diff options
Diffstat (limited to 'nixos/modules')
46 files changed, 859 insertions, 680 deletions
diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index 4cb7d81c997..c09588834cf 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -193,6 +193,10 @@ in cat ${escapeShellArgs cfg.hostFiles} > $out ''; + # /etc/netgroup: Network-wide groups. + netgroup.text = mkDefault '' + ''; + # /etc/host.conf: resolver configuration file "host.conf".text = '' multi on diff --git a/nixos/modules/i18n/input-method/default.nix b/nixos/modules/i18n/input-method/default.nix index 0d6dd3399bf..2e7cfaab7b7 100644 --- a/nixos/modules/i18n/input-method/default.nix +++ b/nixos/modules/i18n/input-method/default.nix @@ -29,7 +29,7 @@ in options.i18n = { inputMethod = { enabled = mkOption { - type = types.nullOr (types.enum [ "ibus" "fcitx" "nabi" "uim" "hime" ]); + type = types.nullOr (types.enum [ "ibus" "fcitx" "fcitx5" "nabi" "uim" "hime" ]); default = null; example = "fcitx"; description = '' diff --git a/nixos/modules/i18n/input-method/fcitx5.nix b/nixos/modules/i18n/input-method/fcitx5.nix new file mode 100644 index 00000000000..44962d202fe --- /dev/null +++ b/nixos/modules/i18n/input-method/fcitx5.nix @@ -0,0 +1,33 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + im = config.i18n.inputMethod; + cfg = im.fcitx5; + fcitx5Package = pkgs.fcitx5-with-addons.override { inherit (cfg) addons; }; +in + { + options = { + i18n.inputMethod.fcitx5 = { + addons = mkOption { + type = with types; listOf package; + default = []; + example = with pkgs; [ fcitx5-rime ]; + description = '' + Enabled Fcitx5 addons. + ''; + }; + }; + }; + + config = mkIf (im.enabled == "fcitx5") { + i18n.inputMethod.package = fcitx5Package; + + environment.variables = { + GTK_IM_MODULE = "fcitx"; + QT_IM_MODULE = "fcitx"; + XMODIFIERS = "@im=fcitx"; + }; + }; + } diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 43d20a556f8..1418420afcd 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -425,7 +425,12 @@ in }; isoImage.squashfsCompression = mkOption { - default = "xz -Xdict-size 100%"; + default = with pkgs.stdenv.targetPlatform; "xz -Xdict-size 100% " + + lib.optionalString (isx86_32 || isx86_64) "-Xbcj x86" + # Untested but should also reduce size for these platforms + + lib.optionalString (isAarch32 || isAarch64) "-Xbcj arm" + + lib.optionalString (isPowerPC) "-Xbcj powerpc" + + lib.optionalString (isSparc) "-Xbcj sparc"; description = '' Compression settings to use for the squashfs nix store. ''; diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh deleted file mode 100644 index e452e24d263..00000000000 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ /dev/null @@ -1,506 +0,0 @@ -#! @runtimeShell@ - -if [ -x "@runtimeShell@" ]; then export SHELL="@runtimeShell@"; fi; - -set -e -set -o pipefail - -export PATH=@path@:$PATH - -showSyntax() { - exec man nixos-rebuild - exit 1 -} - - -# Parse the command line. -origArgs=("$@") -extraBuildFlags=() -lockFlags=() -flakeFlags=() -action= -buildNix=1 -fast= -rollback= -upgrade= -upgrade_all= -repair= -profile=/nix/var/nix/profiles/system -buildHost= -targetHost= -maybeSudo=() - -while [ "$#" -gt 0 ]; do - i="$1"; shift 1 - case "$i" in - --help) - showSyntax - ;; - switch|boot|test|build|edit|dry-build|dry-run|dry-activate|build-vm|build-vm-with-bootloader) - if [ "$i" = dry-run ]; then i=dry-build; fi - action="$i" - ;; - --install-grub) - echo "$0: --install-grub deprecated, use --install-bootloader instead" >&2 - export NIXOS_INSTALL_BOOTLOADER=1 - ;; - --install-bootloader) - export NIXOS_INSTALL_BOOTLOADER=1 - ;; - --no-build-nix) - buildNix= - ;; - --rollback) - rollback=1 - ;; - --upgrade) - upgrade=1 - ;; - --upgrade-all) - upgrade=1 - upgrade_all=1 - ;; - --repair) - repair=1 - extraBuildFlags+=("$i") - ;; - --max-jobs|-j|--cores|-I|--builders) - j="$1"; shift 1 - extraBuildFlags+=("$i" "$j") - ;; - --show-trace|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*|-L|--refresh|--no-net|--impure) - extraBuildFlags+=("$i") - ;; - --option) - j="$1"; shift 1 - k="$1"; shift 1 - extraBuildFlags+=("$i" "$j" "$k") - ;; - --fast) - buildNix= - fast=1 - extraBuildFlags+=(--show-trace) - ;; - --profile-name|-p) - if [ -z "$1" ]; then - echo "$0: ‘--profile-name’ requires an argument" - exit 1 - fi - if [ "$1" != system ]; then - profile="/nix/var/nix/profiles/system-profiles/$1" - mkdir -p -m 0755 "$(dirname "$profile")" - fi - shift 1 - ;; - --build-host|h) - buildHost="$1" - shift 1 - ;; - --target-host|t) - targetHost="$1" - shift 1 - ;; - --use-remote-sudo) - maybeSudo=(sudo --) - ;; - --flake) - flake="$1" - flakeFlags=(--experimental-features 'nix-command flakes') - shift 1 - ;; - --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file) - lockFlags+=("$i") - ;; - --update-input) - j="$1"; shift 1 - lockFlags+=("$i" "$j") - ;; - --override-input) - j="$1"; shift 1 - k="$1"; shift 1 - lockFlags+=("$i" "$j" "$k") - ;; - *) - echo "$0: unknown option \`$i'" - exit 1 - ;; - esac -done - -if [ -n "$SUDO_USER" ]; then - maybeSudo=(sudo --) -fi - -if [ -z "$buildHost" -a -n "$targetHost" ]; then - buildHost="$targetHost" -fi -if [ "$targetHost" = localhost ]; then - targetHost= -fi -if [ "$buildHost" = localhost ]; then - buildHost= -fi - -buildHostCmd() { - if [ -z "$buildHost" ]; then - "$@" - elif [ -n "$remoteNix" ]; then - ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "${maybeSudo[@]}" "$@" - else - ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" "$@" - fi -} - -targetHostCmd() { - if [ -z "$targetHost" ]; then - "${maybeSudo[@]}" "$@" - else - ssh $SSHOPTS "$targetHost" "${maybeSudo[@]}" "$@" - fi -} - -copyToTarget() { - if ! [ "$targetHost" = "$buildHost" ]; then - if [ -z "$targetHost" ]; then - NIX_SSHOPTS=$SSHOPTS nix-copy-closure --from "$buildHost" "$1" - elif [ -z "$buildHost" ]; then - NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$targetHost" "$1" - else - buildHostCmd nix-copy-closure --to "$targetHost" "$1" - fi - fi -} - -nixBuild() { - if [ -z "$buildHost" ]; then - nix-build "$@" - else - local instArgs=() - local buildArgs=() - - while [ "$#" -gt 0 ]; do - local i="$1"; shift 1 - case "$i" in - -o) - local out="$1"; shift 1 - buildArgs+=("--add-root" "$out" "--indirect") - ;; - -A) - local j="$1"; shift 1 - instArgs+=("$i" "$j") - ;; - -I) # We don't want this in buildArgs - shift 1 - ;; - --no-out-link) # We don't want this in buildArgs - ;; - "<"*) # nix paths - instArgs+=("$i") - ;; - *) - buildArgs+=("$i") - ;; - esac - done - - local drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")" - if [ -a "$drv" ]; then - NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$buildHost" "$drv" - buildHostCmd nix-store -r "$drv" "${buildArgs[@]}" - else - echo "nix-instantiate failed" - exit 1 - fi - fi -} - - -if [ -z "$action" ]; then showSyntax; fi - -# Only run shell scripts from the Nixpkgs tree if the action is -# "switch", "boot", or "test". With other actions (such as "build"), -# the user may reasonably expect that no code from the Nixpkgs tree is -# executed, so it's safe to run nixos-rebuild against a potentially -# untrusted tree. -canRun= -if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then - canRun=1 -fi - - -# If ‘--upgrade’ or `--upgrade-all` is given, -# run ‘nix-channel --update nixos’. -if [[ -n $upgrade && -z $_NIXOS_REBUILD_REEXEC && -z $flake ]]; then - # If --upgrade-all is passed, or there are other channels that - # contain a file called ".update-on-nixos-rebuild", update them as - # well. Also upgrade the nixos channel. - - for channelpath in /nix/var/nix/profiles/per-user/root/channels/*; do - channel_name=$(basename "$channelpath") - - if [[ "$channel_name" == "nixos" ]]; then - nix-channel --update "$channel_name" - elif [ -e "$channelpath/.update-on-nixos-rebuild" ]; then - nix-channel --update "$channel_name" - elif [[ -n $upgrade_all ]] ; then - nix-channel --update "$channel_name" - fi - done -fi - -# Make sure that we use the Nix package we depend on, not something -# else from the PATH for nix-{env,instantiate,build}. This is -# important, because NixOS defaults the architecture of the rebuilt -# system to the architecture of the nix-* binaries used. So if on an -# amd64 system the user has an i686 Nix package in her PATH, then we -# would silently downgrade the whole system to be i686 NixOS on the -# next reboot. -if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then - export PATH=@nix@/bin:$PATH -fi - -# Use /etc/nixos/flake.nix if it exists. It can be a symlink to the -# actual flake. -if [[ -z $flake && -e /etc/nixos/flake.nix ]]; then - flake="$(dirname "$(readlink -f /etc/nixos/flake.nix)")" -fi - -# Re-execute nixos-rebuild from the Nixpkgs tree. -# FIXME: get nixos-rebuild from $flake. -if [[ -z $_NIXOS_REBUILD_REEXEC && -n $canRun && -z $fast && -z $flake ]]; then - if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then - export _NIXOS_REBUILD_REEXEC=1 - exec $p/bin/nixos-rebuild "${origArgs[@]}" - exit 1 - fi -fi - -# For convenience, use the hostname as the default configuration to -# build from the flake. -if [[ -n $flake ]]; then - if [[ $flake =~ ^(.