diff options
Diffstat (limited to 'nixos')
20 files changed, 250 insertions, 129 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index 2c6309474b3..fef6b2f86c8 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -31,11 +31,12 @@ let else p; describe = args: let + title = args.title or null; name = args.name or (lib.concatStringsSep "." args.path); path = args.path or [ args.name ]; package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs); in "<listitem>" - + "<para><literal>pkgs.${name} (${package.meta.name})</literal>" + + "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>" + lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>" + ": ${package.meta.description or "???"}.</para>" + lib.optionalString (args ? comment) "\n<para>${args.comment}</para>" @@ -51,7 +52,7 @@ let // lib.optionalAttrs (opt ? example) { example = substFunction opt.example; } // lib.optionalAttrs (opt ? default) { default = substFunction opt.default; } // lib.optionalAttrs (opt ? type) { type = substFunction opt.type; } - // lib.optionalAttrs (opt ? relatedPackages) { relatedPackages = genRelatedPackages opt.relatedPackages; }); + // lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; }); # We need to strip references to /nix/store/* from options, # including any `extraSources` if some modules came from elsewhere, diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 72f96f1ca1a..f57fd75c782 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -288,11 +288,24 @@ inherit (pkgs.nixos { </listitem> <listitem> <para> - Recommented way to access the Kubernetes Dashboard is with HTTPS (TLS) + Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https. </para> </listitem> + <listitem> + <para> + The option <varname>services.kubernetes.apiserver.address</varname> + was renamed to <varname>services.kubernetes.apiserver.bindAddress</varname>. + Note that the default value has changed from 127.0.0.1 to 0.0.0.0. + </para> + </listitem> + <listitem> + <para> + The option <varname>services.kubernetes.apiserver.publicAddress</varname> + was not used and thus has been removed. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/maintainers/scripts/azure/create-azure.sh b/nixos/maintainers/scripts/azure/create-azure.sh index a834566be8f..2b22cb53661 100755 --- a/nixos/maintainers/scripts/azure/create-azure.sh +++ b/nixos/maintainers/scripts/azure/create-azure.sh @@ -5,4 +5,4 @@ export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation export TIMESTAMP=$(date +%Y%m%d%H%M) nix-build '<nixpkgs/nixos>' \ - -A config.system.build.azureImage --argstr system x86_64-linux -o azure --option extra-binary-caches https://hydra.nixos.org -j 10 + -A config.system.build.azureImage --argstr system x86_64-linux -o azure -j 10 diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index a20910353f3..c7a6c943bc2 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -26,16 +26,16 @@ with lib; fonts.fontconfig.enable = false; - nixpkgs.config.packageOverrides = pkgs: { - dbus = pkgs.dbus.override { x11Support = false; }; - networkmanager-fortisslvpn = pkgs.networkmanager-fortisslvpn.override { withGnome = false; }; - networkmanager-l2tp = pkgs.networkmanager-l2tp.override { withGnome = false; }; - networkmanager-openconnect = pkgs.networkmanager-openconnect.override { withGnome = false; }; - networkmanager-openvpn = pkgs.networkmanager-openvpn.override { withGnome = false; }; - networkmanager-vpnc = pkgs.networkmanager-vpnc.override { withGnome = false; }; - networkmanager-iodine = pkgs.networkmanager-iodine.override { withGnome = false; }; - pinentry = pkgs.pinentry_ncurses; - gobjectIntrospection = pkgs.gobjectIntrospection.override { x11Support = false; }; - }; + nixpkgs.overlays = singleton (const (super: { + dbus = super.dbus.override { x11Support = false; }; + networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; }; + networkmanager-l2tp = super.networkmanager-l2tp.override { withGnome = false; }; + networkmanager-openconnect = super.networkmanager-openconnect.override { withGnome = false; }; + networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; }; + networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; + networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; + pinentry = super.pinentry_ncurses; + gobjectIntrospection = super.gobjectIntrospection.override { x11Support = false; }; + })); }; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 71e0bf1461f..cae353d4d73 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -473,6 +473,7 @@ ./services/networking/dnschain.nix ./services/networking/dnscrypt-proxy.nix ./services/networking/dnscrypt-wrapper.nix + ./services/networking/dnsdist.nix ./services/networking/dnsmasq.nix ./services/networking/ejabberd.nix ./services/networking/fakeroute.