Diffstat (limited to 'nixos')
17 files changed, 346 insertions, 26 deletions
diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index 9cea2db610e..f1e1568c034 100644 --- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -392,7 +392,11 @@ <filename>hardware-configuration.nix</filename> is included from <filename>configuration.nix</filename> and will be overwritten by future invocations of <command>nixos-generate-config</command>; thus, you - generally should not modify it.) + generally should not modify it.) Additionally, you may want to look at + <link xlink:href="https://github.com/NixOS/nixos-hardware">Hardware + configuration for known-hardware</link> at this point or after + installation. + </para> <note> <para> diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 5b7f391ed5a..fb8453f1d53 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -567,7 +567,6 @@ ./services/networking/bird.nix ./services/networking/bitlbee.nix ./services/networking/charybdis.nix - ./services/networking/chrony.nix ./services/networking/cjdns.nix ./services/networking/cntlm.nix ./services/networking/connman.nix @@ -650,14 +649,15 @@ ./services/networking/nntp-proxy.nix ./services/networking/nsd.nix ./services/networking/ntopng.nix - ./services/networking/ntpd.nix + ./services/networking/ntp/chrony.nix + ./services/networking/ntp/ntpd.nix + ./services/networking/ntp/openntpd.nix ./services/networking/nullidentdmod.nix ./services/networking/nylon.nix ./services/networking/ocserv.nix ./services/networking/ofono.nix ./services/networking/oidentd.nix ./services/networking/openfire.nix - ./services/networking/openntpd.nix ./services/networking/openvpn.nix ./services/networking/ostinato.nix ./services/networking/owamp.nix diff --git a/nixos/modules/programs/mtr.nix b/nixos/modules/programs/mtr.nix index 1fdec4c04f6..75b710c1584 100644 --- a/nixos/modules/programs/mtr.nix +++ b/nixos/modules/programs/mtr.nix 
@@ -4,6 +4,7 @@ with lib; let cfg = config.programs.mtr; + in { options = { programs.mtr = { @@ -15,13 +16,22 @@ in { setcap wrapper for it. ''; }; + + package = mkOption { + type = types.package; + default = pkgs.mtr; + description = '' + The package to use. + ''; + }; }; }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ mtr ]; + environment.systemPackages = with pkgs; [ cfg.package ]; + security.wrappers.mtr-packet = { - source = "${pkgs.mtr}/bin/mtr-packet"; + source = "${cfg.package}/bin/mtr-packet"; capabilities = "cap_net_raw+p"; }; }; diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index 11dd5cb48db..e917209f3d1 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -6,16 +6,35 @@ let cfg = config.services.mailman; - pythonEnv = pkgs.python3.withPackages (ps: [ps.mailman]); + mailmanPyEnv = pkgs.python3.withPackages (ps: with ps; [mailman mailman-hyperkitty]); mailmanExe = with pkgs; stdenv.mkDerivation { name = "mailman-" + python3Packages.mailman.version; + buildInputs = [makeWrapper]; unpackPhase = ":"; installPhase = '' mkdir -p $out/bin - sed >"$out/bin/mailman" <"${pythonEnv}/bin/mailman" \ - -e "2 iexport MAILMAN_CONFIG_FILE=/etc/mailman.cfg" - chmod +x $out/bin/mailman + makeWrapper ${mailmanPyEnv}/bin/mailman $out/bin/mailman \ + --set MAILMAN_CONFIG_FILE /etc/mailman.cfg + ''; + }; + + mailmanWeb = pkgs.python3Packages.mailman-web.override { + serverEMail = cfg.siteOwner; + archiverKey = cfg.hyperkittyApiKey; + allowedHosts = cfg.webHosts; + }; + + mailmanWebPyEnv = pkgs.python3.withPackages (x: with x; [mailman-web]); + + mailmanWebExe = with pkgs; stdenv.mkDerivation { + inherit (mailmanWeb) name; + buildInputs = [makeWrapper]; + unpackPhase = ":"; + installPhase = '' + mkdir -p $out/bin + makeWrapper ${mailmanWebPyEnv}/bin/django-admin $out/bin/mailman-web \ + --set DJANGO_SETTINGS_MODULE settings ''; }; 
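Review bot: The new `package` option's description (`The package to use.`) does not say that `${cfg.package}/bin/mtr-packet` is installed as a setcap wrapper carrying `cap_net_raw+p`, so someone pointing the option at their own build should be told they are granting that binary a capability; suggest `description = "The mtr package to use; its mtr-packet binary is installed as a setcap wrapper with cap_net_raw."`. The `with pkgs;` on the systemPackages line is now unused because the list only contains `cfg.package`, so `environment.systemPackages = [ cfg.package ];` reads cleaner.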
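Review bot: `archiverKey = cfg.hyperkittyApiKey` in the `mailmanWeb` override bakes the shared secret into a store path, and `mailmanHyperkittyCfg`, written with `pkgs.writeText` in the following hunk, does the same, so the key ends up world-readable under /nix/store twice. The option description added later admits this, but a defensive alternative is to accept a file path (e.g. a `hyperkittyApiKeyFile` option) and render the configuration into the unit's state directory at start-up, which keeps the key out of the store. Separately, `inherit (mailmanWeb) name;` gives the `mailmanWebExe` wrapper derivation the same store name as the package it wraps, which makes the two hard to tell apart in store listings; a distinct name such as `"mailman-web-wrapper"` would help.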
@@ -28,11 +47,30 @@ let bin_dir: ${pkgs.python3Packages.mailman}/bin var_dir: /var/lib/mailman queue_dir: $var_dir/queue + template_dir: $var_dir/templates log_dir: $var_dir/log lock_dir: $var_dir/lock etc_dir: /etc ext_dir: $etc_dir/mailman.d pid_file: /run/mailman/master.pid + '' + optionalString (cfg.hyperkittyApiKey != null) '' + [archiver.hyperkitty] + class: mailman_hyperkitty.Archiver + enable: yes + configuration: ${pkgs.writeText "mailman-hyperkitty.cfg" mailmanHyperkittyCfg} + ''; + + mailmanHyperkittyCfg = '' + [general] + # This is your HyperKitty installation, preferably on the localhost. This + # address will be used by Mailman to forward incoming emails to HyperKitty + # for archiving. It does not need to be publicly available, in fact it's + # better if it is not. + base_url: ${cfg.hyperkittyBaseUrl} + + # Shared API key, must be the identical to the value in HyperKitty's + # settings. + api_key: ${cfg.hyperkittyApiKey} ''; in { @@ -51,7 +89,7 @@ in { siteOwner = mkOption { type = types.str; - default = "postmaster"; + default = "postmaster@example.org"; description = '' Certain messages that must be delivered to a human, but which can't be delivered to a list owner (e.g. a bounce from a list owner), will 
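Review bot: The new `siteOwner` default `"postmaster@example.org"` points at a reserved documentation domain, so unless the administrator overrides it, bounces and other human-directed mail are sent to an address that can never be delivered. The option description should say so; suggest appending `The default is a placeholder and must be replaced with a deliverable address for the site.` to it. Deriving the default from the host's mail domain would be nicer if the module has access to one.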
@@ -59,6 +97,48 @@ in { ''; }; + webRoot = mkOption { + type = types.path; + default = "${mailmanWeb}/${pkgs.python3.sitePackages}"; + defaultText = "pkgs.python3Packages.mailman-web"; + description = '' + The web root for the Hyperkity + Postorius apps provided by Mailman. + This variable can be set, of course, but it mainly exists so that site + admins can refer to it in their own hand-written httpd configuration files. + ''; + }; + + webHosts = mkOption { + type = types.listOf types.str; + default = []; + description = '' + The list of hostnames and/or IP addresses from which the Mailman Web + UI will accept requests. By default, "localhost" and "127.0.0.1" are + enabled. All additional names under which your web server accepts + requests for the UI must be listed here or incoming requests will be + rejected. + ''; + }; + + hyperkittyBaseUrl = mkOption { + type = types.str; + default = "http://localhost/hyperkitty/"; + description = '' + Where can Mailman connect to Hyperkitty's internal API, preferably on + localhost? + ''; + }; + + hyperkittyApiKey = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The shared secret used to authenticate Mailman's internal + communication with Hyperkitty. Must be set to enable support for the + Hyperkitty archiver. Note that this secret is going to be visible to + all local users in the Nix store. + ''; + }; }; }; 
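Review bot: The `webHosts` description claims "localhost" and "127.0.0.1" are enabled by default, yet the option's `default = []` and nothing in this module adds them; if that behaviour comes from the `mailman-web` package's `allowedHosts` override it should be stated explicitly, otherwise the sentence is misleading. `webRoot` has `defaultText = "pkgs.python3Packages.mailman-web"` while the actual default is `${mailmanWeb}/${pkgs.python3.sitePackages}`, i.e. a site-packages directory inside an overridden build, so the rendered manual will show the wrong value, and its description misspells "Hyperkity". Suggest `defaultText = "\${pkgs.python3Packages.mailman-web}/\${pkgs.python3.sitePackages}"` and `The web root for the Hyperkitty + Postorius apps provided by Mailman.`.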
@@ -71,25 +151,22 @@ in { { assertion = cfg.enable -> config.services.postfix.enable; message = "Mailman requires Postfix"; } - { assertion = config.services.postfix.recipientDelimiter == "+"; - message = "Postfix's recipientDelimiter must be set to '+'."; - } ]; users.users.mailman = { description = "GNU Mailman"; isSystemUser = true; }; environment = { - systemPackages = [ mailmanExe ]; + systemPackages = [ mailmanExe mailmanWebExe pkgs.sassc ]; etc."mailman.cfg".text = mailmanCfg; }; services.postfix = { relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; + recipientDelimiter = "+"; # bake recipient addresses in mail envelopes via VERP config = { transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; - # Mailman uses recipient delimiters, so we don't need special handling. - owner_request_special = "no"; + owner_request_special = "no"; # Mailman handles -owner addresses on its own }; }; 
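Review bot: `pkgs.sassc` is added to `environment.systemPackages`, which puts it into every user's PATH, although the only consumer visible in this commit appears to be the `mailman-web compress` step of the `mailman-web` unit in the next hunk; `path = [ pkgs.sassc ];` on that unit scopes it to where it is used. The new `recipientDelimiter = "+";` is a plain definition rather than `mkDefault`, which is fine since Mailman requires it, but a configuration that sets a different delimiter will now surface as a generic conflicting-definition evaluation error instead of the removed assertion's message; a comment such as `# must be "+": Mailman relies on it, and a conflicting user value is an evaluation error` would make that intentional.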
@@ -109,6 +186,112 @@ in { }; }; + systemd.services.mailman-web = { + description = "Init Postorius DB"; + before = [ "httpd.service" ]; + requiredBy = [ "httpd.service" ]; + script = '' + ${mailmanWebExe}/bin/mailman-web migrate + rm -rf static + ${mailmanWebExe}/bin/mailman-web collectstatic + ${mailmanWebExe}/bin/mailman-web compress + ''; + serviceConfig = { + User = config.services.httpd.user; + Type = "oneshot"; + StateDirectory = "mailman-web"; + StateDirectoryMode = "0700"; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + + systemd.services.mailman-daily = { + description = "Trigger daily Mailman events"; + startAt = "daily"; + serviceConfig = { + ExecStart = "${mailmanExe}/bin/mailman digests --send"; + User = "mailman"; + }; + }; + + systemd.services.hyperkitty = { + enable = cfg.hyperkittyApiKey != null; + description = "GNU Hyperkitty QCluster Process"; + after = [ "network.target" ]; + wantedBy = [ "mailman.service" "multi-user.target" ]; + serviceConfig = { + ExecStart = "${mailmanWebExe}/bin/mailman-web qcluster"; + User = config.services.httpd.user; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + + systemd.services.hyperkitty-minutely = { + enable = cfg.hyperkittyApiKey != null; + description = "Trigger minutely Hyperkitty events"; + startAt = "minutely"; + serviceConfig = { + ExecStart = "${mailmanWebExe}/bin/mailman-web runjobs minutely"; + User = config.services.httpd.user; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + + systemd.services.hyperkitty-quarter-hourly = { + enable = cfg.hyperkittyApiKey != null; + description = "Trigger quarter-hourly Hyperkitty events"; + startAt = "*:00/15"; + serviceConfig = { + ExecStart = "${mailmanWebExe}/bin/mailman-web runjobs quarter_hourly"; + User = config.services.httpd.user; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + + systemd.services.hyperkitty-hourly = { + enable = cfg.hyperkittyApiKey != null; + description = "Trigger hourly Hyperkitty events"; + startAt = 
"hourly"; + serviceConfig = { + ExecStart = "${mailmanWebExe}/bin/mailman-web runjobs hourly"; + User = config.services.httpd.user; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + + systemd.services.hyperkitty-daily = { + enable = cfg.hyperkittyApiKey != null; + description = "Trigger daily Hyperkitty events"; + startAt = "daily"; + serviceConfig = { + ExecStart = "${mailmanWebExe}/bin/mailman-web runjobs daily"; + User = config.services.httpd.user; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + + systemd.services.hyperkitty-weekly = { + enable = cfg.hyperkittyApiKey != null; + description = "Trigger weekly Hyperkitty events"; + startAt = "weekly"; + serviceConfig = { + ExecStart = "${mailmanWebExe}/bin/mailman-web runjobs weekly"; + User = config.services.httpd.user; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + + systemd.services.hyperkitty-yearly = { + enable = cfg.hyperkittyApiKey != null; + description = "Trigger yearly Hyperkitty events"; + startAt = "yearly"; + serviceConfig = { + ExecStart = "${mailmanWebExe}/bin/mailman-web runjobs yearly"; + User = config.services.httpd.user; + WorkingDirectory = "/var/lib/mailman-web"; + }; + }; + }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index b69310c34ff..84486aa98a4 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -34,6 +34,7 @@ let "node" "postfix" "postgres" + "rspamd" "snmp" "surfboard" "tor" 
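Review bot: The `hyperkitty` qcluster unit and the six `hyperkitty-*` runjobs units all work in /var/lib/mailman-web but declare no ordering on `mailman-web.service`, the oneshot that runs `migrate` and creates the state directory, so on a fresh system their timers or `multi-user.target` can start them before the database exists. Give them `after`/`requires` on `mailman-web.service` and set `RemainAfterExit = true` on the oneshot so that `Requires=` from the periodic units does not re-run migrate/collectstatic/compress each time a timer fires. The six runjobs units are copies differing only in unit name, `startAt` and the `runjobs` argument, and can be generated from a list with `listToAttrs`/`nameValuePair` (lib is already used unqualified in this module), as sketched below. All of these units run as `config.services.httpd.user`, so the web-server account owns and can rewrite the Mailman web database and static tree; if that is intentional it deserves a comment. The enclosing `config = mkIf cfg.enable { … }` block starts before this hunk.
```nix
  systemd.services = {
    mailman-web = {
      # … unchanged: description, before/requiredBy, script …
      serviceConfig = {
        User = config.services.httpd.user;
        Type = "oneshot";
        RemainAfterExit = true; # keep the unit active so Requires= does not re-run migrate
        # … unchanged: StateDirectory, StateDirectoryMode, WorkingDirectory …
      };
    };
    # … unchanged: mailman-daily …
    hyperkitty = {
      enable = cfg.hyperkittyApiKey != null;
      description = "GNU Hyperkitty QCluster Process";
      after = [ "network.target" "mailman-web.service" ];
      requires = [ "mailman-web.service" ];
      wantedBy = [ "mailman.service" "multi-user.target" ];
      # … unchanged: serviceConfig …
    };
  } // listToAttrs (map (job: nameValuePair "hyperkitty-${job.unit}" {
    enable = cfg.hyperkittyApiKey != null;
    description = "Trigger ${job.unit} Hyperkitty events";
    startAt = job.startAt;
    after = [ "mailman-web.service" ];
    requires = [ "mailman-web.service" ];
    serviceConfig = {
      ExecStart = "${mailmanWebExe}/bin/mailman-web runjobs ${job.name}";
      User = config.services.httpd.user;
      WorkingDirectory = "/var/lib/mailman-web";
    };
  }) [
    { unit = "minutely";       startAt = "minutely"; name = "minutely"; }
    { unit = "quarter-hourly"; startAt = "*:00/15";  name = "quarter_hourly"; }
    { unit = "hourly";         startAt = "hourly";   name = "hourly"; }
    { unit = "daily";          startAt = "daily";    name = "daily"; }
    { unit = "weekly";         startAt = "weekly";   name = "weekly"; }
    { unit = "yearly";         startAt = "yearly";   name = "yearly"; }
  ]);
```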
@@ -193,6 +194,8 @@ in services.prometheus.exporters.minio.minioAddress = mkDefault "http://localhost:9000"; services.prometheus.exporters.minio.minioAccessKey = mkDefault config.services.minio.accessKey; services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey; + })] ++ [(mkIf config.services.rspamd.enable { + services.prometheus.exporters.rspamd.url = mkDefault "http://localhost:11334/stat"; })] ++ (mapAttrsToList (name: conf: mkExporterConf { inherit name; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix b/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix new file mode 100644 index 00000000000..1f02ae20724 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix 
@@ -0,0 +1,92 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.rspamd; + + prettyJSON = conf: + pkgs.runCommand "rspamd-exporter-config.yml" { } '' + echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq '.' > $out + ''; + + generateConfig = extraLabels: (map (path: { + name = "rspamd_${replaceStrings [ "." " " ] [ "_" "_" ] path}"; + path = "$.${path}"; + labels = extraLabels; + }) [ + "actions.'add header'" + "actions.'no action'" + "actions.'rewrite subject'" + "actions.'soft reject'" + "actions.greylist" + "actions.reject" + "bytes_allocated" + "chunks_allocated" + "chunks_freed" + "chunks_oversized" + "connections" + "control_connections" + "ham_count" + "learned" + "pools_allocated" + "pools_freed" + "read_only" + "scanned" + "shared_chunks_allocated" + "spam_count" + "total_learns" + ]) ++ [{ + name = "rspamd_statfiles"; + type = "object"; + path = "$.statfiles[*]"; + labels = recursiveUpdate { + symbol = "$.symbol"; + type = "$.type"; + } extraLabels; + values = { + revision = "$.revision"; + size = "$.size"; + total = "$.total"; + used = "$.used"; + languages = "$.languages"; + users = "$.users"; + }; + }]; +in +{ + port = 7980; + extraOpts = { + listenAddress = {}; # not used + + url = mkOption { + type = types.str; + description = '' + URL to the rspamd metrics endpoint. + Defaults to http://localhost:11334/stat when + <option>services.rspamd.enable</option> is true. 
+ ''; + }; + + extraLabels = mkOption { + type = types.attrsOf types.str; + default = { + host = config.networking.hostName; + }; + defaultText = "{ host = config.networking.hostName; }"; + example = literalExample '' + { + host = config.networking.hostName; + custom_label = "some_value"; + } + ''; + description = "Set of labels added to each metric."; + }; + }; + serviceOpts.serviceConfig.ExecStart = '' + ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \ + --port ${toString cfg.port} \ + ${cfg.url} ${prettyJSON (generateConfig cfg.extraLabels)} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; +} diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix index 77f70257700..c74476c7a15 100644 --- a/nixos/modules/services/networking/chrony.nix +++ b/nixos/modules/services/networking/ntp/chrony.nix @@ -9,11 +9,11 @@ let keyFile = "${stateDir}/chrony.keys"; configFile = pkgs.writeText "chrony.conf" '' - ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers} + ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers} ${optionalString (cfg.initstepslew.enabled && (cfg.servers != [])) - "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}" + "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.servers}" } driftfile ${stateDir}/chrony.drift @@ -24,7 +24,7 @@ let ${cfg.extraConfig} ''; - chronyFlags = "-m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; + chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; in { options = { @@ -48,7 +48,6 @@ in default = { enabled = true; threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s) - servers = cfg.servers; }; description = '' Allow chronyd to make a rapid measurement of the system clock error at 
@@ -76,6 +75,8 @@ in }; config = mkIf cfg.enable { + meta.maintainers = with lib.maintainers; [ thoughtpolice ]; + environment.systemPackages = [ pkgs.chrony ]; users.groups = singleton @@ -115,7 +116,7 @@ in unitConfig.ConditionCapability = "CAP_SYS_TIME"; serviceConfig = - { Type = "forking"; + { Type = "simple"; ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}"; ProtectHome = "yes"; diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix index 588d1c6edb0..1197c84f045 100644 --- a/nixos/modules/services/networking/ntpd.nix +++ b/nixos/modules/services/networking/ntp/ntpd.nix @@ -96,6 +96,7 @@ in ###### implementation config = mkIf config.services.ntp.enable { + meta.maintainers = with lib.maintainers; [ thoughtpolice ]; # Make tools such as ntpq available in the system path. environment.systemPackages = [ pkgs.ntp ]; diff --git a/nixos/modules/services/networking/openntpd.nix b/nixos/modules/services/networking/ntp/openntpd.nix index f3920aa8064..471d15b1687 100644 --- a/nixos/modules/services/networking/openntpd.nix +++ b/nixos/modules/services/networking/ntp/openntpd.nix @@ -52,6 +52,7 @@ in ###### implementation config = mkIf cfg.enable { + meta.maintainers = with lib.maintainers; [ thoughtpolice ]; services.timesyncd.enable = mkForce false; # Add ntpctl to the environment for status checking diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index f220669c910..1e7882488ac 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix @@ -216,7 +216,6 @@ in index index.html index.php; gzip on; - gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; diff --git a/nixos/modules/services/web-apps/zabbix.nix b/nixos/modules/services/web-apps/zabbix.nix index dac243b20e9..09538726b7c 100644 --- a/nixos/modules/services/web-apps/zabbix.nix +++ b/nixos/modules/services/web-apps/zabbix.nix 
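Review bot: `meta.maintainers = with lib.maintainers; [ thoughtpolice ];` is placed inside `config = mkIf cfg.enable { … }`, so the maintainer entry only exists when the service is enabled; the ntpd and openntpd hunks below have the same placement. `meta` is module metadata rather than service configuration and is conventionally set at the top level of the module next to `options`, which also keeps it out of the conditional. The enclosing `config` block of each of these hunks starts before the hunk.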
@@ -179,7 +179,7 @@ in '' + optionalString (cfg.database.type == "oracle") '' extension=${pkgs.phpPackages.oci8}/lib/php/extensions/oci8.so ''; - phpEnv.ZABBIX_CONFIG = zabbixConfig; + phpEnv.ZABBIX_CONFIG = "${zabbixConfig}"; settings = { "listen.owner" = config.services.httpd.user; "listen.group" = config.services.httpd.group; @@ -197,7 +197,7 @@ in <Directory "${cfg.package}/share/zabbix"> <FilesMatch "\.php$"> <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.listen}|fcgi://localhost/" + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" </If> </FilesMatch> AllowOverride all diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index b94b338fd4a..e597f34700a 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -94,7 +94,6 @@ let ${optionalString (cfg.recommendedGzipSettings) '' gzip on; - gzip_disable "msie6"; gzip_proxied any; gzip_comp_level 5; gzip_types diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 71df4e8f0a4..30c5250221c 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -240,6 +240,8 @@ in services.avahi.enable = mkDefault true; + xdg.portal.extraPortals = [ pkgs.gnome3.gnome-shell ]; + services.geoclue2.enable = mkDefault true; services.geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent diff --git a/nixos/tests/plasma5.nix b/nixos/tests/plasma5.nix index 788c8719c8d..88d4ff33436 100644 --- a/nixos/tests/plasma5.nix +++ b/nixos/tests/plasma5.nix 
@@ -30,6 +30,7 @@ import ./make-test.nix ({ pkgs, ...} : enable = true; user = "alice"; }; + hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then virtualisation.memorySize = 1024; environment.systemPackages = [ sddm_theme ]; }; diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 02d83f82f33..9826b56b74d 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -297,6 +297,22 @@ let ''; }; + rspamd = { + exporterConfig = { + enable = true; + }; + metricProvider = { + services.rspamd.enable = true; + }; + exporterTest = '' + waitForUnit("rspamd.service"); + waitForUnit("prometheus-rspamd-exporter.service"); + waitForOpenPort(11334); + waitForOpenPort(7980); + waitUntilSucceeds("curl -sSf localhost:7980/metrics | grep -q 'rspamd_scanned{host=\"rspamd\"} 0'"); + ''; + }; + snmp = { exporterConfig = { enable = true; diff --git a/nixos/tests/xfce.nix b/nixos/tests/xfce.nix index 12d8a050d47..6cb4fae2021 100644 --- a/nixos/tests/xfce.nix +++ b/nixos/tests/xfce.nix @@ -17,6 +17,10 @@ import ./make-test.nix ({ pkgs, ...} : { services.xserver.desktopManager.xfce.enable = true; environment.systemPackages = [ pkgs.xorg.xmessage ]; + + hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then + + virtualisation.memorySize = 1024; }; testScript = diff --git a/nixos/tests/xfce4-14.nix b/nixos/tests/xfce4-14.nix index d9b10aabaa1..94378f0c8d3 100644 --- a/nixos/tests/xfce4-14.nix +++ b/nixos/tests/xfce4-14.nix @@ -12,6 +12,10 @@ import ./make-test.nix ({ pkgs, ...} : { services.xserver.displayManager.auto.user = "alice"; services.xserver.desktopManager.xfce4-14.enable = true; + + hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then + + virtualisation.memorySize = 1024; }; testScript = |