authorKatharina Fey <kookie@spacekookie.de>2020-04-19 14:57:25 +0200
committerKatharina Fey <kookie@spacekookie.de>2020-04-19 14:57:25 +0200
commit0ca211d4ec600fa7b3cc701e4997cd1e8d38ebdc (patch)
tree4f9b09ca5d55e44710f020bcf6621daa4fd6b73a /nixpkgs/nixos/modules
parent1c2ef52230ed2c8b2529c47ce6a857bdde46c7c7 (diff)
parentb61999e4ad60c351b4da63ae3ff43aae3c0bbdfb (diff)
Merge commit 'b61999e4ad60c351b4da63ae3ff43aae3c0bbdfb'
Diffstat (limited to 'nixpkgs/nixos/modules')
-rw-r--r--nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix2
-rw-r--r--nixpkgs/nixos/modules/config/vte.nix4
-rw-r--r--nixpkgs/nixos/modules/config/xdg/autostart.nix8
-rw-r--r--nixpkgs/nixos/modules/config/xdg/icons.nix4
-rw-r--r--nixpkgs/nixos/modules/config/xdg/menus.nix8
-rw-r--r--nixpkgs/nixos/modules/config/xdg/mime.nix4
-rw-r--r--nixpkgs/nixos/modules/config/xdg/portal.nix4
-rw-r--r--nixpkgs/nixos/modules/config/xdg/sounds.nix4
-rw-r--r--nixpkgs/nixos/modules/hardware/raid/hpsa.nix2
-rw-r--r--nixpkgs/nixos/modules/hardware/sensor/iio.nix7
-rw-r--r--nixpkgs/nixos/modules/hardware/uinput.nix19
-rw-r--r--nixpkgs/nixos/modules/hardware/wooting.nix12
-rw-r--r--nixpkgs/nixos/modules/i18n/input-method/ibus.nix4
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix2
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix2
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix2
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix2
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix28
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix8
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix7
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl4
-rw-r--r--nixpkgs/nixos/modules/installer/tools/tools.nix8
-rw-r--r--nixpkgs/nixos/modules/misc/documentation.nix18
-rw-r--r--nixpkgs/nixos/modules/misc/nixpkgs.nix4
-rw-r--r--nixpkgs/nixos/modules/misc/version.nix2
-rw-r--r--nixpkgs/nixos/modules/module-list.nix11
-rw-r--r--nixpkgs/nixos/modules/profiles/hardened.nix3
-rw-r--r--nixpkgs/nixos/modules/profiles/installation-device.nix4
-rw-r--r--nixpkgs/nixos/modules/programs/captive-browser.nix2
-rw-r--r--nixpkgs/nixos/modules/programs/geary.nix4
-rw-r--r--nixpkgs/nixos/modules/programs/gnome-disks.nix4
-rw-r--r--nixpkgs/nixos/modules/programs/gnome-documents.nix4
-rw-r--r--nixpkgs/nixos/modules/programs/gnome-terminal.nix6
-rw-r--r--nixpkgs/nixos/modules/programs/nm-applet.nix4
-rw-r--r--nixpkgs/nixos/modules/programs/npm.nix11
-rw-r--r--nixpkgs/nixos/modules/programs/ssh.nix9
-rw-r--r--nixpkgs/nixos/modules/programs/ssmtp.nix12
-rw-r--r--nixpkgs/nixos/modules/security/acme.nix13
-rw-r--r--nixpkgs/nixos/modules/security/duosec.nix96
-rw-r--r--nixpkgs/nixos/modules/services/amqp/activemq/default.nix8
-rw-r--r--nixpkgs/nixos/modules/services/backup/borgbackup.nix28
-rw-r--r--nixpkgs/nixos/modules/services/backup/borgbackup.xml227
-rw-r--r--nixpkgs/nixos/modules/services/backup/syncoid.nix6
-rw-r--r--nixpkgs/nixos/modules/services/cluster/hadoop/default.nix32
-rw-r--r--nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix2
-rw-r--r--nixpkgs/nixos/modules/services/computing/boinc/client.nix6
-rw-r--r--nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix4
-rw-r--r--nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix11
-rw-r--r--nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix85
-rw-r--r--nixpkgs/nixos/modules/services/databases/mysql.nix17
-rw-r--r--nixpkgs/nixos/modules/services/databases/postgresql.xml103
-rw-r--r--nixpkgs/nixos/modules/services/desktops/accountsservice.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/bamf.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/evolution-data-server.nix6
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/gnome-keyring.nix6
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix6
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/gnome-user-share.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/rygel.nix6
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/sushi.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/tracker-miners.nix5
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gnome3/tracker.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/gvfs.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/malcontent.nix9
-rw-r--r--nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix18
-rw-r--r--nixpkgs/nixos/modules/services/desktops/pipewire.nix6
-rw-r--r--nixpkgs/nixos/modules/services/desktops/telepathy.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/tumbler.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/zeitgeist.nix5
-rw-r--r--nixpkgs/nixos/modules/services/games/factorio.nix26
-rw-r--r--nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix2
-rw-r--r--nixpkgs/nixos/modules/services/hardware/xow.nix17
-rw-r--r--nixpkgs/nixos/modules/services/mail/roundcube.nix19
-rw-r--r--nixpkgs/nixos/modules/services/mail/sympa.nix12
-rw-r--r--nixpkgs/nixos/modules/services/misc/airsonic.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/dysnomia.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/matrix-synapse.nix9
-rw-r--r--nixpkgs/nixos/modules/services/misc/matrix-synapse.xml3
-rw-r--r--nixpkgs/nixos/modules/services/misc/nix-daemon.nix71
-rw-r--r--nixpkgs/nixos/modules/services/misc/nixos-manual.nix73
-rw-r--r--nixpkgs/nixos/modules/services/misc/rogue.nix62
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/graphite.nix137
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/netdata.nix36
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix13
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix4
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix5
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix2
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix5
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/samba.nix5
-rw-r--r--nixpkgs/nixos/modules/services/networking/3proxy.nix10
-rw-r--r--nixpkgs/nixos/modules/services/networking/connman.nix17
-rw-r--r--nixpkgs/nixos/modules/services/networking/dnscache.nix10
-rw-r--r--nixpkgs/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix28
-rw-r--r--nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix43
-rw-r--r--nixpkgs/nixos/modules/services/networking/ndppd.nix10
-rw-r--r--nixpkgs/nixos/modules/services/networking/networkmanager.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/nftables.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/pixiecore.nix134
-rw-r--r--nixpkgs/nixos/modules/services/networking/quorum.nix229
-rw-r--r--nixpkgs/nixos/modules/services/networking/resilio.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/rxe.nix29
-rw-r--r--nixpkgs/nixos/modules/services/networking/ssh/sshd.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/strongswan.nix30
-rw-r--r--nixpkgs/nixos/modules/services/networking/supplicant.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/syncthing.nix14
-rw-r--r--nixpkgs/nixos/modules/services/networking/wg-quick.nix2
-rw-r--r--nixpkgs/nixos/modules/services/scheduling/atd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/security/fail2ban.nix4
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/documize.nix2
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/gerrit.nix218
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/moinmoin.nix2
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/nextcloud.nix81
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/nextcloud.xml48
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/youtrack.nix8
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix2
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/nginx/default.nix22
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix1
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/traefik.nix125
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix2
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix19
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix2
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix44
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix4
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml16
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix5
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix5
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/default.nix13
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix8
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix6
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix4
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix4
-rw-r--r--nixpkgs/nixos/modules/services/x11/hardware/libinput.nix6
-rw-r--r--nixpkgs/nixos/modules/services/x11/xserver.nix3
-rw-r--r--nixpkgs/nixos/modules/system/activation/no-clone.nix3
-rw-r--r--nixpkgs/nixos/modules/system/activation/top-level.nix67
-rw-r--r--nixpkgs/nixos/modules/system/boot/initrd-ssh.nix178
-rw-r--r--nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix2
-rw-r--r--nixpkgs/nixos/modules/system/boot/loader/grub/install-grub.pl5
-rw-r--r--nixpkgs/nixos/modules/system/boot/loader/init-script/init-script-builder.sh2
-rw-r--r--nixpkgs/nixos/modules/system/boot/stage-1.nix5
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd-lib.nix13
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix2
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd.nix1
-rw-r--r--nixpkgs/nixos/modules/tasks/auto-upgrade.nix2
-rw-r--r--nixpkgs/nixos/modules/tasks/filesystems/zfs.nix2
-rw-r--r--nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix51
-rw-r--r--nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix7
-rw-r--r--nixpkgs/nixos/modules/tasks/network-interfaces.nix164
-rw-r--r--nixpkgs/nixos/modules/virtualisation/azure-common.nix2
-rw-r--r--nixpkgs/nixos/modules/virtualisation/azure-image.nix47
-rw-r--r--nixpkgs/nixos/modules/virtualisation/containers.nix8
-rw-r--r--nixpkgs/nixos/modules/virtualisation/hyperv-image.nix69
-rw-r--r--nixpkgs/nixos/modules/virtualisation/libvirtd.nix11
159 files changed, 2479 insertions, 900 deletions
diff --git a/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix b/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix
index 86a6bfb5af4..7441f4de40e 100644
--- a/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix
+++ b/nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix
@@ -77,7 +77,7 @@ with lib;
if [ -w "$themedir" ]; then
rm -f "$themedir"/icon-theme.cache
- ${pkgs.gtk3.out}/bin/gtk-update-icon-cache --ignore-theme-index "$themedir"
+ ${pkgs.buildPackages.gtk3.out}/bin/gtk-update-icon-cache --ignore-theme-index "$themedir"
fi
done
'';
diff --git a/nixpkgs/nixos/modules/config/vte.nix b/nixpkgs/nixos/modules/config/vte.nix
index d4a8c926fef..24d32a00fd4 100644
--- a/nixpkgs/nixos/modules/config/vte.nix
+++ b/nixpkgs/nixos/modules/config/vte.nix
@@ -16,6 +16,10 @@ in
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
options = {
programs.bash.vteIntegration = mkOption {
diff --git a/nixpkgs/nixos/modules/config/xdg/autostart.nix b/nixpkgs/nixos/modules/config/xdg/autostart.nix
index 0ee94fed818..40984cb5ec5 100644
--- a/nixpkgs/nixos/modules/config/xdg/autostart.nix
+++ b/nixpkgs/nixos/modules/config/xdg/autostart.nix
@@ -2,19 +2,23 @@
with lib;
{
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
options = {
xdg.autostart.enable = mkOption {
type = types.bool;
default = true;
description = ''
- Whether to install files to support the
+ Whether to install files to support the
<link xlink:href="https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html">XDG Autostart specification</link>.
'';
};
};
config = mkIf config.xdg.autostart.enable {
- environment.pathsToLink = [
+ environment.pathsToLink = [
"/etc/xdg/autostart"
];
};
diff --git a/nixpkgs/nixos/modules/config/xdg/icons.nix b/nixpkgs/nixos/modules/config/xdg/icons.nix
index 4677ce090b0..c83fdc251ef 100644
--- a/nixpkgs/nixos/modules/config/xdg/icons.nix
+++ b/nixpkgs/nixos/modules/config/xdg/icons.nix
@@ -2,6 +2,10 @@
with lib;
{
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
options = {
xdg.icons.enable = mkOption {
type = types.bool;
diff --git a/nixpkgs/nixos/modules/config/xdg/menus.nix b/nixpkgs/nixos/modules/config/xdg/menus.nix
index c172692df5d..6735a7a5c43 100644
--- a/nixpkgs/nixos/modules/config/xdg/menus.nix
+++ b/nixpkgs/nixos/modules/config/xdg/menus.nix
@@ -2,19 +2,23 @@
with lib;
{
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
options = {
xdg.menus.enable = mkOption {
type = types.bool;
default = true;
description = ''
- Whether to install files to support the
+ Whether to install files to support the
<link xlink:href="https://specifications.freedesktop.org/menu-spec/menu-spec-latest.html">XDG Desktop Menu specification</link>.
'';
};
};
config = mkIf config.xdg.menus.enable {
- environment.pathsToLink = [
+ environment.pathsToLink = [
"/share/applications"
"/share/desktop-directories"
"/etc/xdg/menus"
diff --git a/nixpkgs/nixos/modules/config/xdg/mime.nix b/nixpkgs/nixos/modules/config/xdg/mime.nix
index a5374c2b468..4cdb3f30994 100644
--- a/nixpkgs/nixos/modules/config/xdg/mime.nix
+++ b/nixpkgs/nixos/modules/config/xdg/mime.nix
@@ -2,6 +2,10 @@
with lib;
{
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
options = {
xdg.mime.enable = mkOption {
type = types.bool;
diff --git a/nixpkgs/nixos/modules/config/xdg/portal.nix b/nixpkgs/nixos/modules/config/xdg/portal.nix
index 1330a08070c..3c7cd729c60 100644
--- a/nixpkgs/nixos/modules/config/xdg/portal.nix
+++ b/nixpkgs/nixos/modules/config/xdg/portal.nix
@@ -7,6 +7,10 @@ with lib;
(mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ])
];
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
options.xdg.portal = {
enable =
mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{
diff --git a/nixpkgs/nixos/modules/config/xdg/sounds.nix b/nixpkgs/nixos/modules/config/xdg/sounds.nix
index 14d6340fc33..0b94f550929 100644
--- a/nixpkgs/nixos/modules/config/xdg/sounds.nix
+++ b/nixpkgs/nixos/modules/config/xdg/sounds.nix
@@ -2,6 +2,10 @@
with lib;
{
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
options = {
xdg.sounds.enable = mkOption {
type = types.bool;
diff --git a/nixpkgs/nixos/modules/hardware/raid/hpsa.nix b/nixpkgs/nixos/modules/hardware/raid/hpsa.nix
index 4d7af138292..c4977e3fd70 100644
--- a/nixpkgs/nixos/modules/hardware/raid/hpsa.nix
+++ b/nixpkgs/nixos/modules/hardware/raid/hpsa.nix
@@ -34,7 +34,7 @@ let
meta = with lib; {
description = "HP Smart Array CLI";
- homepage = https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/;
+ homepage = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/";
license = licenses.unfreeRedistributable;
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ volth ];
diff --git a/nixpkgs/nixos/modules/hardware/sensor/iio.nix b/nixpkgs/nixos/modules/hardware/sensor/iio.nix
index a8bc1880002..4c359c3b172 100644
--- a/nixpkgs/nixos/modules/hardware/sensor/iio.nix
+++ b/nixpkgs/nixos/modules/hardware/sensor/iio.nix
@@ -8,7 +8,12 @@ with lib;
options = {
hardware.sensor.iio = {
enable = mkOption {
- description = "Enable this option to support IIO sensors.";
+ description = ''
+ Enable this option to support IIO sensors.
+
+ IIO sensors are used for orientation and ambient light
+ sensors on some mobile devices.
+ '';
type = types.bool;
default = false;
};
diff --git a/nixpkgs/nixos/modules/hardware/uinput.nix b/nixpkgs/nixos/modules/hardware/uinput.nix
new file mode 100644
index 00000000000..55e86bfa6bd
--- /dev/null
+++ b/nixpkgs/nixos/modules/hardware/uinput.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.hardware.uinput;
+in {
+ options.hardware.uinput = {
+ enable = lib.mkEnableOption "uinput support";
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot.kernelModules = [ "uinput" ];
+
+ users.groups.uinput = {};
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"
+ '';
+ };
+}
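Review bot: The `enable` option does not say that membership of the new `uinput` group is a privilege. The udev rule makes the uinput node group-writable (`MODE="0660", GROUP="uinput"`), and a process that can write to it can, as far as I know, create virtual input devices whose events are delivered like real keyboard or mouse input. I would document this on the option or above the rule, for example `# Members of "uinput" can synthesize input events system-wide; add only trusted users and services.` Switching from `mkEnableOption` to an explicit `mkOption` with a `description` would leave room for that text in the generated manual.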
diff --git a/nixpkgs/nixos/modules/hardware/wooting.nix b/nixpkgs/nixos/modules/hardware/wooting.nix
new file mode 100644
index 00000000000..ee550cbbf6b
--- /dev/null
+++ b/nixpkgs/nixos/modules/hardware/wooting.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ options.hardware.wooting.enable =
+ mkEnableOption "Enable support for Wooting keyboards";
+
+ config = mkIf config.hardware.wooting.enable {
+ environment.systemPackages = [ pkgs.wootility ];
+ services.udev.packages = [ pkgs.wooting-udev-rules ];
+ };
+}
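Review bot: `mkEnableOption` already prefixes its argument with "Whether to enable", so the rendered description will read "Whether to enable Enable support for Wooting keyboards."; pass only the noun phrase, `mkEnableOption "support for Wooting keyboards";`. The rules shipped by `pkgs.wooting-udev-rules` are not visible in this hunk, so a short comment stating what device access they grant (and to whom) would help anyone auditing the module.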
diff --git a/nixpkgs/nixos/modules/i18n/input-method/ibus.nix b/nixpkgs/nixos/modules/i18n/input-method/ibus.nix
index a3d97619fc4..b4746b21b65 100644
--- a/nixpkgs/nixos/modules/i18n/input-method/ibus.nix
+++ b/nixpkgs/nixos/modules/i18n/input-method/ibus.nix
@@ -75,5 +75,9 @@ in
QT_IM_MODULE = "ibus";
XMODIFIERS = "@im=ibus";
};
+
+ xdg.portal.extraPortals = mkIf config.xdg.portal.enable [
+ ibusPackage
+ ];
};
}
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix
index 24070a78694..9303e8fde13 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix
@@ -18,8 +18,6 @@ with lib;
# ISO naming.
isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";
- isoImage.volumeID = substring 0 11 "NIXOS_ISO";
-
# EFI booting
isoImage.makeEfiBootable = true;
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
index 62cbdbcfd17..84394a1ecae 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
@@ -7,6 +7,8 @@ with lib;
{
imports = [ ./installation-cd-graphical-base.nix ];
+ isoImage.edition = "gnome";
+
services.xserver.desktopManager.gnome3.enable = true;
# Wayland can be problematic for some hardware like Nvidia graphics cards.
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix
index e00d3f7535b..e76e06654ac 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix
@@ -8,6 +8,8 @@ with lib;
{
imports = [ ./installation-cd-graphical-base.nix ];
+ isoImage.edition = "plasma5";
+
services.xserver = {
desktopManager.plasma5 = {
enable = true;
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
index bcdbffdc20b..97506045e0e 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
@@ -8,5 +8,7 @@
[ ./installation-cd-base.nix
];
+ isoImage.edition = "minimal";
+
fonts.fontconfig.enable = false;
}
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix
index 4558b4dc955..cce7cc235ec 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -417,8 +417,17 @@ in
'';
};
+ isoImage.edition = mkOption {
+ default = "";
+ description = ''
+ Specifies which edition string to use in the volume ID of the generated
+ ISO image.
+ '';
+ };
+
isoImage.volumeID = mkOption {
- default = "NIXOS_BOOT_CD";
+ # nixos-$EDITION-$RELEASE-$ARCH
+ default = "nixos${optionalString (config.isoImage.edition != "") "-${config.isoImage.edition}"}-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}";
description = ''
Specifies the label or volume ID of the generated ISO image.
Note that the label is used by stage 1 of the boot process to
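Review bot: `isoImage.edition` is declared without a `type`, so a non-string value is only noticed when the new `volumeID` default interpolates it; adding `type = types.str;` turns that into a clear option error. Because the edition becomes part of the volume ID, which the description below says stage 1 uses, the `edition` description could also mention that the combined ID must stay within the 32-byte limit that this commit asserts further down. The `volumeID` option body continues outside the hunk.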
@@ -474,7 +483,7 @@ in
isoImage.efiSplashImage = mkOption {
default = pkgs.fetchurl {
- url = https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/efi-background.png;
+ url = "https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/efi-background.png";
sha256 = "18lfwmp8yq923322nlb9gxrh5qikj1wsk6g5qvdh31c4h5b1538x";
};
description = ''
@@ -484,7 +493,7 @@ in
isoImage.splashImage = mkOption {
default = pkgs.fetchurl {
- url = https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/isolinux/bios-boot.png;
+ url = "https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/isolinux/bios-boot.png";
sha256 = "1wp822zrhbg4fgfbwkr7cbkr4labx477209agzc0hr6k62fr6rxd";
};
description = ''
@@ -515,6 +524,19 @@ in
};
config = {
+ assertions = [
+ {
+ assertion = !(stringLength config.isoImage.volumeID > 32);
+ # https://wiki.osdev.org/ISO_9660#The_Primary_Volume_Descriptor
+ # Volume Identifier can only be 32 bytes
+ message = let
+ length = stringLength config.isoImage.volumeID;
+ howmany = toString length;
+ toomany = toString (length - 32);
+ in
+ "isoImage.volumeID ${config.isoImage.volumeID} is ${howmany} characters. That is ${toomany} characters longer than the limit of 32.";
+ }
+ ];
boot.loader.grub.version = 2;
diff --git a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix
index 2068f27f1c9..842976c3574 100644
--- a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,6 +1,6 @@
{
- x86_64-linux = "/nix/store/ddmmzn4ggz1f66lwxjy64n89864yj9w9-nix-2.3.3";
- i686-linux = "/nix/store/5axys7hsggb4282dsbps5k5p0v59yv13-nix-2.3.3";
- aarch64-linux = "/nix/store/k80nwvi19hxwbz3c9cxgp24f1jjxwmcc-nix-2.3.3";
- x86_64-darwin = "/nix/store/lrnvapsqmf0ja6zfyx4cpxr7ahdr7f9b-nix-2.3.3";
+ x86_64-linux = "/nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4";
+ i686-linux = "/nix/store/b5cx3nmba9ahx3wk5ybxa67k40pdpdxn-nix-2.3.4";
+ aarch64-linux = "/nix/store/p6j4mis6agdjlk4j0cyg7yh58wpm3kif-nix-2.3.4";
+ x86_64-darwin = "/nix/store/aizhr07dljmlbf17wfrj40x3s0b5iv3d-nix-2.3.4";
}
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix b/nixpkgs/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
index 90f0702f717..0c9f8522cc1 100644
--- a/nixpkgs/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
@@ -3,7 +3,12 @@
, networkExpr
}:
-let nodes = import networkExpr; in
+let
+ nodes = builtins.mapAttrs (vm: module: {
+ _file = "${networkExpr}@node-${vm}";
+ imports = [ module ];
+ }) (import networkExpr);
+in
with import ../../../../lib/testing-python.nix {
inherit system;
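Review bot: `_file = "${networkExpr}@node-${vm}";` interpolates `networkExpr` directly. If callers pass it as a path value (not visible in this hunk), Nix copies the file into the store on interpolation, and `_file` will name a `/nix/store/...` path in module errors instead of the file the user edited. `_file = "${toString networkExpr}@node-${vm}";` keeps the original location and avoids the copy. A one-line comment saying that the wrapper exists only to label module-system errors per node would also make the intent clear.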
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
index 629c56814a1..a32c19a4eba 100644
--- a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -91,9 +91,6 @@ sub hasCPUFeature {
}
-# Detect the number of CPU cores.
-my $cpus = scalar (grep {/^processor\s*:/} (split '\n', $cpuinfo));
-
# Determine CPU governor to use
if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") {
@@ -562,7 +559,6 @@ my $hwConfig = <<EOF;
boot.kernelModules = [$kernelModules ];
boot.extraModulePackages = [$modulePackages ];
$fsAndSwap
- nix.maxJobs = lib.mkDefault $cpus;
${\join "", (map { " $_\n" } (uniq @attrs))}}
EOF
diff --git a/nixpkgs/nixos/modules/installer/tools/tools.nix b/nixpkgs/nixos/modules/installer/tools/tools.nix
index 833865e99bb..655d77db157 100644
--- a/nixpkgs/nixos/modules/installer/tools/tools.nix
+++ b/nixpkgs/nixos/modules/installer/tools/tools.nix
@@ -42,7 +42,10 @@ let
inherit (config.system.nixos-generate-config) configuration;
};
- nixos-option = pkgs.callPackage ./nixos-option { };
+ nixos-option =
+ if lib.versionAtLeast (lib.getVersion pkgs.nix) "2.4pre"
+ then null
+ else pkgs.callPackage ./nixos-option { };
nixos-version = makeProg {
name = "nixos-version";
@@ -184,10 +187,9 @@ in
nixos-install
nixos-rebuild
nixos-generate-config
- nixos-option
nixos-version
nixos-enter
- ];
+ ] ++ lib.optional (nixos-option != null) nixos-option;
system.build = {
inherit nixos-install nixos-generate-config nixos-option nixos-rebuild nixos-enter;
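Review bot: `nixos-option` can now be `null`, but the `system.build` attribute set on the last line of this hunk still inherits it unconditionally, so `config.system.build.nixos-option` evaluates to `null` when Nix is at least "2.4pre". Anything that consumes that attribute as a derivation would then fail with an unrelated-looking error. I would drop it from the `inherit` list and merge it in conditionally with `lib.optionalAttrs (nixos-option != null) { inherit nixos-option; }`, mirroring the `lib.optional` guard used for `environment.systemPackages`. A comment at the definition explaining why the tool is dropped for newer Nix is also missing. The `system.build` block continues outside the hunk.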
diff --git a/nixpkgs/nixos/modules/misc/documentation.nix b/nixpkgs/nixos/modules/misc/documentation.nix
index d09afadd609..7ad4be9a02e 100644
--- a/nixpkgs/nixos/modules/misc/documentation.nix
+++ b/nixpkgs/nixos/modules/misc/documentation.nix
@@ -17,6 +17,7 @@ let
inherit pkgs config;
version = config.system.nixos.release;
revision = "release-${version}";
+ extraSources = cfg.nixos.extraModuleSources;
options =
let
scrubbedEval = evalModules {
@@ -163,6 +164,19 @@ in
'';
};
+ nixos.extraModuleSources = mkOption {
+ type = types.listOf (types.either types.path types.str);
+ default = [ ];
+ description = ''
+ Which extra NixOS module paths the generated NixOS's documentation should strip
+ from options.
+ '';
+ example = literalExample ''
+ # e.g. with options from modules in ''${pkgs.customModules}/nix:
+ [ pkgs.customModules ]
+ '';
+ };
+
};
};
@@ -204,9 +218,7 @@ in
++ optionals config.services.xserver.enable [ desktopItem pkgs.nixos-icons ]);
services.mingetty.helpLine = mkIf cfg.doc.enable (
- "\nRun `nixos-help` "
- + optionalString config.services.nixosManual.showManual "or press <Alt-F${toString config.services.nixosManual.ttyNumber}> "
- + "for the NixOS manual."
+ "\nRun 'nixos-help' for the NixOS manual."
);
})
diff --git a/nixpkgs/nixos/modules/misc/nixpkgs.nix b/nixpkgs/nixos/modules/misc/nixpkgs.nix
index 011d493c153..4f5a9250eaa 100644
--- a/nixpkgs/nixos/modules/misc/nixpkgs.nix
+++ b/nixpkgs/nixos/modules/misc/nixpkgs.nix
@@ -236,8 +236,8 @@ in
let
nixosExpectedSystem =
if config.nixpkgs.crossSystem != null
- then config.nixpkgs.crossSystem.system
- else config.nixpkgs.localSystem.system;
+ then config.nixpkgs.crossSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.crossSystem.config))
+ else config.nixpkgs.localSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.localSystem.config));
nixosOption =
if config.nixpkgs.crossSystem != null
then "nixpkgs.crossSystem"
diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix
index 9557def622d..ae98fba1580 100644
--- a/nixpkgs/nixos/modules/misc/version.nix
+++ b/nixpkgs/nixos/modules/misc/version.nix
@@ -76,7 +76,7 @@ in
defaultChannel = mkOption {
internal = true;
type = types.str;
- default = https://nixos.org/channels/nixos-unstable;
+ default = "https://nixos.org/channels/nixos-unstable";
description = "Default NixOS channel to which the root user is subscribed.";
};
diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix
index 60aa10f03a3..039c1203f5f 100644
--- a/nixpkgs/nixos/modules/module-list.nix
+++ b/nixpkgs/nixos/modules/module-list.nix
@@ -64,6 +64,8 @@
./hardware/tuxedo-keyboard.nix
./hardware/usb-wwan.nix
./hardware/onlykey.nix
+ ./hardware/wooting.nix
+ ./hardware/uinput.nix
./hardware/video/amdgpu.nix
./hardware/video/amdgpu-pro.nix
./hardware/video/ati.nix
@@ -293,7 +295,6 @@
./services/desktops/deepin/deepin.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
- ./services/desktops/pantheon/contractor.nix
./services/desktops/pantheon/files.nix
./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix
@@ -367,6 +368,7 @@
./services/hardware/thermald.nix
./services/hardware/undervolt.nix
./services/hardware/vdr.nix
+ ./services/hardware/xow.nix
./services/logging/SystemdJournal2Gelf.nix
./services/logging/awstats.nix
./services/logging/fluentd.nix
@@ -468,7 +470,6 @@
./services/misc/nix-daemon.nix
./services/misc/nix-gc.nix
./services/misc/nix-optimise.nix
- ./services/misc/nixos-manual.nix
./services/misc/nix-ssh-serve.nix
./services/misc/novacomd.nix
./services/misc/nzbget.nix
@@ -484,7 +485,6 @@
./services/misc/redmine.nix
./services/misc/rippled.nix
./services/misc/ripple-data-api.nix
- ./services/misc/rogue.nix
./services/misc/serviio.nix
./services/misc/safeeyes.nix
./services/misc/sickbeard.nix
@@ -643,6 +643,7 @@
./services/networking/lldpd.nix
./services/networking/logmein-hamachi.nix
./services/networking/mailpile.nix
+ ./services/networking/magic-wormhole-mailbox-server.nix
./services/networking/matterbridge.nix
./services/networking/mjpg-streamer.nix
./services/networking/minidlna.nix
@@ -654,6 +655,7 @@
./services/networking/mstpd.nix
./services/networking/mtprotoproxy.nix
./services/networking/mullvad.nix
+ ./services/networking/mullvad-vpn.nix
./services/networking/murmur.nix
./services/networking/mxisd.nix
./services/networking/namecoind.nix
@@ -682,6 +684,7 @@
./services/networking/ostinato.nix
./services/networking/owamp.nix
./services/networking/pdnsd.nix
+ ./services/networking/pixiecore.nix
./services/networking/polipo.nix
./services/networking/powerdns.nix
./services/networking/pdns-recursor.nix
@@ -692,6 +695,7 @@
./services/networking/prosody.nix
./services/networking/quagga.nix
./services/networking/quassel.nix
+ ./services/networking/quorum.nix
./services/networking/quicktun.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
@@ -823,6 +827,7 @@
./services/web-apps/documize.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/frab.nix
+ ./services/web-apps/gerrit.nix
./services/web-apps/gotify-server.nix
./services/web-apps/grocy.nix
./services/web-apps/icingaweb2/icingaweb2.nix
diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix
index f7b2f5c7fc1..35743d83134 100644
--- a/nixpkgs/nixos/modules/profiles/hardened.nix
+++ b/nixpkgs/nixos/modules/profiles/hardened.nix
@@ -14,6 +14,9 @@ with lib;
nix.allowedUsers = mkDefault [ "@users" ];
+ environment.memoryAllocator.provider = mkDefault "scudo";
+ environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
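Review bot: `SCUDO_OPTIONS` is set through `environment.variables`, which as far as I know is applied by shell initialisation for login sessions rather than to systemd units, so daemons may run without `ZeroContents=1`. It is also an ordinary environment variable that a user can unset or override for their own processes. If zero-on-allocation is meant as a guarantee of the hardened profile, that should be confirmed; at minimum the two lines need a comment such as `# Best effort: only processes inheriting the session environment see SCUDO_OPTIONS.` Both values are `mkDefault`, so the comment should also note that a later module can replace them silently.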
diff --git a/nixpkgs/nixos/modules/profiles/installation-device.nix b/nixpkgs/nixos/modules/profiles/installation-device.nix
index 4596e163404..d05c0c50e82 100644
--- a/nixpkgs/nixos/modules/profiles/installation-device.nix
+++ b/nixpkgs/nixos/modules/profiles/installation-device.nix
@@ -26,10 +26,6 @@ with lib;
# Show the manual.
documentation.nixos.enable = mkForce true;
- services.nixosManual.showManual = true;
-
- # Let the user play Rogue on TTY 8 during the installation.
- #services.rogue.enable = true;
# Use less privileged nixos user
users.users.nixos = {
diff --git a/nixpkgs/nixos/modules/programs/captive-browser.nix b/nixpkgs/nixos/modules/programs/captive-browser.nix
index 55d474e5c9d..26db1675072 100644
--- a/nixpkgs/nixos/modules/programs/captive-browser.nix
+++ b/nixpkgs/nixos/modules/programs/captive-browser.nix
@@ -28,7 +28,7 @@ in
browser = mkOption {
type = types.str;
default = concatStringsSep " " [ ''${pkgs.chromium}/bin/chromium''
- ''--user-data-dir=$HOME/.chromium-captive''
+ ''--user-data-dir=''${XDG_DATA_HOME:-$HOME/.local/share}/chromium-captive''
''--proxy-server="socks5://$PROXY"''
''--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"''
''--no-first-run''
diff --git a/nixpkgs/nixos/modules/programs/geary.nix b/nixpkgs/nixos/modules/programs/geary.nix
index 01803bc411e..5e441a75cb6 100644
--- a/nixpkgs/nixos/modules/programs/geary.nix
+++ b/nixpkgs/nixos/modules/programs/geary.nix
@@ -6,6 +6,10 @@ let
cfg = config.programs.geary;
in {
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
options = {
programs.geary.enable = mkEnableOption "Geary, a Mail client for GNOME 3";
};
diff --git a/nixpkgs/nixos/modules/programs/gnome-disks.nix b/nixpkgs/nixos/modules/programs/gnome-disks.nix
index 1cf839a6ddb..80dc2983ea5 100644
--- a/nixpkgs/nixos/modules/programs/gnome-disks.nix
+++ b/nixpkgs/nixos/modules/programs/gnome-disks.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
diff --git a/nixpkgs/nixos/modules/programs/gnome-documents.nix b/nixpkgs/nixos/modules/programs/gnome-documents.nix
index bfa3d409ee3..9dd53483055 100644
--- a/nixpkgs/nixos/modules/programs/gnome-documents.nix
+++ b/nixpkgs/nixos/modules/programs/gnome-documents.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
diff --git a/nixpkgs/nixos/modules/programs/gnome-terminal.nix b/nixpkgs/nixos/modules/programs/gnome-terminal.nix
index 0036677a157..f2617e5bc03 100644
--- a/nixpkgs/nixos/modules/programs/gnome-terminal.nix
+++ b/nixpkgs/nixos/modules/programs/gnome-terminal.nix
@@ -12,6 +12,10 @@ in
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
@@ -20,9 +24,7 @@ in
];
options = {
-
programs.gnome-terminal.enable = mkEnableOption "GNOME Terminal";
-
};
config = mkIf cfg.enable {
diff --git a/nixpkgs/nixos/modules/programs/nm-applet.nix b/nixpkgs/nixos/modules/programs/nm-applet.nix
index 1b806071c43..273a6dec59a 100644
--- a/nixpkgs/nixos/modules/programs/nm-applet.nix
+++ b/nixpkgs/nixos/modules/programs/nm-applet.nix
@@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
{
+ meta = {
+ maintainers = lib.teams.freedesktop.members;
+ };
+
options.programs.nm-applet.enable = lib.mkEnableOption "nm-applet";
config = lib.mkIf config.programs.nm-applet.enable {
diff --git a/nixpkgs/nixos/modules/programs/npm.nix b/nixpkgs/nixos/modules/programs/npm.nix
index b351d80c7ac..f101a44587a 100644
--- a/nixpkgs/nixos/modules/programs/npm.nix
+++ b/nixpkgs/nixos/modules/programs/npm.nix
@@ -13,7 +13,14 @@ in
programs.npm = {
enable = mkEnableOption "<command>npm</command> global config";
- npmrc = lib.mkOption {
+ package = mkOption {
+ type = types.path;
+ description = "The npm package version / flavor to use";
+ default = pkgs.nodePackages.npm;
+ example = literalExample "pkgs.nodePackages_13_x.npm";
+ };
+
+ npmrc = mkOption {
type = lib.types.lines;
description = ''
The system-wide npm configuration.
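Review bot: The new `package` option is declared with `type = types.path;`, while the hydra module in this same commit moves its `package` option from `types.path` to `types.package`. For consistency, and so that a stray string or file path is rejected at evaluation time, I would write `type = types.package;` and add `defaultText = "pkgs.nodePackages.npm";`. The hunk also now mixes unqualified `mkOption` with `lib.types.lines` on the next line; picking one form would read better. The body of `npmrc` continues outside the hunk.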
@@ -40,7 +47,7 @@ in
environment.variables.NPM_CONFIG_GLOBALCONFIG = "/etc/npmrc";
- environment.systemPackages = [ pkgs.nodePackages.npm ];
+ environment.systemPackages = [ cfg.package ];
};
}
diff --git a/nixpkgs/nixos/modules/programs/ssh.nix b/nixpkgs/nixos/modules/programs/ssh.nix
index 80198990ed1..44e65ee8a9a 100644
--- a/nixpkgs/nixos/modules/programs/ssh.nix
+++ b/nixpkgs/nixos/modules/programs/ssh.nix
@@ -61,12 +61,9 @@ in
'';
};
- # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
pubkeyAcceptedKeyTypes = mkOption {
type = types.listOf types.str;
- default = [
- "+ssh-dss"
- ];
+ default = [];
example = [ "ssh-ed25519" "ssh-rsa" ];
description = ''
Specifies the key types that will be used for public key authentication.
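Review bot: With the default of `pubkeyAcceptedKeyTypes` now `[]` (and likewise `hostKeyAlgorithms` in the next hunk), nothing visible here shows what is written to the client configuration for an empty list. The rendering code is outside both hunks; it should omit the directive when the list is empty, e.g. guard it with `optionalString (cfg.pubkeyAcceptedKeyTypes != [])`, because a directive with no value is not a valid setting. Both descriptions should also say what the empty default means, for instance `If empty, the OpenSSH built-in defaults are used.`. Dropping `+ssh-dss` changes behaviour for anyone still using DSA keys, so a release-note entry pointing them at these two options would help.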
@@ -75,9 +72,7 @@ in
hostKeyAlgorithms = mkOption {
type = types.listOf types.str;
- default = [
- "+ssh-dss"
- ];
+ default = [];
example = [ "ssh-ed25519" "ssh-rsa" ];
description = ''
Specifies the host key algorithms that the client wants to use in order of preference.
diff --git a/nixpkgs/nixos/modules/programs/ssmtp.nix b/nixpkgs/nixos/modules/programs/ssmtp.nix
index f794eac8af0..c7a94739349 100644
--- a/nixpkgs/nixos/modules/programs/ssmtp.nix
+++ b/nixpkgs/nixos/modules/programs/ssmtp.nix
@@ -14,8 +14,16 @@ in
{
imports = [
- (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ])
- (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "directDelivery" ] [ "services" "ssmtp" "enable" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "hostName" ] [ "services" "ssmtp" "hostName" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "domain" ] [ "services" "ssmtp" "domain" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "root" ] [ "services" "ssmtp" "root" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "useTLS" ] [ "services" "ssmtp" "useTLS" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "useSTARTTLS" ] [ "services" "ssmtp" "useSTARTTLS" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "authUser" ] [ "services" "ssmtp" "authUser" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPass" ] [ "services" "ssmtp" "authPass" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPassFile" ] [ "services" "ssmtp" "authPassFile" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" "setSendmail" ] [ "services" "ssmtp" "setSendmail" ])
];
options = {
diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix
index b787a767539..d5fb9b58f2e 100644
--- a/nixpkgs/nixos/modules/security/acme.nix
+++ b/nixpkgs/nixos/modules/security/acme.nix
@@ -301,7 +301,7 @@ in
# StateDirectory must be relative, and will be created under /var/lib by systemd
lpath = "acme/${cert}";
apath = "/var/lib/${lpath}";
- spath = "/var/lib/acme/.lego";
+ spath = "/var/lib/acme/.lego/${cert}";
fileMode = if data.allowKeysForGroup then "640" else "600";
globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
@@ -318,25 +318,20 @@ in
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
+ wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
- # With RemainAfterExit the service is considered active even
- # after the main process having exited, which means when it
- # gets changed, the activation phase restarts it, meaning
- # the permissions of the StateDirectory get adjusted
- # according to the specified group
- RemainAfterExit = true;
User = data.user;
Group = data.group;
PrivateTmp = true;
- StateDirectory = "acme/.lego ${lpath}";
+ StateDirectory = "acme/.lego/${cert} acme/.lego/accounts ${lpath}";
StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
WorkingDirectory = spath;
# Only try loading the credentialsFile if the dns challenge is enabled
EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
ExecStart = pkgs.writeScript "acme-start" ''
#!${pkgs.runtimeShell} -e
+ test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts
${pkgs.lego}/bin/lego ${renewOpts} || ${pkgs.lego}/bin/lego ${runOpts}
'';
ExecStartPost =
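Review bot: `acme/.lego/accounts` is now listed in the `StateDirectory` of every certificate unit, but each unit still runs with its own `User = data.user`, `Group = data.group` and `StateDirectoryMode`. Since systemd applies ownership and mode to each listed state directory when the unit starts, two certificates configured with different users or groups would, as far as I can tell, keep re-owning the shared accounts directory, and one certificate with `allowKeysForGroup` would open it to that group with mode 750. Either an assertion that all certificates share one user and group, or a dedicated owner for the accounts directory, would make this explicit. The added `test` line also interpolates `${spath}` unquoted; I would write `test -L "${spath}/accounts" -o -d "${spath}/accounts" || ln -s ../accounts "${spath}/accounts"`. The `serviceConfig` block continues past the end of the hunk.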
diff --git a/nixpkgs/nixos/modules/security/duosec.nix b/nixpkgs/nixos/modules/security/duosec.nix
index c686a6861d0..71428b82f5d 100644
--- a/nixpkgs/nixos/modules/security/duosec.nix
+++ b/nixpkgs/nixos/modules/security/duosec.nix
@@ -9,8 +9,7 @@ let
configFilePam = ''
[duo]
- ikey=${cfg.ikey}
- skey=${cfg.skey}
+ ikey=${cfg.integrationKey}
host=${cfg.host}
${optionalString (cfg.groups != "") ("groups="+cfg.groups)}
failmode=${cfg.failmode}
@@ -24,26 +23,12 @@ let
motd=${boolToStr cfg.motd}
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
'';
-
- loginCfgFile = optionalAttrs cfg.ssh.enable {
- "duo/login_duo.conf" =
- { source = pkgs.writeText "login_duo.conf" configFileLogin;
- mode = "0600";
- user = "sshd";
- };
- };
-
- pamCfgFile = optional cfg.pam.enable {
- "duo/pam_duo.conf" =
- { source = pkgs.writeText "pam_duo.conf" configFilePam;
- mode = "0600";
- user = "sshd";
- };
- };
in
{
imports = [
(mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ])
+ (mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ])
+ (mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.")
];
options = {
@@ -60,14 +45,18 @@ in
description = "If enabled, protect logins with Duo Security using PAM support.";
};
- ikey = mkOption {
+ integrationKey = mkOption {
type = types.str;
description = "Integration key.";
};
- skey = mkOption {
- type = types.str;
- description = "Secret key.";
+ secretKeyFile = mkOption {
+ type = types.path;
+ default = null;
+ description = ''
+ A file containing your secret key. The security of your Duo application is tied to the security of your secret key.
+ '';
+ example = "/run/keys/duo-skey";
};
host = mkOption {
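Review bot: `secretKeyFile` pairs `type = types.path;` with `default = null;`, and `null` is not a path value. The activation scripts added later in this file interpolate it as `"${cfg.secretKeyFile}"`, so enabling the module without setting the option would presumably fail with an unhelpful coercion error rather than a clear message. I would declare `type = types.nullOr types.path;` and add an assertion that the option is set whenever `cfg.ssh.enable` or `cfg.pam.enable` is true. The description should also state that the file must live outside the Nix store and be readable only by root.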
@@ -195,21 +184,52 @@ in
};
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
- environment.systemPackages = [ pkgs.duo-unix ];
-
- security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
- environment.etc = loginCfgFile // pamCfgFile;
-
- /* If PAM *and* SSH are enabled, then don't do anything special.
- If PAM isn't used, set the default SSH-only options. */
- services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) (
- if cfg.pam.enable then "UseDNS no" else ''
- # Duo Security configuration
- ForceCommand ${config.security.wrapperDir}/login_duo
- PermitTunnel no
- ${optionalString (!cfg.allowTcpForwarding) ''
- AllowTcpForwarding no
- ''}
- '');
+ environment.systemPackages = [ pkgs.duo-unix ];
+
+ security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
+
+ system.activationScripts = {
+ login_duo = mkIf cfg.ssh.enable ''
+ if test -f "${cfg.secretKeyFile}"; then
+ mkdir -m 0755 -p /etc/duo
+
+ umask 0077
+ conf="$(mktemp)"
+ {
+ cat ${pkgs.writeText "login_duo.conf" configFileLogin}
+ printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})"
+ } >"$conf"
+
+ chown sshd "$conf"
+ mv -fT "$conf" /etc/duo/login_duo.conf
+ fi
+ '';
+ pam_duo = mkIf cfg.pam.enable ''
+ if test -f "${cfg.secretKeyFile}"; then
+ mkdir -m 0755 -p /etc/duo
+
+ umask 0077
+ conf="$(mktemp)"
+ {
+ cat ${pkgs.writeText "login_duo.conf" configFilePam}
+ printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})"
+ } >"$conf"
+
+ mv -fT "$conf" /etc/duo/pam_duo.conf
+ fi
+ '';
+ };
+
+ /* If PAM *and* SSH are enabled, then don't do anything special.
+ If PAM isn't used, set the default SSH-only options. */
+ services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) (
+ if cfg.pam.enable then "UseDNS no" else ''
+ # Duo Security configuration
+ ForceCommand ${config.security.wrapperDir}/login_duo
+ PermitTunnel no
+ ${optionalString (!cfg.allowTcpForwarding) ''
+ AllowTcpForwarding no
+ ''}
+ '');
};
}
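Review bot: `umask 0077` in both `login_duo` and `pam_duo` is not scoped to the snippet. Activation snippets are, as far as I know, concatenated into one shell script, so the tightened umask would carry over into every snippet that runs afterwards; wrapping each body in a subshell, `( umask 0077; conf="$(mktemp)"; … )`, keeps it local. Separately, `${cfg.secretKeyFile}` is interpolated directly, so if a user assigns a Nix path literal rather than a string, the key file would be copied into the world-readable store; `${toString cfg.secretKeyFile}` avoids the copy. When the key file is missing at activation time the script silently writes nothing, leaving either no config or a stale one, so an `else` branch that prints a warning would make that visible. The `pam_duo` snippet also names its store file `"login_duo.conf"`, which looks like a copy-paste slip for `"pam_duo.conf"`.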
diff --git a/nixpkgs/nixos/modules/services/amqp/activemq/default.nix b/nixpkgs/nixos/modules/services/amqp/activemq/default.nix
index 7729da27304..160dbddcd48 100644
--- a/nixpkgs/nixos/modules/services/amqp/activemq/default.nix
+++ b/nixpkgs/nixos/modules/services/amqp/activemq/default.nix
@@ -63,9 +63,11 @@ in {
javaProperties = mkOption {
type = types.attrs;
default = { };
- example = {
- "java.net.preferIPv4Stack" = "true";
- };
+ example = literalExample ''
+ {
+ "java.net.preferIPv4Stack" = "true";
+ }
+ '';
apply = attrs: {
"activemq.base" = "${cfg.baseDir}";
"activemq.data" = "${cfg.baseDir}/data";
diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.nix b/nixpkgs/nixos/modules/services/backup/borgbackup.nix
index a2eb80c55a8..be661b201f0 100644
--- a/nixpkgs/nixos/modules/services/backup/borgbackup.nix
+++ b/nixpkgs/nixos/modules/services/backup/borgbackup.nix
@@ -189,6 +189,7 @@ let
in {
meta.maintainers = with maintainers; [ dotlambda ];
+ meta.doc = ./borgbackup.xml;
###### interface
@@ -197,10 +198,11 @@ in {
Deduplicating backups using BorgBackup.
Adding a job will cause a borg-job-NAME wrapper to be added
to your system path, so that you can perform maintenance easily.
+ See also the chapter about BorgBackup in the NixOS manual.
'';
default = { };
example = literalExample ''
- {
+ { # for a local backup
rootBackup = {
paths = "/";
exclude = [ "/nix" ];
@@ -213,6 +215,23 @@ in {
startAt = "weekly";
};
}
+ { # Root backing each day up to a remote backup server. We assume that you have
+ # * created a password less key: ssh-keygen -N "" -t ed25519 -f /path/to/ssh_key
+ # best practices are: use -t ed25519, /path/to = /run/keys
+ # * the passphrase is in the file /run/keys/borgbackup_passphrase
+ # * you have initialized the repository manually
+ paths = [ "/etc" "/home" ];
+ exclude = [ "/nix" "'**/.cache'" ];
+ doInit = false;
+ repo = "user3@arep.repo.borgbase.com:repo";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat /path/to/passphrase";
+ };
+ environment = { BORG_RSH = "ssh -i /path/to/ssh_key"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
'';
type = types.attrsOf (types.submodule (let globalConfig = config; in
{ name, config, ... }: {
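Review bot: The example block added here is not a valid value for the jobs option. The second `{ … };` starts after the first set has already closed and has no job name, so copying the example does not evaluate. Its comment says the passphrase is in `/run/keys/borgbackup_passphrase` while the code reads `passCommand = "cat /path/to/passphrase";`, and the same mismatch exists between `/run/keys` and `/path/to/ssh_key`. I would move the remote job inside the first set under its own name, e.g. `remoteBackup = { … };`, and use one path consistently in comment and code. The example string opens in the previous hunk, so only part of it is visible here.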
@@ -268,6 +287,8 @@ in {
<manvolnum>7</manvolnum></citerefentry>.
If you do not want the backup to start
automatically, use <literal>[ ]</literal>.
+ It will generate a systemd service borgbackup-job-NAME.
+ You may trigger it manually via systemctl restart borgbackup-job-NAME.
'';
};
@@ -303,6 +324,10 @@ in {
you to specify a <option>passCommand</option>
or a <option>passphrase</option>.
'';
+ example = ''
+ encryption.mode = "repokey-blake2" ;
+ encryption.passphrase = "mySecretPassphrase" ;
+ '';
};
encryption.passCommand = mkOption {
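Review bot: The example added for the encryption mode option shows `encryption.passphrase = "mySecretPassphrase";`, and a passphrase written into the configuration ends up in the world-readable Nix store, as the manual chapter added in this same commit warns. An example that readers will copy should show the safer form, `encryption.passCommand = "cat /run/keys/borgbackup_passphrase";`. The example is also a plain multi-line string rather than `literalExample`, so it will be rendered as a quoted string in the manual. If this option only takes a mode name, `example = "repokey-blake2";` would be enough; the option's type is outside the hunk.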
@@ -538,6 +563,7 @@ in {
description = ''
Serve BorgBackup repositories to given public SSH keys,
restricting their access to the repository only.
+ See also the chapter about BorgBackup in the NixOS manual.
Also, clients do not need to specify the absolute path when accessing the repository,
i.e. <literal>user@machine:.</literal> is enough. (Note colon and dot.)
'';
diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.xml b/nixpkgs/nixos/modules/services/backup/borgbackup.xml
new file mode 100644
index 00000000000..bef7db608f8
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/backup/borgbackup.xml
@@ -0,0 +1,227 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ version="5.0"
+ xml:id="module-borgbase">
+ <title>BorgBackup</title>
+ <para>
+ <emphasis>Source:</emphasis>
+ <filename>modules/services/backup/borgbackup.nix</filename>
+ </para>
+ <para>
+ <emphasis>Upstream documentation:</emphasis>
+ <link xlink:href="https://borgbackup.readthedocs.io/"/>
+ </para>
+ <para>
+ <link xlink:href="https://www.borgbackup.org/">BorgBackup</link> (short: Borg)
+ is a deduplicating backup program. Optionally, it supports compression and
+ authenticated encryption.
+ </para>
+ <para>
+ The main goal of Borg is to provide an efficient and secure way to backup
+ data. The data deduplication technique used makes Borg suitable for daily
+ backups since only changes are stored. The authenticated encryption technique
+ makes it suitable for backups to not fully trusted targets.
+ </para>
+ <section xml:id="module-services-backup-borgbackup-configuring">
+ <title>Configuring</title>
+ <para>
+ A complete list of options for the Borgbase module may be found
+ <link linkend="opt-services.borgbackup.jobs">here</link>.
+ </para>
+</section>
+ <section xml:id="opt-services-backup-borgbackup-local-directory">
+ <title>Basic usage for a local backup</title>
+
+ <para>
+ A very basic configuration for backing up to a locally accessible directory
+ is:
+<programlisting>
+{
+ opt.services.borgbackup.jobs = {
+ { rootBackup = {
+ paths = "/";
+ exclude = [ "/nix" "/path/to/local/repo" ];
+ repo = "/path/to/local/repo";
+ doInit = true;
+ encryption = {
+ mode = "repokey";
+ passphrase = "secret";
+ };
+ compression = "auto,lzma";
+ startAt = "weekly";
+ };
+ }
+ };
+}</programlisting>
+ </para>
+ <warning>
+ <para>
+ If you do not want the passphrase to be stored in the world-readable
+ Nix store, use passCommand. You find an example below.
+ </para>
+ </warning>
+ </section>
+<section xml:id="opt-services-backup-create-server">
+ <title>Create a borg backup server</title>
+ <para>You should use a different SSH key for each repository you write to,
+ because the specified keys are restricted to running borg serve and can only
+ access this single repository. You need the output of the generate pub file.
+ </para>
+ <para>
+ <programlisting>
+# sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_my_borg_repo
+# cat /run/keys/id_ed25519_my_borg_repo
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos</programlisting>
+ </para>
+ <para>
+ Add the following snippet to your NixOS configuration:
+ <programlisting>
+{
+ services.borgbackup.repos = {
+ my_borg_repo = {
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos"
+ ] ;
+ path = "/var/lib/my_borg_repo" ;
+ };
+ };
+}</programlisting>
+ </para>
+</section>
+
+ <section xml:id="opt-services-backup-borgbackup-remote-server">
+ <title>Backup to the borg repository server</title>
+ <para>The following NixOS snippet creates an hourly backup to the service
+ (on the host nixos) as created in the section above. We assume
+ that you have stored a secret passphrasse in the file
+ <code>/run/keys/borgbackup_passphrase</code>, which should be only
+ accessible by root
+ </para>
+ <para>
+ <programlisting>
+{
+ services.borgbackup.jobs = {
+ backupToLocalServer = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = "borg@nixos:." ;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat /run/keys/borgbackup_passphrase";
+ };
+ environment = { BORG_RSH = "ssh -i /run/keys/id_ed25519_my_borg_repo"; };
+ compression = "auto,lzma";
+ startAt = "hourly";
+ };
+ };
+};</programlisting>
+ </para>
+ <para>The following few commands (run as root) let you test your backup.
+ <programlisting>
+> nixos-rebuild switch
+...restarting the following units: polkit.service
+> systemctl restart borgbackup-job-backupToLocalServer
+> sleep 10
+> systemctl restart borgbackup-job-backupToLocalServer
+> export BORG_PASSPHRASE=topSecrect
+> borg list --rsh='ssh -i /run/keys/id_ed25519_my_borg_repo' borg@nixos:.
+nixos-backupToLocalServer-2020-03-30T21:46:17 Mon, 2020-03-30 21:46:19 [84feb97710954931ca384182f5f3cb90665f35cef214760abd7350fb064786ac]
+nixos-backupToLocalServer-2020-03-30T21:46:30 Mon, 2020-03-30 21:46:32 [e77321694ecd160ca2228611747c6ad1be177d6e0d894538898de7a2621b6e68]</programlisting>
+ </para>
+</section>
+
+ <section xml:id="opt-services-backup-borgbackup-borgbase">
+ <title>Backup to a hosting service</title>
+
+ <para>
+ Several companies offer <link
+ xlink:href="https://www.borgbackup.org/support/commercial.html">(paid)
+ hosting services</link> for Borg repositories.
+ </para>
+ <para>
+ To backup your home directory to borgbase you have to:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Generate a SSH key without a password, to access the remote server. E.g.
+ </para>
+ <para>
+ <programlisting>sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_borgbase</programlisting>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Create the repository on the server by following the instructions for your
+ hosting server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Initialize the repository on the server. Eg.
+ <programlisting>
+sudo borg init --encryption=repokey-blake2 \
+ -rsh "ssh -i /run/keys/id_ed25519_borgbase" \
+ zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo</programlisting>
+ </para>
+ </listitem>
+ <listitem>
+<para>Add it to your NixOS configuration, e.g.
+<programlisting>
+{
+ services.borgbackup.jobs = {
+ my_Remote_Backup = {
+ paths = [ "/" ];
+ exclude = [ "/nix" "'**/.cache'" ];
+ repo = "zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat /run/keys/borgbackup_passphrase";
+ };
+ BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase";
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+ };
+}}</programlisting>
+ </para>
+ </listitem>
+</itemizedlist>
+ </section>
+ <section xml:id="opt-services-backup-borgbackup-vorta">
+ <title>Vorta backup client for the desktop</title>
+ <para>
+ Vorta is a backup client for macOS and Linux desktops. It integrates the
+ mighty BorgBackup with your desktop environment to protect your data from
+ disk failure, ransomware and theft.
+ </para>
+ <para>
+ It is available as a flatpak package. To enable it you must set the
+ following two configuration items.
+ </para>
+ <para>
+ <programlisting>
+services.flatpak.enable = true ;
+# next line is needed to avoid the Error
+# Error deploying: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown:
+services.accounts-daemon.enable = true;
+ </programlisting>
+ </para>
+ <para>As a normal user you must first install, then run vorta using the
+ following commands:
+ <programlisting>
+flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+flatpak install flathub com.borgbase.Vorta
+flatpak run --branch=stable --arch=x86_64 --command=vorta com.borgbase.Vorta
+</programlisting>
+ After running <code>flatpak install</code> you can start Vorta also via
+ the KDE application menu.
+ </para>
+ <para>
+ Details about using Vorta can be found under <link
+ xlink:href="https://vorta.borgbase.com/usage">https://vorta.borgbase.com
+ </link>.
+ </para>
+ </section>
+</chapter>
diff --git a/nixpkgs/nixos/modules/services/backup/syncoid.nix b/nixpkgs/nixos/modules/services/backup/syncoid.nix
index 53787a0182a..fff119c2cf0 100644
--- a/nixpkgs/nixos/modules/services/backup/syncoid.nix
+++ b/nixpkgs/nixos/modules/services/backup/syncoid.nix
@@ -138,7 +138,11 @@ in {
};
}));
default = {};
- example."pool/test".target = "root@target:pool/test";
+ example = literalExample ''
+ {
+ "pool/test".target = "root@target:pool/test";
+ }
+ '';
description = "Syncoid commands to run.";
};
};
diff --git a/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix b/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix
index f0f5a6ecbfc..bfb73f68371 100644
--- a/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix
+++ b/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix
@@ -7,33 +7,41 @@ with lib;
options.services.hadoop = {
coreSite = mkOption {
default = {};
- example = {
- "fs.defaultFS" = "hdfs://localhost";
- };
+ example = literalExample ''
+ {
+ "fs.defaultFS" = "hdfs://localhost";
+ }
+ '';
description = "Hadoop core-site.xml definition";
};
hdfsSite = mkOption {
default = {};
- example = {
- "dfs.nameservices" = "namenode1";
- };
+ example = literalExample ''
+ {
+ "dfs.nameservices" = "namenode1";
+ }
+ '';
description = "Hadoop hdfs-site.xml definition";
};
mapredSite = mkOption {
default = {};
- example = {
- "mapreduce.map.cpu.vcores" = "1";
- };
+ example = literalExample ''
+ {
+ "mapreduce.map.cpu.vcores" = "1";
+ }
+ '';
description = "Hadoop mapred-site.xml definition";
};
yarnSite = mkOption {
default = {};
- example = {
- "yarn.resourcemanager.ha.id" = "resourcemanager1";
- };
+ example = literalExample ''
+ {
+ "yarn.resourcemanager.ha.id" = "resourcemanager1";
+ }
+ '';
description = "Hadoop yarn-site.xml definition";
};
diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix
index 17f2dde31a7..f55079300b1 100644
--- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix
+++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix
@@ -88,7 +88,7 @@ in
services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled
(let
- name = system:kube-addon-manager;
+ name = "system:kube-addon-manager";
namespace = "kube-system";
in
{
diff --git a/nixpkgs/nixos/modules/services/computing/boinc/client.nix b/nixpkgs/nixos/modules/services/computing/boinc/client.nix
index a7edac02538..7becf624071 100644
--- a/nixpkgs/nixos/modules/services/computing/boinc/client.nix
+++ b/nixpkgs/nixos/modules/services/computing/boinc/client.nix
@@ -99,14 +99,16 @@ in
environment.systemPackages = [cfg.package];
users.users.boinc = {
+ group = "boinc";
createHome = false;
description = "BOINC Client";
home = cfg.dataDir;
isSystemUser = true;
};
+ users.groups.boinc = {};
systemd.tmpfiles.rules = [
- "d '${cfg.dataDir}' - boinc - - -"
+ "d '${cfg.dataDir}' - boinc boinc - -"
];
systemd.services.boinc = {
@@ -114,7 +116,7 @@ in
after = ["network.target"];
wantedBy = ["multi-user.target"];
script = ''
- ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
+ ${fhsEnvExecutable} --dir ${cfg.dataDir} ${allowRemoteGuiRpcFlag}
'';
serviceConfig = {
User = "boinc";
diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix
index c17d89c387a..b0045409ae6 100644
--- a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix
+++ b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix
@@ -208,8 +208,12 @@ in
description = "Buildkite agent user";
extraGroups = [ "keys" ];
isSystemUser = true;
+ group = "buildkite-agent-${name}";
};
});
+ config.users.groups = mapAgents (name: cfg: {
+ "buildkite-agent-${name}" = {};
+ });
config.systemd.services = mapAgents (name: cfg: {
"buildkite-agent-${name}" =
diff --git a/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix
index 3d307b1abcf..bd4cf6a37ba 100644
--- a/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -120,10 +120,16 @@ in
++ optional hasDocker "docker.service";
requires = optional hasDocker "docker.service";
wantedBy = [ "multi-user.target" ];
+ reloadIfChanged = true;
+ restartTriggers = [
+ config.environment.etc."gitlab-runner/config.toml".source
+ ];
serviceConfig = {
+ StateDirectory = "gitlab-runner";
+ ExecReload= "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
--working-directory ${cfg.workDir} \
- --config ${configFile} \
+ --config /etc/gitlab-runner/config.toml \
--service gitlab-runner \
--user gitlab-runner \
'';
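Review bot: `reloadIfChanged = true` makes a configuration switch reload this unit instead of restarting it. As far as I understand the switch logic, that also applies when `ExecStart` changes because `cfg.package` was upgraded, so a patched gitlab-runner binary would not actually be running until someone restarts the service by hand. If a reload is wanted only for `config.toml` changes, that limitation should at least be documented next to the option, e.g. `# NOTE: only sends SIGHUP; package upgrades need a manual restart`. The `restartTriggers` entry beside it will then also result in a reload rather than a restart, which is worth saying in the same comment. Minor style point: `ExecReload= "…"` is missing the space before `=` that the neighbouring attributes have.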
@@ -138,6 +144,9 @@ in
# Make the gitlab-runner command availabe so users can query the runner
environment.systemPackages = [ cfg.package ];
+ # Make sure the config can be reloaded on change
+ environment.etc."gitlab-runner/config.toml".source = configFile;
+
users.users.gitlab-runner = {
group = "gitlab-runner";
extraGroups = optional hasDocker "docker";
diff --git a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix
index 8b56207590a..502a5898a5d 100644
--- a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -37,6 +37,38 @@ let
haveLocalDB = cfg.dbi == localDB;
+ inherit (config.system) stateVersion;
+
+ hydra-package =
+ let
+ makeWrapperArgs = concatStringsSep " " (mapAttrsToList (key: value: "--set \"${key}\" \"${value}\"") hydraEnv);
+ in pkgs.buildEnv rec {
+ name = "hydra-env";
+ buildInputs = [ pkgs.makeWrapper ];
+ paths = [ cfg.package ];
+
+ postBuild = ''
+ if [ -L "$out/bin" ]; then
+ unlink "$out/bin"
+ fi
+ mkdir -p "$out/bin"
+
+ for path in ${concatStringsSep " " paths}; do
+ if [ -d "$path/bin" ]; then
+ cd "$path/bin"
+ for prg in *; do
+ if [ -f "$prg" ]; then
+ rm -f "$out/bin/$prg"
+ if [ -x "$prg" ]; then
+ makeWrapper "$path/bin/$prg" "$out/bin/$prg" ${makeWrapperArgs}
+ fi
+ fi
+ done
+ fi
+ done
+ '';
+ };
+
in
{
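Review bot: `makeWrapperArgs` builds each `--set "key" "value"` pair by plain string interpolation, so a `hydraEnv` value containing `"`, `$` or a backtick would be re-interpreted by the shell when `postBuild` runs. Quoting through the library helper is safer and shorter: `mapAttrsToList (key: value: "--set ${escapeShellArg key} ${escapeShellArg value}") hydraEnv`. `hydraEnv` is defined outside this hunk, so whether such characters can occur today is not visible here. The `for path in ${concatStringsSep " " paths}` loop has the same unquoted-interpolation shape, though store paths should not contain spaces.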
@@ -63,8 +95,7 @@ in
};
package = mkOption {
- type = types.path;
- default = pkgs.hydra;
+ type = types.package;
defaultText = "pkgs.hydra";
description = "The Hydra package.";
};
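Review bot: `defaultText = "pkgs.hydra"` is left in place although this hunk removes `default = pkgs.hydra`. A later hunk sets the default to `hydra-migration` or `hydra-unstable` depending on `stateVersion`, and throws when `pkgs.hydra` exists, so the generated option documentation would name a package that is no longer the default. I would change it to `defaultText = "pkgs.hydra-unstable";`. One sentence in `description` could then explain that systems with an older `stateVersion` get `pkgs.hydra-migration` first.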
@@ -194,6 +225,34 @@ in
config = mkIf cfg.enable {
+ warnings = optional (cfg.package.migration or false) ''
+ You're currently deploying an older version of Hydra which is needed to
+ make some required database changes[1]. As soon as this is done, it's recommended
+ to run `hydra-backfill-ids` and set `services.hydra.package` to `pkgs.hydra-unstable`
+ after that.
+
+ [1] https://github.com/NixOS/hydra/pull/711
+ '';
+
+ services.hydra.package = with pkgs;
+ mkDefault (
+ if pkgs ? hydra
+ then throw ''
+ The Hydra package doesn't exist anymore in `nixpkgs`! It probably exists
+ due to an overlay. To upgrade Hydra, you need to take two steps as some
+ bigger changes in the database schema were implemented recently[1]. You first
+ need to deploy `pkgs.hydra-migration`, run `hydra-backfill-ids` on the server
+ and then deploy `pkgs.hydra-unstable`.
+
+ If you want to use `pkgs.hydra` from your overlay, please set `services.hydra.package`
+ explicitly to `pkgs.hydra` and make sure you know what you're doing.
+
+ [1] https://github.com/NixOS/hydra/pull/711
+ ''
+ else if versionOlder stateVersion "20.03" then hydra-migration
+ else hydra-unstable
+ );
+
users.groups.hydra = {
gid = config.ids.gids.hydra;
};
@@ -237,7 +296,7 @@ in
use-substitutes = ${if cfg.useSubstitutes then "1" else "0"}
'';
- environment.systemPackages = [ cfg.package ];
+ environment.systemPackages = [ hydra-package ];
environment.variables = hydraEnv;
@@ -298,7 +357,7 @@ in
chown hydra.hydra ${cfg.gcRootsDir}
chmod 2775 ${cfg.gcRootsDir}
'';
- serviceConfig.ExecStart = "${cfg.package}/bin/hydra-init";
+ serviceConfig.ExecStart = "${hydra-package}/bin/hydra-init";
serviceConfig.PermissionsStartOnly = true;
serviceConfig.User = "hydra";
serviceConfig.Type = "oneshot";
@@ -313,7 +372,7 @@ in
restartTriggers = [ hydraConf ];
serviceConfig =
{ ExecStart =
- "@${cfg.package}/bin/hydra-server hydra-server -f -h '${cfg.listenHost}' "
+ "@${hydra-package}/bin/hydra-server hydra-server -f -h '${cfg.listenHost}' "
+ "-p ${toString cfg.port} --max_spare_servers 5 --max_servers 25 "
+ "--max_requests 100 ${optionalString cfg.debugServer "-d"}";
User = "hydra-www";
@@ -326,15 +385,15 @@ in
{ wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" "network.target" ];
- path = [ cfg.package pkgs.nettools pkgs.openssh pkgs.bzip2 config.nix.package ];
+ path = [ hydra-package pkgs.nettools pkgs.openssh pkgs.bzip2 config.nix.package ];
restartTriggers = [ hydraConf ];
environment = env // {
PGPASSFILE = "${baseDir}/pgpass-queue-runner"; # grrr
IN_SYSTEMD = "1"; # to get log severity levels
};
serviceConfig =
- { ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v";
- ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock";
+ { ExecStart = "@${hydra-package}/bin/hydra-queue-runner hydra-queue-runner -v";
+ ExecStopPost = "${hydra-package}/bin/hydra-queue-runner --unlock";
User = "hydra-queue-runner";
Restart = "always";
@@ -348,11 +407,11 @@ in
{ wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" "network.target" ];
- path = with pkgs; [ cfg.package nettools jq ];
+ path = with pkgs; [ hydra-package nettools jq ];
restartTriggers = [ hydraConf ];
environment = env;
serviceConfig =
- { ExecStart = "@${cfg.package}/bin/hydra-evaluator hydra-evaluator";
+ { ExecStart = "@${hydra-package}/bin/hydra-evaluator hydra-evaluator";
User = "hydra";
Restart = "always";
WorkingDirectory = baseDir;
@@ -364,7 +423,7 @@ in
after = [ "hydra-init.service" ];
environment = env;
serviceConfig =
- { ExecStart = "@${cfg.package}/bin/hydra-update-gc-roots hydra-update-gc-roots";
+ { ExecStart = "@${hydra-package}/bin/hydra-update-gc-roots hydra-update-gc-roots";
User = "hydra";
};
startAt = "2,14:15";
@@ -375,7 +434,7 @@ in
after = [ "hydra-init.service" ];
environment = env;
serviceConfig =
- { ExecStart = "@${cfg.package}/bin/hydra-send-stats hydra-send-stats";
+ { ExecStart = "@${hydra-package}/bin/hydra-send-stats hydra-send-stats";
User = "hydra";
};
};
@@ -389,7 +448,7 @@ in
PGPASSFILE = "${baseDir}/pgpass-queue-runner";
};
serviceConfig =
- { ExecStart = "@${cfg.package}/bin/hydra-notify hydra-notify";
+ { ExecStart = "@${hydra-package}/bin/hydra-notify hydra-notify";
# FIXME: run this under a less privileged user?
User = "hydra-queue-runner";
Restart = "always";
diff --git a/nixpkgs/nixos/modules/services/databases/mysql.nix b/nixpkgs/nixos/modules/services/databases/mysql.nix
index 248bf0ebc91..f9e657f5774 100644
--- a/nixpkgs/nixos/modules/services/databases/mysql.nix
+++ b/nixpkgs/nixos/modules/services/databases/mysql.nix
@@ -10,16 +10,8 @@ let
isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb;
- isMysqlAtLeast57 =
- (lib.getName mysql == lib.getName pkgs.mysql57)
- && (builtins.compareVersions mysql.version "5.7" >= 0);
-
mysqldOptions =
"--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
- # For MySQL 5.7+, --insecure creates the root user without password
- # (earlier versions and MariaDB do this by default).
- installOptions =
- "${mysqldOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
settingsFile = pkgs.writeText "my.cnf" (
generators.toINI { listsAsDuplicateKeys = true; } cfg.settings +
@@ -366,9 +358,14 @@ in
pkgs.nettools
];
- preStart = ''
+ preStart = if isMariaDB then ''
+ if ! test -e ${cfg.dataDir}/mysql; then
+ ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions}
+ touch /tmp/mysql_init
+ fi
+ '' else ''
if ! test -e ${cfg.dataDir}/mysql; then
- ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions}
+ ${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure
touch /tmp/mysql_init
fi
'';
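Review bot: The non-MariaDB branch of `preStart` now runs `mysqld ... --initialize-insecure`, which creates `root@localhost` with an empty password, and the comment that documented this was deleted together with `installOptions` in the first hunk of this file. Nothing in the new code tells a maintainer that the data directory starts out unauthenticated; I would restore the note above `preStart`, e.g. `# --initialize-insecure creates root without a password (MariaDB's mysql_install_db does so by default)`. Separately, both branches signal first-run state through `/tmp/mysql_init`. Unless this unit has a private /tmp (not visible in the hunk), a marker under the service's own state or runtime directory would be safer than a fixed name in a shared directory. The rest of the service definition lies outside the hunk.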
diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.xml b/nixpkgs/nixos/modules/services/databases/postgresql.xml
index 72d4a8249a3..07af4c937f0 100644
--- a/nixpkgs/nixos/modules/services/databases/postgresql.xml
+++ b/nixpkgs/nixos/modules/services/databases/postgresql.xml
@@ -7,12 +7,10 @@
<!-- FIXME: render nicely -->
<!-- FIXME: source can be added automatically -->
<para>
- <emphasis>Source:</emphasis>
- <filename>modules/services/databases/postgresql.nix</filename>
+ <emphasis>Source:</emphasis> <filename>modules/services/databases/postgresql.nix</filename>
</para>
<para>
- <emphasis>Upstream documentation:</emphasis>
- <link xlink:href="http://www.postgresql.org/docs/"/>
+ <emphasis>Upstream documentation:</emphasis> <link xlink:href="http://www.postgresql.org/docs/"/>
</para>
<!-- FIXME: more stuff, like maintainer? -->
<para>
@@ -23,18 +21,12 @@
<title>Configuring</title>
<para>
- To enable PostgreSQL, add the following to your
- <filename>configuration.nix</filename>:
+ To enable PostgreSQL, add the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.postgresql.enable"/> = true;
<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11;
</programlisting>
- Note that you are required to specify the desired version of PostgreSQL
- (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your
- PostgreSQL version requires a database dump and reload (see below), NixOS
- cannot provide a default value for
- <xref linkend="opt-services.postgresql.package"/> such as the most recent
- release of PostgreSQL.
+ Note that you are required to specify the desired version of PostgreSQL (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for <xref linkend="opt-services.postgresql.package"/> such as the most recent release of PostgreSQL.
</para>
<!--
@@ -51,9 +43,7 @@ Type "help" for help.
-->
<para>
- By default, PostgreSQL stores its databases in
- <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using
- <xref linkend="opt-services.postgresql.dataDir"/>, e.g.
+ By default, PostgreSQL stores its databases in <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using <xref linkend="opt-services.postgresql.dataDir"/>, e.g.
<programlisting>
<xref linkend="opt-services.postgresql.dataDir"/> = "/data/postgresql";
</programlisting>
@@ -63,25 +53,83 @@ Type "help" for help.
<title>Upgrading</title>
<para>
- FIXME: document dump/upgrade/load cycle.
+ Major PostgreSQL upgrade requires PostgreSQL downtime and a few imperative steps to be called. To simplify this process, use the following NixOS module:
+<programlisting>
+ containers.temp-pg.config.services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_12;
+ ## set a custom new dataDir
+ # dataDir = "/some/data/dir";
+ };
+ environment.systemPackages =
+ let newpg = config.containers.temp-pg.config.services.postgresql;
+ in [
+ (pkgs.writeScriptBin "upgrade-pg-cluster" ''
+ set -x
+ export OLDDATA="${config.services.postgresql.dataDir}"
+ export NEWDATA="${newpg.dataDir}"
+ export OLDBIN="${config.services.postgresql.package}/bin"
+ export NEWBIN="${newpg.package}/bin"
+
+ install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+ cd "$NEWDATA"
+ sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+
+ systemctl stop postgresql # old one
+
+ sudo -u postgres $NEWBIN/pg_upgrade \
+ --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+ --old-bindir $OLDBIN --new-bindir $NEWBIN \
+ "$@"
+ '')
+ ];
+</programlisting>
</para>
+
+ <para>
+ The upgrade process is:
+ </para>
+
+ <orderedlist>
+ <listitem>
+ <para>
+ Rebuild nixos configuration with the configuration above added to your <filename>configuration.nix</filename>. Alternatively, add that into separate file and reference it in <literal>imports</literal> list.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Login as root (<literal>sudo su -</literal>)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Run <literal>upgrade-pg-cluster</literal>. It will stop old postgresql, initialize new one and migrate old one to new one. You may supply arguments like <literal>--jobs 4</literal> and <literal>--link</literal> to speedup migration process. See <link xlink:href="https://www.postgresql.org/docs/current/pgupgrade.html" /> for details.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Change postgresql package in NixOS configuration to the one you were upgrading to, and change <literal>dataDir</literal> to the one you have migrated to. Rebuild NixOS. This should start new postgres using upgraded data directory.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ After upgrade you may want to <literal>ANALYZE</literal> new db.
+ </para>
+ </listitem>
+ </orderedlist>
</section>
<section xml:id="module-services-postgres-options">
<title>Options</title>
<para>
- A complete list of options for the PostgreSQL module may be found
- <link linkend="opt-services.postgresql.enable">here</link>.
+ A complete list of options for the PostgreSQL module may be found <link linkend="opt-services.postgresql.enable">here</link>.
</para>
</section>
<section xml:id="module-services-postgres-plugins">
<title>Plugins</title>
<para>
- Plugins collection for each PostgreSQL version can be accessed with
- <literal>.pkgs</literal>. For example, for
- <literal>pkgs.postgresql_11</literal> package, its plugin collection is
- accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
+ Plugins collection for each PostgreSQL version can be accessed with <literal>.pkgs</literal>. For example, for <literal>pkgs.postgresql_11</literal> package, its plugin collection is accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
<screen>
<prompt>$ </prompt>nix repl '&lt;nixpkgs&gt;'
@@ -98,8 +146,9 @@ postgresql_11.pkgs.pg_partman postgresql_11.pkgs.pgroonga
...
</screen>
</para>
+
<para>
- To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>:
+ To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>:
<programlisting>
<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11;
<xref linkend="opt-services.postgresql.extraPlugins"/> = with pkgs.postgresql_11.pkgs; [
@@ -108,10 +157,9 @@ postgresql_11.pkgs.pg_partman postgresql_11.pkgs.pgroonga
];
</programlisting>
</para>
+
<para>
- You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using
- function <literal>.withPackages</literal>. For example, creating a custom
- PostgreSQL package in an overlay can look like:
+ You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function <literal>.withPackages</literal>. For example, creating a custom PostgreSQL package in an overlay can look like:
<programlisting>
self: super: {
postgresql_custom = self.postgresql_11.withPackages (ps: [
@@ -121,8 +169,9 @@ self: super: {
}
</programlisting>
</para>
+
<para>
- Here's a recipe on how to override a particular plugin through an overlay:
+ Here's a recipe on how to override a particular plugin through an overlay:
<programlisting>
self: super: {
postgresql_11 = super.postgresql_11.override { this = self.postgresql_11; } // {
diff --git a/nixpkgs/nixos/modules/services/desktops/accountsservice.nix b/nixpkgs/nixos/modules/services/desktops/accountsservice.nix
index c48036a99e8..ae2ecb5ffeb 100644
--- a/nixpkgs/nixos/modules/services/desktops/accountsservice.nix
+++ b/nixpkgs/nixos/modules/services/desktops/accountsservice.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/bamf.nix b/nixpkgs/nixos/modules/services/desktops/bamf.nix
index 0928ee81a64..4b35146d084 100644
--- a/nixpkgs/nixos/modules/services/desktops/bamf.nix
+++ b/nixpkgs/nixos/modules/services/desktops/bamf.nix
@@ -5,6 +5,10 @@
with lib;
{
+ meta = {
+ maintainers = with maintainers; [ worldofpeace ];
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
index 8fa108c4f9d..492242e3296 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix
index 3d2b3ed85e3..3c7f217b18d 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix
@@ -4,6 +4,10 @@
with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
services.gnome3.chrome-gnome-shell.enable = mkEnableOption ''
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/evolution-data-server.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
index 7e312a1b81e..bd62d16f61c 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
@@ -16,7 +20,7 @@ with lib;
type = types.bool;
default = false;
description = ''
- Whether to enable Evolution Data Server, a collection of services for
+ Whether to enable Evolution Data Server, a collection of services for
storing addressbooks and calendars.
'';
};
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix
index fcd58509d6f..7e667b6b1f0 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/glib-networking.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix
index d715d52c2d0..c391ad9694c 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix
@@ -44,6 +44,10 @@ in
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
index db60445ef77..2916a3c82b3 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
@@ -35,6 +39,8 @@ with lib;
services.dbus.packages = [ pkgs.gnome3.gnome-keyring pkgs.gcr ];
+ xdg.portal.extraPortals = [ pkgs.gnome3.gnome-keyring ];
+
security.pam.services.login.enableGnomeKeyring = true;
security.wrappers.gnome-keyring-daemon = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
index 748a025414a..3f9ced5e86b 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
index d406bf6f5e3..39d669e8b30 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
index 021f4f9534b..164a0a44f8c 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
@@ -4,6 +4,10 @@
with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
services.gnome3.gnome-remote-desktop = {
@@ -13,6 +17,8 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.gnome-remote-desktop.enable {
+ services.pipewire.enable = true;
+
systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ];
};
}
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix
index 2f83fd653bd..1c33ed064a1 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix
@@ -12,6 +12,10 @@ in
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
imports = [
(mkRemovedOptionModule
["services" "gnome3" "gnome-settings-daemon" "package"]
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-user-share.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
index f8396287770..f2fe8b41a9e 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/rygel.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/rygel.nix
index 55d5e703aa1..917a1d6541e 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/rygel.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/rygel.nix
@@ -4,6 +4,10 @@
with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
services.gnome3.rygel = {
@@ -26,5 +30,7 @@ with lib;
services.dbus.packages = [ pkgs.gnome3.rygel ];
systemd.packages = [ pkgs.gnome3.rygel ];
+
+ environment.etc."rygel.conf".source = "${pkgs.gnome3.rygel}/etc/rygel.conf";
};
}
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/sushi.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/sushi.nix
index 7a4389038b2..83b17365d5d 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/sushi.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/sushi.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/tracker-miners.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/tracker-miners.nix
index b390d8368c6..f2af4024927 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/tracker-miners.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/tracker-miners.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
@@ -25,7 +29,6 @@ with lib;
};
-
###### implementation
config = mkIf config.services.gnome3.tracker-miners.enable {
diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/tracker.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/tracker.nix
index 2e829274226..cd196e38553 100644
--- a/nixpkgs/nixos/modules/services/desktops/gnome3/tracker.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gnome3/tracker.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/gvfs.nix b/nixpkgs/nixos/modules/services/desktops/gvfs.nix
index 1d002eac41d..250ea6d4575 100644
--- a/nixpkgs/nixos/modules/services/desktops/gvfs.nix
+++ b/nixpkgs/nixos/modules/services/desktops/gvfs.nix
@@ -12,6 +12,10 @@ in
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
diff --git a/nixpkgs/nixos/modules/services/desktops/malcontent.nix b/nixpkgs/nixos/modules/services/desktops/malcontent.nix
index 416464cbe08..5d6912595b5 100644
--- a/nixpkgs/nixos/modules/services/desktops/malcontent.nix
+++ b/nixpkgs/nixos/modules/services/desktops/malcontent.nix
@@ -12,7 +12,7 @@ with lib;
services.malcontent = {
- enable = mkEnableOption "Malcontent";
+ enable = mkEnableOption "Malcontent, parental control support for applications";
};
@@ -23,10 +23,15 @@ with lib;
config = mkIf config.services.malcontent.enable {
- environment.systemPackages = [ pkgs.malcontent ];
+ environment.systemPackages = with pkgs; [
+ malcontent
+ malcontent-ui
+ ];
services.dbus.packages = [ pkgs.malcontent ];
+ services.accounts-daemon.enable = true;
+
};
}
diff --git a/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix b/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix
deleted file mode 100644
index c76145191a7..00000000000
--- a/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-# Contractor
-
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-{
-
-
- ###### implementation
-
- config = mkIf config.services.pantheon.contractor.enable {
-
-
-
- };
-
-}
diff --git a/nixpkgs/nixos/modules/services/desktops/pipewire.nix b/nixpkgs/nixos/modules/services/desktops/pipewire.nix
index 13f3d61e84c..5aee59cfdcc 100644
--- a/nixpkgs/nixos/modules/services/desktops/pipewire.nix
+++ b/nixpkgs/nixos/modules/services/desktops/pipewire.nix
@@ -8,6 +8,11 @@ let
packages = with pkgs; [ pipewire ];
in {
+
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
###### interface
options = {
services.pipewire = {
@@ -33,5 +38,4 @@ in {
systemd.user.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ];
};
- meta.maintainers = with lib.maintainers; [ jtojnar ];
}
diff --git a/nixpkgs/nixos/modules/services/desktops/telepathy.nix b/nixpkgs/nixos/modules/services/desktops/telepathy.nix
index f5401c18098..34596bf7818 100644
--- a/nixpkgs/nixos/modules/services/desktops/telepathy.nix
+++ b/nixpkgs/nixos/modules/services/desktops/telepathy.nix
@@ -6,6 +6,10 @@ with lib;
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/tumbler.nix b/nixpkgs/nixos/modules/services/desktops/tumbler.nix
index a833e99ff8c..a09079517f0 100644
--- a/nixpkgs/nixos/modules/services/desktops/tumbler.nix
+++ b/nixpkgs/nixos/modules/services/desktops/tumbler.nix
@@ -18,6 +18,10 @@ in
"")
];
+ meta = {
+ maintainers = with maintainers; [ worldofpeace ];
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/desktops/zeitgeist.nix b/nixpkgs/nixos/modules/services/desktops/zeitgeist.nix
index 20c82ccdd56..cf7dd5fe3a1 100644
--- a/nixpkgs/nixos/modules/services/desktops/zeitgeist.nix
+++ b/nixpkgs/nixos/modules/services/desktops/zeitgeist.nix
@@ -5,6 +5,11 @@
with lib;
{
+
+ meta = {
+ maintainers = with maintainers; [ worldofpeace ];
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/games/factorio.nix b/nixpkgs/nixos/modules/services/games/factorio.nix
index f3831156f45..4b2e1a3c07f 100644
--- a/nixpkgs/nixos/modules/services/games/factorio.nix
+++ b/nixpkgs/nixos/modules/services/games/factorio.nix
@@ -4,14 +4,13 @@ with lib;
let
cfg = config.services.factorio;
- factorio = pkgs.factorio-headless;
name = "Factorio";
stateDir = "/var/lib/${cfg.stateDirName}";
mkSavePath = name: "${stateDir}/saves/${name}.zip";
configFile = pkgs.writeText "factorio.conf" ''
use-system-read-write-data-directories=true
[path]
- read-data=${factorio}/share/factorio/data
+ read-data=${cfg.package}/share/factorio/data
write-data=${stateDir}
'';
serverSettings = {
@@ -37,7 +36,7 @@ let
only_admins_can_pause_the_game = true;
autosave_only_on_server = true;
admins = [];
- };
+ } // cfg.extraSettings;
serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings));
modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods;
in
@@ -115,6 +114,14 @@ in
Description of the game that will appear in the listing.
'';
};
+ extraSettings = mkOption {
+ type = types.attrs;
+ default = {};
+ example = { admins = [ "username" ];};
+ description = ''
+ Extra game configuration that will go into server-settings.json
+ '';
+ };
public = mkOption {
type = types.bool;
default = false;
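Review bot: The new `extraSettings` description does not say that its contents are merged over the built-in `serverSettings` with `//` and rendered by `pkgs.writeText "server-settings.json"` (both visible in the previous hunk), which puts the file in the world-readable Nix store. A game password or token added here would be readable by every local user, and a key such as `admins` or `only_admins_can_pause_the_game` silently replaces the module's value. I would extend the description to something like `Extra game configuration merged over the module's settings in server-settings.json. The file lives in the Nix store and is world-readable; do not put secrets here.`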
@@ -136,6 +143,15 @@ in
Your factorio.com login credentials. Required for games with visibility public.
'';
};
+ package = mkOption {
+ type = types.package;
+ default = pkgs.factorio-headless;
+ defaultText = "pkgs.factorio-headless";
+ example = "pkgs.factorio-headless-experimental";
+ description = ''
+ Factorio version to use. This defaults to the stable channel.
+ '';
+ };
password = mkOption {
type = types.nullOr types.str;
default = null;
@@ -184,7 +200,7 @@ in
preStart = toString [
"test -e ${stateDir}/saves/${cfg.saveName}.zip"
"||"
- "${factorio}/bin/factorio"
+ "${cfg.package}/bin/factorio"
"--config=${cfg.configFile}"
"--create=${mkSavePath cfg.saveName}"
(optionalString (cfg.mods != []) "--mod-directory=${modDir}")
@@ -197,7 +213,7 @@ in
StateDirectory = cfg.stateDirName;
UMask = "0007";
ExecStart = toString [
- "${factorio}/bin/factorio"
+ "${cfg.package}/bin/factorio"
"--config=${cfg.configFile}"
"--port=${toString cfg.port}"
"--start-server=${mkSavePath cfg.saveName}"
diff --git a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix
index 6bf31982b71..ec0457bbd58 100644
--- a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix
+++ b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix
@@ -63,7 +63,7 @@ stdenv.mkDerivation {
meta = {
description = "Brother brscan4 sane backend driver etc files";
- homepage = http://www.brother.com;
+ homepage = "http://www.brother.com";
platforms = stdenv.lib.platforms.linux;
license = stdenv.lib.licenses.unfree;
maintainers = with stdenv.lib.maintainers; [ jraygauthier ];
diff --git a/nixpkgs/nixos/modules/services/hardware/xow.nix b/nixpkgs/nixos/modules/services/hardware/xow.nix
new file mode 100644
index 00000000000..a18d60ad83b
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/hardware/xow.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.services.hardware.xow;
+in {
+ options.services.hardware.xow = {
+ enable = lib.mkEnableOption "xow as a systemd service";
+ };
+
+ config = lib.mkIf cfg.enable {
+ hardware.uinput.enable = true;
+
+ systemd.packages = [ pkgs.xow ];
+
+ services.udev.packages = [ pkgs.xow ];
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/mail/roundcube.nix b/nixpkgs/nixos/modules/services/mail/roundcube.nix
index 0bb0eaedad5..21e92cfee01 100644
--- a/nixpkgs/nixos/modules/services/mail/roundcube.nix
+++ b/nixpkgs/nixos/modules/services/mail/roundcube.nix
@@ -7,6 +7,7 @@ let
fpm = config.services.phpfpm.pools.roundcube;
localDB = cfg.database.host == "localhost";
user = cfg.database.username;
+ phpWithPspell = pkgs.php.withExtensions (e: [ e.pspell ] ++ pkgs.php.enabledExtensions);
in
{
options.services.roundcube = {
@@ -85,6 +86,15 @@ in
'';
};
+ dicts = mkOption {
+ type = types.listOf types.package;
+ default = [];
+ example = literalExample "with pkgs.aspellDicts; [ en fr de ]";
+ description = ''
+ List of aspell dictionnaries for spell checking. If empty, spell checking is disabled.
+ '';
+ };
+
extraConfig = mkOption {
type = types.lines;
default = "";
@@ -109,6 +119,11 @@ in
$config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
$config['des_key'] = file_get_contents('/var/lib/roundcube/des_key');
$config['mime_types'] = '${pkgs.nginx}/conf/mime.types';
+ $config['enable_spellcheck'] = ${if cfg.dicts == [] then "false" else "true"};
+ # by default, spellchecking uses a third-party cloud services
+ $config['spellcheck_engine'] = 'pspell';
+ $config['spellcheck_languages'] = array(${lib.concatMapStringsSep ", " (dict: let p = builtins.parseDrvName dict.shortName; in "'${p.name}' => '${dict.fullName}'") cfg.dicts});
+
${cfg.extraConfig}
'';
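Review bot: The `spellcheck_languages` line reads `dict.shortName` and `dict.fullName` from every element of `cfg.dicts`, but the option added in the previous hunk is typed `types.listOf types.package`, so a package that is not an aspell dictionary will presumably fail evaluation with a missing-attribute error rather than a readable message. Both values are also interpolated into single-quoted PHP strings without escaping, which is acceptable only while they come from dictionary packages. An assertion such as `all (d: d ? shortName && d ? fullName) cfg.dicts` with a clear message, or a sentence in the option description saying only `pkgs.aspellDicts` members are accepted, would make that contract explicit. The comment on the line above should read `# by default, spellchecking uses a third-party cloud service`.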
@@ -172,6 +187,8 @@ in
"pm.max_requests" = 500;
"catch_workers_output" = true;
};
+ phpPackage = phpWithPspell;
+ phpEnv.ASPELL_CONF = "dict-dir ${pkgs.aspellWithDicts (_: cfg.dicts)}/lib/aspell";
};
systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
@@ -199,7 +216,7 @@ in
${psql} <<< 'TRUNCATE TABLE session;'
fi
- ${pkgs.php}/bin/php ${cfg.package}/bin/update.sh
+ ${phpWithPspell}/bin/php ${cfg.package}/bin/update.sh
'';
serviceConfig = {
Type = "oneshot";
diff --git a/nixpkgs/nixos/modules/services/mail/sympa.nix b/nixpkgs/nixos/modules/services/mail/sympa.nix
index c3ae9d4255b..0cad09927b2 100644
--- a/nixpkgs/nixos/modules/services/mail/sympa.nix
+++ b/nixpkgs/nixos/modules/services/mail/sympa.nix
@@ -25,8 +25,6 @@ let
StateDirectory = "sympa";
ProtectHome = true;
ProtectSystem = "full";
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
ProtectControlGroups = true;
};
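Review bot: This hunk drops `ProtectKernelTunables = true;` and `ProtectKernelModules = true;` from the shared service settings with no comment explaining why. That weakens the sandboxing of every unit that merges this set at once (a later hunk shows `} // commonServiceConfig;`, presumably this attribute set). If only one unit breaks under these options, I would keep them here and override them in that unit alone. If they must go everywhere, leave a comment in their place such as `# ProtectKernelTunables/ProtectKernelModules disabled: <reason — TODO fill in>`. The attribute set starts outside the hunk.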
@@ -415,7 +413,7 @@ in
# force-copy static_content so it's up to date with package
# set permissions for wwsympa which needs write access (...)
"R ${dataDir}/static_content - - - - -"
- "C ${dataDir}/static_content 0711 ${user} ${group} - ${pkg}/static_content"
+ "C ${dataDir}/static_content 0711 ${user} ${group} - ${pkg}/var/lib/sympa/static_content"
"e ${dataDir}/static_content/* 0711 ${user} ${group} - -"
"d /run/sympa 0755 ${user} ${group} - -"
@@ -497,7 +495,7 @@ in
-F ${toString cfg.web.fcgiProcs} \
-P /run/sympa/wwsympa.pid \
-s /run/sympa/wwsympa.socket \
- -- ${pkg}/bin/wwsympa.fcgi
+ -- ${pkg}/lib/sympa/cgi/wwsympa.fcgi
'';
} // commonServiceConfig;
@@ -518,7 +516,7 @@ in
fastcgi_split_path_info ^(${loc})(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param SCRIPT_FILENAME ${pkg}/bin/wwsympa.fcgi;
+ fastcgi_param SCRIPT_FILENAME ${pkg}/lib/sympa/cgi/wwsympa.fcgi;
'';
}) // {
"/static-sympa/".alias = "${dataDir}/static_content/";
@@ -550,7 +548,7 @@ in
args = [
"flags=hqRu"
"user=${user}"
- "argv=${pkg}/bin/queue"
+ "argv=${pkg}/libexec/queue"
"\${nexthop}"
];
};
@@ -562,7 +560,7 @@ in
args = [
"flags=hqRu"
"user=${user}"
- "argv=${pkg}/bin/bouncequeue"
+ "argv=${pkg}/libexec/bouncequeue"
"\${nexthop}"
];
};
diff --git a/nixpkgs/nixos/modules/services/misc/airsonic.nix b/nixpkgs/nixos/modules/services/misc/airsonic.nix
index c296e048cea..5cc2ff7f4bd 100644
--- a/nixpkgs/nixos/modules/services/misc/airsonic.nix
+++ b/nixpkgs/nixos/modules/services/misc/airsonic.nix
@@ -138,6 +138,7 @@ in {
services.nginx = mkIf (cfg.virtualHost != null) {
enable = true;
+ recommendedProxySettings = true;
virtualHosts.${cfg.virtualHost} = {
locations.${cfg.contextPath}.proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
};
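Review bot: `recommendedProxySettings = true;` is set on `services.nginx` itself rather than on the airsonic virtual host, so enabling `services.airsonic.virtualHost` changes the proxy headers of every other proxied location served by this nginx. Setting it with default priority, `recommendedProxySettings = lib.mkDefault true;`, would let an administrator who manages proxy headers themselves opt out. Alternatively, the headers airsonic needs could be set only on `locations.${cfg.contextPath}`. It would also help to mention in the `virtualHost` option description that this global nginx setting is switched on.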
diff --git a/nixpkgs/nixos/modules/services/misc/dysnomia.nix b/nixpkgs/nixos/modules/services/misc/dysnomia.nix
index 33a6fb15264..4b52963500d 100644
--- a/nixpkgs/nixos/modules/services/misc/dysnomia.nix
+++ b/nixpkgs/nixos/modules/services/misc/dysnomia.nix
@@ -177,7 +177,7 @@ in
wrapper = {};
}
// lib.optionalAttrs (config.services.httpd.enable) { apache-webapplication = {
- documentRoot = config.services.httpd.documentRoot;
+ documentRoot = config.services.httpd.virtualHosts.localhost.documentRoot;
}; }
// lib.optionalAttrs (config.services.tomcat.axis2.enable) { axis2-webservice = {}; }
// lib.optionalAttrs (config.services.ejabberd.enable) { ejabberd-dump = {
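Review bot: The new `documentRoot` reads `config.services.httpd.virtualHosts.localhost.documentRoot`, but the surrounding guard only checks `config.services.httpd.enable`, so a system whose httpd has no virtual host named `localhost` will presumably fail evaluation with a missing-attribute error. Extending the condition, e.g. `lib.optionalAttrs (config.services.httpd.enable && config.services.httpd.virtualHosts ? localhost)`, keeps the container out of the set in that case. If `documentRoot` can be null for that host, that needs handling as well; the option's type is not visible here.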
diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
index d02fa13bb99..703bc9416f8 100644
--- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
@@ -31,7 +31,6 @@ bind_host: "${cfg.bind_host}"
''}
server_name: "${cfg.server_name}"
pid_file: "/run/matrix-synapse.pid"
-web_client: ${boolToString cfg.web_client}
${optionalString (cfg.public_baseurl != null) ''
public_baseurl: "${cfg.public_baseurl}"
''}
@@ -202,13 +201,6 @@ in {
This is also the last part of your UserID.
'';
};
- web_client = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to serve a web client from the HTTP/HTTPS root resource.
- '';
- };
public_baseurl = mkOption {
type = types.nullOr types.str;
default = null;
@@ -719,6 +711,7 @@ in {
Database configuration must be done manually. An exemplary setup is demonstrated in
<nixpkgs/nixos/tests/matrix-synapse.nix>
'')
+ (mkRemovedOptionModule [ "services" "matrix-synapse" "web_client" ] "")
];
meta.doc = ./matrix-synapse.xml;
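Review bot: The `mkRemovedOptionModule` entry added for `web_client` passes an empty string as its message, so a configuration that still sets the option fails evaluation with no explanation of why it was removed or what to do instead. The message should state the reason and the replacement, if any. The same empty message is used for `["services" "graphite" "pager"]` in graphite.nix later in this commit.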
diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.xml b/nixpkgs/nixos/modules/services/misc/matrix-synapse.xml
index 053a3b2a563..2f2ac27eeb9 100644
--- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.xml
+++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.xml
@@ -33,6 +33,7 @@
<link xlink:href="https://github.com/matrix-org/synapse#synapse-installation">
installation instructions of Synapse </link>.
<programlisting>
+{ pkgs, ... }:
let
fqdn =
let
@@ -46,7 +47,7 @@ in {
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
<link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
- <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = ''
+ <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
index 17c3582db0f..0c2407e1dd2 100644
--- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
@@ -92,13 +92,14 @@ in
maxJobs = mkOption {
type = types.either types.int (types.enum ["auto"]);
- default = 1;
+ default = "auto";
example = 64;
description = ''
- This option defines the maximum number of jobs that Nix will try
- to build in parallel. The default is 1. You should generally
- set it to the total number of logical cores in your system (e.g., 16
- for two CPUs with 4 cores each and hyper-threading).
+ This option defines the maximum number of jobs that Nix will try to
+ build in parallel. The default is auto, which means it will use all
+ available logical cores. It is recommend to set it to the total
+ number of logical cores in your system (e.g., 16 for two CPUs with 4
+ cores each and hyper-threading).
'';
};
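Review bot: The new `maxJobs` description contradicts itself: it says the default `auto` already uses all available logical cores, then recommends setting the value to the number of logical cores. It also reads "It is recommend". The last sentence could become `Set an explicit number only to limit parallel builds, e.g. on a shared or memory-constrained machine.`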
@@ -282,7 +283,7 @@ in
trustedBinaryCaches = mkOption {
type = types.listOf types.str;
default = [ ];
- example = [ http://hydra.nixos.org/ ];
+ example = [ "http://hydra.nixos.org/" ];
description = ''
List of binary cache URLs that non-root users can use (in
addition to those specified using
@@ -376,6 +377,59 @@ in
If enabled (the default), checks that Nix can parse the generated nix.conf.
'';
};
+
+ registry = mkOption {
+ type = types.attrsOf (types.submodule (
+ let
+ inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]);
+ in
+ { config, name, ... }:
+ { options = {
+ from = mkOption {
+ type = inputAttrs;
+ example = { type = "indirect"; id = "nixpkgs"; };
+ description = "The flake reference to be rewritten.";
+ };
+ to = mkOption {
+ type = inputAttrs;
+ example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; };
+ description = "The flake reference to which <option>from></option> is to be rewritten.";
+ };
+ flake = mkOption {
+ type = types.unspecified;
+ default = null;
+ example = literalExample "nixpkgs";
+ description = ''
+ The flake input to which <option>from></option> is to be rewritten.
+ '';
+ };
+ exact = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether the <option>from</option> reference needs to match exactly. If set,
+ a <option>from</option> reference like <literal>nixpkgs</literal> does not
+ match with a reference like <literal>nixpkgs/nixos-20.03</literal>.
+ '';
+ };
+ };
+ config = {
+ from = mkDefault { type = "indirect"; id = name; };
+ to = mkIf (config.flake != null)
+ ({ type = "path";
+ path = config.flake.outPath;
+ } // lib.filterAttrs
+ (n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
+ config.flake);
+ };
+ }
+ ));
+ default = {};
+ description = ''
+ A system-wide flake registry.
+ '';
+ };
+
};
};
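Review bot: The descriptions of `to` and `flake` both contain `<option>from></option>` with a stray `>`, which will render as "from>" in the manual; it should be `<option>from</option>` as in the `exact` description. `to` has no default and is only defined when `config.flake != null`, so an entry that sets neither presumably fails with an "option used but not defined" error when `registry.json` is generated; an assertion with a readable message would help. `flake` is `types.unspecified`, so any value with an `outPath` is accepted. Because this registry rewrites flake references system-wide, the description should say what value is expected and that the resulting `path` entry points at that store path.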
@@ -390,6 +444,11 @@ in
environment.etc."nix/nix.conf".source = nixConf;
+ environment.etc."nix/registry.json".text = builtins.toJSON {
+ version = 2;
+ flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry;
+ };
+
# List of machines for distributed Nix builds in the format
# expected by build-remote.pl.
environment.etc."nix/machines" =
diff --git a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix b/nixpkgs/nixos/modules/services/misc/nixos-manual.nix
deleted file mode 100644
index ab73f49d4be..00000000000
--- a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-# This module optionally starts a browser that shows the NixOS manual
-# on one of the virtual consoles which is useful for the installation
-# CD.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.nixosManual;
- cfgd = config.documentation;
-in
-
-{
-
- options = {
-
- # TODO(@oxij): rename this to `.enable` eventually.
- services.nixosManual.showManual = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to show the NixOS manual on one of the virtual
- consoles.
- '';
- };
-
- services.nixosManual.ttyNumber = mkOption {
- type = types.int;
- default = 8;
- description = ''
- Virtual console on which to show the manual.
- '';
- };
-
- services.nixosManual.browser = mkOption {
- type = types.path;
- default = "${pkgs.w3m-nographics}/bin/w3m";
- description = ''
- Browser used to show the manual.
- '';
- };
-
- };
-
-
- config = mkMerge [
- (mkIf cfg.showManual {
- assertions = singleton {
- assertion = cfgd.enable && cfgd.nixos.enable;
- message = "Can't enable `services.nixosManual.showManual` without `documentation.nixos.enable`";
- };
- })
- (mkIf (cfg.showManual && cfgd.enable && cfgd.nixos.enable) {
- console.extraTTYs = [ "tty${toString cfg.ttyNumber}" ];
-
- systemd.services.nixos-manual = {
- description = "NixOS Manual";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${cfg.browser} ${config.system.build.manual.manualHTMLIndex}";
- StandardInput = "tty";
- StandardOutput = "tty";
- TTYPath = "/dev/tty${toString cfg.ttyNumber}";
- TTYReset = true;
- TTYVTDisallocate = true;
- Restart = "always";
- };
- };
- })
- ];
-
-}
diff --git a/nixpkgs/nixos/modules/services/misc/rogue.nix b/nixpkgs/nixos/modules/services/misc/rogue.nix
deleted file mode 100644
index d56d103b5f3..00000000000
--- a/nixpkgs/nixos/modules/services/misc/rogue.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-# Execute the game `rogue' on tty 9. Mostly used by the NixOS
-# installation CD.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
- cfg = config.services.rogue;
-
-in
-
-{
- ###### interface
-
- options = {
-
- services.rogue.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to enable the Rogue game on one of the virtual
- consoles.
- '';
- };
-
- services.rogue.tty = mkOption {
- type = types.str;
- default = "tty9";
- description = ''
- Virtual console on which to run Rogue.
- '';
- };
-
- };
-
-
- ###### implementation
-
- config = mkIf cfg.enable {
-
- console.extraTTYs = [ cfg.tty ];
-
- systemd.services.rogue =
- { description = "Rogue dungeon crawling game";
- wantedBy = [ "multi-user.target" ];
- serviceConfig =
- { ExecStart = "${pkgs.rogue}/bin/rogue";
- StandardInput = "tty";
- StandardOutput = "tty";
- TTYPath = "/dev/${cfg.tty}";
- TTYReset = true;
- TTYVTDisallocate = true;
- WorkingDirectory = "/tmp";
- Restart = "always";
- };
- };
-
- };
-
-}
diff --git a/nixpkgs/nixos/modules/services/monitoring/graphite.nix b/nixpkgs/nixos/modules/services/monitoring/graphite.nix
index dd147bb3793..64d9d61950d 100644
--- a/nixpkgs/nixos/modules/services/monitoring/graphite.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/graphite.nix
@@ -39,8 +39,6 @@ let
GRAPHITE_URL = cfg.seyren.graphiteUrl;
} // cfg.seyren.extraConfig;
- pagerConfig = pkgs.writeText "alarms.yaml" cfg.pager.alerts;
-
configDir = pkgs.buildEnv {
name = "graphite-config";
paths = lists.filter (el: el != null) [
@@ -61,12 +59,10 @@ let
carbonEnv = {
PYTHONPATH = let
- cenv = pkgs.python.buildEnv.override {
- extraLibs = [ pkgs.python27Packages.carbon ];
+ cenv = pkgs.python3.buildEnv.override {
+ extraLibs = [ pkgs.python3Packages.carbon ];
};
- cenvPack = "${cenv}/${pkgs.python.sitePackages}";
- # opt/graphite/lib contains twisted.plugins.carbon-cache
- in "${cenvPack}/opt/graphite/lib:${cenvPack}";
+ in "${cenv}/${pkgs.python3.sitePackages}";
GRAPHITE_ROOT = dataDir;
GRAPHITE_CONF_DIR = configDir;
GRAPHITE_STORAGE_DIR = dataDir;
@@ -74,6 +70,10 @@ let
in {
+ imports = [
+ (mkRemovedOptionModule ["services" "graphite" "pager"] "")
+ ];
+
###### interface
options.services.graphite = {
@@ -132,7 +132,7 @@ in {
finders = mkOption {
description = "List of finder plugins to load.";
default = [];
- example = literalExample "[ pkgs.python27Packages.influxgraph ]";
+ example = literalExample "[ pkgs.python3Packages.influxgraph ]";
type = types.listOf types.package;
};
@@ -159,8 +159,8 @@ in {
package = mkOption {
description = "Package to use for graphite api.";
- default = pkgs.python27Packages.graphite_api;
- defaultText = "pkgs.python27Packages.graphite_api";
+ default = pkgs.python3Packages.graphite_api;
+ defaultText = "pkgs.python3Packages.graphite_api";
type = types.package;
};
@@ -344,49 +344,6 @@ in {
};
};
- pager = {
- enable = mkOption {
- description = ''
- Whether to enable graphite-pager service. For more information visit
- <link xlink:href="https://github.com/seatgeek/graphite-pager"/>
- '';
- default = false;
- type = types.bool;
- };
-
- redisUrl = mkOption {
- description = "Redis connection string.";
- default = "redis://localhost:${toString config.services.redis.port}/";
- type = types.str;
- };
-
- graphiteUrl = mkOption {
- description = "URL to your graphite service.";
- default = "http://${cfg.web.listenAddress}:${toString cfg.web.port}";
- type = types.str;
- };
-
- alerts = mkOption {
- description = "Alerts configuration for graphite-pager.";
- default = ''
- alerts:
- - target: constantLine(100)
- warning: 90
- critical: 200
- name: Test
- '';
- example = ''
- pushbullet_key: pushbullet_api_key
- alerts:
- - target: stats.seatgeek.app.deal_quality.venue_info_cache.hit
- warning: .5
- critical: 1
- name: Deal quality venue cache hits
- '';
- type = types.lines;
- };
- };
-
beacon = {
enable = mkEnableOption "graphite beacon";
@@ -409,7 +366,7 @@ in {
environment = carbonEnv;
serviceConfig = {
RuntimeDirectory = name;
- ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}";
+ ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
Group = "graphite";
PermissionsStartOnly = true;
@@ -431,7 +388,7 @@ in {
environment = carbonEnv;
serviceConfig = {
RuntimeDirectory = name;
- ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}";
+ ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
Group = "graphite";
PIDFile="/run/${name}/${name}.pid";
@@ -447,7 +404,7 @@ in {
environment = carbonEnv;
serviceConfig = {
RuntimeDirectory = name;
- ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}";
+ ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
Group = "graphite";
PIDFile="/run/${name}/${name}.pid";
@@ -457,19 +414,11 @@ in {
(mkIf (cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay) {
environment.systemPackages = [
- pkgs.pythonPackages.carbon
+ pkgs.python3Packages.carbon
];
})
- (mkIf cfg.web.enable (let
- python27' = pkgs.python27.override {
- packageOverrides = self: super: {
- django = self.django_1_8;
- django_tagging = self.django_tagging_0_4_3;
- };
- };
- pythonPackages = python27'.pkgs;
- in {
+ (mkIf cfg.web.enable ({
systemd.services.graphiteWeb = {
description = "Graphite Web Interface";
wantedBy = [ "multi-user.target" ];
@@ -477,28 +426,27 @@ in {
path = [ pkgs.perl ];
environment = {
PYTHONPATH = let
- penv = pkgs.python.buildEnv.override {
+ penv = pkgs.python3.buildEnv.override {
extraLibs = [
- pythonPackages.graphite-web
- pythonPackages.pysqlite
+ pkgs.python3Packages.graphite-web
];
};
- penvPack = "${penv}/${pkgs.python.sitePackages}";
+ penvPack = "${penv}/${pkgs.python3.sitePackages}";
in concatStringsSep ":" [
"${graphiteLocalSettingsDir}"
- "${penvPack}/opt/graphite/webapp"
"${penvPack}"
# explicitly adding pycairo in path because it cannot be imported via buildEnv
- "${pkgs.pythonPackages.pycairo}/${pkgs.python.sitePackages}"
+ "${pkgs.python3Packages.pycairo}/${pkgs.python3.sitePackages}"
];
DJANGO_SETTINGS_MODULE = "graphite.settings";
+ GRAPHITE_SETTINGS_MODULE = "graphite_local_settings";
GRAPHITE_CONF_DIR = configDir;
GRAPHITE_STORAGE_DIR = dataDir;
LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib";
};
serviceConfig = {
ExecStart = ''
- ${pkgs.python27Packages.waitress-django}/bin/waitress-serve-django \
+ ${pkgs.python3Packages.waitress-django}/bin/waitress-serve-django \
--host=${cfg.web.listenAddress} --port=${toString cfg.web.port}
'';
User = "graphite";
@@ -510,7 +458,7 @@ in {
mkdir -p ${dataDir}/{whisper/,log/webapp/}
chmod 0700 ${dataDir}/{whisper/,log/webapp/}
- ${pkgs.pythonPackages.django_1_8}/bin/django-admin.py migrate --noinput
+ ${pkgs.python3Packages.django}/bin/django-admin.py migrate --noinput
chown -R graphite:graphite ${dataDir}
@@ -518,16 +466,16 @@ in {
fi
# Only collect static files when graphite_web changes.
- if ! [ "${dataDir}/current_graphite_web" -ef "${pythonPackages.graphite-web}" ]; then
+ if ! [ "${dataDir}/current_graphite_web" -ef "${pkgs.python3Packages.graphite-web}" ]; then
mkdir -p ${staticDir}
- ${pkgs.pythonPackages.django_1_8}/bin/django-admin.py collectstatic --noinput --clear
+ ${pkgs.python3Packages.django}/bin/django-admin.py collectstatic --noinput --clear
chown -R graphite:graphite ${staticDir}
- ln -sfT "${pythonPackages.graphite-web}" "${dataDir}/current_graphite_web"
+ ln -sfT "${pkgs.python3Packages.graphite-web}" "${dataDir}/current_graphite_web"
fi
'';
};
- environment.systemPackages = [ pythonPackages.graphite-web ];
+ environment.systemPackages = [ pkgs.python3Packages.graphite-web ];
}))
(mkIf cfg.api.enable {
@@ -537,16 +485,16 @@ in {
after = [ "network.target" ];
environment = {
PYTHONPATH = let
- aenv = pkgs.python.buildEnv.override {
- extraLibs = [ cfg.api.package pkgs.cairo pkgs.pythonPackages.cffi ] ++ cfg.api.finders;
+ aenv = pkgs.python3.buildEnv.override {
+ extraLibs = [ cfg.api.package pkgs.cairo pkgs.python3Packages.cffi ] ++ cfg.api.finders;
};
- in "${aenv}/${pkgs.python.sitePackages}";
+ in "${aenv}/${pkgs.python3.sitePackages}";
GRAPHITE_API_CONFIG = graphiteApiConfig;
LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib";
};
serviceConfig = {
ExecStart = ''
- ${pkgs.python27Packages.waitress}/bin/waitress-serve \
+ ${pkgs.python3Packages.waitress}/bin/waitress-serve \
--host=${cfg.api.listenAddress} --port=${toString cfg.api.port} \
graphite_api.app:app
'';
@@ -591,34 +539,13 @@ in {
services.mongodb.enable = mkDefault true;
})
- (mkIf cfg.pager.enable {
- systemd.services.graphitePager = {
- description = "Graphite Pager Alerting Daemon";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "redis.service" ];
- environment = {
- REDIS_URL = cfg.pager.redisUrl;
- GRAPHITE_URL = cfg.pager.graphiteUrl;
- };
- serviceConfig = {
- ExecStart = "${pkgs.pythonPackages.graphitepager}/bin/graphite-pager --config ${pagerConfig}";
- User = "graphite";
- Group = "graphite";
- };
- };
-
- services.redis.enable = mkDefault true;
-
- environment.systemPackages = [ pkgs.pythonPackages.graphitepager ];
- })
-
(mkIf cfg.beacon.enable {
systemd.services.graphite-beacon = {
description = "Grpahite Beacon Alerting Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
- ${pkgs.pythonPackages.graphite_beacon}/bin/graphite-beacon \
+ ${pkgs.python3Packages.graphite_beacon}/bin/graphite-beacon \
--config=${pkgs.writeText "graphite-beacon.json" (builtins.toJSON cfg.beacon.config)}
'';
User = "graphite";
@@ -630,7 +557,7 @@ in {
(mkIf (
cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay ||
cfg.web.enable || cfg.api.enable ||
- cfg.seyren.enable || cfg.pager.enable || cfg.beacon.enable
+ cfg.seyren.enable || cfg.beacon.enable
) {
users.users.graphite = {
uid = config.ids.uids.graphite;
diff --git a/nixpkgs/nixos/modules/services/monitoring/netdata.nix b/nixpkgs/nixos/modules/services/monitoring/netdata.nix
index f8225af2042..a5233a46e34 100644
--- a/nixpkgs/nixos/modules/services/monitoring/netdata.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/netdata.nix
@@ -9,10 +9,12 @@ let
mkdir -p $out/libexec/netdata/plugins.d
ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin
+ ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin
+ ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin
'';
plugins = [
- "${pkgs.netdata}/libexec/netdata/plugins.d"
+ "${cfg.package}/libexec/netdata/plugins.d"
"${wrappedPlugins}/libexec/netdata/plugins.d"
] ++ cfg.extraPluginPaths;
@@ -35,6 +37,13 @@ in {
services.netdata = {
enable = mkEnableOption "netdata";
+ package = mkOption {
+ type = types.package;
+ default = pkgs.netdata;
+ defaultText = "pkgs.netdata";
+ description = "Netdata package to use.";
+ };
+
user = mkOption {
type = types.str;
default = "netdata";
@@ -141,10 +150,11 @@ in {
path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable
(pkgs.python3.withPackages cfg.python.extraPackages);
serviceConfig = {
- Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules";
- ExecStart = "${pkgs.netdata}/bin/netdata -P /run/netdata/netdata.pid -D -c ${configFile}";
+ Environment="PYTHONPATH=${cfg.package}/libexec/netdata/python.d/python_modules";
+ ExecStart = "${cfg.package}/bin/netdata -P /run/netdata/netdata.pid -D -c ${configFile}";
ExecReload = "${pkgs.utillinux}/bin/kill -s HUP -s USR1 -s USR2 $MAINPID";
TimeoutStopSec = 60;
+ Restart = "on-failure";
# User and group
User = cfg.user;
Group = cfg.group;
@@ -159,7 +169,7 @@ in {
systemd.enableCgroupAccounting = true;
security.wrappers."apps.plugin" = {
- source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin.org";
+ source = "${cfg.package}/libexec/netdata/plugins.d/apps.plugin.org";
capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
owner = cfg.user;
group = cfg.group;
@@ -167,13 +177,29 @@ in {
};
security.wrappers."freeipmi.plugin" = {
- source = "${pkgs.netdata}/libexec/netdata/plugins.d/freeipmi.plugin.org";
+ source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org";
capabilities = "cap_dac_override,cap_fowner+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rwx";
};
+ security.wrappers."perf.plugin" = {
+ source = "${cfg.package}/libexec/netdata/plugins.d/perf.plugin.org";
+ capabilities = "cap_sys_admin+ep";
+ owner = cfg.user;
+ group = cfg.group;
+ permissions = "u+rx,g+rx,o-rx";
+ };
+
+ security.wrappers."slabinfo.plugin" = {
+ source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org";
+ capabilities = "cap_dac_override+ep";
+ owner = cfg.user;
+ group = cfg.group;
+ permissions = "u+rx,g+rx,o-rx";
+ };
+
security.pam.loginLimits = [
{ domain = "netdata"; type = "soft"; item = "nofile"; value = "10000"; }
{ domain = "netdata"; type = "hard"; item = "nofile"; value = "30000"; }
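Review bot: The new `perf.plugin` wrapper carries `cap_sys_admin+ep` and is installed whenever netdata is enabled, whether or not the perf plugin is used. That is a very broad capability to attach to a binary that `cfg.user` and `cfg.group` can execute, so consider gating the two new wrappers behind an option, or at least add a comment on each saying why the capability is needed. They also use `permissions = "u+rx,g+rx,o-rx";` while the `freeipmi.plugin` wrapper in the same hunk uses `"u+rx,g+rx,o-rwx"`; using one string throughout avoids depending on the wrapper's base mode. Since `source` now comes from `cfg.package`, these capabilities are granted to whatever package the operator substitutes, which the `package` option description should mention.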
diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix
index 4534d150885..1b02ebf3704 100644
--- a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix
@@ -21,6 +21,8 @@ let
"--config.file /tmp/alert-manager-substituted.yaml"
"--web.listen-address ${cfg.listenAddress}:${toString cfg.port}"
"--log.level ${cfg.logLevel}"
+ "--storage.path /var/lib/alertmanager"
+ (toString (map (peer: "--cluster.peer ${peer}:9094") cfg.clusterPeers))
] ++ (optional (cfg.webExternalUrl != null)
"--web.external-url ${cfg.webExternalUrl}"
) ++ (optional (cfg.logFormat != null)
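Review bot: The `--cluster.peer` line hard-codes `:9094` onto every entry of `cfg.clusterPeers`, so a peer on another port cannot be expressed, and the option description ("Initial peers for HA cluster.") does not say that entries must be bare hosts. It is also added as one list element via `toString`, which leaves an empty string in the argument list when `clusterPeers` is empty. Appending with `++ (map (peer: "--cluster.peer ${peer}") cfg.clusterPeers)` and documenting a `host:port` form would avoid both. The argument list starts and continues outside this hunk, so how it is joined is not visible here.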
@@ -120,6 +122,14 @@ in {
'';
};
+ clusterPeers = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ Initial peers for HA cluster.
+ '';
+ };
+
extraFlags = mkOption {
type = types.listOf types.str;
default = [];
@@ -155,13 +165,14 @@ in {
systemd.services.alertmanager = {
wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
+ after = [ "network-online.target" ];
preStart = ''
${lib.getBin pkgs.envsubst}/bin/envsubst -o "/tmp/alert-manager-substituted.yaml" \
-i "${alertmanagerYml}"
'';
serviceConfig = {
Restart = "always";
+ StateDirectory = "alertmanager";
DynamicUser = true; # implies PrivateTmp
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
WorkingDirectory = "/tmp";
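Review bot: `after = [ "network-online.target" ];` only orders the unit and does not pull the target in, so unless something else on the system wants `network-online.target` the ordering has no effect. Adding `wants = [ "network-online.target" ];` next to it makes the dependency explicit. mullvad-vpn.nix later in this commit has the same pattern: `after` names `network-online.target` while `wants` names `network.target`. The `serviceConfig` block continues outside the hunk.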
diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix
index 6b1a4be44d1..84a72afac2f 100644
--- a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix
@@ -10,7 +10,7 @@ let
# a wrapper that verifies that the configuration is valid
promtoolCheck = what: name: file:
if cfg.checkConfig then
- pkgs.runCommand
+ pkgs.runCommandNoCCLocal
"${name}-${replaceStrings [" "] [""] what}-checked"
{ buildInputs = [ cfg.package ]; } ''
ln -s ${file} $out
@@ -19,7 +19,7 @@ let
# Pretty-print JSON to a file
writePrettyJSON = name: x:
- pkgs.runCommand name { preferLocalBuild = true; } ''
+ pkgs.runCommandNoCCLocal name {} ''
echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out
'';
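Review bot: `writePrettyJSON` still interpolates the JSON into a single-quoted shell word (`echo '${builtins.toJSON x}'`), so any configuration string containing a `'` ends the quoting and the remainder is parsed as shell by the builder. Writing the JSON to a store file first keeps it out of the script text, e.g. `pkgs.runCommandNoCCLocal name {} ''${pkgs.jq}/bin/jq . ${pkgs.writeText "${name}.json" (builtins.toJSON x)} > $out''`. The commit only changes the builder name, so the quoting predates it, but it sits on the line being edited.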
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix b/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix
index 1dd869043f0..5422d4dd4e2 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix
@@ -98,13 +98,14 @@ in
Set of AFP volumes to export.
See <literal>man apf.conf</literal> for more information.
'';
- example =
+ example = literalExample ''
{ srv =
{ path = "/srv";
"read only" = true;
"hosts allow" = "10.1.0.0/16 10.2.1.100 2001:0db8:1234::/48";
};
- };
+ }
+ '';
};
extmap = mkOption {
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix b/nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix
index 79c4b7aee06..677111814a0 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix
@@ -9,7 +9,7 @@ let
cfg = config.services.openafsClient;
cellServDB = pkgs.fetchurl {
- url = http://dl.central.org/dl/cellservdb/CellServDB.2018-05-14;
+ url = "http://dl.central.org/dl/cellservdb/CellServDB.2018-05-14";
sha256 = "1wmjn6mmyy2r8p10nlbdzs4nrqxy8a9pjyrdciy5nmppg4053rk2";
};
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix b/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix
index b17ec3aa930..ccad64cfdb2 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix
@@ -74,13 +74,14 @@ in
See <command>man rsyncd.conf</command> for options.
'';
type = types.attrsOf (types.attrsOf types.str);
- example =
+ example = literalExample ''
{ srv =
{ path = "/srv";
"read only" = "yes";
comment = "Public rsync share.";
};
- };
+ }
+ '';
};
user = mkOption {
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
index a3c22ce6948..a115590ccaa 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
@@ -189,7 +189,7 @@ in
See <command>man smb.conf</command> for options.
'';
type = types.attrsOf (types.attrsOf types.unspecified);
- example =
+ example = literalExample ''
{ public =
{ path = "/srv/public";
"read only" = true;
@@ -197,7 +197,8 @@ in
"guest ok" = "yes";
comment = "Public samba share.";
};
- };
+ }
+ '';
};
};
diff --git a/nixpkgs/nixos/modules/services/networking/3proxy.nix b/nixpkgs/nixos/modules/services/networking/3proxy.nix
index 26aa1667946..ae8a4958ca9 100644
--- a/nixpkgs/nixos/modules/services/networking/3proxy.nix
+++ b/nixpkgs/nixos/modules/services/networking/3proxy.nix
@@ -334,10 +334,12 @@ in {
nsrecord = mkOption {
type = types.attrsOf types.str;
default = { };
- example = {
- "files.local" = "192.168.1.12";
- "site.local" = "192.168.1.43";
- };
+ example = literalExample ''
+ {
+ "files.local" = "192.168.1.12";
+ "site.local" = "192.168.1.43";
+ }
+ '';
description = "Adds static nsrecords.";
};
};
diff --git a/nixpkgs/nixos/modules/services/networking/connman.nix b/nixpkgs/nixos/modules/services/networking/connman.nix
index e8eadc4e187..6ccc2dffb26 100644
--- a/nixpkgs/nixos/modules/services/networking/connman.nix
+++ b/nixpkgs/nixos/modules/services/networking/connman.nix
@@ -77,6 +77,13 @@ in {
'';
};
+ package = mkOption {
+ type = types.path;
+ description = "The connman package / build flavor";
+ default = connman;
+ example = literalExample "pkgs.connmanFull";
+ };
+
};
};
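Review bot: The new `package` option is declared as `types.path` with no `defaultText`, although its value is a package; the netdata module in this same commit uses `types.package` with `defaultText`. `type = types.package;` plus `defaultText = "pkgs.connman";` (assuming `connman` here resolves to `pkgs.connman`) would match that and stop the manual from rendering a store path. Further down, `connman-vpnd` from this package is started through a D-Bus service with `User = "root"`, so the description could also say that the chosen package supplies root-run daemons.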
@@ -89,11 +96,13 @@ in {
assertion = !config.networking.useDHCP;
message = "You can not use services.connman with networking.useDHCP";
}{
+ # TODO: connman seemingly can be used along network manager and
+ # connmanFull supports this - so this should be worked out somehow
assertion = !config.networking.networkmanager.enable;
message = "You can not use services.connman with networking.networkmanager";
}];
- environment.systemPackages = [ connman ];
+ environment.systemPackages = [ cfg.package ];
systemd.services.connman = {
description = "Connection service";
@@ -105,7 +114,7 @@ in {
BusName = "net.connman";
Restart = "on-failure";
ExecStart = toString ([
- "${pkgs.connman}/sbin/connmand"
+ "${cfg.package}/sbin/connmand"
"--config=${configFile}"
"--nodaemon"
] ++ optional enableIwd "--wifi=iwd_agent"
@@ -122,7 +131,7 @@ in {
serviceConfig = {
Type = "dbus";
BusName = "net.connman.vpn";
- ExecStart = "${pkgs.connman}/sbin/connman-vpnd -n";
+ ExecStart = "${cfg.package}/sbin/connman-vpnd -n";
StandardOutput = "null";
};
};
@@ -132,7 +141,7 @@ in {
serviceConfig = {
Name = "net.connman.vpn";
before = [ "connman" ];
- ExecStart = "${pkgs.connman}/sbin/connman-vpnd -n";
+ ExecStart = "${cfg.package}/sbin/connman-vpnd -n";
User = "root";
SystemdService = "connman-vpn.service";
};
diff --git a/nixpkgs/nixos/modules/services/networking/dnscache.nix b/nixpkgs/nixos/modules/services/networking/dnscache.nix
index d123bca9321..d06032daecc 100644
--- a/nixpkgs/nixos/modules/services/networking/dnscache.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnscache.nix
@@ -61,10 +61,12 @@ in {
Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts).
If entry for @ is not specified predefined list of root servers is used.
'';
- example = {
- "@" = ["8.8.8.8" "8.8.4.4"];
- "example.com" = ["192.168.100.100"];
- };
+ example = literalExample ''
+ {
+ "@" = ["8.8.8.8" "8.8.4.4"];
+ "example.com" = ["192.168.100.100"];
+ }
+ '';
};
forwardOnly = mkOption {
diff --git a/nixpkgs/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix b/nixpkgs/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix
new file mode 100644
index 00000000000..09d357cd2b6
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.magic-wormhole-mailbox-server;
+ dataDir = "/var/lib/magic-wormhole-mailbox-server;";
+ python = pkgs.python3.withPackages (py: [ py.magic-wormhole-mailbox-server py.twisted ]);
+in
+{
+ options.services.magic-wormhole-mailbox-server = {
+ enable = mkEnableOption "Enable Magic Wormhole Mailbox Server";
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.magic-wormhole-mailbox-server = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = "${python}/bin/twistd --nodaemon wormhole-mailbox";
+ WorkingDirectory = dataDir;
+ StateDirectory = baseNameOf dataDir;
+ };
+ };
+
+ };
+}
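Review bot: `dataDir = "/var/lib/magic-wormhole-mailbox-server;";` has a stray `;` inside the string literal, so `WorkingDirectory` and `StateDirectory` (via `baseNameOf dataDir`) both end in a semicolon and the state lands under a directory named `magic-wormhole-mailbox-server;`. It should read `dataDir = "/var/lib/magic-wormhole-mailbox-server";`. Separately, `mkEnableOption "Enable Magic Wormhole Mailbox Server"` renders as "Whether to enable Enable …"; `mkEnableOption "Magic Wormhole Mailbox Server"` is the usual form.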
diff --git a/nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix b/nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix
new file mode 100644
index 00000000000..cc98414257c
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.mullvad-vpn;
+in
+with lib;
+{
+ options.services.mullvad-vpn.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ This option enables Mullvad VPN daemon.
+ '';
+ };
+
+ config = mkIf cfg.enable {
+ boot.kernelModules = [ "tun" ];
+
+ systemd.services.mullvad-daemon = {
+ description = "Mullvad VPN daemon";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network.target" ];
+ after = [
+ "network-online.target"
+ "NetworkManager.service"
+ "systemd-resolved.service"
+ ];
+ path = [
+ pkgs.iproute
+ # Needed for ping
+ "/run/wrappers"
+ ];
+ serviceConfig = {
+ StartLimitBurst = 5;
+ StartLimitIntervalSec = 20;
+ ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps";
+ Restart = "always";
+ RestartSec = 1;
+ };
+ };
+ };
+
+ meta.maintainers = [ maintainers.xfix ];
+}
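Review bot: `StartLimitBurst` and `StartLimitIntervalSec` are placed in `serviceConfig`, but as far as I know systemd reads `StartLimitIntervalSec=` from the `[Unit]` section and accepts only the legacy `StartLimitInterval=` spelling under `[Service]`. If so, the interval is likely ignored with a warning. Moving both keys into `unitConfig = { StartLimitBurst = 5; StartLimitIntervalSec = 20; };` should make the limit apply alongside `Restart = "always"`. The unit sets no `User`, so the daemon runs as root; a comment stating whether that is required would help later hardening reviews.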
diff --git a/nixpkgs/nixos/modules/services/networking/ndppd.nix b/nixpkgs/nixos/modules/services/networking/ndppd.nix
index e015f76f622..77e979a8a42 100644
--- a/nixpkgs/nixos/modules/services/networking/ndppd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ndppd.nix
@@ -43,7 +43,7 @@ let
timeout = mkOption {
type = types.int;
description = ''
- Controls how long to wait for a Neighbor Advertisment Message before
+ Controls how long to wait for a Neighbor Advertisment Message before
invalidating the entry, in milliseconds.
'';
default = 500;
@@ -51,7 +51,7 @@ let
ttl = mkOption {
type = types.int;
description = ''
- Controls how long a valid or invalid entry remains in the cache, in
+ Controls how long a valid or invalid entry remains in the cache, in
milliseconds.
'';
default = 30000;
@@ -142,7 +142,11 @@ in {
messages, and respond to them according to a set of rules.
'';
default = {};
- example = { eth0.rules."1111::/64" = {}; };
+ example = literalExample ''
+ {
+ eth0.rules."1111::/64" = {};
+ }
+ '';
};
};
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
index e817f295a44..6f24141b33c 100644
--- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix
+++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
@@ -131,6 +131,10 @@ let
in {
+ meta = {
+ maintainers = teams.freedesktop.members;
+ };
+
###### interface
options = {
diff --git a/nixpkgs/nixos/modules/services/networking/nftables.nix b/nixpkgs/nixos/modules/services/networking/nftables.nix
index ad7c013a544..ec9d9753cfe 100644
--- a/nixpkgs/nixos/modules/services/networking/nftables.nix
+++ b/nixpkgs/nixos/modules/services/networking/nftables.nix
@@ -52,7 +52,7 @@ in
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
# allow "ping"
- ip6 nexthdr icmp icmpv6 type echo-request accept
+ ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
# accept SSH connections (required for a server)
diff --git a/nixpkgs/nixos/modules/services/networking/pixiecore.nix b/nixpkgs/nixos/modules/services/networking/pixiecore.nix
new file mode 100644
index 00000000000..0e32f182e2a
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/pixiecore.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.pixiecore;
+in
+{
+ meta.maintainers = with maintainers; [ bbigras danderson ];
+
+ options = {
+ services.pixiecore = {
+ enable = mkEnableOption "Pixiecore";
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Open ports (67, 69 UDP and 4011, 'port', 'statusPort' TCP) in the firewall for Pixiecore.
+ '';
+ };
+
+ mode = mkOption {
+ description = "Which mode to use";
+ default = "boot";
+ type = types.enum [ "api" "boot" ];
+ };
+
+ debug = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Log more things that aren't directly related to booting a recognized client";
+ };
+
+ dhcpNoBind = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Handle DHCP traffic without binding to the DHCP server port";
+ };
+
+ kernel = mkOption {
+ type = types.str or types.path;
+ default = "";
+ description = "Kernel path. Ignored unless mode is set to 'boot'";
+ };
+
+ initrd = mkOption {
+ type = types.str or types.path;
+ default = "";
+ description = "Initrd path. Ignored unless mode is set to 'boot'";
+ };
+
+ cmdLine = mkOption {
+ type = types.str;
+ default = "";
+ description = "Kernel commandline arguments. Ignored unless mode is set to 'boot'";
+ };
+
+ listen = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "IPv4 address to listen on";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 80;
+ description = "Port to listen on for HTTP";
+ };
+
+ statusPort = mkOption {
+ type = types.port;
+ default = 80;
+ description = "HTTP port for status information (can be the same as --port)";
+ };
+
+ apiServer = mkOption {
+ type = types.str;
+ example = "localhost:8080";
+ description = "host:port to connect to the API. Ignored unless mode is set to 'api'";
+ };
+
+ extraArguments = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "Additional command line arguments to pass to Pixiecore";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.groups.pixiecore = {};
+ users.users.pixiecore = {
+ description = "Pixiecore daemon user";
+ group = "pixiecore";
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ 4011 cfg.port cfg.statusPort ];
+ allowedUDPPorts = [ 67 69 ];
+ };
+
+ systemd.services.pixiecore = {
+ description = "Pixiecore server";
+ after = [ "network.target"];
+ wants = [ "network.target"];
+ wantedBy = [ "multi-user.target"];
+ serviceConfig = {
+ User = "pixiecore";
+ Restart = "always";
+ AmbientCapabilities = [ "cap_net_bind_service" ] ++ optional cfg.dhcpNoBind "cap_net_raw";
+ ExecStart =
+ let
+ argString =
+ if cfg.mode == "boot"
+ then [ "boot" cfg.kernel ]
+ ++ optional (cfg.initrd != "") cfg.initrd
+ ++ optional (cfg.cmdLine != "") "--cmdline=${lib.escapeShellArg cfg.cmdLine}"
+ else [ "api" cfg.apiServer ];
+ in
+ ''
+ ${pkgs.pixiecore}/bin/pixiecore \
+ ${lib.escapeShellArgs argString} \
+ ${optionalString cfg.debug "--debug"} \
+ ${optionalString cfg.dhcpNoBind "--dhcp-no-bind"} \
+ --listen-addr ${lib.escapeShellArg cfg.listen} \
+ --port ${toString cfg.port} \
+ --status-port ${toString cfg.statusPort} \
+ ${escapeShellArgs cfg.extraArguments}
+ '';
+ };
+ };
+ };
+}
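Review bot: `cfg.cmdLine` is escaped twice in the `ExecStart` `argString`: it is wrapped with `lib.escapeShellArg` inside the `--cmdline=` element, and the whole list is then passed through `lib.escapeShellArgs`, so a command line containing spaces or quotes would likely reach pixiecore with literal quote characters in it. Dropping the inner call, `++ optional (cfg.cmdLine != "") "--cmdline=${cfg.cmdLine}"`, leaves a single level of quoting. Separately, `types.str or types.path` on `kernel` and `initrd` is Nix's attribute-default operator and evaluates to plain `types.str`; `types.either types.path types.str` expresses the intended union. Because these values become the kernel, initrd and command line of every client that network-boots from this host, the `listen` description should also state that the default `0.0.0.0` serves them on all IPv4 addresses.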
diff --git a/nixpkgs/nixos/modules/services/networking/quorum.nix b/nixpkgs/nixos/modules/services/networking/quorum.nix
new file mode 100644
index 00000000000..2f612c9db68
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/quorum.nix
@@ -0,0 +1,229 @@
+{ config, pkgs, lib, ... }:
+let
+
+ inherit (lib) mkEnableOption mkIf mkOption literalExample types optionalString;
+
+ cfg = config.services.quorum;
+ dataDir = "/var/lib/quorum";
+ genesisFile = pkgs.writeText "genesis.json" (builtins.toJSON cfg.genesis);
+ staticNodesFile = pkgs.writeText "static-nodes.json" (builtins.toJSON cfg.staticNodes);
+
+in {
+ options = {
+
+ services.quorum = {
+ enable = mkEnableOption "Quorum blockchain daemon";
+
+ user = mkOption {
+ type = types.str;
+ default = "quorum";
+ description = "The user as which to run quorum.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = cfg.user;
+ description = "The group as which to run quorum.";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 21000;
+ description = "Override the default port on which to listen for connections.";
+ };
+
+ nodekeyFile = mkOption {
+ type = types.path;
+ default = "${dataDir}/nodekey";
+ description = "Path to the nodekey.";
+ };
+
+ staticNodes = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "enode://dd333ec28f0a8910c92eb4d336461eea1c20803eed9cf2c056557f986e720f8e693605bba2f4e8f289b1162e5ac7c80c914c7178130711e393ca76abc1d92f57@0.0.0.0:30303?discport=0" ];
+ description = "List of validator nodes.";
+ };
+
+ privateconfig = mkOption {
+ type = types.str;
+ default = "ignore";
+ description = "Configuration of privacy transaction manager.";
+ };
+
+ syncmode = mkOption {
+ type = types.enum [ "fast" "full" "light" ];
+ default = "full";
+ description = "Blockchain sync mode.";
+ };
+
+ blockperiod = mkOption {
+ type = types.int;
+ default = 5;
+ description = "Default minimum difference between two consecutive block's timestamps in seconds.";
+ };
+
+ permissioned = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Allow only a defined list of nodes to connect.";
+ };
+
+ rpc = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable RPC interface.";
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "Listening address for RPC connections.";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 22004;
+ description = "Override the default port on which to listen for RPC connections.";
+ };
+
+ api = mkOption {
+ type = types.str;
+ default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul";
+ description = "API's offered over the HTTP-RPC interface.";
+ };
+ };
+
+ ws = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable WS-RPC interface.";
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "Listening address for WS-RPC connections.";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 8546;
+ description = "Override the default port on which to listen for WS-RPC connections.";
+ };
+
+ api = mkOption {
+ type = types.str;
+ default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul";
+ description = "API's offered over the WS-RPC interface.";
+ };
+
+ origins = mkOption {
+ type = types.str;
+ default = "*";
+ description = "Origins from which to accept websockets requests";
+ };
+ };
+
+ genesis = mkOption {
+ type = types.nullOr types.attrs;
+ default = null;
+ example = literalExample '' {
+ alloc = {
+ a47385db68718bdcbddc2d2bb7c54018066ec111 = {
+ balance = "1000000000000000000000000000";
+ };
+ };
+ coinbase = "0x0000000000000000000000000000000000000000";
+ config = {
+ byzantiumBlock = 4;
+ chainId = 494702925;
+ eip150Block = 2;
+ eip155Block = 3;
+ eip158Block = 3;
+ homesteadBlock = 1;
+ isQuorum = true;
+ istanbul = {
+ epoch = 30000;
+ policy = 0;
+ };
+ };
+ difficulty = "0x1";
+ extraData = "0x0000000000000000000000000000000000000000000000000000000000000000f85ad59438f0508111273d8e482f49410ca4078afc86a961b8410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0";
+ gasLimit = "0x2FEFD800";
+ mixHash = "0x63746963616c2062797a616e74696e65201111756c7420746f6c6572616e6365";
+ nonce = "0x0";
+ parentHash = "0x0000000000000000000000000000000000000000000000000000000000000000";
+ timestamp = "0x00";
+ }'';
+ description = "Blockchain genesis settings.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.quorum ];
+ systemd.tmpfiles.rules = [
+ "d '${dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -"
+ ];
+ systemd.services.quorum = {
+ description = "Quorum daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ PRIVATE_CONFIG = "${cfg.privateconfig}";
+ };
+ preStart = ''
+ if [ ! -d ${dataDir}/geth ]; then
+ if [ ! -d ${dataDir}/keystore ]; then
+ echo ERROR: You need to create a wallet before initializing your genesis file, run:
+ echo # su -s /bin/sh - quorum
+ echo $ geth --datadir ${dataDir} account new
+ echo and configure your genesis file accordingly.
+ exit 1;
+ fi
+ ln -s ${staticNodesFile} ${dataDir}/static-nodes.json
+ ${pkgs.quorum}/bin/geth --datadir ${dataDir} init ${genesisFile}
+ fi
+ '';
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ ExecStart = ''${pkgs.quorum}/bin/geth \
+ --nodiscover \
+ --verbosity 5 \
+ --nodekey ${cfg.nodekeyFile} \
+ --istanbul.blockperiod ${toString cfg.blockperiod} \
+ --syncmode ${cfg.syncmode} \
+ ${optionalString (cfg.permissioned)
+ "--permissioned"} \
+ --mine --minerthreads 1 \
+ ${optionalString (cfg.rpc.enable)
+ "--rpc --rpcaddr ${cfg.rpc.address} --rpcport ${toString cfg.rpc.port} --rpcapi ${cfg.rpc.api}"} \
+ ${optionalString (cfg.ws.enable)
+ "--ws --wsaddr ${cfg.ws.address} --wsport ${toString cfg.ws.port} --wsapi ${cfg.ws.api} --wsorigins ${cfg.ws.origins}"} \
+ --emitcheckpoints \
+ --datadir ${dataDir} \
+ --port ${toString cfg.port}'';
+ Restart = "on-failure";
+
+ # Hardening measures
+ PrivateTmp = "true";
+ ProtectSystem = "full";
+ NoNewPrivileges = "true";
+ PrivateDevices = "true";
+ MemoryDenyWriteExecute = "true";
+ };
+ };
+ users.users.${cfg.user} = {
+ name = cfg.user;
+ group = cfg.group;
+ description = "Quorum daemon user";
+ home = dataDir;
+ isSystemUser = true;
+ };
+ users.groups.${cfg.group} = {};
+ };
+}
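Review bot: The `rpc` and `ws` option defaults expose the node's management APIs on every address: both interfaces are enabled by default, both listen on `0.0.0.0`, the default API lists include `admin`, `personal`, `debug` and `miner`, and `ws.origins` defaults to `*`. The module configures no authentication in front of them, so anyone who can reach ports 22004 or 8546 could call account and node-administration methods on a node that is also started with `--mine`. Safer defaults would be `default = "127.0.0.1";` for both `address` options and a narrower list such as `default = "eth,net,web3";` for both `api` options, with the descriptions saying that widening either is an explicit choice. The string options are also interpolated unquoted into `ExecStart`, so a space in `rpc.api` or `ws.origins` splits into extra arguments; `lib.escapeShellArg` or a stricter option type would prevent that. In `preStart`, `echo # su -s /bin/sh - quorum` prints an empty line because the shell treats `#` as the start of a comment, so that hint needs quoting.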
diff --git a/nixpkgs/nixos/modules/services/networking/resilio.nix b/nixpkgs/nixos/modules/services/networking/resilio.nix
index 9b25aa57583..e74e03fc0b0 100644
--- a/nixpkgs/nixos/modules/services/networking/resilio.nix
+++ b/nixpkgs/nixos/modules/services/networking/resilio.nix
@@ -244,7 +244,7 @@ in
group = "rslsync";
};
- users.groups = [ { name = "rslsync"; } ];
+ users.groups.rslsync = {};
systemd.services.resilio = with pkgs; {
description = "Resilio Sync Service";
diff --git a/nixpkgs/nixos/modules/services/networking/rxe.nix b/nixpkgs/nixos/modules/services/networking/rxe.nix
index a6a069ec50c..c7d174a00de 100644
--- a/nixpkgs/nixos/modules/services/networking/rxe.nix
+++ b/nixpkgs/nixos/modules/services/networking/rxe.nix
@@ -5,20 +5,6 @@ with lib;
let
cfg = config.networking.rxe;
- runRxeCmd = cmd: ifcs:
- concatStrings ( map (x: "${pkgs.rdma-core}/bin/rxe_cfg -n ${cmd} ${x};") ifcs);
-
- startScript = pkgs.writeShellScriptBin "rxe-start" ''
- ${pkgs.rdma-core}/bin/rxe_cfg -n start
- ${runRxeCmd "add" cfg.interfaces}
- ${pkgs.rdma-core}/bin/rxe_cfg
- '';
-
- stopScript = pkgs.writeShellScriptBin "rxe-stop" ''
- ${runRxeCmd "remove" cfg.interfaces }
- ${pkgs.rdma-core}/bin/rxe_cfg -n stop
- '';
-
in {
###### interface
@@ -31,9 +17,8 @@ in {
example = [ "eth0" ];
description = ''
Enable RDMA on the listed interfaces. The corresponding virtual
- RDMA interfaces will be named rxe0 ... rxeN where the ordering
- will be as they are named in the list. UDP port 4791 must be
- open on the respective ethernet interfaces.
+ RDMA interfaces will be named rxe_&lt;interface&gt;.
+ UDP port 4791 must be open on the respective ethernet interfaces.
'';
};
};
@@ -44,7 +29,6 @@ in {
config = mkIf cfg.enable {
systemd.services.rxe = {
- path = with pkgs; [ kmod rdma-core ];
description = "RoCE interfaces";
wantedBy = [ "multi-user.target" ];
@@ -54,8 +38,13 @@ in {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
- ExecStart = "${startScript}/bin/rxe-start";
- ExecStop = "${stopScript}/bin/rxe-stop";
+ ExecStart = map ( x:
+ "${pkgs.iproute}/bin/rdma link add rxe_${x} type rxe netdev ${x}"
+ ) cfg.interfaces;
+
+ ExecStop = map ( x:
+ "${pkgs.iproute}/bin/rdma link delete rxe_${x}"
+ ) cfg.interfaces;
};
};
};
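Review bot: The new `ExecStop` list stops at the first failing command, so if one `rdma link delete rxe_${x}` fails (for example because that link is already gone), the remaining RXE links would stay up after the unit is stopped. Prefixing the command with `-`, i.e. `"-${pkgs.iproute}/bin/rdma link delete rxe_${x}"`, lets systemd continue with the other interfaces. The interface names are also placed unquoted into both command lines; whether `cfg.interfaces` is restricted to valid interface names depends on the option type, which is outside this hunk.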
diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
index 464e9ed38c4..17f31e3a488 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
@@ -9,8 +9,8 @@ let
# This middle-ground solution ensures *an* sshd can do their basic validation
# on the configuration.
validationPackage = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform
- then [ cfgc.package ]
- else [ pkgs.buildPackages.openssh ];
+ then cfgc.package
+ else pkgs.buildPackages.openssh;
sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } ''
cat >$out <<EOL
diff --git a/nixpkgs/nixos/modules/services/networking/strongswan.nix b/nixpkgs/nixos/modules/services/networking/strongswan.nix
index 4ff9c486059..13a1a897c5e 100644
--- a/nixpkgs/nixos/modules/services/networking/strongswan.nix
+++ b/nixpkgs/nixos/modules/services/networking/strongswan.nix
@@ -4,7 +4,7 @@ let
inherit (builtins) toFile;
inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
- mkIf mkEnableOption mkOption types;
+ mkIf mkEnableOption mkOption types literalExample;
cfg = config.services.strongswan;
@@ -79,19 +79,21 @@ in
connections = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = {};
- example = {
- "%default" = {
- keyexchange = "ikev2";
- keyingtries = "1";
- };
- roadwarrior = {
- auto = "add";
- leftcert = "/run/keys/moonCert.pem";
- leftid = "@moon.strongswan.org";
- leftsubnet = "10.1.0.0/16";
- right = "%any";
- };
- };
+ example = literalExample ''
+ {
+ "%default" = {
+ keyexchange = "ikev2";
+ keyingtries = "1";
+ };
+ roadwarrior = {
+ auto = "add";
+ leftcert = "/run/keys/moonCert.pem";
+ leftid = "@moon.strongswan.org";
+ leftsubnet = "10.1.0.0/16";
+ right = "%any";
+ };
+ }
+ '';
description = ''
A set of connections and their options for the ‘conn xxx’
sections of the <filename>ipsec.conf</filename> file.
diff --git a/nixpkgs/nixos/modules/services/networking/supplicant.nix b/nixpkgs/nixos/modules/services/networking/supplicant.nix
index 35c1e649e2e..b5b9989ce18 100644
--- a/nixpkgs/nixos/modules/services/networking/supplicant.nix
+++ b/nixpkgs/nixos/modules/services/networking/supplicant.nix
@@ -39,8 +39,6 @@ let
bindsTo = deps;
after = deps;
before = [ "network.target" ];
- # Receive restart event after resume
- partOf = [ "post-resume.target" ];
path = [ pkgs.coreutils ];
diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix
index 5b3eb6f04b4..e717d78feed 100644
--- a/nixpkgs/nixos/modules/services/networking/syncthing.nix
+++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix
@@ -169,12 +169,14 @@ in {
description = ''
folders which should be shared by syncthing.
'';
- example = {
- "/home/user/sync" = {
- id = "syncme";
- devices = [ "bigbox" ];
- };
- };
+ example = literalExample ''
+ {
+ "/home/user/sync" = {
+ id = "syncme";
+ devices = [ "bigbox" ];
+ };
+ }
+ '';
type = types.attrsOf (types.submodule ({ name, ... }: {
options = {
diff --git a/nixpkgs/nixos/modules/services/networking/wg-quick.nix b/nixpkgs/nixos/modules/services/networking/wg-quick.nix
index b770d47d269..ff1bdeed9f4 100644
--- a/nixpkgs/nixos/modules/services/networking/wg-quick.nix
+++ b/nixpkgs/nixos/modules/services/networking/wg-quick.nix
@@ -302,7 +302,7 @@ in {
###### implementation
config = mkIf (cfg.interfaces != {}) {
- boot.extraModulePackages = [ kernel.wireguard ];
+ boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
environment.systemPackages = [ pkgs.wireguard-tools ];
# This is forced to false for now because the default "--validmark" rpfilter we apply on reverse path filtering
# breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
diff --git a/nixpkgs/nixos/modules/services/scheduling/atd.nix b/nixpkgs/nixos/modules/services/scheduling/atd.nix
index 93ed9231d3c..cefe72b0e99 100644
--- a/nixpkgs/nixos/modules/services/scheduling/atd.nix
+++ b/nixpkgs/nixos/modules/services/scheduling/atd.nix
@@ -67,8 +67,6 @@ in
systemd.services.atd = {
description = "Job Execution Daemon (atd)";
- after = [ "systemd-udev-settle.service" ];
- wants = [ "systemd-udev-settle.service" ];
wantedBy = [ "multi-user.target" ];
path = [ at ];
diff --git a/nixpkgs/nixos/modules/services/security/fail2ban.nix b/nixpkgs/nixos/modules/services/security/fail2ban.nix
index cb748c93d24..3f84f9c2560 100644
--- a/nixpkgs/nixos/modules/services/security/fail2ban.nix
+++ b/nixpkgs/nixos/modules/services/security/fail2ban.nix
@@ -216,6 +216,10 @@ in
config = mkIf cfg.enable {
+ warnings = mkIf (config.networking.firewall.enable == false && config.networking.nftables.enable == false) [
+ "fail2ban can not be used without a firewall"
+ ];
+
environment.systemPackages = [ cfg.package ];
environment.etc = {
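Review bot: The added `warnings` entry says fail2ban "can not be used" without a firewall, yet a warning still lets the configuration build and the service start, in which case bans would presumably never be enforced while the logs suggest protection is active. If that combination is really unsupported, an entry in `assertions` would stop the build instead. If it stays a warning, the text should name the options to set, e.g. `"fail2ban needs networking.firewall.enable or networking.nftables.enable to enforce bans"`. The condition also reads more plainly as `!config.networking.firewall.enable && !config.networking.nftables.enable`.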
diff --git a/nixpkgs/nixos/modules/services/web-apps/documize.nix b/nixpkgs/nixos/modules/services/web-apps/documize.nix
index 1b90299aa23..a5f48e744fd 100644
--- a/nixpkgs/nixos/modules/services/web-apps/documize.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/documize.nix
@@ -130,7 +130,7 @@ in {
config = mkIf cfg.enable {
systemd.services.documize-server = {
description = "Documize Wiki";
- documentation = [ https://documize.com/ ];
+ documentation = [ "https://documize.com/" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
diff --git a/nixpkgs/nixos/modules/services/web-apps/gerrit.nix b/nixpkgs/nixos/modules/services/web-apps/gerrit.nix
new file mode 100644
index 00000000000..b184c0754d4
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/web-apps/gerrit.nix
@@ -0,0 +1,218 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.gerrit;
+
+ # NixOS option type for git-like configs
+ gitIniType = with types;
+ let
+ primitiveType = either str (either bool int);
+ multipleType = either primitiveType (listOf primitiveType);
+ sectionType = lazyAttrsOf multipleType;
+ supersectionType = lazyAttrsOf (either multipleType sectionType);
+ in lazyAttrsOf supersectionType;
+
+ gerritConfig = pkgs.writeText "gerrit.conf" (
+ lib.generators.toGitINI cfg.settings
+ );
+
+ # Wrap the gerrit java with all the java options so it can be called
+ # like a normal CLI app
+ gerrit-cli = pkgs.writeShellScriptBin "gerrit" ''
+ set -euo pipefail
+ jvmOpts=(
+ ${lib.escapeShellArgs cfg.jvmOpts}
+ -Xmx${cfg.jvmHeapLimit}
+ )
+ exec ${cfg.jvmPackage}/bin/java \
+ "''${jvmOpts[@]}" \
+ -jar ${cfg.package}/webapps/${cfg.package.name}.war \
+ "$@"
+ '';
+
+ gerrit-plugins = pkgs.runCommand
+ "gerrit-plugins"
+ {
+ buildInputs = [ gerrit-cli ];
+ }
+ ''
+ shopt -s nullglob
+ mkdir $out
+
+ for name in ${toString cfg.builtinPlugins}; do
+ echo "Installing builtin plugin $name.jar"
+ gerrit cat plugins/$name.jar > $out/$name.jar
+ done
+
+ for file in ${toString cfg.plugins}; do
+ name=$(echo "$file" | cut -d - -f 2-)
+ echo "Installing plugin $name"
+ ln -sf "$file" $out/$name
+ done
+ '';
+in
+{
+ options = {
+ services.gerrit = {
+ enable = mkEnableOption "Gerrit service";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.gerrit;
+ description = "Gerrit package to use";
+ };
+
+ jvmPackage = mkOption {
+ type = types.package;
+ default = pkgs.jre_headless;
+ defaultText = "pkgs.jre_headless";
+ description = "Java Runtime Environment package to use";
+ };
+
+ jvmOpts = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
+ "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
+ ];
+ description = "A list of JVM options to start gerrit with.";
+ };
+
+ jvmHeapLimit = mkOption {
+ type = types.str;
+ default = "1024m";
+ description = ''
+ How much memory to allocate to the JVM heap
+ '';
+ };
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = "[::]:8080";
+ description = ''
+ <literal>hostname:port</literal> to listen for HTTP traffic.
+
+ This is bound using the systemd socket activation.
+ '';
+ };
+
+ settings = mkOption {
+ type = gitIniType;
+ default = {};
+ description = ''
+ Gerrit configuration. This will be generated to the
+ <literal>etc/gerrit.config</literal> file.
+ '';
+ };
+
+ plugins = mkOption {
+ type = types.listOf types.package;
+ default = [];
+ description = ''
+ List of plugins to add to Gerrit. Each derivation is a jar file
+ itself where the name of the derivation is the name of plugin.
+ '';
+ };
+
+ builtinPlugins = mkOption {
+ type = types.listOf (types.enum cfg.package.passthru.plugins);
+ default = [];
+ description = ''
+ List of builtins plugins to install. Those are shipped in the
+ <literal>gerrit.war</literal> file.
+ '';
+ };
+
+ serverId = mkOption {
+ type = types.str;
+ description = ''
+ Set a UUID that uniquely identifies the server.
+
+ This can be generated with
+ <literal>nix-shell -p utillinux --run uuidgen</literal>.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ services.gerrit.settings = {
+ cache.directory = "/var/cache/gerrit";
+ container.heapLimit = cfg.jvmHeapLimit;
+ gerrit.basePath = lib.mkDefault "git";
+ gerrit.serverId = cfg.serverId;
+ httpd.inheritChannel = "true";
+ httpd.listenUrl = lib.mkDefault "http://${cfg.listenAddress}";
+ index.type = lib.mkDefault "lucene";
+ };
+
+ # Add the gerrit CLI to the system to run `gerrit init` and friends.
+ environment.systemPackages = [ gerrit-cli ];
+
+ systemd.sockets.gerrit = {
+ unitConfig.Description = "Gerrit HTTP socket";
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ cfg.listenAddress ];
+ };
+
+ systemd.services.gerrit = {
+ description = "Gerrit";
+
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "gerrit.socket" ];
+ after = [ "gerrit.socket" "network.target" ];
+
+ path = [
+ gerrit-cli
+ pkgs.bash
+ pkgs.coreutils
+ pkgs.git
+ pkgs.openssh
+ ];
+
+ environment = {
+ GERRIT_HOME = "%S/gerrit";
+ GERRIT_TMP = "%T";
+ HOME = "%S/gerrit";
+ XDG_CONFIG_HOME = "%S/gerrit/.config";
+ };
+
+ preStart = ''
+ set -euo pipefail
+
+ # bootstrap if nothing exists
+ if [[ ! -d git ]]; then
+ gerrit init --batch --no-auto-start
+ fi
+
+ # install gerrit.war for the plugin manager
+ rm -rf bin
+ mkdir bin
+ ln -sfv ${cfg.package}/webapps/${cfg.package.name}.war bin/gerrit.war
+
+ # copy the config, keep it mutable because Gerrit
+ ln -sfv ${gerritConfig} etc/gerrit.config
+
+ # install the plugins
+ rm -rf plugins
+ ln -sv ${gerrit-plugins} plugins
+ ''
+ ;
+
+ serviceConfig = {
+ CacheDirectory = "gerrit";
+ DynamicUser = true;
+ ExecStart = "${gerrit-cli}/bin/gerrit daemon --console-log";
+ LimitNOFILE = 4096;
+ StandardInput = "socket";
+ StandardOutput = "journal";
+ StateDirectory = "gerrit";
+ WorkingDirectory = "%S/gerrit";
+ };
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [ edef zimbatm ];
+}
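Review bot: `gerritConfig` is written with `pkgs.writeText`, so everything placed in `services.gerrit.settings` ends up in the world-readable Nix store, and the `settings` description does not warn about that. I would add a sentence to the description such as `Do not put passwords or other secrets here; the generated file lives in the Nix store. Keep them in etc/secure.config under the state directory instead.` The `preStart` comment `# copy the config, keep it mutable because Gerrit` is unfinished and does not match the code, which symlinks a read-only store file with `ln -sfv`; something like `# link the generated, read-only config from the Nix store` would describe what happens. `listenAddress` defaults to `[::]:8080`, which binds all addresses, and that is worth stating in its description as well.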
diff --git a/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix b/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix
index 0fee64be0bb..dc7abce2a5c 100644
--- a/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix
@@ -299,5 +299,5 @@ in
])));
};
- meta.maintainers = with lib.maintainers; [ b42 ];
+ meta.maintainers = with lib.maintainers; [ mmilata ];
}
diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
index 912e05d6d40..5f6f2bc7a16 100644
--- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
@@ -6,31 +6,32 @@ let
cfg = config.services.nextcloud;
fpm = config.services.phpfpm.pools.nextcloud;
- phpPackage = pkgs.php73;
- phpPackages = pkgs.php73Packages;
+ phpPackage =
+ let
+ base = pkgs.php74;
+ in
+ base.buildEnv {
+ extensions = e: with e;
+ base.enabledExtensions ++ [
+ apcu redis memcached imagick
+ ];
+ extraConfig = phpOptionsStr;
+ };
toKeyValue = generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault {} " = ";
};
- phpOptionsExtensions = ''
- ${optionalString cfg.caching.apcu "extension=${phpPackages.apcu}/lib/php/extensions/apcu.so"}
- ${optionalString cfg.caching.redis "extension=${phpPackages.redis}/lib/php/extensions/redis.so"}
- ${optionalString cfg.caching.memcached "extension=${phpPackages.memcached}/lib/php/extensions/memcached.so"}
- extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
- zend_extension = opcache.so
- opcache.enable = 1
- '';
phpOptions = {
upload_max_filesize = cfg.maxUploadSize;
post_max_size = cfg.maxUploadSize;
memory_limit = cfg.maxUploadSize;
} // cfg.phpOptions;
- phpOptionsStr = phpOptionsExtensions + (toKeyValue phpOptions);
+ phpOptionsStr = toKeyValue phpOptions;
occ = pkgs.writeScriptBin "nextcloud-occ" ''
- #! ${pkgs.stdenv.shell}
- cd ${pkgs.nextcloud}
+ #! ${pkgs.runtimeShell}
+ cd ${cfg.package}
sudo=exec
if [[ "$USER" != nextcloud ]]; then
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR'
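Review bot: The new `phpPackage` loads `apcu`, `redis` and `memcached` unconditionally, whereas the removed `phpOptionsExtensions` loaded each one only when the matching `cfg.caching.*` option was set. To keep unused extensions out of the PHP runtime, the list could stay conditional: `base.enabledExtensions ++ optional cfg.caching.apcu apcu ++ optional cfg.caching.redis redis ++ optional cfg.caching.memcached memcached ++ [ imagick ]`. The removed block also set `zend_extension = opcache.so` and `opcache.enable = 1`; I assume `base.enabledExtensions` now covers opcache, but that is not visible in this hunk and is worth confirming. The `let` block continues outside the hunk.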
@@ -38,10 +39,11 @@ let
export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
$sudo \
${phpPackage}/bin/php \
- -c ${pkgs.writeText "php.ini" phpOptionsStr}\
occ $*
'';
+ inherit (config.system) stateVersion;
+
in {
options.services.nextcloud = {
enable = mkEnableOption "nextcloud";
@@ -64,6 +66,11 @@ in {
default = false;
description = "Use https for generated links.";
};
+ package = mkOption {
+ type = types.package;
+ description = "Which package to use for the Nextcloud instance.";
+ relatedPackages = [ "nextcloud17" "nextcloud18" ];
+ };
maxUploadSize = mkOption {
default = "512M";
@@ -309,10 +316,40 @@ in {
}
];
- warnings = optional (cfg.poolConfig != null) ''
- Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
- Please migrate your configuration to config.services.nextcloud.poolSettings.
- '';
+ warnings = []
+ ++ (optional (cfg.poolConfig != null) ''
+ Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
+ Please migrate your configuration to config.services.nextcloud.poolSettings.
+ '')
+ ++ (optional (versionOlder cfg.package.version "18") ''
+ A legacy Nextcloud install (from before NixOS 20.03) may be installed.
+
+ You're currently deploying an older version of Nextcloud. This may be needed
+ since Nextcloud doesn't allow major version upgrades that skip multiple
+ versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18).
+
+ It is assumed that Nextcloud will be upgraded from version 16 to 17.
+
+ * If this is a fresh install, there will be no upgrade to do now.
+
+ * If this server already had Nextcloud installed, first deploy this to your
+ server, and wait until the upgrade to 17 is finished.
+
+ Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to
+ Nextcloud version 18.
+ '');
+
+ services.nextcloud.package = with pkgs;
+ mkDefault (
+ if pkgs ? nextcloud
+ then throw ''
+ The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default
+ nextcloud defined in an overlay, please set `services.nextcloud.package` to
+ `pkgs.nextcloud`.
+ ''
+ else if versionOlder stateVersion "20.03" then nextcloud17
+ else nextcloud18
+ );
}
{ systemd.timers.nextcloud-cron = {
@@ -407,7 +444,7 @@ in {
path = [ occ ];
script = ''
chmod og+x ${cfg.home}
- ln -sf ${pkgs.nextcloud}/apps ${cfg.home}/
+ ln -sf ${cfg.package}/apps ${cfg.home}/
mkdir -p ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
@@ -429,7 +466,7 @@ in {
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
serviceConfig.Type = "oneshot";
serviceConfig.User = "nextcloud";
- serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${pkgs.nextcloud}/cron.php";
+ serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
};
nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
serviceConfig.Type = "oneshot";
@@ -471,7 +508,7 @@ in {
enable = true;
virtualHosts = {
${cfg.hostName} = {
- root = pkgs.nextcloud;
+ root = cfg.package;
locations = {
"= /robots.txt" = {
priority = 100;
@@ -537,7 +574,7 @@ in {
add_header Referrer-Policy no-referrer;
access_log off;
'';
- "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = ''
+ "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
try_files $uri /index.php$request_uri;
access_log off;
'';
diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.xml b/nixpkgs/nixos/modules/services/web-apps/nextcloud.xml
index d66e0f0c299..fc454f8ba25 100644
--- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.xml
+++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.xml
@@ -113,5 +113,53 @@
maintenance:install</literal>! This command tries to install the application
and can cause unwanted side-effects!</para>
</warning>
+
+ <para>
+ Nextcloud doesn't allow to move more than one major-version forward. If you're e.g. on
+ <literal>v16</literal>, you cannot upgrade to <literal>v18</literal>, you need to upgrade to
+ <literal>v17</literal> first. This is ensured automatically as long as the
+ <link linkend="opt-system.stateVersion">stateVersion</link> is declared properly. In that case
+ the oldest version available (one major behind the one from the previous NixOS
+ release) will be selected by default and the module will generate a warning that reminds
+ the user to upgrade to latest Nextcloud <emphasis>after</emphasis> that deploy.
+ </para>
+ </section>
+
+ <section xml:id="module-services-nextcloud-maintainer-info">
+ <title>Maintainer information</title>
+
+ <para>
+ As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud
+ since it cannot move more than one major version forward on a single upgrade. This chapter
+ adds some notes how Nextcloud updates should be rolled out in the future.
+ </para>
+
+ <para>
+ While minor and patch-level updates are no problem and can be done directly in the
+ package-expression (and should be backported to supported stable branches after that),
+ major-releases should be added in a new attribute (e.g. Nextcloud <literal>v19.0.0</literal>
+ should be available in <literal>nixpkgs</literal> as <literal>pkgs.nextcloud19</literal>).
+ To provide simple upgrade paths it's generally useful to backport those as well to stable
+ branches. As long as the package-default isn't altered, this won't break existing setups.
+ After that, the versioning-warning in the <literal>nextcloud</literal>-module should be
+ updated to make sure that the
+ <link linkend="opt-services.nextcloud.package">package</link>-option selects the latest version
+ on fresh setups.
+ </para>
+
+ <para>
+ If major-releases will be abandoned by upstream, we should check first if those are needed
+ in NixOS for a safe upgrade-path before removing those. In that case we shold keep those
+ packages, but mark them as insecure in an expression like this (in
+ <literal>&lt;nixpkgs/pkgs/servers/nextcloud/default.nix&gt;</literal>):
+<programlisting>/* ... */
+{
+ nextcloud17 = generic {
+ version = "17.0.x";
+ sha256 = "0000000000000000000000000000000000000000000000000000";
+ insecure = true;
+ };
+}</programlisting>
+ </para>
</section>
</chapter>
diff --git a/nixpkgs/nixos/modules/services/web-apps/youtrack.nix b/nixpkgs/nixos/modules/services/web-apps/youtrack.nix
index 830edac20ba..b4d653d2d77 100644
--- a/nixpkgs/nixos/modules/services/web-apps/youtrack.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/youtrack.nix
@@ -46,9 +46,11 @@ in
https://www.jetbrains.com/help/youtrack/standalone/YouTrack-Java-Start-Parameters.html
for more information.
'';
- example = {
- "jetbrains.youtrack.overrideRootPassword" = "tortuga";
- };
+ example = literalExample ''
+ {
+ "jetbrains.youtrack.overrideRootPassword" = "tortuga";
+ }
+ '';
type = types.attrsOf types.str;
};
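Review bot: The example still shows `jetbrains.youtrack.overrideRootPassword` set to a literal password, and wrapping it in `literalExample` makes it easier to copy into a real configuration. Values of an `attrsOf str` option are evaluated into the system closure, so a password set this way presumably ends up in the world-readable Nix store and, if these values are passed as Java start parameters, on the process command line. I would add a sentence to the description such as `Values set here are stored in the Nix store and are readable by all local users; do not use this option for long-lived secrets.` The option's definition begins outside the hunk.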
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
index 263980add8b..2e806afb42c 100644
--- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
@@ -220,7 +220,7 @@ in
globalRedirect = mkOption {
type = types.nullOr types.str;
default = null;
- example = http://newserver.example.org/;
+ example = "http://newserver.example.org/";
description = ''
If set, all requests for this host are redirected permanently to
the given URL.
diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
index 28b433104a1..8d49dc66eb1 100644
--- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
@@ -46,6 +46,15 @@ let
}
''));
+ commonHttpConfig = ''
+ # The mime type definitions included with nginx are very incomplete, so
+ # we use a list of mime types from the mailcap package, which is also
+ # used by most other Linux distributions by default.
+ include ${pkgs.mailcap}/etc/nginx/mime.types;
+ include ${cfg.package}/conf/fastcgi.conf;
+ include ${cfg.package}/conf/uwsgi_params;
+ '';
+
configFile = pkgs.writers.writeNginxConfig "nginx.conf" ''
pid /run/nginx/nginx.pid;
error_log ${cfg.logError};
@@ -61,12 +70,7 @@ let
${optionalString (cfg.httpConfig == "" && cfg.config == "") ''
http {
- # The mime type definitions included with nginx are very incomplete, so
- # we use a list of mime types from the mailcap package, which is also
- # used by most other Linux distributions by default.
- include ${pkgs.mailcap}/etc/nginx/mime.types;
- include ${cfg.package}/conf/fastcgi.conf;
- include ${cfg.package}/conf/uwsgi_params;
+ ${commonHttpConfig}
${optionalString (cfg.resolver.addresses != []) ''
resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
@@ -79,7 +83,7 @@ let
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
- types_hash_max_size 2048;
+ types_hash_max_size 4096;
''}
ssl_protocols ${cfg.sslProtocols};
@@ -172,9 +176,7 @@ let
${optionalString (cfg.httpConfig != "") ''
http {
- include ${cfg.package}/conf/mime.types;
- include ${cfg.package}/conf/fastcgi.conf;
- include ${cfg.package}/conf/uwsgi_params;
+ ${commonHttpConfig}
${cfg.httpConfig}
}''}
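Review bot: The `httpConfig` branch now pulls in the mailcap `mime.types` through `${commonHttpConfig}`, but the matching `types_hash_max_size 4096;` bump is only made in the other `http` block, and there it appears to sit inside an optional section. Users who set `httpConfig` get the larger type list with nginx's default hash size unless they set the directive themselves, which may produce a types_hash warning at startup. Either move `types_hash_max_size 4096;` into `commonHttpConfig` or mention the directive in the `httpConfig` description. The change also swaps the MIME list for existing `httpConfig` users, which deserves a release-note line.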
diff --git a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
index 2c73da10394..3db19c781d0 100644
--- a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -47,6 +47,7 @@ let
Path to the unix socket file on which to accept FastCGI requests.
<note><para>This option is read-only and managed by NixOS.</para></note>
'';
+ example = "${runtimeDir}/<name>.sock";
};
listen = mkOption {
diff --git a/nixpkgs/nixos/modules/services/web-servers/traefik.nix b/nixpkgs/nixos/modules/services/web-servers/traefik.nix
index 5b0fc467ea4..4ab7307c3b6 100644
--- a/nixpkgs/nixos/modules/services/web-servers/traefik.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/traefik.nix
@@ -4,56 +4,102 @@ with lib;
let
cfg = config.services.traefik;
- configFile =
- if cfg.configFile == null then
- pkgs.runCommand "config.toml" {
- buildInputs = [ pkgs.remarshal ];
- preferLocalBuild = true;
- } ''
- remarshal -if json -of toml \
- < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
- > $out
- ''
- else cfg.configFile;
-
+ jsonValue = with types;
+ let
+ valueType = nullOr (oneOf [
+ bool
+ int
+ float
+ str
+ (lazyAttrsOf valueType)
+ (listOf valueType)
+ ]) // {
+ description = "JSON value";
+ emptyValue.value = { };
+ };
+ in valueType;
+ dynamicConfigFile = if cfg.dynamicConfigFile == null then
+ pkgs.runCommand "config.toml" {
+ buildInputs = [ pkgs.remarshal ];
+ preferLocalBuild = true;
+ } ''
+ remarshal -if json -of toml \
+ < ${
+ pkgs.writeText "dynamic_config.json"
+ (builtins.toJSON cfg.dynamicConfigOptions)
+ } \
+ > $out
+ ''
+ else
+ cfg.dynamicConfigFile;
+ staticConfigFile = if cfg.staticConfigFile == null then
+ pkgs.runCommand "config.toml" {
+ buildInputs = [ pkgs.yj ];
+ preferLocalBuild = true;
+ } ''
+ yj -jt -i \
+ < ${
+ pkgs.writeText "static_config.json" (builtins.toJSON
+ (recursiveUpdate cfg.staticConfigOptions {
+ providers.file.filename = "${dynamicConfigFile}";
+ }))
+ } \
+ > $out
+ ''
+ else
+ cfg.staticConfigFile;
in {
options.services.traefik = {
enable = mkEnableOption "Traefik web server";
- configFile = mkOption {
+ staticConfigFile = mkOption {
default = null;
- example = literalExample "/path/to/config.toml";
+ example = literalExample "/path/to/static_config.toml";
type = types.nullOr types.path;
description = ''
- Path to verbatim traefik.toml to use.
- (Using that option has precedence over <literal>configOptions</literal>)
+ Path to traefik's static configuration to use.
+ (Using that option has precedence over <literal>staticConfigOptions</literal> and <literal>dynamicConfigOptions</literal>)
'';
};
- configOptions = mkOption {
+ staticConfigOptions = mkOption {
description = ''
- Config for Traefik.
+ Static configuration for Traefik.
'';
- type = types.attrs;
- default = {
- defaultEntryPoints = ["http"];
- entryPoints.http.address = ":80";
- };
+ type = jsonValue;
+ default = { entryPoints.http.address = ":80"; };
example = {
- defaultEntrypoints = [ "http" ];
- web.address = ":8080";
+ entryPoints.web.address = ":8080";
entryPoints.http.address = ":80";
- file = {};
- frontends = {
- frontend1 = {
- backend = "backend1";
- routes.test_1.rule = "Host:localhost";
- };
- };
- backends.backend1 = {
- servers.server1.url = "http://localhost:8000";
+ api = { };
+ };
+ };
+
+ dynamicConfigFile = mkOption {
+ default = null;
+ example = literalExample "/path/to/dynamic_config.toml";
+ type = types.nullOr types.path;
+ description = ''
+ Path to traefik's dynamic configuration to use.
+ (Using that option has precedence over <literal>dynamicConfigOptions</literal>)
+ '';
+ };
+
+ dynamicConfigOptions = mkOption {
+ description = ''
+ Dynamic configuration for Traefik.
+ '';
+ type = jsonValue;
+ default = { };
+ example = {
+ http.routers.router1 = {
+ rule = "Host(`localhost`)";
+ service = "service1";
};
+
+ http.services.service1.loadBalancer.servers =
+ [{ url = "http://localhost:8080"; }];
};
};
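Review bot: Everything in `staticConfigOptions` and `dynamicConfigOptions` is serialised with `pkgs.writeText` and `pkgs.runCommand`, so it lands in the Nix store, which every local user can read. Traefik configuration can carry sensitive values, so both option descriptions should say `Values are written to the world-readable Nix store; keep secrets in a file referenced by dynamicConfigFile instead.` The `literalExample "/path/to/static_config.toml"` examples render as unquoted Nix paths, and a path literal interpolated into `ExecStart` is copied into the store as well, so the examples should show a quoted string. Separately, `configFile` and `configOptions` are removed with no `mkRemovedOptionModule` in any visible hunk, so existing configurations would fail with a generic unknown-option error.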
@@ -61,7 +107,7 @@ in {
default = "/var/lib/traefik";
type = types.path;
description = ''
- Location for any persistent data traefik creates, ie. acme
+ Location for any persistent data traefik creates, ie. acme
'';
};
@@ -84,16 +130,15 @@ in {
};
config = mkIf cfg.enable {
- systemd.tmpfiles.rules = [
- "d '${cfg.dataDir}' 0700 traefik traefik - -"
- ];
+ systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 traefik traefik - -" ];
systemd.services.traefik = {
description = "Traefik web server";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- ExecStart = ''${cfg.package.bin}/bin/traefik --configfile=${configFile}'';
+ ExecStart =
+ "${cfg.package}/bin/traefik --configfile=${staticConfigFile}";
Type = "simple";
User = "traefik";
Group = cfg.group;
@@ -120,6 +165,6 @@ in {
isSystemUser = true;
};
- users.groups.traefik = {};
+ users.groups.traefik = { };
};
}
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index 26b662a2a64..32c9a40e535 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -38,7 +38,7 @@ in
pkgs.gtk2 # To get GTK's themes.
pkgs.tango-icon-theme
- pkgs.gnome2.gnome_icon_theme
+ pkgs.gnome-icon-theme
pkgs.xorg.xcursorthemes
];
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 5756cf14ed9..ac8e70c52bc 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -57,6 +57,10 @@ in
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
options = {
services.gnome3 = {
@@ -180,7 +184,7 @@ in
wmCommand = "${pkgs.gnome3.metacity}/bin/metacity";
} ++ cfg.flashback.customSessions);
- security.pam.services.gnome-screensaver = {
+ security.pam.services.gnome-flashback = {
enableGnomeKeyring = true;
};
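Review bot: The PAM service is renamed from `gnome-screensaver` to `gnome-flashback` without a comment explaining which program opens it. The screen unlock only works when this name matches the service name the locker passes to PAM, so this is worth stating next to the definition, for example `# gnome-flashback's built-in screensaver authenticates against this PAM service (assumed; confirm against the packaged version)`. It would also help to confirm that nothing still installed by this module expects the old `gnome-screensaver` service name.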
@@ -191,9 +195,10 @@ in
inherit (wm) wmName;
}) cfg.flashback.customSessions);
- services.dbus.packages = [
- pkgs.gnome3.gnome-screensaver
- ];
+ # gnome-panel needs these for menu applet
+ environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.gnome3.gnome-flashback}/share" ];
+ # TODO: switch to sessionVariables (resolve conflict)
+ environment.variables.XDG_CONFIG_DIRS = [ "${pkgs.gnome3.gnome-flashback}/etc/xdg" ];
})
(mkIf serviceCfg.core-os-services.enable {
@@ -252,7 +257,6 @@ in
systemd.packages = with pkgs.gnome3; [
gnome-session
gnome-shell
- vino
];
services.avahi.enable = mkDefault true;
@@ -304,7 +308,7 @@ in
environment = mkForce {};
};
- # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-shell.bst
+ # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-36/elements/core/meta-gnome-core-shell.bst
environment.systemPackages = with pkgs.gnome3; [
adwaita-icon-theme
gnome-backgrounds
@@ -323,11 +327,10 @@ in
pkgs.hicolor-icon-theme
pkgs.shared-mime-info # for update-mime-database
pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/
- vino
];
})
- # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-utilities.bst
+ # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-36/elements/core/meta-gnome-core-utilities.bst
(mkIf serviceCfg.core-utilities.enable {
environment.systemPackages = (with pkgs.gnome3; removePackagesByName [
baobab
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix
index 65a7b9c628e..e997b9a1134 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix
@@ -20,7 +20,7 @@ in
services.xserver.desktopManager.session = [{
name = "kodi";
start = ''
- ${pkgs.kodi}/bin/kodi --lircdev /run/lirc/lircd --standalone &
+ LIRC_SOCKET_PATH=/run/lirc/lircd ${pkgs.kodi}/bin/kodi --standalone &
waitPID=$!
'';
}];
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix
index 910a246d776..f236c14fcf3 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix
@@ -44,35 +44,35 @@ in
config = mkIf cfg.enable {
- services.xserver.desktopManager.session = singleton {
- name = "mate";
- bgSupport = true;
- start = ''
- export XDG_MENU_PREFIX=mate-
+ services.xserver.displayManager.sessionPackages = [
+ pkgs.mate.mate-session-manager
+ ];
- # Let caja find extensions
- export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0
+ services.xserver.displayManager.sessionCommands = ''
+ if test "$XDG_CURRENT_DESKTOP" = "MATE"; then
+ export XDG_MENU_PREFIX=mate-
- # Let caja extensions find gsettings schemas
- ${concatMapStrings (p: ''
+ # Let caja find extensions
+ export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0
+
+ # Let caja extensions find gsettings schemas
+ ${concatMapStrings (p: ''
if [ -d "${p}/lib/caja/extensions-2.0" ]; then
- ${addToXDGDirs p}
+ ${addToXDGDirs p}
fi
- '')
- config.environment.systemPackages
- }
+ '') config.environment.systemPackages}
- # Let mate-panel find applets
- export MATE_PANEL_APPLETS_DIR=$MATE_PANEL_APPLETS_DIR''${MATE_PANEL_APPLETS_DIR:+:}${config.system.path}/share/mate-panel/applets
- export MATE_PANEL_EXTRA_MODULES=$MATE_PANEL_EXTRA_MODULES''${MATE_PANEL_EXTRA_MODULES:+:}${config.system.path}/lib/mate-panel/applets
+ # Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive)
+ ${addToXDGDirs pkgs.mate.mate-control-center}
+ fi
+ '';
- # Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive)
- ${addToXDGDirs pkgs.mate.mate-control-center}
+ # Let mate-panel find applets
+ environment.sessionVariables."MATE_PANEL_APPLETS_DIR" = "${config.system.path}/share/mate-panel/applets";
+ environment.sessionVariables."MATE_PANEL_EXTRA_MODULES" = "${config.system.path}/lib/mate-panel/applets";
- ${pkgs.mate.mate-session-manager}/bin/mate-session ${optionalString cfg.debug "--debug"} &
- waitPID=$!
- '';
- };
+ # Debugging
+ environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1";
environment.systemPackages =
pkgs.mate.basePackages ++
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
index 869c6694489..01fe230b8a4 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -181,7 +181,6 @@ in
hicolor-icon-theme
lightlocker
onboard
- plank
qgnomeplatform
shared-mime-info
sound-theme-freedesktop
@@ -195,6 +194,7 @@ in
# Desktop
elementary-default-settings
+ elementary-dock
elementary-session-settings
elementary-shortcut-overlay
gala
@@ -206,9 +206,9 @@ in
})
# Services
- cerbere
elementary-capnet-assist
elementary-dpms-helper
+ elementary-notifications
elementary-settings-daemon
pantheon-agent-geoclue2
pantheon-agent-polkit
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml
index 4d92a7446c0..9541f2cfd4e 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml
@@ -89,22 +89,6 @@ switchboard-with-plugs.override {
</para>
</listitem>
</varlistentry>
- <varlistentry xml:id="sec-pantheon-faq-slow-shutdown">
- <term>
- Using Pantheon sometimes makes my shutdown take a long time.
- </term>
- <listitem>
- <para>
- We have not yet determined what processes fight with systemd during shutdown, there are many reports. In elementary OS the default system timeout is lowered to lessen the impact of the issue. If you'd like to do this in NixOS, set
-<programlisting>
- <xref linkend="opt-systemd.extraConfig"/> = ''
- DefaultTimeoutStopSec=10s
- DefaultTimeoutStartSec=10s
-'';
-</programlisting>
- </para>
- </listitem>
- </varlistentry>
<varlistentry xml:id="sec-pantheon-faq-gnome3-and-pantheon">
<term>
I cannot enable both GNOME 3 and Pantheon.
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix
index a08b1947f65..d39b4d64904 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -8,6 +8,10 @@ in
{
+ meta = {
+ maintainers = with maintainers; [ worldofpeace ];
+ };
+
imports = [
# added 2019-08-18
# needed to preserve some semblance of UI familarity
@@ -129,6 +133,7 @@ in
services.xserver.desktopManager.session = [{
name = "xfce";
+ desktopNames = [ "XFCE" ];
bgSupport = true;
start = ''
${pkgs.runtimeShell} ${pkgs.xfce.xfce4-session.xinitrc} &
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix
index 1dbe703b566..2b08c62d0ad 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix
@@ -3,6 +3,7 @@
, gobject-introspection
, python3
, wrapGAppsHook
+, lib
}:
python3.pkgs.buildPythonApplication {
@@ -36,4 +37,8 @@ python3.pkgs.buildPythonApplication {
cp $src $out/bin/set-session
chmod +x $out/bin/set-session
'';
+
+ meta = with lib; {
+ maintainers = with maintainers; [ worldofpeace ];
+ };
}
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
index 5d49ca94387..2a7a19e7695 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
@@ -54,14 +54,6 @@ let
exec &> >(tee ~/.xsession-errors)
''}
- # Start PulseAudio if enabled.
- ${optionalString (config.hardware.pulseaudio.enable) ''
- # Publish access credentials in the root window.
- if ${config.hardware.pulseaudio.package.out}/bin/pulseaudio --dump-modules | grep module-x11-publish &> /dev/null; then
- ${config.hardware.pulseaudio.package.out}/bin/pactl load-module module-x11-publish "display=$DISPLAY"
- fi
- ''}
-
# Tell systemd about our $DISPLAY and $XAUTHORITY.
# This is needed by the ssh-agent unit.
#
@@ -412,6 +404,9 @@ in
(dm: wm: let
sessionName = "${dm.name}${optionalString (wm.name != "none") ("+" + wm.name)}";
script = xsession dm wm;
+ desktopNames = if dm ? desktopNames
+ then concatStringsSep ";" dm.desktopNames
+ else sessionName;
in
optional (dm.name != "none" || wm.name != "none")
(pkgs.writeTextFile {
@@ -427,7 +422,7 @@ in
TryExec=${script}
Exec=${script}
Name=${sessionName}
- DesktopNames=${sessionName}
+ DesktopNames=${desktopNames}
'';
} // {
providedSessions = [ sessionName ];
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
index e0ac47bb766..d7bef68e5bc 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
@@ -38,6 +38,10 @@ in
{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
###### interface
options = {
@@ -184,6 +188,9 @@ in
"systemd-machined.service"
# setSessionScript wants AccountsService
"accounts-daemon.service"
+ # Failed to open gpu '/dev/dri/card0': GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Operation not permitted
+ # https://github.com/NixOS/nixpkgs/pull/25311#issuecomment-609417621
+ "systemd-udev-settle.service"
];
systemd.services.display-manager.after = [
@@ -193,6 +200,7 @@ in
"getty@tty${gdm.initialVT}.service"
"plymouth-quit.service"
"plymouth-start.service"
+ "systemd-udev-settle.service"
];
systemd.services.display-manager.conflicts = [
"getty@tty${gdm.initialVT}.service"
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix
index 0025f9b3603..16d7fdf15cf 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix
@@ -14,7 +14,9 @@ let
user = ${cfg.user}
show-password-label = true
password-label-text = Password:
+ invalid-password-text = Invalid Password
show-input-cursor = true
+ password-alignment = right
[greeter-hotkeys]
mod-key = meta
@@ -26,6 +28,8 @@ let
[greeter-theme]
font = Sans
font-size = 1em
+ font-weight = bold
+ font-style = normal
text-color = "#080800"
error-color = "#F8F8F0"
background-image = "${ldmcfg.background}"
@@ -36,6 +40,8 @@ let
layout-space = 15
password-color = "#F8F8F0"
password-background-color = "#1B1D1E"
+ password-border-color = "#080800"
+ password-border-width = 2px
${cfg.extraConfig}
'';
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
index 77c94114e6d..087c6b9c38a 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
@@ -10,6 +10,10 @@ let
in
{
+ meta = {
+ maintainers = with maintainers; [ worldofpeace ];
+ };
+
options = {
services.xserver.displayManager.lightdm.greeters.pantheon = {
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix
index cb7b5f95958..479548863b4 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -69,6 +69,10 @@ let
in
{
+ meta = {
+ maintainers = with maintainers; [ worldofpeace ];
+ };
+
# Note: the order in which lightdm greeter modules are imported
# here determines the default: later modules (if enable) are
# preferred.
diff --git a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix
index f6b0e7c09f5..9548ecb8ef6 100644
--- a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix
+++ b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix
@@ -184,7 +184,11 @@ in {
''
Option "DragLockButtons" "L1 B1 L2 B2"
'';
- description = "Additional options for libinput touchpad driver.";
+ description = ''
+ Additional options for libinput touchpad driver. See
+ <citerefentry><refentrytitle>libinput</refentrytitle><manvolnum>4</manvolnum></citerefentry>
+ for available options.";
+ '';
};
};
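Review bot: The new description ends with `for available options.";`, where the `";` is left over from the old one-line string. It now sits inside the `''` string and will be rendered in the generated manual. The line should read `for available options.` with the closing `'';` on the next line as it already is.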
diff --git a/nixpkgs/nixos/modules/services/x11/xserver.nix b/nixpkgs/nixos/modules/services/x11/xserver.nix
index 74d702ea1c3..6aec1c0753a 100644
--- a/nixpkgs/nixos/modules/services/x11/xserver.nix
+++ b/nixpkgs/nixos/modules/services/x11/xserver.nix
@@ -651,8 +651,7 @@ in
systemd.services.display-manager =
{ description = "X11 Server";
- after = [ "systemd-udev-settle.service" "acpid.service" "systemd-logind.service" ];
- wants = [ "systemd-udev-settle.service" ];
+ after = [ "acpid.service" "systemd-logind.service" ];
restartIfChanged = false;
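Review bot: Dropping `systemd-udev-settle.service` from the generic `display-manager` unit removes that ordering for every display manager, while this commit re-adds it for GDM only. The GDM hunk justifies it with a `/dev/dri/card0` access error, which may not be GDM-specific. A short comment here would record the reason, for example `# udev-settle is no longer awaited here; display managers that need it (see gdm.nix) add it themselves`, and the change belongs in the release notes for users of other display managers. The unit definition continues outside the hunk.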
diff --git a/nixpkgs/nixos/modules/system/activation/no-clone.nix b/nixpkgs/nixos/modules/system/activation/no-clone.nix
index 7f458443526..912420347dc 100644
--- a/nixpkgs/nixos/modules/system/activation/no-clone.nix
+++ b/nixpkgs/nixos/modules/system/activation/no-clone.nix
@@ -4,6 +4,5 @@ with lib;
{
boot.loader.grub.device = mkOverride 0 "nodev";
- nesting.children = mkOverride 0 [];
- nesting.clone = mkOverride 0 [];
+ specialisation = mkOverride 0 {};
}
diff --git a/nixpkgs/nixos/modules/system/activation/top-level.nix b/nixpkgs/nixos/modules/system/activation/top-level.nix
index 14bd751ce32..f6739977fa4 100644
--- a/nixpkgs/nixos/modules/system/activation/top-level.nix
+++ b/nixpkgs/nixos/modules/system/activation/top-level.nix
@@ -11,21 +11,16 @@ let
# you can provide an easy way to boot the same configuration
# as you use, but with another kernel
# !!! fix this
- cloner = inheritParent: list:
- map (childConfig:
+ children = mapAttrs (childName: childConfig:
(import ../../../lib/eval-config.nix {
inherit baseModules;
system = config.nixpkgs.initialSystem;
modules =
- (optionals inheritParent modules)
+ (optionals childConfig.inheritParentConfig modules)
++ [ ./no-clone.nix ]
- ++ [ childConfig ];
+ ++ [ childConfig.configuration ];
}).config.system.build.toplevel
- ) list;
-
- children =
- cloner false config.nesting.children
- ++ cloner true config.nesting.clone;
+ ) config.specialisation;
systemBuilder =
let
@@ -75,14 +70,11 @@ let
echo -n "$configurationName" > $out/configuration-name
echo -n "systemd ${toString config.systemd.package.interfaceVersion}" > $out/init-interface-version
echo -n "$nixosLabel" > $out/nixos-version
- echo -n "${pkgs.stdenv.hostPlatform.system}" > $out/system
+ echo -n "${config.boot.kernelPackages.stdenv.hostPlatform.system}" > $out/system
- mkdir $out/fine-tune
- childCount=0
- for i in $children; do
- childCount=$(( childCount + 1 ))
- ln -s $i $out/fine-tune/child-$childCount
- done
+ mkdir $out/specialisation
+ ${concatStringsSep "\n"
+ (mapAttrsToList (name: path: "ln -s ${path} $out/specialisation/${name}") children)}
mkdir $out/bin
export localeArchive="${config.i18n.glibcLocales}/lib/locale/locale-archive"
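Review bot: The specialisation name is interpolated unquoted into the builder script in `ln -s ${path} $out/specialisation/${name}`, so an attribute name containing a space, `/` or shell metacharacters breaks the build or changes what the script runs. Quoting it keeps the name literal: `(mapAttrsToList (name: path: "ln -s ${path} $out/specialisation/${escapeShellArg name}") children)`. A name containing `/` would still create a nested path, so the `specialisation` option, which is defined in a later hunk, may also want a check on names. The builder script begins and ends outside this hunk.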
@@ -112,7 +104,6 @@ let
shell = "${pkgs.bash}/bin/sh";
su = "${pkgs.shadow.su}/bin/su";
- inherit children;
kernelParams = config.boot.kernelParams;
installBootLoader =
config.system.build.installBootLoader
@@ -143,6 +134,11 @@ let
in
{
+ imports = [
+ (mkRemovedOptionModule [ "nesting" "clone" ] "Use `specialisation.«name» = { inheritParentConfig = true; configuration = { ... }; }` instead.")
+ (mkRemovedOptionModule [ "nesting" "children" ] "Use `specialisation.«name».configuration = { ... }` instead.")
+ ];
+
options = {
system.build = mkOption {
@@ -154,26 +150,35 @@ in
'';
};
- nesting.children = mkOption {
- default = [];
- description = ''
- Additional configurations to build.
- '';
- };
-
- nesting.clone = mkOption {
- default = [];
+ specialisation = mkOption {
+ default = {};
+ example = lib.literalExample "{ fewJobsManyCores.configuration = { nix.buildCores = 0; nix.maxJobs = 1; }; }";
description = ''
- Additional configurations to build based on the current
- configuration which then has a lower priority.
+ Additional configurations to build. If
+ <literal>inheritParentConfig</literal> is true, the system
+ will be based on the overall system configuration.
- To switch to a cloned configuration (e.g. <literal>child-1</literal>)
- at runtime, run
+ To switch to a specialised configuration
+ (e.g. <literal>fewJobsManyCores</literal>) at runtime, run:
<programlisting>
- # sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
+ # sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test
</programlisting>
'';
+ type = types.attrsOf (types.submodule (
+ { ... }: {
+ options.inheritParentConfig = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Include the entire system's configuration. Set to false to make a completely differently configured system.";
+ };
+
+ options.configuration = mkOption {
+ default = {};
+ description = "Arbitrary NixOS configuration options.";
+ };
+ })
+ );
};
system.boot.loader.id = mkOption {
diff --git a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
index 2d3e3b05c98..5a334e69056 100644
--- a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
@@ -10,19 +10,21 @@ in
{
- options = {
-
- boot.initrd.network.ssh.enable = mkOption {
+ options.boot.initrd.network.ssh = {
+ enable = mkOption {
type = types.bool;
default = false;
description = ''
Start SSH service during initrd boot. It can be used to debug failing
boot on a remote server, enter pasphrase for an encrypted partition etc.
Service is killed when stage-1 boot is finished.
+
+ The sshd configuration is largely inherited from
+ <option>services.openssh</option>.
'';
};
- boot.initrd.network.ssh.port = mkOption {
+ port = mkOption {
type = types.int;
default = 22;
description = ''
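Review bot: "Largely inherited" in the new `enable` description does not tell an administrator which `services.openssh` settings reach the initrd sshd. The generated config later in this file copies `kexAlgorithms`, `ciphers`, `macs`, `logLevel` and `useDns`, and hard-codes `PasswordAuthentication no` and `ChallengeResponseAuthentication no`. Naming them makes it clear that relaxing the main sshd's algorithms also relaxes the pre-boot one: `KexAlgorithms, Ciphers, MACs, LogLevel and UseDNS are taken from services.openssh; authentication is public-key only.` The options block continues outside this hunk.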
@@ -30,7 +32,7 @@ in
'';
};
- boot.initrd.network.ssh.shell = mkOption {
+ shell = mkOption {
type = types.str;
default = "/bin/ash";
description = ''
@@ -38,95 +40,163 @@ in
'';
};
- boot.initrd.network.ssh.hostRSAKey = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- RSA SSH private key file in the Dropbear format.
-
- WARNING: Unless your bootloader supports initrd secrets, this key is
- contained insecurely in the global Nix store. Do NOT use your regular
- SSH host private keys for this purpose or you'll expose them to
- regular users!
- '';
- };
-
- boot.initrd.network.ssh.hostDSSKey = mkOption {
- type = types.nullOr types.path;
- default = null;
+ hostKeys = mkOption {
+ type = types.listOf (types.either types.str types.path);
+ default = [];
+ example = [
+ "/etc/secrets/initrd/ssh_host_rsa_key"
+ "/etc/secrets/initrd/ssh_host_ed25519_key"
+ ];
description = ''
- DSS SSH private key file in the Dropbear format.
-
- WARNING: Unless your bootloader supports initrd secrets, this key is
- contained insecurely in the global Nix store. Do NOT use your regular
- SSH host private keys for this purpose or you'll expose them to
- regular users!
+ Specify SSH host keys to import into the initrd.
+
+ To generate keys, use
+ <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
+
+ <screen>
+ <prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+ <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
+ </screen>
+
+ <warning>
+ <para>
+ Unless your bootloader supports initrd secrets, these keys
+ are stored insecurely in the global Nix store. Do NOT use
+ your regular SSH host private keys for this purpose or
+ you'll expose them to regular users!
+ </para>
+ <para>
+ Additionally, even if your initrd supports secrets, if
+ you're using initrd SSH to unlock an encrypted disk then
+ using your regular host keys exposes the private keys on
+ your unencrypted boot partition.
+ </para>
+ </warning>
'';
};
- boot.initrd.network.ssh.hostECDSAKey = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- ECDSA SSH private key file in the Dropbear format.
-
- WARNING: Unless your bootloader supports initrd secrets, this key is
- contained insecurely in the global Nix store. Do NOT use your regular
- SSH host private keys for this purpose or you'll expose them to
- regular users!
- '';
- };
-
- boot.initrd.network.ssh.authorizedKeys = mkOption {
+ authorizedKeys = mkOption {
type = types.listOf types.str;
default = config.users.users.root.openssh.authorizedKeys.keys;
+ defaultText = "config.users.users.root.openssh.authorizedKeys.keys";
description = ''
Authorized keys for the root user on initrd.
- Note that Dropbear doesn't support OpenSSH's Ed25519 key type.
'';
};
-
};
- config = mkIf (config.boot.initrd.network.enable && cfg.enable) {
+ imports =
+ map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) ''
+ The initrd SSH functionality now uses OpenSSH rather than Dropbear.
+
+ If you want to keep your existing initrd SSH host keys, convert them with
+ $ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key
+ and then set options.boot.initrd.network.ssh.hostKeys.
+ '') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ];
+
+ config = let
+ # Nix complains if you include a store hash in initrd path names, so
+ # as an awful hack we drop the first character of the hash.
+ initrdKeyPath = path: if isString path
+ then path
+ else let name = builtins.baseNameOf path; in
+ builtins.unsafeDiscardStringContext ("/etc/ssh/" +
+ substring 1 (stringLength name) name);
+
+ sshdCfg = config.services.openssh;
+
+ sshdConfig = ''
+ Port ${toString cfg.port}
+
+ PasswordAuthentication no
+ ChallengeResponseAuthentication no
+
+ ${flip concatMapStrings cfg.hostKeys (path: ''
+ HostKey ${initrdKeyPath path}
+ '')}
+
+ KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms}
+ Ciphers ${concatStringsSep "," sshdCfg.ciphers}
+ MACs ${concatStringsSep "," sshdCfg.macs}
+
+ LogLevel ${sshdCfg.logLevel}
+
+ ${if sshdCfg.useDns then ''
+ UseDNS yes
+ '' else ''
+ UseDNS no
+ ''}
+ '';
+ in mkIf (config.boot.initrd.network.enable && cfg.enable) {
assertions = [
- { assertion = cfg.authorizedKeys != [];
+ {
+ assertion = cfg.authorizedKeys != [];
message = "You should specify at least one authorized key for initrd SSH";
}
+
+ {
+ assertion = cfg.hostKeys != [];
+ message = ''
+ You must now pre-generate the host keys for initrd SSH.
+ See the boot.initrd.network.ssh.hostKeys documentation
+ for instructions.
+ '';
+ }
];
boot.initrd.extraUtilsCommands = ''
- copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
+ copy_bin_and_libs ${pkgs.openssh}/bin/sshd
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
'';
boot.initrd.extraUtilsCommandsTest = ''
- $out/bin/dropbear -V
+ # sshd requires a host key to check config, so we pass in the test's
+ echo -n ${escapeShellArg sshdConfig} |
+ $out/bin/sshd -t -f /dev/stdin \
+ -h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}
'';
boot.initrd.network.postCommands = ''
echo '${cfg.shell}' > /etc/shells
echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
+ echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd
echo 'passwd: files' > /etc/nsswitch.conf
- mkdir -p /var/log
+ mkdir -p /var/log /var/empty
touch /var/log/lastlog
- mkdir -p /etc/dropbear
+ mkdir -p /etc/ssh
+ echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config
+
+ echo "export PATH=$PATH" >> /etc/profile
+ echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile
mkdir -p /root/.ssh
${concatStrings (map (key: ''
echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
'') cfg.authorizedKeys)}
- dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"}
+ ${flip concatMapStrings cfg.hostKeys (path: ''
+ # keys from Nix store are world-readable, which sshd doesn't like
+ chmod 0600 "${initrdKeyPath path}"
+ '')}
+
+ /bin/sshd -e
'';
- boot.initrd.secrets =
- (optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
- (optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
- (optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
+ boot.initrd.postMountCommands = ''
+ # Stop sshd cleanly before stage 2.
+ #
+ # If you want to keep it around to debug post-mount SSH issues,
+ # run `touch /.keep_sshd` (either from an SSH session or in
+ # another initrd hook like preDeviceCommands).
+ if ! [ -e /.keep_sshd ]; then
+ pkill -x sshd
+ fi
+ '';
+ boot.initrd.secrets = listToAttrs
+ (map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);
};
}
diff --git a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix
index b97ef88a7ca..c775632a4aa 100644
--- a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix
@@ -588,7 +588,7 @@ in
{ boot.loader.grub.splashImage = mkDefault (
if cfg.version == 1 then pkgs.fetchurl {
- url = http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz;
+ url = "http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz";
sha256 = "14kqdx2lfqvh40h6fjjzqgff1mwk74dmbjvmqphi6azzra7z8d59";
}
# GRUB 1.97 doesn't support gzipped XPMs.
diff --git a/nixpkgs/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixpkgs/nixos/modules/system/boot/loader/grub/install-grub.pl
index ca0fb0248e0..8df18cbd901 100644
--- a/nixpkgs/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixpkgs/nixos/modules/system/boot/loader/grub/install-grub.pl
@@ -409,7 +409,7 @@ $conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS;
# Find all the children of the current default configuration
# Do not search for grand children
-my @links = sort (glob "$defaultConfig/fine-tune/*");
+my @links = sort (glob "$defaultConfig/specialisation/*");
foreach my $link (@links) {
my $entryName = "";
@@ -425,7 +425,8 @@ foreach my $link (@links) {
if ($cfgName) {
$entryName = $cfgName;
} else {
- $entryName = "($date - $version)";
+ my $linkname = basename($link);
+ $entryName = "($linkname - $date - $version)";
}
addEntry("NixOS - $entryName", $link);
}
diff --git a/nixpkgs/nixos/modules/system/boot/loader/init-script/init-script-builder.sh b/nixpkgs/nixos/modules/system/boot/loader/init-script/init-script-builder.sh
index 08d4ab14c9c..6f48d2539ac 100644
--- a/nixpkgs/nixos/modules/system/boot/loader/init-script/init-script-builder.sh
+++ b/nixpkgs/nixos/modules/system/boot/loader/init-script/init-script-builder.sh
@@ -69,7 +69,7 @@ addEntry "NixOS - Default" $defaultConfig ""
# Add all generations of the system profile to the menu, in reverse
# (most recent to least recent) order.
-for link in $((ls -d $defaultConfig/fine-tune/* ) | sort -n); do
+for link in $((ls -d $defaultConfig/specialisation/* ) | sort -n); do
date=$(stat --printf="%y\n" $link | sed 's/\..*//')
addEntry "NixOS - variation" $link ""
done
diff --git a/nixpkgs/nixos/modules/system/boot/stage-1.nix b/nixpkgs/nixos/modules/system/boot/stage-1.nix
index 93cd801ef80..9e3ee5cf0a3 100644
--- a/nixpkgs/nixos/modules/system/boot/stage-1.nix
+++ b/nixpkgs/nixos/modules/system/boot/stage-1.nix
@@ -142,7 +142,10 @@ let
let source' = if source == null then dest else source; in
''
mkdir -p $(dirname "$out/secrets/${dest}")
- cp -a ${source'} "$out/secrets/${dest}"
+ # Some programs (e.g. ssh) doesn't like secrets to be
+ # symlinks, so we use `cp -L` here to match the
+ # behaviour when secrets are natively supported.
+ cp -Lr ${source'} "$out/secrets/${dest}"
''
) config.boot.initrd.secrets))
}
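Review bot: `-Lr` follows every symlink below a directory secret, so a link that points outside that directory has its target copied into `$out/secrets` as well. With `-a` gone, ownership and timestamps are no longer preserved and modes become subject to the umask; the new comment mentions neither. I would add a line such as `# NOTE: -L dereferences all links under the source; ownership/timestamps are not kept` and fix the grammar ("don't like"). The source operand should be quoted like the destination: `cp -Lr "${source'}" "$out/secrets/${dest}"`. The enclosing expression starts before and ends after this hunk.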
diff --git a/nixpkgs/nixos/modules/system/boot/systemd-lib.nix b/nixpkgs/nixos/modules/system/boot/systemd-lib.nix
index a3360291586..fa109394fed 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd-lib.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd-lib.nix
@@ -114,7 +114,9 @@ in rec {
(if isList value then value else [value]))
as));
- generateUnits = type: units: upstreamUnits: upstreamWants:
+ generateUnits = generateUnits' true;
+
+ generateUnits' = allowCollisions: type: units: upstreamUnits: upstreamWants:
pkgs.runCommand "${type}-units"
{ preferLocalBuild = true;
allowSubstitutes = false;
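Review bot: `generateUnits'` gains an `allowCollisions` argument with no comment saying what a collision is or what passing `false` does, and the primed name alone does not tell a caller which variant to pick. Going by the later hunk in this file, a comment above the definition could read `# allowCollisions = false: fail the build when a second derivation provides the same unit file instead of adding an overrides.conf drop-in`. The body of the function continues outside this hunk.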
@@ -182,8 +184,13 @@ in rec {
if [ "$(readlink -f $i/$fn)" = /dev/null ]; then
ln -sfn /dev/null $out/$fn
else
- mkdir -p $out/$fn.d
- ln -s $i/$fn $out/$fn.d/overrides.conf
+ ${if allowCollisions then ''
+ mkdir -p $out/$fn.d
+ ln -s $i/$fn $out/$fn.d/overrides.conf
+ '' else ''
+ echo "Found multiple derivations configuring $fn!"
+ exit 1
+ ''}
fi
else
ln -fs $i/$fn $out/
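Review bot: The new failure branch prints only `$fn` to stdout before `exit 1`, so the build log does not say which input caused the collision. Writing to stderr and naming the path being processed makes the error actionable: `echo "Found multiple derivations configuring $fn (while adding $i/$fn)" >&2`. The surrounding loop starts outside the hunk, so `$i` is assumed to be the loop variable it appears to be.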
diff --git a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix
index 1e2435e36f0..06ea5ee49f7 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix
@@ -116,7 +116,7 @@ in {
in
mkMerge [
(mkIf (cfg != {}) {
- environment.etc."systemd/nspawn".source = mkIf (cfg != {}) (generateUnits "nspawn" units [] []);
+ environment.etc."systemd/nspawn".source = mkIf (cfg != {}) (generateUnits' false "nspawn" units [] []);
})
{
systemd.targets.multi-user.wants = [ "machines.target" ];
diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix
index cdc9d237939..7f207e6c7ef 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd.nix
@@ -842,7 +842,6 @@ in
[Manager]
${optionalString config.systemd.enableCgroupAccounting ''
DefaultCPUAccounting=yes
- DefaultBlockIOAccounting=yes
DefaultIOAccounting=yes
DefaultBlockIOAccounting=yes
DefaultIPAccounting=yes
diff --git a/nixpkgs/nixos/modules/tasks/auto-upgrade.nix b/nixpkgs/nixos/modules/tasks/auto-upgrade.nix
index bfc1e301efa..e70004e643e 100644
--- a/nixpkgs/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixpkgs/nixos/modules/tasks/auto-upgrade.nix
@@ -24,7 +24,7 @@ let cfg = config.system.autoUpgrade; in
channel = mkOption {
type = types.nullOr types.str;
default = null;
- example = https://nixos.org/channels/nixos-14.12-small;
+ example = "https://nixos.org/channels/nixos-14.12-small";
description = ''
The URI of the NixOS channel to use for automatic
upgrades. By default, this is the channel set using
diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
index 09c7e074e12..43347161a84 100644
--- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
@@ -433,6 +433,7 @@ in
services.zfs.zed.settings = {
ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail";
+ PATH = lib.makeBinPath [ packages.zfsUser pkgs.utillinux pkgs.gawk pkgs.gnused pkgs.gnugrep pkgs.coreutils pkgs.curl ];
};
environment.etc = genAttrs
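Review bot: `PATH` is set as a plain definition while `ZED_EMAIL_PROG` on the line above uses `mkDefault`, so a user who sets `services.zfs.zed.settings.PATH` would presumably get a conflicting-definition error rather than an override. If overriding is meant to work, `PATH = mkDefault (lib.makeBinPath [ … ]);` keeps the two entries consistent. A short comment naming which ZEDLETs need `curl` and the other tools would also help whoever trims this list later.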
@@ -478,6 +479,7 @@ in
createImportService = pool:
nameValuePair "zfs-import-${pool}" {
description = "Import ZFS pool \"${pool}\"";
+ # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged
requires = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" "systemd-modules-load.service" ];
wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ];
diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix
index 4d25137c5df..9720d90217c 100644
--- a/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix
@@ -237,6 +237,38 @@ let
'';
};
+ createNetworkLink = i:
+ let
+ deviceDependency = if (config.boot.isContainer || i.name == "lo")
+ then []
+ else [ (subsystemDevice i.name) ];
+ in
+ nameValuePair "network-link-${i.name}"
+ { description = "Link configuration of ${i.name}";
+ wantedBy = [ "network-interfaces.target" ];
+ before = [ "network-interfaces.target" ];
+ bindsTo = deviceDependency;
+ after = [ "network-pre.target" ] ++ deviceDependency;
+ path = [ pkgs.iproute ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script =
+ ''
+ echo "Configuring link..."
+ '' + optionalString (i.macAddress != null) ''
+ echo "setting MAC address to ${i.macAddress}..."
+ ip link set "${i.name}" address "${i.macAddress}"
+ '' + optionalString (i.mtu != null) ''
+ echo "setting MTU to ${toString i.mtu}..."
+ ip link set "${i.name}" mtu "${toString i.mtu}"
+ '' + ''
+ echo -n "bringing up interface... "
+ ip link set "${i.name}" up && echo "done" || (echo "failed"; exit 1)
+ '';
+ };
+
createTunDevice = i: nameValuePair "${i.name}-netdev"
{ description = "Virtual Network Interface ${i.name}";
bindsTo = [ "dev-net-tun.device" ];
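Review bot: `i.name` and `i.macAddress` are spliced into the generated script inside double quotes, where `$`, backticks and `"` in a value are still interpreted by the shell. `escapeShellArg` (assuming `lib` is in scope here as elsewhere in this tree) handles that, e.g. `ip link set ${escapeShellArg i.name} address ${escapeShellArg i.macAddress}`, and likewise on the `mtu` and `up` lines. The block is moved from network-interfaces.nix, so the quoting is inherited rather than new, but the move is a cheap place to fix it.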
@@ -291,13 +323,19 @@ let
${optionalString config.virtualisation.libvirtd.enable ''
# Enslave dynamically added interfaces which may be lost on nixos-rebuild
- for uri in qemu:///system lxc:///; do
- for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do
- ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \
- ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \
- ${pkgs.bash}/bin/bash
+ #
+ # if `libvirtd.service` is not running, do not use `virsh` which would try activate it via 'libvirtd.socket' and thus start it out-of-order.
+ # `libvirtd.service` will set up bridge interfaces when it will start normally.
+ #
+ if ${pkgs.systemd}/bin/systemctl --quiet is-active 'libvirtd.service'; then
+ for uri in qemu:///system lxc:///; do
+ for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do
+ ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \
+ ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \
+ ${pkgs.bash}/bin/bash
+ done
done
- done
+ fi
''}
# Enable stp on the interface
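Review bot: Inside the new `is-active` guard the script still builds `ip link set … master …;` text from `target/@dev` and `source/@bridge` in the domain XML and pipes it to `bash`, so those attribute values are executed as shell text by this unit. Reading the device names as data and calling `ip` with quoted arguments avoids that; whether libvirt already restricts these attributes cannot be seen from here. `$uri` in the `virsh -c` calls could be quoted at the same time. The enclosing script starts and ends outside the hunk.

```nix
            if ${pkgs.systemd}/bin/systemctl --quiet is-active 'libvirtd.service'; then
              # … unchanged: for uri / for dom loop headers …
                  ${pkgs.libvirt}/bin/virsh -c "$uri" dumpxml "$dom" | \
                  ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "target/@dev" -n | \
                  while IFS= read -r dev; do
                    ip link set "$dev" master "${n}"
                  done
              # … unchanged: done / done / fi …
```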
@@ -502,6 +540,7 @@ let
});
in listToAttrs (
+ map createNetworkLink interfaces ++
map configureAddrs interfaces ++
map createTunDevice (filter (i: i.virtual) interfaces))
// mapAttrs' createBridgeDevice cfg.bridges
diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
index 41deceb000e..23e1e611a71 100644
--- a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -94,7 +94,12 @@ in
address = forEach (interfaceIps i)
(ip: "${ip.address}/${toString ip.prefixLength}");
networkConfig.IPv6PrivacyExtensions = "kernel";
- } ];
+ linkConfig = optionalAttrs (i.macAddress != null) {
+ MACAddress = i.macAddress;
+ } // optionalAttrs (i.mtu != null) {
+ MTUBytes = toString i.mtu;
+ };
+ }];
})))
(mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: {
netdevs."40-${name}" = {
diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces.nix b/nixpkgs/nixos/modules/tasks/network-interfaces.nix
index 9542a60beee..44677d417ea 100644
--- a/nixpkgs/nixos/modules/tasks/network-interfaces.nix
+++ b/nixpkgs/nixos/modules/tasks/network-interfaces.nix
@@ -634,19 +634,23 @@ in
networking.bonds =
let
- driverOptionsExample = {
- miimon = "100";
- mode = "active-backup";
- };
+ driverOptionsExample = ''
+ {
+ miimon = "100";
+ mode = "active-backup";
+ }
+ '';
in mkOption {
default = { };
- example = literalExample {
- bond0 = {
- interfaces = [ "eth0" "wlan0" ];
- driverOptions = driverOptionsExample;
- };
- anotherBond.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ];
- };
+ example = literalExample ''
+ {
+ bond0 = {
+ interfaces = [ "eth0" "wlan0" ];
+ driverOptions = ${driverOptionsExample};
+ };
+ anotherBond.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ];
+ }
+ '';
description = ''
This option allows you to define bond devices that aggregate multiple,
underlying networking interfaces together. The value of this option is
@@ -731,12 +735,14 @@ in
networking.macvlans = mkOption {
default = { };
- example = literalExample {
- wan = {
- interface = "enp2s0";
- mode = "vepa";
- };
- };
+ example = literalExample ''
+ {
+ wan = {
+ interface = "enp2s0";
+ mode = "vepa";
+ };
+ }
+ '';
description = ''
This option allows you to define macvlan interfaces which should
be automatically created.
@@ -764,18 +770,20 @@ in
networking.sits = mkOption {
default = { };
- example = literalExample {
- hurricane = {
- remote = "10.0.0.1";
- local = "10.0.0.22";
- ttl = 255;
- };
- msipv6 = {
- remote = "192.168.0.1";
- dev = "enp3s0";
- ttl = 127;
- };
- };
+ example = literalExample ''
+ {
+ hurricane = {
+ remote = "10.0.0.1";
+ local = "10.0.0.22";
+ ttl = 255;
+ };
+ msipv6 = {
+ remote = "192.168.0.1";
+ dev = "enp3s0";
+ ttl = 127;
+ };
+ }
+ '';
description = ''
This option allows you to define 6-to-4 interfaces which should be automatically created.
'';
@@ -826,16 +834,18 @@ in
networking.vlans = mkOption {
default = { };
- example = literalExample {
- vlan0 = {
- id = 3;
- interface = "enp3s0";
- };
- vlan1 = {
- id = 1;
- interface = "wlan0";
- };
- };
+ example = literalExample ''
+ {
+ vlan0 = {
+ id = 3;
+ interface = "enp3s0";
+ };
+ vlan1 = {
+ id = 1;
+ interface = "wlan0";
+ };
+ }
+ '';
description =
''
This option allows you to define vlan devices that tag packets
@@ -868,24 +878,26 @@ in
networking.wlanInterfaces = mkOption {
default = { };
- example = literalExample {
- wlan-station0 = {
- device = "wlp6s0";
- };
- wlan-adhoc0 = {
- type = "ibss";
- device = "wlp6s0";
- mac = "02:00:00:00:00:01";
- };
- wlan-p2p0 = {
- device = "wlp6s0";
- mac = "02:00:00:00:00:02";
- };
- wlan-ap0 = {
- device = "wlp6s0";
- mac = "02:00:00:00:00:03";
- };
- };
+ example = literalExample ''
+ {
+ wlan-station0 = {
+ device = "wlp6s0";
+ };
+ wlan-adhoc0 = {
+ type = "ibss";
+ device = "wlp6s0";
+ mac = "02:00:00:00:00:01";
+ };
+ wlan-p2p0 = {
+ device = "wlp6s0";
+ mac = "02:00:00:00:00:02";
+ };
+ wlan-ap0 = {
+ device = "wlp6s0";
+ mac = "02:00:00:00:00:03";
+ };
+ }
+ '';
description =
''
Creating multiple WLAN interfaces on top of one physical WLAN device (NIC).
@@ -1019,6 +1031,11 @@ in
message = ''
Temporary addresses are only needed when IPv6 is enabled.
'';
+ })) ++ (forEach interfaces (i: {
+ assertion = (i.virtual && i.virtualType == "tun") -> i.macAddress == null;
+ message = ''
+ Setting a MAC Address for tun device ${i.name} isn't supported.
+ '';
})) ++ [
{
assertion = cfg.hostId == null || (stringLength cfg.hostId == 8 && isHexString cfg.hostId);
@@ -1128,38 +1145,7 @@ in
${cfg.localCommands}
'';
};
- } // (listToAttrs (forEach interfaces (i:
- let
- deviceDependency = if (config.boot.isContainer || i.name == "lo")
- then []
- else [ (subsystemDevice i.name) ];
- in
- nameValuePair "network-link-${i.name}"
- { description = "Link configuration of ${i.name}";
- wantedBy = [ "network-interfaces.target" ];
- before = [ "network-interfaces.target" ];
- bindsTo = deviceDependency;
- after = [ "network-pre.target" ] ++ deviceDependency;
- path = [ pkgs.iproute ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script =
- ''
- echo "Configuring link..."
- '' + optionalString (i.macAddress != null) ''
- echo "setting MAC address to ${i.macAddress}..."
- ip link set "${i.name}" address "${i.macAddress}"
- '' + optionalString (i.mtu != null) ''
- echo "setting MTU to ${toString i.mtu}..."
- ip link set "${i.name}" mtu "${toString i.mtu}"
- '' + ''
- echo -n "bringing up interface... "
- ip link set "${i.name}" up && echo "done" || (echo "failed"; exit 1)
- '';
- })));
-
+ };
services.mstpd = mkIf needsMstpd { enable = true; };
virtualisation.vswitch = mkIf (cfg.vswitches != { }) { enable = true; };
diff --git a/nixpkgs/nixos/modules/virtualisation/azure-common.nix b/nixpkgs/nixos/modules/virtualisation/azure-common.nix
index 03239991b95..8efa177e30d 100644
--- a/nixpkgs/nixos/modules/virtualisation/azure-common.nix
+++ b/nixpkgs/nixos/modules/virtualisation/azure-common.nix
@@ -15,6 +15,8 @@ with lib;
boot.loader.grub.version = 2;
boot.loader.timeout = 0;
+ boot.growPartition = true;
+
# Don't put old configurations in the GRUB menu. The user has no
# way to select them anyway.
boot.loader.grub.configurationLimit = 0;
diff --git a/nixpkgs/nixos/modules/virtualisation/azure-image.nix b/nixpkgs/nixos/modules/virtualisation/azure-image.nix
index e91dd72ff5d..21fd58e5c90 100644
--- a/nixpkgs/nixos/modules/virtualisation/azure-image.nix
+++ b/nixpkgs/nixos/modules/virtualisation/azure-image.nix
@@ -2,27 +2,38 @@
with lib;
let
- diskSize = 2048;
+ cfg = config.virtualisation.azureImage;
in
{
- system.build.azureImage = import ../../lib/make-disk-image.nix {
- name = "azure-image";
- postVM = ''
- ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=fixed,force_size -O vpc $diskImage $out/disk.vhd
- '';
- configFile = ./azure-config-user.nix;
- format = "raw";
- inherit diskSize;
- inherit config lib pkgs;
- };
-
imports = [ ./azure-common.nix ];
+
+ options = {
+ virtualisation.azureImage.diskSize = mkOption {
+ type = with types; int;
+ default = 2048;
+ description = ''
+ Size of disk image. Unit is MB.
+ '';
+ };
+ };
+ config = {
+ system.build.azureImage = import ../../lib/make-disk-image.nix {
+ name = "azure-image";
+ postVM = ''
+ ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=fixed,force_size -O vpc $diskImage $out/disk.vhd
+ rm $diskImage
+ '';
+ configFile = ./azure-config-user.nix;
+ format = "raw";
+ inherit (cfg) diskSize;
+ inherit config lib pkgs;
+ };
- # Azure metadata is available as a CD-ROM drive.
- fileSystems."/metadata".device = "/dev/sr0";
+ # Azure metadata is available as a CD-ROM drive.
+ fileSystems."/metadata".device = "/dev/sr0";
- systemd.services.fetch-ssh-keys =
- { description = "Fetch host keys and authorized_keys for root user";
+ systemd.services.fetch-ssh-keys = {
+ description = "Fetch host keys and authorized_keys for root user";
wantedBy = [ "sshd.service" "waagent.service" ];
before = [ "sshd.service" "waagent.service" ];
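Review bot: `virtualisation.azureImage.diskSize` is typed as a bare `int`, so zero or a negative size passes option checking and would presumably only fail later inside `make-disk-image.nix`. `type = types.ints.positive;` rejects that at evaluation time. The description could also state the unit precisely, since the hyperv-image module added in the same commit describes its equivalent option in MiB while this one says MB.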
@@ -54,6 +65,6 @@ in
serviceConfig.RemainAfterExit = true;
serviceConfig.StandardError = "journal+console";
serviceConfig.StandardOutput = "journal+console";
- };
-
+ };
+ };
}
diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix
index 02de5801da2..dad211ef55b 100644
--- a/nixpkgs/nixos/modules/virtualisation/containers.nix
+++ b/nixpkgs/nixos/modules/virtualisation/containers.nix
@@ -609,9 +609,11 @@ in
bindMounts = mkOption {
type = with types; loaOf (submodule bindMountOpts);
default = {};
- example = { "/home" = { hostPath = "/home/alice";
- isReadOnly = false; };
- };
+ example = literalExample ''
+ { "/home" = { hostPath = "/home/alice";
+ isReadOnly = false; };
+ }
+ '';
description =
''
diff --git a/nixpkgs/nixos/modules/virtualisation/hyperv-image.nix b/nixpkgs/nixos/modules/virtualisation/hyperv-image.nix
new file mode 100644
index 00000000000..be2f12b7d01
--- /dev/null
+++ b/nixpkgs/nixos/modules/virtualisation/hyperv-image.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.hyperv;
+
+in {
+ options = {
+ hyperv = {
+ baseImageSize = mkOption {
+ type = types.int;
+ default = 2048;
+ description = ''
+ The size of the hyper-v base image in MiB.
+ '';
+ };
+ vmDerivationName = mkOption {
+ type = types.str;
+ default = "nixos-hyperv-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}";
+ description = ''
+ The name of the derivation for the hyper-v appliance.
+ '';
+ };
+ vmFileName = mkOption {
+ type = types.str;
+ default = "nixos-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.vhdx";
+ description = ''
+ The file name of the hyper-v appliance.
+ '';
+ };
+ };
+ };
+
+ config = {
+ system.build.hypervImage = import ../../lib/make-disk-image.nix {
+ name = cfg.vmDerivationName;
+ postVM = ''
+ ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=dynamic -O vhdx $diskImage $out/${cfg.vmFileName}
+ '';
+ format = "raw";
+ diskSize = cfg.baseImageSize;
+ partitionTableType = "efi";
+ inherit config lib pkgs;
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/ESP";
+ fsType = "vfat";
+ };
+
+ boot.growPartition = true;
+
+ boot.loader.grub = {
+ version = 2;
+ device = "nodev";
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ virtualisation.hypervGuest.enable = true;
+ };
+}
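Review bot: `cfg.vmFileName` is a free-form `types.str` that is spliced unquoted into the `postVM` shell command, so a name containing spaces or shell metacharacters changes the `qemu-img` command line. Quoting it closes that: `-O vhdx $diskImage "$out"/${escapeShellArg cfg.vmFileName}`. `baseImageSize` could likewise be `types.ints.positive`. Unlike the azure-image change in this commit, the raw `$diskImage` is not removed after conversion; worth confirming that is intended.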
diff --git a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
index 9f7bac480e3..4f22099443f 100644
--- a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
@@ -214,14 +214,14 @@ in {
};
systemd.services.libvirtd = {
- description = "Libvirt Virtual Machine Management Daemon";
-
- wantedBy = [ "multi-user.target" ];
requires = [ "libvirtd-config.service" ];
after = [ "systemd-udev-settle.service" "libvirtd-config.service" ]
++ optional vswitch.enable "ovs-vswitchd.service";
- environment.LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}'';
+ environment.LIBVIRTD_ARGS = escapeShellArgs (
+ [ "--config" configFile
+ "--timeout" "120" # from ${libvirt}/var/lib/sysconfig/libvirtd
+ ] ++ cfg.extraOptions);
path = [ cfg.qemuPackage ] # libvirtd requires qemu-img to manage disk images
++ optional vswitch.enable vswitch.package;
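Review bot: `escapeShellArgs` produces POSIX-shell quoting, but `LIBVIRTD_ARGS` is a unit environment variable and is presumably expanded by systemd in the upstream `ExecStart` (not visible in this hunk), whose word-splitting rules are not the shell's. An `extraOptions` entry containing a single quote would be escaped as `'\''`, which systemd may not read back as one argument. A comment stating who parses the value, e.g. `# parsed by systemd's $VAR expansion in the upstream unit, not by a shell`, plus a test with an option containing a space and a quote, would settle it. The fixed `--timeout 120` can also only be changed by appending a second `--timeout` through `extraOptions`.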
@@ -266,5 +266,8 @@ in {
serviceConfig.ExecStart = "@${pkgs.libvirt}/sbin/virtlockd virtlockd";
restartIfChanged = false;
};
+
+ systemd.sockets.libvirtd .wantedBy = [ "sockets.target" ];
+ systemd.sockets.libvirtd-tcp.wantedBy = [ "sockets.target" ];
};
}
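Review bot: Adding `libvirtd-tcp` to `sockets.target` starts that socket unit on every host that enables this module. If it is the upstream unit that listens on libvirt's plain TCP port, the management API becomes reachable over the network unless the firewall or the `auth_tcp` setting stops it. The unit definition is not visible here, so this needs confirming. I would drop the second line or put it behind an explicit opt-in option that defaults to off, keeping only `systemd.sockets.libvirtd.wantedBy = [ "sockets.target" ];`.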