diff options
| author | Katharina Fey <kookie@spacekookie.de> | 2020-01-12 01:00:12 +0000 |
|---|---|---|
| committer | Katharina Fey <kookie@spacekookie.de> | 2020-01-12 01:00:12 +0000 |
| commit | eeaf5d25d5f6ae7ae1f5bf8a3dee4559693f8147 (patch) | |
| tree | afc41ca8dde96b41089ca324533084aef570322f /nixpkgs/nixos/modules | |
| parent | 63c4c4dda49dc69e5812faa7ef8406180998f3ae (diff) | |
| parent | e4134747f5666bcab8680aff67fa3b63384f9a0f (diff) | |
Merge commit 'e4134747f5666bcab8680aff67fa3b63384f9a0f'
Diffstat (limited to 'nixpkgs/nixos/modules')
315 files changed, 5011 insertions, 3149 deletions
diff --git a/nixpkgs/nixos/modules/config/console.nix b/nixpkgs/nixos/modules/config/console.nix new file mode 100644 index 00000000000..f662ed62d31 --- /dev/null +++ b/nixpkgs/nixos/modules/config/console.nix @@ -0,0 +1,203 @@ + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.console; + + makeColor = i: concatMapStringsSep "," (x: "0x" + substring (2*i) 2 x); + + isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale); + + optimizedKeymap = pkgs.runCommand "keymap" { + nativeBuildInputs = [ pkgs.buildPackages.kbd ]; + LOADKEYS_KEYMAP_PATH = "${consoleEnv}/share/keymaps/**"; + preferLocalBuild = true; + } '' + loadkeys -b ${optionalString isUnicode "-u"} "${cfg.keyMap}" > $out + ''; + + # Sadly, systemd-vconsole-setup doesn't support binary keymaps. + vconsoleConf = pkgs.writeText "vconsole.conf" '' + KEYMAP=${cfg.keyMap} + FONT=${cfg.font} + ''; + + consoleEnv = pkgs.buildEnv { + name = "console-env"; + paths = [ pkgs.kbd ] ++ cfg.packages; + pathsToLink = [ + "/share/consolefonts" + "/share/consoletrans" + "/share/keymaps" + "/share/unimaps" + ]; + }; + + setVconsole = !config.boot.isContainer; +in + +{ + ###### interface + + options.console = { + font = mkOption { + type = types.str; + default = "Lat2-Terminus16"; + example = "LatArCyrHeb-16"; + description = '' + The font used for the virtual consoles. Leave empty to use + whatever the <command>setfont</command> program considers the + default font. + ''; + }; + + keyMap = mkOption { + type = with types; either str path; + default = "us"; + example = "fr"; + description = '' + The keyboard mapping table for the virtual consoles. + ''; + }; + + colors = mkOption { + type = types.listOf types.str; + default = []; + example = [ + "002b36" "dc322f" "859900" "b58900" + "268bd2" "d33682" "2aa198" "eee8d5" + "002b36" "cb4b16" "586e75" "657b83" + "839496" "6c71c4" "93a1a1" "fdf6e3" + ]; + description = '' + The 16 colors palette used by the virtual consoles. + Leave empty to use the default colors. + Colors must be in hexadecimal format and listed in + order from color 0 to color 15. + ''; + + }; + + packages = mkOption { + type = types.listOf types.package; + default = with pkgs.kbdKeymaps; [ dvp neo ]; + defaultText = ''with pkgs.kbdKeymaps; [ dvp neo ]''; + description = '' + List of additional packages that provide console fonts, keymaps and + other resources for virtual consoles use. + ''; + }; + + extraTTYs = mkOption { + default = []; + type = types.listOf types.str; + example = ["tty8" "tty9"]; + description = '' + TTY (virtual console) devices, in addition to the consoles on + which mingetty and syslogd run, that must be initialised. + Only useful if you have some program that you want to run on + some fixed console. For example, the NixOS installation CD + opens the manual in a web browser on console 7, so it sets + <option>console.extraTTYs</option> to <literal>["tty7"]</literal>. + ''; + }; + + useXkbConfig = mkOption { + type = types.bool; + default = false; + description = '' + If set, configure the virtual console keymap from the xserver + keyboard settings. + ''; + }; + + earlySetup = mkOption { + default = false; + type = types.bool; + description = '' + Enable setting virtual console options as early as possible (in initrd). + ''; + }; + + }; + + + ###### implementation + + config = mkMerge [ + { console.keyMap = with config.services.xserver; + mkIf cfg.useXkbConfig + (pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } '' + '${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \ + -option '${xkbOptions}' -variant '${xkbVariant}' > "$out" + ''); + } + + (mkIf (!setVconsole) { + systemd.services.systemd-vconsole-setup.enable = false; + }) + + (mkIf setVconsole (mkMerge [ + { environment.systemPackages = [ pkgs.kbd ]; + + # Let systemd-vconsole-setup.service do the work of setting up the + # virtual consoles. + environment.etc."vconsole.conf".source = vconsoleConf; + # Provide kbd with additional packages. + environment.etc.kbd.source = "${consoleEnv}/share"; + + boot.initrd.preLVMCommands = mkBefore '' + kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console + printf "\033%%${if isUnicode then "G" else "@"}" >> /dev/console + loadkmap < ${optimizedKeymap} + + ${optionalString cfg.earlySetup '' + setfont -C /dev/console $extraUtils/share/consolefonts/font.psf + ''} + ''; + + systemd.services.systemd-vconsole-setup = + { before = [ "display-manager.service" ]; + after = [ "systemd-udev-settle.service" ]; + restartTriggers = [ vconsoleConf consoleEnv ]; + }; + } + + (mkIf (cfg.colors != []) { + boot.kernelParams = [ + "vt.default_red=${makeColor 0 cfg.colors}" + "vt.default_grn=${makeColor 1 cfg.colors}" + "vt.default_blu=${makeColor 2 cfg.colors}" + ]; + }) + + (mkIf cfg.earlySetup { + boot.initrd.extraUtilsCommands = '' + mkdir -p $out/share/consolefonts + ${if substring 0 1 cfg.font == "/" then '' + font="${cfg.font}" + '' else '' + font="$(echo ${consoleEnv}/share/consolefonts/${cfg.font}.*)" + ''} + if [[ $font == *.gz ]]; then + gzip -cd $font > $out/share/consolefonts/font.psf + else + cp -L $font $out/share/consolefonts/font.psf + fi + ''; + }) + ])) + ]; + + imports = [ + (mkRenamedOptionModule [ "i18n" "consoleFont" ] [ "console" "font" ]) + (mkRenamedOptionModule [ "i18n" "consoleKeyMap" ] [ "console" "keyMap" ]) + (mkRenamedOptionModule [ "i18n" "consoleColors" ] [ "console" "colors" ]) + (mkRenamedOptionModule [ "i18n" "consolePackages" ] [ "console" "packages" ]) + (mkRenamedOptionModule [ "i18n" "consoleUseXkbConfig" ] [ "console" "useXkbConfig" ]) + (mkRenamedOptionModule [ "boot" "earlyVconsoleSetup" ] [ "console" "earlySetup" ]) + (mkRenamedOptionModule [ "boot" "extraTTYs" ] [ "console" "extraTTYs" ]) + ]; +} diff --git a/nixpkgs/nixos/modules/config/fonts/fontconfig.nix b/nixpkgs/nixos/modules/config/fonts/fontconfig.nix index 8f227c42326..3bfa1893a8b 100644 --- a/nixpkgs/nixos/modules/config/fonts/fontconfig.nix +++ b/nixpkgs/nixos/modules/config/fonts/fontconfig.nix @@ -264,6 +264,16 @@ let }; in { + imports = [ + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) + (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") + (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "") + (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "") + ]; options = { diff --git a/nixpkgs/nixos/modules/config/fonts/fonts.nix b/nixpkgs/nixos/modules/config/fonts/fonts.nix index abb806b601a..b9bae44b2f9 100644 --- a/nixpkgs/nixos/modules/config/fonts/fonts.nix +++ b/nixpkgs/nixos/modules/config/fonts/fonts.nix @@ -3,6 +3,9 @@ with lib; { + imports = [ + (mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.") + ]; options = { diff --git a/nixpkgs/nixos/modules/config/i18n.nix b/nixpkgs/nixos/modules/config/i18n.nix index d0db8fedecd..cc2ddda9d32 100644 --- a/nixpkgs/nixos/modules/config/i18n.nix +++ b/nixpkgs/nixos/modules/config/i18n.nix @@ -58,62 +58,6 @@ with lib; ''; }; - consolePackages = mkOption { - type = types.listOf types.package; - default = with pkgs.kbdKeymaps; [ dvp neo ]; - defaultText = ''with pkgs.kbdKeymaps; [ dvp neo ]''; - description = '' - List of additional packages that provide console fonts, keymaps and - other resources. - ''; - }; - - consoleFont = mkOption { - type = types.str; - default = "Lat2-Terminus16"; - example = "LatArCyrHeb-16"; - description = '' - The font used for the virtual consoles. Leave empty to use - whatever the <command>setfont</command> program considers the - default font. - ''; - }; - - consoleUseXkbConfig = mkOption { - type = types.bool; - default = false; - description = '' - If set, configure the console keymap from the xserver keyboard - settings. - ''; - }; - - consoleKeyMap = mkOption { - type = with types; either str path; - default = "us"; - example = "fr"; - description = '' - The keyboard mapping table for the virtual consoles. - ''; - }; - - consoleColors = mkOption { - type = types.listOf types.str; - default = []; - example = [ - "002b36" "dc322f" "859900" "b58900" - "268bd2" "d33682" "2aa198" "eee8d5" - "002b36" "cb4b16" "586e75" "657b83" - "839496" "6c71c4" "93a1a1" "fdf6e3" - ]; - description = '' - The 16 colors palette used by the virtual consoles. - Leave empty to use the default colors. - Colors must be in hexadecimal format and listed in - order from color 0 to color 15. - ''; - }; - }; }; @@ -123,13 +67,6 @@ with lib; config = { - i18n.consoleKeyMap = with config.services.xserver; - mkIf config.i18n.consoleUseXkbConfig - (pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } '' - '${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \ - -option '${xkbOptions}' -variant '${xkbVariant}' > "$out" - ''); - environment.systemPackages = optional (config.i18n.supportedLocales != []) config.i18n.glibcLocales; @@ -143,14 +80,11 @@ with lib; }; # ‘/etc/locale.conf’ is used by systemd. - environment.etc = singleton - { target = "locale.conf"; - source = pkgs.writeText "locale.conf" - '' - LANG=${config.i18n.defaultLocale} - ${concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}=${v}'') config.i18n.extraLocaleSettings)} - ''; - }; + environment.etc."locale.conf".source = pkgs.writeText "locale.conf" + '' + LANG=${config.i18n.defaultLocale} + ${concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}=${v}'') config.i18n.extraLocaleSettings)} + ''; }; } diff --git a/nixpkgs/nixos/modules/config/ldap.nix b/nixpkgs/nixos/modules/config/ldap.nix index e008497a2a6..9c8e9d14937 100644 --- a/nixpkgs/nixos/modules/config/ldap.nix +++ b/nixpkgs/nixos/modules/config/ldap.nix @@ -224,7 +224,9 @@ in config = mkIf cfg.enable { - environment.etc = optional (!cfg.daemon.enable) ldapConfig; + environment.etc = optionalAttrs (!cfg.daemon.enable) { + "ldap.conf" = ldapConfig; + }; system.activationScripts = mkIf (!cfg.daemon.enable) { ldap = stringAfter [ "etc" "groups" "users" ] '' diff --git a/nixpkgs/nixos/modules/config/networking.nix b/nixpkgs/nixos/modules/config/networking.nix index a89667ea221..81427bb8ee6 100644 --- a/nixpkgs/nixos/modules/config/networking.nix +++ b/nixpkgs/nixos/modules/config/networking.nix @@ -16,6 +16,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "networking" "hostConf" ] "Use environment.etc.\"host.conf\" instead.") + ]; options = { @@ -41,19 +44,6 @@ in ''; }; - networking.hostConf = lib.mkOption { - type = types.lines; - default = "multi on"; - example = '' - multi on - reorder on - trim lan - ''; - description = '' - The contents of <filename>/etc/host.conf</filename>. See also <citerefentry><refentrytitle>host.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. - ''; - }; - networking.timeServers = mkOption { default = [ "0.nixos.pool.ntp.org" @@ -186,7 +176,9 @@ in ''; # /etc/host.conf: resolver configuration file - "host.conf".text = cfg.hostConf; + "host.conf".text = '' + multi on + ''; } // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") { # /etc/rpc: RPC program numbers. diff --git a/nixpkgs/nixos/modules/config/pulseaudio.nix b/nixpkgs/nixos/modules/config/pulseaudio.nix index 9baad9b5854..048bbb30c73 100644 --- a/nixpkgs/nixos/modules/config/pulseaudio.nix +++ b/nixpkgs/nixos/modules/config/pulseaudio.nix @@ -215,9 +215,8 @@ in { config = mkMerge [ { - environment.etc = singleton { - target = "pulse/client.conf"; - source = clientConf; + environment.etc = { + "pulse/client.conf".source = clientConf; }; hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa"; @@ -228,19 +227,16 @@ in { sound.enable = true; - environment.etc = [ - { target = "asound.conf"; - source = alsaConf; } + environment.etc = { + "asound.conf".source = alsaConf; - { target = "pulse/daemon.conf"; - source = writeText "daemon.conf" (lib.generators.toKeyValue {} cfg.daemon.config); } + "pulse/daemon.conf".source = writeText "daemon.conf" + (lib.generators.toKeyValue {} cfg.daemon.config); - { target = "openal/alsoft.conf"; - source = writeText "alsoft.conf" "drivers=pulse"; } + "openal/alsoft.conf".source = writeText "alsoft.conf" "drivers=pulse"; - { target = "libao.conf"; - source = writeText "libao.conf" "default_driver=pulse"; } - ]; + "libao.conf".source = writeText "libao.conf" "default_driver=pulse"; + }; # Disable flat volumes to enable relative ones hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no"; @@ -275,9 +271,8 @@ in { }) (mkIf nonSystemWide { - environment.etc = singleton { - target = "pulse/default.pa"; - source = myConfigFile; + environment.etc = { + "pulse/default.pa".source = myConfigFile; }; systemd.user = { services.pulseaudio = { diff --git a/nixpkgs/nixos/modules/config/resolvconf.nix b/nixpkgs/nixos/modules/config/resolvconf.nix index 406c6a7ac32..7d2f252a888 100644 --- a/nixpkgs/nixos/modules/config/resolvconf.nix +++ b/nixpkgs/nixos/modules/config/resolvconf.nix @@ -33,6 +33,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ]) + (mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ]) + (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ]) + (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ]) + ]; options = { diff --git a/nixpkgs/nixos/modules/config/swap.nix b/nixpkgs/nixos/modules/config/swap.nix index fed3fa3bc7c..d0fc0d4a3ea 100644 --- a/nixpkgs/nixos/modules/config/swap.nix +++ b/nixpkgs/nixos/modules/config/swap.nix @@ -58,7 +58,7 @@ let device = mkOption { example = "/dev/sda3"; type = types.str; - description = "Path of the device."; + description = "Path of the device or swap file."; }; label = mkOption { diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix index ae3bdeb00e6..141e43fec39 100644 --- a/nixpkgs/nixos/modules/config/users-groups.nix +++ b/nixpkgs/nixos/modules/config/users-groups.nix @@ -403,6 +403,10 @@ let filter types.shellPackage.check shells; in { + imports = [ + (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) + (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/config/xdg/portal.nix b/nixpkgs/nixos/modules/config/xdg/portal.nix index bdbbfda2bb4..95fa8e05fa3 100644 --- a/nixpkgs/nixos/modules/config/xdg/portal.nix +++ b/nixpkgs/nixos/modules/config/xdg/portal.nix @@ -3,6 +3,10 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) + ]; + options.xdg.portal = { enable = mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{ diff --git a/nixpkgs/nixos/modules/hardware/all-firmware.nix b/nixpkgs/nixos/modules/hardware/all-firmware.nix index 534fcc34276..16be8bcfdd7 100644 --- a/nixpkgs/nixos/modules/hardware/all-firmware.nix +++ b/nixpkgs/nixos/modules/hardware/all-firmware.nix @@ -6,6 +6,14 @@ let cfg = config.hardware; in { + imports = [ + (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/hardware/ckb-next.nix b/nixpkgs/nixos/modules/hardware/ckb-next.nix index 20b2756d8b2..fe0ca9f26d5 100644 --- a/nixpkgs/nixos/modules/hardware/ckb-next.nix +++ b/nixpkgs/nixos/modules/hardware/ckb-next.nix @@ -7,6 +7,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ]) + (mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ]) + ]; + options.hardware.ckb-next = { enable = mkEnableOption "the Corsair keyboard/mouse driver"; diff --git a/nixpkgs/nixos/modules/hardware/ksm.nix b/nixpkgs/nixos/modules/hardware/ksm.nix index 99d46c25236..0938dbdc110 100644 --- a/nixpkgs/nixos/modules/hardware/ksm.nix +++ b/nixpkgs/nixos/modules/hardware/ksm.nix @@ -6,6 +6,10 @@ let cfg = config.hardware.ksm; in { + imports = [ + (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) + ]; + options.hardware.ksm = { enable = mkEnableOption "Kernel Same-Page Merging"; sleep = mkOption { diff --git a/nixpkgs/nixos/modules/hardware/opengl.nix b/nixpkgs/nixos/modules/hardware/opengl.nix index 57cac56bd8a..89dc5008df5 100644 --- a/nixpkgs/nixos/modules/hardware/opengl.nix +++ b/nixpkgs/nixos/modules/hardware/opengl.nix @@ -31,6 +31,11 @@ let in { + + imports = [ + (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + ]; + options = { hardware.opengl = { diff --git a/nixpkgs/nixos/modules/hardware/video/nvidia.nix b/nixpkgs/nixos/modules/hardware/video/nvidia.nix index fcb30187fa2..1794bb4b433 100644 --- a/nixpkgs/nixos/modules/hardware/video/nvidia.nix +++ b/nixpkgs/nixos/modules/hardware/video/nvidia.nix @@ -198,10 +198,11 @@ in # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. services.udev.extraRules = '' - KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" - KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" - KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" - KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" + KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" + KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" ''; boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ]; diff --git a/nixpkgs/nixos/modules/i18n/input-method/ibus.nix b/nixpkgs/nixos/modules/i18n/input-method/ibus.nix index 8109ef76c40..a3d97619fc4 100644 --- a/nixpkgs/nixos/modules/i18n/input-method/ibus.nix +++ b/nixpkgs/nixos/modules/i18n/input-method/ibus.nix @@ -27,6 +27,10 @@ let }; in { + imports = [ + (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) + ]; + options = { i18n.inputMethod.ibus = { engines = mkOption { @@ -53,9 +57,17 @@ in config = mkIf (config.i18n.inputMethod.enabled == "ibus") { i18n.inputMethod.package = ibusPackage; + environment.systemPackages = [ + ibusAutostart + ]; + # Without dconf enabled it is impossible to use IBus - environment.systemPackages = with pkgs; [ - gnome3.dconf ibusAutostart + programs.dconf.enable = true; + + programs.dconf.profiles.ibus = "${ibusPackage}/etc/dconf/profile/ibus"; + + services.dbus.packages = [ + ibusAutostart ]; environment.variables = { diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix index 009f1e2c543..11319e5f4f8 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix @@ -603,9 +603,6 @@ in { source = config.system.build.squashfsStore; target = "/nix-store.squashfs"; } - { source = config.isoImage.efiSplashImage; - target = "/EFI/boot/efi-background.png"; - } { source = config.isoImage.splashImage; target = "/isolinux/background.png"; } @@ -630,8 +627,8 @@ in { source = "${efiDir}/EFI"; target = "/EFI"; } - { source = pkgs.writeText "loopback.cfg" "source /EFI/boot/grub.cfg"; - target = "/boot/grub/loopback.cfg"; + { source = (pkgs.writeTextDir "grub/loopback.cfg" "source /EFI/boot/grub.cfg") + "/grub"; + target = "/boot/grub"; } ] ++ optionals (config.boot.loader.grub.memtest86.enable && canx86BiosBoot) [ { source = "${pkgs.memtest86plus}/memtest.bin"; @@ -641,6 +638,10 @@ in { source = config.isoImage.grubTheme; target = "/EFI/boot/grub-theme"; } + ] ++ [ + { source = config.isoImage.efiSplashImage; + target = "/EFI/boot/efi-background.png"; + } ]; boot.loader.timeout = 10; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix index 7865b767f0b..901c60befb6 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix @@ -18,6 +18,7 @@ with lib; let rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({ inherit (config.sdImage) storePaths; + compressImage = true; populateImageCommands = config.sdImage.populateRootCommands; volumeLabel = "NIXOS_SD"; } // optionalAttrs (config.sdImage.rootPartitionUUID != null) { @@ -128,10 +129,11 @@ in sdImage.storePaths = [ config.system.build.toplevel ]; - system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs, mtools, libfaketime, utillinux, bzip2 }: stdenv.mkDerivation { + system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs, + mtools, libfaketime, utillinux, bzip2, zstd }: stdenv.mkDerivation { name = config.sdImage.imageName; - nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux bzip2 ]; + nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux bzip2 zstd ]; inherit (config.sdImage) compressImage; @@ -146,11 +148,14 @@ in echo "file sd-image $img" >> $out/nix-support/hydra-build-products fi + echo "Decompressing rootfs image" + zstd -d --no-progress "${rootfsImage}" -o ./root-fs.img + # Gap in front of the first partition, in MiB gap=8 # Create the image file sized to fit /boot/firmware and /, plus slack for the gap. - rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }') + rootSizeBlocks=$(du -B 512 --apparent-size ./root-fs.img | awk '{ print $1 }') firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512)) imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024)) truncate -s $imageSize $img @@ -168,7 +173,7 @@ in # Copy the rootfs into the SD image eval $(partx $img -o START,SECTORS --nr 2 --pairs) - dd conv=notrunc if=${rootfsImage} of=$img seek=$START count=$SECTORS + dd conv=notrunc if=./root-fs.img of=$img seek=$START count=$SECTORS # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img eval $(partx $img -o START,SECTORS --nr 1 --pairs) diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix index bf8b7deb59e..f2af7dcde3d 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix @@ -122,11 +122,10 @@ in /* fake entry, just to have a happy stage-1. Users may boot without having stage-1 though */ - fileSystems = [ + fileSystems.fake = { mountPoint = "/"; device = "/dev/something"; - } - ]; + }; nixpkgs.config = { packageOverrides = p: { diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 90a5128c02a..8408f56f94f 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -117,11 +117,10 @@ in /* fake entry, just to have a happy stage-1. Users may boot without having stage-1 though */ - fileSystems = [ + fileSystems.fake = { mountPoint = "/"; device = "/dev/something"; - } - ]; + }; services.mingetty = { # Some more help text. diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix index b84096861f5..58098c45535 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix @@ -41,7 +41,7 @@ in # In stage 1 of the boot, mount the CD/DVD as the root FS by label # so that we don't need to know its device. - fileSystems = [ ]; + fileSystems = { }; # boot.initrd.availableKernelModules = [ "mvsdio" "reiserfs" "ext3" "ext4" ]; diff --git a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix index d7149b35d4c..c2f2578733b 100644 --- a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/6chjfy4j6hjwj5f8zcbbdg02i21x1qsi-nix-2.3.1"; - i686-linux = "/nix/store/xa8z7fwszjjm4kiwrxfc8xv9c1pzzm7a-nix-2.3.1"; - aarch64-linux = "/nix/store/8cac1ivcnchlpzmdjby2f71l1fwpnymr-nix-2.3.1"; - x86_64-darwin = "/nix/store/6639l9815ggdnb4aka22qcjy7p8w4hb9-nix-2.3.1"; + x86_64-linux = "/nix/store/0q5qnh10m2sfrriszc1ysmggw659q6qm-nix-2.3.2"; + i686-linux = "/nix/store/i7ad7r5d8a5b3l22hg4a1im2qq05y6vd-nix-2.3.2"; + aarch64-linux = "/nix/store/bv06pavfw0dbqzr8w3l7s71nx27gnxa0-nix-2.3.2"; + x86_64-darwin = "/nix/store/x6mnl1nij7y4v5ihlplr4k937ayr403r-nix-2.3.2"; } diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl index f2ffe61c42c..629c56814a1 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl @@ -335,6 +335,9 @@ if (@swaps) { next unless -e $swapFilename; my $dev = findStableDevPath $swapFilename; if ($swapType =~ "partition") { + # zram devices are more likely created by configuration.nix, so + # ignore them here + next if ($swapFilename =~ /^\/dev\/zram/); push @swapDevices, "{ device = \"$dev\"; }"; } elsif ($swapType =~ "file") { # swap *files* are more likely specified in configuration.nix, so @@ -498,7 +501,7 @@ if (-f $fb_modes_file && -r $fb_modes_file) { my $console_width = $1, my $console_height = $2; if ($console_width > 1920) { push @attrs, "# High-DPI console"; - push @attrs, 'i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";'; + push @attrs, 'console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";'; } } diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-install.sh b/nixpkgs/nixos/modules/installer/tools/nixos-install.sh index 8685cb345e1..a3ff3fe2c0c 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-install.sh +++ b/nixpkgs/nixos/modules/installer/tools/nixos-install.sh @@ -14,6 +14,8 @@ extraBuildFlags=() mountPoint=/mnt channelPath= system= +verbosity=() +buildLogs= while [ "$#" -gt 0 ]; do i="$1"; shift 1 @@ -55,6 +57,12 @@ while [ "$#" -gt 0 ]; do --debug) set -x ;; + -v*|--verbose) + verbosity+=("$i") + ;; + -L|--print-build-logs) + buildLogs="$i" + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -94,7 +102,7 @@ if [[ -z $system ]]; then outLink="$tmpdir/system" nix build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ --extra-substituters "$sub" \ - -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" + -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" ${verbosity[@]} ${buildLogs} system=$(readlink -f $outLink) fi @@ -103,7 +111,7 @@ fi # a progress bar. nix-env --store "$mountPoint" "${extraBuildFlags[@]}" \ --extra-substituters "$sub" \ - -p $mountPoint/nix/var/nix/profiles/system --set "$system" + -p $mountPoint/nix/var/nix/profiles/system --set "$system" ${verbosity[@]} # Copy the NixOS/Nixpkgs sources to the target as the initial contents # of the NixOS channel. @@ -115,7 +123,8 @@ if [[ -z $noChannelCopy ]]; then echo "copying channel..." mkdir -p $mountPoint/nix/var/nix/profiles/per-user/root nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \ - -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet + -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet \ + ${verbosity[@]} install -m 0700 -d $mountPoint/root/.nix-defexpr ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels fi diff --git a/nixpkgs/nixos/modules/misc/documentation.nix b/nixpkgs/nixos/modules/misc/documentation.nix index deecb005270..d09afadd609 100644 --- a/nixpkgs/nixos/modules/misc/documentation.nix +++ b/nixpkgs/nixos/modules/misc/documentation.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, baseModules, extraModules, modules, ... }: +{ config, lib, pkgs, baseModules, extraModules, modules, modulesPath, ... }: with lib; @@ -22,7 +22,10 @@ let scrubbedEval = evalModules { modules = [ { nixpkgs.localSystem = config.nixpkgs.localSystem; } ] ++ manualModules; args = (config._module.args) // { modules = [ ]; }; - specialArgs = { pkgs = scrubDerivations "pkgs" pkgs; }; + specialArgs = { + pkgs = scrubDerivations "pkgs" pkgs; + inherit modulesPath; + }; }; scrubDerivations = namePrefix: pkgSet: mapAttrs (name: value: @@ -67,6 +70,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) + (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) + (mkRenamedOptionModule [ "services" "nixosManual" "enable" ] [ "documentation" "nixos" "enable" ]) + ]; options = { diff --git a/nixpkgs/nixos/modules/misc/ids.nix b/nixpkgs/nixos/modules/misc/ids.nix index f8b188e7b1c..bedd87a368e 100644 --- a/nixpkgs/nixos/modules/misc/ids.nix +++ b/nixpkgs/nixos/modules/misc/ids.nix @@ -80,8 +80,8 @@ in #kdm = 39; # dropped in 17.03 #ghostone = 40; # dropped in 18.03 git = 41; - fourstore = 42; - fourstorehttp = 43; + #fourstore = 42; # dropped in 20.03 + #fourstorehttp = 43; # dropped in 20.03 virtuoso = 44; rtkit = 45; dovecot2 = 46; diff --git a/nixpkgs/nixos/modules/misc/locate.nix b/nixpkgs/nixos/modules/misc/locate.nix index 737ed5c0a3f..552535c253e 100644 --- a/nixpkgs/nixos/modules/misc/locate.nix +++ b/nixpkgs/nixos/modules/misc/locate.nix @@ -7,6 +7,11 @@ let isMLocate = hasPrefix "mlocate" cfg.locate.name; isFindutils = hasPrefix "findutils" cfg.locate.name; in { + imports = [ + (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) + (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) + ]; + options.services.locate = with types; { enable = mkOption { type = bool; diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index 773724ffbd5..0540b493003 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix @@ -10,6 +10,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "system" "nixosVersion" ] [ "system" "nixos" "version" ]) + (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ]) + (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ]) + (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ]) + ]; options.system = { @@ -92,7 +98,7 @@ in VERSION="${cfg.version} (${cfg.codeName})" VERSION_CODENAME=${toLower cfg.codeName} VERSION_ID="${cfg.version}" - PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})" + PRETTY_NAME="NixOS ${cfg.release} (${cfg.codeName})" LOGO="nix-snowflake" HOME_URL="https://nixos.org/" DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html" diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 076e1654818..a6c1d7c5d66 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -11,6 +11,7 @@ ./config/xdg/mime.nix ./config/xdg/portal.nix ./config/appstream.nix + ./config/console.nix ./config/xdg/sounds.nix ./config/gtk/gtk-icon-cache.nix ./config/gnu.nix @@ -94,6 +95,7 @@ ./programs/adb.nix ./programs/atop.nix ./programs/autojump.nix + ./programs/bandwhich.nix ./programs/bash/bash.nix ./programs/bcc.nix ./programs/browserpass.nix @@ -254,8 +256,6 @@ ./services/continuous-integration/jenkins/default.nix ./services/continuous-integration/jenkins/job-builder.nix ./services/continuous-integration/jenkins/slave.nix - ./services/databases/4store-endpoint.nix - ./services/databases/4store.nix ./services/databases/aerospike.nix ./services/databases/cassandra.nix ./services/databases/clickhouse.nix @@ -445,6 +445,7 @@ ./services/misc/logkeys.nix ./services/misc/leaps.nix ./services/misc/lidarr.nix + ./services/misc/mame.nix ./services/misc/mathics.nix ./services/misc/matrix-synapse.nix ./services/misc/mbpfan.nix @@ -558,6 +559,7 @@ ./services/network-filesystems/yandex-disk.nix ./services/network-filesystems/xtreemfs.nix ./services/network-filesystems/ceph.nix + ./services/networking/3proxy.nix ./services/networking/amuled.nix ./services/networking/aria2.nix ./services/networking/asterisk.nix @@ -690,10 +692,13 @@ ./services/networking/skydns.nix ./services/networking/shadowsocks.nix ./services/networking/shairport-sync.nix + ./services/networking/shorewall.nix + ./services/networking/shorewall6.nix ./services/networking/shout.nix ./services/networking/sniproxy.nix ./services/networking/smokeping.nix ./services/networking/softether.nix + ./services/networking/spacecookie.nix ./services/networking/spiped.nix ./services/networking/squid.nix ./services/networking/sslh.nix @@ -722,6 +727,7 @@ ./services/networking/tvheadend.nix ./services/networking/unbound.nix ./services/networking/unifi.nix + ./services/networking/v2ray.nix ./services/networking/vsftpd.nix ./services/networking/wakeonlan.nix ./services/networking/websockify.nix @@ -800,6 +806,7 @@ ./services/web-apps/gotify-server.nix ./services/web-apps/icingaweb2/icingaweb2.nix ./services/web-apps/icingaweb2/module-monitoring.nix + ./services/web-apps/ihatemoney ./services/web-apps/limesurvey.nix ./services/web-apps/mattermost.nix ./services/web-apps/mediawiki.nix @@ -813,6 +820,7 @@ ./services/web-apps/restya-board.nix ./services/web-apps/tt-rss.nix ./services/web-apps/trac.nix + ./services/web-apps/trilium.nix ./services/web-apps/selfoss.nix ./services/web-apps/shiori.nix ./services/web-apps/virtlyst.nix @@ -847,7 +855,7 @@ ./services/x11/extra-layouts.nix ./services/x11/clight.nix ./services/x11/colord.nix - ./services/x11/compton.nix + ./services/x11/picom.nix ./services/x11/unclutter.nix ./services/x11/unclutter-xfixes.nix ./services/x11/desktop-managers/default.nix @@ -867,6 +875,7 @@ ./services/x11/hardware/digimend.nix ./services/x11/hardware/cmt.nix ./services/x11/gdk-pixbuf.nix + ./services/x11/imwheel.nix ./services/x11/redshift.nix ./services/x11/urxvtd.nix ./services/x11/window-managers/awesome.nix @@ -937,7 +946,6 @@ ./tasks/filesystems/vfat.nix ./tasks/filesystems/xfs.nix ./tasks/filesystems/zfs.nix - ./tasks/kbd.nix ./tasks/lvm.nix ./tasks/network-interfaces.nix ./tasks/network-interfaces-systemd.nix diff --git a/nixpkgs/nixos/modules/programs/bandwhich.nix b/nixpkgs/nixos/modules/programs/bandwhich.nix new file mode 100644 index 00000000000..5413044f461 --- /dev/null +++ b/nixpkgs/nixos/modules/programs/bandwhich.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.programs.bandwhich; +in { + meta.maintainers = with maintainers; [ filalex77 ]; + + options = { + programs.bandwhich = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add bandwhich to the global environment and configure a + setcap wrapper for it. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ bandwhich ]; + security.wrappers.bandwhich = { + source = "${pkgs.bandwhich}/bin/bandwhich"; + capabilities = "cap_net_raw,cap_net_admin+ep"; + }; + }; +} diff --git a/nixpkgs/nixos/modules/programs/bash/bash.nix b/nixpkgs/nixos/modules/programs/bash/bash.nix index 548babac38c..366c07c0a35 100644 --- a/nixpkgs/nixos/modules/programs/bash/bash.nix +++ b/nixpkgs/nixos/modules/programs/bash/bash.nix @@ -40,6 +40,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") + ]; + options = { programs.bash = { diff --git a/nixpkgs/nixos/modules/programs/dconf.nix b/nixpkgs/nixos/modules/programs/dconf.nix index eeebc3558bd..6702e8efd1c 100644 --- a/nixpkgs/nixos/modules/programs/dconf.nix +++ b/nixpkgs/nixos/modules/programs/dconf.nix @@ -6,7 +6,10 @@ let cfg = config.programs.dconf; mkDconfProfile = name: path: - { source = path; target = "dconf/profile/${name}"; }; + { + name = "dconf/profile/${name}"; + value.source = path; + }; in { @@ -29,16 +32,16 @@ in ###### implementation config = mkIf (cfg.profiles != {} || cfg.enable) { - environment.etc = optionals (cfg.profiles != {}) - (mapAttrsToList mkDconfProfile cfg.profiles); + environment.etc = optionalAttrs (cfg.profiles != {}) + (mapAttrs' mkDconfProfile cfg.profiles); - services.dbus.packages = [ pkgs.gnome3.dconf ]; + services.dbus.packages = [ pkgs.dconf ]; # For dconf executable - environment.systemPackages = [ pkgs.gnome3.dconf ]; + environment.systemPackages = [ pkgs.dconf ]; # Needed for unwrapped applications - environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ]; + environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ]; }; } diff --git a/nixpkgs/nixos/modules/programs/nm-applet.nix b/nixpkgs/nixos/modules/programs/nm-applet.nix index e42219e9638..1b806071c43 100644 --- a/nixpkgs/nixos/modules/programs/nm-applet.nix +++ b/nixpkgs/nixos/modules/programs/nm-applet.nix @@ -10,5 +10,7 @@ partOf = [ "graphical-session.target" ]; serviceConfig.ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet"; }; + + services.dbus.packages = [ pkgs.gcr ]; }; } diff --git a/nixpkgs/nixos/modules/programs/oblogout.nix b/nixpkgs/nixos/modules/programs/oblogout.nix index 720c29b1eae..a039b0623b5 100644 --- a/nixpkgs/nixos/modules/programs/oblogout.nix +++ b/nixpkgs/nixos/modules/programs/oblogout.nix @@ -1,176 +1,11 @@ -# Global configuration for oblogout. - { config, lib, pkgs, ... }: with lib; -let cfg = config.programs.oblogout; - -in { - ###### interface - - options = { - - programs.oblogout = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to install OBLogout and create <filename>/etc/oblogout.conf</filename>. - See <filename>${pkgs.oblogout}/share/doc/README</filename>. - ''; - }; - - opacity = mkOption { - type = types.int; - default = 70; - description = '' - Opacity percentage of Cairo rendered backgrounds. - ''; - }; - - bgcolor = mkOption { - type = types.str; - default = "black"; - description = '' - Colour name or hex code (#ffffff) of the background color. - ''; - }; - - buttontheme = mkOption { - type = types.str; - default = "simplistic"; - description = '' - Icon theme for the buttons, must be in the themes folder of - the package, or in - <filename>~/.themes/<name>/oblogout/</filename>. - ''; - }; - - buttons = mkOption { - type = types.str; - default = "cancel, logout, restart, shutdown, suspend, hibernate"; - description = '' - List and order of buttons to show. - ''; - }; - - cancel = mkOption { - type = types.str; - default = "Escape"; - description = '' - Cancel logout/shutdown shortcut. - ''; - }; - - shutdown = mkOption { - type = types.str; - default = "S"; - description = '' - Shutdown shortcut. - ''; - }; - - restart = mkOption { - type = types.str; - default = "R"; - description = '' - Restart shortcut. - ''; - }; - - suspend = mkOption { - type = types.str; - default = "U"; - description = '' - Suspend shortcut. - ''; - }; - - logout = mkOption { - type = types.str; - default = "L"; - description = '' - Logout shortcut. - ''; - }; - - lock = mkOption { - type = types.str; - default = "K"; - description = '' - Lock session shortcut. - ''; - }; - - hibernate = mkOption { - type = types.str; - default = "H"; - description = '' - Hibernate shortcut. - ''; - }; - - clogout = mkOption { - type = types.str; - default = "openbox --exit"; - description = '' - Command to logout. - ''; - }; - - clock = mkOption { - type = types.str; - default = ""; - description = '' - Command to lock screen. - ''; - }; - - cswitchuser = mkOption { - type = types.str; - default = ""; - description = '' - Command to switch user. - ''; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.oblogout ]; - - environment.etc."oblogout.conf".text = '' - [settings] - usehal = false - - [looks] - opacity = ${toString cfg.opacity} - bgcolor = ${cfg.bgcolor} - buttontheme = ${cfg.buttontheme} - buttons = ${cfg.buttons} - [shortcuts] - cancel = ${cfg.cancel} - shutdown = ${cfg.shutdown} - restart = ${cfg.restart} - suspend = ${cfg.suspend} - logout = ${cfg.logout} - lock = ${cfg.lock} - hibernate = ${cfg.hibernate} + imports = [ + (mkRemovedOptionModule [ "programs" "oblogout" ] "programs.oblogout has been removed from NixOS. This is because the oblogout repository has been archived upstream.") + ]; - [commands] - shutdown = systemctl poweroff - restart = systemctl reboot - suspend = systemctl suspend - hibernate = systemctl hibernate - logout = ${cfg.clogout} - lock = ${cfg.clock} - switchuser = ${cfg.cswitchuser} - ''; - }; } diff --git a/nixpkgs/nixos/modules/programs/screen.nix b/nixpkgs/nixos/modules/programs/screen.nix index 4fd800dbae7..728a0eb8cea 100644 --- a/nixpkgs/nixos/modules/programs/screen.nix +++ b/nixpkgs/nixos/modules/programs/screen.nix @@ -27,6 +27,7 @@ in environment.etc.screenrc.text = cfg.screenrc; environment.systemPackages = [ pkgs.screen ]; + security.pam.services.screen = {}; }; } diff --git a/nixpkgs/nixos/modules/programs/shadow.nix b/nixpkgs/nixos/modules/programs/shadow.nix index 7eaf79d864e..fc352795c01 100644 --- a/nixpkgs/nixos/modules/programs/shadow.nix +++ b/nixpkgs/nixos/modules/programs/shadow.nix @@ -76,22 +76,18 @@ in config.users.defaultUserShell; environment.etc = - [ { # /etc/login.defs: global configuration for pwdutils. You - # cannot login without it! - source = pkgs.writeText "login.defs" loginDefs; - target = "login.defs"; - } - - { # /etc/default/useradd: configuration for useradd. - source = pkgs.writeText "useradd" - '' - GROUP=100 - HOME=/home - SHELL=${utils.toShellPath config.users.defaultUserShell} - ''; - target = "default/useradd"; - } - ]; + { # /etc/login.defs: global configuration for pwdutils. You + # cannot login without it! + "login.defs".source = pkgs.writeText "login.defs" loginDefs; + + # /etc/default/useradd: configuration for useradd. + "default/useradd".source = pkgs.writeText "useradd" + '' + GROUP=100 + HOME=/home + SHELL=${utils.toShellPath config.users.defaultUserShell} + ''; + }; security.pam.services = { chsh = { rootOK = true; }; diff --git a/nixpkgs/nixos/modules/programs/ssmtp.nix b/nixpkgs/nixos/modules/programs/ssmtp.nix index e45748af205..f794eac8af0 100644 --- a/nixpkgs/nixos/modules/programs/ssmtp.nix +++ b/nixpkgs/nixos/modules/programs/ssmtp.nix @@ -13,6 +13,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ]) + (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ]) + ]; + options = { services.ssmtp = { diff --git a/nixpkgs/nixos/modules/programs/sway.nix b/nixpkgs/nixos/modules/programs/sway.nix index f92d09a7ef4..e2a4018e902 100644 --- a/nixpkgs/nixos/modules/programs/sway.nix +++ b/nixpkgs/nixos/modules/programs/sway.nix @@ -4,26 +4,32 @@ with lib; let cfg = config.programs.sway; - swayPackage = pkgs.sway; - swayWrapped = pkgs.writeShellScriptBin "sway" '' - set -o errexit - - if [ ! "$_SWAY_WRAPPER_ALREADY_EXECUTED" ]; then - export _SWAY_WRAPPER_ALREADY_EXECUTED=1 - ${cfg.extraSessionCommands} - fi + wrapperOptions = types.submodule { + options = + let + mkWrapperFeature = default: description: mkOption { + type = types.bool; + inherit default; + example = !default; + description = "Whether to make use of the ${description}"; + }; + in { + base = mkWrapperFeature true '' + base wrapper to execute extra session commands and prepend a + dbus-run-session to the sway command. + ''; + gtk = mkWrapperFeature false '' + wrapGAppsHook wrapper to execute sway with required environment + variables for GTK applications. + ''; + }; + }; - if [ "$DBUS_SESSION_BUS_ADDRESS" ]; then - export DBUS_SESSION_BUS_ADDRESS - exec ${swayPackage}/bin/sway "$@" - else - exec ${pkgs.dbus}/bin/dbus-run-session ${swayPackage}/bin/sway "$@" - fi - ''; - swayJoined = pkgs.symlinkJoin { - name = "sway-joined"; - paths = [ swayWrapped swayPackage ]; + swayPackage = pkgs.sway.override { + extraSessionCommands = cfg.extraSessionCommands; + withBaseWrapper = cfg.wrapperFeatures.base; + withGtkWrapper = cfg.wrapperFeatures.gtk; }; in { options.programs.sway = { @@ -35,6 +41,15 @@ in { Please have a look at the "extraSessionCommands" example for running programs natively under Wayland''; + wrapperFeatures = mkOption { + type = wrapperOptions; + default = { }; + example = { gtk = true; }; + description = '' + Attribute set of features to enable in the wrapper. + ''; + }; + extraSessionCommands = mkOption { type = types.lines; default = ""; @@ -55,7 +70,7 @@ in { extraPackages = mkOption { type = with types; listOf package; default = with pkgs; [ - swaylock swayidle swaybg + swaylock swayidle xwayland rxvt_unicode dmenu ]; defaultText = literalExample '' @@ -75,8 +90,17 @@ in { }; config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.extraSessionCommands != "" -> cfg.wrapperFeatures.base; + message = '' + The extraSessionCommands for Sway will not be run if + wrapperFeatures.base is disabled. + ''; + } + ]; environment = { - systemPackages = [ swayJoined ] ++ cfg.extraPackages; + systemPackages = [ swayPackage ] ++ cfg.extraPackages; etc = { "sway/config".source = mkOptionDefault "${swayPackage}/etc/sway/config"; #"sway/security.d".source = mkOptionDefault "${swayPackage}/etc/sway/security.d/"; @@ -87,6 +111,8 @@ in { hardware.opengl.enable = mkDefault true; fonts.enableDefaultFonts = mkDefault true; programs.dconf.enable = mkDefault true; + # To make a Sway session available if a display manager like SDDM is enabled: + services.xserver.displayManager.sessionPackages = [ swayPackage ]; }; meta.maintainers = with lib.maintainers; [ gnidorah primeos colemickens ]; diff --git a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix index f4df4e983e4..932a780a356 100644 --- a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix +++ b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix @@ -29,6 +29,13 @@ let in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) + ]; + options = { programs.zsh.ohMyZsh = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix index ded17f38a61..037888fdc5a 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix @@ -6,6 +6,10 @@ let cfg = config.programs.zsh.autosuggestions; in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) + ]; + options.programs.zsh.autosuggestions = { enable = mkEnableOption "zsh-autosuggestions"; diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix index c84d26a7921..927a904369d 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix @@ -6,6 +6,13 @@ let cfg = config.programs.zsh.syntaxHighlighting; in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) + ]; + options = { programs.zsh.syntaxHighlighting = { enable = mkEnableOption "zsh-syntax-highlighting"; diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix index e392fef54dd..7109ab5a109 100644 --- a/nixpkgs/nixos/modules/rename.nix +++ b/nixpkgs/nixos/modules/rename.nix @@ -4,313 +4,30 @@ with lib; { imports = [ - (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) - (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ]) - (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ]) - (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ]) - (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] - (config: - let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; - in if enabled then [ pkgs.gutenprint ] else [ ])) - (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] - (config: - let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; - in if value != "" then [ value ] else [])) - (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") - (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) - (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"]) - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) - (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") - (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ]) - (mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ]) - (mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ]) - (mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ]) - (mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.") - (mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.") - (mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "configFile" ] "The configuration of nzbget is now managed by users through the web interface.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "dataDir" ] "The data directory for nzbget is now /var/lib/nzbget.