Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/continuous-integration/gitlab-runner.nix5
-rw-r--r--nixos/modules/services/databases/redis.nix19
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-user-share.nix20
-rw-r--r--nixos/modules/services/editors/emacs.xml20
-rw-r--r--nixos/modules/services/hardware/fwupd.nix22
-rw-r--r--nixos/modules/services/mail/dovecot.nix3
-rw-r--r--nixos/modules/services/mail/mailman.nix114
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix7
-rw-r--r--nixos/modules/services/monitoring/netdata.nix2
-rw-r--r--nixos/modules/services/networking/nsd.nix3
-rw-r--r--nixos/modules/services/networking/softether.nix2
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/module.nix5
-rw-r--r--nixos/modules/services/networking/strongswan.nix3
-rw-r--r--nixos/modules/services/security/vault.nix2
-rw-r--r--nixos/modules/services/torrent/magnetico.nix214
-rw-r--r--nixos/modules/services/web-servers/apache-httpd/default.nix3
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix21
-rw-r--r--nixos/modules/services/x11/desktop-managers/default.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/xfce4-14.nix157
-rw-r--r--nixos/modules/services/x11/display-managers/default.nix2
20 files changed, 550 insertions, 76 deletions
diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index 3ceaa6f5ff3..3d307b1abcf 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -111,7 +111,10 @@ in
   config = mkIf cfg.enable {
     systemd.services.gitlab-runner = {
       path = cfg.packages;
-      environment = config.networking.proxy.envVars;
+      environment = config.networking.proxy.envVars // {
+        # Gitlab runner will not start if the HOME variable is not set
+        HOME = cfg.workDir;
+      };
       description = "Gitlab Runner";
       after = [ "network.target" ]
         ++ optional hasDocker "docker.service";
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index c04cc1283b2..3f2857100f5 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -224,26 +224,17 @@ in
 
     environment.systemPackages = [ cfg.package ];
 
-    systemd.services.redis_init =
-      { description = "Redis Server Initialisation";
-
-        wantedBy = [ "redis.service" ];
-        before = [ "redis.service" ];
-
-        serviceConfig.Type = "oneshot";
-
-        script = ''
-          install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
-          chown -R ${cfg.user} ${cfg.dbpath}
-        '';
-      };
-
     systemd.services.redis =
       { description = "Redis Server";
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
 
+        preStart = ''
+          install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
+          chown -R ${cfg.user} ${cfg.dbpath}
+        '';
+
         serviceConfig = {
           ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}";
           User = cfg.user;
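Review bot: The `preStart` added to `systemd.services.redis` sits in a unit whose `serviceConfig` sets `User = cfg.user`, so `install -d -m0700 -o ${cfg.user} ${cfg.dbpath}` and `chown -R ${cfg.user} ${cfg.dbpath}` may now run as the unprivileged redis user rather than as root, which is how they ran in the removed `redis_init` oneshot. That holds unless the rest of `serviceConfig`, which continues past this hunk, keeps the pre-start step privileged. On a fresh host an unprivileged pre-start cannot create or re-own the data directory, and the unit fails before Redis starts. Either add `PermissionsStartOnly = true;` to `serviceConfig`, or create the directory through `systemd.tmpfiles.rules` with mode 0700 and owner `cfg.user`.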
diff --git a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix b/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
index 1f6ce2ae968..f8396287770 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
@@ -12,14 +12,7 @@ with lib;
 
     services.gnome3.gnome-user-share = {
 
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable GNOME User Share, a service that exports the
-          contents of the Public folder in your home directory on the local network.
-        '';
-      };
+      enable = mkEnableOption "GNOME User Share, a user-level file sharing service for GNOME";
 
     };
 
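Review bot: The `mkEnableOption` text for `services.gnome3.gnome-user-share.enable` no longer tells the administrator what enabling the option exposes. The removed description said the service exports the contents of the Public folder in the user's home directory on the local network. I would keep that fact in the one-line form, e.g. `enable = mkEnableOption "GNOME User Share, a user-level service that exports the Public folder of your home directory on the local network";`.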
@@ -30,12 +23,13 @@ with lib;
 
   config = mkIf config.services.gnome3.gnome-user-share.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.gnome-user-share ];
+    environment.systemPackages = [
+      pkgs.gnome3.gnome-user-share
+    ];
 
-    services.xserver.displayManager.sessionCommands = with pkgs.gnome3; ''
-      # Don't let gnome-control-center depend upon gnome-user-share
-      export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome-user-share}/share/gsettings-schemas/${gnome-user-share.name}
-    '';
+    systemd.packages = [
+      pkgs.gnome3.gnome-user-share
+    ];
 
   };
 
diff --git a/nixos/modules/services/editors/emacs.xml b/nixos/modules/services/editors/emacs.xml
index acd69f18376..8ced302bad1 100644
--- a/nixos/modules/services/editors/emacs.xml
+++ b/nixos/modules/services/editors/emacs.xml
@@ -9,6 +9,7 @@
       Damien Cassou @DamienCassou
       Thomas Tuegel @ttuegel
       Rodney Lorrimar @rvl
+      Adam Hoese @adisbladis
   -->
  <para>
   <link xlink:href="https://www.gnu.org/software/emacs/">Emacs</link> is an
@@ -130,15 +131,6 @@
     Emacs packages through nixpkgs.
    </para>
 
-   <note>
-    <para>
-     This documentation describes the new Emacs packages framework in NixOS
-     16.03 (<varname>emacsPackagesNg</varname>) which should not be confused
-     with the previous and deprecated framework
-     (<varname>emacs24Packages</varname>).
-    </para>
-   </note>
-
    <para>
     The first step to declare the list of packages you want in your Emacs
     installation is to create a dedicated derivation. This can be done in a
@@ -164,7 +156,7 @@ $ ./result/bin/emacs
 
 let
   myEmacs = pkgs.emacs; <co xml:id="ex-emacsNix-2" />
-  emacsWithPackages = (pkgs.emacsPackagesNgGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
+  emacsWithPackages = (pkgs.emacsPackagesGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
 in
   emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ <co xml:id="ex-emacsNix-4" />
     magit          # ; Integrate git &lt;C-x g&gt;
@@ -262,10 +254,10 @@ in
     <example xml:id="module-services-emacs-querying-packages">
      <title>Querying Emacs packages</title>
 <programlisting><![CDATA[
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.elpaPackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaPackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaStablePackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.orgPackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.elpaPackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaPackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaStablePackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.orgPackages
 ]]></programlisting>
     </example>
    </para>
diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix
index cad9fa20de0..223adfee96e 100644
--- a/nixos/modules/services/hardware/fwupd.nix
+++ b/nixos/modules/services/hardware/fwupd.nix
@@ -8,8 +8,8 @@ let
   cfg = config.services.fwupd;
   originalEtc =
     let
-      mkEtcFile = n: nameValuePair n { source = "${pkgs.fwupd}/etc/${n}"; };
-    in listToAttrs (map mkEtcFile pkgs.fwupd.filesInstalledToEtc);
+      mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; };
+    in listToAttrs (map mkEtcFile cfg.package.filesInstalledToEtc);
   extraTrustedKeys =
     let
       mkName = p: "pki/fwupd/${baseNameOf (toString p)}";
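Review bot: `originalEtc` now reads `cfg.package.filesInstalledToEtc`, and the test remote in the next hunk reads `cfg.package.installedTests`, so any package supplied through the new `package` option must carry both attributes or evaluation fails with a missing-attribute error. The option is declared in a later hunk, and its description only says "Which fwupd package to use."; I would state the requirement there, e.g. `Which fwupd package to use. It must provide the filesInstalledToEtc and installedTests attributes that pkgs.fwupd has.` The files linked into /etc also now come from the overriding package, so an override presumably changes the daemon's shipped configuration as well as its binaries, which is worth a sentence in the same description. The `let` block continues outside this hunk.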
@@ -24,7 +24,7 @@ let
     "fwupd/remotes.d/fwupd-tests.conf" = {
       source = pkgs.runCommand "fwupd-tests-enabled.conf" {} ''
         sed "s,^Enabled=false,Enabled=true," \
-        "${pkgs.fwupd.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
+        "${cfg.package.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
       '';
     };
   } else {};
@@ -77,13 +77,21 @@ in {
           <link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>.
         '';
       };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.fwupd;
+        description = ''
+          Which fwupd package to use.
+        '';
+      };
     };
   };
 
 
   ###### implementation
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.fwupd ];
+    environment.systemPackages = [ cfg.package ];
 
     environment.etc = {
       "fwupd/daemon.conf" = {
@@ -102,11 +110,11 @@ in {
 
     } // originalEtc // extraTrustedKeys // testRemote;
 
-    services.dbus.packages = [ pkgs.fwupd ];
+    services.dbus.packages = [ cfg.package ];
 
-    services.udev.packages = [ pkgs.fwupd ];
+    services.udev.packages = [ cfg.package ];
 
-    systemd.packages = [ pkgs.fwupd ];
+    systemd.packages = [ cfg.package ];
 
     systemd.tmpfiles.rules = [
       "d /var/lib/fwupd 0755 root root -"
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 139011dca23..cdbb776454b 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -344,8 +344,7 @@ in
     systemd.services.dovecot2 = {
       description = "Dovecot IMAP/POP3 server";
 
-      after = [ "keys.target" "network.target" ];
-      wants = [ "keys.target" ];
+      after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ cfg.configFile ];
 
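Review bot: With `keys.target` dropped from `after` and `wants`, nothing in the dovecot2 unit waits for externally deployed secrets any more, so on a host where key material is delivered after boot the service can start before its private keys exist. The same removal is made in the nsd, softether-init, strongswan-swanctl, strongswan and Apache httpd hunks of this diff. It looks most likely to matter for the strongswan unit, which is passed a `secretsFile`. If each deployment is now expected to declare the ordering on its own key units, a comment in the affected units would make that explicit, e.g. `# secrets deployed out-of-band must be ordered by the deployment itself; keys.target is no longer pulled in`. The unit definitions continue outside these hunks.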
diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix
new file mode 100644
index 00000000000..11dd5cb48db
--- /dev/null
+++ b/nixos/modules/services/mail/mailman.nix
@@ -0,0 +1,114 @@
+{ config, pkgs, lib, ... }:          # mailman.nix
+
+with lib;
+
+let
+
+  cfg = config.services.mailman;
+
+  pythonEnv = pkgs.python3.withPackages (ps: [ps.mailman]);
+
+  mailmanExe = with pkgs; stdenv.mkDerivation {
+    name = "mailman-" + python3Packages.mailman.version;
+    unpackPhase = ":";
+    installPhase = ''
+      mkdir -p $out/bin
+      sed >"$out/bin/mailman" <"${pythonEnv}/bin/mailman" \
+        -e "2 iexport MAILMAN_CONFIG_FILE=/etc/mailman.cfg"
+      chmod +x $out/bin/mailman
+    '';
+  };
+
+  mailmanCfg = ''
+    [mailman]
+    site_owner: ${cfg.siteOwner}
+    layout: fhs
+
+    [paths.fhs]
+    bin_dir: ${pkgs.python3Packages.mailman}/bin
+    var_dir: /var/lib/mailman
+    queue_dir: $var_dir/queue
+    log_dir: $var_dir/log
+    lock_dir: $var_dir/lock
+    etc_dir: /etc
+    ext_dir: $etc_dir/mailman.d
+    pid_file: /run/mailman/master.pid
+  '';
+
+in {
+
+  ###### interface
+
+  options = {
+
+    services.mailman = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable Mailman on this host. Requires an active Postfix installation.";
+      };
+
+      siteOwner = mkOption {
+        type = types.str;
+        default = "postmaster";
+        description = ''
+          Certain messages that must be delivered to a human, but which can't
+          be delivered to a list owner (e.g. a bounce from a list owner), will
+          be sent to this address. It should point to a human.
+        '';
+      };
+
+
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    assertions = [
+      { assertion = cfg.enable -> config.services.postfix.enable;
+        message = "Mailman requires Postfix";
+      }
+      { assertion = config.services.postfix.recipientDelimiter == "+";
+        message = "Postfix's recipientDelimiter must be set to '+'.";
+      }
+    ];
+
+    users.users.mailman = { description = "GNU Mailman"; isSystemUser = true; };
+
+    environment = {
+      systemPackages = [ mailmanExe ];
+      etc."mailman.cfg".text = mailmanCfg;
+    };
+
+    services.postfix = {
+      relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
+      config = {
+        transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+        local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+        # Mailman uses recipient delimiters, so we don't need special handling.
+        owner_request_special = "no";
+      };
+    };
+
+    systemd.services.mailman = {
+      description = "GNU Mailman Master Process";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${mailmanExe}/bin/mailman start";
+        ExecStop = "${mailmanExe}/bin/mailman stop";
+        User = "mailman";
+        Type = "forking";
+        StateDirectory = "mailman";
+        StateDirectoryMode = "0700";
+        RuntimeDirectory = "mailman";
+        PIDFile = "/run/mailman/master.pid";
+      };
+    };
+
+  };
+
+}
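Review bot: `mailmanExe` injects the config path by running `sed -e "2 iexport MAILMAN_CONFIG_FILE=/etc/mailman.cfg"` over `${pythonEnv}/bin/mailman`, which only works while that file is a shell wrapper with its shebang on line 1. If it ever becomes a plain Python entry point, the inserted `export` line breaks the command. I would build the wrapper with `makeWrapper ${pythonEnv}/bin/mailman $out/bin/mailman --set MAILMAN_CONFIG_FILE /etc/mailman.cfg` and `buildInputs = [ makeWrapper ];` instead. Separately, `cfg.enable ->` in the first assertion is redundant inside `mkIf cfg.enable`. `siteOwner` also defaults to the bare local part `postmaster` although its description calls it an address, so an `example` with a full address would make the expected form clear.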
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index aa781f93b66..3826f728afd 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -8,7 +8,9 @@ let
 
   nix = cfg.package.out;
 
-  isNix20 = versionAtLeast (getVersion nix) "2.0pre";
+  nixVersion = getVersion nix;
+
+  isNix20 = versionAtLeast nixVersion "2.0pre";
 
   makeNixBuildUser = nr:
     { name = "nixbld${toString nr}";
@@ -61,6 +63,9 @@ let
           builders =
         ''}
         system-features = ${toString cfg.systemFeatures}
+        ${optionalString (versionAtLeast nixVersion "2.3pre") ''
+          sandbox-fallback = false
+        ''}
         $extraOptions
         END
       '' + optionalString cfg.checkConfig (
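Review bot: `sandbox-fallback = false` is written into the generated nix.conf with nothing recording why, and it sits ahead of `$extraOptions`, so a `sandbox-fallback` line in the user's extra options presumably still takes precedence over it. The setting makes a build fail rather than silently run unsandboxed when the sandbox cannot be set up, which is a security-relevant default worth stating next to it. Because this text is inside the generated file's body, a nix.conf comment line such as `# fail instead of silently building without a sandbox` directly above the setting would do. The surrounding string continues outside the hunk.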
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
index f9b7550af23..463b1b882ac 100644
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -156,6 +156,8 @@ in {
       };
     };
 
+    systemd.enableCgroupAccounting = true;
+
     security.wrappers."apps.plugin" = {
       source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin.org";
       capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix
index 03771c8b5aa..bc0966e6b8e 100644
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -916,9 +916,8 @@ in
     systemd.services.nsd = {
       description = "NSD authoritative only domain name service";
 
-      after = [ "keys.target" "network.target" ];
+      after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      wants = [ "keys.target" ];
 
       serviceConfig = {
         ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix
index 2e1ce3ccc50..2aa3ad4be03 100644
--- a/nixos/modules/services/networking/softether.nix
+++ b/nixos/modules/services/networking/softether.nix
@@ -70,8 +70,6 @@ in
 
       systemd.services.softether-init = {
         description = "SoftEther VPN services initial task";
-        after = [ "keys.target" ];
-        wants = [ "keys.target" ];
         wantedBy = [ "network.target" ];
         serviceConfig = {
           Type = "oneshot";
diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix
index 817b5ec55f7..0fec3ef00ad 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/module.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix
@@ -62,9 +62,8 @@ in  {
     systemd.services.strongswan-swanctl = {
       description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
       wantedBy = [ "multi-user.target" ];
-      after    = [ "network-online.target" "keys.target" ];
-      wants    = [ "keys.target" ];
-      path = with pkgs; [ kmod iproute iptables utillinux ];
+      after    = [ "network-online.target" ];
+      path     = with pkgs; [ kmod iproute iptables utillinux ];
       environment = {
         STRONGSWAN_CONF = pkgs.writeTextFile {
           name = "strongswan.conf";
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
index 41b69039ba7..4ff9c486059 100644
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -151,8 +151,7 @@ in
       description = "strongSwan IPSec Service";
       wantedBy = [ "multi-user.target" ];
       path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
-      wants = [ "keys.target" ];
-      after = [ "network-online.target" "keys.target" ];
+      after = [ "network-online.target" ];
       environment = {
         STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
       };
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 8176c168ca9..d5962ba9af9 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -70,7 +70,7 @@ in
       };
 
       storageBackend = mkOption {
-        type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];
+        type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
         default = "inmem";
         description = "The name of the type of storage backend";
       };
diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix
new file mode 100644
index 00000000000..02fa2ac0750
--- /dev/null
+++ b/nixos/modules/services/torrent/magnetico.nix
@@ -0,0 +1,214 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.magnetico;
+
+  dataDir = "/var/lib/magnetico";
+
+  credFile = with cfg.web;
+    if credentialsFile != null
+      then credentialsFile
+      else pkgs.writeText "magnetico-credentials"
+        (concatStrings (mapAttrsToList
+          (user: hash: "${user}:${hash}\n")
+          cfg.web.credentials));
+
+  # default options in magneticod/main.go
+  dbURI = concatStrings
+    [ "sqlite3://${dataDir}/database.sqlite3"
+      "?_journal_mode=WAL"
+      "&_busy_timeout=3000"
+      "&_foreign_keys=true"
+    ];
+
+  crawlerArgs = with cfg.crawler; escapeShellArgs
+    ([ "--database=${dbURI}"
+       "--indexer-addr=${address}:${toString port}"
+       "--indexer-max-neighbors=${toString maxNeighbors}"
+       "--leech-max-n=${toString maxLeeches}"
+     ] ++ extraOptions);
+
+  webArgs = with cfg.web; escapeShellArgs
+    ([ "--database=${dbURI}"
+       (if (cfg.web.credentialsFile != null || cfg.web.credentials != { })
+         then "--credentials=${toString credFile}"
+         else "--no-auth")
+     ] ++ extraOptions);
+
+in {
+
+  ###### interface
+
+  options.services.magnetico = {
+    enable = mkEnableOption "Magnetico, Bittorrent DHT crawler";
+
+    crawler.address = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      example = "1.2.3.4";
+      description = ''
+        Address to be used for indexing DHT nodes.
+      '';
+    };
+
+    crawler.port = mkOption {
+      type = types.port;
+      default = 0;
+      description = ''
+        Port to be used for indexing DHT nodes.
+        This port should be added to
+        <option>networking.firewall.allowedTCPPorts</option>.
+      '';
+    };
+
+    crawler.maxNeighbors = mkOption {
+      type = types.ints.positive;
+      default = 1000;
+      description = ''
+        Maximum number of simultaneous neighbors of an indexer.
+        Be careful changing this number: high values can very
+        easily cause your network to be congested or even crash
+        your router.
+      '';
+    };
+
+    crawler.maxLeeches = mkOption {
+      type = types.ints.positive;
+      default = 200;
+      description = ''
+        Maximum number of simultaneous leeches.
+      '';
+    };
+
+    crawler.extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+        Extra command line arguments to pass to magneticod.
+      '';
+    };
+
+    web.address = mkOption {
+      type = types.str;
+      default = "localhost";
+      example = "1.2.3.4";
+      description = ''
+        Address the web interface will listen to.
+      '';
+    };
+
+    web.port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = ''
+        Port the web interface will listen to.
+      '';
+    };
+
+    web.credentials = mkOption {
+      type = types.attrsOf types.str;
+      default = {};
+      example = lib.literalExample ''
+        {
+          myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG";
+        }
+      '';
+      description = ''
+        The credentials to access the web interface, in case authentication is
+        enabled, in the format <literal>username:hash</literal>. If unset no
+        authentication will be required.
+
+        Usernames must start with a lowercase ([a-z]) ASCII character, might
+        contain non-consecutive underscores except at the end, and consists of
+        small-case a-z characters and digits 0-9.  The
+        <command>htpasswd</command> tool from the <package>apacheHttpd
+        </package> package may be used to generate the hash: <command>htpasswd
+        -bnBC 12 username password</command>
+
+        <warning>
+        <para>
+          The hashes will be stored world-readable in the nix store.
+          Consider using the <literal>credentialsFile</literal> option if you
+          don't want this.
+        </para>
+        </warning>
+      '';
+    };
+
+    web.credentialsFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = ''
+        The path to the file holding the credentials to access the web
+        interface. If unset no authentication will be required.
+
+        The file must constain user names and password hashes in the format
+        <literal>username:hash </literal>, one for each line.  Usernames must
+        start with a lowecase ([a-z]) ASCII character, might contain
+        non-consecutive underscores except at the end, and consists of
+        small-case a-z characters and digits 0-9.
+        The <command>htpasswd</command> tool from the <package>apacheHttpd
+        </package> package may be used to generate the hash:
+        <command>htpasswd -bnBC 12 username password</command>
+      '';
+    };
+
+    web.extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+        Extra command line arguments to pass to magneticow.
+      '';
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    users.users.magnetico = {
+      description = "Magnetico daemons user";
+    };
+
+    systemd.services.magneticod = {
+      description = "Magnetico DHT crawler";
+      wantedBy = [ "multi-user.target" ];
+      after    = [ "network-online.target" ];
+
+      serviceConfig = {
+        User      = "magnetico";
+        Restart   = "on-failure";
+        ExecStart = "${pkgs.magnetico}/bin/magneticod ${crawlerArgs}";
+      };
+    };
+
+    systemd.services.magneticow = {
+      description = "Magnetico web interface";
+      wantedBy = [ "multi-user.target" ];
+      after    = [ "network-online.target" "magneticod.service"];
+
+      serviceConfig = {
+        User           = "magnetico";
+        StateDirectory = "magnetico";
+        Restart        = "on-failure";
+        ExecStart      = "${pkgs.magnetico}/bin/magneticow ${webArgs}";
+      };
+    };
+
+    assertions =
+    [
+      {
+        assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { };
+        message = ''
+          The options services.magnetico.web.credentialsFile and
+          services.magnetico.web.credentials are mutually exclusives.
+        '';
+      }
+    ];
+
+  };
+
+}
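Review bot: The assertion at the end of the module is `cfg.web.credentialsFile != null || cfg.web.credentials != { }`, which requires at least one credential source instead of forbidding both. Its "mutually exclusives" message therefore does not match, the default configuration fails evaluation, and the `--no-auth` branch of `webArgs` can never be reached. For mutual exclusion it should read `assertion = cfg.web.credentialsFile == null || cfg.web.credentials == { };`; as written, setting both passes the check and `credentialsFile` silently wins in `credFile`. `web.address` and `web.port` are declared but never appear in `webArgs`, so this module does not apply the documented `localhost` default to magneticow. `magneticod` is pointed at a database under `${dataDir}`, but only `magneticow`, which is ordered after it, declares `StateDirectory = "magnetico"`; the crawler unit should declare it too.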
diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 12200c879be..098160ee369 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -670,8 +670,7 @@ in
       { description = "Apache HTTPD";
 
         wantedBy = [ "multi-user.target" ];
-        wants = [ "keys.target" ];
-        after = [ "network.target" "fs.target" "keys.target" ];
+        after = [ "network.target" "fs.target" ];
 
         path =
           [ httpd pkgs.coreutils pkgs.gnugrep ]
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index c1a51fbf8b4..5c65a2388d6 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -4,23 +4,25 @@ with lib;
 
 let
   cfg = config.services.nginx;
+  certs = config.security.acme.certs;
+  vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
+  acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
   virtualHosts = mapAttrs (vhostName: vhostConfig:
     let
       serverName = if vhostConfig.serverName != null
         then vhostConfig.serverName
         else vhostName;
-      acmeDirectory = config.security.acme.directory;
     in
     vhostConfig // {
       inherit serverName;
     } // (optionalAttrs vhostConfig.enableACME {
-      sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
-      sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
-      sslTrustedCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
+      sslCertificate = "${certs.${serverName}.directory}/fullchain.pem";
+      sslCertificateKey = "${certs.${serverName}.directory}/key.pem";
+      sslTrustedCertificate = "${certs.${serverName}.directory}/full.pem";
     }) // (optionalAttrs (vhostConfig.useACMEHost != null) {
-      sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
-      sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
-      sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
+      sslCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
+      sslCertificateKey = "${certs.${vhostConfig.useACMEHost}.directory}/key.pem";
+      sslTrustedCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
     })
   ) cfg.virtualHosts;
   enableIPv6 = config.networking.enableIPv6;
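Review bot: In the `enableACME` branch `sslTrustedCertificate` now points at `${certs.${serverName}.directory}/full.pem`, while the `useACMEHost` branch directly below keeps `fullchain.pem` for the same option. I believe `full.pem` is the combined bundle that also contains the private key, though that is not visible in this diff. If so, it is the wrong input for a trusted-certificate setting and adds a second place where key material is read. Unless the difference is intended, use `sslTrustedCertificate = "${certs.${serverName}.directory}/fullchain.pem";` so both branches agree.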
@@ -646,8 +648,9 @@ in
 
     systemd.services.nginx = {
       description = "Nginx Web Server";
-      after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
+      after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
       stopIfChanged = false;
       preStart =
         ''
@@ -680,8 +683,6 @@ in
 
     security.acme.certs = filterAttrs (n: v: v != {}) (
       let
-        vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
-        acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
         acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
             user = cfg.user;
             group = lib.mkDefault cfg.group;
diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix
index 671a959cdde..dfb84113e13 100644
--- a/nixos/modules/services/x11/desktop-managers/default.nix
+++ b/nixos/modules/services/x11/desktop-managers/default.nix
@@ -18,7 +18,7 @@ in
   # determines the default: later modules (if enabled) are preferred.
   # E.g., if Plasma 5 is enabled, it supersedes xterm.
   imports = [
-    ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
+    ./none.nix ./xterm.nix ./xfce.nix ./xfce4-14.nix ./plasma5.nix ./lumina.nix
     ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix
     ./mate.nix ./pantheon.nix ./surf-display.nix
   ];
diff --git a/nixos/modules/services/x11/desktop-managers/xfce4-14.nix b/nixos/modules/services/x11/desktop-managers/xfce4-14.nix
new file mode 100644
index 00000000000..16329c093f9
--- /dev/null
+++ b/nixos/modules/services/x11/desktop-managers/xfce4-14.nix
@@ -0,0 +1,157 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.xserver.desktopManager.xfce4-14;
+in
+
+{
+  # added 2019-08-18
+  # needed to preserve some semblance of UI familarity
+  # with original XFCE module
+  imports = [
+    (mkRenamedOptionModule
+      [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ]
+      [ "services" "xserver" "displayManager" "sessionCommands" ])
+  ];
+
+  options = {
+    services.xserver.desktopManager.xfce4-14 = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable the Xfce desktop environment.";
+      };
+
+    # TODO: support thunar plugins
+    #   thunarPlugins = mkOption {
+    #     default = [];
+    #     type = types.listOf types.package;
+    #     example = literalExample "[ pkgs.xfce4-14.thunar-archive-plugin ]";
+    #     description = ''
+    #       A list of plugin that should be installed with Thunar.
+    #     '';
+    #  };
+
+      noDesktop = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon).";
+      };
+
+      enableXfwm = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable the XFWM (default) window manager.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs.xfce4-14 // pkgs; [
+      glib # for gsettings
+      gtk3.out # gtk-update-icon-cache
+
+      gnome3.adwaita-icon-theme
+      hicolor-icon-theme
+      tango-icon-theme
+      xfce4-icon-theme
+
+      desktop-file-utils
+      shared-mime-info # for update-mime-database
+
+      # For a polkit authentication agent
+      polkit_gnome
+
+      # Needed by Xfce's xinitrc script
+      xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
+
+      exo
+      garcon
+      gtk-xfce-engine
+      libxfce4ui
+      xfconf
+
+      mousepad
+      ristretto
+      xfce4-appfinder
+      xfce4-screenshooter
+      xfce4-session
+      xfce4-settings
+      xfce4-terminal
+
+      # TODO: resync patch for plugins
+      #(thunar.override { thunarPlugins = cfg.thunarPlugins; })
+      thunar
+    ] # TODO: NetworkManager doesn't belong here
+      ++ optional config.networking.networkmanager.enable networkmanagerapplet
+      ++ optional config.hardware.pulseaudio.enable xfce4-pulseaudio-plugin
+      ++ optional config.powerManagement.enable xfce4-power-manager
+      ++ optional cfg.enableXfwm xfwm4
+      ++ optionals (!cfg.noDesktop) [
+        xfce4-panel
+        xfce4-notifyd
+        xfdesktop
+      ];
+
+    environment.pathsToLink = [
+      "/share/xfce4"
+      "/lib/xfce4"
+      "/share/gtksourceview-3.0"
+      "/share/gtksourceview-4.0"
+    ];
+
+    # Use the correct gnome3 packageSet
+    networking.networkmanager.basePackages = mkIf config.networking.networkmanager.enable {
+      inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
+      inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc
+      networkmanager-openconnect networkmanager-fortisslvpn
+      networkmanager-iodine networkmanager-l2tp;
+    };
+
+    services.xserver.desktopManager.session = [{
+      name = "xfce4-14";
+      bgSupport = true;
+      start = ''
+        # Set GTK_PATH so that GTK+ can find the theme engines.
+        export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0"
+
+        # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes.
+        export GTK_DATA_PREFIX=${config.system.path}
+
+        ${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} &
+        waitPID=$!
+      '';
+    }];
+
+    services.xserver.updateDbusEnvironment = true;
+    services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
+
+    # Enable helpful DBus services.
+    services.udisks2.enable = true;
+    security.polkit.enable = true;
+    services.accounts-daemon.enable = true;
+    services.upower.enable = config.powerManagement.enable;
+    services.gnome3.glib-networking.enable = true;
+    services.gvfs.enable = true;
+    services.gvfs.package = pkgs.xfce.gvfs;
+    services.tumbler.enable = true;
+    services.dbus.packages =
+      optional config.services.printing.enable pkgs.system-config-printer;
+    services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager
+
+    # Enable default programs
+    programs.dconf.enable = true;
+
+    # Shell integration for VTE terminals
+    programs.bash.vteIntegration = mkDefault true;
+    programs.zsh.vteIntegration = mkDefault true;
+
+    # Systemd services
+    systemd.packages = with pkgs.xfce4-14; [
+      thunar
+    ] ++ optional (!cfg.noDesktop) xfce4-notifyd;
+
+  };
+}
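Review bot: Enabling this desktop sets `services.udisks2.enable`, `security.polkit.enable`, `services.accounts-daemon.enable`, `services.gvfs.enable` and `services.tumbler.enable` to plain `true`, so a user who wants fewer D-Bus services running has to use `mkForce`. Only `libinput` and the VTE integration use `mkDefault`. I would write these as e.g. `services.udisks2.enable = mkDefault true;` and likewise for the others. `services.gvfs.package = pkgs.xfce.gvfs;` takes gvfs from the old `pkgs.xfce` set while the rest of the module uses `pkgs.xfce4-14`; if that is deliberate, a short comment should say why.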
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 0e87e6adbab..bf6b048654b 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -109,7 +109,7 @@ let
 
       # Allow the user to setup a custom session type.
       if test -x ~/.xsession; then
-          exec ~/.xsession
+          eval exec ~/.xsession "$@"
       fi
 
       if test "$1"; then
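Review bot: `eval exec ~/.xsession "$@"` expands the session arguments and then has the shell parse the result a second time. An argument containing spaces or shell metacharacters is therefore re-split and interpreted as shell syntax instead of being passed through as one word. Tilde expansion and argument passing both work without `eval`, so `exec ~/.xsession "$@"` would hand the arguments over unchanged. If the `eval` is there on purpose, for instance because the display manager passes the whole session command as a single string, a comment stating that and where the string comes from is needed. The script continues outside this hunk.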