diff options
| author | Mx Kookie <kookie@spacekookie.de> | 2020-12-21 06:05:12 +0100 |
|---|---|---|
| committer | Mx Kookie <kookie@spacekookie.de> | 2020-12-21 06:05:12 +0100 |
| commit | f107be784e6d5da5f90735765a68fdff96acfbb4 (patch) | |
| tree | 145573a598009fb6adbd5ef7fbce0a850681f5f0 /infra/libkookie/nixpkgs/nixos/modules/services/system | |
| parent | 2e04b35e5ac3a9123cafffbc84494fa4d389cca0 (diff) | |
| parent | e9158eca70ae59e73fae23be5d13d3fa0cfc78b4 (diff) | |
Add 'infra/libkookie/nixpkgs/' from commit 'e9158eca70ae59e73fae23be5d13d3fa0cfc78b4'
git-subtree-dir: infra/libkookie/nixpkgs
git-subtree-mainline: 2e04b35e5ac3a9123cafffbc84494fa4d389cca0
git-subtree-split: e9158eca70ae59e73fae23be5d13d3fa0cfc78b4
Diffstat (limited to 'infra/libkookie/nixpkgs/nixos/modules/services/system')
11 files changed, 938 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/cloud-init.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/cloud-init.nix new file mode 100644 index 000000000000..3518e0ee9dca --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/cloud-init.nix @@ -0,0 +1,180 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.services.cloud-init; + path = with pkgs; [ + cloud-init + iproute + nettools + openssh + shadow + util-linux + ] ++ optional cfg.btrfs.enable btrfs-progs + ++ optional cfg.ext4.enable e2fsprogs + ; +in +{ + options = { + services.cloud-init = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the cloud-init service. This services reads + configuration metadata in a cloud environment and configures + the machine according to this metadata. + + This configuration is not completely compatible with the + NixOS way of doing configuration, as configuration done by + cloud-init might be overriden by a subsequent nixos-rebuild + call. However, some parts of cloud-init fall outside of + NixOS's responsibility, like filesystem resizing and ssh + public key provisioning, and cloud-init is useful for that + parts. Thus, be wary that using cloud-init in NixOS might + come as some cost. + ''; + }; + + btrfs.enable = mkOption { + type = types.bool; + default = false; + description = '' + Allow the cloud-init service to operate `btrfs` filesystem. + ''; + }; + + ext4.enable = mkOption { + type = types.bool; + default = true; + description = '' + Allow the cloud-init service to operate `ext4` filesystem. + ''; + }; + + config = mkOption { + type = types.str; + default = '' + system_info: + distro: nixos + users: + - root + + disable_root: false + preserve_hostname: false + + cloud_init_modules: + - migrator + - seed_random + - bootcmd + - write-files + - growpart + - resizefs + - update_etc_hosts + - ca-certs + - rsyslog + - users-groups + + cloud_config_modules: + - disk_setup + - mounts + - ssh-import-id + - set-passwords + - timezone + - disable-ec2-metadata + - runcmd + - ssh + + cloud_final_modules: + - rightscale_userdata + - scripts-vendor + - scripts-per-once + - scripts-per-boot + - scripts-per-instance + - scripts-user + - ssh-authkey-fingerprints + - keys-to-console + - phone-home + - final-message + - power-state-change + ''; + description = ''cloud-init configuration.''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + environment.etc."cloud/cloud.cfg".text = cfg.config; + + systemd.services.cloud-init-local = + { description = "Initial cloud-init job (pre-networking)"; + wantedBy = [ "multi-user.target" ]; + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init init --local"; + RemainAfterExit = "yes"; + TimeoutSec = "infinity"; + StandardOutput = "journal+console"; + }; + }; + + systemd.services.cloud-init = + { description = "Initial cloud-init job (metadata service crawler)"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" "cloud-init-local.service" + "sshd.service" "sshd-keygen.service" ]; + after = [ "network-online.target" "cloud-init-local.service" ]; + before = [ "sshd.service" "sshd-keygen.service" ]; + requires = [ "network.target "]; + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init init"; + RemainAfterExit = "yes"; + TimeoutSec = "infinity"; + StandardOutput = "journal+console"; + }; + }; + + systemd.services.cloud-config = + { description = "Apply the settings specified in