From 2307d2454481d26e22a02456a8e988c7b1196a27 Mon Sep 17 00:00:00 2001 From: Christian Albrecht Date: Wed, 23 Dec 2015 06:02:59 +0100 Subject: networkd: add IPForward and IPMasquerade options to Network config section --- nixos/modules/system/boot/networkd.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 34eea9af83b1..b9fb4b12e7d2 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -93,11 +93,13 @@ let checkNetwork = checkUnitConfig "Network" [ (assertOnlyFields [ - "Description" "DHCP" "DHCPServer" "IPv4LL" "IPv4LLRoute" + "Description" "DHCP" "DHCPServer" "IPForward" "IPMasquerade" "IPv4LL" "IPv4LLRoute" "LLMNR" "Domains" "Bridge" "Bond" ]) (assertValueOneOf "DHCP" ["both" "none" "v4" "v6"]) (assertValueOneOf "DHCPServer" boolValues) + (assertValueOneOf "IPForward" ["yes" "no" "ipv4" "ipv6"]) + (assertValueOneOf "IPMasquerade" boolValues) (assertValueOneOf "IPv4LL" boolValues) (assertValueOneOf "IPv4LLRoute" boolValues) (assertValueOneOf "LLMNR" boolValues) -- cgit 1.4.1 From 83a64cecc9fbe62d187428535774b2a1293afeaf Mon Sep 17 00:00:00 2001 From: Christian Albrecht Date: Wed, 23 Dec 2015 06:04:39 +0100 Subject: networkd: add DHCPServer config section --- nixos/modules/system/boot/networkd.nix | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index b9fb4b12e7d2..ab7485500261 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -131,6 +131,16 @@ let (assertValueOneOf "RequestBroadcast" boolValues) ]; + checkDhcpServer = checkUnitConfig "DHCPServer" [ + (assertOnlyFields [ + "PoolOffset" "PoolSize" "DefaultLeaseTimeSec" "MaxLeaseTimeSec" + "EmitDNS" "DNS" "EmitNTP" "NTP" "EmitTimezone" "Timezone" + ]) + (assertValueOneOf "EmitDNS" boolValues) + (assertValueOneOf "EmitNTP" boolValues) + (assertValueOneOf "EmitTimezone" boolValues) + ]; + commonNetworkOptions = { enable = mkOption { @@ -343,6 +353,18 @@ let ''; }; + dhcpServerConfig = mkOption { + default = {}; + example = { PoolOffset = 50; EmitDNS = false; }; + type = types.addCheck (types.attrsOf unitOption) checkDhcpServer; + description = '' + Each attribute in this set specifies an option in the + [DHCPServer] section of the unit. See + systemd.network + 5 for details. + ''; + }; + name = mkOption { type = types.nullOr types.str; default = null; @@ -567,6 +589,11 @@ let [DHCP] ${attrsToSection def.dhcpConfig} + ''} + ${optionalString (def.dhcpServerConfig != { }) '' + [DHCPServer] + ${attrsToSection def.dhcpServerConfig} + ''} ${flip concatMapStrings def.addresses (x: '' [Address] -- cgit 1.4.1 From 6309f4813717e426084c127c5659aad7a66cf8b0 Mon Sep 17 00:00:00 2001 From: Louis Taylor Date: Fri, 15 Jan 2016 13:11:08 +0000 Subject: rkt: 0.14.0 -> 0.15.0 --- nixos/modules/virtualisation/rkt.nix | 2 ++ pkgs/applications/virtualization/rkt/default.nix | 18 ++++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/virtualisation/rkt.nix b/nixos/modules/virtualisation/rkt.nix index 7b4d46e0749e..c4c5cb3380e8 100644 --- a/nixos/modules/virtualisation/rkt.nix +++ b/nixos/modules/virtualisation/rkt.nix @@ -58,5 +58,7 @@ in ExecStart = "${pkgs.rkt}/bin/rkt gc ${cfg.gc.options}"; }; }; + + users.extraGroups.rkt = {}; }; } diff --git a/pkgs/applications/virtualization/rkt/default.nix b/pkgs/applications/virtualization/rkt/default.nix index abdbb46bc5b1..43228b255a24 100644 --- a/pkgs/applications/virtualization/rkt/default.nix +++ b/pkgs/applications/virtualization/rkt/default.nix @@ -1,15 +1,15 @@ -{ stdenv, lib, autoconf, automake, go, file, git, wget, gnupg1, squashfsTools, cpio -, fetchurl, fetchFromGitHub }: +{ stdenv, lib, autoreconfHook, acl, go, file, git, wget, gnupg1, squashfsTools, + cpio, fetchurl, fetchFromGitHub, iptables, systemd, makeWrapper }: let coreosImageRelease = "794.1.0"; coreosImageSystemdVersion = "222"; # TODO: track https://github.com/coreos/rkt/issues/1758 to allow "host" flavor. - stage1Flavours = [ "coreos" "fly" ]; + stage1Flavours = [ "coreos" "fly" "host" ]; in stdenv.mkDerivation rec { - version = "0.14.0"; + version = "0.15.0"; name = "rkt-${version}"; BUILDDIR="build-${name}"; @@ -17,7 +17,7 @@ in stdenv.mkDerivation rec { rev = "v${version}"; owner = "coreos"; repo = "rkt"; - sha256 = "0dmgs9s40xhan2rh9f5n0k5gv8p2dn946zffq02sq35qqvi67s71"; + sha256 = "1pw14r38p8sdkma37xx0yy3zx5yxqc12zj35anmlbmrgw4vdgavf"; }; stage1BaseImage = fetchurl { @@ -25,7 +25,10 @@ in stdenv.mkDerivation rec { sha256 = "05nzl3av6cawr8v203a8c95c443g6h1nfy2n4jmgvn0j4iyy44ym"; }; - buildInputs = [ autoconf automake go file git wget gnupg1 squashfsTools cpio ]; + buildInputs = [ + autoreconfHook go file git wget gnupg1 squashfsTools cpio acl systemd + makeWrapper + ]; preConfigure = '' ./autogen.sh @@ -45,6 +48,9 @@ in stdenv.mkDerivation rec { installPhase = '' mkdir -p $out/bin cp -Rv $BUILDDIR/bin/* $out/bin + wrapProgram $out/bin/rkt \ + --prefix LD_LIBRARY_PATH : ${systemd}/lib \ + --prefix PATH : ${iptables}/bin ''; meta = with lib; { -- cgit 1.4.1 From 06865208e8516099c5ae54cfcd0c0be24ac9d0b9 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 17 Jan 2016 03:34:39 +0300 Subject: cupsd service: use cups-pk-helper is policykit is enabled --- nixos/modules/services/printing/cupsd.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 0fe25b66da08..6f5df23f3427 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -4,10 +4,13 @@ with lib; let - inherit (pkgs) cups cups_filters; + inherit (pkgs) cups cups-pk-helper cups_filters; cfg = config.services.printing; + avahiEnabled = config.services.avahi.enable; + polkitEnabled = config.security.polkit.enable; + additionalBackends = pkgs.runCommand "additional-cups-backends" { } '' mkdir -p $out @@ -204,7 +207,7 @@ in description = "CUPS printing services"; }; - environment.systemPackages = [ cups ]; + environment.systemPackages = [ cups ] ++ optional polkitEnabled cups-pk-helper; environment.etc."cups/client.conf".text = cfg.clientConf; environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf; @@ -212,7 +215,7 @@ in environment.etc."cups/cups-browsed.conf".text = cfg.browsedConf; environment.etc."cups/snmp.conf".text = cfg.snmpConf; - services.dbus.packages = [ cups ]; + services.dbus.packages = [ cups ] ++ optional polkitEnabled cups-pk-helper; # Cups uses libusb to talk to printers, and does not use the # linux kernel driver. If the driver is not in a black list, it @@ -242,7 +245,7 @@ in ]; }; - systemd.services.cups-browsed = mkIf config.services.avahi.enable + systemd.services.cups-browsed = mkIf avahiEnabled { description = "CUPS Remote Printer Discovery"; wantedBy = [ "multi-user.target" ]; -- cgit 1.4.1 From 8377b4e5d6e008ba528e54d0760f0aea7707d087 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 17 Jan 2016 03:38:52 +0300 Subject: cupsd service: move all default drivers to the bindir directly --- nixos/modules/services/printing/cupsd.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 6f5df23f3427..06de71316ecc 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -33,7 +33,9 @@ let # cupsd.conf tells cupsd to use this tree. bindir = pkgs.buildEnv { name = "cups-progs"; - paths = cfg.drivers; + paths = + [ cups additionalBackends cups_filters pkgs.ghostscript ] + ++ cfg.drivers; pathsToLink = [ "/lib/cups" "/share/cups" "/bin" "/etc/cups" ]; postBuild = cfg.bindirCmds; ignoreCollisions = true; @@ -176,6 +178,7 @@ in drivers = mkOption { type = types.listOf types.path; + default = []; example = literalExample "[ pkgs.splix ]"; description = '' CUPS drivers to use. Drivers provided by CUPS, cups-filters, Ghostscript @@ -263,11 +266,6 @@ in ]; }; - services.printing.drivers = - [ cups pkgs.ghostscript pkgs.cups_filters additionalBackends - pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep - ]; - services.printing.cupsFilesConf = '' SystemGroup root wheel -- cgit 1.4.1 From d93f866f55adb6831e054e717253ee94071240b0 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 17 Jan 2016 04:05:02 +0300 Subject: cupsd service: add gutenprint support --- nixos/modules/services/printing/cupsd.nix | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 06de71316ecc..5964b62cc214 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -4,7 +4,7 @@ with lib; let - inherit (pkgs) cups cups-pk-helper cups_filters; + inherit (pkgs) cups cups-pk-helper cups_filters gutenprint; cfg = config.services.printing; @@ -35,6 +35,7 @@ let name = "cups-progs"; paths = [ cups additionalBackends cups_filters pkgs.ghostscript ] + ++ optional cfg.gutenprint gutenprint ++ cfg.drivers; pathsToLink = [ "/lib/cups" "/share/cups" "/bin" "/etc/cups" ]; postBuild = cfg.bindirCmds; @@ -176,6 +177,15 @@ in ''; }; + gutenprint = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Gutenprint drivers for CUPS. This includes auto-updating + Gutenprint PPD files. + ''; + }; + drivers = mkOption { type = types.listOf types.path; default = []; @@ -240,6 +250,9 @@ in mkdir -m 0700 -p /var/cache/cups mkdir -m 0700 -p /var/spool/cups mkdir -m 0755 -p ${cfg.tempDir} + ${optionalString cfg.gutenprint '' + ${gutenprint}/bin/cups-genppdupdate + ''} ''; restartTriggers = -- cgit 1.4.1 From c311901810ab8ddefd38d94e5f625212a86e1c6b Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 17 Jan 2016 04:10:29 +0300 Subject: cupsd service: don't allow overriding necessary configuration options --- nixos/modules/rename.nix | 2 + nixos/modules/services/printing/cupsd.nix | 112 ++++++++++++++---------------- 2 files changed, 55 insertions(+), 59 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 010d44c40d19..cc7557c06eb4 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -99,6 +99,8 @@ with lib; (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ]) (mkRemovedOptionModule [ "ec2" "metadata" ]) (mkRemovedOptionModule [ "services" "openvpn" "enable" ]) + (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ]) + (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ]) ]; } diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 5964b62cc214..58d541dbcba6 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -42,6 +42,52 @@ let ignoreCollisions = true; }; + writeConf = name: text: pkgs.writeTextFile { + inherit name text; + destination = "/etc/cups/${name}"; + }; + + cupsFilesFile = writeConf "cups-files.conf" '' + SystemGroup root wheel + + ServerBin ${bindir}/lib/cups + DataDir ${bindir}/share/cups + + AccessLog syslog + ErrorLog syslog + PageLog syslog + + TempDir ${cfg.tempDir} + + # User and group used to run external programs, including + # those that actually send the job to the printer. Note that + # Udev sets the group of printer devices to `lp', so we want + # these programs to run as `lp' as well. + User cups + Group lp + + ${cfg.extraFilesConf} + ''; + + cupsdFile = writeConf "cupsd.conf" '' + ${concatMapStrings (addr: '' + Listen ${addr} + '') cfg.listenAddresses} + Listen /var/run/cups/cups.sock + + SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin + + DefaultShared ${if cfg.defaultShared then "Yes" else "No"} + + Browsing ${if cfg.browsing then "Yes" else "No"} + + WebInterface ${if cfg.webInterface then "Yes" else "No"} + + ${cfg.extraConf} + ''; + + browsedFile = writeConf "cups-browsed.conf" cfg.browsedConf; + in { @@ -102,25 +148,11 @@ in ''; }; - cupsdConf = mkOption { + extraFilesConf = mkOption { type = types.lines; default = ""; - example = - '' - BrowsePoll cups.example.com - LogLevel debug - ''; description = '' - The contents of the configuration file of the CUPS daemon - (cupsd.conf). - ''; - }; - - cupsFilesConf = mkOption { - type = types.lines; - default = ""; - description = '' - The contents of the configuration file of the CUPS daemon + Extra contents of the configuration file of the CUPS daemon (cups-files.conf). ''; }; @@ -223,9 +255,9 @@ in environment.systemPackages = [ cups ] ++ optional polkitEnabled cups-pk-helper; environment.etc."cups/client.conf".text = cfg.clientConf; - environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf; - environment.etc."cups/cupsd.conf".text = cfg.cupsdConf; - environment.etc."cups/cups-browsed.conf".text = cfg.browsedConf; + environment.etc."cups/cups-files.conf".source = cupsFilesFile; + environment.etc."cups/cupsd.conf".source = cupsdFile; + environment.etc."cups/cups-browsed.conf".source = browsedFile; environment.etc."cups/snmp.conf".text = cfg.snmpConf; services.dbus.packages = [ cups ] ++ optional polkitEnabled cups-pk-helper; @@ -274,49 +306,13 @@ in serviceConfig.ExecStart = "${cups_filters}/bin/cups-browsed"; - restartTriggers = - [ config.environment.etc."cups/cups-browsed.conf".source - ]; + restartTriggers = [ browsedFile ]; }; - services.printing.cupsFilesConf = - '' - SystemGroup root wheel - - ServerBin ${bindir}/lib/cups - DataDir ${bindir}/share/cups - - AccessLog syslog - ErrorLog syslog - PageLog syslog - - TempDir ${cfg.tempDir} - - # User and group used to run external programs, including - # those that actually send the job to the printer. Note that - # Udev sets the group of printer devices to `lp', so we want - # these programs to run as `lp' as well. - User cups - Group lp - ''; - - services.printing.cupsdConf = + services.printing.extraConf = '' LogLevel info - ${concatMapStrings (addr: '' - Listen ${addr} - '') cfg.listenAddresses} - Listen /var/run/cups/cups.sock - - SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin:${bindir}/sbin - - DefaultShared ${if cfg.defaultShared then "Yes" else "No"} - - Browsing ${if cfg.browsing then "Yes" else "No"} - - WebInterface ${if cfg.webInterface then "Yes" else "No"} - DefaultAuthType Basic @@ -357,8 +353,6 @@ in Order deny,allow - - ${cfg.extraConf} ''; security.pam.services.cups = {}; -- cgit 1.4.1 From 47017474fd75a75d747cdb5600b14b9203801984 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 17 Jan 2016 04:12:11 +0300 Subject: cupsd service: move root directory to /var/lib/cups --- nixos/modules/services/printing/cupsd.nix | 48 ++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 13 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 58d541dbcba6..98fb33e3256c 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -37,7 +37,7 @@ let [ cups additionalBackends cups_filters pkgs.ghostscript ] ++ optional cfg.gutenprint gutenprint ++ cfg.drivers; - pathsToLink = [ "/lib/cups" "/share/cups" "/bin" "/etc/cups" ]; + pathsToLink = [ "/lib/cups" "/share/cups" "/bin" ]; postBuild = cfg.bindirCmds; ignoreCollisions = true; }; @@ -88,6 +88,20 @@ let browsedFile = writeConf "cups-browsed.conf" cfg.browsedConf; + rootdir = pkgs.buildEnv { + name = "cups-progs"; + paths = [ + cupsFilesFile + cupsdFile + (writeConf "client.conf" cfg.clientConf) + (writeConf "snmp.conf" cfg.snmpConf) + ] ++ optional avahiEnabled browsedFile + ++ optional cfg.gutenprint gutenprint + ++ cfg.drivers; + pathsToLink = [ "/etc/cups" ]; + ignoreCollisions = true; + }; + in { @@ -253,12 +267,7 @@ in }; environment.systemPackages = [ cups ] ++ optional polkitEnabled cups-pk-helper; - - environment.etc."cups/client.conf".text = cfg.clientConf; - environment.etc."cups/cups-files.conf".source = cupsFilesFile; - environment.etc."cups/cupsd.conf".source = cupsdFile; - environment.etc."cups/cups-browsed.conf".source = browsedFile; - environment.etc."cups/snmp.conf".text = cfg.snmpConf; + environment.etc."cups".source = "/var/lib/cups"; services.dbus.packages = [ cups ] ++ optional polkitEnabled cups-pk-helper; @@ -278,19 +287,32 @@ in preStart = '' - mkdir -m 0755 -p /etc/cups mkdir -m 0700 -p /var/cache/cups mkdir -m 0700 -p /var/spool/cups mkdir -m 0755 -p ${cfg.tempDir} + + mkdir -m 0755 -p /var/lib/cups + # Backwards compatibility + if [ ! -L /etc/cups ]; then + mv /etc/cups/* /var/lib/cups + rmdir /etc/cups + ln -s /var/lib/cups /etc/cups + fi + # First, clean existing symlinks + if [ -n "$(ls /var/lib/cups)" ]; then + for i in /var/lib/cups/*; do + [ -L "$i" ] && rm "$i" + done + fi + # Then, populate it with static files + cd ${rootdir}/etc/cups + for i in *; do + [ ! -e "/var/lib/cups/$i" ] && ln -s "${rootdir}/etc/cups/$i" "/var/lib/cups/$i" + done ${optionalString cfg.gutenprint '' ${gutenprint}/bin/cups-genppdupdate ''} ''; - - restartTriggers = - [ config.environment.etc."cups/cups-files.conf".source - config.environment.etc."cups/cupsd.conf".source - ]; }; systemd.services.cups-browsed = mkIf avahiEnabled -- cgit 1.4.1 From d6f9f135120301f2d297d52336b5182e7ebc6122 Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Mon, 18 Jan 2016 15:57:25 +0100 Subject: bosun: Create ledisDir in pre-start script --- nixos/modules/services/monitoring/bosun.nix | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/monitoring/bosun.nix b/nixos/modules/services/monitoring/bosun.nix index 46273fc12187..51d38e8db4de 100644 --- a/nixos/modules/services/monitoring/bosun.nix +++ b/nixos/modules/services/monitoring/bosun.nix @@ -129,17 +129,19 @@ in { description = "bosun metrics collector (part of Bosun)"; wantedBy = [ "multi-user.target" ]; - preStart = - '' - mkdir -p `dirname ${cfg.stateFile}`; - touch ${cfg.stateFile} - touch ${cfg.stateFile}.tmp + preStart = '' + mkdir -p "$(dirname "${cfg.stateFile}")"; + touch "${cfg.stateFile}" + touch "${cfg.stateFile}.tmp" + + mkdir -p "${cfg.ledisDir}"; if [ "$(id -u)" = 0 ]; then - chown ${cfg.user}:${cfg.group} ${cfg.stateFile} - chown ${cfg.user}:${cfg.group} ${cfg.stateFile}.tmp + chown ${cfg.user}:${cfg.group} "${cfg.stateFile}" + chown ${cfg.user}:${cfg.group} "${cfg.stateFile}.tmp" + chown ${cfg.user}:${cfg.group} "${cfg.ledisDir}" fi - ''; + ''; serviceConfig = { PermissionsStartOnly = true; -- cgit 1.4.1 From ce543ebf27a619ba62e16b95a8090800a7050c53 Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Mon, 18 Jan 2016 15:57:52 +0100 Subject: elasticsearch: Fix some startup warnings --- nixos/modules/services/search/elasticsearch.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index ea0cf1dcd78f..356cfd409ad4 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -128,6 +128,7 @@ in { description = "Elasticsearch Daemon"; wantedBy = [ "multi-user.target" ]; after = [ "network-interfaces.target" ]; + path = [ pkgs.inetutils ]; environment = { ES_HOME = cfg.dataDir; }; serviceConfig = { ExecStart = "${cfg.package}/bin/elasticsearch -Des.path.conf=${configDir} ${toString cfg.extraCmdLineOptions}"; @@ -139,8 +140,7 @@ in { if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi # Install plugins - rm ${cfg.dataDir}/plugins || true - ln -s ${esPlugins}/plugins ${cfg.dataDir}/plugins + ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins ''; postStart = mkBefore '' until ${pkgs.curl}/bin/curl -s -o /dev/null ${cfg.listenAddress}:${toString cfg.port}; do -- cgit 1.4.1 From 148396c02219f1c6fcdb5991a7de7716cefaa1d8 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Mon, 18 Jan 2016 02:46:21 +0300 Subject: systemd service: add *.busname upstream units --- nixos/modules/system/boot/systemd.nix | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 211e0423216e..c5ee95f4c9a4 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -61,6 +61,8 @@ let "systemd-user-sessions.service" "dbus-org.freedesktop.login1.service" "dbus-org.freedesktop.machine1.service" + "org.freedesktop.login1.busname" + "org.freedesktop.machine1.busname" "user@.service" # Journal. @@ -147,10 +149,14 @@ let "systemd-tmpfiles-setup-dev.service" # Misc. + "org.freedesktop.systemd1.busname" "systemd-sysctl.service" "dbus-org.freedesktop.timedate1.service" "dbus-org.freedesktop.locale1.service" "dbus-org.freedesktop.hostname1.service" + "org.freedesktop.timedate1.busname" + "org.freedesktop.locale1.busname" + "org.freedesktop.hostname1.busname" "systemd-timedated.service" "systemd-localed.service" "systemd-hostnamed.service" -- cgit 1.4.1 From 0dd8e03308a4e300b22282358511fc0296327859 Mon Sep 17 00:00:00 2001 From: Eric Sagnes Date: Tue, 19 Jan 2016 09:32:49 +0900 Subject: i3 service: added i3status and dmenu dependency --- nixos/modules/services/x11/window-managers/i3.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/x11/window-managers/i3.nix b/nixos/modules/services/x11/window-managers/i3.nix index 0d5816e363d6..d43dacb1be6b 100644 --- a/nixos/modules/services/x11/window-managers/i3.nix +++ b/nixos/modules/services/x11/window-managers/i3.nix @@ -34,6 +34,6 @@ in ''; }]; }; - environment.systemPackages = [ pkgs.i3 ]; + environment.systemPackages = with pkgs; [ i3 i3status dmenu ]; }; } -- cgit 1.4.1 From 5e468b96b432c938665ac056463a29fde40067b7 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 19 Jan 2016 21:50:27 +0100 Subject: nixos: add 'networking.dnsExtensionMechanism' option to enable edns0 (for DNSSEC) Set this option to 'true' (default: 'false') to enable extension mechanisms for DNS (EDNS) in your local glibc resolver. This is required for supporting DNSSEC, for example. Implementation detail: the patch changes assignments to "resolv_conf_options" to use "+=" instead of "=" to ensure that multiple users of that variable don't overwrite each other. The generated config file is a shell script, after all, so this should work fine. Closes https://github.com/NixOS/nixpkgs/issues/12470. --- nixos/modules/config/networking.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index 293a42d38b5a..d4b1e6d6b968 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -39,6 +39,17 @@ in ''; }; + networking.dnsExtensionMechanism = lib.mkOption { + type = types.bool; + default = false; + description = '' + Enable the edns0 option in resolv.conf. With + that option set, glibc supports use of the extension mechanisms for + DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC, + which does not work without it. + ''; + }; + networking.extraResolvconfConf = lib.mkOption { type = types.lines; default = ""; @@ -162,7 +173,10 @@ in libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null' '' + optionalString cfg.dnsSingleRequest '' # only send one DNS request at a time - resolv_conf_options='single-request' + resolv_conf_options+=' single-request' + '' + optionalString dnsExtensionMechanism '' + # enable extension mechanisms for DNS + resolv_conf_options+=' edns0' '' + optionalString hasLocalResolver '' # This hosts runs a full-blown DNS resolver. name_servers='127.0.0.1' -- cgit 1.4.1 From df82096af06deaa8ddd53accaaa488474575b6d6 Mon Sep 17 00:00:00 2001 From: Nathan Zadoks Date: Tue, 19 Jan 2016 18:11:36 +0100 Subject: activation-script module: add environment.usrbinenv option --- .../system/activation/activation-script.nix | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index 02b3e25a313d..d78ec0d7bf3d 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -94,6 +94,18 @@ in }; + environment.usrbinenv = mkOption { + default = "${pkgs.coreutils}/bin/env"; + example = literalExample '' + "''${pkgs.busybox}/bin/env" + ''; + type = types.nullOr types.path; + visible = false; + description = '' + The env(1) executable that is linked system-wide to + /usr/bin/env. + ''; + }; }; @@ -128,11 +140,15 @@ in mkdir -m 0555 -p /var/empty ''; - system.activationScripts.usrbinenv = - '' + system.activationScripts.usrbinenv = if config.environment.usrbinenv != null + then '' mkdir -m 0755 -p /usr/bin - ln -sfn ${pkgs.coreutils}/bin/env /usr/bin/.env.tmp + ln -sfn ${config.environment.usrbinenv} /usr/bin/.env.tmp mv /usr/bin/.env.tmp /usr/bin/env # atomically replace /usr/bin/env + '' + else '' + rm -f /usr/bin/env + rmdir --ignore-fail-on-non-empty /usr/bin /usr ''; system.activationScripts.tmpfs = -- cgit 1.4.1 From df29b0d23f51dcb6538701178bd4a58a9ce51652 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 20 Jan 2016 01:18:57 +0100 Subject: nixos: fix evaluation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After commit 5e468b9, evaluation failed with: error: undefined variable ‘dnsExtensionMechanism’ at .../nixpkgs/nixos/modules/config/networking.nix:177:33 --- nixos/modules/config/networking.