diff options
Diffstat (limited to 'nixos/modules/config')
| -rw-r--r-- | nixos/modules/config/ldap.nix | 56 | ||||
| -rw-r--r-- | nixos/modules/config/pulseaudio.nix | 5 | ||||
| -rw-r--r-- | nixos/modules/config/zram.nix | 81 |
3 files changed, 116 insertions, 26 deletions
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index 0693e896f71..f65a3fc50d5 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -38,6 +38,8 @@ let bind_timelimit ${toString cfg.bind.timeLimit} ${optionalString (cfg.bind.distinguishedName != "") "binddn ${cfg.bind.distinguishedName}" } + ${optionalString (cfg.daemon.rootpwmoddn != "") + "rootpwmoddn ${cfg.daemon.rootpwmoddn}" } ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig } ''; }; @@ -126,6 +128,26 @@ in the end of the nslcd configuration file (nslcd.conf). '' ; } ; + + rootpwmoddn = mkOption { + default = ""; + example = "cn=admin,dc=example,dc=com"; + type = types.str; + description = '' + The distinguished name to use to bind to the LDAP server + when the root user tries to modify a user's password. + ''; + }; + + rootpwmodpw = mkOption { + default = ""; + example = "/run/keys/nslcd.rootpwmodpw"; + type = types.str; + description = '' + The path to a file containing the credentials with which + to bind to the LDAP server if the root user tries to change a user's password + ''; + }; }; bind = { @@ -203,9 +225,11 @@ in system.activationScripts = mkIf insertLdapPassword { ldap = stringAfter [ "etc" "groups" "users" ] '' if test -f "${cfg.bind.password}" ; then - echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw - mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf - chmod 600 /etc/ldap.conf + umask 0077 + conf="$(mktemp)" + printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" | + cat ${ldapConfig.source} - >"$conf" + mv -fT "$conf" /etc/ldap.conf fi ''; }; @@ -232,21 +256,31 @@ in wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -p /run/nslcd - rm -f /run/nslcd/nslcd.pid; - chown nslcd.nslcd /run/nslcd - ${optionalString (cfg.bind.distinguishedName != "") '' - if test -s "${cfg.bind.password}" ; then - ln -sfT "${cfg.bind.password}" /run/nslcd/bindpw - fi - ''} + umask 0077 + conf="$(mktemp)" + { + cat ${nslcdConfig.source} + test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' || + printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')" + test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' || + printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')" + } >"$conf" + mv -fT "$conf" /etc/nslcd.conf ''; + # NOTE: because one cannot pass a custom config path to `nslcd` + # (which is only able to use `/etc/nslcd.conf`) + # changes in `nslcdConfig` won't change `serviceConfig`, + # and thus won't restart `nslcd`. + # Therefore `restartTriggers` is used on `/etc/nslcd.conf`. + restartTriggers = [ nslcdConfig.source ]; + serviceConfig = { ExecStart = "${nss_pam_ldapd}/sbin/nslcd"; Type = "forking"; PIDFile = "/run/nslcd/nslcd.pid"; Restart = "always"; + RuntimeDirectory = [ "nslcd" ]; }; }; diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index 67f7105fe2f..e61a3a73120 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -180,7 +180,7 @@ in { type = types.attrsOf types.unspecified; default = {}; description = ''Config of the pulse daemon. See <literal>man pulse-daemon.conf</literal>.''; - example = literalExample ''{ flat-volumes = "no"; }''; + example = literalExample ''{ realtime-scheduling = "yes"; }''; }; }; @@ -242,6 +242,9 @@ in { source = writeText "libao.conf" "default_driver=pulse"; } ]; + # Disable flat volumes to enable relative ones + hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no"; + # Allow PulseAudio to get realtime priority using rtkit. security.rtkit.enable = true; diff --git a/nixos/modules/config/zram.nix b/nixos/modules/config/zram.nix index c1748812821..925d945c081 100644 --- a/nixos/modules/config/zram.nix +++ b/nixos/modules/config/zram.nix @@ -6,10 +6,27 @@ let cfg = config.zramSwap; - devices = map (nr: "zram${toString nr}") (range 0 (cfg.numDevices - 1)); + # don't set swapDevices as mkDefault, so we can detect user had read our warning + # (see below) and made an action (or not) + devicesCount = if cfg.swapDevices != null then cfg.swapDevices else cfg.numDevices; + + devices = map (nr: "zram${toString nr}") (range 0 (devicesCount - 1)); modprobe = "${pkgs.kmod}/bin/modprobe"; + warnings = + assert cfg.swapDevices != null -> cfg.numDevices >= cfg.swapDevices; + flatten [ + (optional (cfg.numDevices > 1 && cfg.swapDevices == null) '' + Using several small zram devices as swap is no better than using one large. + Set either zramSwap.numDevices = 1 or explicitly set zramSwap.swapDevices. + + Previously multiple zram devices were used to enable multithreaded + compression. Linux supports multithreaded compression for 1 device + since 3.15. See https://lkml.org/lkml/2014/2/28/404 for details. + '') + ]; + in { @@ -24,9 +41,11 @@ in default = false; type = types.bool; description = '' - Enable in-memory compressed swap space provided by the zram kernel - module. - See https://www.kernel.org/doc/Documentation/blockdev/zram.txt + Enable in-memory compressed devices and swap space provided by the zram + kernel module. + See <link xlink:href="https://www.kernel.org/doc/Documentation/blockdev/zram.txt"> + https://www.kernel.org/doc/Documentation/blockdev/zram.txt + </link>. ''; }; @@ -34,7 +53,19 @@ in default = 1; type = types.int; description = '' - Number of zram swap devices to create. + Number of zram devices to create. See also + <literal>zramSwap.swapDevices</literal> + ''; + }; + + swapDevices = mkOption { + default = null; + example = 1; + type = with types; nullOr int; + description = '' + Number of zram devices to be used as swap. Must be + <literal><= zramSwap.numDevices</literal>. + Default is same as <literal>zramSwap.numDevices</literal>, recommended is 1. ''; }; @@ -44,7 +75,8 @@ in description = '' Maximum amount of memory that can be used by the zram swap devices (as a percentage of your total memory). Defaults to 1/2 of your total - RAM. + RAM. Run <literal>zramctl</literal> to check how good memory is + compressed. ''; }; @@ -58,12 +90,26 @@ in ''; }; + algorithm = mkOption { + default = "zstd"; + example = "lzo"; + type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str; + description = '' + Compression algorithm. <literal>lzo</literal> has good compression, + but is slow. <literal>lz4</literal> has bad compression, but is fast. + <literal>zstd</literal> is both good compression and fast. + You can check what other algorithms are supported by your zram device with + <programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting> + ''; + }; }; }; config = mkIf cfg.enable { + inherit warnings; + system.requiredKernelConfig = with config.lib.kernelConfig; [ (isModule "ZRAM") ]; @@ -85,25 +131,25 @@ in createZramInitService = dev: nameValuePair "zram-init-${dev}" { description = "Init swap on zram-based device ${dev}"; - bindsTo = [ "dev-${dev}.swap" ]; after = [ "dev-${dev}.device" "zram-reloader.service" ]; requires = [ "dev-${dev}.device" "zram-reloader.service" ]; before = [ "dev-${dev}.swap" ]; requiredBy = [ "dev-${dev}.swap" ]; + unitConfig.DefaultDependencies = false; # needed to prevent a cycle serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/class/block/${dev}/reset'"; }; script = '' - set -u - set -o pipefail - + set -euo pipefail + # Calculate memory to use for zram - totalmem=$(${pkgs.gnugrep}/bin/grep 'MemTotal: ' /proc/meminfo | ${pkgs.gawk}/bin/awk '{print $2}') - mem=$(((totalmem * ${toString cfg.memoryPercent} / 100 / ${toString cfg.numDevices}) * 1024)) + mem=$(${pkgs.gawk}/bin/awk '/MemTotal: / { + print int($2*${toString cfg.memoryPercent}/100.0/${toString devicesCount}*1024) + }' /proc/meminfo) - echo $mem > /sys/class/block/${dev}/disksize + ${pkgs.utillinux}/sbin/zramctl --size $mem --algorithm ${cfg.algorithm} /dev/${dev} ${pkgs.utillinux}/sbin/mkswap /dev/${dev} ''; restartIfChanged = false; @@ -111,6 +157,9 @@ in in listToAttrs ((map createZramInitService devices) ++ [(nameValuePair "zram-reloader" { description = "Reload zram kernel module when number of devices changes"; + wants = [ "systemd-udevd.service" ]; + after = [ "systemd-udevd.service" ]; + unitConfig.DefaultDependencies = false; # needed to prevent a cycle serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -118,7 +167,11 @@ in ExecStart = "${modprobe} zram"; ExecStop = "${modprobe} -r zram"; }; - restartTriggers = [ cfg.numDevices ]; + restartTriggers = [ + cfg.numDevices + cfg.algorithm + cfg.memoryPercent + ]; restartIfChanged = true; })]); |