cloud-config"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" "syslog.target" "cloud-config.target" ]; + + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init modules --mode=config"; + RemainAfterExit = "yes"; + TimeoutSec = "infinity"; + StandardOutput = "journal+console"; + }; + }; + + systemd.services.cloud-final = + { description = "Execute cloud user/final scripts"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" "syslog.target" "cloud-config.service" "rc-local.service" ]; + requires = [ "cloud-config.target" ]; + path = path; + serviceConfig = + { Type = "oneshot"; + ExecStart = "${pkgs.cloud-init}/bin/cloud-init modules --mode=final"; + RemainAfterExit = "yes"; + TimeoutSec = "infinity"; + StandardOutput = "journal+console"; + }; + }; + + systemd.targets.cloud-config = + { description = "Cloud-config availability"; + requires = [ "cloud-init-local.service" "cloud-init.service" ]; + }; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/dbus.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/dbus.nix new file mode 100644 index 000000000000..d4cacb85694b --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/dbus.nix @@ -0,0 +1,139 @@ +# D-Bus configuration and system bus daemon. + +{ config, lib, options, pkgs, ... }: + +with lib; + +let + + cfg = config.services.dbus; + + homeDir = "/run/dbus"; + + configDir = pkgs.makeDBusConf { + inherit (cfg) apparmor; + suidHelper = "${config.security.wrapperDir}/dbus-daemon-launch-helper"; + serviceDirectories = cfg.packages; + }; + +in + +{ + ###### interface + + options = { + + services.dbus = { + + enable = mkOption { + type = types.bool; + default = false; + internal = true; + description = '' + Whether to start the D-Bus message bus daemon, which is + required by many other system services and applications. + ''; + }; + + packages = mkOption { + type = types.listOf types.path; + default = [ ]; + description = '' + Packages whose D-Bus configuration files should be included in + the configuration of the D-Bus system-wide or session-wide + message bus. Specifically, files in the following directories + will be included into their respective DBus configuration paths: + <filename><replaceable>pkg</replaceable>/etc/dbus-1/system.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/system.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/system-services</filename> + <filename><replaceable>pkg</replaceable>/etc/dbus-1/session.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/session.d</filename> + <filename><replaceable>pkg</replaceable>/share/dbus-1/services</filename> + ''; + }; + + apparmor = mkOption { + type = types.enum [ "enabled" "disabled" "required" ]; + description = '' + AppArmor mode for dbus. + + <literal>enabled</literal> enables mediation when it's + supported in the kernel, <literal>disabled</literal> + always disables AppArmor even with kernel support, and + <literal>required</literal> fails when AppArmor was not found + in the kernel. + ''; + default = "disabled"; + }; + + socketActivated = mkOption { + type = types.nullOr types.bool; + default = null; + visible = false; + description = '' + Removed option, do not use. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + warnings = optional (cfg.socketActivated != null) ( + let + files = showFiles options.services.dbus.socketActivated.files; + in + "The option 'services.dbus.socketActivated' in ${files} no longer has" + + " any effect and can be safely removed: the user D-Bus session is" + + " now always socket activated." + ); + + environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ]; + + environment.etc."dbus-1".source = configDir; + + users.users.messagebus = { + uid = config.ids.uids.messagebus; + description = "D-Bus system message bus daemon user"; + home = homeDir; + group = "messagebus"; + }; + + users.groups.messagebus.gid = config.ids.gids.messagebus; + + systemd.packages = [ pkgs.dbus.daemon ]; + + security.wrappers.dbus-daemon-launch-helper = { + source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; + owner = "root"; + group = "messagebus"; + setuid = true; + setgid = false; + permissions = "u+rx,g+rx,o-rx"; + }; + + services.dbus.packages = [ + pkgs.dbus.out + config.system.path + ]; + + systemd.services.dbus = { + # Don't restart dbus-daemon. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ configDir ]; + environment = { LD_LIBRARY_PATH = config.system.nssModules.path; }; + }; + + systemd.user = { + services.dbus = { + # Don't restart dbus-daemon. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ configDir ]; + }; + sockets.dbus.wantedBy = [ "sockets.target" ]; + }; + + environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ]; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/earlyoom.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/earlyoom.nix new file mode 100644 index 000000000000..e29bdbe264cc --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/earlyoom.nix @@ -0,0 +1,123 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + ecfg = config.services.earlyoom; +in +{ + options = { + services.earlyoom = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable early out of memory killing. + ''; + }; + + freeMemThreshold = mkOption { + type = types.int; + default = 10; + description = '' + Minimum of availabe memory (in percent). + If the free memory falls below this threshold and the analog is true for + <option>services.earlyoom.freeSwapThreshold</option> + the killing begins. + ''; + }; + + freeSwapThreshold = mkOption { + type = types.int; + default = 10; + description = '' + Minimum of availabe swap space (in percent). + If the available swap space falls below this threshold and the analog + is true for <option>services.earlyoom.freeMemThreshold</option> + the killing begins. + ''; + }; + + useKernelOOMKiller= mkOption { + type = types.bool; + default = false; + description = '' + Use kernel OOM killer instead of own user-space implementation. + ''; + }; + + ignoreOOMScoreAdjust = mkOption { + type = types.bool; + default = false; + description = '' + Ignore oom_score_adjust values of processes. + User-space implementation only. + ''; + }; + + enableDebugInfo = mkOption { + type = types.bool; + default = false; + description = '' + Enable debugging messages. + ''; + }; + + notificationsCommand = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + This option is deprecated and ignored by earlyoom since 1.6. + Use <option>services.earlyoom.enableNotifications</option> instead. + ''; + }; + + enableNotifications = mkOption { + type = types.bool; + default = false; + description = '' + Send notifications about killed processes via the system d-bus. + To actually see the notifications in your GUI session, you need to have + <literal>systembus-notify</literal> running as your user. + + See <link xlink:href="https://github.com/rfjakob/earlyoom#notifications">README</link> for details. + ''; + }; + }; + }; + + config = mkIf ecfg.enable { + assertions = [ + { assertion = ecfg.freeMemThreshold > 0 && ecfg.freeMemThreshold <= 100; + message = "Needs to be a positive percentage"; } + { assertion = ecfg.freeSwapThreshold > 0 && ecfg.freeSwapThreshold <= 100; + message = "Needs to be a positive percentage"; } + { assertion = !ecfg.useKernelOOMKiller || !ecfg.ignoreOOMScoreAdjust; + message = "Both options in conjunction do not make sense"; } + ]; + + warnings = optional (ecfg.notificationsCommand != null) + "`services.earlyoom.notificationsCommand` is deprecated and ignored by earlyoom since 1.6."; + + systemd.services.earlyoom = { + description = "Early OOM Daemon for Linux"; + wantedBy = [ "multi-user.target" ]; + path = optional ecfg.enableNotifications pkgs.dbus; + serviceConfig = { + StandardOutput = "null"; + ExecStart = '' + ${pkgs.earlyoom}/bin/earlyoom \ + -m ${toString ecfg.freeMemThreshold} \ + -s ${toString ecfg.freeSwapThreshold} \ + ${optionalString ecfg.useKernelOOMKiller "-k"} \ + ${optionalString ecfg.ignoreOOMScoreAdjust "-i"} \ + ${optionalString ecfg.enableDebugInfo "-d"} \ + ${optionalString ecfg.enableNotifications "-n"} + ''; + }; + }; + + environment.systemPackages = optional ecfg.enableNotifications pkgs.systembus-notify; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/default.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/default.nix new file mode 100644 index 000000000000..9a1e67399010 --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/default.nix @@ -0,0 +1,75 @@ +{config, lib, ...