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' - Due to incompatibility, the alertmanagerURL option has been removed, - please use 'services.prometheus2.alertmanagers' instead. - '') - (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) - (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) - (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) - (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) + /* + This file defines some renaming/removing options for backwards compatibility - (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ]) - (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") - - (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) - - (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead") - - (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") - (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") - - (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - - # PAM - (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) - - # rmilter/rspamd - (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service") - - # Xsession script - (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) - (mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ]) - - # Old Grub-related options. - (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ]) - (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ]) - - # OpenSSH - (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ]) - (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]) - - # libvirtd - (mkRemovedOptionModule [ "virtualisation" "libvirtd" "enableKVM" ] - "Set the option `virtualisation.libvirtd.qemuPackage' instead.") - - # ibus - (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) - - # sandboxing - (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) - (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) - - (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + It should ONLY be used when the relevant module can't define these imports + itself, such as when the module was removed completely. + See https://github.com/NixOS/nixpkgs/pull/61570 for explanation + */ + # This alias module can't be where _module.check is defined because it would + # be added to submodules as well there (mkAliasOptionModule [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ]) - # opendkim - (mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ]) - - # Enlightenment - (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ]) - - # Iodine - (mkRenamedOptionModule [ "services" "iodined" "enable" ] [ "services" "iodine" "server" "enable" ]) - (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ]) - (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ]) - (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) - (mkRemovedOptionModule [ "services" "iodined" "client" ] "") - - # Unity3D - (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) - - # murmur - (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ]) - (mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now") - - # parsoid - (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead") - - # plexpy / tautulli - (mkRenamedOptionModule [ "services" "plexpy" ] [ "services" "tautulli" ]) - - # piwik was renamed to matomo - (mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ]) - (mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ]) - (mkRemovedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") - (mkRemovedOptionModule [ "services" "matomo" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") - (mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ]) - - # tarsnap - (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir") - - # alsa - (mkRenamedOptionModule [ "sound" "enableMediaKeys" ] [ "sound" "mediaKeys" "enable" ]) - - # postgrey - (mkMergedOptionModule [ [ "services" "postgrey" "inetAddr" ] [ "services" "postgrey" "inetPort" ] ] [ "services" "postgrey" "socket" ] (config: let - value = p: getAttrFromPath p config; - inetAddr = [ "services" "postgrey" "inetAddr" ]; - inetPort = [ "services" "postgrey" "inetPort" ]; - in - if value inetAddr == null - then { path = "/run/postgrey.sock"; } - else { addr = value inetAddr; port = value inetPort; } - )) - - # dhcpd - (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) - - # locate - (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) - (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) - - # nfs - (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) - (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) - - # KDE Plasma 5 - (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ]) - - # Fontconfig - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) - - # postgresqlBackup - (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' - A systemd timer is now used instead of cron. - The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. - '') - - # phpfpm - (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") - - # zabbixServer - (mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ]) - - # Profile splitting - (mkRenamedOptionModule [ "virtualisation" "growPartition" ] [ "boot" "growPartition" ]) - - # misc/version.nix - (mkRenamedOptionModule [ "system" "nixosVersion" ] [ "system" "nixos" "version" ]) - (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ]) - (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ]) - (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ]) - - # Users - (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) - (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) - - # Options that are obsolete and have no replacement. - (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") - (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") - (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "") - (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "") - (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "") - (mkRemovedOptionModule [ "ec2" "metadata" ] "") - (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "") - (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "") - (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "") - (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.") - (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") - (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ] - "See the 16.09 release notes for more information.") - (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") - (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + # Completely removed modules (mkRemovedOptionModule [ "services" "firefox" "syncserver" "user" ] "") (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") - (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] - "Set the option `services.xserver.displayManager.sddm.package' instead.") - (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "xfce" "screenLock" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "") - (mkRemovedOptionModule [ "virtualisation" "xen" "qemu" ] "You don't need this option anymore, it will work without it.") - (mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash") - (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.") - (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd") - (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") - (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") - (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") - (mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.") (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.") - - # ZSH - (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) - - (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) - - # Xen - (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) - - (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) - (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) - (mkRenamedOptionModule [ "services" "nixosManual" "enable" ] [ "documentation" "nixos" "enable" ]) - - # ckb - (mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ]) - (mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ]) - - # binfmt - (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) - - # ACME - (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") - (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - - # KSM - (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) - - # resolvconf - (mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ]) - (mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ]) - (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ]) - (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ]) - - # BLCR (mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed") - - # beegfs (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed") (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed") - - # osquery (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed") + (mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed") + (mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed") - # Redis - (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") - (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") - (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") - (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") - (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") - - ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" - "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" - "snmpExporter" "unifiExporter" "varnishExporter" ] - (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' - The prometheus exporters are now configured using `services.prometheus.exporters'. - See the 18.03 release notes for more information. - '' )) - - ++ (forEach [ "enable" "substitutions" "preset" ] - (opt: mkRemovedOptionModule [ "fonts" "fontconfig" "ultimate" "${opt}" ] '' - The fonts.fontconfig.ultimate module and configuration is obsolete. - The repository has since been archived and activity has ceased. - https://github.com/bohoomil/fontconfig-ultimate/issues/171. - No action should be needed for font configuration, as the fonts.fontconfig - module is already used by default. - '' )); + # Do NOT add any option renames here, see top of the file + ]; } diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix index 9563029f030..890c421b0ea 100644 --- a/nixpkgs/nixos/modules/security/acme.nix +++ b/nixpkgs/nixos/modules/security/acme.nix @@ -127,6 +127,9 @@ in "https://acme-staging-v02.api.letsencrypt.org/directory". '' ) + (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") + (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") + (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") ]; options = { security.acme = { @@ -238,9 +241,9 @@ in StateDirectoryMode = rights; WorkingDirectory = "/var/lib/${lpath}"; ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}"; - ExecStopPost = + ExecStartPost = let - script = pkgs.writeScript "acme-post-stop" '' + script = pkgs.writeScript "acme-post-start" '' #!${pkgs.runtimeShell} -e ${data.postRun} ''; diff --git a/nixpkgs/nixos/modules/security/apparmor-suid.nix b/nixpkgs/nixos/modules/security/apparmor-suid.nix index 498c2f25d1c..3c93f5440ab 100644 --- a/nixpkgs/nixos/modules/security/apparmor-suid.nix +++ b/nixpkgs/nixos/modules/security/apparmor-suid.nix @@ -4,6 +4,9 @@ let in with lib; { + imports = [ + (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; options.security.apparmor.confineSUIDApplications = mkOption { default = true; diff --git a/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix index 2255477f26e..b83dbc4202a 100644 --- a/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix @@ -7,6 +7,10 @@ let sandbox = pkgs.chromium.sandbox; in { + imports = [ + (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) + ]; + options.security.chromiumSuidSandbox.enable = mkOption { type = types.bool; default = false; diff --git a/nixpkgs/nixos/modules/security/duosec.nix b/nixpkgs/nixos/modules/security/duosec.nix index 997328ad9e6..78a82b7154e 100644 --- a/nixpkgs/nixos/modules/security/duosec.nix +++ b/nixpkgs/nixos/modules/security/duosec.nix @@ -25,19 +25,21 @@ let accept_env_factor=${boolToStr cfg.acceptEnvFactor} ''; - loginCfgFile = optional cfg.ssh.enable - { source = pkgs.writeText "login_duo.conf" configFileLogin; - mode = "0600"; - user = "sshd"; - target = "duo/login_duo.conf"; - }; + loginCfgFile = optionalAttrs cfg.ssh.enable { + "duo/login_duo.conf" = + { source = pkgs.writeText "login_duo.conf" configFileLogin; + mode = "0600"; + user = "sshd"; + }; + }; - pamCfgFile = optional cfg.pam.enable - { source = pkgs.writeText "pam_duo.conf" configFilePam; - mode = "0600"; - user = "sshd"; - target = "duo/pam_duo.conf"; - }; + pamCfgFile = optional cfg.pam.enable { + "duo/pam_duo.conf" = + { source = pkgs.writeText "pam_duo.conf" configFilePam; + mode = "0600"; + user = "sshd"; + }; + }; in { options = { @@ -186,7 +188,7 @@ in environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; - environment.etc = loginCfgFile ++ pamCfgFile; + environment.etc = loginCfgFile // pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. If PAM isn't used, set the default SSH-only options. */ diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix index 11227354ad3..bfc2a881387 100644 --- a/nixpkgs/nixos/modules/security/pam.nix +++ b/nixpkgs/nixos/modules/security/pam.nix @@ -475,15 +475,19 @@ let motd = pkgs.writeText "motd" config.users.motd; - makePAMService = pamService: - { source = pkgs.writeText "${pamService.name}.pam" pamService.text; - target = "pam.d/${pamService.name}"; + makePAMService = name: service: + { name = "pam.d/${name}"; + value.source = pkgs.writeText "${name}.pam" service.text; }; in { + imports = [ + (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) + ]; + ###### interface options = { @@ -707,7 +711,7 @@ in Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further - details on how to configure offline Challenge-Response validation. + details on how to configure offline Challenge-Response validation. More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>. @@ -756,8 +760,7 @@ in }; }; - environment.etc = - mapAttrsToList (n: v: makePAMService v) config.security.pam.services; + environment.etc = mapAttrs' makePAMService config.security.pam.services; security.pam.services = { other.text = @@ -773,11 +776,8 @@ in ''; # Most of these should be moved to specific modules. - cups = {}; - ftp = {}; i3lock = {}; i3lock-color = {}; - screen = {}; vlock = {}; xlock = {}; xscreensaver = {}; diff --git a/nixpkgs/nixos/modules/security/pam_mount.nix b/nixpkgs/nixos/modules/security/pam_mount.nix index 75f58462d13..77e22a96b55 100644 --- a/nixpkgs/nixos/modules/security/pam_mount.nix +++ b/nixpkgs/nixos/modules/security/pam_mount.nix @@ -36,8 +36,7 @@ in config = mkIf (cfg.enable || anyPamMount) { environment.systemPackages = [ pkgs.pam_mount ]; - environment.etc = [{ - target = "security/pam_mount.conf.xml"; + environment.etc."security/pam_mount.conf.xml" = { source = let extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null) config.users.users; @@ -66,7 +65,7 @@ in ${concatStringsSep "\n" cfg.extraVolumes} </pam_mount> ''; - }]; + }; }; } diff --git a/nixpkgs/nixos/modules/security/polkit.nix b/nixpkgs/nixos/modules/security/polkit.nix index f2b2df4004c..a6724bd7583 100644 --- a/nixpkgs/nixos/modules/security/polkit.nix +++ b/nixpkgs/nixos/modules/security/polkit.nix @@ -42,15 +42,14 @@ in security.polkit.adminIdentities = mkOption { type = types.listOf types.str; - default = [ "unix-user:0" "unix-group:wheel" ]; + default = [ "unix-group:wheel" ]; example = [ "unix-user:alice" "unix-group:admin" ]; description = '' Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an <literal>auth_admin</literal> - value). By default, this is the <literal>root</literal> - user and all users in the <literal>wheel</literal> group. + value). By default, this is all users in the <literal>wheel</literal> group. ''; }; diff --git a/nixpkgs/nixos/modules/security/rtkit.nix b/nixpkgs/nixos/modules/security/rtkit.nix index f6dda21c600..a7b27cbcf21 100644 --- a/nixpkgs/nixos/modules/security/rtkit.nix +++ b/nixpkgs/nixos/modules/security/rtkit.nix @@ -34,9 +34,8 @@ with lib; services.dbus.packages = [ pkgs.rtkit ]; - users.users = singleton - { name = "rtkit"; - uid = config.ids.uids.rtkit; + users.users.rtkit = + { uid = config.ids.uids.rtkit; description = "RealtimeKit daemon"; }; diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix index 10ee036be84..d899806ef05 100644 --- a/nixpkgs/nixos/modules/security/sudo.nix +++ b/nixpkgs/nixos/modules/security/sudo.nix @@ -212,7 +212,7 @@ in security.pam.services.sudo = { sshAgentAuth = true; }; - environment.etc = singleton + environment.etc.sudoers = { source = pkgs.runCommand "sudoers" { @@ -222,7 +222,6 @@ in # Make sure that the sudoers file is syntactically valid. # (currently disabled - NIXOS-66) "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out"; - target = "sudoers"; mode = "0440"; }; diff --git a/nixpkgs/nixos/modules/security/wrappers/default.nix b/nixpkgs/nixos/modules/security/wrappers/default.nix index 47738e7962e..a0fadb018ec 100644 --- a/nixpkgs/nixos/modules/security/wrappers/default.nix +++ b/nixpkgs/nixos/modules/security/wrappers/default.nix @@ -94,6 +94,10 @@ let ) programs; in { + imports = [ + (lib.mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") + (lib.mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/admin/oxidized.nix b/nixpkgs/nixos/modules/services/admin/oxidized.nix index da81be3f23e..94b44630ba6 100644 --- a/nixpkgs/nixos/modules/services/admin/oxidized.nix +++ b/nixpkgs/nixos/modules/services/admin/oxidized.nix @@ -111,6 +111,7 @@ in Restart = "always"; WorkingDirectory = cfg.dataDir; KillSignal = "SIGKILL"; + PIDFile = "${cfg.dataDir}/.config/oxidized/pid"; }; }; }; diff --git a/nixpkgs/nixos/modules/services/audio/alsa.nix b/nixpkgs/nixos/modules/services/audio/alsa.nix index f632644af09..990398e6546 100644 --- a/nixpkgs/nixos/modules/services/audio/alsa.nix +++ b/nixpkgs/nixos/modules/services/audio/alsa.nix @@ -12,6 +12,9 @@ let in { + imports = [ + (mkRenamedOptionModule [ "sound" "enableMediaKeys" ] [ "sound" "mediaKeys" "enable" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/audio/mpd.nix b/nixpkgs/nixos/modules/services/audio/mpd.nix index 7932d094197..e20591b5beb 100644 --- a/nixpkgs/nixos/modules/services/audio/mpd.nix +++ b/nixpkgs/nixos/modules/services/audio/mpd.nix @@ -184,19 +184,19 @@ in { }; }; - users.users = optionalAttrs (cfg.user == name) (singleton { - inherit uid; - inherit name; - group = cfg.group; - extraGroups = [ "audio" ]; - description = "Music Player Daemon user"; - home = "${cfg.dataDir}"; - }); - - users.groups = optionalAttrs (cfg.group == name) (singleton { - inherit name; - gid = gid; - }); + users.users = optionalAttrs (cfg.user == name) { + ${name} = { + inherit uid; + group = cfg.group; + extraGroups = [ "audio" ]; + description = "Music Player Daemon user"; + home = "${cfg.dataDir}"; + }; + }; + + users.groups = optionalAttrs (cfg.group == name) { + ${name}.gid = gid; + }; }; } diff --git a/nixpkgs/nixos/modules/services/backup/bacula.nix b/nixpkgs/nixos/modules/services/backup/bacula.nix index 41bda7893a7..cef304734ae 100644 --- a/nixpkgs/nixos/modules/services/backup/bacula.nix +++ b/nixpkgs/nixos/modules/services/backup/bacula.nix @@ -44,7 +44,17 @@ let Pid Directory = "/run"; ${sd_cfg.extraStorageConfig} } - + + ${concatStringsSep "\n" (mapAttrsToList (name: value: '' + Autochanger { + Name = "${name}"; + Device = ${concatStringsSep ", " (map (a: "\"${a}\"") value.devices)}; + Changer Device = "${value.changerDevice}"; + Changer Command = "${value.changerCommand}"; + ${value.extraAutochangerConfig} + } + '') sd_cfg.autochanger)} + ${concatStringsSep "\n" (mapAttrsToList (name: value: '' Device { Name = "${name}"; @@ -103,7 +113,19 @@ let password = mkOption { # TODO: required? description = '' - Specifies the password that must be supplied for a Director to b + Specifies the password that must be supplied for the default Bacula + Console to be authorized. The same password must appear in the + Director resource of the Console configuration file. For added + security, the password is never passed across the network but instead + a challenge response hash code created with the password. This + directive is required. If you have either /dev/random or bc on your + machine, Bacula will generate a random password during the + configuration process, otherwise it will be left blank and you must + manually supply it. + + The password is plain text. It is not generated through any special + process but as noted above, it is better to use random text for + security reasons. ''; }; @@ -111,26 +133,133 @@ let default = "no"; example = "yes"; description = '' - If Monitor is set to no (default), this director will have full + If Monitor is set to <literal>no</literal>, this director will have + full access to this Storage daemon. If Monitor is set to + <literal>yes</literal>, this director will only be able to fetch the + current status of this Storage daemon. + + Please note that if this director is being used by a Monitor, we + highly recommend to set this directive to yes to avoid serious + security problems. + ''; + }; + }; + }; + + autochangerOptions = {...}: + { + options = { + changerDevice = mkOption { + description = '' + The specified name-string must be the generic SCSI device name of the + autochanger that corresponds to the normal read/write Archive Device + specified in the Device resource. This generic SCSI device name + should be specified if you have an autochanger or if you have a + standard tape drive and want to use the Alert Command (see below). + For example, on Linux systems, for an Archive Device name of + <literal>/dev/nst0</literal>, you would specify + <literal>/dev/sg0</literal> for the Changer Device name. Depending + on your exact configuration, and the number of autochangers or the + type of autochanger, what you specify here can vary. This directive + is optional. See the Using AutochangersAutochangersChapter chapter of + this manual for more details of using this and the following + autochanger directives. + ''; + }; + + changerCommand = mkOption { + description = '' + The name-string specifies an external program to be called that will + automatically change volumes as required by Bacula. Normally, this + directive will be specified only in the AutoChanger resource, which + is then used for all devices. However, you may also specify the + different Changer Command in each Device resource. Most frequently, + you will specify the Bacula supplied mtx-changer script as follows: + + <literal>"/path/mtx-changer %c %o %S %a %d"</literal> + + and you will install the mtx on your system (found in the depkgs + release). An example of this command is in the default bacula-sd.conf + file. For more details on the substitution characters that may be + specified to configure your autochanger please see the + AutochangersAutochangersChapter chapter of this manual. For FreeBSD + users, you might want to see one of the several chio scripts in + examples/autochangers. + ''; + default = "/etc/bacula/mtx-changer %c %o %S %a %d"; + }; + + devices = mkOption { + description = '' + ''; + }; + + extraAutochangerConfig = mkOption { + default = ""; + description = '' + Extra configuration to be passed in Autochanger directive. + ''; + example = '' + ''; }; }; }; + deviceOptions = {...}: { options = { archiveDevice = mkOption { # TODO: required? description = '' - The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for example " /dev/nst0" or "/dev/rmt/0mbn". For a DVD-writer, it will be for example /dev/hdc. It may also be a directory name if you are archiving to disk storage. + The specified name-string gives the system file name of the storage + device managed by this storage daemon. This will usually be the + device file name of a removable storage device (tape drive), for + example <literal>/dev/nst0</literal> or + <literal>/dev/rmt/0mbn</literal>. For a DVD-writer, it will be for + example <literal>/dev/hdc</literal>. It may also be a directory name + if you are archiving to disk storage. In this case, you must supply + the full absolute path to the directory. When specifying a tape + device, it is preferable that the "non-rewind" variant of the device + file name be given. ''; }; mediaType = mkOption { # TODO: required? description = '' - The specified name-string names the type of media supported by this device, for example, "DLT7000". Media type names are arbitrary in that you set them to anything you want, but they must be known to the volume database to keep track of which storage daemons can read which volumes. In general, each different storage type should have a unique Media Type associated with it. The same name-string must appear in the appropriate Storage resource definition in the Director's configuration file. + The specified name-string names the type of media supported by this + device, for example, <literal>DLT7000</literal>. Media type names are + arbitrary in that you set them to anything you want, but they must be + known to the volume database to keep track of which storage daemons + can read which volumes. In general, each different storage type + should have a unique Media Type associated with it. The same + name-string must appear in the appropriate Storage resource + definition in the Director's configuration file. + + Even though the names you assign are arbitrary (i.e. you choose the + name you want), you should take care in specifying them because the + Media Type is used to determine which storage device Bacula will + select during restore. Thus you should probably use the same Media + Type specification for all drives where the Media can be freely + interchanged. This is not generally an issue if you have a single + Storage daemon, but it is with multiple Storage daemons, especially + if they have incompatible media. + + For example, if you specify a Media Type of <literal>DDS-4</literal> + then during the restore, Bacula will be able to choose any Storage + Daemon that handles <literal>DDS-4</literal>. If you have an + autochanger, you might want to name the Media Type in a way that is + unique to the autochanger, unless you wish to possibly use the + Volumes in other drives. You should also ensure to have unique Media + Type names if the Media is not compatible between drives. This + specification is required for all devices. + + In addition, if you are using disk storage, each Device resource will + generally have a different mount point or directory. In order for + Bacula to select the correct Device resource, each one must have a + unique Media Type. ''; }; @@ -166,8 +295,8 @@ in { default = "${config.networking.hostName}-fd"; description = '' The client name that must be used by the Director when connecting. - Generally, it is a good idea to use a name related to the machine - so that error messages can be easily identified if you have multiple + Generally, it is a good idea to use a name related to the machine so + that error messages can be easily identified if you have multiple Clients. This directive is required. ''; }; @@ -232,7 +361,8 @@ in { default = 9103; type = types.int; description = '' - Specifies port number on which the Storage daemon listens for Director connections. The default is 9103. + Specifies port number on which the Storage daemon listens for + Director connections. ''; }; @@ -251,7 +381,15 @@ in { ''; type = with types; attrsOf (submodule deviceOptions); }; - + + autochanger = mkOption { + default = {}; + description = '' + This option defines Autochanger resources in Bacula Storage Daemon. + ''; + type = with types; attrsOf (submodule autochangerOptions); + }; + extraStorageConfig = mkOption { default = ""; description = '' @@ -287,7 +425,8 @@ in { name = mkOption { default = "${config.networking.hostName}-dir"; description = '' - The director name used by the system administrator. This directive is required. + The director name used by the system administrator. This directive is + required. ''; }; @@ -295,7 +434,12 @@ in { default = 9101; type = types.int; description = '' - Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify DirAddresses (N.B plural) directive. + Specify the port (a positive integer) on which the Director daemon + will listen for Bacula Console connections. This same port number + must be specified in the Director resource of the Console + configuration file. The default is 9101, so normally this directive + need not be specified. This directive should not be used if you + specify DirAddresses (N.B plural) directive. ''; }; diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.nix b/nixpkgs/nixos/modules/services/backup/borgbackup.nix index 10d42325a6b..a2eb80c55a8 100644 --- a/nixpkgs/nixos/modules/services/backup/borgbackup.nix +++ b/nixpkgs/nixos/modules/services/backup/borgbackup.nix @@ -68,7 +68,7 @@ let { BORG_PASSPHRASE = passphrase; } else { }; - mkBackupService = name: cfg: + mkBackupService = name: cfg: let userHome = config.users.users.${cfg.user}.home; in nameValuePair "borgbackup-job-${name}" { @@ -98,6 +98,23 @@ let inherit (cfg) startAt; }; + # utility function around makeWrapper + mkWrapperDrv = { + original, name, set ? {} + }: + pkgs.runCommandNoCC "${name}-wrapper" { + buildInputs = [ pkgs.makeWrapper ]; + } (with lib; '' + makeWrapper "${original}" "$out/bin/${name}" \ + ${concatStringsSep " \\\n " (mapAttrsToList (name: value: ''--set ${name} "${value}"'') set)} + ''); + + mkBorgWrapper = name: cfg: mkWrapperDrv { + original = "${pkgs.borgbackup}/bin/borg"; + name = "borg-job-${name}"; + set = { BORG_REPO = cfg.repo; } // (mkPassEnv cfg) // cfg.environment; + }; + # Paths listed in ReadWritePaths must exist before service is started mkActivationScript = name: cfg: let @@ -176,7 +193,11 @@ in { ###### interface options.services.borgbackup.jobs = mkOption { - description = "Deduplicating backups using BorgBackup."; + description = '' + Deduplicating backups using BorgBackup. + Adding a job will cause a borg-job-NAME wrapper to be added + to your system path, so that you can perform maintenance easily. + ''; default = { }; example = literalExample '' { @@ -623,6 +644,6 @@ in { users = mkMerge (mapAttrsToList mkUsersConfig repos); - environment.systemPackages = with pkgs; [ borgbackup ]; + environment.systemPackages = with pkgs; [ borgbackup ] ++ (mapAttrsToList mkBorgWrapper jobs); }); } diff --git a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix index dbd5605143f..f58af82773f 100644 --- a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix +++ b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix @@ -84,13 +84,14 @@ in }; config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == defaultUser) (singleton - { name = defaultUser; + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = { isSystemUser = true; createHome = false; home = cfg.location; group = "nogroup"; - }); + }; + }; services.mysql.ensureUsers = [{ name = cfg.user; diff --git a/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix b/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix index 13a36ae32ac..580c7ce68f1 100644 --- a/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix @@ -35,6 +35,13 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' + A systemd timer is now used instead of cron. + The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. + '') + ]; + options = { services.postgresqlBackup = { enable = mkOption { @@ -82,7 +89,7 @@ in { pgdumpOptions = mkOption { type = types.separatedString " "; - default = "-Cbo"; + default = "-C"; description = '' Command line options for pg_dump. This options is not used if <literal>config.services.postgresqlBackup.backupAll</literal> is enabled. diff --git a/nixpkgs/nixos/modules/services/backup/tarsnap.nix b/nixpkgs/nixos/modules/services/backup/tarsnap.nix index 4fc7c24813a..6d99a1efb61 100644 --- a/nixpkgs/nixos/modules/services/backup/tarsnap.nix +++ b/nixpkgs/nixos/modules/services/backup/tarsnap.nix @@ -23,6 +23,10 @@ let ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir") + ]; + options = { services.tarsnap = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix index 70f96d75a46..2ed7742eda0 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix @@ -5,6 +5,10 @@ with lib; let cfg = config.services.kubernetes.addons.dashboard; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) + ]; + options.services.kubernetes.addons.dashboard = { enable = mkEnableOption "kubernetes dashboard addon"; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix index 33796bf2e08..95bdb4c0d14 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -13,6 +13,18 @@ let )) + ".1"); in { + + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"]) + (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) + ]; + ###### interface options.services.kubernetes.apiserver = with lib.types; { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix index 0b73d090f24..a99ef6640e9 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -7,6 +7,11 @@ let cfg = top.controllerManager; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) + (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"]) + ]; + ###### interface options.services.kubernetes.controllerManager = with lib.types; { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix index 3790ac9b691..3a11a6513a4 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix @@ -74,6 +74,10 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") + ]; + ###### interface options.services.kubernetes = { @@ -262,8 +266,7 @@ in { "d /var/lib/kubernetes 0755 kubernetes kubernetes -" ]; - users.users = singleton { - name = "kubernetes"; + users.users.kubernetes = { uid = config.ids.uids.kubernetes; description = "Kubernetes user"; extraGroups = [ "docker" ]; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix index 62d893dfefc..c3d67552cc8 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -52,6 +52,12 @@ let taints = concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (mapAttrsToList (n: v: v) cfg.taints); in { + imports = [ + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") + ]; + ###### interface options.services.kubernetes.kubelet = with lib.types; { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix index 3943c908840..86d1dc2439b 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -7,6 +7,9 @@ let cfg = top.proxy; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) + ]; ###### interface options.services.kubernetes.proxy = with lib.types; { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix index 9c615fbe885..326d2cbd82c 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -223,18 +223,19 @@ in { config = mkIf cfg.enable { users.groups = optional (cfg.group == "buildbot") { - name = "buildbot"; + buildbot = { }; }; - users.users = optional (cfg.user == "buildbot") { - name = "buildbot"; - description = "Buildbot User."; - isNormalUser = true; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; + users.users = optionalAttrs (cfg.user == "buildbot") { + buildbot = { + description = "Buildbot User."; + isNormalUser = true; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + }; }; systemd.services.buildbot-master = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix index 49e04ca3622..7613692f0a3 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix @@ -137,18 +137,19 @@ in { services.buildbot-worker.workerPassFile = mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass); users.groups = optional (cfg.group == "bbworker") { - name = "bbworker"; + bbworker = { }; }; - users.users = optional (cfg.user == "bbworker") { - name = "bbworker"; - description = "Buildbot Worker User."; - isNormalUser = true; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; + users.users = optionalAttrs (cfg.user == "bbworker") { + bbworker = { + description = "Buildbot Worker User."; + isNormalUser = true; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + }; }; systemd.services.buildbot-worker = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix index 8126f27c2b0..2e9e1c94857 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix @@ -135,20 +135,20 @@ in { }; config = mkIf cfg.enable { - users.groups = optional (cfg.group == "gocd-agent") { - name = "gocd-agent"; - gid = config.ids.gids.gocd-agent; + users.groups = optionalAttrs (cfg.group == "gocd-agent") { + gocd-agent.gid = config.ids.gids.gocd-agent; }; - users.users = optional (cfg.user == "gocd-agent") { - name = "gocd-agent"; - description = "gocd-agent user"; - createHome = true; - home = cfg.workDir; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; - uid = config.ids.uids.gocd-agent; + users.users = optionalAttrs (cfg.user == "gocd-agent") { + gocd-agent = { + description = "gocd-agent user"; + createHome = true; + home = cfg.workDir; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + uid = config.ids.uids.gocd-agent; + }; }; systemd.services.gocd-agent = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix index 8f177da129e..4fa41ac49ed 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix @@ -143,20 +143,20 @@ in { }; config = mkIf cfg.enable { - users.groups = optional (cfg.group == "gocd-server") { - name = "gocd-server"; - gid = config.ids.gids.gocd-server; + users.groups = optionalAttrs (cfg.group == "gocd-server") { + gocd-server.gid = config.ids.gids.gocd-server; }; - users.users = optional (cfg.user == "gocd-server") { - name = "gocd-server"; - description = "gocd-server user"; - createHome = true; - home = cfg.workDir; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; - uid = config.ids.uids.gocd-server; + users.users = optionalAttrs (cfg.user == "gocd-server") { + gocd-server = { + description = "gocd-server user"; + createHome = true; + home = cfg.workDir; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + uid = config.ids.uids.gocd-server; + }; }; systemd.services.gocd-server = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix index 0ec90671388..1477c471f8a 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix @@ -150,20 +150,20 @@ in { pkgs.dejavu_fonts ]; - users.groups = optional (cfg.group == "jenkins") { - name = "jenkins"; - gid = config.ids.gids.jenkins; + users.groups = optionalAttrs (cfg.group == "jenkins") { + jenkins.gid = config.ids.gids.jenkins; }; - users.users = optional (cfg.user == "jenkins") { - name = "jenkins"; - description = "jenkins user"; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; - uid = config.ids.uids.jenkins; + users.users = optionalAttrs (cfg.user == "jenkins") { + jenkins = { + description = "jenkins user"; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + uid = config.ids.uids.jenkins; + }; }; systemd.services.jenkins = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix index 92deabc3dd3..26368cb94e4 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix @@ -51,18 +51,18 @@ in { config = mkIf (cfg.enable && !masterCfg.enable) { users.groups = optional (cfg.group == "jenkins") { - name = "jenkins"; - gid = config.ids.gids.jenkins; + jenkins.gid = config.ids.gids.jenkins; }; - users.users = optional (cfg.user == "jenkins") { - name = "jenkins"; - description = "jenkins user"; - createHome = true; - home = cfg.home; - group = cfg.group; - useDefaultShell = true; - uid = config.ids.uids.jenkins; + users.users = optionalAttrs (cfg.user == "jenkins") { + jenkins = { + description = "jenkins user"; + createHome = true; + home = cfg.home; + group = cfg.group; + useDefaultShell = true; + uid = config.ids.uids.jenkins; + }; }; }; } diff --git a/nixpkgs/nixos/modules/services/databases/4store-endpoint.nix b/nixpkgs/nixos/modules/services/databases/4store-endpoint.nix deleted file mode 100644 index 59ed0e5f0af..00000000000 --- a/nixpkgs/nixos/modules/services/databases/4store-endpoint.nix +++ /dev/null @@ -1,74 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.services.fourStoreEndpoint; - endpointUser = "fourstorehttp"; - run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${endpointUser} -c"; -in -with lib; -{ - - ###### interface - - options = { - - services.fourStoreEndpoint = { - - enable = mkOption { - default = false; - description = "Whether to enable 4Store SPARQL endpoint."; - }; - - database = mkOption { - default = config.services.fourStore.database; - description = "RDF database name to expose via the endpoint. Defaults to local 4Store database name."; - }; - - listenAddress = mkOption { - default = null; - description = "IP address to listen on."; - }; - - port = mkOption { - default = 8080; - description = "port to listen on."; - }; - - options = mkOption { - default = ""; - description = "Extra CLI options to pass to 4Store's 4s-httpd process."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - assertions = singleton - { assertion = cfg.enable -> cfg.database != ""; - message = "Must specify 4Store database name"; - }; - - users.users = singleton - { name = endpointUser; - uid = config.ids.uids.fourstorehttp; - description = "4Store SPARQL endpoint user"; - }; - - services.avahi.enable = true; - - systemd.services."4store-endpoint" = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - script = '' - ${run} '${pkgs.rdf4store}/bin/4s-httpd -D ${cfg.options} ${if cfg.listenAddress!=null then "-H ${cfg.listenAddress}" else "" } -p ${toString cfg.port} ${cfg.database}' - ''; - }; - - }; - -} diff --git a/nixpkgs/nixos/modules/services/databases/4store.nix b/nixpkgs/nixos/modules/services/databases/4store.nix deleted file mode 100644 index be4351c1c38..00000000000 --- a/nixpkgs/nixos/modules/services/databases/4store.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.services.fourStore; - stateDir = "/var/lib/4store"; - fourStoreUser = "fourstore"; - run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${fourStoreUser}"; -in -with lib; -{ - - ###### interface - - options = { - - services.fourStore = { - - enable = mkOption { - default = false; - description = "Whether to enable 4Store RDF database server."; - }; - - database = mkOption { - default = ""; - description = "RDF database name. If it doesn't exist, it will be created. Databases are stored in ${stateDir}."; - }; - - options = mkOption { - default = ""; - description = "Extra CLI options to pass to 4Store."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - assertions = singleton - { assertion = cfg.enable -> cfg.database != ""; - message = "Must specify 4Store database name."; - }; - - users.users = singleton - { name = fourStoreUser; - uid = config.ids.uids.fourstore; - description = "4Store database user"; - home = stateDir; - }; - - services.avahi.enable = true; - - systemd.services."4store" = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - mkdir -p ${stateDir}/ - chown ${fourStoreUser} ${stateDir} - if ! test -e "${stateDir}/${cfg.database}"; then - ${run} -c '${pkgs.rdf4store}/bin/4s-backend-setup ${cfg.database}' - fi - ''; - - script = '' - ${run} -c '${pkgs.rdf4store}/bin/4s-backend -D ${cfg.options} ${cfg.database}' - ''; - }; - }; -} diff --git a/nixpkgs/nixos/modules/services/databases/cockroachdb.nix b/nixpkgs/nixos/modules/services/databases/cockroachdb.nix index 268fdcc819f..b6f94a4881a 100644 --- a/nixpkgs/nixos/modules/services/databases/cockroachdb.nix +++ b/nixpkgs/nixos/modules/services/databases/cockroachdb.nix @@ -171,17 +171,17 @@ in environment.systemPackages = [ crdb ]; - users.users = optionalAttrs (cfg.user == "cockroachdb") (singleton - { name = "cockroachdb"; + users.users = optionalAttrs (cfg.user == "cockroachdb") { + cockroachdb = { description = "CockroachDB Server User"; uid = config.ids.uids.cockroachdb; group = cfg.group; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "cockroachdb") (singleton - { name = "cockroachdb"; - gid = config.ids.gids.cockroachdb; - }); + users.groups = optionalAttrs (cfg.group == "cockroachdb") { + cockroachdb.gid = config.ids.gids.cockroachdb; + }; networking.firewall.allowedTCPPorts = lib.optionals cfg.openPorts [ cfg.http.port cfg.listen.port ]; diff --git a/nixpkgs/nixos/modules/services/databases/foundationdb.nix b/nixpkgs/nixos/modules/services/databases/foundationdb.nix index 8f8d0da7c8d..18727acc7c7 100644 --- a/nixpkgs/nixos/modules/services/databases/foundationdb.nix +++ b/nixpkgs/nixos/modules/services/databases/foundationdb.nix @@ -341,17 +341,17 @@ in environment.systemPackages = [ pkg ]; - users.users = optionalAttrs (cfg.user == "foundationdb") (singleton - { name = "foundationdb"; + users.users = optionalAttrs (cfg.user == "foundationdb") { + foundationdb = { description = "FoundationDB User"; uid = config.ids.uids.foundationdb; group = cfg.group; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "foundationdb") (singleton - { name = "foundationdb"; - gid = config.ids.gids.foundationdb; - }); + users.groups = optionalAttrs (cfg.group == "foundationdb") { + foundationdb.gid = config.ids.gids.foundationdb; + }; networking.firewall.allowedTCPPortRanges = mkIf cfg.openFirewall [ { from = cfg.listenPortStart; diff --git a/nixpkgs/nixos/modules/services/databases/influxdb.nix b/nixpkgs/nixos/modules/services/databases/influxdb.nix index 2f176a03872..dd5d69b1147 100644 --- a/nixpkgs/nixos/modules/services/databases/influxdb.nix +++ b/nixpkgs/nixos/modules/services/databases/influxdb.nix @@ -182,15 +182,15 @@ in ''; }; - users.users = optional (cfg.user == "influxdb") { - name = "influxdb"; - uid = config.ids.uids.influxdb; - description = "Influxdb daemon user"; + users.users = optionalAttrs (cfg.user == "influxdb") { + influxdb = { + uid = config.ids.uids.influxdb; + description = "Influxdb daemon user"; + }; }; - users.groups = optional (cfg.group == "influxdb") { - name = "influxdb"; - gid = config.ids.gids.influxdb; + users.groups = optionalAttrs (cfg.group == "influxdb") { + influxdb.gid = config.ids.gids.influxdb; }; }; diff --git a/nixpkgs/nixos/modules/services/databases/memcached.nix b/nixpkgs/nixos/modules/services/databases/memcached.nix index d1dfdb41bf4..89ff957babf 100644 --- a/nixpkgs/nixos/modules/services/databases/memcached.nix +++ b/nixpkgs/nixos/modules/services/databases/memcached.nix @@ -64,10 +64,9 @@ in config = mkIf config.services.memcached.enable { - users.users = optional (cfg.user == "memcached") { - name = "memcached"; - description = "Memcached server user"; - isSystemUser = true; + users.users = optionalAttrs (cfg.user == "memcached") { + memcached.description = "Memcached server user"; + memcached.isSystemUser = true; }; environment.systemPackages = [ memcached ]; diff --git a/nixpkgs/nixos/modules/services/databases/mysql.nix b/nixpkgs/nixos/modules/services/databases/mysql.nix index 5549cfa5cf4..8d520b82fb5 100644 --- a/nixpkgs/nixos/modules/services/databases/mysql.nix +++ b/nixpkgs/nixos/modules/services/databases/mysql.nix @@ -24,6 +24,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd") + (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") + ]; ###### interface @@ -316,6 +320,8 @@ in Type = if hasNotify then "notify" else "simple"; RuntimeDirectory = "mysqld"; RuntimeDirectoryMode = "0755"; + Restart = "on-abort"; + RestartSec = "5s"; # The last two environment variables are used for starting Galera clusters ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION"; ExecStartPost = diff --git a/nixpkgs/nixos/modules/services/databases/neo4j.nix b/nixpkgs/nixos/modules/services/databases/neo4j.nix index 5533182c311..09b453e7584 100644 --- a/nixpkgs/nixos/modules/services/databases/neo4j.nix +++ b/nixpkgs/nixos/modules/services/databases/neo4j.nix @@ -103,6 +103,18 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ]) + (mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ]) + (mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ]) + (mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ]) + (mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ]) + (mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ]) + (mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.") + (mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.") + (mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.") + ]; + ###### interface options.services.neo4j = { @@ -638,8 +650,7 @@ in { environment.systemPackages = [ cfg.package ]; - users.users = singleton { - name = "neo4j"; + users.users.neo4j = { uid = config.ids.uids.neo4j; description = "Neo4j daemon user"; home = cfg.directories.home; diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix index 3bedfe96a18..c8fdd89d0d8 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.nix +++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix @@ -339,9 +339,9 @@ in '') cfg.ensureDatabases} '' + '' ${concatMapStrings (user: '' - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}" + $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' - $PSQL -tAc 'GRANT ${permission} ON ${database} TO ${user.name}' + $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '') user.ensurePermissions)} '') cfg.ensureUsers} ''; diff --git a/nixpkgs/nixos/modules/services/databases/redis.nix b/nixpkgs/nixos/modules/services/databases/redis.nix index 95128a641d9..70895fa53e4 100644 --- a/nixpkgs/nixos/modules/services/databases/redis.nix +++ b/nixpkgs/nixos/modules/services/databases/redis.nix @@ -32,6 +32,13 @@ let ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") + (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") + (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") + (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") + (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/databases/virtuoso.nix b/nixpkgs/nixos/modules/services/databases/virtuoso.nix index 6ffc44a5274..0cc027cb1d7 100644 --- a/nixpkgs/nixos/modules/services/databases/virtuoso.nix +++ b/nixpkgs/nixos/modules/services/databases/virtuoso.nix @@ -54,9 +54,8 @@ with lib; config = mkIf cfg.enable { - users.users = singleton - { name = virtuosoUser; - uid = config.ids.uids.virtuoso; + users.users.