diff options
| author | Vladimír Čunát <vcunat@gmail.com> | 2017-08-06 10:03:25 +0200 |
|---|---|---|
| committer | Vladimír Čunát <vcunat@gmail.com> | 2017-08-06 10:03:25 +0200 |
| commit | f779df87b1aa3c7f55258bbe93fc450ffd00296a (patch) | |
| tree | 8f99b674d689f483981d4ef49643f9056732707a /nixos/modules/services | |
| parent | 8fcb0703634aae35501e0e21315fd18ae18da673 (diff) | |
| parent | e619ace733fee725da5a1b84e5cce68d610ba35e (diff) | |
| download | nixpkgs-f779df87b1aa3c7f55258bbe93fc450ffd00296a.tar nixpkgs-f779df87b1aa3c7f55258bbe93fc450ffd00296a.tar.gz nixpkgs-f779df87b1aa3c7f55258bbe93fc450ffd00296a.tar.bz2 nixpkgs-f779df87b1aa3c7f55258bbe93fc450ffd00296a.tar.lz nixpkgs-f779df87b1aa3c7f55258bbe93fc450ffd00296a.tar.xz nixpkgs-f779df87b1aa3c7f55258bbe93fc450ffd00296a.tar.zst nixpkgs-f779df87b1aa3c7f55258bbe93fc450ffd00296a.zip | |
Merge branch 'master' into staging
Let's drop i686-linux here as well.
Diffstat (limited to 'nixos/modules/services')
| -rw-r--r-- | nixos/modules/services/networking/avahi-daemon.nix | 10 | ||||
| -rw-r--r-- | nixos/modules/services/networking/nat.nix | 68 | ||||
| -rw-r--r-- | nixos/modules/services/networking/tlsdated.nix | 111 | ||||
| -rw-r--r-- | nixos/modules/services/networking/unifi.nix | 31 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/atlassian/confluence.nix | 53 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/atlassian/jira.nix | 51 | ||||
| -rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 32 | ||||
| -rw-r--r-- | nixos/modules/services/x11/desktop-managers/gnome3.nix | 2 |
8 files changed, 212 insertions, 146 deletions
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index f4d0fc822de..9ccdacb20e9 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -22,6 +22,7 @@ let ${optionalString (interfaces!=null) "allow-interfaces=${concatStringsSep "," interfaces}"} ${optionalString (domainName!=null) "domain-name=${domainName}"} allow-point-to-point=${yesNo allowPointToPoint} + ${optionalString (cacheEntriesMax!=null) "cache-entries-max=${toString cacheEntriesMax}"} [wide-area] enable-wide-area=${yesNo wideArea} @@ -166,6 +167,15 @@ in ''; }; + cacheEntriesMax = mkOption { + default = null; + type = types.nullOr types.int; + description = '' + Number of resource records to be cached per interface. Use 0 to + disable caching. Avahi daemon defaults to 4096 if not set. + ''; + }; + }; }; diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index 08ba2fdb164..366bb2ed7a8 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -48,7 +48,7 @@ let # NAT from external ports to internal ports. ${concatMapStrings (fwd: '' iptables -w -t nat -A nixos-nat-pre \ - -i ${cfg.externalInterface} -p tcp \ + -i ${cfg.externalInterface} -p ${fwd.proto} \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} '') cfg.forwardPorts} @@ -133,12 +133,19 @@ in destination = mkOption { type = types.str; example = "10.0.0.1:80"; - description = "Forward tcp connection to destination ip:port"; + description = "Forward connection to destination ip:port"; + }; + + proto = mkOption { + type = types.str; + default = "tcp"; + example = "udp"; + description = "Protocol of forwarded connection"; }; }; }); default = []; - example = [ { sourcePort = 8080; destination = "10.0.0.1:80"; } ]; + example = [ { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; } ]; description = '' List of forwarded ports from the external interface to @@ -151,38 +158,41 @@ in ###### implementation - config = mkIf config.networking.nat.enable { + config = mkMerge [ + { networking.firewall.extraCommands = mkBefore flushNat; } + (mkIf config.networking.nat.enable { - environment.systemPackages = [ pkgs.iptables ]; + environment.systemPackages = [ pkgs.iptables ]; - boot = { - kernelModules = [ "nf_nat_ftp" ]; - kernel.sysctl = { - "net.ipv4.conf.all.forwarding" = mkOverride 99 true; - "net.ipv4.conf.default.forwarding" = mkOverride 99 true; + boot = { + kernelModules = [ "nf_nat_ftp" ]; + kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = mkOverride 99 true; + "net.ipv4.conf.default.forwarding" = mkOverride 99 true; + }; }; - }; - networking.firewall = mkIf config.networking.firewall.enable { - extraCommands = mkMerge [ (mkBefore flushNat) setupNat ]; - extraStopCommands = flushNat; - }; + networking.firewall = mkIf config.networking.firewall.enable { + extraCommands = setupNat; + extraStopCommands = flushNat; + }; - systemd.services = mkIf (!config.networking.firewall.enable) { nat = { - description = "Network Address Translation"; - wantedBy = [ "network.target" ]; - after = [ "network-pre.target" "systemd-modules-load.service" ]; - path = [ pkgs.iptables ]; - unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + systemd.services = mkIf (!config.networking.firewall.enable) { nat = { + description = "Network Address