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index d4b1e6d6b968..ca498ca499eb 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -174,7 +174,7 @@ in '' + optionalString cfg.dnsSingleRequest '' # only send one DNS request at a time resolv_conf_options+=' single-request' - '' + optionalString dnsExtensionMechanism '' + '' + optionalString cfg.dnsExtensionMechanism '' # enable extension mechanisms for DNS resolv_conf_options+=' edns0' '' + optionalString hasLocalResolver '' -- cgit 1.4.1 From 1c393cbb3c60b85070950c8abc30a5308015ce3d Mon Sep 17 00:00:00 2001 From: Mark Laws Date: Mon, 18 Jan 2016 11:54:23 -0800 Subject: gale service: fix permissions configuration, fixes #12457 --- nixos/modules/services/networking/gale.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix index 3a5d9bd63c7b..bc975159cdfd 100644 --- a/nixos/modules/services/networking/gale.nix +++ b/nixos/modules/services/networking/gale.nix @@ -76,7 +76,7 @@ in system.activationScripts.gale = mkIf cfg.enable ( stringAfter [ "users" "groups" ] '' - chmod -R 755 ${home} + chmod 755 ${home} mkdir -m 0777 -p ${home}/auth/cache mkdir -m 1777 -p ${home}/auth/local # GALE_DOMAIN.gpub mkdir -m 0700 -p ${home}/auth/private # ROOT.gpub @@ -86,7 +86,8 @@ in mkdir -m 0700 -p ${home}/.gale/auth/private # GALE_DOMAIN.gpri ln -sf ${pkgs.gale}/etc/gale/auth/trusted/ROOT "${home}/auth/trusted/ROOT" - chown -R ${cfg.user}:${cfg.group} ${home} + chown ${cfg.user}:${cfg.group} ${home} ${home}/auth ${home}/auth/* + chown ${cfg.user}:${cfg.group} ${home}/.gale ${home}/.gale/auth ${home}/.gale/auth/private '' ); @@ -149,10 +150,9 @@ in after = [ "network.target" ]; preStart = '' - install -m 0640 ${keyPath}/${cfg.domain}.gpri "${home}/.gale/auth/private/" - install -m 0644 ${gpubFile} "${home}/.gale/auth/private/${cfg.domain}.gpub" - install -m 0644 ${gpubFile} "${home}/auth/local/${cfg.domain}.gpub" - chown -R ${cfg.user}:${cfg.group} ${home} + install -m 0640 -o ${cfg.user} -g ${cfg.group} ${keyPath}/${cfg.domain}.gpri "${home}/.gale/auth/private/" + install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/.gale/auth/private/${cfg.domain}.gpub" + install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/auth/local/${cfg.domain}.gpub" ''; serviceConfig = { -- cgit 1.4.1 From 109ba4c86166f9b7aa31ba45869ee93b0eecb2e0 Mon Sep 17 00:00:00 2001 From: Rok Garbas Date: Wed, 20 Jan 2016 03:42:59 +0100 Subject: nixos: add test for postgresql, fixes #11146 --- nixos/release.nix | 1 + nixos/tests/postgresql.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 nixos/tests/postgresql.nix (limited to 'nixos') diff --git a/nixos/release.nix b/nixos/release.nix index 8a502ae2baa1..3c7cf84c6729 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -287,6 +287,7 @@ in rec { tests.openssh = callTest tests/openssh.nix {}; tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; }); tests.peerflix = callTest tests/peerflix.nix {}; + tests.postgresql = callTest tests/postgresql.nix {}; tests.printing = callTest tests/printing.nix {}; tests.proxy = callTest tests/proxy.nix {}; tests.pumpio = callTest tests/pump.io.nix {}; diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix new file mode 100644 index 000000000000..f17384b44ba6 --- /dev/null +++ b/nixos/tests/postgresql.nix @@ -0,0 +1,26 @@ +import ./make-test.nix ({ pkgs, ...} : { + name = "postgresql"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ zagy ]; + }; + + nodes = { + master = + { pkgs, config, ... }: + + { + services.postgresql.enable = true; + services.postgresql.initialScript = pkgs.writeText "postgresql-init.sql" + '' + CREATE ROLE postgres WITH superuser login createdb; + ''; + }; + }; + + testScript = '' + startAll; + $master->waitForUnit("postgresql"); + $master->sleep(10); # Hopefully this is long enough!! + $master->succeed("echo 'select 1' | sudo -u postgres psql"); + ''; +}) -- cgit 1.4.1 From 5b8c8718420671f7af2b0189299a55e43c252d5b Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 18 Nov 2015 10:47:25 -0700 Subject: If container name is already unique, don't append "-0" When using `--ensure-unique-name`, don't needlessly append `"-0"` if the container name is already unique. This is especially helpful with NixOps since when it deploys to a container it uses `--ensure-unique-name`. This means that the container name will never match the deployment host due to the `"-0"`. Having the container name and the host name match isn't exactly a requirement, but it's nice to have and a small change. --- nixos/modules/virtualisation/nixos-container.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 nixos/modules/virtualisation/nixos-container.pl (limited to 'nixos') diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl old mode 100644 new mode 100755 index 004385f728c6..eda57a9751eb --- a/nixos/modules/virtualisation/nixos-container.pl +++ b/nixos/modules/virtualisation/nixos-container.pl @@ -97,10 +97,10 @@ if ($action eq "create") { if ($ensureUniqueName) { my $base = $containerName; for (my $nr = 0; ; $nr++) { - $containerName = "$base-$nr"; $confFile = "/etc/containers/$containerName.conf"; $root = "/var/lib/containers/$containerName"; last unless -e $confFile || -e $root; + $containerName = "$base-$nr"; } } -- cgit 1.4.1 From f8c3130e0fb0bc1545fed1ef2974c9509208c59f Mon Sep 17 00:00:00 2001 From: Rick Yang Date: Thu, 10 Dec 2015 00:52:44 +0800 Subject: softether: Fixed problems with using systemd services --- nixos/modules/services/networking/softether.nix | 31 ++++++++++++++----------- 1 file changed, 17 insertions(+), 14 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index a421b32f02c2..5e49efc3aa3a 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -61,11 +61,14 @@ in dataDir = cfg.dataDir; })) ]; - systemd.services.softether = { - description = "SoftEther VPN services initial job"; - after = [ "network-interfaces.target" ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' + systemd.services."softether-init" = { + description = "SoftEther VPN services initial task"; + wantedBy = [ "network-interfaces.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = false; + }; + script = '' for d in vpnserver vpnbridge vpnclient vpncmd; do if ! test -e ${cfg.dataDir}/$d; then ${pkgs.coreutils}/bin/mkdir -m0700 -p ${cfg.dataDir}/$d @@ -81,12 +84,12 @@ in (mkIf (cfg.vpnserver.enable) { systemd.services.vpnserver = { description = "SoftEther VPN Server"; - after = [ "network-interfaces.target" ]; - wantedBy = [ "multi-user.target" ]; + after = [ "softether-init.service" ]; + wantedBy = [ "network-interfaces.target" ]; serviceConfig = { + Type = "forking"; ExecStart = "${pkg}/bin/vpnserver start"; ExecStop = "${pkg}/bin/vpnserver stop"; - Type = "forking"; }; preStart = '' rm -rf ${cfg.dataDir}/vpnserver/vpnserver @@ -101,12 +104,12 @@ in (mkIf (cfg.vpnbridge.enable) { systemd.services.vpnbridge = { description = "SoftEther VPN Bridge"; - after = [ "network-interfaces.target" ]; - wantedBy = [ "multi-user.target" ]; + after = [ "softether-init.service" ]; + wantedBy = [ "network-interfaces.target" ]; serviceConfig = { + Type = "forking"; ExecStart = "${pkg}/bin/vpnbridge start"; ExecStop = "${pkg}/bin/vpnbridge stop"; - Type = "forking"; }; preStart = '' rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge @@ -121,12 +124,12 @@ in (mkIf (cfg.vpnclient.enable) { systemd.services.vpnclient = { description = "SoftEther VPN Client"; - after = [ "network-interfaces.target" ]; - wantedBy = [ "multi-user.target" ]; + after = [ "softether-init.service" ]; + wantedBy = [ "network-interfaces.target" ]; serviceConfig = { + Type = "forking"; ExecStart = "${pkg}/bin/vpnclient start"; ExecStop = "${pkg}/bin/vpnclient stop"; - Type = "forking"; }; preStart = '' rm -rf ${cfg.dataDir}/vpnclient/vpnclient -- cgit 1.4.1 From 2a88417f033cd9ac656a75e1f5734895f8a247d5 Mon Sep 17 00:00:00 2001 From: Joachim Schiele Date: Sat, 28 Feb 2015 15:30:06 +0100 Subject: nixos/doc: fix to: ~/.nix-defexpr wasn't created, fixes #6606 --- nixos/doc/manual/configuration/user-mgmt.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/configuration/user-mgmt.xml b/nixos/doc/manual/configuration/user-mgmt.xml index 40362fbbb23f..631742059278 100644 --- a/nixos/doc/manual/configuration/user-mgmt.xml +++ b/nixos/doc/manual/configuration/user-mgmt.xml @@ -65,6 +65,14 @@ account named alice: $ useradd -m alice +To make all nix tools available to this new user use `su - USER` which +opens a login shell (==shell that loads the profile) for given user. +This will create the ~/.nix-defexpr symlink. So run: + + +$ su - alice -c "true" + + The flag causes the creation of a home directory for the new user, which is generally what you want. The user does not have an initial password and therefore cannot log in. A password can -- cgit 1.4.1 From fb2eae08d53606823051dead0d07b6461e82ec1b Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Mon, 11 Jan 2016 19:41:48 +0100 Subject: Revert "Revert "nixos-rebuild: Add option for building and/or deploying on a remote host"" This reverts commit 78be7f5a53e3945b72482a99c639f5fe8cc75fd6. --- nixos/modules/installer/tools/nixos-rebuild.sh | 187 +++++++++++++++++++++---- 1 file changed, 160 insertions(+), 27 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index 6792690b4c3b..1071460097e8 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -19,6 +19,8 @@ rollback= upgrade= repair= profile=/nix/var/nix/profiles/system +buildHost= +targetHost= while [ "$#" -gt 0 ]; do i="$1"; shift 1 @@ -73,6 +75,14 @@ while [ "$#" -gt 0 ]; do fi shift 1 ;; + --build-host|h) + buildHost="$1" + shift 1 + ;; + --target-host|t) + targetHost="$1" + shift 1 + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -80,6 +90,90 @@ while [ "$#" -gt 0 ]; do esac done + +if [ -z "$buildHost" -a -n "$targetHost" ]; then + buildHost="$targetHost" +fi +if [ "$targetHost" = localhost ]; then + targetHost= +fi +if [ "$buildHost" = localhost ]; then + buildHost= +fi + +buildHostCmd() { + if [ -z "$buildHost" ]; then + "$@" + elif [ -n "$remoteNix" ]; then + ssh $SSHOPTS "$buildHost" PATH="$remoteNix:$PATH" "$@" + else + ssh $SSHOPTS "$buildHost" "$@" + fi +} + +targetHostCmd() { + if [ -z "$targetHost" ]; then + "$@" + else + ssh $SSHOPTS "$targetHost" "$@" + fi +} + +copyToTarget() { + if ! [ "$targetHost" = "$buildHost" ]; then + if [ -z "$targetHost" ]; then + NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --from "$buildHost" "$1" + elif [ -z "$buildHost" ]; then + NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$targetHost" "$1" + else + buildHostCmd nix-copy-closure --to "$targetHost" "$1" + fi + fi +} + +nixBuild() { + if [ -z "$buildHost" ]; then + nix-build "$@" + else + local instArgs=() + local buildArgs=() + + while [ "$#" -gt 0 ]; do + local i="$1"; shift 1 + case "$i" in + -o) + local out="$1"; shift 1 + buildArgs+=("--add-root" "$out" "--indirect") + ;; + -A) + local j="$1"; shift 1 + instArgs+=("$i" "$j") + ;; + -I) + # We don't want this in buildArgs + shift 1 + ;; + "<"*) # nix paths + instArgs+=("$i") + ;; + *) + buildArgs+=("$i") + ;; + esac + done + + local drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")" + if [ -a "$drv" ]; then + NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$buildHost" "$drv" + buildHostCmd nix-store -r "$drv" "${buildArgs[@]}" + else + echo "nix-instantiate failed" + exit 1 + fi + fi +} + + if [ -z "$action" ]; then showSyntax; fi # Only run shell scripts from the Nixpkgs tree if the action is @@ -128,7 +222,16 @@ fi tmpDir=$(mktemp -t -d nixos-rebuild.XXXXXX) -trap 'rm -rf "$tmpDir"' EXIT +SSHOPTS="$NIX_SSHOPTS -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-%n -o ControlPersist=60" + +cleanup() { + for ctrl in "$tmpDir"/ssh-*; do + ssh -o ControlPath="$ctrl" -O exit dummyhost 2>/dev/null || true + done + rm -rf "$tmpDir" +} +trap cleanup EXIT + # If the Nix daemon is running, then use it. This allows us to use @@ -150,30 +253,56 @@ if [ -n "$rollback" -o "$action" = dry-build ]; then buildNix= fi +prebuiltNix() { + machine="$1" + if [ "$machine" = x86_64 ]; then + return /nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10 + elif [[ "$machine" =~ i.86 ]]; then + return /nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10 + else + echo "$0: unsupported platform" + exit 1 + fi +} + +remotePATH= + if [ -n "$buildNix" ]; then echo "building Nix..." >&2 - if ! nix-build '' -A config.nix.package -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then - if ! nix-build '' -A nixFallback -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then - if ! nix-build '' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then - machine="$(uname -m)" - if [ "$machine" = x86_64 ]; then - nixStorePath=/nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10 - elif [[ "$machine" =~ i.86 ]]; then - nixStorePath=/nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10 - else - echo "$0: unsupported platform" - exit 1 - fi + nixDrv= + if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nixdrv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then + if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nixdrv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then + if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nixdrv --indirect -A nix "${extraBuildFlags[@]}")"; then + nixStorePath="$(prebuiltNix "$(uname -m)")" if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \ --option extra-binary-caches https://cache.nixos.org/; then echo "warning: don't know how to get latest Nix" >&2 fi # Older version of nix-store -r don't support --add-root. [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix + if [ -n "$buildHost" ]; then + remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")" + remoteNix="$remoteNixStorePath/bin" + if ! buildHostCmd nix-store -r $remoteNixStorePath \ + --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then + remoteNix= + echo "warning: don't know how to get latest Nix" >&2 + fi + fi fi fi fi - PATH=$tmpDir/nix/bin:$PATH + if [ -a "$nixDrv" ]; then + nix-store -r "$nixDrv" --add-root $tmpDir/nix --indirect >/dev/null + if [ -n "$buildHost" ]; then + nix-copy-closure --to "$buildHost" "$nixDrv" + # The nix build produces multiple outputs, we add them all to the remote path + for p in $(buildHostCmd nix-store -r "$(readlink "$nixDrv")" "${buildArgs[@]}"); do + remoteNix="$remoteNix${remoteNix:+:}$p/bin" + done + fi + fi + PATH="$tmpDir/nix/bin:$PATH" fi @@ -200,31 +329,35 @@ fi if [ -z "$rollback" ]; then echo "building the system configuration..." >&2 if [ "$action" = switch -o "$action" = boot ]; then - nix-env "${extraBuildFlags[@]}" -p "$profile" -f '' --set -A system - pathToConfig="$profile" + pathToConfig="$(nixBuild '' -A system "${extraBuildFlags[@]}")" + copyToTarget "$pathToConfig" + targetHostCmd nix-env -p "$profile" --set "$pathToConfig" elif [ "$action" = test -o "$action" = build -o "$action" = dry-build -o "$action" = dry-activate ]; then - nix-build '' -A system -k "${extraBuildFlags[@]}" > /dev/null - pathToConfig=./result + pathToConfig="$(nixBuild '' -A system -k "${extraBuildFlags[@]}")" elif [ "$action" = build-vm ]; then - nix-build '' -A vm -k "${extraBuildFlags[@]}" > /dev/null - pathToConfig=./result + pathToConfig="$(nixBuild '' -A vm -k "${extraBuildFlags[@]}")" elif [ "$action" = build-vm-with-bootloader ]; then - nix-build '' -A vmWithBootLoader -k "${extraBuildFlags[@]}" > /dev/null - pathToConfig=./result + pathToConfig="$(nixBuild '' -A vmWithBootLoader -k "${extraBuildFlags[@]}")" else showSyntax fi + # Copy build to target host if we haven't already done it + if ! [ "$action" = switch -o "$action" = boot ]; then + copyToTarget "$pathToConfig" + fi else # [ -n "$rollback" ] if [ "$action" = switch -o "$action" = boot ]; then - nix-env --rollback -p "$profile" + targetHostCmd nix-env --rollback -p "$profile" pathToConfig="$profile" elif [ "$action" = test -o "$action" = build ]; then systemNumber=$( - nix-env -p "$profile" --list-generations | + targetHostCmd nix-env -p "$profile" --list-generations | sed -n '/current/ {g; p;}; s/ *\([0-9]*\).*/\1/; h' ) - ln -sT "$profile"-${systemNumber}-link ./result - pathToConfig=./result + pathToConfig="$profile"-${systemNumber}-link + if [ -z "$targetHost" ]; then + ln -sT "$pathToConfig" ./result + fi else showSyntax fi @@ -234,7 +367,7 @@ fi # If we're not just building, then make the new configuration the boot # default and/or activate it now. if [ "$action" = switch -o "$action" = boot -o "$action" = test -o "$action" = dry-activate ]; then - if ! $pathToConfig/bin/switch-to-configuration "$action"; then + if ! targetHostCmd $pathToConfig/bin/switch-to-configuration "$action"; then echo "warning: error(s) occurred while switching to the new configuration" >&2 exit 1 fi -- cgit 1.4.1 From 51c6383ebd10ea58094e80bdb0ead73b838f8b9c Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Mon, 11 Jan 2016 19:43:05 +0100 Subject: nixos-rebuild: Build only the 'out' output of nix (not 'doc' and 'debug' too) This fixes the failing NixOS installer tests. --- nixos/modules/installer/tools/nixos-rebuild.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index 1071460097e8..105d1cd16252 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -270,9 +270,9 @@ remotePATH= if [ -n "$buildNix" ]; then echo "building Nix..." >&2 nixDrv= - if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nixdrv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then - if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nixdrv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then - if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nixdrv --indirect -A nix "${extraBuildFlags[@]}")"; then + if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nix.drv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then + if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then + if ! nixDrv="$(nix-instantiate '' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then nixStorePath="$(prebuiltNix "$(uname -m)")" if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \ --option extra-binary-caches https://cache.nixos.org/; then @@ -293,7 +293,7 @@ if [ -n "$buildNix" ]; then fi fi if [ -a "$nixDrv" ]; then - nix-store -r "$nixDrv" --add-root $tmpDir/nix --indirect >/dev/null + nix-store -r "$nixDrv"'!'"out" --add-root $tmpDir/nix --indirect >/dev/null if [ -n "$buildHost" ]; then nix-copy-closure --to "$buildHost" "$nixDrv" # The nix build produces multiple outputs, we add them all to the remote path -- cgit 1.4.1 From 39bd9be5a9dc8d8efe6016e3234302ab027dc4cf Mon Sep 17 00:00:00 2001 From: "Alexander V. Nikolaev" Date: Mon, 18 Jan 2016 23:10:58 +0200 Subject: postfix: use built-in set-permission tool to setup queue Make top level /var/lib/postfix as root:root 0755 After generating custom configs in /var/lib/postfix/conf, `postfix set-permissions` called, to perform all required tricks related to queue handling (postfix use file mode bits to keep some internal statuses, so `chmod -R` not recommended by authors, see comments in $out/libexec/postfix/post-install for details) Also post-install script was patched, to skip permission check/update for files inside $out, as well as symlinks following to $NIX_STORE. Config file `main.cf` extended with all default directory locations, to prevent post-install script from guessing and overwrite them. And finally all actions in activation script snippets performed by postmap/postalias/postfix tools from current build, not random one from paths. --- nixos/modules/services/mail/postfix.nix | 37 +++++++++++++++++----- pkgs/servers/mail/postfix/3.0.nix | 6 +++- .../servers/mail/postfix/post-install-script.patch | 28 ++++++++++++++++ 3 files changed, 62 insertions(+), 9 deletions(-) create mode 100644 pkgs/servers/mail/postfix/post-install-script.patch (limited to 'nixos') diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 6c5d7e92702b..f2d8189de6ef 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -20,6 +20,23 @@ let mail_owner = ${user} default_privs = nobody + # NixOS specific locations + data_directory = /var/lib/postfix/data + queue_directory = /var/lib/postfix/queue + + # Default location of everything in package + meta_directory = ${pkgs.postfix}/etc/postfix + command_directory = ${pkgs.postfix}/bin + sample_directory = /etc/postfix + newaliases_path = ${pkgs.postfix}/bin/newaliases + mailq_path = ${pkgs.postfix}/bin/mailq + readme_directory = no + sendmail_path = ${pkgs.postfix}/bin/sendmail + daemon_directory = ${pkgs.postfix}/libexec/postfix + manpage_directory = ${pkgs.postfix}/share/man + html_directory = ${pkgs.postfix}/share/postfix/doc/html + shlib_directory = no + '' + optionalString config.networking.enableIPv6 '' inet_protocols = all @@ -435,31 +452,35 @@ in mkdir -p /var/lib mv /var/postfix /var/lib/postfix fi - mkdir -p /var/lib/postfix/data /var/lib/postfix/queue/{pid,public,maildrop} - chown -R ${user}:${group} /var/lib/postfix - chown root /var/lib/postfix/queue - chown root /var/lib/postfix/queue/pid - chgrp -R ${setgidGroup} /var/lib/postfix/queue/{public,maildrop} - chmod 770 /var/lib/postfix/queue/{public,maildrop} + # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script + mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop} + chmod 0755 /var/lib/postfix + chown root:root /var/lib/postfix rm -rf /var/lib/postfix/conf mkdir -p /var/lib/postfix/conf + chmod 0755 /var/lib/postfix/conf + ln -sf ${pkgs.postfix}/etc/postfix/postfix-files ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf + ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ln -sf ${from} /var/lib/postfix/conf/${to} - postalias /var/lib/postfix/conf/${to} + ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to} '') cfg.aliasFiles)} ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ln -sf ${from} /var/lib/postfix/conf/${to} - postmap /var/lib/postfix/conf/${to} + ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to} '') cfg.mapFiles)} mkdir -p /var/spool/mail chown root:root /var/spool/mail chmod a+rwxt /var/spool/mail ln -sf /var/spool/mail /var/ + + #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them + ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf ''; }; } diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix index 73ab8c8116f3..8ccd9f3a3f9a 100644 --- a/pkgs/servers/mail/postfix/3.0.nix +++ b/pkgs/servers/mail/postfix/3.0.nix @@ -35,10 +35,14 @@ in stdenv.mkDerivation rec { ++ lib.optional withMySQL libmysql ++ lib.optional withSQLite sqlite; - patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ]; + patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ./post-install-script.patch ]; preBuild = '' sed -e '/^PATH=/d' -i postfix-install + sed -e "s|@PACKAGE@|$out|" -i conf/post-install + + # post-install need skip permissions check/set on all symlinks following to /nix/store + sed -e "s|@NIX_STORE@|$NIX_STORE|" -i conf/post-install export command_directory=$out/sbin export config_directory=/etc/postfix diff --git a/pkgs/servers/mail/postfix/post-install-script.patch b/pkgs/servers/mail/postfix/post-install-script.patch new file mode 100644 index 000000000000..350fbf929b74 --- /dev/null +++ b/pkgs/servers/mail/postfix/post-install-script.patch @@ -0,0 +1,28 @@ +--- a/conf/post-install 1970-01-01 03:00:01.000000000 +0300 ++++ b/conf/post-install 2016-01-20 13:25:18.382233172 +0200 +@@ -254,6 +254,8 @@ + } + + # Bootstrapping problem. ++meta_directory="@PACKAGE@/etc/postfix" ++command_directory="@PACKAGE@/bin" + + if [ -n "$command_directory" ] + then +@@ -528,7 +530,16 @@ + # Skip uninstalled files. + case $path in + no|no/*) continue;; ++ # Skip immutable files from package, correct permissions provided by Nix. ++ @PACKAGE@/*) continue; + esac ++ # Also skip symlinks following to /nix/store ++ if test -L $path; then ++ case "$(readlink $path)" in ++ @NIX_STORE@/*) continue; ++ esac ++ fi ++ + # Pick up the flags. + case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac + case $flags in *c*) create_flag=1;; *) create_flag=;; esac -- cgit 1.4.1 From 4948bdadd67a927864092b9f3c67399bffad19cf Mon Sep 17 00:00:00 2001 From: Edward Tjörnhammar Date: Thu, 21 Jan 2016 10:01:42 +0100 Subject: nixos: ihaskell, wrong type restriction redacted --- nixos/modules/services/misc/ihaskell.