${virtuosoUser} = + { uid = config.ids.uids.virtuoso; description = "virtuoso user"; home = stateDir; }; diff --git a/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix b/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix index 2638a21df73..c76145191a7 100644 --- a/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix +++ b/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix @@ -6,35 +6,12 @@ with lib; { - meta.maintainers = pkgs.pantheon.maintainers; - - ###### interface - - options = { - - services.pantheon.contractor = { - - enable = mkEnableOption "contractor, a desktop-wide extension service used by pantheon"; - - }; - - }; - ###### implementation config = mkIf config.services.pantheon.contractor.enable { - environment.systemPackages = with pkgs.pantheon; [ - contractor - extra-elementary-contracts - ]; - - services.dbus.packages = [ pkgs.pantheon.contractor ]; - - environment.pathsToLink = [ - "/share/contractor" - ]; + }; diff --git a/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix b/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix index 577aad6c298..8cee9f42b62 100644 --- a/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix +++ b/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix @@ -6,33 +6,8 @@ with lib; { - meta.maintainers = pkgs.pantheon.maintainers; - - ###### interface - - options = { - - services.pantheon.files = { - - enable = mkEnableOption "pantheon files daemon"; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.pantheon.files.enable { - - environment.systemPackages = [ - pkgs.pantheon.elementary-files - ]; - - services.dbus.packages = [ - pkgs.pantheon.elementary-files - ]; - - }; + imports = [ + (mkRemovedOptionModule [ "services" "pantheon" "files" "enable" ] "Use `environment.systemPackages [ pkgs.pantheon.elementary-files ];`") + ]; } diff --git a/nixpkgs/nixos/modules/services/development/lorri.nix b/nixpkgs/nixos/modules/services/development/lorri.nix index 68264ee869d..c843aa56d13 100644 --- a/nixpkgs/nixos/modules/services/development/lorri.nix +++ b/nixpkgs/nixos/modules/services/development/lorri.nix @@ -32,7 +32,7 @@ in { description = "Lorri Daemon"; requires = [ "lorri.socket" ]; after = [ "lorri.socket" ]; - path = with pkgs; [ config.nix.package gnutar gzip ]; + path = with pkgs; [ config.nix.package git gnutar gzip ]; serviceConfig = { ExecStart = "${pkgs.lorri}/bin/lorri daemon"; PrivateTmp = true; diff --git a/nixpkgs/nixos/modules/services/editors/infinoted.nix b/nixpkgs/nixos/modules/services/editors/infinoted.nix index be366761694..8b997ccbf66 100644 --- a/nixpkgs/nixos/modules/services/editors/infinoted.nix +++ b/nixpkgs/nixos/modules/services/editors/infinoted.nix @@ -111,14 +111,15 @@ in { }; config = mkIf (cfg.enable) { - users.users = optional (cfg.user == "infinoted") - { name = "infinoted"; - description = "Infinoted user"; - group = cfg.group; - isSystemUser = true; + users.users = optionalAttrs (cfg.user == "infinoted") + { infinoted = { + description = "Infinoted user"; + group = cfg.group; + isSystemUser = true; + }; }; - users.groups = optional (cfg.group == "infinoted") - { name = "infinoted"; + users.groups = optionalAttrs (cfg.group == "infinoted") + { infinoted = { }; }; systemd.services.infinoted = diff --git a/nixpkgs/nixos/modules/services/hardware/bluetooth.nix b/nixpkgs/nixos/modules/services/hardware/bluetooth.nix index 7b13beea1ca..dfa39e7f602 100644 --- a/nixpkgs/nixos/modules/services/hardware/bluetooth.nix +++ b/nixpkgs/nixos/modules/services/hardware/bluetooth.nix @@ -72,11 +72,11 @@ in { }; }; - environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ]; + environment.systemPackages = [ bluez-bluetooth ]; - environment.etc = singleton { - source = pkgs.writeText "main.conf" (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig); - target = "bluetooth/main.conf"; + environment.etc."bluetooth/main.conf"= { + source = pkgs.writeText "main.conf" + (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig); }; services.udev.packages = [ bluez-bluetooth ]; diff --git a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix index f6ed4e25e9c..6f49a1ab6d4 100644 --- a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix +++ b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix @@ -67,11 +67,11 @@ in { options = { - hardware.sane.brscan4.enable = + hardware.sane.brscan4.enable = mkEnableOption "Brother's brscan4 scan backend" // { description = '' When enabled, will automatically register the "brscan4" sane - backend and bring configuration files to their expected location. + backend and bring configuration files to their expected location. ''; }; @@ -95,14 +95,11 @@ in pkgs.brscan4 ]; - environment.etc = singleton { - target = "opt/brother/scanner/brscan4"; - source = "${etcFiles}/etc/opt/brother/scanner/brscan4"; - }; + environment.etc."opt/brother/scanner/brscan4" = + { source = "${etcFiles}/etc/opt/brother/scanner/brscan4"; }; assertions = [ { assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList; - message = '' When describing a network device as part of the attribute list `hardware.sane.brscan4.netDevices`, only one of its `ip` or `nodename` diff --git a/nixpkgs/nixos/modules/services/hardware/tcsd.nix b/nixpkgs/nixos/modules/services/hardware/tcsd.nix index 3876280ee6b..68cb5d791aa 100644 --- a/nixpkgs/nixos/modules/services/hardware/tcsd.nix +++ b/nixpkgs/nixos/modules/services/hardware/tcsd.nix @@ -137,15 +137,15 @@ in serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}"; }; - users.users = optionalAttrs (cfg.user == "tss") (singleton - { name = "tss"; + users.users = optionalAttrs (cfg.user == "tss") { + tss = { group = "tss"; uid = config.ids.uids.tss; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "tss") (singleton - { name = "tss"; - gid = config.ids.gids.tss; - }); + users.groups = optionalAttrs (cfg.group == "tss") { + tss.gid = config.ids.gids.tss; + }; }; } diff --git a/nixpkgs/nixos/modules/services/hardware/tlp.nix b/nixpkgs/nixos/modules/services/hardware/tlp.nix index adc1881a525..955a6067799 100644 --- a/nixpkgs/nixos/modules/services/hardware/tlp.nix +++ b/nixpkgs/nixos/modules/services/hardware/tlp.nix @@ -103,13 +103,14 @@ in services.udev.packages = [ tlp ]; - environment.etc = [{ source = confFile; - target = "default/tlp"; - } - ] ++ optional enableRDW { - source = "${tlp}/etc/NetworkManager/dispatcher.d/99tlp-rdw-nm"; - target = "NetworkManager/dispatcher.d/99tlp-rdw-nm"; - }; + environment.etc = + { + "default/tlp".source = confFile; + } // optionalAttrs enableRDW { + "NetworkManager/dispatcher.d/99tlp-rdw-nm" = { + source = "${tlp}/etc/NetworkManager/dispatcher.d/99tlp-rdw-nm"; + }; + }; environment.systemPackages = [ tlp ]; diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index 83ab93bd7cf..168056a475e 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -221,8 +221,8 @@ in type = types.lines; description = '' Additional <command>hwdb</command> files. They'll be written - into file <filename>10-local.hwdb</filename>. Thus they are - read before all other files. + into file <filename>99-local.hwdb</filename>. Thus they are + read after all other files. ''; }; @@ -281,13 +281,10 @@ in boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ]; environment.etc = - [ { source = udevRules; - target = "udev/rules.d"; - } - { source = hwdbBin; - target = "udev/hwdb.bin"; - } - ]; + { + "udev/rules.d".source = udevRules; + "udev/hwdb.bin".source = hwdbBin; + }; system.requiredKernelConfig = with config.lib.kernelConfig; [ (isEnabled "UNIX") diff --git a/nixpkgs/nixos/modules/services/hardware/upower.nix b/nixpkgs/nixos/modules/services/hardware/upower.nix index 5e7ac7a6e65..449810b5315 100644 --- a/nixpkgs/nixos/modules/services/hardware/upower.nix +++ b/nixpkgs/nixos/modules/services/hardware/upower.nix @@ -37,6 +37,172 @@ in ''; }; + enableWattsUpPro = mkOption { + type = types.bool; + default = false; + description = '' + Enable the Watts Up Pro device. + + The Watts Up Pro contains a generic FTDI USB device without a specific + vendor and product ID. When we probe for WUP devices, we can cause + the user to get a perplexing "Device or resource busy" error when + attempting to use their non-WUP device. + + The generic FTDI device is known to also be used on: + + <itemizedlist> + <listitem><para>Sparkfun FT232 breakout board</para></listitem> + <listitem><para>Parallax Propeller</para></listitem> + </itemizedlist> + ''; + }; + + noPollBatteries = mkOption { + type = types.bool; + default = false; + description = '' + Don't poll the kernel for battery level changes. + + Some hardware will send us battery level changes through + events, rather than us having to poll for it. This option + allows disabling polling for hardware that sends out events. + ''; + }; + + ignoreLid = mkOption { + type = types.bool; + default = false; + description = '' + Do we ignore the lid state + + Some laptops are broken. The lid state is either inverted, or stuck + on or off. We can't do much to fix these problems, but this is a way + for users to make the laptop panel vanish, a state that might be used + by a couple of user-space daemons. On Linux systems, see also + logind.conf(5). + ''; + }; + + usePercentageForPolicy = mkOption { + type = types.bool; + default = true; + description = '' + Policy for warnings and action based on battery levels + + Whether battery percentage based policy should be used. The default + is to use the percentage, which + should work around broken firmwares. It is also more reliable than + the time left (frantically saving all your files is going to use more + battery than letting it rest for example). + ''; + }; + + percentageLow = mkOption { + type = types.ints.unsigned; + default = 10; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will consider the + battery low. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + percentageCritical = mkOption { + type = types.ints.unsigned; + default = 3; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will consider the + battery critical. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + percentageAction = mkOption { + type = types.ints.unsigned; + default = 2; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will take action + for the critical battery level. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + timeLow = mkOption { + type = types.ints.unsigned; + default = 1200; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + consider the battery low. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + timeCritical = mkOption { + type = types.ints.unsigned; + default = 300; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + consider the battery critical. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + timeAction = mkOption { + type = types.ints.unsigned; + default = 120; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + take action for the critical battery level. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + criticalPowerAction = mkOption { + type = types.enum [ "PowerOff" "Hibernate" "HybridSleep" ]; + default = "HybridSleep"; + description = '' + The action to take when <literal>timeAction</literal> or + <literal>percentageAction</literal> has been reached for the batteries + (UPS or laptop batteries) supplying the computer + ''; + }; + }; }; @@ -54,6 +220,21 @@ in systemd.packages = [ cfg.package ]; + environment.etc."UPower/UPower.conf".text = generators.toINI {} { + UPower = { + EnableWattsUpPro = cfg.enableWattsUpPro; + NoPollBatteries = cfg.noPollBatteries; + IgnoreLid = cfg.ignoreLid; + UsePercentageForPolicy = cfg.usePercentageForPolicy; + PercentageLow = cfg.percentageLow; + PercentageCritical = cfg.percentageCritical; + PercentageAction = cfg.percentageAction; + TimeLow = cfg.timeLow; + TimeCritical = cfg.timeCritical; + TimeAction = cfg.timeAction; + CriticalPowerAction = cfg.criticalPowerAction; + }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix index 39bbcaf4627..50b931dcb48 100644 --- a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix +++ b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix @@ -43,15 +43,16 @@ in config = mkIf cfg.enable { - users.users = optional (cfg.user == defaultUserGroup) { - name = cfg.user; - description = "usbmuxd user"; - group = cfg.group; - isSystemUser = true; + users.users = optionalAttrs (cfg.user == defaultUserGroup) { + ${cfg.user} = { + description = "usbmuxd user"; + group = cfg.group; + isSystemUser = true; + }; }; users.groups = optional (cfg.group == defaultUserGroup) { - name = cfg.group; + ${cfg.group} = { }; }; # Give usbmuxd permission for Apple devices diff --git a/nixpkgs/nixos/modules/services/logging/awstats.nix b/nixpkgs/nixos/modules/services/logging/awstats.nix index a92ff3bee49..5939d7808f7 100644 --- a/nixpkgs/nixos/modules/services/logging/awstats.nix +++ b/nixpkgs/nixos/modules/services/logging/awstats.nix @@ -4,31 +4,117 @@ with lib; let cfg = config.services.awstats; - httpd = config.services.httpd; package = pkgs.awstats; -in + configOpts = {name, config, ...}: { + options = { + type = mkOption{ + type = types.enum [ "mail" "web" ]; + default = "web"; + example = "mail"; + description = '' + The type of log being collected. + ''; + }; + domain = mkOption { + type = types.str; + default = name; + description = "The domain name to collect stats for."; + example = "example.com"; + }; + + logFile = mkOption { + type = types.str; + example = "/var/spool/nginx/logs/access.log"; + description = '' + The log file to be scanned. + For mail, set this to + <literal> + journalctl $OLD_CURSOR -u postfix.service | ''${pkgs.perl}/bin/perl ''${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard | + </literal> + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "1"; + description = '' + The log format being used. + + For mail, set this to + <literal> + %time2 %email %email_r %host %host_r %method %url %code %bytesd + </literal> + ''; + }; + + hostAliases = mkOption { + type = types.listOf types.str; + default = []; + example = "[ \"www.example.org\" ]"; + description = '' + List of aliases the site has. + ''; + }; + + extraConfig = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + { + "ValidHTTPCodes" = "404"; + } + ''; + description = "Extra configuration to be appendend to awstats.\${name}.conf."; + }; + + webService = { + enable = mkEnableOption "awstats web service"; + + hostname = mkOption { + type = types.str; + default = config.domain; + description = "The hostname the web service appears under."; + }; + + urlPrefix = mkOption { + type = types.str; + default = "/awstats"; + description = "The URL prefix under which the awstats pages appear."; + }; + }; + }; + }; + webServices = filterAttrs (name: value: value.webService.enable) cfg.configs; +in { + imports = [ + (mkRemovedOptionModule [ "services" "awstats" "service" "enable" ] "Please enable per domain with `services.awstats.configs.<name>.webService.enable`") + (mkRemovedOptionModule [ "services" "awstats" "service" "urlPrefix" ] "Please set per domain with `services.awstats.configs.<name>.webService.urlPrefix`") + (mkRenamedOptionModule [ "services" "awstats" "vardir" ] [ "services" "awstats" "dataDir" ]) + ]; + options.services.awstats = { - enable = mkOption { - type = types.bool; - default = cfg.service.enable; - description = '' - Enable the awstats program (but not service). - Currently only simple httpd (Apache) configs are supported, - and awstats plugins may not work correctly. - ''; - }; - vardir = mkOption { + enable = mkEnableOption "awstats"; + + dataDir = mkOption { type = types.path; default = "/var/lib/awstats"; - description = "The directory where variable awstats data will be stored."; + description = "The directory where awstats data will be stored."; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - description = "Extra configuration to be appendend to awstats.conf."; + configs = mkOption { + type = types.attrsOf (types.submodule configOpts); + default = {}; + example = literalExample '' + { + "mysite" = { + domain = "example.com"; + logFile = "/var/spool/nginx/logs/access.log"; + }; + } + ''; + description = "Attribute set of domains to collect stats for."; }; updateAt = mkOption { @@ -42,75 +128,129 @@ in <manvolnum>7</manvolnum></citerefentry>) ''; }; - - service = { - enable = mkOption { - type = types.bool; - default = false; - description = ''Enable the awstats web service. This switches on httpd.''; - }; - urlPrefix = mkOption { - type = types.str; - default = "/awstats"; - description = "The URL prefix under which the awstats service appears."; - }; - }; }; config = mkIf cfg.enable { environment.systemPackages = [ package.bin ]; - /* TODO: - - heed config.services.httpd.logPerVirtualHost, etc. - - Can't AllowToUpdateStatsFromBrowser, as CGI scripts don't have permission - to read the logs, and our httpd config apparently doesn't an option for that. - */ - environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf" + + environment.etc = mapAttrs' (name: opts: + nameValuePair "awstats/awstats.${name}.conf" { + source = pkgs.runCommand "awstats.${name}.conf" { preferLocalBuild = true; } - ( let - logFormat = - if httpd.logFormat == "combined" then "1" else - if httpd.logFormat == "common" then "4" else - throw "awstats service doesn't support Apache log format `${httpd.logFormat}`"; - in - '' - sed \ - -e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \ - -e 's|^\(DirIcons\)=.*$|\1="icons"|' \ - -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ - -e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \ - -e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \ - -e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \ - < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" - echo '${cfg.extraConfig}' >> "$out" - ''); - - systemd.tmpfiles.rules = optionals cfg.service.enable [ - "d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" - "Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" - ]; - - # The httpd sub-service showing awstats. - services.httpd = optionalAttrs cfg.service.enable { - enable = true; - extraConfig = '' - Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/" - Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/" - Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/" - ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/" - - <Directory "${package.out}/wwwroot"> - Options None - Require all granted - </Directory> - ''; - }; + ('' + sed \ + '' + # set up mail stats + + optionalString (opts.type == "mail") + '' + -e 's|^\(LogType\)=.*$|\1=M|' \ + -e 's|^\(LevelForBrowsersDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForOSDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForRefererAnalyze\)=.*$|\1=0|' \ + -e 's|^\(LevelForRobotsDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForSearchEnginesDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForFileTypesDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForWormsDetection\)=.*$|\1=0|' \ + -e 's|^\(ShowMenu\)=.*$|\1=1|' \ + -e 's|^\(ShowSummary\)=.*$|\1=HB|' \ + -e 's|^\(ShowMonthStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDaysOfMonthStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDaysOfWeekStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowHoursStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDomainsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowHostsStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowAuthenticatedUsers\)=.*$|\1=0|' \ + -e 's|^\(ShowRobotsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowEMailSenders\)=.*$|\1=HBML|' \ + -e 's|^\(ShowEMailReceivers\)=.*$|\1=HBML|' \ + -e 's|^\(ShowSessionsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowPagesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowFileTypesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowFileSizesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowBrowsersStats\)=.*$|\1=0|' \ + -e 's|^\(ShowOSStats\)=.*$|\1=0|' \ + -e 's|^\(ShowOriginStats\)=.*$|\1=0|' \ + -e 's|^\(ShowKeyphrasesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowKeywordsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowMiscStats\)=.*$|\1=0|' \ + -e 's|^\(ShowHTTPErrorsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowSMTPErrorsStats\)=.*$|\1=1|' \ + '' + + + # common options + '' + -e 's|^\(DirData\)=.*$|\1="${cfg.dataDir}/${name}"|' \ + -e 's|^\(DirIcons\)=.*$|\1="icons"|' \ + -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ + -e 's|^\(SiteDomain\)=.*$|\1="${name}"|' \ + -e 's|^\(LogFile\)=.*$|\1="${opts.logFile}"|' \ + -e 's|^\(LogFormat\)=.*$|\1="${opts.logFormat}"|' \ + '' + + + # extra config + concatStringsSep "\n" (mapAttrsToList (n: v: '' + -e 's|^\(${n}\)=.*$|\1="${v}"|' \ + '') opts.extraConfig) + + + '' + < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" + ''); + }) cfg.configs; - systemd.services.awstats-update = mkIf (cfg.updateAt != null) { - description = "awstats log collector"; - script = "exec '${package.bin}/bin/awstats' -update -config=awstats.conf"; - startAt = cfg.updateAt; - }; + # create data directory with the correct permissions + systemd.tmpfiles.rules = + [ "d '${cfg.dataDir}' 755 root root - -" ] ++ + mapAttrsToList (name: opts: "d '${cfg.dataDir}/${name}' 755 root root - -") cfg.configs ++ + [ "Z '${cfg.dataDir}' 755 root root - -" ]; + + # nginx options + services.nginx.virtualHosts = mapAttrs'(name: opts: { + name = opts.webService.hostname; + value = { + locations = { + "${opts.webService.urlPrefix}/css/" = { + alias = "${package.out}/wwwroot/css/"; + }; + "${opts.webService.urlPrefix}/icons/" = { + alias = "${package.out}/wwwroot/icon/"; + }; + "${opts.webService.urlPrefix}/" = { + alias = "${cfg.dataDir}/${name}/"; + extraConfig = '' + autoindex on; + ''; + }; + }; + }; + }) webServices; + + # update awstats + systemd.services = mkIf (cfg.updateAt != null) (mapAttrs' (name: opts: + nameValuePair "awstats-${name}-update" { + description = "update awstats for ${name}"; + script = optionalString (opts.type == "mail") + '' + if [[ -f "${cfg.dataDir}/${name}-cursor" ]]; then + CURSOR="$(cat "${cfg.dataDir}/${name}-cursor" | tr -d '\n')" + if [[ -n "$CURSOR" ]]; then + echo "Using cursor: $CURSOR" + export OLD_CURSOR="--cursor $CURSOR" + fi + fi + NEW_CURSOR="$(journalctl $OLD_CURSOR -u postfix.service --show-cursor | tail -n 1 | tr -d '\n' | sed -e 's#^-- cursor: \(.*\)#\1#')" + echo "New cursor: $NEW_CURSOR" + ${package.bin}/bin/awstats -update -config=${name} + if [ -n "$NEW_CURSOR" ]; then + echo -n "$NEW_CURSOR" > ${cfg.dataDir}/${name}-cursor + fi + '' + '' + ${package.out}/share/awstats/tools/awstats_buildstaticpages.pl \ + -config=${name} -update -dir=${cfg.dataDir}/${name} \ + -awstatsprog=${package.bin}/bin/awstats + ''; + startAt = cfg.updateAt; + }) cfg.configs); }; } diff --git a/nixpkgs/nixos/modules/services/logging/logcheck.nix b/nixpkgs/nixos/modules/services/logging/logcheck.nix index 6d8be5b926d..4296b2270c2 100644 --- a/nixpkgs/nixos/modules/services/logging/logcheck.nix +++ b/nixpkgs/nixos/modules/services/logging/logcheck.nix @@ -213,13 +213,14 @@ in mapAttrsToList writeIgnoreRule cfg.ignore ++ mapAttrsToList writeIgnoreCronRule cfg.ignoreCron; - users.users = optionalAttrs (cfg.user == "logcheck") (singleton - { name = "logcheck"; + users.users = optionalAttrs (cfg.user == "logcheck") { + logcheck = { uid = config.ids.uids.logcheck; shell = "/bin/sh"; description = "Logcheck user account"; extraGroups = cfg.extraGroups; - }); + }; + }; system.activationScripts.logcheck = '' mkdir -m 700 -p /var/{lib,lock}/logcheck diff --git a/nixpkgs/nixos/modules/services/logging/logstash.nix b/nixpkgs/nixos/modules/services/logging/logstash.nix index 4943e8d7db3..21a83803fd8 100644 --- a/nixpkgs/nixos/modules/services/logging/logstash.nix +++ b/nixpkgs/nixos/modules/services/logging/logstash.nix @@ -37,6 +37,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) + (mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash") + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/logging/syslog-ng.nix b/nixpkgs/nixos/modules/services/logging/syslog-ng.nix index 65e103ac2ba..35055311680 100644 --- a/nixpkgs/nixos/modules/services/logging/syslog-ng.nix +++ b/nixpkgs/nixos/modules/services/logging/syslog-ng.nix @@ -25,6 +25,10 @@ let ]; in { + imports = [ + (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "") + (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "") + ]; options = { diff --git a/nixpkgs/nixos/modules/services/mail/dovecot.nix b/nixpkgs/nixos/modules/services/mail/dovecot.nix index 3fd06812c67..b5ed2c594f7 100644 --- a/nixpkgs/nixos/modules/services/mail/dovecot.nix +++ b/nixpkgs/nixos/modules/services/mail/dovecot.nix @@ -86,7 +86,7 @@ let } plugin { - quota_rule = *:storage=${cfg.quotaGlobalPerUser} + quota_rule = *:storage=${cfg.quotaGlobalPerUser} quota = maildir:User quota # per virtual mail user quota # BUG/FIXME broken, we couldn't get this working quota_status_success = DUNNO quota_status_nouser = DUNNO @@ -133,6 +133,9 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + ]; options.services.dovecot2 = { enable = mkEnableOption "Dovecot 2.x POP3/IMAP server"; @@ -307,36 +310,32 @@ in ++ optional cfg.enablePop3 "pop3" ++ optional cfg.enableLmtp "lmtp"; - users.users = [ - { name = "dovenull"; - uid = config.ids.uids.dovenull2; - description = "Dovecot user for untrusted logins"; - group = "dovenull"; - } - ] ++ optional (cfg.user == "dovecot2") - { name = "dovecot2"; - uid = config.ids.uids.dovecot2; + users.users = { + dovenull = + { uid = config.ids.uids.dovenull2; + description = "Dovecot user for untrusted logins"; + group = "dovenull"; + }; + } // optionalAttrs (cfg.user == "dovecot2") { + dovecot2 = + { uid = config.ids.uids.dovecot2; description = "Dovecot user"; group = cfg.group; - } - ++ optional (cfg.createMailUser && cfg.mailUser != null) - ({ name = cfg.mailUser; - description = "Virtual Mail User"; - } // optionalAttrs (cfg.mailGroup != null) { - group = cfg.mailGroup; - }); - - users.groups = optional (cfg.group == "dovecot2") - { name = "dovecot2"; - gid = config.ids.gids.dovecot2; - } - ++ optional (cfg.createMailUser && cfg.mailGroup != null) - { name = cfg.mailGroup; - } - ++ singleton - { name = "dovenull"; - gid = config.ids.gids.dovenull2; - }; + }; + } // optionalAttrs (cfg.createMailUser && cfg.mailUser != null) { + ${cfg.mailUser} = + { description = "Virtual Mail User"; } // + optionalAttrs (cfg.mailGroup != null) + { group = cfg.mailGroup; }; + }; + + users.groups = { + dovenull.gid = config.ids.gids.dovenull2; + } // optionalAttrs (cfg.group == "dovecot2") { + dovecot2.gid = config.ids.gids.dovecot2; + } // optionalAttrs (cfg.createMailUser && cfg.mailGroup != null) { + ${cfg.mailGroup} = { }; + }; environment.etc."dovecot/modules".source = modulesDir; environment.etc."dovecot/dovecot.conf".source = cfg.configFile; diff --git a/nixpkgs/nixos/modules/services/mail/dspam.nix b/nixpkgs/nixos/modules/services/mail/dspam.nix index 72b8c4c08b9..766ebc8095a 100644 --- a/nixpkgs/nixos/modules/services/mail/dspam.nix +++ b/nixpkgs/nixos/modules/services/mail/dspam.nix @@ -86,16 +86,16 @@ in { config = mkIf cfg.enable (mkMerge [ { - users.users = optionalAttrs (cfg.user == "dspam") (singleton - { name = "dspam"; + users.users = optionalAttrs (cfg.user == "dspam") { + dspam = { group = cfg.group; uid = config.ids.uids.dspam; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "dspam") (singleton - { name = "dspam"; - gid = config.ids.gids.dspam; - }); + users.groups = optionalAttrs (cfg.group == "dspam") { + dspam.gid = config.ids.gids.dspam; + }; environment.systemPackages = [ dspam ]; diff --git a/nixpkgs/nixos/modules/services/mail/exim.nix b/nixpkgs/nixos/modules/services/mail/exim.nix index 47812dd1e40..892fbd33214 100644 --- a/nixpkgs/nixos/modules/services/mail/exim.nix +++ b/nixpkgs/nixos/modules/services/mail/exim.nix @@ -87,15 +87,13 @@ in systemPackages = [ cfg.package ]; }; - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "Exim mail transfer agent user"; uid = config.ids.uids.exim; group = cfg.group; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.exim; }; diff --git a/nixpkgs/nixos/modules/services/mail/mlmmj.nix b/nixpkgs/nixos/modules/services/mail/mlmmj.nix index 7ae00f3e501..d58d93c4214 100644 --- a/nixpkgs/nixos/modules/services/mail/mlmmj.nix +++ b/nixpkgs/nixos/modules/services/mail/mlmmj.nix @@ -94,8 +94,7 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "mlmmj user"; home = stateDir; createHome = true; @@ -104,8 +103,7 @@ in useDefaultShell = true; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.mlmmj; }; diff --git a/nixpkgs/nixos/modules/services/mail/nullmailer.nix b/nixpkgs/nixos/modules/services/mail/nullmailer.nix index 2c2910e0aa9..fe3f8ef9b39 100644 --- a/nixpkgs/nixos/modules/services/mail/nullmailer.nix +++ b/nixpkgs/nixos/modules/services/mail/nullmailer.nix @@ -201,15 +201,12 @@ with lib; }; users = { - users = singleton { - name = cfg.user; + users.${cfg.user} = { description = "Nullmailer relay-only mta user"; group = cfg.group; }; - groups = singleton { - name = cfg.group; - }; + groups.${cfg.group} = { }; }; systemd.tmpfiles.rules = [ diff --git a/nixpkgs/nixos/modules/services/mail/opendkim.nix b/nixpkgs/nixos/modules/services/mail/opendkim.nix index 253823cbaf9..eb6a426684d 100644 --- a/nixpkgs/nixos/modules/services/mail/opendkim.nix +++ b/nixpkgs/nixos/modules/services/mail/opendkim.nix @@ -18,6 +18,9 @@ let ] ++ optionals (cfg.configFile != null) [ "-x" cfg.configFile ]; in { + imports = [ + (mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ]) + ]; ###### interface @@ -88,16 +91,16 @@ in { config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "opendkim") (singleton - { name = "opendkim"; + users.users = optionalAttrs (cfg.user == "opendkim") { + opendkim = { group = cfg.group; uid = config.ids.uids.opendkim; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "opendkim") (singleton - { name = "opendkim"; - gid = config.ids.gids.opendkim; - }); + users.groups = optionalAttrs (cfg.group == "opendkim") { + opendkim.gid = config.ids.gids.opendkim; + }; environment.systemPackages = [ pkgs.opendkim ]; diff --git a/nixpkgs/nixos/modules/services/mail/postfix.nix b/nixpkgs/nixos/modules/services/mail/postfix.nix index df438a0c69d..d7378821440 100644 --- a/nixpkgs/nixos/modules/services/mail/postfix.nix +++ b/nixpkgs/nixos/modules/services/mail/postfix.nix @@ -655,21 +655,20 @@ in setgid = true; }; - users.users = optional (user == "postfix") - { name = "postfix"; - description = "Postfix mail server user"; - uid = config.ids.uids.postfix; - group = group; + users.users = optionalAttrs (user == "postfix") + { postfix = { + description = "Postfix mail server user"; + uid = config.ids.uids.postfix; + group = group; + }; }; users.groups = - optional (group == "postfix") - { name = group; - gid = config.ids.gids.postfix; + optionalAttrs (group == "postfix") + { ${group}.gid = config.ids.gids.postfix; } - ++ optional (setgidGroup == "postdrop") - { name = setgidGroup; - gid = config.ids.gids.postdrop; + // optionalAttrs (setgidGroup == "postdrop") + { ${setgidGroup}.gid = config.ids.gids.postdrop; }; systemd.services.postfix = diff --git a/nixpkgs/nixos/modules/services/mail/postgrey.nix b/nixpkgs/nixos/modules/services/mail/postgrey.nix index 88fb7f0b4ad..709f6b21aa0 100644 --- a/nixpkgs/nixos/modules/services/mail/postgrey.nix +++ b/nixpkgs/nixos/modules/services/mail/postgrey.nix @@ -42,6 +42,17 @@ with lib; let }; in { + imports = [ + (mkMergedOptionModule [ [ "services" "postgrey" "inetAddr" ] [ "services" "postgrey" "inetPort" ] ] [ "services" "postgrey" "socket" ] (config: let + value = p: getAttrFromPath p config; + inetAddr = [ "services" "postgrey" "inetAddr" ]; + inetPort = [ "services" "postgrey" "inetPort" ]; + in + if value inetAddr == null + then { path = "/run/postgrey.sock"; } + else { addr = value inetAddr; port = value inetPort; } + )) + ]; options = { services.postgrey = with types; { diff --git a/nixpkgs/nixos/modules/services/mail/postsrsd.nix b/nixpkgs/nixos/modules/services/mail/postsrsd.nix index 8f12a16906c..2ebc675ab10 100644 --- a/nixpkgs/nixos/modules/services/mail/postsrsd.nix +++ b/nixpkgs/nixos/modules/services/mail/postsrsd.nix @@ -90,16 +90,16 @@ in { services.postsrsd.domain = mkDefault config.networking.hostName; - users.users = optionalAttrs (cfg.user == "postsrsd") (singleton - { name = "postsrsd"; + users.users = optionalAttrs (cfg.user == "postsrsd") { + postsrsd = { group = cfg.group; uid = config.ids.uids.postsrsd; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "postsrsd") (singleton - { name = "postsrsd"; - gid = config.ids.gids.postsrsd; - }); + users.groups = optionalAttrs (cfg.group == "postsrsd") { + postsrsd.gid = config.ids.gids.postsrsd; + }; systemd.services.postsrsd = { description = "PostSRSd SRS rewriting server"; diff --git a/nixpkgs/nixos/modules/services/mail/rspamd.nix b/nixpkgs/nixos/modules/services/mail/rspamd.nix index 7ef23ad1726..aacdbe2aeed 100644 --- a/nixpkgs/nixos/modules/services/mail/rspamd.nix +++ b/nixpkgs/nixos/modules/services/mail/rspamd.nix @@ -220,7 +220,6 @@ let in { - ###### interface options = { @@ -375,15 +374,13 @@ in # Allow users to run 'rspamc' and 'rspamadm'. environment.systemPackages = [ pkgs.rspamd ]; - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "rspamd daemon"; uid = config.ids.uids.rspamd; group = cfg.group; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.rspamd; }; @@ -414,5 +411,6 @@ in "Socket activation never worked correctly and could at this time not be fixed and so was removed") (mkRenamedOptionModule [ "services" "rspamd" "bindSocket" ] [ "services" "rspamd" "workers" "normal" "bindSockets" ]) (mkRenamedOptionModule [ "services" "rspamd" "bindUISocket" ] [ "services" "rspamd" "workers" "controller" "bindSockets" ]) + (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service") ]; } diff --git a/nixpkgs/nixos/modules/services/mail/spamassassin.nix b/nixpkgs/nixos/modules/services/mail/spamassassin.nix index 1fe77ce5a0c..107280f7c14 100644 --- a/nixpkgs/nixos/modules/services/mail/spamassassin.nix +++ b/nixpkgs/nixos/modules/services/mail/spamassassin.nix @@ -128,15 +128,13 @@ in systemPackages = [ pkgs.spamassassin ]; }; - users.users = singleton { - name = "spamd"; + users.users.spamd = { description = "Spam Assassin Daemon"; uid = config.ids.uids.spamd; group = "spamd"; }; - users.groups = singleton { - name = "spamd"; + users.groups.spamd = { gid = config.ids.gids.spamd; }; diff --git a/nixpkgs/nixos/modules/services/misc/apache-kafka.nix b/nixpkgs/nixos/modules/services/misc/apache-kafka.nix index 798e902ccae..f3a650a260f 100644 --- a/nixpkgs/nixos/modules/services/misc/apache-kafka.nix +++ b/nixpkgs/nixos/modules/services/misc/apache-kafka.nix @@ -124,14 +124,13 @@ in { environment.systemPackages = [cfg.package]; - users.users = singleton { - name = "apache-kafka"; + users.users.apache-kafka = { uid = config.ids.uids.apache-kafka; description = "Apache Kafka daemon user"; home = head cfg.logDirs; }; - systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs; + systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs; systemd.services.apache-kafka = { description = "Apache Kafka Daemon"; diff --git a/nixpkgs/nixos/modules/services/misc/bepasty.nix b/nixpkgs/nixos/modules/services/misc/bepasty.nix index 87d36068144..f69832e5b2b 100644 --- a/nixpkgs/nixos/modules/services/misc/bepasty.nix +++ b/nixpkgs/nixos/modules/services/misc/bepasty.nix @@ -168,16 +168,12 @@ in }) ) cfg.servers; - users.users = [{ - uid = config.ids.uids.bepasty; - name = user; - group = group; - home = default_home; - }]; - - users.groups = [{ - name = group; - gid = config.ids.gids.bepasty; - }]; + users.users.${user} = + { uid = config.ids.uids.bepasty; + group = group; + home = default_home; + }; + + users.groups.${group}.gid = config.ids.gids.bepasty; }; } diff --git a/nixpkgs/nixos/modules/services/misc/cgminer.nix b/nixpkgs/nixos/modules/services/misc/cgminer.nix index b1cf5a7d110..9fcae645269 100644 --- a/nixpkgs/nixos/modules/services/misc/cgminer.nix +++ b/nixpkgs/nixos/modules/services/misc/cgminer.nix @@ -110,11 +110,12 @@ in config = mkIf config.services.cgminer.enable { - users.users = optionalAttrs (cfg.user == "cgminer") (singleton - { name = "cgminer"; + users.users = optionalAttrs (cfg.user == "cgminer") { + cgminer = { uid = config.ids.uids.cgminer; description = "Cgminer user"; - }); + }; + }; environment.systemPackages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/services/misc/couchpotato.nix b/nixpkgs/nixos/modules/services/misc/couchpotato.nix index 528af486b41..f5163cf86cf 100644 --- a/nixpkgs/nixos/modules/services/misc/couchpotato.nix +++ b/nixpkgs/nixos/modules/services/misc/couchpotato.nix @@ -29,17 +29,14 @@ in }; }; - users.users = singleton - { name = "couchpotato"; - group = "couchpotato"; + users.users.couchpotato = + { group = "couchpotato"; home = "/var/lib/couchpotato/"; description = "CouchPotato daemon user"; uid = config.ids.uids.couchpotato; }; - users.groups = singleton - { name = "couchpotato"; - gid = config.ids.gids.couchpotato; - }; + users.groups.couchpotato = + { gid = config.ids.gids.couchpotato; }; }; } diff --git a/nixpkgs/nixos/modules/services/misc/dictd.nix b/nixpkgs/nixos/modules/services/misc/dictd.nix index 8d3e294622d..d175854d2d1 100644 --- a/nixpkgs/nixos/modules/services/misc/dictd.nix +++ b/nixpkgs/nixos/modules/services/misc/dictd.nix @@ -45,18 +45,14 @@ in # get the command line client on system path to make some use of the service environment.systemPackages = [ pkgs.dict ]; - users.users = singleton - { name = "dictd"; - group = "dictd"; + users.users.dictd = + { group = "dictd"; description = "DICT.org dictd server"; home = "${dictdb}/share/dictd"; uid = config.ids.uids.dictd; }; - users.groups = singleton - { name = "dictd"; - gid = config.ids.gids.dictd; - }; + users.groups.dictd.gid = config.ids.gids.dictd; systemd.services.dictd = { description = "DICT.org Dictionary Server"; diff --git a/nixpkgs/nixos/modules/services/misc/etcd.nix b/nixpkgs/nixos/modules/services/misc/etcd.nix index e4d5322f9b5..7322e1c080b 100644 --- a/nixpkgs/nixos/modules/services/misc/etcd.nix +++ b/nixpkgs/nixos/modules/services/misc/etcd.nix @@ -186,8 +186,7 @@ in { environment.systemPackages = [ pkgs.etcdctl ]; - users.users = singleton { - name = "etcd"; + users.users.etcd = { uid = config.ids.uids.etcd; description = "Etcd daemon user"; home = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/misc/ethminer.nix b/nixpkgs/nixos/modules/services/misc/ethminer.nix index 2958cf21447..95afb0460fb 100644 --- a/nixpkgs/nixos/modules/services/misc/ethminer.nix +++ b/nixpkgs/nixos/modules/services/misc/ethminer.nix @@ -71,7 +71,7 @@ in maxPower = mkOption { type = types.int; - default = 115; + default = 113; description = "Miner max watt usage."; }; @@ -92,7 +92,9 @@ in serviceConfig = { DynamicUser = true; + ExecStartPre = "${pkgs.ethminer}/bin/.ethminer-wrapped --list-devices"; ExecStartPost = optional (cfg.toolkit == "cuda") "+${getBin config.boot.kernelPackages.nvidia_x11}/bin/nvidia-smi -pl ${toString cfg.maxPower}"; + Restart = "always"; }; environment = { diff --git a/nixpkgs/nixos/modules/services/misc/exhibitor.nix b/nixpkgs/nixos/modules/services/misc/exhibitor.nix index 74f4f671f46..f8c79f892da 100644 --- a/nixpkgs/nixos/modules/services/misc/exhibitor.nix +++ b/nixpkgs/nixos/modules/services/misc/exhibitor.nix @@ -410,8 +410,7 @@ in sed -i 's/'"$replace_what"'/'"$replace_with"'/g' ${cfg.baseDir}/zookeeper/bin/zk*.sh ''; }; - users.users = singleton { - name = "zookeeper"; + users.users.zookeeper = { uid = config.ids.uids.zookeeper; description = "Zookeeper daemon user"; home = cfg.baseDir; diff --git a/nixpkgs/nixos/modules/services/misc/felix.nix b/nixpkgs/nixos/modules/services/misc/felix.nix index 1c5ece86825..188e45abc58 100644 --- a/nixpkgs/nixos/modules/services/misc/felix.nix +++ b/nixpkgs/nixos/modules/services/misc/felix.nix @@ -47,14 +47,10 @@ in ###### implementation config = mkIf cfg.enable { - users.groups = singleton - { name = "osgi"; - gid = config.ids.gids.osgi; - }; + users.groups.osgi.gid = config.ids.gids.osgi; - users.users = singleton - { name = "osgi"; - uid = config.ids.uids.osgi; + users.users.osgi = + { uid = config.ids.uids.osgi; description = "OSGi user"; home = "/homeless-shelter"; }; diff --git a/nixpkgs/nixos/modules/services/misc/folding-at-home.nix b/nixpkgs/nixos/modules/services/misc/folding-at-home.nix index 122c89ce068..fd2ea3948f6 100644 --- a/nixpkgs/nixos/modules/services/misc/folding-at-home.nix +++ b/nixpkgs/nixos/modules/services/misc/folding-at-home.nix @@ -42,9 +42,8 @@ in { config = mkIf cfg.enable { - users.users = singleton - { name = fahUser; - uid = config.ids.uids.foldingathome; + users.users.${fahUser} = + { uid = config.ids.uids.foldingathome; description = "Folding@Home user"; home = stateDir; }; diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix index c8c59fb256e..258476dd9fe 100644 --- a/nixpkgs/nixos/modules/services/misc/gitea.nix +++ b/nixpkgs/nixos/modules/services/misc/gitea.nix @@ -394,6 +394,26 @@ in WorkingDirectory = cfg.stateDir; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; + + # Filesystem + ProtectHome = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + ReadWritePaths = cfg.stateDir; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; environment = { @@ -453,4 +473,5 @@ in timerConfig.OnCalendar = cfg.dump.interval; }; }; + meta.maintainers = with lib.maintainers; [ srhb ]; } diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.nix b/nixpkgs/nixos/modules/services/misc/gitlab.nix index 07ea9c45843..aa958985379 100644 --- a/nixpkgs/nixos/modules/services/misc/gitlab.nix +++ b/nixpkgs/nixos/modules/services/misc/gitlab.nix @@ -189,6 +189,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ]) + (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") + ]; + options = { services.gitlab = { enable = mkOption { @@ -628,20 +633,14 @@ in { # Use postfix to send out mails. services.postfix.enable = mkDefault true; - users.users = [ - { name = cfg.user; - group = cfg.group; + users.users.${cfg.user} = + { group = cfg.group; home = "${cfg.statePath}/home"; shell = "${pkgs.bash}/bin/bash"; uid = config.ids.uids.gitlab; - } - ]; + }; - users.groups = [ - { name = cfg.group; - gid = config.ids.gids.gitlab; - } - ]; + users.groups.${cfg.group}.gid = config.ids.gids.gitlab; systemd.tmpfiles.rules = [ "d /run/gitlab 0755 ${cfg.user} ${cfg.group} -" diff --git a/nixpkgs/nixos/modules/services/misc/gpsd.nix b/nixpkgs/nixos/modules/services/misc/gpsd.nix index 3bfcb636a3c..f954249942a 100644 --- a/nixpkgs/nixos/modules/services/misc/gpsd.nix +++ b/nixpkgs/nixos/modules/services/misc/gpsd.nix @@ -86,17 +86,13 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = "gpsd"; - inherit uid; + users.users.gpsd = + { inherit uid; description = "gpsd daemon user"; home = "/var/empty"; }; - users.groups = singleton - { name = "gpsd"; - inherit gid; - }; + users.groups.gpsd = { inherit gid; }; systemd.services.gpsd = { description = "GPSD daemon"; diff --git a/nixpkgs/nixos/modules/services/misc/headphones.nix b/nixpkgs/nixos/modules/services/misc/headphones.nix index 4a77045be28..3ee0a4458bd 100644 --- a/nixpkgs/nixos/modules/services/misc/headphones.nix +++ b/nixpkgs/nixos/modules/services/misc/headphones.nix @@ -59,19 +59,19 @@ in config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == name) (singleton { - name = name; - uid = config.ids.uids.headphones; - group = cfg.group; - description = "headphones user"; - home = cfg.dataDir; - createHome = true; - }); + users.users = optionalAttrs (cfg.user == name) { + ${name} = { + uid = config.ids.uids.headphones; + group = cfg.group; + description = "headphones user"; + home = cfg.dataDir; + createHome = true; + }; + }; - users.groups = optionalAttrs (cfg.group == name) (singleton { - name = name; - gid = config.ids.gids.headphones; - }); + users.groups = optionalAttrs (cfg.group == name) { + ${name}.gid = config.ids.gids.headphones; + }; systemd.services.headphones = { description = "Headphones Server"; diff --git a/nixpkgs/nixos/modules/services/misc/home-assistant.nix b/nixpkgs/nixos/modules/services/misc/home-assistant.nix index 74702c97f55..cc113ca2d0c 100644 --- a/nixpkgs/nixos/modules/services/misc/home-assistant.nix +++ b/nixpkgs/nixos/modules/services/misc/home-assistant.nix @@ -11,6 +11,9 @@ let (recursiveUpdate defaultConfig cfg.config) else cfg.config)); configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out + # Hack to support secrets, that are encoded as custom yaml objects, + # https://www.home-assistant.io/docs/configuration/secrets/ + sed -i -e "s/'\!secret \(.*\)'/\!secret \1/" $out ''; lovelaceConfigJSON = pkgs.writeText "ui-lovelace.json" @@ -98,6 +101,10 @@ in { { homeassistant = { name = "Home"; + latitude = "!secret latitude"; + longitude = "!secret longitude"; + elevation = "!secret elevation"; + unit_system = "metric"; time_zone = "UTC"; }; frontend = { }; @@ -108,6 +115,8 @@ in { description = '' Your <filename>configuration.yaml</filename> as a Nix attribute set. Beware that setting this option will delete your previous <filename>configuration.yaml</filename>. + <link xlink:href="https://www.home-assistant.io/docs/configuration/secrets/">Secrets</link> + are encoded as strings as shown in the example. ''; }; diff --git a/nixpkgs/nixos/modules/services/misc/mame.nix b/nixpkgs/nixos/modules/services/misc/mame.nix new file mode 100644 index 00000000000..c5d5e9e4837 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/mame.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.mame; + mame = "mame${lib.optionalString pkgs.stdenv.is64bit "64"}"; +in +{ + options = { + services.mame = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to setup TUN/TAP Ethernet interface for MAME emulator. + ''; + }; + user = mkOption { + type = types.str; + description = '' + User from which you run MAME binary. + ''; + }; + hostAddr = mkOption { + type = types.str; + description = '' + IP address of the host system. Usually an address of the main network + adapter or the adapter through which you get an internet connection. + ''; + example = "192.168.31.156"; + }; + emuAddr = mkOption { + type = types.str; + description = '' + IP address of the guest system. The same you set inside guest OS under + MAME. Should be on the same subnet as <option>services.mame.hostAddr</option>. + ''; + example = "192.168.31.155"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.mame ]; + + security.wrappers."${mame}" = { + source = "${pkgs.mame}/bin/${mame}"; + capabilities = "cap_net_admin,cap_net_raw+eip"; + }; + + systemd.services.mame = { + description = "MAME TUN/TAP Ethernet interface"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.iproute ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.mame}/bin/taputil.sh -c ${cfg.user} ${cfg.emuAddr} ${cfg.hostAddr} -"; + ExecStop = "${pkgs.mame}/bin/taputil.sh -d ${cfg.user}"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ gnidorah ]; +} diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix index 50661b873f6..750f4a292fb 100644 --- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix @@ -657,57 +657,42 @@ in { }; config = mkIf cfg.enable { - users.users = [ - { name = "matrix-synapse"; + users.users.matrix-synapse = { group = "matrix-synapse"; home = cfg.dataDir; createHome = true; shell = "${pkgs.bash}/bin/bash"; uid = config.ids.uids.matrix-synapse; - } ]; + }; - users.groups = [ - { name = "matrix-synapse"; - gid = config.ids.gids.matrix-synapse; - } ]; + users.groups.matrix-synapse = { + gid = config.ids.gids.matrix-synapse; + }; - services.postgresql.enable = mkIf usePostgresql (mkDefault true); + services.postgresql = mkIf (usePostgresql && cfg.create_local_database) { + enable = mkDefault true; + ensureDatabases = [ cfg.database_name ]; + ensureUsers = [{ + name = cfg.database_user; + ensurePermissions = { "DATABASE \"${cfg.database_name}\"" = "ALL PRIVILEGES"; }; + }]; + }; systemd.services.matrix-synapse = { description = "Synapse Matrix homeserver"; - after = [ "network.target" "postgresql.service" ]; + after = [ "network.