author | Jan Tojnar <jtojnar@gmail.com> | 2021-04-06 16:25:41 +0200 |
---|---|---|
committer | Jan Tojnar <jtojnar@gmail.com> | 2021-04-06 16:25:41 +0200 |
commit | 70babe5bcf383629a6adff3f2874d1b661462146 (patch) | |
tree | dfbbfa66d02e6ea8fd2d691defcd2307e8f9f16f /nixos/modules | |
parent | 52cd3538ff0214f0416455322cec299d2a43a436 (diff) | |
parent | c04a14edd6096a2d55d3b62ca182739dac9b7ede (diff) | |
Merge branch 'staging-next' into staging
Diffstat (limited to 'nixos/modules')
35 files changed, 277 insertions, 112 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 1da150148b2..4a2647339c5 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -591,8 +591,8 @@ in { # password or an SSH authorized key. Privileged accounts are # root and users in the wheel group. assertion = !cfg.mutableUsers -> - any id ((mapAttrsToList (name: cfg: - (name == "root" + any id ((mapAttrsToList (_: cfg: + (cfg.name == "root" || cfg.group == "wheel" || elem "wheel" cfg.extraGroups) && @@ -613,16 +613,16 @@ in { assertion = (user.hashedPassword != null) -> (builtins.match ".*:.*" user.hashedPassword == null); message = '' - The password hash of user "${name}" contains a ":" character. + The password hash of user "${user.name}" contains a ":" character. This is invalid and would break the login system because the fields of /etc/shadow (file where hashes are stored) are colon-separated. - Please check the value of option `users.users."${name}".hashedPassword`.''; + Please check the value of option `users.users."${user.name}".hashedPassword`.''; } ); warnings = builtins.filter (x: x != null) ( - flip mapAttrsToList cfg.users (name: user: + flip mapAttrsToList cfg.users (_: user: # This regex matches a subset of the Modular Crypto Format (MCF)[1] # informal standard. Since this depends largely on the OS or the # specific implementation of crypt(3) we only support the (sane) @@ -645,9 +645,9 @@ in { && user.hashedPassword != "" # login without password && builtins.match mcf user.hashedPassword == null) then '' - The password hash of user "${name}" may be invalid. You must set a + The password hash of user "${user.name}" may be invalid. You must set a valid hash or the user will be locked out of their account. Please - check the value of option `users.users."${name}".hashedPassword`.'' + check the value of option `users.users."${user.name}".hashedPassword`.'' else null )); 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 9b722a576ce..a4f1ad5b470 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -126,6 +126,7 @@ ./programs/dconf.nix ./programs/digitalbitbox/default.nix ./programs/dmrconfig.nix + ./programs/droidcam.nix ./programs/environment.nix ./programs/evince.nix ./programs/file-roller.nix @@ -233,6 +234,7 @@ ./services/audio/alsa.nix ./services/audio/jack.nix ./services/audio/icecast.nix + ./services/audio/jmusicbot.nix ./services/audio/liquidsoap.nix ./services/audio/mpd.nix ./services/audio/mpdscribble.nix diff --git a/nixos/modules/programs/droidcam.nix b/nixos/modules/programs/droidcam.nix new file mode 100644 index 00000000000..9843a1f5be2 --- /dev/null +++ b/nixos/modules/programs/droidcam.nix @@ -0,0 +1,16 @@ +{ lib, pkgs, config, ... }: + +with lib; + +{ + options.programs.droidcam = { + enable = mkEnableOption "DroidCam client"; + }; + + config = lib.mkIf config.programs.droidcam.enable { + environment.systemPackages = [ pkgs.droidcam ]; + + boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; + boot.kernelModules = [ "v4l2loopback" "snd-aloop" ]; + }; +} diff --git a/nixos/modules/programs/mininet.nix b/nixos/modules/programs/mininet.nix index ecc924325e6..6e90e7669ac 100644 --- a/nixos/modules/programs/mininet.nix +++ b/nixos/modules/programs/mininet.nix @@ -8,7 +8,7 @@ let cfg = config.programs.mininet; generatedPath = with pkgs; makeSearchPath "bin" [ - iperf ethtool iproute socat + iperf ethtool iproute2 socat ]; pyEnv = pkgs.python.withPackages(ps: [ ps.mininet-python ]); diff --git a/nixos/modules/services/audio/jmusicbot.nix b/nixos/modules/services/audio/jmusicbot.nix new file mode 100644 index 00000000000..f573bd2ab8d --- /dev/null +++ b/nixos/modules/services/audio/jmusicbot.nix 
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.jmusicbot; +in +{ + options = { + services.jmusicbot = { + enable = mkEnableOption "jmusicbot, a Discord music bot that's easy to set up and run yourself"; + + stateDir = mkOption { + type = types.path; + description = '' + The directory where config.txt and serversettings.json is saved. + If left as the default value this directory will automatically be created before JMusicBot starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions. + Untouched by the value of this option config.txt needs to be placed manually into this directory. + ''; + default = "/var/lib/jmusicbot/"; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.jmusicbot = { + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + description = "Discord music bot that's easy to set up and run yourself!"; + serviceConfig = mkMerge [{ + ExecStart = "${pkgs.jmusicbot}/bin/JMusicBot"; + WorkingDirectory = cfg.stateDir; + Restart = "always"; + RestartSec = 20; + DynamicUser = true; + } + (mkIf (cfg.stateDir == "/var/lib/jmusicbot") { StateDirectory = "jmusicbot"; })]; + }; + }; + + meta.maintainers = with maintainers; [ SuperSandro2000 ]; +} diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index 29e5fbaee6b..e5a01a8a27d 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -30,7 +30,7 @@ let }; backends = [ pkg netConf ] ++ optional config.services.saned.enable sanedConf ++ config.hardware.sane.extraBackends; - saneConfig = pkgs.mkSaneConfig { paths = backends; }; + saneConfig = pkgs.mkSaneConfig { paths = backends; inherit (config.hardware.sane) disabledDefaultBackends; }; enabled = config.hardware.sane.enable || config.services.saned.enable; 
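Review bot: In the new jmusicbot module the `stateDir` default is `"/var/lib/jmusicbot/"` with a trailing slash, while the `mkIf` that adds `StateDirectory` compares against `"/var/lib/jmusicbot"` without one. Unless `types.path` normalises the value, the default configuration never gets `StateDirectory = "jmusicbot"`, and with `DynamicUser = true` nothing else visible here creates the `WorkingDirectory`. Use one literal in both places, e.g. `default = "/var/lib/jmusicbot";`. The description says config.txt must be placed in the directory by hand; that file presumably holds the bot's Discord credentials, so the text should also state the owner and mode expected for a custom directory.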
@@ -73,6 +73,16 @@ in example = literalExample "[ pkgs.hplipWithPlugin ]"; }; + hardware.sane.disabledDefaultBackends = mkOption { + type = types.listOf types.str; + default = []; + example = [ "v4l" ]; + description = '' + Names of backends which are enabled by default but should be disabled. + See <literal>$SANE_CONFIG_DIR/dll.conf</literal> for the list of possible names. + ''; + }; + hardware.sane.configDir = mkOption { type = types.str; internal = true; diff --git a/nixos/modules/services/logging/vector.nix b/nixos/modules/services/logging/vector.nix index a7c54ad75fd..be36b2a41bb 100644 --- a/nixos/modules/services/logging/vector.nix +++ b/nixos/modules/services/logging/vector.nix @@ -3,7 +3,8 @@ with lib; let cfg = config.services.vector; -in { +in +{ options.services.vector = { enable = mkEnableOption "Vector"; 
@@ -37,25 +38,27 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; requires = [ "network-online.target" ]; - serviceConfig = let - format = pkgs.formats.toml { }; - conf = format.generate "vector.toml" cfg.settings; - validateConfig = file: - pkgs.runCommand "validate-vector-conf" { } '' - ${pkgs.vector}/bin/vector validate --no-topology --no-environment "${file}" - ln -s "${file}" "$out" - ''; - in { - ExecStart = "${pkgs.vector}/bin/vector --config ${validateConfig conf}"; - User = "vector"; - Group = "vector"; - Restart = "no"; - StateDirectory = "vector"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - AmbientCapabilities = "CAP_NET_BIND_SERVICE"; - # This group is required for accessing journald. - SupplementaryGroups = mkIf cfg.journaldAccess "systemd-journal"; - }; + serviceConfig = + let + format = pkgs.formats.toml { }; + conf = format.generate "vector.toml" cfg.settings; + validateConfig = file: + pkgs.runCommand "validate-vector-conf" { } '' + ${pkgs.vector}/bin/vector validate --no-environment "${file}" + ln -s "${file}" "$out" + ''; + in + { + ExecStart = "${pkgs.vector}/bin/vector --config ${validateConfig conf}"; + User = "vector"; + Group = "vector"; + Restart = "no"; + StateDirectory = "vector"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + # This group is required for accessing journald. + SupplementaryGroups = mkIf cfg.journaldAccess "systemd-journal"; + }; }; }; } diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 35a6e299630..31b6afb499e 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -63,7 +63,7 @@ let }; in { - meta.maintainers = with maintainers; [ dotlambda ]; + meta.maintainers = with maintainers; [ ]; options.services.home-assistant = { enable = mkEnableOption "Home Assistant"; 
diff --git a/nixos/modules/services/misc/mame.nix b/nixos/modules/services/misc/mame.nix index c5d5e9e4837..34a471ea4fe 100644 --- a/nixos/modules/services/misc/mame.nix +++ b/nixos/modules/services/misc/mame.nix @@ -53,7 +53,7 @@ in description = "MAME TUN/TAP Ethernet interface"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; diff --git a/nixos/modules/services/misc/packagekit.nix b/nixos/modules/services/misc/packagekit.nix index 325c4e84e0d..93bd206bd98 100644 --- a/nixos/modules/services/misc/packagekit.nix +++ b/nixos/modules/services/misc/packagekit.nix 
@@ -1,55 +1,60 @@ { config, lib, pkgs, ... }: -with lib; - let - cfg = config.services.packagekit; - packagekitConf = '' - [Daemon] - DefaultBackend=${cfg.backend} - KeepCache=false - ''; + inherit (lib) + mkEnableOption mkOption mkIf mkRemovedOptionModule types + listToAttrs recursiveUpdate; - vendorConf = '' - [PackagesNotFound] - DefaultUrl=https://github.com/NixOS/nixpkgs - CodecUrl=https://github.com/NixOS/nixpkgs - HardwareUrl=https://github.com/NixOS/nixpkgs - FontUrl=https://github.com/NixOS/nixpkgs - MimeUrl=https://github.com/NixOS/nixpkgs - ''; + iniFmt = pkgs.formats.ini { }; -in + confFiles = [ + (iniFmt.generate "PackageKit.conf" (recursiveUpdate + { + Daemon = { + DefaultBackend = "test_nop"; + KeepCache = false; + }; + } + cfg.settings)) + (iniFmt.generate "Vendor.conf" (recursiveUpdate + { + PackagesNotFound = rec { + DefaultUrl = "https://github.com/NixOS/nixpkgs"; + CodecUrl = DefaultUrl; + HardwareUrl = DefaultUrl; + FontUrl = DefaultUrl; + MimeUrl = DefaultUrl; + }; + } + cfg.vendorSettings)) + ]; + +in { + imports = [ + (mkRemovedOptionModule [ "services" "packagekit" "backend" ] "The only backend that doesn't blow up is `test_nop`.") + ]; - options = { + options.services.packagekit = { + enable = mkEnableOption '' + PackageKit provides a cross-platform D-Bus abstraction layer for + installing software. Software utilizing PackageKit can install + software regardless of the package manager. + ''; - services.packagekit = { - enable = mkEnableOption - '' - PackageKit provides a cross-platform D-Bus abstraction layer for - installing software. Software utilizing PackageKit can install - software regardless of the package manager. 
- ''; + settings = mkOption { + type = iniFmt.type; + default = { }; + description = "Additional settings passed straight through to PackageKit.conf"; + }; - # TODO: integrate with PolicyKit if the nix backend matures to the point - # where it will require elevated permissions - backend = mkOption { - type = types.enum [ "test_nop" ]; - default = "test_nop"; - description = '' - PackageKit supports multiple different backends and <literal>auto</literal> which - should do the right thing. - </para> - <para> - On NixOS however, we do not have a backend compatible with nix 2.0 - (refer to <link xlink:href="https://github.com/NixOS/nix/issues/233">this issue</link> so we have to force - it to <literal>test_nop</literal> for now. - ''; - }; + vendorSettings = mkOption { + type = iniFmt.type; + default = { }; + description = "Additional settings passed straight through to Vendor.conf"; }; }; @@ -59,7 +64,9 @@ in systemd.packages = with pkgs; [ packagekit ]; - environment.etc."PackageKit/PackageKit.conf".text = packagekitConf; - environment.etc."PackageKit/Vendor.conf".text = vendorConf; + environment.etc = listToAttrs (map + (e: + lib.nameValuePair "PackageKit/${e.name}" { source = e; }) + confFiles); }; } diff --git a/nixos/modules/services/monitoring/datadog-agent.nix b/nixos/modules/services/monitoring/datadog-agent.nix index d97565f15d6..b25a53435d0 100644 --- a/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixos/modules/services/monitoring/datadog-agent.nix @@ -225,7 +225,7 @@ in { }; }; config = mkIf cfg.enable { - environment.systemPackages = [ datadogPkg pkgs.sysstat pkgs.procps pkgs.iproute ]; + environment.systemPackages = [ datadogPkg pkgs.sysstat pkgs.procps pkgs.iproute2 ]; users.users.datadog = { description = "Datadog Agent User"; 
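Review bot: In packagekit.nix `cfg.settings` is merged over the built-in defaults with `recursiveUpdate`, so `settings.Daemon.DefaultBackend` can still select another backend even though the `backend` option is removed with the message that only `test_nop` works. The `settings` and `vendorSettings` descriptions should say that user values override the defaults and name the keys that are pre-set, for example `Additional settings merged over the defaults (Daemon.DefaultBackend = "test_nop", Daemon.KeepCache = false) and written to PackageKit.conf`. `types` is inherited from `lib` but is not used in the lines visible here.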
@@ -239,7 +239,7 @@ in { systemd.services = let makeService = attrs: recursiveUpdate { - path = [ datadogPkg pkgs.python pkgs.sysstat pkgs.procps pkgs.iproute ]; + path = [ datadogPkg pkgs.python pkgs.sysstat pkgs.procps pkgs.iproute2 ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { User = "datadog"; diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 0b65b4865b1..e0c5ceccfcc 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -25,6 +25,7 @@ let "artifactory" "bind" "bird" + "bitcoin" "blackbox" "collectd" "dnsmasq" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix b/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix new file mode 100644 index 00000000000..43721f70b49 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix 
@@ -0,0 +1,82 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.bitcoin; +in +{ + port = 9332; + extraOpts = { + rpcUser = mkOption { + type = types.str; + default = "bitcoinrpc"; + description = '' + RPC user name. + ''; + }; + + rpcPasswordFile = mkOption { + type = types.path; + description = '' + File containing RPC password. + ''; + }; + + rpcScheme = mkOption { + type = types.enum [ "http" "https" ]; + default = "http"; + description = '' + Whether to connect to bitcoind over http or https. + ''; + }; + + rpcHost = mkOption { + type = types.str; + default = "localhost"; + description = '' + RPC host. + ''; + }; + + rpcPort = mkOption { + type = types.port; + default = 8332; + description = '' + RPC port number. + ''; + }; + + refreshSeconds = mkOption { + type = types.ints.unsigned; + default = 300; + description = '' + How often to ask bitcoind for metrics. + ''; + }; + + extraEnv = mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + Extra environment variables for the exporter. + ''; + }; + }; + serviceOpts = { + script = '' + export BITCOIN_RPC_PASSWORD=$(cat ${cfg.rpcPasswordFile}) + exec ${pkgs.prometheus-bitcoin-exporter}/bin/bitcoind-monitor.py + ''; + + environment = { + BITCOIN_RPC_USER = cfg.rpcUser; + BITCOIN_RPC_SCHEME = cfg.rpcScheme; + BITCOIN_RPC_HOST = cfg.rpcHost; + BITCOIN_RPC_PORT = toString cfg.rpcPort; + METRICS_ADDR = cfg.listenAddress; + METRICS_PORT = toString cfg.port; + REFRESH_SECONDS = toString cfg.refreshSeconds; + } // cfg.extraEnv; + }; +} diff --git a/nixos/modules/services/monitoring/scollector.nix b/nixos/modules/services/monitoring/scollector.nix index 6f13ce889cb..ef535585e9b 100644 --- a/nixos/modules/services/monitoring/scollector.nix +++ b/nixos/modules/services/monitoring/scollector.nix 
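Review bot: In the bitcoin exporter `rpcPasswordFile` is typed `types.path` and interpolated unquoted in `$(cat ${cfg.rpcPasswordFile})`, so a Nix path literal would be copied into the world-readable store and a path containing whitespace would be word-split. `export VAR=$(cat …)` also hides a failing `cat`, so the exporter would start with an empty password; suggest `BITCOIN_RPC_PASSWORD="$(cat ${escapeShellArg cfg.rpcPasswordFile})"` followed by `export BITCOIN_RPC_PASSWORD`, and a description that asks for a string path outside the store. `extraEnv` is merged last with `//`, so it can silently override the `BITCOIN_RPC_*` values and whatever is put there ends up in the generated unit; its description should warn against placing the password in it. Since `rpcScheme` defaults to `http`, the `rpcHost` description could note that a non-local host receives the RPC credentials unencrypted.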
@@ -113,7 +113,7 @@ in { description = "scollector metrics collector (part of Bosun)"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.coreutils pkgs.iproute ]; + path = [ pkgs.coreutils pkgs.iproute2 ]; serviceConfig = { User = cfg.user; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index bfaea4e167c..ae7998913ee 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -191,7 +191,7 @@ in ExecStop = "${cfg.package}/bin/consul leave"; }); - path = with pkgs; [ iproute gnugrep gawk consul ]; + path = with pkgs; [ iproute2 gnugrep gawk consul ]; preStart = '' mkdir -m 0700 -p ${dataDir} chown -R consul ${dataDir} diff --git a/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixos/modules/services/networking/ircd-hybrid/default.nix index 0781159b6ee..1f5636e4e3a 100644 --- a/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -10,7 +10,7 @@ let name = "ircd-hybrid-service"; scripts = [ "=>/bin" ./control.in ]; substFiles = [ "=>/conf" ./ircd.conf ]; - inherit (pkgs) ircdHybrid coreutils su iproute gnugrep procps; + inherit (pkgs) ircdHybrid coreutils su iproute2 gnugrep procps; ipv6Enabled = boolToString config.networking.enableIPv6; diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 280158b89f6..7a25769e067 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -85,7 +85,7 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.libreswan pkgs.iproute ]; + environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; 
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 2e680544ec2..119bd09e2fd 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -465,7 +465,7 @@ in { restartTriggers = [ configFile overrideNameserversScript ]; # useful binaries for user-specified hooks - path = [ pkgs.iproute pkgs.util-linux pkgs.coreutils ]; + path = [ pkgs.iproute2 pkgs.util-linux pkgs.coreutils ]; aliases = [ "dbus-org.freedesktop.nm-dispatcher.service" ]; }; diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix index 650f9c84ac7..b4c2c944b6e 100644 --- a/nixos/modules/services/networking/openvpn.nix +++ b/nixos/modules/services/networking/openvpn.nix @@ -63,7 +63,7 @@ let wantedBy = optional cfg.autoStart "multi-user.target"; after = [ "network.target" ]; - path = [ pkgs.iptables pkgs.iproute pkgs.nettools ]; + path = [ pkgs.iptables pkgs.iproute2 pkgs.nettools ]; serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --suppress-timestamps --config ${configFile}"; serviceConfig.Restart = "always"; diff --git a/nixos/modules/services/networking/sslh.nix b/nixos/modules/services/networking/sslh.nix index 4c2740d2019..abe96f60f81 100644 --- a/nixos/modules/services/networking/sslh.nix +++ b/nixos/modules/services/networking/sslh.nix @@ -132,7 +132,7 @@ in { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; } ]; in { - path = [ pkgs.iptables pkgs.iproute pkgs.procps ]; + path = [ pkgs.iptables pkgs.iproute2 pkgs.procps ]; preStart = '' # Cleanup old iptables entries which might be still there diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix index f67eedac296..6e619f22546 100644 
--- a/nixos/modules/services/networking/strongswan-swanctl/module.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix @@ -63,7 +63,7 @@ in { description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl"; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; - path = with pkgs; [ kmod iproute iptables util-linux ]; + path = with pkgs; [ kmod iproute2 iptables util-linux ]; environment = { STRONGSWAN_CONF = pkgs.writeTextFile { name = "strongswan.conf"; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index f6170b81365..401f7be4028 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -152,7 +152,7 @@ in systemd.services.strongswan = { description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ kmod iproute iptables util-linux ]; # XXX Linux + path = with pkgs; [ kmod iproute2 iptables util-linux ]; # XXX Linux after = [ "network-online.target" ]; environment = { STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 9f76f7f7cd0..34c86934535 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -63,7 +63,7 @@ let preSetup = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns add foo + ${pkgs.iproute2}/bin/ip netns add foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; 
@@ -278,7 +278,7 @@ let wantedBy = [ "multi-user.target" "wireguard-${interfaceName}.service" ]; environment.DEVICE = interfaceName; environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"; - path = with pkgs; [ iproute wireguard-tools ]; + path = with pkgs; [ iproute2 wireguard-tools ]; serviceConfig = { Type = "oneshot"; @@ -333,7 +333,7 @@ let after = [ "network.target" "network-online.target" ]; wantedBy = [ "multi-user.target" ]; environment.DEVICE = name; - path = with pkgs; [ kmod iproute wireguard-tools ]; + path = with pkgs; [ kmod iproute2 wireguard-tools ]; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index cf0d72d5c53..b901b19cf31 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -243,7 +243,7 @@ in restartTriggers = [ fail2banConf jailConf pathsConf ]; reloadIfChanged = true; - path = [ cfg.package cfg.packageFirewall pkgs.iproute ]; + path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ]; unitConfig.Documentation = "man:fail2ban(1)"; diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 72de11a9254..033ff5ef4b5 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -108,8 +108,8 @@ in { partOf = optional config.networking.firewall.enable "firewall.service"; path = with pkgs; if config.networking.nftables.enable - then [ nftables iproute systemd ] - else [ iptables ipset iproute systemd ]; + then [ nftables iproute2 systemd ] + else [ iptables ipset iproute2 systemd ]; # The sshguard ipsets must exist before we invoke # iptables. sshguard creates the ipsets after startup if diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 03c70102c8c..d4ae4c93468 100644 --- a/nixos/modules/system/boot/systemd.nix 
+++ b/nixos/modules/system/boot/systemd.nix @@ -1188,9 +1188,12 @@ in systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container"; systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container"; - boot.kernel.sysctl = mkIf (!cfg.coredump.enable) { - "kernel.core_pattern" = "core"; - }; + boot.kernel.sysctl."kernel.core_pattern" = mkIf (!cfg.coredump.enable) "core"; + + # Increase numeric PID range (set directly instead of copying a one-line file from systemd) + # https://github.com/systemd/systemd/pull/12226 + boot.kernel.sysctl."kernel.pid_max" = mkIf pkgs.stdenv.is64bit (lib.mkDefault 4194304); + boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0"; }; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 9ba6ccfbe71..11bd159319a 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -101,7 +101,7 @@ let unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; serviceConfig = { Type = "oneshot"; @@ -185,7 +185,7 @@ let # Restart rather than stop+start this unit to prevent the # network from dying during switch-to-configuration. stopIfChanged = false; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; script = '' state="/run/nixos/network/addresses/${i.name}" @@ -258,7 +258,7 @@ let wantedBy = [ "network-setup.service" (subsystemDevice i.name) ]; partOf = [ "network-setup.service" ]; before = [ "network-setup.service" ]; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; 
@@ -284,7 +284,7 @@ let before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; script = '' # Remove Dead Interfaces echo "Removing old bridge ${n}..." @@ -372,7 +372,7 @@ let wants = deps; # if one or more interface fails, the switch should continue to run serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - path = [ pkgs.iproute config.virtualisation.vswitch.package ]; + path = [ pkgs.iproute2 config.virtualisation.vswitch.package ]; preStart = '' echo "Resetting Open vSwitch ${n}..." ovs-vsctl --if-exists del-br ${n} -- add-br ${n} \ @@ -413,7 +413,7 @@ let before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - path = [ pkgs.iproute pkgs.gawk ]; + path = [ pkgs.iproute2 pkgs.gawk ]; script = '' echo "Destroying old bond ${n}..." ${destroyBond n} @@ -451,7 +451,7 @@ let before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; script = '' # Remove Dead Interfaces ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}" @@ -476,7 +476,7 @@ let before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; script = '' # Remove Dead Interfaces ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}" @@ -504,7 +504,7 @@ let before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; script = '' # Remove Dead Interfaces ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}" diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 23e1e611a71..1c145e8ff47 100644 
--- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -259,7 +259,7 @@ in wants = deps; # if one or more interface fails, the switch should continue to run serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - path = [ pkgs.iproute config.virtualisation.vswitch.package ]; + path = [ pkgs.iproute2 config.virtualisation.vswitch.package ]; preStart = '' echo "Resetting Open vSwitch ${n}..." ovs-vsctl --if-exists del-br ${n} -- add-br ${n} \ diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f730ec82bdf..b5d97849658 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1171,7 +1171,7 @@ in wantedBy = [ "network.target" ]; after = [ "network-pre.target" ]; unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; script = '' @@ -1249,7 +1249,7 @@ in ${optionalString (current.type == "mesh" && current.meshID!=null) "${pkgs.iw}/bin/iw dev ${device} set meshid ${current.meshID}"} ${optionalString (current.type == "monitor" && current.flags!=null) "${pkgs.iw}/bin/iw dev ${device} set monitor ${current.flags}"} ${optionalString (current.type == "managed" && current.fourAddr!=null) "${pkgs.iw}/bin/iw dev ${device} set 4addr ${if current.fourAddr then "on" else "off"}"} - ${optionalString (current.mac != null) "${pkgs.iproute}/bin/ip link set dev ${device} address ${current.mac}"} + ${optionalString (current.mac != null) "${pkgs.iproute2}/bin/ip link set dev ${device} address ${current.mac}"} ''; # Udev script to execute for a new WLAN interface. The script configures the new WLAN interface. 
@@ -1260,7 +1260,7 @@ in ${optionalString (new.type == "mesh" && new.meshID!=null) "${pkgs.iw}/bin/iw dev ${device} set meshid ${new.meshID}"} ${optionalString (new.type == "monitor" && new.flags!=null) "${pkgs.iw}/bin/iw dev ${device} set monitor ${new.flags}"} ${optionalString (new.type == "managed" && new.fourAddr!=null) "${pkgs.iw}/bin/iw dev ${device} set 4addr ${if new.fourAddr then "on" else "off"}"} - ${optionalString (new.mac != null) "${pkgs.iproute}/bin/ip link set dev ${device} address ${new.mac}"} + ${optionalString (new.mac != null) "${pkgs.iproute2}/bin/ip link set dev ${device} address ${new.mac}"} ''; # Udev attributes for systemd to name the device and to create a .device target. diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix index 4498e3a7361..9641b693f18 100644 --- a/nixos/modules/virtualisation/brightbox-image.nix +++ b/nixos/modules/virtualisation/brightbox-image.nix @@ -119,7 +119,7 @@ in wants = [ "network-online.target" ]; after = [ "network-online.target" ]; - path = [ pkgs.wget pkgs.iproute ]; + path = [ pkgs.wget pkgs.iproute2 ]; script = '' diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index 62912535018..1b764e7e4d8 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -19,7 +19,7 @@ with lib; wantedBy = [ "multi-user.target" "sshd.service" ]; before = [ "sshd.service" ]; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; script = '' diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index b6b1ffa3958..cff48d20b2b 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix 
@@ -110,7 +110,7 @@ in systemd.services.google-network-daemon = { description = "Google Compute Engine Network Daemon"; after = [ "network-online.target" "network.target" "google-instance-setup.service" ]; - path = with pkgs; [ iproute ]; + path = with pkgs; [ iproute2 ]; serviceConfig = { ExecStart = "${gce}/bin/google_network_daemon"; StandardOutput="journal+console"; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index a853917a6de..f15d5875841 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -739,7 +739,7 @@ in unitConfig.RequiresMountsFor = "/var/lib/containers/%i"; - path = [ pkgs.iproute ]; + path = [ pkgs.iproute2 ]; environment = { root = "/var/lib/containers/%i"; diff --git a/nixos/modules/virtualisation/xe-guest-utilities.nix b/nixos/modules/virtualisation/xe-guest-utilities.nix index 675cf929737..25ccbaebc07 100644 --- a/nixos/modules/virtualisation/xe-guest-utilities.nix +++ b/nixos/modules/virtualisation/xe-guest-utilities.nix @@ -17,7 +17,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "xe-linux-distribution.service" ]; requires = [ "proc-xen.mount" ]; - path = [ pkgs.coreutils pkgs.iproute ]; + path = [ pkgs.coreutils pkgs.iproute2 ]; serviceConfig = { PIDFile = "/run/xe-daemon.pid"; ExecStart = "${pkgs.xe-guest-utilities}/bin/xe-daemon -p /run/xe-daemon.pid"; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index b649d64be3c..fea43727f2f 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -245,7 +245,7 @@ in # Xen provides udev rules. services.udev.packages = [ cfg.package ]; - services.udev.path = [ pkgs.bridge-utils pkgs.iproute ]; + services.udev.path = [ pkgs.bridge-utils pkgs.iproute2 ]; systemd.services.xen-store = { description = "Xen Store Daemon"; |