authorKatharina Fey <kookie@spacekookie.de>2020-05-20 01:39:43 +0200
committerKatharina Fey <kookie@spacekookie.de>2020-05-20 01:39:43 +0200
commit1849de11ec1e32e9eebb83f24d5339bea88b7ed7 (patch)
tree0aaf3cead09c2d55c67c6f6a86ad20af399797d8 /nixpkgs/nixos/modules
parent304c06d7a7ea3f5c84031d325ece8d38b8c1d829 (diff)
parent0f5ce2fac0c726036ca69a5524c59a49e2973dd4 (diff)
Merge commit '0f5ce2fac0c726036ca69a5524c59a49e2973dd4'
Diffstat (limited to 'nixpkgs/nixos/modules')
-rw-r--r--nixpkgs/nixos/modules/config/fonts/fontconfig.nix5
-rw-r--r--nixpkgs/nixos/modules/config/fonts/fontdir.nix1
-rw-r--r--nixpkgs/nixos/modules/config/fonts/ghostscript.nix1
-rw-r--r--nixpkgs/nixos/modules/config/ldap.nix6
-rw-r--r--nixpkgs/nixos/modules/config/networking.nix2
-rw-r--r--nixpkgs/nixos/modules/config/nsswitch.nix155
-rw-r--r--nixpkgs/nixos/modules/config/qt5.nix6
-rw-r--r--nixpkgs/nixos/modules/hardware/all-firmware.nix1
-rw-r--r--nixpkgs/nixos/modules/hardware/device-tree.nix4
-rw-r--r--nixpkgs/nixos/modules/hardware/opengl.nix26
-rw-r--r--nixpkgs/nixos/modules/hardware/video/nvidia.nix63
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix5
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix3
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl8
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-install.sh13
-rw-r--r--nixpkgs/nixos/modules/installer/tools/tools.nix8
-rw-r--r--nixpkgs/nixos/modules/misc/version.nix4
-rw-r--r--nixpkgs/nixos/modules/module-list.nix10
-rw-r--r--nixpkgs/nixos/modules/profiles/docker-container.nix9
-rw-r--r--nixpkgs/nixos/modules/profiles/hardened.nix39
-rw-r--r--nixpkgs/nixos/modules/programs/cdemu.nix1
-rw-r--r--nixpkgs/nixos/modules/programs/chromium.nix10
-rw-r--r--nixpkgs/nixos/modules/programs/criu.nix1
-rw-r--r--nixpkgs/nixos/modules/programs/fish.nix4
-rw-r--r--nixpkgs/nixos/modules/programs/singularity.nix4
-rw-r--r--nixpkgs/nixos/modules/programs/systemtap.nix1
-rw-r--r--nixpkgs/nixos/modules/programs/venus.nix2
-rw-r--r--nixpkgs/nixos/modules/programs/xonsh.nix27
-rw-r--r--nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix1
-rw-r--r--nixpkgs/nixos/modules/rename.nix5
-rw-r--r--nixpkgs/nixos/modules/security/acme.nix19
-rw-r--r--nixpkgs/nixos/modules/security/acme.xml247
-rw-r--r--nixpkgs/nixos/modules/security/apparmor-suid.nix1
-rw-r--r--nixpkgs/nixos/modules/security/doas.nix274
-rw-r--r--nixpkgs/nixos/modules/security/google_oslogin.nix2
-rw-r--r--nixpkgs/nixos/modules/security/pam.nix29
-rw-r--r--nixpkgs/nixos/modules/security/prey.nix51
-rw-r--r--nixpkgs/nixos/modules/security/systemd-confinement.nix5
-rw-r--r--nixpkgs/nixos/modules/services/amqp/rabbitmq.nix1
-rw-r--r--nixpkgs/nixos/modules/services/audio/mopidy.nix4
-rw-r--r--nixpkgs/nixos/modules/services/audio/mpd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/backup/mysql-backup.nix7
-rw-r--r--nixpkgs/nixos/modules/services/backup/postgresql-backup.nix7
-rw-r--r--nixpkgs/nixos/modules/services/backup/znapzend.nix46
-rw-r--r--nixpkgs/nixos/modules/services/cluster/k3s/default.nix101
-rw-r--r--nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix540
-rw-r--r--nixpkgs/nixos/modules/services/databases/clickhouse.nix5
-rw-r--r--nixpkgs/nixos/modules/services/databases/cockroachdb.nix2
-rw-r--r--nixpkgs/nixos/modules/services/databases/firebird.nix7
-rw-r--r--nixpkgs/nixos/modules/services/databases/memcached.nix7
-rw-r--r--nixpkgs/nixos/modules/services/databases/mongodb.nix7
-rw-r--r--nixpkgs/nixos/modules/services/databases/mysql.nix7
-rw-r--r--nixpkgs/nixos/modules/services/databases/openldap.nix4
-rw-r--r--nixpkgs/nixos/modules/services/databases/postgresql.nix22
-rw-r--r--nixpkgs/nixos/modules/services/databases/redis.nix3
-rw-r--r--nixpkgs/nixos/modules/services/databases/virtuoso.nix5
-rw-r--r--nixpkgs/nixos/modules/services/editors/emacs.xml2
-rw-r--r--nixpkgs/nixos/modules/services/hardware/ratbagd.nix7
-rw-r--r--nixpkgs/nixos/modules/services/hardware/thermald.nix7
-rw-r--r--nixpkgs/nixos/modules/services/logging/awstats.nix4
-rw-r--r--nixpkgs/nixos/modules/services/mail/dovecot.nix2
-rw-r--r--nixpkgs/nixos/modules/services/mail/postfix.nix1
-rw-r--r--nixpkgs/nixos/modules/services/mail/roundcube.nix2
-rw-r--r--nixpkgs/nixos/modules/services/mail/rss2email.nix2
-rw-r--r--nixpkgs/nixos/modules/services/mail/spamassassin.nix6
-rw-r--r--nixpkgs/nixos/modules/services/misc/autofs.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/cgminer.nix8
-rwxr-xr-xnixpkgs/nixos/modules/services/misc/confd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/devmon.nix7
-rw-r--r--nixpkgs/nixos/modules/services/misc/disnix.nix10
-rw-r--r--nixpkgs/nixos/modules/services/misc/etcd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/felix.nix5
-rw-r--r--nixpkgs/nixos/modules/services/misc/gitea.nix162
-rw-r--r--nixpkgs/nixos/modules/services/misc/gitlab.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/gogs.nix6
-rw-r--r--nixpkgs/nixos/modules/services/misc/ihaskell.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/leaps.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/nix-daemon.nix5
-rw-r--r--nixpkgs/nixos/modules/services/misc/octoprint.nix9
-rw-r--r--nixpkgs/nixos/modules/services/misc/pykms.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/redmine.nix4
-rw-r--r--nixpkgs/nixos/modules/services/misc/safeeyes.nix5
-rw-r--r--nixpkgs/nixos/modules/services/misc/ssm-agent.nix3
-rw-r--r--nixpkgs/nixos/modules/services/misc/sssd.nix13
-rw-r--r--nixpkgs/nixos/modules/services/misc/svnserve.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/synergy.nix16
-rw-r--r--nixpkgs/nixos/modules/services/misc/zoneminder.nix8
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/bosun.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/grafana.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/scollector.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/tuptime.nix84
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix7
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix6
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix5
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/samba.nix1
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix6
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/amuled.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/avahi-daemon.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/babeld.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/bind.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/bitlbee.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/cntlm.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/consul.nix8
-rw-r--r--nixpkgs/nixos/modules/services/networking/flannel.nix6
-rw-r--r--nixpkgs/nixos/modules/services/networking/flashpolicyd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/gogoclient.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/gvpe.nix8
-rw-r--r--nixpkgs/nixos/modules/services/networking/hostapd.nix40
-rw-r--r--nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/mailpile.nix8
-rw-r--r--nixpkgs/nixos/modules/services/networking/monero.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/ntp/chrony.nix15
-rw-r--r--nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/openfire.nix8
-rw-r--r--nixpkgs/nixos/modules/services/networking/pixiecore.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/prayer.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/prosody.nix398
-rw-r--r--nixpkgs/nixos/modules/services/networking/prosody.xml88
-rw-r--r--nixpkgs/nixos/modules/services/networking/quassel.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/radvd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/rdnssd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/sabnzbd.nix6
-rw-r--r--nixpkgs/nixos/modules/services/networking/shairport-sync.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/skydns.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/ssh/lshd.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/tailscale.nix5
-rw-r--r--nixpkgs/nixos/modules/services/networking/tcpcrypt.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/thelounge.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/wicd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/xinetd.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/yggdrasil.nix11
-rw-r--r--nixpkgs/nixos/modules/services/printing/cupsd.nix16
-rw-r--r--nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix2
-rw-r--r--nixpkgs/nixos/modules/services/security/fprot.nix7
-rw-r--r--nixpkgs/nixos/modules/services/security/hologram-agent.nix4
-rw-r--r--nixpkgs/nixos/modules/services/security/hologram-server.nix2
-rw-r--r--nixpkgs/nixos/modules/services/security/oauth2_proxy.nix31
-rw-r--r--nixpkgs/nixos/modules/services/security/privacyidea.nix279
-rw-r--r--nixpkgs/nixos/modules/services/system/kerberos/default.nix7
-rw-r--r--nixpkgs/nixos/modules/services/system/localtime.nix1
-rw-r--r--nixpkgs/nixos/modules/services/system/nscd.nix18
-rw-r--r--nixpkgs/nixos/modules/services/system/uptimed.nix1
-rw-r--r--nixpkgs/nixos/modules/services/torrent/deluge.nix35
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix508
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/mattermost.nix2
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/mediawiki.nix23
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/nextcloud.nix4
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/tt-rss.nix5
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/wordpress.nix4
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix46
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix2
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/jboss/default.nix2
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/nginx/default.nix53
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix4
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/unit/default.nix30
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/uwsgi.nix20
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix1
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix1
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix1
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix2
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml2
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix3
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/startx.nix1
-rw-r--r--nixpkgs/nixos/modules/services/x11/gdk-pixbuf.nix2
-rw-r--r--nixpkgs/nixos/modules/services/x11/hardware/digimend.nix7
-rw-r--r--nixpkgs/nixos/modules/services/x11/hardware/wacom.nix1
-rw-r--r--nixpkgs/nixos/modules/services/x11/picom.nix187
-rw-r--r--nixpkgs/nixos/modules/services/x11/window-managers/berry.nix25
-rw-r--r--nixpkgs/nixos/modules/services/x11/window-managers/default.nix5
-rw-r--r--nixpkgs/nixos/modules/services/x11/window-managers/lwm.nix25
-rw-r--r--nixpkgs/nixos/modules/services/x11/window-managers/smallwm.nix25
-rw-r--r--nixpkgs/nixos/modules/services/x11/window-managers/tinywm.nix25
-rw-r--r--nixpkgs/nixos/modules/services/x11/window-managers/yeahwm.nix25
-rw-r--r--nixpkgs/nixos/modules/system/boot/binfmt.nix9
-rw-r--r--nixpkgs/nixos/modules/system/boot/initrd-ssh.nix10
-rw-r--r--nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix4
-rw-r--r--nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix2
-rw-r--r--nixpkgs/nixos/modules/system/boot/networkd.nix141
-rw-r--r--nixpkgs/nixos/modules/system/boot/resolved.nix4
-rw-r--r--nixpkgs/nixos/modules/system/boot/stage-1.nix21
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd.nix109
-rw-r--r--nixpkgs/nixos/modules/tasks/filesystems/zfs.nix11
-rw-r--r--nixpkgs/nixos/modules/virtualisation/containers.nix879
-rw-r--r--nixpkgs/nixos/modules/virtualisation/cri-o.nix59
-rw-r--r--nixpkgs/nixos/modules/virtualisation/ec2-amis.nix54
-rw-r--r--nixpkgs/nixos/modules/virtualisation/ecs-agent.nix3
-rw-r--r--nixpkgs/nixos/modules/virtualisation/libvirtd.nix15
-rw-r--r--nixpkgs/nixos/modules/virtualisation/lxd.nix2
-rw-r--r--nixpkgs/nixos/modules/virtualisation/nixos-containers.nix844
-rw-r--r--nixpkgs/nixos/modules/virtualisation/oci-containers.nix (renamed from nixpkgs/nixos/modules/virtualisation/docker-containers.nix)124
-rw-r--r--nixpkgs/nixos/modules/virtualisation/podman.nix123
-rw-r--r--nixpkgs/nixos/modules/virtualisation/qemu-vm.nix15
-rw-r--r--nixpkgs/nixos/modules/virtualisation/rkt.nix64
-rw-r--r--nixpkgs/nixos/modules/virtualisation/xen-dom0.nix11
198 files changed, 4748 insertions, 2137 deletions
diff --git a/nixpkgs/nixos/modules/config/fonts/fontconfig.nix b/nixpkgs/nixos/modules/config/fonts/fontconfig.nix
index 3bfa1893a8b..6ac64b0ec9c 100644
--- a/nixpkgs/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixpkgs/nixos/modules/config/fonts/fontconfig.nix
@@ -45,6 +45,9 @@ let
# generate the font cache setting file for a fontconfig version
# use latest when no version is passed
+ # When cross-compiling, we can’t generate the cache, so we skip the
+ # <cachedir> part. fontconfig still works but is a little slower in
+ # looking things up.
makeCacheConf = { version ? null }:
let
fcPackage = if version == null
@@ -60,11 +63,13 @@ let
<fontconfig>
<!-- Font directories -->
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
+ ${optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) ''
<!-- Pre-generated font caches -->
<cachedir>${cache}</cachedir>
${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
<cachedir>${cache32}</cachedir>
''}
+ ''}
</fontconfig>
'';
diff --git a/nixpkgs/nixos/modules/config/fonts/fontdir.nix b/nixpkgs/nixos/modules/config/fonts/fontdir.nix
index cc70fbf8744..a6aa84ae822 100644
--- a/nixpkgs/nixos/modules/config/fonts/fontdir.nix
+++ b/nixpkgs/nixos/modules/config/fonts/fontdir.nix
@@ -25,6 +25,7 @@ in
fonts = {
enableFontDir = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to create a directory with links to all fonts in
diff --git a/nixpkgs/nixos/modules/config/fonts/ghostscript.nix b/nixpkgs/nixos/modules/config/fonts/ghostscript.nix
index 1c62a525de9..b1dd81bf2d2 100644
--- a/nixpkgs/nixos/modules/config/fonts/ghostscript.nix
+++ b/nixpkgs/nixos/modules/config/fonts/ghostscript.nix
@@ -9,6 +9,7 @@ with lib;
fonts = {
enableGhostscriptFonts = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to add the fonts provided by Ghostscript (such as
diff --git a/nixpkgs/nixos/modules/config/ldap.nix b/nixpkgs/nixos/modules/config/ldap.nix
index b554f197dc4..1a5dbcd4e26 100644
--- a/nixpkgs/nixos/modules/config/ldap.nix
+++ b/nixpkgs/nixos/modules/config/ldap.nix
@@ -88,6 +88,7 @@ in
};
useTLS = mkOption {
+ type = types.bool;
default = false;
description = ''
If enabled, use TLS (encryption) over an LDAP (port 389)
@@ -109,6 +110,7 @@ in
daemon = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to let the nslcd daemon (nss-pam-ldapd) handle the
@@ -242,6 +244,10 @@ in
if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
);
+ system.nssDatabases.group = optional cfg.nsswitch "ldap";
+ system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
+ system.nssDatabases.shadow = optional cfg.nsswitch "ldap";
+
users = mkIf cfg.daemon.enable {
groups.nslcd = {
gid = config.ids.gids.nslcd;
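Review bot: The three system.nssDatabases definitions are gated only on cfg.nsswitch, whereas the logic they replace in config/nsswitch.nix also required users.ldap.enable (and nscd). If the enclosing config set, which starts outside this hunk, is not wrapped in `mkIf cfg.enable`, "ldap" would be listed in nsswitch.conf — including for the shadow database — on systems that have LDAP switched off; if it is wrapped, a one-line comment saying so would spare the next reader the lookup, e.g. `# Only evaluated under mkIf cfg.enable; cfg.nsswitch additionally controls the nsswitch.conf entries.`. The three identical lines could also be expressed once as `system.nssDatabases = genAttrs [ "group" "passwd" "shadow" ] (_: optional cfg.nsswitch "ldap");`.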
diff --git a/nixpkgs/nixos/modules/config/networking.nix b/nixpkgs/nixos/modules/config/networking.nix
index dd36696b94d..03944de8249 100644
--- a/nixpkgs/nixos/modules/config/networking.nix
+++ b/nixpkgs/nixos/modules/config/networking.nix
@@ -197,7 +197,7 @@ in
} // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") {
# /etc/rpc: RPC program numbers.
- rpc.source = pkgs.glibc.out + "/etc/rpc";
+ rpc.source = pkgs.stdenv.cc.libc.out + "/etc/rpc";
};
networking.proxy.envVars =
diff --git a/nixpkgs/nixos/modules/config/nsswitch.nix b/nixpkgs/nixos/modules/config/nsswitch.nix
index 13277fe56e4..d19d35a4890 100644
--- a/nixpkgs/nixos/modules/config/nsswitch.nix
+++ b/nixpkgs/nixos/modules/config/nsswitch.nix
@@ -4,43 +4,7 @@
with lib;
-let
-
- # only with nscd up and running we can load NSS modules that are not integrated in NSS
- canLoadExternalModules = config.services.nscd.enable;
- myhostname = canLoadExternalModules;
- mymachines = canLoadExternalModules;
- nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
- nsswins = canLoadExternalModules && config.services.samba.nsswins;
- ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
- sssd = canLoadExternalModules && config.services.sssd.enable;
- resolved = canLoadExternalModules && config.services.resolved.enable;
- googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable;
-
- hostArray = [ "files" ]
- ++ optional mymachines "mymachines"
- ++ optional nssmdns "mdns_minimal [NOTFOUND=return]"
- ++ optional nsswins "wins"
- ++ optional resolved "resolve [!UNAVAIL=return]"
- ++ [ "dns" ]
- ++ optional nssmdns "mdns"
- ++ optional myhostname "myhostname";
-
- passwdArray = [ "files" ]
- ++ optional sssd "sss"
- ++ optional ldap "ldap"
- ++ optional mymachines "mymachines"
- ++ optional googleOsLogin "cache_oslogin oslogin"
- ++ [ "systemd" ];
-
- shadowArray = [ "files" ]
- ++ optional sssd "sss"
- ++ optional ldap "ldap";
-
- servicesArray = [ "files" ]
- ++ optional sssd "sss";
-
-in {
+{
options = {
# NSS modules. Hacky!
@@ -61,56 +25,109 @@ in {
};
};
- system.nssHosts = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "mdns" ];
- description = ''
- List of host entries to configure in <filename>/etc/nsswitch.conf</filename>.
- '';
- };
+ system.nssDatabases = {
+ passwd = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ List of passwd entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+ Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
+
+ This option only takes effect if nscd is enabled.
+ '';
+ default = [];
+ };
+
+ group = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ List of group entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+ Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
+
+ This option only takes effect if nscd is enabled.
+ '';
+ default = [];
+ };
+
+ shadow = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ List of shadow entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+ Note that "files" is always prepended.
+
+ This option only takes effect if nscd is enabled.
+ '';
+ default = [];
+ };
+ hosts = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ List of hosts entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+ Note that "files" is always prepended, and "dns" and "myhostname" are always appended.
+
+ This option only takes effect if nscd is enabled.
+ '';
+ default = [];
+ };
+
+ services = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ List of services entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+ Note that "files" is always prepended.
+
+ This option only takes effect if nscd is enabled.
+ '';
+ default = [];
+ };
+ };
};
+ imports = [
+ (mkRenamedOptionModule [ "system" "nssHosts" ] [ "system" "nssDatabases" "hosts" ])
+ ];
+
config = {
assertions = [
{
- # generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
- assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
- message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
- }
- {
- # resolved does not need to add to nssModules, therefore needs an extra assertion
- assertion = resolved -> canLoadExternalModules;
- message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";
+ # Prevent users from disabling nscd, with nssModules being set.
+ # If disabling nscd is really necessary, it's still possible to opt out
+ # by forcing config.system.nssModules to [].
+ assertion = config.system.nssModules.path != "" -> config.services.nscd.enable;
+ message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}), requires services.nscd.enable being set to true.";
}
];
# Name Service Switch configuration file. Required by the C
- # library. !!! Factor out the mdns stuff. The avahi module
- # should define an option used by this module.
+ # library.
environment.etc."nsswitch.conf".text = ''
- passwd: ${concatStringsSep " " passwdArray}
- group: ${concatStringsSep " " passwdArray}
- shadow: ${concatStringsSep " " shadowArray}
+ passwd: ${concatStringsSep " " config.system.nssDatabases.passwd}
+ group: ${concatStringsSep " " config.system.nssDatabases.group}
+ shadow: ${concatStringsSep " " config.system.nssDatabases.shadow}
- hosts: ${concatStringsSep " " config.system.nssHosts}
+ hosts: ${concatStringsSep " " config.system.nssDatabases.hosts}
networks: files
ethers: files
- services: ${concatStringsSep " " servicesArray}
+ services: ${concatStringsSep " " config.system.nssDatabases.services}
protocols: files
rpc: files
'';
- system.nssHosts = hostArray;
-
- # Systemd provides nss-myhostname to ensure that our hostname
- # always resolves to a valid IP address. It returns all locally
- # configured IP addresses, or ::1 and 127.0.0.2 as
- # fallbacks. Systemd also provides nss-mymachines to return IP
- # addresses of local containers.
- system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ])
- ++ optional googleOsLogin pkgs.google-compute-engine-oslogin.out;
+ system.nssDatabases = {
+ passwd = mkBefore [ "files" ];
+ group = mkBefore [ "files" ];
+ shadow = mkBefore [ "files" ];
+ hosts = mkMerge [
+ (mkBefore [ "files" ])
+ (mkAfter [ "dns" ])
+ ];
+ services = mkBefore [ "files" ];
+ };
};
}
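Review bot: The relative order of entries that different modules contribute to system.nssDatabases.* is no longer fixed anywhere in this file — the removed passwdArray/hostArray pinned e.g. "sss" before "ldap" and "mdns_minimal [NOTFOUND=return]" before "dns", while the definitions at the end of this hunk only pin "files" first and, for hosts, "dns" last. Lookup order decides which backend answers and, with `[NOTFOUND=return]`-style actions, whether later backends are consulted at all, so the option descriptions should say that entries are merged across modules and that relative ordering has to be expressed with mkOrder/mkBefore/mkAfter by each contributing module. The descriptions also state that "systemd" is appended to passwd/group and "myhostname" to hosts, and that the options "only take effect if nscd is enabled", but this hunk appends neither and the nsswitch.conf template substitutes the lists unconditionally — presumably nscd.nix in this merge's diffstat supplies those pieces, which cannot be confirmed from here. The dropped resolved-specific assertion existed because nss-resolve was not listed in nssModules; unless resolved.nix now adds systemd to nssModules, the remaining assertion no longer catches resolved being enabled without nscd.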
diff --git a/nixpkgs/nixos/modules/config/qt5.nix b/nixpkgs/nixos/modules/config/qt5.nix
index d9dec74f155..eabba9ad95f 100644
--- a/nixpkgs/nixos/modules/config/qt5.nix
+++ b/nixpkgs/nixos/modules/config/qt5.nix
@@ -6,8 +6,8 @@ let
cfg = config.qt5;
- isQGnome = cfg.platformTheme == "gnome" && cfg.style == "adwaita";
- isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita";
+ isQGnome = cfg.platformTheme == "gnome" && builtins.elem cfg.style ["adwaita" "adwaita-dark"];
+ isQtStyle = cfg.platformTheme == "gtk2" && !(builtins.elem cfg.style ["adwaita" "adwaita-dark"]);
packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ]
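Review bot: The style list `["adwaita" "adwaita-dark"]` is now spelled twice in the isQGnome and isQtStyle lines, so the next Adwaita variant has to be added in both places (and in the enum further down). Hoisting it into one binding keeps the two predicates in sync, e.g. `isAdwaitaStyle = builtins.elem cfg.style [ "adwaita" "adwaita-dark" ];` followed by `isQGnome = cfg.platformTheme == "gnome" && isAdwaitaStyle;` and `isQtStyle = cfg.platformTheme == "gtk2" && !isAdwaitaStyle;`.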
@@ -55,6 +55,7 @@ in
style = mkOption {
type = types.enum [
"adwaita"
+ "adwaita-dark"
"cleanlooks"
"gtk2"
"motif"
@@ -71,6 +72,7 @@ in
<variablelist>
<varlistentry>
<term><literal>adwaita</literal></term>
+ <term><literal>adwaita-dark</literal></term>
<listitem><para>Use Adwaita Qt style with
<link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link>
</para></listitem>
diff --git a/nixpkgs/nixos/modules/hardware/all-firmware.nix b/nixpkgs/nixos/modules/hardware/all-firmware.nix
index 16be8bcfdd7..b07edb0f6ac 100644
--- a/nixpkgs/nixos/modules/hardware/all-firmware.nix
+++ b/nixpkgs/nixos/modules/hardware/all-firmware.nix
@@ -51,6 +51,7 @@ in {
rtlwifi_new-firmware
zd1211fw
alsa-firmware
+ sof-firmware
openelec-dvb-firmware
] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware
++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [
diff --git a/nixpkgs/nixos/modules/hardware/device-tree.nix b/nixpkgs/nixos/modules/hardware/device-tree.nix
index f57502d4c83..cf553497c89 100644
--- a/nixpkgs/nixos/modules/hardware/device-tree.nix
+++ b/nixpkgs/nixos/modules/hardware/device-tree.nix
@@ -19,7 +19,7 @@ in {
base = mkOption {
default = "${config.boot.kernelPackages.kernel}/dtbs";
defaultText = "\${config.boot.kernelPackages.kernel}/dtbs";
- example = literalExample "pkgs.deviceTree_rpi";
+ example = literalExample "pkgs.device-tree_rpi";
type = types.path;
description = ''
The package containing the base device-tree (.dtb) to boot. Contains
@@ -30,7 +30,7 @@ in {
overlays = mkOption {
default = [];
example = literalExample
- "[\"\${pkgs.deviceTree_rpi.overlays}/w1-gpio.dtbo\"]";
+ "[\"\${pkgs.device-tree_rpi.overlays}/w1-gpio.dtbo\"]";
type = types.listOf types.path;
description = ''
A path containing device tree overlays (.dtbo) to be applied to all
diff --git a/nixpkgs/nixos/modules/hardware/opengl.nix b/nixpkgs/nixos/modules/hardware/opengl.nix
index 28cddea8b79..061528f4b1b 100644
--- a/nixpkgs/nixos/modules/hardware/opengl.nix
+++ b/nixpkgs/nixos/modules/hardware/opengl.nix
@@ -10,14 +10,6 @@ let
videoDrivers = config.services.xserver.videoDrivers;
- makePackage = p: pkgs.buildEnv {
- name = "mesa-drivers+txc-${p.mesa.version}";
- paths =
- [ p.mesa.drivers
- (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
- ];
- };
-
package = pkgs.buildEnv {
name = "opengl-drivers";
paths = [ cfg.package ] ++ cfg.extraPackages;
@@ -34,6 +26,9 @@ in
imports = [
(mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ])
+ (mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] ''
+ S3TC support is now always enabled in Mesa.
+ '')
];
options = {
@@ -74,17 +69,6 @@ in
'';
};
- s3tcSupport = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Make S3TC(S3 Texture Compression) via libtxc_dxtn available
- to OpenGL drivers instead of the patent-free S2TC replacement.
-
- Using this library may require a patent license depending on your location.
- '';
- };
-
package = mkOption {
type = types.package;
internal = true;
@@ -166,8 +150,8 @@ in
environment.sessionVariables.LD_LIBRARY_PATH = mkIf cfg.setLdLibraryPath
([ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib");
- hardware.opengl.package = mkDefault (makePackage pkgs);
- hardware.opengl.package32 = mkDefault (makePackage pkgs.pkgsi686Linux);
+ hardware.opengl.package = mkDefault pkgs.mesa.drivers;
+ hardware.opengl.package32 = mkDefault pkgs.pkgsi686Linux.mesa.drivers;
boot.extraModulePackages = optional (elem "virtualbox" videoDrivers) kernelPackages.virtualboxGuestAdditions;
};
diff --git a/nixpkgs/nixos/modules/hardware/video/nvidia.nix b/nixpkgs/nixos/modules/hardware/video/nvidia.nix
index 7461e231402..6328971492c 100644
--- a/nixpkgs/nixos/modules/hardware/video/nvidia.nix
+++ b/nixpkgs/nixos/modules/hardware/video/nvidia.nix
@@ -34,10 +34,12 @@ let
enabled = nvidia_x11 != null;
cfg = config.hardware.nvidia;
+
pCfg = cfg.prime;
syncCfg = pCfg.sync;
offloadCfg = pCfg.offload;
primeEnabled = syncCfg.enable || offloadCfg.enable;
+ nvidiaPersistencedEnabled = cfg.nvidiaPersistenced;
in
{
@@ -50,6 +52,15 @@ in
];
options = {
+ hardware.nvidia.powerManagement.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Experimental power management through systemd. For more information, see
+ the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
+ '';
+ };
+
hardware.nvidia.modesetting.enable = mkOption {
type = types.bool;
default = false;
@@ -129,6 +140,15 @@ in
<option>hardware.nvidia.prime.intelBusId</option>).
'';
};
+
+ hardware.nvidia.nvidiaPersistenced = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all
+ GPUs stay awake even during headless mode.
+ '';
+ };
};
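Review bot: The description of hardware.nvidia.nvidiaPersistenced misspells the vendor (`NVIDA`) and opens with "Update for", which does not say what enabling it does; suggest `Whether to run nvidia-persistenced, which keeps the GPUs initialised while no client such as an X server holds them open (headless / compute use).`. The option name repeats the `nvidia` prefix (hardware.nvidia.nvidiaPersistenced), unlike the sibling `hardware.nvidia.powerManagement.enable` added earlier in this file; a `hardware.nvidia.persistenced.enable` name would match, with a mkRenamedOptionModule in the imports list if the current name has already been published.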
config = mkIf enabled {
@@ -215,6 +235,46 @@ in
environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ]
++ filter (p: p != null) [ nvidia_x11.persistenced ];
+ systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
+
+ systemd.services = let
+ baseNvidiaService = state: {
+ description = "NVIDIA system ${state} actions";
+
+ path = with pkgs; [ kbd ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
+ };
+ };
+
+ nvidiaService = sleepState: (baseNvidiaService sleepState) // {
+ before = [ "systemd-${sleepState}.service" ];
+ requiredBy = [ "systemd-${sleepState}.service" ];
+ };
+
+ services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
+ // {
+ nvidia-resume = (baseNvidiaService "resume") // {
+ after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
+ requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
+ };
+ };
+ in optionalAttrs cfg.powerManagement.enable services
+ // optionalAttrs nvidiaPersistencedEnabled {
+ "nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
+ description = "NVIDIA Persistence Daemon";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "forking";
+ Restart = "always";
+ PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
+ ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
+ ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
+ };
+ };
+ };
+
systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
"L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
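Review bot: The nvidia-persistenced ExecStart interpolates `${nvidia_x11.persistenced}` without a null check, although the tmpfiles rule right below this hunk guards on `nvidia_x11.persistenced != null` — enabling hardware.nvidia.nvidiaPersistenced with a driver package that has no persistenced would fail at evaluation with an interpolation error instead of a readable message, so an assertion naming the cause belongs next to the service. The `mkIf nvidiaPersistencedEnabled` inside `optionalAttrs nvidiaPersistencedEnabled` is redundant. Creating the pid directory under the legacy `/var/run` path and deleting it with `rm -rf` in ExecStopPost can be replaced by `RuntimeDirectory = "nvidia-persistenced"`, which makes systemd create `/run/nvidia-persistenced` before start and remove it on stop, and keeps the unit from running an unscoped rm. The enclosing `config = mkIf enabled` set starts outside this hunk.
```nix
    in optionalAttrs cfg.powerManagement.enable services
    // optionalAttrs nvidiaPersistencedEnabled {
      nvidia-persistenced = {
        description = "NVIDIA Persistence Daemon";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          Type = "forking";
          Restart = "always";
          # systemd creates /run/nvidia-persistenced before start and removes it
          # on stop, replacing the rm -rf in ExecStopPost.
          RuntimeDirectory = "nvidia-persistenced";
          PIDFile = "/run/nvidia-persistenced/nvidia-persistenced.pid";
          ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
        };
      };
    };

  assertions = [
    {
      assertion = cfg.nvidiaPersistenced -> nvidia_x11.persistenced != null;
      message = "hardware.nvidia.nvidiaPersistenced requires a driver package that ships nvidia-persistenced.";
    }
  ];
```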
@@ -227,7 +287,8 @@ in
optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
# If requested enable modesetting via kernel parameter.
- boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1";
+ boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
+ ++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
# Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
services.udev.extraRules =
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix
index 9303e8fde13..6c7ea293e8a 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix
@@ -1,7 +1,7 @@
# This module contains the basic configuration for building a NixOS
# installation CD.
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }:
with lib;
@@ -15,6 +15,9 @@ with lib;
../../profiles/installation-device.nix
];
+ # Adds terminus_font for people with HiDPI displays
+ console.packages = options.console.packages.default ++ [ pkgs.terminus_font ];
+
# ISO naming.
isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
index 84394a1ecae..3707c4b7ec6 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
@@ -11,9 +11,6 @@ with lib;
services.xserver.desktopManager.gnome3.enable = true;
- # Wayland can be problematic for some hardware like Nvidia graphics cards.
- services.xserver.displayManager.defaultSession = "gnome-xorg";
-
services.xserver.displayManager.gdm = {
enable = true;
# autoSuspend makes the machine automatically suspend after inactivity.
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
index a32c19a4eba..422c405054d 100644
--- a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -180,7 +180,7 @@ sub pciCheck {
) )
{
# we need e.g. brcmfmac43602-pcie.bin
- push @imports, "<nixpkgs/nixos/modules/hardware/network/broadcom-43xx.nix>";
+ push @imports, "(modulesPath + \"/hardware/network/broadcom-43xx.nix\")";
}
# Can't rely on $module here, since the module may not be loaded
@@ -279,7 +279,7 @@ if ($virt eq "oracle") {
# Likewise for QEMU.
if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") {
- push @imports, "<nixpkgs/nixos/modules/profiles/qemu-guest.nix>";
+ push @imports, "(modulesPath + \"/profiles/qemu-guest.nix\")";
}
# Also for Hyper-V.
@@ -296,7 +296,7 @@ if ($virt eq "systemd-nspawn") {
# Provide firmware for devices that are not detected by this script,
# unless we're in a VM/container.
-push @imports, "<nixpkgs/nixos/modules/installer/scan/not-detected.nix>"
+push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")"
if $virt eq "none";
@@ -549,7 +549,7 @@ my $hwConfig = <<EOF;
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
{
imports =${\multiLineList(" ", @imports)};
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-install.sh b/nixpkgs/nixos/modules/installer/tools/nixos-install.sh
index a3ff3fe2c0c..1bccbbfaf24 100644
--- a/nixpkgs/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-install.sh
@@ -15,7 +15,6 @@ mountPoint=/mnt
channelPath=
system=
verbosity=()
-buildLogs=
while [ "$#" -gt 0 ]; do
i="$1"; shift 1
@@ -60,9 +59,6 @@ while [ "$#" -gt 0 ]; do
-v*|--verbose)
verbosity+=("$i")
;;
- -L|--print-build-logs)
- buildLogs="$i"
- ;;
*)
echo "$0: unknown option \`$i'"
exit 1
@@ -91,8 +87,11 @@ if [[ ! -e $NIXOS_CONFIG && -z $system ]]; then
fi
# A place to drop temporary stuff.
+tmpdir="$(mktemp -d -p $mountPoint)"
trap "rm -rf $tmpdir" EXIT
-tmpdir="$(mktemp -d)"
+
+# store temporary files on target filesystem by default
+export TMPDIR=${TMPDIR:-$tmpdir}
sub="auto?trusted=1"
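Review bot: `tmpdir="$(mktemp -d -p $mountPoint)"` leaves `$mountPoint` unquoted, and the trap on the next line bakes the expanded path into a double-quoted string at definition time, so a mount point containing whitespace or glob characters would both mis-create the directory and make the EXIT handler `rm -rf` the wrong words. Now that `tmpdir` is assigned before the trap is installed, the trap can defer expansion safely: `tmpdir="$(mktemp -d -p "$mountPoint")"` followed by `trap 'rm -rf "$tmpdir"' EXIT`. The comment "store temporary files on target filesystem by default" only holds when the caller has not exported TMPDIR, since `${TMPDIR:-$tmpdir}` keeps an inherited value; saying so in the comment would avoid surprise when the apparent goal (keeping large builds off the live medium's tmpfs) is defeated by an environment that already sets it.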
@@ -100,9 +99,9 @@ sub="auto?trusted=1"
if [[ -z $system ]]; then
echo "building the configuration in $NIXOS_CONFIG..."
outLink="$tmpdir/system"
- nix build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \
+ nix-build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \
--extra-substituters "$sub" \
- -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" ${verbosity[@]} ${buildLogs}
+ '<nixpkgs/nixos>' -A system -I "nixos-config=$NIXOS_CONFIG" ${verbosity[@]}
system=$(readlink -f $outLink)
fi
diff --git a/nixpkgs/nixos/modules/installer/tools/tools.nix b/nixpkgs/nixos/modules/installer/tools/tools.nix
index 655d77db157..11128621424 100644
--- a/nixpkgs/nixos/modules/installer/tools/tools.nix
+++ b/nixpkgs/nixos/modules/installer/tools/tools.nix
@@ -111,10 +111,10 @@ in
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
- # i18n = {
- # consoleFont = "Lat2-Terminus16";
- # consoleKeyMap = "us";
- # defaultLocale = "en_US.UTF-8";
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
# };
# Set your time zone.
diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix
index ae98fba1580..a6fffb76f6e 100644
--- a/nixpkgs/nixos/modules/misc/version.nix
+++ b/nixpkgs/nixos/modules/misc/version.nix
@@ -109,8 +109,8 @@ in
PRETTY_NAME="NixOS ${cfg.release} (${cfg.codeName})"
LOGO="nix-snowflake"
HOME_URL="https://nixos.org/"
- DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html"
- SUPPORT_URL="https://nixos.org/nixos/support.html"
+ DOCUMENTATION_URL="https://nixos.org/learn.html"
+ SUPPORT_URL="https://nixos.org/community.html"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
'';
diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix
index 039c1203f5f..d1cbd6fbfdd 100644
--- a/nixpkgs/nixos/modules/module-list.nix
+++ b/nixpkgs/nixos/modules/module-list.nix
@@ -196,11 +196,11 @@
./security/pam_usb.nix
./security/pam_mount.nix
./security/polkit.nix
- ./security/prey.nix
./security/rngd.nix
./security/rtkit.nix
./security/wrappers/default.nix
./security/sudo.nix
+ ./security/doas.nix
./security/systemd-confinement.nix
./security/tpm2.nix
./services/admin/oxidized.nix
@@ -238,6 +238,7 @@
./services/backup/zfs-replication.nix
./services/backup/znapzend.nix
./services/cluster/hadoop/default.nix
+ ./services/cluster/k3s/default.nix
./services/cluster/kubernetes/addons/dns.nix
./services/cluster/kubernetes/addons/dashboard.nix
./services/cluster/kubernetes/addon-manager.nix
@@ -545,6 +546,7 @@
./services/monitoring/teamviewer.nix
./services/monitoring/telegraf.nix
./services/monitoring/thanos.nix
+ ./services/monitoring/tuptime.nix
./services/monitoring/ups.nix
./services/monitoring/uptime.nix
./services/monitoring/vnstat.nix
@@ -791,6 +793,7 @@
./services/security/nginx-sso.nix
./services/security/oauth2_proxy.nix
./services/security/oauth2_proxy_nginx.nix
+ ./services/security/privacyidea.nix
./services/security/physlock.nix
./services/security/shibboleth-sp.nix
./services/security/sks.nix
@@ -983,9 +986,10 @@
./virtualisation/anbox.nix
./virtualisation/container-config.nix
./virtualisation/containers.nix
+ ./virtualisation/nixos-containers.nix
+ ./virtualisation/oci-containers.nix
./virtualisation/cri-o.nix
./virtualisation/docker.nix
- ./virtualisation/docker-containers.nix
./virtualisation/ecs-agent.nix
./virtualisation/libvirtd.nix
./virtualisation/lxc.nix
@@ -996,9 +1000,9 @@
./virtualisation/kvmgt.nix
./virtualisation/openvswitch.nix
./virtualisation/parallels-guest.nix
+ ./virtualisation/podman.nix
./virtualisation/qemu-guest-agent.nix
./virtualisation/railcar.nix
- ./virtualisation/rkt.nix
./virtualisation/virtualbox-guest.nix
./virtualisation/virtualbox-host.nix
./virtualisation/vmware-guest.nix
diff --git a/nixpkgs/nixos/modules/profiles/docker-container.nix b/nixpkgs/nixos/modules/profiles/docker-container.nix
index 5d6b11498b5..183645de36f 100644
--- a/nixpkgs/nixos/modules/profiles/docker-container.nix
+++ b/nixpkgs/nixos/modules/profiles/docker-container.nix
@@ -2,6 +2,8 @@
with lib;
+let inherit (pkgs) writeScript; in
+
let
pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
@@ -30,7 +32,12 @@ in {
];
# Some container managers like lxc need these
- extraCommands = "mkdir -p proc sys dev";
+ extraCommands =
+ let script = writeScript "extra-commands.sh" ''
+ rm etc
+ mkdir -p proc sys dev etc
+ '';
+ in script;
};
boot.isContainer = true;
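Review bot: The script handed to `extraCommands` through `writeScript` has no shebang line, so whether `rm etc` and the `mkdir` actually execute depends on how the consumer of `extraCommands` invokes the store path; a direct exec of a shebang-less file fails with ENOEXEC and only succeeds through a shell's fallback. `pkgs.writeShellScript "extra-commands.sh" ''…''` prepends `#!${pkgs.runtimeShell}` and makes the contract explicit. `rm etc` without `-f` also fails when the layer root has no `etc` entry yet, which aborts the build if the caller runs under `set -e`; `rm -f etc` keeps the evident intent (replace whatever `etc` was with a real directory) — confirm against the dockerTools layer script that consumes this string, which is not visible here.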
diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix
index 35743d83134..ef8c0d74f06 100644
--- a/nixpkgs/nixos/modules/profiles/hardened.nix
+++ b/nixpkgs/nixos/modules/profiles/hardened.nix
@@ -7,7 +7,7 @@ with lib;
{
meta = {
- maintainers = [ maintainers.joachifm ];
+ maintainers = [ maintainers.joachifm maintainers.emily ];
};
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
@@ -21,8 +21,6 @@ with lib;
security.lockKernelModules = mkDefault true;
- security.allowUserNamespaces = mkDefault false;
-
security.protectKernelImage = mkDefault true;
security.allowSimultaneousMultithreading = mkDefault false;
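Review bot: Dropping `security.allowUserNamespaces = mkDefault false;` re-enables unprivileged user namespaces on every system that imports this profile, which is a large share of the unprivileged-reachable kernel attack surface the profile exists to cut. If the rationale is that `linuxPackages_hardened` restricts them on its own, that only holds while `boot.kernelPackages` keeps the `mkDefault` value set a few lines up; a user who overrides the kernel (ZFS, newer hardware) silently loses the restriction. Keeping the `mkDefault` line costs nothing on the hardened kernel; at minimum a comment should record the dependency, e.g. `# userns restriction is expected from the hardened kernel config; set security.allowUserNamespaces = false explicitly if you change boot.kernelPackages`.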
@@ -37,15 +35,9 @@ with lib;
# Slab/slub sanity checks, redzoning, and poisoning
"slub_debug=FZP"
- # Disable slab merging to make certain heap overflow attacks harder
- "slab_nomerge"
-
# Overwrite free'd memory
"page_poison=1"
- # Disable legacy virtual syscalls
- "vsyscall=none"
-
# Enable page allocator randomization
"page_alloc.shuffle=1"
];
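Review bot: `slab_nomerge` and `vsyscall=none` are removed from `boot.kernelParams` without replacement, and the remaining comments no longer explain why `slub_debug=FZP` and `page_poison=1` stay while their neighbours go. Both parameters are harmless no-ops on a kernel whose config already enforces them (presumably the reason for the removal), but they were the only thing keeping the legacy vsyscall page disabled and slab caches unmerged when the profile's `mkDefault` kernel is overridden. Suggest keeping them, or documenting the dependency next to the list: `# Assumes linuxPackages_hardened: vsyscall=none and slab_nomerge come from its kernel config.`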
@@ -82,38 +74,12 @@ with lib;
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
- # Restrict access to kernel ring buffer (information leaks)
- boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
-
# Hide kptrs even for processes with CAP_SYSLOG
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
- # Unprivileged access to bpf() has been used for privilege escalation in
- # the past
- boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
-
# Disable bpf() JIT (to eliminate spray attacks)
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
- # ... or at least apply some hardening to it
- boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
-
- # Raise ASLR entropy for 64bit & 32bit, respectively.
- #
- # Note: mmap_rnd_compat_bits may not exist on 64bit.
- boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
- boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
-
- # Allowing users to mmap() memory starting at virtual address 0 can turn a
- # NULL dereference bug in the kernel into code execution with elevated
- # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
- # space. This breaks applications that require mapping the 0 page, such as
- # dosemu or running 16bit applications under wine. It also breaks older
- # versions of qemu.
- #
- # The value is taken from the KSPP recommendations (Debian uses 4096).
- boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
-
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
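Review bot: The removed sysctls (`kernel.dmesg_restrict`, `kernel.unprivileged_bpf_disabled`, `net.core.bpf_jit_harden`, `vm.mmap_rnd_bits`, `vm.mmap_rnd_compat_bits`, `vm.mmap_min_addr`) were all `mkDefault` and so cost nothing on a kernel that already enforces them, but after this hunk the profile enforces them on no kernel at all. `kernel.unprivileged_bpf_disabled` and `vm.mmap_min_addr` in particular are runtime knobs that an overriding `boot.kernelPackages` (still only `mkDefault` in this file) will not carry, and nothing in the diff records which kernel config option is meant to stand in for each. If the intent is to rely on `linuxPackages_hardened`, keep the settings as defaults or add one comment per removed knob naming its replacement, e.g. `# dmesg_restrict: provided by CONFIG_SECURITY_DMESG_RESTRICT in the hardened config — confirm`. Note also that `net.core.bpf_jit_harden` covered the case where a user re-enables the JIT that `net.core.bpf_jit_enable = mkDefault false` (kept just above) turns off; without it that override now yields an unhardened JIT.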
@@ -140,7 +106,4 @@ with lib;
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
-
- # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
- boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
}
diff --git a/nixpkgs/nixos/modules/programs/cdemu.nix b/nixpkgs/nixos/modules/programs/cdemu.nix
index 6a0185d362c..a59cd93cadf 100644
--- a/nixpkgs/nixos/modules/programs/cdemu.nix
+++ b/nixpkgs/nixos/modules/programs/cdemu.nix
@@ -8,6 +8,7 @@ in {
options = {
programs.cdemu = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
<command>cdemu</command> for members of
diff --git a/nixpkgs/nixos/modules/programs/chromium.nix b/nixpkgs/nixos/modules/programs/chromium.nix
index 41c49db8c71..16c063ebc89 100644
--- a/nixpkgs/nixos/modules/programs/chromium.nix
+++ b/nixpkgs/nixos/modules/programs/chromium.nix
@@ -9,9 +9,7 @@ let
HomepageLocation = cfg.homepageLocation;
DefaultSearchProviderSearchURL = cfg.defaultSearchProviderSearchURL;
DefaultSearchProviderSuggestURL = cfg.defaultSearchProviderSuggestURL;
- ExtensionInstallForcelist = map (extension:
- "${extension};https://clients2.google.com/service/update2/crx"
- ) cfg.extensions;
+ ExtensionInstallForcelist = cfg.extensions;
};
in
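Review bot: `ExtensionInstallForcelist = cfg.extensions;` now passes each entry through verbatim, so the option carries Chrome's `id;updateUrl` syntax and a malformed entry (a Web Store URL pasted instead of an id, or a trailing `;`) lands in the policy file with no evaluation-time error; whether anything validates it depends on the option's `type`, which is outside this hunk. If it is a plain `listOf str`, something like `types.listOf (types.strMatching "[a-p]{32}(;.+)?")` would reject typos up front. Since a custom update URL is a force-installed, silently updated code source for every profile on the machine, the option description should also state that the URL must be https and under the administrator's control — presumably CRX signatures bind the package to its id, but a plaintext manifest still lets an on-path attacker withhold or replay updates.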
@@ -28,7 +26,11 @@ in
List of chromium extensions to install.
For list of plugins ids see id in url of extensions on
<link xlink:href="https://chrome.google.com/webstore/category/extensions">chrome web store</link>
- page.
+ page. To install a chromium extension not included in the chrome web
+ store, append to the extension id a semicolon ";" followed by a URL
+ pointing to an Update Manifest XML file. See
+ <link xlink:href="https://www.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist">ExtensionInstallForcelist</link>
+ for additional details.
'';
default = [];
example = literalExample ''
diff --git a/nixpkgs/nixos/modules/programs/criu.nix b/nixpkgs/nixos/modules/programs/criu.nix
index 48cf5c88a9f..1714e1331a4 100644
--- a/nixpkgs/nixos/modules/programs/criu.nix
+++ b/nixpkgs/nixos/modules/programs/criu.nix
@@ -8,6 +8,7 @@ in {
options = {
programs.criu = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Install <command>criu</command> along with necessary kernel options.
diff --git a/nixpkgs/nixos/modules/programs/fish.nix b/nixpkgs/nixos/modules/programs/fish.nix
index 87f6816e4ac..48b324a0fe8 100644
--- a/nixpkgs/nixos/modules/programs/fish.nix
+++ b/nixpkgs/nixos/modules/programs/fish.nix
@@ -178,6 +178,10 @@ in
set -l post (string join0 $fish_complete_path | string match --regex "[^\x00]*generated_completions.*" | string split0 | string match -er ".")
set fish_complete_path $prev "/etc/fish/generated_completions" $post
end
+ # prevent fish from generating completions on first run
+ if not test -d $__fish_user_data_dir/generated_completions
+ ${pkgs.coreutils}/bin/mkdir $__fish_user_data_dir/generated_completions
+ end
'';
environment.etc."fish/generated_completions".source =
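Review bot: The added `mkdir $__fish_user_data_dir/generated_completions` has no `-p`, so on a fresh account where `$__fish_user_data_dir` itself does not exist yet the call fails and prints an error at every interactive start, and the `test -d` guard keeps retrying because the directory is still missing. `${pkgs.coreutils}/bin/mkdir -p $__fish_user_data_dir/generated_completions` creates the parents and is idempotent, so the guard could even be dropped. Whether fish creates that data directory before this snippet runs is not visible here; `-p` makes the snippet correct either way.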
diff --git a/nixpkgs/nixos/modules/programs/singularity.nix b/nixpkgs/nixos/modules/programs/singularity.nix
index b27e122bd1d..6ac64a81fc2 100644
--- a/nixpkgs/nixos/modules/programs/singularity.nix
+++ b/nixpkgs/nixos/modules/programs/singularity.nix
@@ -5,8 +5,8 @@ let
cfg = config.programs.singularity;
singularity = pkgs.singularity.overrideAttrs (attrs : {
installPhase = attrs.installPhase + ''
- mv $bin/libexec/singularity/bin/starter-suid $bin/libexec/singularity/bin/starter-suid.orig
- ln -s /run/wrappers/bin/singularity-suid $bin/libexec/singularity/bin/starter-suid
+ mv $out/libexec/singularity/bin/starter-suid $out/libexec/singularity/bin/starter-suid.orig
+ ln -s /run/wrappers/bin/singularity-suid $out/libexec/singularity/bin/starter-suid
'';
});
in {
diff --git a/nixpkgs/nixos/modules/programs/systemtap.nix b/nixpkgs/nixos/modules/programs/systemtap.nix
index ca81e018c9d..360e106678e 100644
--- a/nixpkgs/nixos/modules/programs/systemtap.nix
+++ b/nixpkgs/nixos/modules/programs/systemtap.nix
@@ -8,6 +8,7 @@ in {
options = {
programs.systemtap = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Install <command>systemtap</command> along with necessary kernel options.
diff --git a/nixpkgs/nixos/modules/programs/venus.nix b/nixpkgs/nixos/modules/programs/venus.nix
index 110570ac3f0..58faf38777d 100644
--- a/nixpkgs/nixos/modules/programs/venus.nix
+++ b/nixpkgs/nixos/modules/programs/venus.nix
@@ -75,7 +75,7 @@ in
};
link = mkOption {
- default = "http://planet.nixos.org";
+ default = "https://planet.nixos.org";
type = types.str;
description = ''
Link to the main page.
diff --git a/nixpkgs/nixos/modules/programs/xonsh.nix b/nixpkgs/nixos/modules/programs/xonsh.nix
index 1590020f7b6..c06fd1655c2 100644
--- a/nixpkgs/nixos/modules/programs/xonsh.nix
+++ b/nixpkgs/nixos/modules/programs/xonsh.nix
@@ -45,7 +45,32 @@ in
config = mkIf cfg.enable {
- environment.etc.xonshrc.text = cfg.config;
+ environment.etc.xonshrc.text = ''
+ # /etc/xonshrc: DO NOT EDIT -- this file has been generated automatically.
+
+
+ if not ''${...}.get('__NIXOS_SET_ENVIRONMENT_DONE'):
+ # The NixOS environment and thereby also $PATH
+ # haven't been fully set up at this point. But
+ # `source-bash` below requires `bash` to be on $PATH,
+ # so add an entry with bash's location:
+ $PATH.add('${pkgs.bash}/bin')
+
+ # Stash xonsh's ls alias, so that we don't get a collision
+ # with Bash's ls alias from environment.shellAliases:
+ _ls_alias = aliases.pop('ls', None)
+
+ # Source the NixOS environment config.
+ source-bash "${config.system.build.setEnvironment}"
+
+ # Restore xonsh's ls alias, overriding that from Bash (if any).
+ if _ls_alias is not None:
+ aliases['ls'] = _ls_alias
+ del _ls_alias
+
+
+ ${cfg.config}
+ '';
environment.systemPackages = [ cfg.package ];
diff --git a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix
index 932a780a356..f24842a4791 100644
--- a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix
+++ b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix
@@ -39,6 +39,7 @@ in
options = {
programs.zsh.ohMyZsh = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Enable oh-my-zsh.
diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix
index 410db8fd84e..7776c648af8 100644
--- a/nixpkgs/nixos/modules/rename.nix
+++ b/nixpkgs/nixos/modules/rename.nix
@@ -48,6 +48,11 @@ with lib;
systemd-logind API). Instead of using the module you can now
simply add the brightnessctl package to environment.systemPackages.
'')
+ (mkRemovedOptionModule [ "virtualisation" "rkt" ] "The rkt module has been removed, it was archived by upstream")
+
+ (mkRemovedOptionModule ["services" "prey" ] ''
+ prey-bash-client is deprecated upstream
+ '')
# Do NOT add any option renames here, see top of the file
];
diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix
index d5fb9b58f2e..776ef07d716 100644
--- a/nixpkgs/nixos/modules/security/acme.nix
+++ b/nixpkgs/nixos/modules/security/acme.nix
@@ -87,19 +87,19 @@ let
default = {};
example = literalExample ''
{
- "example.org" = "/srv/http/nginx";
+ "example.org" = null;
"mydomain.org" = null;
}
'';
description = ''
- A list of extra domain names, which are included in the one certificate to be issued, with their
- own server roots if needed.
+ A list of extra domain names, which are included in the one certificate to be issued.
+ Setting a distinct server root is deprecated and not functional in 20.03+
'';
};
keyType = mkOption {
type = types.str;
- default = "ec384";
+ default = "ec256";
description = ''
Key type to use for private keys.
For an up to date list of supported values check the --key-type option
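Review bot: Changing the `keyType` default from `ec384` to `ec256` silently alters the key strength of every deployment that did not pin the option, and the description still gives no reason for either value; a one-line rationale belongs next to the default, e.g. `# ec256 (P-256): widest client compatibility; ec384 remains available.` Whether an already-issued ec384 certificate is re-keyed on the next renewal or kept until expiry depends on the lego invocation outside this hunk and should be stated in the description so operators know what to expect. The `extraDomains` description now says a server root is "deprecated and not functional", but the attribute still accepts a string; if a non-null value is indeed ignored, a `warnings` entry or assertion would be better than letting the setting silently do nothing.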
@@ -250,7 +250,7 @@ in
"example.com" = {
webroot = "/var/www/challenges/";
email = "foo@example.com";
- extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
+ extraDomains = { "www.example.com" = null; "foo.example.com" = null; };
};
"bar.example.com" = {
webroot = "/var/www/challenges/";
@@ -343,7 +343,9 @@ in
# Test that existing cert is older than new cert
KEY=${spath}/certificates/${keyName}.key
+ KEY_CHANGED=no
if [ -e $KEY -a $KEY -nt key.pem ]; then
+ KEY_CHANGED=yes
cp -p ${spath}/certificates/${keyName}.key key.pem
cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
@@ -354,7 +356,10 @@ in
chmod ${fileMode} *.pem
chown '${data.user}:${data.group}' *.pem
- ${data.postRun}
+ if [ "$KEY_CHANGED" = "yes" ]; then
+ : # noop in case postRun is empty
+ ${data.postRun}
+ fi
'';
in
"+${script}";
@@ -453,7 +458,7 @@ in
];
meta = {
- maintainers = with lib.maintainers; [ abbradar fpletz globin m1cr0man ];
+ maintainers = lib.teams.acme.members;
doc = ./acme.xml;
};
}
diff --git a/nixpkgs/nixos/modules/security/acme.xml b/nixpkgs/nixos/modules/security/acme.xml
index 2b29c117484..f802faee974 100644
--- a/nixpkgs/nixos/modules/security/acme.xml
+++ b/nixpkgs/nixos/modules/security/acme.xml
@@ -6,92 +6,249 @@
<title>SSL/TLS Certificates with ACME</title>
<para>
NixOS supports automatic domain validation &amp; certificate retrieval and
- renewal using the ACME protocol. This is currently only implemented by and
- for Let's Encrypt. The alternative ACME client <literal>lego</literal> is
- used under the hood.
+ renewal using the ACME protocol. Any provider can be used, but by default
+ NixOS uses Let's Encrypt. The alternative ACME client <literal>lego</literal>
+ is used under the hood.
+ </para>
+ <para>
+ Automatic cert validation and configuration for Apache and Nginx virtual
+ hosts is included in NixOS, however if you would like to generate a wildcard
+ cert or you are not using a web server you will have to configure DNS
+ based validation.
</para>
<section xml:id="module-security-acme-prerequisites">
<title>Prerequisites</title>
<para>
- You need to have a running HTTP server for verification. The server must
- have a webroot defined that can serve
+ To use the ACME module, you must accept the provider's terms of service
+ by setting <literal><xref linkend="opt-security.acme.acceptTerms" /></literal>
+ to <literal>true</literal>. The Let's Encrypt ToS can be found
+ <link xlink:href="https://letsencrypt.org/repository/">here</link>.
+ </para>
+
+ <para>
+ You must also set an email address to be used when creating accounts with
+ Let's Encrypt. You can set this for all certs with
+ <literal><xref linkend="opt-security.acme.email" /></literal>
+ and/or on a per-cert basis with
+ <literal><xref linkend="opt-security.acme.certs._name_.email" /></literal>.
+ This address is only used for registration and renewal reminders,
+ and cannot be used to administer the certificates in any way.
+ </para>
+
+ <para>
+ Alternatively, you can use a different ACME server by changing the
+ <literal><xref linkend="opt-security.acme.server" /></literal> option
+ to a provider of your choosing, or just change the server for one cert with
+ <literal><xref linkend="opt-security.acme.certs._name_.server" /></literal>.
+ </para>
+
+ <para>
+ You will need an HTTP server or DNS server for verification. For HTTP,
+ the server must have a webroot defined that can serve
<filename>.well-known/acme-challenge</filename>. This directory must be
- writeable by the user that will run the ACME client.
+ writeable by the user that will run the ACME client. For DNS, you must
+ set up credentials with your provider/server for use with lego.
</para>
+ </section>
+ <section xml:id="module-security-acme-nginx">
+ <title>Using ACME certificates in Nginx</title>
<para>
- For instance, this generic snippet could be used for Nginx:
+ NixOS supports fetching ACME certificates for you by setting
+ <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link>
+ = true;</literal> in a virtualHost config. We first create self-signed
+ placeholder certificates in place of the real ACME certs. The placeholder
+ certs are overwritten when the ACME certs arrive. For
+ <literal>foo.example.com</literal> the config would look like.
+ </para>
+
<programlisting>
-http {
- server {
- server_name _;
- listen 80;
- listen [::]:80;
-
- location /.well-known/acme-challenge {
- root /var/www/challenges;
- }
+<xref linkend="opt-security.acme.acceptTerms" /> = true;
+<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+services.nginx = {
+ <link linkend="opt-services.nginx.enable">enable</link> = true;
+ <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
+ "foo.example.com" = {
+ <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
+ <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
+ # All serverAliases will be added as <link linkend="opt-security.acme.certs._name_.extraDomains">extra domains</link> on the certificate.
+ <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "bar.example.com" ];
+ locations."/" = {
+ <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";
+ };
+ };
- location / {
- return 301 https://$host$request_uri;
- }
- }
+ # We can also add a different vhost and reuse the same certificate
+ # but we have to append extraDomains manually.
+ <link linkend="opt-security.acme.certs._name_.extraDomains">security.acme.certs."foo.example.com".extraDomains."baz.example.com"</link> = null;
+ "baz.example.com" = {
+ <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
+ <link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";
+ locations."/" = {
+ <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";
+ };
+ };
+ };
}
</programlisting>
+ </section>
+ <section xml:id="module-security-acme-httpd">
+ <title>Using ACME certificates in Apache/httpd</title>
+
+ <para>
+ Using ACME certificates with Apache virtual hosts is identical
+ to using them with Nginx. The attribute names are all the same, just replace
+ "nginx" with "httpd" where appropriate.
</para>
</section>
<section xml:id="module-security-acme-configuring">
- <title>Configuring</title>
+ <title>Manual configuration of HTTP-01 validation</title>
<para>
- To enable ACME certificate retrieval &amp; renewal for a certificate for
- <literal>foo.example.com</literal>, add the following in your
- <filename>configuration.nix</filename>:
+ First off you will need to set up a virtual host to serve the challenges.
+ This example uses a vhost called <literal>certs.example.com</literal>, with
+ the intent that you will generate certs for all your vhosts and redirect
+ everyone to HTTPS.
+ </para>
+
+<programlisting>
+<xref linkend="opt-security.acme.acceptTerms" /> = true;
+<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+services.nginx = {
+ <link linkend="opt-services.nginx.enable">enable</link> = true;
+ <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
+ "acmechallenge.example.com" = {
+ # Catchall vhost, will redirect users to HTTPS for all vhosts
+ <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ];
+ # /var/lib/acme/.challenges must be writable by the ACME user
+ # and readable by the Nginx user.
+ # By default, this is the case.
+ locations."/.well-known/acme-challenge" = {
+ <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.return">return</link> = "301 https://$host$request_uri";
+ };
+ };
+ };
+}
+# Alternative config for Apache
+services.httpd = {
+ <link linkend="opt-services.httpd.enable">enable = true;</link>
+ <link linkend="opt-services.httpd.virtualHosts">virtualHosts</link> = {
+ "acmechallenge.example.com" = {
+ # Catchall vhost, will redirect users to HTTPS for all vhosts
+ <link linkend="opt-services.httpd.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ];
+ # /var/lib/acme/.challenges must be writable by the ACME user and readable by the Apache user.
+ # By default, this is the case.
+ <link linkend="opt-services.httpd.virtualHosts._name_.documentRoot">documentRoot</link> = "/var/lib/acme/.challenges";
+ <link linkend="opt-services.httpd.virtualHosts._name_.extraConfig">extraConfig</link> = ''
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge [NC]
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
+ '';
+ };
+ };
+}
+</programlisting>
+
+ <para>
+ Now you need to configure ACME to generate a certificate.
+ </para>
+
<programlisting>
<xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
- <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/challenges";
+ <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
<link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
+ # Since we have a wildcard vhost to handle port 80,
+ # we can generate certs for anything!
+ # Just make sure your DNS resolves them.
+ <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> = [ "mail.example.com" ];
};
</programlisting>
- </para>
<para>
The private key <filename>key.pem</filename> and certificate
<filename>fullchain.pem</filename> will be put into
<filename>/var/lib/acme/foo.example.com</filename>.
</para>
+
<para>
Refer to <xref linkend="ch-options" /> for all available configuration
options for the <link linkend="opt-security.acme.certs">security.acme</link>
module.
</para>
</section>
- <section xml:id="module-security-acme-nginx">
- <title>Using ACME certificates in Nginx</title>
+ <section xml:id="module-security-acme-config-dns">
+ <title>Configuring ACME for DNS validation</title>
<para>
- NixOS supports fetching ACME certificates for you by setting
- <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link>
- = true;</literal> in a virtualHost config. We first create self-signed
- placeholder certificates in place of the real ACME certs. The placeholder
- certs are overwritten when the ACME certs arrive. For
- <literal>foo.example.com</literal> the config would look like.
+ This is useful if you want to generate a wildcard certificate, since
+ ACME servers will only hand out wildcard certs over DNS validation.
+ There a number of supported DNS providers and servers you can utilise,
+ see the <link xlink:href="https://go-acme.github.io/lego/dns/">lego docs</link>
+ for provider/server specific configuration values. For the sake of these
+ docs, we will provide a fully self-hosted example using bind.
</para>
<programlisting>
-services.nginx = {
- <link linkend="opt-services.nginx.enable">enable = true;</link>
- <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
- "foo.example.com" = {
- <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
- <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
- locations."/" = {
- <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";
- };
- };
- };
+services.bind = {
+ <link linkend="opt-services.bind.enable">enable</link> = true;
+ <link linkend="opt-services.bind.extraConfig">extraConfig</link> = ''
+ include "/var/lib/secrets/dnskeys.conf";
+ '';
+ <link linkend="opt-services.bind.zones">zones</link> = [
+ rec {
+ name = "example.com";
+ file = "/var/db/bind/${name}";
+ master = true;
+ extraConfig = "allow-update { key rfc2136key.example.com.; };";
+ }
+ ];
}
+
+# Now we can configure ACME
+<xref linkend="opt-security.acme.acceptTerms" /> = true;
+<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+<xref linkend="opt-security.acme.certs" />."example.com" = {
+ <link linkend="opt-security.acme.certs._name_.domain">domain</link> = "*.example.com";
+ <link linkend="opt-security.acme.certs._name_.dnsProvider">dnsProvider</link> = "rfc2136";
+ <link linkend="opt-security.acme.certs._name_.credentialsFile">credentialsFile</link> = "/var/lib/secrets/certs.secret";
+ # We don't need to wait for propagation since this is a local DNS server
+ <link linkend="opt-security.acme.certs._name_.dnsPropagationCheck">dnsPropagationCheck</link> = false;
+};
</programlisting>
+
+ <para>
+ The <filename>dnskeys.conf</filename> and <filename>certs.secret</filename>
+ must be kept secure and thus you should not keep their contents in your
+ Nix config. Instead, generate them one time with these commands:
+ </para>
+
+<programlisting>
+mkdir -p /var/lib/secrets
+tsig-keygen rfc2136key.example.com &gt; /var/lib/secrets/dnskeys.conf
+chown named:root /var/lib/secrets/dnskeys.conf
+chmod 400 /var/lib/secrets/dnskeys.conf
+
+# Copy the secret value from the dnskeys.conf, and put it in
+# RFC2136_TSIG_SECRET below
+
+cat &gt; /var/lib/secrets/certs.secret &lt;&lt; EOF
+RFC2136_NAMESERVER='127.0.0.1:53'
+RFC2136_TSIG_ALGORITHM='hmac-sha256.'
+RFC2136_TSIG_KEY='rfc2136key.example.com'
+RFC2136_TSIG_SECRET='your secret key'
+EOF
+chmod 400 /var/lib/secrets/certs.secret
+</programlisting>
+
+ <para>
+ Now you're all set to generate certs! You should monitor the first invokation
+ by running <literal>systemctl start acme-example.com.service &amp;
+ journalctl -fu acme-example.com.service</literal> and watching its log output.
+ </para>
</section>
</chapter>
diff --git a/nixpkgs/nixos/modules/security/apparmor-suid.nix b/nixpkgs/nixos/modules/security/apparmor-suid.nix
index 3c93f5440ab..6c479e070e2 100644
--- a/nixpkgs/nixos/modules/security/apparmor-suid.nix
+++ b/nixpkgs/nixos/modules/security/apparmor-suid.nix
@@ -9,6 +9,7 @@ with lib;
];
options.security.apparmor.confineSUIDApplications = mkOption {
+ type = types.bool;
default = true;
description = ''
Install AppArmor profiles for commonly-used SUID application
diff --git a/nixpkgs/nixos/modules/security/doas.nix b/nixpkgs/nixos/modules/security/doas.nix
new file mode 100644
index 00000000000..b81f2d0c2d5
--- /dev/null
+++ b/nixpkgs/nixos/modules/security/doas.nix
@@ -0,0 +1,274 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.security.doas;
+
+ inherit (pkgs) doas;
+
+ mkUsrString = user: toString user;
+
+ mkGrpString = group: ":${toString group}";
+
+ mkOpts = rule: concatStringsSep " " [
+ (optionalString rule.noPass "nopass")
+ (optionalString rule.persist "persist")
+ (optionalString rule.keepEnv "keepenv")
+ "setenv { SSH_AUTH_SOCK ${concatStringsSep " " rule.setEnv} }"
+ ];
+
+ mkArgs = rule:
+ if (isNull rule.args) then ""
+ else if (length rule.args == 0) then "args"
+ else "args ${concatStringsSep " " rule.args}";
+
+ mkRule = rule:
+ let
+ opts = mkOpts rule;
+
+ as = optionalString (!isNull rule.runAs) "as ${rule.runAs}";
+
+ cmd = optionalString (!isNull rule.cmd) "cmd ${rule.cmd}";
+
+ args = mkArgs rule;
+ in
+ optionals (length cfg.extraRules > 0) [
+ (
+ optionalString (length rule.users > 0)
+ (map (usr: "permit ${opts} ${mkUsrString usr} ${as} ${cmd} ${args}") rule.users)
+ )
+ (
+ optionalString (length rule.groups > 0)
+ (map (grp: "permit ${opts} ${mkGrpString grp} ${as} ${cmd} ${args}") rule.groups)
+ )
+ ];
+in
+{
+
+ ###### interface
+
+ options.security.doas = {
+
+ enable = mkOption {
+ type = with types; bool;
+ default = false;
+ description = ''
+ Whether to enable the <command>doas</command> command, which allows
+ non-root users to execute commands as root.
+ '';
+ };
+
+ wheelNeedsPassword = mkOption {
+ type = with types; bool;
+ default = true;
+ description = ''
+ Whether users of the <code>wheel</code> group must provide a password to
+ run commands as super user via <command>doas</command>.
+ '';
+ };
+
+ extraRules = mkOption {
+ default = [];
+ description = ''
+ Define specific rules to be set in the
+ <filename>/etc/doas.conf</filename> file. More specific rules should
+ come after more general ones in order to yield the expected behavior.
+ You can use <code>mkBefore</code> and/or <code>mkAfter</code> to ensure
+ this is the case when configuration options are merged.
+ '';
+ example = literalExample ''
+ [
+ # Allow execution of any command by any user in group doas, requiring
+ # a password and keeping any previously-defined environment variables.
+ { groups = [ "doas" ]; noPass = false; keepEnv = true; }
+
+ # Allow execution of "/home/root/secret.sh" by user `backup` OR user
+ # `database` OR any member of the group with GID `1006`, without a
+ # password.
+ { users = [ "backup" "database" ]; groups = [ 1006 ];
+ cmd = "/home/root/secret.sh"; noPass = true; }
+
+ # Allow any member of group `bar` to run `/home/baz/cmd1.sh` as user
+ # `foo` with argument `hello-doas`.
+ { groups = [ "bar" ]; runAs = "foo";
+ cmd = "/home/baz/cmd1.sh"; args = [ "hello-doas" ]; }
+
+ # Allow any member of group `bar` to run `/home/baz/cmd2.sh` as user
+ # `foo` with no arguments.
+ { groups = [ "bar" ]; runAs = "foo";
+ cmd = "/home/baz/cmd2.sh"; args = [ ]; }
+
+ # Allow user `abusers` to execute "nano" and unset the value of
+ # SSH_AUTH_SOCK, override the value of ALPHA to 1, and inherit the
+ # value of BETA from the current environment.
+ { users = [ "abusers" ]; cmd = "nano";
+ setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ]; }
+ ]
+ '';
+ type = with types; listOf (
+ submodule {
+ options = {
+
+ noPass = mkOption {
+ type = with types; bool;
+ default = false;
+ description = ''
+ If <code>true</code>, the user is not required to enter a
+ password.
+ '';
+ };
+
+ persist = mkOption {
+ type = with types; bool;
+ default = false;
+ description = ''
+ If <code>true</code>, do not ask for a password again for some
+ time after the user successfully authenticates.
+ '';
+ };
+
+ keepEnv = mkOption {
+ type = with types; bool;
+ default = false;
+ description = ''
+ If <code>true</code>, environment variables other than those
+ listed in
+ <citerefentry><refentrytitle>doas</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ are kept when creating the environment for the new process.
+ '';
+ };
+
+ setEnv = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = ''
+ Keep or set the specified variables. Variables may also be
+ removed with a leading '-' or set using
+ <code>variable=value</code>. If the first character of
+ <code>value</code> is a '$', the value to be set is taken from
+ the existing environment variable of the indicated name. This
+ option is processed after the default environment has been
+ created.
+
+ NOTE: All rules have <code>setenv { SSH_AUTH_SOCK }</code> by
+ default. To prevent <code>SSH_AUTH_SOCK</code> from being
+ inherited, add <code>"-SSH_AUTH_SOCK"</code> anywhere in this
+ list.
+ '';
+ };
+
+ users = mkOption {
+ type = with types; listOf (either str int);
+ default = [];
+ description = "The usernames / UIDs this rule should apply for.";
+ };
+
+ groups = mkOption {
+ type = with types; listOf (either str int);
+ default = [];
+ description = "The groups / GIDs this rule should apply for.";
+ };
+
+ runAs = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ Which user or group the specified command is allowed to run as.
+ When set to <code>null</code> (the default), all users are
+ allowed.
+
+ A user can be specified using just the username:
+ <code>"foo"</code>. It is also possible to only allow running as
+ a specific group with <code>":bar"</code>.
+ '';
+ };
+
+ cmd = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ The command the user is allowed to run. When set to
+ <code>null</code> (the default), all commands are allowed.
+
+ NOTE: It is best practice to specify absolute paths. If a
+ relative path is specified, only a restricted PATH will be
+ searched.
+ '';
+ };
+
+ args = mkOption {
+ type = with types; nullOr (listOf str);
+ default = null;
+ description = ''
+ Arguments that must be provided to the command. When set to
+ <code>[]</code>, the command must be run without any arguments.
+ '';
+ };
+ };
+ }
+ );
+ };
+
+ extraConfig = mkOption {
+ type = with types; lines;
+ default = "";
+ description = ''
+ Extra configuration text appended to <filename>doas.conf</filename>.
+ '';
+ };
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ security.doas.extraRules = mkOrder 600 [
+ {
+ groups = [ "wheel" ];
+ noPass = !cfg.wheelNeedsPassword;
+ }
+ ];
+
+ security.wrappers = {
+ doas.source = "${doas}/bin/doas";
+ };
+
+ environment.systemPackages = [
+ doas
+ ];
+
+ security.pam.services.doas = {
+ allowNullPassword = true;
+ sshAgentAuth = true;
+ };
+
+ environment.etc."doas.conf" = {
+ source = pkgs.runCommand "doas-conf"
+ {
+ src = pkgs.writeText "doas-conf-in" ''
+ # To modify this file, set the NixOS options
+ # `security.doas.extraRules` or `security.doas.extraConfig`. To
+ # completely replace the contents of this file, use
+ # `environment.etc."doas.conf"`.
+
+ # "root" is allowed to do anything.
+ permit nopass keepenv root
+
+ # extraRules
+ ${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))}
+
+ # extraConfig
+ ${cfg.extraConfig}
+ '';
+ preferLocalBuild = true;
+ }
+ # Make sure that the doas.conf file is syntactically valid.
+ "${pkgs.buildPackages.doas}/bin/doas -C $src && cp $src $out";
+ mode = "0440";
+ };
+
+ };
+
+ meta.maintainers = with maintainers; [ cole-h ];
+}
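Review bot: `allowNullPassword = true` in the `security.pam.services.doas` block tells pam_unix to accept an empty password field, so an account whose password is empty and that matches a `permit` rule without `nopass` gets root without authenticating at all, and nothing in the option descriptions (including `wheelNeedsPassword`) mentions it. If this is deliberate, document it right there, e.g. `# NOTE: nullok — an account with an empty password field can run doas without entering one.`; otherwise drop the line and let the PAM service default apply. The always-emitted `setenv { SSH_AUTH_SOCK … }` in `mkOpts` presumably exists to pair with `sshAgentAuth = true` below; a one-line comment on `mkOpts` saying so would save the next reader the guess.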
diff --git a/nixpkgs/nixos/modules/security/google_oslogin.nix b/nixpkgs/nixos/modules/security/google_oslogin.nix
index 6f9962e1d62..c2889a0f0d1 100644
--- a/nixpkgs/nixos/modules/security/google_oslogin.nix
+++ b/nixpkgs/nixos/modules/security/google_oslogin.nix
@@ -49,6 +49,8 @@ in
# enable the nss module, so user lookups etc. work
system.nssModules = [ package ];
+ system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
+ system.nssDatabases.group = [ "cache_oslogin" "oslogin" ];
# Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
# So indirect by a symlink.
diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix
index bfc2a881387..e1a94b0121a 100644
--- a/nixpkgs/nixos/modules/security/pam.nix
+++ b/nixpkgs/nixos/modules/security/pam.nix
@@ -54,7 +54,7 @@ let
description = ''
If set, users listed in
<filename>~/.yubico/authorized_yubikeys</filename>
- are able to log in with the asociated Yubikey tokens.
+ are able to log in with the associated Yubikey tokens.
'';
};
@@ -219,6 +219,14 @@ let
'';
};
+ nodelay = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Wheather the delay after typing a wrong password should be disabled.
+ '';
+ };
+
requireWheel = mkOption {
default = false;
type = types.bool;
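Review bot: The `nodelay` description reads "Wheather" and says nothing about what is being given up; the delay pam_unix requests after a failed attempt is a brute-force throttle, so turning it off on a network-facing service (sshd, login) is a security trade-off the option text should state. Suggested wording: `Whether to disable the delay pam_unix requests after a failed password attempt. Leave this off for network-facing services, since the delay slows password guessing.`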
@@ -366,7 +374,7 @@ let
|| cfg.enableGnomeKeyring
|| cfg.googleAuthenticator.enable
|| cfg.duoSecurity.enable)) ''
- auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
+ auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
${optionalString cfg.pamMount
@@ -382,7 +390,7 @@ let
"auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
'') + ''
${optionalString cfg.unixAuth
- "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
+ "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"}
${optionalString cfg.otpwAuth
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${optionalString use_ldap
@@ -545,6 +553,7 @@ in
};
security.pam.enableSSHAgentAuth = mkOption {
+ type = types.bool;
default = false;
description =
''
@@ -555,12 +564,7 @@ in
'';
};
- security.pam.enableOTPW = mkOption {
- default = false;
- description = ''
- Enable the OTPW (one-time password) PAM module.
- '';
- };
+ security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
security.pam.u2f = {
enable = mkOption {
@@ -719,12 +723,7 @@ in
};
};
- security.pam.enableEcryptfs = mkOption {
- default = false;
- description = ''
- Enable eCryptfs PAM module (mounting ecryptfs home directory on login).
- '';
- };
+ security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)";
users.motd = mkOption {
default = null;
diff --git a/nixpkgs/nixos/modules/security/prey.nix b/nixpkgs/nixos/modules/security/prey.nix
deleted file mode 100644
index b899ccb6c3e..00000000000
--- a/nixpkgs/nixos/modules/security/prey.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.prey;
- myPrey = pkgs.prey-bash-client.override {
- apiKey = cfg.apiKey;
- deviceKey = cfg.deviceKey;
- };
-in {
- options = {
-
- services.prey = {
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Enables the <link xlink:href="http://preyproject.com/" />
- shell client. Be sure to specify both API and device keys.
- Once enabled, a <command>cron</command> job will run every 15
- minutes to report status information.
- '';
- };
-
- deviceKey = mkOption {
- type = types.str;
- description = ''
- <literal>Device key</literal> obtained by visiting
- <link xlink:href="https://panel.preyproject.com/devices" />
- and clicking on your device.
- '';
- };
-
- apiKey = mkOption {
- type = types.str;
- description = ''
- <literal>API key</literal> obtained from
- <link xlink:href="https://panel.preyproject.com/profile" />.
- '';
- };
- };
-
- };
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ myPrey ];
- services.cron.systemCronJobs = [ "*/15 * * * * root ${myPrey}/prey.sh" ];
- };
-
-}
diff --git a/nixpkgs/nixos/modules/security/systemd-confinement.nix b/nixpkgs/nixos/modules/security/systemd-confinement.nix
index cd4eb81dbe1..0a400f1d535 100644
--- a/nixpkgs/nixos/modules/security/systemd-confinement.nix
+++ b/nixpkgs/nixos/modules/security/systemd-confinement.nix
@@ -160,6 +160,11 @@ in {
+ " the 'users.users' option instead as this combination is"
+ " currently not supported.";
}
+ { assertion = !cfg.serviceConfig.ProtectSystem or false;
+ message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible"
+ + " with service confinement as it fails to remount /usr within"
+ + " our chroot. Please disable the option.";
+ }
]) config.systemd.services);
config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
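Review bot: `!cfg.serviceConfig.ProtectSystem or false` parses as `!(… or false)`, and since `ProtectSystem` is normally set to a string such as `"strict"` or `"full"` (which NixOS's `serviceConfig` accepts), `!` on that string aborts evaluation with a type error instead of printing the assertion message. Compare against `false` instead: `{ assertion = (cfg.serviceConfig.ProtectSystem or false) == false;`. The enclosing `mapAttrsToList` over `config.systemd.services` starts above this hunk, so I cannot see whether the assertion is gated on confinement being enabled for the service.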
diff --git a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix
index f80d6b3f1ba..646708e01c4 100644
--- a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix
@@ -17,6 +17,7 @@ in {
options = {
services.rabbitmq = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to enable the RabbitMQ server, an Advanced Message
diff --git a/nixpkgs/nixos/modules/services/audio/mopidy.nix b/nixpkgs/nixos/modules/services/audio/mopidy.nix
index d30c227db42..6fd7eae5b89 100644
--- a/nixpkgs/nixos/modules/services/audio/mopidy.nix
+++ b/nixpkgs/nixos/modules/services/audio/mopidy.nix
@@ -13,11 +13,11 @@ let
mopidyEnv = buildEnv {
name = "mopidy-with-extensions-${mopidy.version}";
paths = closePropagation cfg.extensionPackages;
- pathsToLink = [ "/${python3.sitePackages}" ];
+ pathsToLink = [ "/${mopidyPackages.python.sitePackages}" ];
buildInputs = [ makeWrapper ];
postBuild = ''
makeWrapper ${mopidy}/bin/mopidy $out/bin/mopidy \
- --prefix PYTHONPATH : $out/${python3.sitePackages}
+ --prefix PYTHONPATH : $out/${mopidyPackages.python.sitePackages}
'';
};
in {
diff --git a/nixpkgs/nixos/modules/services/audio/mpd.nix b/nixpkgs/nixos/modules/services/audio/mpd.nix
index e20591b5beb..f4eb4a265a4 100644
--- a/nixpkgs/nixos/modules/services/audio/mpd.nix
+++ b/nixpkgs/nixos/modules/services/audio/mpd.nix
@@ -18,8 +18,6 @@ let
''}
state_file "${cfg.dataDir}/state"
sticker_file "${cfg.dataDir}/sticker.sql"
- user "${cfg.user}"
- group "${cfg.group}"
${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''}
${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''}
diff --git a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix
index f58af82773f..31d606b141a 100644
--- a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix
+++ b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix
@@ -37,12 +37,7 @@ in
services.mysqlBackup = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable MySQL backups.
- '';
- };
+ enable = mkEnableOption "MySQL backups";
calendar = mkOption {
type = types.str;
diff --git a/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix b/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix
index 580c7ce68f1..428861a7598 100644
--- a/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix
+++ b/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix
@@ -44,12 +44,7 @@ in {
options = {
services.postgresqlBackup = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable PostgreSQL dumps.
- '';
- };
+ enable = mkEnableOption "PostgreSQL dumps";
startAt = mkOption {
default = "*-*-* 01:15:00";
diff --git a/nixpkgs/nixos/modules/services/backup/znapzend.nix b/nixpkgs/nixos/modules/services/backup/znapzend.nix
index 203631a577f..8098617d11f 100644
--- a/nixpkgs/nixos/modules/services/backup/znapzend.nix
+++ b/nixpkgs/nixos/modules/services/backup/znapzend.nix
@@ -268,7 +268,8 @@ let
mkSrcAttrs = srcCfg: with srcCfg; {
enabled = onOff enable;
- mbuffer = with mbuffer; if enable then "${pkgs.mbuffer}/bin/mbuffer"
+ # mbuffer is not referenced by its full path to accomodate non-NixOS systems or differing mbuffer versions between source and target
+ mbuffer = with mbuffer; if enable then "mbuffer"
+ optionalString (port != null) ":${toString port}" else "off";
mbuffer_size = mbuffer.size;
post_znap_cmd = nullOff postsnap;
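Review bot: `mbuffer` is now looked up through PATH at runtime rather than pinned to a store path, so the local side of a transfer depends on the znapzend unit's `path` containing `pkgs.mbuffer`; that part of the module is outside this hunk, please confirm it is there, and say so in the comment: `# mbuffer is resolved via PATH (see the unit's path) rather than a store path, so the same setting works for non-NixOS or differently versioned targets`. The same comment has "accomodate" for "accommodate".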
@@ -357,6 +358,12 @@ in
default = false;
};
+ features.oracleMode = mkEnableOption ''
+ Destroy snapshots one by one instead of using one long argument list.
+ If source and destination are out of sync for a long time, you may have
+ so many snapshots to destroy that the argument gets is too long and the
+ command fails.
+ '';
features.recvu = mkEnableOption ''
recvu feature which uses <literal>-u</literal> on the receiving end to keep the destination
filesystem unmounted.
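Review bot: The `oracleMode` description has a garbled clause, "that the argument gets is too long"; it should read `so many snapshots to destroy that the argument list gets too long and the command fails`. Since `mkEnableOption` prepends "Whether to enable", starting the text with the feature name (`oracleMode, which destroys snapshots one by one …`) would also read more naturally, as the sibling `recvu` option does.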
@@ -372,6 +379,41 @@ in
and <citerefentry><refentrytitle>zfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for more info.
'';
+ features.sendRaw = mkEnableOption ''
+ sendRaw feature which adds the options <literal>-w</literal> to the
+ <command>zfs send</command> command. For encrypted source datasets this
+ instructs zfs not to decrypt before sending which results in a remote
+ backup that can't be read without the encryption key/passphrase, useful
+ when the remote isn't fully trusted or not physically secure. This
+ option must be used consistently, raw incrementals cannot be based on
+ non-raw snapshots and vice versa.
+ '';
+ features.skipIntermediates = mkEnableOption ''
+ Enable the skipIntermediates feature to send a single increment
+ between latest common snapshot and the newly made one. It may skip
+ several source snaps if the destination was offline for some time, and
+ it should skip snapshots not managed by znapzend. Normally for online
+ destinations, the new snapshot is sent as soon as it is created on the
+ source, so there are no automatic increments to skip.
+ '';
+ features.lowmemRecurse = mkEnableOption ''
+ use lowmemRecurse on systems where you have too many datasets, so a
+ recursive listing of attributes to find backup plans exhausts the
+ memory available to <command>znapzend</command>: instead, go the slower
+ way to first list all impacted dataset names, and then query their
+ configs one by one.
+ '';
+ features.zfsGetType = mkEnableOption ''
+ use zfsGetType if your <command>zfs get</command> supports a
+ <literal>-t</literal> argument for filtering by dataset type at all AND
+ lists properties for snapshots by default when recursing, so that there
+ is too much data to process while searching for backup plans.
+ If these two conditions apply to your system, the time needed for a
+ <literal>--recursive</literal> search for backup plans can literally
+ differ by hundreds of times (depending on the amount of snapshots in
+ that dataset tree... and a decent backup plan will ensure you have a lot
+ of those), so you would benefit from requesting this feature.
+ '';
};
};
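Review bot: `mkEnableOption` prefixes its argument with "Whether to enable", so the texts for `skipIntermediates` ("Whether to enable Enable the skipIntermediates feature …"), `lowmemRecurse` ("Whether to enable use lowmemRecurse …") and `zfsGetType` ("Whether to enable use zfsGetType …") come out doubled or ungrammatical in the rendered manual. Start each with the feature name as `sendRaw` and `recvu` do, e.g. `the skipIntermediates feature, which sends a single increment between …`, `lowmemRecurse on systems where …`, `zfsGetType if your <command>zfs get</command> supports …`.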
@@ -423,5 +465,5 @@ in
};
};
- meta.maintainers = with maintainers; [ infinisil ];
+ meta.maintainers = with maintainers; [ infinisil SlothOfAnarchy ];
}
diff --git a/nixpkgs/nixos/modules/services/cluster/k3s/default.nix b/nixpkgs/nixos/modules/services/cluster/k3s/default.nix
new file mode 100644
index 00000000000..2e8bf20a68f
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/cluster/k3s/default.nix
@@ -0,0 +1,101 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.k3s;
+in
+{
+ # interface
+ options.services.k3s = {
+ enable = mkEnableOption "k3s";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.k3s;
+ defaultText = "pkgs.k3s";
+ example = literalExample "pkgs.k3s";
+ description = "Package that should be used for k3s";
+ };
+
+ role = mkOption {
+ description = ''
+ Whether k3s should run as a server or agent.
+ Note that the server, by default, also runs as an agent.
+ '';
+ default = "server";
+ type = types.enum [ "server" "agent" ];
+ };
+
+ serverAddr = mkOption {
+ type = types.str;
+ description = "The k3s server to connect to. This option only makes sense for an agent.";
+ example = "https://10.0.0.10:6443";
+ default = "";
+ };
+
+ token = mkOption {
+ type = types.str;
+ description = "The k3s token to use when connecting to the server. This option only makes sense for an agent.";
+ default = "";
+ };
+
+ docker = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Use docker to run containers rather than the built-in containerd.";
+ };
+
+ extraFlags = mkOption {
+ description = "Extra flags to pass to the k3s command.";
+ default = "";
+ example = "--no-deploy traefik --cluster-cidr 10.24.0.0/16";
+ };
+
+ disableAgent = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Only run the server. This option only makes sense for a server.";
+ };
+ };
+
+ # implementation
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.role == "agent" -> cfg.serverAddr != "";
+ message = "serverAddr should be set if role is 'agent'";
+ }
+ {
+ assertion = cfg.role == "agent" -> cfg.token != "";
+ message = "token should be set if role is 'agent'";
+ }
+ ];
+
+ virtualisation.docker = mkIf cfg.docker {
+ enable = mkDefault true;
+ };
+
+ systemd.services.k3s = {
+ description = "k3s service";
+ after = mkIf cfg.docker [ "docker.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ # See: https://github.com/rancher/k3s/blob/dddbd16305284ae4bd14c0aade892412310d7edc/install.sh#L197
+ Type = if cfg.role == "agent" then "exec" else "notify";
+ KillMode = "process";
+ Delegate = "yes";
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = concatStringsSep " \\\n " (
+ [
+ "${cfg.package}/bin/k3s ${cfg.role}"
+ ] ++ (optional cfg.docker "--docker")
+ ++ (optional cfg.disableAgent "--disable-agent")
+ ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr} --token ${cfg.token}")
+ ++ [ cfg.extraFlags ]
+ );
+ };
+ };
+ };
+}
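Review bot: `--token ${cfg.token}` in `ExecStart` writes the cluster join token into the unit file, which lives in the world-readable Nix store and is also shown by `systemctl show`/`cat`, so `token = mkOption { type = types.str; … }` is a secret-in-store footgun that the description does not warn about. k3s accepts `--token-file`; add a `tokenFile` option, prefer it in `ExecStart`, relax the agent assertion to accept either, and warn in the `token` description. `extraFlags` also lacks a `type`; `type = types.str;` would reject non-string values at evaluation time rather than at `concatStringsSep`.
```nix
    token = mkOption {
      type = types.str;
      description = ''
        The k3s token to use when connecting to the server. This option only makes sense for an agent.
        WARNING: the value is embedded in the systemd unit and therefore in the world-readable Nix store; prefer tokenFile.
      '';
      default = "";
    };

    tokenFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "File containing the k3s token, passed as --token-file so the secret stays out of the Nix store. Only makes sense for an agent.";
    };

    # … unchanged: docker, extraFlags, disableAgent options …

      {
        assertion = cfg.role == "agent" -> (cfg.token != "" || cfg.tokenFile != null);
        message = "token or tokenFile should be set if role is 'agent'";
      }

    # … unchanged: virtualisation.docker, unit header, serviceConfig up to ExecStart …

          ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr}")
          ++ (optional (cfg.role == "agent" && cfg.tokenFile != null) "--token-file ${cfg.tokenFile}")
          ++ (optional (cfg.role == "agent" && cfg.tokenFile == null) "--token ${cfg.token}")
```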
diff --git a/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix
index bd4cf6a37ba..eacfed85ddf 100644
--- a/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -1,160 +1,494 @@
{ config, lib, pkgs, ... }:
-
with lib;
-
let
cfg = config.services.gitlab-runner;
- configFile =
- if (cfg.configFile == null) then
- (pkgs.runCommand "config.toml" {
- buildInputs = [ pkgs.remarshal ];
- preferLocalBuild = true;
- } ''
- remarshal -if json -of toml \
- < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
- > $out
- '')
- else
- cfg.configFile;
hasDocker = config.virtualisation.docker.enable;
+ hashedServices = with builtins; (mapAttrs' (name: service: nameValuePair
+ "${name}_${config.networking.hostName}_${
+ substring 0 12
+ (hashString "md5" (unsafeDiscardStringContext (toJSON service)))}"
+ service)
+ cfg.services);
+ configPath = "$HOME/.gitlab-runner/config.toml";
+ configureScript = pkgs.writeShellScriptBin "gitlab-runner-configure" (
+ if (cfg.configFile != null) then ''
+ mkdir -p $(dirname ${configPath})
+ cp ${cfg.configFile} ${configPath}
+ # make config file readable by service
+ chown -R --reference=$HOME $(dirname ${configPath})
+ '' else ''
+ export CONFIG_FILE=${configPath}
+
+ mkdir -p $(dirname ${configPath})
+
+ # remove no longer existing services
+ gitlab-runner verify --delete
+
+ # current and desired state
+ NEEDED_SERVICES=$(echo ${concatStringsSep " " (attrNames hashedServices)} | tr " " "\n")
+ REGISTERED_SERVICES=$(gitlab-runner list 2>&1 | grep 'Executor' | awk '{ print $1 }')
+
+ # difference between current and desired state
+ NEW_SERVICES=$(grep -vxF -f <(echo "$REGISTERED_SERVICES") <(echo "$NEEDED_SERVICES") || true)
+ OLD_SERVICES=$(grep -vxF -f <(echo "$NEEDED_SERVICES") <(echo "$REGISTERED_SERVICES") || true)
+
+ # register new services
+ ${concatStringsSep "\n" (mapAttrsToList (name: service: ''
+ if echo "$NEW_SERVICES" | grep -xq ${name}; then
+ bash -c ${escapeShellArg (concatStringsSep " \\\n " ([
+ "set -a && source ${service.registrationConfigFile} &&"
+ "gitlab-runner register"
+ "--non-interactive"
+ "--name ${name}"
+ "--executor ${service.executor}"
+ "--limit ${toString service.limit}"
+ "--request-concurrency ${toString service.requestConcurrency}"
+ "--maximum-timeout ${toString service.maximumTimeout}"
+ ] ++ service.registrationFlags
+ ++ optional (service.buildsDir != null)
+ "--builds-dir ${service.buildsDir}"
+ ++ optional (service.preCloneScript != null)
+ "--pre-clone-script ${service.preCloneScript}"
+ ++ optional (service.preBuildScript != null)
+ "--pre-build-script ${service.preBuildScript}"
+ ++ optional (service.postBuildScript != null)
+ "--post-build-script ${service.postBuildScript}"
+ ++ optional (service.tagList != [ ])
+ "--tag-list ${concatStringsSep "," service.tagList}"
+ ++ optional service.runUntagged
+ "--run-untagged"
+ ++ optional service.protected
+ "--access-level ref_protected"
+ ++ optional service.debugTraceDisabled
+ "--debug-trace-disabled"
+ ++ map (e: "--env ${escapeShellArg e}") (mapAttrsToList (name: value: "${name}=${value}") service.environmentVariables)
+ ++ optionals (service.executor == "docker") (
+ assert (
+ assertMsg (service.dockerImage != null)
+ "dockerImage option is required for docker executor (${name})");
+ [ "--docker-image ${service.dockerImage}" ]
+ ++ optional service.dockerDisableCache
+ "--docker-disable-cache"
+ ++ optional service.dockerPrivileged
+ "--docker-privileged"
+ ++ map (v: "--docker-volumes ${escapeShellArg v}") service.dockerVolumes
+ ++ map (v: "--docker-extra-hosts ${escapeShellArg v}") service.dockerExtraHosts
+ ++ map (v: "--docker-allowed-images ${escapeShellArg v}") service.dockerAllowedImages
+ ++ map (v: "--docker-allowed-services ${escapeShellArg v}") service.dockerAllowedServices
+ )
+ ))} && sleep 1
+ fi
+ '') hashedServices)}
+
+ # unregister old services
+ for NAME in $(echo "$OLD_SERVICES")
+ do
+ [ ! -z "$NAME" ] && gitlab-runner unregister \
+ --name "$NAME" && sleep 1
+ done
+
+ # update global options
+ remarshal --if toml --of json ${configPath} \
+ | jq -cM '.check_interval = ${toString cfg.checkInterval} |
+ .concurrent = ${toString cfg.concurrent}' \
+ | remarshal --if json --of toml \
+ | sponge ${configPath}
+
+ # make config file readable by service
+ chown -R --reference=$HOME $(dirname ${configPath})
+ '');
+ startScript = pkgs.writeShellScriptBin "gitlab-runner-start" ''
+ export CONFIG_FILE=${configPath}
+ exec gitlab-runner run --working-directory $HOME
+ '';
in
{
options.services.gitlab-runner = {
enable = mkEnableOption "Gitlab Runner";
-
configFile = mkOption {
+ type = types.nullOr types.path;
default = null;
description = ''
Configuration file for gitlab-runner.
- Use this option in favor of configOptions to avoid placing CI tokens in the nix store.
- <option>configFile</option> takes precedence over <option>configOptions</option>.
+ <option>configFile</option> takes precedence over <option>services</option>.
+ <option>checkInterval</option> and <option>concurrent</option> will be ignored too.
- Warning: Not using <option>configFile</option> will potentially result in secrets
- leaking into the WORLD-READABLE nix store.
+ This option is deprecated, please use <option>services</option> instead.
+ You can use <option>registrationConfigFile</option> and
+ <option>registrationFlags</option>
+ for settings not covered by this module.
'';
- type = types.nullOr types.path;
};
-
- configOptions = mkOption {
+ checkInterval = mkOption {
+ type = types.int;
+ default = 0;
+ example = literalExample "with lib; (length (attrNames config.services.gitlab-runner.services)) * 3";
description = ''
- Configuration for gitlab-runner
- <option>configFile</option> will take precedence over this option.
-
- Warning: all Configuration, especially CI token, will be stored in a
- WORLD-READABLE file in the Nix Store.
-
- If you want to protect your CI token use <option>configFile</option> instead.
+ Defines the interval length, in seconds, between new jobs check.
+ The default value is 3;
+ if set to 0 or lower, the default value will be used.
+ See <link xlink:href="https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-check_interval-works">runner documentation</link> for more information.
+ '';
+ };
+ concurrent = mkOption {
+ type = types.int;
+ default = 1;
+ example = literalExample "config.nix.maxJobs";
+ description = ''
+ Limits how many jobs globally can be run concurrently.
+ The most upper limit of jobs using all defined runners.
+ 0 does not mean unlimited.
'';
- type = types.attrs;
- example = {
- concurrent = 2;
- runners = [{
- name = "docker-nix-1.11";
- url = "https://CI/";
- token = "TOKEN";
- executor = "docker";
- builds_dir = "";
- docker = {
- host = "";
- image = "nixos/nix:1.11";
- privileged = true;
- disable_cache = true;
- cache_dir = "";
- };
- }];
- };
};
-
gracefulTermination = mkOption {
- default = false;
type = types.bool;
+ default = false;
description = ''
- Finish all remaining jobs before stopping, restarting or reconfiguring.
- If not set gitlab-runner will stop immediatly without waiting for jobs to finish,
- which will lead to failed builds.
+ Finish all remaining jobs before stopping.
+ If not set gitlab-runner will stop immediatly without waiting
+ for jobs to finish, which will lead to failed builds.
'';
};
-
gracefulTimeout = mkOption {
- default = "infinity";
type = types.str;
+ default = "infinity";
example = "5min 20s";
- description = ''Time to wait until a graceful shutdown is turned into a forceful one.'';
- };
-
- workDir = mkOption {
- default = "/var/lib/gitlab-runner";
- type = types.path;
- description = "The working directory used";
+ description = ''
+ Time to wait until a graceful shutdown is turned into a forceful one.
+ '';
};
-
package = mkOption {
- description = "Gitlab Runner package to use";
+ type = types.package;
default = pkgs.gitlab-runner;
defaultText = "pkgs.gitlab-runner";
- type = types.package;
example = literalExample "pkgs.gitlab-runner_1_11";
+ description = "Gitlab Runner package to use.";
};
-
- packages = mkOption {
- default = [ pkgs.bash pkgs.docker-machine ];
- defaultText = "[ pkgs.bash pkgs.docker-machine ]";
+ extraPackages = mkOption {
type = types.listOf types.package;
+ default = [ ];
description = ''
- Packages to add to PATH for the gitlab-runner process.
+ Extra packages to add to PATH for the gitlab-runner process.
'';
};
+ services = mkOption {
+ description = "GitLab Runner services.";
+ default = { };
+ example = literalExample ''
+ {
+ # runner for building in docker via host's nix-daemon
+ # nix store will be readable in runner, might be insecure
+ nix = {
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ dockerImage = "alpine";
+ dockerVolumes = [
+ "/nix/store:/nix/store:ro"
+ "/nix/var/nix/db:/nix/var/nix/db:ro"
+ "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+ ];
+ dockerDisableCache = true;
+ preBuildScript = pkgs.writeScript "setup-container" '''
+ mkdir -p -m 0755 /nix/var/log/nix/drvs
+ mkdir -p -m 0755 /nix/var/nix/gcroots
+ mkdir -p -m 0755 /nix/var/nix/profiles
+ mkdir -p -m 0755 /nix/var/nix/temproots
+ mkdir -p -m 0755 /nix/var/nix/userpool
+ mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+ mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+ mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+ mkdir -p -m 0700 "$HOME/.nix-defexpr"
- };
+ . ''${pkgs.nix}/etc/profile.d/nix.sh
+ ''${pkgs.nix}/bin/nix-env -i ''${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+
+ ''${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+ ''${pkgs.nix}/bin/nix-channel --update nixpkgs
+ ''';
+ environmentVariables = {
+ ENV = "/etc/profile";
+ USER = "root";
+ NIX_REMOTE = "daemon";
+ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+ NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+ };
+ tagList = [ "nix" ];
+ };
+ # runner for building docker images
+ docker-images = {
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ dockerImage = "docker:stable";
+ dockerVolumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ tagList = [ "docker-images" ];
+ };
+ # runner for executing stuff on host system (very insecure!)
+ # make sure to add required packages (including git!)
+ # to `environment.systemPackages`
+ shell = {
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ executor = "shell";
+ tagList = [ "shell" ];
+ };
+ # runner for everything else
+ default = {
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ dockerImage = "debian:stable";
+ };
+ }
+ '';
+ type = types.attrsOf (types.submodule {
+ options = {
+ registrationConfigFile = mkOption {
+ type = types.path;
+ description = ''
+ Absolute path to a file with environment variables
+ used for gitlab-runner registration.
+ A list of all supported environment variables can be found in
+ <literal>gitlab-runner register --help</literal>.
+
+ Ones that you probably want to set is
+
+ <literal>CI_SERVER_URL=&lt;CI server URL&gt;</literal>
+
+ <literal>REGISTRATION_TOKEN=&lt;registration secret&gt;</literal>
+ '';
+ };
+ registrationFlags = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = [ "--docker-helper-image my/gitlab-runner-helper" ];
+ description = ''
+ Extra command-line flags passed to
+ <literal>gitlab-runner register</literal>.
+ Execute <literal>gitlab-runner register --help</literal>
+ for a list of supported flags.
+ '';
+ };
+ environmentVariables = mkOption {
+ type = types.attrsOf types.str;
+ default = { };
+ example = { NAME = "value"; };
+ description = ''
+ Custom environment variables injected to build environment.
+ For secrets you can use <option>registrationConfigFile</option>
+ with <literal>RUNNER_ENV</literal> variable set.
+ '';
+ };
+ executor = mkOption {
+ type = types.str;
+ default = "docker";
+ description = ''
+ Select executor, eg. shell, docker, etc.
+ See <link xlink:href="https://docs.gitlab.com/runner/executors/README.html">runner documentation</link> for more information.
+ '';
+ };
+ buildsDir = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/var/lib/gitlab-runner/builds";
+ description = ''
+ Absolute path to a directory where builds will be stored
+ in context of selected executor (Locally, Docker, SSH).
+ '';
+ };
+ dockerImage = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Docker image to be used.
+ '';
+ };
+ dockerVolumes = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+ description = ''
+ Bind-mount a volume and create it
+ if it doesn't exist prior to mounting.
+ '';
+ };
+ dockerDisableCache = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable all container caching.
+ '';
+ };
+ dockerPrivileged = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Give extended privileges to container.
+ '';
+ };
+ dockerExtraHosts = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = [ "other-host:127.0.0.1" ];
+ description = ''
+ Add a custom host-to-IP mapping.
+ '';
+ };
+ dockerAllowedImages = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = [ "ruby:*" "python:*" "php:*" "my.registry.tld:5000/*:*" ];
+ description = ''
+ Whitelist allowed images.
+ '';
+ };
+ dockerAllowedServices = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = [ "postgres:9" "redis:*" "mysql:*" ];
+ description = ''
+ Whitelist allowed services.
+ '';
+ };
+ preCloneScript = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Runner-specific command script executed before code is pulled.
+ '';
+ };
+ preBuildScript = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Runner-specific command script executed after code is pulled,
+ just before build executes.
+ '';
+ };
+ postBuildScript = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Runner-specific command script executed after code is pulled
+ and just after build executes.
+ '';
+ };
+ tagList = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ Tag list.
+ '';
+ };
+ runUntagged = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Register to run untagged builds; defaults to
+ <literal>true</literal> when <option>tagList</option> is empty.
+ '';
+ };
+ limit = mkOption {
+ type = types.int;
+ default = 0;
+ description = ''
+ Limit how many jobs can be handled concurrently by this service.
+ 0 (default) simply means don't limit.
+ '';
+ };
+ requestConcurrency = mkOption {
+ type = types.int;
+ default = 0;
+ description = ''
+ Limit number of concurrent requests for new jobs from GitLab.
+ '';
+ };
+ maximumTimeout = mkOption {
+ type = types.int;
+ default = 0;
+ description = ''
+ What is the maximum timeout (in seconds) that will be set for
+ job when using this Runner. 0 (default) simply means don't limit.
+ '';
+ };
+ protected = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ When set to true Runner will only run on pipelines
+ triggered on protected branches.
+ '';
+ };
+ debugTraceDisabled = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ When set to true Runner will disable the possibility of
+ using the <literal>CI_DEBUG_TRACE</literal> feature.
+ '';
+ };
+ };
+ });
+ };
+ };
config = mkIf cfg.enable {
+ warnings = optional (cfg.configFile != null) "services.gitlab-runner.`configFile` is deprecated, please use services.gitlab-runner.`services`.";
+ environment.systemPackages = [ cfg.package ];
systemd.services.gitlab-runner = {
- path = cfg.packages;
- environment = config.networking.proxy.envVars // {
- # Gitlab runner will not start if the HOME variable is not set
- HOME = cfg.workDir;
- };
description = "Gitlab Runner";
+ documentation = [ "https://docs.gitlab.com/runner/" ];
after = [ "network.target" ]
++ optional hasDocker "docker.service";
requires = optional hasDocker "docker.service";
wantedBy = [ "multi-user.target" ];
+ environment = config.networking.proxy.envVars // {
+ HOME = "/var/lib/gitlab-runner";
+ };
+ path = with pkgs; [
+ bash
+ gawk
+ jq
+ moreutils
+ remarshal
+ utillinux
+ cfg.package
+ ] ++ cfg.extraPackages;
reloadIfChanged = true;
- restartTriggers = [
- config.environment.etc."gitlab-runner/config.toml".source
- ];
serviceConfig = {
+ # Set `DynamicUser` under `systemd.services.gitlab-runner.serviceConfig`
+ # to `lib.mkForce false` in your configuration to run this service as root.
+ # You can also set `User` and `Group` options to run this service as desired user.
+ # Make sure to restart service or changes won't apply.
+ DynamicUser = true;
StateDirectory = "gitlab-runner";
- ExecReload= "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
- --working-directory ${cfg.workDir} \
- --config /etc/gitlab-runner/config.toml \
- --service gitlab-runner \
- --user gitlab-runner \
- '';
-
- } // optionalAttrs (cfg.gracefulTermination) {
+ SupplementaryGroups = optional hasDocker "docker";
+ ExecStartPre = "!${configureScript}/bin/gitlab-runner-configure";
+ ExecStart = "${startScript}/bin/gitlab-runner-start";
+ ExecReload = "!${configureScript}/bin/gitlab-runner-configure";
+ } // optionalAttrs (cfg.gracefulTermination) {
TimeoutStopSec = "${cfg.gracefulTimeout}";
KillSignal = "SIGQUIT";
KillMode = "process";
};
};
-
- # Make the gitlab-runner command availabe so users can query the runner
- environment.systemPackages = [ cfg.package ];
-
- # Make sure the config can be reloaded on change
- environment.etc."gitlab-runner/config.toml".source = configFile;
-
- users.users.gitlab-runner = {
- group = "gitlab-runner";
- extraGroups = optional hasDocker "docker";
- uid = config.ids.uids.gitlab-runner;
- home = cfg.workDir;
- createHome = true;
- };
-
- users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
+ # Enable docker if `docker` executor is used in any service
+ virtualisation.docker.enable = mkIf (
+ any (s: s.executor == "docker") (attrValues cfg.services)
+ ) (mkDefault true);
};
+ imports = [
+ (mkRenamedOptionModule [ "services" "gitlab-runner" "packages" ] [ "services" "gitlab-runner" "extraPackages" ] )
+ (mkRemovedOptionModule [ "services" "gitlab-runner" "configOptions" ] "Use services.gitlab-runner.services option instead" )
+ (mkRemovedOptionModule [ "services" "gitlab-runner" "workDir" ] "You should move contents of workDir (if any) to /var/lib/gitlab-runner" )
+ ];
}
diff --git a/nixpkgs/nixos/modules/services/databases/clickhouse.nix b/nixpkgs/nixos/modules/services/databases/clickhouse.nix
index dbabcae43ee..27440fec4e1 100644
--- a/nixpkgs/nixos/modules/services/databases/clickhouse.nix
+++ b/nixpkgs/nixos/modules/services/databases/clickhouse.nix
@@ -11,10 +11,7 @@ with lib;
services.clickhouse = {
- enable = mkOption {
- default = false;
- description = "Whether to enable ClickHouse database server.";
- };
+ enable = mkEnableOption "ClickHouse database server";
};
diff --git a/nixpkgs/nixos/modules/services/databases/cockroachdb.nix b/nixpkgs/nixos/modules/services/databases/cockroachdb.nix
index b6f94a4881a..35fb46d69d8 100644
--- a/nixpkgs/nixos/modules/services/databases/cockroachdb.nix
+++ b/nixpkgs/nixos/modules/services/databases/cockroachdb.nix
@@ -153,7 +153,7 @@ in
defaultText = "pkgs.cockroachdb";
description = ''
The CockroachDB derivation to use for running the service.
-
+
This would primarily be useful to enable Enterprise Edition features
in your own custom CockroachDB build (Nixpkgs CockroachDB binaries
only contain open source features and open source code).
diff --git a/nixpkgs/nixos/modules/services/databases/firebird.nix b/nixpkgs/nixos/modules/services/databases/firebird.nix
index 042c9841df5..95837aa1cea 100644
--- a/nixpkgs/nixos/modules/services/databases/firebird.nix
+++ b/nixpkgs/nixos/modules/services/databases/firebird.nix
@@ -40,12 +40,7 @@ in
services.firebird = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable the Firebird super server.
- '';
- };
+ enable = mkEnableOption "the Firebird super server";
package = mkOption {
default = pkgs.firebirdSuper;
diff --git a/nixpkgs/nixos/modules/services/databases/memcached.nix b/nixpkgs/nixos/modules/services/databases/memcached.nix
index 89ff957babf..f54bb6cc9b1 100644
--- a/nixpkgs/nixos/modules/services/databases/memcached.nix
+++ b/nixpkgs/nixos/modules/services/databases/memcached.nix
@@ -18,12 +18,7 @@ in
services.memcached = {
- enable = mkOption {
- default = false;
- description = "
- Whether to enable Memcached.
- ";
- };
+ enable = mkEnableOption "Memcached";
user = mkOption {
default = "memcached";
diff --git a/nixpkgs/nixos/modules/services/databases/mongodb.nix b/nixpkgs/nixos/modules/services/databases/mongodb.nix
index 12879afed47..4453a182990 100644
--- a/nixpkgs/nixos/modules/services/databases/mongodb.nix
+++ b/nixpkgs/nixos/modules/services/databases/mongodb.nix
@@ -29,12 +29,7 @@ in
services.mongodb = {
- enable = mkOption {
- default = false;
- description = "
- Whether to enable the MongoDB server.
- ";
- };
+ enable = mkEnableOption "the MongoDB server";
package = mkOption {
default = pkgs.mongodb;
diff --git a/nixpkgs/nixos/modules/services/databases/mysql.nix b/nixpkgs/nixos/modules/services/databases/mysql.nix
index f9e657f5774..44183788d93 100644
--- a/nixpkgs/nixos/modules/services/databases/mysql.nix
+++ b/nixpkgs/nixos/modules/services/databases/mysql.nix
@@ -87,7 +87,6 @@ in
datadir = /var/lib/mysql
bind-address = 127.0.0.1
port = 3336
- plugin-load-add = auth_socket.so
!includedir /etc/mysql/conf.d/
''';
@@ -315,13 +314,16 @@ in
datadir = cfg.dataDir;
bind-address = mkIf (cfg.bind != null) cfg.bind;
port = cfg.port;
- plugin-load-add = optional (cfg.ensureUsers != []) "auth_socket.so";
}
(mkIf (cfg.replication.role == "master" || cfg.replication.role == "slave") {
log-bin = "mysql-bin-${toString cfg.replication.serverId}";
log-bin-index = "mysql-bin-${toString cfg.replication.serverId}.index";
relay-log = "mysql-relay-bin";
server-id = cfg.replication.serverId;
+ binlog-ignore-db = [ "information_schema" "performance_schema" "mysql" ];
+ })
+ (mkIf (!isMariaDB) {
+ plugin-load-add = optional (cfg.ensureUsers != []) "auth_socket.so";
})
];
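Review bot: Listing `mysql` in `binlog-ignore-db` means account and privilege changes (CREATE USER, GRANT) made on the master are no longer replicated to slaves, which is easy to miss when the option is silently applied for every replication role; with statement-based logging the filter is also evaluated against the current default database, so statements issued from another schema are still replicated. Document this next to the new line, e.g. `# The mysql schema is excluded from the binlog: user/grant changes must be applied on each replica.` The `(mkIf (!isMariaDB) ...)` move of `plugin-load-add` looks correct, assuming `isMariaDB` is defined in the let block outside this hunk. The surrounding settings attribute set begins before the hunk.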
@@ -444,7 +446,6 @@ in
( echo "stop slave;"
echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';"
- echo "set global slave_exec_mode='IDEMPOTENT';"
echo "start slave;"
) | ${mysql}/bin/mysql -u root -N
''}
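Review bot: Dropping `set global slave_exec_mode='IDEMPOTENT'` changes failure behaviour: the slave now stops on duplicate-key and missing-row errors instead of skipping them, and nothing in the hunk records why; a short comment such as `# slave_exec_mode is left at STRICT so replication errors surface instead of being skipped` would keep the next maintainer from reintroducing it. Unrelated to the change but visible in the context line, `master_password` is interpolated into this shell script, so the replication password ends up in the world-readable Nix store; this predates the commit. The enclosing postStart script starts and ends outside the hunk.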
diff --git a/nixpkgs/nixos/modules/services/databases/openldap.nix b/nixpkgs/nixos/modules/services/databases/openldap.nix
index 809f61cfa81..8c2851c37ac 100644
--- a/nixpkgs/nixos/modules/services/databases/openldap.nix
+++ b/nixpkgs/nixos/modules/services/databases/openldap.nix
@@ -231,6 +231,10 @@ in
};
+ meta = {
+ maintainers = lib.maintainers.mic92;
+ };
+
###### implementation
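Review bot: `maintainers = lib.maintainers.mic92;` assigns a single maintainer attribute set where the NixOS module `meta.maintainers` option expects a list, so evaluation of the module should fail the type check; it needs to be `maintainers = [ lib.maintainers.mic92 ];`. The `meta` block is otherwise complete within the hunk.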
diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix
index 0b79a996dc7..579b6a4d9c6 100644
--- a/nixpkgs/nixos/modules/services/databases/postgresql.nix
+++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix
@@ -17,6 +17,7 @@ let
hba_file = '${pkgs.writeText "pg_hba.conf" cfg.authentication}'
ident_file = '${pkgs.writeText "pg_ident.conf" cfg.identMap}'
log_destination = 'stderr'
+ log_line_prefix = '${cfg.logLinePrefix}'
listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
port = ${toString cfg.port}
${cfg.extraConfig}
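Review bot: `log_line_prefix = '${cfg.logLinePrefix}'` embeds a free-form `types.str` between single quotes without escaping, so a value containing `'` produces an unparsable postgresql.conf and the server fails to start. PostgreSQL string values escape a single quote by doubling it, so `log_line_prefix = '${builtins.replaceStrings [ "'" ] [ "''" ] cfg.logLinePrefix}'` keeps any prefix valid. The config template is defined in a let binding that starts before this hunk.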
@@ -34,13 +35,7 @@ in
services.postgresql = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to run PostgreSQL.
- '';
- };
+ enable = mkEnableOption "PostgreSQL Server";
package = mkOption {
type = types.package;
@@ -192,6 +187,17 @@ in
'';
};
+ logLinePrefix = mkOption {
+ type = types.str;
+ default = "[%p] ";
+ example = "%m [%p] ";
+ description = ''
+ A printf-style string that is output at the beginning of each log line.
+ Upstream default is <literal>'%m [%p] '</literal>, i.e. it includes the timestamp. We do
+ not include the timestamp, because journal has it anyway.
+ '';
+ };
+
extraPlugins = mkOption {
type = types.listOf types.path;
default = [];
@@ -337,7 +343,7 @@ in
# Wait for PostgreSQL to be ready to accept connections.
postStart =
''
- PSQL="${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port}"
+ PSQL="${pkgs.utillinux}/bin/runuser -u ${cfg.superUser} -- psql --port=${toString cfg.port}"
while ! $PSQL -d postgres -c "" 2> /dev/null; do
if ! kill -0 "$MAINPID"; then exit 1; fi
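Review bot: Replacing `sudo -u` with `runuser -u ... --` removes the environment reset sudo performed by default: runuser without `-l` keeps the caller's environment, so any `PG*` variables present in the unit's environment now reach psql, and the behaviour on a misconfigured host differs from before. That is probably harmless here, but a comment like `# runuser keeps the unit's environment; sudo's env_reset no longer applies` would record the intent. The postStart script continues outside the hunk.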
diff --git a/nixpkgs/nixos/modules/services/databases/redis.nix b/nixpkgs/nixos/modules/services/databases/redis.nix
index 5c817422aae..799c3db6216 100644
--- a/nixpkgs/nixos/modules/services/databases/redis.nix
+++ b/nixpkgs/nixos/modules/services/databases/redis.nix
@@ -11,12 +11,11 @@ let
port ${toString cfg.port}
${condOption "bind" cfg.bind}
${condOption "unixsocket" cfg.unixSocket}
- daemonize yes
+ daemonize no
supervised systemd
loglevel ${cfg.logLevel}
logfile ${cfg.logfile}
syslog-enabled ${redisBool cfg.syslog}
- pidfile /run/redis/redis.pid
databases ${toString cfg.databases}
${concatMapStrings (d: "save ${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}\n") cfg.save}
dbfilename dump.rdb
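Review bot: Switching to `daemonize no` and removing the pidfile is only safe if the systemd unit, which is outside this hunk, does not still declare `Type = "forking"` or reference `/run/redis/redis.pid` in `PIDFile`; with `supervised systemd` the unit should be `Type = "notify"` so startup does not hang. Please confirm the unit definition matches, and consider a comment on the `daemonize no` line naming that dependency, e.g. `# redis stays in the foreground; the unit relies on supervised systemd (Type=notify)`. The config template is a let binding that begins before the hunk.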
diff --git a/nixpkgs/nixos/modules/services/databases/virtuoso.nix b/nixpkgs/nixos/modules/services/databases/virtuoso.nix
index 0cc027cb1d7..6eb09e0a58f 100644
--- a/nixpkgs/nixos/modules/services/databases/virtuoso.nix
+++ b/nixpkgs/nixos/modules/services/databases/virtuoso.nix
@@ -13,10 +13,7 @@ with lib;
services.virtuoso = {
- enable = mkOption {
- default = false;
- description = "Whether to enable Virtuoso Opensource database server.";
- };
+ enable = mkEnableOption "Virtuoso Opensource database server";
config = mkOption {
default = "";
diff --git a/nixpkgs/nixos/modules/services/editors/emacs.xml b/nixpkgs/nixos/modules/services/editors/emacs.xml
index 03483f69fa2..74c60014dce 100644
--- a/nixpkgs/nixos/modules/services/editors/emacs.xml
+++ b/nixpkgs/nixos/modules/services/editors/emacs.xml
@@ -294,7 +294,7 @@ https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides
If you are not on NixOS or want to install this particular Emacs only for
yourself, you can do so by adding it to your
<filename>~/.config/nixpkgs/config.nix</filename> (see
- <link xlink:href="http://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides">Nixpkgs
+ <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides">Nixpkgs
manual</link>):
<example xml:id="module-services-emacs-config-nix">
<title>Custom Emacs in <filename>~/.config/nixpkgs/config.nix</filename></title>
diff --git a/nixpkgs/nixos/modules/services/hardware/ratbagd.nix b/nixpkgs/nixos/modules/services/hardware/ratbagd.nix
index 103e1d2315a..01a8276750f 100644
--- a/nixpkgs/nixos/modules/services/hardware/ratbagd.nix
+++ b/nixpkgs/nixos/modules/services/hardware/ratbagd.nix
@@ -10,12 +10,7 @@ in
options = {
services.ratbagd = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable ratbagd for configuring gaming mice.
- '';
- };
+ enable = mkEnableOption "ratbagd for configuring gaming mice";
};
};
diff --git a/nixpkgs/nixos/modules/services/hardware/thermald.nix b/nixpkgs/nixos/modules/services/hardware/thermald.nix
index 69577bbe018..ecb529e9bf0 100644
--- a/nixpkgs/nixos/modules/services/hardware/thermald.nix
+++ b/nixpkgs/nixos/modules/services/hardware/thermald.nix
@@ -8,12 +8,7 @@ in {
###### interface
options = {
services.thermald = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable thermald, the temperature management daemon.
- '';
- };
+ enable = mkEnableOption "thermald, the temperature management daemon";
debug = mkOption {
type = types.bool;
diff --git a/nixpkgs/nixos/modules/services/logging/awstats.nix b/nixpkgs/nixos/modules/services/logging/awstats.nix
index 5939d7808f7..896f52302ff 100644
--- a/nixpkgs/nixos/modules/services/logging/awstats.nix
+++ b/nixpkgs/nixos/modules/services/logging/awstats.nix
@@ -24,7 +24,7 @@ let
logFile = mkOption {
type = types.str;
- example = "/var/spool/nginx/logs/access.log";
+ example = "/var/log/nginx/access.log";
description = ''
The log file to be scanned.
@@ -110,7 +110,7 @@ in
{
"mysite" = {
domain = "example.com";
- logFile = "/var/spool/nginx/logs/access.log";
+ logFile = "/var/log/nginx/access.log";
};
}
'';
diff --git a/nixpkgs/nixos/modules/services/mail/dovecot.nix b/nixpkgs/nixos/modules/services/mail/dovecot.nix
index 230a2ae3f82..9fbf0c19752 100644
--- a/nixpkgs/nixos/modules/services/mail/dovecot.nix
+++ b/nixpkgs/nixos/modules/services/mail/dovecot.nix
@@ -407,7 +407,7 @@ in
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- restartTriggers = [ cfg.configFile ];
+ restartTriggers = [ cfg.configFile modulesDir ];
serviceConfig = {
ExecStart = "${dovecotPkg}/sbin/dovecot -F";
diff --git a/nixpkgs/nixos/modules/services/mail/postfix.nix b/nixpkgs/nixos/modules/services/mail/postfix.nix
index 19e11b31d9c..608f64a68fb 100644
--- a/nixpkgs/nixos/modules/services/mail/postfix.nix
+++ b/nixpkgs/nixos/modules/services/mail/postfix.nix
@@ -269,6 +269,7 @@ in
};
enableSmtp = mkOption {
+ type = types.bool;
default = true;
description = "Whether to enable smtp in master.cf.";
};
diff --git a/nixpkgs/nixos/modules/services/mail/roundcube.nix b/nixpkgs/nixos/modules/services/mail/roundcube.nix
index 21e92cfee01..ed1439745ac 100644
--- a/nixpkgs/nixos/modules/services/mail/roundcube.nix
+++ b/nixpkgs/nixos/modules/services/mail/roundcube.nix
@@ -7,7 +7,7 @@ let
fpm = config.services.phpfpm.pools.roundcube;
localDB = cfg.database.host == "localhost";
user = cfg.database.username;
- phpWithPspell = pkgs.php.withExtensions (e: [ e.pspell ] ++ pkgs.php.enabledExtensions);
+ phpWithPspell = pkgs.php.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled);
in
{
options.services.roundcube = {
diff --git a/nixpkgs/nixos/modules/services/mail/rss2email.nix b/nixpkgs/nixos/modules/services/mail/rss2email.nix
index c1e5964c453..7f8d2adac64 100644
--- a/nixpkgs/nixos/modules/services/mail/rss2email.nix
+++ b/nixpkgs/nixos/modules/services/mail/rss2email.nix
@@ -91,6 +91,8 @@ in {
};
};
+ environment.systemPackages = with pkgs; [ rss2email ];
+
services.rss2email.config.to = cfg.to;
systemd.tmpfiles.rules = [
diff --git a/nixpkgs/nixos/modules/services/mail/spamassassin.nix b/nixpkgs/nixos/modules/services/mail/spamassassin.nix
index 2d5fb40fad3..4e642542ec6 100644
--- a/nixpkgs/nixos/modules/services/mail/spamassassin.nix
+++ b/nixpkgs/nixos/modules/services/mail/spamassassin.nix
@@ -12,12 +12,10 @@ in
options = {
services.spamassassin = {
- enable = mkOption {
- default = false;
- description = "Whether to run the SpamAssassin daemon";
- };
+ enable = mkEnableOption "the SpamAssassin daemon";
debug = mkOption {
+ type = types.bool;
default = false;
description = "Whether to run the SpamAssassin daemon in debug mode";
};
diff --git a/nixpkgs/nixos/modules/services/misc/autofs.nix b/nixpkgs/nixos/modules/services/misc/autofs.nix
index f1742177326..5e7c1e66828 100644
--- a/nixpkgs/nixos/modules/services/misc/autofs.nix
+++ b/nixpkgs/nixos/modules/services/misc/autofs.nix
@@ -19,6 +19,7 @@ in
services.autofs = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Mount filesystems on demand. Unmount them automatically.
@@ -56,6 +57,7 @@ in
};
debug = mkOption {
+ type = types.bool;
default = false;
description = ''
Pass -d and -7 to automount and write log to the system journal.
diff --git a/nixpkgs/nixos/modules/services/misc/cgminer.nix b/nixpkgs/nixos/modules/services/misc/cgminer.nix
index 9fcae645269..7635c2a0f4e 100644
--- a/nixpkgs/nixos/modules/services/misc/cgminer.nix
+++ b/nixpkgs/nixos/modules/services/misc/cgminer.nix
@@ -31,13 +31,7 @@ in
services.cgminer = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable cgminer, an ASIC/FPGA/GPU miner for bitcoin and
- litecoin.
- '';
- };
+ enable = mkEnableOption "cgminer, an ASIC/FPGA/GPU miner for bitcoin and litecoin";
package = mkOption {
default = pkgs.cgminer;
diff --git a/nixpkgs/nixos/modules/services/misc/confd.nix b/nixpkgs/nixos/modules/services/misc/confd.nix
index 8e9bec15dd4..c1ebdb3dde9 100755
--- a/nixpkgs/nixos/modules/services/misc/confd.nix
+++ b/nixpkgs/nixos/modules/services/misc/confd.nix
@@ -75,7 +75,7 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
- ExecStart = "${cfg.package.bin}/bin/confd";
+ ExecStart = "${cfg.package}/bin/confd";
};
};
diff --git a/nixpkgs/nixos/modules/services/misc/devmon.nix b/nixpkgs/nixos/modules/services/misc/devmon.nix
index 9dc8fee2964..e4a3348646b 100644
--- a/nixpkgs/nixos/modules/services/misc/devmon.nix
+++ b/nixpkgs/nixos/modules/services/misc/devmon.nix
@@ -8,12 +8,7 @@ let
in {
options = {
services.devmon = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable devmon, an automatic device mounting daemon.
- '';
- };
+ enable = mkEnableOption "devmon, an automatic device mounting daemon";
};
};
diff --git a/nixpkgs/nixos/modules/services/misc/disnix.nix b/nixpkgs/nixos/modules/services/misc/disnix.nix
index b7b6eb7cd66..69386cdbb38 100644
--- a/nixpkgs/nixos/modules/services/misc/disnix.nix
+++ b/nixpkgs/nixos/modules/services/misc/disnix.nix
@@ -17,10 +17,7 @@ in
services.disnix = {
- enable = mkOption {
- default = false;
- description = "Whether to enable Disnix";
- };
+ enable = mkEnableOption "Disnix";
enableMultiUser = mkOption {
type = types.bool;
@@ -28,10 +25,7 @@ in
description = "Whether to support multi-user mode by enabling the Disnix D-Bus service";
};
- useWebServiceInterface = mkOption {
- default = false;
- description = "Whether to enable the DisnixWebService interface running on Apache Tomcat";
- };
+ useWebServiceInterface = mkEnableOption "the DisnixWebService interface running on Apache Tomcat";
package = mkOption {
type = types.path;
diff --git a/nixpkgs/nixos/modules/services/misc/etcd.nix b/nixpkgs/nixos/modules/services/misc/etcd.nix
index 7322e1c080b..32360d43768 100644
--- a/nixpkgs/nixos/modules/services/misc/etcd.nix
+++ b/nixpkgs/nixos/modules/services/misc/etcd.nix
@@ -178,7 +178,7 @@ in {
serviceConfig = {
Type = "notify";
- ExecStart = "${pkgs.etcd.bin}/bin/etcd";
+ ExecStart = "${pkgs.etcd}/bin/etcd";
User = "etcd";
LimitNOFILE = 40000;
};
diff --git a/nixpkgs/nixos/modules/services/misc/felix.nix b/nixpkgs/nixos/modules/services/misc/felix.nix
index 188e45abc58..21740c8c0b7 100644
--- a/nixpkgs/nixos/modules/services/misc/felix.nix
+++ b/nixpkgs/nixos/modules/services/misc/felix.nix
@@ -17,10 +17,7 @@ in
services.felix = {
- enable = mkOption {
- default = false;
- description = "Whether to enable the Apache Felix OSGi service";
- };
+ enable = mkEnableOption "the Apache Felix OSGi service";
bundles = mkOption {
type = types.listOf types.package;
diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix
index 38910a5a005..f8bcedc94fe 100644
--- a/nixpkgs/nixos/modules/services/misc/gitea.nix
+++ b/nixpkgs/nixos/modules/services/misc/gitea.nix
@@ -14,53 +14,9 @@ let
RUN_USER = ${cfg.user}
RUN_MODE = prod
- [database]
- DB_TYPE = ${cfg.database.type}
- ${optionalString (usePostgresql || useMysql) ''
- HOST = ${if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port}
- NAME = ${cfg.database.name}
- USER = ${cfg.database.user}
- PASSWD = #dbpass#
- ''}
- ${optionalString useSqlite ''
- PATH = ${cfg.database.path}
- ''}
- ${optionalString usePostgresql ''
- SSL_MODE = disable
- ''}
-
- [repository]
- ROOT = ${cfg.repositoryRoot}
-
- [server]
- DOMAIN = ${cfg.domain}
- HTTP_ADDR = ${cfg.httpAddress}
- HTTP_PORT = ${toString cfg.httpPort}
- ROOT_URL = ${cfg.rootUrl}
- STATIC_ROOT_PATH = ${cfg.staticRootPath}
- LFS_JWT_SECRET = #jwtsecret#
-
- [session]
- COOKIE_NAME = session
- COOKIE_SECURE = ${boolToString cfg.cookieSecure}
-
- [security]
- SECRET_KEY = #secretkey#
- INSTALL_LOCK = true
-
- [log]
- ROOT_PATH = ${cfg.log.rootPath}
- LEVEL = ${cfg.log.level}
-
- [service]
- DISABLE_REGISTRATION = ${boolToString cfg.disableRegistration}
-
- ${optionalString (cfg.mailerPasswordFile != null) ''
- [mailer]
- PASSWD = #mailerpass#
- ''}
-
- ${cfg.extraConfig}
+ ${generators.toINI {} cfg.settings}
+
+ ${optionalString (cfg.extraConfig != null) cfg.extraConfig}
'';
in
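Review bot: `extraConfig` is now appended after `generators.toINI {} cfg.settings`, and since toINI emits sections in attribute order, lines in `extraConfig` that do not start with their own `[section]` header end up inside whichever section sorts last rather than after `[service]`/`[mailer]` as before; that silently changes where legacy extraConfig keys land. A comment such as `# extraConfig lines without a section header are attached to the last generated section` above the optionalString line, or a matching sentence in the extraConfig description, would make the deprecated path predictable. The configFile let binding starts before this hunk.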
@@ -279,9 +235,36 @@ in
'';
};
+ settings = mkOption {
+ type = with types; attrsOf (attrsOf (oneOf [ bool int str ]));
+ default = {};
+ description = ''
+ Gitea configuration. Refer to <link xlink:href="https://docs.gitea.io/en-us/config-cheat-sheet/"/>
+ for details on supported values.
+ '';
+ example = literalExample ''
+ {
+ "cron.sync_external_users" = {
+ RUN_AT_START = true;
+ SCHEDULE = "@every 24h";
+ UPDATE_EXISTING = true;
+ };
+ mailer = {
+ ENABLED = true;
+ MAILER_TYPE = "sendmail";
+ FROM = "do-not-reply@example.org";
+ SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+ };
+ other = {
+ SHOW_FOOTER_VERSION = false;
+ };
+ }
+ '';
+ };
+
extraConfig = mkOption {
- type = types.str;
- default = "";
+ type = with types; nullOr str;
+ default = null;
description = "Configuration lines appended to the generated gitea configuration file.";
};
};
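Review bot: The `settings` description should state that every value is written into the generated app.ini in the Nix store, which is world-readable, so secrets must not be placed here; the module's placeholder mechanism (`#dbpass#`, `#secretkey#`, `#jwtsecret#`, `#mailerpass#`) and the `passwordFile`/`mailerPasswordFile` options are the supported way to pass them. Suggested addition to the description: `Values are stored in the Nix store; do not put passwords or tokens here, use the dedicated *File options instead.` The `oneOf [ bool int str ]` type looks fine given that toINI renders booleans as true/false, which Gitea accepts.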
@@ -294,6 +277,62 @@ in
}
];
+ services.gitea.settings = {
+ database = mkMerge [
+ {
+ DB_TYPE = cfg.database.type;
+ }
+ (mkIf (useMysql || usePostgresql) {
+ HOST = if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port;
+ NAME = cfg.database.name;
+ USER = cfg.database.user;
+ PASSWD = "#dbpass#";
+ })
+ (mkIf useSqlite {
+ PATH = cfg.database.path;
+ })
+ (mkIf usePostgresql {
+ SSL_MODE = "disable";
+ })
+ ];
+
+ repository = {
+ ROOT = cfg.repositoryRoot;
+ };
+
+ server = {
+ DOMAIN = cfg.domain;
+ HTTP_ADDR = cfg.httpAddress;
+ HTTP_PORT = cfg.httpPort;
+ ROOT_URL = cfg.rootUrl;
+ STATIC_ROOT_PATH = cfg.staticRootPath;
+ LFS_JWT_SECRET = "#jwtsecret#";
+ };
+
+ session = {
+ COOKIE_NAME = "session";
+ COOKIE_SECURE = cfg.cookieSecure;
+ };
+
+ security = {
+ SECRET_KEY = "#secretkey#";
+ INSTALL_LOCK = true;
+ };
+
+ log = {
+ ROOT_PATH = cfg.log.rootPath;
+ LEVEL = cfg.log.level;
+ };
+
+ service = {
+ DISABLE_REGISTRATION = cfg.disableRegistration;
+ };
+
+ mailer = mkIf (cfg.mailerPasswordFile != null) {
+ PASSWD = "#mailerpass#";
+ };
+ };
+
services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
enable = mkDefault true;
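Review bot: The module-provided keys in `services.gitea.settings` (`server.HTTP_PORT`, `security.SECRET_KEY`, `database.DB_TYPE`, and so on) are defined at normal priority, so a user who sets the same key through `settings` gets a conflicting-definitions error instead of an override, while keys the module does not define merge freely; this asymmetry is not documented. Either wrap the module's values in `mkDefault` where overriding is acceptable, or add to the `settings` description that keys managed by the dedicated options (`httpPort`, `domain`, `database.*`, `log.*`, ...) must be set through those options. Keeping `security.SECRET_KEY`, `server.LFS_JWT_SECRET` and `database.PASSWD` non-overridable is arguably the right call, since they are replaced from files at start; a comment saying so would help. The enclosing config block starts before the hunk.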
@@ -335,7 +374,7 @@ in
description = "gitea";
after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
wantedBy = [ "multi-user.target" ];
- path = [ gitea.bin pkgs.gitAndTools.git ];
+ path = [ gitea pkgs.gitAndTools.git ];
preStart = let
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
@@ -347,11 +386,11 @@ in
cp -f ${configFile} ${runConfig}
if [ ! -e ${secretKey} ]; then
- ${gitea.bin}/bin/gitea generate secret SECRET_KEY > ${secretKey}
+ ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
fi
if [ ! -e ${jwtSecret} ]; then
- ${gitea.bin}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret}
+ ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret}
fi
KEY="$(head -n1 ${secretKey})"
@@ -374,7 +413,7 @@ in
HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 6 -type f -wholename "*git/hooks/*")
if [ "$HOOKS" ]
then
- sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' $HOOKS
+ sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea}/bin/gitea,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS
@@ -383,7 +422,7 @@ in
# update command option in authorized_keys
if [ -r ${cfg.stateDir}/.ssh/authorized_keys ]
then
- sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys
+ sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys
fi
'';
@@ -392,7 +431,7 @@ in
User = cfg.user;
Group = "gitea";
WorkingDirectory = cfg.stateDir;
- ExecStart = "${gitea.bin}/bin/gitea web";
+ ExecStart = "${gitea}/bin/gitea web";
Restart = "always";
# Filesystem
@@ -435,9 +474,12 @@ in
users.groups.gitea = {};
- warnings = optional (cfg.database.password != "")
- ''config.services.gitea.database.password will be stored as plaintext
- in the Nix store. Use database.passwordFile instead.'';
+ warnings =
+ optional (cfg.database.password != "") ''
+ config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.'' ++
+ optional (cfg.extraConfig != null) ''
+ services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`.
+ '';
# Create database passwordFile default when password is configured.
services.gitea.database.passwordFile =
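Review bot: The two warning strings are terminated differently: the first closes on the same line as its text, while the deprecation warning keeps a trailing newline before `''`, which is printed as part of the message. Ending it as `services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`.'';` matches the first warning and avoids the extra blank line in the trace output. The `warnings` definition is complete within the hunk; the surrounding config block is not.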
@@ -450,7 +492,7 @@ in
description = "gitea dump";
after = [ "gitea.service" ];
wantedBy = [ "default.target" ];
- path = [ gitea.bin ];
+ path = [ gitea ];
environment = {
USER = cfg.user;
@@ -461,7 +503,7 @@ in
serviceConfig = {
Type = "oneshot";
User = cfg.user;
- ExecStart = "${gitea.bin}/bin/gitea dump";
+ ExecStart = "${gitea}/bin/gitea dump";
WorkingDirectory = cfg.stateDir;
};
};
diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.nix b/nixpkgs/nixos/modules/services/misc/gitlab.nix
index aa958985379..730166b04d2 100644
--- a/nixpkgs/nixos/modules/services/misc/gitlab.nix
+++ b/nixpkgs/nixos/modules/services/misc/gitlab.nix
@@ -180,7 +180,7 @@ let
${optionalString (cfg.smtp.passwordFile != null) ''password: "@smtpPassword@",''}
domain: "${cfg.smtp.domain}",
${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"}
- enable_starttls_auto: ${toString cfg.smtp.enableStartTLSAuto},
+ enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto},
ca_file: "/etc/ssl/certs/ca-certificates.crt",
openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}'
}
diff --git a/nixpkgs/nixos/modules/services/misc/gogs.nix b/nixpkgs/nixos/modules/services/misc/gogs.nix
index ee99967c261..c5070aaa356 100644
--- a/nixpkgs/nixos/modules/services/misc/gogs.nix
+++ b/nixpkgs/nixos/modules/services/misc/gogs.nix
@@ -200,7 +200,7 @@ in
description = "Gogs (Go Git Service)";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- path = [ pkgs.gogs.bin ];
+ path = [ pkgs.gogs ];
preStart = let
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
@@ -230,7 +230,7 @@ in
HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 4 -type f -wholename "*git/hooks/*")
if [ "$HOOKS" ]
then
- sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gogs,${pkgs.gogs.bin}/bin/gogs,g' $HOOKS
+ sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gogs,${pkgs.gogs}/bin/gogs,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS
@@ -242,7 +242,7 @@ in
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.stateDir;
- ExecStart = "${pkgs.gogs.bin}/bin/gogs web";
+ ExecStart = "${pkgs.gogs}/bin/gogs web";
Restart = "always";
};
diff --git a/nixpkgs/nixos/modules/services/misc/ihaskell.nix b/nixpkgs/nixos/modules/services/misc/ihaskell.nix
index 11597706d0d..684a242d738 100644
--- a/nixpkgs/nixos/modules/services/misc/ihaskell.nix
+++ b/nixpkgs/nixos/modules/services/misc/ihaskell.nix
@@ -15,6 +15,7 @@ in
options = {
services.ihaskell = {
enable = mkOption {
+ type = types.bool;
default = false;
description = "Autostart an IHaskell notebook service.";
};
diff --git a/nixpkgs/nixos/modules/services/misc/leaps.nix b/nixpkgs/nixos/modules/services/misc/leaps.nix
index d4e88ecbebd..ef89d3e64d0 100644
--- a/nixpkgs/nixos/modules/services/misc/leaps.nix
+++ b/nixpkgs/nixos/modules/services/misc/leaps.nix
@@ -55,7 +55,7 @@ in
Restart = "on-failure";
WorkingDirectory = stateDir;
PrivateTmp = true;
- ExecStart = "${pkgs.leaps.bin}/bin/leaps -path ${toString cfg.path} -address ${cfg.address}:${toString cfg.port}";
+ ExecStart = "${pkgs.leaps}/bin/leaps -path ${toString cfg.path} -address ${cfg.address}:${toString cfg.port}";
};
};
};
diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
index 0c2407e1dd2..2577cb78e96 100644
--- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
@@ -283,7 +283,7 @@ in
trustedBinaryCaches = mkOption {
type = types.listOf types.str;
default = [ ];
- example = [ "http://hydra.nixos.org/" ];
+ example = [ "https://hydra.nixos.org/" ];
description = ''
List of binary cache URLs that non-root users can use (in
addition to those specified using
@@ -510,8 +510,7 @@ in
system.activationScripts.nix = stringAfter [ "etc" "users" ]
''
- # Create directories in /nix.
- ${nix}/bin/nix ping-store --no-net
+ install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user
# Subscribe the root user to the NixOS channel by default.
if [ ! -e "/root/.nix-channels" ]; then
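Review bot: The `install -m 0755 -d` line replaces the removed `# Create directories in /nix.` comment with nothing, so the next reader has no indication why `nix ping-store` was dropped or why only the `per-user` directories are created here at mode 0755. A comment such as `# Create the per-user GC-root and profile directories in /nix/var/nix (root-owned, 0755) instead of relying on nix ping-store` would document the choice; the mode and ownership are presumably meant to match what the Nix daemon now expects, which is worth stating explicitly if that is the reason. The brace expansion also relies on the activation script running under bash, which appears to be the case here. The activation script continues outside this hunk.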
diff --git a/nixpkgs/nixos/modules/services/misc/octoprint.nix b/nixpkgs/nixos/modules/services/misc/octoprint.nix
index 651ed374388..7a71d2c8c6a 100644
--- a/nixpkgs/nixos/modules/services/misc/octoprint.nix
+++ b/nixpkgs/nixos/modules/services/misc/octoprint.nix
@@ -17,9 +17,9 @@ let
cfgUpdate = pkgs.writeText "octoprint-config.yaml" (builtins.toJSON fullConfig);
- pluginsEnv = pkgs.python.buildEnv.override {
- extraLibs = cfg.plugins pkgs.octoprint-plugins;
- };
+ pluginsEnv = package.python.withPackages (ps: [ps.octoprint] ++ (cfg.plugins ps));
+
+ package = pkgs.octoprint;
in
{
@@ -106,7 +106,6 @@ in
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = [ pluginsEnv ];
- environment.PYTHONPATH = makeSearchPathOutput "lib" pkgs.python.sitePackages [ pluginsEnv ];
preStart = ''
if [ -e "${cfg.stateDir}/config.yaml" ]; then
@@ -119,7 +118,7 @@ in
'';
serviceConfig = {
- ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}";
+ ExecStart = "${pluginsEnv}/bin/octoprint serve -b ${cfg.stateDir}";
User = cfg.user;
Group = cfg.group;
};
diff --git a/nixpkgs/nixos/modules/services/misc/pykms.nix b/nixpkgs/nixos/modules/services/misc/pykms.nix
index 25aa27ae767..d6aeae48ccb 100644
--- a/nixpkgs/nixos/modules/services/misc/pykms.nix
+++ b/nixpkgs/nixos/modules/services/misc/pykms.nix
@@ -82,6 +82,7 @@ in {
]);
ProtectHome = "tmpfs";
WorkingDirectory = libDir;
+ SyslogIdentifier = "pykms";
Restart = "on-failure";
MemoryLimit = cfg.memoryLimit;
};
diff --git a/nixpkgs/nixos/modules/services/misc/redmine.nix b/nixpkgs/nixos/modules/services/misc/redmine.nix
index 3b8c14d196f..1febdba0c8f 100644
--- a/nixpkgs/nixos/modules/services/misc/redmine.nix
+++ b/nixpkgs/nixos/modules/services/misc/redmine.nix
@@ -132,7 +132,7 @@ in
example = literalExample ''
{
dkuk-redmine_alex_skin = builtins.fetchurl {
- url = https://bitbucket.org/dkuk/redmine_alex_skin/get/1842ef675ef3.zip;
+ url = "https://bitbucket.org/dkuk/redmine_alex_skin/get/1842ef675ef3.zip";
sha256 = "0hrin9lzyi50k4w2bd2b30vrf1i4fi1c0gyas5801wn8i7kpm9yl";
};
}
@@ -146,7 +146,7 @@ in
example = literalExample ''
{
redmine_env_auth = builtins.fetchurl {
- url = https://github.com/Intera/redmine_env_auth/archive/0.6.zip;
+ url = "https://github.com/Intera/redmine_env_auth/archive/0.6.zip";
sha256 = "0yyr1yjd8gvvh832wdc8m3xfnhhxzk2pk3gm2psg5w9jdvd6skak";
};
}
diff --git a/nixpkgs/nixos/modules/services/misc/safeeyes.nix b/nixpkgs/nixos/modules/services/misc/safeeyes.nix
index 1a33971d922..6ecb0d13187 100644
--- a/nixpkgs/nixos/modules/services/misc/safeeyes.nix
+++ b/nixpkgs/nixos/modules/services/misc/safeeyes.nix
@@ -16,10 +16,7 @@ in
services.safeeyes = {
- enable = mkOption {
- default = false;
- description = "Whether to enable the safeeyes OSGi service";
- };
+ enable = mkEnableOption "the safeeyes OSGi service";
};
diff --git a/nixpkgs/nixos/modules/services/misc/ssm-agent.nix b/nixpkgs/nixos/modules/services/misc/ssm-agent.nix
index e951a4c7ffa..f7c05deeecb 100644
--- a/nixpkgs/nixos/modules/services/misc/ssm-agent.nix
+++ b/nixpkgs/nixos/modules/services/misc/ssm-agent.nix
@@ -35,7 +35,7 @@ in {
path = [ fake-lsb-release ];
serviceConfig = {
- ExecStart = "${cfg.package.bin}/bin/agent";
+ ExecStart = "${cfg.package}/bin/agent";
KillMode = "process";
Restart = "on-failure";
RestartSec = "15min";
@@ -43,4 +43,3 @@ in {
};
};
}
-
diff --git a/nixpkgs/nixos/modules/services/misc/sssd.nix b/nixpkgs/nixos/modules/services/misc/sssd.nix
index 36008d25741..3da99a3b38c 100644
--- a/nixpkgs/nixos/modules/services/misc/sssd.nix
+++ b/nixpkgs/nixos/modules/services/misc/sssd.nix
@@ -42,11 +42,6 @@ in {
};
config = mkMerge [
(mkIf cfg.enable {
- assertions = singleton {
- assertion = nscd.enable;
- message = "nscd must be enabled through `services.nscd.enable` for SSSD to work.";
- };
-
systemd.services.sssd = {
description = "System Security Services Daemon";
wantedBy = [ "multi-user.target" ];
@@ -74,7 +69,13 @@ in {
mode = "0400";
};
- system.nssModules = optional cfg.enable pkgs.sssd;
+ system.nssModules = pkgs.sssd;
+ system.nssDatabases = {
+ group = [ "sss" ];
+ passwd = [ "sss" ];
+ services = [ "sss" ];
+ shadow = [ "sss" ];
+ };
services.dbus.packages = [ pkgs.sssd ];
})
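Review bot: `system.nssModules = pkgs.sssd;` assigns a single derivation where the other modules touched in this series (samba at `optional cfg.nsswins samba`, avahi at `optional cfg.nssmdns pkgs.nssmdns`) assign a list, and the removed line was itself a list via `optional cfg.enable`. Unless the option coerces a bare path, this should be `system.nssModules = [ pkgs.sssd ];`. It would also help to add a comment noting that the nscd assertion removed in the earlier hunk is now covered by `system.nssDatabases`, since that dependency is no longer visible in this file. The `mkIf cfg.enable` block starts outside this hunk.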
diff --git a/nixpkgs/nixos/modules/services/misc/svnserve.nix b/nixpkgs/nixos/modules/services/misc/svnserve.nix
index 6292bc52b1e..3335ed09d40 100644
--- a/nixpkgs/nixos/modules/services/misc/svnserve.nix
+++ b/nixpkgs/nixos/modules/services/misc/svnserve.nix
@@ -18,6 +18,7 @@ in
services.svnserve = {
enable = mkOption {
+ type = types.bool;
default = false;
description = "Whether to enable svnserve to serve Subversion repositories through the SVN protocol.";
};
diff --git a/nixpkgs/nixos/modules/services/misc/synergy.nix b/nixpkgs/nixos/modules/services/misc/synergy.nix
index bfab8c534d8..5b7cf3ac46c 100644
--- a/nixpkgs/nixos/modules/services/misc/synergy.nix
+++ b/nixpkgs/nixos/modules/services/misc/synergy.nix
@@ -19,12 +19,8 @@ in
# !!! All these option descriptions needs to be cleaned up.
client = {
- enable = mkOption {
- default = false;
- description = "
- Whether to enable the Synergy client (receive keyboard and mouse events from a Synergy server).
- ";
- };
+ enable = mkEnableOption "the Synergy client (receive keyboard and mouse events from a Synergy server)";
+
screenName = mkOption {
default = "";
description = ''
@@ -47,12 +43,8 @@ in
};
server = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable the Synergy server (send keyboard and mouse events).
- '';
- };
+ enable = mkEnableOption "the Synergy server (send keyboard and mouse events)";
+
configFile = mkOption {
default = "/etc/synergy-server.conf";
description = "The Synergy server configuration file.";
diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix
index d5b3537068d..d9d34b7fac9 100644
--- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix
+++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix
@@ -63,10 +63,6 @@ let
${cfg.extraConfig}
'';
- phpExtensions = with pkgs.phpPackages; [
- { pkg = apcu; name = "apcu"; }
- ];
-
in {
options = {
services.zoneminder = with lib; {
@@ -289,11 +285,9 @@ in {
phpfpm = lib.mkIf useNginx {
pools.zoneminder = {
inherit user group;
+ phpPackage = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu ]);
phpOptions = ''
date.timezone = "${config.time.timeZone}"
-
- ${lib.concatStringsSep "\n" (map (e:
- "extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)}
'';
settings = lib.mapAttrs (name: lib.mkDefault) {
"listen.owner" = user;
diff --git a/nixpkgs/nixos/modules/services/monitoring/bosun.nix b/nixpkgs/nixos/modules/services/monitoring/bosun.nix
index b1c12cce1f8..04e9da1c81a 100644
--- a/nixpkgs/nixos/modules/services/monitoring/bosun.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/bosun.nix
@@ -148,7 +148,7 @@ in {
User = cfg.user;
Group = cfg.group;
ExecStart = ''
- ${cfg.package.bin}/bin/bosun -c ${configFile}
+ ${cfg.package}/bin/bosun -c ${configFile}
'';
};
};
diff --git a/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix b/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix
index 2c5fe47242e..f1cb890794e 100644
--- a/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix
@@ -225,7 +225,7 @@ in {
Restart = "always";
RestartSec = 2;
};
- restartTriggers = [ datadogPkg ] ++ attrNames etcfiles;
+ restartTriggers = [ datadogPkg ] ++ map (x: x.source) (attrValues etcfiles);
} attrs;
in {
datadog-agent = makeService {
diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix b/nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix
index b5a78e4583e..893c15d568b 100644
--- a/nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix
@@ -59,7 +59,7 @@ in {
"-templates ${cfg.templateDir}"
];
in {
- ExecStart = "${pkgs.grafana_reporter.bin}/bin/grafana-reporter ${args}";
+ ExecStart = "${pkgs.grafana_reporter}/bin/grafana-reporter ${args}";
};
};
};
diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/nixpkgs/nixos/modules/services/monitoring/grafana.nix
index 0f8bc2471e3..b0c81a46d4d 100644
--- a/nixpkgs/nixos/modules/services/monitoring/grafana.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/grafana.nix
@@ -535,7 +535,7 @@ in {
${optionalString cfg.provision.enable ''
export GF_PATHS_PROVISIONING=${provisionConfDir};
''}
- exec ${cfg.package.bin}/bin/grafana-server -homepath ${cfg.dataDir}
+ exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir}
'';
serviceConfig = {
WorkingDirectory = cfg.dataDir;
diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix
index 045e48a3d0f..01276366e97 100644
--- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix
@@ -58,7 +58,7 @@ in
in {
serviceConfig = {
ExecStart = ''
- ${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \
+ ${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter \
--config.file=${escapeShellArg configFile} \
--log.format=${escapeShellArg cfg.logFormat} \
--log.level=${cfg.logLevel} \
diff --git a/nixpkgs/nixos/modules/services/monitoring/scollector.nix b/nixpkgs/nixos/modules/services/monitoring/scollector.nix
index 38cd2213de7..6f13ce889cb 100644
--- a/nixpkgs/nixos/modules/services/monitoring/scollector.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/scollector.nix
@@ -118,7 +118,7 @@ in {
serviceConfig = {
User = cfg.user;
Group = cfg.group;
- ExecStart = "${cfg.package.bin}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}";
+ ExecStart = "${cfg.package}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}";
};
};
diff --git a/nixpkgs/nixos/modules/services/monitoring/tuptime.nix b/nixpkgs/nixos/modules/services/monitoring/tuptime.nix
new file mode 100644
index 00000000000..731260a5c20
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/monitoring/tuptime.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.tuptime;
+
+in {
+
+ options.services.tuptime = {
+
+ enable = mkEnableOption "the total uptime service";
+
+ timer = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to regularly log uptime to detect bad shutdowns.";
+ };
+
+ period = mkOption {
+ type = types.str;
+ default = "*:0/5";
+ description = "systemd calendar event";
+ };
+ };
+ };
+
+
+ config = mkIf cfg.enable {
+
+ environment.systemPackages = [ pkgs.tuptime ];
+
+ users.users.tuptime.description = "tuptime database owner";
+
+ systemd = {
+ services = {
+
+ tuptime = {
+ description = "the total uptime service";
+ documentation = [ "man:tuptime(1)" ];
+ after = [ "time-sync.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ StateDirectory = "tuptime";
+ Type = "oneshot";
+ User = "tuptime";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.tuptime}/bin/tuptime -x";
+ ExecStop = "${pkgs.tuptime}/bin/tuptime -xg";
+ };
+ };
+
+ tuptime-oneshot = mkIf cfg.timer.enable {
+ description = "the tuptime scheduled execution unit";
+ serviceConfig = {
+ StateDirectory = "tuptime";
+ Type = "oneshot";
+ User = "tuptime";
+ ExecStart = "${pkgs.tuptime}/bin/tuptime -x";
+ };
+ };
+ };
+
+ timers.tuptime = mkIf cfg.timer.enable {
+ description = "the tuptime scheduled execution timer";
+ # this timer should be started if the service is started
+ # even if the timer was previously stopped
+ wantedBy = [ "tuptime.service" "timers.target" ];
+ # this timer should be stopped if the service is stopped
+ partOf = [ "tuptime.service" ];
+ timerConfig = {
+ OnBootSec = "1min";
+ OnCalendar = cfg.timer.period;
+ Unit = "tuptime-oneshot.service";
+ };
+ };
+ };
+ };
+
+ meta.maintainers = [ maintainers.evils ];
+
+}
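Review bot: `users.users.tuptime.description = "tuptime database owner";` declares the service account with no `isSystemUser = true` (or uid) and no group, even though both units run as `User = "tuptime"` and write to `StateDirectory = "tuptime"`; if `isSystemUser` is available on this branch, `users.users.tuptime = { description = "tuptime database owner"; isSystemUser = true; };` declares the account the way a daemon user should be. The `timer.period` description `"systemd calendar event"` is also too terse for a `types.str` option that is passed straight to `OnCalendar`; `description = "systemd calendar expression for the periodic uptime log (see systemd.time(7))";` tells the user what format is expected.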
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix b/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix
index b6d881afd7b..1f5c14d777d 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix
@@ -37,9 +37,7 @@ let
baseService = recursiveUpdate commonEnv {
wants = [ "ipfs-init.service" ];
# NB: migration must be performed prior to pre-start, else we get the failure message!
- preStart = ''
- ipfs repo fsck # workaround for BUG #4212 (https://github.com/ipfs/go-ipfs/issues/4214)
- '' + optionalString cfg.autoMount ''
+ preStart = optionalString cfg.autoMount ''
ipfs --local config Mounts.FuseAllowOther --json true
ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir}
ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir}
@@ -219,6 +217,9 @@ in {
createHome = false;
uid = config.ids.uids.ipfs;
description = "IPFS daemon user";
+ packages = [
+ pkgs.ipfs-migrator
+ ];
};
};
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix b/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix
index 5422d4dd4e2..7674c8f7fa8 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix
@@ -43,10 +43,7 @@ in
options = {
services.netatalk = {
- enable = mkOption {
- default = false;
- description = "Whether to enable the Netatalk AFP fileserver.";
- };
+ enable = mkEnableOption "the Netatalk AFP fileserver";
port = mkOption {
default = 548;
@@ -65,6 +62,7 @@ in
homes = {
enable = mkOption {
+ type = types.bool;
default = false;
description = "Enable sharing of the UNIX server user home directories.";
};
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix b/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix
index ccad64cfdb2..fa29e18a939 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix
@@ -29,10 +29,7 @@ in
options = {
services.rsyncd = {
- enable = mkOption {
- default = false;
- description = "Whether to enable the rsync daemon.";
- };
+ enable = mkEnableOption "the rsync daemon";
motd = mkOption {
type = types.str;
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
index a115590ccaa..08c912e0fcd 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
@@ -224,6 +224,7 @@ in
(mkIf cfg.enable {
system.nssModules = optional cfg.nsswins samba;
+ system.nssDatabases.hosts = optional cfg.nsswins "wins";
systemd = {
targets.samba = {
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix b/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix
index c93e201da56..b8f8c1d7117 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix
@@ -100,11 +100,13 @@ in
dir = {
enable = mkOption {
+ type = types.bool;
default = true;
description = ''
Whether to enable XtreemFS DIR service.
'';
};
+
uuid = mkOption {
example = "eacb6bab-f444-4ebf-a06a-3f72d7465e40";
description = ''
@@ -218,11 +220,13 @@ in
mrc = {
enable = mkOption {
+ type = types.bool;
default = true;
description = ''
Whether to enable XtreemFS MRC service.
'';
};
+
uuid = mkOption {
example = "eacb6bab-f444-4ebf-a06a-3f72d7465e41";
description = ''
@@ -354,11 +358,13 @@ in
osd = {
enable = mkOption {
+ type = types.bool;
default = true;
description = ''
Whether to enable XtreemFS OSD service.
'';
};
+
uuid = mkOption {
example = "eacb6bab-f444-4ebf-a06a-3f72d7465e42";
description = ''
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix b/nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix
index 0aa01ef9e6d..cc73f13bf77 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix
@@ -21,6 +21,7 @@ in
services.yandex-disk = {
enable = mkOption {
+ type = types.bool;
default = false;
description = "
Whether to enable Yandex-disk client. See https://disk.yandex.ru/
diff --git a/nixpkgs/nixos/modules/services/networking/amuled.nix b/nixpkgs/nixos/modules/services/networking/amuled.nix
index 57f02542eaf..1128ee2c3e6 100644
--- a/nixpkgs/nixos/modules/services/networking/amuled.nix
+++ b/nixpkgs/nixos/modules/services/networking/amuled.nix
@@ -16,6 +16,7 @@ in
services.amule = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to run the AMule daemon. You need to manually run "amuled --ec-config" to configure the service for the first time.
diff --git a/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix b/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix
index ddcfe3d77e2..c876b252e8c 100644
--- a/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix
@@ -238,6 +238,10 @@ in
users.groups.avahi = {};
system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
+ system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
+ [ "mdns_minimal [NOTFOUND=return]" ]
+ (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
+ ]);
environment.systemPackages = [ pkgs.avahi ];
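Review bot: `optionals cfg.nssmdns (mkMerge [...])` passes an `mkMerge` attrset where `optionals` expects a list, and only works because the value is returned unchanged when the condition holds. `system.nssDatabases.hosts = mkIf cfg.nssmdns (mkMerge [ ... ]);` expresses the conditional definition directly and keeps the module-system value out of a list helper. The `# 1501 to ensure it's after dns` comment is useful; a matching note on the `mdns_minimal [NOTFOUND=return]` entry saying which order it relies on would complete it. The enclosing config block starts outside this hunk.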
diff --git a/nixpkgs/nixos/modules/services/networking/babeld.nix b/nixpkgs/nixos/modules/services/networking/babeld.nix
index de863461eab..e62c74d0069 100644
--- a/nixpkgs/nixos/modules/services/networking/babeld.nix
+++ b/nixpkgs/nixos/modules/services/networking/babeld.nix
@@ -35,12 +35,7 @@ in
services.babeld = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to run the babeld network routing daemon.
- '';
- };
+ enable = mkEnableOption "the babeld network routing daemon";
interfaceDefaults = mkOption {
default = null;
diff --git a/nixpkgs/nixos/modules/services/networking/bind.nix b/nixpkgs/nixos/modules/services/networking/bind.nix
index e3b95afb3d8..faad8863575 100644
--- a/nixpkgs/nixos/modules/services/networking/bind.nix
+++ b/nixpkgs/nixos/modules/services/networking/bind.nix
@@ -68,12 +68,7 @@ in
services.bind = {
- enable = mkOption {
- default = false;
- description = "
- Whether to enable BIND domain name server.
- ";
- };
+ enable = mkEnableOption "BIND domain name server";
cacheNetworks = mkOption {
default = ["127.0.0.0/24"];
diff --git a/nixpkgs/nixos/modules/services/networking/bitlbee.nix b/nixpkgs/nixos/modules/services/networking/bitlbee.nix
index 01a16698384..9ebf382fce4 100644
--- a/nixpkgs/nixos/modules/services/networking/bitlbee.nix
+++ b/nixpkgs/nixos/modules/services/networking/bitlbee.nix
@@ -48,6 +48,7 @@ in
services.bitlbee = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to run the BitlBee IRC to other chat network gateway.
diff --git a/nixpkgs/nixos/modules/services/networking/cntlm.nix b/nixpkgs/nixos/modules/services/networking/cntlm.nix
index 4e4e3104c3a..5b5068e43d7 100644
--- a/nixpkgs/nixos/modules/services/networking/cntlm.nix
+++ b/nixpkgs/nixos/modules/services/networking/cntlm.nix
@@ -33,12 +33,7 @@ in
options.services.cntlm = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable the cntlm, which start a local proxy.
- '';
- };
+ enable = mkEnableOption "cntlm, which starts a local proxy";
username = mkOption {
description = ''
diff --git a/nixpkgs/nixos/modules/services/networking/consul.nix b/nixpkgs/nixos/modules/services/networking/consul.nix
index 689cbc8a986..f7d2afead06 100644
--- a/nixpkgs/nixos/modules/services/networking/consul.nix
+++ b/nixpkgs/nixos/modules/services/networking/consul.nix
@@ -179,15 +179,15 @@ in
(filterAttrs (n: _: hasPrefix "consul.d/" n) config.environment.etc);
serviceConfig = {
- ExecStart = "@${cfg.package.bin}/bin/consul consul agent -config-dir /etc/consul.d"
+ ExecStart = "@${cfg.package}/bin/consul consul agent -config-dir /etc/consul.d"
+ concatMapStrings (n: " -config-file ${n}") configFiles;
- ExecReload = "${cfg.package.bin}/bin/consul reload";
+ ExecReload = "${cfg.package}/bin/consul reload";
PermissionsStartOnly = true;
User = if cfg.dropPrivileges then "consul" else null;
Restart = "on-failure";
TimeoutStartSec = "infinity";
} // (optionalAttrs (cfg.leaveOnStop) {
- ExecStop = "${cfg.package.bin}/bin/consul leave";
+ ExecStop = "${cfg.package}/bin/consul leave";
});
path = with pkgs; [ iproute gnugrep gawk consul ];
@@ -238,7 +238,7 @@ in
serviceConfig = {
ExecStart = ''
- ${cfg.alerts.package.bin}/bin/consul-alerts start \
+ ${cfg.alerts.package}/bin/consul-alerts start \
--alert-addr=${cfg.alerts.listenAddr} \
--consul-addr=${cfg.alerts.consulAddr} \
${optionalString cfg.alerts.watchChecks "--watch-checks"} \
diff --git a/nixpkgs/nixos/modules/services/networking/flannel.nix b/nixpkgs/nixos/modules/services/networking/flannel.nix
index dd2f6454e95..4c040112d28 100644
--- a/nixpkgs/nixos/modules/services/networking/flannel.nix
+++ b/nixpkgs/nixos/modules/services/networking/flannel.nix
@@ -19,8 +19,8 @@ in {
package = mkOption {
description = "Package to use for flannel";
type = types.package;
- default = pkgs.flannel.bin;
- defaultText = "pkgs.flannel.bin";
+ default = pkgs.flannel;
+ defaultText = "pkgs.flannel";
};
publicIp = mkOption {
@@ -167,7 +167,7 @@ in {
touch /run/flannel/docker
'' + optionalString (cfg.storageBackend == "etcd") ''
echo "setting network configuration"
- until ${pkgs.etcdctl.bin}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
+ until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
do
echo "setting network configuration, retry"
sleep 1
diff --git a/nixpkgs/nixos/modules/services/networking/flashpolicyd.nix b/nixpkgs/nixos/modules/services/networking/flashpolicyd.nix
index 9c51b88ef67..7f25083307c 100644
--- a/nixpkgs/nixos/modules/services/networking/flashpolicyd.nix
+++ b/nixpkgs/nixos/modules/services/networking/flashpolicyd.nix
@@ -39,6 +39,7 @@ in
services.flashpolicyd = {
enable = mkOption {
+ type = types.bool;
default = false;
description =
''
diff --git a/nixpkgs/nixos/modules/services/networking/gogoclient.nix b/nixpkgs/nixos/modules/services/networking/gogoclient.nix
index c9b03bca711..99455b18314 100644
--- a/nixpkgs/nixos/modules/services/networking/gogoclient.nix
+++ b/nixpkgs/nixos/modules/services/networking/gogoclient.nix
@@ -19,6 +19,7 @@ in
'';
};
autorun = mkOption {
+ type = types.bool;
default = true;
description = ''
Whether to automatically start the tunnel.
diff --git a/nixpkgs/nixos/modules/services/networking/gvpe.nix b/nixpkgs/nixos/modules/services/networking/gvpe.nix
index 3ef3548e0a0..92e87cd4640 100644
--- a/nixpkgs/nixos/modules/services/networking/gvpe.nix
+++ b/nixpkgs/nixos/modules/services/networking/gvpe.nix
@@ -42,12 +42,8 @@ in
{
options = {
services.gvpe = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to run gvpe
- '';
- };
+ enable = lib.mkEnableOption "gvpe";
+
nodename = mkOption {
default = null;
description =''
diff --git a/nixpkgs/nixos/modules/services/networking/hostapd.nix b/nixpkgs/nixos/modules/services/networking/hostapd.nix
index 2915b54f05b..5d73038363a 100644
--- a/nixpkgs/nixos/modules/services/networking/hostapd.nix
+++ b/nixpkgs/nixos/modules/services/networking/hostapd.nix
@@ -20,12 +20,14 @@ let
ssid=${cfg.ssid}
hw_mode=${cfg.hwMode}
channel=${toString cfg.channel}
+ ${optionalString (cfg.countryCode != null) ''country_code=${cfg.countryCode}''}
+ ${optionalString (cfg.countryCode != null) ''ieee80211d=1''}
# logging (debug level)
logger_syslog=-1
- logger_syslog_level=2
+ logger_syslog_level=${toString cfg.logLevel}
logger_stdout=-1
- logger_stdout_level=2
+ logger_stdout_level=${toString cfg.logLevel}
ctrl_interface=/run/hostapd
ctrl_interface_group=${cfg.group}
@@ -49,6 +51,7 @@ in
services.hostapd = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Enable putting a wireless interface into infrastructure mode,
@@ -71,6 +74,7 @@ in
};
noScan = mkOption {
+ type = types.bool;
default = false;
description = ''
Do not scan for overlapping BSSs in HT40+/- mode.
@@ -126,6 +130,7 @@ in
};
wpa = mkOption {
+ type = types.bool;
default = true;
description = ''
Enable WPA (IEEE 802.11i/D3.0) to authenticate with the access point.
@@ -144,6 +149,35 @@ in
'';
};
+ logLevel = mkOption {
+ default = 2;
+ type = types.int;
+ description = ''
+ Levels (minimum value for logged events):
+ 0 = verbose debugging
+ 1 = debugging
+ 2 = informational messages
+ 3 = notification
+ 4 = warning
+ '';
+ };
+
+ countryCode = mkOption {
+ default = null;
+ example = "US";
+ type = with types; nullOr str;
+ description = ''
+ Country code (ISO/IEC 3166-1). Used to set regulatory domain.
+ Set as needed to indicate country in which device is operating.
+ This can limit available channels and transmit power.
+ These two octets are used as the first two octets of the Country String
+ (dot11CountryString).
+ If set this enables IEEE 802.11d. This advertises the countryCode and
+ the set of allowed channels and transmit power levels based on the
+ regulatory limits.
+ '';
+ };
+
extraConfig = mkOption {
default = "";
example = ''
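Review bot: `logLevel` is declared as `types.int` while its description enumerates exactly the values 0 through 4, and the value is interpolated unchecked into `logger_syslog_level` and `logger_stdout_level` in the first hunk. `type = types.ints.between 0 4;` turns the documented range into a build-time check instead of a runtime hostapd configuration error. The `countryCode` option could likewise document that the value is written verbatim into `country_code=` and also enables `ieee80211d=1`, which the description states only indirectly. The options attrset continues outside this hunk.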
@@ -164,6 +198,8 @@ in
environment.systemPackages = [ pkgs.hostapd ];
+ services.udev.packages = optional (cfg.countryCode != null) [ pkgs.crda ];
+
systemd.services.hostapd =
{ description = "hostapd wireless AP";
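Review bot: `services.udev.packages = optional (cfg.countryCode != null) [ pkgs.crda ];` wraps an already-list argument, so when a country code is set the option receives `[ [ pkgs.crda ] ]` rather than `[ pkgs.crda ]`. Whether the udev module tolerates the nested list or not, the intended form is `services.udev.packages = optional (cfg.countryCode != null) pkgs.crda;` (or `optionals ... [ pkgs.crda ]`). A one-line comment such as `# crda supplies the regulatory database udev loads when country_code is set` would explain why the package is tied to this option. The config block continues outside this hunk.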
diff --git a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix
index b236552eb65..91d0bf437d6 100644
--- a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix
+++ b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix
@@ -36,12 +36,7 @@ in
services.ircdHybrid = {
- enable = mkOption {
- default = false;
- description = "
- Enable IRCD.
- ";
- };
+ enable = mkEnableOption "IRCD";
serverName = mkOption {
default = "hades.arpa";
diff --git a/nixpkgs/nixos/modules/services/networking/mailpile.nix b/nixpkgs/nixos/modules/services/networking/mailpile.nix
index c42d3d5a44c..b79ee11d17d 100644
--- a/nixpkgs/nixos/modules/services/networking/mailpile.nix
+++ b/nixpkgs/nixos/modules/services/networking/mailpile.nix
@@ -18,12 +18,8 @@ in
options = {
services.mailpile = {
- enable = mkOption {
- default = false;
- description = "
- Whether to enable Mailpile the mail client.
- ";
- };
+ enable = mkEnableOption "Mailpile the mail client";
+
hostname = mkOption {
default = "localhost";
description = "Listen to this hostname or ip.";
diff --git a/nixpkgs/nixos/modules/services/networking/monero.nix b/nixpkgs/nixos/modules/services/networking/monero.nix
index b9536430868..97af2997839 100644
--- a/nixpkgs/nixos/modules/services/networking/monero.nix
+++ b/nixpkgs/nixos/modules/services/networking/monero.nix
@@ -26,7 +26,7 @@ let
rpc-login=${rpc.user}:${rpc.password}
''}
${optionalString rpc.restricted ''
- restrict-rpc=1
+ restricted-rpc=1
''}
limit-rate-up=${toString limits.upload}
diff --git a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix
index da9d960cc14..b7e4c89a155 100644
--- a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix
@@ -30,6 +30,7 @@ in
options = {
services.chrony = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to synchronise your machine's time using chrony.
@@ -92,6 +93,11 @@ in
systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; };
+ systemd.tmpfiles.rules = [
+ "d ${stateDir} 0755 chrony chrony - -"
+ "f ${keyFile} 0640 chrony chrony -"
+ ];
+
systemd.services.chronyd =
{ description = "chrony NTP daemon";
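Review bot: the new tmpfiles `d ${stateDir}` rule and the `StateDirectory = "chrony"` added in the hunk at L4384 both manage the state directory; if stateDir is /var/lib/chrony (declared outside this view) one of them is redundant, otherwise StateDirectory= creates a second, unused directory, so keep a single mechanism. The `f ${keyFile} 0640 chrony chrony -` line reproduces the removed preStart's permissions and, unlike `touch` under the default umask followed by chmod, never leaves the key file world-readable in between, which deserves a one-line comment such as `# key file is created with its final mode (no touch/chmod window); tmpfiles re-applies mode and owner at boot`, as I read tmpfiles.d(5).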
@@ -103,13 +109,6 @@ in
path = [ pkgs.chrony ];
- preStart = ''
- mkdir -m 0755 -p ${stateDir}
- touch ${keyFile}
- chmod 0640 ${keyFile}
- chown chrony:chrony ${stateDir} ${keyFile}
- '';
-
unitConfig.ConditionCapability = "CAP_SYS_TIME";
serviceConfig =
{ Type = "simple";
@@ -118,7 +117,7 @@ in
ProtectHome = "yes";
ProtectSystem = "full";
PrivateTmp = "yes";
-
+ StateDirectory = "chrony";
};
};
diff --git a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix
index 54ff054d84c..51398851adc 100644
--- a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix
@@ -40,6 +40,7 @@ in
services.ntp = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to synchronise your machine's time using ntpd, as a peer in
diff --git a/nixpkgs/nixos/modules/services/networking/openfire.nix b/nixpkgs/nixos/modules/services/networking/openfire.nix
index 4059eb3db83..fe0499d5232 100644
--- a/nixpkgs/nixos/modules/services/networking/openfire.nix
+++ b/nixpkgs/nixos/modules/services/networking/openfire.nix
@@ -9,14 +9,10 @@ with lib;
services.openfire = {
- enable = mkOption {
- default = false;
- description = "
- Whether to enable OpenFire XMPP server.
- ";
- };
+ enable = mkEnableOption "OpenFire XMPP server";
usePostgreSQL = mkOption {
+ type = types.bool;
default = true;
description = "
Whether you use PostgreSQL service for your storage back-end.
diff --git a/nixpkgs/nixos/modules/services/networking/pixiecore.nix b/nixpkgs/nixos/modules/services/networking/pixiecore.nix
index 0e32f182e2a..85aa40784af 100644
--- a/nixpkgs/nixos/modules/services/networking/pixiecore.nix
+++ b/nixpkgs/nixos/modules/services/networking/pixiecore.nix
@@ -115,7 +115,7 @@ in
if cfg.mode == "boot"
then [ "boot" cfg.kernel ]
++ optional (cfg.initrd != "") cfg.initrd
- ++ optional (cfg.cmdLine != "") "--cmdline=${lib.escapeShellArg cfg.cmdLine}"
+ ++ optionals (cfg.cmdLine != "") [ "--cmdline" cfg.cmdLine ]
else [ "api" cfg.apiServer ];
in
''
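Review bot: `[ "--cmdline" cfg.cmdLine ]` drops the escapeShellArg the old line had, so the value is now only safe if the consumer of this list (below the hunk, not visible here) passes every element through `lib.escapeShellArgs`; a kernel command line almost always contains spaces, so a plain `concatStringsSep " "` would split it into several arguments. Assuming the consumer does escape, a comment at the list head such as `# elements are shell-escaped where the list is rendered; do not pre-escape here` would keep the next edit from reintroducing double escaping.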
diff --git a/nixpkgs/nixos/modules/services/networking/prayer.nix b/nixpkgs/nixos/modules/services/networking/prayer.nix
index 9c9eeba23da..f04dac01d9b 100644
--- a/nixpkgs/nixos/modules/services/networking/prayer.nix
+++ b/nixpkgs/nixos/modules/services/networking/prayer.nix
@@ -41,12 +41,7 @@ in
services.prayer = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to run the prayer webmail http server.
- '';
- };
+ enable = mkEnableOption "the prayer webmail http server";
port = mkOption {
default = "2080";
diff --git a/nixpkgs/nixos/modules/services/networking/prosody.nix b/nixpkgs/nixos/modules/services/networking/prosody.nix
index 0fd84efc403..cdd341c9fb6 100644
--- a/nixpkgs/nixos/modules/services/networking/prosody.nix
+++ b/nixpkgs/nixos/modules/services/networking/prosody.nix
@@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
-
let
-
cfg = config.services.prosody;
sslOpts = { ... }: {
@@ -30,8 +28,21 @@ let
};
};
+ discoOpts = {
+ options = {
+ url = mkOption {
+ type = types.str;
+ description = "URL of the endpoint you want to make discoverable";
+ };
+ description = mkOption {
+ type = types.str;
+ description = "A short description of the endpoint you want to advertise";
+ };
+ };
+ };
+
moduleOpts = {
- # Generally required
+ # Required for compliance with https://compliance.conversations.im/about/
roster = mkOption {
type = types.bool;
default = true;
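Review bot: `url` is documented as "URL of the endpoint", but the generated `disco_items` entries (hunk at L4876) and the automatically added MUC/upload items pass bare domains, which is what Prosody's disco_items expects (a JID plus a human-readable name); calling the field `url` invites values like `https://…` that XMPP clients will not resolve. Consider `description = "JID (domain) of the service to advertise in service discovery";` or renaming the field to `jid`.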
@@ -69,6 +80,18 @@ let
description = "Keep multiple clients in sync";
};
+ csi = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Implements the CSI protocol that allows clients to report their active/inactive state to the server";
+ };
+
+ cloud_notify = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online";
+ };
+
pep = mkOption {
type = types.bool;
default = true;
@@ -89,10 +112,22 @@ let
vcard = mkOption {
type = types.bool;
- default = true;
+ default = false;
description = "Allow users to set vCards";
};
+ vcard_legacy = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Converts users profiles and Avatars between old and new formats";
+ };
+
+ bookmarks = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP";
+ };
+
# Nice to have
version = mkOption {
type = types.bool;
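Review bot: the default of the existing `vcard` option silently flips from true to false here, so users who relied on the implicit default lose vCard support unless the new `vcard_legacy` (default true) covers the same functionality, which the descriptions do not say. If that is the intent, spell it out: `description = "Allow users to set vCards (superseded by vcard_legacy, which also serves older clients)";`.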
@@ -126,10 +161,16 @@ let
mam = mkOption {
type = types.bool;
- default = false;
+ default = true;
description = "Store messages in an archive and allow users to access it";
};
+ smacks = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Allow a client to resume a disconnected session, and prevent message loss";
+ };
+
# Admin interfaces
admin_adhoc = mkOption {
type = types.bool;
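Review bot: flipping `mam` to default true means every deployment starts archiving message content server-side without opting in, a retention/privacy change that the one-line description does not mention. The description should at least say the feature is on by default and how long archives are kept (Prosody's mod_mam expires them according to its `archive_expires_after` setting, which this module does not expose), e.g. `description = "Store messages in an archive and allow users to access it (on by default; retention follows Prosody's archive_expires_after, settable via extraConfig)";`.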
@@ -137,6 +178,18 @@ let
description = "Allows administration via an XMPP client that supports ad-hoc commands";
};
+ http_files = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Serve static files from a directory over HTTP";
+ };
+
+ proxy65 = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enables a file transfer proxy service which clients behind NAT can use";
+ };
+
admin_telnet = mkOption {
type = types.bool;
default = false;
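Review bot: `http_files` and `proxy65` now default to true, which turns on two extra network-facing services for every deployment — a static file server on the HTTP listener and a SOCKS5 bytestream proxy (Prosody's mod_proxy65 listens on its own port, 5000 by default) — and neither description says so; nothing in this hunk configures the directory mod_http_files is to serve either. The descriptions should name what gets exposed, e.g. `description = "Serve static files from a directory over HTTP (set http_files_dir in extraConfig)";`, and the proxy65 one should mention its listening port so operators can firewall it.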
@@ -156,18 +209,6 @@ let
description = "Enable WebSocket support";
};
- http_files = mkOption {
- type = types.bool;
- default = false;
- description = "Serve static files from a directory over HTTP";
- };
-
- http_upload = mkOption {
- type = types.bool;
- default = true;
- description = "Allows clients to upload files via HTTP requests";
- };
-
# Other specific functionality
limits = mkOption {
type = types.bool;
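Review bot: `http_upload` disappears from the module submodule without a transition, so an existing configuration that sets it either fails evaluation or is silently ignored depending on how the submodule is declared (outside this hunk). A `mkRemovedOptionModule [ "services" "prosody" "modules" "http_upload" ] "Use services.prosody.uploadHttp instead."` in the module's imports (adjust the path to wherever moduleOpts is mounted) would point users at the replacement; `http_files` is only moved, so it needs no such entry.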
@@ -216,13 +257,6 @@ let
default = false;
description = "Legacy authentication. Only used by some old clients and bots";
};
-
- proxy65 = mkOption {
- type = types.bool;
- default = false;
- description = "Enables a file transfer proxy service which clients behind NAT can use";
- };
-
};
toLua = x:
@@ -241,6 +275,158 @@ let
};
'';
+ mucOpts = { ... }: {
+ options = {
+ domain = mkOption {
+ type = types.str;
+ description = "Domain name of the MUC";
+ };
+ name = mkOption {
+ type = types.str;
+ description = "The name to return in service discovery responses for the MUC service itself";
+ default = "Prosody Chatrooms";
+ };
+ restrictRoomCreation = mkOption {
+ type = types.enum [ true false "admin" "local" ];
+ default = false;
+ description = "Restrict room creation to server admins";
+ };
+ maxHistoryMessages = mkOption {
+ type = types.int;
+ default = 20;
+ description = "Specifies a limit on what each room can be configured to keep";
+ };
+ roomLocking = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Enables room locking, which means that a room must be
+ configured before it can be used. Locked rooms are invisible
+ and cannot be entered by anyone but the creator
+ '';
+ };
+ roomLockTimeout = mkOption {
+ type = types.int;
+ default = 300;
+ description = ''
+ Timout after which the room is destroyed or unlocked if not
+ configured, in seconds
+ '';
+ };
+ tombstones = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ When a room is destroyed, it leaves behind a tombstone which
+ prevents the room being entered or recreated. It also allows
+ anyone who was not in the room at the time it was destroyed
+ to learn about it, and to update their bookmarks. Tombstones
+ prevents the case where someone could recreate a previously
+ semi-anonymous room in order to learn the real JIDs of those
+ who often join there.
+ '';
+ };
+ tombstoneExpiry = mkOption {
+ type = types.int;
+ default = 2678400;
+ description = ''
+ This settings controls how long a tombstone is considered
+ valid. It defaults to 31 days. After this time, the room in
+ question can be created again.
+ '';
+ };
+
+ vcard_muc = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Adds the ability to set vCard for Multi User Chat rooms";
+ };
+
+ # Extra parameters. Defaulting to prosody default values.
+ # Adding them explicitly to make them visible from the options
+ # documentation.
+ #
+ # See https://prosody.im/doc/modules/mod_muc for more details.
+ roomDefaultPublic = mkOption {
+ type = types.bool;
+ default = true;
+ description = "If set, the MUC rooms will be public by default.";
+ };
+ roomDefaultMembersOnly = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If set, the MUC rooms will only be accessible to the members by default.";
+ };
+ roomDefaultModerated = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If set, the MUC rooms will be moderated by default.";
+ };
+ roomDefaultPublicJids = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If set, the MUC rooms will display the public JIDs by default.";
+ };
+ roomDefaultChangeSubject = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If set, the rooms will display the public JIDs by default.";
+ };
+ roomDefaultHistoryLength = mkOption {
+ type = types.int;
+ default = 20;
+ description = "Number of history message sent to participants by default.";
+ };
+ roomDefaultLanguage = mkOption {
+ type = types.str;
+ default = "en";
+ description = "Default room language.";
+ };
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Additional MUC specific configuration";
+ };
+ };
+ };
+
+ uploadHttpOpts = { ... }: {
+ options = {
+ domain = mkOption {
+ type = types.nullOr types.str;
+ description = "Domain name for the http-upload service";
+ };
+ uploadFileSizeLimit = mkOption {
+ type = types.str;
+ default = "50 * 1024 * 1024";
+ description = "Maximum file size, in bytes. Defaults to 50MB.";
+ };
+ uploadExpireAfter = mkOption {
+ type = types.str;
+ default = "60 * 60 * 24 * 7";
+ description = "Max age of a file before it gets deleted, in seconds.";
+ };
+ userQuota = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ example = 1234;
+ description = ''
+ Maximum size of all uploaded files per user, in bytes. There
+ will be no quota if this option is set to null.
+ '';
+ };
+ httpUploadPath = mkOption {
+ type = types.str;
+ description = ''
+ Directory where the uploaded files will be stored. By
+ default, uploaded files are put in a sub-directory of the
+ default Prosody storage path (usually /var/lib/prosody).
+ '';
+ default = "/var/lib/prosody";
+ };
+ };
+ };
+
vHostOpts = { ... }: {
options = {
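Review bot: `uploadFileSizeLimit` and `uploadExpireAfter` are `types.str` holding Lua expressions (`"50 * 1024 * 1024"`) that the hunk at L4885 pastes verbatim into prosody.cfg.lua, unlike the sibling `userQuota`, which is an int rendered through toLua; declare them as `type = types.int; default = 50 * 1024 * 1024;` (and `default = 60 * 60 * 24 * 7;`) and render them with toLua so the option holds the number its description promises and cannot carry arbitrary Lua into the config. `domain` in uploadHttpOpts is `nullOr str` with no default although the config generation dereferences it unconditionally once uploadHttp is set, so `types.str` is the honest type. The description of `roomDefaultChangeSubject` is a copy of the public-JIDs one and should read `description = "If set, participants will be allowed to change the room subject by default.";`. `httpUploadPath` says uploads go into a sub-directory of /var/lib/prosody while its default is /var/lib/prosody itself, and "Timout" in roomLockTimeout is a typo.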
@@ -289,6 +475,27 @@ in
description = "Whether to enable the prosody server";
};
+ xmppComplianceSuite = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ The XEP-0423 defines a set of recommended XEPs to implement
+ for a server. It's generally a good idea to implement this
+ set of extensions if you want to provide your users with a
+ good XMPP experience.
+
+ This NixOS module aims to provide a "advanced server"
+ experience as per defined in the XEP-0423[1] specification.
+
+ Setting this option to true will prevent you from building a
+ NixOS configuration which won't comply with this standard.
+ You can explicitely decide to ignore this standard if you
+ know what you are doing by setting this option to false.
+
+ [1] https://xmpp.org/extensions/xep-0423.html
+ '';
+ };
+
package = mkOption {
type = types.package;
description = "Prosody package to use";
@@ -308,6 +515,12 @@ in
default = "/var/lib/prosody";
};
+ disco_items = mkOption {
+ type = types.listOf (types.submodule discoOpts);
+ default = [];
+ description = "List of discoverable items you want to advertise.";
+ };
+
user = mkOption {
type = types.str;
default = "prosody";
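Review bot: `disco_items` is the only new option in snake_case; the other additions in this commit (`httpPorts`, `uploadHttp`, `xmppComplianceSuite`) are camelCase, so `discoItems` would match the module's convention, keeping the Lua key only in the generated config. If the name is kept deliberately for parity with Prosody's config key, a short comment saying so avoids a later rename.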
@@ -326,6 +539,31 @@ in
description = "Allow account creation";
};
+ # HTTP server-related options
+ httpPorts = mkOption {
+ type = types.listOf types.int;
+ description = "Listening HTTP ports list for this service.";
+ default = [ 5280 ];
+ };
+
+ httpInterfaces = mkOption {
+ type = types.listOf types.str;
+ default = [ "*" "::" ];
+ description = "Interfaces on which the HTTP server will listen on.";
+ };
+
+ httpsPorts = mkOption {
+ type = types.listOf types.int;
+ description = "Listening HTTPS ports list for this service.";
+ default = [ 5281 ];
+ };
+
+ httpsInterfaces = mkOption {
+ type = types.listOf types.str;
+ default = [ "*" "::" ];
+ description = "Interfaces on which the HTTPS server will listen on.";
+ };
+
c2sRequireEncryption = mkOption {
type = types.bool;
default = true;
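Review bot: the `httpInterfaces`/`httpsInterfaces` default `[ "*" "::" ]` binds Prosody's HTTP and HTTPS listeners on every IPv4 and IPv6 address, and with http_upload and http_files enabled those listeners serve user content; the descriptions should state that the default is all interfaces and whether the module opens the firewall (not visible here — confirm). `httpPorts`/`httpsPorts` are better typed as `types.listOf types.port`, which rejects out-of-range values at evaluation time.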
@@ -393,6 +631,26 @@ in
description = "Addtional path in which to look find plugins/modules";
};
+ uploadHttp = mkOption {
+ description = ''
+ Configures the Prosody builtin HTTP server to handle user uploads.
+ '';
+ type = types.nullOr (types.submodule uploadHttpOpts);
+ default = null;
+ example = {
+ domain = "uploads.my-xmpp-example-host.org";
+ };
+ };
+
+ muc = mkOption {
+ type = types.listOf (types.submodule mucOpts);
+ default = [ ];
+ example = [ {
+ domain = "conference.my-xmpp-example-host.org";
+ } ];
+ description = "Multi User Chat (MUC) configuration";
+ };
+
virtualHosts = mkOption {
description = "Define the virtual hosts";
@@ -449,9 +707,44 @@ in
config = mkIf cfg.enable {
+ assertions = let
+ genericErrMsg = ''
+
+ Having a server not XEP-0423-compliant might make your XMPP
+ experience terrible. See the NixOS manual for further
+ informations.
+
+ If you know what you're doing, you can disable this warning by
+ setting config.services.prosody.xmppComplianceSuite to false.
+ '';
+ errors = [
+ { assertion = (builtins.length cfg.muc > 0) || !cfg.xmppComplianceSuite;
+ message = ''
+ You need to setup at least a MUC domain to comply with
+ XEP-0423.
+ '' + genericErrMsg;}
+ { assertion = cfg.uploadHttp != null || !cfg.xmppComplianceSuite;
+ message = ''
+ You need to setup the uploadHttp module through
+ config.services.prosody.uploadHttp to comply with
+ XEP-0423.
+ '' + genericErrMsg;}
+ ];
+ in errors;
+
environment.systemPackages = [ cfg.package ];
- environment.etc."prosody/prosody.cfg.lua".text = ''
+ environment.etc."prosody/prosody.cfg.lua".text =
+ let
+ httpDiscoItems = if (cfg.uploadHttp != null)
+ then [{ url = cfg.uploadHttp.domain; description = "HTTP upload endpoint";}]
+ else [];
+ mucDiscoItems = builtins.foldl'
+ (acc: muc: [{ url = muc.domain; description = "${muc.domain} MUC endpoint";}] ++ acc)
+ []
+ cfg.muc;
+ discoItems = cfg.disco_items ++ httpDiscoItems ++ mucDiscoItems;
+ in ''
pidfile = "/run/prosody/prosody.pid"
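Review bot: genericErrMsg tells the user they can "disable this warning", but these are `assertions`, so a missing MUC or upload component aborts evaluation rather than warns; the text should say `you can disable this check by setting services.prosody.xmppComplianceSuite to false` (dropping the `config.` prefix, as option paths are usually written) and "informations" should be "information". `(builtins.length cfg.muc > 0)` reads more naturally as `cfg.muc != [ ]`.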
@@ -478,6 +771,10 @@ in
${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.extraModules)}
};
+ disco_items = {
+ ${ lib.concatStringsSep "\n" (builtins.map (x: ''{ "${x.url}", "${x.description}"};'') discoItems)}
+ };
+
allow_registration = ${toLua cfg.allowRegistration}
c2s_require_encryption = ${toLua cfg.c2sRequireEncryption}
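Review bot: `''{ "${x.url}", "${x.description}"};''` interpolates both fields into double-quoted Lua literals with no escaping, so a description containing `"` or a backslash yields a prosody.cfg.lua the daemon cannot parse, and since that file is executed as Lua the text after the quote is read as code rather than data. Escaping both fields, e.g. `(x: ''{ "${lib.escape [ "\\" "\"" ] x.url}", "${lib.escape [ "\\" "\"" ] x.description}"};'')`, keeps the generated file well-formed; the same applies to the other raw `"${…}"` interpolations in this file, such as `VirtualHost "${v.domain}"` in the hunk at L4885.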
@@ -492,8 +789,44 @@ in
authentication = ${toLua cfg.authentication}
+ http_interfaces = ${toLua cfg.httpInterfaces}
+
+ https_interfaces = ${toLua cfg.httpsInterfaces}
+
+ http_ports = ${toLua cfg.httpPorts}
+
+ https_ports = ${toLua cfg.httpsPorts}
+
${ cfg.extraConfig }
+ ${lib.concatMapStrings (muc: ''
+ Component ${toLua muc.domain} "muc"
+ modules_enabled = { "muc_mam"; ${optionalString muc.vcard_muc ''"vcard_muc";'' } }
+ name = ${toLua muc.name}
+ restrict_room_creation = ${toLua muc.restrictRoomCreation}
+ max_history_messages = ${toLua muc.maxHistoryMessages}
+ muc_room_locking = ${toLua muc.roomLocking}
+ muc_room_lock_timeout = ${toLua muc.roomLockTimeout}
+ muc_tombstones = ${toLua muc.tombstones}
+ muc_tombstone_expiry = ${toLua muc.tombstoneExpiry}
+ muc_room_default_public = ${toLua muc.roomDefaultPublic}
+ muc_room_default_members_only = ${toLua muc.roomDefaultMembersOnly}
+ muc_room_default_moderated = ${toLua muc.roomDefaultModerated}
+ muc_room_default_public_jids = ${toLua muc.roomDefaultPublicJids}
+ muc_room_default_change_subject = ${toLua muc.roomDefaultChangeSubject}
+ muc_room_default_history_length = ${toLua muc.roomDefaultHistoryLength}
+ muc_room_default_language = ${toLua muc.roomDefaultLanguage}
+ ${ muc.extraConfig }
+ '') cfg.muc}
+
+ ${ lib.optionalString (cfg.uploadHttp != null) ''
+ Component ${toLua cfg.uploadHttp.domain} "http_upload"
+ http_upload_file_size_limit = ${cfg.uploadHttp.uploadFileSizeLimit}
+ http_upload_expire_after = ${cfg.uploadHttp.uploadExpireAfter}
+ ${lib.optionalString (cfg.uploadHttp.userQuota != null) "http_upload_quota = ${toLua cfg.uploadHttp.userQuota}"}
+ http_upload_path = ${toLua cfg.uploadHttp.httpUploadPath}
+ ''}
+
${ lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
VirtualHost "${v.domain}"
enabled = ${boolToString v.enabled};
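Review bot: every MUC component gets `modules_enabled = { "muc_mam"; … }` unconditionally, so group-chat history is archived server-side even when the `mam` option in moduleOpts is false; either tie it to that option, `modules_enabled = { ${optionalString cfg.modules.mam ''"muc_mam";''} ${optionalString muc.vcard_muc ''"vcard_muc";''} }` (adjust the path to wherever moduleOpts is mounted, which is outside this hunk), or say in the `mam` description that MUC archiving is always on. `http_upload_file_size_limit = ${cfg.uploadHttp.uploadFileSizeLimit}` and the expire_after line below it paste user-supplied strings into the Lua file unquoted; rendering them with `toLua` (with the options typed as int) keeps the config data-only, as the neighbouring `http_upload_quota` line already does.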
@@ -528,9 +861,22 @@ in
PIDFile = "/run/prosody/prosody.pid";
ExecStart = "${cfg.package}/bin/prosodyctl start";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
};
};
};
-
+ meta.doc = ./prosody.xml;
}
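Review bot: the sandboxing block is a good addition but omits the directives that most directly limit what a compromised prosody process can do: `NoNewPrivileges = true;`, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` and `SystemCallArchitectures = "native";` would complete the set at no cost for a Lua daemon, and `ProtectSystem = "strict"` becomes possible once the state and runtime paths are listed in ReadWritePaths. Two interactions deserve a comment above the block: `ProtectHome = true` makes any `httpUploadPath` under /home unreachable for the service, and `MemoryDenyWriteExecute = true` will break the unit if the package is ever built against LuaJIT (the interpreter in use here is not visible in this hunk).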
diff --git a/nixpkgs/nixos/modules/services/networking/prosody.xml b/nixpkgs/nixos/modules/services/networking/prosody.xml
new file mode 100644
index 00000000000..7859cb1578b
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/prosody.xml
@@ -0,0 +1,88 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ version="5.0"
+ xml:id="module-services-prosody">
+ <title>Prosody</title>
+ <para>
+ <link xlink:href="https://prosody.im/">Prosody</link> is an open-source, modern XMPP server.
+ </para>
+ <section xml:id="module-services-prosody-basic-usage">
+ <title>Basic usage</title>
+
+ <para>
+ A common struggle for most XMPP newcomers is to find the right set
+ of XMPP Extensions (XEPs) to setup. Forget to activate a few of
+ those and your XMPP experience might turn into a nightmare!
+ </para>
+
+ <para>
+ The XMPP community tackles this problem by creating a meta-XEP
+ listing a decent set of XEPs you should implement. This meta-XEP
+ is issued every year, the 2020 edition being
+ <link xlink:href="https://xmpp.org/extensions/xep-0423.html">XEP-0423</link>.
+ </para>
+ <para>
+ The NixOS Prosody module will implement most of these recommendend XEPs out of
+ the box. That being said, two components still require some
+ manual configuration: the
+ <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi User Chat (MUC)</link>
+ and the <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP File Upload</link> ones.
+ You'll need to create a DNS subdomain for each of those. The current convention is to name your
+ MUC endpoint <literal>conference.example.org</literal> and your HTTP upload domain <literal>upload.example.org</literal>.
+ </para>
+ <para>
+ A good configuration to start with, including a
+ <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi User Chat (MUC)</link>
+ endpoint as well as a <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP File Upload</link>
+ endpoint will look like this:
+ <programlisting>
+services.prosody = {
+ <link linkend="opt-services.prosody.enable">enable</link> = true;
+ <link linkend="opt-services.prosody.admins">admins</link> = [ "root@example.org" ];
+ <link linkend="opt-services.prosody.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem";
+ <link linkend="opt-services.prosody.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem";
+ <link linkend="opt-services.prosody.virtualHosts">virtualHosts</link>."example.org" = {
+ <link linkend="opt-services.prosody.virtualHosts._name__.enabled">enabled</link> = true;
+ <link linkend="opt-services.prosody.virtualHosts._name__.domain">domain</link> = "example.org";
+ <link linkend="opt-services.prosody.virtualHosts._name__.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem";
+ <link linkend="opt-services.prosody.virtualHosts._name__.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem";
+ };
+ <link linkend="opt-services.prosody.muc">muc</link> = [ {
+ <link linkend="opt-services.prosody.muc">domain</link> = "conference.example.org";
+ } ];
+ <link linkend="opt-services.prosody.uploadHttp">uploadHttp</link> = {
+ <link linkend="opt-services.prosody.uploadHttp.domain">domain</link> = "upload.example.org";
+ };
+};</programlisting>
+ </para>
+ </section>
+ <section xml:id="module-services-prosody-letsencrypt">
+ <title>Let's Encrypt Configuration</title>
+ <para>
+ As you can see in the code snippet from the
+ <link linkend="module-services-prosody-basic-usage">previous section</link>,
+ you'll need a single TLS certificate covering your main endpoint,
+ the MUC one as well as the HTTP Upload one. We can generate such a
+ certificate by leveraging the ACME
+ <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> module option.
+ </para>
+ <para>
+ Provided the setup detailed in the previous section, you'll need the following acme configuration to generate
+ a TLS certificate for the three endponits:
+ <programlisting>
+security.acme = {
+ <link linkend="opt-security.acme.email">email</link> = "root@example.org";
+ <link linkend="opt-security.acme.acceptTerms">acceptTerms</link> = true;
+ <link linkend="opt-security.acme.certs">certs</link> = {
+ "example.org" = {
+ <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/example.org";
+ <link linkend="opt-security.acme.certs._name_.email">email</link> = "root@example.org";
+ <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."conference.example.org"</link> = null;
+ <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."upload.example.org"</link> = null;
+ };
+ };
+};</programlisting>
+ </para>
+</section>
+</chapter>
diff --git a/nixpkgs/nixos/modules/services/networking/quassel.nix b/nixpkgs/nixos/modules/services/networking/quassel.nix
index 52ecd90b7c6..da723ec86ad 100644
--- a/nixpkgs/nixos/modules/services/networking/quassel.nix
+++ b/nixpkgs/nixos/modules/services/networking/quassel.nix
@@ -16,12 +16,7 @@ in
services.quassel = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to run the Quassel IRC client daemon.
- '';
- };
+ enable = mkEnableOption "the Quassel IRC client daemon";
certificateFile = mkOption {
type = types.nullOr types.str;
diff --git a/nixpkgs/nixos/modules/services/networking/radvd.nix b/nixpkgs/nixos/modules/services/networking/radvd.nix
index 020faa34922..f4b00c9b356 100644
--- a/nixpkgs/nixos/modules/services/networking/radvd.nix
+++ b/nixpkgs/nixos/modules/services/networking/radvd.nix
@@ -19,6 +19,7 @@ in
options = {
services.radvd.enable = mkOption {
+ type = types.bool;
default = false;
description =
''
diff --git a/nixpkgs/nixos/modules/services/networking/rdnssd.nix b/nixpkgs/nixos/modules/services/networking/rdnssd.nix
index bccab805bee..469504c4317 100644
--- a/nixpkgs/nixos/modules/services/networking/rdnssd.nix
+++ b/nixpkgs/nixos/modules/services/networking/rdnssd.nix
@@ -17,6 +17,7 @@ in
options = {
services.rdnssd.enable = mkOption {
+ type = types.bool;
default = false;
#default = config.networking.enableIPv6;
description =
diff --git a/nixpkgs/nixos/modules/services/networking/sabnzbd.nix b/nixpkgs/nixos/modules/services/networking/sabnzbd.nix
index 62b24d4377f..ff5aef7d1cb 100644
--- a/nixpkgs/nixos/modules/services/networking/sabnzbd.nix
+++ b/nixpkgs/nixos/modules/services/networking/sabnzbd.nix
@@ -15,10 +15,8 @@ in
options = {
services.sabnzbd = {
- enable = mkOption {
- default = false;
- description = "Whether to enable the sabnzbd server.";
- };
+ enable = mkEnableOption "the sabnzbd server";
+
configFile = mkOption {
default = "/var/lib/sabnzbd/sabnzbd.ini";
description = "Path to config file.";
diff --git a/nixpkgs/nixos/modules/services/networking/shairport-sync.nix b/nixpkgs/nixos/modules/services/networking/shairport-sync.nix
index 2e988e0ca2e..b4b86a2d55b 100644
--- a/nixpkgs/nixos/modules/services/networking/shairport-sync.nix
+++ b/nixpkgs/nixos/modules/services/networking/shairport-sync.nix
@@ -17,6 +17,7 @@ in
services.shairport-sync = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Enable the shairport-sync daemon.
diff --git a/nixpkgs/nixos/modules/services/networking/skydns.nix b/nixpkgs/nixos/modules/services/networking/skydns.nix
index 6ad18bb2240..e79d6de9264 100644
--- a/nixpkgs/nixos/modules/services/networking/skydns.nix
+++ b/nixpkgs/nixos/modules/services/networking/skydns.nix
@@ -83,7 +83,7 @@ in {
SKYDNS_NAMESERVERS = concatStringsSep "," cfg.nameservers;
};
serviceConfig = {
- ExecStart = "${cfg.package.bin}/bin/skydns";
+ ExecStart = "${cfg.package}/bin/skydns";
};
};
diff --git a/nixpkgs/nixos/modules/services/networking/ssh/lshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/lshd.nix
index eca599afb33..41d0584080e 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/lshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/lshd.nix
@@ -19,6 +19,7 @@ in
services.lshd = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to enable the GNU lshd SSH2 daemon, which allows
@@ -53,21 +54,25 @@ in
};
syslog = mkOption {
+ type = types.bool;
default = true;
description = ''Whether to enable syslog output.'';
};
passwordAuthentication = mkOption {
+ type = types.bool;
default = true;
description = ''Whether to enable password authentication.'';
};
publicKeyAuthentication = mkOption {
+ type = types.bool;
default = true;
description = ''Whether to enable public key authentication.'';
};
rootLogin = mkOption {
+ type = types.bool;
default = false;
description = ''Whether to enable remote root login.'';
};
@@ -89,11 +94,13 @@ in
};
tcpForwarding = mkOption {
+ type = types.bool;
default = true;
description = ''Whether to enable TCP/IP forwarding.'';
};
x11Forwarding = mkOption {
+ type = types.bool;
default = true;
description = ''Whether to enable X11 forwarding.'';
};
diff --git a/nixpkgs/nixos/modules/services/networking/tailscale.nix b/nixpkgs/nixos/modules/services/networking/tailscale.nix
index 513c42b4011..4d6aeb75ebd 100644
--- a/nixpkgs/nixos/modules/services/networking/tailscale.nix
+++ b/nixpkgs/nixos/modules/services/networking/tailscale.nix
@@ -37,7 +37,10 @@ in {
RuntimeDirectoryMode = 755;
StateDirectory = "tailscale";
- StateDirectoryMode = 700;
+ StateDirectoryMode = 750;
+
+ CacheDirectory = "tailscale";
+ CacheDirectoryMode = 750;
Restart = "on-failure";
};
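Review bot: `StateDirectoryMode` is relaxed from 700 to 750 with no rationale in the hunk; /var/lib/tailscale presumably holds the node's private key state, so group read access is only harmless while the unit runs as root with no `Group=` (which is what this hunk shows — the directory then ends up root:root). A comment stating why group access is needed, e.g. `# 750 rather than 700: <reason>` with the actual reason filled in, would keep the next reader from widening it further; if group access was not the goal, keep 700 for the state directory and give only the new CacheDirectory the wider mode.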
diff --git a/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix b/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix
index 18f2e135124..5a91054e166 100644
--- a/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix
+++ b/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix
@@ -15,6 +15,7 @@ in
options = {
networking.tcpcrypt.enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to enable opportunistic TCP encryption. If the other end
diff --git a/nixpkgs/nixos/modules/services/networking/thelounge.nix b/nixpkgs/nixos/modules/services/networking/thelounge.nix
index 875d8f66169..a1b06703484 100644
--- a/nixpkgs/nixos/modules/services/networking/thelounge.nix
+++ b/nixpkgs/nixos/modules/services/networking/thelounge.nix
@@ -62,7 +62,6 @@ in {
systemd.services.thelounge = {
description = "The Lounge web IRC client";
wantedBy = [ "multi-user.target" ];
- environment = { THELOUNGE_HOME = dataDir; };
preStart = "ln -sf ${pkgs.writeText "config.js" configJsData} ${dataDir}/config.js";
serviceConfig = {
User = "thelounge";
diff --git a/nixpkgs/nixos/modules/services/networking/wicd.nix b/nixpkgs/nixos/modules/services/networking/wicd.nix
index 03c6bd28aab..aa10a50f876 100644
--- a/nixpkgs/nixos/modules/services/networking/wicd.nix
+++ b/nixpkgs/nixos/modules/services/networking/wicd.nix
@@ -9,6 +9,7 @@ with lib;
options = {
networking.wicd.enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to start <command>wicd</command>. Wired and
diff --git a/nixpkgs/nixos/modules/services/networking/xinetd.nix b/nixpkgs/nixos/modules/services/networking/xinetd.nix
index 8dc6f845ed8..2f527ab156a 100644
--- a/nixpkgs/nixos/modules/services/networking/xinetd.nix
+++ b/nixpkgs/nixos/modules/services/networking/xinetd.nix
@@ -44,12 +44,7 @@ in
options = {
- services.xinetd.enable = mkOption {
- default = false;
- description = ''
- Whether to enable the xinetd super-server daemon.
- '';
- };
+ services.xinetd.enable = mkEnableOption "the xinetd super-server daemon";
services.xinetd.extraDefaults = mkOption {
default = "";
diff --git a/nixpkgs/nixos/modules/services/networking/yggdrasil.nix b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix
index 9e675ecd6f4..ecd1406b483 100644
--- a/nixpkgs/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix
@@ -83,6 +83,14 @@ in {
'';
};
+ group = mkOption {
+ type = types.str;
+ default = "root";
+ example = "wheel";
+ description =
+ "Group to grant acces to the Yggdrasil control socket.";
+ };
+
openMulticastPort = mkOption {
type = bool;
default = false;
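Review bot: the new `group` option hands out access to the Yggdrasil admin socket, which presumably lets a caller query and reconfigure the running node, so the description should say that members of this group effectively administer the daemon rather than merely get "acces" (typo) to it, e.g. `description = "Group granted access to the Yggdrasil control socket. Members of this group can administer the running node.";`. The matching `Group = cfg.group;` and the 0750 runtime directory that implement it are in the hunk at L5246.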
@@ -144,8 +152,9 @@ in {
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
+ Group = cfg.group;
RuntimeDirectory = "yggdrasil";
- RuntimeDirectoryMode = "0700";
+ RuntimeDirectoryMode = "0750";
BindReadOnlyPaths = mkIf configFileProvided
[ "${cfg.configFile}" ];
diff --git a/nixpkgs/nixos/modules/services/printing/cupsd.nix b/nixpkgs/nixos/modules/services/printing/cupsd.nix
index 59306d625e6..e67badfcd29 100644
--- a/nixpkgs/nixos/modules/services/printing/cupsd.nix
+++ b/nixpkgs/nixos/modules/services/printing/cupsd.nix
@@ -153,6 +153,16 @@ in
'';
};
+ allowFrom = mkOption {
+ type = types.listOf types.str;
+ default = [ "localhost" ];
+ example = [ "all" ];
+ apply = concatMapStringsSep "\n" (x: "Allow ${x}");
+ description = ''
+ From which hosts to allow unconditional access.
+ '';
+ };
+
bindirCmds = mkOption {
type = types.lines;
internal = true;
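Review bot: The `allowFrom` description ("From which hosts to allow unconditional access") does not say that the same list is substituted into `<Location />`, `<Location /admin>` and `<Location /admin/conf>` in the second hunk of this file, so the example value `[ "all" ]` also exposes the administrative interface to every host (only `/admin/conf` keeps the `Require user @SYSTEM` guard). Suggested wording: `From which hosts to allow unconditional access. The list applies to the administrative locations (/admin, /admin/conf) as well as to the root location.`. Note also that the `apply` turns the option value into the rendered `Allow ...` lines, so other modules reading this option get a string rather than the list; a short comment next to `apply` would save the next reader a surprise.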
@@ -403,19 +413,19 @@ in
<Location />
Order allow,deny
- Allow localhost
+ ${cfg.allowFrom}
</Location>
<Location /admin>
Order allow,deny
- Allow localhost
+ ${cfg.allowFrom}
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
- Allow localhost
+ ${cfg.allowFrom}
</Location>
<Policy default>
diff --git a/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix b/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix
index a63be0ee766..903a5327037 100644
--- a/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix
+++ b/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix
@@ -58,7 +58,7 @@ in {
default = {};
example = literalExample ''
{
- domain = https://bw.domain.tld:8443;
+ domain = "https://bw.domain.tld:8443";
signupsAllowed = true;
rocketPort = 8222;
rocketLog = "critical";
diff --git a/nixpkgs/nixos/modules/services/security/fprot.nix b/nixpkgs/nixos/modules/services/security/fprot.nix
index f203f2abc03..3a0b08b3c6d 100644
--- a/nixpkgs/nixos/modules/services/security/fprot.nix
+++ b/nixpkgs/nixos/modules/services/security/fprot.nix
@@ -10,12 +10,7 @@ in {
services.fprot = {
updater = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable automatic F-Prot virus definitions database updates.
- '';
- };
+ enable = mkEnableOption "automatic F-Prot virus definitions database updates";
productData = mkOption {
description = ''
diff --git a/nixpkgs/nixos/modules/services/security/hologram-agent.nix b/nixpkgs/nixos/modules/services/security/hologram-agent.nix
index a5087b0a99b..e37334b3cf5 100644
--- a/nixpkgs/nixos/modules/services/security/hologram-agent.nix
+++ b/nixpkgs/nixos/modules/services/security/hologram-agent.nix
@@ -43,12 +43,12 @@ in {
description = "Provide EC2 instance credentials to machines outside of EC2";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- requires = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ];
+ requires = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ];
preStart = ''
/run/current-system/sw/bin/rm -fv /run/hologram.sock
'';
serviceConfig = {
- ExecStart = "${pkgs.hologram.bin}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}";
+ ExecStart = "${pkgs.hologram}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}";
};
};
diff --git a/nixpkgs/nixos/modules/services/security/hologram-server.nix b/nixpkgs/nixos/modules/services/security/hologram-server.nix
index bad02c7440b..4acf6ae0e21 100644
--- a/nixpkgs/nixos/modules/services/security/hologram-server.nix
+++ b/nixpkgs/nixos/modules/services/security/hologram-server.nix
@@ -123,7 +123,7 @@ in {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- ExecStart = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";
+ ExecStart = "${pkgs.hologram}/bin/hologram-server --debug --conf ${cfgFile}";
};
};
};
diff --git a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
index 2abb9ec32ac..d5c5437329e 100644
--- a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
@@ -12,7 +12,7 @@ let
# command-line to launch oauth2_proxy.
providerSpecificOptions = {
azure = cfg: {
- azure.tenant = cfg.azure.tenant;
+ azure-tenant = cfg.azure.tenant;
resource = cfg.azure.resource;
};
@@ -44,6 +44,7 @@ let
pass-access-token = passAccessToken;
pass-basic-auth = passBasicAuth;
pass-host-header = passHostHeader;
+ reverse-proxy = reverseProxy;
proxy-prefix = proxyPrefix;
profile-url = profileURL;
redeem-url = redeemURL;
@@ -65,8 +66,8 @@ let
} // lib.optionalAttrs (cfg.htpasswd.file != null) {
display-htpasswd-file = cfg.htpasswd.displayForm;
} // lib.optionalAttrs tls.enable {
- tls-cert = tls.certificate;
- tls-key = tls.key;
+ tls-cert-file = tls.certificate;
+ tls-key-file = tls.key;
https-address = tls.httpsAddress;
} // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;
@@ -98,14 +99,21 @@ in
##############################################
# PROVIDER configuration
+ # Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go
provider = mkOption {
type = types.enum [
"google"
- "github"
"azure"
+ "facebook"
+ "github"
+ "keycloak"
"gitlab"
"linkedin"
- "myusa"
+ "login.gov"
+ "bitbucket"
+ "nextcloud"
+ "digitalocean"
+ "oidc"
];
default = "google";
description = ''
@@ -433,6 +441,17 @@ in
'';
};
+ reverseProxy = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ In case when running behind a reverse proxy, controls whether headers
+ like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse
+ proxy will require this flag to be set to avoid logging the reverse
+ proxy IP address.
+ '';
+ };
+
proxyPrefix = mkOption {
type = types.str;
default = "/oauth2";
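Review bot: The `reverseProxy` description explains the logging motivation but not the trust consequence: once set, the listener accepts `X-Real-Ip`/forwarding headers from whoever can reach it directly, so a client that bypasses the reverse proxy can present an arbitrary source address to the proxy's logs and any IP-based logic. I would add a sentence to the description such as `Only enable this when oauth2_proxy is not directly reachable by clients (for example bound to loopback or firewalled), since the forwarded headers are then trusted from any direct connection.`. The option is wired to `reverse-proxy = reverseProxy;` in an earlier hunk of this file.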
@@ -558,7 +577,7 @@ in
serviceConfig = {
User = "oauth2_proxy";
Restart = "always";
- ExecStart = "${cfg.package.bin}/bin/oauth2_proxy ${configString}";
+ ExecStart = "${cfg.package}/bin/oauth2_proxy ${configString}";
EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile;
};
};
diff --git a/nixpkgs/nixos/modules/services/security/privacyidea.nix b/nixpkgs/nixos/modules/services/security/privacyidea.nix
new file mode 100644
index 00000000000..d6abfd0e271
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/security/privacyidea.nix
@@ -0,0 +1,279 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.privacyidea;
+
+ uwsgi = pkgs.uwsgi.override { plugins = [ "python3" ]; };
+ python = uwsgi.python3;
+ penv = python.withPackages (ps: [ ps.privacyidea ]);
+ logCfg = pkgs.writeText "privacyidea-log.cfg" ''
+ [formatters]
+ keys=detail
+
+ [handlers]
+ keys=stream
+
+ [formatter_detail]
+ class=privacyidea.lib.log.SecureFormatter
+ format=[%(asctime)s][%(process)d][%(thread)d][%(levelname)s][%(name)s:%(lineno)d] %(message)s
+
+ [handler_stream]
+ class=StreamHandler
+ level=NOTSET
+ formatter=detail
+ args=(sys.stdout,)
+
+ [loggers]
+ keys=root,privacyidea
+
+ [logger_privacyidea]
+ handlers=stream
+ qualname=privacyidea
+ level=INFO
+
+ [logger_root]
+ handlers=stream
+ level=ERROR
+ '';
+
+ piCfgFile = pkgs.writeText "privacyidea.cfg" ''
+ SUPERUSER_REALM = [ '${concatStringsSep "', '" cfg.superuserRealm}' ]
+ SQLALCHEMY_DATABASE_URI = 'postgresql:///privacyidea'
+ SECRET_KEY = '${cfg.secretKey}'
+ PI_PEPPER = '${cfg.pepper}'
+ PI_ENCFILE = '${cfg.encFile}'
+ PI_AUDIT_KEY_PRIVATE = '${cfg.auditKeyPrivate}'
+ PI_AUDIT_KEY_PUBLIC = '${cfg.auditKeyPublic}'
+ PI_LOGCONFIG = '${logCfg}'
+ ${cfg.extraConfig}
+ '';
+
+in
+
+{
+ options = {
+ services.privacyidea = {
+ enable = mkEnableOption "PrivacyIDEA";
+
+ stateDir = mkOption {
+ type = types.str;
+ default = "/var/lib/privacyidea";
+ description = ''
+ Directory where all PrivacyIDEA files will be placed by default.
+ '';
+ };
+
+ superuserRealm = mkOption {
+ type = types.listOf types.str;
+ default = [ "super" "administrators" ];
+ description = ''
+ The realm where users are allowed to login as administrators.
+ '';
+ };
+
+ secretKey = mkOption {
+ type = types.str;
+ example = "t0p s3cr3t";
+ description = ''
+ This is used to encrypt the auth_token.
+ '';
+ };
+
+ pepper = mkOption {
+ type = types.str;
+ example = "Never know...";
+ description = ''
+ This is used to encrypt the admin passwords.
+ '';
+ };
+
+ encFile = mkOption {
+ type = types.str;
+ default = "${cfg.stateDir}/enckey";
+ description = ''
+ This is used to encrypt the token data and token passwords
+ '';
+ };
+
+ auditKeyPrivate = mkOption {
+ type = types.str;
+ default = "${cfg.stateDir}/private.pem";
+ description = ''
+ Private Key for signing the audit log.
+ '';
+ };
+
+ auditKeyPublic = mkOption {
+ type = types.str;
+ default = "${cfg.stateDir}/public.pem";
+ description = ''
+ Public key for checking signatures of the audit log.
+ '';
+ };
+
+ adminPasswordFile = mkOption {
+ type = types.path;
+ description = "File containing password for the admin user";
+ };
+
+ adminEmail = mkOption {
+ type = types.str;
+ example = "admin@example.com";
+ description = "Mail address for the admin user";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = ''
+ Extra configuration options for pi.cfg.
+ '';
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "privacyidea";
+ description = "User account under which PrivacyIDEA runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "privacyidea";
+ description = "Group account under which PrivacyIDEA runs.";
+ };
+
+ ldap-proxy = {
+ enable = mkEnableOption "PrivacyIDEA LDAP Proxy";
+
+ configFile = mkOption {
+ type = types.path;
+ default = "";
+ description = ''
+ Path to PrivacyIDEA LDAP Proxy configuration (proxy.ini).
+ '';
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "pi-ldap-proxy";
+ description = "User account under which PrivacyIDEA LDAP proxy runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "pi-ldap-proxy";
+ description = "Group account under which PrivacyIDEA LDAP proxy runs.";
+ };
+ };
+ };
+ };
+
+ config = mkMerge [
+
+ (mkIf cfg.enable {
+
+ environment.systemPackages = [ python.pkgs.privacyidea ];
+
+ services.postgresql.enable = mkDefault true;
+
+ systemd.services.privacyidea = let
+ piuwsgi = pkgs.writeText "uwsgi.json" (builtins.toJSON {
+ uwsgi = {
+ plugins = [ "python3" ];
+ pythonpath = "${penv}/${uwsgi.python3.sitePackages}";
+ socket = "/run/privacyidea/socket";
+ uid = cfg.user;
+ gid = cfg.group;
+ chmod-socket = 770;
+ chown-socket = "${cfg.user}:nginx";
+ chdir = cfg.stateDir;
+ wsgi-file = "${penv}/etc/privacyidea/privacyideaapp.wsgi";
+ processes = 4;
+ harakiri = 60;
+ reload-mercy = 8;
+ stats = "/run/privacyidea/stats.socket";
+ max-requests = 2000;
+ limit-as = 1024;
+ reload-on-as = 512;
+ reload-on-rss = 256;
+ no-orphans = true;
+ vacuum = true;
+ };
+ });
+ in {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "postgresql.service" ];
+ path = with pkgs; [ openssl ];
+ environment.PRIVACYIDEA_CONFIGFILE = piCfgFile;
+ preStart = let
+ pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
+ pgsu = config.services.postgresql.superUser;
+ psql = config.services.postgresql.package;
+ in ''
+ mkdir -p ${cfg.stateDir} /run/privacyidea
+ chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
+ if ! test -e "${cfg.stateDir}/db-created"; then
+ ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
+ ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
+ ${pi-manage} create_enckey
+ ${pi-manage} create_audit_keys
+ ${pi-manage} createdb
+ ${pi-manage} admin add admin -e ${cfg.adminEmail} -p "$(cat ${cfg.adminPasswordFile})"
+ ${pi-manage} db stamp head -d ${penv}/lib/privacyidea/migrations
+ touch "${cfg.stateDir}/db-created"
+ chmod g+r "${cfg.stateDir}/enckey" "${cfg.stateDir}/private.pem"
+ fi
+ ${pi-manage} db upgrade -d ${penv}/lib/privacyidea/migrations
+ '';
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
+ NotifyAccess = "main";
+ KillSignal = "SIGQUIT";
+ StandardError = "syslog";
+ };
+ };
+
+ users.users.privacyidea = mkIf (cfg.user == "privacyidea") {
+ group = cfg.group;
+ };
+
+ users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {};
+ })
+
+ (mkIf cfg.ldap-proxy.enable {
+
+ systemd.services.privacyidea-ldap-proxy = let
+ ldap-proxy-env = pkgs.python2.withPackages (ps: [ ps.privacyidea-ldap-proxy ]);
+ in {
+ description = "privacyIDEA LDAP proxy";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = cfg.ldap-proxy.user;
+ Group = cfg.ldap-proxy.group;
+ ExecStart = ''
+ ${ldap-proxy-env}/bin/twistd \
+ --nodaemon \
+ --pidfile= \
+ -u ${cfg.ldap-proxy.user} \
+ -g ${cfg.ldap-proxy.group} \
+ ldap-proxy \
+ -c ${cfg.ldap-proxy.configFile}
+ '';
+ Restart = "always";
+ };
+ };
+
+ users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") {
+ group = cfg.ldap-proxy.group;
+ };
+
+ users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {};
+ })
+ ];
+
+}
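Review bot: `secretKey` and `pepper` are plain `types.str` options that `piCfgFile` interpolates through `pkgs.writeText`, so both secrets end up in the world-readable Nix store; the usual NixOS pattern is a `*File` option read at service start, or at minimum the two descriptions should say that the value is written to /nix/store. The admin password is likewise handed to `pi-manage` as a command-line argument via `-p "$(cat ${cfg.adminPasswordFile})"`, which exposes it in the process list for the duration of that call. `pi-manage` hard-codes `sudo -u privacyidea` while the state directory on the preceding lines is chowned to `${cfg.user}`, so a non-default `user` breaks the first start; it should read `pi-manage = "${pkgs.sudo}/bin/sudo -u ${cfg.user} -HE ${penv}/bin/pi-manage";`. The `chmod g+r` line similarly hard-codes `${cfg.stateDir}/enckey` and `${cfg.stateDir}/private.pem` instead of `${cfg.encFile}` and `${cfg.auditKeyPrivate}`. `ldap-proxy.configFile` declares `types.path` with `default = ""`, which as far as I can tell fails the path type check whenever the proxy is enabled without setting it; dropping the default would make the option mandatory with a clear error instead.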
diff --git a/nixpkgs/nixos/modules/services/system/kerberos/default.nix b/nixpkgs/nixos/modules/services/system/kerberos/default.nix
index c55241c4cff..9a1e6739901 100644
--- a/nixpkgs/nixos/modules/services/system/kerberos/default.nix
+++ b/nixpkgs/nixos/modules/services/system/kerberos/default.nix
@@ -51,12 +51,7 @@ in
###### interface
options = {
services.kerberos_server = {
- enable = mkOption {
- default = false;
- description = ''
- Enable the kerberos authentification server.
- '';
- };
+ enable = lib.mkEnableOption "the kerberos authentification server";
realms = mkOption {
type = types.attrsOf (types.submodule realm);
diff --git a/nixpkgs/nixos/modules/services/system/localtime.nix b/nixpkgs/nixos/modules/services/system/localtime.nix
index 74925c5e2c4..8f8e2e2e933 100644
--- a/nixpkgs/nixos/modules/services/system/localtime.nix
+++ b/nixpkgs/nixos/modules/services/system/localtime.nix
@@ -8,6 +8,7 @@ in {
options = {
services.localtime = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Enable <literal>localtime</literal>, simple daemon for keeping the system
diff --git a/nixpkgs/nixos/modules/services/system/nscd.nix b/nixpkgs/nixos/modules/services/system/nscd.nix
index e11f7e049d8..d720f254b81 100644
--- a/nixpkgs/nixos/modules/services/system/nscd.nix
+++ b/nixpkgs/nixos/modules/services/system/nscd.nix
@@ -7,6 +7,10 @@ let
nssModulesPath = config.system.nssModules.path;
cfg = config.services.nscd;
+ nscd = if pkgs.stdenv.hostPlatform.libc == "glibc"
+ then pkgs.stdenv.cc.libc.bin
+ else pkgs.glibc.bin;
+
in
{
@@ -20,7 +24,11 @@ in
enable = mkOption {
type = types.bool;
default = true;
- description = "Whether to enable the Name Service Cache Daemon.";
+ description = ''
+ Whether to enable the Name Service Cache Daemon.
+ Disabling this is strongly discouraged, as this effectively disables NSS Lookups
+ from all non-glibc NSS modules, including the ones provided by systemd.
+ '';
};
config = mkOption {
@@ -59,16 +67,16 @@ in
# files. So prefix the ExecStart command with "!" to prevent systemd
# from dropping privileges early. See ExecStart in systemd.service(5).
serviceConfig =
- { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
+ { ExecStart = "!@${nscd}/sbin/nscd nscd";
Type = "forking";
DynamicUser = true;
RuntimeDirectory = "nscd";
PIDFile = "/run/nscd/nscd.pid";
Restart = "always";
ExecReload =
- [ "${pkgs.glibc.bin}/sbin/nscd --invalidate passwd"
- "${pkgs.glibc.bin}/sbin/nscd --invalidate group"
- "${pkgs.glibc.bin}/sbin/nscd --invalidate hosts"
+ [ "${nscd}/sbin/nscd --invalidate passwd"
+ "${nscd}/sbin/nscd --invalidate group"
+ "${nscd}/sbin/nscd --invalidate hosts"
];
};
};
diff --git a/nixpkgs/nixos/modules/services/system/uptimed.nix b/nixpkgs/nixos/modules/services/system/uptimed.nix
index 3c9978ab226..1e256c51408 100644
--- a/nixpkgs/nixos/modules/services/system/uptimed.nix
+++ b/nixpkgs/nixos/modules/services/system/uptimed.nix
@@ -10,6 +10,7 @@ in
options = {
services.uptimed = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Enable <literal>uptimed</literal>, allowing you to track
diff --git a/nixpkgs/nixos/modules/services/torrent/deluge.nix b/nixpkgs/nixos/modules/services/torrent/deluge.nix
index 0c72505395d..45398cb2613 100644
--- a/nixpkgs/nixos/modules/services/torrent/deluge.nix
+++ b/nixpkgs/nixos/modules/services/torrent/deluge.nix
@@ -5,6 +5,7 @@ with lib;
let
cfg = config.services.deluge;
cfg_web = config.services.deluge.web;
+ isDeluge1 = versionOlder cfg.package.version "2.0.0";
openFilesLimit = 4096;
listenPortsDefault = [ 6881 6889 ];
@@ -18,11 +19,11 @@ let
preStart = if cfg.declarative then ''
if [ -e ${declarativeLockFile} ]; then
# Was declarative before, no need to back up anything
- ln -sf ${configFile} ${configDir}/core.conf
+ ${if isDeluge1 then "ln -sf" else "cp"} ${configFile} ${configDir}/core.conf
ln -sf ${cfg.authFile} ${configDir}/auth
else
# Declarative for the first time, backup stateful files
- ln -sb --suffix=.stateful ${configFile} ${configDir}/core.conf
+ ${if isDeluge1 then "ln -s" else "cp"} -b --suffix=.stateful ${configFile} ${configDir}/core.conf
ln -sb --suffix=.stateful ${cfg.authFile} ${configDir}/auth
echo "Autogenerated file that signifies that this server configuration is managed declaratively by NixOS" \
> ${declarativeLockFile}
@@ -141,7 +142,15 @@ in {
description = ''
Extra packages available at runtime to enable Deluge's plugins. For example,
extraction utilities are required for the built-in "Extractor" plugin.
- This always contains unzip, gnutar, xz, p7zip and bzip2.
+ This always contains unzip, gnutar, xz and bzip2.
+ '';
+ };
+
+ package = mkOption {
+ type = types.package;
+ example = literalExample "pkgs.deluge-1_x";
+ description = ''
+ Deluge package to use.
'';
};
};
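Review bot: The new `package` option has neither `default` nor `defaultText`, so the generated option documentation will not show the stateVersion-dependent choice that the `mkDefault` in the next hunk makes, and because that `mkDefault` sits under `mkIf cfg.enable`, evaluating `services.deluge.package` while the service is disabled presumably fails with a missing-value error. Adding `defaultText = literalExample "pkgs.deluge-2_x if system.stateVersion >= 20.09, pkgs.deluge-1_x otherwise";` to the option and extending the description with that rule would document the behaviour where users look for it.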
@@ -170,8 +179,15 @@ in {
config = mkIf cfg.enable {
+ services.deluge.package = mkDefault (
+ if versionAtLeast config.system.stateVersion "20.09" then
+ pkgs.deluge-2_x
+ else
+ pkgs.deluge-1_x
+ );
+
# Provide a default set of `extraPackages`.
- services.deluge.extraPackages = with pkgs; [ unzip gnutar xz p7zip bzip2 ];
+ services.deluge.extraPackages = with pkgs; [ unzip gnutar xz bzip2 ];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group}"
@@ -189,10 +205,10 @@ in {
after = [ "network.target" ];
description = "Deluge BitTorrent Daemon";
wantedBy = [ "multi-user.target" ];
- path = [ pkgs.deluge ] ++ cfg.extraPackages;
+ path = [ cfg.package ] ++ cfg.extraPackages;
serviceConfig = {
ExecStart = ''
- ${pkgs.deluge}/bin/deluged \
+ ${cfg.package}/bin/deluged \
--do-not-daemonize \
--config ${configDir}
'';
@@ -212,10 +228,11 @@ in {
requires = [ "deluged.service" ];
description = "Deluge BitTorrent WebUI";
wantedBy = [ "multi-user.target" ];
- path = [ pkgs.deluge ];
+ path = [ cfg.package ];
serviceConfig = {
ExecStart = ''
- ${pkgs.deluge}/bin/deluge-web \
+ ${cfg.package}/bin/deluge-web \
+ ${optionalString (!isDeluge1) "--do-not-daemonize"} \
--config ${configDir} \
--port ${toString cfg.web.port}
'';
@@ -234,7 +251,7 @@ in {
})
];
- environment.systemPackages = [ pkgs.deluge ];
+ environment.systemPackages = [ cfg.package ];
users.users = mkIf (cfg.user == "deluge") {
deluge = {
diff --git a/nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix b/nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix
index 07af7aa0dfe..33a828fa2cb 100644
--- a/nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix
@@ -3,13 +3,14 @@
let
inherit (lib) mkEnableOption mkForce mkIf mkMerge mkOption optionalAttrs recursiveUpdate types;
+ inherit (lib) concatMapStringsSep flatten mapAttrs mapAttrs' mapAttrsToList nameValuePair concatMapStringSep;
- cfg = config.services.dokuwiki;
+ eachSite = config.services.dokuwiki;
- user = config.services.nginx.user;
+ user = "dokuwiki";
group = config.services.nginx.group;
- dokuwikiAclAuthConfig = pkgs.writeText "acl.auth.php" ''
+ dokuwikiAclAuthConfig = cfg: pkgs.writeText "acl.auth.php" ''
# acl.auth.php
# <?php exit()?>
#
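Review bot: `concatMapStringSep` at the end of the new `inherit (lib)` line is a misspelling of `concatMapStringsSep`, which the same line already inherits; since `inherit` is lazy this is a dead binding rather than an evaluation error, but it should be removed before someone relies on it. The switch from `config.services.nginx.user` to the literal user `"dokuwiki"` makes the pools and state directories depend on such an account existing, and its creation is not in this hunk — if it is not declared later in the module, the php-fpm pool will fail to start. `dokuwikiAclAuthConfig` still renders the ACL into the Nix store via `pkgs.writeText`; a comment here pointing at `aclFile` as the non-store alternative would help, since the enclosing `let` continues past this hunk.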
@@ -18,244 +19,353 @@ let
${toString cfg.acl}
'';
- dokuwikiLocalConfig = pkgs.writeText "local.php" ''
+ dokuwikiLocalConfig = cfg: pkgs.writeText "local.php" ''
<?php
$conf['savedir'] = '${cfg.stateDir}';
$conf['superuser'] = '${toString cfg.superUser}';
$conf['useacl'] = '${toString cfg.aclUse}';
+ $conf['disableactions'] = '${cfg.disableActions}';
${toString cfg.extraConfig}
'';
- dokuwikiPluginsLocalConfig = pkgs.writeText "plugins.local.php" ''
+ dokuwikiPluginsLocalConfig = cfg: pkgs.writeText "plugins.local.php" ''
<?php
${cfg.pluginsConfig}
'';
-in
-{
- options.services.dokuwiki = {
- enable = mkEnableOption "DokuWiki web application.";
+ pkg = hostName: cfg: pkgs.stdenv.mkDerivation rec {
+ pname = "dokuwiki-${hostName}";
+ version = src.version;
+ src = cfg.package;
- hostName = mkOption {
- type = types.str;
- default = "localhost";
- description = "FQDN for the instance.";
- };
+ installPhase = ''
+ mkdir -p $out
+ cp -r * $out/
- stateDir = mkOption {
- type = types.path;
- default = "/var/lib/dokuwiki/data";
- description = "Location of the dokuwiki state directory.";
- };
+ # symlink the dokuwiki config
+ ln -s ${dokuwikiLocalConfig cfg} $out/share/dokuwiki/local.php
- acl = mkOption {
- type = types.nullOr types.lines;
- default = null;
- example = "* @ALL 8";
- description = ''
- Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/>
- Mutually exclusive with services.dokuwiki.aclFile
- Set this to a value other than null to take precedence over aclFile option.
- '';
- };
+ # symlink plugins config
+ ln -s ${dokuwikiPluginsLocalConfig cfg} $out/share/dokuwiki/plugins.local.php
- aclFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl
- Mutually exclusive with services.dokuwiki.acl which is preferred.
- Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions.
- Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/>
- '';
- };
+ # symlink acl
+ ln -s ${dokuwikiAclAuthConfig cfg} $out/share/dokuwiki/acl.auth.php
- aclUse = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Necessary for users to log in into the system.
- Also limits anonymous users. When disabled,
- everyone is able to create and edit content.
- '';
- };
+ # symlink additional plugin(s) and templates(s)
+ ${concatMapStringsSep "\n" (template: "ln -s ${template} $out/share/dokuwiki/lib/tpl/${template.name}") cfg.templates}
+ ${concatMapStringsSep "\n" (plugin: "ln -s ${plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") cfg.plugins}
+ '';
+ };
- pluginsConfig = mkOption {
- type = types.lines;
- default = ''
- $plugins['authad'] = 0;
- $plugins['authldap'] = 0;
- $plugins['authmysql'] = 0;
- $plugins['authpgsql'] = 0;
- '';
- description = ''
- List of the dokuwiki (un)loaded plugins.
- '';
- };
+ siteOpts = { config, lib, name, ...}: {
+ options = {
+ enable = mkEnableOption "DokuWiki web application.";
- superUser = mkOption {
- type = types.nullOr types.str;
- default = "@admin";
- description = ''
- You can set either a username, a list of usernames (“admin1,admin2”),
- or the name of a group by prepending an @ char to the groupname
- Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions.
- '';
- };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.dokuwiki;
+ description = "Which dokuwiki package to use.";
+ };
+
+ hostName = mkOption {
+ type = types.str;
+ default = "localhost";
+ description = "FQDN for the instance.";
+ };
+
+ stateDir = mkOption {
+ type = types.path;
+ default = "/var/lib/dokuwiki/${name}/data";
+ description = "Location of the dokuwiki state directory.";
+ };
- usersFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- Location of the dokuwiki users file. List of users. Format:
- login:passwordhash:Real Name:email:groups,comma,separated
- Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1`
- Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/>
+ acl = mkOption {
+ type = types.nullOr types.lines;
+ default = null;
+ example = "* @ALL 8";
+ description = ''
+ Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/>
+ Mutually exclusive with services.dokuwiki.aclFile
+ Set this to a value other than null to take precedence over aclFile option.
+
+ Warning: Consider using aclFile instead if you do not
+ want to store the ACL in the world-readable Nix store.
'';
- };
+ };
- extraConfig = mkOption {
- type = types.nullOr types.lines;
- default = null;
- example = ''
- $conf['title'] = 'My Wiki';
- $conf['userewrite'] = 1;
- '';
- description = ''
- DokuWiki configuration. Refer to
- <link xlink:href="https://www.dokuwiki.org/config"/>
- for details on supported values.
- '';
- };
+ aclFile = mkOption {
+ type = with types; nullOr str;
+ default = if (config.aclUse && config.acl == null) then "/var/lib/dokuwiki/${name}/users.auth.php" else null;
+ description = ''
+ Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl
+ Mutually exclusive with services.dokuwiki.acl which is preferred.
+ Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions.
+ Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/>
+ '';
+ example = "/var/lib/dokuwiki/${name}/acl.auth.php";
+ };
- poolConfig = mkOption {
- type = with types; attrsOf (oneOf [ str int bool ]);
- default = {
- "pm" = "dynamic";
- "pm.max_children" = 32;
- "pm.start_servers" = 2;
- "pm.min_spare_servers" = 2;
- "pm.max_spare_servers" = 4;
- "pm.max_requests" = 500;
+ aclUse = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Necessary for users to log in into the system.
+ Also limits anonymous users. When disabled,
+ everyone is able to create and edit content.
+ '';
};
- description = ''
- Options for the dokuwiki PHP pool. See the documentation on <literal>php-fpm.conf</literal>
- for details on configuration directives.
- '';
- };
- nginx = mkOption {
- type = types.submodule (
- recursiveUpdate
- (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
- {
- # Enable encryption by default,
- options.forceSSL.default = true;
- options.enableACME.default = true;
- }
- );
- default = {forceSSL = true; enableACME = true;};
- example = {
- serverAliases = [
- "wiki.\${config.networking.domain}"
- ];
- enableACME = false;
+ pluginsConfig = mkOption {
+ type = types.lines;
+ default = ''
+ $plugins['authad'] = 0;
+ $plugins['authldap'] = 0;
+ $plugins['authmysql'] = 0;
+ $plugins['authpgsql'] = 0;
+ '';
+ description = ''
+ List of the dokuwiki (un)loaded plugins.
+ '';
+ };
+
+ superUser = mkOption {
+ type = types.nullOr types.str;
+ default = "@admin";
+ description = ''
+ You can set either a username, a list of usernames (“admin1,admin2”),
+ or the name of a group by prepending an @ char to the groupname
+ Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions.
+ '';
};
- description = ''
- With this option, you can customize the nginx virtualHost which already has sensible defaults for DokuWiki.
- '';
+
+ usersFile = mkOption {
+ type = with types; nullOr str;
+ default = if config.aclUse then "/var/lib/dokuwiki/${name}/users.auth.php" else null;
+ description = ''
+ Location of the dokuwiki users file. List of users. Format:
+ login:passwordhash:Real Name:email:groups,comma,separated
+ Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1`
+ Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/>
+ '';
+ example = "/var/lib/dokuwiki/${name}/users.auth.php";
+ };
+
+ disableActions = mkOption {
+ type = types.nullOr types.str;
+ default = "";
+ example = "search,register";
+ description = ''
+ Disable individual action modes. Refer to
+ <link xlink:href="https://www.dokuwiki.org/config:action_modes"/>
+ for details on supported values.
+ '';
+ };
+
+ extraConfig = mkOption {
+ type = types.nullOr types.lines;
+ default = null;
+ example = ''
+ $conf['title'] = 'My Wiki';
+ $conf['userewrite'] = 1;
+ '';
+ description = ''
+ DokuWiki configuration. Refer to
+ <link xlink:href="https://www.dokuwiki.org/config"/>
+ for details on supported values.
+ '';
+ };
+
+ plugins = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = ''
+ List of path(s) to respective plugin(s) which are copied from the 'plugin' directory.
+ <note><para>These plugins need to be packaged before use, see example.</para></note>
+ '';
+ example = ''
+ # Let's package the icalevents plugin
+ plugin-icalevents = pkgs.stdenv.mkDerivation {
+ name = "icalevents";
+ # Download the plugin from the dokuwiki site
+ src = pkgs.fetchurl {
+ url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/2017-06-16/dokuwiki-plugin-icalevents-2017-06-16.zip";
+ sha256 = "e40ed7dd6bbe7fe3363bbbecb4de481d5e42385b5a0f62f6a6ce6bf3a1f9dfa8";
+ };
+ sourceRoot = ".";
+ # We need unzip to build this package
+ buildInputs = [ pkgs.unzip ];
+ # Installing simply means copying all files to the output directory
+ installPhase = "mkdir -p $out; cp -R * $out/";
+ };
+
+ # And then pass this theme to the plugin list like this:
+ plugins = [ plugin-icalevents ];
+ '';
+ };
+
+ templates = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = ''
+ List of path(s) to respective template(s) which are copied from the 'tpl' directory.
+ <note><para>These templates need to be packaged before use, see example.</para></note>
+ '';
+ example = ''
+ # Let's package the bootstrap3 theme
+ template-bootstrap3 = pkgs.stdenv.mkDerivation {
+ name = "bootstrap3";
+ # Download the theme from the dokuwiki site
+ src = pkgs.fetchurl {
+ url = "https://github.com/giterlizzi/dokuwiki-template-bootstrap3/archive/v2019-05-22.zip";
+ sha256 = "4de5ff31d54dd61bbccaf092c9e74c1af3a4c53e07aa59f60457a8f00cfb23a6";
+ };
+ # We need unzip to build this package
+ buildInputs = [ pkgs.unzip ];
+ # Installing simply means copying all files to the output directory
+ installPhase = "mkdir -p $out; cp -R * $out/";
+ };
+
+ # And then pass this theme to the template list like this:
+ templates = [ template-bootstrap3 ];
+ '';
+ };
+
+ poolConfig = mkOption {
+ type = with types; attrsOf (oneOf [ str int bool ]);
+ default = {
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "pm.max_requests" = 500;
+ };
+ description = ''
+ Options for the dokuwiki PHP pool. See the documentation on <literal>php-fpm.conf</literal>
+ for details on configuration directives.
+ '';
+ };
+
+ nginx = mkOption {
+ type = types.submodule (
+ recursiveUpdate
+ (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
+ {
+ # Enable encryption by default,
+ options.forceSSL.default = true;
+ options.enableACME.default = true;
+ }
+ );
+ default = {forceSSL = true; enableACME = true;};
+ example = {
+ serverAliases = [
+ "wiki.\${config.networking.domain}"
+ ];
+ enableACME = false;
+ };
+ description = ''
+ With this option, you can customize the nginx virtualHost which already has sensible defaults for DokuWiki.
+ '';
+ };
+ };
+ };
+in
+{
+ # interface
+ options = {
+ services.dokuwiki = mkOption {
+ type = types.attrsOf (types.submodule siteOpts);
+ default = {};
+ description = "Sepcification of one or more dokuwiki sites to service.";
};
};
# implementation
- config = mkIf cfg.enable {
-
- warnings = mkIf (cfg.superUser == null) ["Not setting services.dokuwiki.superUser will impair your ability to administer DokuWiki"];
-
- assertions = [
- {
- assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null);
- message = "Either services.dokuwiki.acl or services.dokuwiki.aclFile is mandatory when aclUse is true";
- }
- {
- assertion = cfg.usersFile != null -> cfg.aclUse != false;
- message = "services.dokuwiki.aclUse must be true when usersFile is not null";
- }
- ];
-
- services.phpfpm.pools.dokuwiki = {
- inherit user;
- inherit group;
- phpEnv = {
- DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig}";
- DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig}";
- } //optionalAttrs (cfg.usersFile != null) {
- DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}";
- } //optionalAttrs (cfg.aclUse) {
- DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig}" else "${toString cfg.aclFile}";
- };
-
- settings = {
- "listen.mode" = "0660";
- "listen.owner" = user;
- "listen.group" = group;
- } // cfg.poolConfig;
- };
+ config = mkIf (eachSite != {}) {
+
+ warnings = mapAttrsToList (hostName: cfg: mkIf (cfg.superUser == null) "Not setting services.dokuwiki.${hostName} superUser will impair your ability to administer DokuWiki") eachSite;
+
+ assertions = flatten (mapAttrsToList (hostName: cfg:
+ [{
+ assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null);
+ message = "Either services.dokuwiki.${hostName}.acl or services.dokuwiki.${hostName}.aclFile is mandatory if aclUse true";
+ }
+ {
+ assertion = cfg.usersFile != null -> cfg.aclUse != false;
+ message = "services.dokuwiki.${hostName}.aclUse must must be true if usersFile is not null";
+ }
+ ]) eachSite);
+
+ services.phpfpm.pools = mapAttrs' (hostName: cfg: (
+ nameValuePair "dokuwiki-${hostName}" {
+ inherit user;
+ inherit group;
+ phpEnv = {
+ DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig cfg}";
+ DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig cfg}";
+ } // optionalAttrs (cfg.usersFile != null) {
+ DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}";
+ } //optionalAttrs (cfg.aclUse) {
+ DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig cfg}" else "${toString cfg.aclFile}";
+ };
+
+ settings = {
+ "listen.mode" = "0660";
+ "listen.owner" = user;
+ "listen.group" = group;
+ } // cfg.poolConfig;
+ })) eachSite;
services.nginx = {
enable = true;
-
- virtualHosts = {
- ${cfg.hostName} = mkMerge [ cfg.nginx {
- root = mkForce "${pkgs.dokuwiki}/share/dokuwiki/";
- extraConfig = "fastcgi_param HTTPS on;";
-
- locations."~ /(conf/|bin/|inc/|install.php)" = {
- extraConfig = "deny all;";
- };
-
- locations."~ ^/data/" = {
- root = "${cfg.stateDir}";
- extraConfig = "internal;";
- };
-
- locations."~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
- extraConfig = "expires 365d;";
- };
-
- locations."/" = {
- priority = 1;
- index = "doku.php";
- extraConfig = ''try_files $uri $uri/ @dokuwiki;'';
- };
-
- locations."@dokuwiki" = {
- extraConfig = ''
+ virtualHosts = mapAttrs (hostName: cfg: mkMerge [ cfg.nginx {
+ root = mkForce "${pkg hostName cfg}/share/dokuwiki";
+ extraConfig = "fastcgi_param HTTPS on;";
+
+ locations."~ /(conf/|bin/|inc/|install.php)" = {
+ extraConfig = "deny all;";
+ };
+
+ locations."~ ^/data/" = {
+ root = "${cfg.stateDir}";
+ extraConfig = "internal;";
+ };
+
+ locations."~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
+ extraConfig = "expires 365d;";
+ };
+
+ locations."/" = {
+ priority = 1;
+ index = "doku.php";
+ extraConfig = ''try_files $uri $uri/ @dokuwiki;'';
+ };
+
+ locations."@dokuwiki" = {
+ extraConfig = ''
# rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
- '';
- };
+ '';
+ };
- locations."~ \.php$" = {
- extraConfig = ''
+ locations."~ \.php$" = {
+ extraConfig = ''
try_files $uri $uri/ /doku.php;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
- fastcgi_pass unix:${config.services.phpfpm.pools.dokuwiki.socket};
+ fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket};
fastcgi_param HTTPS on;
- '';
- };
- }];
- };
-
+ '';
+ };
+ }]) eachSite;
};
- systemd.tmpfiles.rules = [
+ systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [
"d ${cfg.stateDir}/attic 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/cache 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/index 0750 ${user} ${group} - -"
@@ -266,7 +376,13 @@ in
"d ${cfg.stateDir}/meta 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/pages 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/tmp 0750 ${user} ${group} - -"
- ];
+ ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist"
+ ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist"
+ ) eachSite);
+ users.users.${user} = {
+ group = group;
+ isSystemUser = true;
+ };
};
}
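Review bot: Every site's state directories and the seeded ACL/users files in this hunk are created for the one shared `${user}`/`${group}` (0750/0640, same owner), so the PHP pool of one DokuWiki site can read and rewrite every other site's pages, `acl.auth.php` and `users.auth.php`, which undoes the isolation a multi-site split is supposed to give. A per-site account (for example `user = "dokuwiki-${hostName}"` with matching `users.users`/`users.groups` entries and the pool's `listen.owner`) would keep sites apart; where `user` and `group` are defined is outside this hunk, so at minimum the option docs should state that all sites share one account. The `C` rules also seed `acl.auth.php` from the package's `.dist` file, so whatever permissions that shipped file grants become the live ACL of a fresh site; that is worth one sentence in the `aclFile` description.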
diff --git a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix
index 853347bf86e..f5c2c356afc 100644
--- a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix
@@ -224,7 +224,7 @@ in
serviceConfig = {
User = "nobody";
Group = "nogroup";
- ExecStart = "${pkgs.matterircd.bin}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}";
+ ExecStart = "${pkgs.matterircd}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}";
WorkingDirectory = "/tmp";
PrivateTmp = true;
Restart = "always";
diff --git a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix
index e9ed53857d8..0a5b6047bb5 100644
--- a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix
@@ -29,7 +29,7 @@ let
'') cfg.skins)}
${concatStringsSep "\n" (mapAttrsToList (k: v: ''
- ln -s ${v} $out/share/mediawiki/extensions/${k}
+ ln -s ${if v != null then v else "$src/share/mediawiki/extensions/${k}"} $out/share/mediawiki/extensions/${k}
'') cfg.extensions)}
'';
};
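Review bot: The extension name `${k}` is interpolated unquoted into the `ln -s` command on the new line (and into the existing `$out/...${k}` target), so an attribute name containing whitespace or shell metacharacters breaks the build or links an unintended path. Since this file already uses `lib` names unqualified (`concatStringsSep`, `mapAttrsToList` on the lines above), `escapeShellArg` should be in scope: `ln -s ${if v != null then escapeShellArg v else "$src/share/mediawiki/extensions/${escapeShellArg k}"} $out/share/mediawiki/extensions/${escapeShellArg k}`. The `$src/share/mediawiki/extensions` fallback presumes `src` is an unpacked MediaWiki tree; that is set outside this hunk and should be confirmed.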
@@ -204,17 +204,28 @@ in
default = {};
type = types.attrsOf types.path;
description = ''
- List of paths whose content is copied to the 'skins'
- subdirectory of the MediaWiki installation.
+ Attribute set of paths whose content is copied to the <filename>skins</filename>
+ subdirectory of the MediaWiki installation in addition to the default skins.
'';
};
extensions = mkOption {
default = {};
- type = types.attrsOf types.path;
+ type = types.attrsOf (types.nullOr types.path);
description = ''
- List of paths whose content is copied to the 'extensions'
- subdirectory of the MediaWiki installation.
+ Attribute set of paths whose content is copied to the <filename>extensions</filename>
+ subdirectory of the MediaWiki installation and enabled in configuration.
+
+ Use <literal>null</literal> instead of path to enable extensions that are part of MediaWiki.
+ '';
+ example = literalExample ''
+ {
+ Matomo = pkgs.fetchzip {
+ url = "https://github.com/DaSchTour/matomo-mediawiki-extension/archive/v4.0.1.tar.gz";
+ sha256 = "0g5rd3zp0avwlmqagc59cg9bbkn3r7wx7p6yr80s644mj6dlvs1b";
+ };
+ ParserFunctions = null;
+ }
'';
};
diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
index 5f6f2bc7a16..f826096bf60 100644
--- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
@@ -11,8 +11,8 @@ let
base = pkgs.php74;
in
base.buildEnv {
- extensions = e: with e;
- base.enabledExtensions ++ [
+ extensions = { enabled, all }: with all;
+ enabled ++ [
apcu redis memcached imagick
];
extraConfig = phpOptionsStr;
diff --git a/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix b/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix
index b92e3449894..2ea9537b93d 100644
--- a/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix
@@ -631,9 +631,12 @@ let
serviceConfig = {
User = "${cfg.user}";
Group = "tt_rss";
- ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon";
+ ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon --quiet";
StandardOutput = "syslog";
StandardError = "syslog";
+ Restart = "on-failure";
+ RestartSec = "60";
+ SyslogIdentifier = "tt-rss";
};
wantedBy = [ "multi-user.target" ];
diff --git a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix
index c48a4409737..5fbe53221ae 100644
--- a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix
@@ -105,7 +105,7 @@ let
name = "embed-pdf-viewer-plugin";
# Download the theme from the wordpress site
src = pkgs.fetchurl {
- url = https://downloads.wordpress.org/plugin/embed-pdf-viewer.2.0.3.zip;
+ url = "https://downloads.wordpress.org/plugin/embed-pdf-viewer.2.0.3.zip";
sha256 = "1rhba5h5fjlhy8p05zf0p14c9iagfh96y91r36ni0rmk6y891lyd";
};
# We need unzip to build this package
@@ -132,7 +132,7 @@ let
name = "responsive-theme";
# Download the theme from the wordpress site
src = pkgs.fetchurl {
- url = https://downloads.wordpress.org/theme/responsive.3.14.zip;
+ url = "https://downloads.wordpress.org/theme/responsive.3.14.zip";
sha256 = "0rjwm811f4aa4q43r77zxlpklyb85q08f9c8ns2akcarrvj5ydx3";
};
# We need unzip to build this package
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
index 832c8b30ee9..8abee7130d7 100644
--- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -12,7 +12,7 @@ let
httpdConf = cfg.configFile;
- php = cfg.phpPackage.override { apacheHttpd = pkg.dev; /* otherwise it only gets .out */ };
+ php = cfg.phpPackage.override { apacheHttpd = pkg; };
phpMajorVersion = lib.versions.major (lib.getVersion php);
@@ -41,9 +41,9 @@ let
"mime" "autoindex" "negotiation" "dir"
"alias" "rewrite"
"unixd" "slotmem_shm" "socache_shmcb"
- "mpm_${cfg.multiProcessingModule}"
+ "mpm_${cfg.mpm}"
]
- ++ (if cfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
+ ++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ])
++ optional enableHttp2 "http2"
++ optional enableSSL "ssl"
++ optional enableUserDir "userdir"
@@ -264,7 +264,7 @@ let
PidFile ${runtimeDir}/httpd.pid
- ${optionalString (cfg.multiProcessingModule != "prefork") ''
+ ${optionalString (cfg.mpm != "prefork") ''
# mod_cgid requires this.
ScriptSock ${runtimeDir}/cgisock
''}
@@ -338,6 +338,7 @@ let
}
''
cat ${php}/etc/php.ini > $out
+ cat ${php.phpIni} > $out
echo "$options" >> $out
'';
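Review bot: The added `cat ${php.phpIni} > $out` truncates `$out`, so the `${php}/etc/php.ini` copied on the line above is discarded before `$options` is appended. If both files are meant to be merged, the new line should be `cat ${php.phpIni} >> $out`; if `php.phpIni` is meant to replace the packaged ini entirely, the first `cat` should be deleted rather than left as a dead write. Either way a one-line comment naming which ini is the base would stop the next reader from guessing. The enclosing runCommand starts outside the hunk.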
@@ -349,6 +350,7 @@ in
imports = [
(mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
(mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
+ (mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ])
# virtualHosts options
(mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
@@ -453,7 +455,13 @@ in
type = types.str;
default = "wwwrun";
description = ''
- User account under which httpd runs.
+ User account under which httpd children processes run.
+
+ If you require the main httpd process to run as
+ <literal>root</literal> add the following configuration:
+ <programlisting>
+ systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
+ </programlisting>
'';
};
@@ -461,7 +469,7 @@ in
type = types.str;
default = "wwwrun";
description = ''
- Group under which httpd runs.
+ Group under which httpd children processes run.
'';
};
@@ -538,20 +546,19 @@ in
'';
};
- multiProcessingModule = mkOption {
+ mpm = mkOption {
type = types.enum [ "event" "prefork" "worker" ];
- default = "prefork";
+ default = "event";
example = "worker";
description =
''
Multi-processing module to be used by Apache. Available
- modules are <literal>prefork</literal> (the default;
- handles each request in a separate child process),
- <literal>worker</literal> (hybrid approach that starts a
- number of child processes each running a number of
- threads) and <literal>event</literal> (a recent variant of
- <literal>worker</literal> that handles persistent
- connections more efficiently).
+ modules are <literal>prefork</literal> (handles each
+ request in a separate child process), <literal>worker</literal>
+ (hybrid approach that starts a number of child processes
+ each running a number of threads) and <literal>event</literal>
+ (the default; a recent variant of <literal>worker</literal>
+ that handles persistent connections more efficiently).
'';
};
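Review bot: Changing the default from `prefork` to `event` silently switches existing deployments that never set this option to a threaded MPM, and mod_php (`enablePHP`) only works under a threaded MPM when the PHP build is thread-safe; the hunk neither asserts nor documents that. Whether the `phpPackage` override used by this module is guaranteed to be a ZTS build I cannot tell from here, so at least the description should say: `worker and event are threaded; when enablePHP is set the PHP build must be thread-safe, otherwise use prefork.` A release-notes entry for the changed default would also be expected for a behaviour change of this size.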
@@ -651,7 +658,7 @@ in
services.httpd.phpOptions =
''
; Needed for PHP's mail() function.
- sendmail_path = sendmail -t -i
+ sendmail_path = ${pkgs.system-sendmail}/bin/sendmail -t -i
; Don't advertise PHP
expose_php = off
@@ -702,9 +709,7 @@ in
wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);
after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;
- path =
- [ pkg pkgs.coreutils pkgs.gnugrep ]
- ++ optional cfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function.
+ path = [ pkg pkgs.coreutils pkgs.gnugrep ];
environment =
optionalAttrs cfg.enablePHP { PHPRC = phpIni; }
@@ -724,7 +729,7 @@ in
ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
- User = "root";
+ User = cfg.user;
Group = cfg.group;
Type = "forking";
PIDFile = "${runtimeDir}/httpd.pid";
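Review bot: With `User = cfg.user` the httpd parent no longer starts as root, so every file it previously opened with root privileges — TLS private keys for ACME vhosts, the log directory, any restrictively-moded `DocumentRoot` — must now be readable by `cfg.user`, and nothing in this hunk shows that being handled (ACME and log setup live outside it). If the ACME certificate group is not set to `cfg.group` elsewhere in the module, TLS vhosts would fail at startup with an opaque permission error, so an assertion or a sentence in the `user` option description pointing at the requirement would help.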
@@ -732,6 +737,7 @@ in
RestartSec = "5s";
RuntimeDirectory = "httpd httpd/runtime";
RuntimeDirectoryMode = "0750";
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
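Review bot: `AmbientCapabilities` alone grants CAP_NET_BIND_SERVICE but leaves the bounding set unrestricted, so a setuid binary executed by the now-unprivileged httpd (CGI, suexec) could still regain full root; mirror the nginx hunk in this same diff and add `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` and `NoNewPrivileges = true;`. One thing to check first: NoNewPrivileges blocks setuid helpers, so if the module is expected to support suexec or setuid CGI this needs a conditional or a documented exception. The serviceConfig attrset this hunk extends starts outside the hunk.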
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
index 2e806afb42c..173c0f8561c 100644
--- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
@@ -137,7 +137,7 @@ in
http2 = mkOption {
type = types.bool;
- default = false;
+ default = true;
description = ''
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.
diff --git a/nixpkgs/nixos/modules/services/web-servers/jboss/default.nix b/nixpkgs/nixos/modules/services/web-servers/jboss/default.nix
index d28724281a8..ca5b8635fc0 100644
--- a/nixpkgs/nixos/modules/services/web-servers/jboss/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/jboss/default.nix
@@ -24,6 +24,7 @@ in
services.jboss = {
enable = mkOption {
+ type = types.bool;
default = false;
description = "Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities.";
};
@@ -59,6 +60,7 @@ in
};
useJK = mkOption {
+ type = types.bool;
default = false;
description = "Whether to use to connector to the Apache HTTP server";
};
diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
index 8d49dc66eb1..312d2b0a21a 100644
--- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
@@ -187,7 +187,7 @@ let
then "/etc/nginx/nginx.conf"
else configFile;
- execCommand = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'";
+ execCommand = "${cfg.package}/bin/nginx -c '${configPath}'";
vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
let
@@ -463,11 +463,12 @@ in
'';
};
- stateDir = mkOption {
- default = "/var/spool/nginx";
- description = "
- Directory holding all state for nginx to run.
- ";
+ enableSandbox = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Starting Nginx web server with additional sandbox/hardening options.
+ '';
};
user = mkOption {
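Review bot: The `enableSandbox` description says what the option is for but not what it does or what it breaks: the `ProtectSystem = "strict"` it turns on (further down this diff) makes the filesystem read-only except the Runtime/Cache/Logs directories, so any `access_log`, `client_body_temp_path` or similar custom path in user configuration fails with a read-only error once the option is on. I would reword it: `Whether to run nginx with additional systemd sandboxing (ProtectSystem=strict, PrivateDevices, restricted address families, native-only syscall architectures, ...). When enabled, nginx can only write below /run/nginx, /var/cache/nginx and /var/log/nginx; configurations that write elsewhere must extend systemd.services.nginx.serviceConfig.ReadWritePaths.` The current wording (`Starting Nginx web server with ...`) also does not read as the description of a boolean.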
@@ -636,6 +637,13 @@ in
};
};
+ imports = [
+ (mkRemovedOptionModule [ "services" "nginx" "stateDir" ] ''
+ The Nginx log directory has been moved to /var/log/nginx, the cache directory
+ to /var/cache/nginx. The option services.nginx.stateDir has been removed.
+ '')
+ ];
+
config = mkIf cfg.enable {
# TODO: test user supplied config file pases syntax test
@@ -680,12 +688,6 @@ in
}
];
- systemd.tmpfiles.rules = [
- "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
- "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -"
- "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"
- ];
-
systemd.services.nginx = {
description = "Nginx Web Server";
wantedBy = [ "multi-user.target" ];
@@ -708,8 +710,35 @@ in
# Runtime directory and mode
RuntimeDirectory = "nginx";
RuntimeDirectoryMode = "0750";
+ # Cache directory and mode
+ CacheDirectory = "nginx";
+ CacheDirectoryMode = "0750";
+ # Logs directory and mode
+ LogsDirectory = "nginx";
+ LogsDirectoryMode = "0750";
# Capabilities
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ # Security
+ NoNewPrivileges = true;
+ } // optionalAttrs cfg.enableSandbox {
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = mkDefault true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
};
};
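Review bot: The `MemoryDenyWriteExecute` decision at the end of the sandbox block inspects `pkgs.nginx.modules` instead of the package actually being run, so a user who sets `services.nginx.package` to a build containing a module that sets `allowMemoryWriteExecute` gets W^X enforced against the wrong module list and the server aborts at runtime; use `MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) (cfg.package.modules or []));`. Separately, `ProtectSystem = "strict"` with no `ReadWritePaths` leaves every path outside the three systemd-managed directories read-only, which is not stated anywhere the user will see it.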
diff --git a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
index 3db19c781d0..d090885a8ca 100644
--- a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -209,14 +209,14 @@ in {
user = "php";
group = "php";
phpPackage = pkgs.php;
- settings = '''
+ settings = {
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
- ''';
+ };
}
}'';
description = ''
diff --git a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix
index f8a18954fc9..989866144e1 100644
--- a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix
@@ -91,41 +91,47 @@ in {
description = "Unit App Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- path = with pkgs; [ curl ];
preStart = ''
- test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json'
+ [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json'
'';
postStart = ''
- curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
+ ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
'';
serviceConfig = {
+ Type = "forking";
+ PIDFile = "/run/unit/unit.pid";
ExecStart = ''
${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
- --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \
+ --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' \
--user ${cfg.user} --group ${cfg.group}
'';
- # User and group
- User = cfg.user;
- Group = cfg.group;
- # Capabilities
- AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ ExecStop = ''
+ ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
+ '';
+ # Runtime directory and mode
+ RuntimeDirectory = "unit";
+ RuntimeDirectoryMode = "0750";
+ # Access write directories
+ ReadWritePaths = [ cfg.stateDir cfg.logDir ];
# Security
NoNewPrivileges = true;
# Sandboxing
- ProtectSystem = "full";
+ ProtectSystem = "strict";
ProtectHome = true;
- RuntimeDirectory = "unit";
- RuntimeDirectoryMode = "0750";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
+ RestrictSUIDSGID = true;
PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
};
};
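Review bot: Dropping `User`/`Group` means the unitd main process now runs as root (the `--user`/`--group` flags apply to application processes), whereas the removed lines ran it as `cfg.user` with ambient `CAP_SETUID`/`CAP_SETGID`; the hunk does not say why the change is needed, and no `CapabilityBoundingSet` cuts root down to what unitd actually uses. A comment such as `# unitd must start as root to switch application processes to cfg.user/cfg.group` plus a bounding set (presumably `CAP_SETUID`, `CAP_SETGID`, `CAP_NET_BIND_SERVICE` and whatever else unitd needs to drop privileges — to be confirmed against unitd) would make the trade-off explicit. The pre-existing `MemoryDenyWriteExecute = true` is also worth re-checking now that root-spawned language modules fall under it, since JIT-based runtimes need writable-and-executable mappings.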
diff --git a/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix
index 4b74c329e3d..936e211ec71 100644
--- a/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix
@@ -79,7 +79,25 @@ in {
};
instance = mkOption {
- type = types.attrs;
+ type = with lib.types; let
+ valueType = nullOr (oneOf [
+ bool
+ int
+ float
+ str
+ (lazyAttrsOf valueType)
+ (listOf valueType)
+ (mkOptionType {
+ name = "function";
+ description = "function";
+ check = x: isFunction x;
+ merge = mergeOneOption;
+ })
+ ]) // {
+ description = "Json value or lambda";
+ emptyValue.value = {};
+ };
+ in valueType;
default = {
type = "normal";
};
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index 32c9a40e535..1690a7d51a8 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -23,6 +23,7 @@ in
options = {
services.xserver.desktopManager.enlightenment.enable = mkOption {
+ type = types.bool;
default = false;
description = "Enable the Enlightenment desktop environment.";
};
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
index ac8e70c52bc..bbc7feb2d04 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -72,6 +72,7 @@ in
services.xserver.desktopManager.gnome3 = {
enable = mkOption {
+ type = types.bool;
default = false;
description = "Enable Gnome 3 desktop manager.";
};
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix
index e997b9a1134..bdae9c3afdb 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix
@@ -10,6 +10,7 @@ in
options = {
services.xserver.desktopManager.kodi = {
enable = mkOption {
+ type = types.bool;
default = false;
description = "Enable the kodi multimedia center.";
};
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
index 01fe230b8a4..5fcc8590232 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -109,7 +109,7 @@ in
# Without this, elementary LightDM greeter will pre-select non-existent `default` session
# https://github.com/elementary/greeter/issues/368
- services.xserver.displayManager.defaultSession = "pantheon";
+ services.xserver.displayManager.defaultSession = mkDefault "pantheon";
services.xserver.displayManager.sessionCommands = ''
if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml
index 9541f2cfd4e..7905ceebd9a 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.xml
@@ -1,7 +1,7 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="chap-pantheon">
- <title>Pantheon Destkop</title>
+ <title>Pantheon Desktop</title>
<para>
Pantheon is the desktop environment created for the elementary OS distribution. It is written from scratch in Vala, utilizing GNOME technologies with GTK 3 and Granite.
</para>
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
index d7bef68e5bc..622ea62f3a9 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
@@ -93,16 +93,17 @@ in
};
wayland = mkOption {
+ type = types.bool;
default = true;
description = ''
Allow GDM to run on Wayland instead of Xserver.
Note to enable Wayland with Nvidia you need to
enable the <option>nvidiaWayland</option>.
'';
- type = types.bool;
};
nvidiaWayland = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to allow wayland to be used with the proprietary
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/startx.nix b/nixpkgs/nixos/modules/services/x11/display-managers/startx.nix
index 57046984358..3980203b945 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/startx.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/startx.nix
@@ -15,6 +15,7 @@ in
options = {
services.xserver.displayManager.startx = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to enable the dummy "startx" pseudo-display manager,
diff --git a/nixpkgs/nixos/modules/services/x11/gdk-pixbuf.nix b/nixpkgs/nixos/modules/services/x11/gdk-pixbuf.nix
index 9ad926369ec..3fd6fed91e1 100644
--- a/nixpkgs/nixos/modules/services/x11/gdk-pixbuf.nix
+++ b/nixpkgs/nixos/modules/services/x11/gdk-pixbuf.nix
@@ -19,7 +19,7 @@ let
continue
fi
GDK_PIXBUF_MODULEDIR="$module_dir" \
- ${pkgs.gdk-pixbuf.dev}/bin/gdk-pixbuf-query-loaders
+ ${pkgs.stdenv.hostPlatform.emulator pkgs.buildPackages} ${pkgs.gdk-pixbuf.dev}/bin/gdk-pixbuf-query-loaders
done
) > "$out"
'';
diff --git a/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix b/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix
index a9f5640905a..b1b1682f00b 100644
--- a/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix
+++ b/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix
@@ -16,12 +16,7 @@ in
services.xserver.digimend = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to enable the digimend drivers for Huion/XP-Pen/etc. tablets.
- '';
- };
+ enable = mkEnableOption "the digimend drivers for Huion/XP-Pen/etc. tablets";
};
diff --git a/nixpkgs/nixos/modules/services/x11/hardware/wacom.nix b/nixpkgs/nixos/modules/services/x11/hardware/wacom.nix
index a27889c36a7..dad2b308d1b 100644
--- a/nixpkgs/nixos/modules/services/x11/hardware/wacom.nix
+++ b/nixpkgs/nixos/modules/services/x11/hardware/wacom.nix
@@ -15,6 +15,7 @@ in
services.xserver.wacom = {
enable = mkOption {
+ type = types.bool;
default = false;
description = ''
Whether to enable the Wacom touchscreen/digitizer/tablet.
diff --git a/nixpkgs/nixos/modules/services/x11/picom.nix b/nixpkgs/nixos/modules/services/x11/picom.nix
index e3bd21be73e..1289edd2904 100644
--- a/nixpkgs/nixos/modules/services/x11/picom.nix
+++ b/nixpkgs/nixos/modules/services/x11/picom.nix
@@ -1,39 +1,48 @@
{ config, lib, pkgs, ... }:
with lib;
-with builtins;
let
cfg = config.services.picom;
- pairOf = x: with types; addCheck (listOf x) (y: length y == 2);
-
- floatBetween = a: b: with lib; with types;
- addCheck str (x: versionAtLeast x a && versionOlder x b);
-
- toConf = attrs: concatStringsSep "\n"
- (mapAttrsToList
- (k: v: let
- sep = if isAttrs v then ":" else "=";
- # Basically a tinkered lib.generators.mkKeyValueDefault
- mkValueString = v:
- if isBool v then boolToString v
- else if isInt v then toString v
- else if isFloat v then toString v
- else if isString v then ''"${escape [ ''"'' ] v}"''
- else if isList v then "[ "
- + concatMapStringsSep " , " mkValueString v
- + " ]"
- else if isAttrs v then "{ "
- + concatStringsSep " "
- (mapAttrsToList
- (key: value: "${toString key}=${mkValueString value};")
- v)
- + " }"
- else abort "picom.mkValueString: unexpected type (v = ${v})";
- in "${escape [ sep ] k}${sep}${mkValueString v};")
- attrs);
+ pairOf = x: with types;
+ addCheck (listOf x) (y: length y == 2)
+ // { description = "pair of ${x.description}"; };
+
+ floatBetween = a: b: with types;
+ let
+ # toString prints floats with hardcoded high precision
+ floatToString = f: builtins.toJSON f;
+ in
+ addCheck float (x: x <= b && x >= a)
+ // { description = "a floating point number in " +
+ "range [${floatToString a}, ${floatToString b}]"; };
+
+ mkDefaultAttrs = mapAttrs (n: v: mkDefault v);
+
+ # Basically a tinkered lib.generators.mkKeyValueDefault
+ # It either serializes a top-level definition "key: { values };"
+ # or an expression "key = { values };"
+ mkAttrsString = top:
+ mapAttrsToList (k: v:
+ let sep = if (top && isAttrs v) then ":" else "=";
+ in "${escape [ sep ] k}${sep}${mkValueString v};");
+
+ # This serializes a Nix expression to the libconfig format.
+ mkValueString = v:
+ if types.bool.check v then boolToString v
+ else if types.int.check v then toString v
+ else if types.float.check v then toString v
+ else if types.str.check v then "\"${escape [ "\"" ] v}\""
+ else if builtins.isList v then "[ ${concatMapStringsSep " , " mkValueString v} ]"
+ else if types.attrs.check v then "{ ${concatStringsSep " " (mkAttrsString false v) } }"
+ else throw ''
+ invalid expression used in option services.picom.settings:
+ ${v}
+ '';
+
+ toConf = attrs: concatStringsSep "\n" (mkAttrsString true cfg.settings);
configFile = pkgs.writeText "picom.conf" (toConf cfg.settings);
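Review bot: `toConf` at the end of the hunk ignores its `attrs` parameter and serializes `cfg.settings` directly, so the helper silently does the wrong thing for any other argument; it should read `toConf = attrs: concatStringsSep "\n" (mkAttrsString true attrs);`. String values are escaped only for `"`, so a value containing a backslash is emitted as an unescaped libconfig escape sequence — presumably `escape [ "\\" "\"" ] v` is wanted, to be confirmed against libconfig's string grammar. The `throw` message also interpolates `${v}` directly, which itself fails for a non-string `v` and hides the intended error; something like `${generators.toPretty {} v}` would print any value.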
@@ -61,7 +70,7 @@ in {
};
fadeDelta = mkOption {
- type = types.addCheck types.int (x: x > 0);
+ type = types.ints.positive;
default = 10;
example = 5;
description = ''
@@ -70,12 +79,11 @@ in {
};
fadeSteps = mkOption {
- type = pairOf (floatBetween "0.01" "1.01");
- default = [ "0.028" "0.03" ];
- example = [ "0.04" "0.04" ];
+ type = pairOf (floatBetween 0.01 1);
+ default = [ 0.028 0.03 ];
+ example = [ 0.04 0.04 ];
description = ''
Opacity change between fade steps (in and out).
- (numbers in range 0.01 - 1.0)
'';
};
@@ -111,11 +119,11 @@ in {
};
shadowOpacity = mkOption {
- type = floatBetween "0.0" "1.01";
- default = "0.75";
- example = "0.8";
+ type = floatBetween 0 1;
+ default = 0.75;
+ example = 0.8;
description = ''
- Window shadows opacity (number in range 0.0 - 1.0).
+ Window shadows opacity.
'';
};
@@ -134,29 +142,29 @@ in {
};
activeOpacity = mkOption {
- type = floatBetween "0.0" "1.01";
- default = "1.0";
- example = "0.8";
+ type = floatBetween 0 1;
+ default = 1.0;
+ example = 0.8;
description = ''
- Opacity of active windows (number in range 0.0 - 1.0).
+ Opacity of active windows.
'';
};
inactiveOpacity = mkOption {
- type = floatBetween "0.1" "1.01";
- default = "1.0";
- example = "0.8";
+ type = floatBetween 0.1 1;
+ default = 1.0;
+ example = 0.8;
description = ''
- Opacity of inactive windows (number in range 0.1 - 1.0).
+ Opacity of inactive windows.
'';
};
menuOpacity = mkOption {
- type = floatBetween "0.0" "1.01";
- default = "1.0";
- example = "0.8";
+ type = floatBetween 0 1;
+ default = 1.0;
+ example = 0.8;
description = ''
- Opacity of dropdown and popup menu (number in range 0.0 - 1.0).
+ Opacity of dropdown and popup menu.
'';
};
@@ -210,7 +218,7 @@ in {
};
refreshRate = mkOption {
- type = types.addCheck types.int (x: x >= 0);
+ type = types.ints.unsigned;
default = 0;
example = 60;
description = ''
@@ -218,54 +226,69 @@ in {
'';
};
- settings = let
- configTypes = with types; oneOf [ bool int float str ];
- # types.loaOf converts lists to sets
- loaOf = t: with types; either (listOf t) (attrsOf t);
+ settings = with types;
+ let
+ scalar = oneOf [ bool int float str ]
+ // { description = "scalar types"; };
+
+ libConfig = oneOf [ scalar (listOf libConfig) (attrsOf libConfig) ]
+ // { description = "libconfig type"; };
+
+ topLevel = attrsOf libConfig
+ // { description = ''
+ libconfig configuration. The format consists of an attributes
+ set (called a group) of settings. Each setting can be a scalar type
+ (boolean, integer, floating point number or string), a list of
+ scalars or a group itself
+ '';
+ };
+
in mkOption {
- type = loaOf (types.either configTypes (loaOf (types.either configTypes (loaOf configTypes))));
- default = {};
+ type = topLevel;
+ default = { };
+ example = literalExample ''
+ blur =
+ { method = "gaussian";
+ size = 10;
+ deviation = 5.0;
+ };
+ '';
description = ''
- Additional Picom configuration.
+ Picom settings. Use this option to configure Picom settings not exposed
+ in a NixOS option or to bypass one. For the available options see the
+ CONFIGURATION FILES section at <literal>picom(1)</literal>.
'';
};
};
config = mkIf cfg.enable {
- services.picom.settings = let
- # Hard conversion to float, literally lib.toInt but toFloat
- toFloat = str: let
- may_be_float = builtins.fromJSON str;
- in if builtins.isFloat may_be_float
- then may_be_float
- else throw "Could not convert ${str} to float.";
- in {
+ services.picom.settings = mkDefaultAttrs {
# fading
- fading = mkDefault cfg.fade;
- fade-delta = mkDefault cfg.fadeDelta;
- fade-in-step = mkDefault (toFloat (elemAt cfg.fadeSteps 0));
- fade-out-step = mkDefault (toFloat (elemAt cfg.fadeSteps 1));
- fade-exclude = mkDefault cfg.fadeExclude;
+ fading = cfg.fade;
+ fade-delta = cfg.fadeDelta;
+ fade-in-step = elemAt cfg.fadeSteps 0;
+ fade-out-step = elemAt cfg.fadeSteps 1;
+ fade-exclude = cfg.fadeExclude;
# shadows
- shadow = mkDefault cfg.shadow;
- shadow-offset-x = mkDefault (elemAt cfg.shadowOffsets 0);
- shadow-offset-y = mkDefault (elemAt cfg.shadowOffsets 1);
- shadow-opacity = mkDefault (toFloat cfg.shadowOpacity);
- shadow-exclude = mkDefault cfg.shadowExclude;
+ shadow = cfg.shadow;
+ shadow-offset-x = elemAt cfg.shadowOffsets 0;
+ shadow-offset-y = elemAt cfg.shadowOffsets 1;
+ shadow-opacity = cfg.shadowOpacity;
+ shadow-exclude = cfg.shadowExclude;
# opacity
- active-opacity = mkDefault (toFloat cfg.activeOpacity);
- inactive-opacity = mkDefault (toFloat cfg.inactiveOpacity);
+ active-opacity = cfg.activeOpacity;
+ inactive-opacity = cfg.inactiveOpacity;
- wintypes = mkDefault cfg.wintypes;
+ wintypes = cfg.wintypes;
- opacity-rule = mkDefault cfg.opacityRules;
+ opacity-rule = cfg.opacityRules;
# other options
- backend = mkDefault cfg.backend;
- vsync = mkDefault cfg.vSync;
- refresh-rate = mkDefault cfg.refreshRate;
+ backend = cfg.backend;
+ vsync = cfg.vSync;
+ refresh-rate = cfg.refreshRate;
};
systemd.user.services.picom = {
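Review bot: The `topLevel` description says each setting can be "a scalar type …, a list of scalars or a group itself", but `libConfig` is declared as `oneOf [ scalar (listOf libConfig) (attrsOf libConfig) ]`, which also admits lists of lists and lists of groups, so the documentation and the type disagree. Either narrow the element type to `listOf scalar` if that is what picom's libconfig parser accepts, or reword the description to `a list of settings or a group itself`. `mkDefaultAttrs`, used on the config side of this hunk, is defined outside the visible lines.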
diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/berry.nix b/nixpkgs/nixos/modules/services/x11/window-managers/berry.nix
new file mode 100644
index 00000000000..0d2285e7a60
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/x11/window-managers/berry.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.xserver.windowManager.berry;
+in
+{
+ ###### interface
+ options = {
+ services.xserver.windowManager.berry.enable = mkEnableOption "berry";
+ };
+
+ ###### implementation
+ config = mkIf cfg.enable {
+ services.xserver.windowManager.session = singleton {
+ name = "berry";
+ start = ''
+ ${pkgs.berry}/bin/berry &
+ waitPID=$!
+ '';
+ };
+ environment.systemPackages = [ pkgs.berry ];
+ };
+}
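Review bot: This module is identical, apart from the window-manager name, to the new lwm.nix, smallwm.nix, tinywm.nix and yeahwm.nix modules added below; five copies of the same `mkEnableOption` / `session` boilerplate will drift apart on the next edit. A small shared helper taking the name and package (e.g. `mkSimpleWm = name: pkg: { ... }` in default.nix) would keep the `start` snippet, `waitPID=$!` convention and `environment.systemPackages` line in one place. This is a style point only; the behaviour matches the existing window-manager modules.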
diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix
index 04a9fc46628..87702c58727 100644
--- a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix
+++ b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix
@@ -10,6 +10,7 @@ in
imports = [
./2bwm.nix
./afterstep.nix
+ ./berry.nix
./bspwm.nix
./cwm.nix
./dwm.nix
@@ -21,6 +22,7 @@ in
./i3.nix
./jwm.nix
./leftwm.nix
+ ./lwm.nix
./metacity.nix
./mwm.nix
./openbox.nix
@@ -28,12 +30,15 @@ in
./notion.nix
./ratpoison.nix
./sawfish.nix
+ ./smallwm.nix
./stumpwm.nix
./spectrwm.nix
+ ./tinywm.nix
./twm.nix
./windowmaker.nix
./wmii.nix
./xmonad.nix
+ ./yeahwm.nix
./qtile.nix
./none.nix ];
diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/lwm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/lwm.nix
new file mode 100644
index 00000000000..e2aa062fd13
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/x11/window-managers/lwm.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.xserver.windowManager.lwm;
+in
+{
+ ###### interface
+ options = {
+ services.xserver.windowManager.lwm.enable = mkEnableOption "lwm";
+ };
+
+ ###### implementation
+ config = mkIf cfg.enable {
+ services.xserver.windowManager.session = singleton {
+ name = "lwm";
+ start = ''
+ ${pkgs.lwm}/bin/lwm &
+ waitPID=$!
+ '';
+ };
+ environment.systemPackages = [ pkgs.lwm ];
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/smallwm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/smallwm.nix
new file mode 100644
index 00000000000..091ba4f92b9
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/x11/window-managers/smallwm.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.xserver.windowManager.smallwm;
+in
+{
+ ###### interface
+ options = {
+ services.xserver.windowManager.smallwm.enable = mkEnableOption "smallwm";
+ };
+
+ ###### implementation
+ config = mkIf cfg.enable {
+ services.xserver.windowManager.session = singleton {
+ name = "smallwm";
+ start = ''
+ ${pkgs.smallwm}/bin/smallwm &
+ waitPID=$!
+ '';
+ };
+ environment.systemPackages = [ pkgs.smallwm ];
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/tinywm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/tinywm.nix
new file mode 100644
index 00000000000..8e5d9b9170c
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/x11/window-managers/tinywm.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.xserver.windowManager.tinywm;
+in
+{
+ ###### interface
+ options = {
+ services.xserver.windowManager.tinywm.enable = mkEnableOption "tinywm";
+ };
+
+ ###### implementation
+ config = mkIf cfg.enable {
+ services.xserver.windowManager.session = singleton {
+ name = "tinywm";
+ start = ''
+ ${pkgs.tinywm}/bin/tinywm &
+ waitPID=$!
+ '';
+ };
+ environment.systemPackages = [ pkgs.tinywm ];
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/yeahwm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/yeahwm.nix
new file mode 100644
index 00000000000..351bd7dfe48
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/x11/window-managers/yeahwm.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.xserver.windowManager.yeahwm;
+in
+{
+ ###### interface
+ options = {
+ services.xserver.windowManager.yeahwm.enable = mkEnableOption "yeahwm";
+ };
+
+ ###### implementation
+ config = mkIf cfg.enable {
+ services.xserver.windowManager.session = singleton {
+ name = "yeahwm";
+ start = ''
+ ${pkgs.yeahwm}/bin/yeahwm &
+ waitPID=$!
+ '';
+ };
+ environment.systemPackages = [ pkgs.yeahwm ];
+ };
+}
diff --git a/nixpkgs/nixos/modules/system/boot/binfmt.nix b/nixpkgs/nixos/modules/system/boot/binfmt.nix
index a677ab4cb71..9eeae0c3ef4 100644
--- a/nixpkgs/nixos/modules/system/boot/binfmt.nix
+++ b/nixpkgs/nixos/modules/system/boot/binfmt.nix
@@ -268,9 +268,10 @@ in {
mkdir -p -m 0755 /run/binfmt
${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet config.boot.binfmt.registrations)}
'';
- systemd.additionalUpstreamSystemUnits = lib.mkIf (config.boot.binfmt.registrations != {})
- [ "proc-sys-fs-binfmt_misc.automount"
- "proc-sys-fs-binfmt_misc.mount"
- ];
+ systemd.additionalUpstreamSystemUnits = lib.mkIf (config.boot.binfmt.registrations != {}) [
+ "proc-sys-fs-binfmt_misc.automount"
+ "proc-sys-fs-binfmt_misc.mount"
+ "systemd-binfmt.service"
+ ];
};
}
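Review bot: `systemd-binfmt.service` is now only shipped when registrations are non-empty, but the explicit `systemd.services.systemd-binfmt.wants = [ "proc-sys-fs-binfmt_misc.mount" ]` removed in the systemd.nix hunk at `@@ -1018,7 +1055,7 @@` is not re-added under this `mkIf`. If the upstream unit does not itself order after the binfmt_misc mount/automount, the service can run before /proc/sys/fs/binfmt_misc is available and the registrations silently fail; either confirm the upstream unit carries that dependency or restore the `wants` here. A one-line comment stating the intent would also help, e.g. `# only pull in the upstream units when there is something to register`.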
diff --git a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
index 5a334e69056..f7ef2610370 100644
--- a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
@@ -55,7 +55,7 @@ in
<screen>
<prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
- <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
+ <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
</screen>
<warning>
@@ -83,6 +83,12 @@ in
Authorized keys for the root user on initrd.
'';
};
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Verbatim contents of <filename>sshd_config</filename>.";
+ };
};
imports =
@@ -126,6 +132,8 @@ in
'' else ''
UseDNS no
''}
+
+ ${cfg.extraConfig}
'';
in mkIf (config.boot.initrd.network.enable && cfg.enable) {
assertions = [
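Review bot: `${cfg.extraConfig}` is appended after the generated directives, but sshd uses the first value it reads for a keyword, so anything in `extraConfig` that repeats a generated directive (`UseDNS`, `Port`, `HostKey`, …) is silently ignored rather than overriding it. The option description added in the previous hunk, `Verbatim contents of <filename>sshd_config</filename>.`, should say so, e.g. `Extra lines appended to the generated sshd_config. Keywords already set by this module cannot be overridden here; Match blocks can be added.` If overriding is the intent, emit `extraConfig` before the generated lines instead. The enclosing `let` that builds the config file starts outside this hunk.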
diff --git a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix
index 7eb52e3d021..e75aa9d1387 100644
--- a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix
+++ b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix
@@ -3,8 +3,8 @@
pkgs.substituteAll {
src = ./raspberrypi-builder.sh;
isExecutable = true;
- inherit (pkgs) bash;
- path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep];
+ inherit (pkgs.buildPackages) bash;
+ path = with pkgs.buildPackages; [coreutils gnused gnugrep];
firmware = pkgs.raspberrypifw;
inherit configTxt;
}
diff --git a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix
index 1dc397e521b..a4352ab9a24 100644
--- a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix
+++ b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix
@@ -20,7 +20,7 @@ let
extlinuxConfBuilder =
import ../generic-extlinux-compatible/extlinux-conf-builder.nix {
- inherit pkgs;
+ pkgs = pkgs.buildPackages;
};
in
pkgs.substituteAll {
diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix
index 3078f84f6e9..9b34b12e73a 100644
--- a/nixpkgs/nixos/modules/system/boot/networkd.nix
+++ b/nixpkgs/nixos/modules/system/boot/networkd.nix
@@ -205,7 +205,7 @@ let
"IPv6HopLimit" "IPv4ProxyARP" "IPv6ProxyNDP" "IPv6ProxyNDPAddress"
"IPv6PrefixDelegation" "IPv6MTUBytes" "Bridge" "Bond" "VRF" "VLAN"
"IPVLAN" "MACVLAN" "VXLAN" "Tunnel" "ActiveSlave" "PrimarySlave"
- "ConfigureWithoutCarrier" "Xfrm"
+ "ConfigureWithoutCarrier" "Xfrm" "KeepConfiguration"
])
# Note: For DHCP the values both, none, v4, v6 are deprecated
(assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6" "both" "none" "v4" "v6"])
@@ -228,6 +228,7 @@ let
(assertValueOneOf "ActiveSlave" boolValues)
(assertValueOneOf "PrimarySlave" boolValues)
(assertValueOneOf "ConfigureWithoutCarrier" boolValues)
+ (assertValueOneOf "KeepConfiguration" (boolValues ++ ["static" "dhcp-on-stop" "dhcp"]))
];
checkAddress = checkUnitConfig "Address" [
@@ -274,15 +275,16 @@ let
])
];
- checkDhcp = checkUnitConfig "DHCP" [
+ checkDhcpV4 = checkUnitConfig "DHCPv4" [
(assertOnlyFields [
- "UseDNS" "UseNTP" "UseMTU" "Anonymize" "SendHostname" "UseHostname"
- "Hostname" "UseDomains" "UseRoutes" "UseTimezone" "CriticalConnection"
- "ClientIdentifier" "VendorClassIdentifier" "UserClass" "DUIDType"
- "DUIDRawData" "IAID" "RequestBroadcast" "RouteMetric" "RouteTable"
- "ListenPort" "RapidCommit"
+ "UseDNS" "RoutesToDNS" "UseNTP" "UseMTU" "Anonymize" "SendHostname" "UseHostname"
+ "Hostname" "UseDomains" "UseRoutes" "UseTimezone"
+ "ClientIdentifier" "VendorClassIdentifier" "UserClass" "MaxAttempts"
+ "DUIDType" "DUIDRawData" "IAID" "RequestBroadcast" "RouteMetric" "RouteTable"
+ "ListenPort" "SendRelease"
])
(assertValueOneOf "UseDNS" boolValues)
+ (assertValueOneOf "RoutesToDNS" boolValues)
(assertValueOneOf "UseNTP" boolValues)
(assertValueOneOf "UseMTU" boolValues)
(assertValueOneOf "Anonymize" boolValues)
@@ -291,13 +293,50 @@ let
(assertValueOneOf "UseDomains" ["yes" "no" "route"])
(assertValueOneOf "UseRoutes" boolValues)
(assertValueOneOf "UseTimezone" boolValues)
- (assertValueOneOf "CriticalConnection" boolValues)
+ (assertMinimum "MaxAttempts" 0)
(assertValueOneOf "RequestBroadcast" boolValues)
(assertInt "RouteTable")
(assertMinimum "RouteTable" 0)
+ (assertValueOneOf "SendRelease" boolValues)
+ ];
+
+ checkDhcpV6 = checkUnitConfig "DHCPv6" [
+ (assertOnlyFields [
+ "UseDns" "UseNTP" "RapidCommit" "ForceDHCPv6PDOtherInformation"
+ "PrefixDelegationHint"
+ ])
+ (assertValueOneOf "UseDNS" boolValues)
+ (assertValueOneOf "UseNTP" boolValues)
(assertValueOneOf "RapidCommit" boolValues)
+ (assertValueOneOf "ForceDHCPv6PDOtherInformation" boolValues)
+ ];
+
+ checkIpv6PrefixDelegation = checkUnitConfig "IPv6PrefixDelegation" [
+ (assertOnlyFields [
+ "Managed" "OtherInformation" "RouterLifetimeSec"
+ "RouterPreference" "EmitDNS" "DNS" "EmitDomains" "Domains"
+ "DNSLifetimeSec"
+ ])
+ (assertValueOneOf "Managed" boolValues)
+ (assertValueOneOf "OtherInformation" boolValues)
+ (assertValueOneOf "RouterPreference" ["high" "medium" "low" "normal" "default"])
+ (assertValueOneOf "EmitDNS" boolValues)
+ (assertValueOneOf "EmitDomains" boolValues)
+ (assertMinimum "DNSLifetimeSec" 0)
+ ];
+
+ checkIpv6Prefix = checkUnitConfig "IPv6Prefix" [
+ (assertOnlyFields [
+ "AddressAutoconfiguration" "OnLink" "Prefix"
+ "PreferredLifetimeSec" "ValidLifetimeSec"
+ ])
+ (assertValueOneOf "AddressAutoconfiguration" boolValues)
+ (assertValueOneOf "OnLink" boolValues)
+ (assertMinimum "PreferredLifetimeSec" 0)
+ (assertMinimum "ValidLifetimeSec" 0)
];
+
checkDhcpServer = checkUnitConfig "DHCPServer" [
(assertOnlyFields [
"PoolOffset" "PoolSize" "DefaultLeaseTimeSec" "MaxLeaseTimeSec"
@@ -621,6 +660,22 @@ let
};
};
+ ipv6PrefixOptions = {
+ options = {
+ ipv6PrefixConfig = mkOption {
+ default = {};
+ example = { Prefix = "fd00::/64"; };
+ type = types.addCheck (types.attrsOf unitOption) checkIpv6Prefix;
+ description = ''
+ Each attribute in this set specifies an option in the
+ <literal>[IPv6Prefix]</literal> section of the unit. See
+ <citerefentry><refentrytitle>systemd.network</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ '';
+ };
+ };
+ };
+
networkOptions = commonNetworkOptions // {
@@ -636,13 +691,55 @@ let
'';
};
+ # systemd.network.networks.*.dhcpConfig has been deprecated in favor of ….dhcpV4Config
+ # Produce a nice warning message so users know it is gone.
dhcpConfig = mkOption {
+ visible = false;
+ apply = _: throw "The option `systemd.network.networks.*.dhcpConfig` can no longer be used since it's been removed. Please use `systemd.network.networks.*.dhcpV4Config` instead.";
+ };
+
+ dhcpV4Config = mkOption {
+ default = {};
+ example = { UseDNS = true; UseRoutes = true; };
+ type = types.addCheck (types.attrsOf unitOption) checkDhcpV4;
+ description = ''
+ Each attribute in this set specifies an option in the
+ <literal>[DHCPv4]</literal> section of the unit. See
+ <citerefentry><refentrytitle>systemd.network</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ '';
+ };
+
+ dhcpV6Config = mkOption {
default = {};
example = { UseDNS = true; UseRoutes = true; };
- type = types.addCheck (types.attrsOf unitOption) checkDhcp;
+ type = types.addCheck (types.attrsOf unitOption) checkDhcpV6;
+ description = ''
+ Each attribute in this set specifies an option in the
+ <literal>[DHCPv6]</literal> section of the unit. See
+ <citerefentry><refentrytitle>systemd.network</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ '';
+ };
+
+ ipv6PrefixDelegationConfig = mkOption {
+ default = {};
+ example = { EmitDNS = true; Managed = true; OtherInformation = true; };
+ type = types.addCheck (types.attrsOf unitOption) checkIpv6PrefixDelegation;
description = ''
Each attribute in this set specifies an option in the
- <literal>[DHCP]</literal> section of the unit. See
+ <literal>[IPv6PrefixDelegation]</literal> section of the unit. See
+ <citerefentry><refentrytitle>systemd.network</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ '';
+ };
+
+ ipv6Prefixes = mkOption {
+ default = [];
+ example = { AddressAutoconfiguration = true; OnLink = true; };
+ type = with types; listOf (submodule ipv6PrefixOptions);
+ description = ''
+ A list of ipv6Prefix sections to be added to the unit. See
<citerefentry><refentrytitle>systemd.network</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
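Review bot: The `example` values added for the new options do not fit their own types: `ipv6Prefixes` is `listOf (submodule ipv6PrefixOptions)` yet its example is a bare attribute set, and `dhcpV6Config` reuses the DHCPv4 example with `UseRoutes`, which the `checkDhcpV6` field list does not accept. Suggested replacements: `example = [ { ipv6PrefixConfig = { AddressAutoconfiguration = true; OnLink = true; }; } ];` for `ipv6Prefixes` and `example = { UseDNS = true; UseNTP = true; };` for `dhcpV6Config`. Since examples are rendered into the manual, users copying them would hit the type check on first evaluation.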
@@ -973,11 +1070,26 @@ let
${concatStringsSep "\n" (map (s: "Tunnel=${s}") def.tunnel)}
${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)}
- ${optionalString (def.dhcpConfig != { }) ''
- [DHCP]
- ${attrsToSection def.dhcpConfig}
+ ${optionalString (def.dhcpV4Config != { }) ''
+ [DHCPv4]
+ ${attrsToSection def.dhcpV4Config}
''}
+ ${optionalString (def.dhcpV6Config != {}) ''
+ [DHCPv6]
+ ${attrsToSection def.dhcpV6Config}
+
+ ''}
+ ${optionalString (def.ipv6PrefixDelegationConfig != {}) ''
+ [IPv6PrefixDelegation]
+ ${attrsToSection def.ipv6PrefixDelegationConfig}
+
+ ''}
+ ${flip concatMapStrings def.ipv6Prefixes (x: ''
+ [IPv6Prefix]
+ ${attrsToSection x.ipv6PrefixConfig}
+
+ '')}
${optionalString (def.dhcpServerConfig != { }) ''
[DHCPServer]
${attrsToSection def.dhcpServerConfig}
@@ -1054,6 +1166,7 @@ in
};
config = mkMerge [
+
# .link units are honored by udev, no matter if systemd-networkd is enabled or not.
{
systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.link" (linkToUnit n v)) cfg.links;
@@ -1073,7 +1186,7 @@ in
systemd.services.systemd-networkd = {
wantedBy = [ "multi-user.target" ];
- restartTriggers = attrNames unitFiles;
+ restartTriggers = map (x: x.source) (attrValues unitFiles);
# prevent race condition with interface renaming (#39069)
requires = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" ];
diff --git a/nixpkgs/nixos/modules/system/boot/resolved.nix b/nixpkgs/nixos/modules/system/boot/resolved.nix
index da61c64faf8..b7aaef575ac 100644
--- a/nixpkgs/nixos/modules/system/boot/resolved.nix
+++ b/nixpkgs/nixos/modules/system/boot/resolved.nix
@@ -138,6 +138,10 @@ in
users.users.resolved.group = "systemd-resolve";
+ # add resolve to nss hosts database if enabled and nscd enabled
+ # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
+ system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";
+
systemd.additionalUpstreamSystemUnits = [
"systemd-resolved.service"
];
diff --git a/nixpkgs/nixos/modules/system/boot/stage-1.nix b/nixpkgs/nixos/modules/system/boot/stage-1.nix
index 9e3ee5cf0a3..dfd158e2d75 100644
--- a/nixpkgs/nixos/modules/system/boot/stage-1.nix
+++ b/nixpkgs/nixos/modules/system/boot/stage-1.nix
@@ -137,6 +137,8 @@ let
''}
# Copy secrets if needed.
+ #
+ # TODO: move out to a separate script; see #85000.
${optionalString (!config.boot.loader.supportsInitrdSecrets)
(concatStringsSep "\n" (mapAttrsToList (dest: source:
let source' = if source == null then dest else source; in
@@ -579,6 +581,25 @@ in
message = "boot.resumeDevice has to be an absolute path."
+ " Old \"x:y\" style is no longer supported.";
}
+ # TODO: remove when #85000 is fixed
+ { assertion = !config.boot.loader.supportsInitrdSecrets ->
+ all (source:
+ builtins.isPath source ||
+ (builtins.isString source && hasPrefix source builtins.storeDir))
+ (attrValues config.boot.initrd.secrets);
+ message = ''
+ boot.loader.initrd.secrets values must be unquoted paths when
+ using a bootloader that doesn't natively support initrd
+ secrets, e.g.:
+
+ boot.initrd.secrets = {
+ "/etc/secret" = /path/to/secret;
+ };
+
+ Note that this will result in all secrets being stored
+ world-readable in the Nix store!
+ '';
+ }
];
system.build =
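Review bot: The new assertion has its `hasPrefix` arguments reversed: `lib.hasPrefix` takes the prefix first, so `hasPrefix source builtins.storeDir` asks whether the store directory starts with the secret's path and is false for every string value, rejecting even legitimate store-path strings. It should read `(builtins.isString source && hasPrefix builtins.storeDir source)`. If `source == null` is a supported value, as the `source'` fallback in the earlier hunk suggests, the predicate should also allow `null`, since neither `isPath` nor `isString` accepts it. The message also names `boot.loader.initrd.secrets` whereas the value checked is `config.boot.initrd.secrets`; use `boot.initrd.secrets values must be unquoted paths when`.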
diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix
index 7f207e6c7ef..99892a28115 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd.nix
@@ -164,7 +164,6 @@ let
"systemd-timedated.service"
"systemd-localed.service"
"systemd-hostnamed.service"
- "systemd-binfmt.service"
"systemd-exit.service"
"systemd-update-done.service"
] ++ optionals config.services.journald.enableHttpGateway [
@@ -201,8 +200,23 @@ let
];
makeJobScript = name: text:
- let mkScriptName = s: "unit-script-" + (replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape s) );
- in pkgs.writeTextFile { name = mkScriptName name; executable = true; inherit text; };
+ let
+ scriptName = replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape name);
+ out = pkgs.writeTextFile {
+ # The derivation name is different from the script file name
+ # to keep the script file name short to avoid cluttering logs.
+ name = "unit-script-${scriptName}";
+ executable = true;
+ destination = "/bin/${scriptName}";
+ text = ''
+ #!${pkgs.runtimeShell} -e
+ ${text}
+ '';
+ checkPhase = ''
+ ${pkgs.stdenv.shell} -n "$out/bin/${scriptName}"
+ '';
+ };
+ in "${out}/bin/${scriptName}";
unitConfig = { config, options, ... }: {
config = {
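Review bot: The new `checkPhase` runs `${pkgs.stdenv.shell} -n` while the shebang written into the script uses `${pkgs.runtimeShell}`; the two differ when cross-compiling, and the split is presumably deliberate, so a comment would keep the next reader from "unifying" them, e.g. `# syntax-check with the build-platform shell; runtimeShell is for the target`. `makeJobScript` itself would also benefit from a one-line comment that it now supplies the `#!… -e` header, since every caller in the following hunk dropped its own and a future caller must not add one back. The `scriptName` derivation via `shellEscape` and `replaceChars` is unchanged from the old `mkScriptName`, so nothing behavioural to raise there.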
@@ -250,40 +264,28 @@ let
environment.PATH = config.path;
}
(mkIf (config.preStart != "")
- { serviceConfig.ExecStartPre = makeJobScript "${name}-pre-start" ''
- #! ${pkgs.runtimeShell} -e
- ${config.preStart}
- '';
+ { serviceConfig.ExecStartPre =
+ makeJobScript "${name}-pre-start" config.preStart;
})
(mkIf (config.script != "")
- { serviceConfig.ExecStart = makeJobScript "${name}-start" ''
- #! ${pkgs.runtimeShell} -e
- ${config.script}
- '' + " " + config.scriptArgs;
+ { serviceConfig.ExecStart =
+ makeJobScript "${name}-start" config.script + " " + config.scriptArgs;
})
(mkIf (config.postStart != "")
- { serviceConfig.ExecStartPost = makeJobScript "${name}-post-start" ''
- #! ${pkgs.runtimeShell} -e
- ${config.postStart}
- '';
+ { serviceConfig.ExecStartPost =
+ makeJobScript "${name}-post-start" config.postStart;
})
(mkIf (config.reload != "")
- { serviceConfig.ExecReload = makeJobScript "${name}-reload" ''
- #! ${pkgs.runtimeShell} -e
- ${config.reload}
- '';
+ { serviceConfig.ExecReload =
+ makeJobScript "${name}-reload" config.reload;
})
(mkIf (config.preStop != "")
- { serviceConfig.ExecStop = makeJobScript "${name}-pre-stop" ''
- #! ${pkgs.runtimeShell} -e
- ${config.preStop}
- '';
+ { serviceConfig.ExecStop =
+ makeJobScript "${name}-pre-stop" config.preStop;
})
(mkIf (config.postStop != "")
- { serviceConfig.ExecStopPost = makeJobScript "${name}-post-stop" ''
- #! ${pkgs.runtimeShell} -e
- ${config.postStop}
- '';
+ { serviceConfig.ExecStopPost =
+ makeJobScript "${name}-post-stop" config.postStop;
})
];
};
@@ -405,6 +407,8 @@ let
"hibernate" "hybrid-sleep" "suspend-then-hibernate" "lock"
];
+ proxy_env = config.networking.proxy.envVars;
+
in
{
@@ -593,17 +597,33 @@ in
each other's limit. The value may be specified in the following
units: s, min, h, ms, us. To turn off any kind of rate limiting,
set either value to 0.
+
+ See <option>services.journald.rateLimitBurst</option> for important
+ considerations when setting this value.
'';
};
services.journald.rateLimitBurst = mkOption {
- default = 1000;
+ default = 10000;
type = types.int;
description = ''
Configures the rate limiting burst limit (number of messages per
interval) that is applied to all messages generated on the system.
This rate limiting is applied per-service, so that two services
which log do not interfere with each other's limit.
+
+ Note that the effective rate limit is multiplied by a factor derived
+ from the available free disk space for the journal as described on
+ <link xlink:href="https://www.freedesktop.org/software/systemd/man/journald.conf.html">
+ journald.conf(5)</link>.
+
+ Note that the total amount of logs stored is limited by journald settings
+ such as <literal>SystemMaxUse</literal>, which defaults to a 4 GB cap.
+
+ It is thus recommended to compute what period of time that you will be
+ able to store logs for when an application logs at full burst rate.
+ With default settings for log lines that are 100 Bytes long, this can
+ amount to just a few hours.
'';
};
@@ -811,6 +831,23 @@ in
system.build.units = cfg.units;
+ system.nssModules = [ systemd.out ];
+ system.nssDatabases = {
+ hosts = (mkMerge [
+ [ "mymachines" ]
+ (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
+ )
+ ]);
+ passwd = (mkMerge [
+ [ "mymachines" ]
+ (mkAfter [ "systemd" ])
+ ]);
+ group = (mkMerge [
+ [ "mymachines" ]
+ (mkAfter [ "systemd" ])
+ ]);
+ };
+
environment.systemPackages = [ systemd ];
environment.etc = let
@@ -894,6 +931,13 @@ in
"sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
"sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+ "tmpfiles.d/00-nixos.conf".text = ''
+ # This file is created automatically and should not be modified.
+ # Please change the option ‘systemd.tmpfiles.rules’ instead.
+
+ ${concatStringsSep "\n" cfg.tmpfiles.rules}
+ '';
+
"tmpfiles.d/home.conf".source = "${systemd}/example/tmpfiles.d/home.conf";
"tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf";
"tmpfiles.d/portables.conf".source = "${systemd}/example/tmpfiles.d/portables.conf";
@@ -906,13 +950,6 @@ in
"tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf";
"tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
- "tmpfiles.d/nixos.conf".text = ''
- # This file is created automatically and should not be modified.
- # Please change the option ‘systemd.tmpfiles.rules’ instead.
-
- ${concatStringsSep "\n" cfg.tmpfiles.rules}
- '';
-
"systemd/system-generators" = { source = hooks "generators" cfg.generators; };
"systemd/system-shutdown" = { source = hooks "shutdown" cfg.shutdown; };
});
@@ -1018,7 +1055,7 @@ in
systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true;
systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true;
systemd.targets.network-online.wantedBy = [ "multi-user.target" ];
- systemd.services.systemd-binfmt.wants = [ "proc-sys-fs-binfmt_misc.mount" ];
+ systemd.services.systemd-importd.environment = proxy_env;
# Don't bother with certain units in containers.
systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container";
diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
index 43347161a84..71eed4d6f1a 100644
--- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
@@ -433,7 +433,16 @@ in
services.zfs.zed.settings = {
ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail";
- PATH = lib.makeBinPath [ packages.zfsUser pkgs.utillinux pkgs.gawk pkgs.gnused pkgs.gnugrep pkgs.coreutils pkgs.curl ];
+ PATH = lib.makeBinPath [
+ packages.zfsUser
+ pkgs.coreutils
+ pkgs.curl
+ pkgs.gawk
+ pkgs.gnugrep
+ pkgs.gnused
+ pkgs.nettools
+ pkgs.utillinux
+ ];
};
environment.etc = genAttrs
diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix
index dad211ef55b..7d184575640 100644
--- a/nixpkgs/nixos/modules/virtualisation/containers.nix
+++ b/nixpkgs/nixos/modules/virtualisation/containers.nix
@@ -1,824 +1,125 @@
{ config, lib, pkgs, ... }:
-
-with lib;
-
let
-
- # The container's init script, a small wrapper around the regular
- # NixOS stage-2 init script.
- containerInit = (cfg:
- let
- renderExtraVeth = (name: cfg:
- ''
- echo "Bringing ${name} up"
- ip link set dev ${name} up
- ${optionalString (cfg.localAddress != null) ''
- echo "Setting ip for ${name}"
- ip addr add ${cfg.localAddress} dev ${name}
- ''}
- ${optionalString (cfg.localAddress6 != null) ''
- echo "Setting ip6 for ${name}"
- ip -6 addr add ${cfg.localAddress6} dev ${name}
- ''}
- ${optionalString (cfg.hostAddress != null) ''
- echo "Setting route to host for ${name}"
- ip route add ${cfg.hostAddress} dev ${name}
- ''}
- ${optionalString (cfg.hostAddress6 != null) ''
- echo "Setting route6 to host for ${name}"
- ip -6 route add ${cfg.hostAddress6} dev ${name}
- ''}
- ''
- );
- in
- pkgs.writeScript "container-init"
- ''
- #! ${pkgs.runtimeShell} -e
-
- # Initialise the container side of the veth pair.
- if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] ||
- [ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] ||
- [ -n "$HOST_BRIDGE" ]; then
- ip link set host0 name eth0
- ip link set dev eth0 up
-
- if [ -n "$LOCAL_ADDRESS" ]; then
- ip addr add $LOCAL_ADDRESS dev eth0
- fi
- if [ -n "$LOCAL_ADDRESS6" ]; then
- ip -6 addr add $LOCAL_ADDRESS6 dev eth0
- fi
- if [ -n "$HOST_ADDRESS" ]; then
- ip route add $HOST_ADDRESS dev eth0
- ip route add default via $HOST_ADDRESS
- fi
- if [ -n "$HOST_ADDRESS6" ]; then
- ip -6 route add $HOST_ADDRESS6 dev eth0
- ip -6 route add default via $HOST_ADDRESS6
- fi
-
- ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
- fi
-
- # Start the regular stage 1 script.
- exec "$1"
- ''
- );
-
- nspawnExtraVethArgs = (name: cfg: "--network-veth-extra=${name}");
-
- startScript = cfg:
- ''
- mkdir -p -m 0755 "$root/etc" "$root/var/lib"
- mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
- if ! [ -e "$root/etc/os-release" ]; then
- touch "$root/etc/os-release"
- fi
-
- if ! [ -e "$root/etc/machine-id" ]; then
- touch "$root/etc/machine-id"
- fi
-
- mkdir -p -m 0755 \
- "/nix/var/nix/profiles/per-container/$INSTANCE" \
- "/nix/var/nix/gcroots/per-container/$INSTANCE"
-
- cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf"
-
- if [ "$PRIVATE_NETWORK" = 1 ]; then
- extraFlags+=" --private-network"
- fi
-
- if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
- [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
- extraFlags+=" --network-veth"
- fi
-
- if [ -n "$HOST_PORT" ]; then
- OIFS=$IFS
- IFS=","
- for i in $HOST_PORT
- do
- extraFlags+=" --port=$i"
- done
- IFS=$OIFS
- fi
-
- if [ -n "$HOST_BRIDGE" ]; then
- extraFlags+=" --network-bridge=$HOST_BRIDGE"
- fi
-
- extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}"
-
- for iface in $INTERFACES; do
- extraFlags+=" --network-interface=$iface"
- done
-
- for iface in $MACVLANS; do
- extraFlags+=" --network-macvlan=$iface"
- done
-
- # If the host is 64-bit and the container is 32-bit, add a
- # --personality flag.
- ${optionalString (config.nixpkgs.localSystem.system == "x86_64-linux") ''
- if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then
- extraFlags+=" --personality=x86"
- fi
- ''}
-
- # Run systemd-nspawn without startup notification (we'll
- # wait for the container systemd to signal readiness).
- exec ${config.systemd.package}/bin/systemd-nspawn \
- --keep-unit \
- -M "$INSTANCE" -D "$root" $extraFlags \
- $EXTRA_NSPAWN_FLAGS \
- --notify-ready=yes \
- --bind-ro=/nix/store \
- --bind-ro=/nix/var/nix/db \
- --bind-ro=/nix/var/nix/daemon-socket \
- --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
- --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
- ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
- --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
- --setenv HOST_BRIDGE="$HOST_BRIDGE" \
- --setenv HOST_ADDRESS="$HOST_ADDRESS" \
- --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \
- --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \
- --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
- --setenv HOST_PORT="$HOST_PORT" \
- --setenv PATH="$PATH" \
- ${optionalString cfg.ephemeral "--ephemeral"} \
- ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
- ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else ""
- } \
- ${if cfg.tmpfs != null && cfg.tmpfs != [] then
- ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else ""
- } \
- ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init"
- '';
-
- preStartScript = cfg:
- ''
- # Clean up existing machined registration and interfaces.
- machinectl terminate "$INSTANCE" 2> /dev/null || true
-
- if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
- [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
- ip link del dev "ve-$INSTANCE" 2> /dev/null || true
- ip link del dev "vb-$INSTANCE" 2> /dev/null || true
- fi
-
- ${concatStringsSep "\n" (
- mapAttrsToList (name: cfg:
- ''ip link del dev ${name} 2> /dev/null || true ''
- ) cfg.extraVeths
- )}
- '';
-
- postStartScript = (cfg:
- let
- ipcall = cfg: ipcmd: variable: attribute:
- if cfg.${attribute} == null then
- ''
- if [ -n "${variable}" ]; then
- ${ipcmd} add ${variable} dev $ifaceHost
- fi
- ''
- else
- ''${ipcmd} add ${cfg.${attribute}} dev $ifaceHost'';
- renderExtraVeth = name: cfg:
- if cfg.hostBridge != null then
- ''
- # Add ${name} to bridge ${cfg.hostBridge}
- ip link set dev ${name} master ${cfg.hostBridge} up
- ''
- else
- ''
- echo "Bring ${name} up"
- ip link set dev ${name} up
- # Set IPs and routes for ${name}
- ${optionalString (cfg.hostAddress != null) ''
- ip addr add ${cfg.hostAddress} dev ${name}
- ''}
- ${optionalString (cfg.hostAddress6 != null) ''
- ip -6 addr add ${cfg.hostAddress6} dev ${name}
- ''}
- ${optionalString (cfg.localAddress != null) ''
- ip route add ${cfg.localAddress} dev ${name}
- ''}
- ${optionalString (cfg.localAddress6 != null) ''
- ip -6 route add ${cfg.localAddress6} dev ${name}
- ''}
- '';
- in
- ''
- if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
- [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
- if [ -z "$HOST_BRIDGE" ]; then
- ifaceHost=ve-$INSTANCE
- ip link set dev $ifaceHost up
-
- ${ipcall cfg "ip addr" "$HOST_ADDRESS" "hostAddress"}
- ${ipcall cfg "ip -6 addr" "$HOST_ADDRESS6" "hostAddress6"}
- ${ipcall cfg "ip route" "$LOCAL_ADDRESS" "localAddress"}
- ${ipcall cfg "ip -6 route" "$LOCAL_ADDRESS6" "localAddress6"}
- fi
- ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
- fi
- ''
- );
-
- serviceDirectives = cfg: {
- ExecReload = pkgs.writeScript "reload-container"
- ''
- #! ${pkgs.runtimeShell} -e
- ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \
- bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
- '';
-
- SyslogIdentifier = "container %i";
-
- EnvironmentFile = "-/etc/containers/%i.conf";
-
- Type = "notify";
-
- RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";
-
- # Note that on reboot, systemd-nspawn returns 133, so this
- # unit will be restarted. On poweroff, it returns 0, so the
- # unit won't be restarted.
- RestartForceExitStatus = "133";
- SuccessExitStatus = "133";
-
- # Some containers take long to start
- # especially when you automatically start many at once
- TimeoutStartSec = cfg.timeoutStartSec;
-
- Restart = "on-failure";
-
- Slice = "machine.slice";
- Delegate = true;
-
- # Hack: we don't want to kill systemd-nspawn, since we call
- # "machinectl poweroff" in preStop to shut down the
- # container cleanly. But systemd requires sending a signal
- # (at least if we want remaining processes to be killed
- # after the timeout). So send an ignored signal.
- KillMode = "mixed";
- KillSignal = "WINCH";
-
- DevicePolicy = "closed";
- DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;
+ cfg = config.virtualisation.containers;
+
+ inherit (lib) mkOption types;
+
+ # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
+ toTOML = name: value: pkgs.runCommandNoCC name {
+ nativeBuildInputs = [ pkgs.remarshal ];
+ value = builtins.toJSON value;
+ passAsFile = [ "value" ];
+ } ''
+ json2toml "$valuePath" "$out"
+ '';
+
+ # Copy configuration files to avoid having the entire sources in the system closure
+ copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
+ cp ${filePath} $out
+ '';
+in
+{
+ meta = {
+ maintainers = [] ++ lib.teams.podman.members;
};
+ options.virtualisation.containers = {
- system = config.nixpkgs.localSystem.system;
-
- bindMountOpts = { name, ... }: {
-
- options = {
- mountPoint = mkOption {
- example = "/mnt/usb";
- type = types.str;
- description = "Mount point on the container file system.";
- };
- hostPath = mkOption {
- default = null;
- example = "/home/alice";
- type = types.nullOr types.str;
- description = "Location of the host path to be mounted.";
- };
- isReadOnly = mkOption {
- default = true;
+ enable =
+ mkOption {
type = types.bool;
- description = "Determine whether the mounted path will be accessed in read-only mode.";
+ default = false;
+ description = ''
+ This option enables the common /etc/containers configuration module.
+ '';
};
- };
-
- config = {
- mountPoint = mkDefault name;
- };
- };
-
- allowedDeviceOpts = { ... }: {
- options = {
- node = mkOption {
- example = "/dev/net/tun";
- type = types.str;
- description = "Path to device node";
- };
- modifier = mkOption {
- example = "rw";
- type = types.str;
+ registries = {
+ search = mkOption {
+ type = types.listOf types.str;
+ default = [ "docker.io" "quay.io" ];
description = ''
- Device node access modifier. Takes a combination
- <literal>r</literal> (read), <literal>w</literal> (write), and
- <literal>m</literal> (mknod). See the
- <literal>systemd.resource-control(5)</literal> man page for more
- information.'';
+ List of repositories to search.
+ '';
};
- };
- };
-
-
- mkBindFlag = d:
- let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind=";
- mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}";
- in flagPrefix + mountstr ;
- mkBindFlags = bs: concatMapStrings mkBindFlag (lib.attrValues bs);
+ insecure = mkOption {
+ default = [];
+ type = types.listOf types.str;
+ description = ''
+ List of insecure repositories.
+ '';
+ };
- networkOptions = {
- hostBridge = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "br0";
- description = ''
- Put the host-side of the veth-pair into the named bridge.
- Only one of hostAddress* or hostBridge can be given.
- '';
+ block = mkOption {
+ default = [];
+ type = types.listOf types.str;
+ description = ''
+ List of blocked repositories.
+ '';
+ };
};
- forwardPorts = mkOption {
- type = types.listOf (types.submodule {
- options = {
- protocol = mkOption {
- type = types.str;
- default = "tcp";
- description = "The protocol specifier for port forwarding between host and container";
- };
- hostPort = mkOption {
- type = types.int;
- description = "Source port of the external interface on host";
- };
- containerPort = mkOption {
- type = types.nullOr types.int;
- default = null;
- description = "Target port of container";
+ policy = mkOption {
+ default = {};
+ type = types.attrs;
+ example = lib.literalExample ''
+ {
+ default = [ { type = "insecureAcceptAnything"; } ];
+ transports = {
+ docker-daemon = {
+ "" = [ { type = "insecureAcceptAnything"; } ];
+ };
};
- };
- });
- default = [];
- example = [ { protocol = "tcp"; hostPort = 8080; containerPort = 80; } ];
- description = ''
- List of forwarded ports from host to container. Each forwarded port
- is specified by protocol, hostPort and containerPort. By default,
- protocol is tcp and hostPort and containerPort are assumed to be
- the same if containerPort is not explicitly given.
- '';
- };
-
-
- hostAddress = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "10.231.136.1";
- description = ''
- The IPv4 address assigned to the host interface.
- (Not used when hostBridge is set.)
+ }
'';
- };
-
- hostAddress6 = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "fc00::1";
description = ''
- The IPv6 address assigned to the host interface.
- (Not used when hostBridge is set.)
+ Signature verification policy file.
+ If this option is empty the default policy file from
+ <literal>skopeo</literal> will be used.
'';
};
- localAddress = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "10.231.136.2";
- description = ''
- The IPv4 address assigned to the interface in the container.
- If a hostBridge is used, this should be given with netmask to access
- the whole network. Otherwise the default netmask is /32 and routing is
- set up from localAddress to hostAddress and back.
- '';
- };
-
- localAddress6 = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "fc00::2";
+ users = mkOption {
+ default = [];
+ type = types.listOf types.str;
description = ''
- The IPv6 address assigned to the interface in the container.
- If a hostBridge is used, this should be given with netmask to access
- the whole network. Otherwise the default netmask is /128 and routing is
- set up from localAddress6 to hostAddress6 and back.
+ List of users to set up subuid/subgid mappings for.
+ This is a requirement for running rootless containers.
'';
};
};
- dummyConfig =
- {
- extraVeths = {};
- additionalCapabilities = [];
- ephemeral = false;
- timeoutStartSec = "15s";
- allowedDevices = [];
- hostAddress = null;
- hostAddress6 = null;
- localAddress = null;
- localAddress6 = null;
- tmpfs = null;
- };
-
-in
-
-{
- options = {
-
- boot.isContainer = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether this NixOS machine is a lightweight container running
- in another NixOS system.
- '';
- };
+ config = lib.mkIf cfg.enable {
- boot.enableContainers = mkOption {
- type = types.bool;
- default = !config.boot.isContainer;
- description = ''
- Whether to enable support for NixOS containers.
- '';
+ environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
+ registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
};
- containers = mkOption {
- type = types.attrsOf (types.submodule (
- { config, options, name, ... }:
- {
- options = {
-
- config = mkOption {
- description = ''
- A specification of the desired configuration of this
- container, as a NixOS module.
- '';
- type = lib.mkOptionType {
- name = "Toplevel NixOS config";
- merge = loc: defs: (import ../../lib/eval-config.nix {
- inherit system;
- modules =
- let
- extraConfig = {
- _file = "module at ${__curPos.file}:${toString __curPos.line}";
- config = {
- boot.isContainer = true;
- networking.hostName = mkDefault name;
- networking.useDHCP = false;
- assertions = [
- {
- assertion = config.privateNetwork -> stringLength name < 12;
- message = ''
- Container name `${name}` is too long: When `privateNetwork` is enabled, container names can
- not be longer than 11 characters, because the container's interface name is derived from it.
- This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509
- '';
- }
- ];
- };
- };
- in [ extraConfig ] ++ (map (x: x.value) defs);
- prefix = [ "containers" name ];
- }).config;
- };
- };
-
- path = mkOption {
- type = types.path;
- example = "/nix/var/nix/profiles/containers/webserver";
- description = ''
- As an alternative to specifying
- <option>config</option>, you can specify the path to
- the evaluated NixOS system configuration, typically a
- symlink to a system profile.
- '';
- };
-
- additionalCapabilities = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "CAP_NET_ADMIN" "CAP_MKNOD" ];
- description = ''
- Grant additional capabilities to the container. See the
- capabilities(7) and systemd-nspawn(1) man pages for more
- information.
- '';
- };
-
- ephemeral = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Runs container in ephemeral mode with the empty root filesystem at boot.
- This way container will be bootstrapped from scratch on each boot
- and will be cleaned up on shutdown leaving no traces behind.
- Useful for completely stateless, reproducible containers.
-
- Note that this option might require to do some adjustments to the container configuration,
- e.g. you might want to set
- <varname>systemd.network.networks.$interface.dhcpConfig.ClientIdentifier</varname> to "mac"
- if you use <varname>macvlans</varname> option.
- This way dhcp client identifier will be stable between the container restarts.
-
- Note that the container journal will not be linked to the host if this option is enabled.
- '';
- };
-
- enableTun = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Allows the container to create and setup tunnel interfaces
- by granting the <literal>NET_ADMIN</literal> capability and
- enabling access to <literal>/dev/net/tun</literal>.
- '';
- };
-
- privateNetwork = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to give the container its own private virtual
- Ethernet interface. The interface is called
- <literal>eth0</literal>, and is hooked up to the interface
- <literal>ve-<replaceable>container-name</replaceable></literal>
- on the host. If this option is not set, then the
- container shares the network interfaces of the host,
- and can bind to any port on any interface.
- '';
- };
-
- interfaces = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "eth1" "eth2" ];
- description = ''
- The list of interfaces to be moved into the container.
- '';
- };
-
- macvlans = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "eth1" "eth2" ];
- description = ''
- The list of host interfaces from which macvlans will be
- created. For each interface specified, a macvlan interface
- will be created and moved to the container.
- '';
- };
-
- extraVeths = mkOption {
- type = with types; attrsOf (submodule { options = networkOptions; });
- default = {};
- description = ''
- Extra veth-pairs to be created for the container
- '';
- };
-
- autoStart = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether the container is automatically started at boot-time.
- '';
- };
-
- timeoutStartSec = mkOption {
- type = types.str;
- default = "1min";
- description = ''
- Time for the container to start. In case of a timeout,
- the container processes get killed.
- See <citerefentry><refentrytitle>systemd.time</refentrytitle>
- <manvolnum>7</manvolnum></citerefentry>
- for more information about the format.
- '';
- };
-
- bindMounts = mkOption {
- type = with types; loaOf (submodule bindMountOpts);
- default = {};
- example = literalExample ''
- { "/home" = { hostPath = "/home/alice";
- isReadOnly = false; };
- }
- '';
-
- description =
- ''
- An extra list of directories that is bound to the container.
- '';
- };
-
- allowedDevices = mkOption {
- type = with types; listOf (submodule allowedDeviceOpts);
- default = [];
- example = [ { node = "/dev/net/tun"; modifier = "rw"; } ];
- description = ''
- A list of device nodes to which the containers has access to.
- '';
- };
-
- tmpfs = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "/var" ];
- description = ''
- Mounts a set of tmpfs file systems into the container.
- Multiple paths can be specified.
- Valid items must conform to the --tmpfs argument
- of systemd-nspawn. See systemd-nspawn(1) for details.
- '';
- };
-
- extraFlags = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "--drop-capability=CAP_SYS_CHROOT" ];
- description = ''
- Extra flags passed to the systemd-nspawn command.
- See systemd-nspawn(1) for details.
- '';
- };
-
- } // networkOptions;
-
- config = mkMerge
- [
- (mkIf options.config.isDefined {
- path = config.config.system.build.toplevel;
- })
+ users.extraUsers = builtins.listToAttrs (
+ (
+ builtins.foldl' (
+ acc: user: {
+ values = acc.values ++ [
+ {
+ name = user;
+ value = {
+ subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
+ subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
+ };
+ }
];
- }));
-
- default = {};
- example = literalExample
- ''
- { webserver =
- { path = "/nix/var/nix/profiles/webserver";
- };
- database =
- { config =
- { config, pkgs, ... }:
- { services.postgresql.enable = true;
- services.postgresql.package = pkgs.postgresql_9_6;
-
- system.stateVersion = "17.03";
- };
- };
+ offset = acc.offset + 65536;
}
- '';
- description = ''
- A set of NixOS system configurations to be run as lightweight
- containers. Each container appears as a service
- <literal>container-<replaceable>name</replaceable></literal>
- on the host system, allowing it to be started and stopped via
- <command>systemctl</command>.
- '';
- };
+ )
+ { values = []; offset = 100000; } (lib.unique cfg.users)
+ ).values
+ );
+ environment.etc."containers/policy.json".source =
+ if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+ else copyFile "${pkgs.skopeo.src}/default-policy.json";
};
-
- config = mkIf (config.boot.enableContainers) (let
-
- unit = {
- description = "Container '%i'";
-
- unitConfig.RequiresMountsFor = "/var/lib/containers/%i";
-
- path = [ pkgs.iproute ];
-
- environment = {
- root = "/var/lib/containers/%i";
- INSTANCE = "%i";
- };
-
- preStart = preStartScript dummyConfig;
-
- script = startScript dummyConfig;
-
- postStart = postStartScript dummyConfig;
-
- preStop = "machinectl poweroff $INSTANCE";
-
- restartIfChanged = false;
-
- serviceConfig = serviceDirectives dummyConfig;
- };
- in {
- systemd.targets.multi-user.wants = [ "machines.target" ];
-
- systemd.services = listToAttrs (filter (x: x.value != null) (
- # The generic container template used by imperative containers
- [{ name = "container@"; value = unit; }]
- # declarative containers
- ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (let
- containerConfig = cfg // (
- if cfg.enableTun then
- {
- allowedDevices = cfg.allowedDevices
- ++ [ { node = "/dev/net/tun"; modifier = "rw"; } ];
- additionalCapabilities = cfg.additionalCapabilities
- ++ [ "CAP_NET_ADMIN" ];
- }
- else {});
- in
- recursiveUpdate unit {
- preStart = preStartScript containerConfig;
- script = startScript containerConfig;
- postStart = postStartScript containerConfig;
- serviceConfig = serviceDirectives containerConfig;
- unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";
- environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";
- } // (
- if containerConfig.autoStart then
- {
- wantedBy = [ "machines.target" ];
- wants = [ "network.target" ];
- after = [ "network.target" ];
- restartTriggers = [
- containerConfig.path
- config.environment.etc."containers/${name}.conf".source
- ];
- restartIfChanged = true;
- }
- else {})
- )) config.containers)
- ));
-
- # Generate a configuration file in /etc/containers for each
- # container so that container@.target can get the container
- # configuration.
- environment.etc =
- let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort);
- in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf"
- { text =
- ''
- SYSTEM_PATH=${cfg.path}
- ${optionalString cfg.privateNetwork ''
- PRIVATE_NETWORK=1
- ${optionalString (cfg.hostBridge != null) ''
- HOST_BRIDGE=${cfg.hostBridge}
- ''}
- ${optionalString (length cfg.forwardPorts > 0) ''
- HOST_PORT=${concatStringsSep "," (map mkPortStr cfg.forwardPorts)}
- ''}
- ${optionalString (cfg.hostAddress != null) ''
- HOST_ADDRESS=${cfg.hostAddress}
- ''}
- ${optionalString (cfg.hostAddress6 != null) ''
- HOST_ADDRESS6=${cfg.hostAddress6}
- ''}
- ${optionalString (cfg.localAddress != null) ''
- LOCAL_ADDRESS=${cfg.localAddress}
- ''}
- ${optionalString (cfg.localAddress6 != null) ''
- LOCAL_ADDRESS6=${cfg.localAddress6}
- ''}
- ''}
- INTERFACES="${toString cfg.interfaces}"
- MACVLANS="${toString cfg.macvlans}"
- ${optionalString cfg.autoStart ''
- AUTO_START=1
- ''}
- EXTRA_NSPAWN_FLAGS="${mkBindFlags cfg.bindMounts +
- optionalString (cfg.extraFlags != [])
- (" " + concatStringsSep " " cfg.extraFlags)}"
- '';
- }) config.containers;
-
- # Generate /etc/hosts entries for the containers.
- networking.extraHosts = concatStrings (mapAttrsToList (name: cfg: optionalString (cfg.localAddress != null)
- ''
- ${head (splitString "/" cfg.localAddress)} ${name}.containers
- '') config.containers);
-
- networking.dhcpcd.denyInterfaces = [ "ve-*" "vb-*" ];
-
- services.udev.extraRules = optionalString config.networking.networkmanager.enable ''
- # Don't manage interfaces created by nixos-container.
- ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1"
- '';
-
- environment.systemPackages = [ pkgs.nixos-container ];
-
- boot.kernelModules = [
- "bridge"
- "macvlan"
- "tap"
- "tun"
- ];
- });
}
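Review bot: The subuid/subgid allocation in `users.extraUsers` (the `builtins.foldl'` seeded with `{ values = []; offset = 100000; }`) assigns each user's 65536-id range by position in `lib.unique cfg.users`, so adding or removing a user earlier in the list shifts every later user's range and leaves files already written by rootless containers owned by ids that now belong to a different user; it also does not guard against overlap with `subUidRanges`/`subGidRanges` declared for the same users elsewhere or with real uids at or above 100000. A comment stating that allocation is positional, plus an assertion that rejects users that already carry their own ranges, would make the contract explicit. The `policy` description should say what the fallback does: as far as I know skopeo's shipped `default-policy.json` is `insecureAcceptAnything` (the same content the cri-o module previously inlined), which disables signature verification, so something like `If this option is empty the default policy file from skopeo is used, which accepts any image without signature checks.` is more honest. The `registries.insecure` description `List of insecure repositories.` is vague; `List of registries that may be contacted over plain HTTP or with an unverified TLS certificate.` states the actual effect.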
diff --git a/nixpkgs/nixos/modules/virtualisation/cri-o.nix b/nixpkgs/nixos/modules/virtualisation/cri-o.nix
index 14a435f6c8b..2af4214302d 100644
--- a/nixpkgs/nixos/modules/virtualisation/cri-o.nix
+++ b/nixpkgs/nixos/modules/virtualisation/cri-o.nix
@@ -4,8 +4,21 @@ with lib;
let
cfg = config.virtualisation.cri-o;
+
+ # Copy configuration files to avoid having the entire sources in the system closure
+ copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
+ cp ${filePath} $out
+ '';
in
{
+ imports = [
+ (mkRenamedOptionModule [ "virtualisation" "cri-o" "registries" ] [ "virtualisation" "containers" "registries" "search" ])
+ ];
+
+ meta = {
+ maintainers = lib.teams.podman.members;
+ };
+
options.virtualisation.cri-o = {
enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";
@@ -32,20 +45,14 @@ in
default = "/pause";
description = "Pause command to be executed";
};
-
- registries = mkOption {
- type = types.listOf types.str;
- default = [ "docker.io" "quay.io" ];
- description = "Registries to be configured for unqualified image pull";
- };
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs;
- [ cri-o cri-tools conmon cni-plugins iptables runc utillinux ];
- environment.etc."crictl.yaml".text = ''
- runtime-endpoint: unix:///var/run/crio/crio.sock
- '';
+ [ cri-o cri-tools conmon iptables runc utillinux ];
+
+ environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o.src}/crictl.yaml";
+
environment.etc."crio/crio.conf".text = ''
[crio]
storage_driver = "${cfg.storageDriver}"
@@ -53,35 +60,21 @@ in
[crio.image]
pause_image = "${cfg.pauseImage}"
pause_command = "${cfg.pauseCommand}"
- registries = [
- ${concatMapStringsSep ", " (x: "\"" + x + "\"") cfg.registries}
- ]
+
+ [crio.network]
+ plugin_dirs = ["${pkgs.cni-plugins}/bin/"]
+ network_dir = "/etc/cni/net.d/"
[crio.runtime]
conmon = "${pkgs.conmon}/bin/conmon"
log_level = "${cfg.logLevel}"
manage_network_ns_lifecycle = true
'';
- environment.etc."containers/policy.json".text = ''
- {"default": [{"type": "insecureAcceptAnything"}]}
- '';
- environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
- {
- "cniVersion": "0.3.1",
- "name": "crio-bridge",
- "type": "bridge",
- "bridge": "cni0",
- "isGateway": true,
- "ipMasq": true,
- "ipam": {
- "type": "host-local",
- "subnet": "10.88.0.0/16",
- "routes": [
- { "dst": "0.0.0.0/0" }
- ]
- }
- }
- '';
+
+ environment.etc."cni/net.d/10-crio-bridge.conf".source = copyFile "${pkgs.cri-o.src}/contrib/cni/10-crio-bridge.conf";
+
+ # Enable common /etc/containers configuration
+ virtualisation.containers.enable = true;
systemd.services.crio = {
description = "Container Runtime Interface for OCI (CRI-O)";
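Review bot: `environment.etc."cni/net.d/10-crio-bridge.conf"` now copies the bridge definition verbatim from `pkgs.cri-o.src`, so the pod subnet, gateway and masquerading settings that this module used to state explicitly (the removed inline `20-cri-o-bridge.conf` with `10.88.0.0/16` and `ipMasq`) are whatever the packaged cri-o version ships and will change silently on a package bump. The file's content is not visible here, so I would record the expectation next to that line, e.g. `# Upstream CNI bridge config; presumably the same bridge/host-local/ipMasq layout as the former inline file — re-check on cri-o updates.` The same applies to `crictl.yaml` copied from the source tree in the previous hunk, where the runtime endpoint path was previously spelled out in this file.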
diff --git a/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix b/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
index 3b4e55d39d7..24de8cf1afb 100644
--- a/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
+++ b/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
@@ -291,21 +291,43 @@ let self = {
"19.03".sa-east-1.hvm-ebs = "ami-0c6a43c6e0ad1f4e2";
"19.03".ap-south-1.hvm-ebs = "ami-0303deb1b5890f878";
- # 19.09.981.205691b7cbe
- "19.09".eu-west-1.hvm-ebs = "ami-0ebd3156e21e9642f";
- "19.09".eu-west-2.hvm-ebs = "ami-02a2b5480a79084b7";
- "19.09".eu-west-3.hvm-ebs = "ami-09aa175c7588734f7";
- "19.09".eu-central-1.hvm-ebs = "ami-00a7fafd7e237a330";
- "19.09".us-east-1.hvm-ebs = "ami-00a8eeaf232a74f84";
- "19.09".us-east-2.hvm-ebs = "ami-093efd3a57a1e03a8";
- "19.09".us-west-1.hvm-ebs = "ami-0913e9a2b677fac30";
- "19.09".us-west-2.hvm-ebs = "ami-02d9a19f77b47882a";
- "19.09".ca-central-1.hvm-ebs = "ami-0627dd3f7b3627a29";
- "19.09".ap-southeast-1.hvm-ebs = "ami-083614e4d08f2164d";
- "19.09".ap-southeast-2.hvm-ebs = "ami-0048c704185ded6dc";
- "19.09".ap-northeast-1.hvm-ebs = "ami-0329e7fc2d7f60bd0";
- "19.09".ap-northeast-2.hvm-ebs = "ami-03d4ae7d0b5fc364f";
- "19.09".ap-south-1.hvm-ebs = "ami-0b599690b35aeef23";
+ # 19.09.2243.84af403f54f
+ "19.09".eu-west-1.hvm-ebs = "ami-071082f0fa035374f";
+ "19.09".eu-west-2.hvm-ebs = "ami-0d9dc33c54d1dc4c3";
+ "19.09".eu-west-3.hvm-ebs = "ami-09566799591d1bfed";
+ "19.09".eu-central-1.hvm-ebs = "ami-015f8efc2be419b79";
+ "19.09".eu-north-1.hvm-ebs = "ami-07fc0a32d885e01ed";
+ "19.09".us-east-1.hvm-ebs = "ami-03330d8b51287412f";
+ "19.09".us-east-2.hvm-ebs = "ami-0518b4c84972e967f";
+ "19.09".us-west-1.hvm-ebs = "ami-06ad07e61a353b4a6";
+ "19.09".us-west-2.hvm-ebs = "ami-0e31e30925cf3ce4e";
+ "19.09".ca-central-1.hvm-ebs = "ami-07df50fc76702a36d";
+ "19.09".ap-southeast-1.hvm-ebs = "ami-0f71ae5d4b0b78d95";
+ "19.09".ap-southeast-2.hvm-ebs = "ami-057bbf2b4bd62d210";
+ "19.09".ap-northeast-1.hvm-ebs = "ami-02a62555ca182fb5b";
+ "19.09".ap-northeast-2.hvm-ebs = "ami-0219dde0e6b7b7b93";
+ "19.09".ap-south-1.hvm-ebs = "ami-066f7f2a895c821a1";
+ "19.09".ap-east-1.hvm-ebs = "ami-055b2348db2827ff1";
+ "19.09".sa-east-1.hvm-ebs = "ami-018aab68377227e06";
- latest = self."19.09";
+ # 20.03.1554.94e39623a49
+ "20.03".eu-west-1.hvm-ebs = "ami-02c34db5766cc7013";
+ "20.03".eu-west-2.hvm-ebs = "ami-0e32bd8c7853883f1";
+ "20.03".eu-west-3.hvm-ebs = "ami-061edb1356c1d69fd";
+ "20.03".eu-central-1.hvm-ebs = "ami-0a1a94722dcbff94c";
+ "20.03".eu-north-1.hvm-ebs = "ami-02699abfacbb6464b";
+ "20.03".us-east-1.hvm-ebs = "ami-0c5e7760748b74e85";
+ "20.03".us-east-2.hvm-ebs = "ami-030296bb256764655";
+ "20.03".us-west-1.hvm-ebs = "ami-050be818e0266b741";
+ "20.03".us-west-2.hvm-ebs = "ami-06562f78dca68eda2";
+ "20.03".ca-central-1.hvm-ebs = "ami-02365684a173255c7";
+ "20.03".ap-southeast-1.hvm-ebs = "ami-0dbf353e168d155f7";
+ "20.03".ap-southeast-2.hvm-ebs = "ami-04c0f3a75f63daddd";
+ "20.03".ap-northeast-1.hvm-ebs = "ami-093d9cc49c191eb6c";
+ "20.03".ap-northeast-2.hvm-ebs = "ami-0087df91a7b6ebd45";
+ "20.03".ap-south-1.hvm-ebs = "ami-0a1a6b569af04af9d";
+ "20.03".ap-east-1.hvm-ebs = "ami-0d18fdd309cdefa86";
+ "20.03".sa-east-1.hvm-ebs = "ami-09859378158ae971d";
+
+ latest = self."20.03";
}; in self
diff --git a/nixpkgs/nixos/modules/virtualisation/ecs-agent.nix b/nixpkgs/nixos/modules/virtualisation/ecs-agent.nix
index fc51b159579..93fefe56d1a 100644
--- a/nixpkgs/nixos/modules/virtualisation/ecs-agent.nix
+++ b/nixpkgs/nixos/modules/virtualisation/ecs-agent.nix
@@ -38,9 +38,8 @@ in {
if [ ! -z "$ECS_DATADIR" ]; then
mkdir -p "$ECS_DATADIR"
fi
- ${cfg.package.bin}/bin/agent
+ ${cfg.package}/bin/agent
'';
};
};
}
-
diff --git a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
index 4f22099443f..f89e5d544b2 100644
--- a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
@@ -7,10 +7,8 @@ let
cfg = config.virtualisation.libvirtd;
vswitch = config.virtualisation.vswitch;
configFile = pkgs.writeText "libvirtd.conf" ''
- unix_sock_group = "libvirtd"
- unix_sock_rw_perms = "0770"
- auth_unix_ro = "none"
- auth_unix_rw = "none"
+ auth_unix_ro = "polkit"
+ auth_unix_rw = "polkit"
${cfg.extraConfig}
'';
qemuConfigFile = pkgs.writeText "qemu.conf" ''
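Review bot: Dropping `unix_sock_group`/`unix_sock_rw_perms = "0770"` while switching `auth_unix_ro`/`auth_unix_rw` to polkit moves the access-control boundary without the hunk saying where it now lives. If the sockets are systemd-activated (the `systemd.sockets.libvirtd` lines in the next hunk suggest so), libvirtd ignores those two directives and the socket units' SocketMode/SocketGroup apply, so the only per-user gate that remains is polkit; a comment above `auth_unix_ro` such as `# Socket ownership/mode come from the systemd .socket units; per-connection authorisation is delegated to polkit.` would make that visible. Read-only connections are now governed by libvirt's `org.libvirt.unix.monitor` policy, which I believe the shipped policy allows for any local user, so their exposure is effectively unchanged from the previous `none` but is worth stating. The enclosing `let` block starts outside the hunk.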
@@ -269,5 +267,14 @@ in {
systemd.sockets.libvirtd .wantedBy = [ "sockets.target" ];
systemd.sockets.libvirtd-tcp.wantedBy = [ "sockets.target" ];
+
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage" &&
+ subject.isInGroup("libvirtd")) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
};
}
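Review bot: The added rule grants every member of the `libvirtd` group `org.libvirt.unix.manage` with `polkit.Result.YES` and no authentication, which is a root-equivalent privilege on the host, and nothing in the hunk records that this is the deliberate replacement for the old group-owned 0770 socket. Suggest a comment directly above `polkit.addRule`: `# Equivalent to the former group-owned rw socket: "libvirtd" members get full management access without authentication, so treat membership as root-equivalent.` The rule is also only effective if polkit is active; whether this module sets `security.polkit.enable` is outside the hunk. The enclosing `config` attribute set starts outside the hunk.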
diff --git a/nixpkgs/nixos/modules/virtualisation/lxd.nix b/nixpkgs/nixos/modules/virtualisation/lxd.nix
index de48d3a780e..53b89a9f55b 100644
--- a/nixpkgs/nixos/modules/virtualisation/lxd.nix
+++ b/nixpkgs/nixos/modules/virtualisation/lxd.nix
@@ -108,7 +108,7 @@ in
'';
serviceConfig = {
- ExecStart = "@${cfg.package.bin}/bin/lxd lxd --group lxd";
+ ExecStart = "@${cfg.package}/bin/lxd lxd --group lxd";
Type = "simple";
KillMode = "process"; # when stopping, leave the containers alone
LimitMEMLOCK = "infinity";
diff --git a/nixpkgs/nixos/modules/virtualisation/nixos-containers.nix b/nixpkgs/nixos/modules/virtualisation/nixos-containers.nix
new file mode 100644
index 00000000000..b0fa03917c8
--- /dev/null
+++ b/nixpkgs/nixos/modules/virtualisation/nixos-containers.nix
@@ -0,0 +1,844 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ # The container's init script, a small wrapper around the regular
+ # NixOS stage-2 init script.
+ containerInit = (cfg:
+ let
+ renderExtraVeth = (name: cfg:
+ ''
+ echo "Bringing ${name} up"
+ ip link set dev ${name} up
+ ${optionalString (cfg.localAddress != null) ''
+ echo "Setting ip for ${name}"
+ ip addr add ${cfg.localAddress} dev ${name}
+ ''}
+ ${optionalString (cfg.localAddress6 != null) ''
+ echo "Setting ip6 for ${name}"
+ ip -6 addr add ${cfg.localAddress6} dev ${name}
+ ''}
+ ${optionalString (cfg.hostAddress != null) ''
+ echo "Setting route to host for ${name}"
+ ip route add ${cfg.hostAddress} dev ${name}
+ ''}
+ ${optionalString (cfg.hostAddress6 != null) ''
+ echo "Setting route6 to host for ${name}"
+ ip -6 route add ${cfg.hostAddress6} dev ${name}
+ ''}
+ ''
+ );
+ in
+ pkgs.writeScript "container-init"
+ ''
+ #! ${pkgs.runtimeShell} -e
+
+ # Initialise the container side of the veth pair.
+ if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] ||
+ [ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] ||
+ [ -n "$HOST_BRIDGE" ]; then
+ ip link set host0 name eth0
+ ip link set dev eth0 up
+
+ if [ -n "$LOCAL_ADDRESS" ]; then
+ ip addr add $LOCAL_ADDRESS dev eth0
+ fi
+ if [ -n "$LOCAL_ADDRESS6" ]; then
+ ip -6 addr add $LOCAL_ADDRESS6 dev eth0
+ fi
+ if [ -n "$HOST_ADDRESS" ]; then
+ ip route add $HOST_ADDRESS dev eth0
+ ip route add default via $HOST_ADDRESS
+ fi
+ if [ -n "$HOST_ADDRESS6" ]; then
+ ip -6 route add $HOST_ADDRESS6 dev eth0
+ ip -6 route add default via $HOST_ADDRESS6
+ fi
+
+ ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
+ fi
+
+ # Start the regular stage 1 script.
+ exec "$1"
+ ''
+ );
+
+ nspawnExtraVethArgs = (name: cfg: "--network-veth-extra=${name}");
+
+ startScript = cfg:
+ ''
+ mkdir -p -m 0755 "$root/etc" "$root/var/lib"
+ mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
+ if ! [ -e "$root/etc/os-release" ]; then
+ touch "$root/etc/os-release"
+ fi
+
+ if ! [ -e "$root/etc/machine-id" ]; then
+ touch "$root/etc/machine-id"
+ fi
+
+ mkdir -p -m 0755 \
+ "/nix/var/nix/profiles/per-container/$INSTANCE" \
+ "/nix/var/nix/gcroots/per-container/$INSTANCE"
+
+ cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf"
+
+ if [ "$PRIVATE_NETWORK" = 1 ]; then
+ extraFlags+=" --private-network"
+ fi
+
+ if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
+ [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
+ extraFlags+=" --network-veth"
+ fi
+
+ if [ -n "$HOST_PORT" ]; then
+ OIFS=$IFS
+ IFS=","
+ for i in $HOST_PORT
+ do
+ extraFlags+=" --port=$i"
+ done
+ IFS=$OIFS
+ fi
+
+ if [ -n "$HOST_BRIDGE" ]; then
+ extraFlags+=" --network-bridge=$HOST_BRIDGE"
+ fi
+
+ extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}"
+
+ for iface in $INTERFACES; do
+ extraFlags+=" --network-interface=$iface"
+ done
+
+ for iface in $MACVLANS; do
+ extraFlags+=" --network-macvlan=$iface"
+ done
+
+ # If the host is 64-bit and the container is 32-bit, add a
+ # --personality flag.
+ ${optionalString (config.nixpkgs.localSystem.system == "x86_64-linux") ''
+ if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then
+ extraFlags+=" --personality=x86"
+ fi
+ ''}
+
+ # Run systemd-nspawn without startup notification (we'll
+ # wait for the container systemd to signal readiness).
+ exec ${config.systemd.package}/bin/systemd-nspawn \
+ --keep-unit \
+ -M "$INSTANCE" -D "$root" $extraFlags \
+ $EXTRA_NSPAWN_FLAGS \
+ --notify-ready=yes \
+ --bind-ro=/nix/store \
+ --bind-ro=/nix/var/nix/db \
+ --bind-ro=/nix/var/nix/daemon-socket \
+ --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
+ --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
+ ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
+ --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
+ --setenv HOST_BRIDGE="$HOST_BRIDGE" \
+ --setenv HOST_ADDRESS="$HOST_ADDRESS" \
+ --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \
+ --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \
+ --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
+ --setenv HOST_PORT="$HOST_PORT" \
+ --setenv PATH="$PATH" \
+ ${optionalString cfg.ephemeral "--ephemeral"} \
+ ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
+ ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else ""
+ } \
+ ${if cfg.tmpfs != null && cfg.tmpfs != [] then
+ ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else ""
+ } \
+ ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init"
+ '';
+
+ preStartScript = cfg:
+ ''
+ # Clean up existing machined registration and interfaces.
+ machinectl terminate "$INSTANCE" 2> /dev/null || true
+
+ if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
+ [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
+ ip link del dev "ve-$INSTANCE" 2> /dev/null || true
+ ip link del dev "vb-$INSTANCE" 2> /dev/null || true
+ fi
+
+ ${concatStringsSep "\n" (
+ mapAttrsToList (name: cfg:
+ ''ip link del dev ${name} 2> /dev/null || true ''
+ ) cfg.extraVeths
+ )}
+ '';
+
+ postStartScript = (cfg:
+ let
+ ipcall = cfg: ipcmd: variable: attribute:
+ if cfg.${attribute} == null then
+ ''
+ if [ -n "${variable}" ]; then
+ ${ipcmd} add ${variable} dev $ifaceHost
+ fi
+ ''
+ else
+ ''${ipcmd} add ${cfg.${attribute}} dev $ifaceHost'';
+ renderExtraVeth = name: cfg:
+ if cfg.hostBridge != null then
+ ''
+ # Add ${name} to bridge ${cfg.hostBridge}
+ ip link set dev ${name} master ${cfg.hostBridge} up
+ ''
+ else
+ ''
+ echo "Bring ${name} up"
+ ip link set dev ${name} up
+ # Set IPs and routes for ${name}
+ ${optionalString (cfg.hostAddress != null) ''
+ ip addr add ${cfg.hostAddress} dev ${name}
+ ''}
+ ${optionalString (cfg.hostAddress6 != null) ''
+ ip -6 addr add ${cfg.hostAddress6} dev ${name}
+ ''}
+ ${optionalString (cfg.localAddress != null) ''
+ ip route add ${cfg.localAddress} dev ${name}
+ ''}
+ ${optionalString (cfg.localAddress6 != null) ''
+ ip -6 route add ${cfg.localAddress6} dev ${name}
+ ''}
+ '';
+ in
+ ''
+ if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
+ [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
+ if [ -z "$HOST_BRIDGE" ]; then
+ ifaceHost=ve-$INSTANCE
+ ip link set dev $ifaceHost up
+
+ ${ipcall cfg "ip addr" "$HOST_ADDRESS" "hostAddress"}
+ ${ipcall cfg "ip -6 addr" "$HOST_ADDRESS6" "hostAddress6"}
+ ${ipcall cfg "ip route" "$LOCAL_ADDRESS" "localAddress"}
+ ${ipcall cfg "ip -6 route" "$LOCAL_ADDRESS6" "localAddress6"}
+ fi
+ ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
+ fi
+ ''
+ );
+
+ serviceDirectives = cfg: {
+ ExecReload = pkgs.writeScript "reload-container"
+ ''
+ #! ${pkgs.runtimeShell} -e
+ ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \
+ bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
+ '';
+
+ SyslogIdentifier = "container %i";
+
+ EnvironmentFile = "-/etc/containers/%i.conf";
+
+ Type = "notify";
+
+ RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";
+
+ # Note that on reboot, systemd-nspawn returns 133, so this
+ # unit will be restarted. On poweroff, it returns 0, so the
+ # unit won't be restarted.
+ RestartForceExitStatus = "133";
+ SuccessExitStatus = "133";
+
+ # Some containers take long to start
+ # especially when you automatically start many at once
+ TimeoutStartSec = cfg.timeoutStartSec;
+
+ Restart = "on-failure";
+
+ Slice = "machine.slice";
+ Delegate = true;
+
+ # Hack: we don't want to kill systemd-nspawn, since we call
+ # "machinectl poweroff" in preStop to shut down the
+ # container cleanly. But systemd requires sending a signal
+ # (at least if we want remaining processes to be killed
+ # after the timeout). So send an ignored signal.
+ KillMode = "mixed";
+ KillSignal = "WINCH";
+
+ DevicePolicy = "closed";
+ DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;
+ };
+
+
+ system = config.nixpkgs.localSystem.system;
+
+ bindMountOpts = { name, ... }: {
+
+ options = {
+ mountPoint = mkOption {
+ example = "/mnt/usb";
+ type = types.str;
+ description = "Mount point on the container file system.";
+ };
+ hostPath = mkOption {
+ default = null;
+ example = "/home/alice";
+ type = types.nullOr types.str;
+ description = "Location of the host path to be mounted.";
+ };
+ isReadOnly = mkOption {
+ default = true;
+ type = types.bool;
+ description = "Determine whether the mounted path will be accessed in read-only mode.";
+ };
+ };
+
+ config = {
+ mountPoint = mkDefault name;
+ };
+
+ };
+
+ allowedDeviceOpts = { ... }: {
+ options = {
+ node = mkOption {
+ example = "/dev/net/tun";
+ type = types.str;
+ description = "Path to device node";
+ };
+ modifier = mkOption {
+ example = "rw";
+ type = types.str;
+ description = ''
+ Device node access modifier. Takes a combination
+ <literal>r</literal> (read), <literal>w</literal> (write), and
+ <literal>m</literal> (mknod). See the
+ <literal>systemd.resource-control(5)</literal> man page for more
+ information.'';
+ };
+ };
+ };
+
+
+ mkBindFlag = d:
+ let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind=";
+ mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}";
+ in flagPrefix + mountstr ;
+
+ mkBindFlags = bs: concatMapStrings mkBindFlag (lib.attrValues bs);
+
+ networkOptions = {
+ hostBridge = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "br0";
+ description = ''
+ Put the host-side of the veth-pair into the named bridge.
+ Only one of hostAddress* or hostBridge can be given.
+ '';
+ };
+
+ forwardPorts = mkOption {
+ type = types.listOf (types.submodule {
+ options = {
+ protocol = mkOption {
+ type = types.str;
+ default = "tcp";
+ description = "The protocol specifier for port forwarding between host and container";
+ };
+ hostPort = mkOption {
+ type = types.int;
+ description = "Source port of the external interface on host";
+ };
+ containerPort = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = "Target port of container";
+ };
+ };
+ });
+ default = [];
+ example = [ { protocol = "tcp"; hostPort = 8080; containerPort = 80; } ];
+ description = ''
+ List of forwarded ports from host to container. Each forwarded port
+ is specified by protocol, hostPort and containerPort. By default,
+ protocol is tcp and hostPort and containerPort are assumed to be
+ the same if containerPort is not explicitly given.
+ '';
+ };
+
+
+ hostAddress = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "10.231.136.1";
+ description = ''
+ The IPv4 address assigned to the host interface.
+ (Not used when hostBridge is set.)
+ '';
+ };
+
+ hostAddress6 = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "fc00::1";
+ description = ''
+ The IPv6 address assigned to the host interface.
+ (Not used when hostBridge is set.)
+ '';
+ };
+
+ localAddress = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "10.231.136.2";
+ description = ''
+ The IPv4 address assigned to the interface in the container.
+ If a hostBridge is used, this should be given with netmask to access
+ the whole network. Otherwise the default netmask is /32 and routing is
+ set up from localAddress to hostAddress and back.
+ '';
+ };
+
+ localAddress6 = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "fc00::2";
+ description = ''
+ The IPv6 address assigned to the interface in the container.
+ If a hostBridge is used, this should be given with netmask to access
+ the whole network. Otherwise the default netmask is /128 and routing is
+ set up from localAddress6 to hostAddress6 and back.
+ '';
+ };
+
+ };
+
+ dummyConfig =
+ {
+ extraVeths = {};
+ additionalCapabilities = [];
+ ephemeral = false;
+ timeoutStartSec = "15s";
+ allowedDevices = [];
+ hostAddress = null;
+ hostAddress6 = null;
+ localAddress = null;
+ localAddress6 = null;
+ tmpfs = null;
+ };
+
+in
+
+{
+ options = {
+
+ boot.isContainer = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether this NixOS machine is a lightweight container running
+ in another NixOS system. If set to true, support for nested
+ containers is disabled by default, but can be reenabled by
+ setting <option>boot.enableContainers</option> to true.
+ '';
+ };
+
+ boot.enableContainers = mkOption {
+ type = types.bool;
+ default = !config.boot.isContainer;
+ description = ''
+ Whether to enable support for NixOS containers. Defaults to true
+ (at no cost if containers are not actually used), but only if the
+ system is not itself a lightweight container of a host.
+ To enable support for nested containers, this option has to be
+ explicitly set to true (in the outer container).
+ '';
+ };
+
+ containers = mkOption {
+ type = types.attrsOf (types.submodule (
+ { config, options, name, ... }:
+ {
+ options = {
+
+ config = mkOption {
+ description = ''
+ A specification of the desired configuration of this
+ container, as a NixOS module.
+ '';
+ type = let
+ confPkgs = if config.pkgs == null then pkgs else config.pkgs;
+ in lib.mkOptionType {
+ name = "Toplevel NixOS config";
+ merge = loc: defs: (import (confPkgs.path + "/nixos/lib/eval-config.nix") {
+ inherit system;
+ pkgs = confPkgs;
+ baseModules = import (confPkgs.path + "/nixos/modules/module-list.nix");
+ inherit (confPkgs) lib;
+ modules =
+ let
+ extraConfig = {
+ _file = "module at ${__curPos.file}:${toString __curPos.line}";
+ config = {
+ boot.isContainer = true;
+ networking.hostName = mkDefault name;
+ networking.useDHCP = false;
+ assertions = [
+ {
+ assertion = config.privateNetwork -> stringLength name < 12;
+ message = ''
+ Container name `${name}` is too long: When `privateNetwork` is enabled, container names can
+ not be longer than 11 characters, because the container's interface name is derived from it.
+ This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509
+ '';
+ }
+ ];
+ };
+ };
+ in [ extraConfig ] ++ (map (x: x.value) defs);
+ prefix = [ "containers" name ];
+ }).config;
+ };
+ };
+
+ path = mkOption {
+ type = types.path;
+ example = "/nix/var/nix/profiles/containers/webserver";
+ description = ''
+ As an alternative to specifying
+ <option>config</option>, you can specify the path to
+ the evaluated NixOS system configuration, typically a
+ symlink to a system profile.
+ '';
+ };
+
+ additionalCapabilities = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "CAP_NET_ADMIN" "CAP_MKNOD" ];
+ description = ''
+ Grant additional capabilities to the container. See the
+ capabilities(7) and systemd-nspawn(1) man pages for more
+ information.
+ '';
+ };
+
+ pkgs = mkOption {
+ type = types.nullOr types.attrs;
+ default = null;
+ example = literalExample "pkgs";
+ description = ''
+ Customise which nixpkgs to use for this container.
+ '';
+ };
+
+ ephemeral = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Runs container in ephemeral mode with the empty root filesystem at boot.
+ This way container will be bootstrapped from scratch on each boot
+ and will be cleaned up on shutdown leaving no traces behind.
+ Useful for completely stateless, reproducible containers.
+
+ Note that this option might require to do some adjustments to the container configuration,
+ e.g. you might want to set
+ <varname>systemd.network.networks.$interface.dhcpV4Config.ClientIdentifier</varname> to "mac"
+ if you use <varname>macvlans</varname> option.
+ This way dhcp client identifier will be stable between the container restarts.
+
+ Note that the container journal will not be linked to the host if this option is enabled.
+ '';
+ };
+
+ enableTun = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allows the container to create and setup tunnel interfaces
+ by granting the <literal>NET_ADMIN</literal> capability and
+ enabling access to <literal>/dev/net/tun</literal>.
+ '';
+ };
+
+ privateNetwork = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to give the container its own private virtual
+ Ethernet interface. The interface is called
+ <literal>eth0</literal>, and is hooked up to the interface
+ <literal>ve-<replaceable>container-name</replaceable></literal>
+ on the host. If this option is not set, then the
+ container shares the network interfaces of the host,
+ and can bind to any port on any interface.
+ '';
+ };
+
+ interfaces = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "eth1" "eth2" ];
+ description = ''
+ The list of interfaces to be moved into the container.
+ '';
+ };
+
+ macvlans = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "eth1" "eth2" ];
+ description = ''
+ The list of host interfaces from which macvlans will be
+ created. For each interface specified, a macvlan interface
+ will be created and moved to the container.
+ '';
+ };
+
+ extraVeths = mkOption {
+ type = with types; attrsOf (submodule { options = networkOptions; });
+ default = {};
+ description = ''
+ Extra veth-pairs to be created for the container.
+ '';
+ };
+
+ autoStart = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether the container is automatically started at boot-time.
+ '';
+ };
+
+ timeoutStartSec = mkOption {
+ type = types.str;
+ default = "1min";
+ description = ''
+ Time for the container to start. In case of a timeout,
+ the container processes get killed.
+ See <citerefentry><refentrytitle>systemd.time</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry>
+ for more information about the format.
+ '';
+ };
+
+ bindMounts = mkOption {
+ type = with types; loaOf (submodule bindMountOpts);
+ default = {};
+ example = literalExample ''
+ { "/home" = { hostPath = "/home/alice";
+ isReadOnly = false; };
+ }
+ '';
+
+ description =
+ ''
+ An extra list of directories that is bound to the container.
+ '';
+ };
+
+ allowedDevices = mkOption {
+ type = with types; listOf (submodule allowedDeviceOpts);
+ default = [];
+ example = [ { node = "/dev/net/tun"; modifier = "rw"; } ];
+ description = ''
+ A list of device nodes to which the containers has access to.
+ '';
+ };
+
+ tmpfs = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "/var" ];
+ description = ''
+ Mounts a set of tmpfs file systems into the container.
+ Multiple paths can be specified.
+ Valid items must conform to the --tmpfs argument
+ of systemd-nspawn. See systemd-nspawn(1) for details.
+ '';
+ };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "--drop-capability=CAP_SYS_CHROOT" ];
+ description = ''
+ Extra flags passed to the systemd-nspawn command.
+ See systemd-nspawn(1) for details.
+ '';
+ };
+
+ } // networkOptions;
+
+ config = mkMerge
+ [
+ (mkIf options.config.isDefined {
+ path = config.config.system.build.toplevel;
+ })
+ ];
+ }));
+
+ default = {};
+ example = literalExample
+ ''
+ { webserver =
+ { path = "/nix/var/nix/profiles/webserver";
+ };
+ database =
+ { config =
+ { config, pkgs, ... }:
+ { services.postgresql.enable = true;
+ services.postgresql.package = pkgs.postgresql_9_6;
+
+ system.stateVersion = "17.03";
+ };
+ };
+ }
+ '';
+ description = ''
+ A set of NixOS system configurations to be run as lightweight
+ containers. Each container appears as a service
+ <literal>container-<replaceable>name</replaceable></literal>
+ on the host system, allowing it to be started and stopped via
+ <command>systemctl</command>.
+ '';
+ };
+
+ };
+
+
+ config = mkIf (config.boot.enableContainers) (let
+
+ unit = {
+ description = "Container '%i'";
+
+ unitConfig.RequiresMountsFor = "/var/lib/containers/%i";
+
+ path = [ pkgs.iproute ];
+
+ environment = {
+ root = "/var/lib/containers/%i";
+ INSTANCE = "%i";
+ };
+
+ preStart = preStartScript dummyConfig;
+
+ script = startScript dummyConfig;
+
+ postStart = postStartScript dummyConfig;
+
+ preStop = "machinectl poweroff $INSTANCE";
+
+ restartIfChanged = false;
+
+ serviceConfig = serviceDirectives dummyConfig;
+ };
+ in {
+ systemd.targets.multi-user.wants = [ "machines.target" ];
+
+ systemd.services = listToAttrs (filter (x: x.value != null) (
+ # The generic container template used by imperative containers
+ [{ name = "container@"; value = unit; }]
+ # declarative containers
+ ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (let
+ containerConfig = cfg // (
+ if cfg.enableTun then
+ {
+ allowedDevices = cfg.allowedDevices
+ ++ [ { node = "/dev/net/tun"; modifier = "rw"; } ];
+ additionalCapabilities = cfg.additionalCapabilities
+ ++ [ "CAP_NET_ADMIN" ];
+ }
+ else {});
+ in
+ recursiveUpdate unit {
+ preStart = preStartScript containerConfig;
+ script = startScript containerConfig;
+ postStart = postStartScript containerConfig;
+ serviceConfig = serviceDirectives containerConfig;
+ unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";
+ environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";
+ } // (
+ if containerConfig.autoStart then
+ {
+ wantedBy = [ "machines.target" ];
+ wants = [ "network.target" ];
+ after = [ "network.target" ];
+ restartTriggers = [
+ containerConfig.path
+ config.environment.etc."containers/${name}.conf".source
+ ];
+ restartIfChanged = true;
+ }
+ else {})
+ )) config.containers)
+ ));
+
+ # Generate a configuration file in /etc/containers for each
+ # container so that container@.target can get the container
+ # configuration.
+ environment.etc =
+ let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort);
+ in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf"
+ { text =
+ ''
+ SYSTEM_PATH=${cfg.path}
+ ${optionalString cfg.privateNetwork ''
+ PRIVATE_NETWORK=1
+ ${optionalString (cfg.hostBridge != null) ''
+ HOST_BRIDGE=${cfg.hostBridge}
+ ''}
+ ${optionalString (length cfg.forwardPorts > 0) ''
+ HOST_PORT=${concatStringsSep "," (map mkPortStr cfg.forwardPorts)}
+ ''}
+ ${optionalString (cfg.hostAddress != null) ''
+ HOST_ADDRESS=${cfg.hostAddress}
+ ''}
+ ${optionalString (cfg.hostAddress6 != null) ''
+ HOST_ADDRESS6=${cfg.hostAddress6}
+ ''}
+ ${optionalString (cfg.localAddress != null) ''
+ LOCAL_ADDRESS=${cfg.localAddress}
+ ''}
+ ${optionalString (cfg.localAddress6 != null) ''
+ LOCAL_ADDRESS6=${cfg.localAddress6}
+ ''}
+ ''}
+ INTERFACES="${toString cfg.interfaces}"
+ MACVLANS="${toString cfg.macvlans}"
+ ${optionalString cfg.autoStart ''
+ AUTO_START=1
+ ''}
+ EXTRA_NSPAWN_FLAGS="${mkBindFlags cfg.bindMounts +
+ optionalString (cfg.extraFlags != [])
+ (" " + concatStringsSep " " cfg.extraFlags)}"
+ '';
+ }) config.containers;
+
+ # Generate /etc/hosts entries for the containers.
+ networking.extraHosts = concatStrings (mapAttrsToList (name: cfg: optionalString (cfg.localAddress != null)
+ ''
+ ${head (splitString "/" cfg.localAddress)} ${name}.containers
+ '') config.containers);
+
+ networking.dhcpcd.denyInterfaces = [ "ve-*" "vb-*" ];
+
+ services.udev.extraRules = optionalString config.networking.networkmanager.enable ''
+ # Don't manage interfaces created by nixos-container.
+ ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1"
+ '';
+
+ environment.systemPackages = [ pkgs.nixos-container ];
+
+ boot.kernelModules = [
+ "bridge"
+ "macvlan"
+ "tap"
+ "tun"
+ ];
+ });
+}
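Review bot: `allowedDeviceOpts.modifier` is declared as `types.str`, yet `serviceDirectives` splices it verbatim into `DeviceAllow`, so a typo such as `"rwx"` is only rejected by systemd at unit load rather than at evaluation; since the description already limits it to a combination of r, w and m, `type = types.strMatching "[rwm]+";` pins that contract. Similarly, `mkBindFlag` interpolates `hostPath`/`mountPoint` unquoted into `EXTRA_NSPAWN_FLAGS`, which the start script expands unquoted as `$EXTRA_NSPAWN_FLAGS`, so a path containing whitespace is split into separate nspawn arguments; these values come from the host's NixOS configuration rather than untrusted input, but an assertion rejecting whitespace in bind-mount paths would fail at evaluation instead of at container start. A short comment on the `--bind-ro=/nix/var/nix/daemon-socket` line stating that the container's nix client is given access to the host's nix-daemon socket would also document a trust relationship that is currently implicit.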
diff --git a/nixpkgs/nixos/modules/virtualisation/docker-containers.nix b/nixpkgs/nixos/modules/virtualisation/oci-containers.nix
index 5ab990a3d7c..a46dd65eb49 100644
--- a/nixpkgs/nixos/modules/virtualisation/docker-containers.nix
+++ b/nixpkgs/nixos/modules/virtualisation/oci-containers.nix
@@ -1,17 +1,20 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
with lib;
let
- cfg = config.docker-containers;
+ cfg = config.virtualisation.oci-containers;
+ proxy_env = config.networking.proxy.envVars;
- dockerContainer =
+ defaultBackend = options.virtualisation.oci-containers.backend.default;
+
+ containerOptions =
{ ... }: {
options = {
image = mkOption {
type = with types; str;
- description = "Docker image to run.";
+ description = "OCI image to run.";
example = "library/hello-world";
};
@@ -58,18 +61,19 @@ let
log-driver = mkOption {
type = types.str;
- default = "none";
+ default = "journald";
description = ''
Logging driver for the container. The default of
- <literal>"none"</literal> means that the container's logs will be
- handled as part of the systemd unit. Setting this to
- <literal>"journald"</literal> will result in duplicate logging, but
- the container's logs will be visible to the <command>docker
- logs</command> command.
-
- For more details and a full list of logging drivers, refer to the
- <link xlink:href="https://docs.docker.com/engine/reference/run/#logging-drivers---log-driver">
- Docker engine documentation</link>
+ <literal>"journald"</literal> means that the container's logs will be
+ handled as part of the systemd unit.
+
+ For more details and a full list of logging drivers, refer to respective backends documentation.
+
+ For Docker:
+ <link xlink:href="https://docs.docker.com/engine/reference/run/#logging-drivers---log-driver">Docker engine documentation</link>
+
+ For Podman:
+ Refer to the docker-run(1) man page.
'';
};
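Review bot: The new default `journald` changes where container output lands, and the rewritten description ("handled as part of the systemd unit") does not quite match it: with Docker's journald driver the entries are written by the daemon, so as far as I know `journalctl -u docker-<name>` shows nothing and the logs have to be located by container name; for Podman it depends on where conmon ends up. Combined with the `StandardOutput = "null"` added later in this file, the container unit's own journal becomes empty, which operators relying on unit-scoped log review will notice. Suggest rephrasing the paragraph to: `<literal>"journald"</literal> sends the container's output to the journal through the backend's logging driver; query it by container name rather than by the systemd unit.`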
@@ -172,10 +176,10 @@ let
description = ''
Define which other containers this one depends on. They will be added to both After and Requires for the unit.
- Use the same name as the attribute under <literal>services.docker-containers</literal>.
+ Use the same name as the attribute under <literal>virtualisation.oci-containers</literal>.
'';
example = literalExample ''
- services.docker-containers = {
+ virtualisation.oci-containers = {
node1 = {};
node2 = {
dependsOn = [ "node1" ];
@@ -184,10 +188,10 @@ let
'';
};
- extraDockerOptions = mkOption {
+ extraOptions = mkOption {
type = with types; listOf str;
default = [];
- description = "Extra options for <command>docker run</command>.";
+ description = "Extra options for <command>${defaultBackend} run</command>.";
example = literalExample ''
["--network=host"]
'';
@@ -205,24 +209,31 @@ let
};
mkService = name: container: let
- mkAfter = map (x: "docker-${x}.service") container.dependsOn;
- in rec {
+ dependsOn = map (x: "${cfg.backend}-${x}.service") container.dependsOn;
+ in {
wantedBy = [] ++ optional (container.autoStart) "multi-user.target";
- after = [ "docker.service" "docker.socket" ] ++ mkAfter;
- requires = after;
- path = [ pkgs.docker ];
+ after = lib.optionals (cfg.backend == "docker") [ "docker.service" "docker.socket" ] ++ dependsOn;
+ requires = dependsOn;
+ environment = proxy_env;
+
+ path =
+ if cfg.backend == "docker" then [ pkgs.docker ]
+ else if cfg.backend == "podman" then [ config.virtualisation.podman.package ]
+ else throw "Unhandled backend: ${cfg.backend}";
preStart = ''
- docker rm -f ${name} || true
+ ${cfg.backend} rm -f ${name} || true
${optionalString (container.imageFile != null) ''
- docker load -i ${container.imageFile}
+ ${cfg.backend} load -i ${container.imageFile}
''}
'';
- postStop = "docker rm -f ${name} || true";
-
+ postStop = "${cfg.backend} rm -f ${name} || true";
+
serviceConfig = {
+ StandardOutput = "null";
+ StandardError = "null";
ExecStart = concatStringsSep " \\\n " ([
- "${pkgs.docker}/bin/docker run"
+ "${config.system.path}/bin/${cfg.backend} run"
"--rm"
"--name=${name}"
"--log-driver=${container.log-driver}"
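Review bot: `StandardOutput = "null"` and `StandardError = "null"` silence not only the attached `run` command but also `preStart` and `postStop`, so a failing `${cfg.backend} load -i ${container.imageFile}` exits the unit non-zero with no diagnostic in the journal; if the aim is only to avoid duplicating container output under the journald driver, drop the `StandardError` line or make both conditional on `container.log-driver == "journald"`. `environment = proxy_env` hands the `networking.proxy` variables to the CLI, and as far as I know `podman run` forwards proxy variables from its own environment into the container by default (`--http-proxy`), so a proxy URL carrying credentials would become visible inside every container on that backend; that deserves a comment or an explicit decision. `requires` now holds only `dependsOn`, whereas the replaced code required `docker.service`/`docker.socket`; if that relaxation is intended, a one-line comment saying why would save the next reader from restoring it. The enclosing `mkService` definition continues past the hunk.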
@@ -233,12 +244,12 @@ let
++ optional (container.user != null) "-u ${escapeShellArg container.user}"
++ map (v: "-v ${escapeShellArg v}") container.volumes
++ optional (container.workdir != null) "-w ${escapeShellArg container.workdir}"
- ++ map escapeShellArg container.extraDockerOptions
+ ++ map escapeShellArg container.extraOptions
++ [container.image]
++ map escapeShellArg container.cmd
);
- ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || docker stop ${name}"'';
+ ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || ${cfg.backend} stop ${name}"'';
### There is no generalized way of supporting `reload` for docker
### containers. Some containers may respond well to SIGHUP sent to their
@@ -263,19 +274,50 @@ let
};
in {
+ imports = [
+ (
+ lib.mkChangedOptionModule
+ [ "docker-containers" ]
+ [ "virtualisation" "oci-containers" ]
+ (oldcfg: {
+ backend = "docker";
+ containers = lib.mapAttrs (n: v: builtins.removeAttrs (v // {
+ extraOptions = v.extraDockerOptions or [];
+ }) [ "extraDockerOptions" ]) oldcfg.docker-containers;
+ })
+ )
+ ];
+
+ options.virtualisation.oci-containers = {
+
+ backend = mkOption {
+ type = types.enum [ "podman" "docker" ];
+ default =
+ # TODO: Once https://github.com/NixOS/nixpkgs/issues/77925 is resolved default to podman
+ # if versionAtLeast config.system.stateVersion "20.09" then "podman"
+ # else "docker";
+ "docker";
+ description = "The underlying Docker implementation to use.";
+ };
- options.docker-containers = mkOption {
- default = {};
- type = types.attrsOf (types.submodule dockerContainer);
- description = "Docker containers to run as systemd services.";
- };
-
- config = mkIf (cfg != {}) {
-
- systemd.services = mapAttrs' (n: v: nameValuePair "docker-${n}" (mkService n v)) cfg;
-
- virtualisation.docker.enable = true;
+ containers = mkOption {
+ default = {};
+ type = types.attrsOf (types.submodule containerOptions);
+ description = "OCI (Docker) containers to run as systemd services.";
+ };
};
+ config = lib.mkIf (cfg.containers != {}) (lib.mkMerge [
+ {
+ systemd.services = mapAttrs' (n: v: nameValuePair "${cfg.backend}-${n}" (mkService n v)) cfg.containers;
+ }
+ (lib.mkIf (cfg.backend == "podman") {
+ virtualisation.podman.enable = true;
+ })
+ (lib.mkIf (cfg.backend == "docker") {
+ virtualisation.docker.enable = true;
+ })
+ ]);
+
}
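Review bot: The `backend` option's description, `The underlying Docker implementation to use.`, contradicts its own enum, since `podman` is not a Docker implementation; suggest `description = "Container engine used to run the configured containers (podman or docker).";`. The commented-out `versionAtLeast config.system.stateVersion "20.09"` default would switch engines silently on a stateVersion bump when it is reinstated, so that change should come with a release note or a `warnings` entry. The `containers` description could likewise drop `(Docker)` from `OCI (Docker) containers to run as systemd services.` now that two backends exist.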
diff --git a/nixpkgs/nixos/modules/virtualisation/podman.nix b/nixpkgs/nixos/modules/virtualisation/podman.nix
new file mode 100644
index 00000000000..652850bf500
--- /dev/null
+++ b/nixpkgs/nixos/modules/virtualisation/podman.nix
@@ -0,0 +1,123 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.virtualisation.podman;
+
+ inherit (lib) mkOption types;
+
+ podmanPackage = (pkgs.podman.override { inherit (cfg) extraPackages; });
+
+ # Provides a fake "docker" binary mapping to podman
+ dockerCompat = pkgs.runCommandNoCC "${podmanPackage.pname}-docker-compat-${podmanPackage.version}" {
+ outputs = [ "out" "man" ];
+ inherit (podmanPackage) meta;
+ } ''
+ mkdir -p $out/bin
+ ln -s ${podmanPackage}/bin/podman $out/bin/docker
+
+ mkdir -p $man/share/man/man1
+ for f in ${podmanPackage.man}/share/man/man1/*; do
+ basename=$(basename $f | sed s/podman/docker/g)
+ ln -s $f $man/share/man/man1/$basename
+ done
+ '';
+
+ # Copy configuration files to avoid having the entire sources in the system closure
+ copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
+ cp ${filePath} $out
+ '';
+
+in
+{
+ meta = {
+ maintainers = lib.teams.podman.members;
+ };
+
+ options.virtualisation.podman = {
+
+ enable =
+ mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ This option enables Podman, a daemonless container engine for
+ developing, managing, and running OCI Containers on your Linux System.
+
+ It is a drop-in replacement for the <command>docker</command> command.
+ '';
+ };
+
+ dockerCompat = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Create an alias mapping <command>docker</command> to <command>podman</command>.
+ '';
+ };
+
+ extraPackages = mkOption {
+ type = with types; listOf package;
+ default = [ ];
+ example = lib.literalExample ''
+ [
+ pkgs.gvisor
+ ]
+ '';
+ description = ''
+ Extra packages to be installed in the Podman wrapper.
+ '';
+ };
+
+ libpod = mkOption {
+ default = {};
+ description = "Libpod configuration";
+ type = types.submodule {
+ options = {
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = ''
+ Extra configuration that should be put in the libpod.conf
+ configuration file
+ '';
+
+ };
+ };
+ };
+ };
+
+ package = lib.mkOption {
+ type = types.package;
+ default = podmanPackage;
+ internal = true;
+ description = ''
+ The final Podman package (including extra packages).
+ '';
+ };
+
+
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ environment.systemPackages = [ cfg.package ]
+ ++ lib.optional cfg.dockerCompat dockerCompat;
+
+ environment.etc."containers/libpod.conf".text = ''
+ cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
+
+ '' + cfg.libpod.extraConfig;
+
+ environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman-unwrapped.src}/cni/87-podman-bridge.conflist";
+
+ # Enable common /etc/containers configuration
+ virtualisation.containers.enable = true;
+
+ assertions = [{
+ assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
+ message = "Option dockerCompat conflicts with docker";
+ }];
+
+ };
+
+}
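Review bot: The `dockerCompat` derivation is built from `podmanPackage` (its name, its `meta`, the symlink at `ln -s ${podmanPackage}/bin/podman $out/bin/docker`, and the man-page loop), whereas `environment.systemPackages` installs `cfg.package`; if `package` is ever set, the `docker` alias and its man pages would point at a different podman build than the one on the PATH. Referencing `cfg.package` in all four places keeps the alias in step with the installed package (the option is `internal`, so this only affects modules that set it, but the two should not be able to diverge). The assertion message could also name the full option paths, `message = "virtualisation.podman.dockerCompat conflicts with virtualisation.docker.enable";`, so the user is pointed at both settings involved.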
diff --git a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
index 31d332e9f07..ac86330c098 100644
--- a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
@@ -189,9 +189,18 @@ let
mkdir /boot/grub
echo '(hd0) /dev/vda' > /boot/grub/device.map
- # Install GRUB and generate the GRUB boot menu.
- touch /etc/NIXOS
+ # This is needed for systemd-boot to find ESP, and udev is not available here to create this
+ mkdir -p /dev/block
+ ln -s /dev/vda2 /dev/block/254:2
+
+ # Set up system profile (normally done by nixos-rebuild / nix-env --set)
mkdir -p /nix/var/nix/profiles
+ ln -s ${config.system.build.toplevel} /nix/var/nix/profiles/system-1-link
+ ln -s /nix/var/nix/profiles/system-1-link /nix/var/nix/profiles/system
+
+ # Install bootloader
+ touch /etc/NIXOS
+ export NIXOS_INSTALL_BOOTLOADER=1
${config.system.build.toplevel}/bin/switch-to-configuration boot
umount /boot
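Review bot: `ln -s /dev/vda2 /dev/block/254:2` hard-codes both the ESP partition node and what appears to be its block-device major:minor; if the image layout or the device driver changes, systemd-boot's ESP lookup would fail without any message pointing here, and nothing documents the coupling. A comment above the line such as `# 254:2 = major:minor of /dev/vda2 in this image; keep in sync with the disk layout` would make the assumption visible, and a guard like `[ -b /dev/vda2 ] || { echo "expected /dev/vda2 to exist" >&2; exit 1; }` ahead of it would fail loudly instead. The shell script this hunk belongs to begins and ends outside the hunk.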
@@ -499,7 +508,7 @@ in
# FIXME: Consolidate this one day.
virtualisation.qemu.options = mkMerge [
(mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [
- "-vga std" "-usb" "-device usb-tablet,bus=usb-bus.0"
+ "-usb" "-device usb-tablet,bus=usb-bus.0"
])
(mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [
"-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet"
diff --git a/nixpkgs/nixos/modules/virtualisation/rkt.nix b/nixpkgs/nixos/modules/virtualisation/rkt.nix
deleted file mode 100644
index fd662b52df5..00000000000
--- a/nixpkgs/nixos/modules/virtualisation/rkt.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.virtualisation.rkt;
-in
-{
- options.virtualisation.rkt = {
- enable = mkEnableOption "rkt metadata service";
-
- gc = {
- automatic = mkOption {
- default = true;
- type = types.bool;
- description = "Automatically run the garbage collector at a specific time.";
- };
-
- dates = mkOption {
- default = "03:15";
- type = types.str;
- description = ''
- Specification (in the format described by
- <citerefentry><refentrytitle>systemd.time</refentrytitle>
- <manvolnum>7</manvolnum></citerefentry>) of the time at
- which the garbage collector will run.
- '';
- };
-
- options = mkOption {
- default = "--grace-period=24h";
- type = types.str;
- description = ''
- Options given to <filename>rkt gc</filename> when the
- garbage collector is run automatically.
- '';
- };
- };
- };
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ pkgs.rkt ];
-
- systemd.services.rkt = {
- description = "rkt metadata service";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- serviceConfig = {
- ExecStart = "${pkgs.rkt}/bin/rkt metadata-service";
- };
- };
-
- systemd.services.rkt-gc = {
- description = "rkt garbage collection";
- startAt = optionalString cfg.gc.automatic cfg.gc.dates;
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.rkt}/bin/rkt gc ${cfg.gc.options}";
- };
- };
-
- users.groups.rkt = {};
- };
-}
diff --git a/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix b/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix
index 7f0af9901b9..7b2a66c4348 100644
--- a/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix
+++ b/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix
@@ -103,6 +103,7 @@ in
};
forwardDns = mkOption {
+ type = types.bool;
default = false;
description = ''
If set to <literal>true</literal>, the DNS queries from the
@@ -135,14 +136,8 @@ in
};
};
- virtualisation.xen.trace =
- mkOption {
- default = false;
- description =
- ''
- Enable Xen tracing.
- '';
- };
+ virtualisation.xen.trace = mkEnableOption "Xen tracing";
+
};