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/misc/ihaskell.nix b/nixos/modules/services/misc/ihaskell.nix index 1927922909ee..13c41466eab2 100644 --- a/nixos/modules/services/misc/ihaskell.nix +++ b/nixos/modules/services/misc/ihaskell.nix @@ -22,7 +22,6 @@ in }; haskellPackages = mkOption { - type = types.attrsOf types.package; default = pkgs.haskellPackages; defaultText = "pkgs.haskellPackages"; example = literalExample "pkgs.haskell.packages.ghc784"; -- cgit 1.4.1 From 15ea50733d781faa5035436dc356ddb62d52a840 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 21 Jan 2016 12:41:59 +0300 Subject: nixos changelog: mention ejabberd fixes --- nixos/doc/manual/release-notes/rl-unstable.xml | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml index cd828dfc8887..3c0a4990a815 100644 --- a/nixos/doc/manual/release-notes/rl-unstable.xml +++ b/nixos/doc/manual/release-notes/rl-unstable.xml @@ -158,6 +158,11 @@ nginx.override { nix-shell (without installing anything). + + ejabberd module is brought back and now works on + NixOS. + + -- cgit 1.4.1 From 9fe72b34edc978c3a034419439f7ac0e110e175d Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 21 Jan 2016 12:47:16 +0300 Subject: nixos changelog: mention postfix changes --- nixos/doc/manual/release-notes/rl-unstable.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml index 3c0a4990a815..6099b5218714 100644 --- a/nixos/doc/manual/release-notes/rl-unstable.xml +++ b/nixos/doc/manual/release-notes/rl-unstable.xml @@ -145,6 +145,15 @@ nginx.override { from the ELPA, MELPA, and MELPA Stable repositories. + + + Data directory for Postfix MTA server is moved from + /var/postfix to /var/lib/postfix. + Old configurations are migrated automatically. service.postfix + module has also received many improvements, such as correct directories' access + rights, new aliasFiles and mapFiles + options and more. + -- cgit 1.4.1 From d1a9c55d910af49a93023f9e7de44bdf4a5cc03c Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 6 Jan 2016 23:09:06 +0300 Subject: nixos/dovecot: add reload command --- nixos/modules/services/mail/dovecot.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 36bdcaca47a3..e8eaeafff3e9 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -162,7 +162,7 @@ in enablePAM = mkOption { type = types.bool; default = true; - description = "Wether to create a own Dovecot PAM service and configure PAM user logins."; + description = "Whether to create a own Dovecot PAM service and configure PAM user logins."; }; showPAMFailure = mkOption { @@ -211,6 +211,7 @@ in serviceConfig = { ExecStart = "${dovecotPkg}/sbin/dovecot -F -c ${cfg.configFile}"; + ExecReload = "${dovecotPkg}/sbin/doveadm reload -c ${cfg.configFile}"; Restart = "on-failure"; RestartSec = "1s"; StartLimitInterval = "1min"; -- cgit 1.4.1 From 9c7b067c6a22338b91f77638c06f1f9e545755cc Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 7 Jan 2016 01:27:06 +0300 Subject: nixos/dovecot: create user/group only if they are default --- nixos/modules/services/mail/dovecot.nix | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index e8eaeafff3e9..ae9de6445906 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -178,22 +178,22 @@ in security.pam.services.dovecot2 = mkIf cfg.enablePAM {}; users.extraUsers = [ - { name = cfg.user; - uid = config.ids.uids.dovecot2; - description = "Dovecot user"; - group = cfg.group; - } { name = "dovenull"; uid = config.ids.uids.dovenull2; description = "Dovecot user for untrusted logins"; group = cfg.group; } - ]; - - users.extraGroups = singleton { - name = cfg.group; - gid = config.ids.gids.dovecot2; - }; + ] ++ optional (cfg.user == "dovecot2") + { name = "dovecot2"; + uid = config.ids.uids.dovecot2; + description = "Dovecot user"; + group = cfg.group; + }; + + users.extraGroups = optional (cfg.group == "dovecot2") + { name = "dovecot2"; + gid = config.ids.gids.dovecot2; + }; systemd.services.dovecot2 = { description = "Dovecot IMAP/POP3 server"; -- cgit 1.4.1 From 122929cda74f92555c40e9888c968e02611cb3e8 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sat, 9 Jan 2016 04:15:25 +0300 Subject: nixos/dovecot: use systemd's RuntimeDirectory instead of creating it by ourselves --- nixos/modules/services/mail/dovecot.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index ae9de6445906..c9406a2ac516 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -203,8 +203,6 @@ in wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -p "${baseDir}/login" - chown -R ${cfg.user}:${cfg.group} "${baseDir}" rm -f "${stateDir}/modules" ln -s "${modulesDir}" "${stateDir}/modules" ''; @@ -215,6 +213,7 @@ in Restart = "on-failure"; RestartSec = "1s"; StartLimitInterval = "1min"; + RuntimeDirectory = [ "dovecot2" ]; }; }; -- cgit 1.4.1 From b2b58642fedd4b315bf8b92a3352792fa3d77bce Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 10 Jan 2016 06:54:07 +0300 Subject: nixos/dovecot: add 'protocols' option --- nixos/modules/services/mail/dovecot.nix | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index c9406a2ac516..e244bdbd30bb 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -9,16 +9,10 @@ let baseDir = "/run/dovecot2"; stateDir = "/var/lib/dovecot"; - protocols = concatStrings [ - (optionalString cfg.enableImap "imap") - (optionalString cfg.enablePop3 "pop3") - (optionalString cfg.enableLmtp "lmtp") - ]; - dovecotConf = concatStrings [ '' base_dir = ${baseDir} - protocols = ${protocols} + protocols = ${concatStringsSep " " cfg.protocols} '' (if isNull cfg.sslServerCert then '' @@ -87,6 +81,12 @@ in description = "Start the LMTP listener (when Dovecot is enabled)."; }; + protocols = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Additional listeners to start when Dovecot is enabled."; + }; + package = mkOption { type = types.package; default = pkgs.dovecot22; @@ -177,6 +177,11 @@ in security.pam.services.dovecot2 = mkIf cfg.enablePAM {}; + services.dovecot2.protocols = + optional cfg.enableImap "imap" + ++ optional cfg.enablePop3 "pop3" + ++ optional cfg.enableLmtp "lmtp"; + users.extraUsers = [ { name = "dovenull"; uid = config.ids.uids.dovenull2; @@ -220,7 +225,7 @@ in environment.systemPackages = [ dovecotPkg ]; assertions = [ - { assertion = cfg.enablePop3 || cfg.enableImap; + { assertion = intersectLists cfg.protocols [ "pop3" "imap" ] != []; message = "dovecot needs at least one of the IMAP or POP3 listeners enabled"; } { assertion = isNull cfg.sslServerCert == isNull cfg.sslServerKey -- cgit 1.4.1 From 94a43b41af1204f4a87261ddb0820c5c8e3bc2c8 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 10 Jan 2016 06:58:56 +0300 Subject: nixos/dovecot: add dovecot package to modules, force proper dovecot version --- nixos/modules/services/mail/dovecot.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index e244bdbd30bb..c034e5e04700 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -55,7 +55,7 @@ let ]; modulesDir = pkgs.symlinkJoin "dovecot-modules" - (map (module: "${module}/lib/dovecot") cfg.modules); + (map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules)); in { -- cgit 1.4.1 From 70e77f9b53b036edfc9300ce3a16ecc637c5f6c3 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 10 Jan 2016 07:00:34 +0300 Subject: nixos/dovecot: use new modules directory --- nixos/modules/services/mail/dovecot.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index c034e5e04700..974dfb708f1b 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -135,7 +135,7 @@ in example = literalExample "[ pkgs.dovecot_pigeonhole ]"; description = '' Symlinks the contents of lib/dovecot of every given package into - /var/lib/dovecot/modules. This will make the given modules available + /etc/dovecot/modules. This will make the given modules available if a dovecot package with the module_dir patch applied (like pkgs.dovecot22, the default) is being used. ''; @@ -200,6 +200,8 @@ in gid = config.ids.gids.dovecot2; }; + environment.etc."dovecot/modules".source = modulesDir; + systemd.services.dovecot2 = { description = "Dovecot IMAP/POP3 server"; @@ -207,11 +209,6 @@ in wants = [ "keys.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - rm -f "${stateDir}/modules" - ln -s "${modulesDir}" "${stateDir}/modules" - ''; - serviceConfig = { ExecStart = "${dovecotPkg}/sbin/dovecot -F -c ${cfg.configFile}"; ExecReload = "${dovecotPkg}/sbin/doveadm reload -c ${cfg.configFile}"; -- cgit 1.4.1 From 39bbac96afce0624b7ea57461431efcdabdd5fc8 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 10 Jan 2016 07:02:24 +0300 Subject: nixos/dovecot: symlink system-wide config and use it --- nixos/modules/services/mail/dovecot.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 974dfb708f1b..a2a93a520e9b 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -201,6 +201,7 @@ in }; environment.etc."dovecot/modules".source = modulesDir; + environment.etc."dovecot/dovecot.conf".source = cfg.configFile; systemd.services.dovecot2 = { description = "Dovecot IMAP/POP3 server"; @@ -208,10 +209,11 @@ in after = [ "keys.target" "network.target" ]; wants = [ "keys.target" ]; wantedBy = [ "multi-user.target" ]; + restartTriggers = [ cfg.configFile ]; serviceConfig = { - ExecStart = "${dovecotPkg}/sbin/dovecot -F -c ${cfg.configFile}"; - ExecReload = "${dovecotPkg}/sbin/doveadm reload -c ${cfg.configFile}"; + ExecStart = "${dovecotPkg}/sbin/dovecot -F"; + ExecReload = "${dovecotPkg}/sbin/doveadm reload"; Restart = "on-failure"; RestartSec = "1s"; StartLimitInterval = "1min"; -- cgit 1.4.1 From b781cf1a12ce77fd29ec0656bb04895b0cdaecf7 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 10 Jan 2016 07:05:12 +0300 Subject: nixos/dovecot: add sieveScripts support --- nixos/modules/services/mail/dovecot.nix | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index a2a93a520e9b..efe6a3beb9ae 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -51,6 +51,12 @@ let } '') + (optionalString (cfg.sieveScripts != {}) '' + plugin { + ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)} + } + '') + cfg.extraConfig ]; @@ -165,6 +171,12 @@ in description = "Whether to create a own Dovecot PAM service and configure PAM user logins."; }; + sieveScripts = mkOption { + type = types.attrsOf types.path; + default = {}; + description = "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc."; + }; + showPAMFailure = mkOption { type = types.bool; default = false; @@ -219,6 +231,22 @@ in StartLimitInterval = "1min"; RuntimeDirectory = [ "dovecot2" ]; }; + + preStart = '' + rm -rf ${stateDir}/sieve + '' + optionalString (cfg.sieveScripts != {}) '' + mkdir -p ${stateDir}/sieve + ${concatStringsSep "\n" (mapAttrsToList (to: from: '' + if [ -d '${from}' ]; then + mkdir '${stateDir}/sieve/${to}' + cp ${from}/*.sieve '${stateDir}/sieve/${to}' + else + cp '${from}' '${stateDir}/sieve/${to}' + fi + ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}' + '') cfg.sieveScripts)} + chown -R '${cfg.user}:${cfg.group}' ${stateDir}/sieve + ''; }; environment.systemPackages = [ dovecotPkg ]; -- cgit 1.4.1 From 5b5e2c05c41de4d0aa298eab133923f2feb851a2 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sun, 10 Jan 2016 07:07:26 +0300 Subject: nixos/dovecot: add mail user and group --- nixos/modules/services/mail/dovecot.