*)\#([^\#\"]*)$ ]]; then - flake="${BASH_REMATCH[1]}" - flakeAttr="${BASH_REMATCH[2]}" - fi - if [[ -z $flakeAttr ]]; then - read -r hostname < /proc/sys/kernel/hostname - if [[ -z $hostname ]]; then - hostname=default - fi - flakeAttr="nixosConfigurations.\"$hostname\"" - else - flakeAttr="nixosConfigurations.\"$flakeAttr\"" - fi -fi - -# Resolve the flake. -if [[ -n $flake ]]; then - flake=$(nix "${flakeFlags[@]}" flake info --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) -fi - -# Find configuration.nix and open editor instead of building. -if [ "$action" = edit ]; then - if [[ -z $flake ]]; then - NIXOS_CONFIG=${NIXOS_CONFIG:-$(nix-instantiate --find-file nixos-config)} - if [[ -d $NIXOS_CONFIG ]]; then - NIXOS_CONFIG=$NIXOS_CONFIG/default.nix - fi - exec ${EDITOR:-nano} "$NIXOS_CONFIG" - else - exec nix "${flakeFlags[@]}" edit "${lockFlags[@]}" -- "$flake#$flakeAttr" - fi - exit 1 -fi - - -tmpDir=$(mktemp -t -d nixos-rebuild.XXXXXX) -SSHOPTS="$NIX_SSHOPTS -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-%n -o ControlPersist=60" - -cleanup() { - for ctrl in "$tmpDir"/ssh-*; do - ssh -o ControlPath="$ctrl" -O exit dummyhost 2>/dev/null || true - done - rm -rf "$tmpDir" -} -trap cleanup EXIT - - - -# If the Nix daemon is running, then use it. This allows us to use -# the latest Nix from Nixpkgs (below) for expression evaluation, while -# still using the old Nix (via the daemon) for actual store access. -# This matters if the new Nix in Nixpkgs has a schema change. It -# would upgrade the schema, which should only happen once we actually -# switch to the new configuration. -# If --repair is given, don't try to use the Nix daemon, because the -# flag can only be used directly. -if [ -z "$repair" ] && systemctl show nix-daemon.socket nix-daemon.service | grep -q ActiveState=active; then - export NIX_REMOTE=${NIX_REMOTE-daemon} -fi - - -# First build Nix, since NixOS may require a newer version than the -# current one. -if [ -n "$rollback" -o "$action" = dry-build ]; then - buildNix= -fi - -nixSystem() { - machine="$(uname -m)" - if [[ "$machine" =~ i.86 ]]; then - machine=i686 - fi - echo $machine-linux -} - -prebuiltNix() { - machine="$1" - if [ "$machine" = x86_64 ]; then - echo @nix_x86_64_linux@ - elif [[ "$machine" =~ i.86 ]]; then - echo @nix_i686_linux@ - else - echo "$0: unsupported platform" - exit 1 - fi -} - -remotePATH= - -if [[ -n $buildNix && -z $flake ]]; then - echo "building Nix..." >&2 - nixDrv= - if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then - if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then - if ! nixStorePath="$(nix-instantiate --eval '<nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix>' -A $(nixSystem) | sed -e 's/^"//' -e 's/"$//')"; then - nixStorePath="$(prebuiltNix "$(uname -m)")" - fi - if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \ - --option extra-binary-caches https://cache.nixos.org/; then - echo "warning: don't know how to get latest Nix" >&2 - fi - # Older version of nix-store -r don't support --add-root. - [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix - if [ -n "$buildHost" ]; then - remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")" - remoteNix="$remoteNixStorePath/bin" - if ! buildHostCmd nix-store -r $remoteNixStorePath \ - --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then - remoteNix= - echo "warning: don't know how to get latest Nix" >&2 - fi - fi - fi - fi - if [ -a "$nixDrv" ]; then - nix-store -r "$nixDrv"'!'"out" --add-root $tmpDir/nix --indirect >/dev/null - if [ -n "$buildHost" ]; then - nix-copy-closure --to "$buildHost" "$nixDrv" - # The nix build produces multiple outputs, we add them all to the remote path - for p in $(buildHostCmd nix-store -r "$(readlink "$nixDrv")" "${buildArgs[@]}"); do - remoteNix="$remoteNix${remoteNix:+:}$p/bin" - done - fi - fi - PATH="$tmpDir/nix/bin:$PATH" -fi - - -# Update the version suffix if we're building from Git (so that -# nixos-version shows something useful). -if [[ -n $canRun && -z $flake ]]; then - if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then - suffix=$($SHELL $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true) - if [ -n "$suffix" ]; then - echo -n "$suffix" > "$nixpkgs/.version-suffix" || true - fi - fi -fi - - -if [ "$action" = dry-build ]; then - extraBuildFlags+=(--dry-run) -fi - - -# Either upgrade the configuration in the system profile (for "switch" -# or "boot"), or just build it and create a symlink "result" in the -# current directory (for "build" and "test"). -if [ -z "$rollback" ]; then - echo "building the system configuration..." >&2 - if [ "$action" = switch -o "$action" = boot ]; then - if [[ -z $flake ]]; then - pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")" - else - outLink=$tmpDir/result - nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" \ - "${extraBuildFlags[@]}" "${lockFlags[@]}" --out-link $outLink - pathToConfig="$(readlink -f $outLink)" - fi - copyToTarget "$pathToConfig" - targetHostCmd nix-env -p "$profile" --set "$pathToConfig" - elif [ "$action" = test -o "$action" = build -o "$action" = dry-build -o "$action" = dry-activate ]; then - if [[ -z $flake ]]; then - pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}")" - else - nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}" - pathToConfig="$(readlink -f ./result)" - fi - elif [ "$action" = build-vm ]; then - if [[ -z $flake ]]; then - pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}")" - else - nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.vm" \ - "${extraBuildFlags[@]}" "${lockFlags[@]}" - pathToConfig="$(readlink -f ./result)" - fi - elif [ "$action" = build-vm-with-bootloader ]; then - if [[ -z $flake ]]; then - pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}")" - else - nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.vmWithBootLoader" \ - "${extraBuildFlags[@]}" "${lockFlags[@]}" - pathToConfig="$(readlink -f ./result)" - fi - else - showSyntax - fi - # Copy build to target host if we haven't already done it - if ! [ "$action" = switch -o "$action" = boot ]; then - copyToTarget "$pathToConfig" - fi -else # [ -n "$rollback" ] - if [ "$action" = switch -o "$action" = boot ]; then - targetHostCmd nix-env --rollback -p "$profile" - pathToConfig="$profile" - elif [ "$action" = test -o "$action" = build ]; then - systemNumber=$( - targetHostCmd nix-env -p "$profile" --list-generations | - sed -n '/current/ {g; p;}; s/ *\([0-9]*\).*/\1/; h' - ) - pathToConfig="$profile"-${systemNumber}-link - if [ -z "$targetHost" ]; then - ln -sT "$pathToConfig" ./result - fi - else - showSyntax - fi -fi - - -# If we're not just building, then make the new configuration the boot -# default and/or activate it now. -if [ "$action" = switch -o "$action" = boot -o "$action" = test -o "$action" = dry-activate ]; then - if ! targetHostCmd $pathToConfig/bin/switch-to-configuration "$action"; then - echo "warning: error(s) occurred while switching to the new configuration" >&2 - exit 1 - fi -fi - - -if [ "$action" = build-vm ]; then - cat >&2 <<EOF - -Done. The virtual machine can be started by running $(echo $pathToConfig/bin/run-*-vm) -EOF -fi diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 0582812f92d..ada5f574856 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -28,17 +28,7 @@ let ]; }; - nixos-rebuild = - let fallback = import ./nix-fallback-paths.nix; in - makeProg { - name = "nixos-rebuild"; - src = ./nixos-rebuild.sh; - inherit (pkgs) runtimeShell; - nix = config.nix.package.out; - nix_x86_64_linux = fallback.x86_64-linux; - nix_i686_linux = fallback.i686-linux; - path = makeBinPath [ pkgs.jq ]; - }; + nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; }; nixos-generate-config = makeProg { name = "nixos-generate-config"; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index cf0198d7b93..feb9c68301d 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -143,7 +143,7 @@ in nix-ssh = 104; dictd = 105; couchdb = 106; - searx = 107; + #searx = 107; # dynamically allocated as of 2020-10-27 kippo = 108; jenkins = 109; systemd-journal-gateway = 110; @@ -457,7 +457,7 @@ in #nix-ssh = 104; # unused