diff options
| author | Shea Levy <shea@shealevy.com> | 2018-03-28 09:36:47 -0400 |
|---|---|---|
| committer | Shea Levy <shea@shealevy.com> | 2018-03-28 09:36:47 -0400 |
| commit | 05e375d7103ac51e2da917965c37246c99f1ae4f (patch) | |
| tree | 7ec4e9a2f5b7b1e2dea7c3e059f5b40e1dac1569 /nixos | |
| parent | 335934a073d6024d54c71bf82d5f8baab13abe75 (diff) | |
| parent | c7d7abc51e5f9b9c7481a83c47b37508bf08b05b (diff) | |
| download | nixpkgs-05e375d7103ac51e2da917965c37246c99f1ae4f.tar nixpkgs-05e375d7103ac51e2da917965c37246c99f1ae4f.tar.gz nixpkgs-05e375d7103ac51e2da917965c37246c99f1ae4f.tar.bz2 nixpkgs-05e375d7103ac51e2da917965c37246c99f1ae4f.tar.lz nixpkgs-05e375d7103ac51e2da917965c37246c99f1ae4f.tar.xz nixpkgs-05e375d7103ac51e2da917965c37246c99f1ae4f.tar.zst nixpkgs-05e375d7103ac51e2da917965c37246c99f1ae4f.zip | |
Merge remote-tracking branch 'origin/master' into staging
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/hardware/video/nvidia.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/misc/ids.nix | 4 | ||||
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/backup/almir.nix | 173 | ||||
| -rw-r--r-- | nixos/modules/services/backup/tarsnap.nix | 67 | ||||
| -rw-r--r-- | nixos/modules/services/security/tor.nix | 17 | ||||
| -rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/per-server-options.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/system/boot/kexec.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/system/boot/systemd.nix | 15 | ||||
| -rw-r--r-- | nixos/tests/atd.nix | 6 |
10 files changed, 94 insertions, 195 deletions
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 4a7d6da286b..eb195228033 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -16,8 +16,6 @@ let kernelPackages.nvidia_x11 else if elem "nvidiaBeta" drivers then kernelPackages.nvidia_x11_beta - else if elem "nvidiaLegacy173" drivers then - kernelPackages.nvidia_x11_legacy173 else if elem "nvidiaLegacy304" drivers then kernelPackages.nvidia_x11_legacy304 else if elem "nvidiaLegacy340" drivers then diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 39a24cfecc5..c5dee2ca97a 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -106,7 +106,7 @@ freenet = 79; ircd = 80; bacula = 81; - almir = 82; + #almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08 deluge = 83; mysql = 84; rabbitmq = 85; @@ -393,7 +393,7 @@ freenet = 79; ircd = 80; bacula = 81; - almir = 82; + #almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08 deluge = 83; mysql = 84; rabbitmq = 85; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index d47600fbc61..9e232ce1f4e 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -158,7 +158,6 @@ ./services/audio/slimserver.nix ./services/audio/squeezelite.nix ./services/audio/ympd.nix - ./services/backup/almir.nix ./services/backup/bacula.nix ./services/backup/borgbackup.nix ./services/backup/crashplan.nix diff --git a/nixos/modules/services/backup/almir.nix b/nixos/modules/services/backup/almir.nix deleted file mode 100644 index fbb4ff4034f..00000000000 --- a/nixos/modules/services/backup/almir.nix +++ /dev/null @@ -1,173 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.almir; - - bconsoleconf = pkgs.writeText "bconsole.conf" - '' - Director { - Name = ${cfg.director_name} - DIRport = ${toString cfg.director_port} - address = ${cfg.director_address} - Password = "${cfg.director_password}" - } - ''; - - productionini = pkgs.writeText "production.ini" - '' -[app:main] -use = egg:almir - -pyramid.reload_templates = false -pyramid.debug_authorization = false -pyramid.debug_notfound = false -pyramid.debug_routematch = false -pyramid.debug_templates = false -pyramid.default_locale_name = en -pyramid.includes = - pyramid_exclog -exclog.extra_info = true - -sqlalchemy.url = ${cfg.sqlalchemy_engine_url} -timezone = ${cfg.timezone} -bconsole_config = ${bconsoleconf} - -[server:main] -use = egg:waitress#main -host = 127.0.0.1 -port = ${toString cfg.port} - - -# Begin logging configuration - -[loggers] -keys = root, almir, sqlalchemy, exc_logger - -[handlers] -keys = console - -[formatters] -keys = generic - -[logger_root] -level = WARN -handlers = console - -[logger_almir] -level = WARN -handlers = -qualname = almir - -[logger_exc_logger] -level = ERROR -handlers = -qualname = exc_logger - -[logger_sqlalchemy] -level = WARN -handlers = -qualname = sqlalchemy.engine -# "level = INFO" logs SQL queries. -# "level = DEBUG" logs SQL queries and results. -# "level = WARN" logs neither. (Recommended for production systems.) - -[handler_console] -class = StreamHandler -args = (sys.stderr,) -level = NOTSET -formatter = generic - -[formatter_generic] -format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s - ''; -in { - options = { - services.almir = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable Almir web server. Also configures postgresql database and installs bacula. - ''; - }; - - port = mkOption { - default = 35000; - type = types.int; - description = '' - Port for Almir web server to listen on. - ''; - }; - - timezone = mkOption { - description = '' - Timezone as specified in https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - ''; - example = "Europe/Ljubljana"; - }; - - sqlalchemy_engine_url = mkOption { - default = "postgresql:///bacula"; - example = '' - postgresql://bacula:bacula@localhost:5432/bacula - mysql+mysqlconnector://<user>:<password>@<hostname>/<database>' - sqlite:////var/lib/bacula/bacula.db' - ''; - description = '' - Define SQL database connection to bacula catalog as specified in http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls - ''; - }; - - director_name = mkOption { - description = '' - Name of the Director to connect with bconsole. - ''; - }; - - director_password = mkOption { - description = '' - Password for Director to connect with bconsole. - ''; - }; - - director_port = mkOption { - default = 9101; - type = types.int; - description = '' - Port for Director to connect with bconsole. - ''; - }; - - director_address = mkOption { - default = "127.0.0.1"; - description = '' - IP/Hostname for Director to connect with bconsole. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.almir = { - after = [ "network.target" "postgresql.service" ]; - description = "Almir web app"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.pythonPackages.almir ]; - environment.PYTHONPATH = "${pkgs.pythonPackages.almir}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages"; - serviceConfig.ExecStart = "${pkgs.pythonPackages.pyramid}/bin/pserve ${productionini}"; - }; - - environment.systemPackages = [ pkgs.pythonPackages.almir ]; - - users.extraUsers.almir = { - group = "almir"; - uid = config.ids.uids.almir; - createHome = true; - shell = "${pkgs.bash}/bin/bash"; - }; - - users.extraGroups.almir.gid = config.ids.gids.almir; - }; -} diff --git a/nixos/modules/services/backup/tarsnap.nix b/nixos/modules/services/backup/tarsnap.nix index 59e9d122fb5..4fc7c24813a 100644 --- a/nixos/modules/services/backup/tarsnap.nix +++ b/nixos/modules/services/backup/tarsnap.nix @@ -238,6 +238,20 @@ in Whether to produce verbose logging output. ''; }; + explicitSymlinks = mkOption { + type = types.bool; + default = false; + description = '' + Whether to follow symlinks specified as archives. + ''; + }; + followSymlinks = mkOption { + type = types.bool; + default = false; + description = '' + Whether to follow all symlinks in archive trees. + ''; + }; }; } )); @@ -285,12 +299,12 @@ in }) gcfg.archives); systemd.services = - mapAttrs' (name: cfg: nameValuePair "tarsnap-${name}" { + (mapAttrs' (name: cfg: nameValuePair "tarsnap-${name}" { description = "Tarsnap archive '${name}'"; requires = [ "network-online.target" ]; after = [ "network-online.target" ]; - path = [ pkgs.iputils pkgs.tarsnap pkgs.utillinux ]; + path = with pkgs; [ iputils tarsnap utillinux ]; # In order for the persistent tarsnap timer to work reliably, we have to # make sure that the tarsnap server is reachable after systemd starts up @@ -300,10 +314,12 @@ in while ! ping -q -c 1 v1-0-0-server.tarsnap.com &> /dev/null; do sleep 3; done ''; - script = - let run = ''tarsnap --configfile "/etc/tarsnap/${name}.conf" \ - -c -f "${name}-$(date +"%Y%m%d%H%M%S")" \ + script = let + tarsnap = ''tarsnap --configfile "/etc/tarsnap/${name}.conf"''; + run = ''${tarsnap} -c -f "${name}-$(date +"%Y%m%d%H%M%S")" \ ${optionalString cfg.verbose "-v"} \ + ${optionalString cfg.explicitSymlinks "-H"} \ + ${optionalString cfg.followSymlinks "-L"} \ ${concatStringsSep " " cfg.directories}''; in if (cfg.cachedir != null) then '' mkdir -p ${cfg.cachedir} @@ -313,7 +329,7 @@ in if [ ! -e ${cfg.cachedir}/firstrun ]; then ( flock 10 flock -u 9 - tarsnap --configfile "/etc/tarsnap/${name}.conf" --fsck + ${tarsnap} --fsck flock 9 ) 10>${cfg.cachedir}/firstrun fi @@ -329,7 +345,44 @@ in CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ]; PermissionsStartOnly = "true"; }; - }) gcfg.archives; + }) gcfg.archives) // + + (mapAttrs' (name: cfg: nameValuePair "tarsnap-restore-${name}"{ + description = "Tarsnap restore '${name}'"; + requires = [ "network-online.target" ]; + + path = with pkgs; [ iputils tarsnap utillinux ]; + + script = let + tarsnap = ''tarsnap --configfile "/etc/tarsnap/${name}.conf"''; + lastArchive = ''$(${tarsnap} --list-archives | sort | tail -1)''; + run = ''${tarsnap} -x -f "${lastArchive}" ${optionalString cfg.verbose "-v"}''; + + in if (cfg.cachedir != null) then '' + mkdir -p ${cfg.cachedir} + chmod 0700 ${cfg.cachedir} + + ( flock 9 + if [ ! -e ${cfg.cachedir}/firstrun ]; then + ( flock 10 + flock -u 9 + ${tarsnap} --fsck + flock 9 + ) 10>${cfg.cachedir}/firstrun + fi + ) 9>${cfg.cachedir}/lockf + + exec flock ${cfg.cachedir}/firstrun ${run} + '' else "exec ${run}"; + + serviceConfig = { + Type = "oneshot"; + IOSchedulingClass = "idle"; + NoNewPrivileges = "true"; + CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ]; + PermissionsStartOnly = "true"; + }; + }) gcfg.archives); # Note: the timer must be Persistent=true, so that systemd will start it even # if e.g. your laptop was asleep while the latest interval occurred. diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index fed91756e76..2c727de2102 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.tor; torDirectory = "/var/lib/tor"; + torRunDirectory = "/run/tor"; opt = name: value: optionalString (value != null) "${name} ${value}"; optint = name: value: optionalString (value != null && value != 0) "${name} ${toString value}"; @@ -38,6 +39,7 @@ let ''} ${optint "ControlPort" cfg.controlPort} + ${optionalString cfg.controlSocket.enable "ControlSocket ${torRunDirectory}/control GroupWritable RelaxDirModeCheck"} '' # Client connection config + optionalString cfg.client.enable '' @@ -140,6 +142,17 @@ in ''; }; + controlSocket = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Wheter to enable Tor control socket. Control socket is created + in <literal>${torRunDirectory}/control</literal> + ''; + }; + }; + client = { enable = mkOption { type = types.bool; @@ -692,7 +705,7 @@ in # Translated from the upstream contrib/dist/tor.service.in preStart = '' - install -o tor -g tor -d ${torDirectory}/onion + install -o tor -g tor -d ${torDirectory}/onion ${torRunDirectory} ${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config ''; @@ -716,7 +729,7 @@ in DevicePolicy = "closed"; InaccessibleDirectories = "/home"; ReadOnlyDirectories = "/"; - ReadWriteDirectories = torDirectory; + ReadWriteDirectories = [torDirectory torRunDirectory]; NoNewPrivileges = "yes"; }; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix index 1d53ce65900..4bbd041b6e0 100644 --- a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix +++ b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix @@ -118,7 +118,7 @@ with lib; default = []; example = [ { urlPath = "/foo/bar.png"; - files = "/home/eelco/some-file.png"; + file = "/home/eelco/some-file.png"; } ]; description = '' diff --git a/nixos/modules/system/boot/kexec.nix b/nixos/modules/system/boot/kexec.nix index 14ebe66e632..3fc1af28f62 100644 --- a/nixos/modules/system/boot/kexec.nix +++ b/nixos/modules/system/boot/kexec.nix @@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: { - config = lib.mkIf (pkgs.kexectools != null) { + config = lib.mkIf (pkgs.kexectools.meta.available) { environment.systemPackages = [ pkgs.kexectools ]; systemd.services."prepare-kexec" = diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 2391e85f9f7..bd2d52c30b4 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -523,6 +523,14 @@ in ''; }; + systemd.enableCgroupAccounting = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable cgroup accounting. + ''; + }; + systemd.extraConfig = mkOption { default = ""; type = types.lines; @@ -724,6 +732,13 @@ in "systemd/system.conf".text = '' [Manager] + ${optionalString config.systemd.enableCgroupAccounting '' + DefaultCPUAccounting=yes + DefaultIOAccounting=yes + DefaultBlockIOAccounting=yes + DefaultMemoryAccounting=yes + DefaultTasksAccounting=yes + ''} ${config.systemd.extraConfig} ''; diff --git a/nixos/tests/atd.nix b/nixos/tests/atd.nix index c2c0a716e0d..5260c8ddfb8 100644 --- a/nixos/tests/atd.nix +++ b/nixos/tests/atd.nix @@ -17,20 +17,14 @@ import ./make-test.nix ({ pkgs, lib, ... }: startAll; $machine->fail("test -f ~root/at-1"); - $machine->fail("test -f ~root/batch-1"); $machine->fail("test -f ~alice/at-1"); - $machine->fail("test -f ~alice/batch-1"); $machine->succeed("echo 'touch ~root/at-1' | at now+1min"); - $machine->succeed("echo 'touch ~root/batch-1' | batch"); $machine->succeed("su - alice -c \"echo 'touch at-1' | at now+1min\""); - $machine->succeed("su - alice -c \"echo 'touch batch-1' | batch\""); $machine->succeed("sleep 1.5m"); $machine->succeed("test -f ~root/at-1"); - $machine->succeed("test -f ~root/batch-1"); $machine->succeed("test -f ~alice/at-1"); - $machine->succeed("test -f ~alice/batch-1"); ''; }) |