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service" ; wantedBy = [ "multi-user.target" ]; preStart = '' ${cfg.package}/bin/homeserver \ --config-path ${configFile} \ --keys-directory ${cfg.dataDir} \ --generate-keys - '' + optionalString (usePostgresql && cfg.create_local_database) '' - if ! test -e "${cfg.dataDir}/db-created"; then - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createuser \ - --login \ - --no-createdb \ - --no-createrole \ - --encrypted \ - ${cfg.database_user} - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createdb \ - --owner=${cfg.database_user} \ - --encoding=UTF8 \ - --lc-collate=C \ - --lc-ctype=C \ - --template=template0 \ - ${cfg.database_name} - touch "${cfg.dataDir}/db-created" - fi ''; serviceConfig = { Type = "notify"; User = "matrix-synapse"; Group = "matrix-synapse"; WorkingDirectory = cfg.dataDir; - PermissionsStartOnly = true; ExecStart = '' ${cfg.package}/bin/homeserver \ ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) } diff --git a/nixpkgs/nixos/modules/services/misc/mediatomb.nix b/nixpkgs/nixos/modules/services/misc/mediatomb.nix index 107fb57fe1c..529f584a201 100644 --- a/nixpkgs/nixos/modules/services/misc/mediatomb.nix +++ b/nixpkgs/nixos/modules/services/misc/mediatomb.nix @@ -266,19 +266,19 @@ in { serviceConfig.User = "${cfg.user}"; }; - users.groups = optionalAttrs (cfg.group == "mediatomb") (singleton { - name = "mediatomb"; - gid = gid; - }); + users.groups = optionalAttrs (cfg.group == "mediatomb") { + mediatomb.gid = gid; + }; - users.users = optionalAttrs (cfg.user == "mediatomb") (singleton { - name = "mediatomb"; - isSystemUser = true; - group = cfg.group; - home = "${cfg.dataDir}"; - createHome = true; - description = "Mediatomb DLNA Server User"; - }); + users.users = optionalAttrs (cfg.user == "mediatomb") { + mediatomb = { + isSystemUser = true; + group = cfg.group; + home = "${cfg.dataDir}"; + createHome = true; + description = "Mediatomb DLNA Server User"; + }; + }; networking.firewall = { allowedUDPPorts = [ 1900 cfg.port ]; diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix index dcec4d4fc6c..17c3582db0f 100644 --- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix +++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix @@ -12,8 +12,9 @@ let isNix23 = versionAtLeast nixVersion "2.3pre"; - makeNixBuildUser = nr: - { name = "nixbld${toString nr}"; + makeNixBuildUser = nr: { + name = "nixbld${toString nr}"; + value = { description = "Nix build user ${toString nr}"; /* For consistency with the setgid(2), setuid(2), and setgroups(2) @@ -23,8 +24,9 @@ let group = "nixbld"; extraGroups = [ "nixbld" ]; }; + }; - nixbldUsers = map makeNixBuildUser (range 1 cfg.nrBuildUsers); + nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); nixConf = assert versionAtLeast nixVersion "2.2"; @@ -68,6 +70,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) + (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) + ]; ###### interface @@ -441,7 +447,7 @@ in users.users = nixbldUsers; - services.xserver.displayManager.hiddenUsers = map ({ name, ... }: name) nixbldUsers; + services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers; system.activationScripts.nix = stringAfter [ "etc" "users" ] '' diff --git a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix b/nixpkgs/nixos/modules/services/misc/nixos-manual.nix index 20ba3d8ef0b..ab73f49d4be 100644 --- a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix +++ b/nixpkgs/nixos/modules/services/misc/nixos-manual.nix @@ -52,7 +52,7 @@ in }; }) (mkIf (cfg.showManual && cfgd.enable && cfgd.nixos.enable) { - boot.extraTTYs = [ "tty${toString cfg.ttyNumber}" ]; + console.extraTTYs = [ "tty${toString cfg.ttyNumber}" ]; systemd.services.nixos-manual = { description = "NixOS Manual"; diff --git a/nixpkgs/nixos/modules/services/misc/nzbget.nix b/nixpkgs/nixos/modules/services/misc/nzbget.nix index eb7b4c05d82..715ec891cd6 100644 --- a/nixpkgs/nixos/modules/services/misc/nzbget.nix +++ b/nixpkgs/nixos/modules/services/misc/nzbget.nix @@ -27,6 +27,12 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "misc" "nzbget" "configFile" ] "The configuration of nzbget is now managed by users through the web interface.") + (mkRemovedOptionModule [ "services" "misc" "nzbget" "dataDir" ] "The data directory for nzbget is now /var/lib/nzbget.") + (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") + ]; + # interface options = { diff --git a/nixpkgs/nixos/modules/services/misc/octoprint.nix b/nixpkgs/nixos/modules/services/misc/octoprint.nix index 8950010773c..651ed374388 100644 --- a/nixpkgs/nixos/modules/services/misc/octoprint.nix +++ b/nixpkgs/nixos/modules/services/misc/octoprint.nix @@ -86,16 +86,16 @@ in config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "octoprint") (singleton - { name = "octoprint"; + users.users = optionalAttrs (cfg.user == "octoprint") { + octoprint = { group = cfg.group; uid = config.ids.uids.octoprint; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "octoprint") (singleton - { name = "octoprint"; - gid = config.ids.gids.octoprint; - }); + users.groups = optionalAttrs (cfg.group == "octoprint") { + octoprint.gid = config.ids.gids.octoprint; + }; systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" diff --git a/nixpkgs/nixos/modules/services/misc/parsoid.nix b/nixpkgs/nixos/modules/services/misc/parsoid.nix index c757093e5c1..61626e78f8b 100644 --- a/nixpkgs/nixos/modules/services/misc/parsoid.nix +++ b/nixpkgs/nixos/modules/services/misc/parsoid.nix @@ -26,6 +26,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead") + ]; + ##### interface options = { diff --git a/nixpkgs/nixos/modules/services/misc/pykms.nix b/nixpkgs/nixos/modules/services/misc/pykms.nix index e2d1254602b..25aa27ae767 100644 --- a/nixpkgs/nixos/modules/services/misc/pykms.nix +++ b/nixpkgs/nixos/modules/services/misc/pykms.nix @@ -9,6 +9,10 @@ let in { meta.maintainers = with lib.maintainers; [ peterhoeg ]; + imports = [ + (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead") + ]; + options = { services.pykms = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/misc/redmine.nix b/nixpkgs/nixos/modules/services/misc/redmine.nix index bf9a6914a48..3b8c14d196f 100644 --- a/nixpkgs/nixos/modules/services/misc/redmine.nix +++ b/nixpkgs/nixos/modules/services/misc/redmine.nix @@ -66,7 +66,7 @@ in type = types.package; default = pkgs.redmine; description = "Which Redmine package to use."; - example = "pkgs.redmine.override { ruby = pkgs.ruby_2_4; }"; + example = "pkgs.redmine.override { ruby = pkgs.ruby_2_7; }"; }; user = mkOption { @@ -367,17 +367,17 @@ in }; - users.users = optionalAttrs (cfg.user == "redmine") (singleton - { name = "redmine"; + users.users = optionalAttrs (cfg.user == "redmine") { + redmine = { group = cfg.group; home = cfg.stateDir; uid = config.ids.uids.redmine; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "redmine") (singleton - { name = "redmine"; - gid = config.ids.gids.redmine; - }); + users.groups = optionalAttrs (cfg.group == "redmine") { + redmine.gid = config.ids.gids.redmine; + }; warnings = optional (cfg.database.password != "") ''config.services.redmine.database.password will be stored as plaintext diff --git a/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix b/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix index 042b496d35e..9fab462f7e3 100644 --- a/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix +++ b/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix @@ -185,9 +185,8 @@ in { ]; }; - users.users = singleton - { name = "ripple-data-api"; - description = "Ripple data api user"; + users.users.ripple-data-api = + { description = "Ripple data api user"; uid = config.ids.uids.ripple-data-api; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/rippled.nix b/nixpkgs/nixos/modules/services/misc/rippled.nix index cdf61730de3..ef34e3a779f 100644 --- a/nixpkgs/nixos/modules/services/misc/rippled.nix +++ b/nixpkgs/nixos/modules/services/misc/rippled.nix @@ -406,9 +406,8 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = "rippled"; - description = "Ripple server user"; + users.users.rippled = + { description = "Ripple server user"; uid = config.ids.uids.rippled; home = cfg.databasePath; createHome = true; diff --git a/nixpkgs/nixos/modules/services/misc/rogue.nix b/nixpkgs/nixos/modules/services/misc/rogue.nix index aae02e384c9..d56d103b5f3 100644 --- a/nixpkgs/nixos/modules/services/misc/rogue.nix +++ b/nixpkgs/nixos/modules/services/misc/rogue.nix @@ -40,7 +40,7 @@ in config = mkIf cfg.enable { - boot.extraTTYs = [ cfg.tty ]; + console.extraTTYs = [ cfg.tty ]; systemd.services.rogue = { description = "Rogue dungeon crawling game"; diff --git a/nixpkgs/nixos/modules/services/misc/serviio.nix b/nixpkgs/nixos/modules/services/misc/serviio.nix index 9868192724b..0ead6a81691 100644 --- a/nixpkgs/nixos/modules/services/misc/serviio.nix +++ b/nixpkgs/nixos/modules/services/misc/serviio.nix @@ -63,20 +63,15 @@ in { }; }; - users.users = [ - { - name = "serviio"; - group = "serviio"; + users.users.serviio = + { group = "serviio"; home = cfg.dataDir; description = "Serviio Media Server User"; createHome = true; isSystemUser = true; - } - ]; + }; - users.groups = [ - { name = "serviio";} - ]; + users.groups.serviio = { }; networking.firewall = { allowedTCPPorts = [ diff --git a/nixpkgs/nixos/modules/services/misc/sickbeard.nix b/nixpkgs/nixos/modules/services/misc/sickbeard.nix index 5cfbbe516ae..a32dbfa3108 100644 --- a/nixpkgs/nixos/modules/services/misc/sickbeard.nix +++ b/nixpkgs/nixos/modules/services/misc/sickbeard.nix @@ -63,19 +63,19 @@ in config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == name) (singleton { - name = name; - uid = config.ids.uids.sickbeard; - group = cfg.group; - description = "sickbeard user"; - home = cfg.dataDir; - createHome = true; - }); + users.users = optionalAttrs (cfg.user == name) { + ${name} = { + uid = config.ids.uids.sickbeard; + group = cfg.group; + description = "sickbeard user"; + home = cfg.dataDir; + createHome = true; + }; + }; - users.groups = optionalAttrs (cfg.group == name) (singleton { - name = name; - gid = config.ids.gids.sickbeard; - }); + users.groups = optionalAttrs (cfg.group == name) { + ${name}.gid = config.ids.gids.sickbeard; + }; systemd.services.sickbeard = { description = "Sickbeard Server"; diff --git a/nixpkgs/nixos/modules/services/misc/siproxd.nix b/nixpkgs/nixos/modules/services/misc/siproxd.nix index dcaf73aca44..ae7b27de8e7 100644 --- a/nixpkgs/nixos/modules/services/misc/siproxd.nix +++ b/nixpkgs/nixos/modules/services/misc/siproxd.nix @@ -161,8 +161,7 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = "siproxyd"; + users.users.siproxyd = { uid = config.ids.uids.siproxd; }; diff --git a/nixpkgs/nixos/modules/services/misc/taskserver/default.nix b/nixpkgs/nixos/modules/services/misc/taskserver/default.nix index 8a57277fafe..a894caed1a3 100644 --- a/nixpkgs/nixos/modules/services/misc/taskserver/default.nix +++ b/nixpkgs/nixos/modules/services/misc/taskserver/default.nix @@ -368,16 +368,16 @@ in { (mkIf cfg.enable { environment.systemPackages = [ nixos-taskserver ]; - users.users = optional (cfg.user == "taskd") { - name = "taskd"; - uid = config.ids.uids.taskd; - description = "Taskserver user"; - group = cfg.group; + users.users = optionalAttrs (cfg.user == "taskd") { + taskd = { + uid = config.ids.uids.taskd; + description = "Taskserver user"; + group = cfg.group; + }; }; - users.groups = optional (cfg.group == "taskd") { - name = "taskd"; - gid = config.ids.gids.taskd; + users.groups = optionalAttrs (cfg.group == "taskd") { + taskd.gid = config.ids.gids.taskd; }; services.taskserver.config = { diff --git a/nixpkgs/nixos/modules/services/misc/tautulli.nix b/nixpkgs/nixos/modules/services/misc/tautulli.nix index 50e45036647..aded33629f1 100644 --- a/nixpkgs/nixos/modules/services/misc/tautulli.nix +++ b/nixpkgs/nixos/modules/services/misc/tautulli.nix @@ -6,6 +6,10 @@ let cfg = config.services.tautulli; in { + imports = [ + (mkRenamedOptionModule [ "services" "plexpy" ] [ "services" "tautulli" ]) + ]; + options = { services.tautulli = { enable = mkEnableOption "Tautulli Plex Monitor"; diff --git a/nixpkgs/nixos/modules/services/misc/uhub.nix b/nixpkgs/nixos/modules/services/misc/uhub.nix index 753580c3e40..d1b38831028 100644 --- a/nixpkgs/nixos/modules/services/misc/uhub.nix +++ b/nixpkgs/nixos/modules/services/misc/uhub.nix @@ -41,31 +41,31 @@ in enable = mkOption { type = types.bool; default = false; - description = "Whether to enable the uhub ADC hub."; + description = "Whether to enable the uhub ADC hub."; }; port = mkOption { type = types.int; default = 1511; - description = "TCP port to bind the hub to."; + description = "TCP port to bind the hub to."; }; address = mkOption { type = types.str; default = "any"; - description = "Address to bind the hub to."; + description = "Address to bind the hub to."; }; enableTLS = mkOption { type = types.bool; default = false; - description = "Whether to enable TLS support."; + description = "Whether to enable TLS support."; }; hubConfig = mkOption { type = types.lines; default = ""; - description = "Contents of uhub configuration file."; + description = "Contents of uhub configuration file."; }; aclConfig = mkOption { @@ -77,11 +77,11 @@ in plugins = { authSqlite = { - enable = mkOption { + enable = mkOption { type = types.bool; default = false; description = "Whether to enable the Sqlite authentication database plugin"; - }; + }; file = mkOption { type = types.path; example = "/var/db/uhub-users"; @@ -161,14 +161,8 @@ in config = mkIf cfg.enable { users = { - users = singleton { - name = "uhub"; - uid = config.ids.uids.uhub; - }; - groups = singleton { - name = "uhub"; - gid = config.ids.gids.uhub; - }; + users.uhub.uid = config.ids.uids.uhub; + groups.uhub.gid = config.ids.gids.uhub; }; systemd.services.uhub = { diff --git a/nixpkgs/nixos/modules/services/misc/zookeeper.nix b/nixpkgs/nixos/modules/services/misc/zookeeper.nix index 5d91e44a199..f6af7c75eba 100644 --- a/nixpkgs/nixos/modules/services/misc/zookeeper.nix +++ b/nixpkgs/nixos/modules/services/misc/zookeeper.nix @@ -146,8 +146,7 @@ in { ''; }; - users.users = singleton { - name = "zookeeper"; + users.users.zookeeper = { uid = config.ids.uids.zookeeper; description = "Zookeeper daemon user"; home = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/monitoring/collectd.nix b/nixpkgs/nixos/modules/services/monitoring/collectd.nix index 731ac743b7c..ef3663c62e0 100644 --- a/nixpkgs/nixos/modules/services/monitoring/collectd.nix +++ b/nixpkgs/nixos/modules/services/monitoring/collectd.nix @@ -129,9 +129,10 @@ in { }; }; - users.users = optional (cfg.user == "collectd") { - name = "collectd"; - isSystemUser = true; + users.users = optionalAttrs (cfg.user == "collectd") { + collectd = { + isSystemUser = true; + }; }; }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix b/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix index 02a9f316fc3..2c5fe47242e 100644 --- a/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix @@ -22,9 +22,9 @@ let # Generate Datadog configuration files for each configured checks. # This works because check configurations have predictable paths, # and because JSON is a valid subset of YAML. - makeCheckConfigs = entries: mapAttrsToList (name: conf: { - source = pkgs.writeText "${name}-check-conf.yaml" (builtins.toJSON conf); - target = "datadog-agent/conf.d/${name}.d/conf.yaml"; + makeCheckConfigs = entries: mapAttrs' (name: conf: { + name = "datadog-agent/conf.d/${name}.d/conf.yaml"; + value.source = pkgs.writeText "${name}-check-conf.yaml" (builtins.toJSON conf); }) entries; defaultChecks = { @@ -34,10 +34,11 @@ let # Assemble all check configurations and the top-level agent # configuration. - etcfiles = with pkgs; with builtins; [{ - source = writeText "datadog.yaml" (toJSON ddConf); - target = "datadog-agent/datadog.yaml"; - }] ++ makeCheckConfigs (cfg.checks // defaultChecks); + etcfiles = with pkgs; with builtins; + { "datadog-agent/datadog.yaml" = { + source = writeText "datadog.yaml" (toJSON ddConf); + }; + } // makeCheckConfigs (cfg.checks // defaultChecks); # Apply the configured extraIntegrations to the provided agent # package. See the documentation of `dd-agent/integrations-core.nix` @@ -204,7 +205,7 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ datadogPkg pkgs.sysstat pkgs.procps pkgs.iproute ]; - users.extraUsers.datadog = { + users.users.datadog = { description = "Datadog Agent User"; uid = config.ids.uids.datadog; group = "datadog"; @@ -212,7 +213,7 @@ in { createHome = true; }; - users.extraGroups.datadog.gid = config.ids.gids.datadog; + users.groups.datadog.gid = config.ids.gids.datadog; systemd.services = let makeService = attrs: recursiveUpdate { @@ -224,7 +225,7 @@ in { Restart = "always"; RestartSec = 2; }; - restartTriggers = [ datadogPkg ] ++ map (etc: etc.source) etcfiles; + restartTriggers = [ datadogPkg ] ++ attrNames etcfiles; } attrs; in { datadog-agent = makeService { diff --git a/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix b/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix index 5ee6b092a6a..e91717fb205 100644 --- a/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix @@ -78,37 +78,35 @@ let etcfiles = let defaultConfd = import ./dd-agent-defaults.nix; - in (map (f: { source = "${pkgs.dd-agent}/agent/conf.d-system/${f}"; - target = "dd-agent/conf.d/${f}"; - }) defaultConfd) ++ [ - { source = ddConf; - target = "dd-agent/datadog.conf"; - } - { source = diskConfig; - target = "dd-agent/conf.d/disk.yaml"; - } - { source = networkConfig; - target = "dd-agent/conf.d/network.yaml"; - } ] ++ - (optional (cfg.postgresqlConfig != null) - { source = postgresqlConfig; - target = "dd-agent/conf.d/postgres.yaml"; - }) ++ - (optional (cfg.nginxConfig != null) - { source = nginxConfig; - target = "dd-agent/conf.d/nginx.yaml"; - }) ++ - (optional (cfg.mongoConfig != null) - { source = mongoConfig; - target = "dd-agent/conf.d/mongo.yaml"; - }) ++ - (optional (cfg.processConfig != null) - { source = processConfig; - target = "dd-agent/conf.d/process.yaml"; - }) ++ - (optional (cfg.jmxConfig != null) - { source = jmxConfig; - target = "dd-agent/conf.d/jmx.yaml"; + in + listToAttrs (map (f: { + name = "dd-agent/conf.d/${f}"; + value.source = "${pkgs.dd-agent}/agent/conf.d-system/${f}"; + }) defaultConfd) // + { + "dd-agent/datadog.conf".source = ddConf; + "dd-agent/conf.d/disk.yaml".source = diskConfig; + "dd-agent/conf.d/network.yaml".source = networkConfig; + } // + (optionalAttrs (cfg.postgresqlConfig != null) + { + "dd-agent/conf.d/postgres.yaml".source = postgresqlConfig; + }) // + (optionalAttrs (cfg.nginxConfig != null) + { + "dd-agent/conf.d/nginx.yaml".source = nginxConfig; + }) // + (optionalAttrs (cfg.mongoConfig != null) + { + "dd-agent/conf.d/mongo.yaml".source = mongoConfig; + }) // + (optionalAttrs (cfg.processConfig != null) + { + "dd-agent/conf.d/process.yaml".source = processConfig; + }) // + (optionalAttrs (cfg.jmxConfig != null) + { + "dd-agent/conf.d/jmx.yaml".source = jmxConfig; }); in { diff --git a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix index fe19ed56195..9b65c76ce02 100644 --- a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix +++ b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix @@ -46,8 +46,7 @@ in { config = mkIf cfg.enable { - users.users = singleton { - name = "fusion-inventory"; + users.users.fusion-inventory = { description = "FusionInventory user"; isSystemUser = true; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/graphite.nix b/nixpkgs/nixos/modules/services/monitoring/graphite.nix index f7874af3df2..dd147bb3793 100644 --- a/nixpkgs/nixos/modules/services/monitoring/graphite.nix +++ b/nixpkgs/nixos/modules/services/monitoring/graphite.nix @@ -632,8 +632,7 @@ in { cfg.web.enable || cfg.api.enable || cfg.seyren.enable || cfg.pager.enable || cfg.beacon.enable ) { - users.users = singleton { - name = "graphite"; + users.users.graphite = { uid = config.ids.uids.graphite; description = "Graphite daemon user"; home = dataDir; diff --git a/nixpkgs/nixos/modules/services/monitoring/heapster.nix b/nixpkgs/nixos/modules/services/monitoring/heapster.nix index 6da0831b4c5..585632943fd 100644 --- a/nixpkgs/nixos/modules/services/monitoring/heapster.nix +++ b/nixpkgs/nixos/modules/services/monitoring/heapster.nix @@ -49,8 +49,7 @@ in { }; }; - users.users = singleton { - name = "heapster"; + users.users.heapsterrs = { uid = config.ids.uids.heapster; description = "Heapster user"; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/munin.nix b/nixpkgs/nixos/modules/services/monitoring/munin.nix index 8af0650c738..1ebf7ee6a76 100644 --- a/nixpkgs/nixos/modules/services/monitoring/munin.nix +++ b/nixpkgs/nixos/modules/services/monitoring/munin.nix @@ -317,18 +317,16 @@ in environment.systemPackages = [ pkgs.munin ]; - users.users = [{ - name = "munin"; + users.users.munin = { description = "Munin monitoring user"; group = "munin"; uid = config.ids.uids.munin; home = "/var/lib/munin"; - }]; + }; - users.groups = [{ - name = "munin"; + users.groups.munin = { gid = config.ids.gids.munin; - }]; + }; }) (mkIf nodeCfg.enable { diff --git a/nixpkgs/nixos/modules/services/monitoring/nagios.nix b/nixpkgs/nixos/modules/services/monitoring/nagios.nix index 6a3b9776946..3ca79dddaf5 100644 --- a/nixpkgs/nixos/modules/services/monitoring/nagios.nix +++ b/nixpkgs/nixos/modules/services/monitoring/nagios.nix @@ -8,6 +8,7 @@ let nagiosState = "/var/lib/nagios"; nagiosLogDir = "/var/log/nagios"; + urlPath = "/nagios"; nagiosObjectDefs = cfg.objectDefs; @@ -16,32 +17,39 @@ let preferLocalBuild = true; } "mkdir -p $out; ln -s $nagiosObjectDefs $out/"; - nagiosCfgFile = pkgs.writeText "nagios.cfg" - '' - # Paths for state and logs. - log_file=${nagiosLogDir}/current - log_archive_path=${nagiosLogDir}/archive - status_file=${nagiosState}/status.dat - object_cache_file=${nagiosState}/objects.cache - temp_file=${nagiosState}/nagios.tmp - lock_file=/run/nagios.lock # Not used I think. - state_retention_file=${nagiosState}/retention.dat - query_socket=${nagiosState}/nagios.qh - check_result_path=${nagiosState} - command_file=${nagiosState}/nagios.cmd - - # Configuration files. - #resource_file=resource.cfg - cfg_dir=${nagiosObjectDefsDir} - - # Uid/gid that the daemon runs under. - nagios_user=nagios - nagios_group=nagios - - # Misc. options. - illegal_macro_output_chars=`~$&|'"<> - retain_state_information=1 - ''; # " + nagiosCfgFile = let + default = { + log_file="${nagiosLogDir}/current"; + log_archive_path="${nagiosLogDir}/archive"; + status_file="${nagiosState}/status.dat"; + object_cache_file="${nagiosState}/objects.cache"; + temp_file="${nagiosState}/nagios.tmp"; + lock_file="/run/nagios.lock"; + state_retention_file="${nagiosState}/retention.dat"; + query_socket="${nagiosState}/nagios.qh"; + check_result_path="${nagiosState}"; + command_file="${nagiosState}/nagios.cmd"; + cfg_dir="${nagiosObjectDefsDir}"; + nagios_user="nagios"; + nagios_group="nagios"; + illegal_macro_output_chars="`~$&|'\"<>"; + retain_state_information="1"; + }; + lines = mapAttrsToList (key: value: "${key}=${value}") (default // cfg.extraConfig); + content = concatStringsSep "\n" lines; + file = pkgs.writeText "nagios.cfg" content; + validated = pkgs.runCommand "nagios-checked.cfg" {preferLocalBuild=true;} '' + cp ${file} nagios.cfg + # nagios checks the existence of /var/lib/nagios, but + # it does not exists in the build sandbox, so we fake it + mkdir lib + lib=$(readlink -f lib) + sed -i s@=${nagiosState}@=$lib@ nagios.cfg + ${pkgs.nagios}/bin/nagios -v nagios.cfg && cp ${file} $out + ''; + defaultCfgFile = if cfg.validateConfig then validated else file; + in + if cfg.mainConfigFile == null then defaultCfgFile else cfg.mainConfigFile; # Plain configuration for the Nagios web-interface with no # authentication. @@ -49,12 +57,12 @@ let '' main_config_file=${cfg.mainConfigFile} use_authentication=0 - url_html_path=${cfg.urlPath} + url_html_path=${urlPath} ''; extraHttpdConfig = '' - ScriptAlias ${cfg.urlPath}/cgi-bin ${pkgs.nagios}/sbin + ScriptAlias ${urlPath}/cgi-bin ${pkgs.nagios}/sbin <Directory "${pkgs.nagios}/sbin"> Options ExecCGI @@ -62,7 +70,7 @@ let SetEnv NAGIOS_CGI_CONFIG ${cfg.cgiConfigFile} </Directory> - Alias ${cfg.urlPath} ${pkgs.nagios}/share + Alias ${urlPath} ${pkgs.nagios}/share <Directory "${pkgs.nagios}/share"> Options None @@ -72,16 +80,15 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "nagios" "urlPath" ] "The urlPath option has been removed as it is hard coded to /nagios in the nagios package.") + ]; + + meta.maintainers = with lib.maintainers; [ symphorien ]; + options = { services.nagios = { - enable = mkOption { - default = false; - description = " - Whether to use <link - xlink:href='http://www.nagios.org/'>Nagios</link> to monitor - your system or network. - "; - }; + enable = mkEnableOption "<link xlink:href='http://www.nagios.org/'>Nagios</link> to monitor your system or network."; objectDefs = mkOption { description = " @@ -89,12 +96,14 @@ in the hosts, host groups, services and contacts for the network that you want Nagios to monitor. "; + type = types.listOf types.path; + example = literalExample "[ ./objects.cfg ]"; }; plugins = mkOption { type = types.listOf types.package; - default = [pkgs.nagiosPluginsOfficial pkgs.ssmtp]; - defaultText = "[pkgs.nagiosPluginsOfficial pkgs.ssmtp]"; + default = with pkgs; [ nagiosPluginsOfficial ssmtp mailutils ]; + defaultText = "[pkgs.nagiosPluginsOfficial pkgs.ssmtp pkgs.mailutils]"; description = " Packages to be added to the Nagios <envar>PATH</envar>. Typically used to add plugins, but can be anything. @@ -102,14 +111,29 @@ in }; mainConfigFile = mkOption { - type = types.package; - default = nagiosCfgFile; - defaultText = "nagiosCfgFile"; + type = types.nullOr types.package; + default = null; description = " - Derivation for the main configuration file of Nagios. + If non-null, overrides the main configuration file of Nagios. "; }; + extraConfig = mkOption { + type = types.attrsOf types.str; + example = { + debug_level = "-1"; + debug_file = "/var/log/nagios/debug.log"; + }; + default = {}; + description = "Configuration to add to /etc/nagios.cfg"; + }; + + validateConfig = mkOption { + type = types.bool; + default = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform; + description = "if true, the syntax of the nagios configuration file is checked at build time"; + }; + cgiConfigFile = mkOption { type = types.package; default = nagiosCGICfgFile; @@ -121,6 +145,7 @@ in }; enableWebInterface = mkOption { + type = types.bool; default = false; description = " Whether to enable the Nagios web interface. You should also @@ -128,13 +153,20 @@ in "; }; - urlPath = mkOption { - default = "/nagios"; - description = " - The URL path under which the Nagios web interface appears. - That is, you can access the Nagios web interface through - <literal>http://<replaceable>server</replaceable>/<replaceable>urlPath</replaceable></literal>. - "; + virtualHost = mkOption { + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { hostName = "example.org"; + adminAddr = "webmaster@example.org"; + enableSSL = true; + sslServerCert = "/var/lib/acme/example.org/full.pem"; + sslServerKey = "/var/lib/acme/example.org/key.pem"; + } + ''; + description = '' + Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>. + See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. + ''; }; }; }; @@ -152,16 +184,12 @@ in # This isn't needed, it's just so that the user can type "nagiostats # -c /etc/nagios.cfg". - environment.etc = [ - { source = cfg.mainConfigFile; - target = "nagios.cfg"; - } - ]; + environment.etc."nagios.cfg".source = nagiosCfgFile; environment.systemPackages = [ pkgs.nagios ]; systemd.services.nagios = { description = "Nagios monitoring daemon"; - path = [ pkgs.nagios ]; + path = [ pkgs.nagios ] ++ cfg.plugins; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; @@ -172,16 +200,13 @@ in RestartSec = 2; LogsDirectory = "nagios"; StateDirectory = "nagios"; + ExecStart = "${pkgs.nagios}/bin/nagios /etc/nagios.cfg"; + X-ReloadIfChanged = nagiosCfgFile; }; - - script = '' - for i in ${toString cfg.plugins}; do - export PATH=$i/bin:$i/sbin:$i/libexec:$PATH - done - exec ${pkgs.nagios}/bin/nagios ${cfg.mainConfigFile} - ''; }; - services.httpd.extraConfig = optionalString cfg.enableWebInterface extraHttpdConfig; + services.httpd.virtualHosts = optionalAttrs cfg.enableWebInterface { + ${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { extraConfig = extraHttpdConfig; } ]; + }; }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/netdata.nix b/nixpkgs/nixos/modules/services/monitoring/netdata.nix index 3ffde8e9bce..f8225af2042 100644 --- a/nixpkgs/nixos/modules/services/monitoring/netdata.nix +++ b/nixpkgs/nixos/modules/services/monitoring/netdata.nix @@ -179,13 +179,14 @@ in { { domain = "netdata"; type = "hard"; item = "nofile"; value = "30000"; } ]; - users.users = optional (cfg.user == defaultUser) { - name = defaultUser; - isSystemUser = true; + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = { + isSystemUser = true; + }; }; - users.groups = optional (cfg.group == defaultUser) { - name = defaultUser; + users.groups = optionalAttrs (cfg.group == defaultUser) { + ${defaultUser} = { }; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix index 11d85e9c4fc..9af6b1d94f3 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix @@ -27,6 +27,15 @@ let "--log.format ${cfg.logFormat}" ); in { + imports = [ + (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' + Due to incompatibility, the alertmanagerURL option has been removed, + please use 'services.prometheus2.alertmanagers' instead. + '') + ]; + options = { services.prometheus.alertmanager = { enable = mkEnableOption "Prometheus Alertmanager"; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix index 191c0bff9c8..b67f697ca0d 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix @@ -464,6 +464,11 @@ let }; in { + + imports = [ + (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) + ]; + options.services.prometheus = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix index 53f32b8fadc..36ebffa4463 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -160,6 +160,24 @@ let }; in { + + imports = (lib.forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" + "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" + "snmpExporter" "unifiExporter" "varnishExporter" ] + (opt: lib.mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' + The prometheus exporters are now configured using `services.prometheus.exporters'. + See the 18.03 release notes for more information. + '' )) + + ++ (lib.forEach [ "enable" "substitutions" "preset" ] + (opt: lib.mkRemovedOptionModule [ "fonts" "fontconfig" "ultimate" "${opt}" ] '' + The fonts.fontconfig.ultimate module and configuration is obsolete. + The repository has since been archived and activity has ceased. + https://github.com/bohoomil/fontconfig-ultimate/issues/171. + No action should be needed for font configuration, as the fonts.fontconfig + module is already used by default. + '' )); + options.services.prometheus.exporters = mkOption { type = types.submodule { options = (mkSubModules); diff --git a/nixpkgs/nixos/modules/services/monitoring/statsd.nix b/nixpkgs/nixos/modules/services/monitoring/statsd.nix index ea155821ecc..17836e95a6f 100644 --- a/nixpkgs/nixos/modules/services/monitoring/statsd.nix +++ b/nixpkgs/nixos/modules/services/monitoring/statsd.nix @@ -125,8 +125,7 @@ in message = "Only builtin backends (graphite, console, repeater) or backends enumerated in `pkgs.nodePackages` are allowed!"; }) cfg.backends; - users.users = singleton { - name = "statsd"; + users.use.statsdrs = { uid = config.ids.uids.statsd; description = "Statsd daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/sysstat.nix b/nixpkgs/nixos/modules/services/monitoring/sysstat.nix index d668faa53cc..ca2cff82723 100644 --- a/nixpkgs/nixos/modules/services/monitoring/sysstat.nix +++ b/nixpkgs/nixos/modules/services/monitoring/sysstat.nix @@ -5,15 +5,10 @@ let in { options = { services.sysstat = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable sar system activity collection. - ''; - }; + enable = mkEnableOption "sar system activity collection"; collect-frequency = mkOption { + type = types.str; default = "*:00/10"; description = '' OnCalendar specification for sysstat-collect @@ -21,6 +16,7 @@ in { }; collect-args = mkOption { + type = types.str; default = "1 1"; description = '' Arguments to pass sa1 when collecting statistics @@ -33,13 +29,13 @@ in { systemd.services.sysstat = { description = "Resets System Activity Logs"; wantedBy = [ "multi-user.target" ]; - preStart = "test -d /var/log/sa || mkdir -p /var/log/sa"; serviceConfig = { User = "root"; RemainAfterExit = true; Type = "oneshot"; ExecStart = "${pkgs.sysstat}/lib/sa/sa1 --boot"; + LogsDirectory = "sa"; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/telegraf.nix b/nixpkgs/nixos/modules/services/monitoring/telegraf.nix index d8786732668..5d131557e8b 100644 --- a/nixpkgs/nixos/modules/services/monitoring/telegraf.nix +++ b/nixpkgs/nixos/modules/services/monitoring/telegraf.nix @@ -63,10 +63,9 @@ in { }; }; - users.users = [{ - name = "telegraf"; + users.users.telegraf = { uid = config.ids.uids.telegraf; description = "telegraf daemon user"; - }]; + }; }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/ups.nix b/nixpkgs/nixos/modules/services/monitoring/ups.nix index 1bdc4e4410f..a45e806d4ad 100644 --- a/nixpkgs/nixos/modules/services/monitoring/ups.nix +++ b/nixpkgs/nixos/modules/services/monitoring/ups.nix @@ -214,14 +214,12 @@ in environment.NUT_STATEPATH = "/var/lib/nut/"; }; - environment.etc = [ - { source = pkgs.writeText "nut.conf" + environment.etc = { + "nut/nut.conf".source = pkgs.writeText "nut.conf" '' MODE = ${cfg.mode} ''; - target = "nut/nut.conf"; - } - { source = pkgs.writeText "ups.conf" + "nut/ups.conf".source = pkgs.writeText "ups.conf" '' maxstartdelay = ${toString cfg.maxStartDelay} @@ -229,25 +227,15 @@ in "} ''; - target = "nut/ups.conf"; - } - { source = cfg.schedulerRules; - target = "nut/upssched.conf"; - } + "nut/upssched.conf".source = cfg.schedulerRules; # These file are containing private informations and thus should not # be stored inside the Nix store. /* - { source = ; - target = "nut/upsd.conf"; - } - { source = ; - target = "nut/upsd.users"; - } - { source = ; - target = "nut/upsmon.conf; - } + "nut/upsd.conf".source = ""; + "nut/upsd.users".source = ""; + "nut/upsmon.conf".source = ""; */ - ]; + }; power.ups.schedulerRules = mkDefault "${pkgs.nut}/etc/upssched.conf.sample"; @@ -259,21 +247,16 @@ in /* - users.users = [ - { name = "nut"; - uid = 84; + users.users.nut = + { uid = 84; home = "/var/lib/nut"; createHome = true; group = "nut"; description = "UPnP A/V Media Server user"; - } - ]; - - users.groups = [ - { name = "nut"; - gid = 84; - } - ]; + }; + + users.groups."nut" = + { gid = 84; }; */ }; diff --git a/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix b/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix index e9f1590760a..b4e4378ce1e 100644 --- a/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix +++ b/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix @@ -44,6 +44,11 @@ let in { + imports = [ + (lib.mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ]) + (lib.mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") + ]; + # interface options = { diff --git a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix index 543a7b25d5d..d17959a6a30 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix @@ -371,15 +371,14 @@ in in generators.toINI {} totalConfig; - users.users = singleton { - name = "ceph"; + users.users.ceph = { uid = config.ids.uids.ceph; description = "Ceph daemon user"; group = "ceph"; extraGroups = [ "disk" ]; }; - users.groups = singleton { - name = "ceph"; + + users.groups.ceph = { gid = config.ids.gids.ceph; }; diff --git a/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix b/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix index 100d458d536..4b6f85e4a2c 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix @@ -57,18 +57,19 @@ in environment.systemPackages = [ pkgs.davfs2 ]; environment.etc."davfs2/davfs2.conf".source = cfgFile; - users.groups = optionalAttrs (cfg.davGroup == "davfs2") (singleton { - name = "davfs2"; - gid = config.ids.gids.davfs2; - }); + users.groups = optionalAttrs (cfg.davGroup == "davfs2") { + davfs2.gid = config.ids.gids.davfs2; + }; + + users.users = optionalAttrs (cfg.davUser == "davfs2") { + davfs2 = { + createHome = false; + group = cfg.davGroup; + uid = config.ids.uids.davfs2; + description = "davfs2 user"; + }; + }; - users.users = optionalAttrs (cfg.davUser == "davfs2") (singleton { - name = "davfs2"; - createHome = false; - group = cfg.davGroup; - uid = config.ids.uids.davfs2; - description = "davfs2 user"; - }); }; } diff --git a/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix b/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix index 4ab74ed8e1c..916e7eaaaa9 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix @@ -47,10 +47,8 @@ let cfg = config.services.drbd; in options drbd usermode_helper=/run/current-system/sw/bin/drbdadm ''; - environment.etc = singleton - { source = pkgs.writeText "drbd.conf" cfg.config; - target = "drbd.conf"; - }; + environment.etc.drbd.conf = + { source = pkgs.writeText "drbd.conf" cfg.config; }; systemd.services.drbd = { after = [ "systemd-udev.settle.service" "network.target" ]; diff --git a/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix b/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix index 1a78f9a76a3..1b62bfa8203 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix @@ -11,6 +11,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) + (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix index 875ab70bfc7..a3c22ce6948 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix @@ -65,6 +65,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "") + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/networking/3proxy.nix b/nixpkgs/nixos/modules/services/networking/3proxy.nix new file mode 100644 index 00000000000..26aa1667946 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/3proxy.nix @@ -0,0 +1,424 @@ +{ config, lib, pkgs, ... }: +with lib; +let + pkg = pkgs._3proxy; + cfg = config.services._3proxy; + optionalList = list: if list == [ ] then "*" else concatMapStringsSep "," toString list; +in { + options.services._3proxy = { + enable = mkEnableOption "3proxy"; + confFile = mkOption { + type = types.path; + example = "/var/lib/3proxy/3proxy.conf"; + description = '' + Ignore all other 3proxy options and load configuration from this file. + ''; + }; + usersFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/3proxy/3proxy.passwd"; + description = '' + Load users and passwords from this file. + + Example users file with plain-text passwords: + + <literal> + test1:CL:password1 + test2:CL:password2 + </literal> + + Example users file with md5-crypted passwords: + + <literal> + test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 + test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME. + </literal> + + You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ + Note that htpasswd tool generates incompatible md5-crypted passwords. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/How-To-(incomplete)#USERS">documentation</link> for more information. + ''; + }; + services = mkOption { + type = types.listOf (types.submodule { + options = { + type = mkOption { + type = types.enum [ + "proxy" + "socks" + "pop3p" + "ftppr" + "admin" + "dnspr" + "tcppm" + "udppm" + ]; + example = "proxy"; + description = '' + Service type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"proxy"</literal>: HTTP/HTTPS proxy (default port 3128). + </para></listitem> + <listitem><para> + <literal>"socks"</literal>: SOCKS 4/4.5/5 proxy (default port 1080). + </para></listitem> + <listitem><para> + <literal>"pop3p"</literal>: POP3 proxy (default port 110). + </para></listitem> + <listitem><para> + <literal>"ftppr"</literal>: FTP proxy (default port 21). + </para></listitem> + <listitem><para> + <literal>"admin"</literal>: Web interface (default port 80). + </para></listitem> + <listitem><para> + <literal>"dnspr"</literal>: Caching DNS proxy (default port 53). + </para></listitem> + <listitem><para> + <literal>"tcppm"</literal>: TCP portmapper. + </para></listitem> + <listitem><para> + <literal>"udppm"</literal>: UDP portmapper. + </para></listitem> + </itemizedlist> + ''; + }; + bindAddress = mkOption { + type = types.str; + default = "[::]"; + example = "127.0.0.1"; + description = '' + Address used for service. + ''; + }; + bindPort = mkOption { + type = types.nullOr types.int; + default = null; + example = 3128; + description = '' + Override default port used for service. + ''; + }; + maxConnections = mkOption { + type = types.int; + default = 100; + example = 1000; + description = '' + Maximum number of simulationeous connections to this service. + ''; + }; + auth = mkOption { + type = types.listOf (types.enum [ "none" "iponly" "strong" ]); + example = [ "iponly" "strong" ]; + description = '' + Authentication type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"none"</literal>: disables both authentication and authorization. You can not use ACLs. + </para></listitem> + <listitem><para> + <literal>"iponly"</literal>: specifies no authentication. ACLs authorization is used. + </para></listitem> + <listitem><para> + <literal>"strong"</literal>: authentication by username/password. If user is not registered his access is denied regardless of ACLs. + </para></listitem> + </itemizedlist> + + Double authentication is possible, e.g. + + <literal> + { + auth = [ "iponly" "strong" ]; + acl = [ + { + rule = "allow"; + targets = [ "192.168.0.0/16" ]; + } + { + rule = "allow" + users = [ "user1" "user2" ]; + } + ]; + } + </literal> + In this example strong username authentication is not required to access 192.168.0.0/16. + ''; + }; + acl = mkOption { + type = types.listOf (types.submodule { + options = { + rule = mkOption { + type = types.enum [ "allow" "deny" ]; + example = "allow"; + description = '' + ACL rule. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"allow"</literal>: connections allowed. + </para></listitem> + <listitem><para> + <literal>"deny"</literal>: connections not allowed. + </para></listitem> + </itemizedlist> + ''; + }; + users = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "user1" "user2" "user3" ]; + description = '' + List of users, use empty list for any. + ''; + }; + sources = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of source IP range, use empty list for any. + ''; + }; + targets = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of target IP ranges, use empty list for any. + May also contain host names instead of addresses. + It's possible to use wildmask in the begginning and in the the end of hostname, e.g. *badsite.com or *badcontent*. + Hostname is only checked if hostname presents in request. + ''; + }; + targetPorts = mkOption { + type = types.listOf types.int; + default = [ ]; + example = [ 80 443 ]; + description = '' + List of target ports, use empty list for any. + ''; + }; + }; + }); + default = [ ]; + example = literalExample '' + [ + { + rule = "allow"; + users = [ "user1" ]; + } + { + rule = "allow"; + sources = [ "192.168.1.0/24" ]; + } + { + rule = "deny"; + } + ] + ''; + description = '' + Use this option to limit user access to resources. + ''; + }; + extraArguments = mkOption { + type = types.nullOr types.str; + default = null; + example = "-46"; + description = '' + Extra arguments for service. + Consult "Options" section in <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available arguments. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration for service. Use this to configure things like bandwidth limiter or ACL-based redirection. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + }); + default = [ ]; + example = literalExample '' + [ + { + type = "proxy"; + bindAddress = "192.168.1.24"; + bindPort = 3128; + auth = [ "none" ]; + } + { + type = "proxy"; + bindAddress = "10.10.1.20"; + bindPort = 3128; + auth = [ "iponly" ]; + } + { + type = "socks"; + bindAddress = "172.17.0.1"; + bindPort = 1080; + auth = [ "strong" ]; + } + ] + ''; + description = '' + Use this option to define 3proxy services. + ''; + }; + denyPrivate = mkOption { + type = types.bool; + default = true; + description = '' + Whether to deny access to private IP ranges including loopback. + ''; + }; + privateRanges = mkOption { + type = types.listOf types.str; + default = [ + "0.0.0.0/8" + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/10" + "172.16.0.0/12" + "192.168.0.0/16" + "::" + "::1" + "fc00::/7" + ]; + example = [ + "0.0.0.0/8" + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/10" + "172.16.0.0/12" + "192.168.0.0/16" + "::" + "::1" + "fc00::/7" + ]; + description = '' + What IP ranges to deny access when denyPrivate is set tu true. + ''; + }; + resolution = mkOption { + type = types.submodule { + options = { + nserver = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.53" "192.168.1.3:5353/tcp" ]; + description = '' + List of nameservers to use. + + Up to 5 nservers may be specified. If no nserver is configured, + default system name resolution functions are used. + ''; + }; + nscache = mkOption { + type = types.int; + default = 65535; + example = 65535; + description = "Set name cache size for IPv4."; + }; + nscache6 = mkOption { + type = types.int; + default = 65535; + example = 65535; + description = "Set name cache size for IPv6."; + }; + nsrecord = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { + "files.local" = "192.168.1.12"; + "site.local" = "192.168.1.43"; + }; + description = "Adds static nsrecords."; + }; + }; + }; + default = { }; + description = '' + Use this option to configure name resolution and DNS caching. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration, appended to the 3proxy configuration file. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + + config = mkIf cfg.enable { + services._3proxy.confFile = mkDefault (pkgs.writeText "3proxy.conf" '' + # log to stdout + log + + ${concatMapStringsSep "\n" (x: "nserver " + x) cfg.resolution.nserver} + + nscache ${toString cfg.resolution.nscache} + nscache6 ${toString cfg.resolution.nscache6} + + ${concatMapStringsSep "\n" (x: "nsrecord " + x) + (mapAttrsToList (name: value: "${name} ${value}") + cfg.resolution.nsrecord)} + + ${optionalString (cfg.usersFile != null) + ''users $"${cfg.usersFile}"'' + } + + ${concatMapStringsSep "\n" (service: '' + auth ${concatStringsSep " " service.auth} + + ${optionalString (cfg.denyPrivate) + "deny * * ${optionalList cfg.privateRanges}"} + + ${concatMapStringsSep "\n" (acl: + "${acl.rule} ${ + concatMapStringsSep " " optionalList [ + acl.users + acl.sources + acl.targets + acl.targetPorts + ] + }") service.acl} + + maxconn ${toString service.maxConnections} + + ${optionalString (service.extraConfig != null) service.extraConfig} + + ${service.type} -i${toString service.bindAddress} ${ + optionalString (service.bindPort != null) + "-p${toString service.bindPort}" + } ${ + optionalString (service.extraArguments != null) service.extraArguments + } + + flush + '') cfg.services} + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + ''); + systemd.services."3proxy" = { + description = "Tiny free proxy server"; + documentation = [ "https://github.com/z3APA3A/3proxy/wiki" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + StateDirectory = "3proxy"; + ExecStart = "${pkg}/bin/3proxy ${cfg.confFile}"; + Restart = "on-failure"; + }; + }; + }; + + meta.maintainers = with maintainers; [ misuzu ]; +} diff --git a/nixpkgs/nixos/modules/services/networking/bind.nix b/nixpkgs/nixos/modules/services/networking/bind.nix index d09c6735e12..e3b95afb3d8 100644 --- a/nixpkgs/nixos/modules/services/networking/bind.nix +++ b/nixpkgs/nixos/modules/services/networking/bind.nix @@ -178,9 +178,8 @@ in networking.resolvconf.useLocalResolver = mkDefault true; - users.users = singleton - { name = bindUser; - uid = config.ids.uids.bind; + users.users.