}: + +let + inherit (lib) mkOption mkIf types length attrNames; + cfg = config.services.kerberos_server; + kerberos = config.krb5.kerberos; + + aclEntry = { + options = { + principal = mkOption { + type = types.str; + description = "Which principal the rule applies to"; + }; + access = mkOption { + type = types.either + (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"])) + (types.enum ["all"]); + default = "all"; + description = "The changes the principal is allowed to make."; + }; + target = mkOption { + type = types.str; + default = "*"; + description = "The principals that 'access' applies to."; + }; + }; + }; + + realm = { + options = { + acl = mkOption { + type = types.listOf (types.submodule aclEntry); + default = [ + { principal = "*/admin"; access = "all"; } + { principal = "admin"; access = "all"; } + ]; + description = '' + The privileges granted to a user. + ''; + }; + }; + }; +in + +{ + imports = [ + ./mit.nix + ./heimdal.nix + ]; + + ###### interface + options = { + services.kerberos_server = { + enable = lib.mkEnableOption "the kerberos authentification server"; + + realms = mkOption { + type = types.attrsOf (types.submodule realm); + description = '' + The realm(s) to serve keys for. + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ kerberos ]; + assertions = [{ + assertion = length (attrNames cfg.realms) <= 1; + message = "Only one realm per server is currently supported."; + }]; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/heimdal.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/heimdal.nix new file mode 100644 index 000000000000..f0e56c7951a4 --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/heimdal.nix @@ -0,0 +1,68 @@ +{ pkgs, config, lib, ... } : + +let + inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs + mapAttrsToList; + cfg = config.services.kerberos_server; + kerberos = config.krb5.kerberos; + stateDir = "/var/heimdal"; + aclFiles = mapAttrs + (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings (( + {principal, access, target, ...} : + "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n" + )) acl)) cfg.realms; + + kdcConfigs = mapAttrsToList (name: value: '' + database = { + dbname = ${stateDir}/heimdal + acl_file = ${value} + } + '') aclFiles; + kdcConfFile = pkgs.writeText "kdc.conf" '' + [kdc] + ${concatStringsSep "\n" kdcConfigs} + ''; +in + +{ + # No documentation about correct triggers, so guessing at them. + + config = mkIf (cfg.enable && kerberos == pkgs.heimdalFull) { + systemd.services.kadmind = { + description = "Kerberos Administration Daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = + "${kerberos}/libexec/heimdal/kadmind --config-file=/etc/heimdal-kdc/kdc.conf"; + restartTriggers = [ kdcConfFile ]; + }; + + systemd.services.kdc = { + description = "Key Distribution Center daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = + "${kerberos}/libexec/heimdal/kdc --config-file=/etc/heimdal-kdc/kdc.conf"; + restartTriggers = [ kdcConfFile ]; + }; + + systemd.services.kpasswdd = { + description = "Kerberos Password Changing daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = "${kerberos}/libexec/heimdal/kpasswdd"; + restartTriggers = [ kdcConfFile ]; + }; + + environment.etc = { + # Can be set via the --config-file option to KDC + "heimdal-kdc/kdc.conf".source = kdcConfFile; + }; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/mit.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/mit.nix new file mode 100644 index 000000000000..25d7d51e808a --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/kerberos/mit.nix @@ -0,0 +1,68 @@ +{ pkgs, config, lib, ... } : + +let + inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList + mapAttrs mapAttrsToList; + cfg = config.services.kerberos_server; + kerberos = config.krb5.kerberos; + stateDir = "/var/lib/krb5kdc"; + PIDFile = "/run/kdc.pid"; + aclMap = { + add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m"; + all = "*"; + }; + aclFiles = mapAttrs + (name: {acl, ...}: (pkgs.writeText "${name}.acl" (concatMapStrings ( + {principal, access, target, ...} : + let access_code = map (a: aclMap.