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 9b9e9e7109d..2df737452fb 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -32,6 +32,8 @@ with lib; (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) (mkRenamedOptionModule [ "services" "kibana" "host" ] [ "services" "kibana" "listenAddress" ]) (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) + (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) (mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ]) (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "listenAddress" ]) diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix index 8c1f35ec651..9c1f814b683 100644 --- a/nixos/modules/services/cluster/kubernetes/dashboard.nix +++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix @@ -4,16 +4,6 @@ with lib; let cfg = config.services.kubernetes.addons.dashboard; - - name = "k8s.gcr.io/kubernetes-dashboard-amd64"; - version = "v1.8.3"; - - image = pkgs.dockerTools.pullImage { - imageName = name; - imageDigest = "sha256:dc4026c1b595435ef5527ca598e1e9c4343076926d7d62b365c44831395adbd0"; - finalImageTag = version; - sha256 = "18ajcg0q1vignfjk2sm4xj4wzphfz8wah69ps8dklqfvv0164mc8"; - }; in { options.services.kubernetes.addons.dashboard = { enable = mkEnableOption "kubernetes dashboard addon"; @@ -23,10 +13,27 @@ in { type = types.bool; default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode; }; + + version = mkOption { + description = "Which version of the kubernetes dashboard to deploy"; + type = types.str; + default = "v1.8.3"; + }; + + image = mkOption { + description = "Docker image to seed for the kubernetes dashboard container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/kubernetes-dashboard-amd64"; + imageDigest = "sha256:dc4026c1b595435ef5527ca598e1e9c4343076926d7d62b365c44831395adbd0"; + finalImageTag = cfg.version; + sha256 = "18ajcg0q1vignfjk2sm4xj4wzphfz8wah69ps8dklqfvv0164mc8"; + }; + }; }; config = mkIf cfg.enable { - services.kubernetes.kubelet.seedDockerImages = [image]; + services.kubernetes.kubelet.seedDockerImages = [(pkgs.dockerTools.pullImage cfg.image)]; services.kubernetes.addonManager.addons = { kubernetes-dashboard-deployment = { @@ -36,7 +43,7 @@ in { labels = { k8s-addon = "kubernetes-dashboard.addons.k8s.io"; k8s-app = "kubernetes-dashboard"; - version = version; + version = cfg.version; "kubernetes.io/cluster-service" = "true"; "addonmanager.kubernetes.io/mode" = "Reconcile"; }; @@ -52,7 +59,7 @@ in { labels = { k8s-addon = "kubernetes-dashboard.addons.k8s.io"; k8s-app = "kubernetes-dashboard"; - version = version; + version = cfg.version; "kubernetes.io/cluster-service" = "true"; }; annotations = { @@ -63,7 +70,7 @@ in { priorityClassName = "system-cluster-critical"; containers = [{ name = "kubernetes-dashboard"; - image = "${name}:${version}"; + image = with cfg.image; "${imageName}:${finalImageTag}"; ports = [{ containerPort = 8443; protocol = "TCP"; diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index e624f41601b..20f2308508c 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -73,7 +73,9 @@ let mkKubeConfigOptions = prefix: { server = mkOption { description = "${prefix} kube-apiserver server address."; - default = "http://${cfg.apiserver.address}:${toString cfg.apiserver.port}"; + default = "http://${if cfg.apiserver.advertiseAddress != null + then cfg.apiserver.advertiseAddress + else "127.0.0.1"}:${toString cfg.apiserver.port}"; type = types.str; }; @@ -103,12 +105,18 @@ let keyFile = mkDefault cfg.kubeconfig.keyFile; }; - cniConfig = pkgs.buildEnv { - name = "kubernetes-cni-config"; - paths = imap (i: entry: - pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry) - ) cfg.kubelet.cni.config; - }; + cniConfig = + if cfg.kubelet.cni.config != [] && !