${bindUser} = + { uid = config.ids.uids.bind; description = "BIND daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/bitlbee.nix b/nixpkgs/nixos/modules/services/networking/bitlbee.nix index 274b3617160..54fe70f7ccc 100644 --- a/nixpkgs/nixos/modules/services/networking/bitlbee.nix +++ b/nixpkgs/nixos/modules/services/networking/bitlbee.nix @@ -161,8 +161,7 @@ in config = mkMerge [ (mkIf config.services.bitlbee.enable { - users.users = singleton { - name = "bitlbee"; + users.users.bitlbee = { uid = bitlbeeUid; description = "BitlBee user"; home = "/var/lib/bitlbee"; diff --git a/nixpkgs/nixos/modules/services/networking/charybdis.nix b/nixpkgs/nixos/modules/services/networking/charybdis.nix index da26246e703..43829d36e41 100644 --- a/nixpkgs/nixos/modules/services/networking/charybdis.nix +++ b/nixpkgs/nixos/modules/services/networking/charybdis.nix @@ -71,15 +71,13 @@ in config = mkIf cfg.enable (lib.mkMerge [ { - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "Charybdis IRC daemon user"; uid = config.ids.uids.ircd; group = cfg.group; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.ircd; }; diff --git a/nixpkgs/nixos/modules/services/networking/connman.nix b/nixpkgs/nixos/modules/services/networking/connman.nix index cac517f410e..e8eadc4e187 100644 --- a/nixpkgs/nixos/modules/services/networking/connman.nix +++ b/nixpkgs/nixos/modules/services/networking/connman.nix @@ -11,8 +11,13 @@ let ${cfg.extraConfig} ''; + enableIwd = cfg.wifi.backend == "iwd"; in { + imports = [ + (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ]) + ]; + ###### interface options = { @@ -52,6 +57,17 @@ in { ''; }; + wifi = { + backend = mkOption { + type = types.enum [ "wpa_supplicant" "iwd" ]; + default = "wpa_supplicant"; + description = '' + Specify the Wi-Fi backend used. + Currently supported are <option>wpa_supplicant</option> or <option>iwd</option>. + ''; + }; + }; + extraFlags = mkOption { type = with types; listOf str; default = [ ]; @@ -73,9 +89,6 @@ in { assertion = !config.networking.useDHCP; message = "You can not use services.connman with networking.useDHCP"; }{ - assertion = config.networking.wireless.enable; - message = "You must use services.connman with networking.wireless"; - }{ assertion = !config.networking.networkmanager.enable; message = "You can not use services.connman with networking.networkmanager"; }]; @@ -85,12 +98,18 @@ in { systemd.services.connman = { description = "Connection service"; wantedBy = [ "multi-user.target" ]; - after = [ "syslog.target" ]; + after = [ "syslog.target" ] ++ optional enableIwd "iwd.service"; + requires = optional enableIwd "iwd.service"; serviceConfig = { Type = "dbus"; BusName = "net.connman"; Restart = "on-failure"; - ExecStart = "${pkgs.connman}/sbin/connmand --config=${configFile} --nodaemon ${toString cfg.extraFlags}"; + ExecStart = toString ([ + "${pkgs.connman}/sbin/connmand" + "--config=${configFile}" + "--nodaemon" + ] ++ optional enableIwd "--wifi=iwd_agent" + ++ cfg.extraFlags); StandardOutput = "null"; }; }; @@ -121,7 +140,12 @@ in { networking = { useDHCP = false; - wireless.enable = true; + wireless = { + enable = mkIf (!enableIwd) true; + iwd = mkIf enableIwd { + enable = true; + }; + }; networkmanager.enable = false; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/coturn.nix b/nixpkgs/nixos/modules/services/networking/coturn.nix index c430ce5af92..1bfbc307c59 100644 --- a/nixpkgs/nixos/modules/services/networking/coturn.nix +++ b/nixpkgs/nixos/modules/services/networking/coturn.nix @@ -294,16 +294,14 @@ in { }; config = mkIf cfg.enable { - users.users = [ - { name = "turnserver"; - uid = config.ids.uids.turnserver; + users.users.turnserver = + { uid = config.ids.uids.turnserver; description = "coturn TURN server user"; - } ]; - users.groups = [ - { name = "turnserver"; - gid = config.ids.gids.turnserver; + }; + users.groups.turnserver = + { gid = config.ids.gids.turnserver; members = [ "turnserver" ]; - } ]; + }; systemd.services.coturn = { description = "coturn TURN server"; diff --git a/nixpkgs/nixos/modules/services/networking/ddclient.nix b/nixpkgs/nixos/modules/services/networking/ddclient.nix index 04ce5ca3a87..053efe71270 100644 --- a/nixpkgs/nixos/modules/services/networking/ddclient.nix +++ b/nixpkgs/nixos/modules/services/networking/ddclient.nix @@ -30,6 +30,14 @@ with lib; { + imports = [ + (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] + (config: + let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; + in if value != "" then [ value ] else [])) + (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/networking/dhcpcd.nix b/nixpkgs/nixos/modules/services/networking/dhcpcd.nix index 7b278603455..6fbc014db71 100644 --- a/nixpkgs/nixos/modules/services/networking/dhcpcd.nix +++ b/nixpkgs/nixos/modules/services/networking/dhcpcd.nix @@ -185,11 +185,7 @@ in environment.systemPackages = [ dhcpcd ]; - environment.etc = - [ { source = exitHook; - target = "dhcpcd.exit-hook"; - } - ]; + environment.etc."dhcpcd.exit-hook".source = exitHook; powerManagement.resumeCommands = mkIf config.systemd.services.dhcpcd.enable '' diff --git a/nixpkgs/nixos/modules/services/networking/dhcpd.nix b/nixpkgs/nixos/modules/services/networking/dhcpd.nix index 0b2063bc424..67f7d811887 100644 --- a/nixpkgs/nixos/modules/services/networking/dhcpd.nix +++ b/nixpkgs/nixos/modules/services/networking/dhcpd.nix @@ -182,6 +182,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/networking/dnschain.nix b/nixpkgs/nixos/modules/services/networking/dnschain.nix index b837bf816a1..003609ea705 100644 --- a/nixpkgs/nixos/modules/services/networking/dnschain.nix +++ b/nixpkgs/nixos/modules/services/networking/dnschain.nix @@ -147,8 +147,7 @@ in ''; }; - users.users = singleton { - name = username; + users.users.${username} = { description = "DNSChain daemon user"; home = dataDir; createHome = true; @@ -180,4 +179,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix index 79f9e1a4308..e53fb7a1578 100644 --- a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -197,4 +197,7 @@ in { }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/dnsmasq.nix b/nixpkgs/nixos/modules/services/networking/dnsmasq.nix index 714a5903bff..377d7bc5705 100644 --- a/nixpkgs/nixos/modules/services/networking/dnsmasq.nix +++ b/nixpkgs/nixos/modules/services/networking/dnsmasq.nix @@ -86,8 +86,7 @@ in services.dbus.packages = [ dnsmasq ]; - users.users = singleton { - name = "dnsmasq"; + users.users.dnsmasq = { uid = config.ids.uids.dnsmasq; description = "Dnsmasq daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/ejabberd.nix b/nixpkgs/nixos/modules/services/networking/ejabberd.nix index 6a38f85c48a..a5af25b983b 100644 --- a/nixpkgs/nixos/modules/services/networking/ejabberd.nix +++ b/nixpkgs/nixos/modules/services/networking/ejabberd.nix @@ -94,18 +94,18 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - users.users = optionalAttrs (cfg.user == "ejabberd") (singleton - { name = "ejabberd"; + users.users = optionalAttrs (cfg.user == "ejabberd") { + ejabberd = { group = cfg.group; home = cfg.spoolDir; createHome = true; uid = config.ids.uids.ejabberd; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "ejabberd") (singleton - { name = "ejabberd"; - gid = config.ids.gids.ejabberd; - }); + users.groups = optionalAttrs (cfg.group == "ejabberd") { + ejabberd.gid = config.ids.gids.ejabberd; + }; systemd.services.ejabberd = { description = "ejabberd server"; diff --git a/nixpkgs/nixos/modules/services/networking/fakeroute.nix b/nixpkgs/nixos/modules/services/networking/fakeroute.nix index 82a9fb729d8..7916ad4098a 100644 --- a/nixpkgs/nixos/modules/services/networking/fakeroute.nix +++ b/nixpkgs/nixos/modules/services/networking/fakeroute.nix @@ -60,4 +60,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/firewall.nix b/nixpkgs/nixos/modules/services/networking/firewall.nix index 5919962837a..15aaf741067 100644 --- a/nixpkgs/nixos/modules/services/networking/firewall.nix +++ b/nixpkgs/nixos/modules/services/networking/firewall.nix @@ -42,16 +42,7 @@ let kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); - helpers = - '' - # Helper command to manipulate both the IPv4 and IPv6 tables. - ip46tables() { - iptables -w "$@" - ${optionalString config.networking.enableIPv6 '' - ip6tables -w "$@" - ''} - } - ''; + helpers = import ./helpers.nix { inherit config lib; }; writeShScript = name: text: let dir = pkgs.writeScriptBin name '' #! ${pkgs.runtimeShell} -e @@ -271,7 +262,7 @@ let apply = canonicalizePortList; example = [ 22 80 ]; description = - '' + '' List of TCP ports on which incoming connections are accepted. ''; @@ -282,7 +273,7 @@ let default = [ ]; example = [ { from = 8999; to = 9003; } ]; description = - '' + '' A range of TCP ports on which incoming connections are accepted. ''; diff --git a/nixpkgs/nixos/modules/services/networking/gale.nix b/nixpkgs/nixos/modules/services/networking/gale.nix index 7083d87c407..cb954fd836b 100644 --- a/nixpkgs/nixos/modules/services/networking/gale.nix +++ b/nixpkgs/nixos/modules/services/networking/gale.nix @@ -104,14 +104,13 @@ in systemPackages = [ pkgs.gale ]; }; - users.users = [{ - name = cfg.user; + users.users.${cfg.user} = { description = "Gale daemon"; uid = config.ids.uids.gale; group = cfg.group; home = home; createHome = true; - }]; + }; users.groups = [{ name = cfg.group; diff --git a/nixpkgs/nixos/modules/services/networking/git-daemon.nix b/nixpkgs/nixos/modules/services/networking/git-daemon.nix index a638a3083fb..6f2e149433f 100644 --- a/nixpkgs/nixos/modules/services/networking/git-daemon.nix +++ b/nixpkgs/nixos/modules/services/networking/git-daemon.nix @@ -104,16 +104,16 @@ in config = mkIf cfg.enable { - users.users = if cfg.user != "git" then {} else singleton - { name = "git"; + users.users = optionalAttrs (cfg.user != "git") { + git = { uid = config.ids.uids.git; description = "Git daemon user"; }; + }; - users.groups = if cfg.group != "git" then {} else singleton - { name = "git"; - gid = config.ids.gids.git; - }; + users.groups = optionalAttrs (cfg.group != "git") { + git.gid = config.ids.gids.git; + }; systemd.services.git-daemon = { after = [ "network.target" ]; diff --git a/nixpkgs/nixos/modules/services/networking/gnunet.nix b/nixpkgs/nixos/modules/services/networking/gnunet.nix index 178a832c166..69d4ed04775 100644 --- a/nixpkgs/nixos/modules/services/networking/gnunet.nix +++ b/nixpkgs/nixos/modules/services/networking/gnunet.nix @@ -42,6 +42,7 @@ in services.gnunet = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to run the GNUnet daemon. GNUnet is GNU's anonymous @@ -51,6 +52,7 @@ in fileSharing = { quota = mkOption { + type = types.int; default = 1024; description = '' Maximum file system usage (in MiB) for file sharing. @@ -60,6 +62,7 @@ in udp = { port = mkOption { + type = types.port; default = 2086; # assigned by IANA description = '' The UDP port for use by GNUnet. @@ -69,6 +72,7 @@ in tcp = { port = mkOption { + type = types.port; default = 2086; # assigned by IANA description = '' The TCP port for use by GNUnet. @@ -78,6 +82,7 @@ in load = { maxNetDownBandwidth = mkOption { + type = types.int; default = 50000; description = '' Maximum bandwidth usage (in bits per second) for GNUnet @@ -86,6 +91,7 @@ in }; maxNetUpBandwidth = mkOption { + type = types.int; default = 50000; description = '' Maximum bandwidth usage (in bits per second) for GNUnet @@ -94,6 +100,7 @@ in }; hardNetUpBandwidth = mkOption { + type = types.int; default = 0; description = '' Hard bandwidth limit (in bits per second) when uploading @@ -111,6 +118,7 @@ in }; extraOptions = mkOption { + type = types.lines; default = ""; description = '' Additional options that will be copied verbatim in `gnunet.conf'. diff --git a/nixpkgs/nixos/modules/services/networking/hans.nix b/nixpkgs/nixos/modules/services/networking/hans.nix index 4f60300f5ff..8334dc68d62 100644 --- a/nixpkgs/nixos/modules/services/networking/hans.nix +++ b/nixpkgs/nixos/modules/services/networking/hans.nix @@ -135,8 +135,7 @@ in }; }; - users.users = singleton { - name = hansUser; + users.users.${hansUser} = { description = "Hans daemon user"; isSystemUser = true; }; diff --git a/nixpkgs/nixos/modules/services/networking/helpers.nix b/nixpkgs/nixos/modules/services/networking/helpers.nix new file mode 100644 index 00000000000..d7d42de0e3a --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/helpers.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: '' + # Helper command to manipulate both the IPv4 and IPv6 tables. + ip46tables() { + iptables -w "$@" + ${ + lib.optionalString config.networking.enableIPv6 '' + ip6tables -w "$@" + '' + } + } +'' diff --git a/nixpkgs/nixos/modules/services/networking/i2pd.nix b/nixpkgs/nixos/modules/services/networking/i2pd.nix index f2be417738e..326d34f6ca9 100644 --- a/nixpkgs/nixos/modules/services/networking/i2pd.nix +++ b/nixpkgs/nixos/modules/services/networking/i2pd.nix @@ -158,10 +158,10 @@ let (sec "addressbook") (strOpt "defaulturl" cfg.addressbook.defaulturl) ] ++ (optionalEmptyList "subscriptions" cfg.addressbook.subscriptions) - ++ (flip map - (collect (proto: proto ? port && proto ? address && proto ? name) cfg.proto) + ++ (flip mapAttrs + (collect (name: proto: proto ? port && proto ? address && proto ? name) cfg.proto) (proto: let protoOpts = [ - (sec proto.name) + (sec name) (boolOpt "enabled" proto.enable) (strOpt "address" proto.address) (intOpt "port" proto.port) @@ -181,10 +181,10 @@ let tunnelConf = let opts = [ notice - (flip map - (collect (tun: tun ? port && tun ? destination) cfg.outTunnels) + (flip mapAttrs + (collect (name: tun: tun ? port && tun ? destination) cfg.outTunnels) (tun: let outTunOpts = [ - (sec tun.name) + (sec name) "type = client" (intOpt "port" tun.port) (strOpt "destination" tun.destination) @@ -204,10 +204,10 @@ let ++ (if tun ? crypto.tagsToSend then optionalNullInt "crypto.tagstosend" tun.crypto.tagsToSend else []); in concatStringsSep "\n" outTunOpts)) - (flip map - (collect (tun: tun ? port && tun ? address) cfg.inTunnels) + (flip mapAttrs + (collect (name: tun: tun ? port && tun ? address) cfg.inTunnels) (tun: let inTunOpts = [ - (sec tun.name) + (sec name) "type = server" (intOpt "port" tun.port) (strOpt "host" tun.address) @@ -235,6 +235,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/networking/iodine.nix b/nixpkgs/nixos/modules/services/networking/iodine.nix index 344f84374bb..f9ca26c2796 100644 --- a/nixpkgs/nixos/modules/services/networking/iodine.nix +++ b/nixpkgs/nixos/modules/services/networking/iodine.nix @@ -11,6 +11,13 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "iodined" "enable" ] [ "services" "iodine" "server" "enable" ]) + (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ]) + (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ]) + (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) + (mkRemovedOptionModule [ "services" "iodined" "client" ] "") + ]; ### configuration @@ -140,8 +147,7 @@ in }; }; - users.users = singleton { - name = iodinedUser; + users.users.${iodinedUser} = { uid = config.ids.uids.iodined; description = "Iodine daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix index f5abe61a1ba..b236552eb65 100644 --- a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -112,9 +112,8 @@ in config = mkIf config.services.ircdHybrid.enable { - users.users = singleton - { name = "ircd"; - description = "IRCD owner"; + users.users.ircd = + { description = "IRCD owner"; group = "ircd"; uid = config.ids.uids.ircd; }; diff --git a/nixpkgs/nixos/modules/services/networking/kippo.nix b/nixpkgs/nixos/modules/services/networking/kippo.nix index bdea6a1d1ca..553415a2f32 100644 --- a/nixpkgs/nixos/modules/services/networking/kippo.nix +++ b/nixpkgs/nixos/modules/services/networking/kippo.nix @@ -73,12 +73,11 @@ in ${cfg.extraConfig} ''; - users.users = singleton { - name = "kippo"; + users.users.kippo = { description = "kippo web server privilege separation user"; uid = 108; # why does config.ids.uids.kippo give an error? }; - users.groups = singleton { name = "kippo";gid=108; }; + users.groups.kippo.gid = 108; systemd.services.kippo = with pkgs; { description = "Kippo Web Server"; diff --git a/nixpkgs/nixos/modules/services/networking/kresd.nix b/nixpkgs/nixos/modules/services/networking/kresd.nix index fc516c01230..5eb50a13ca9 100644 --- a/nixpkgs/nixos/modules/services/networking/kresd.nix +++ b/nixpkgs/nixos/modules/services/networking/kresd.nix @@ -13,6 +13,17 @@ in { meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; + imports = [ + (mkChangedOptionModule [ "services" "kresd" "interfaces" ] [ "services" "kresd" "listenPlain" ] + (config: + let value = getAttrFromPath [ "services" "kresd" "interfaces" ] config; + in map + (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53") # Syntax depends on being IPv6 or IPv4. + value + ) + ) + ]; + ###### interface options.services.kresd = { enable = mkOption { @@ -39,11 +50,12 @@ in Directory for caches. They are intended to survive reboots. ''; }; - interfaces = mkOption { + listenPlain = mkOption { type = with types; listOf str; - default = [ "::1" "127.0.0.1" ]; + default = [ "[::1]:53" "127.0.0.1:53" ]; description = '' - What addresses the server should listen on. (UDP+TCP 53) + What addresses and ports the server should listen on. + For detailed syntax see ListenStream in man systemd.socket. ''; }; listenTLS = mkOption { @@ -51,7 +63,7 @@ in default = []; example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ]; description = '' - Addresses on which kresd should provide DNS over TLS (see RFC 7858). + Addresses and ports on which kresd should provide DNS over TLS (see RFC 7858). For detailed syntax see ListenStream in man systemd.socket. ''; }; @@ -62,24 +74,17 @@ in config = mkIf cfg.enable { environment.etc."kresd.conf".source = configFile; # not required - users.users = singleton - { name = "kresd"; - uid = config.ids.uids.kresd; + users.users.kresd = + { uid = config.ids.uids.kresd; group = "kresd"; description = "Knot-resolver daemon user"; }; - users.groups = singleton - { name = "kresd"; - gid = config.ids.gids.kresd; - }; + users.groups.kresd.gid = config.ids.gids.kresd; systemd.sockets.kresd = rec { wantedBy = [ "sockets.target" ]; before = wantedBy; - listenStreams = map - # Syntax depends on being IPv6 or IPv4. - (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53") - cfg.interfaces; + listenStreams = cfg.listenPlain; socketConfig = { ListenDatagram = listenStreams; FreeBind = true; diff --git a/nixpkgs/nixos/modules/services/networking/matterbridge.nix b/nixpkgs/nixos/modules/services/networking/matterbridge.nix index 682eaa6eb29..bad35133459 100644 --- a/nixpkgs/nixos/modules/services/networking/matterbridge.nix +++ b/nixpkgs/nixos/modules/services/networking/matterbridge.nix @@ -92,14 +92,15 @@ in warnings = optional options.services.matterbridge.configFile.isDefined "The option services.matterbridge.configFile is insecure and should be replaced with services.matterbridge.configPath"; - users.users = optional (cfg.user == "matterbridge") - { name = "matterbridge"; - group = "matterbridge"; - isSystemUser = true; + users.users = optionalAttrs (cfg.user == "matterbridge") + { matterbridge = { + group = "matterbridge"; + isSystemUser = true; + }; }; - users.groups = optional (cfg.group == "matterbridge") - { name = "matterbridge"; + users.groups = optionalAttrs (cfg.group == "matterbridge") + { matterbridge = { }; }; systemd.services.matterbridge = { diff --git a/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix b/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix index e0a6c112e3c..dbc35e2e71c 100644 --- a/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix +++ b/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix @@ -49,10 +49,11 @@ in { config = mkIf cfg.enable { - users.users = optional (cfg.user == "mjpg-streamer") { - name = "mjpg-streamer"; - uid = config.ids.uids.mjpg-streamer; - group = cfg.group; + users.users = optionalAttrs (cfg.user == "mjpg-streamer") { + mjpg-streamer = { + uid = config.ids.uids.mjpg-streamer; + group = cfg.group; + }; }; systemd.services.mjpg-streamer = { diff --git a/nixpkgs/nixos/modules/services/networking/monero.nix b/nixpkgs/nixos/modules/services/networking/monero.nix index 831e4d60d8d..b9536430868 100644 --- a/nixpkgs/nixos/modules/services/networking/monero.nix +++ b/nixpkgs/nixos/modules/services/networking/monero.nix @@ -197,17 +197,15 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = "monero"; + users.users.monero = { uid = config.ids.uids.monero; description = "Monero daemon user"; home = dataDir; createHome = true; }; - users.groups = singleton { - name = "monero"; - gid = config.ids.gids.monero; + users.groups.monero = { + gid = config.ids.gids.monero; }; systemd.services.monero = { @@ -224,15 +222,17 @@ in }; }; - assertions = singleton { - assertion = cfg.mining.enable -> cfg.mining.address != ""; - message = '' + assertions = singleton { + assertion = cfg.mining.enable -> cfg.mining.address != ""; + message = '' You need a Monero address to receive mining rewards: specify one using option monero.mining.address. - ''; - }; + ''; + }; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/murmur.nix b/nixpkgs/nixos/modules/services/networking/murmur.nix index 082953d2f6a..3054ae1b201 100644 --- a/nixpkgs/nixos/modules/services/networking/murmur.nix +++ b/nixpkgs/nixos/modules/services/networking/murmur.nix @@ -46,6 +46,11 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ]) + (mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now") + ]; + options = { services.murmur = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/networking/mxisd.nix b/nixpkgs/nixos/modules/services/networking/mxisd.nix index a3d61922e57..482d6ff456b 100644 --- a/nixpkgs/nixos/modules/services/networking/mxisd.nix +++ b/nixpkgs/nixos/modules/services/networking/mxisd.nix @@ -93,23 +93,19 @@ in { }; config = mkIf cfg.enable { - users.users = [ + users.users.mxisd = { - name = "mxisd"; group = "mxisd"; home = cfg.dataDir; createHome = true; shell = "${pkgs.bash}/bin/bash"; uid = config.ids.uids.mxisd; - } - ]; + }; - users.groups = [ + users.groups.mxisd = { - name = "mxisd"; gid = config.ids.gids.mxisd; - } - ]; + }; systemd.services.mxisd = { description = "a federated identity server for the matrix ecosystem"; diff --git a/nixpkgs/nixos/modules/services/networking/namecoind.nix b/nixpkgs/nixos/modules/services/networking/namecoind.nix index c8ee0a2f564..ead7f085943 100644 --- a/nixpkgs/nixos/modules/services/networking/namecoind.nix +++ b/nixpkgs/nixos/modules/services/networking/namecoind.nix @@ -154,16 +154,14 @@ in config = ${configFile} ''; - users.users = singleton { - name = "namecoin"; + users.users.namecoin = { uid = config.ids.uids.namecoin; description = "Namecoin daemon user"; home = dataDir; createHome = true; }; - users.groups = singleton { - name = "namecoin"; + users.groups.namecoin = { gid = config.ids.gids.namecoin; }; @@ -201,4 +199,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/nat.nix b/nixpkgs/nixos/modules/services/networking/nat.nix index 5681bda51cb..f1238bc6b16 100644 --- a/nixpkgs/nixos/modules/services/networking/nat.nix +++ b/nixpkgs/nixos/modules/services/networking/nat.nix @@ -7,26 +7,33 @@ with lib; let - cfg = config.networking.nat; dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"; + helpers = import ./helpers.nix { inherit config lib; }; + flushNat = '' - iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true - iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true - iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true - iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true - iptables -w -t nat -F nixos-nat-post 2>/dev/null || true - iptables -w -t nat -X nixos-nat-post 2>/dev/null || true + ${helpers} + ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true + ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true ${cfg.extraStopCommands} ''; setupNat = '' + ${helpers} # Create subchain where we store rules - iptables -w -t nat -N nixos-nat-pre - iptables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-pre + ip46tables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-out # We can't match on incoming interface in POSTROUTING, so # mark packets coming from the internal interfaces. @@ -88,8 +95,9 @@ let ${cfg.extraCommands} # Append our chains to the nat tables - iptables -w -t nat -A PREROUTING -j nixos-nat-pre - iptables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre + ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A OUTPUT -j nixos-nat-out ''; in diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix index 90d1032c41b..e817f295a44 100644 --- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix +++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix @@ -308,6 +308,7 @@ in { if [ "$2" != "up" ]; then logger "exit: event $2 != up" + exit fi # coreutils and iproute are in PATH too @@ -336,6 +337,7 @@ in { }; imports = [ + (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' This option was removed because allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack @@ -360,62 +362,59 @@ in { } ]; - environment.etc = with pkgs; [ - { source = configFile; - target = "NetworkManager/NetworkManager.conf"; - } - { source = "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; - target = "NetworkManager/VPN/nm-openvpn-service.name"; - } - { source = "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; - target = "NetworkManager/VPN/nm-vpnc-service.name"; - } - { source = "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; - target = "NetworkManager/VPN/nm-openconnect-service.name"; - } - { source = "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; - target = "NetworkManager/VPN/nm-fortisslvpn-service.name"; - } - { source = "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; - target = "NetworkManager/VPN/nm-l2tp-service.name"; - } - { source = "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; - target = "NetworkManager/VPN/nm-iodine-service.name"; + environment.etc = with pkgs; { + "NetworkManager/NetworkManager.conf".source = configFile; + + "NetworkManager/VPN/nm-openvpn-service.name".source = + "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; + + "NetworkManager/VPN/nm-vpnc-service.name".source = + "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; + + "NetworkManager/VPN/nm-openconnect-service.name".source = + "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; + + "NetworkManager/VPN/nm-fortisslvpn-service.name".source = + "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; + + "NetworkManager/VPN/nm-l2tp-service.name".source = + "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; + + "NetworkManager/VPN/nm-iodine-service.name".source = + "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; } - ] ++ optional (cfg.appendNameservers != [] || cfg.insertNameservers != []) - { source = overrideNameserversScript; - target = "NetworkManager/dispatcher.d/02overridedns"; - } - ++ lib.imap1 (i: s: { - inherit (s) source; - target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; - mode = "0544"; - }) cfg.dispatcherScripts - ++ optional cfg.enableStrongSwan - { source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; - target = "NetworkManager/VPN/nm-strongswan-service.name"; - }; + // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) + { + "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; + } + // optionalAttrs cfg.enableStrongSwan + { + "NetworkManager/VPN/nm-strongswan-service.name".source = + "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; + } + // listToAttrs (lib.imap1 (i: s: + { + name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; + value = { mode = "0544"; inherit (s) source; }; + }) cfg.dispatcherScripts); environment.systemPackages = cfg.packages; - users.groups = [{ - name = "networkmanager"; - gid = config.ids.gids.networkmanager; - } - { - name = "nm-openvpn"; - gid = config.ids.gids.nm-openvpn; - }]; - users.users = [{ - name = "nm-openvpn"; - uid = config.ids.uids.nm-openvpn; - extraGroups = [ "networkmanager" ]; - } - { - name = "nm-iodine"; - isSystemUser = true; - group = "networkmanager"; - }]; + users.groups = { + networkmanager.gid = config.ids.gids.networkmanager; + nm-openvpn.gid = config.ids.gids.nm-openvpn; + }; + + users.users = { + nm-openvpn = { + uid = config.ids.uids.nm-openvpn; + extraGroups = [ "networkmanager" ]; + }; + nm-iodine = { + isSystemUser = true; + group = "networkmanager"; + }; + }; systemd.packages = cfg.packages; diff --git a/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix b/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix index d24d6f77a49..cc061bf6e3b 100644 --- a/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix +++ b/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix @@ -210,9 +210,8 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = proxyUser; - uid = config.ids.uids.nntp-proxy; + users.users.${proxyUser} = + { uid = config.ids.uids.nntp-proxy; description = "NNTP-Proxy daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/nsd.nix b/nixpkgs/nixos/modules/services/networking/nsd.nix index bc0966e6b8e..344396638a6 100644 --- a/nixpkgs/nixos/modules/services/networking/nsd.nix +++ b/nixpkgs/nixos/modules/services/networking/nsd.nix @@ -899,13 +899,9 @@ in environment.systemPackages = [ nsdPkg ]; - users.groups = singleton { - name = username; - gid = config.ids.gids.nsd; - }; + users.groups.${username}.gid = config.ids.gids.nsd; - users.users = singleton { - name = username; + users.users.${username} = { description = "NSD service user"; home = stateDir; createHome = true; diff --git a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix index c74476c7a15..da9d960cc14 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix @@ -79,14 +79,10 @@ in environment.systemPackages = [ pkgs.chrony ]; - users.groups = singleton - { name = "chrony"; - gid = config.ids.gids.chrony; - }; + users.groups.chrony.gid = config.ids.gids.chrony; - users.users = singleton - { name = "chrony"; - uid = config.ids.uids.chrony; + users.users.chrony = + { uid = config.ids.uids.chrony; group = "chrony"; description = "chrony daemon user"; home = stateDir; diff --git a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix index 1197c84f045..b5403cb747d 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix @@ -104,9 +104,8 @@ in systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; }; - users.users = singleton - { name = ntpUser; - uid = config.ids.uids.ntp; + users.users.${ntpUser} = + { uid = config.ids.uids.ntp; description = "NTP daemon user"; home = stateDir; }; diff --git a/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix index 471d15b1687..67a04d48d30 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix @@ -60,8 +60,7 @@ in environment.etc."ntpd.conf".text = configFile; - users.users = singleton { - name = "ntp"; + users.users.ntp = { uid = config.ids.uids.ntp; description = "OpenNTP daemon user"; home = "/var/empty"; diff --git a/nixpkgs/nixos/modules/services/networking/openvpn.nix b/nixpkgs/nixos/modules/services/networking/openvpn.nix index 05be97e66a3..dcd7e9e5fa4 100644 --- a/nixpkgs/nixos/modules/services/networking/openvpn.nix +++ b/nixpkgs/nixos/modules/services/networking/openvpn.nix @@ -73,6 +73,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "") + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/networking/owamp.nix b/nixpkgs/nixos/modules/services/networking/owamp.nix index dbb2e3b4c40..637ed618b89 100644 --- a/nixpkgs/nixos/modules/services/networking/owamp.nix +++ b/nixpkgs/nixos/modules/services/networking/owamp.nix @@ -17,16 +17,13 @@ in ###### implementation config = mkIf cfg.enable { - users.users = singleton { - name = "owamp"; + users.users.owamp = { group = "owamp"; description = "Owamp daemon"; isSystemUser = true; }; - users.groups = singleton { - name = "owamp"; - }; + users.groups.owamp = { }; systemd.services.owamp = { description = "Owamp server"; diff --git a/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix b/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix index e55ea363378..6ff181377fc 100644 --- a/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix @@ -219,4 +219,6 @@ in { "To change extra Recursor settings use services.pdns-recursor.settings instead.") ]; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/pdnsd.nix b/nixpkgs/nixos/modules/services/networking/pdnsd.nix index f5b174dd7b7..24b5bbc5104 100644 --- a/nixpkgs/nixos/modules/services/networking/pdnsd.nix +++ b/nixpkgs/nixos/modules/services/networking/pdnsd.nix @@ -62,15 +62,13 @@ in }; config = mkIf cfg.enable { - users.users = singleton { - name = pdnsdUser; + users.users.${pdnsdUser} = { uid = config.ids.uids.pdnsd; group = pdnsdGroup; description = "pdnsd user"; }; - users.groups = singleton { - name = pdnsdGroup; + users.groups.${pdnsdGroup} = { gid = config.ids.gids.pdnsd; }; diff --git a/nixpkgs/nixos/modules/services/networking/polipo.nix b/nixpkgs/nixos/modules/services/networking/polipo.nix index dbe3b738097..1ff9388346b 100644 --- a/nixpkgs/nixos/modules/services/networking/polipo.nix +++ b/nixpkgs/nixos/modules/services/networking/polipo.nix @@ -85,17 +85,15 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = "polipo"; - uid = config.ids.uids.polipo; + users.users.polipo = + { uid = config.ids.uids.polipo; description = "Polipo caching proxy user"; home = "/var/cache/polipo"; createHome = true; }; - users.groups = singleton - { name = "polipo"; - gid = config.ids.gids.polipo; + users.groups.polipo = + { gid = config.ids.gids.polipo; members = [ "polipo" ]; }; diff --git a/nixpkgs/nixos/modules/services/networking/pppd.nix b/nixpkgs/nixos/modules/services/networking/pppd.nix index e96c27bd84b..b31bfa64235 100644 --- a/nixpkgs/nixos/modules/services/networking/pppd.nix +++ b/nixpkgs/nixos/modules/services/networking/pppd.nix @@ -64,11 +64,13 @@ in enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); mkEtc = peerCfg: { - "ppp/peers/${peerCfg.name}".text = peerCfg.config; + name = "ppp/peers/${peerCfg.name}"; + value.text = peerCfg.config; }; mkSystemd = peerCfg: { - "pppd-${peerCfg.name}" = { + name = "pppd-${peerCfg.name}"; + value = { restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; before = [ "network.target" ]; wants = [ "network.target" ]; @@ -124,8 +126,8 @@ in }; }; - etcFiles = map mkEtc enabledConfigs; - systemdConfigs = map mkSystemd enabledConfigs; + etcFiles = listToAttrs (map mkEtc enabledConfigs); + systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); in mkIf cfg.enable { environment.etc = mkMerge etcFiles; diff --git a/nixpkgs/nixos/modules/services/networking/prayer.nix b/nixpkgs/nixos/modules/services/networking/prayer.nix index c936417e68c..9c9eeba23da 100644 --- a/nixpkgs/nixos/modules/services/networking/prayer.nix +++ b/nixpkgs/nixos/modules/services/networking/prayer.nix @@ -72,17 +72,14 @@ in config = mkIf config.services.prayer.enable { environment.systemPackages = [ prayer ]; - users.users = singleton - { name = prayerUser; - uid = config.ids.uids.prayer; + users.users.${prayerUser} = + { uid = config.ids.uids.prayer; description = "Prayer daemon user"; home = stateDir; }; - users.groups = singleton - { name = prayerGroup; - gid = config.ids.gids.prayer; - }; + users.groups.${prayerGroup} = + { gid = config.ids.gids.prayer; }; systemd.services.prayer = { wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/networking/privoxy.nix b/nixpkgs/nixos/modules/services/networking/privoxy.nix index 49ca839a2c3..1f41c720adf 100644 --- a/nixpkgs/nixos/modules/services/networking/privoxy.nix +++ b/nixpkgs/nixos/modules/services/networking/privoxy.nix @@ -109,4 +109,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/quassel.nix b/nixpkgs/nixos/modules/services/networking/quassel.nix index b495b3948fb..52ecd90b7c6 100644 --- a/nixpkgs/nixos/modules/services/networking/quassel.nix +++ b/nixpkgs/nixos/modules/services/networking/quassel.nix @@ -92,17 +92,21 @@ in message = "Quassel needs a certificate file in order to require SSL"; }]; - users.users = mkIf (cfg.user == null) [ - { name = "quassel"; + users.users = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; description = "Quassel IRC client daemon"; group = "quassel"; uid = config.ids.uids.quassel; - }]; + }; + }; - users.groups = mkIf (cfg.user == null) [ - { name = "quassel"; + users.groups = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; gid = config.ids.gids.quassel; - }]; + }; + }; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${user} - - -" diff --git a/nixpkgs/nixos/modules/services/networking/radicale.nix b/nixpkgs/nixos/modules/services/networking/radicale.nix index 1daced4a6c7..30bf22586f8 100644 --- a/nixpkgs/nixos/modules/services/networking/radicale.nix +++ b/nixpkgs/nixos/modules/services/networking/radicale.nix @@ -59,18 +59,15 @@ in config = mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - users.users = singleton - { name = "radicale"; - uid = config.ids.uids.radicale; + users.users.radicale = + { uid = config.ids.uids.radicale; description = "radicale user"; home = "/var/lib/radicale"; createHome = true; }; - users.groups = singleton - { name = "radicale"; - gid = config.ids.gids.radicale; - }; + users.groups.radicale = + { gid = config.ids.gids.radicale; }; systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; diff --git a/nixpkgs/nixos/modules/services/networking/searx.nix b/nixpkgs/nixos/modules/services/networking/searx.nix index 9412d0ef8a6..60fb3d5d6d4 100644 --- a/nixpkgs/nixos/modules/services/networking/searx.nix +++ b/nixpkgs/nixos/modules/services/networking/searx.nix @@ -75,4 +75,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/shairport-sync.nix b/nixpkgs/nixos/modules/services/networking/shairport-sync.nix index 68e005ab81d..2e988e0ca2e 100644 --- a/nixpkgs/nixos/modules/services/networking/shairport-sync.nix +++ b/nixpkgs/nixos/modules/services/networking/shairport-sync.nix @@ -55,9 +55,8 @@ in services.avahi.publish.enable = true; services.avahi.publish.userServices = true; - users.users = singleton - { name = cfg.user; - description = "Shairport user"; + users.users.${cfg.user} = + { description = "Shairport user"; isSystemUser = true; createHome = true; home = "/var/lib/shairport-sync"; diff --git a/nixpkgs/nixos/modules/services/networking/shorewall.nix b/nixpkgs/nixos/modules/services/networking/shorewall.nix new file mode 100644 index 00000000000..0f94d414fcf --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/shorewall.nix @@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: +let + types = lib.types; + cfg = config.services.shorewall; +in { + options = { + services.shorewall = { + enable = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Shorewall IPv4 Firewall. + <warning> + <para> + Enabling this service WILL disable the existing NixOS + firewall! Default firewall rules provided by packages are not + considered at the moment. + </para> + </warning> + ''; + }; + package = lib.mkOption { + type = types.package; + default = pkgs.shorewall; + defaultText = "pkgs.shorewall"; + description = "The shorewall package to use."; + }; + configs = lib.mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + This option defines the Shorewall configs. + The attribute name defines the name of the config, + and the attribute value defines the content of the config. + ''; + apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text); + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.firewall.enable = false; + systemd.services.shorewall = { + description = "Shorewall IPv4 Firewall"; + after = [ "ipset.target" ]; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = lib.attrValues cfg.configs; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${cfg.package}/bin/shorewall start"; + ExecReload = "${cfg.package}/bin/shorewall reload"; + ExecStop = "${cfg.package}/bin/shorewall stop"; + }; + preStart = '' + install -D -d -m 750 /var/lib/shorewall + install -D -d -m 755 /var/lock/subsys + touch /var/log/shorewall.log + chown 750 /var/log/shorewall.log + ''; + }; + environment = { + etc = lib.mapAttrsToList + (name: file: + { source = file; + target = "shorewall/${name}"; + }) + cfg.configs; + systemPackages = [ cfg.package ]; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/shorewall6.nix b/nixpkgs/nixos/modules/services/networking/shorewall6.nix new file mode 100644 index 00000000000..9c22a037c0b --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/shorewall6.nix @@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: +let + types = lib.types; + cfg = config.services.shorewall6; +in { + options = { + services.shorewall6 = { + enable = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Shorewall IPv6 Firewall. + <warning> + <para> + Enabling this service WILL disable the existing NixOS + firewall! Default firewall rules provided by packages are not + considered at the moment. + </para> + </warning> + ''; + }; + package = lib.mkOption { + type = types.package; + default = pkgs.shorewall; + defaultText = "pkgs.shorewall"; + description = "The shorewall package to use."; + }; + configs = lib.mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + This option defines the Shorewall configs. + The attribute name defines the name of the config, + and the attribute value defines the content of the config. + ''; + apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text); + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.firewall.enable = false; + systemd.services.shorewall6 = { + description = "Shorewall IPv6 Firewall"; + after = [ "ipset.target" ]; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = lib.attrValues cfg.configs; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${cfg.package}/bin/shorewall6 start"; + ExecReload = "${cfg.package}/bin/shorewall6 reload"; + ExecStop = "${cfg.package}/bin/shorewall6 stop"; + }; + preStart = '' + install -D -d -m 750 /var/lib/shorewall6 + install -D -d -m 755 /var/lock/subsys + touch /var/log/shorewall6.log + chown 750 /var/log/shorewall6.log + ''; + }; + environment = { + etc = lib.mapAttrsToList + (name: file: + { source = file; + target = "shorewall6/${name}"; + }) + cfg.configs; + systemPackages = [ cfg.package ]; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/shout.nix b/nixpkgs/nixos/modules/services/networking/shout.nix index e548ec66962..a808a7f39d0 100644 --- a/nixpkgs/nixos/modules/services/networking/shout.nix +++ b/nixpkgs/nixos/modules/services/networking/shout.nix @@ -82,8 +82,7 @@ in { }; config = mkIf cfg.enable { - users.users = singleton { - name = "shout"; + users.users.shout = { uid = config.ids.uids.shout; description = "Shout daemon user"; home = shoutHome; diff --git a/nixpkgs/nixos/modules/services/networking/smokeping.nix b/nixpkgs/nixos/modules/services/networking/smokeping.nix index b48b0b3a9d6..37ee2a80389 100644 --- a/nixpkgs/nixos/modules/services/networking/smokeping.nix +++ b/nixpkgs/nixos/modules/services/networking/smokeping.nix @@ -280,8 +280,7 @@ in fping6.source = "${pkgs.fping}/bin/fping6"; }; environment.systemPackages = [ pkgs.fping ]; - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { isNormalUser = false; isSystemUser = true; uid = config.ids.uids.smokeping; diff --git a/nixpkgs/nixos/modules/services/networking/spacecookie.nix b/nixpkgs/nixos/modules/services/networking/spacecookie.nix new file mode 100644 index 00000000000..c4d06df6ad4 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/spacecookie.nix @@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.spacecookie; + configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} { + inherit (cfg) hostname port root; + }); +in { + + options = { + + services.spacecookie = { + + enable = mkEnableOption "spacecookie"; + + hostname = mkOption { + type = types.str; + default = "localhost"; + description = "The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu."; + }; + + port = mkOption { + type = types.port; + default = 70; + description = "Port the gopher service should be exposed on."; + }; + + root = mkOption { + type = types.path; + default = "/srv/gopher"; + description = "The root directory spacecookie serves via gopher."; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.sockets.spacecookie = { + description = "Socket for the Spacecookie Gopher Server"; + wantedBy = [ "sockets.target" ]; + listenStreams = [ "[::]:${toString cfg.port}" ]; + socketConfig = { + BindIPv6Only = "both"; + }; + }; + + systemd.services.spacecookie = { + description = "Spacecookie Gopher Server"; + wantedBy = [ "multi-user.target" ]; + requires = [ "spacecookie.socket" ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${pkgs.haskellPackages.spacecookie}/bin/spacecookie ${configFile}"; + FileDescriptorStoreMax = 1; + + DynamicUser = true; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + + # AF_UNIX for communication with systemd + # AF_INET replaced by BindIPv6Only=both + RestrictAddressFamilies = "AF_UNIX AF_INET6"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix index 91fc7d72bc6..b0e2e303cbc 100644 --- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix @@ -74,6 +74,10 @@ let in { + imports = [ + (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ]) + (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/networking/supybot.nix b/nixpkgs/nixos/modules/services/networking/supybot.nix index 64eb1106832..92c84bd0e1e 100644 --- a/nixpkgs/nixos/modules/services/networking/supybot.nix +++ b/nixpkgs/nixos/modules/services/networking/supybot.nix @@ -45,8 +45,7 @@ in environment.systemPackages = [ pkgs.pythonPackages.limnoria ]; - users.users = singleton { - name = "supybot"; + users.users.supybotrs = { uid = config.ids.uids.supybot; group = "supybot"; description = "Supybot IRC bot user"; @@ -55,7 +54,6 @@ in }; users.groups.supybot = { - name = "supybot"; gid = config.ids.gids.supybot; }; diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix index b3f2af5b179..47b10e408c0 100644 --- a/nixpkgs/nixos/modules/services/networking/syncthing.nix +++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix @@ -112,12 +112,12 @@ in { addresses = [ "tcp://192.168.0.10:51820" ]; }; }; - type = types.attrsOf (types.submodule ({ config, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { name = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' Name of the device ''; @@ -175,7 +175,7 @@ in { devices = [ "bigbox" ]; }; }; - type = types.attrsOf (types.submodule ({ config, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { enable = mkOption { @@ -190,7 +190,7 @@ in { path = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The path to the folder which should be shared. ''; @@ -198,7 +198,7 @@ in { id = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The id of the folder. Must be the same on all devices. ''; @@ -206,7 +206,7 @@ in { label = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The label of the folder. ''; diff --git a/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix b/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix index a0ccb995009..18f2e135124 100644 --- a/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix +++ b/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix @@ -29,8 +29,7 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = "tcpcryptd"; + users.users.tcpcryptd = { uid = config.ids.uids.tcpcryptd; description = "tcpcrypt daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix index 1d349215169..f88e34827d0 100644 --- a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix +++ b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix @@ -56,9 +56,8 @@ in config = mkIf config.services.toxBootstrapd.enable { - users.users = singleton - { name = "tox-bootstrapd"; - uid = config.ids.uids.tox-bootstrapd; + users.users.tox-bootstrapd = + { uid = config.ids.uids.tox-bootstrapd; description = "Tox bootstrap daemon user"; inherit home; createHome = true; diff --git a/nixpkgs/nixos/modules/services/networking/unbound.nix b/nixpkgs/nixos/modules/services/networking/unbound.nix index 3cf82e8839b..baed83591e1 100644 --- a/nixpkgs/nixos/modules/services/networking/unbound.nix +++ b/nixpkgs/nixos/modules/services/networking/unbound.nix @@ -53,6 +53,13 @@ in enable = mkEnableOption "Unbound domain name server"; + package = mkOption { + type = types.package; + default = pkgs.unbound; + defaultText = "pkgs.unbound"; + description = "The unbound package to use"; + }; + allowedAccess = mkOption { default = [ "127.0.0.0/24" ]; type = types.listOf types.str; @@ -94,7 +101,7 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.unbound ]; + environment.systemPackages = [ cfg.package ]; users.users.unbound = { description = "unbound daemon user"; @@ -114,7 +121,7 @@ in mkdir -m 0755 -p ${stateDir}/dev/ cp ${confFile} ${stateDir}/unbound.conf ${optionalString cfg.enableRootTrustAnchor '' - ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" chown unbound ${stateDir} ${rootTrustAnchorFile} ''} touch ${stateDir}/dev/random @@ -122,7 +129,7 @@ in ''; serviceConfig = { - ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf"; + ExecStart = "${cfg.package}/bin/unbound -d -c ${stateDir}/unbound.conf"; ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random"; ProtectSystem = true; diff --git a/nixpkgs/nixos/modules/services/networking/v2ray.nix b/nixpkgs/nixos/modules/services/networking/v2ray.nix new file mode 100644 index 00000000000..a1774cdffbb --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/v2ray.