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index efe6a3beb9ae..11e8b26c75ef 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -27,6 +27,8 @@ let '' default_internal_user = ${cfg.user} + ${optionalString (cfg.mailUser != null) "mail_uid = ${cfg.mailUser}"} + ${optionalString (cfg.mailGroup != null) "mail_gid = ${cfg.mailGroup}"} mail_location = ${cfg.mailLocation} @@ -135,6 +137,18 @@ in ''; }; + mailUser = mkOption { + type = types.nullOr types.str; + default = null; + description = "Default user to store mail for virtual users."; + }; + + mailGroup = mkOption { + type = types.nullOr types.str; + default = null; + description = "Default group to store mail for virtual users."; + }; + modules = mkOption { type = types.listOf types.package; default = []; @@ -245,7 +259,7 @@ in fi ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}' '') cfg.sieveScripts)} - chown -R '${cfg.user}:${cfg.group}' ${stateDir}/sieve + chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve' ''; }; -- cgit 1.4.1 From c92d7481a5aec31394ab885c86dde93ade04576c Mon Sep 17 00:00:00 2001 From: aszlig Date: Thu, 21 Jan 2016 16:07:38 +0100 Subject: multipath_tools: Rename to multipath-tools See http://nixos.org/nixpkgs/manual/#sec-package-naming I've added an alias for multipath_tools to make sure that we don't break existing configurations referencing the old name. Signed-off-by: aszlig --- nixos/modules/virtualisation/nova.nix | 2 +- pkgs/applications/virtualization/xen/generic.nix | 4 ++-- pkgs/development/python-modules/blivet/default.nix | 4 ++-- pkgs/top-level/all-packages.nix | 3 ++- 4 files changed, 7 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/virtualisation/nova.nix b/nixos/modules/virtualisation/nova.nix index f356445abe46..c2837d0e2e24 100644 --- a/nixos/modules/virtualisation/nova.nix +++ b/nixos/modules/virtualisation/nova.nix @@ -146,7 +146,7 @@ in path = [ pkgs.sudo pkgs.vlan pkgs.nettools pkgs.iptables pkgs.qemu_kvm - pkgs.e2fsprogs pkgs.utillinux pkgs.multipath_tools pkgs.iproute + pkgs.e2fsprogs pkgs.utillinux pkgs.multipath-tools pkgs.iproute pkgs.bridge-utils ]; diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 71c26c5f99c9..6774675266c4 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -5,7 +5,7 @@ , flex, cmake, ocaml, ocamlPackages, figlet, libaio, yajl , checkpolicy, transfig, glusterfs, acl, fetchgit, xz, spice , spice_protocol, usbredir, alsaLib, quilt -, coreutils, gawk, gnused, gnugrep, diffutils, multipath_tools +, coreutils, gawk, gnused, gnugrep, diffutils, multipath-tools , inetutils, iptables, openvswitch, nbd, drbd, xenConfig , xenserverPatched ? false, ... }: @@ -51,7 +51,7 @@ let ]; scriptEnvPath = stdenv.lib.concatStrings (stdenv.lib.intersperse ":" (map (x: "${x}/bin") - [ coreutils gawk gnused gnugrep which perl diffutils utillinux multipath_tools + [ coreutils gawk gnused gnugrep which perl diffutils utillinux multipath-tools iproute inetutils iptables bridge-utils openvswitch nbd drbd ])); in diff --git a/pkgs/development/python-modules/blivet/default.nix b/pkgs/development/python-modules/blivet/default.nix index 240fe6388348..a55e1993ac37 100644 --- a/pkgs/development/python-modules/blivet/default.nix +++ b/pkgs/development/python-modules/blivet/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchFromGitHub, buildPythonPackage, pykickstart, pyparted, pyblock -, pyudev, six, libselinux, cryptsetup, multipath_tools, lsof, utillinux +, pyudev, six, libselinux, cryptsetup, multipath-tools, lsof, utillinux }: let @@ -19,7 +19,7 @@ in buildPythonPackage rec { postPatch = '' sed -i \ - -e 's|"multipath"|"${multipath_tools}/sbin/multipath"|' \ + -e 's|"multipath"|"${multipath-tools}/sbin/multipath"|' \ -e '/^def set_friendly_names/a \ return False' \ blivet/devicelibs/mpath.py sed -i -e '/"wipefs"/ { diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index f98465f45f4f..1c283e4acb10 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -10384,7 +10384,7 @@ let inherit modules; }; - multipath_tools = callPackage ../os-specific/linux/multipath-tools { }; + multipath-tools = callPackage ../os-specific/linux/multipath-tools { }; musl = callPackage ../os-specific/linux/musl { }; @@ -15880,6 +15880,7 @@ aliases = with self; rec { lttngUst = lttng-ust; # added 2014-07-31 midoriWrapper = midori; # added 2015-01 mlt-qt5 = qt5.mlt; # added 2015-12-19 + multipath_tools = multipath-tools; # added 2016-01-21 nfsUtils = nfs-utils; # added 2014-12-06 phonon_qt5 = qt5.phonon; # added 2015-12-19 phonon_qt5_backend_gstreamer = qt5.phonon-backend-gstreamer; # added 2015-12-19 -- cgit 1.4.1 From 3ade072aade5ba4ce4a09ce286f4229070926f22 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 21 Jan 2016 12:38:03 +0300 Subject: nixos changelog: mention CUPS changes --- nixos/doc/manual/release-notes/rl-unstable.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml index cd828dfc8887..ffe8171171ac 100644 --- a/nixos/doc/manual/release-notes/rl-unstable.xml +++ b/nixos/doc/manual/release-notes/rl-unstable.xml @@ -145,6 +145,26 @@ nginx.override { from the ELPA, MELPA, and MELPA Stable repositories. + + + CUPS, installed by services.printing module, now + has its data directory in /var/lib/cups. Old + configurations from /etc/cups are moved there + automatically, but there might be problems. Also configuration options + services.printing.cupsdConf and + services.printing.cupsdFilesConf were removed + because they had been allowing one to override configuration variables + required for CUPS to work at all on NixOS. For most use cases, + services.printing.extraConf and new option + services.printing.extraFilesConf should be enough; + if you encounter a situation when they are not, please file a bug. + + There are also Gutenprint improvements; in particular, a new option + services.printing.gutenprint is added to enable automatic + updating of Gutenprint PPMs; it's greatly recommended to enable it instead + of adding gutenprint to the drivers list. + + -- cgit 1.4.1 From eda3e938d720b6415cb4f1a76838712d755b00c1 Mon Sep 17 00:00:00 2001 From: Thomas Bereknyei Date: Thu, 21 Jan 2016 17:16:02 -0500 Subject: IHaskell: remove un-needed inherit --- nixos/modules/services/misc/ihaskell.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/misc/ihaskell.nix b/nixos/modules/services/misc/ihaskell.nix index 13c41466eab2..d0e9b839e754 100644 --- a/nixos/modules/services/misc/ihaskell.nix +++ b/nixos/modules/services/misc/ihaskell.nix @@ -6,7 +6,6 @@ let cfg = config.services.ihaskell; ihaskell = pkgs.ihaskell.override { - inherit (cfg.haskellPackages) ihaskell ghcWithPackages; packages = self: cfg.extraPackages self; }; -- cgit 1.4.1 From e6cd147ae7ae05900ec2ab8ad933bfac7428feac Mon Sep 17 00:00:00 2001 From: Ryan Artecona Date: Fri, 22 Jan 2016 14:22:12 -0500 Subject: nixos manual: allow options from nix packages --- nixos/doc/manual/default.nix | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index bd558dac971d..eb2ceb7fd021 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -1,4 +1,4 @@ -{ pkgs, options, version, revision }: +{ pkgs, options, version, revision, extraSources ? [] }: with pkgs; with pkgs.lib; @@ -17,19 +17,27 @@ let # Clean up declaration sites to not refer to the NixOS source tree. optionsList' = flip map optionsList (opt: opt // { - declarations = map (fn: stripPrefix fn) opt.declarations; + declarations = map (fn: stripAnyPrefixes fn) opt.declarations; } // optionalAttrs (opt ? example) { example = substFunction opt.example; } // optionalAttrs (opt ? default) { default = substFunction opt.default; } // optionalAttrs (opt ? type) { type = substFunction opt.type; }); - prefix = toString ../../..; - - stripPrefix = fn: - if substring 0 (stringLength prefix) fn == prefix then - substring (stringLength prefix + 1) 1000 fn - else - fn; + # We need to strip references to /nix/store/* from options, + # including any `extraSources` if some modules came from elsewhere, + # or else the build will fail. + # + # E.g. if some `options` came from modules in ${pkgs.customModules}/nix, + # you'd need to include `extraSources = [ "#{pkgs.customModules}" ]` + herePrefix = toString ../../..; + prefixesToStrip = [ herePrefix ] ++ extraSources; + + stripAnyPrefixes = fn: + flip (flip fold fn) prefixesToStrip (fn: prefix: + if substring 0 (stringLength prefix) fn == prefix then + substring (stringLength prefix + 1) 1000 fn + else + fn); # Convert the list of options into an XML file. optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList'); -- cgit 1.4.1 From 7ccda42007b892d82b0a89d511d93acec771a83e Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Sat, 23 Jan 2016 19:28:01 +0000 Subject: nixos: uptimed - rewrite and harden a bit (#7220) This is mostly @thoughtpolice's work, but I cleaned it up a bit. --- nixos/modules/services/system/uptimed.nix | 71 +++++++++++++------------------ 1 file changed, 30 insertions(+), 41 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/system/uptimed.nix b/nixos/modules/services/system/uptimed.nix index 5f8916bbf9a4..b20d60968032 100644 --- a/nixos/modules/services/system/uptimed.nix +++ b/nixos/modules/services/system/uptimed.nix @@ -1,66 +1,55 @@ -{pkgs, config, lib, ...}: +{ config, lib, pkgs, ... }: -let - - inherit (lib) mkOption mkIf singleton; - - inherit (pkgs) uptimed; +with lib; +let + cfg = config.services.uptimed; stateDir = "/var/spool/uptimed"; - - uptimedUser = "uptimed"; - in - { - - ###### interface - options = { - services.uptimed = { - enable = mkOption { default = false; description = '' - Uptimed allows you to track your highest uptimes. + Enable uptimed, allowing you to track + your highest uptimes. ''; }; - }; - }; - - ###### implementation - - config = mkIf config.services.uptimed.enable { - - environment.systemPackages = [ uptimed ]; - - users.extraUsers = singleton - { name = uptimedUser; - uid = config.ids.uids.uptimed; - description = "Uptimed daemon user"; - home = stateDir; - }; + config = mkIf cfg.enable { + users.extraUsers.uptimed = { + description = "Uptimed daemon user"; + home = stateDir; + createHome = true; + uid = config.ids.uids.uptimed; + }; systemd.services.uptimed = { - description = "Uptimed daemon"; - wantedBy = [ "multi-user.target" ]; + unitConfig.Documentation = "man:uptimed(8) man:uprecords(1)"; + description = "uptimed service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "on-failure"; + User = "uptimed"; + Nice = 19; + IOSchedulingClass = "idle"; + PrivateTmp = "yes"; + PrivateNetwork = "yes"; + NoNewPrivileges = "yes"; + ReadWriteDirectories = stateDir; + InaccessibleDirectories = "/home"; + ExecStart = "${pkgs.uptimed}/sbin/uptimed -f -p ${stateDir}/pid"; + }; preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${uptimedUser} ${stateDir} - if ! test -f ${stateDir}/bootid ; then - ${uptimed}/sbin/uptimed -b + ${pkgs.uptimed}/sbin/uptimed -b fi ''; - - script = "${uptimed}/sbin/uptimed"; }; - }; - } -- cgit 1.4.1 From e409d0fed3b5d50147b61b6d223d9aa272863485 Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Sat, 23 Jan 2016 20:44:30 +0000 Subject: nixos: update-locatedb - harden via systemd (#7220) Also, use systemd timers. Most of the work is by @thoughtpolice but I changed enough of it to warrant changing commit author. --- nixos/doc/manual/development/writing-modules.xml | 76 +++++++------- nixos/modules/misc/locate.nix | 127 ++++++++++++----------- 2 files changed, 107 insertions(+), 96 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/development/writing-modules.xml b/nixos/doc/manual/development/writing-modules.xml index a699e74e5f62..971e586f20bd 100644 --- a/nixos/doc/manual/development/writing-modules.xml +++ b/nixos/doc/manual/development/writing-modules.xml @@ -107,12 +107,12 @@ the file system. This module declares two options that can be defined by other modules (typically the user’s configuration.nix): (whether the database should -be updated) and (when the +be updated) and (when the update should be done). It implements its functionality by defining two options declared by other modules: (the set of all systemd services) -and (the list of -commands to be executed periodically by cron). +and (the list of commands to be +executed periodically by systemd). NixOS Module for the “locate” Service @@ -120,53 +120,59 @@ commands to be executed periodically by cron). with lib; -let locatedb = "/var/cache/locatedb"; in - -{ - options = { - - services.locate = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - If enabled, NixOS will periodically update the database of - files used by the locate command. - ''; - }; - - period = mkOption { - type = types.str; - default = "15 02 * * *"; - description = '' - This option defines (in the format used by cron) when the - locate database is updated. The default is to update at - 02:15 at night every day. - ''; - }; +let + cfg = config.services.locate; +in { + options.services.locate = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, NixOS will periodically update the database of + files used by the locate command. + ''; + }; + interval = mkOption { + type = types.str; + default = "02:15"; + example = "hourly"; + description = '' + Update the locate database at this interval. Updates by + default at 2:15 AM every day. + + The format is described in + systemd.time + 7. + ''; }; + # Other options omitted for documentation }; config = { - systemd.services.update-locatedb = { description = "Update Locate Database"; path = [ pkgs.su ]; script = '' - mkdir -m 0755 -p $(dirname ${locatedb}) - exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /run' + mkdir -m 0755 -p $(dirname ${toString cfg.output}) + exec updatedb \ + --localuser=${cfg.localuser} \ + ${optionalString (!cfg.includeStore) "--prunepaths='/nix/store'"} \ + --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags} ''; }; - services.cron.systemCronJobs = optional config.services.locate.enable - "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; - + systemd.timers.update-locatedb = mkIf cfg.enable + { description = "Update timer for locate database"; + partOf = [ "update-locatedb.