(isNull cfg.kubelet.cni.configDir) then + throw "Verbatim CNI-config and CNI configDir cannot both be set." + else if !(isNull cfg.kubelet.cni.configDir) then + cfg.kubelet.cni.configDir + else + (pkgs.buildEnv { + name = "kubernetes-cni-config"; + paths = imap (i: entry: + pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry) + ) cfg.kubelet.cni.config; + }); manifests = pkgs.buildEnv { name = "kubernetes-manifests"; @@ -244,18 +252,13 @@ in { type = types.listOf types.str; }; - address = mkOption { - description = "Kubernetes apiserver listening address."; - default = "127.0.0.1"; - type = types.str; - }; - - publicAddress = mkOption { + bindAddress = mkOption { description = '' - Kubernetes apiserver public listening address used for read only and - secure port. + The IP address on which to listen for the --secure-port port. + The associated interface(s) must be reachable by the rest + of the cluster, and by CLI/web clients. ''; - default = cfg.apiserver.address; + default = "0.0.0.0"; type = types.str; }; @@ -670,6 +673,12 @@ in { }] ''; }; + + configDir = mkOption { + description = "Path to Kubernetes CNI configuration directory."; + type = types.nullOr types.path; + default = null; + }; }; manifests = mkOption { @@ -892,7 +901,7 @@ in { (mkIf cfg.apiserver.enable { systemd.services.kube-apiserver = { - description = "Kubernetes Kubelet Service"; + description = "Kubernetes APIServer Service"; wantedBy = [ "kubernetes.target" ]; after = [ "network.target" "docker.service" ]; serviceConfig = { @@ -906,7 +915,7 @@ in { ${optionalString (cfg.etcd.keyFile != null) "--etcd-keyfile=${cfg.etcd.keyFile}"} \ --insecure-port=${toString cfg.apiserver.port} \ - --bind-address=${toString cfg.apiserver.address} \ + --bind-address=${cfg.apiserver.bindAddress} \ ${optionalString (cfg.apiserver.advertiseAddress != null) "--advertise-address=${cfg.apiserver.advertiseAddress}"} \ --allow-privileged=${boolToString cfg.apiserver.allowPrivileged}\ diff --git a/nixos/modules/services/cluster/kubernetes/dns.nix b/nixos/modules/services/cluster/kubernetes/dns.nix index 9751e5f7cf0..43bbb50a48d 100644 --- a/nixos/modules/services/cluster/kubernetes/dns.nix +++ b/nixos/modules/services/cluster/kubernetes/dns.nix @@ -4,28 +4,6 @@ with lib; let version = "1.14.10"; - - k8s-dns-kube-dns = pkgs.dockerTools.pullImage { - imageName = "k8s.gcr.io/k8s-dns-kube-dns-amd64"; - imageDigest = "sha256:b99fc3eee2a9f052f7eb4cc00f15eb12fc405fa41019baa2d6b79847ae7284a8"; - finalImageTag = version; - sha256 = "0x583znk9smqn0fix7ld8sm5jgaxhqhx3fq97b1wkqm7iwhvl3pj"; - }; - - k8s-dns-dnsmasq-nanny = pkgs.dockerTools.pullImage { - imageName = "k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64"; - imageDigest = "sha256:bbb2a290a568125b3b996028958eb773f33b5b87a6b37bf38a28f8b62dddb3c8"; - finalImageTag = version; - sha256 = "1fihml7s2mfwgac51cbqpylkwbivc8nyhgi4vb820s83zvl8a6y1"; - }; - - k8s-dns-sidecar = pkgs.dockerTools.pullImage { - imageName = "k8s.gcr.io/k8s-dns-sidecar-amd64"; - imageDigest = "sha256:4f1ab957f87b94a5ec1edc26fae50da2175461f00afecf68940c4aa079bd08a4"; - finalImageTag = version; - sha256 = "08l1bv5jgrhvjzpqpbinrkgvv52snc4fzyd8ya9v18ns2klyz7m0"; - }; - cfg = config.services.kubernetes.addons.dns; in { options.services.kubernetes.addons.dns = { @@ -48,13 +26,46 @@ in { default = "cluster.local"; type = types.str; }; + + kube-dns = mkOption { + description = "Docker image to seed for the kube-dns main container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/k8s-dns-kube-dns-amd64"; + imageDigest = "sha256:b99fc3eee2a9f052f7eb4cc00f15eb12fc405fa41019baa2d6b79847ae7284a8"; + finalImageTag = version; + sha256 = "0x583znk9smqn0fix7ld8sm5jgaxhqhx3fq97b1wkqm7iwhvl3pj"; + }; + }; + + dnsmasq-nanny = mkOption { + description = "Docker image to seed for the kube-dns dnsmasq container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64"; + imageDigest = "sha256:bbb2a290a568125b3b996028958eb773f33b5b87a6b37bf38a28f8b62dddb3c8"; + finalImageTag = version; + sha256 = "1fihml7s2mfwgac51cbqpylkwbivc8nyhgi4vb820s83zvl8a6y1"; + }; + }; + + sidecar = mkOption { + description = "Docker image to seed for the kube-dns sidecar container."; + type = types.attrs; + default = { + imageName = "k8s.gcr.io/k8s-dns-sidecar-amd64"; + imageDigest = "sha256:4f1ab957f87b94a5ec1edc26fae50da2175461f00afecf68940c4aa079bd08a4"; + finalImageTag = version; + sha256 = "08l1bv5jgrhvjzpqpbinrkgvv52snc4fzyd8ya9v18ns2klyz7m0"; + }; + }; }; config = mkIf cfg.enable { - services.kubernetes.kubelet.seedDockerImages = [ - k8s-dns-kube-dns - k8s-dns-dnsmasq-nanny - k8s-dns-sidecar + services.kubernetes.kubelet.seedDockerImages = with pkgs.dockerTools; [ + (pullImage cfg.kube-dns) + (pullImage cfg.dnsmasq-nanny) + (pullImage cfg.sidecar) ]; services.kubernetes.addonManager.addons = { @@ -88,7 +99,7 @@ in { containers = [ { name = "kubedns"; - image = "k8s.gcr.io/k8s-dns-kube-dns-amd64:${version}"; + image = with cfg.kube-dns; "${imageName}:${finalImageTag}"; resources = { limits.memory = "170Mi"; requests = { @@ -154,7 +165,7 @@ in { } { name = "dnsmasq"; - image = "k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:${version}"; + image = with cfg.dnsmasq-nanny; "${imageName}:${finalImageTag}"; livenessProbe = { httpGet = { path = "/healthcheck/dnsmasq"; @@ -206,7 +217,7 @@ in { } { name = "sidecar"; - image = "k8s.gcr.io/k8s-dns-sidecar-amd64:${version}"; + image = with cfg.sidecar; "${imageName}:${finalImageTag}"; livenessProbe = { httpGet = { path = "/metrics"; diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix new file mode 100644 index 00000000000..12eee136e63 --- /dev/null +++ b/nixos/modules/services/networking/dnsdist.nix @@ -0,0 +1,61 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.dnsdist; + configFile = pkgs.writeText "dndist.conf" '' + setLocal('${cfg.listenAddress}:${toString cfg.listenPort}') + ${cfg.extraConfig} + ''; +in { + options = { + services.dnsdist = { + enable = mkEnableOption "dnsdist domain name server"; + + listenAddress = mkOption { + type = types.str; + description = "Listen IP Address"; + default = "0.0.0.0"; + }; + listenPort = mkOption { + type = types.int; + description = "Listen port"; + default = 53; + }; + + extraConfig = mkOption { + type = types.lines; + default = '' + ''; + description = '' + Extra lines to be added verbatim to dnsdist.conf. + ''; + }; + }; + }; + + config = mkIf config.services.dnsdist.enable { + systemd.services.dnsdist = { + description = "dnsdist load balancer"; + wantedBy = [ "multi-user.target" ]; + after = ["network.target"]; + + serviceConfig = { + Restart="on-failure"; + RestartSec="1"; + DynamicUser = true; + StartLimitInterval="0"; + PrivateTmp=true; + PrivateDevices=true; + CapabilityBoundingSet="CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; + ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}"; + ProtectSystem="full"; + ProtectHome=true; + RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6"; + LimitNOFILE="16384"; + TasksMax="8192"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index c27ae3f66f6..89d8590093d 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -50,7 +50,7 @@ let # NAT from external ports to internal ports. ${concatMapStrings (fwd: '' iptables -w -t nat -A nixos-nat-pre \ - -i ${cfg.externalInterface} -p ${fwd.proto} \ + -i ${toString cfg.externalInterface} -p ${fwd.proto} \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} @@ -81,7 +81,7 @@ let ${optionalString (cfg.dmzHost != null) '' iptables -w -t nat -A nixos-nat-pre \ - -i ${cfg.externalInterface} -j DNAT \ + -i ${toString cfg.externalInterface} -j DNAT \ --to-destination ${cfg.dmzHost} ''} diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index e3c9b5282b8..77bcdae8019 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -163,12 +163,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; path = [ data.package ]; - restartTriggers = - let - drvlist = [ config.environment.etc."tinc/${network}/tinc.conf".source ] - ++ mapAttrsToList (host: _: config.environment.etc."tinc/${network}/hosts/${host}".source) data.hosts; - in # drvlist might be too long to be used directly - [ (builtins.hashString "sha256" (concatMapStrings (d: d.outPath) drvlist)) ]; + restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ]; serviceConfig = { Type = "simple"; Restart = "always"; @@ -207,7 +202,8 @@ in ${concatStringsSep "\n" (mapAttrsToList (network: data: optionalString (versionAtLeast data.package.version "1.1pre") '' makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \ - --add-flags "--pidfile=/run/tinc.