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + + services.v2ray = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run v2ray server. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/etc/v2ray/config.json"; + description = '' + The absolute path to the configuration file. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + + config = mkOption { + type = types.nullOr (types.attrsOf types.unspecified); + default = null; + example = { + inbounds = [{ + port = 1080; + listen = "127.0.0.1"; + protocol = "http"; + }]; + outbounds = [{ + protocol = "freedom"; + }]; + }; + description = '' + The configuration object. + + Either `configFile` or `config` must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + }; + + }; + + config = let + cfg = config.services.v2ray; + configFile = if cfg.configFile != null + then cfg.configFile + else (pkgs.writeText "v2ray.json" (builtins.toJSON cfg.config)); + + in mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.configFile == null) != (cfg.config == null); + message = "Either but not both `configFile` and `config` should be specified for v2ray."; + } + ]; + + systemd.services.v2ray = { + description = "v2ray Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.v2ray ]; + script = '' + exec v2ray -config ${configFile} + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/vsftpd.nix b/nixpkgs/nixos/modules/services/networking/vsftpd.nix index 90093d9a78d..47990dbb377 100644 --- a/nixpkgs/nixos/modules/services/networking/vsftpd.nix +++ b/nixpkgs/nixos/modules/services/networking/vsftpd.nix @@ -279,21 +279,22 @@ in message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options."; }]; - users.users = - [ { name = "vsftpd"; - uid = config.ids.uids.vsftpd; - description = "VSFTPD user"; - home = if cfg.localRoot != null - then cfg.localRoot # <= Necessary for virtual users. - else "/homeless-shelter"; - } - ] ++ optional cfg.anonymousUser - { name = "ftp"; + users.users = { + "vsftpd" = { + uid = config.ids.uids.vsftpd; + description = "VSFTPD user"; + home = if cfg.localRoot != null + then cfg.localRoot # <= Necessary for virtual users. + else "/homeless-shelter"; + }; + } // optionalAttrs cfg.anonymousUser { + "ftp" = { name = "ftp"; uid = config.ids.uids.ftp; group = "ftp"; description = "Anonymous FTP user"; home = cfg.anonymousUserHome; }; + }; users.groups.ftp.gid = config.ids.gids.ftp; diff --git a/nixpkgs/nixos/modules/services/networking/yggdrasil.nix b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix index 5d65f8e3413..9e675ecd6f4 100644 --- a/nixpkgs/nixos/modules/services/networking/yggdrasil.nix +++ b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix @@ -12,11 +12,11 @@ let configFileProvided = (cfg.configFile != null); generateConfig = ( if configProvided && configFileProvided then - "${pkgs.jq}/bin/jq -s add /run/yggdrasil/configFile.json ${configAsFile}" + "${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}" else if configProvided then "cat ${configAsFile}" else if configFileProvided then - "cat /run/yggdrasil/configFile.json" + "cat ${cfg.configFile}" else "${cfg.package}/bin/yggdrasil -genconf" ); @@ -147,7 +147,7 @@ in { RuntimeDirectory = "yggdrasil"; RuntimeDirectoryMode = "0700"; BindReadOnlyPaths = mkIf configFileProvided - [ "${cfg.configFile}:/run/yggdrasil/configFile.json" ]; + [ "${cfg.configFile}" ]; # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails # to set up the network adapter when DynamicUser is set. See diff --git a/nixpkgs/nixos/modules/services/networking/znc/default.nix b/nixpkgs/nixos/modules/services/networking/znc/default.nix index 0a9848a4934..a7315896c50 100644 --- a/nixpkgs/nixos/modules/services/networking/znc/default.nix +++ b/nixpkgs/nixos/modules/services/networking/znc/default.nix @@ -287,20 +287,22 @@ in ''; }; - users.users = optional (cfg.user == defaultUser) - { name = defaultUser; - description = "ZNC server daemon owner"; - group = defaultUser; - uid = config.ids.uids.znc; - home = cfg.dataDir; - createHome = true; + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { description = "ZNC server daemon owner"; + group = defaultUser; + uid = config.ids.uids.znc; + home = cfg.dataDir; + createHome = true; + }; }; - users.groups = optional (cfg.user == defaultUser) - { name = defaultUser; - gid = config.ids.gids.znc; - members = [ defaultUser ]; - }; + users.groups = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { gid = config.ids.gids.znc; + members = [ defaultUser ]; + }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/printing/cupsd.nix b/nixpkgs/nixos/modules/services/printing/cupsd.nix index 1071c05d514..59306d625e6 100644 --- a/nixpkgs/nixos/modules/services/printing/cupsd.nix +++ b/nixpkgs/nixos/modules/services/printing/cupsd.nix @@ -112,6 +112,15 @@ in { + imports = [ + (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] + (config: + let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; + in if enabled then [ pkgs.gutenprint ] else [ ])) + (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "") + (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "") + ]; + ###### interface options = { @@ -279,9 +288,8 @@ in config = mkIf config.services.printing.enable { - users.users = singleton - { name = "cups"; - uid = config.ids.uids.cups; + users.users.cups = + { uid = config.ids.uids.cups; group = "lp"; description = "CUPS printing services"; }; diff --git a/nixpkgs/nixos/modules/services/scheduling/atd.nix b/nixpkgs/nixos/modules/services/scheduling/atd.nix index a32907647a0..93ed9231d3c 100644 --- a/nixpkgs/nixos/modules/services/scheduling/atd.nix +++ b/nixpkgs/nixos/modules/services/scheduling/atd.nix @@ -57,17 +57,13 @@ in security.pam.services.atd = {}; - users.users = singleton - { name = "atd"; - uid = config.ids.uids.atd; + users.users.atd = + { uid = config.ids.uids.atd; description = "atd user"; home = "/var/empty"; }; - users.groups = singleton - { name = "atd"; - gid = config.ids.gids.atd; - }; + users.groups.atd.gid = config.ids.gids.atd; systemd.services.atd = { description = "Job Execution Daemon (atd)"; diff --git a/nixpkgs/nixos/modules/services/scheduling/fcron.nix b/nixpkgs/nixos/modules/services/scheduling/fcron.nix index e43ca014e14..42bed21bf25 100644 --- a/nixpkgs/nixos/modules/services/scheduling/fcron.nix +++ b/nixpkgs/nixos/modules/services/scheduling/fcron.nix @@ -86,7 +86,8 @@ in services.fcron.systab = systemCronJobs; - environment.etc = + environment.etc = listToAttrs + (map (x: { name = x.target; value = x; }) [ (allowdeny "allow" (cfg.allow)) (allowdeny "deny" cfg.deny) # see man 5 fcron.conf @@ -112,7 +113,7 @@ in gid = config.ids.gids.fcron; mode = "0644"; } - ]; + ]); environment.systemPackages = [ pkgs.fcron ]; users.users.fcron = { diff --git a/nixpkgs/nixos/modules/services/search/hound.nix b/nixpkgs/nixos/modules/services/search/hound.nix index 6740928db9a..7a44489efe6 100644 --- a/nixpkgs/nixos/modules/services/search/hound.nix +++ b/nixpkgs/nixos/modules/services/search/hound.nix @@ -88,19 +88,19 @@ in { }; config = mkIf cfg.enable { - users.groups = optional (cfg.group == "hound") { - name = "hound"; - gid = config.ids.gids.hound; + users.groups = optionalAttrs (cfg.group == "hound") { + hound.gid = config.ids.gids.hound; }; - users.users = optional (cfg.user == "hound") { - name = "hound"; - description = "hound code search"; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - uid = config.ids.uids.hound; + users.users = optionalAttrs (cfg.user == "hound") { + hound = { + description = "hound code search"; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + uid = config.ids.uids.hound; + }; }; systemd.services.hound = { diff --git a/nixpkgs/nixos/modules/services/search/kibana.nix b/nixpkgs/nixos/modules/services/search/kibana.nix index 43a63aa8fdc..2beb265ee5d 100644 --- a/nixpkgs/nixos/modules/services/search/kibana.nix +++ b/nixpkgs/nixos/modules/services/search/kibana.nix @@ -198,8 +198,7 @@ in { environment.systemPackages = [ cfg.package ]; - users.users = singleton { - name = "kibana"; + users.users.kibana = { uid = config.ids.uids.kibana; description = "Kibana service user"; home = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/search/solr.nix b/nixpkgs/nixos/modules/services/search/solr.nix index 5ef7d9893a4..b2176225493 100644 --- a/nixpkgs/nixos/modules/services/search/solr.nix +++ b/nixpkgs/nixos/modules/services/search/solr.nix @@ -100,18 +100,18 @@ in }; }; - users.users = optionalAttrs (cfg.user == "solr") (singleton - { name = "solr"; + users.users = optionalAttrs (cfg.user == "solr") { + solr = { group = cfg.group; home = cfg.stateDir; createHome = true; uid = config.ids.uids.solr; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "solr") (singleton - { name = "solr"; - gid = config.ids.gids.solr; - }); + users.groups = optionalAttrs (cfg.group == "solr") { + solr.gid = config.ids.gids.solr; + }; }; diff --git a/nixpkgs/nixos/modules/services/security/clamav.nix b/nixpkgs/nixos/modules/services/security/clamav.nix index 04b433f8f2b..aaf6fb0479b 100644 --- a/nixpkgs/nixos/modules/services/security/clamav.nix +++ b/nixpkgs/nixos/modules/services/security/clamav.nix @@ -30,6 +30,10 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) + ]; + options = { services.clamav = { daemon = { @@ -79,18 +83,15 @@ in config = mkIf (cfg.updater.enable || cfg.daemon.enable) { environment.systemPackages = [ pkg ]; - users.users = singleton { - name = clamavUser; + users.users.${clamavUser} = { uid = config.ids.uids.clamav; group = clamavGroup; description = "ClamAV daemon user"; home = stateDir; }; - users.groups = singleton { - name = clamavGroup; - gid = config.ids.gids.clamav; - }; + users.groups.${clamavGroup} = + { gid = config.ids.gids.clamav; }; environment.etc."clamav/freshclam.conf".source = freshclamConfigFile; environment.etc."clamav/clamd.conf".source = clamdConfigFile; diff --git a/nixpkgs/nixos/modules/services/security/fprot.nix b/nixpkgs/nixos/modules/services/security/fprot.nix index 47449039146..f203f2abc03 100644 --- a/nixpkgs/nixos/modules/services/security/fprot.nix +++ b/nixpkgs/nixos/modules/services/security/fprot.nix @@ -48,22 +48,18 @@ in { services.fprot.updater.licenseKeyfile = mkDefault "${pkgs.fprot}/opt/f-prot/license.key"; environment.systemPackages = [ pkgs.fprot ]; - environment.etc = singleton { + environment.etc."f-prot.conf" = { source = "${pkgs.fprot}/opt/f-prot/f-prot.conf"; - target = "f-prot.conf"; }; - users.users = singleton - { name = fprotUser; - uid = config.ids.uids.fprot; + users.users.${fprotUser} = + { uid = config.ids.uids.fprot; description = "F-Prot daemon user"; home = stateDir; }; - users.groups = singleton - { name = fprotGroup; - gid = config.ids.gids.fprot; - }; + users.groups.${fprotGroup} = + { gid = config.ids.gids.fprot; }; services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; diff --git a/nixpkgs/nixos/modules/services/security/tor.nix b/nixpkgs/nixos/modules/services/security/tor.nix index ed862387cce..18c105b2f57 100644 --- a/nixpkgs/nixos/modules/services/security/tor.nix +++ b/nixpkgs/nixos/modules/services/security/tor.nix @@ -106,6 +106,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) + (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.") + (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") + ]; + options = { services.tor = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/security/torify.nix b/nixpkgs/nixos/modules/services/security/torify.nix index 08da726437e..39551190dd3 100644 --- a/nixpkgs/nixos/modules/services/security/torify.nix +++ b/nixpkgs/nixos/modules/services/security/torify.nix @@ -25,6 +25,7 @@ in services.tor.tsocks = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to build tsocks wrapper script to relay application traffic via Tor. @@ -40,6 +41,7 @@ in }; server = mkOption { + type = types.str; default = "localhost:9050"; example = "192.168.0.20"; description = '' @@ -48,6 +50,7 @@ in }; config = mkOption { + type = types.lines; default = ""; description = '' Extra configuration. Contents will be added verbatim to TSocks diff --git a/nixpkgs/nixos/modules/services/security/torsocks.nix b/nixpkgs/nixos/modules/services/security/torsocks.nix index c60c745443b..47ac95c4626 100644 --- a/nixpkgs/nixos/modules/services/security/torsocks.nix +++ b/nixpkgs/nixos/modules/services/security/torsocks.nix @@ -112,10 +112,9 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ]; - environment.etc = - [ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server); - target = "tor/torsocks.conf"; - } - ]; + environment.etc."tor/torsocks.conf" = + { + source = pkgs.writeText "torsocks.conf" (configFile cfg.server); + }; }; } diff --git a/nixpkgs/nixos/modules/services/system/dbus.nix b/nixpkgs/nixos/modules/services/system/dbus.nix index 936646a5fd7..4a60fec1ca8 100644 --- a/nixpkgs/nixos/modules/services/system/dbus.nix +++ b/nixpkgs/nixos/modules/services/system/dbus.nix @@ -68,10 +68,7 @@ in environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ]; - environment.etc = singleton - { source = configDir; - target = "dbus-1"; - }; + environment.etc."dbus-1".source = configDir; users.users.messagebus = { uid = config.ids.uids.messagebus; diff --git a/nixpkgs/nixos/modules/services/system/localtime.nix b/nixpkgs/nixos/modules/services/system/localtime.nix index c3c0b432b49..74925c5e2c4 100644 --- a/nixpkgs/nixos/modules/services/system/localtime.nix +++ b/nixpkgs/nixos/modules/services/system/localtime.nix @@ -35,6 +35,10 @@ in { # Install the systemd unit. systemd.packages = [ pkgs.localtime.out ]; + users.users.localtimed = { + description = "Taskserver user"; + }; + systemd.services.localtime = { wantedBy = [ "multi-user.target" ]; serviceConfig.Restart = "on-failure"; diff --git a/nixpkgs/nixos/modules/services/torrent/magnetico.nix b/nixpkgs/nixos/modules/services/torrent/magnetico.nix index 719827713ff..7465c10e002 100644 --- a/nixpkgs/nixos/modules/services/torrent/magnetico.nix +++ b/nixpkgs/nixos/modules/services/torrent/magnetico.nix @@ -213,4 +213,6 @@ in { }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/torrent/transmission.nix b/nixpkgs/nixos/modules/services/torrent/transmission.nix index 7409eb8cdcb..aa1acdf7d20 100644 --- a/nixpkgs/nixos/modules/services/torrent/transmission.nix +++ b/nixpkgs/nixos/modules/services/torrent/transmission.nix @@ -7,6 +7,7 @@ let apparmor = config.security.apparmor.enable; homeDir = cfg.home; + downloadDirPermissions = cfg.downloadDirPermissions; downloadDir = "${homeDir}/Downloads"; incompleteDir = "${homeDir}/.incomplete"; @@ -16,16 +17,14 @@ let # for users in group "transmission" to have access to torrents fullSettings = { umask = 2; download-dir = downloadDir; incomplete-dir = incompleteDir; } // cfg.settings; - # Directories transmission expects to exist and be ug+rwx. - directoriesToManage = [ homeDir settingsDir fullSettings.download-dir fullSettings.incomplete-dir ]; - preStart = pkgs.writeScript "transmission-pre-start" '' #!${pkgs.runtimeShell} set -ex - for DIR in ${escapeShellArgs directoriesToManage}; do + for DIR in "${homeDir}" "${settingsDir}" "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}"; do mkdir -p "$DIR" - chmod 770 "$DIR" done + chmod 700 "${homeDir}" "${settingsDir}" + chmod ${downloadDirPermissions} "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}" cp -f ${settingsFile} ${settingsDir}/settings.json ''; in @@ -71,6 +70,16 @@ in ''; }; + downloadDirPermissions = mkOption { + type = types.str; + default = "770"; + example = "775"; + description = '' + The permissions to set for download-dir and incomplete-dir. + They will be applied on every service start. + ''; + }; + port = mkOption { type = types.int; default = 9091; @@ -109,7 +118,7 @@ in # 1) Only the "transmission" user and group have access to torrents. # 2) Optionally update/force specific fields into the configuration file. serviceConfig.ExecStartPre = preStart; - serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port}"; + serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port} --config-dir ${settingsDir}"; serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; serviceConfig.User = cfg.user; serviceConfig.Group = cfg.group; diff --git a/nixpkgs/nixos/modules/services/ttys/agetty.nix b/nixpkgs/nixos/modules/services/ttys/agetty.nix index f127d8a0276..f3a629f7af7 100644 --- a/nixpkgs/nixos/modules/services/ttys/agetty.nix +++ b/nixpkgs/nixos/modules/services/ttys/agetty.nix @@ -102,7 +102,7 @@ in enable = mkDefault config.boot.isContainer; }; - environment.etc = singleton + environment.etc.issue = { # Friendly greeting on the virtual consoles. source = pkgs.writeText "issue" '' @@ -110,7 +110,6 @@ in ${config.services.mingetty.helpLine} ''; - target = "issue"; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/frab.nix b/nixpkgs/nixos/modules/services/web-apps/frab.nix index a9a30b40922..1b5890d6b0c 100644 --- a/nixpkgs/nixos/modules/services/web-apps/frab.nix +++ b/nixpkgs/nixos/modules/services/web-apps/frab.nix @@ -173,15 +173,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ frab-rake ]; - users.users = [ - { name = cfg.user; - group = cfg.group; + users.users.${cfg.user} = + { group = cfg.group; home = "${cfg.statePath}"; isSystemUser = true; - } - ]; + }; - users.groups = [ { name = cfg.group; } ]; + users.groups.${cfg.group} = { }; systemd.tmpfiles.rules = [ "d '${cfg.statePath}/system/attachments' - ${cfg.user} ${cfg.group} - -" diff --git a/nixpkgs/nixos/modules/services/web-apps/ihatemoney/default.nix b/nixpkgs/nixos/modules/services/web-apps/ihatemoney/default.nix new file mode 100644 index 00000000000..68769ac8c03 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/ihatemoney/default.nix @@ -0,0 +1,141 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.services.ihatemoney; + user = "ihatemoney"; + group = "ihatemoney"; + db = "ihatemoney"; + python3 = config.services.uwsgi.package.python3; + pkg = python3.pkgs.ihatemoney; + toBool = x: if x then "True" else "False"; + configFile = pkgs.writeText "ihatemoney.cfg" '' + from secrets import token_hex + # load a persistent secret key + SECRET_KEY_FILE = "/var/lib/ihatemoney/secret_key" + SECRET_KEY = "" + try: + with open(SECRET_KEY_FILE) as f: + SECRET_KEY = f.read() + except FileNotFoundError: + pass + if not SECRET_KEY: + print("ihatemoney: generating a new secret key") + SECRET_KEY = token_hex(50) + with open(SECRET_KEY_FILE, "w") as f: + f.write(SECRET_KEY) + del token_hex + del SECRET_KEY_FILE + + # "normal" configuration + DEBUG = False + SQLALCHEMY_DATABASE_URI = '${ + if cfg.backend == "sqlite" + then "sqlite:////var/lib/ihatemoney/ihatemoney.sqlite" + else "postgresql:///${db}"}' + SQLALCHEMY_TRACK_MODIFICATIONS = False + MAIL_DEFAULT_SENDER = ("${cfg.defaultSender.name}", "${cfg.defaultSender.email}") + ACTIVATE_DEMO_PROJECT = ${toBool cfg.enableDemoProject} + ADMIN_PASSWORD = "${toString cfg.adminHashedPassword /*toString null == ""*/}" + ALLOW_PUBLIC_PROJECT_CREATION = ${toBool cfg.enablePublicProjectCreation} + ACTIVATE_ADMIN_DASHBOARD = ${toBool cfg.enableAdminDashboard} + + ${cfg.extraConfig} + ''; +in + { + options.services.ihatemoney = { + enable = mkEnableOption "ihatemoney webapp. Note that this will set uwsgi to emperor mode running as root"; + backend = mkOption { + type = types.enum [ "sqlite" "postgresql" ]; + default = "sqlite"; + description = '' + The database engine to use for ihatemoney. + If <literal>postgresql</literal> is selected, then a database called + <literal>${db}</literal> will be created. If you disable this option, + it will however not be removed. + ''; + }; + adminHashedPassword = mkOption { + type = types.nullOr types.str; + default = null; + description = "The hashed password of the administrator. To obtain it, run <literal>ihatemoney generate_password_hash</literal>"; + }; + uwsgiConfig = mkOption { + type = types.attrs; + example = { + http = ":8000"; + }; + description = "Additionnal configuration of the UWSGI vassal running ihatemoney. It should notably specify on which interfaces and ports the vassal should listen."; + }; + defaultSender = { + name = mkOption { + type = types.str; + default = "Budget manager"; + description = "The display name of the sender of ihatemoney emails"; + }; + email = mkOption { + type = types.str; + default = "ihatemoney@${config.networking.hostName}"; + description = "The email of the sender of ihatemoney emails"; + }; + }; + enableDemoProject = mkEnableOption "access to the demo project in ihatemoney"; + enablePublicProjectCreation = mkEnableOption "permission to create projects in ihatemoney by anyone"; + enableAdminDashboard = mkEnableOption "ihatemoney admin dashboard"; + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Extra configuration appended to ihatemoney's configuration file. It is a python file, so pay attention to indentation."; + }; + }; + config = mkIf cfg.enable { + services.postgresql = mkIf (cfg.backend == "postgresql") { + enable = true; + ensureDatabases = [ db ]; + ensureUsers = [ { + name = user; + ensurePermissions = { + "DATABASE ${db}" = "ALL PRIVILEGES"; + }; + } ]; + }; + systemd.services.postgresql = mkIf (cfg.backend == "postgresql") { + wantedBy = [ "uwsgi.service" ]; + before = [ "uwsgi.service" ]; + }; + systemd.tmpfiles.rules = [ + "d /var/lib/ihatemoney 770 ${user} ${group}" + ]; + users = { + users.${user} = { + isSystemUser = true; + inherit group; + }; + groups.${group} = {}; + }; + services.uwsgi = { + enable = true; + plugins = [ "python3" ]; + # the vassal needs to be able to setuid + user = "root"; + group = "root"; + instance = { + type = "emperor"; + vassals.ihatemoney = { + type = "normal"; + strict = true; + uid = user; + gid = group; + # apparently flask uses threads: https://github.com/spiral-project/ihatemoney/commit/c7815e48781b6d3a457eaff1808d179402558f8c + enable-threads = true; + module = "wsgi:application"; + chdir = "${pkg}/${pkg.pythonModule.sitePackages}/ihatemoney"; + env = [ "IHATEMONEY_SETTINGS_FILE_PATH=${configFile}" ]; + pythonPackages = self: [ self.ihatemoney ]; + } // cfg.uwsgiConfig; + }; + }; + }; + } + + diff --git a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix index bd524524130..e00a47191c6 100644 --- a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix @@ -3,7 +3,7 @@ let inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption; - inherit (lib) mapAttrs optional optionalString types; + inherit (lib) literalExample mapAttrs optional optionalString types; cfg = config.services.limesurvey; fpm = config.services.phpfpm.pools.limesurvey; @@ -100,19 +100,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "survey.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/survey.example.org/full.pem"; - sslServerKey = "/var/lib/acme/survey.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "survey.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -184,7 +180,7 @@ in config = { tempdir = "${stateDir}/tmp"; uploaddir = "${stateDir}/upload"; - force_ssl = mkIf cfg.virtualHost.enableSSL "on"; + force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on"; config.defaultlang = "en"; }; }; @@ -215,38 +211,36 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg}/share/limesurvey"; - extraConfig = '' - Alias "/tmp" "${stateDir}/tmp" - <Directory "${stateDir}"> - AllowOverride all - Require all granted - Options -Indexes +FollowSymlinks - </Directory> - - Alias "/upload" "${stateDir}/upload" - <Directory "${stateDir}/upload"> - AllowOverride all - Require all granted - Options -Indexes - </Directory> - - <Directory "${pkg}/share/limesurvey"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - - AllowOverride all - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg}/share/limesurvey"; + extraConfig = '' + Alias "/tmp" "${stateDir}/tmp" + <Directory "${stateDir}"> + AllowOverride all + Require all granted + Options -Indexes +FollowSymlinks + </Directory> + + Alias "/upload" "${stateDir}/upload" + <Directory "${stateDir}/upload"> + AllowOverride all + Require all granted + Options -Indexes + </Directory> + + <Directory "${pkg}/share/limesurvey"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + + AllowOverride all + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ diff --git a/nixpkgs/nixos/modules/services/web-apps/matomo.nix b/nixpkgs/nixos/modules/services/web-apps/matomo.nix index 352cc4c647b..75da474dc44 100644 --- a/nixpkgs/nixos/modules/services/web-apps/matomo.nix +++ b/nixpkgs/nixos/modules/services/web-apps/matomo.nix @@ -18,6 +18,14 @@ let in join config.networking.hostName config.networking.domain; in { + imports = [ + (mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ]) + (mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ]) + (mkRemovedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") + (mkRemovedOptionModule [ "services" "matomo" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") + (mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ]) + ]; + options = { services.matomo = { # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 diff --git a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix index 8c7fc4056ad..41c52b9653b 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix @@ -146,17 +146,17 @@ in config = mkMerge [ (mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "mattermost") (singleton { - name = "mattermost"; - group = cfg.group; - uid = config.ids.uids.mattermost; - home = cfg.statePath; - }); - - users.groups = optionalAttrs (cfg.group == "mattermost") (singleton { - name = "mattermost"; - gid = config.ids.gids.mattermost; - }); + users.users = optionalAttrs (cfg.user == "mattermost") { + mattermost = { + group = cfg.group; + uid = config.ids.uids.mattermost; + home = cfg.statePath; + }; + }; + + users.groups = optionalAttrs (cfg.group == "mattermost") { + mattermost.gid = config.ids.gids.mattermost; + }; services.postgresql.enable = cfg.localDatabaseCreate; diff --git a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix index 43edc04e1a4..8a109b39bb5 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix @@ -64,7 +64,7 @@ let $wgScriptPath = ""; ## The protocol and server name to use in fully-qualified URLs - $wgServer = "${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}"; + $wgServer = "${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}"; ## The URL path to static resources (images, scripts, etc.) $wgResourceBasePath = $wgScriptPath; @@ -290,19 +290,13 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); example = literalExample '' { hostName = "mediawiki.example.org"; - enableSSL = true; adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/mediawiki.example.org/full.pem"; - sslServerKey = "/var/lib/acme/mediawiki.example.org/key.pem"; + forceSSL = true; + enableACME = true; } ''; description = '' @@ -389,31 +383,28 @@ in services.httpd = { enable = true; - adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg}/share/mediawiki"; - extraConfig = '' - <Directory "${pkg}/share/mediawiki"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - - Require all granted - DirectoryIndex index.php - AllowOverride All - </Directory> - '' + optionalString (cfg.uploadsDir != null) '' - Alias "/images" "${cfg.uploadsDir}" - <Directory "${cfg.uploadsDir}"> - Require all granted - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg}/share/mediawiki"; + extraConfig = '' + <Directory "${pkg}/share/mediawiki"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + + Require all granted + DirectoryIndex index.php + AllowOverride All + </Directory> + '' + optionalString (cfg.uploadsDir != null) '' + Alias "/images" "${cfg.uploadsDir}" + <Directory "${cfg.uploadsDir}"> + Require all granted + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ diff --git a/nixpkgs/nixos/modules/services/web-apps/moodle.nix b/nixpkgs/nixos/modules/services/web-apps/moodle.nix index ac59f9e0012..595d070d940 100644 --- a/nixpkgs/nixos/modules/services/web-apps/moodle.nix +++ b/nixpkgs/nixos/modules/services/web-apps/moodle.nix @@ -32,7 +32,7 @@ let 'dbcollation' => 'utf8mb4_unicode_ci', ); - $CFG->wwwroot = '${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}'; + $CFG->wwwroot = '${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}'; $CFG->dataroot = '${stateDir}'; $CFG->admin = 'admin'; @@ -140,19 +140,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "moodle.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/moodle.example.org/full.pem"; - sslServerKey = "/var/lib/acme/moodle.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "moodle.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -241,22 +237,20 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${cfg.package}/share/moodle"; - extraConfig = '' - <Directory "${cfg.package}/share/moodle"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${cfg.package}/share/moodle"; + extraConfig = '' + <Directory "${cfg.package}/share/moodle"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix index b67f0880878..f1dabadc119 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix @@ -31,8 +31,12 @@ let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} cd ${pkgs.nextcloud} - exec /run/wrappers/bin/sudo -u nextcloud \ - NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" \ + sudo=exec + if [[ "$USER" != nextcloud ]]; then + sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR' + fi + export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" + $sudo \ ${phpPackage}/bin/php \ -c ${pkgs.writeText "php.ini" phpOptionsStr}\ occ $* @@ -58,7 +62,7 @@ in { https = mkOption { type = types.bool; default = false; - description = "Enable if there is a TLS terminating proxy in front of nextcloud."; + description = "Use https for generated links."; }; maxUploadSize = mkOption { @@ -420,6 +424,7 @@ in { nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; + serviceConfig.User = "nextcloud"; startAt = cfg.autoUpdateApps.startAt; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix index 2c2f36ac598..9d0a3f65253 100644 --- a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix +++ b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix @@ -116,7 +116,7 @@ in }; passwordFile = mkOption { - type = types.nullOr types.str; + type = types.nullOr types.path; default = null; description = '' The database user's password. 'null' if no password is set. @@ -285,7 +285,7 @@ in sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', 'restya');/g" "${runDir}/server/php/config.inc.php" '' else '' sed -i "s/^.*'R_DB_HOST'.*$/define('R_DB_HOST', '${cfg.database.host}');/g" "${runDir}/server/php/config.inc.php" - sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', '$(<${cfg.database.dbPassFile})');/g" "${runDir}/server/php/config.inc.php" + sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', ${if cfg.database.passwordFile == null then "''" else "'file_get_contents(${cfg.database.passwordFile})'"});/g" "${runDir}/server/php/config.inc.php ''} sed -i "s/^.*'R_DB_PORT'.*$/define('R_DB_PORT', '${toString cfg.database.port}');/g" "${runDir}/server/php/config.inc.php" sed -i "s/^.*'R_DB_NAME'.*$/define('R_DB_NAME', '${cfg.database.name}');/g" "${runDir}/server/php/config.inc.php" diff --git a/nixpkgs/nixos/modules/services/web-apps/trilium.nix b/nixpkgs/nixos/modules/services/web-apps/trilium.nix new file mode 100644 index 00000000000..6f47193c62b --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/trilium.nix @@ -0,0 +1,137 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.trilium-server; + configIni = pkgs.writeText "trilium-config.ini" '' + [General] + # Instance name can be used to distinguish between different instances + instanceName=${cfg.instanceName} + + # Disable automatically generating desktop icon + noDesktopIcon=true + + [Network] + # host setting is relevant only for web deployments - set the host on which the server will listen + host=${cfg.host} + # port setting is relevant only for web deployments, desktop builds run on random free port + port=${toString cfg.port} + # true for TLS/SSL/HTTPS (secure), false for HTTP (unsecure). + https=false + ''; +in +{ + + options.services.trilium-server = with lib; { + enable = mkEnableOption "trilium-server"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/trilium"; + description = '' + The directory storing the nodes database and the configuration. + ''; + }; + + instanceName = mkOption { + type = types.str; + default = "Trilium"; + description = '' + Instance name used to distinguish between different instances + ''; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The host address to bind to (defaults to localhost). + ''; + }; + + port = mkOption { + type = types.int; + default = 8080; + description = '' + The port number to bind to. + ''; + }; + + nginx = mkOption { + default = {}; + description = '' + Configuration for nginx reverse proxy. + ''; + + type = types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Configure the nginx reverse proxy settings. + ''; + }; + + hostName = mkOption { + type = types.str; + description = '' + The hostname use to setup the virtualhost configuration + ''; + }; + }; + }; + }; + }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + meta.maintainers = with lib.maintainers; [ kampka ]; + + users.groups.trilium = {}; + users.users.trilium = { + description = "Trilium User"; + group = "trilium"; + home = cfg.dataDir; + isSystemUser = true; + }; + + systemd.services.trilium-server = { + wantedBy = [ "multi-user.target" ]; + environment.TRILIUM_DATA_DIR = cfg.dataDir; + serviceConfig = { + ExecStart = "${pkgs.trilium-server}/bin/trilium-server"; + User = "trilium"; + Group = "trilium"; + PrivateTmp = "true"; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.dataDir} 0750 trilium trilium - -" + "L+ ${cfg.dataDir}/config.ini - - - - ${configIni}" + ]; + + } + + (lib.mkIf cfg.nginx.enable { + services.nginx = { + enable = true; + virtualHosts."${cfg.nginx.hostName}" = { + locations."/" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}/"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + ''; + }; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }) + ]); +} diff --git a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix index f1370c2854b..ad4f39fbf52 100644 --- a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix +++ b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix @@ -3,7 +3,7 @@ let inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types; inherit (lib) any attrValues concatMapStringsSep flatten literalExample; - inherit (lib) mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString; + inherit (lib) mapAttrs mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString; eachSite = config.services.wordpress; user = "wordpress"; @@ -127,7 +127,7 @@ let <note><para>These themes need to be packaged before use, see example.</para></note> ''; example = '' - # For shits and giggles, let's package the responsive theme + # Let's package the responsive theme responsiveTheme = pkgs.stdenv.mkDerivation { name = "responsive-theme"; # Download the theme from the wordpress site @@ -209,18 +209,12 @@ let }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); example = literalExample '' { - enableSSL = true; adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/wordpress.example.org/full.pem"; - sslServerKey = "/var/lib/acme/wordpress.example.org/key.pem"; + forceSSL = true; + enableACME = true; } ''; description = '' @@ -304,41 +298,37 @@ in services.httpd = { enable = true; extraModules = [ "proxy_fcgi" ]; - virtualHosts = mapAttrsToList (hostName: cfg: - (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg hostName cfg}/share/wordpress"; - extraConfig = '' - <Directory "${pkg hostName cfg}/share/wordpress"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/" - </If> - </FilesMatch> - - # standard wordpress .htaccess contents - <IfModule mod_rewrite.c> - RewriteEngine On - RewriteBase / - RewriteRule ^index\.php$ - [L] - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule . /index.php [L] - </IfModule> - - DirectoryIndex index.php - Require all granted - Options +FollowSymLinks - </Directory> - - # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php - <Files wp-config.php> - Require all denied - </Files> - ''; - } - ]) - ) eachSite; + virtualHosts = mapAttrs (hostName: cfg: mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg hostName cfg}/share/wordpress"; + extraConfig = '' + <Directory "${pkg hostName cfg}/share/wordpress"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/" + </If> + </FilesMatch> + + # standard wordpress .htaccess contents + <IfModule mod_rewrite.c> + RewriteEngine On + RewriteBase / + RewriteRule ^index\.php$ - [L] + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule . /index.php [L] + </IfModule> + + DirectoryIndex index.php + Require all granted + Options +FollowSymLinks + </Directory> + + # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php + <Files wp-config.php> + Require all denied + </Files> + ''; + } ]) eachSite; }; systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ diff --git a/nixpkgs/nixos/modules/services/web-apps/zabbix.nix b/nixpkgs/nixos/modules/services/web-apps/zabbix.nix index 09538726b7c..ee8447810c6 100644 --- a/nixpkgs/nixos/modules/services/web-apps/zabbix.nix +++ b/nixpkgs/nixos/modules/services/web-apps/zabbix.nix @@ -113,19 +113,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "zabbix.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/zabbix.example.org/full.pem"; - sslServerKey = "/var/lib/acme/zabbix.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "zabbix.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -190,23 +186,21 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${cfg.package}/share/zabbix"; - extraConfig = '' - <Directory "${cfg.package}/share/zabbix"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - AllowOverride all - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${cfg.package}/share/zabbix"; + extraConfig = '' + <Directory "${cfg.package}/share/zabbix"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + AllowOverride all + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; users.users.${user} = mapAttrs (name: mkDefault) { diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix index f5a6051b4b5..4460f89ec5c 100644 --- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -18,22 +18,20 @@ let mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; }; - defaultListen = cfg: if cfg.enableSSL - then [{ip = "*"; port = 443;}] - else [{ip = "*"; port = 80;}]; + vhosts = attrValues mainCfg.virtualHosts; - getListen = cfg: - if cfg.listen == [] - then defaultListen cfg - else cfg.listen; + mkListenInfo = hostOpts: + if hostOpts.listen != [] then hostOpts.listen + else ( + optional (hostOpts.onlySSL || hostOpts.addSSL || hostOpts.forceSSL) { ip = "*"; port = 443; ssl = true; } ++ + optional (!hostOpts.onlySSL) { ip = "*"; port = 80; ssl = false; } + ); - listenToString = l: "${l.ip}:${toString l.port}"; + listenInfo = unique (concatMap mkListenInfo vhosts); - allHosts = [mainCfg] ++ mainCfg.virtualHosts; + enableSSL = any (listen: listen.ssl) listenInfo; - enableSSL = any (vhost: vhost.enableSSL) allHosts; - - enableUserDir = any (vhost: vhost.enableUserDir) allHosts; + enableUserDir = any (vhost: vhost.enableUserDir) vhosts; # NOTE: generally speaking order of modules is very important modules = @@ -115,122 +113,137 @@ let </IfModule> ''; - - perServerConf = isMainServer: cfg: let - - # Canonical name must not include a trailing slash. - canonicalNames = - let defaultPort = (head (defaultListen cfg)).port; in - map (port: - (if cfg.enableSSL then "https" else "http") + "://" + - cfg.hostName + - (if port != defaultPort then ":${toString port}" else "") - ) (map (x: x.port) (getListen cfg)); - - maybeDocumentRoot = fold (svc: acc: - if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc - ) null ([ cfg ]); - - documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; - - documentRootConf = '' - DocumentRoot "${documentRoot}" - - <Directory "${documentRoot}"> - Options Indexes FollowSymLinks - AllowOverride None - ${allGranted} - </Directory> - ''; - - # If this is a vhost, the include the entries for the main server as well. - robotsTxt = concatStringsSep "\n" (filter (x: x != "") ([ cfg.robotsEntries ] ++ lib.optional (!isMainServer) mainCfg.robotsEntries)); - - in '' - ${concatStringsSep "\n" (map (n: "ServerName ${n}") canonicalNames)} - - ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases} - - ${if cfg.sslServerCert != null then '' - SSLCertificateFile ${cfg.sslServerCert} - SSLCertificateKeyFile ${cfg.sslServerKey} - ${if cfg.sslServerChain != null then '' - SSLCertificateChainFile ${cfg.sslServerChain} - '' else ""} - '' else ""} - - ${if cfg.enableSSL then '' - SSLEngine on - '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */ - '' - SSLEngine off - '' else ""} - - ${if isMainServer || cfg.adminAddr != null then '' - ServerAdmin ${cfg.adminAddr} - '' else ""} - - ${if !isMainServer && mainCfg.logPerVirtualHost then '' - ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log - CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat} - '' else ""} - - ${optionalString (robotsTxt != "") '' - Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt} - ''} - - ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""} - - ${if cfg.enableUserDir then '' - - UserDir public_html - UserDir disabled root - - <Directory "/home/*/public_html"> - AllowOverride FileInfo AuthConfig Limit Indexes - Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - <Limit GET POST OPTIONS> - ${allGranted} - </Limit> - <LimitExcept GET POST OPTIONS> - ${allDenied} - </LimitExcept> - </Directory> - - '' else ""} - - ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then '' - RedirectPermanent / ${cfg.globalRedirect} - '' else ""} - - ${ - let makeFileConf = elem: '' - Alias ${elem.urlPath} ${elem.file} - ''; - in concatMapStrings makeFileConf cfg.servedFiles - } - - ${ - let makeDirConf = elem: '' - Alias ${elem.urlPath} ${elem.dir}/ - <Directory ${elem.dir}> - Options +Indexes - ${allGranted} - AllowOverride All - </Directory> - ''; - in concatMapStrings makeDirConf cfg.servedDirs - } - - ${cfg.extraConfig} - ''; + mkVHostConf = hostOpts: + let + adminAddr = if hostOpts.adminAddr != null then hostOpts.adminAddr else mainCfg.adminAddr; + listen = filter (listen: !listen.ssl) (mkListenInfo hostOpts); + listenSSL = filter (listen: listen.ssl) (mkListenInfo hostOpts); + + useACME = hostOpts.enableACME || hostOpts.useACMEHost != null; + sslCertDir = + if hostOpts.enableACME then config.security.acme.certs.${hostOpts.hostName}.directory + else if hostOpts.useACMEHost != null then config.security.acme.certs.${hostOpts.useACMEHost}.directory + else abort "This case should never happen."; + + sslServerCert = if useACME then "${sslCertDir}/full.pem" else hostOpts.sslServerCert; + sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey; + sslServerChain = if useACME then "${sslCertDir}/fullchain.pem" else hostOpts.sslServerChain; + + acmeChallenge = optionalString useACME '' + Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/" + <Directory "${hostOpts.acmeRoot}"> + AllowOverride None + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + Require method GET POST OPTIONS + Require all granted + </Directory> + ''; + in + optionalString (listen != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listen}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ServerAdmin ${adminAddr} + <IfModule mod_ssl.c> + SSLEngine off + </IfModule> + ${acmeChallenge} + ${if hostOpts.forceSSL then '' + <IfModule mod_rewrite.c> + RewriteEngine on + RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC] + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + </IfModule> + '' else mkVHostCommonConf hostOpts} + </VirtualHost> + '' + + optionalString (listenSSL != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listenSSL}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ServerAdmin ${adminAddr} + SSLEngine on + SSLCertificateFile ${sslServerCert} + SSLCertificateKeyFile ${sslServerKey} + ${optionalString (sslServerChain != null) "SSLCertificateChainFile ${sslServerChain}"} + ${acmeChallenge} + ${mkVHostCommonConf hostOpts} + </VirtualHost> + '' + ; + + mkVHostCommonConf = hostOpts: + let + documentRoot = if hostOpts.documentRoot != null + then hostOpts.documentRoot + else pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out" + ; + in + '' + ${optionalString mainCfg.logPerVirtualHost '' + ErrorLog ${mainCfg.logDir}/error-${hostOpts.hostName}.log + CustomLog ${mainCfg.logDir}/access-${hostOpts.hostName}.log ${hostOpts.logFormat} + ''} + + ${optionalString (hostOpts.robotsEntries != "") '' + Alias /robots.txt ${pkgs.writeText "robots.txt" hostOpts.robotsEntries} + ''} + + DocumentRoot "${documentRoot}" + + <Directory "${documentRoot}"> + Options Indexes FollowSymLinks + AllowOverride None + ${allGranted} + </Directory> + + ${optionalString hostOpts.enableUserDir '' + UserDir public_html + UserDir disabled root + <Directory "/home/*/public_html"> + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + <Limit GET POST OPTIONS> + Require all granted + </Limit> + <LimitExcept GET POST OPTIONS> + Require all denied + </LimitExcept> + </Directory> + ''} + + ${optionalString (hostOpts.globalRedirect != null && hostOpts.globalRedirect != "") '' + RedirectPermanent / ${hostOpts.globalRedirect} + ''} + + ${ + let makeFileConf = elem: '' + Alias ${elem.urlPath} ${elem.file} + ''; + in concatMapStrings makeFileConf hostOpts.servedFiles + } + ${ + let makeDirConf = elem: '' + Alias ${elem.urlPath} ${elem.dir}/ + <Directory ${elem.dir}> + Options +Indexes + ${allGranted} + AllowOverride All + </Directory> + ''; + in concatMapStrings makeDirConf hostOpts.servedDirs + } + + ${hostOpts.extraConfig} + '' + ; confFile = pkgs.writeText "httpd.conf" '' ServerRoot ${httpd} - + ServerName ${config.networking.hostName} DefaultRuntimeDir ${runtimeDir}/runtime PidFile ${runtimeDir}/httpd.pid @@ -246,10 +259,9 @@ let </IfModule> ${let - listen = concatMap getListen allHosts; - toStr = listen: "Listen ${listenToString listen}\n"; - uniqueListen = uniqList {inputList = map toStr listen;}; - in concatStrings uniqueListen + toStr = listen: "Listen ${listen.ip}:${toString listen.port} ${if listen.ssl then "https" else "http"}"; + uniqueListen = uniqList {inputList = map toStr listenInfo;}; + in concatStringsSep "\n" uniqueListen } User ${mainCfg.user} @@ -297,17 +309,9 @@ let ${allGranted} </Directory> - # Generate directives for the main server. - ${perServerConf true mainCfg} + ${mainCfg.extraConfig} - ${let - makeVirtualHost = vhost: '' - <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}> - ${perServerConf false vhost} - </VirtualHost> - ''; - in concatMapStrings makeVirtualHost mainCfg.virtualHosts - } + ${concatMapStringsSep "\n" mkVHostConf vhosts} ''; # Generate the PHP configuration file. Should probably be factored @@ -329,6 +333,21 @@ in imports = [ (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.") + + # virtualHosts options + (mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableSSL" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableUserDir" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "globalRedirect" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "hostName" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "listen" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "robotsEntries" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedDirs" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedFiles" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "serverAliases" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerCert" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerChain" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerKey" ] "Please define a virtual host using `services.httpd.virtualHosts`.") ]; ###### interface @@ -367,7 +386,7 @@ in type = types.lines; default = ""; description = '' - Cnfiguration lines appended to the generated Apache + Configuration lines appended to the generated Apache configuration file. Note that this mechanism may not work when <option>configFile</option> is overridden. ''; @@ -391,9 +410,25 @@ in ''; }; + adminAddr = mkOption { + type = types.str; + example = "admin@example.org"; + description = "E-mail address of the server administrator."; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = '' + Log format for log files. Possible values are: combined, common, referer, agent. + See <link xlink:href="https://httpd.apache.org/docs/2.4/logs.html"/> for more details. + ''; + }; + logPerVirtualHost = mkOption { type = types.bool; - default = false; + default = true; description = '' If enabled, each virtual host gets its own <filename>access.log</filename> and @@ -429,26 +464,28 @@ in }; virtualHosts = mkOption { - type = types.listOf (types.submodule ( - { options = import ./per-server-options.nix { - inherit lib; - forMainServer = false; + type = with types; attrsOf (submodule (import ./per-server-options.nix)); + default = { + localhost = { + documentRoot = "${httpd}/htdocs"; + }; + }; + example = literalExample '' + { + "foo.example.com" = { + forceSSL = true; + documentRoot = "/var/www/foo.example.com" + }; + "bar.example.com" = { + addSSL = true; + documentRoot = "/var/www/bar.example.com"; }; - })); - default = []; - example = [ - { hostName = "foo"; - documentRoot = "/data/webroot-foo"; - } - { hostName = "bar"; - documentRoot = "/data/webroot-bar"; } - ]; + ''; description = '' - Specification of the virtual hosts served by Apache. Each + Specification of the virtual hosts served by Apache. Each element should be an attribute set specifying the - configuration of the virtual host. The available options - are the non-global options permissible for the main host. + configuration of the virtual host. ''; }; @@ -530,17 +567,11 @@ in sslProtocols = mkOption { type = types.str; - default = "All -SSLv2 -SSLv3 -TLSv1"; + default = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"; example = "All -SSLv2 -SSLv3"; description = "Allowed SSL/TLS protocol versions."; }; - } - - # Include the options shared between the main server and virtual hosts. - // (import ./per-server-options.nix { - inherit lib; - forMainServer = true; - }); + }; }; @@ -549,23 +580,52 @@ in config = mkIf config.services.httpd.enable { - assertions = [ { assertion = mainCfg.enableSSL == true - -> mainCfg.sslServerCert != null - && mainCfg.sslServerKey != null; - message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } - ]; + assertions = [ + { + assertion = all (hostOpts: !hostOpts.enableSSL) vhosts; + message = '' + The option `services.httpd.virtualHosts.<name>.enableSSL` no longer has any effect; please remove it. + Select one of `services.httpd.virtualHosts.<name>.addSSL`, `services.httpd.virtualHosts.<name>.forceSSL`, + or `services.httpd.virtualHosts.<name>.onlySSL`. + ''; + } + { + assertion = all (hostOpts: with hostOpts; !(addSSL && onlySSL) && !(forceSSL && onlySSL) && !(addSSL && forceSSL)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.addSSL`, + `services.httpd.virtualHosts.<name>.onlySSL` and `services.httpd.virtualHosts.<name>.forceSSL` + are mutually exclusive. + ''; + } + { + assertion = all (hostOpts: !(hostOpts.enableACME && hostOpts.useACMEHost != null)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.enableACME` and + `services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive. + ''; + } + ]; - users.users = optionalAttrs (mainCfg.user == "wwwrun") (singleton - { name = "wwwrun"; + users.users = optionalAttrs (mainCfg.user == "wwwrun") { + wwwrun = { group = mainCfg.group; description = "Apache httpd user"; uid = config.ids.uids.wwwrun; - }); + }; + }; - users.groups = optionalAttrs (mainCfg.group == "wwwrun") (singleton - { name = "wwwrun"; - gid = config.ids.gids.wwwrun; - }); + users.groups = optionalAttrs (mainCfg.group == "wwwrun") { + wwwrun.gid = config.ids.gids.wwwrun; + }; + + security.acme.certs = mapAttrs (name: hostOpts: { + user = mainCfg.user; + group = mkDefault mainCfg.group; + email = if hostOpts.adminAddr != null then hostOpts.adminAddr else mainCfg.adminAddr; + webroot = hostOpts.acmeRoot; + extraDomains = genAttrs hostOpts.serverAliases (alias: null); + postRun = "systemctl reload httpd.service"; + }) (filterAttrs (name: hostOpts: hostOpts.enableACME) mainCfg.virtualHosts); environment.systemPackages = [httpd]; @@ -605,10 +665,14 @@ in ]; systemd.services.httpd = + let + vhostsACME = filter (hostOpts: hostOpts.enableACME) vhosts; + in { description = "Apache HTTPD"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "fs.target" ]; + wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME); + after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME; path = [ httpd pkgs.coreutils pkgs.gnugrep ] diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix index c36207d5460..f2e92cda05f 100644 --- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix @@ -1,174 +1,235 @@ -# This file defines the options that can be used both for the Apache -# main server configuration, and for the virtual hosts. (The latter -# has additional options that affect the web server as a whole, like -# the user/group to run under.) - -{ forMainServer, lib }: - -with lib; - +{ config, lib, name, ... }: +let + inherit (lib) mkOption types; +in { + options = { + + hostName = mkOption { + type = types.str; + default = name; + description = "Canonical hostname for the server."; + }; + + serverAliases = mkOption { + type = types.listOf types.str; + default = []; + example = ["www.example.org" "www.example.org:8080" "example.org"]; + description = '' + Additional names of virtual hosts served by this virtual host configuration. + ''; + }; + + listen = mkOption { + type = with types; listOf (submodule ({ + options = { + port = mkOption { + type = types.port; + description = "Port to listen on"; + }; + ip = mkOption { + type = types.str; + default = "*"; + description = "IP to listen on. 0.0.0.0 for IPv4 only, * for all."; + }; + ssl = mkOption { + type = types.bool; + default = false; + description = "Whether to enable SSL (https) support."; + }; + }; + })); + default = []; + example = [ + { ip = "195.154.1.1"; port = 443; ssl = true;} + { ip = "192.154.1.1"; port = 80; } + { ip = "*"; port = 8080; } + ]; + description = '' + Listen addresses and ports for this virtual host. + <note><para> + This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>. + </para></note> + ''; + }; + + enableSSL = mkOption { + type = types.bool; + visible = false; + default = false; + }; + + addSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS in addition to plain HTTP. This will set defaults for + <literal>listen</literal> to listen on all interfaces on the respective default + ports (80, 443). + ''; + }; + + onlySSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS and reject plain HTTP connections. This will set + defaults for <literal>listen</literal> to listen on all interfaces on port 443. + ''; + }; + + forceSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add a separate nginx server block that permanently redirects (301) + all plain HTTP traffic to HTTPS. This will set defaults for + <literal>listen</literal> to listen on all interfaces on the respective default + ports (80, 443), where the non-SSL listens are used for the redirect vhosts. + ''; + }; + + enableACME = mkOption { + type = types.bool; + default = false; + description = '' + Whether to ask Let's Encrypt to sign a certificate for this vhost. + Alternately, you can use an existing certificate through <option>useACMEHost</option>. + ''; + }; + + useACMEHost = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + A host of an existing Let's Encrypt certificate to use. + This is useful if you have many subdomains and want to avoid hitting the + <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>. + Alternately, you can generate a certificate through <option>enableACME</option>. + <emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using <xref linkend="opt-security.acme.certs"/>.</emphasis> + ''; + }; + + acmeRoot = mkOption { + type = types.str; + default = "/var/lib/acme/acme-challenges"; + description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here"; + }; + + sslServerCert = mkOption { + type = types.path; + example = "/var/host.cert"; + description = "Path to server SSL certificate."; + }; + + sslServerKey = mkOption { + type = types.path; + example = "/var/host.key"; + description = "Path to server SSL certificate key."; + }; + + sslServerChain = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/ca.pem"; + description = "Path to server SSL chain file."; + }; + + adminAddr = mkOption { + type = types.nullOr types.str; + default = null; + example = "admin@example.org"; + description = "E-mail address of the server administrator."; + }; + + documentRoot = mkOption { + type = types.nullOr types.path; + default = null; + example = "/data/webserver/docs"; + description = '' + The path of Apache's document root directory. If left undefined, + an empty directory in the Nix store will be used as root. + ''; + }; + + servedDirs = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/nix"; + dir = "/home/eelco/Dev/nix-homepage"; + } + ]; + description = '' + This option provides a simple way to serve static directories. + ''; + }; + + servedFiles = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/foo/bar.png"; + file = "/home/eelco/some-file.png"; + } + ]; + description = '' + This option provides a simple way to serve individual, static files. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + <Directory /home> + Options FollowSymlinks + AllowOverride All + </Directory> + ''; + description = '' + These lines go to httpd.conf verbatim. They will go after + directories and directory aliases defined by default. + ''; + }; + + enableUserDir = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable serving <filename>~/public_html</filename> as + <literal>/~<replaceable>username</replaceable></literal>. + ''; + }; + + globalRedirect = mkOption { + type = types.nullOr types.str; + default = null; + example = http://newserver.example.org/; + description = '' + If set, all requests for this host are redirected permanently to + the given URL. + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = '' + Log format for Apache's log files. Possible values are: combined, common, referer, agent. + ''; + }; + + robotsEntries = mkOption { + type = types.lines; + default = ""; + example = "Disallow: /foo/"; + description = '' + Specification of pages to be ignored by web crawlers. See <link + xlink:href='http://www.robotstxt.org/'/> for details. + ''; + }; - hostName = mkOption { - type = types.str; - default = "localhost"; - description = "Canonical hostname for the server."; - }; - - serverAliases = mkOption { - type = types.listOf types.str; - default = []; - example = ["www.example.org" "www.example.org:8080" "example.org"]; - description = '' - Additional names of virtual hosts served by this virtual host configuration. - ''; - }; - - listen = mkOption { - type = types.listOf (types.submodule ( - { - options = { - port = mkOption { - type = types.int; - description = "port to listen on"; - }; - ip = mkOption { - type = types.str; - default = "*"; - description = "Ip to listen on. 0.0.0.0 for ipv4 only, * for all."; - }; - }; - } )); - description = '' - List of { /* ip: "*"; */ port = 80;} to listen on - ''; - - default = []; - }; - - enableSSL = mkOption { - type = types.bool; - default = false; - description = "Whether to enable SSL (https) support."; }; - - # Note: sslServerCert and sslServerKey can be left empty, but this - # only makes sense for virtual hosts (they will inherit from the - # main server). - - sslServerCert = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/host.cert"; - description = "Path to server SSL certificate."; - }; - - sslServerKey = mkOption { - type = types.path; - example = "/var/host.key"; - description = "Path to server SSL certificate key."; - }; - - sslServerChain = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/ca.pem"; - description = "Path to server SSL chain file."; - }; - - adminAddr = mkOption ({ - type = types.nullOr types.str; - example = "admin@example.org"; - description = "E-mail address of the server administrator."; - } // (if forMainServer then {} else {default = null;})); - - documentRoot = mkOption { - type = types.nullOr types.path; - default = null; - example = "/data/webserver/docs"; - description = '' - The path of Apache's document root directory. If left undefined, - an empty directory in the Nix store will be used as root. - ''; - }; - - servedDirs = mkOption { - type = types.listOf types.attrs; - default = []; - example = [ - { urlPath = "/nix"; - dir = "/home/eelco/Dev/nix-homepage"; - } - ]; - description = '' - This option provides a simple way to serve static directories. - ''; - }; - - servedFiles = mkOption { - type = types.listOf types.attrs; - default = []; - example = [ - { urlPath = "/foo/bar.png"; - file = "/home/eelco/some-file.png"; - } - ]; - description = '' - This option provides a simple way to serve individual, static files. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - example = '' - <Directory /home> - Options FollowSymlinks - AllowOverride All - </Directory> - ''; - description = '' - These lines go to httpd.conf verbatim. They will go after - directories and directory aliases defined by default. - ''; - }; - - enableUserDir = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable serving <filename>~/public_html</filename> as - <literal>/~<replaceable>username</replaceable></literal>. - ''; - }; - - globalRedirect = mkOption { - type = types.nullOr types.str; - default = null; - example = http://newserver.example.org/; - description = '' - If set, all requests for this host are redirected permanently to - the given URL. - ''; - }; - - logFormat = mkOption { - type = types.str; - default = "common"; - example = "combined"; - description = '' - Log format for Apache's log files. Possible values are: combined, common, referer, agent. - ''; - }; - - robotsEntries = mkOption { - type = types.lines; - default = ""; - example = "Disallow: /foo/"; - description = '' - Specification of pages to be ignored by web crawlers. See <link - xlink:href='http://www.robotstxt.org/'/> for details. - ''; - }; - } diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix index eb90dae94df..c8602e5975b 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix @@ -47,7 +47,7 @@ let '')); configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' - user ${cfg.user} ${cfg.group}; + pid /run/nginx/nginx.pid; error_log ${cfg.logError}; daemon off; @@ -178,6 +178,8 @@ let then "/etc/nginx/nginx.conf" else configFile; + execCommand = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'"; + vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: let onlySSL = vhost.onlySSL || vhost.enableSSL; @@ -366,12 +368,7 @@ in preStart = mkOption { type = types.lines; - default = '' - test -d ${cfg.stateDir}/logs || mkdir -m 750 -p ${cfg.stateDir}/logs - test `stat -c %a ${cfg.stateDir}` = "750" || chmod 750 ${cfg.stateDir} - test `stat -c %a ${cfg.stateDir}/logs` = "750" || chmod 750 ${cfg.stateDir}/logs - chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir} - ''; + default = ""; description = " Shell commands executed before the service's nginx is started. "; @@ -673,23 +670,36 @@ in } ]; + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.nginx = { description = "Nginx Web Server"; wantedBy = [ "multi-user.target" ]; wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts); after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts; stopIfChanged = false; - preStart = - '' + preStart = '' ${cfg.preStart} - ${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir} -t - ''; + ${execCommand} -t + ''; serviceConfig = { - ExecStart = "${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir}"; + ExecStart = execCommand; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Restart = "always"; RestartSec = "10s"; StartLimitInterval = "1min"; + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "nginx"; + RuntimeDirectoryMode = "0750"; + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; }; }; @@ -698,11 +708,18 @@ in }; systemd.services.nginx-config-reload = mkIf cfg.enableReload { - wantedBy = [ "nginx.service" ]; + wants = [ "nginx.service" ]; + wantedBy = [ "multi-user.target" ]; restartTriggers = [ configFile ]; + # commented, because can cause extra delays during activate for this config: + # services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000"; + # stopIfChanged = false; + serviceConfig.Type = "oneshot"; + serviceConfig.TimeoutSec = 60; script = '' if ${pkgs.systemd}/bin/systemctl -q is-active nginx.service ; then - ${pkgs.systemd}/bin/systemctl reload nginx.service + ${execCommand} -t && \ + ${pkgs.systemd}/bin/systemctl reload nginx.service fi ''; serviceConfig.RemainAfterExit = true; @@ -723,15 +740,16 @@ in listToAttrs acmePairs ); - users.users = optionalAttrs (cfg.user == "nginx") (singleton - { name = "nginx"; + users.users = optionalAttrs (cfg.user == "nginx") { + nginx = { group = cfg.group; uid = config.ids.uids.nginx; - }); + }; + }; + + users.groups = optionalAttrs (cfg.group == "nginx") { + nginx.gid = config.ids.gids.nginx; + }; - users.groups = optionalAttrs (cfg.group == "nginx") (singleton - { name = "nginx"; - gid = config.ids.gids.nginx; - }); }; } diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix index 2b3749d8a74..3d9e391ecf2 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix @@ -67,7 +67,7 @@ with lib; return = mkOption { type = types.nullOr types.str; default = null; - example = "301 http://example.com$request_uri;"; + example = "301 http://example.com$request_uri"; description = '' Adds a return directive, for e.g. redirections. ''; diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix index 7e488f33a41..455854e2a96 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -207,6 +207,7 @@ with lib; default = null; description = '' Basic Auth password file for a vhost. + Can be created via: <command>htpasswd -c <filename> <username></command> ''; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix index 7698f8c3a26..2c73da10394 100644 --- a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix @@ -146,6 +146,10 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") + (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") + ]; options = { services.phpfpm = { diff --git a/nixpkgs/nixos/modules/services/web-servers/tomcat.nix b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix index 68261c50324..6d12925829f 100644 --- a/nixpkgs/nixos/modules/services/web-servers/tomcat.nix +++ b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix @@ -194,14 +194,10 @@ in config = mkIf config.services.tomcat.enable { - users.groups = singleton - { name = "tomcat"; - gid = config.ids.gids.tomcat; - }; + users.groups.tomcat.gid = config.ids.gids.tomcat; - users.users = singleton - { name = "tomcat"; - uid = config.ids.uids.tomcat; + users.users.tomcat = + { uid = config.ids.uids.tomcat; description = "Tomcat user"; home = "/homeless-shelter"; extraGroups = cfg.extraGroups; diff --git a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix index 32f6d475b34..2303dfa9540 100644 --- a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix @@ -85,7 +85,7 @@ in { systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -" - ]; + ]; systemd.services.unit = { description = "Unit App Server"; @@ -93,34 +93,50 @@ in { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ curl ]; preStart = '' - test -f '/run/unit/control.unit.sock' || rm -f '/run/unit/control.unit.sock' + test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json' ''; postStart = '' curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' ''; serviceConfig = { - User = cfg.user; - Group = cfg.group; - AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; - CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; ExecStart = '' ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \ --user ${cfg.user} --group ${cfg.group} ''; + # User and group + User = cfg.user; + Group = cfg.group; + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; + # Security + NoNewPrivileges = true; + # Sanboxing + ProtectSystem = "full"; + ProtectHome = true; RuntimeDirectory = "unit"; RuntimeDirectoryMode = "0750"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + PrivateMounts = true; }; }; - users.users = optionalAttrs (cfg.user == "unit") (singleton { - name = "unit"; - group = cfg.group; + users.users = optionalAttrs (cfg.user == "unit") { + unit.group = cfg.group; isSystemUser = true; - }); + }; + + users.groups = optionalAttrs (cfg.group == "unit") { + unit = { }; + }; - users.groups = optionalAttrs (cfg.group == "unit") (singleton { - name = "unit"; - }); }; } diff --git a/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix index af70f32f32d..3481b5e6040 100644 --- a/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix +++ b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix @@ -5,10 +5,6 @@ with lib; let cfg = config.services.uwsgi; - uwsgi = pkgs.uwsgi.override { - plugins = cfg.plugins; - }; - buildCfg = name: c: let plugins = @@ -23,8 +19,8 @@ let python = if hasPython2 && hasPython3 then throw "`plugins` attribute in UWSGI configuration shouldn't contain both python2 and python3" - else if hasPython2 then uwsgi.python2 - else if hasPython3 then uwsgi.python3 + else if hasPython2 then cfg.package.python2 + else if hasPython3 then cfg.package.python3 else null; pythonEnv = python.withPackages (c.pythonPackages or (self: [])); @@ -77,6 +73,11 @@ in { description = "Where uWSGI communication sockets can live"; }; + package = mkOption { + type = types.package; + internal = true; + }; + instance = mkOption { type = types.attrs; default = { @@ -138,7 +139,7 @@ in { ''; serviceConfig = { Type = "notify"; - ExecStart = "${uwsgi}/bin/uwsgi --uid ${cfg.user} --gid ${cfg.group} --json ${buildCfg "server" cfg.instance}/server.json"; + ExecStart = "${cfg.package}/bin/uwsgi --uid ${cfg.user} --gid ${cfg.group} --json ${buildCfg "server" cfg.instance}/server.json"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; NotifyAccess = "main"; @@ -146,15 +147,19 @@ in { }; }; - users.users = optionalAttrs (cfg.user == "uwsgi") (singleton - { name = "uwsgi"; + users.users = optionalAttrs (cfg.user == "uwsgi") { + uwsgi = { group = cfg.group; uid = config.ids.uids.uwsgi; - }); + }; + }; + + users.groups = optionalAttrs (cfg.group == "uwsgi") { + uwsgi.gid = config.ids.gids.uwsgi; + }; - users.groups = optionalAttrs (cfg.group == "uwsgi") (singleton - { name = "uwsgi"; - gid = config.ids.gids.uwsgi; - }); + services.uwsgi.package = pkgs.uwsgi.override { + inherit (cfg) plugins; + }; }; } diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix new file mode 100644 index 00000000000..c1b6d3bf064 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + xcfg = config.services.xserver; + cfg = xcfg.desktopManager.cde; +in { + options.services.xserver.desktopManager.cde = { + enable = mkEnableOption "Common Desktop Environment"; + }; + + config = mkIf (xcfg.enable && cfg.enable) { + services.rpcbind.enable = true; + + services.xinetd.enable = true; + services.xinetd.services = [ + { + name = "cmsd"; + protocol = "udp"; + user = "root"; + server = "${pkgs.cdesktopenv}/opt/dt/bin/rpc.cmsd"; + extraConfig = '' + type = RPC UNLISTED + rpc_number = 100068 + rpc_version = 2-5 + only_from = 127.0.0.1/0 + ''; + } + ]; + + users.groups.mail = {}; + security.wrappers = { + dtmail = { + source = "${pkgs.cdesktopenv}/bin/dtmail"; + group = "mail"; + setgid = true; + }; + }; + + system.activationScripts.setup-cde = '' + mkdir -p /var/dt/{tmp,appconfig/appmanager} + chmod a+w+t /var/dt/{tmp,appconfig/appmanager} + ''; + + services.xserver.desktopManager.session = [ + { name = "CDE"; + start = '' + exec ${pkgs.cdesktopenv}/opt/dt/bin/Xsession + ''; + }]; + }; + + meta.maintainers = [ maintainers.gnidorah ]; +} diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix index 671a959cdde..970fa620c6b 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix @@ -20,7 +20,7 @@ in imports = [ ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix - ./mate.nix ./pantheon.nix ./surf-display.nix + ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ]; options = { @@ -86,23 +86,14 @@ in }; default = mkOption { - type = types.str; - default = ""; + type = types.nullOr types.str; + default = null; example = "none"; - description = "Default desktop manager loaded if none have been chosen."; - apply = defaultDM: - if defaultDM == "" && cfg.session.list != [] then - (head cfg.session.list).name - else if any (w: w.name == defaultDM) cfg.session.list then - defaultDM - else - builtins.trace '' - Default desktop manager (${defaultDM}) not found at evaluation time. - These are the known valid session names: - ${concatMapStringsSep "\n " (w: "services.xserver.desktopManager.default = \"${w.name}\";") cfg.session.list} - It's also possible the default can be found in one of these packages: - ${concatMapStringsSep "\n " (p: p.name) config.services.xserver.displayManager.extraSessionFilePackages} - '' defaultDM; + description = '' + <emphasis role="strong">Deprecated</emphasis>, please use <xref linkend="opt-services.xserver.displayManager.defaultSession"/> instead. + + Default desktop manager loaded if none have been chosen. + ''; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 3745069f6ea..26b662a2a64 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -16,6 +16,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ]) + ]; + options = { services.xserver.desktopManager.enlightenment.enable = mkOption { @@ -64,10 +68,7 @@ in security.wrappers = (import "${e.enlightenment}/e-wrappers.nix").security.wrappers; - environment.etc = singleton - { source = xcfg.xkbDir; - target = "X11/xkb"; - }; + environment.etc."X11/xkb".source = xcfg.xkbDir; fonts.fonts = [ pkgs.dejavu_fonts pkgs.ubuntu_font_family ]; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix index 6725595e1cf..6d9bd284bc7 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -144,7 +144,7 @@ in services.gnome3.core-shell.enable = true; services.gnome3.core-utilities.enable = mkDefault true; - services.xserver.displayManager.extraSessionFilePackages = [ pkgs.gnome3.gnome-session ]; + services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session ]; environment.extraInit = '' ${concatMapStrings (p: '' @@ -171,7 +171,7 @@ in }) (mkIf flashbackEnabled { - services.xserver.displayManager.extraSessionFilePackages = map + services.xserver.displayManager.sessionPackages = map (wm: pkgs.gnome3.gnome-flashback.mkSessionForWm { inherit (wm) wmName wmLabel wmCommand; }) (optional cfg.flashback.enableMetacity { diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix index fe63f36cf96..4a6f2ca727d 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix @@ -98,7 +98,6 @@ in services.gnome3.at-spi2-core.enable = true; services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-settings-daemon.enable = true; services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix index 80dab135ee2..b46a2d189ef 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.xserver.desktopManager.pantheon; + serviceCfg = config.services.pantheon; nixos-gsettings-desktop-schemas = pkgs.pantheon.elementary-gsettings-schemas.override { extraGSettingsOverridePackages = cfg.extraGSettingsOverridePackages; @@ -19,6 +20,16 @@ in options = { + services.pantheon = { + + contractor = { + enable = mkEnableOption "contractor, a desktop-wide extension service used by Pantheon"; + }; + + apps.enable = mkEnableOption "Pantheon default applications"; + + }; + services.xserver.desktopManager.pantheon = { enable = mkOption { type = types.bool; @@ -41,6 +52,18 @@ in ]; }; + extraWingpanelIndicators = mkOption { + default = null; + type = with types; nullOr (listOf package); + description = "Indicators to add to Wingpanel."; + }; + + extraSwitchboardPlugs = mkOption { + default = null; + type = with types; nullOr (listOf package); + description = "Plugs to add to Switchboard."; + }; + extraGSettingsOverrides = mkOption { default = ""; type = types.lines; @@ -67,124 +90,88 @@ in }; - config = mkIf cfg.enable { + config = mkMerge [ + (mkIf cfg.enable { - services.xserver.displayManager.extraSessionFilePackages = [ pkgs.pantheon.elementary-session-settings ]; + services.xserver.displayManager.sessionPackages = [ pkgs.pantheon.elementary-session-settings ]; - # Ensure lightdm is used when Pantheon is enabled - # Without it screen locking will be nonfunctional because of the use of lightlocker + # Ensure lightdm is used when Pantheon is enabled + # Without it screen locking will be nonfunctional because of the use of lightlocker + warnings = optional (config.services.xserver.displayManager.lightdm.enable != true) + '' + Using Pantheon without LightDM as a displayManager will break screenlocking from the UI. + ''; - warnings = optional (config.services.xserver.displayManager.lightdm.enable != true) - '' - Using Pantheon without LightDM as a displayManager will break screenlocking from the UI. + services.xserver.displayManager.lightdm.greeters.pantheon.enable = mkDefault true; + + # Without this, elementary LightDM greeter will pre-select non-existent `default` session + # https://github.com/elementary/greeter/issues/368 + services.xserver.displayManager.defaultSession = "pantheon"; + + services.xserver.displayManager.sessionCommands = '' + if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then + ${concatMapStrings (p: '' + if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} + fi + + if [ -d "${p}/lib/girepository-1.0" ]; then + export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib + fi + '') cfg.sessionPath} + fi ''; - services.xserver.displayManager.lightdm.greeters.pantheon.enable = mkDefault true; - - # If not set manually Pantheon session cannot be started - # Known issue of https://github.com/NixOS/nixpkgs/pull/43992 - services.xserver.desktopManager.default = mkForce "pantheon"; - - services.xserver.displayManager.sessionCommands = '' - if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then - ${concatMapStrings (p: '' - if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} - fi - - if [ -d "${p}/lib/girepository-1.0" ]; then - export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib - fi - '') cfg.sessionPath} - fi - ''; - - hardware.bluetooth.enable = mkDefault true; - hardware.pulseaudio.enable = mkDefault true; - security.polkit.enable = true; - services.accounts-daemon.enable = true; - services.bamf.enable = true; - services.colord.enable = mkDefault true; - services.pantheon.files.enable = mkDefault true; - services.tumbler.enable = mkDefault true; - services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.dbus.packages = with pkgs.pantheon; [ - switchboard-plug-power - elementary-default-settings - ]; - services.pantheon.contractor.enable = mkDefault true; - services.gnome3.at-spi2-core.enable = true; - services.gnome3.evolution-data-server.enable = true; - services.gnome3.glib-networking.enable = true; - # TODO: gnome-keyring's xdg autostarts will still be in the environment (from elementary-session-settings) if disabled forcefully - services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-settings-daemon.enable = true; - services.udev.packages = [ pkgs.pantheon.elementary-settings-daemon ]; - services.gvfs.enable = true; - services.gnome3.rygel.enable = mkDefault true; - services.gsignond.enable = mkDefault true; - services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; - services.udisks2.enable = true; - services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; - services.xserver.updateDbusEnvironment = true; - services.zeitgeist.enable = mkDefault true; - services.geoclue2.enable = mkDefault true; - # pantheon has pantheon-agent-geoclue2 - services.geoclue2.enableDemoAgent = false; - services.geoclue2.appConfig."io.elementary.desktop.agent-geoclue2" = { - isAllowed = true; - isSystem = true; - }; - - programs.dconf.enable = true; - programs.evince.enable = mkDefault true; - programs.file-roller.enable = mkDefault true; - # Otherwise you can't store NetworkManager Secrets with - # "Store the password only for this user" - programs.nm-applet.enable = true; - - # Shell integration for VTE terminals - programs.bash.vteIntegration = mkDefault true; - programs.zsh.vteIntegration = mkDefault true; - - # Harmonize Qt5 applications under Pantheon - qt5.enable = true; - qt5.platformTheme = "gnome"; - qt5.style = "adwaita"; - - networking.networkmanager.enable = mkDefault true; - - # Override GSettings schemas - environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; - - environment.sessionVariables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1"; - - # Settings from elementary-default-settings - environment.sessionVariables.GTK_CSD = "1"; - environment.sessionVariables.GTK_MODULES = "pantheon-filechooser-module"; - environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; - - environment.pathsToLink = [ - # FIXME: modules should link subdirs of `/share` rather than relying on this - "/share" - ]; - - environment.systemPackages = - pkgs.pantheon.artwork ++ pkgs.pantheon.desktop ++ pkgs.pantheon.services ++ cfg.sessionPath - ++ (with pkgs; gnome3.removePackagesByName - ([ - gnome3.geary - gnome3.epiphany - gnome3.gnome-font-viewer - ] ++ pantheon.apps) config.environment.pantheon.excludePackages) - ++ (with pkgs; - [ - adwaita-qt + # Default services + hardware.bluetooth.enable = mkDefault true; + hardware.pulseaudio.enable = mkDefault true; + security.polkit.enable = true; + services.accounts-daemon.enable = true; + services.bamf.enable = true; + services.colord.enable = mkDefault true; + services.tumbler.enable = mkDefault true; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.dbus.packages = with pkgs.pantheon; [ + switchboard-plug-power + elementary-default-settings # accountsservice extensions + ]; + services.pantheon.apps.enable = mkDefault true; + services.pantheon.contractor.enable = mkDefault true; + services.gnome3.at-spi2-core.enable = true; + services.gnome3.evolution-data-server.enable = true; + services.gnome3.glib-networking.enable = true; + services.gnome3.gnome-keyring.enable = true; + services.gvfs.enable = true; + services.gnome3.rygel.enable = mkDefault true; + services.gsignond.enable = mkDefault true; + services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; + services.udisks2.enable = true; + services.upower.enable = config.powerManagement.enable; + services.xserver.libinput.enable = mkDefault true; + services.xserver.updateDbusEnvironment = true; + services.zeitgeist.enable = mkDefault true; + services.geoclue2.enable = mkDefault true; + # pantheon has pantheon-agent-geoclue2 + services.geoclue2.enableDemoAgent = false; + services.geoclue2.appConfig."io.elementary.desktop.agent-geoclue2" = { + isAllowed = true; + isSystem = true; + }; + # Use gnome-settings-daemon fork + services.udev.packages = [ + pkgs.pantheon.elementary-settings-daemon + ]; + systemd.packages = [ + pkgs.pantheon.elementary-settings-daemon + ]; + programs.dconf.enable = true; + networking.networkmanager.enable = mkDefault true; + + # Global environment + environment.systemPackages = with pkgs; [ desktop-file-utils glib - glib-networking gnome-menus gnome3.adwaita-icon-theme gtk3.out @@ -196,19 +183,111 @@ in shared-mime-info sound-theme-freedesktop xdg-user-dirs - ]); + ] ++ (with pkgs.pantheon; [ + # Artwork + elementary-gtk-theme + elementary-icon-theme + elementary-sound-theme + elementary-wallpapers + + # Desktop + elementary-default-settings + elementary-session-settings + elementary-shortcut-overlay + gala + (switchboard-with-plugs.override { + plugs = cfg.extraSwitchboardPlugs; + }) + (wingpanel-with-indicators.override { + indicators = cfg.extraWingpanelIndicators; + }) + + # Services + cerbere + elementary-capnet-assist + elementary-dpms-helper + elementary-settings-daemon + pantheon-agent-geoclue2 + pantheon-agent-polkit + ]) ++ (gnome3.removePackagesByName [ + gnome3.geary + gnome3.epiphany + gnome3.gnome-font-viewer + ] config.environment.pantheon.excludePackages); - fonts.fonts = with pkgs; [ - open-sans - roboto-mono - pantheon.elementary-redacted-script # needed by screenshot-tool - ]; + programs.evince.enable = mkDefault true; + programs.file-roller.enable = mkDefault true; - fonts.fontconfig.defaultFonts = { - monospace = [ "Roboto Mono" ]; - sansSerif = [ "Open Sans" ]; - }; + # Settings from elementary-default-settings + environment.sessionVariables.GTK_CSD = "1"; + environment.sessionVariables.GTK3_MODULES = [ "pantheon-filechooser-module" ]; + environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; - }; + # Override GSettings schemas + environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; + + environment.sessionVariables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1"; + + environment.pathsToLink = [ + # FIXME: modules should link subdirs of `/share` rather than relying on this + "/share" + ]; + + # Otherwise you can't store NetworkManager Secrets with + # "Store the password only for this user" + programs.nm-applet.enable = true; + # Shell integration for VTE terminals + programs.bash.vteIntegration = mkDefault true; + programs.zsh.vteIntegration = mkDefault true; + + # Harmonize Qt5 applications under Pantheon + qt5.enable = true; + qt5.platformTheme = "gnome"; + qt5.style = "adwaita"; + + # Default Fonts + fonts.fonts = with pkgs; [ + open-sans + roboto-mono + ]; + + fonts.fontconfig.defaultFonts = { + monospace = [ "Roboto Mono" ]; + sansSerif = [ "Open Sans" ]; + }; + }) + + (mkIf serviceCfg.apps.enable { + environment.systemPackages = (with pkgs.pantheon; pkgs.gnome3.removePackagesByName [ + elementary-calculator + elementary-calendar + elementary-camera + elementary-code + elementary-files + elementary-music + elementary-photos + elementary-screenshot-tool + elementary-terminal + elementary-videos + ] config.environment.pantheon.excludePackages); + + # needed by screenshot-tool + fonts.fonts = [ + pkgs.pantheon.elementary-redacted-script + ]; + }) + + (mkIf serviceCfg.contractor.enable { + environment.systemPackages = with pkgs.pantheon; [ + contractor + extra-elementary-contracts + ]; + + environment.pathsToLink = [ + "/share/contractor" + ]; + }) + + ]; } diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix index da8bdcb78c4..2538858ac0f 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -33,6 +33,7 @@ in imports = [ (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "plasma5" "enableQt4Support" ] "Phonon no longer supports Qt 4.") + (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ]) ]; config = mkMerge [ @@ -169,7 +170,7 @@ in ++ lib.optional (cfg.phononBackend == "vlc") libsForQt5.phonon-backend-vlc # Optional hardware support features - ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt ] + ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt openobex obexftp ] ++ lib.optional config.networking.networkmanager.enable plasma-nm ++ lib.optional config.hardware.pulseaudio.enable plasma-pa ++ lib.optional config.powerManagement.enable powerdevil @@ -182,10 +183,7 @@ in "/share" ]; - environment.etc = singleton { - source = xcfg.xkbDir; - target = "X11/xkb"; - }; + environment.etc."X11/xkb".source = xcfg.xkbDir; # Enable GTK applications to load SVG icons services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix index 140dde828da..9aeb0bbd2a8 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix @@ -118,7 +118,7 @@ in { }; config = mkIf cfg.enable { - services.xserver.displayManager.extraSessionFilePackages = [ + services.xserver.displayManager.sessionPackages = [ pkgs.surf-display ]; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix index 0b70ad5f29c..a08b1947f65 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -31,6 +31,7 @@ in (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xfce" "extraSessionCommands" ] [ "services" "xserver" "displayManager" "sessionCommands" ]) + (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "xfce" "screenLock" ] "") ]; options = { diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix new file mode 100644 index 00000000000..1dbe703b566 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix @@ -0,0 +1,39 @@ +{ accountsservice +, glib +, gobject-introspection +, python3 +, wrapGAppsHook +}: + +python3.pkgs.buildPythonApplication { + name = "set-session"; + + format = "other"; + + src = ./set-session.py; + + dontUnpack = true; + + strictDeps = false; + + nativeBuildInputs = [ + wrapGAppsHook + gobject-introspection + ]; + + buildInputs = [ + accountsservice + glib + ]; + + propagatedBuildInputs = with python3.pkgs; [ + pygobject3 + ordered-set + ]; + + installPhase = '' + mkdir -p $out/bin + cp $src $out/bin/set-session + chmod +x $out/bin/set-session + ''; +} diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix index b66856fd4d4..1efd0739376 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix @@ -27,16 +27,7 @@ let Xft.hintstyle: hintslight ''; - mkCases = session: - concatStrings ( - mapAttrsToList (name: starts: '' - (${name}) - ${concatMapStringsSep "\n " (n: n.start) starts} - ;; - '') (lib.groupBy (n: n.name) session) - ); - - # file provided by services.xserver.displayManager.session.wrapper + # file provided by services.xserver.displayManager.sessionData.wrapper xsessionWrapper = pkgs.writeScript "xsession-wrapper" '' #! ${pkgs.bash}/bin/bash @@ -116,98 +107,47 @@ let # Run the supplied session command. Remove any double quotes with eval. eval exec "$@" else - # Fall back to the default window/desktopManager - exec ${cfg.displayManager.session.script} + # TODO: Do we need this? Should not the session always exist? + echo "error: unknown session $1" 1>&2 + exit 1 fi ''; - # file provided by services.xserver.displayManager.session.script - xsession = wm: dm: pkgs.writeScript "xsession" - '' - #! ${pkgs.bash}/bin/bash - - # Legacy session script used to construct .desktop files from - # `services.xserver.displayManager.session` entries. Called from - # `sessionWrapper`. - - # Expected parameters: - # $1 = <desktop-manager>+<window-manager> - - # The first argument of this script is the session type. - sessionType="$1" - if [ "$sessionType" = default ]; then sessionType=""; fi - - # The session type is "<desktop-manager>+<window-manager>", so - # extract those (see: - # http://wiki.bash-hackers.org/syntax/pe#substring_removal). - windowManager="''${sessionType##*+}" - : ''${windowManager:=${cfg.windowManager.default}} - desktopManager="''${sessionType%%+*}" - : ''${desktopManager:=${cfg.desktopManager.default}} - - # Start the window manager. - case "$windowManager" in - ${mkCases wm} - (*) echo "$0: Window manager '$windowManager' not found.";; - esac - - # Start the desktop manager. - case "$desktopManager" in - ${mkCases dm} - (*) echo "$0: Desktop manager '$desktopManager' not found.";; - esac - - ${optionalString cfg.updateDbusEnvironment '' - ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all - ''} - - test -n "$waitPID" && wait "$waitPID" - - ${config.systemd.package}/bin/systemctl --user stop graphical-session.target - - exit 0 - ''; - - # Desktop Entry Specification: - # - https://standards.freedesktop.org/desktop-entry-spec/latest/ - # - https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s06.html - mkDesktops = names: pkgs.runCommand "desktops" + installedSessions = pkgs.runCommand "desktops" { # trivial derivation preferLocalBuild = true; allowSubstitutes = false; } '' - mkdir -p "$out/share/xsessions" - ${concatMapStrings (n: '' - cat - > "$out/share/xsessions/${n}.desktop" << EODESKTOP - [Desktop Entry] - Version=1.0 - Type=XSession - TryExec=${cfg.displayManager.session.script} - Exec=${cfg.displayManager.session.script} "${n}" - Name=${n} - Comment= - EODESKTOP - '') names} + mkdir -p "$out/share/"{xsessions,wayland-sessions} ${concatMapStrings (pkg: '' + for n in ${concatStringsSep " " pkg.providedSessions}; do + if ! test -f ${pkg}/share/wayland-sessions/$n.desktop -o \ + -f ${pkg}/share/xsessions/$n.desktop; then + echo "Couldn't find provided session name, $n.desktop, in session package ${pkg.name}:" + echo " ${pkg}" + return 1 + fi + done + if test -d ${pkg}/share/xsessions; then ${xorg.lndir}/bin/lndir ${pkg}/share/xsessions $out/share/xsessions fi - '') cfg.displayManager.extraSessionFilePackages} - - ${concatMapStrings (pkg: '' if test -d ${pkg}/share/wayland-sessions; then - mkdir -p "$out/share/wayland-sessions" ${xorg.lndir}/bin/lndir ${pkg}/share/wayland-sessions $out/share/wayland-sessions fi - '') cfg.displayManager.extraSessionFilePackages} + '') cfg.displayManager.sessionPackages} ''; + dmDefault = cfg.desktopManager.default; + wmDefault = cfg.windowManager.default; + + defaultSessionFromLegacyOptions = concatStringsSep "+" (filter (s: s != null) ([ dmDefault ] ++ optional (wmDefault != "none") wmDefault)); + in { - options = { services.xserver.displayManager = { @@ -262,11 +202,24 @@ in ''; }; - extraSessionFilePackages = mkOption { - type = types.listOf types.package; + sessionPackages = mkOption { + type = with types; listOf (package // { + description = "package with provided sessions"; + check = p: assertMsg + (package.check p && p ? providedSessions + && p.providedSessions != [] && all isString p.providedSessions) + '' + Package, '${p.name}', did not specify any session names, as strings, in + 'passthru.providedSessions'. This is required when used as a session package. + + The session names can be looked up in: + ${p}/share/xsessions + ${p}/share/wayland-sessions + ''; + }); default = []; description = '' - A list of packages containing xsession files to be passed to the display manager. + A list of packages containing x11 or wayland session files to be passed to the display manager. ''; }; @@ -297,18 +250,50 @@ in inside the display manager with the desktop manager name followed by the window manager name. ''; - apply = list: rec { - wm = filter (s: s.manage == "window") list; - dm = filter (s: s.manage == "desktop") list; - names = flip concatMap dm - (d: map (w: d.name + optionalString (w.name != "none") ("+" + w.name)) - (filter (w: d.name != "none" || w.name != "none") wm)); - desktops = mkDesktops names; - script = xsession wm dm; + }; + + sessionData = mkOption { + description = "Data exported for display managers’ convenience"; + internal = true; + default = {}; + apply = val: { wrapper = xsessionWrapper; + desktops = installedSessions; + sessionNames = concatMap (p: p.providedSessions) cfg.displayManager.sessionPackages; + # We do not want to force users to set defaultSession when they have only single DE. + autologinSession = + if cfg.displayManager.defaultSession != null then + cfg.displayManager.defaultSession + else if cfg.displayManager.sessionData.sessionNames != [] then + head cfg.displayManager.sessionData.sessionNames + else + null; }; }; + defaultSession = mkOption { + type = with types; nullOr str // { + description = "session name"; + check = d: + assertMsg (d != null -> (str.check d && elem d cfg.displayManager.sessionData.sessionNames)) '' + Default graphical session, '${d}', not found. + Valid names for 'services.xserver.displayManager.defaultSession' are: + ${concatStringsSep "\n " cfg.displayManager.sessionData.sessionNames} + ''; + }; + default = + if dmDefault != null || wmDefault != null then + defaultSessionFromLegacyOptions + else + null; + example = "gnome"; + description = '' + Graphical session to pre-select in the session chooser (only effective for GDM and LightDM). + + On GDM, LightDM and SDDM, it will also be used as a session for auto-login. + ''; + }; + job = { preStart = mkOption { @@ -357,6 +342,27 @@ in }; config = { + assertions = [ + { + assertion = cfg.desktopManager.default != null || cfg.windowManager.default != null -> cfg.displayManager.defaultSession == defaultSessionFromLegacyOptions; + message = "You cannot use both services.xserver.displayManager.defaultSession option and legacy options (services.xserver.desktopManager.default and services.xserver.windowManager.default)."; + } + ]; + + warnings = + mkIf (dmDefault != null || wmDefault != null) [ + '' + The following options are deprecated: + ${concatStringsSep "\n " (map ({c, t}: t) (filter ({c, t}: c != null) [ + { c = dmDefault; t = "- services.xserver.desktopManager.default"; } + { c = wmDefault; t = "- services.xserver.windowManager.default"; } + ]))} + Please use + services.xserver.displayManager.defaultSession = "${concatStringsSep "+" (filter (s: s != null) [ dmDefault wmDefault ])}"; + instead. + '' + ]; + services.xserver.displayManager.xserverBin = "${xorg.xorgserver.out}/bin/X"; systemd.user.targets.graphical-session = { @@ -365,11 +371,75 @@ in StopWhenUnneeded = false; }; }; + + # Create desktop files and scripts for starting sessions for WMs/DMs + # that do not have upstream session files (those defined using services.