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = cfg.interval; + }; }; -} +} + diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index 4f9c8d4e5ba1..318b81ca07c2 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix @@ -1,76 +1,74 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; let cfg = config.services.locate; in { + options.services.locate = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, NixOS will periodically update the database of + files used by the locate command. + ''; + }; - ###### interface - - options = { - - services.locate = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - If enabled, NixOS will periodically update the database of - files used by the locate command. - ''; - }; - - period = mkOption { - type = types.str; - default = "15 02 * * *"; - description = '' - This option defines (in the format used by cron) when the - locate database is updated. - The default is to update at 02:15 at night every day. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = [ ]; - description = '' - Extra flags to pass to updatedb. - ''; - }; + interval = mkOption { + type = types.str; + default = "02:15"; + example = "hourly"; + description = '' + Update the locate database at this interval. Updates by + default at 2:15 AM every day. + + The format is described in + systemd.time + 7. + ''; + }; - output = mkOption { - type = types.path; - default = "/var/cache/locatedb"; - description = '' - The database file to build. - ''; - }; + # This is no longer supported, but we keep it to give a better warning below + period = mkOption { visible = false; }; - localuser = mkOption { - type = types.str; - default = "nobody"; - description = '' - The user to search non-network directories as, using - su. - ''; - }; + extraFlags = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Extra flags to pass to updatedb. + ''; + }; - includeStore = mkOption { - type = types.bool; - default = false; - description = '' - Whether to include /nix/store in the locate database. - ''; - }; + output = mkOption { + type = types.path; + default = "/var/cache/locatedb"; + description = '' + The database file to build. + ''; + }; + localuser = mkOption { + type = types.str; + default = "nobody"; + description = '' + The user to search non-network directories as, using + su. + ''; }; + includeStore = mkOption { + type = types.bool; + default = false; + description = '' + Whether to include /nix/store in the locate database. + ''; + }; }; - ###### implementation - config = { + warnings = let opt = options.services.locate.period; in optional opt.isDefined "The `period` definition in ${showFiles opt.files} has been removed; please replace it with `interval`, using the new systemd.time interval specifier."; + systemd.services.update-locatedb = { description = "Update Locate Database"; path = [ pkgs.su ]; @@ -84,11 +82,18 @@ in { ''; serviceConfig.Nice = 19; serviceConfig.IOSchedulingClass = "idle"; + serviceConfig.PrivateTmp = "yes"; + serviceConfig.PrivateNetwork = "yes"; + serviceConfig.NoNewPrivileges = "yes"; + serviceConfig.ReadOnlyDirectories = "/"; + serviceConfig.ReadWriteDirectories = cfg.output; }; - services.cron.systemCronJobs = optional config.services.locate.enable - "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; - + systemd.timers.update-locatedb = mkIf cfg.enable + { description = "Update timer for locate database"; + partOf = [ "update-locatedb.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = cfg.interval; + }; }; - } -- cgit 1.4.1 From dd184470550d02ca8f89a0c11b9b20de3ecfa3d1 Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Sun, 24 Jan 2016 04:06:19 +0000 Subject: grsecurity: add NixOS VM test --- nixos/release.nix | 1 + nixos/tests/grsecurity.nix | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 nixos/tests/grsecurity.nix (limited to 'nixos') diff --git a/nixos/release.nix b/nixos/release.nix index 3c7cf84c6729..9c15b1ea0746 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -230,6 +230,7 @@ in rec { #tests.gitlab = callTest tests/gitlab.nix {}; tests.gnome3 = callTest tests/gnome3.nix {}; tests.gnome3-gdm = callTest tests/gnome3-gdm.nix {}; + tests.grsecurity = callTest tests/grsecurity.nix {}; tests.i3wm = callTest tests/i3wm.nix {}; tests.installer.grub1 = forAllSystems (system: hydraJob (import tests/installer.nix { inherit system; }).grub1.test); tests.installer.lvm = forAllSystems (system: hydraJob (import tests/installer.nix { inherit system; }).lvm.test); diff --git a/nixos/tests/grsecurity.nix b/nixos/tests/grsecurity.nix new file mode 100644 index 000000000000..14f1aa9ff885 --- /dev/null +++ b/nixos/tests/grsecurity.nix @@ -0,0 +1,19 @@ +# Basic test to make sure grsecurity works + +import ./make-test.nix ({ pkgs, ...} : { + name = "grsecurity"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ copumpkin ]; + }; + + machine = { config, pkgs, ... }: + { boot.kernelPackages = pkgs.linuxPackages_grsec_testing_server; }; + + testScript = + '' + $machine->succeed("uname -a") =~ /grsec/; + # FIXME: this seems to hang the whole test. Unclear why, but let's fix it + # $machine->succeed("${pkgs.paxtest}/bin/paxtest blackhat"); + ''; +}) + -- cgit 1.4.1 From 312bae7fc07c846d70751ff2d414db2b11c43563 Mon Sep 17 00:00:00 2001 From: Reno Reckling Date: Sun, 24 Jan 2016 11:18:30 +0100 Subject: nixos-ssh: set SSH_ASKPASS globally and not just on interactive shells If we limit SSH_ASKPASS to interactive shells, users are unable to trigger the ssh-passphrase dialog from their desktop environment autostart scripts. Usecase: I call ssh-add during my desktop environment autostart and want to have the passphrase dialog immediately after startup. For this to work, SSH_ASKPASS needs to be propagated properly on non-interactive shells. --- nixos/modules/programs/ssh.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 260888be485f..2da8ff738fbc 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -221,10 +221,7 @@ in fi ''; - environment.interactiveShellInit = optionalString config.services.xserver.enable - '' - export SSH_ASKPASS=${askPassword} - ''; + environment.variables.SSH_ASKPASS = optionalString config.services.xserver.enable askPassword; programs.ssh.askPassword = mkDefault "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; -- cgit 1.4.1 From 80d38d12b42cf1033506b202e390199806e5ab7e Mon Sep 17 00:00:00 2001 From: Thomas Bereknyei Date: Thu, 17 Dec 2015 13:17:49 -0500 Subject: Gateone: fix cacerts dependency --- nixos/modules/services/networking/gateone.nix | 4 +--- pkgs/top-level/python-packages.nix | 9 ++++++--- 2 files changed, 7 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/gateone.nix b/nixos/modules/services/networking/gateone.nix index 93273837181e..78ff0b76198c 100644 --- a/nixos/modules/services/networking/gateone.nix +++ b/nixos/modules/services/networking/gateone.nix @@ -21,7 +21,7 @@ options = { }; config = mkIf cfg.enable { environment.systemPackages = with pkgs.pythonPackages; [ - gateone pkgs.openssh pkgs.procps pkgs.coreutils ]; + gateone pkgs.openssh pkgs.procps pkgs.coreutils pkgs.cacert]; users.extraUsers.gateone = { description = "GateOne privilege separation user"; @@ -49,8 +49,6 @@ config = mkIf cfg.enable { User = "gateone"; Group = "gateone"; WorkingDirectory = cfg.settingsDir; - PermissionsStartOnly = true; - }; wantedBy = [ "multi-user.target" ]; diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 41f0afd9e705..130abbe8f3b2 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -5065,18 +5065,21 @@ in modules // { name = "gateone-1.2-0d57c3"; disabled = ! isPy27; src = pkgs.fetchFromGitHub { - rev = "11ed97c663b3e8c1b8eba473b5cf8362b10d57c3"; + rev = "1d0e8037fbfb7c270f3710ce24154e24b7031bea"; owner= "liftoff"; repo = "GateOne"; - sha256 ="0zp9vfs6sqbx4d0g45kkjinfmsl9zqwa6bhp3xd81wx3ph9yr1hq"; + sha256 = "1ghrawlqwv7wnck6alqpbwy9mpv0y21cw2jirrvsxaracmvgk6vv"; }; - propagatedBuildInputs = with self; [tornado futures html5lib readline pkgs.openssl]; + propagatedBuildInputs = with self; [tornado futures html5lib readline pkgs.openssl pkgs.cacert pkgs.openssh]; meta = { homepage = https://liftoffsoftware.com/; description = "GateOne is a web-based terminal emulator and SSH client"; maintainers = with maintainers; [ tomberek ]; }; + postInstall='' + cp -R $out/gateone/* $out/lib/python2.7/site-packages/gateone + ''; }; gcutil = buildPythonPackage rec { -- cgit 1.4.1 From 3e1599f57bbc9a83222ba0cbd91e55f09ce48875 Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Mon, 25 Jan 2016 07:55:42 +0100 Subject: nixos-generate-config: fix #12595: broadcom quoting --- nixos/modules/installer/tools/nixos-generate-config.pl | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index c590c4cde3f0..2284eba07a2d 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -148,7 +148,7 @@ sub pciCheck { $device eq "0x4331" || $device eq "0x43a0" || $device eq "0x43b1" ) ) { - push @modulePackages, "\${config.boot.kernelPackages.broadcom_sta}"; + push @modulePackages, "config.boot.kernelPackages.broadcom_sta"; push @kernelModules, "wl"; } @@ -422,13 +422,20 @@ EOF # Generate the hardware configuration file. -sub toNixExpr { +sub toNixStringList { my $res = ""; foreach my $s (@_) { $res .= " \"$s\""; } return $res; } +sub toNixList { + my $res = ""; + foreach my $s (@_) { + $res .= " $s"; + } + return $res; +} sub multiLineList { my $indent = shift; @@ -444,9 +451,9 @@ sub multiLineList { return $res; } -my $initrdAvailableKernelModules = toNixExpr(uniq @initrdAvailableKernelModules); -my $kernelModules = toNixExpr(uniq @kernelModules); -my $modulePackages = toNixExpr(uniq @modulePackages); +my $initrdAvailableKernelModules = toNixStringList(uniq @initrdAvailableKernelModules); +my $kernelModules = toNixStringList(uniq @kernelModules); +my $modulePackages = toNixList(uniq @modulePackages); my $fsAndSwap = ""; if (!$noFilesystems) { -- cgit 1.4.1 From c95bd5d08594ddf26280e7998e7c762aa5f0b01b Mon Sep 17 00:00:00 2001 From: Tony White Date: Tue, 26 Jan 2016 06:17:32 +0000 Subject: sddm: add numlock switch - added numlock on boot switch - simply add : services.xserver.displayManager.sddm.autoNumlock = true; to configuration.nix and sddm will start with numlock enabled. --- nixos/modules/services/x11/display-managers/sddm.