${network}.pid" + --add-flags "--pidfile=/run/tinc.${network}.pid" \ + --add-flags "--config=/etc/tinc/${network}" '') cfg.networks)} ''; }; diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index f069a9883a7..07936faaa13 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -60,7 +60,7 @@ in }; interfaces = mkOption { - default = [ "127.0.0.1" "::1" ]; + default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1"; type = types.listOf types.str; description = "What addresses the server should listen on."; }; @@ -112,8 +112,8 @@ in mkdir -m 0755 -p ${stateDir}/dev/ cp ${confFile} ${stateDir}/unbound.conf ${optionalString cfg.enableRootTrustAnchor '' - ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" - chown unbound ${stateDir} ${rootTrustAnchorFile} + ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + chown unbound ${stateDir} ${rootTrustAnchorFile} ''} touch ${stateDir}/dev/random ${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random @@ -126,6 +126,8 @@ in ProtectSystem = true; ProtectHome = true; PrivateDevices = true; + Restart = "always"; + RestartSec = "5s"; }; }; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 806252f49b8..c2de1c45a39 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -39,7 +39,7 @@ let ''} ${optint "ControlPort" cfg.controlPort} - ${optionalString cfg.controlSocket.enable "ControlSocket ${torRunDirectory}/control GroupWritable RelaxDirModeCheck"} + ${optionalString cfg.controlSocket.enable "ControlPort unix:${torRunDirectory}/control GroupWritable RelaxDirModeCheck"} '' # Client connection config + optionalString cfg.client.enable '' @@ -695,19 +695,38 @@ in uid = config.ids.uids.tor; }; + # We have to do this instead of using RuntimeDirectory option in + # the service below because systemd has no way to set owners of + # RuntimeDirectory and putting this into the service below + # requires that service to relax it's sandbox since this needs + # writable /run + systemd.services.tor-init = + { description = "Tor Daemon Init"; + wantedBy = [ "tor.service" ]; + after = [ "local-fs.target" ]; + script = '' + install -m 0700 -o tor -g tor -d ${torDirectory} ${torDirectory}/onion + install -m 0750 -o tor -g tor -d ${torRunDirectory} + ''; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + }; + systemd.services.tor = { description = "Tor Daemon"; path = [ pkgs.tor ]; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + after = [ "tor-init.service" "network.target" ]; restartTriggers = [ torRcFile ]; serviceConfig = { Type = "simple"; # Translated from the upstream contrib/dist/tor.service.in ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config"; - ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0"; + ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; KillSignal = "SIGINT"; TimeoutSec = 30; @@ -715,20 +734,18 @@ in LimitNOFILE = 32768; # Hardening - # Note: DevicePolicy is set to 'closed', although the - # minimal permissions are really: - # DeviceAllow /dev/null rw - # DeviceAllow /dev/urandom r - # .. but we can't specify DeviceAllow multiple times. 'closed' - # is close enough. - RuntimeDirectory = "tor"; - StateDirectory = [ "tor" "tor/onion" ]; - PrivateTmp = "yes"; - DevicePolicy = "closed"; - InaccessibleDirectories = "/home"; - ReadOnlyDirectories = "/"; - ReadWriteDirectories = [torDirectory torRunDirectory]; + # this seems to unshare /run despite what systemd.exec(5) says + PrivateTmp = mkIf (!cfg.controlSocket.enable) "yes"; + PrivateDevices = "yes"; + ProtectHome = "yes"; + ProtectSystem = "strict"; + InaccessiblePaths = "/home"; + ReadOnlyPaths = "/"; + ReadWritePaths = [ torDirectory torRunDirectory ]; NoNewPrivileges = "yes"; + + # tor.service.in has this in, but this line it fails to spawn a namespace when using hidden services + #CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE"; }; }; diff --git a/nixos/modules/services/x11/window-managers/awesome.nix b/nixos/modules/services/x11/window-managers/awesome.nix index 71eb02ec595..089e9f769f0 100644 --- a/nixos/modules/services/x11/window-managers/awesome.nix +++ b/nixos/modules/services/x11/window-managers/awesome.nix @@ -37,6 +37,11 @@ in apply = pkg: if pkg == null then pkgs.awesome else pkg; }; + noArgb = mkOption { + default = false; + type = types.bool; + description = "Disable client transparency support, which can be greatly detrimental to performance in some setups"; + }; }; }; @@ -50,7 +55,7 @@ in { name = "awesome"; start = '' - ${awesome}/bin/awesome ${makeSearchPath cfg.luaModules} & + ${awesome}/bin/awesome ${lib.optionalString cfg.noArgb "--no-argb"} ${makeSearchPath cfg.luaModules} & waitPID=$! ''; }; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 1404231f837..3048cd02683 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -244,6 +244,13 @@ in "ati_unfree" "amdgpu" "amdgpu-pro" "nv" "nvidia" "nvidiaLegacy340" "nvidiaLegacy304" ]; + # TODO(@oxij): think how to easily add the rest, like those nvidia things + relatedPackages = concatLists + (mapAttrsToList (n: v: + optional (hasPrefix "xf86video" n) { + path = [ "xorg" n ]; + title = removePrefix "xf86video" n; + }) pkgs.xorg); description = '' The names of the video drivers the configuration supports. They will be tried in order until one that diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index de735e9ba11..c54cfd4e1aa 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -414,12 +414,15 @@ in ${packages.zfsUser}/sbin/zfs set nixos:shutdown-time="$(date)" "${pool}" ''; }; + createZfsService = serv: + nameValuePair serv { + after = [ "systemd-modules-load.service" ]; + wantedBy = [ "zfs.target" ]; + }; - in listToAttrs (map createImportService dataPools ++ map createSyncService allPools) // { - "zfs-mount" = { after = [ "systemd-modules-load.service" ]; }; - "zfs-share" = { after = [ "systemd-modules-load.service" ]; }; - "zfs-zed" = { after = [ "systemd-modules-load.service" ]; }; - }; + in listToAttrs (map createImportService dataPools ++ + map createSyncService allPools ++ + map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]); systemd.targets."zfs-import" = let diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index cb756842f36..dd2108ccc37 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -2,13 +2,13 @@ with lib; let - diskSize = 30720; + diskSize = 2048; in { system.build.azureImage = import ../../lib/make-disk-image.nix { name = "azure-image"; postVM = '' - ${pkgs.vmTools.qemu-220}/bin/qemu-img convert -f raw -o subformat=fixed -O vpc $diskImage $out/disk.vhd + ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -o subformat=fixed,force_size -O vpc $diskImage $out/disk.vhd ''; configFile = ./azure-config-user.nix; format = "raw"; diff --git a/nixos/modules/virtualisation/azure-qemu-220-no-etc-install.patch b/nixos/modules/virtualisation/azure-qemu-220-no-etc-install.patch deleted file mode 100644 index 81d29feea3d..00000000000 --- a/nixos/modules/virtualisation/azure-qemu-220-no-etc-install.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/Makefile b/Makefile -index d6b9dc1..ce7c493 100644 ---- a/Makefile -+++ b/Makefile -@@ -384,8 +384,7 @@ install-confdir: - install-sysconfig: install-datadir install-confdir - $(INSTALL_DATA) $(SRC_PATH)/sysconfigs/target/target-x86_64.conf "$(DESTDIR)$(qemu_confdir)" - --install: all $(if $(BUILD_DOCS),install-doc) install-sysconfig \ --install-datadir install-localstatedir -+install: all $(if $(BUILD_DOCS),install-doc) install-datadir - ifneq ($(TOOLS),) - $(call install-prog,$(TOOLS),$(DESTDIR)$(bindir)) - endif diff --git a/nixos/tests/morty.nix b/nixos/tests/morty.nix index e052ee98806..0a5324259ad 100644 --- a/nixos/tests/morty.nix +++ b/nixos/tests/morty.nix @@ -22,9 +22,9 @@ import ./make-test.nix ({ pkgs, ... }: testScript = { nodes , ... }: '' - startAll; + $mortyProxyWithKey->waitForUnit("default.target"); - $mortyProxyWithKey->waitForUnit("morty"); + $mortyProxyWithKey->waitForOpenPort(3001); $mortyProxyWithKey->succeed("curl -L 127.0.0.1:3001 | grep MortyProxy"); ''; |