dictd = 105; couchdb = 106; - searx = 107; + #searx = 107; # dynamically allocated as of 2020-10-27 kippo = 108; jenkins = 109; systemd-journal-gateway = 110; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 8fd5d4519fd..a71c804428d 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -82,6 +82,7 @@ ./hardware/xpadneo.nix ./i18n/input-method/default.nix ./i18n/input-method/fcitx.nix + ./i18n/input-method/fcitx5.nix ./i18n/input-method/hime.nix ./i18n/input-method/ibus.nix ./i18n/input-method/nabi.nix @@ -101,6 +102,7 @@ ./misc/version.nix ./misc/nixops-autoluks.nix ./programs/adb.nix + ./programs/appgate-sdp.nix ./programs/atop.nix ./programs/autojump.nix ./programs/bandwhich.nix @@ -226,6 +228,7 @@ ./services/audio/icecast.nix ./services/audio/liquidsoap.nix ./services/audio/mpd.nix + ./services/audio/mpdscribble.nix ./services/audio/mopidy.nix ./services/audio/roon-server.nix ./services/audio/slimserver.nix @@ -492,6 +495,7 @@ ./services/misc/nix-ssh-serve.nix ./services/misc/novacomd.nix ./services/misc/nzbget.nix + ./services/misc/nzbhydra2.nix ./services/misc/octoprint.nix ./services/misc/osrm.nix ./services/misc/packagekit.nix @@ -896,6 +900,7 @@ ./services/web-apps/selfoss.nix ./services/web-apps/shiori.nix ./services/web-apps/virtlyst.nix + ./services/web-apps/whitebophir.nix ./services/web-apps/wordpress.nix ./services/web-apps/youtrack.nix ./services/web-apps/zabbix.nix @@ -951,6 +956,7 @@ ./services/x11/urxvtd.nix ./services/x11/window-managers/awesome.nix ./services/x11/window-managers/default.nix + ./services/x11/window-managers/clfswm.nix ./services/x11/window-managers/fluxbox.nix ./services/x11/window-managers/icewm.nix ./services/x11/window-managers/bspwm.nix diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index 19f821ae17f..d460c52dbef 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -3,8 +3,10 @@ # enabled in the initrd. Its primary use is in the NixOS installation # CDs. -{ ... }: - +{ pkgs, lib,... }: +let + platform = pkgs.stdenv.hostPlatform; +in { # The initrd has to contain any module that might be necessary for @@ -42,7 +44,10 @@ "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console" # VMware support. - "mptspi" "vmw_balloon" "vmwgfx" "vmw_vmci" "vmw_vsock_vmci_transport" "vmxnet3" "vsock" + "mptspi" "vmxnet3" "vsock" + ] ++ lib.optional platform.isx86 "vmw_balloon" + ++ lib.optionals (!platform.isAarch64) [ # not sure where else they're missing + "vmw_vmci" "vmwgfx" "vmw_vsock_vmci_transport" # Hyper-V support. "hv_storvsc" diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index c8e5045f6dc..2e5953dc6f4 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -40,7 +40,7 @@ let } ''} - ${credentialsPlaceholder cfg.credentials} + ${optionalString (cfg.credentials != []) (credentialsPlaceholder cfg.credentials)} ${cfg.extraConfig} ''; @@ -234,9 +234,10 @@ in { ExecStartPre = pkgs.writeShellScript "mpd-start-pre" '' set -euo pipefail install -m 600 ${mpdConf} /run/mpd/mpd.conf - ${pkgs.replace}/bin/replace-literal -fe ${ + ${optionalString (cfg.credentials != []) + "${pkgs.replace}/bin/replace-literal -fe ${ concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials) - } /run/mpd/mpd.conf + } /run/mpd/mpd.conf"} ''; RuntimeDirectory = "mpd"; Type = "notify"; diff --git a/nixos/modules/services/audio/mpdscribble.nix b/nixos/modules/services/audio/mpdscribble.nix new file mode 100644 index 00000000000..642d8743935 --- /dev/null +++ b/nixos/modules/services/audio/mpdscribble.nix @@ -0,0 +1,202 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.mpdscribble; + mpdCfg = config.services.mpd; + + endpointUrls = { + "last.fm" = "http://post.audioscrobbler.com"; + "libre.fm" = "http://turtle.libre.fm"; + "jamendo" = "http://postaudioscrobbler.jamendo.com"; + "listenbrainz" = "http://proxy.listenbrainz.org"; + }; + + mkSection = secname: secCfg: '' + [${secname}] + url = ${secCfg.url} + username = ${secCfg.username} + password = {{${secname}_PASSWORD}} + journal = /var/lib/mpdscribble/${secname}.journal + ''; + + endpoints = concatStringsSep "\n" (mapAttrsToList mkSection cfg.endpoints); + cfgTemplate = pkgs.writeText "mpdscribble.conf" '' + ## This file was automatically genenrated by NixOS and will be overwritten. + ## Do not edit. Edit your NixOS configuration instead. + + ## mpdscribble - an audioscrobbler for the Music Player Daemon. + ## http://mpd.wikia.com/wiki/Client:mpdscribble + + # HTTP proxy URL. + ${optionalString (cfg.proxy != null) "proxy = ${cfg.proxy}"} + + # The location of the mpdscribble log file. The special value + # "syslog" makes mpdscribble use the local syslog daemon. On most + # systems, log messages will appear in /var/log/daemon.log then. + # "-" means log to stderr (the current terminal). + log = - + + # How verbose mpdscribble's logging should be. Default is 1. + verbose = ${toString cfg.verbose} + + # How often should mpdscribble save the journal file? [seconds] + journal_interval = ${toString cfg.journalInterval} + + # The host running MPD, possibly protected by a password + # ([PASSWORD@]HOSTNAME). + host = ${(optionalString (cfg.passwordFile != null) "{{MPD_PASSWORD}}@") + cfg.host} + + # The port that the MPD listens on and mpdscribble should try to + # connect to. + port = ${toString cfg.port} + + ${endpoints} + ''; + + cfgFile = "/run/mpdscribble/mpdscribble.conf"; + + replaceSecret = secretFile: placeholder: targetFile: + optionalString (secretFile != null) '' + ${pkgs.replace}/bin/replace-literal -ef ${placeholder} "$(cat ${secretFile})" ${targetFile}''; + + preStart = pkgs.writeShellScript "mpdscribble-pre-start" '' + cp -f "${cfgTemplate}" "${cfgFile}" + ${replaceSecret cfg.passwordFile "{{MPD_PASSWORD}}" cfgFile} + ${concatStringsSep "\n" (mapAttrsToList (secname: cfg: + replaceSecret cfg.passwordFile "{{${secname}_PASSWORD}}" cfgFile) + cfg.endpoints)} + ''; + + localMpd = (cfg.host == "localhost" || cfg.host == "127.0.0.1"); + +in { + ###### interface + + options.services.mpdscribble = { + + enable = mkEnableOption "mpdscribble"; + + proxy = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + HTTP proxy URL. + ''; + }; + + verbose = mkOption { + default = 1; + type = types.int; + description = '' + Log level for the mpdscribble daemon. + ''; + }; + + journalInterval = mkOption { + default = 600; + example = 60; + type = types.int; + description = '' + How often should mpdscribble save the journal file? [seconds] + ''; + }; + + host = mkOption { + default = (if mpdCfg.network.listenAddress != "any" then + mpdCfg.network.listenAddress + else + "localhost"); + type = types.str; + description = '' + Host for the mpdscribble daemon to search for a mpd daemon on. + ''; + }; + + passwordFile = mkOption { + default = if localMpd then + (findFirst + (c: any (x: x == "read") c.permissions) + { passwordFile = null; } + mpdCfg.credentials).passwordFile + else + null; + type = types.nullOr types.str; + description = '' + File containing the password for the mpd daemon. + If there is a local mpd configured using <option>services.mpd.credentials</option> + the default is automatically set to a matching passwordFile of the local mpd. + ''; + }; + + port = mkOption { + default = mpdCfg.network.port; + type = types.port; + description = '' + Port for the mpdscribble daemon to search for a mpd daemon on. + ''; + }; + + endpoints = mkOption { + type = (let + endpoint = { name, ... }: { + options = { + url = mkOption { + type = types.str; + default = endpointUrls.