${a}) (toList access); in + "${principal} ${concatStrings access_code} ${target}\n" + ) acl))) cfg.realms; + kdcConfigs = mapAttrsToList (name: value: '' + ${name} = { + acl_file = ${value} + } + '') aclFiles; + kdcConfFile = pkgs.writeText "kdc.conf" '' + [realms] + ${concatStringsSep "\n" kdcConfigs} + ''; + env = { + # What Debian uses, could possibly link directly to Nix store? + KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf"; + }; +in + +{ + config = mkIf (cfg.enable && kerberos == pkgs.krb5Full) { + systemd.services.kadmind = { + description = "Kerberos Administration Daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork"; + restartTriggers = [ kdcConfFile ]; + environment = env; + }; + + systemd.services.kdc = { + description = "Key Distribution Center daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig = { + Type = "forking"; + PIDFile = PIDFile; + ExecStart = "${kerberos}/bin/krb5kdc -P ${PIDFile}"; + }; + restartTriggers = [ kdcConfFile ]; + environment = env; + }; + + environment.etc = { + "krb5kdc/kdc.conf".source = kdcConfFile; + }; + environment.variables = env; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/localtime.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/localtime.nix new file mode 100644 index 000000000000..8f8e2e2e9339 --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/localtime.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.localtime; +in { + options = { + services.localtime = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable <literal>localtime</literal>, simple daemon for keeping the system + timezone up-to-date based on the current location. It uses geoclue2 to + determine the current location and systemd-timedated to actually set + the timezone. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + services.geoclue2 = { + enable = true; + appConfig.localtime = { + isAllowed = true; + isSystem = true; + }; + }; + + # We use the 'out' output, since localtime has its 'bin' output + # first, so that is what we get if we use the derivation bare. + # Install the polkit rules. + environment.systemPackages = [ pkgs.localtime.out ]; + # Install the systemd unit. + systemd.packages = [ pkgs.localtime.out ]; + + users.users.localtimed = { + description = "Taskserver user"; + }; + + systemd.services.localtime = { + wantedBy = [ "multi-user.target" ]; + serviceConfig.Restart = "on-failure"; + }; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/nscd.conf b/infra/libkookie/nixpkgs/nixos/modules/services/system/nscd.conf new file mode 100644 index 000000000000..722b883ba420 --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/nscd.conf @@ -0,0 +1,34 @@ +# We basically use nscd as a proxy for forwarding nss requests to appropriate +# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory +# containing all such modules +# Note that we can not use `enable-cache no` As this will actually cause nscd +# to just reject the nss requests it receives, which then causes glibc to +# fallback to trying to handle the request by itself. Which won't work as glibc +# is not aware of the path in which the nss modules live. As a workaround, we +# have `enable-cache yes` with an explicit ttl of 0 +server-user nscd + +enable-cache passwd yes +positive-time-to-live passwd 0 +negative-time-to-live passwd 0 +shared passwd yes + +enable-cache group yes +positive-time-to-live group 0 +negative-time-to-live group 0 +shared group yes + +enable-cache netgroup yes +positive-time-to-live netgroup 0 +negative-time-to-live netgroup 0 +shared netgroup yes + +enable-cache hosts yes +positive-time-to-live hosts 0 +negative-time-to-live hosts 0 +shared hosts yes + +enable-cache services yes +positive-time-to-live services 0 +negative-time-to-live services 0 +shared services yes diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/nscd.