{display,desktop,window}Manager.session options). + services.xserver.displayManager.sessionPackages = + let + dms = filter (s: s.manage == "desktop") cfg.displayManager.session; + wms = filter (s: s.manage == "window") cfg.displayManager.session; + + # Script responsible for starting the window manager and the desktop manager. + xsession = dm: wm: pkgs.writeScript "xsession" '' + #! ${pkgs.bash}/bin/bash + + # Legacy session script used to construct .desktop files from + # `services.xserver.displayManager.session` entries. Called from + # `sessionWrapper`. + + # Start the window manager. + ${wm.start} + + # Start the desktop manager. + ${dm.start} + + ${optionalString cfg.updateDbusEnvironment '' + ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all + ''} + + test -n "$waitPID" && wait "$waitPID" + + ${config.systemd.package}/bin/systemctl --user stop graphical-session.target + + exit 0 + ''; + in + # We will generate every possible pair of WM and DM. + concatLists ( + crossLists + (dm: wm: let + sessionName = "${dm.name}${optionalString (wm.name != "none") ("+" + wm.name)}"; + script = xsession dm wm; + in + optional (dm.name != "none" || wm.name != "none") + (pkgs.writeTextFile { + name = "${sessionName}-xsession"; + destination = "/share/xsessions/${sessionName}.desktop"; + # Desktop Entry Specification: + # - https://standards.freedesktop.org/desktop-entry-spec/latest/ + # - https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s06.html + text = '' + [Desktop Entry] + Version=1.0 + Type=XSession + TryExec=${script} + Exec=${script} + Name=${sessionName} + ''; + } // { + providedSessions = [ sessionName ]; + }) + ) + [dms wms] + ); }; imports = [ - (mkRemovedOptionModule [ "services" "xserver" "displayManager" "desktopManagerHandlesLidAndPower" ] + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "desktopManagerHandlesLidAndPower" ] "The option is no longer necessary because all display managers have already delegated lid management to systemd.") + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ]) + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "extraSessionFilesPackages" ] [ "services" "xserver" "displayManager" "sessionPackages" ]) ]; } diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix index 912ec5bd38e..2f8c8cc9013 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix @@ -31,44 +31,9 @@ let load-module module-position-event-sounds ''; - dmDefault = config.services.xserver.desktopManager.default; - wmDefault = config.services.xserver.windowManager.default; - hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; - defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); - - setSessionScript = pkgs.python3.pkgs.buildPythonApplication { - name = "set-session"; - - format = "other"; - - src = ./set-session.py; - - dontUnpack = true; - - strictDeps = false; - - nativeBuildInputs = with pkgs; [ - wrapGAppsHook - gobject-introspection - ]; - - buildInputs = with pkgs; [ - accountsservice - glib - ]; - - propagatedBuildInputs = with pkgs.python3.pkgs; [ - pygobject3 - ordered-set - ]; - - installPhase = '' - mkdir -p $out/bin - cp $src $out/bin/set-session - chmod +x $out/bin/set-session - ''; - }; + defaultSessionName = config.services.xserver.displayManager.defaultSession; + setSessionScript = pkgs.callPackage ./account-service-util.nix { }; in { @@ -186,7 +151,7 @@ in environment = { GDM_X_SERVER_EXTRA_ARGS = toString (filter (arg: arg != "-terminate") cfg.xserverArgs); - XDG_DATA_DIRS = "${cfg.session.desktops}/share/"; + XDG_DATA_DIRS = "${cfg.sessionData.desktops}/share/"; } // optionalAttrs (xSessionWrapper != null) { # Make GDM use this wrapper before running the session, which runs the # configured setupCommands. This relies on a patched GDM which supports @@ -194,23 +159,28 @@ in GDM_X_SESSION_WRAPPER = "${xSessionWrapper}"; }; execCmd = "exec ${gdm}/bin/gdm"; - preStart = optionalString config.hardware.pulseaudio.enable '' - mkdir -p /run/gdm/.config/pulse - ln -sf ${pulseConfig} /run/gdm/.config/pulse/default.pa - chown -R gdm:gdm /run/gdm/.config - '' + optionalString config.services.gnome3.gnome-initial-setup.enable '' - # Create stamp file for gnome-initial-setup to prevent run. - mkdir -p /run/gdm/.config - cat - > /run/gdm/.config/gnome-initial-setup-done <<- EOF - yes - EOF - '' + optionalString hasDefaultUserSession '' - ${setSessionScript}/bin/set-session ${defaultSessionName} + preStart = optionalString (defaultSessionName != null) '' + # Set default session in session chooser to a specified values – basically ignore session history. + ${setSessionScript}/bin/set-session ${cfg.sessionData.autologinSession} ''; }; - # Because sd_login_monitor_new requires /run/systemd/machines - systemd.services.display-manager.wants = [ "systemd-machined.service" ]; + systemd.tmpfiles.rules = [ + "d /run/gdm/.config 0711 gdm gdm -" + ] ++ optionals config.hardware.pulseaudio.enable [ + "L+ /run/gdm/.config/pulse - - - - ${pulseConfig}" + ] ++ optionals config.services.gnome3.gnome-initial-setup.enable [ + # Create stamp file for gnome-initial-setup to prevent it starting in GDM. + "f /run/gdm/.config/gnome-initial-setup-done 0711 gdm gdm - yes" + ]; + + systemd.services.display-manager.wants = [ + # Because sd_login_monitor_new requires /run/systemd/machines + "systemd-machined.service" + # setSessionScript wants AccountsService + "accounts-daemon.service" + ]; + systemd.services.display-manager.after = [ "rc-local.service" "systemd-machined.service" @@ -281,7 +251,7 @@ in customDconfDb = pkgs.stdenv.mkDerivation { name = "gdm-dconf-db"; buildCommand = '' - ${pkgs.gnome3.dconf}/bin/dconf compile $out ${customDconf}/dconf + ${pkgs.dconf}/bin/dconf compile $out ${customDconf}/dconf ''; }; in pkgs.stdenv.mkDerivation { @@ -326,7 +296,7 @@ in ${optionalString cfg.gdm.debug "Enable=true"} ''; - environment.etc."gdm/Xsession".source = config.services.xserver.displayManager.session.wrapper; + environment.etc."gdm/Xsession".source = config.services.xserver.displayManager.sessionData.wrapper; # GDM LFS PAM modules, adapted somehow to NixOS security.pam.services = { diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix index fa9445af32e..0025f9b3603 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix @@ -53,9 +53,8 @@ in Whether to enable lightdm-mini-greeter as the lightdm greeter. Note that this greeter starts only the default X session. - You can configure the default X session by - <option>services.xserver.desktopManager.default</option> and - <option>services.xserver.windowManager.default</option>. + You can configure the default X session using + <xref linkend="opt-services.xserver.displayManager.defaultSession"/>. ''; }; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix index 29cb6ccbc06..77c94114e6d 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix @@ -35,6 +35,9 @@ in name = "io.elementary.greeter"; }; + # Show manual login card. + services.xserver.displayManager.lightdm.extraSeatDefaults = "greeter-show-manual-login=true"; + environment.etc."lightdm/io.elementary.greeter.conf".source = "${pkgs.pantheon.elementary-greeter}/etc/lightdm/io.elementary.greeter.conf"; environment.etc."wingpanel.d/io.elementary.greeter.whitelist".source = "${pkgs.pantheon.elementary-default-settings}/etc/wingpanel.d/io.elementary.greeter.whitelist"; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix index cf4c05acbcc..f7face0adb7 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix @@ -8,10 +8,9 @@ let dmcfg = xcfg.displayManager; xEnv = config.systemd.services.display-manager.environment; cfg = dmcfg.lightdm; + sessionData = dmcfg.sessionData; - dmDefault = xcfg.desktopManager.default; - wmDefault = xcfg.windowManager.default; - hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; + setSessionScript = pkgs.callPackage ./account-service-util.nix { }; inherit (pkgs) lightdm writeScript writeText; @@ -45,22 +44,19 @@ let greeter-user = ${config.users.users.lightdm.name} greeters-directory = ${cfg.greeter.package} ''} - sessions-directory = ${dmcfg.session.desktops}/share/xsessions + sessions-directory = ${dmcfg.sessionData.desktops}/share/xsessions:${dmcfg.sessionData.desktops}/share/wayland-sessions ${cfg.extraConfig} [Seat:*] xserver-command = ${xserverWrapper} - session-wrapper = ${dmcfg.session.wrapper} + session-wrapper = ${dmcfg.sessionData.wrapper} ${optionalString cfg.greeter.enable '' greeter-session = ${cfg.greeter.name} ''} ${optionalString cfg.autoLogin.enable '' autologin-user = ${cfg.autoLogin.user} autologin-user-timeout = ${toString cfg.autoLogin.timeout} - autologin-session = ${defaultSessionName} - ''} - ${optionalString hasDefaultUserSession '' - user-session=${defaultSessionName} + autologin-session = ${sessionData.autologinSession} ''} ${optionalString (dmcfg.setupCommands != "") '' display-setup-script=${pkgs.writeScript "lightdm-display-setup" '' @@ -71,7 +67,6 @@ let ${cfg.extraSeatDefaults} ''; - defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); in { # Note: the order in which lightdm greeter modules are imported @@ -199,11 +194,9 @@ in LightDM auto-login requires services.xserver.displayManager.lightdm.autoLogin.user to be set ''; } - { assertion = cfg.autoLogin.enable -> dmDefault != "none" || wmDefault != "none"; + { assertion = cfg.autoLogin.enable -> sessionData.autologinSession != null; message = '' - LightDM auto-login requires that services.xserver.desktopManager.default and - services.xserver.windowManager.default are set to valid values. The current - default session: ${defaultSessionName} is not valid. + LightDM auto-login requires that services.xserver.displayManager.defaultSession is set. ''; } { assertion = !cfg.greeter.enable -> (cfg.autoLogin.enable && cfg.autoLogin.timeout == 0); @@ -214,6 +207,20 @@ in } ]; + # Set default session in session chooser to a specified values – basically ignore session history. + # Auto-login is already covered by a config value. + services.xserver.displayManager.job.preStart = optionalString (!cfg.autoLogin.enable && dmcfg.defaultSession != null) '' + ${setSessionScript}/bin/set-session ${dmcfg.defaultSession} + ''; + + # setSessionScript needs session-files in XDG_DATA_DIRS + services.xserver.displayManager.job.environment.XDG_DATA_DIRS = "${dmcfg.sessionData.desktops}/share/"; + + # setSessionScript wants AccountsService + systemd.services.display-manager.wants = [ + "accounts-daemon.service" + ]; + # lightdm relaunches itself via just `lightdm`, so needs to be on the PATH services.xserver.displayManager.job.execCmd = '' export PATH=${lightdm}/sbin:$PATH diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix index 899dd8665a2..4224c557ed6 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix @@ -50,8 +50,8 @@ let MinimumVT=${toString (if xcfg.tty != null then xcfg.tty else 7)} ServerPath=${xserverWrapper} XephyrPath=${pkgs.xorg.xorgserver.out}/bin/Xephyr - SessionCommand=${dmcfg.session.wrapper} - SessionDir=${dmcfg.session.desktops}/share/xsessions + SessionCommand=${dmcfg.sessionData.wrapper} + SessionDir=${dmcfg.sessionData.desktops}/share/xsessions XauthPath=${pkgs.xorg.xauth}/bin/xauth DisplayCommand=${Xsetup} DisplayStopCommand=${Xstop} @@ -59,26 +59,27 @@ let [Wayland] EnableHidpi=${if cfg.enableHidpi then "true" else "false"} - SessionDir=${dmcfg.session.desktops}/share/wayland-sessions + SessionDir=${dmcfg.sessionData.desktops}/share/wayland-sessions ${optionalString cfg.autoLogin.enable '' [Autologin] User=${cfg.autoLogin.user} - Session=${defaultSessionName}.desktop + Session=${autoLoginSessionName}.desktop Relogin=${boolToString cfg.autoLogin.relogin} ''} ${cfg.extraConfig} ''; - defaultSessionName = - let - dm = xcfg.desktopManager.default; - wm = xcfg.windowManager.default; - in dm + optionalString (wm != "none") ("+" + wm); + autoLoginSessionName = dmcfg.sessionData.autologinSession; in { + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] + "Set the option `services.xserver.displayManager.sddm.package' instead.") + ]; + options = { services.xserver.displayManager.sddm = { @@ -205,11 +206,9 @@ in SDDM auto-login requires services.xserver.displayManager.sddm.autoLogin.user to be set ''; } - { assertion = cfg.autoLogin.enable -> elem defaultSessionName dmcfg.session.names; + { assertion = cfg.autoLogin.enable -> autoLoginSessionName != null; message = '' - SDDM auto-login requires that services.xserver.desktopManager.default and - services.xserver.windowManager.default are set to valid values. The current - default session: ${defaultSessionName} is not valid. + SDDM auto-login requires that services.xserver.displayManager.defaultSession is set. ''; } ]; diff --git a/nixpkgs/nixos/modules/services/x11/extra-layouts.nix b/nixpkgs/nixos/modules/services/x11/extra-layouts.nix index 1af98a1318b..f48216ff446 100644 --- a/nixpkgs/nixos/modules/services/x11/extra-layouts.nix +++ b/nixpkgs/nixos/modules/services/x11/extra-layouts.nix @@ -141,7 +141,7 @@ in }); xkbcomp = super.xorg.xkbcomp.overrideAttrs (old: { - configureFlags = "--with-xkb-config-root=${self.xkb_patched}/share/X11/xkb"; + configureFlags = [ "--with-xkb-config-root=${self.xkb_patched}/share/X11/xkb" ]; }); }; @@ -158,6 +158,12 @@ in }); + environment.sessionVariables = { + # runtime override supported by multiple libraries e. g. libxkbcommon + # https://xkbcommon.org/doc/current/group__include-path.html + XKB_CONFIG_ROOT = "${pkgs.xkb_patched}/etc/X11/xkb"; + }; + services.xserver = { xkbDir = "${pkgs.xkb_patched}/etc/X11/xkb"; exportConfiguration = config.services.xserver.displayManager.startx.enable; diff --git a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix index 71065dfc26b..f6b0e7c09f5 100644 --- a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix @@ -198,12 +198,13 @@ in { environment.systemPackages = [ pkgs.xorg.xf86inputlibinput ]; - environment.etc = [ - (let cfgPath = "X11/xorg.conf.d/40-libinput.conf"; in { - source = pkgs.xorg.xf86inputlibinput.out + "/share/" + cfgPath; - target = cfgPath; - }) - ]; + environment.etc = + let cfgPath = "X11/xorg.conf.d/40-libinput.conf"; + in { + ${cfgPath} = { + source = pkgs.xorg.xf86inputlibinput.out + "/share/" + cfgPath; + }; + }; services.udev.packages = [ pkgs.libinput.out ]; diff --git a/nixpkgs/nixos/modules/services/x11/imwheel.nix b/nixpkgs/nixos/modules/services/x11/imwheel.nix new file mode 100644 index 00000000000..3923df498e7 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/imwheel.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.xserver.imwheel; +in + { + options = { + services.xserver.imwheel = { + enable = mkEnableOption "IMWheel service"; + + extraOptions = mkOption { + type = types.listOf types.str; + default = [ "--buttons=45" ]; + example = [ "--debug" ]; + description = '' + Additional command-line arguments to pass to + <command>imwheel</command>. + ''; + }; + + rules = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + ".*" = ''' + None, Up, Button4, 8 + None, Down, Button5, 8 + Shift_L, Up, Shift_L|Button4, 4 + Shift_L, Down, Shift_L|Button5, 4 + Control_L, Up, Control_L|Button4 + Control_L, Down, Control_L|Button5 + '''; + ''; + description = '' + Window class translation rules. + /etc/X11/imwheelrc is generated based on this config + which means this config is global for all users. + See <link xlink:href="http://imwheel.sourceforge.net/imwheel.1.html">offical man pages</link> + for more informations. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.imwheel ]; + + environment.etc."X11/imwheel/imwheelrc".source = + pkgs.writeText "imwheelrc" (concatStringsSep "\n\n" + (mapAttrsToList + (rule: conf: "\"${rule}\"\n${conf}") cfg.rules + )); + + systemd.user.services.imwheel = { + description = "imwheel service"; + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + serviceConfig = { + ExecStart = "${pkgs.imwheel}/bin/imwheel " + escapeShellArgs ([ + "--detach" + "--kill" + ] ++ cfg.extraOptions); + ExecStop = "${pkgs.procps}/bin/pkill imwheel"; + Restart = "on-failure"; + }; + }; + }; + } diff --git a/nixpkgs/nixos/modules/services/x11/compton.nix b/nixpkgs/nixos/modules/services/x11/picom.nix index a94a76ff0c0..e3bd21be73e 100644 --- a/nixpkgs/nixos/modules/services/x11/compton.nix +++ b/nixpkgs/nixos/modules/services/x11/picom.nix @@ -5,7 +5,7 @@ with builtins; let - cfg = config.services.compton; + cfg = config.services.picom; pairOf = x: with types; addCheck (listOf x) (y: length y == 2); @@ -31,20 +31,24 @@ let (key: value: "${toString key}=${mkValueString value};") v) + " }" - else abort "compton.mkValueString: unexpected type (v = ${v})"; + else abort "picom.mkValueString: unexpected type (v = ${v})"; in "${escape [ sep ] k}${sep}${mkValueString v};") attrs); - configFile = pkgs.writeText "compton.conf" (toConf cfg.settings); + configFile = pkgs.writeText "picom.conf" (toConf cfg.settings); in { - options.services.compton = { + imports = [ + (mkAliasOptionModule [ "services" "compton" ] [ "services" "picom" ]) + ]; + + options.services.picom = { enable = mkOption { type = types.bool; default = false; description = '' - Whether of not to enable Compton as the X.org composite manager. + Whether of not to enable Picom as the X.org composite manager. ''; }; @@ -85,7 +89,7 @@ in { ]; description = '' List of conditions of windows that should not be faded. - See <literal>compton(1)</literal> man page for more examples. + See <literal>picom(1)</literal> man page for more examples. ''; }; @@ -125,7 +129,7 @@ in { ]; description = '' List of conditions of windows that should have no shadow. - See <literal>compton(1)</literal> man page for more examples. + See <literal>picom(1)</literal> man page for more examples. ''; }; @@ -192,7 +196,7 @@ in { apply = x: let res = x != "none"; - msg = "The type of services.compton.vSync has changed to bool:" + msg = "The type of services.picom.vSync has changed to bool:" + " interpreting ${x} as ${boolToString res}"; in if isBool x then x @@ -222,13 +226,13 @@ in { type = loaOf (types.either configTypes (loaOf (types.either configTypes (loaOf configTypes)))); default = {}; description = '' - Additional Compton configuration. + Additional Picom configuration. ''; }; }; config = mkIf cfg.enable { - services.compton.settings = let + services.picom.settings = let # Hard conversion to float, literally lib.toInt but toFloat toFloat = str: let may_be_float = builtins.fromJSON str; @@ -264,8 +268,8 @@ in { refresh-rate = mkDefault cfg.refreshRate; }; - systemd.user.services.compton = { - description = "Compton composite manager"; + systemd.user.services.picom = { + description = "Picom composite manager"; wantedBy = [ "graphical-session.target" ]; partOf = [ "graphical-session.target" ]; @@ -275,13 +279,15 @@ in { }; serviceConfig = { - ExecStart = "${pkgs.compton}/bin/compton --config ${configFile}"; + ExecStart = "${pkgs.picom}/bin/picom --config ${configFile}"; RestartSec = 3; Restart = "always"; }; }; - environment.systemPackages = [ pkgs.compton ]; + environment.systemPackages = [ pkgs.picom ]; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/x11/unclutter.nix b/nixpkgs/nixos/modules/services/x11/unclutter.nix index 5f16a680050..2478aaabb79 100644 --- a/nixpkgs/nixos/modules/services/x11/unclutter.nix +++ b/nixpkgs/nixos/modules/services/x11/unclutter.nix @@ -71,4 +71,7 @@ in { serviceConfig.Restart = "always"; }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/x11/urxvtd.nix b/nixpkgs/nixos/modules/services/x11/urxvtd.nix index d916fa5bb39..9bfcfa9b065 100644 --- a/nixpkgs/nixos/modules/services/x11/urxvtd.nix +++ b/nixpkgs/nixos/modules/services/x11/urxvtd.nix @@ -45,4 +45,6 @@ in { environment.variables.RXVT_SOCKET = "/run/user/$(id -u)/urxvtd-socket"; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix index c17f3830d0e..04a9fc46628 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix @@ -59,15 +59,14 @@ in }; default = mkOption { - type = types.str; - default = "none"; + type = types.nullOr types.str; + default = null; example = "wmii"; - description = "Default window manager loaded if none have been chosen."; - apply = defaultWM: - if any (w: w.name == defaultWM) cfg.session then - defaultWM - else - throw "Default window manager (${defaultWM}) not found."; + description = '' + <emphasis role="strong">Deprecated</emphasis>, please use <xref linkend="opt-services.xserver.displayManager.defaultSession"/> instead. + + Default window manager loaded if none have been chosen. + ''; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/xserver.nix b/nixpkgs/nixos/modules/services/x11/xserver.nix index 70f01dbdbf5..7029919170a 100644 --- a/nixpkgs/nixos/modules/services/x11/xserver.nix +++ b/nixpkgs/nixos/modules/services/x11/xserver.nix @@ -149,6 +149,8 @@ in [ ./display-managers/default.nix ./window-managers/default.nix ./desktop-managers/default.nix + (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ] + "See the 16.09 release notes for more information.") ]; @@ -329,9 +331,9 @@ in }; xkbOptions = mkOption { - type = types.str; + type = types.commas; default = "terminate:ctrl_alt_bksp"; - example = "grp:caps_toggle, grp_led:scroll"; + example = "grp:caps_toggle,grp_led:scroll"; description = '' X keyboard options; layout switching goes here. ''; @@ -588,19 +590,15 @@ in ]; environment.etc = - (optionals cfg.exportConfiguration - [ { source = "${configFile}"; - target = "X11/xorg.conf"; - } + (optionalAttrs cfg.exportConfiguration + { + "X11/xorg.conf".source = "${configFile}"; # -xkbdir command line option does not seems to be passed to xkbcomp. - { source = "${cfg.xkbDir}"; - target = "X11/xkb"; - } - ]) + "X11/xkb".source = "${cfg.xkbDir}"; + }) # localectl looks into 00-keyboard.conf - ++ [ - { - text = '' + //{ + "X11/xorg.conf.d/00-keyboard.conf".text = '' Section "InputClass" Identifier "Keyboard catchall" MatchIsKeyboard "on" @@ -610,16 +608,12 @@ in Option "XkbVariant" "${cfg.xkbVariant}" EndSection ''; - target = "X11/xorg.conf.d/00-keyboard.conf"; } - ] # Needed since 1.18; see https://bugs.freedesktop.org/show_bug.cgi?id=89023#c5 - ++ (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in - [{ - source = xorg.xf86inputevdev.out + "/share" + cfgPath; - target = cfgPath; - }] - ); + // (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in + { + ${cfgPath}.source = xorg.xf86inputevdev.out + "/share" + cfgPath; + }); environment.systemPackages = [ xorg.xorgserver.out diff --git a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl index 12a80a12d19..641cf9faadc 100644 --- a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl @@ -214,17 +214,7 @@ while (my ($unit, $state) = each %{$activePrev}) { # Reload the changed mount unit to force a remount. $unitsToReload{$unit} = 1; recordUnit($reloadListFile, $unit); - } elsif ($unit =~ /\.socket$/) { - my $unitInfo = parseUnit($newUnitFile); - # If a socket unit has been changed, the corresponding - # service unit has to be stopped before the socket can - # be restarted. The service will be started again on demand. - my $serviceUnit = $unitInfo->{'Unit'} // "$baseName.service"; - $unitsToStop{$serviceUnit} = 1; - $unitsToStop{$unit} = 1; - $unitsToStart{$unit} = 1; - recordUnit($startListFile, $unit); - } elsif ($unit =~ /\.path$/ || $unit =~ /\.slice$/) { + } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/ || $unit =~ /\.slice$/) { # FIXME: do something? } else { my $unitInfo = parseUnit($newUnitFile); diff --git a/nixpkgs/nixos/modules/system/boot/binfmt.nix b/nixpkgs/nixos/modules/system/boot/binfmt.nix index a32c9dc1f2b..a677ab4cb71 100644 --- a/nixpkgs/nixos/modules/system/boot/binfmt.nix +++ b/nixpkgs/nixos/modules/system/boot/binfmt.nix @@ -134,6 +134,10 @@ let }; in { + imports = [ + (lib.mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) + ]; + options = { boot.binfmt = { registrations = mkOption { diff --git a/nixpkgs/nixos/modules/system/boot/grow-partition.nix b/nixpkgs/nixos/modules/system/boot/grow-partition.nix index 8c9b1502558..71a86c74772 100644 --- a/nixpkgs/nixos/modules/system/boot/grow-partition.nix +++ b/nixpkgs/nixos/modules/system/boot/grow-partition.nix @@ -7,6 +7,9 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "virtualisation" "growPartition" ] [ "boot" "growPartition" ]) + ]; options = { boot.growPartition = mkEnableOption "grow the root partition on boot"; diff --git a/nixpkgs/nixos/modules/system/boot/kernel.nix b/nixpkgs/nixos/modules/system/boot/kernel.nix index 8a309f3bc5f..6edb9082e75 100644 --- a/nixpkgs/nixos/modules/system/boot/kernel.nix +++ b/nixpkgs/nixos/modules/system/boot/kernel.nix @@ -256,9 +256,8 @@ in # Create /etc/modules-load.d/nixos.conf, which is read by # systemd-modules-load.service to load required kernel modules. - environment.etc = singleton - { target = "modules-load.d/nixos.conf"; - source = kernelModulesConf; + environment.etc = + { "modules-load.d/nixos.conf".source = kernelModulesConf; }; systemd.services.systemd-modules-load = diff --git a/nixpkgs/nixos/modules/system/boot/loader/loader.nix b/nixpkgs/nixos/modules/system/boot/loader/loader.nix index 7fbda9ef0f5..01475f79b9c 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/loader.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/loader.nix @@ -3,6 +3,11 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ]) + (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ]) + ]; + options = { boot.loader.timeout = mkOption { default = 5; @@ -12,4 +17,4 @@ with lib; ''; }; }; -}
\ No newline at end of file +} diff --git a/nixpkgs/nixos/modules/system/boot/luksroot.nix b/nixpkgs/nixos/modules/system/boot/luksroot.nix index a4029d766b0..0bb8396a44f 100644 --- a/nixpkgs/nixos/modules/system/boot/luksroot.nix +++ b/nixpkgs/nixos/modules/system/boot/luksroot.nix @@ -126,7 +126,7 @@ let gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null ''} - + # Disable all input echo for the whole stage. We could use read -s # instead but that would ocasionally leak characters between read # invocations. @@ -417,6 +417,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") + ]; options = { diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index 226769f1059..3e289a63139 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix +++ b/nixpkgs/nixos/modules/system/boot/networkd.nix @@ -11,7 +11,7 @@ let checkLink = checkUnitConfig "Link" [ (assertOnlyFields [ "Description" "Alias" "MACAddressPolicy" "MACAddress" "NamePolicy" "Name" "OriginalName" - "MTUBytes" "BitsPerSecond" "Duplex" "AutoNegotiation" "WakeOnLan" "Port" + "MTUBytes" "BitsPerSecond" "Duplex" "AutoNegotiation" "WakeOnLan" "Port" "Advertise" "TCPSegmentationOffload" "TCP6SegmentationOffload" "GenericSegmentationOffload" "GenericReceiveOffload" "LargeReceiveOffload" "RxChannels" "TxChannels" "OtherChannels" "CombinedChannels" @@ -276,7 +276,7 @@ let (assertValueOneOf "ARP" boolValues) (assertValueOneOf "Multicast" boolValues) (assertValueOneOf "Unmanaged" boolValues) - (assertValueOneOf "RequiredForOnline" boolValues) + (assertValueOneOf "RequiredForOnline" (boolValues ++ ["off" "no-carrier" "dormant" "degraded-carrier" "carrier" "degraded" "enslaved" "routable"])) ]; @@ -872,10 +872,10 @@ let ''; }; - unitFiles = map (name: { - target = "systemd/network/${name}"; - source = "${cfg.units.${name}.unit}/${name}"; - }) (attrNames cfg.units); + unitFiles = listToAttrs (map (name: { + name = "systemd/network/${name}"; + value.source = "${cfg.units.${name}.unit}/${name}"; + }) (attrNames cfg.units)); in { @@ -938,7 +938,7 @@ in systemd.services.systemd-networkd = { wantedBy = [ "multi-user.target" ]; - restartTriggers = map (f: f.source) (unitFiles); + restartTriggers = attrNames unitFiles; # prevent race condition with interface renaming (#39069) requires = [ "systemd-udev-settle.service" ]; after = [ "systemd-udev-settle.service" ]; diff --git a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix index 3ddd45b1348..1e2435e36f0 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix @@ -126,7 +126,7 @@ in { systemd.services."systemd-nspawn@".serviceConfig.ExecStart = [ "" # deliberately empty. signals systemd to override the ExecStart # Only difference between upstream is that we do not pass the -U flag - "${pkgs.systemd}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i" + "${config.systemd.package}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i" ]; } ]; diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix index 9e3c6149f92..c438bb216e7 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd.nix @@ -240,7 +240,7 @@ let serviceConfig = { name, config, ... }: { config = mkMerge [ { # Default path for systemd services. Should be quite minimal. - path = + path = mkAfter [ pkgs.coreutils pkgs.findutils pkgs.gnugrep @@ -408,7 +408,6 @@ let in { - ###### interface options = { @@ -1006,5 +1005,7 @@ in [ (mkRenamedOptionModule [ "boot" "systemd" "sockets" ] [ "systemd" "sockets" ]) (mkRenamedOptionModule [ "boot" "systemd" "targets" ] [ "systemd" "targets" ]) (mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ]) + (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) + (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") ]; } diff --git a/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix index e0e8bb1f03d..ddcc0ed8f5a 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix @@ -25,6 +25,9 @@ let ''; nfsConfFile = pkgs.writeText "nfs.conf" cfg.extraConfig; + requestKeyConfFile = pkgs.writeText "request-key.conf" '' + create id_resolver * * ${pkgs.nfs-utils}/bin/nfsidmap -t 600 %k %d + ''; cfg = config.services.nfs; @@ -57,9 +60,12 @@ in systemd.packages = [ pkgs.nfs-utils ]; + environment.systemPackages = [ pkgs.keyutils ]; + environment.etc = { "idmapd.conf".source = idmapdConfFile; "nfs.conf".source = nfsConfFile; + "request-key.conf".source = requestKeyConfFile; }; systemd.services.nfs-blkmap = diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix index fe11917c609..d14ba98ec48 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix @@ -12,6 +12,7 @@ let cfgSnapFlags = cfgSnapshots.flags; cfgScrub = config.services.zfs.autoScrub; cfgTrim = config.services.zfs.trim; + cfgZED = config.services.zfs.zed; inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems; inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems; @@ -87,10 +88,25 @@ let } ''; + zedConf = generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault { + mkValueString = v: + if isInt v then toString v + else if isString v then "\"${v}\"" + else if true == v then "1" + else if false == v then "0" + else if isList v then "\"" + (concatStringsSep " " v) + "\"" + else err "this value is" (toString v); + } "="; + } cfgZED.settings; in { + imports = [ + (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") + ]; + ###### interface options = { @@ -312,6 +328,32 @@ in ''; }; }; + + services.zfs.zed.settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); + example = literalExample '' + { + ZED_DEBUG_LOG = "/tmp/zed.debug.log"; + + ZED_EMAIL_ADDR = [ "root" ]; + ZED_EMAIL_PROG = "mail"; + ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@"; + + ZED_NOTIFY_INTERVAL_SECS = 3600; + ZED_NOTIFY_VERBOSE = false; + + ZED_USE_ENCLOSURE_LEDS = true; + ZED_SCRUB_AFTER_RESILVER = false; + } + ''; + description = '' + ZFS Event Daemon /etc/zfs/zed.d/zed.rc content + + See + <citerefentry><refentrytitle>zed</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details on ZED and the scripts in /etc/zfs/zed.d to find the possible variables + ''; + }; }; ###### implementation @@ -389,8 +431,32 @@ in zfsSupport = true; }; - environment.etc."zfs/zed.d".source = "${packages.zfsUser}/etc/zfs/zed.d/"; - environment.etc."zfs/zpool.d".source = "${packages.zfsUser}/etc/zfs/zpool.d/"; + services.zfs.zed.settings = { + ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail"; + }; + + environment.etc = genAttrs + (map + (file: "zfs/zed.d/${file}") + [ + "all-syslog.sh" + "pool_import-led.sh" + "resilver_finish-start-scrub.sh" + "statechange-led.sh" + "vdev_attach-led.sh" + "zed-functions.sh" + "data-notify.sh" + "resilver_finish-notify.sh" + "scrub_finish-notify.sh" + "statechange-notify.sh" + "vdev_clear-led.sh" + ] + ) + (file: { source = "${packages.zfsUser}/etc/${file}"; }) + // { + "zfs/zed.d/zed.rc".text = zedConf; + "zfs/zpool.d".source = "${packages.zfsUser}/etc/zfs/zpool.d/"; + }; system.fsPackages = [ packages.zfsUser ]; # XXX: needed? zfs doesn't have (need) a fsck environment.systemPackages = [ packages.zfsUser ] diff --git a/nixpkgs/nixos/modules/tasks/kbd.nix b/nixpkgs/nixos/modules/tasks/kbd.nix deleted file mode 100644 index c6ba998b19e..00000000000 --- a/nixpkgs/nixos/modules/tasks/kbd.nix +++ /dev/null @@ -1,127 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - makeColor = n: value: "COLOR_${toString n}=${value}"; - makeColorCS = - let positions = [ "0" "1" "2" "3" "4" "5" "6" "7" "8" "9" "A" "B" "C" "D" "E" "F" ]; - in n: value: "\\033]P${elemAt positions (n - 1)}${value}"; - colors = concatImapStringsSep "\n" makeColor config.i18n.consoleColors; - - isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale); - - optimizedKeymap = pkgs.runCommand "keymap" { - nativeBuildInputs = [ pkgs.buildPackages.kbd ]; - LOADKEYS_KEYMAP_PATH = "${kbdEnv}/share/keymaps/**"; - preferLocalBuild = true; - } '' - loadkeys -b ${optionalString isUnicode "-u"} "${config.i18n.consoleKeyMap}" > $out - ''; - - # Sadly, systemd-vconsole-setup doesn't support binary keymaps. - vconsoleConf = pkgs.writeText "vconsole.conf" '' - KEYMAP=${config.i18n.consoleKeyMap} - FONT=${config.i18n.consoleFont} - ${colors} - ''; - - kbdEnv = pkgs.buildEnv { - name = "kbd-env"; - paths = [ pkgs.kbd ] ++ config.i18n.consolePackages; - pathsToLink = [ "/share/consolefonts" "/share/consoletrans" "/share/keymaps" "/share/unimaps" ]; - }; - - setVconsole = !config.boot.isContainer; -in - -{ - ###### interface - - options = { - - # most options are defined in i18n.nix - - # FIXME: still needed? - boot.extraTTYs = mkOption { - default = []; - type = types.listOf types.str; - example = ["tty8" "tty9"]; - description = '' - Tty (virtual console) devices, in addition to the consoles on - which mingetty and syslogd run, that must be initialised. - Only useful if you have some program that you want to run on - some fixed console. For example, the NixOS installation CD - opens the manual in a web browser on console 7, so it sets - <option>boot.extraTTYs</option> to <literal>["tty7"]</literal>. - ''; - }; - - boot.earlyVconsoleSetup = mkOption { - default = false; - type = types.bool; - description = '' - Enable setting font as early as possible (in initrd). - ''; - }; - - }; - - - ###### implementation - - config = mkMerge [ - (mkIf (!setVconsole) { - systemd.services.systemd-vconsole-setup.enable = false; - }) - - (mkIf setVconsole (mkMerge [ - { environment.systemPackages = [ pkgs.kbd ]; - - # Let systemd-vconsole-setup.service do the work of setting up the - # virtual consoles. - environment.etc."vconsole.conf".source = vconsoleConf; - # Provide kbd with additional packages. - environment.etc.kbd.source = "${kbdEnv}/share"; - - boot.initrd.preLVMCommands = mkBefore '' - kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console - printf "\033%%${if isUnicode then "G" else "@"}" >> /dev/console - loadkmap < ${optimizedKeymap} - - ${optionalString config.boot.earlyVconsoleSetup '' - setfont -C /dev/console $extraUtils/share/consolefonts/font.psf - ''} - - ${concatImapStringsSep "\n" (n: color: '' - printf "${makeColorCS n color}" >> /dev/console - '') config.i18n.consoleColors} - ''; - - systemd.services.systemd-vconsole-setup = - { before = [ "display-manager.service" ]; - after = [ "systemd-udev-settle.service" ]; - restartTriggers = [ vconsoleConf kbdEnv ]; - }; - } - - (mkIf config.boot.earlyVconsoleSetup { - boot.initrd.extraUtilsCommands = '' - mkdir -p $out/share/consolefonts - ${if substring 0 1 config.i18n.consoleFont == "/" then '' - font="${config.i18n.consoleFont}" - '' else '' - font="$(echo ${kbdEnv}/share/consolefonts/${config.i18n.consoleFont}.*)" - ''} - if [[ $font == *.gz ]]; then - gzip -cd $font > $out/share/consolefonts/font.psf - else - cp -L $font $out/share/consolefonts/font.psf - fi - ''; - }) - ])) - ]; - -} diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix index 9ffa1089ee6..e25dc0c0b39 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix @@ -60,8 +60,8 @@ in let domains = cfg.search ++ (optional (cfg.domain != null) cfg.domain); genericNetwork = override: - let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address - ++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address; + let gateway = optional (cfg.defaultGateway != null && (cfg.defaultGateway.address or "") != "") cfg.defaultGateway.address + ++ optional (cfg.defaultGateway6 != null && (cfg.defaultGateway6.address or "") != "") cfg.defaultGateway6.address; in optionalAttrs (gateway != [ ]) { routes = override [ { diff --git a/nixpkgs/nixos/modules/virtualisation/container-config.nix b/nixpkgs/nixos/modules/virtualisation/container-config.nix index f7a37d8c9f3..6ff6bdd30c2 100644 --- a/nixpkgs/nixos/modules/virtualisation/container-config.nix +++ b/nixpkgs/nixos/modules/virtualisation/container-config.nix @@ -10,6 +10,7 @@ with lib; nix.optimise.automatic = mkDefault false; # the store is host managed services.udisks2.enable = mkDefault false; powerManagement.enable = mkDefault false; + documentation.nixos.enable = mkDefault false; networking.useHostResolvConf = mkDefault true; diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix index 09678ce9ea7..02de5801da2 100644 --- a/nixpkgs/nixos/modules/virtualisation/containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/containers.nix @@ -225,12 +225,6 @@ let fi ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} fi - - # Get the leader PID so that we can signal it in - # preStop. We can't use machinectl there because D-Bus - # might be shutting down. FIXME: in systemd 219 we can - # just signal systemd-nspawn to do a clean shutdown. - machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid" '' ); @@ -715,14 +709,7 @@ in postStart = postStartScript dummyConfig; - preStop = - '' - pid="$(cat /run/containers/$INSTANCE.pid)" - if [ -n "$pid" ]; then - kill -RTMIN+4 "$pid" - fi - rm -f "/run/containers/$INSTANCE.pid" - ''; + preStop = "machinectl poweroff $INSTANCE"; restartIfChanged = false; diff --git a/nixpkgs/nixos/modules/virtualisation/docker-containers.nix b/nixpkgs/nixos/modules/virtualisation/docker-containers.nix index 59b0943f591..760cb9122a2 100644 --- a/nixpkgs/nixos/modules/virtualisation/docker-containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/docker-containers.nix @@ -186,7 +186,7 @@ let ++ map escapeShellArg container.cmd ); ExecStartPre = "-${pkgs.docker}/bin/docker rm -f %n"; - ExecStop = "${pkgs.docker}/bin/docker stop %n"; + ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || ${pkgs.docker}/bin/docker stop %n"''; ExecStopPost = "-${pkgs.docker}/bin/docker rm -f %n"; ### There is no generalized way of supporting `reload` for docker diff --git a/nixpkgs/nixos/modules/virtualisation/ec2-data.nix b/nixpkgs/nixos/modules/virtualisation/ec2-data.nix index 82451787e8a..62912535018 100644 --- a/nixpkgs/nixos/modules/virtualisation/ec2-data.nix +++ b/nixpkgs/nixos/modules/virtualisation/ec2-data.nix @@ -7,6 +7,10 @@ with lib; { + imports = [ + (mkRemovedOptionModule [ "ec2" "metadata" ] "") + ]; + config = { systemd.services.apply-ec2-data = diff --git a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix index 9bdea78296f..52d852894ce 100644 --- a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix +++ b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix @@ -28,6 +28,11 @@ let in { + imports = [ + (mkRemovedOptionModule [ "virtualisation" "libvirtd" "enableKVM" ] + "Set the option `virtualisation.libvirtd.qemuPackage' instead.") + ]; + ###### interface options.virtualisation.libvirtd = { diff --git a/nixpkgs/nixos/modules/virtualisation/lxc.nix b/nixpkgs/nixos/modules/virtualisation/lxc.nix index 9b5adaf0824..f484d5ee59a 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxc.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxc.nix @@ -58,7 +58,7 @@ in '' This is the config file for managing unprivileged user network administration access in LXC. See <citerefentry> - <refentrytitle>lxc-user-net</refentrytitle><manvolnum>5</manvolnum> + <refentrytitle>lxc-usernet</refentrytitle><manvolnum>5</manvolnum> </citerefentry>. ''; }; diff --git a/nixpkgs/nixos/modules/virtualisation/lxd.nix b/nixpkgs/nixos/modules/virtualisation/lxd.nix index 505c11abd20..b4934a86cf5 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxd.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxd.nix @@ -35,6 +35,18 @@ in with nixos. ''; }; + recommendedSysctlSettings = mkOption { + type = types.bool; + default = false; + description = '' + enables various settings to avoid common pitfalls when + running containers requiring many file operations. + Fixes errors like "Too many open files" or + "neighbour: ndisc_cache: neighbor table overflow!". + See https://lxd.readthedocs.io/en/latest/production-setup/ + for details. + ''; + }; }; }; @@ -69,8 +81,11 @@ in ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd"; Type = "simple"; KillMode = "process"; # when stopping, leave the containers alone + LimitMEMLOCK = "infinity"; + LimitNOFILE = "1048576"; + LimitNPROC = "infinity"; + TasksMax = "infinity"; }; - }; users.groups.lxd.gid = config.ids.gids.lxd; @@ -79,5 +94,16 @@ in subUidRanges = [ { startUid = 1000000; count = 65536; } ]; subGidRanges = [ { startGid = 1000000; count = 65536; } ]; }; + + boot.kernel.sysctl = mkIf cfg.recommendedSysctlSettings { + "fs.inotify.max_queued_events" = 1048576; + "fs.inotify.max_user_instances" = 1048576; + "fs.inotify.max_user_watches" = 1048576; + "vm.max_map_count" = 262144; + "kernel.dmesg_restrict" = 1; + "net.ipv4.neigh.default.gc_thresh3" = 8192; + "net.ipv6.neigh.default.gc_thresh3" = 8192; + "kernel.keys.maxkeys" = 2000; + }; }; } diff --git a/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix b/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix index f418f849759..962a9059ea4 100644 --- a/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix @@ -8,6 +8,10 @@ let xf86inputvmmouse = pkgs.xorg.xf86inputvmmouse; in { + imports = [ + (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) + ]; + options.virtualisation.vmware.guest = { enable = mkEnableOption "VMWare Guest Support"; headless = mkOption { diff --git a/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix b/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix index 06d5c63476f..7f0af9901b9 100644 --- a/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix @@ -9,6 +9,11 @@ let in { + imports = [ + (mkRemovedOptionModule [ "virtualisation" "xen" "qemu" ] "You don't need this option anymore, it will work without it.") + (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) + ]; + ###### interface options = { @@ -228,26 +233,19 @@ in environment.etc = - [ { source = "${cfg.package}/etc/xen/xl.conf"; - target = "xen/xl.conf"; - } - { source = "${cfg.package}/etc/xen/scripts"; - target = "xen/scripts"; - } - { text = '' - source ${cfg.package}/etc/default/xendomains - - ${cfg.domains.extraConfig} - ''; - target = "default/xendomains"; - } - ] - ++ lib.optionals (builtins.compareVersions cfg.package.version "4.10" >= 0) [ + { + "xen/xl.conf".source = "${cfg.package}/etc/xen/xl.conf"; + "xen/scripts".source = "${cfg.package}/etc/xen/scripts"; + "default/xendomains".text = '' + source ${cfg.package}/etc/default/xendomains + + ${cfg.domains.extraConfig} + ''; + } + // optionalAttrs (builtins.compareVersions cfg.package.version "4.10" >= 0) { # in V 4.10 oxenstored requires /etc/xen/oxenstored.conf to start - { source = "${cfg.package}/etc/xen/oxenstored.conf"; - target = "xen/oxenstored.conf"; - } - ]; + "xen/oxenstored.conf".source = "${cfg.package}/etc/xen/oxenstored.conf"; + }; # Xen provides udev rules. services.udev.packages = [ cfg.package ]; |