${name} or ""; + description = + "The url endpoint where the scrobble API is listening."; + }; + username = mkOption { + type = types.str; + description = '' + Username for the scrobble service. + ''; + }; + passwordFile = mkOption { + type = types.nullOr types.str; + description = + "File containing the password, either as MD5SUM or cleartext."; + }; + }; + }; + in types.attrsOf (types.submodule endpoint)); + default = { }; + example = { + "last.fm" = { + username = "foo"; + passwordFile = "/run/secrets/lastfm_password"; + }; + }; + description = '' + Endpoints to scrobble to. + If the endpoint is one of "${ + concatStringsSep "\", \"" (attrNames endpointUrls) + }" the url is set automatically. + ''; + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.mpdscribble = { + after = [ "network.target" ] ++ (optional localMpd "mpd.service"); + description = "mpdscribble mpd scrobble client"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + StateDirectory = "mpdscribble"; + RuntimeDirectory = "mpdscribble"; + RuntimeDirectoryMode = "700"; + # TODO use LoadCredential= instead of running preStart with full privileges? + ExecStartPre = "+${preStart}"; + ExecStart = + "${pkgs.mpdscribble}/bin/mpdscribble --no-daemon --conf ${cfgFile}"; + }; + }; + }; + +} diff --git a/nixos/modules/services/backup/tarsnap.nix b/nixos/modules/services/backup/tarsnap.nix index e1200731c2c..d31b92abde0 100644 --- a/nixos/modules/services/backup/tarsnap.nix +++ b/nixos/modules/services/backup/tarsnap.nix @@ -29,13 +29,7 @@ in options = { services.tarsnap = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable periodic tarsnap backups. - ''; - }; + enable = mkEnableOption "periodic tarsnap backups"; keyfile = mkOption { type = types.str; @@ -279,7 +273,8 @@ in Tarsnap archive configurations. Each attribute names an archive to be created at a given time interval, according to the options associated with it. When uploading to the tarsnap server, - archive names are suffixed by a 1 second resolution timestamp. + archive names are suffixed by a 1 second resolution timestamp, + with the format <literal>%Y%m%d%H%M%S</literal>. For each member of the set is created a timer which triggers the instanced <literal>tarsnap-archive-name</literal> service unit. You may use diff --git a/nixos/modules/services/databases/firebird.nix b/nixos/modules/services/databases/firebird.nix index 95837aa1cea..36dbb87f730 100644 --- a/nixos/modules/services/databases/firebird.nix +++ b/nixos/modules/services/databases/firebird.nix @@ -59,6 +59,7 @@ in port = mkOption { default = "3050"; + type = types.port; description = '' Port Firebird uses. ''; @@ -66,6 +67,7 @@ in user = mkOption { default = "firebird"; + type = types.str; description = '' User account under which firebird runs. ''; @@ -73,6 +75,7 @@ in baseDir = mkOption { default = "/var/db/firebird"; # ubuntu is using /var/lib/firebird/2.1/data/.. ? + type = types.str; description = '' Location containing data/ and system/ directories. data/ stores the databases, system/ stores the password database security2.fdb. diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix index f54bb6cc9b1..ca7b20eb049 100644 --- a/nixos/modules/services/databases/memcached.nix +++ b/nixos/modules/services/databases/memcached.nix @@ -17,39 +17,44 @@ in options = { services.memcached = { - enable = mkEnableOption "Memcached"; user = mkOption { + type = types.str; default = "memcached"; description = "The user to run Memcached as"; }; listen = mkOption { + type = types.str; default = "127.0.0.1"; - description = "The IP address to bind to"; + description = "The IP address to bind to."; }; port = mkOption { + type = types.port; default = 11211; - description = "The port to bind to"; + description = "The port to bind to."; }; enableUnixSocket = mkEnableOption "unix socket at /run/memcached/memcached.sock"; maxMemory = mkOption { + type = types.ints.unsigned; default = 64; description = "The maximum amount of memory to use for storage, in megabytes."; }; maxConnections = mkOption { + type = types.ints.unsigned; default = 1024; - description = "The maximum number of simultaneous connections"; + description = "The maximum number of simultaneous connections."; }; extraOptions = mkOption { + type = types.listOf types.str; default = []; - description = "A list of extra options that will be added as a suffix when running memcached"; + description = "A list of extra options that will be added as a suffix when running memcached."; }; }; diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix index 4af0b9d44e1..db1e5fedf50 100644 --- a/nixos/modules/services/databases/mongodb.nix +++ b/nixos/modules/services/databases/mongodb.nix @@ -41,16 +41,19 @@ in }; user = mkOption { + type = types.str; default = "mongodb"; description = "User account under which MongoDB runs"; }; bind_ip = mkOption { + type = types.str; default = "127.0.0.1"; description = "IP to bind to"; }; quiet = mkOption { + type = types.bool; default = false; description = "quieter output"; }; @@ -68,16 +71,19 @@ in }; dbpath = mkOption { + type = types.str; default = "/var/db/mongodb"; description = "Location where MongoDB stores its files"; }; pidFile = mkOption { + type = types.str; default = "/run/mongodb.pid"; description = "Location of MongoDB pid file"; }; replSetName = mkOption { + type = types.str; default = ""; description = '' If this instance is part of a replica set, set its name here. @@ -86,6 +92,7 @@ in }; extraConfig = mkOption { + type = types.lines; default = ""; example = '' storage.journal.enabled: false diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 94a5c573768..f0efc659cff 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -244,7 +244,7 @@ in { }; }; - meta.maintainers = with lib.maintainters; [ mic92 kwohlfahrt ]; + meta.maintainers = with lib.maintainers; [ mic92 kwohlfahrt ]; config = mkIf cfg.enable { assertions = map (opt: { diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 9628d30e76a..117e6366225 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -122,12 +122,29 @@ in }; slaveOf = mkOption { - default = null; # { ip, port } - description = "An attribute set with two attributes: ip and port to which this redis instance acts as a slave."; + type = with types; nullOr (submodule ({ ... }: { + options = { + ip = mkOption { + type = str; + description = "IP of the Redis master"; + example = "192.168.1.100"; + }; + + port = mkOption { + type = port; + description = "port of the Redis master"; + default = 6379; + }; + }; + })); + + default = null; + description = "IP and port to which this redis instance acts as a slave."; example = { ip = "192.168.1.100"; port = 6379; }; }; masterAuth = mkOption { + type = with types; nullOr str; default = null; description = ''If the master is password protected (using the requirePass configuration) it is possible to tell the slave to authenticate before starting the replication synchronization diff --git a/nixos/modules/services/databases/virtuoso.nix b/nixos/modules/services/databases/virtuoso.nix index 6eb09e0a58f..8b01622ecb0 100644 --- a/nixos/modules/services/databases/virtuoso.nix +++ b/nixos/modules/services/databases/virtuoso.nix @@ -16,28 +16,33 @@ with lib; enable = mkEnableOption "Virtuoso Opensource database server"; config = mkOption { + type = types.lines; default = ""; description = "Extra options to put into Virtuoso configuration file."; }; parameters = mkOption { + type = types.lines; default = ""; description = "Extra options to put into [Parameters] section of Virtuoso configuration file."; }; listenAddress = mkOption { + type = types.str; default = "1111"; example = "myserver:1323"; description = "ip:port or port to listen on."; }; httpListenAddress = mkOption { + type = types.nullOr types.str; default = null; example = "myserver:8080"; description = "ip:port or port for Virtuoso HTTP server to listen on."; }; dirsAllowed = mkOption { + type = types.nullOr types.str; # XXX Maybe use a list in the future? default = null; example = "/www, /home/"; description = "A list of directories Virtuoso is allowed to access"; diff --git a/nixos/modules/services/editors/emacs.xml b/nixos/modules/services/editors/emacs.xml index 302aa1ed7c4..fd99ee9442c 100644 --- a/nixos/modules/services/editors/emacs.xml +++ b/nixos/modules/services/editors/emacs.xml @@ -156,7 +156,7 @@ $ ./result/bin/emacs let myEmacs = pkgs.emacs; <co xml:id="ex-emacsNix-2" /> - emacsWithPackages = (pkgs.emacsPackagesGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" /> + emacsWithPackages = (pkgs.emacsPackagesFor myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" /> in emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ <co xml:id="ex-emacsNix-4" /> magit # ; Integrate git <C-x g> @@ -254,10 +254,10 @@ in <example xml:id="module-services-emacs-querying-packages"> <title>Querying Emacs packages</title> <programlisting><![CDATA[ -nix-env -f "<nixpkgs>" -qaP -A emacsPackages.elpaPackages -nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaPackages -nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaStablePackages -nix-env -f "<nixpkgs>" -qaP -A emacsPackages.orgPackages +nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.elpaPackages +nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.melpaPackages +nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.melpaStablePackages +nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.orgPackages ]]></programlisting> </example> </para> diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 795a76f748a..1dcdcab8d48 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -25,8 +25,6 @@ let clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl); - smtpTlsSecurityLevel = if cfg.useDane then "dane" else "may"; - mainCf = let escape = replaceStrings ["$"] ["$$"]; mkList = items: "\n " + concatStringsSep ",\n " items; @@ -510,14 +508,6 @@ in ''; }; - useDane = mkOption { - type = types.bool; - default = false; - description = '' - Sets smtp_tls_security_level to "dane" rather than "may". See postconf(5) for details. - ''; - }; - sslCert = mkOption { type = types.str; default = ""; @@ -819,13 +809,13 @@ in // optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; } // optionalAttrs (cfg.tlsTrustedAuthorities != "") { smtp_tls_CAfile = cfg.tlsTrustedAuthorities; - smtp_tls_security_level = smtpTlsSecurityLevel; + smtp_tls_security_level = mkDefault "may"; } // optionalAttrs (cfg.sslCert != "") { smtp_tls_cert_file = cfg.sslCert; smtp_tls_key_file = cfg.sslKey; - smtp_tls_security_level = smtpTlsSecurityLevel; + smtp_tls_security_level = mkDefault "may"; smtpd_tls_cert_file = cfg.sslCert; smtpd_tls_key_file = cfg.sslKey; @@ -969,5 +959,9 @@ in imports = [ (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ] "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.") + + (mkChangedOptionModule [ "services" "postfix" "useDane" ] + [ "services" "postfix" "config" "smtp_tls_security_level" ] + (config: mkIf config.services.postfix.useDane "dane")) ]; } diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index af80e99746b..2735185ec88 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -349,7 +349,7 @@ in { DOMAIN = cfg.domain; STATIC_ROOT_PATH = cfg.staticRootPath; - LFS_JWT_SECRET = "#jwtsecret#"; + LFS_JWT_SECRET = "#lfsjwtsecret#"; ROOT_URL = cfg.rootUrl; } (mkIf cfg.enableUnixSocket { @@ -381,6 +381,7 @@ in security = { SECRET_KEY = "#secretkey#"; + INTERNAL_TOKEN = "#internaltoken#"; INSTALL_LOCK = true; }; @@ -396,6 +397,10 @@ in mailer = mkIf (cfg.mailerPasswordFile != null) { PASSWD = "#mailerpass#"; }; + + oauth2 = { + JWT_SECRET = "#oauth2jwtsecret#"; + }; }; services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { @@ -453,12 +458,22 @@ in description = "gitea"; after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; wantedBy = [ "multi-user.target" ]; - path = [ gitea pkgs.gitAndTools.git ]; - + path = [ gitea pkgs.git ]; + + # In older versions the secret naming for JWT was kind of confusing. + # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET + # wasn't persistant at all. + # To fix that, there is now the file oauth2_jwt_secret containing the + # values for JWT_SECRET and the file jwt_secret gets renamed to + # lfs_jwt_secret. + # We have to consider this to stay compatible with older installations. preStart = let runConfig = "${cfg.stateDir}/custom/conf/app.ini"; secretKey = "${cfg.stateDir}/custom/conf/secret_key"; - jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; + oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret"; + oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET + lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET + internalToken = "${cfg.stateDir}/custom/conf/internal_token"; in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' @@ -468,24 +483,41 @@ in ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} fi - if [ ! -e ${jwtSecret} ]; then - ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret} + # Migrate LFS_JWT_SECRET filename + if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then + mv ${oldLfsJwtSecret} ${lfsJwtSecret} + fi + + if [ ! -e ${oauth2JwtSecret} ]; then + ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} + fi + + if [ ! -e ${lfsJwtSecret} ]; then + ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} + fi + + if [ ! -e ${internalToken} ]; then + ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} fi - KEY="$(head -n1 ${secretKey})" + SECRETKEY="$(head -n1 ${secretKey})" DBPASS="$(head -n1 ${cfg.database.passwordFile})" - JWTSECRET="$(head -n1 ${jwtSecret})" + OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" + LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" + INTERNALTOKEN="$(head -n1 ${internalToken})" ${if (cfg.mailerPasswordFile == null) then '' MAILERPASSWORD="#mailerpass#" '' else '' MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" ''} - sed -e "s,#secretkey#,$KEY,g" \ + sed -e "s,#secretkey#,$SECRETKEY,g" \ -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#jwtsecret#,$JWTSECRET,g" \ + -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ + -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ + -e "s,#internaltoken#,$INTERNALTOKEN,g" \ -e "s,#mailerpass#,$MAILERPASSWORD,g" \ -i ${runConfig} - chmod 640 ${runConfig} ${secretKey} ${jwtSecret} + chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken} ''} # update all hooks' binary paths @@ -605,5 +637,5 @@ in timerConfig.OnCalendar = cfg.dump.interval; }; }; - meta.maintainers = with lib.maintainers; [ srhb ]; + meta.maintainers = with lib.maintainers; [ srhb ma27 ]; } diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 35a9dccdff2..de4d1bf1987 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -736,7 +736,7 @@ in { environment = gitlabEnv; path = with pkgs; [ postgresqlPackage - gitAndTools.git + git ruby openssh nodejs @@ -764,7 +764,7 @@ in { path = with pkgs; [ openssh procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562 - gitAndTools.git + git cfg.packages.gitaly.rubyEnv cfg.packages.gitaly.rubyEnv.wrappedRuby gzip @@ -806,7 +806,7 @@ in { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ exiftool - gitAndTools.git + git gnutar gzip openssh @@ -854,7 +854,7 @@ in { environment = gitlabEnv; path = with pkgs; [ postgresqlPackage - gitAndTools.git + git openssh nodejs procps diff --git a/nixos/modules/services/misc/gitolite.nix b/nixos/modules/services/misc/gitolite.nix index 59cbdac319c..190ea9212d2 100644 --- a/nixos/modules/services/misc/gitolite.nix +++ b/nixos/modules/services/misc/gitolite.nix @@ -227,6 +227,6 @@ in }; environment.systemPackages = [ pkgs.gitolite pkgs.git ] - ++ optional cfg.enableGitAnnex pkgs.gitAndTools.git-annex; + ++ optional cfg.enableGitAnnex pkgs.git-annex; }); } diff --git a/nixos/modules/services/misc/matrix-synapse.xml b/nixos/modules/services/misc/matrix-synapse.xml index fbfa838b168..5544c2035fb 100644 --- a/nixos/modules/services/misc/matrix-synapse.xml +++ b/nixos/modules/services/misc/matrix-synapse.xml @@ -69,6 +69,9 @@ in { # i.e. to delegate from the host being accessible as ${config.networking.domain} # to another host actually running the Matrix homeserver. "${config.networking.domain}" = { + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> = let # use 443 instead of the default 8448 port to unite diff --git a/nixos/modules/services/misc/nzbhydra2.nix b/nixos/modules/services/misc/nzbhydra2.nix new file mode 100644 index 00000000000..c396b4b8f6e --- /dev/null +++ b/nixos/modules/services/misc/nzbhydra2.nix @@ -0,0 +1,78 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let cfg = config.services.nzbhydra2; + +in { + options = { + services.nzbhydra2 = { + enable = mkEnableOption "NZBHydra2"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/nzbhydra2"; + description = "The directory where NZBHydra2 stores its data files."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = + "Open ports in the firewall for the NZBHydra2 web interface."; + }; + + package = mkOption { + type = types.package; + default = pkgs.nzbhydra2; + defaultText = "pkgs.nzbhydra2"; + description = "NZBHydra2 package to use."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.tmpfiles.rules = + [ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ]; + + systemd.services.nzbhydra2 = { + description = "NZBHydra2"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + User = "nzbhydra2"; + Group = "nzbhydra2"; + ExecStart = + "${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder '${cfg.dataDir}'"; + Restart = "on-failure"; + # Hardening + NoNewPrivileges = true; + PrivateTmp = true; + PrivateDevices = true; + DevicePolicy = "closed"; + ProtectSystem = "strict"; + ReadWritePaths = cfg.dataDir; + ProtectHome = "read-only"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies ="AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + LockPersonality = true; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ 5076 ]; }; + + users.users.nzbhydra2 = { + group = "nzbhydra2"; + isSystemUser = true; + }; + + users.groups.nzbhydra2 = {}; + }; +} diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index 1313bdaccc4..8b53eb471db 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix @@ -230,7 +230,7 @@ in production = { scm_subversion_command = "${pkgs.subversion}/bin/svn"; scm_mercurial_command = "${pkgs.mercurial}/bin/hg"; - scm_git_command = "${pkgs.gitAndTools.git}/bin/git"; + scm_git_command = "${pkgs.git}/bin/git"; scm_cvs_command = "${pkgs.cvs}/bin/cvs"; scm_bazaar_command = "${pkgs.breezy}/bin/bzr"; scm_darcs_command = "${pkgs.darcs}/bin/darcs"; @@ -299,7 +299,7 @@ in breezy cvs darcs - gitAndTools.git + git mercurial subversion ]; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index 4f9be38f7f1..9103a6f932d 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -370,6 +370,14 @@ let List of file service discovery configurations. ''; + gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' + List of Google Compute Engine service discovery configurations. + + See <link + xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config">the + relevant Prometheus configuration docs</link> for more detail. + ''; + static_configs = mkOpt (types.listOf promTypes.static_config) '' List of labeled target groups for this job. ''; @@ -555,6 +563,52 @@ let }; }; + promTypes.gce_sd_config = types.submodule { + options = { + # Use `mkOption` instead of `mkOpt` for project and zone because they are + # required configuration values for `gce_sd_config`. + project = mkOption { + type = types.str; + description = '' + The GCP Project. + ''; + }; + + zone = mkOption { + type = types.str; + description = '' + The zone of the scrape targets. If you need multiple zones use multiple + gce_sd_configs. + ''; + }; + + filter = mkOpt types.str '' + Filter can be used optionally to filter the instance list by other + criteria Syntax of this filter string is described here in the filter + query parameter section: <link + xlink:href="https://cloud.google.com/compute/docs/reference/latest/instances/list" + />. + ''; + + refresh_interval = mkDefOpt types.str "60s" '' + Refresh interval to re-read the cloud instance list. + ''; + + port = mkDefOpt types.port "80" '' + The port to scrape metrics from. If using the public IP address, this + must instead be specified in the relabeling rule. + ''; + + tag_separator = mkDefOpt types.str "," '' + The tag separator used to separate concatenated GCE instance network tags. + + See the GCP documentation on network tags for more information: <link + xlink:href="https://cloud.google.com/vpc/docs/add-remove-network-tags" + /> + ''; + }; + }; + promTypes.relabel_config = types.submodule { options = { source_labels = mkOpt (types.listOf types.str) '' diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix index 6be67a8b96f..99e5e78badd 100644 --- a/nixos/modules/services/networking/iwd.nix +++ b/nixos/modules/services/networking/iwd.nix @@ -22,6 +22,11 @@ in { systemd.packages = [ pkgs.iwd ]; + systemd.network.links."80-iwd" = { + matchConfig.Type = "wlan"; + linkConfig.NamePolicy = "keep kernel"; + }; + systemd.services.iwd.wantedBy = [ "multi-user.target" ]; }; diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index c6e5649ec47..b03630208df 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -109,6 +109,13 @@ in description = "Host to bind to. Defaults binding on all addresses."; }; + package = mkOption { + type = types.package; + default = pkgs.murmur; + defaultText = "pkgs.murmur"; + description = "Overridable attribute of the murmur package to use."; + }; + password = mkOption { type = types.str; default = ""; @@ -299,7 +306,7 @@ in Type = if forking then "forking" else "simple"; PIDFile = mkIf forking "/run/murmur/murmurd.pid"; EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile; - ExecStart = "${pkgs.murmur}/bin/murmurd -ini /run/murmur/murmurd.ini"; + ExecStart = "${cfg.package}/bin/murmurd -ini /run/murmur/murmurd.ini"; Restart = "always"; RuntimeDirectory = "murmur"; RuntimeDirectoryMode = "0700"; diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index 60fb3d5d6d4..a515e4a3dc3 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -1,34 +1,114 @@ -{ config, lib, pkgs, ... }: +{ options, config, lib, pkgs, ... }: with lib; let - + runDir = "/run/searx"; cfg = config.services.searx; - configFile = cfg.configFile; + generateConfig = '' + cd ${runDir} + + # write NixOS settings as JSON + cat <<'EOF' > settings.yml + ${builtins.toJSON cfg.settings} + EOF + + # substitute environment variables + env -0 | while IFS='=' read -r -d ''' n v; do + sed "s#@$n@#$v#g" -i settings.yml + done + + # set strict permissions + chmod 400 settings.yml + ''; + + settingType = with types; (oneOf + [ bool int float str + (listOf settingType) + (attrsOf settingType) + ]) // { description = "JSON value"; }; in { + imports = [ + (mkRenamedOptionModule + [ "services" "searx" "configFile" ] + [ "services" "searx" "settingsFile" ]) + ]; + ###### interface options = { services.searx = { - enable = mkEnableOption - "the searx server. See https://github.com/asciimoo/searx"; + enable = mkOption { + type = types.bool; + default = false; + relatedPackages = [ "searx" ]; + description = "Whether to enable Searx, the meta search engine."; + }; - configFile = mkOption { + environmentFile = mkOption { type = types.nullOr types.path; default = null; - description = " - The path of the Searx server configuration file. If no file - is specified, a default file is used (default config file has - debug mode enabled). - "; + description = '' + Environment file (see <literal>systemd.exec(5)</literal> + "EnvironmentFile=" section for the syntax) to define variables for + Searx. This option can be used to safely include secret keys into the + Searx configuration. + ''; + }; + + settings = mkOption { + type = types.attrsOf settingType; + default = { }; + example = literalExample '' + { server.port = 8080; + server.bind_address = "0.0.0.0"; + server.secret_key = "@SEARX_SECRET_KEY@"; + + engines = lib.singleton + { name = "wolframalpha"; + shortcut = "wa"; + api_key = "@WOLFRAM_API_KEY@"; + engine = "wolframalpha_api"; + }; + } + ''; + description = '' + Searx settings. These will be merged with (taking precedence over) + the default configuration. It's also possible to refer to + environment variables + (defined in <xref linkend="opt-services.searx.environmentFile"/>) + using the syntax <literal>@VARIABLE_NAME@</literal>. + <note> + <para> + For available settings, see the Searx + <link xlink:href="https://searx.github.io/searx/admin/settings.html">docs</link>. + </para> + </note> + ''; + }; + + settingsFile = mkOption { + type = types.path; + default = "${runDir}/settings.yml"; + description = '' + The path of the Searx server settings.yml file. If no file is + specified, a default file is used (default config file has debug mode + enabled). Note: setting this options overrides + <xref linkend="opt-services.searx.settings"/>. + <warning> + <para> + This file, along with any secret key it contains, will be copied + into the world-readable Nix store. + </para> + </warning> + ''; }; package = mkOption { @@ -38,6 +118,38 @@ in description = "searx package to use."; }; + runInUwsgi = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run searx in uWSGI as a "vassal", instead of using its + built-in HTTP server. This is the recommended mode for public or + large instances, but is unecessary for LAN or local-only use. + <warning> + <para> + The built-in HTTP server logs all queries by default. + </para> + </warning> + ''; + }; + + uwsgiConfig = mkOption { + type = options.services.uwsgi.instance.type; + default = { http = ":8080"; }; + example = literalExample '' + { + disable-logging = true; + http = ":8080"; # serve via HTTP... + socket = "/run/searx/searx.sock"; # ...or UNIX socket + } + ''; + description = '' + Additional configuration of the uWSGI vassal running searx. It + should notably specify on which interfaces and ports the vassal + should listen. + ''; + }; + }; }; @@ -45,36 +157,74 @@ in ###### implementation - config = mkIf config.services.searx.enable { + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; users.users.searx = - { uid = config.ids.uids.searx; - description = "Searx user"; - createHome = true; - home = "/var/lib/searx"; + { description = "Searx daemon user"; + group = "searx"; + isSystemUser = true; }; - users.groups.searx = - { gid = config.ids.gids.searx; + users.groups.searx = { }; + + systemd.services.searx-init = { + description = "Initialise Searx settings"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "searx"; + RuntimeDirectory = "searx"; + RuntimeDirectoryMode = "750"; + } // optionalAttrs (cfg.environmentFile != null) + { EnvironmentFile = builtins.toPath cfg.environmentFile; }; + script = generateConfig; + }; + + systemd.services.searx = mkIf (!cfg.runInUwsgi) { + description = "Searx server, the meta search engine."; + wantedBy = [ "network.target" "multi-user.target" ]; + requires = [ "searx-init.service" ]; + after = [ "searx-init.service" ]; + serviceConfig = { + User = "searx"; + Group = "searx"; + ExecStart = "${cfg.package}/bin/searx-run"; + } // optionalAttrs (cfg.environmentFile != null) + { EnvironmentFile = builtins.toPath cfg.environmentFile; }; + environment.SEARX_SETTINGS_PATH = cfg.settingsFile; + }; + + systemd.services.uwsgi = mkIf (cfg.runInUwsgi) + { requires = [ "searx-init.service" ]; + after = [ "searx-init.service" ]; }; - systemd.services.searx = - { - description = "Searx server, the meta search engine."; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "searx"; - ExecStart = "${cfg.package}/bin/searx-run"; - }; - } // (optionalAttrs (configFile != null) { - environment.SEARX_SETTINGS_PATH = configFile; - }); + services.searx.settings = { + # merge NixOS settings with defaults settings.yml + use_default_settings = mkDefault true; + }; - environment.systemPackages = [ cfg.package ]; + services.uwsgi = mkIf (cfg.runInUwsgi) { + enable = true; + plugins = [ "python3" ]; + + instance.type = "emperor"; + instance.vassals.searx = { + type = "normal"; + strict = true; + immediate-uid = "searx"; + immediate-gid = "searx"; + lazy-apps = true; + enable-threads = true; + module = "searx.webapp"; + env = [ "SEARX_SETTINGS_PATH=${cfg.settingsFile}" ]; + pythonPackages = self: [ cfg.package ]; + } // cfg.uwsgiConfig; + }; }; - meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + meta.maintainers = with maintainers; [ rnhmjoj ]; } diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix index cbac4ef05b8..48f8a9616c3 100644 --- a/nixos/modules/services/security/fprintd.nix +++ b/nixos/modules/services/security/fprintd.nix @@ -43,9 +43,9 @@ in config = mkIf cfg.enable { - services.dbus.packages = [ pkgs.fprintd ]; + services.dbus.packages = [ cfg.package ]; - environment.systemPackages = [ pkgs.fprintd ]; + environment.systemPackages = [ cfg.package ]; systemd.packages = [ cfg.package ]; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 390dcfccfec..54c2c2dea23 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -909,8 +909,11 @@ in networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = - concatMap (o: optional (isInt o && o > 0 || o ? "port" && isInt o.port && o.port > 0) o.port) - (flatten [ + concatMap (o: + if isInt o && o > 0 then [o] + else if o ? "port" && isInt o.port && o.port > 0 then [o.port] + else [] + ) (flatten [ cfg.settings.ORPort cfg.settings.DirPort ]); diff --git a/nixos/modules/services/web-apps/ihatemoney/default.nix b/nixos/modules/services/web-apps/ihatemoney/default.nix index 68769ac8c03..b4987fa4702 100644 --- a/nixos/modules/services/web-apps/ihatemoney/default.nix +++ b/nixos/modules/services/web-apps/ihatemoney/default.nix @@ -44,7 +44,7 @@ let in { options.services.ihatemoney = { - enable = mkEnableOption "ihatemoney webapp. Note that this will set uwsgi to emperor mode running as root"; + enable = mkEnableOption "ihatemoney webapp. Note that this will set uwsgi to emperor mode"; backend = mkOption { type = types.enum [ "sqlite" "postgresql" ]; default = "sqlite"; @@ -116,16 +116,13 @@ in services.uwsgi = { enable = true; plugins = [ "python3" ]; - # the vassal needs to be able to setuid - user = "root"; - group = "root"; instance = { type = "emperor"; vassals.ihatemoney = { type = "normal"; strict = true; - uid = user; - gid = group; + immediate-uid = user; + immediate-gid = group; # apparently flask uses threads: https://github.com/spiral-project/ihatemoney/commit/c7815e48781b6d3a457eaff1808d179402558f8c enable-threads = true; module = "wsgi:application"; diff --git a/nixos/modules/services/web-apps/whitebophir.nix b/nixos/modules/services/web-apps/whitebophir.nix new file mode 100644 index 00000000000..a19812547c4 --- /dev/null +++ b/nixos/modules/services/web-apps/whitebophir.nix @@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.whitebophir; +in { + options = { + services.whitebophir = { + enable = mkEnableOption "whitebophir, an online collaborative whiteboard server (persistent state will be maintained under <filename>/var/lib/whitebophir</filename>)"; + + package = mkOption { + default = pkgs.whitebophir; + defaultText = "pkgs.whitebophir"; + type = types.package; + description = "Whitebophir package to use."; + }; + + port = mkOption { + type = types.port; + default = 5001; + description = "Port to bind to."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.whitebophir = { + description = "Whitebophir Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + PORT = "${toString cfg.port}"; + WBO_HISTORY_DIR = "/var/lib/whitebophir"; + }; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${cfg.package}/bin/whitebophir"; + Restart = "always"; + StateDirectory = "whitebophir"; + }; + }; + }; +} diff --git a/nixos/modules/services/web-servers/uwsgi.nix b/nixos/modules/services/web-servers/uwsgi.nix index 936e211ec71..506cd364a65 100644 --- a/nixos/modules/services/web-servers/uwsgi.nix +++ b/nixos/modules/services/web-servers/uwsgi.nix @@ -5,11 +5,24 @@ with lib; let cfg = config.services.uwsgi; + isEmperor = cfg.instance.type == "emperor"; + + imperialPowers = + [ + # spawn other user processes + "CAP_SETUID" "CAP_SETGID" + "CAP_SYS_CHROOT" + # transfer capabilities + "CAP_SETPCAP" + # create other user sockets + "CAP_CHOWN" + ]; + buildCfg = name: c: let plugins = if any (n: !any (m: m == n) cfg.plugins) (c.plugins or []) - then throw "`plugins` attribute in UWSGI configuration contains plugins not in config.services.uwsgi.plugins" + then throw "`plugins` attribute in uWSGI configuration contains plugins not in config.services.uwsgi.plugins" else c.plugins or cfg.plugins; hasPython = v: filter (n: n == "python${v}") plugins != []; @@ -18,7 +31,7 @@ let python = if hasPython2 && hasPython3 then - throw "`plugins` attribute in UWSGI configuration shouldn't contain both python2 and python3" + throw "`plugins` attribute in uWSGI configuration shouldn't contain both python2 and python3" else if hasPython2 then cfg.package.python2 else if hasPython3 then cfg.package.python3 else null; @@ -43,7 +56,7 @@ let oldPaths = filter (x: x != null) (map getPath env'); in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${pythonEnv}/bin" ]; } - else if c.type == "emperor" + else if isEmperor then { emperor = if builtins.typeOf c.vassals != "set" then c.vassals else pkgs.buildEnv { @@ -51,7 +64,7 @@ let paths = mapAttrsToList buildCfg c.vassals; }; } // removeAttrs c [ "type" "vassals" ] - else throw "`type` attribute in UWSGI configuration should be either 'normal' or 'emperor'"; + else throw "`type` attribute in uWSGI configuration should be either 'normal' or 'emperor'"; }; in pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg); @@ -79,7 +92,7 @@ in { }; instance = mkOption { - type = with lib.types; let + type = with types; let valueType = nullOr (oneOf [ bool int @@ -137,31 +150,65 @@ in { user = mkOption { type = types.str; default = "uwsgi"; - description = "User account under which uwsgi runs."; + description = "User account under which uWSGI runs."; }; group = mkOption { type = types.str; default = "uwsgi"; - description = "Group account under which uwsgi runs."; + description = "Group account under which uWSGI runs."; + }; + + capabilities = mkOption { + type = types.listOf types.str; + apply = caps: caps ++ optionals isEmperor imperialPowers; + default = [ ]; + example = literalExample '' + [ + "CAP_NET_BIND_SERVICE" # bind on ports <1024 + "CAP_NET_RAW" # open raw sockets + ] + ''; + description = '' + Grant capabilities to the uWSGI instance. See the + <literal>capabilities(7)</literal> for available values. + <note> + <para> + uWSGI runs as an unprivileged user (even as Emperor) with the minimal + capabilities required. This option can be used to add fine-grained + permissions without running the service as root. + </para> + <para> + When in Emperor mode, any capability to be inherited by a vassal must + be specified again in the vassal configuration using <literal>cap</literal>. + See the uWSGI <link + xlink:href="https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html">docs</link> + for more information. + </para> + </note> + ''; }; }; }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = optional (cfg.runDir != "/run/uwsgi") '' + d ${cfg.runDir} 775 ${cfg.user} ${cfg.group} + ''; + systemd.services.uwsgi = { wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -p ${cfg.runDir} - chown ${cfg.user}:${cfg.group} ${cfg.runDir} - ''; serviceConfig = { + User = cfg.user; + Group = cfg.group; Type = "notify"; - ExecStart = "${cfg.package}/bin/uwsgi --uid ${cfg.user} --gid ${cfg.group} --json ${buildCfg "server" cfg.instance}/server.json"; + ExecStart = "${cfg.package}/bin/uwsgi --json ${buildCfg "server" cfg.instance}/server.json"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; NotifyAccess = "main"; KillSignal = "SIGQUIT"; + AmbientCapabilities = cfg.capabilities; + CapabilityBoundingSet = cfg.capabilities; }; }; diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 68a65d77d62..a36a47d376b 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -19,7 +19,7 @@ let defaultFavoriteAppsOverride = '' [org.gnome.shell] - favorite-apps=[ 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ] + favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ] ''; nixos-gsettings-desktop-schemas = let @@ -409,9 +409,7 @@ in baobab cheese eog - /* Not in good standing on nixos: - * https://github.com/NixOS/nixpkgs/issues/98819 - /* epiphany */ + epiphany gedit gnome-calculator gnome-calendar diff --git a/nixos/modules/services/x11/window-managers/clfswm.nix b/nixos/modules/services/x11/window-managers/clfswm.nix index 176c1f46127..171660c53ac 100644 --- a/nixos/modules/services/x11/window-managers/clfswm.nix +++ b/nixos/modules/services/x11/window-managers/clfswm.nix @@ -15,10 +15,10 @@ in services.xserver.windowManager.session = singleton { name = "clfswm"; start = '' - ${pkgs.clfswm}/bin/clfswm & + ${pkgs.lispPackages.clfswm}/bin/clfswm & waitPID=$! ''; }; - environment.systemPackages = [ pkgs.clfswm ]; + environment.systemPackages = [ pkgs.lispPackages.clfswm ]; }; } diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index 87702c58727..9ca24310e56 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -13,6 +13,7 @@ in ./berry.nix ./bspwm.nix ./cwm.nix + ./clfswm.nix ./dwm.nix ./evilwm.nix ./exwm.nix diff --git a/nixos/modules/services/x11/window-managers/exwm.nix b/nixos/modules/services/x11/window-managers/exwm.nix index 88e13f4dbfb..3e97d28d83b 100644 --- a/nixos/modules/services/x11/window-managers/exwm.nix +++ b/nixos/modules/services/x11/window-managers/exwm.nix @@ -48,7 +48,7 @@ in description = '' Extra packages available to Emacs. The value must be a function which receives the attrset defined in - <varname>emacsPackages</varname> as the sole argument. + <varname>emacs.pkgs</varname> as the sole argument. ''; }; }; diff --git a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix index 337afe9ef62..ba936b26573 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -20,7 +20,7 @@ let timeoutStr = if blCfg.timeout == null then "-1" else toString blCfg.timeout; isAarch64 = pkgs.stdenv.hostPlatform.isAarch64; - optional = pkgs.stdenv.lib.optionalString; + optional = pkgs.lib.optionalString; configTxt = pkgs.writeText "config.txt" ('' diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 86bfde6349c..cb9735ae04f 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -22,7 +22,7 @@ let rootModules = config.boot.initrd.availableKernelModules ++ config.boot.initrd.kernelModules; kernel = modulesTree; firmware = firmware; - allowMissing = true; + allowMissing = false; }; @@ -513,7 +513,12 @@ in }; boot.initrd.compressor = mkOption { - default = "gzip"; + default = ( + if lib.versionAtLeast config.boot.kernelPackages.kernel.version "5.9" + then "zstd" + else "gzip" + ); + defaultText = "zstd if the kernel supports it (5.9+), gzip if not."; type = types.unspecified; # We don't have a function type... description = '' The compressor to use on the initrd image. May be any of: diff --git a/nixos/modules/system/boot/tmp.nix b/nixos/modules/system/boot/tmp.nix index 837e308cbea..5bb299adb15 100644 --- a/nixos/modules/system/boot/tmp.nix +++ b/nixos/modules/system/boot/tmp.nix @@ -34,6 +34,7 @@ with lib; { what = "tmpfs"; where = "/tmp"; + type = "tmpfs"; mountConfig.Options = [ "mode=1777" "strictatime" "rw" "nosuid" "nodev" "size=50%" ]; } ]; diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix index 81413792eda..41f3fa0e664 100644 --- a/nixos/modules/virtualisation/azure-agent.nix +++ b/nixos/modules/virtualisation/azure-agent.nix @@ -146,7 +146,7 @@ in services.logrotate = { enable = true; - config = '' + extraConfig = '' /var/log/waagent.log { compress monthly diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index ec257801b33..689f664b676 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -155,13 +155,11 @@ in users.groups.docker.gid = config.ids.gids.docker; systemd.packages = [ cfg.package ]; - # TODO: remove once docker 20.10 is released - systemd.enableUnifiedCgroupHierarchy = false; - systemd.services.docker = { wantedBy = optional cfg.enableOnBoot "multi-user.target"; environment = proxy_env; serviceConfig = { + Type = "notify"; ExecStart = [ "" '' @@ -215,13 +213,10 @@ in message = "Option enableNvidia requires 32bit support libraries"; }]; } - (mkIf cfg.enableNvidia { - environment.etc."nvidia-container-runtime/config.toml".source = "${pkgs.nvidia-docker}/etc/config.toml"; - }) ]); imports = [ - (mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed in favor of starting docker at boot") + (mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed and socket activation is now always active") ]; } diff --git a/nixos/modules/virtualisation/ec2-amis.nix b/nixos/modules/virtualisation/ec2-amis.nix index 3da63078a21..892af513b03 100644 --- a/nixos/modules/virtualisation/ec2-amis.nix +++ b/nixos/modules/virtualisation/ec2-amis.nix @@ -329,24 +329,24 @@ let self = { "20.03".ap-east-1.hvm-ebs = "ami-0d18fdd309cdefa86"; "20.03".sa-east-1.hvm-ebs = "ami-09859378158ae971d"; - # 20.09.1632.a6a3a368dda - "20.09".eu-west-1.hvm-ebs = "ami-01a79d5ce435f4db3"; - "20.09".eu-west-2.hvm-ebs = "ami-0cbe14f32904e6331"; - "20.09".eu-west-3.hvm-ebs = "ami-07f493412d6213de6"; - "20.09".eu-central-1.hvm-ebs = "ami-01d4a0c2248cbfe38"; - "20.09".eu-north-1.hvm-ebs = "ami-0003f54dd99d68e0f"; - "20.09".us-east-1.hvm-ebs = "ami-068a62d478710462d"; - "20.09".us-east-2.hvm-ebs = "ami-01ac677ff61399caa"; - "20.09".us-west-1.hvm-ebs = "ami-04befdb203b4b17f6"; - "20.09".us-west-2.hvm-ebs = "ami-0fb7bd4a43261c6b2"; - "20.09".ca-central-1.hvm-ebs = "ami-06d5ee429f153f856"; - "20.09".ap-southeast-1.hvm-ebs = "ami-0db0304e23c535b2a"; - "20.09".ap-southeast-2.hvm-ebs = "ami-045983c4db7e36447"; - "20.09".ap-northeast-1.hvm-ebs = "ami-0beb18d632cf64e5a"; - "20.09".ap-northeast-2.hvm-ebs = "ami-0dd0316af578862db"; - "20.09".ap-south-1.hvm-ebs = "ami-008d15ced81c88aed"; - "20.09".ap-east-1.hvm-ebs = "ami-071f49713f86ea965"; - "20.09".sa-east-1.hvm-ebs = "ami-05ded1ae35209b5a8"; + # 20.09.2016.19db3e5ea27 + "20.09".eu-west-1.hvm-ebs = "ami-0057cb7d614329fa2"; + "20.09".eu-west-2.hvm-ebs = "ami-0d46f16e0bb0ec8fd"; + "20.09".eu-west-3.hvm-ebs = "ami-0e8985c3ea42f87fe"; + "20.09".eu-central-1.hvm-ebs = "ami-0eed77c38432886d2"; + "20.09".eu-north-1.hvm-ebs = "ami-0be5bcadd632bea14"; + "20.09".us-east-1.hvm-ebs = "ami-0a2cce52b42daccc8"; + "20.09".us-east-2.hvm-ebs = "ami-09378bf487b07a4d8"; + "20.09".us-west-1.hvm-ebs = "ami-09b4337b2a9e77485"; + "20.09".us-west-2.hvm-ebs = "ami-081d3bb5fbee0a1ac"; + "20.09".ca-central-1.hvm-ebs = "ami-020c24c6c607e7ac7"; + "20.09".ap-southeast-1.hvm-ebs = "ami-08f648d5db009e67d"; + "20.09".ap-southeast-2.hvm-ebs = "ami-0be390efaccbd40f9"; + "20.09".ap-northeast-1.hvm-ebs = "ami-0c3311601cbe8f927"; + "20.09".ap-northeast-2.hvm-ebs = "ami-0020146701f4d56cf"; + "20.09".ap-south-1.hvm-ebs = "ami-0117e2bd876bb40d1"; + "20.09".ap-east-1.hvm-ebs = "ami-0c42f97e5b1fda92f"; + "20.09".sa-east-1.hvm-ebs = "ami-021637976b094959d"; latest = self."20.09"; }; in self diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix index 36c0ca8dfea..98da5a096d9 100644 --- a/nixos/modules/virtualisation/podman.nix +++ b/nixos/modules/virtualisation/podman.nix @@ -2,7 +2,6 @@ let cfg = config.virtualisation.podman; toml = pkgs.formats.toml { }; - nvidia-docker = pkgs.nvidia-docker.override { containerRuntimePath = "${pkgs.runc}/bin/runc"; }; inherit (lib) mkOption types; @@ -100,8 +99,8 @@ in containersConf.extraConfig = lib.optionalString cfg.enableNvidia (builtins.readFile (toml.generate "podman.nvidia.containers.conf" { engine = { - conmon_env_vars = [ "PATH=${lib.makeBinPath [ nvidia-docker ]}" ]; - runtimes.nvidia = [ "${nvidia-docker}/bin/nvidia-container-runtime" ]; + conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ]; + runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ]; }; })); }; @@ -111,14 +110,7 @@ in assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable; message = "Option dockerCompat conflicts with docker"; } - { - assertion = cfg.enableNvidia -> !config.virtualisation.docker.enableNvidia; - message = "Option enableNvidia conflicts with docker.enableNvidia"; - } ]; } - (lib.mkIf cfg.enableNvidia { - environment.etc."nvidia-container-runtime/config.toml".source = "${nvidia-docker}/etc/podman-config.toml"; - }) ]); } |