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/nscd.nix new file mode 100644 index 000000000000..d720f254b813 --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/nscd.nix @@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + nssModulesPath = config.system.nssModules.path; + cfg = config.services.nscd; + + nscd = if pkgs.stdenv.hostPlatform.libc == "glibc" + then pkgs.stdenv.cc.libc.bin + else pkgs.glibc.bin; + +in + +{ + + ###### interface + + options = { + + services.nscd = { + + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Name Service Cache Daemon. + Disabling this is strongly discouraged, as this effectively disables NSS Lookups + from all non-glibc NSS modules, including the ones provided by systemd. + ''; + }; + + config = mkOption { + type = types.lines; + default = builtins.readFile ./nscd.conf; + description = "Configuration to use for Name Service Cache Daemon."; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + environment.etc."nscd.conf".text = cfg.config; + + systemd.services.nscd = + { description = "Name Service Cache Daemon"; + + wantedBy = [ "nss-lookup.target" "nss-user-lookup.target" ]; + + environment = { LD_LIBRARY_PATH = nssModulesPath; }; + + restartTriggers = [ + config.environment.etc.hosts.source + config.environment.etc."nsswitch.conf".source + config.environment.etc."nscd.conf".source + ]; + + # We use DynamicUser because in default configurations nscd doesn't + # create any files that need to survive restarts. However, in some + # configurations, nscd needs to be started as root; it will drop + # privileges after all the NSS modules have read their configuration + # files. So prefix the ExecStart command with "!" to prevent systemd + # from dropping privileges early. See ExecStart in systemd.service(5). + serviceConfig = + { ExecStart = "!@${nscd}/sbin/nscd nscd"; + Type = "forking"; + DynamicUser = true; + RuntimeDirectory = "nscd"; + PIDFile = "/run/nscd/nscd.pid"; + Restart = "always"; + ExecReload = + [ "${nscd}/sbin/nscd --invalidate passwd" + "${nscd}/sbin/nscd --invalidate group" + "${nscd}/sbin/nscd --invalidate hosts" + ]; + }; + }; + + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/saslauthd.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/saslauthd.nix new file mode 100644 index 000000000000..8fcf4fb91fc4 --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/saslauthd.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.saslauthd; + +in + +{ + + ###### interface + + options = { + + services.saslauthd = { + + enable = mkEnableOption "saslauthd, the Cyrus SASL authentication daemon"; + + package = mkOption { + default = pkgs.cyrus_sasl.bin; + defaultText = "pkgs.cyrus_sasl.bin"; + type = types.package; + description = "Cyrus SASL package to use."; + }; + + mechanism = mkOption { + type = types.str; + default = "pam"; + description = "Auth mechanism to use"; + }; + + config = mkOption { + type = types.lines; + default = ""; + description = "Configuration to use for Cyrus SASL authentication daemon."; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.saslauthd = { + description = "Cyrus SASL authentication daemon"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "@${cfg.package}/sbin/saslauthd saslauthd -a ${cfg.mechanism} -O ${pkgs.writeText "saslauthd.conf" cfg.config}"; + Type = "forking"; + PIDFile = "/run/saslauthd/saslauthd.pid"; + Restart = "always"; + }; + }; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/system/uptimed.nix b/infra/libkookie/nixpkgs/nixos/modules/services/system/uptimed.nix new file mode 100644 index 000000000000..1e256c51408e --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/system/uptimed.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.uptimed; + stateDir = "/var/spool/uptimed"; +in +{ + options = { + services.uptimed = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable <literal>uptimed</literal>, allowing you to track + your highest uptimes. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.uptimed = { + description = "Uptimed daemon user"; + home = stateDir; + createHome = true; + uid = config.ids.uids.uptimed; + }; + + systemd.services.uptimed = { + unitConfig.Documentation = "man:uptimed(8) man:uprecords(1)"; + description = "uptimed service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "on-failure"; + User = "uptimed"; + Nice = 19; + IOSchedulingClass = "idle"; + PrivateTmp = "yes"; + PrivateNetwork = "yes"; + NoNewPrivileges = "yes"; + ReadWriteDirectories = stateDir; + InaccessibleDirectories = "/home"; + ExecStart = "${pkgs.uptimed}/sbin/uptimed -f -p ${stateDir}/pid"; + }; + + preStart = '' + if ! test -f ${stateDir}/bootid ; then + ${pkgs.uptimed}/sbin/uptimed -b + fi + ''; + }; + }; +} |