Translation"; + wantedBy = [ "network.target" ]; + after = [ "network-pre.target" "systemd-modules-load.service" ]; + path = [ pkgs.iptables ]; + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; - script = flushNat + setupNat; + script = flushNat + setupNat; - postStop = flushNat; - }; }; - }; + postStop = flushNat; + }; }; + }) + ]; } diff --git a/nixos/modules/services/networking/tlsdated.nix b/nixos/modules/services/networking/tlsdated.nix deleted file mode 100644 index 757cce28760..00000000000 --- a/nixos/modules/services/networking/tlsdated.nix +++ /dev/null @@ -1,111 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - inherit (pkgs) coreutils tlsdate; - - cfg = config.services.tlsdated; -in - -{ - - ###### interface - - options = { - - services.tlsdated = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable tlsdated daemon. - ''; - }; - - extraOptions = mkOption { - type = types.string; - default = ""; - description = '' - Additional command line arguments to pass to tlsdated. - ''; - }; - - sources = mkOption { - type = types.listOf (types.submodule { - options = { - host = mkOption { - type = types.string; - description = '' - Remote hostname. - ''; - }; - port = mkOption { - type = types.int; - description = '' - Remote port. - ''; - }; - proxy = mkOption { - type = types.nullOr types.string; - default = null; - description = '' - The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed: - - http://127.0.0.1:8118 - socks4a://127.0.0.1:9050 - socks5://127.0.0.1:9050 - - The proxy support should not leak DNS requests and is suitable for use with Tor. - ''; - }; - }; - }); - default = [ - { - host = "encrypted.google.com"; - port = 443; - proxy = null; - } - ]; - description = '' - You can list one or more sources to fetch time from. - ''; - }; - - }; - - }; - - ###### implementation - - config = mkIf cfg.enable { - - # Make tools such as tlsdate available in the system path - environment.systemPackages = [ tlsdate ]; - - systemd.services.tlsdated = { - description = "tlsdated daemon"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - # XXX because pkgs.tlsdate is compiled to run as nobody:nogroup, we - # hard-code base-path to /tmp and use PrivateTmp. - ExecStart = "${tlsdate}/bin/tlsdated -f ${pkgs.writeText "tlsdated.confg" '' - base-path /tmp - - ${concatMapStrings (src: '' - source - host ${src.host} - port ${toString src.port} - proxy ${if src.proxy == null then "none" else src.proxy} - end - '') cfg.sources} - ''} ${cfg.extraOptions}"; - PrivateTmp = "yes"; - }; - }; - - }; - -} diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index a8cff638d3b..8e5f0bfc070 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -3,7 +3,12 @@ with lib; let cfg = config.services.unifi; stateDir = "/var/lib/unifi"; - cmd = "@${pkgs.jre}/bin/java java -jar ${stateDir}/lib/ace.jar"; + cmd = '' + @${pkgs.jre}/bin/java java \ + ${optionalString (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m"} \ + ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \ + -jar ${stateDir}/lib/ace.jar + ''; mountPoints = [ { what = "${pkgs.unifi}/dl"; @@ -58,6 +63,26 @@ in ''; }; + services.unifi.initialJavaHeapSize = mkOption { + type = types.nullOr types.int; + default = null; + example = 1024; + description = '' + Set the initial heap size for the JVM in MB. If this option isn't set, the + JVM will decide this value at runtime. + ''; + }; + + services.unifi.maximumJavaHeapSize = mkOption { + type = types.nullOr types.int; + default = null; + example = 4096; + description = '' + Set the maximimum heap size for the JVM in MB. If this option isn't set, the + JVM will decide this value at runtime. + ''; + }; + }; config = mkIf cfg.enable { @@ -121,8 +146,8 @@ in serviceConfig = { Type = "simple"; - ExecStart = "${cmd} start"; - ExecStop = "${cmd} stop"; + ExecStart = "${(removeSuffix "\n" cmd)} start"; + ExecStop = "${(removeSuffix "\n" cmd)} stop"; User = "unifi"; PermissionsStartOnly = true; UMask = "0077"; diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index c1d7d4ea06d..2344b9922d0 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -6,7 +6,22 @@ let cfg = config.services.confluence; - pkg = pkgs.atlassian-confluence; + pkg = pkgs.atlassian-confluence.override (optionalAttrs cfg.sso.enable { + enableSSO = cfg.sso.enable; + crowdProperties = '' + application.name ${cfg.sso.applicationName} + application.password ${cfg.sso.applicationPassword} + application.login.url ${cfg.sso.crowd}/console/ + + crowd.server.url ${cfg.sso.crowd}/services/ + crowd.base.url ${cfg.sso.crowd}/ + + session.isauthenticated session.isauthenticated + session.tokenkey session.tokenkey + session.validationinterval ${toString cfg.sso.validationInterval} + session.lastvalidation session.lastvalidation + ''; + }); in @@ -76,6 +91,42 @@ in }; }; + sso = { + enable = mkEnableOption "SSO with Atlassian Crowd"; + + crowd = mkOption { + type = types.str; + example = "http://localhost:8095/crowd"; + description = "Crowd Base URL without trailing slash"; + }; + + applicationName = mkOption { + type = types.str; + example = "jira"; + description = "Exact name of this Confluence instance in Crowd"; + }; + + applicationPassword = mkOption { + type = types.str; + description = "Application password of this Confluence instance in Crowd"; + }; + + validationInterval = mkOption { + type = types.int; + default = 2; + example = 0; + description = '' + Set to 0, if you want authentication checks to occur on each + request. Otherwise set to the number of minutes between request + to validate if the user is logged in or out of the Crowd SSO + server. Setting this value to 1 or higher will increase the + performance of Crowd's integration. + ''; + }; + }; + + + jrePackage = let jreSwitch = unfree: free: if config.nixpkgs.config.allowUnfree or false then unfree else free; in mkOption { diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index 0ab94d95eee..19b6a8d3085 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -6,7 +6,22 @@ let cfg = config.services.jira; - pkg = pkgs.atlassian-jira; + pkg = pkgs.atlassian-jira.override { + enableSSO = cfg.sso.enable; + crowdProperties = '' + application.name ${cfg.sso.applicationName} + application.password ${cfg.sso.applicationPassword} + application.login.url ${cfg.sso.crowd}/console/ + + crowd.server.url ${cfg.sso.crowd}/services/ + crowd.base.url ${cfg.sso.crowd}/ + + session.isauthenticated session.isauthenticated + session.tokenkey session.tokenkey + session.validationinterval ${toString cfg.sso.validationInterval} + session.lastvalidation session.lastvalidation + ''; + }; in @@ -82,6 +97,40 @@ in }; }; + sso = { + enable = mkEnableOption "SSO with Atlassian Crowd"; + + crowd = mkOption { + type = types.str; + example = "http://localhost:8095/crowd"; + description = "Crowd Base URL without trailing slash"; + }; + + applicationName = mkOption { + type = types.str; + example = "jira"; + description = "Exact name of this JIRA instance in Crowd"; + }; + + applicationPassword = mkOption { + type = types.str; + description = "Application password of this JIRA instance in Crowd"; + }; + + validationInterval = mkOption { + type = types.int; + default = 2; + example = 0; + description = '' + Set to 0, if you want authentication checks to occur on each + request. Otherwise set to the number of minutes between request + to validate if the user is logged in or out of the Crowd SSO + server. Setting this value to 1 or higher will increase the + performance of Crowd's integration. + ''; + }; + }; + jrePackage = let jreSwitch = unfree: free: if config.nixpkgs.config.allowUnfree or false then unfree else free; in mkOption { diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 2310912d0fd..2f691b0e9df 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -36,6 +36,11 @@ let http { include ${cfg.package}/conf/mime.types; include ${cfg.package}/conf/fastcgi.conf; + include ${cfg.package}/conf/uwsgi_params; + + ${optionalString (cfg.resolver.addresses != []) '' + resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"}; + ''} ${optionalString (cfg.recommendedOptimisation) '' # optimisation @@ -116,6 +121,7 @@ let http { include ${cfg.package}/conf/mime.types; include ${cfg.package}/conf/fastcgi.conf; + include ${cfg.package}/conf/uwsgi_params; ${cfg.httpConfig} }''} @@ -383,6 +389,32 @@ in description = "Path to DH parameters file."; }; + resolver = mkOption { + type = types.submodule { + options = { + addresses = mkOption { + type = types.listOf types.str; + default = []; + example = literalExample ''[ "[::1]" "127.0.0.1:5353" ]''; + description = "List of resolvers to use"; + }; + valid = mkOption { + type = types.str; + default = ""; + example = "30s"; + description = '' + By default, nginx caches answers using the TTL value of a response. + An optional valid parameter allows overriding it + ''; + }; + }; + }; + description = '' + Configures name servers used to resolve names of upstream servers into addresses + ''; + default = {}; + }; + virtualHosts = mkOption { type = types.attrsOf (types.submodule (import ./vhost-options.nix { inherit config lib; diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index c043884f8e0..2434aa1654a 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -176,7 +176,7 @@ in { services.xserver.updateDbusEnvironment = true; - environment.variables.GIO_EXTRA_MODULES = [ "${gnome3.dconf}/lib/gio/modules" + environment.variables.GIO_EXTRA_MODULES = [ "${lib.getLib gnome3.dconf}/lib/gio/modules" "${gnome3.glib_networking.out}/lib/gio/modules" "${gnome3.gvfs}/lib/gio/modules" ]; environment.systemPackages = gnome3.corePackages ++ cfg.sessionPath |