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index bcac83aa738b..4d61afe0eaeb 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -31,6 +31,9 @@ let [General] HaltCommand=${pkgs.systemd}/bin/systemctl poweroff RebootCommand=${pkgs.systemd}/bin/systemctl reboot + ${optionalString cfg.autoNumlock '' + Numlock=on + ''} [Theme] Current=${cfg.theme} @@ -110,6 +113,14 @@ in ''; }; + autoNumlock = mkOption { + type = types.bool; + default = false; + description = '' + Enable numlock at login. + ''; + }; + setupScript = mkOption { type = types.str; default = ""; -- cgit 1.4.1 From 1ae1791e8e8b047d2a45221845ca40ed7f928503 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Mon, 25 Jan 2016 02:57:15 +0300 Subject: nixos opengl: add extraPackages and extraPackages32 --- nixos/modules/hardware/opengl.nix | 36 ++++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 7693bd5bb453..fabdfad869cc 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -10,7 +10,7 @@ let videoDrivers = config.services.xserver.videoDrivers; - makePackage = p: p.buildEnv { + makePackage = p: pkgs.buildEnv { name = "mesa-drivers+txc-${p.mesa_drivers.version}"; paths = [ p.mesa_drivers @@ -19,6 +19,16 @@ let ]; }; + package = pkgs.buildEnv { + name = "opengl-drivers"; + paths = [ cfg.package ] ++ cfg.extraPackages; + }; + + package32 = pkgs.buildEnv { + name = "opengl-drivers-32bit"; + paths = [ cfg.package32 ] ++ cfg.extraPackages32; + }; + in { @@ -75,7 +85,25 @@ in internal = true; description = '' The package that provides the 32-bit OpenGL implementation on - 64-bit systems. Used when is + 64-bit systems. Used when is + set. + ''; + }; + + hardware.opengl.extraPackages = mkOption { + type = types.listOf types.package; + default = []; + description = '' + Additional packages to add to OpenGL drivers. + ''; + }; + + hardware.opengl.extraPackages32 = mkOption { + type = types.listOf types.package; + default = []; + description = '' + Additional packages to add to 32-bit OpenGL drivers on + 64-bit systems. Used when is set. ''; }; @@ -91,11 +119,11 @@ in system.activationScripts.setup-opengl = '' - ln -sfn ${cfg.package} /run/opengl-driver + ln -sfn ${package} /run/opengl-driver ${if pkgs.stdenv.isi686 then '' ln -sfn opengl-driver /run/opengl-driver-32 '' else if cfg.driSupport32Bit then '' - ln -sfn ${cfg.package32} /run/opengl-driver-32 + ln -sfn ${package32} /run/opengl-driver-32 '' else '' rm -f /run/opengl-driver-32 ''} -- cgit 1.4.1 From b52acfdf0178a3bd3cd3b359dc9dbc354992aff3 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Mon, 25 Jan 2016 02:57:28 +0300 Subject: nixos xserver: remove vaapiDrivers Use hardware.opengl.extraPackages instead. --- nixos/doc/manual/release-notes/rl-unstable.xml | 6 ++++++ nixos/modules/hardware/opengl.nix | 7 +++++-- nixos/modules/rename.nix | 1 + nixos/modules/services/x11/display-managers/default.nix | 9 --------- nixos/modules/services/x11/xserver.nix | 9 --------- 5 files changed, 12 insertions(+), 20 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml index 092c2a788ed8..ffde542d4e18 100644 --- a/nixos/doc/manual/release-notes/rl-unstable.xml +++ b/nixos/doc/manual/release-notes/rl-unstable.xml @@ -174,6 +174,12 @@ nginx.override { of adding gutenprint to the drivers list. + + + services.xserver.vaapiDrivers has been removed. Use + services.hardware.opengl.extraPackages{,32} instead. You can + also specify VDPAU drivers there. + diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index fabdfad869cc..d3b146be6b33 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -93,18 +93,21 @@ in hardware.opengl.extraPackages = mkOption { type = types.listOf types.package; default = []; + example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]"; description = '' - Additional packages to add to OpenGL drivers. + Additional packages to add to OpenGL drivers. This can be used + to add additional VA-API/VDPAU drivers. ''; }; hardware.opengl.extraPackages32 = mkOption { type = types.listOf types.package; default = []; + example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]"; description = '' Additional packages to add to 32-bit OpenGL drivers on 64-bit systems. Used when is - set. + set. This can be used to add additional VA-API/VDPAU drivers. ''; }; diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index cc7557c06eb4..6e10b47f03cc 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -77,6 +77,7 @@ with lib; (mkRenamedOptionModule [ "services" "xserver" "driSupport32Bit" ] [ "hardware" "opengl" "driSupport32Bit" ]) (mkRenamedOptionModule [ "services" "xserver" "s3tcSupport" ] [ "hardware" "opengl" "s3tcSupport" ]) (mkRenamedOptionModule [ "hardware" "opengl" "videoDrivers" ] [ "services" "xserver" "videoDrivers" ]) + (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) (mkRenamedOptionModule [ "services" "mysql55" ] [ "services" "mysql" ]) diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index bad99ccd8696..d7825400b5ae 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -16,13 +16,6 @@ let cfg = config.services.xserver; xorg = pkgs.xorg; - vaapiDrivers = pkgs.buildEnv { - name = "vaapi-drivers"; - paths = cfg.vaapiDrivers; - # We only want /lib/dri, but with a single input path, we need "/" for it to work - pathsToLink = [ "/" ]; - }; - fontconfig = config.fonts.fontconfig; xresourcesXft = pkgs.writeText "Xresources-Xft" '' ${optionalString (fontconfig.dpi != 0) ''Xft.dpi: ${toString fontconfig.dpi}''} @@ -107,8 +100,6 @@ let ${xorg.xrdb}/bin/xrdb -merge ~/.Xdefaults fi - export LIBVA_DRIVERS_PATH=${vaapiDrivers}/lib/dri - # Speed up application start by 50-150ms according to # http://kdemonkey.blogspot.nl/2008/04/magic-trick.html rm -rf $HOME/.compose-cache diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 68745ba8197a..653c97d7e6fa 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -216,15 +216,6 @@ in ''; }; - vaapiDrivers = mkOption { - type = types.listOf types.path; - default = [ ]; - example = literalExample "[ pkgs.vaapiIntel pkgs.vaapiVdpau ]"; - description = '' - Packages providing libva acceleration drivers. - ''; - }; - startGnuPGAgent = mkOption { type = types.bool; default = false; -- cgit 1.4.1 From 2352e2589ea0de775ffb6b68e66964c694953ea9 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 18 Jan 2016 13:57:27 +0100 Subject: audit: Disable in containers This barfs: Jan 18 12:46:32 machine 522i0x9l80z7gw56iahxjjsdjp0xi10q-audit-start[506]: The audit system is disabled --- nixos/modules/security/audit.nix | 4 +++- nixos/modules/virtualisation/container-config.nix | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix index 3aa31e079073..f223f52ec487 100644 --- a/nixos/modules/security/audit.nix +++ b/nixos/modules/security/audit.nix @@ -93,9 +93,11 @@ in { config = mkIf (cfg.enable == "lock" || cfg.enable) { systemd.services.audit = { - description = "pseudo-service representing the kernel audit state"; + description = "Kernel Auditing"; wantedBy = [ "basic.target" ]; + unitConfig.ConditionVirtualization = "!container"; + path = [ pkgs.audit ]; serviceConfig = { diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index c210c8d5f25e..b4f9d8b6fc17 100644 --- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix @@ -19,6 +19,9 @@ with lib; # Shut up warnings about not having a boot loader. system.build.installBootLoader = "${pkgs.coreutils}/bin/true"; + # Not supported in systemd-nspawn containers. + security.audit.enable = false; + }; } -- cgit 1.4.1 From bfebc7342e42ebe7a57c9e21b11ab19579189bfd Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 29 Jan 2016 02:32:05 +0100 Subject: Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt --- nixos/modules/programs/venus.nix | 2 +- nixos/modules/security/ca.nix | 10 +++++----- nixos/modules/services/misc/nix-daemon.nix | 2 +- nixos/modules/services/monitoring/dd-agent.nix | 2 +- nixos/modules/services/networking/ddclient.nix | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix index 8f85b602fe2c..c3756b4838c7 100644 --- a/nixos/modules/programs/venus.nix +++ b/nixos/modules/programs/venus.nix @@ -165,7 +165,7 @@ in script = "exec venus-planet ${configFile}"; serviceConfig.User = "${cfg.user}"; serviceConfig.Group = "${cfg.group}"; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; + environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; startAt = cfg.dates; }; diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index ddfad52d42ed..98d73ed25426 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -4,7 +4,7 @@ with lib; let - caBundle = pkgs.runCommand "ca-bundle.crt" + caCertificates = pkgs.runCommand "ca-certificates.crt" { files = config.security.pki.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ]; @@ -26,7 +26,7 @@ in description = '' A list of files containing trusted root certificates in PEM format. These are concatenated to form - /etc/ssl/certs/ca-bundle.crt, which is + /etc/ssl/certs/ca-certificates.crt, which is used by many programs that use OpenSSL, such as curl and git. ''; @@ -56,13 +56,13 @@ in security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. - environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; + environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates; # Old NixOS compatibility. - environment.etc."ssl/certs/ca-bundle.crt".source = caBundle; + environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates; # CentOS/Fedora compatibility. - environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle; + environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates; environment.sessionVariables = { SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index da03eb17e302..8e984727a80e 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -364,7 +364,7 @@ in ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; environment = cfg.envVars - // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt"; } + // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } // config.networking.proxy.envVars; serviceConfig = diff --git a/nixos/modules/services/monitoring/dd-agent.nix b/nixos/modules/services/monitoring/dd-agent.nix index 8c847af3bfc0..ed9be73ba65b 100644 --- a/nixos/modules/services/monitoring/dd-agent.nix +++ b/nixos/modules/services/monitoring/dd-agent.nix @@ -183,7 +183,7 @@ in { Restart = "always"; RestartSec = 2; }; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; + environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ]; }; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index ee06dfbbca3a..e60520c742bd 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -127,7 +127,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; + environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; serviceConfig = { # Uncomment this if too many problems occur: # Type = "forking"; -- cgit 1.4.1 From 39b5bc3b2f6b214e65c39ab74baa10eba0c7d7a3 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Fri, 29 Jan 2016 14:40:51 +0300 Subject: fontconfig service: add pre-generated fonts caches --- nixos/modules/config/fonts/fontconfig.nix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index be6662decea6..e078a75b295c 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -129,6 +129,14 @@ with lib; }; + cache32Bit = mkOption { + default = false; + type = types.bool; + description = '' + Generate system fonts cache for 32-bit applications. + ''; + }; + }; }; @@ -231,12 +239,19 @@ with lib; "${pkgs.fontconfig}/etc/fonts/fonts.conf"; environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text = - '' + let + cache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; }; + in '' ${concatStringsSep "\n" (map (font: "${font}") config.fonts.fonts)} + + ${cache pkgs.fontconfig} + ${optionalString (pkgs.stdenv.isx86_64 && config.fonts.fontconfig.cache32Bit) '' + ${cache pkgs.pkgsi686Linux.fontconfig} + ''} ''; -- cgit 1.4.1