileName; + # Sometimes git stores the commitId directly in the file but + # sometimes it stores something like: «ref: refs/heads/branch-name» + matchRef = match "^ref: (.*)\n$" fileContent; + in if isNull matchRef + then lib.removeSuffix "\n" fileContent + else readCommitFromFile path (lib.head matchRef) + # Sometimes, the file isn't there at all and has been packed away in the + # packed-refs file, so we have to grep through it: + else if lib.pathExists packedRefsName + then + let packedRefs = lib.splitString "\n" (readFile packedRefsName); + matchRule = match ("^(.*) " + file + "$"); + matchedRefs = lib.flatten (lib.filter (m: ! (isNull m)) (map matchRule packedRefs)); + in lib.head matchedRefs + else throw ("Not a .git directory: " + path); + in lib.flip readCommitFromFile "HEAD"; } diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index f12ecc1b88ec..fd7cadf76cc1 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -5,9 +5,11 @@ with lib; let cfg = config.system; - releaseFile = "${toString pkgs.path}/.version"; - suffixFile = "${toString pkgs.path}/.version-suffix"; + releaseFile = "${toString pkgs.path}/.version"; + suffixFile = "${toString pkgs.path}/.version-suffix"; revisionFile = "${toString pkgs.path}/.git-revision"; + gitRepo = "${toString pkgs.path}/.git"; + gitCommitId = lib.substring 0 7 (commitIdFromGitRepo gitRepo); in { 
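Review bot: `commitIdFromGitRepo` ends with `lib.head matchedRefs`, which surfaces as Nix's generic "list is empty" error when the ref named by HEAD is neither a loose file nor present in `packed-refs` (an unborn branch, for example), and it assumes `.git` is a directory, whereas the caller's `pathExists gitRepo` is also true for a worktree or submodule where `.git` is a file and `readFile` of `.git/HEAD` then fails at evaluation. Replace the last line with `in if matchedRefs == [] then throw ("Could not find " + file + " in " + packedRefsName) else lib.head matchedRefs`, and have the caller test `builtins.pathExists "${gitRepo}/HEAD"` instead of the directory alone. `file` is also spliced unescaped into the regex in `matchRule`; ref names may contain `.` or `+`, which matches loosely rather than failing, so a one-line comment noting that this is accepted would save the next reader a detour.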
@@ -102,6 +104,8 @@ in # changing them would not rebuild the manual nixosLabel = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion); nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix)); + nixosRevision = mkIf (pathExists gitRepo) (mkDefault gitCommitId); + nixosVersionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId)); # Note: code names must only increase in alphabetical order. nixosCodeName = "Flounder"; -- cgit 1.4.1 From fe875b41004bafd898645fe3856420b18c63f3f5 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 May 2016 10:21:14 +0200 Subject: nixos/tests/boot.nix: Remove empty module --- nixos/tests/boot.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/tests/boot.nix b/nixos/tests/boot.nix index af7db5aa8164..3ea0df65c8b5 100644 --- a/nixos/tests/boot.nix +++ b/nixos/tests/boot.nix @@ -12,7 +12,6 @@ let modules = [ ../modules/installer/cd-dvd/installation-cd-minimal.nix ../modules/testing/test-instrumentation.nix - { key = "serial"; } ]; }).config.system.build.isoImage; @@ -30,20 +29,25 @@ let ''; }; in { + biosCdrom = makeBootTest "bios-cdrom" '' cdrom => glob("${iso}/iso/*.iso") ''; + biosUsb = makeBootTest "bios-usb" '' usb => glob("${iso}/iso/*.iso") ''; + uefiCdrom = makeBootTest "uefi-cdrom" '' cdrom => glob("${iso}/iso/*.iso"), bios => '${pkgs.OVMF}/FV/OVMF.fd' ''; + uefiUsb = makeBootTest "uefi-usb" '' usb => glob("${iso}/iso/*.iso"), bios => '${pkgs.OVMF}/FV/OVMF.fd' ''; + netboot = let config = (import ../lib/eval-config.nix { inherit system; -- cgit 1.4.1 From 32bed83b1804de5e905a2459603dde2b958bb847 Mon Sep 17 00:00:00 2001 
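Review bot: `pathExists gitRepo` is also true when `.git` is a gitfile (a worktree or submodule checkout) rather than a directory, and in that case `commitIdFromGitRepo` reaches its `throw` because neither `HEAD` nor `packed-refs` exists under it, so evaluation fails instead of leaving `nixosRevision` to its other default. A tighter guard for both new lines is `mkIf (pathExists "${gitRepo}/HEAD")`, assuming `gitRepo` is the plain string defined in the previous hunk. A one-line comment above the pair, such as `# Read from the checked-out nixpkgs .git directory at evaluation time, when present`, would also make the working-tree dependency visible to readers of version.nix.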
From: Eelco Dolstra Date: Wed, 25 May 2016 10:34:54 +0200 Subject: Remove boot.loader.grub.timeout and boot.loader.gummiboot.timeout There is a generic boot.loader.timeout option. --- nixos/modules/installer/cd-dvd/iso-image.nix | 2 +- nixos/modules/rename.nix | 2 ++ nixos/modules/system/boot/loader/grub/grub.nix | 11 ++--------- nixos/modules/system/boot/loader/gummiboot/gummiboot.nix | 16 +--------------- nixos/modules/virtualisation/amazon-image.nix | 2 +- nixos/modules/virtualisation/azure-common.nix | 4 ++-- nixos/modules/virtualisation/brightbox-image.nix | 2 +- nixos/modules/virtualisation/google-compute-image.nix | 2 +- nixos/modules/virtualisation/nova-image.nix | 2 +- 9 files changed, 12 insertions(+), 31 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index c31ded977e68..bdb3c227ecc8 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -79,7 +79,7 @@ let echo "options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset" >> $out/loader/entries/nixos-livecd-nomodeset.conf echo "default nixos-livecd" > $out/loader/loader.conf - echo "timeout ${builtins.toString config.boot.loader.gummiboot.timeout}" >> $out/loader/loader.conf + echo "timeout ${builtins.toString config.boot.loader.timeout}" >> $out/loader/loader.conf ''; efiImg = pkgs.runCommand "efi-image_eltorito" { buildInputs = [ pkgs.mtools pkgs.libfaketime ]; } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 2f37f180c7ec..3440261c3965 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
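Review bot: The iso-image.nix hunk writes `timeout ${builtins.toString config.boot.loader.timeout}`, and the grub.nix hunk in this same commit tests `config.boot.loader.timeout == null`, so a null value now produces a `timeout ` line with no value in loader.conf where the removed `gummiboot.timeout` option substituted 10000. The gummiboot.nix hunk has the same gap: its fallback for null becomes `""` instead of the previous 10000 default, which silently changes menu behaviour for configurations that leave the generic option unset, if its default is null. Pick one null policy (the old 10000 fallback, or omitting the `timeout` line entirely) and apply it in both places, e.g. `echo "timeout ${builtins.toString (if config.boot.loader.timeout == null then 10000 else config.boot.loader.timeout)}" >> $out/loader/loader.conf`.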
@@ -34,6 +34,8 @@ with lib; # Old Grub-related options. (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ]) (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ]) + (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ]) + (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ]) # smartd (mkRenamedOptionModule [ "services" "smartd" "deviceOpts" ] [ "services" "smartd" "defaults" "monitored" ]) diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 7fc467b60f7b..2e06a684f0cc 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -48,12 +48,13 @@ let bootPath = args.path; storePath = config.boot.loader.grub.storePath; bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId; + timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout; inherit efiSysMountPoint; inherit (args) devices; inherit (efi) canTouchEfiVariables; inherit (cfg) version extraConfig extraPerEntryConfig extraEntries - extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout + extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios; path = (makeBinPath ([ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs @@ -313,14 +314,6 @@ in ''; }; - timeout = mkOption { - default = if (config.boot.loader.timeout != null) then config.boot.loader.timeout else -1; - type = types.int; - description = '' - Timeout (in seconds) until GRUB boots the default menu item. - ''; - }; - default = mkOption { default = 0; type = types.int; 
diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix index 69ad2c6d44f4..aec697da4a1a 100644 --- a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix +++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix @@ -16,7 +16,7 @@ let nix = config.nix.package.out; - timeout = if cfg.timeout != null then cfg.timeout else ""; + timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else ""; inherit (efi) efiSysMountPoint canTouchEfiVariables; }; @@ -29,20 +29,6 @@ in { description = "Whether to enable the gummiboot UEFI boot manager"; }; - - timeout = mkOption { - default = if config.boot.loader.timeout == null then 10000 else config.boot.loader.timeout; - - example = 4; - - type = types.nullOr types.int; - - description = '' - Timeout (in seconds) for how long to show the menu (null if none). - Note that even with no timeout the menu can be forced if the space - key is pressed during bootup - ''; - }; }; config = mkIf cfg.enable { diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 5d99bccb0e93..9e8417cde1df 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -32,8 +32,8 @@ let cfg = config.ec2; in # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. boot.loader.grub.version = if cfg.hvm then 2 else 1; boot.loader.grub.device = if cfg.hvm then "/dev/xvda" else "nodev"; - boot.loader.grub.timeout = 0; boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)"; + boot.loader.timeout = 0; boot.initrd.postDeviceCommands = '' diff --git a/nixos/modules/virtualisation/azure-common.nix b/nixos/modules/virtualisation/azure-common.nix index eedf115ee150..70a3d752f6d1 100644 --- a/nixos/modules/virtualisation/azure-common.nix +++ b/nixos/modules/virtualisation/azure-common.nix 
@@ -10,10 +10,10 @@ with lib; boot.kernelParams = [ "console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail" ]; boot.initrd.kernelModules = [ "hv_vmbus" "hv_netvsc" "hv_utils" "hv_storvsc" ]; - # Generate a GRUB menu. + # Generate a GRUB menu. boot.loader.grub.device = "/dev/sda"; boot.loader.grub.version = 2; - boot.loader.grub.timeout = 0; + boot.loader.timeout = 0; # Don't put old configurations in the GRUB menu. The user has no # way to select them anyway. diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix index bcafc06e47c0..456a19fc2512 100644 --- a/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixos/modules/virtualisation/brightbox-image.nix @@ -94,7 +94,7 @@ in # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. boot.loader.grub.device = "/dev/vda"; - boot.loader.grub.timeout = 0; + boot.loader.timeout = 0; # Don't put old configurations in the GRUB menu. The user has no # way to select them anyway. diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 38417315df5b..2b522dbe2660 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -102,7 +102,7 @@ in # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. boot.loader.grub.device = "/dev/sda"; - boot.loader.grub.timeout = 0; + boot.loader.timeout = 0; # Don't put old configurations in the GRUB menu. The user has no # way to select them anyway. diff --git a/nixos/modules/virtualisation/nova-image.nix b/nixos/modules/virtualisation/nova-image.nix index 13e36e7888b5..7971212b47c5 100644 --- a/nixos/modules/virtualisation/nova-image.nix +++ b/nixos/modules/virtualisation/nova-image.nix 
@@ -27,7 +27,7 @@ with lib; boot.kernelParams = [ "console=ttyS0" ]; boot.loader.grub.device = "/dev/vda"; - boot.loader.grub.timeout = 0; + boot.loader.timeout = 0; # Allow root logins services.openssh.enable = true; -- cgit 1.4.1 From 845c9b50bf7137c3e21f443e70ebcb16510f4e68 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 May 2016 13:23:32 +0200 Subject: boot.initrd.luks.devices: Change into an attribute set This allows setting options for the same LUKS device in different modules. For example, the auto-generated hardware-configuration.nix can contain boot.initrd.luks.devices.crypted.device = "/dev/disk/..."; while configuration.nix can add boot.initrd.luks.devices.crypted.allowDiscards = true; Also updated the examples/docs to use /disk/disk/by-uuid instead of /dev/sda, since we shouldn't promote the use of the latter. --- .../doc/manual/configuration/luks-file-systems.xml | 12 +++---- nixos/modules/system/boot/luksroot.nix | 42 +++++++++++----------- nixos/modules/virtualisation/qemu-vm.nix | 2 +- nixos/tests/installer.nix | 3 +- 4 files changed, 29 insertions(+), 30 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/configuration/luks-file-systems.xml b/nixos/doc/manual/configuration/luks-file-systems.xml index 45475dbcd446..88b506d5323d 100644 --- a/nixos/doc/manual/configuration/luks-file-systems.xml +++ b/nixos/doc/manual/configuration/luks-file-systems.xml 
@@ -9,21 +9,21 @@ NixOS supports file systems that are encrypted using LUKS (Linux Unified Key Setup). For example, here is how you create an encrypted Ext4 file system on the device -/dev/sda2: +/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: -$ cryptsetup luksFormat /dev/sda2 +$ cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d WARNING! ======== -This will overwrite data on /dev/sda2 irrevocably. +This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: *** Verify passphrase: *** -$ cryptsetup luksOpen /dev/sda2 crypted -Enter passphrase for /dev/sda2: *** +$ cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted +Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: *** $ mkfs.ext4 /dev/mapper/crypted @@ -33,7 +33,7 @@ as /, add the following to configuration.nix: -boot.initrd.luks.devices = [ { device = "/dev/sda2"; name = "crypted"; } ]; +boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d"; fileSystems."/".device = "/dev/mapper/crypted"; diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 77a82547031a..400293d0e2e9 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' # Wait for luksRoot to appear, e.g. if on a usb drive. # XXX: copied and adapted from stage-1-init.sh - should be # available as a function. 
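Review bot: `assert name' == name;` in the new `openCommand` signature fails with only a source position on mismatch, which cannot happen through the defaults (the later hunk sets `name` to the attribute name) but produces a confusing error if a user sets `name` explicitly to a different value. Replacing it with `if name' != name then throw ("boot.initrd.luks.devices." + name' + ".name must equal the attribute name") else` in front of the string gives the user both names. The body of `openCommand` continues outside the hunk.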
@@ -192,9 +192,8 @@ let ''} ''; - isPreLVM = f: f.preLVM; - preLVM = filter isPreLVM luks.devices; - postLVM = filter (f: !(isPreLVM f)) luks.devices; + preLVM = filterAttrs (n: v: v.preLVM) luks.devices; + postLVM = filterAttrs (n: v: !v.preLVM) luks.devices; in { @@ -228,31 +227,31 @@ in }; boot.initrd.luks.devices = mkOption { - default = [ ]; - example = literalExample ''[ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]''; + default = { }; + example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; description = '' - The list of devices that should be decrypted using LUKS before trying to mount the - root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups. - - The devices are decrypted to the device mapper names defined. - - Make sure that initrd has the crypto modules needed for decryption. + The encrypted disk that should be opened before the root + filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM + setups are sypported. The unencrypted devices can be accessed as + /dev/mapper/name. ''; - type = types.listOf types.optionSet; + type = types.loaOf types.optionSet; - options = { + options = { name, ... }: { options = { name = mkOption { + visible = false; + default = name; example = "luksroot"; type = types.str; - description = "Named to be used for the generated device in /dev/mapper."; + description = "Name of the unencrypted device in /dev/mapper."; }; device = mkOption { - example = "/dev/sda2"; + example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; type = types.str; - description = "Path of the underlying block device."; + description = "Path of the underlying encrypted block device."; }; header = mkOption { @@ -289,6 +288,7 @@ in ''; }; + # FIXME: get rid of this option. preLVM = mkOption { default = true; type = types.bool; @@ -394,7 +394,7 @@ in }; }; - }; + }; }; }; boot.initrd.luks.yubikeySupport = mkOption { 
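Review bot: The new description of `boot.initrd.luks.devices` has a typo (`sypported`) and speaks of a single disk although the option is now an attribute set of devices. Suggested wording: `The encrypted disks that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/name.` The `name` sub-option is hidden with `visible = false` but still settable; a short comment noting that it exists only for backwards compatibility with the old list form would explain why it is kept.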
@@ -408,7 +408,7 @@ in }; }; - config = mkIf (luks.devices != []) { + config = mkIf (luks.devices != {}) { # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks @@ -463,8 +463,8 @@ in ''} ''; - boot.initrd.preLVMCommands = concatMapStrings openCommand preLVM; - boot.initrd.postDeviceCommands = concatMapStrings openCommand postLVM; + boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM); + boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM); environment.systemPackages = [ pkgs.cryptsetup ]; }; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 8aa643687557..9d9b725a805d 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -465,7 +465,7 @@ in }); swapDevices = mkVMOverride [ ]; - boot.initrd.luks.devices = mkVMOverride []; + boot.initrd.luks.devices = mkVMOverride {}; # Don't run ntpd in the guest. It should get the correct time from KVM. services.ntp.enable = false; diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 7b949ff93be7..866f98825362 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -363,8 +363,7 @@ in { # XXX: Currently, generate-config doesn't detect LUKS yet. extraConfig = '' boot.kernelParams = lib.mkAfter [ "console=tty0" ]; - boot.initrd.luks.devices = lib.singleton { - name = "cryptroot"; + boot.initrd.luks.devices.cryptroot = { device = "/dev/vda3"; preLVM = true; }; -- cgit 1.4.1 From c6ab4ab20613150dab0496958e21c14bbe0ca350 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 May 2016 14:56:28 +0200 Subject: nixos-generate-config: Enable strictness --- nixos/modules/installer/tools/nixos-generate-config.pl | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'nixos') 
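Review bot: `mapAttrsToList openCommand preLVM` emits the open commands in attribute-name order, whereas the removed `concatMapStrings` over a list preserved the order in which the user listed the devices; any setup where one device must be opened before another (the `keyFile` parameter in the earlier `openCommand` hunk suggests such dependencies may exist) now relies on the names sorting correctly. This is worth a sentence in the option description, e.g. `Devices are opened in alphabetical order of their attribute names; choose names accordingly if one device must be opened before another.` The same applies to the `postLVM` line.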
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 8e75f8d3c40a..ed6c1b2dcd31 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -1,5 +1,6 @@ #! @perl@ +use strict; use Cwd 'abs_path'; use File::Spec; use File::Path; @@ -69,6 +70,7 @@ for (my $n = 0; $n < scalar @ARGV; $n++) { my @attrs = (); my @kernelModules = (); my @initrdKernelModules = (); +my @initrdAvailableKernelModules = (); my @modulePackages = (); my @imports; @@ -379,7 +381,7 @@ EOF # Is this a btrfs filesystem? if ($fsType eq "btrfs") { my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint"); - if ($status != 0 || join("", @msg) =~ /ERROR:/) { + if ($status != 0 || join("", @id_info) =~ /ERROR:/) { die "Failed to retrieve subvolume info for $mountPoint\n"; } my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/; @@ -440,7 +442,7 @@ sub toNixList { sub multiLineList { my $indent = shift; return " [ ]" if !@_; - $res = "\n${indent}[ "; + my $res = "\n${indent}[ "; my $first = 1; foreach my $s (@_) { $res .= "$indent " if !$first; @@ -494,7 +496,7 @@ if ($showHardwareConfig) { if ($force || ! -e $fn) { print STDERR "writing $fn...\n"; - my $bootloaderConfig = ""; + my $bootLoaderConfig = ""; if (-e "/sys/firmware/efi/efivars") { $bootLoaderConfig = < Date: Wed, 25 May 2016 15:34:37 +0200 Subject: nixos-generate-config: Emit LUKS configuration for boot device --- nixos/doc/manual/man-nixos-generate-config.xml | 4 ++-- .../installer/tools/nixos-generate-config.pl | 23 ++++++++++++++++++++-- 2 files changed, 23 insertions(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/man-nixos-generate-config.xml b/nixos/doc/manual/man-nixos-generate-config.xml index 140642bc9c9c..993a932ddfbe 100644 --- a/nixos/doc/manual/man-nixos-generate-config.xml +++ b/nixos/doc/manual/man-nixos-generate-config.xml 
@@ -113,8 +113,8 @@ - Omit everything concerning file system information - (which includes swap devices) from the hardware configuration. + Omit everything concerning file systems and swap devices + from the hardware configuration. diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index ed6c1b2dcd31..ca7fb71ba9b8 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -410,7 +410,7 @@ EOF EOF if (scalar @extraOptions > 0) { - $fileSystems .= < 'quiet') =~ /^CRYPT-LUKS/) + { + my @slaves = glob("/sys/class/block/$deviceName/slaves/*"); + if (scalar @slaves == 1) { + my $slave = "/dev/" . basename($slaves[0]); + if (-e $slave) { + my $dmName = read_file("/sys/class/block/$deviceName/dm/name"); + chomp $dmName; + $fileSystems .= " boot.initrd.luks.devices.\"$dmName\".device = \"${\(findStableDevPath $slave)}\";\n\n"; + } + } + } + } } @@ -459,7 +478,7 @@ my $modulePackages = toNixList(uniq @modulePackages); my $fsAndSwap = ""; if (!$noFilesystems) { - $fsAndSwap = "\n${fileSystems} "; + $fsAndSwap = "\n$fileSystems "; $fsAndSwap .= "swapDevices =" . multiLineList(" ", @swapDevices) . ";\n"; } -- cgit 1.4.1 From 331fa2feff8cbdca5cc831d1fae36d9505618124 Mon Sep 17 00:00:00 2001 From: obadz Date: Wed, 25 May 2016 17:29:29 +0100 Subject: xsession: fix variable read before set introduced in c99608c --- nixos/modules/services/x11/display-managers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 09735dac0eb0..862ddc1d13f2 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix 
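Review bot: `$dmName`, read from `/sys/class/block/$deviceName/dm/name`, is interpolated into a Nix string literal in the generated hardware-configuration.nix without escaping, so a mapping name containing `"`, `\` or `${` yields a file that does not parse, or one whose attribute name is not the plain device name. Escape it before use, `$dmName =~ s/(["\\\$])/\\$1/g;`, or warn and skip names outside a conservative pattern such as `/^[A-Za-z0-9_.-]+$/` instead of emitting them. The enclosing loop over mount points starts outside the hunk.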
@@ -34,7 +34,7 @@ let ${optionalString cfg.displayManager.logToJournal '' if [ -z "$_DID_SYSTEMD_CAT" ]; then - _DID_SYSTEMD_CAT=1 exec ${config.systemd.package}/bin/systemd-cat -t xsession -- "$0" "$sessionType" + _DID_SYSTEMD_CAT=1 exec ${config.systemd.package}/bin/systemd-cat -t xsession -- "$0" "$1" fi ''} -- cgit 1.4.1 From e78a99c35b046aeebbae8213321d3181cd908d4f Mon Sep 17 00:00:00 2001 From: obadz Date: Thu, 26 May 2016 04:00:58 +0100 Subject: nixos/tests/installer.nix: nixos-generate-config detects LUKS since a7baec7 Fixes nix-build '' -A tests.installer.luksroot.x86_64-linux --- nixos/tests/installer.nix | 5 ----- 1 file changed, 5 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 866f98825362..3fdf6510953e 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -360,13 +360,8 @@ in { "mount LABEL=boot /mnt/boot", ); ''; - # XXX: Currently, generate-config doesn't detect LUKS yet. extraConfig = '' boot.kernelParams = lib.mkAfter [ "console=tty0" ]; - boot.initrd.luks.devices.cryptroot = { - device = "/dev/vda3"; - preLVM = true; - }; ''; enableOCR = true; preBootCommands = '' -- cgit 1.4.1 From 467cd6f3a45cc2255baf59a33e0a59cf03f06383 Mon Sep 17 00:00:00 2001 From: Domen Kožar Date: Thu, 26 May 2016 10:46:48 +0100 Subject: Make i3wm test a release blocker Catch issues like https://github.com/NixOS/nixpkgs/commit/331fa2feff8cbdca5cc831d1fae36d9505618124 --- nixos/release-combined.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos') diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index c8c4df5c9138..f275291c716c 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -69,6 +69,7 @@ in rec { (all nixos.tests.boot.uefiUsb) (all nixos.tests.boot-stage1) (all nixos.tests.ipv6) + (all nixos.tests.i3wm) (all nixos.tests.kde4) #(all nixos.tests.lightdm) (all nixos.tests.login) -- cgit 1.4.1 
From cb796ccd0919e5a698e76091753efa8e464527ee Mon Sep 17 00:00:00 2001 From: aszlig Date: Thu, 26 May 2016 14:14:07 +0200 Subject: nixos/test-driver/Logger: Replace invalid UTF-8 Regression introduced by d84741a4bfb6ed2531ec7154479c147d2c9a737c. The mentioned commit actually is a good thing, because we now get the output from the X session. Unfortunately, for the i3wm test, the i3-config-wizard prints out the raw keyboard symbols directly coming from xcb, so the output isn't necessarily proper UTF-8. As the XML::Writer already expects valid UTF-8 input, we assume that everything that comes into sanitise() will be UTF-8 from the start. So we just decode() it using FB_DEFAULT as the check argument so that every invalid character is replaced by the unicode replacement character: https://en.wikipedia.org/wiki/Specials_(Unicode_block)#Replacement_character We simply re-oncode it again afterwards and return it, so we should always get out valid UTF-8 in the log XML. For more information about FB_DEFAULT and FB_CROAK, have a look at: http://search.cpan.org/~dankogai/Encode-2.84/Encode.pm#Handling_Malformed_Data Signed-off-by: aszlig --- nixos/lib/test-driver/Logger.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/lib/test-driver/Logger.pm b/nixos/lib/test-driver/Logger.pm index 6e62fdfd7708..3fe5ef67c144 100644 --- a/nixos/lib/test-driver/Logger.pm +++ b/nixos/lib/test-driver/Logger.pm @@ -3,6 +3,7 @@ package Logger; use strict; use Thread::Queue; use XML::Writer; +use Encode qw(decode encode); sub new { my ($class) = @_; @@ -56,7 +57,8 @@ sub nest { sub sanitise { my ($s) = @_; $s =~ s/[[:cntrl:]\xff]//g; - return $s; + $s = decode('UTF-8', $s, Encode::FB_DEFAULT); + return encode('UTF-8', $s, Encode::FB_CROAK); } sub log { -- cgit 1.4.1 From ecd3cbb9e764ac75865bc5fb91e8afb2c5ebfdb8 Mon Sep 17 00:00:00 2001 
From: aszlig Date: Thu, 26 May 2016 15:03:01 +0200 Subject: nixos/tests/vbox: Start X server with user "alice" The VirtualBox tests so far ran the X server as root instead of user "alice" and it did work, because we had access control turned off by default. Fortunately, it was changed in 1541fa351b4d664c51dddaeaa67ee0652892f405. As a side effect, it caused all the VirtualBox tests to fail because they now can't connect to the X server, which is a good thing because it's a bug of the VirtualBox tests. So to fix it, let's just start the X server as user alice. Signed-off-by: aszlig --- nixos/tests/virtualbox.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos') diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index da4c0bddc348..06efb034c086 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -326,6 +326,7 @@ let in [ ./common/user-account.nix ./common/x11.nix ] ++ vmConfigs; virtualisation.memorySize = 2048; virtualisation.virtualbox.host.enable = true; + services.xserver.displayManager.auto.user = "alice"; users.extraUsers.alice.extraGroups = let inherit (config.virtualisation.virtualbox.host) enableHardening; in lib.mkIf enableHardening (lib.singleton "vboxusers"); -- cgit 1.4.1 From b37d6d8996cf9270d5a74e5bec605b79ec35b862 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 26 May 2016 15:36:15 +0200 Subject: Fix failure to start old containers The existence of $root/var/lib/private/host-notify as a socket prevented a bind mount: container foo[8083]: Failed to create mount point /var/lib/containers/foo/var/lib/private/host-notify: No such device or address --- nixos/modules/virtualisation/containers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index fca21a8610be..dc65e4940549 100644 --- a/nixos/modules/virtualisation/containers.nix 
+++ b/nixos/modules/virtualisation/containers.nix @@ -338,7 +338,7 @@ in fi ''} - + rm -f $root/var/lib/private/host-notify # Run systemd-nspawn without startup notification (we'll # wait for the container systemd to signal readiness). -- cgit 1.4.1 From 8fbdb40ef0ce39e6605db3dfd223402636de8907 Mon Sep 17 00:00:00 2001 From: Alexander Ried Date: Thu, 26 May 2016 16:25:36 +0200 Subject: services.*ntp*: Add time-sync.target to ntp clients (#15714) See: https://www.freedesktop.org/software/systemd/man/systemd.special.html#time-sync.target --- nixos/modules/services/networking/chrony.nix | 6 ++++-- nixos/modules/services/networking/ntpd.nix | 2 ++ nixos/modules/services/networking/openntpd.nix | 3 ++- 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix index 1cd678e7c621..a38142b4a08f 100644 --- a/nixos/modules/services/networking/chrony.nix +++ b/nixos/modules/services/networking/chrony.nix @@ -64,7 +64,7 @@ in ###### implementation - config = mkIf config.services.chrony.enable { + config = mkIf cfg.enable { # Make chronyc available in the system path environment.systemPackages = [ pkgs.chrony ]; @@ -101,12 +101,14 @@ in home = stateDir; }; - systemd.services.ntpd.enable = false; + systemd.services.ntpd.enable = mkForce false; systemd.services.chronyd = { description = "chrony NTP daemon"; wantedBy = [ "multi-user.target" ]; + wants = [ "time-sync.target" ]; + before = [ "time-sync.target" ]; after = [ "network.target" ]; conflicts = [ "ntpd.service" "systemd-timesyncd.service" ]; diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix index 5256fc9bc071..c8a085679280 100644 --- a/nixos/modules/services/networking/ntpd.nix +++ b/nixos/modules/services/networking/ntpd.nix 
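Review bot: `rm -f $root/var/lib/private/host-notify` is run from the host on a path inside the container's root file system, and intermediate components such as `var/lib/private` can be replaced by a symlink from within the container, in which case the host removes a file named `host-notify` wherever that link points. NixOS containers are not presented as a security boundary, so this is mainly a robustness point, but the reason for the removal belongs in the code rather than only in the commit message: `# Remove a stale host-notify socket left by older containers; it would otherwise block the bind mount of /var/lib/private.` Quoting `"$root"` would also match the safer shell style, though the surrounding script leaves it unquoted too.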
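Review bot: `before = [ "time-sync.target" ]` in the chronyd unit orders the target after the daemon has been started, not after the clock has actually been synchronised, so units that pull in time-sync.target to wait for a correct clock may still run with an unsynchronised clock unless the service type delays start-up until synchronisation completes. The same applies to the ntpd.nix and openntpd.nix hunks that follow. A comment on the new lines, e.g. `# Orders time-sync.target after daemon start-up; the clock is not guaranteed to be synchronised yet (see systemd.special(7))`, would set expectations for consumers of the target. The change from `mkIf config.services.chrony.enable` to `mkIf cfg.enable` presumably relies on a `cfg` binding outside the hunk.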
@@ -82,6 +82,8 @@ in { description = "NTP Daemon"; wantedBy = [ "multi-user.target" ]; + wants = [ "time-sync.target" ]; + before = [ "time-sync.target" ]; preStart = '' diff --git a/nixos/modules/services/networking/openntpd.nix b/nixos/modules/services/networking/openntpd.nix index e53fc574fbea..a8625fa2fa91 100644 --- a/nixos/modules/services/networking/openntpd.nix +++ b/nixos/modules/services/networking/openntpd.nix @@ -64,7 +64,8 @@ in systemd.services.openntpd = { description = "OpenNTP Server"; wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; + wants = [ "network-online.target" "time-sync.target" ]; + before = [ "time-sync.target" ]; after = [ "dnsmasq.service" "bind.service" "network-online.target" ]; serviceConfig.ExecStart = "${package}/sbin/ntpd -d -f ${cfgFile} ${cfg.extraOptions}"; }; -- cgit 1.4.1