diff options
author | Gregor Kleen <pngwjpgh@users.noreply.github.com> | 2018-04-21 22:34:01 +0200 |
---|---|---|
committer | Gregor Kleen <pngwjpgh@users.noreply.github.com> | 2018-04-21 22:34:01 +0200 |
commit | e11cb1d2a9846d9bd71773ed113be37c9ffa7311 (patch) | |
tree | d69f7102ad7890c3df91044ec8027be01cbafa6e /nixos | |
parent | 1eea73eaa8185bd6f4fe2a0facc90652277ea399 (diff) | |
parent | 595efb966d38eb9480cf332adc0ffcb92855e685 (diff) | |
download | nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.gz nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.bz2 nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.lz nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.xz nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.zst nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.zip |
Merge branch 'master' of github.com:NixOS/nixpkgs into feat/acme/delay
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/computing/boinc/client.nix | 46 | ||||
-rw-r--r-- | nixos/modules/services/networking/nsd.nix | 135 |
2 files changed, 175 insertions, 6 deletions
diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix index e43b6bbb253..8abe3c5b8c9 100644 --- a/nixos/modules/services/computing/boinc/client.nix +++ b/nixos/modules/services/computing/boinc/client.nix @@ -6,6 +6,13 @@ let cfg = config.services.boinc; allowRemoteGuiRpcFlag = optionalString cfg.allowRemoteGuiRpc "--allow_remote_gui_rpc"; + fhsEnv = pkgs.buildFHSUserEnv { + name = "boinc-fhs-env"; + targetPkgs = pkgs': [ cfg.package ] ++ cfg.extraEnvPackages; + runScript = "/bin/boinc_client"; + }; + fhsEnvExecutable = "${fhsEnv}/bin/${fhsEnv.name}"; + in { options.services.boinc = { @@ -49,6 +56,43 @@ in See also: <link xlink:href="http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access"/> ''; }; + + extraEnvPackages = mkOption { + type = types.listOf types.package; + default = []; + example = "[ pkgs.virtualbox ]"; + description = '' + Additional packages to make available in the environment in which + BOINC will run. Common choices are: + <variablelist> + <varlistentry> + <term><varname>pkgs.virtualbox</varname></term> + <listitem><para> + The VirtualBox virtual machine framework. Required by some BOINC + projects, such as ATLAS@home. + </para></listitem> + </varlistentry> + <varlistentry> + <term><varname>pkgs.ocl-icd</varname></term> + <listitem><para> + OpenCL infrastructure library. Required by BOINC projects that + use OpenCL, in addition to a device-specific OpenCL driver. + </para></listitem> + </varlistentry> + <varlistentry> + <term><varname>pkgs.linuxPackages.nvidia_x11</varname></term> + <listitem><para> + Provides CUDA libraries. Required by BOINC projects that use + CUDA. Note that this requires an NVIDIA graphics device to be + present on the system. + </para><para> + Also provides OpenCL drivers for NVIDIA GPUs; + <varname>pkgs.ocl-icd</varname> is also needed in this case. + </para></listitem> + </varlistentry> + </variablelist> + ''; + }; }; config = mkIf cfg.enable { @@ -70,7 +114,7 @@ in chown boinc ${cfg.dataDir} ''; script = '' - ${cfg.package}/bin/boinc_client --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} + ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} ''; serviceConfig = { PermissionsStartOnly = true; # preStart must be run as root diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 4241e6fccea..0b52b1d3e30 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -250,6 +250,46 @@ let Use imports or pkgs.lib.readFile if you don't want this data in your config file. ''; }; + + dnssec = mkEnableOption "DNSSEC"; + + dnssecPolicy = { + algorithm = mkOption { + type = types.str; + default = "RSASHA256"; + description = "Which algorithm to use for DNSSEC"; + }; + keyttl = mkOption { + type = types.str; + default = "1h"; + description = "TTL for dnssec records"; + }; + coverage = mkOption { + type = types.str; + default = "1y"; + description = '' + The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. + ''; + }; + zsk = mkOption { + type = keyPolicy; + default = { keySize = 2048; + prePublish = "1w"; + postPublish = "1w"; + rollPeriod = "1mo"; + }; + description = "Key policy for zone signing keys"; + }; + ksk = mkOption { + type = keyPolicy; + default = { keySize = 4096; + prePublish = "1mo"; + postPublish = "1mo"; + rollPeriod = "0"; + }; + description = "Key policy for key signing keys"; + }; + }; maxRefreshSecs = mkOption { type = types.nullOr types.int; @@ -367,10 +407,61 @@ let and stats_noreset. ''; }; + }; + }; + keyPolicy = types.submodule { + options = { + keySize = mkOption { + type = types.int; + description = "Key size in bits"; + }; + prePublish = mkOption { + type = types.str; + description = "How long in advance to publish new keys"; + }; + postPublish = mkOption { + type = types.str; + description = "How long after deactivation to keep a key in the zone"; + }; + rollPeriod = mkOption { + type = types.str; + description = "How frequently to change keys"; + }; }; }; + dnssecZones = (filterAttrs (n: v: if v ? dnssec then v.dnssec else false) zoneConfigs); + + dnssec = length (attrNames dnssecZones) != 0; + + signZones = optionalString dnssec '' + mkdir -p ${stateDir}/dnssec + chown ${username}:${username} ${stateDir}/dnssec + chmod 0600 ${stateDir}/dnssec + + ${concatStrings (mapAttrsToList signZone dnssecZones)} + ''; + signZone = name: zone: '' + ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} + ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} + ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name} + ''; + policyFile = name: policy: pkgs.writeText "${name}.policy" '' + zone ${name} { + algorithm ${policy.algorithm}; + key-size zsk ${toString policy.zsk.keySize}; + key-size ksk ${toString policy.ksk.keySize}; + keyttl ${policy.keyttl}; + pre-publish zsk ${policy.zsk.prePublish}; + pre-publish ksk ${policy.ksk.prePublish}; + post-publish zsk ${policy.zsk.postPublish}; + post-publish ksk ${policy.ksk.postPublish}; + roll-period zsk ${policy.zsk.rollPeriod}; + roll-period ksk ${policy.ksk.rollPeriod}; + coverage ${policy.coverage}; + }; + ''; in { # options are ordered alphanumerically @@ -380,6 +471,14 @@ in bind8Stats = mkEnableOption "BIND8 like statistics"; + dnssecInterval = mkOption { + type = types.str; + default = "1h"; + description = '' + How often to check whether dnssec key rollover is required + ''; + }; + extraConfig = mkOption { type = types.str; default = ""; @@ -741,7 +840,6 @@ in }; - zones = mkOption { type = types.attrsOf zoneOptions; default = {}; @@ -785,7 +883,6 @@ in serverGroup1. ''; }; - }; config = mkIf cfg.enable { @@ -832,9 +929,9 @@ in mkdir -m 0700 -p "${stateDir}/var" cat > "${stateDir}/don't touch anything in here" << EOF - Everything in this directory except NSD's state in var is - automatically generated and will be purged and redeployed - by the nsd.service pre-start script. + Everything in this directory except NSD's state in var and dnssec + is automatically generated and will be purged and redeployed by + the nsd.service pre-start script. EOF chown ${username}:${username} -R "${stateDir}/private" @@ -848,6 +945,34 @@ in ''; }; + nixpkgs.config = mkIf dnssec { + bind.enablePython = true; + }; + + systemd.timers."nsd-dnssec" = mkIf dnssec { + description = "Automatic DNSSEC key rollover"; + + wantedBy = [ "nsd.service" ]; + + timerConfig = { + OnActiveSec = cfg.dnssecInterval; + OnUnitActiveSec = cfg.dnssecInterval; + }; + }; + + systemd.services."nsd-dnssec" = mkIf dnssec { + description = "DNSSEC key rollover"; + + wantedBy = [ "nsd.service" ]; + before = [ "nsd.service" ]; + + script = signZones; + + postStop = '' + ${pkgs.systemd}/bin/systemctl kill -s SIGHUP nsd.service + ''; + }; + }; meta.maintainers = with lib.maintainers; [ hrdinka ]; |