From 2e0542ebacb2b8cb938d848ab743ca9df702f56e Mon Sep 17 00:00:00 2001
From: Pavol Rusnak
Date: Sun, 21 Jun 2020 23:55:14 +0200
Subject: seeks: remove, upstream unmaintained
---
nixos/modules/misc/ids.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'nixos/modules/misc/ids.nix')
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 3409e7ba22e..4615d9b04ab 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -184,7 +184,7 @@ in
 consul = 145;
 mailpile = 146;
 redmine = 147;
- seeks = 148;
+ #seeks = 148; # removed 2020-06-21
 prosody = 149;
 i2pd = 150;
 systemd-network = 152;
@@ -496,7 +496,7 @@ in
 #consul = 145; # unused
 mailpile = 146;
 redmine = 147;
- seeks = 148;
+ #seeks = 148; # removed 2020-06-21
 prosody = 149;
 i2pd = 150;
 systemd-network = 152;
--
cgit 1.4.1
From 937359fcf1e4b6ed826aba34179ab714377546da Mon Sep 17 00:00:00 2001
From: Cole Helbling
Date: Thu, 24 Sep 2020 13:28:52 -0700
Subject: nixos/update-users-groups: /etc/shadow owned by root:shadow
---
nixos/modules/config/update-users-groups.pl | 6 ++++++
nixos/modules/config/users-groups.nix | 1 +
nixos/modules/misc/ids.nix | 2 ++
3 files changed, 9 insertions(+)
(limited to 'nixos/modules/misc/ids.nix')
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index e1c7a46e430..e220aa61090 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -281,6 +281,12 @@ foreach my $u (values %usersOut) {
 }
 updateFile("/etc/shadow", \@shadowNew, 0600);
+{
+ my $uid = getpwnam "root";
+ my $gid = getgrnam "shadow";
+ my $path = "/etc/shadow";
+ chown($uid, $gid, $path) || die "Failed to change ownership of $path: $!";
+}
 # Rewrite /etc/subuid & /etc/subgid to include default container mappings
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 0ab303d0ae4..1bb1317a8e8 100644
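Review bot: `chown($uid, $gid, $path)` never checks that `getgrnam "shadow"` actually resolved; if the group is not visible through NSS at this point (for example a stale nscd view before the newly declared `shadow` group is picked up), `$gid` is undef, numifies to 0 under a mere warning, and /etc/shadow is silently chowned to root:root instead of the activation failing. Add `defined $gid or die "group 'shadow' not found";` (and the equivalent for `$uid`) before the `chown`, so a misconfiguration is loud rather than a quiet ownership change on the password database. As a point of style, the low-precedence form `chown($uid, $gid, $path) or die "..."` is the conventional Perl idiom for this chain; `||` only works here because of the parentheses. The surrounding script continues outside the hunk.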
--- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -537,6 +537,7 @@ in { input.gid = ids.gids.input; kvm.gid = ids.gids.kvm; render.gid = ids.gids.render; + shadow.gid = ids.gids.shadow; }; system.activationScripts.users = stringAfter [ "stdio" ] diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 3fabe8b42c9..81d5d04fa5e 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -346,6 +346,7 @@ in paperless = 315; #mailman = 316; # removed 2019-08-30 zigbee2mqtt = 317; + # shadow = 318; # unused # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -647,6 +648,7 @@ in paperless = 315; #mailman = 316; # removed 2019-08-30 zigbee2mqtt = 317; + shadow = 318; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal -- cgit 1.4.1 From 6c39180b3784b543272b6056b8d92d402b1085cf Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 17 Oct 2020 17:59:45 -0400 Subject: nixos/pdns-recursor: declare module user as system user --- nixos/modules/misc/ids.nix | 2 +- nixos/modules/services/networking/pdns-recursor.nix | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 81d5d04fa5e..cd21a1609c9 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -297,7 +297,7 @@ in headphones = 266; couchpotato = 267; gogs = 268; - pdns-recursor = 269; + #pdns-recursor = 269; # dynamically allocated as of 2020-20-18 #kresd = 270; # switched to "knot-resolver" with dynamic ID rpc = 271; geoip = 272; diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index adbc7661f65..a326eccfd65 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix 
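Review bot: The date in the new comment `#pdns-recursor = 269; # dynamically allocated as of 2020-20-18` is not a valid date (there is no month 20); given the commit date it presumably means 2020-10-17 or 2020-10-18, so the line should read e.g. `#pdns-recursor = 269; # dynamically allocated as of 2020-10-17`. The neighbouring entries in this file (`#haproxy = 97; # dynamically allocated as of 2020-03-11`, `#mailman = 316; # removed 2019-08-30`) use ISO dates, and a malformed one defeats anyone auditing by date when an id was released for reuse.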
@@ -189,7 +189,6 @@ in { users.users.pdns-recursor = { isSystemUser = true; group = "pdns-recursor"; - uid = config.ids.uids.pdns-recursor; description = "PowerDNS Recursor daemon user"; }; -- cgit 1.4.1 From 63caecee7d9a77ae9a645d269bca06981f7666bf Mon Sep 17 00:00:00 2001 From: Thomas Depierre Date: Wed, 14 Oct 2020 14:59:42 +0200 Subject: riak-cs: delete --- nixos/doc/manual/release-notes/rl-2103.xml | 10 ++ nixos/modules/misc/ids.nix | 8 +- nixos/modules/module-list.nix | 2 - nixos/modules/services/databases/riak-cs.nix | 202 ------------------------- nixos/modules/services/databases/stanchion.nix | 194 ------------------------ pkgs/servers/nosql/riak-cs/2.1.1.nix | 70 --------- pkgs/servers/nosql/riak-cs/stanchion.nix | 65 -------- pkgs/top-level/aliases.nix | 2 + pkgs/top-level/all-packages.nix | 10 -- 9 files changed, 16 insertions(+), 547 deletions(-) delete mode 100644 nixos/modules/services/databases/riak-cs.nix delete mode 100644 nixos/modules/services/databases/stanchion.nix delete mode 100644 pkgs/servers/nosql/riak-cs/2.1.1.nix delete mode 100644 pkgs/servers/nosql/riak-cs/stanchion.nix (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 374ea1cbd16..44c81cd673d 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -109,6 +109,16 @@ /var/lib/powerdns to /run/pdns. + + + riak-cs package removed along with services.riak-cs module. + + + + + stanchion package removed along with services.stanchion module. + + diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index cd21a1609c9..c24150bba70 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix 
@@ -290,8 +290,8 @@ in hound = 259; leaps = 260; ipfs = 261; - stanchion = 262; - riak-cs = 263; + # stanchion = 262; # unused, removed 2020-10-14 + # riak-cs = 263; # unused, removed 2020-10-14 infinoted = 264; sickbeard = 265; headphones = 266; @@ -593,8 +593,8 @@ in hound = 259; leaps = 260; ipfs = 261; - stanchion = 262; - riak-cs = 263; + # stanchion = 262; # unused, removed 2020-10-14 + # riak-cs = 263; # unused, removed 2020-10-14 infinoted = 264; sickbeard = 265; headphones = 266; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index aa3b71a6124..69954f04ade 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -296,8 +296,6 @@ ./services/databases/postgresql.nix ./services/databases/redis.nix ./services/databases/riak.nix - ./services/databases/riak-cs.nix - ./services/databases/stanchion.nix ./services/databases/victoriametrics.nix ./services/databases/virtuoso.nix ./services/desktops/accountsservice.nix diff --git a/nixos/modules/services/databases/riak-cs.nix b/nixos/modules/services/databases/riak-cs.nix deleted file mode 100644 index fa6ac886331..00000000000 --- a/nixos/modules/services/databases/riak-cs.nix +++ /dev/null 
@@ -1,202 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.riak-cs; - -in - -{ - - ###### interface - - options = { - - services.riak-cs = { - - enable = mkEnableOption "riak-cs"; - - package = mkOption { - type = types.package; - default = pkgs.riak-cs; - defaultText = "pkgs.riak-cs"; - example = literalExample "pkgs.riak-cs"; - description = '' - Riak package to use. - ''; - }; - - nodeName = mkOption { - type = types.str; - default = "riak-cs@127.0.0.1"; - description = '' - Name of the Erlang node. - ''; - }; - - anonymousUserCreation = mkOption { - type = types.bool; - default = false; - description = '' - Anonymous user creation. - ''; - }; - - riakHost = mkOption { - type = types.str; - default = "127.0.0.1:8087"; - description = '' - Name of riak hosting service. - ''; - }; - - listener = mkOption { - type = types.str; - default = "127.0.0.1:8080"; - description = '' - Name of Riak CS listening service. - ''; - }; - - stanchionHost = mkOption { - type = types.str; - default = "127.0.0.1:8085"; - description = '' - Name of stanchion hosting service. - ''; - }; - - stanchionSsl = mkOption { - type = types.bool; - default = true; - description = '' - Tell stanchion to use SSL. - ''; - }; - - distributedCookie = mkOption { - type = types.str; - default = "riak"; - description = '' - Cookie for distributed node communication. All nodes in the - same cluster should use the same cookie or they will not be able to - communicate. - ''; - }; - - dataDir = mkOption { - type = types.path; - default = "/var/db/riak-cs"; - description = '' - Data directory for Riak CS. - ''; - }; - - logDir = mkOption { - type = types.path; - default = "/var/log/riak-cs"; - description = '' - Log directory for Riak CS. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional text to be appended to riak-cs.conf. 
- ''; - }; - - extraAdvancedConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional text to be appended to advanced.config. - ''; - }; - }; - - }; - - ###### implementation - - config = mkIf cfg.enable { - - environment.systemPackages = [ cfg.package ]; - environment.etc."riak-cs/riak-cs.conf".text = '' - nodename = ${cfg.nodeName} - distributed_cookie = ${cfg.distributedCookie} - - platform_log_dir = ${cfg.logDir} - - riak_host = ${cfg.riakHost} - listener = ${cfg.listener} - stanchion_host = ${cfg.stanchionHost} - - anonymous_user_creation = ${if cfg.anonymousUserCreation then "on" else "off"} - - ${cfg.extraConfig} - ''; - - environment.etc."riak-cs/advanced.config".text = '' - ${cfg.extraAdvancedConfig} - ''; - - users.users.riak-cs = { - name = "riak-cs"; - uid = config.ids.uids.riak-cs; - group = "riak"; - description = "Riak CS server user"; - }; - - systemd.services.riak-cs = { - description = "Riak CS Server"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - path = [ - pkgs.utillinux # for `logger` - pkgs.bash - ]; - - environment.HOME = "${cfg.dataDir}"; - environment.RIAK_CS_DATA_DIR = "${cfg.dataDir}"; - environment.RIAK_CS_LOG_DIR = "${cfg.logDir}"; - environment.RIAK_CS_ETC_DIR = "/etc/riak"; - - preStart = '' - if ! test -e ${cfg.logDir}; then - mkdir -m 0755 -p ${cfg.logDir} - chown -R riak-cs ${cfg.logDir} - fi - - if ! test -e ${cfg.dataDir}; then - mkdir -m 0700 -p ${cfg.dataDir} - chown -R riak-cs ${cfg.dataDir} - fi - ''; - - serviceConfig = { - ExecStart = "${cfg.package}/bin/riak-cs console"; - ExecStop = "${cfg.package}/bin/riak-cs stop"; - StandardInput = "tty"; - User = "riak-cs"; - Group = "riak-cs"; - PermissionsStartOnly = true; - # Give Riak a decent amount of time to clean up. - TimeoutStopSec = 120; - LimitNOFILE = 65536; - }; - - unitConfig.RequiresMountsFor = [ - "${cfg.dataDir}" - "${cfg.logDir}" - "/etc/riak" - ]; - }; - }; -} 
diff --git a/nixos/modules/services/databases/stanchion.nix b/nixos/modules/services/databases/stanchion.nix deleted file mode 100644 index 97e55bc70c4..00000000000 --- a/nixos/modules/services/databases/stanchion.nix +++ /dev/null 
@@ -1,194 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.stanchion; - -in - -{ - - ###### interface - - options = { - - services.stanchion = { - - enable = mkEnableOption "stanchion"; - - package = mkOption { - type = types.package; - default = pkgs.stanchion; - defaultText = "pkgs.stanchion"; - example = literalExample "pkgs.stanchion"; - description = '' - Stanchion package to use. - ''; - }; - - nodeName = mkOption { - type = types.str; - default = "stanchion@127.0.0.1"; - description = '' - Name of the Erlang node. - ''; - }; - - adminKey = mkOption { - type = types.str; - default = ""; - description = '' - Name of admin user. - ''; - }; - - adminSecret = mkOption { - type = types.str; - default = ""; - description = '' - Name of admin secret - ''; - }; - - riakHost = mkOption { - type = types.str; - default = "127.0.0.1:8087"; - description = '' - Name of riak hosting service. - ''; - }; - - listener = mkOption { - type = types.str; - default = "127.0.0.1:8085"; - description = '' - Name of Riak CS listening service. - ''; - }; - - stanchionHost = mkOption { - type = types.str; - default = "127.0.0.1:8085"; - description = '' - Name of stanchion hosting service. - ''; - }; - - distributedCookie = mkOption { - type = types.str; - default = "riak"; - description = '' - Cookie for distributed node communication. All nodes in the - same cluster should use the same cookie or they will not be able to - communicate. - ''; - }; - - dataDir = mkOption { - type = types.path; - default = "/var/db/stanchion"; - description = '' - Data directory for Stanchion. - ''; - }; - - logDir = mkOption { - type = types.path; - default = "/var/log/stanchion"; - description = '' - Log directory for Stanchion. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional text to be appended to stanchion.conf. 
- ''; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - - environment.systemPackages = [ cfg.package ]; - - environment.etc."stanchion/advanced.config".text = '' - [{stanchion, []}]. - ''; - - environment.etc."stanchion/stanchion.conf".text = '' - listener = ${cfg.listener} - - riak_host = ${cfg.riakHost} - - ${optionalString (cfg.adminKey == "") "#"} admin.key=${optionalString (cfg.adminKey != "") cfg.adminKey} - ${optionalString (cfg.adminSecret == "") "#"} admin.secret=${optionalString (cfg.adminSecret != "") cfg.adminSecret} - - platform_bin_dir = ${pkgs.stanchion}/bin - platform_data_dir = ${cfg.dataDir} - platform_etc_dir = /etc/stanchion - platform_lib_dir = ${pkgs.stanchion}/lib - platform_log_dir = ${cfg.logDir} - - nodename = ${cfg.nodeName} - - distributed_cookie = ${cfg.distributedCookie} - - ${cfg.extraConfig} - ''; - - users.users.stanchion = { - name = "stanchion"; - uid = config.ids.uids.stanchion; - group = "stanchion"; - description = "Stanchion server user"; - }; - - users.groups.stanchion.gid = config.ids.gids.stanchion; - - systemd.tmpfiles.rules = [ - "d '${cfg.logDir}' - stanchion stanchion --" - "d '${cfg.dataDir}' 0700 stanchion stanchion --" - ]; - - systemd.services.stanchion = { - description = "Stanchion Server"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - path = [ - pkgs.utillinux # for `logger` - pkgs.bash - ]; - - environment.HOME = "${cfg.dataDir}"; - environment.STANCHION_DATA_DIR = "${cfg.dataDir}"; - environment.STANCHION_LOG_DIR = "${cfg.logDir}"; - environment.STANCHION_ETC_DIR = "/etc/stanchion"; - - serviceConfig = { - ExecStart = "${cfg.package}/bin/stanchion console"; - ExecStop = "${cfg.package}/bin/stanchion stop"; - StandardInput = "tty"; - User = "stanchion"; - Group = "stanchion"; - # Give Stanchion a decent amount of time to clean up. 
- TimeoutStopSec = 120; - LimitNOFILE = 65536; - }; - - unitConfig.RequiresMountsFor = [ - "${cfg.dataDir}" - "${cfg.logDir}" - "/etc/stanchion" - ]; - }; - }; -} diff --git a/pkgs/servers/nosql/riak-cs/2.1.1.nix b/pkgs/servers/nosql/riak-cs/2.1.1.nix deleted file mode 100644 index 4ebcbafde5d..00000000000 --- a/pkgs/servers/nosql/riak-cs/2.1.1.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ stdenv, lib, fetchurl, unzip, erlang, git, wget, which, pam -, Carbon ? null, Cocoa ? null }: - -stdenv.mkDerivation { - name = "riak_cs-2.1.1"; - - buildInputs = [ - which unzip erlang git wget - ] ++ lib.optionals stdenv.isDarwin [ Carbon Cocoa ] - ++ lib.optional stdenv.isLinux [ pam ]; - - src = fetchurl { - url = "https://s3.amazonaws.com/downloads.basho.com/riak-cs/2.1/2.1.1/riak-cs-2.1.1.tar.gz"; - sha256 = "115cac127aac6d759c1b429a52e0d18e491c0719a6530b1b88aa52c4efdbedd5"; - }; - - - postPatch = '' - sed -i deps/node_package/priv/base/env.sh \ - -e 's@{{platform_data_dir}}@''${RIAK_DATA_DIR:-/var/db/riak-cs}@' \ - -e 's@^RUNNER_SCRIPT_DIR=.*@RUNNER_SCRIPT_DIR='$out'/bin@' \ - -e 's@^RUNNER_BASE_DIR=.*@RUNNER_BASE_DIR='$out'@' \ - -e 's@^RUNNER_ETC_DIR=.*@RUNNER_ETC_DIR=''${RIAK_ETC_DIR:-/etc/riak-cs}@' \ - -e 's@^RUNNER_LOG_DIR=.*@RUNNER_LOG_DIR=''${RIAK_LOG_DIR:-/var/log}@' - - sed -i ./Makefile \ - -e 's@rel: deps compile@rel: deps compile-src@' - ''; - - preBuild = '' - patchShebangs . - ''; - - buildPhase = '' - runHook preBuild - - make locked-deps - make rel - - runHook postBuild - ''; - - doCheck = false; - - installPhase = '' - runHook preInstall - - mkdir $out - mv rel/riak-cs/etc rel/riak-cs/riak-etc - mkdir -p rel/riak-cs/etc - mv rel/riak-cs/riak-etc rel/riak-cs/etc/riak-cs - mv rel/riak-cs/* $out - - for prog in $out/bin/*; do - substituteInPlace $prog \ - --replace '. "`cd \`dirname $0\` && /bin/pwd`/../lib/env.sh"' \ - ". $out/lib/env.sh" - done - - runHook postInstall - ''; - - meta = with lib; { - description = "Dynamo inspired NoSQL DB by Basho with S3 compatibility"; - platforms = [ "x86_64-linux" "x86_64-darwin" ]; - license = licenses.asl20; - maintainers = with maintainers; [ mdaiter ]; - knownVulnerabilities = [ "CVE-2017-3163 - see https://github.com/NixOS/nixpkgs/issues/33876" ]; - }; -} 
diff --git a/pkgs/servers/nosql/riak-cs/stanchion.nix b/pkgs/servers/nosql/riak-cs/stanchion.nix deleted file mode 100644 index 5fe4ce45f84..00000000000 --- a/pkgs/servers/nosql/riak-cs/stanchion.nix +++ /dev/null @@ -1,65 +0,0 @@ -{ stdenv, lib, fetchurl, unzip, erlang, git, wget, which, pam -, Carbon ? null, Cocoa ? null }: - -stdenv.mkDerivation { - name = "stanchion-2.1.1"; - - buildInputs = [ - which unzip erlang git wget - ] ++ lib.optionals stdenv.isDarwin [ Carbon Cocoa ] - ++ lib.optional stdenv.isLinux [ pam ]; - - src = fetchurl { - url = "https://s3.amazonaws.com/downloads.basho.com/stanchion/2.1/2.1.1/stanchion-2.1.1.tar.gz"; - sha256 = "1443arwgg7qvlx3msyg99qvvhck7qxphdjslcp494i60fhr2g8ja"; - }; - - - postPatch = '' - sed -i deps/node_package/priv/base/env.sh \ - -e 's@{{platform_data_dir}}@''${RIAK_DATA_DIR:-/var/db/stanchion}@' \ - -e 's@^RUNNER_SCRIPT_DIR=.*@RUNNER_SCRIPT_DIR='$out'/bin@' \ - -e 's@^RUNNER_BASE_DIR=.*@RUNNER_BASE_DIR='$out'@' \ - -e 's@^RUNNER_ETC_DIR=.*@RUNNER_ETC_DIR=''${RIAK_ETC_DIR:-/etc/stanchion}@' \ - -e 's@^RUNNER_LOG_DIR=.*@RUNNER_LOG_DIR=''${RIAK_LOG_DIR:-/var/log}@' - ''; - - preBuild = '' - patchShebangs . - ''; - - buildPhase = '' - runHook preBuild - - make rel - - runHook postBuild - ''; - - doCheck = false; - - installPhase = '' - runHook preInstall - - mkdir $out - mv rel/stanchion/etc rel/stanchion/riak-etc - mkdir -p rel/stanchion/etc - mv rel/stanchion/riak-etc rel/stanchion/etc/stanchion - mv rel/stanchion/* $out - - for prog in $out/bin/*; do - substituteInPlace $prog \ - --replace '. "`cd \`dirname $0\` && /bin/pwd`/../lib/env.sh"' \ - ". $out/lib/env.sh" - done - - runHook postInstall - ''; - - meta = with lib; { - maintainers = with maintainers; [ mdaiter ]; - description = "Manager for Riak CS"; - platforms = [ "x86_64-linux" "x86_64-darwin" ]; - license = licenses.asl20; - }; -} diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 3538ac56ecf..6c7b6e8ab8a 100644 
--- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -482,6 +482,7 @@ mapAliases ({ gtk-recordmydesktop = throw "gtk-recordmydesktop has been removed from nixpkgs, as it's unmaintained and uses deprecated libraries"; # added 2019-12-10 qt-recordmydesktop = throw "qt-recordmydesktop has been removed from nixpkgs, as it's abandoned and uses deprecated libraries"; # added 2019-12-10 rfkill = throw "rfkill has been removed, as it's included in util-linux"; # added 2020-08-23 + riak-cs = throw "riak-cs is not maintained anymore"; # added 2020-10-14 rkt = throw "rkt was archived by upstream"; # added 2020-05-16 ruby_2_0_0 = throw "ruby_2_0_0 was deprecated on 2018-02-13: use a newer version of ruby"; ruby_2_1_0 = throw "ruby_2_1_0 was deprecated on 2018-02-13: use a newer version of ruby"; @@ -572,6 +573,7 @@ mapAliases ({ sqliteInteractive = sqlite-interactive; # added 2014-12-06 squid4 = squid; # added 2019-08-22 sshfsFuse = sshfs-fuse; # added 2016-09 + stanchion = throw "Stanchion was part of riak-cs which is not maintained anymore"; # added 2020-10-14 surf-webkit2 = surf; # added 2017-04-02 sup = throw "sup was deprecated on 2019-09-10: abandoned by upstream"; swfdec = throw "swfdec has been removed as broken and unmaintained."; # added 2020-08-23 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1a81c1fcf14..2d953ffc9ec 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16915,16 +16915,6 @@ in erlang = erlang_basho_R16B02; }; - riak-cs = callPackage ../servers/nosql/riak-cs/2.1.1.nix { - inherit (darwin.apple_sdk.frameworks) Carbon Cocoa; - erlang = erlang_basho_R16B02; - }; - - stanchion = callPackage ../servers/nosql/riak-cs/stanchion.nix { - inherit (darwin.apple_sdk.frameworks) Carbon Cocoa; - erlang = erlang_basho_R16B02; - }; - influxdb = callPackage ../servers/nosql/influxdb { }; mysql57 = callPackage ../servers/sql/mysql/5.7.x.nix { -- cgit 1.4.1 
From fc856b89e5b4c8a90d643f71029a125c72a244a2 Mon Sep 17 00:00:00 2001 From: Philipp Date: Thu, 29 Oct 2020 10:32:04 +0100 Subject: nixos/murmur: add murmur group, don't run as nogroup fixes #101980 --- nixos/modules/misc/ids.nix | 2 +- nixos/modules/services/networking/murmur.nix | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index cd21a1609c9..4e0f8ba718e 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -468,7 +468,7 @@ in #minecraft = 114; # unused vault = 115; #ripped = 116; # unused - #murmur = 117; # unused + murmur = 117; foundationdb = 118; newrelic = 119; starbound = 120; diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index b384f436861..c6e5649ec47 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -278,6 +278,10 @@ in home = "/var/lib/murmur"; createHome = true; uid = config.ids.uids.murmur; + group = "murmur"; + }; + users.groups.murmur = { + gid = config.ids.gids.murmur; }; systemd.services.murmur = { @@ -300,6 +304,7 @@ in RuntimeDirectory = "murmur"; RuntimeDirectoryMode = "0700"; User = "murmur"; + Group = "murmur"; }; }; }; -- cgit 1.4.1 From 1fde3c35619bd445357077d816c72b0e589e0775 Mon Sep 17 00:00:00 2001 
From: Kai Wohlfahrt Date: Sun, 2 Aug 2020 23:52:37 +0100 Subject: nixos/openldap: switch to slapd.d configuration The old slapd.conf is deprecated. Replace with slapd.d, and use this opportunity to write some structured settings. Incidentally, this fixes the fact that openldap is reported up before any checks have completed, by using forking mode. --- nixos/modules/misc/ids.nix | 4 +- nixos/modules/services/databases/openldap.nix | 369 ++++++++++++++++++++------ nixos/tests/openldap.nix | 163 ++++++++++-- 3 files changed, 430 insertions(+), 106 deletions(-) (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index bafa2225040..cf0198d7b93 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -135,7 +135,7 @@ in #keys = 96; # unused #haproxy = 97; # dynamically allocated as of 2020-03-11 mongodb = 98; - openldap = 99; + #openldap = 99; # dynamically allocated as of PR#94610 #users = 100; # unused cgminer = 101; munin = 102; @@ -451,7 +451,7 @@ in keys = 96; #haproxy = 97; # dynamically allocated as of 2020-03-11 #mongodb = 98; # unused - openldap = 99; + #openldap = 99; # dynamically allocated as of PR#94610 munin = 102; #logcheck = 103; # unused #nix-ssh = 104; # unused diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 7472538b887..afe24597e03 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix 
@@ -1,20 +1,19 @@ { config, lib, pkgs, ... }: with lib; - let - cfg = config.services.openldap; openldap = cfg.package; dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; - configFile = pkgs.writeText "slapd.conf" ((optionalString cfg.defaultSchemas '' - include ${openldap.out}/etc/schema/core.schema - include ${openldap.out}/etc/schema/cosine.schema - include ${openldap.out}/etc/schema/inetorgperson.schema - include ${openldap.out}/etc/schema/nis.schema + configFile = pkgs.writeText "slapd.conf" ((optionalString (cfg.defaultSchemas != null && cfg.defaultSchemas) '' + include ${openldap}/etc/schema/core.schema + include ${openldap}/etc/schema/cosine.schema + include ${openldap}/etc/schema/inetorgperson.schema + include ${openldap}/etc/schema/nis.schema '') + '' - ${cfg.extraConfig} + pidfile /run/slapd/slapd.pid + ${if cfg.extraConfig != null then cfg.extraConfig else ""} database ${cfg.database} suffix ${cfg.suffix} rootdn ${cfg.rootdn} 
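Review bot: The new guards `${if cfg.extraConfig != null then cfg.extraConfig else ""}` and `${if cfg.extraDatabaseConfig != null then cfg.extraDatabaseConfig else ""}` can never take their else branch: `extraConfig` is still declared further down in this file as `type = types.lines; default = "";`, so a null value is rejected by the type checker before evaluation reaches this string. The deprecation warning later in the same file tests `cfg.extraConfig != ""`, so the two sites disagree about which sentinel means "unset". Either make these two options `types.nullOr types.lines` with `default = null`, matching what this commit does for `suffix` and `rootdn`, or drop the guards and keep the original `${cfg.extraConfig}`. The `let` block this hunk edits continues past the end of the hunk.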
@@ -24,20 +23,79 @@ let include ${cfg.rootpwFile} ''} directory ${cfg.dataDir} - ${cfg.extraDatabaseConfig} + ${if cfg.extraDatabaseConfig != null then cfg.extraDatabaseConfig else ""} ''); - configOpts = if cfg.configDir == null then "-f ${configFile}" - else "-F ${cfg.configDir}"; -in -{ - - ###### interface + configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d"; + ldapValueType = let + singleLdapValueType = types.either types.str (types.submodule { + options = { + path = mkOption { + type = types.path; + description = '' + A path containing the LDAP attribute. This is included at run-time, so + is recommended for storing secrets. + ''; + }; + }; + }); + in types.either singleLdapValueType (types.listOf singleLdapValueType); + + ldapAttrsType = + let + options = { + attrs = mkOption { + type = types.attrsOf ldapValueType; + default = {}; + description = "Attributes of the parent entry."; + }; + children = mkOption { + # Hide the child attributes, to avoid infinite recursion in e.g. documentation + # Actual Nix evaluation is lazy, so this is not an issue there + type = let + hiddenOptions = lib.mapAttrs (name: attr: attr // { visible = false; }) options; + in types.attrsOf (types.submodule { options = hiddenOptions; }); + default = {}; + description = "Child entries of the current entry, with recursively the same structure."; + example = lib.literalExample '' + { + "cn=schema" = { + # The attribute used in the DN must be defined + attrs = { cn = "schema"; }; + children = { + # This entry's DN is expanded to "cn=foo,cn=schema" + "cn=foo" = { ... }; + }; + # These includes are inserted after "cn=schema", but before "cn=foo,cn=schema" + includes = [ ... ]; + }; + } + ''; + }; + includes = mkOption { + type = types.listOf types.path; + default = []; + description = '' + LDIF files to include after the parent's attributes but before its children. 
+ ''; + }; + }; + in types.submodule { inherit options; }; + + valueToLdif = attr: values: let + singleValueToLdif = value: if lib.isAttrs value then "${attr}:< file://${value.path}" else "${attr}: ${value}"; + in if lib.isList values then map singleValueToLdif values else [ (singleValueToLdif values) ]; + + attrsToLdif = dn: { attrs, children, includes, ... }: ['' + dn: ${dn} + ${lib.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList valueToLdif attrs))} + ''] ++ (map (path: "include: file://${path}\n") includes) ++ ( + lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children) + ); +in { options = { - services.openldap = { - enable = mkOption { type = types.bool; default = false; 
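Review bot: The `path` submodule option is documented as the way to keep secrets out of the store ("included at run-time, so is recommended for storing secrets"), but with `type = types.path` a value written as a path literal such as `path = ./rootpw;` is copied into the world-readable Nix store at evaluation time; only a string like `"/run/keys/ldap-rootpw"` stays out of it. The description should say so explicitly, e.g. `Give this as a string, not a path literal, or the file will be copied into the Nix store.` Separately, `singleValueToLdif` emits every string value verbatim as `${attr}: ${value}`, whereas LDIF requires the base64 form `attr:: ` for values that begin with a space, `:` or `<` or that contain a newline or non-ASCII byte, and the `:< file://` form takes the file's exact bytes including any trailing newline, which then becomes part of an `olcRootPW`; a comment on `valueToLdif` stating these constraints, and an assertion rejecting such values at evaluation time, would turn a malformed or subtly wrong LDIF into an early, explicit failure. The enclosing `let` block starts outside this hunk.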
@@ -77,47 +135,91 @@ in example = [ "ldaps:///" ]; }; + settings = mkOption { + type = ldapAttrsType; + description = "Configuration for OpenLDAP, in OLC format"; + example = lib.literalExample '' + { + attrs.olcLogLevel = [ "stats" ]; + children = { + "cn=schema".includes = [ + "\${pkgs.openldap}/etc/schema/core.ldif" + "\${pkgs.openldap}/etc/schema/cosine.ldif" + "\${pkgs.openldap}/etc/schema/inetorgperson.ldif" + ]; + "olcDatabase={-1}frontend" = { + attrs = { + objectClass = "olcDatabaseConfig"; + olcDatabase = "{-1}frontend"; + olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ]; + }; + }; + "olcDatabase={0}config" = { + attrs = { + objectClass = "olcDatabaseConfig"; + olcDatabase = "{0}config"; + olcAccess = [ "{0}to * by * none break" ]; + }; + }; + "olcDatabase={1}mdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/db/ldap"; + olcDbIndex = [ + "objectClass eq" + "cn pres,eq" + "uid pres,eq" + "sn pres,eq,subany" + ]; + olcSuffix = "dc=example,dc=com"; + olcAccess = [ "{0}to * by * read break" ]; + }; + }; + }; + }; + ''; + }; + + # These options are translated into settings dataDir = mkOption { - type = types.path; + type = types.nullOr types.path; default = "/var/db/openldap"; description = "The database directory."; }; defaultSchemas = mkOption { - type = types.bool; + type = types.nullOr types.bool; default = true; + description = '' Include the default schemas core, cosine, inetorgperson and nis. - This setting will be ignored if configDir is set. ''; }; database = mkOption { - type = types.str; + type = types.nullOr types.str; default = "mdb"; - description = '' - Database type to use for the LDAP. - This setting will be ignored if configDir is set. 
- ''; + description = "Backend to use for the first database."; }; suffix = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; example = "dc=example,dc=org"; description = '' - Specify the DN suffix of queries that will be passed to this backend - database. - This setting will be ignored if configDir is set. + Specify the DN suffix of queries that will be passed to the first + database database. ''; }; rootdn = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; example = "cn=admin,dc=example,dc=org"; description = '' Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. - This setting will be ignored if configDir is set. ''; }; @@ -125,10 +227,9 @@ in type = types.nullOr types.str; default = null; description = '' - Password for the root user. - This setting will be ignored if configDir is set. - Using this option will store the root password in plain text in the - world-readable nix store. To avoid this the rootpwFile can be used. + Password for the root user.Using this option will store the root + password in plain text in the world-readable nix store. To avoid this + the rootpwFile can be used. ''; }; 
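Review bot: The deprecated options `dataDir`, `defaultSchemas` and `database` are changed to `types.nullOr` here but keep live defaults (`"/var/db/openldap"`, `true`, `"mdb"`), while `suffix` and `rootdn` in the same hunk get `default = null`. The deprecation warnings visible later in this file appear to fire whenever the old option is non-null, so with these defaults every user who never set the three options would be told to migrate values they did not write. Set `default = null` on all three as well, or add a comment above them explaining why they intentionally keep a default while the rest of the deprecated group does not. The `services.openldap` option set continues outside this hunk.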
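Review bot: The reworded `rootpw` description loses the space after the full stop: `Password for the root user.Using this option will store the root` should read `Password for the root user. Using this option will store the root`. The warning it carries, that the value ends up in the world-readable store, is the right one to keep; since `rootpwFile` is itself on the deprecated list, pointing readers to the `settings` `{ path = "..."; }` form as the non-deprecated alternative would make the description self-contained.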
@@ -137,25 +238,36 @@ in default = null; description = '' Password file for the root user. - The file should contain the string rootpw followed by the password. - e.g.: rootpw mysecurepassword + + If the deprecated extraConfig or + extraDatabaseConfig options are set, this should + contain rootpw followed by the password + (e.g. rootpw thePasswordHere). + + Otherwise the file should contain only the password (no trailing + newline or leading rootpw). ''; }; logLevel = mkOption { - type = types.str; - default = "0"; - example = "acl trace"; - description = "The log level selector of slapd."; + type = types.nullOr (types.listOf types.str); + default = null; + example = literalExample "[ \"acl\" \"trace\" ]"; + description = "The log level."; }; + # This option overrides settings configDir = mkOption { type = types.nullOr types.path; default = null; - description = "Use this optional config directory instead of using slapd.conf"; + description = '' + Use this optional config directory instead of generating one from the + settings option. + ''; example = "/var/db/slapd.d"; }; + # These options are deprecated extraConfig = mkOption { type = types.lines; default = ""; @@ -164,10 +276,10 @@ in "; example = literalExample '' ''' - include ${openldap.out}/etc/schema/core.schema - include ${openldap.out}/etc/schema/cosine.schema - include ${openldap.out}/etc/schema/inetorgperson.schema - include ${openldap.out}/etc/schema/nis.schema + include ${openldap}/etc/schema/core.schema + include ${openldap}/etc/schema/cosine.schema + include ${openldap}/etc/schema/inetorgperson.schema + include ${openldap}/etc/schema/nis.schema database bdb suffix dc=example,dc=org 
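Review bot: `logLevel` changes from `types.str` with default `"0"` to `types.nullOr (types.listOf types.str)` with default `null`, so an existing `logLevel = "acl trace"` now fails the type check outright rather than reaching the deprecation warning that is meant to guide the migration; the description should at least record the change, e.g. `Formerly a space-separated string; now a list of selectors, or null to leave slapd's default.` The new `rootpwFile` text correctly states that the file must hold only the password with no trailing newline, which matches a raw `:< file://` inclusion, and a hint that the file must be written with `printf` or `echo -n` would head off the most common way of getting it wrong. The `extraConfig` option definition continues past the end of the hunk.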
@@ -244,57 +356,156 @@ in }; meta = { - maintainers = [ lib.maintainers.mic92 ]; + maintainers = with lib.maintainters; [ mic92 kwohlfahrt ]; }; - - ###### implementation - config = mkIf cfg.enable { - assertions = [ - { - assertion = cfg.configDir != null || cfg.rootpwFile != null || cfg.rootpw != null; - message = "services.openldap: Unless configDir is set, either rootpw or rootpwFile must be set"; - } - ]; + warnings = let + deprecations = [ + { old = "logLevel"; new = "attrs.olcLogLevel"; } + { old = "defaultSchemas"; + new = "children.\"cn=schema\".includes"; + newValue = "[\n ${lib.concatStringsSep "\n " [ + "\${pkgs.openldap}/etc/schema/core.ldif" + "\${pkgs.openldap}/etc/schema/cosine.ldif" + "\${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "\${pkgs.openldap}/etc/schema/nis.ldif" + ]}\n ]"; } + { old = "database"; new = "children.\"cn={1}${cfg.database}\""; newValue = "{ }"; } + { old = "suffix"; new = "children.\"cn={1}${cfg.database}\".attrs.olcSuffix"; } + { old = "dataDir"; new = "children.\"cn={1}${cfg.database}\".attrs.olcDbDirectory"; } + { old = "rootdn"; new = "children.\"cn={1}${cfg.database}\".attrs.olcRootDN"; } + { old = "rootpw"; new = "children.\"cn={1}${cfg.database}\".attrs.olcRootPW"; } + { old = "rootpwFile"; + new = "children.\"cn={1}${cfg.database}\".attrs.olcRootPW"; + newValue = "{ path = \"${cfg.rootpwFile}\"; }"; + note = "The file should contain only the password (without \"rootpw \" as before)"; } + ]; + in (optional (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") '' + The options `extraConfig` and `extraDatabaseConfig` of `services.openldap` + are deprecated. This is due to the deprecation of `slapd.conf` + upstream. Please migrate to `services.openldap.settings`. 
+ + After deploying this configuration, you can run: + slapcat -F ${configDir} -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' + on the same host to print your current configuration in LDIF format, + which should be straightforward to convert into Nix settings. + '') ++ (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) '' + The attribute `services.openldap.${old}` is deprecated. Please set it to + `null` and use the following option instead: + + services.openldap.settings.${new} = ${args.newValue or ( + let oldValue = (getAttr old cfg); + in if (isList oldValue) then "[ ${concatStringsSep " " oldValue} ]" else oldValue + )} + '') deprecations)) ++ (optional (cfg.configDir != null && (versionOlder config.system.stateVersion "20.09")) '' + The attribute `services.openldap.settings` now exists, and may be more + useful than `services.openldap.configDir`. If you continue to use + `configDir`, ensure that `olcPidFile` is set to "/run/slapd/slapd.pid". + + Set `system.stateVersion` to "20.09" or greater to silence this message. 
+ ''); + + assertions = [{ + assertion = !(cfg.rootpwFile != null && cfg.rootpw != null); + message = "services.openldap: at most one of rootpw or rootpwFile must be set"; + }]; environment.systemPackages = [ openldap ]; + # Literal attributes must always be set (even if other top-level attributres are deprecated) + services.openldap.settings = { + attrs = { + objectClass = "olcGlobal"; + cn = "config"; + olcPidFile = "/run/slapd/slapd.pid"; + } // (lib.optionalAttrs (cfg.logLevel != null) { + olcLogLevel = cfg.logLevel; + }); + children = { + "cn=schema" = { + attrs = { + cn = "schema"; + objectClass = "olcSchemaConfig"; + }; + includes = lib.optionals (cfg.defaultSchemas != null && cfg.defaultSchemas) [ + "${openldap}/etc/schema/core.ldif" + "${openldap}/etc/schema/cosine.ldif" + "${openldap}/etc/schema/inetorgperson.ldif" + "${openldap}/etc/schema/nis.ldif" + ]; + }; + } // (lib.optionalAttrs (cfg.database != null) { + "olcDatabase={1}${cfg.database}".attrs = { + # objectClass is case-insensitive, so don't need to capitalize ${database} + objectClass = [ "olcdatabaseconfig" "olc${cfg.database}config" ]; + olcDatabase = "{1}${cfg.database}"; + } // (lib.optionalAttrs (cfg.suffix != null) { + olcSuffix = cfg.suffix; + }) // (lib.optionalAttrs (cfg.dataDir != null) { + olcDbDirectory = cfg.dataDir; + }) // (lib.optionalAttrs (cfg.rootdn != null) { + olcRootDN = cfg.rootdn; # TODO: Optional + }) // (lib.optionalAttrs (cfg.rootpw != null || cfg.rootpwFile != null) { + olcRootPW = (if cfg.rootpwFile != null then { path = cfg.rootpwFile; } else cfg.rootpw); # TODO: Optional + }); + }); + }; + systemd.services.openldap = { description = "LDAP server"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - preStart = '' + preStart = let + dbSettings = lib.filterAttrs (name: value: lib.hasPrefix "olcDatabase=" name) cfg.settings.children; + dataDirs = lib.mapAttrsToList (name: value: value.attrs.olcDbDirectory) dbSettings; + settingsFile = pkgs.writeText 
"config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings)); + in '' mkdir -p /run/slapd chown -R "${cfg.user}:${cfg.group}" /run/slapd + + mkdir -p '${configDir}' ${lib.escapeShellArgs dataDirs} + chown "${cfg.user}:${cfg.group}" '${configDir}' ${lib.escapeShellArgs dataDirs} + + ${lib.optionalString (cfg.configDir == null) ( + if (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") then '' + rm -Rf '${configDir}'/* + # -u disables config generation, so just ignore the return code + ${openldap}/bin/slaptest -f ${configFile} -F ${configDir} || true + '' else '' + rm -Rf '${configDir}'/* + ${openldap}/bin/slapadd -F ${configDir} -n0 -l ${settingsFile} + '' + )} + chown -R "${cfg.user}:${cfg.group}" '${configDir}' + ${optionalString (cfg.declarativeContents != null) '' - rm -Rf "${cfg.dataDir}" - ''} - mkdir -p "${cfg.dataDir}" - ${optionalString (cfg.declarativeContents != null) '' - ${openldap.out}/bin/slapadd ${configOpts} -l ${dataFile} + rm -Rf '${lib.head dataDirs}'/* + ${openldap}/bin/slapadd -F ${configDir} -n1 -l ${dataFile} + chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArgs dataDirs} ''} - chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}" - ${openldap}/bin/slaptest ${configOpts} + ${openldap}/bin/slaptest -u -F ${configDir} ''; - serviceConfig.ExecStart = - "${openldap.out}/libexec/slapd -d '${cfg.logLevel}' " + - "-u '${cfg.user}' -g '${cfg.group}' " + - "-h '${concatStringsSep " " cfg.urlList}' " + - "${configOpts}"; - }; - - users.users.openldap = - { name = cfg.user; - group = cfg.group; - uid = config.ids.uids.openldap; + serviceConfig = { + ExecStart = lib.concatStringsSep " " [ + "${openldap}/libexec/slapd" + "-u '${cfg.user}'" + "-g '${cfg.group}'" + "-h '${concatStringsSep " " cfg.urlList}'" + "-F ${configDir}" + ]; + Type = "forking"; + PIDFile = cfg.settings.attrs.olcPidFile; }; + }; - users.groups.openldap = - { name = cfg.group; - gid = config.ids.gids.openldap; - }; + users.users = lib.optionalAttrs 
(cfg.user == "openldap") { + openldap = { group = cfg.group; }; + }; + users.groups = lib.optionalAttrs (cfg.group == "openldap") { + openldap = {}; + }; }; } diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index f8321a2c522..33b7b7f6608 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix 
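Review bot: `maintainers = with lib.maintainters; [ mic92 kwohlfahrt ];` in the meta block misspells `maintainers`, so evaluating the module's meta (documentation build, meta checks) fails with an undefined-attribute error; it should be `with lib.maintainers;`. `users.users.openldap` is now declared with only `group = cfg.group;`, neither `uid` nor `isSystemUser`, which the users-groups module may reject with an assertion on newer nixpkgs; add `isSystemUser = true;` next to the group. In preStart, `dataDirs` maps every `olcDatabase=` child to `value.attrs.olcDbDirectory` and the declarativeContents branch uses `lib.head dataDirs`, so a database child without that attribute aborts evaluation and an empty list makes `head` throw; `dataDirs = lib.filter (d: d != null) (lib.mapAttrsToList (name: value: value.attrs.olcDbDirectory or null) dbSettings);` together with an assertion that `cfg.declarativeContents != null -> dataDirs != []` would turn both into clear errors. The `config = mkIf cfg.enable {` line is removed in this hunk and not re-added, so the enclosing config set is presumably opened above the hunk, outside this view.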
@@ -1,33 +1,146 @@ -import ./make-test-python.nix { - name = "openldap"; - - machine = { pkgs, ... }: { - services.openldap = { - enable = true; - suffix = "dc=example"; - rootdn = "cn=root,dc=example"; - rootpw = "notapassword"; - database = "bdb"; - extraDatabaseConfig = '' - directory /var/db/openldap - ''; - declarativeContents = '' - dn: dc=example - objectClass: domain - dc: example - - dn: ou=users,dc=example - objectClass: organizationalUnit - ou: users - ''; - }; - }; +{ pkgs, system ? builtins.currentSystem, ... }: let + declarativeContents = '' + dn: dc=example + objectClass: domain + dc: example + dn: ou=users,dc=example + objectClass: organizationalUnit + ou: users + ''; testScript = '' machine.wait_for_unit("openldap.service") machine.succeed( - "systemctl status openldap.service", 'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"', ) ''; +in { + # New-style configuration + current = import ./make-test-python.nix { + inherit testScript; + name = "openldap"; + + machine = { pkgs, ... }: { + services.openldap = { + inherit declarativeContents; + enable = true; + defaultSchemas = null; + dataDir = null; + database = null; + settings = { + children = { + "cn=schema" = { + includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + "${pkgs.openldap}/etc/schema/cosine.ldif" + "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "${pkgs.openldap}/etc/schema/nis.ldif" + ]; + }; + "olcDatabase={1}mdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/db/openldap"; + olcSuffix = "dc=example"; + olcRootDN = "cn=root,dc=example"; + olcRootPW = "notapassword"; + }; + }; + }; + }; + }; + }; + }; + + # Old-style configuration + shortOptions = import ./make-test-python.nix { + inherit testScript; + name = "openldap"; + + machine = { pkgs, ... 
}: { + services.openldap = { + inherit declarativeContents; + enable = true; + suffix = "dc=example"; + rootdn = "cn=root,dc=example"; + rootpw = "notapassword"; + }; + }; + }; + + # Manually managed configDir, for example if dynamic config is essential + manualConfigDir = import ./make-test-python.nix { + name = "openldap"; + + machine = { pkgs, ... }: { + services.openldap = { + enable = true; + configDir = "/var/db/slapd.d"; + # Silence warnings + defaultSchemas = null; + dataDir = null; + database = null; + }; + }; + + testScript = let + contents = pkgs.writeText "data.ldif" declarativeContents; + config = pkgs.writeText "config.ldif" '' + dn: cn=config + cn: config + objectClass: olcGlobal + olcLogLevel: stats + olcPidFile: /run/slapd/slapd.pid + + dn: cn=schema,cn=config + cn: schema + objectClass: olcSchemaConfig + + include: file://${pkgs.openldap}/etc/schema/core.ldif + include: file://${pkgs.openldap}/etc/schema/cosine.ldif + include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif + + dn: olcDatabase={1}mdb,cn=config + objectClass: olcDatabaseConfig + objectClass: olcMdbConfig + olcDatabase: {1}mdb + olcDbDirectory: /var/db/openldap + olcDbIndex: objectClass eq + olcSuffix: dc=example + olcRootDN: cn=root,dc=example + olcRootPW: notapassword + ''; + in '' + machine.succeed( + "mkdir -p /var/db/slapd.d /var/db/openldap", + "slapadd -F /var/db/slapd.d -n0 -l ${config}", + "slapadd -F /var/db/slapd.d -n1 -l ${contents}", + "chown -R openldap:openldap /var/db/slapd.d /var/db/openldap", + "systemctl restart openldap", + ) + '' + testScript; + }; + + # extraConfig forces use of slapd.conf, test this until that option is removed + legacyConfig = import ./make-test-python.nix { + inherit testScript; + name = "openldap"; + + machine = { pkgs, ... 
}: {
+ services.openldap = {
+ inherit declarativeContents;
+ enable = true;
+ suffix = "dc=example";
+ rootdn = "cn=root,dc=example";
+ rootpw = "notapassword";
+ extraConfig = ''
+ # No-op
+ '';
+ extraDatabaseConfig = ''
+ # No-op
+ '';
+ };
+ };
+ };
 }
-- cgit 1.4.1
From 7ec85073ddfbedd1d0272bddd077a02798b1a4d4 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Tue, 27 Oct 2020 14:10:33 +0100
Subject: nixos/ids: remove reserved searx ids
---
nixos/modules/misc/ids.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'nixos/modules/misc/ids.nix')
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index cf0198d7b93..feb9c68301d 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -143,7 +143,7 @@ in
 nix-ssh = 104;
 dictd = 105;
 couchdb = 106;
- searx = 107;
+ #searx = 107; # dynamically allocated as of 2020-10-27
 kippo = 108;
 jenkins = 109;
 systemd-journal-gateway = 110;
@@ -457,7 +457,7 @@ in
 #nix-ssh = 104; # unused
 dictd = 105;
 couchdb = 106;
- searx = 107;
+ #searx = 107; # dynamically allocated as of 2020-10-27
 kippo = 108;
 jenkins = 109;
 systemd-journal-gateway = 110;
-- cgit 1.4.1
From a3f4db8679002e20cc33576b5ba80996cc7a3398 Mon Sep 17 00:00:00 2001
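Review bot: The new `declarativeContents` at the top of the test hunk has no blank line between `dc: example` and `dn: ou=users,dc=example`, whereas the removed version had one; LDIF separates entries with a blank line, so `slapadd -n1` would presumably reject the second `dn:` inside the first entry (unless the empty line was lost in rendering), and an empty line should be re-inserted after `dc: example`. All four tests are also declared with `name = "openldap"`, so their derivations and logs are indistinguishable; distinct names such as `"openldap-current"`, `"openldap-shortOptions"`, `"openldap-manualConfigDir"` and `"openldap-legacyConfig"` would make a failing case attributable.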
From: Scriptkiddi Date: Mon, 25 Jan 2021 15:54:44 +0100 Subject: nixos/dysnomia nixos/disnix: Drop modules --- nixos/modules/misc/ids.nix | 4 +- nixos/modules/module-list.nix | 2 - nixos/modules/services/misc/disnix.nix | 98 -------- nixos/modules/services/misc/dysnomia.nix | 257 --------------------- .../disnix/DisnixWebService/default.nix | 28 --- pkgs/tools/package-management/disnix/default.nix | 20 -- .../package-management/disnix/disnixos/default.nix | 20 -- .../package-management/disnix/dydisnix/default.nix | 27 --- .../package-management/disnix/dysnomia/default.nix | 71 ------ pkgs/top-level/aliases.nix | 5 + pkgs/top-level/all-packages.nix | 12 - 11 files changed, 7 insertions(+), 537 deletions(-) delete mode 100644 nixos/modules/services/misc/disnix.nix delete mode 100644 nixos/modules/services/misc/dysnomia.nix delete mode 100644 pkgs/tools/package-management/disnix/DisnixWebService/default.nix delete mode 100644 pkgs/tools/package-management/disnix/default.nix delete mode 100644 pkgs/tools/package-management/disnix/disnixos/default.nix delete mode 100644 pkgs/tools/package-management/disnix/dydisnix/default.nix delete mode 100644 pkgs/tools/package-management/disnix/dysnomia/default.nix (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index feb9c68301d..a0f5ce72f33 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -71,7 +71,7 @@ in #utmp = 29; # unused # ddclient = 30; # converted to DynamicUser = true davfs2 = 31; - #disnix = 33; # unused + #disnix = 33; # module removed osgi = 34; tor = 35; cups = 36; @@ -387,7 +387,7 @@ in utmp = 29; # ddclient = 30; # converted to DynamicUser = true davfs2 = 31; - disnix = 33; + #disnix = 33; # module removed osgi = 34; tor = 35; #cups = 36; # unused diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 0f8a7ba7904..cc8ebd531ab 100644 --- a/nixos/modules/module-list.nix 
+++ b/nixos/modules/module-list.nix @@ -449,8 +449,6 @@ ./services/misc/devmon.nix ./services/misc/dictd.nix ./services/misc/dwm-status.nix - ./services/misc/dysnomia.nix - ./services/misc/disnix.nix ./services/misc/docker-registry.nix ./services/misc/domoticz.nix ./services/misc/errbot.nix diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix deleted file mode 100644 index 41483d80a2d..00000000000 --- a/nixos/modules/services/misc/disnix.nix +++ /dev/null 
@@ -1,98 +0,0 @@ -# Disnix server -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.disnix; - -in - -{ - - ###### interface - - options = { - - services.disnix = { - - enable = mkEnableOption "Disnix"; - - enableMultiUser = mkOption { - type = types.bool; - default = true; - description = "Whether to support multi-user mode by enabling the Disnix D-Bus service"; - }; - - useWebServiceInterface = mkEnableOption "the DisnixWebService interface running on Apache Tomcat"; - - package = mkOption { - type = types.path; - description = "The Disnix package"; - default = pkgs.disnix; - defaultText = "pkgs.disnix"; - }; - - enableProfilePath = mkEnableOption "exposing the Disnix profiles in the system's PATH"; - - profiles = mkOption { - type = types.listOf types.string; - default = [ "default" ]; - example = [ "default" ]; - description = "Names of the Disnix profiles to expose in the system's PATH"; - }; - }; - - }; - - ###### implementation - - config = mkIf cfg.enable { - dysnomia.enable = true; - - environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService; - environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles); - - services.dbus.enable = true; - services.dbus.packages = [ pkgs.disnix ]; - - services.tomcat.enable = cfg.useWebServiceInterface; - services.tomcat.extraGroups = [ "disnix" ]; - services.tomcat.javaOpts = "${optionalString cfg.useWebServiceInterface "-Djava.library.path=${pkgs.libmatthew_java}/lib/jni"} "; - services.tomcat.sharedLibs = optional cfg.useWebServiceInterface "${pkgs.DisnixWebService}/share/java/DisnixConnection.jar" - ++ optional cfg.useWebServiceInterface "${pkgs.dbus_java}/share/java/dbus.jar"; - services.tomcat.webapps = optional cfg.useWebServiceInterface pkgs.DisnixWebService; - - users.groups.disnix.gid = config.ids.gids.disnix; - - systemd.services = { - disnix = mkIf 
cfg.enableMultiUser { - description = "Disnix server"; - wants = [ "dysnomia.target" ]; - wantedBy = [ "multi-user.target" ]; - after = [ "dbus.service" ] - ++ optional config.services.httpd.enable "httpd.service" - ++ optional config.services.mysql.enable "mysql.service" - ++ optional config.services.postgresql.enable "postgresql.service" - ++ optional config.services.tomcat.enable "tomcat.service" - ++ optional config.services.svnserve.enable "svnserve.service" - ++ optional config.services.mongodb.enable "mongodb.service" - ++ optional config.services.influxdb.enable "influxdb.service"; - - restartIfChanged = false; - - path = [ config.nix.package cfg.package config.dysnomia.package "/run/current-system/sw" ]; - - environment = { - HOME = "/root"; - } - // (if config.environment.variables ? DYSNOMIA_CONTAINERS_PATH then { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; } else {}) - // (if config.environment.variables ? DYSNOMIA_MODULES_PATH then { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; } else {}); - - serviceConfig.ExecStart = "${cfg.package}/bin/disnix-service"; - }; - - }; - }; -} diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix deleted file mode 100644 index eb94791fbbf..00000000000 --- a/nixos/modules/services/misc/dysnomia.nix +++ /dev/null 
@@ -1,257 +0,0 @@ -{pkgs, lib, config, ...}: - -with lib; - -let - cfg = config.dysnomia; - - printProperties = properties: - concatMapStrings (propertyName: - let - property = properties.${propertyName}; - in - if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties.${propertyName})})\n" - else "${propertyName}=\"${toString property}\"\n" - ) (builtins.attrNames properties); - - properties = pkgs.stdenv.mkDerivation { - name = "dysnomia-properties"; - buildCommand = '' - cat > $out << "EOF" - ${printProperties cfg.properties} - EOF - ''; - }; - - containersDir = pkgs.stdenv.mkDerivation { - name = "dysnomia-containers"; - buildCommand = '' - mkdir -p $out - cd $out - - ${concatMapStrings (containerName: - let - containerProperties = cfg.containers.${containerName}; - in - '' - cat > ${containerName} < /etc/systemd-mutable/system/dysnomia.target - fi - ''; - }; -} diff --git a/pkgs/tools/package-management/disnix/DisnixWebService/default.nix b/pkgs/tools/package-management/disnix/DisnixWebService/default.nix deleted file mode 100644 index ba3c51822e9..00000000000 --- a/pkgs/tools/package-management/disnix/DisnixWebService/default.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{lib, stdenv, fetchurl, apacheAnt, jdk, axis2, dbus_java }: - -stdenv.mkDerivation { - name = "DisnixWebService-0.10"; - src = fetchurl { - url = "https://github.com/svanderburg/DisnixWebService/releases/download/DisnixWebService-0.10/DisnixWebService-0.10.tar.gz"; - sha256 = "0m451msd127ay09yb8rbflg68szm8s4hh65j99f7s3mz375vc114"; - }; - buildInputs = [ apacheAnt jdk ]; - PREFIX = "\${env.out}"; - AXIS2_LIB = "${axis2}/lib"; - AXIS2_WEBAPP = "${axis2}/webapps/axis2"; - DBUS_JAVA_LIB = "${dbus_java}/share/java"; - prePatch = '' - sed -i -e "s|#JAVA_HOME=|JAVA_HOME=${jdk}|" \ - -e "s|#AXIS2_LIB=|AXIS2_LIB=${axis2}/lib|" \ - scripts/disnix-soap-client - ''; - buildPhase = "ant"; - installPhase = "ant install"; - - meta = { - description = "A SOAP interface and client for Disnix"; - license = lib.licenses.mit; - maintainers = [ lib.maintainers.sander ]; - platforms = lib.platforms.linux; - }; -} diff --git a/pkgs/tools/package-management/disnix/default.nix b/pkgs/tools/package-management/disnix/default.nix deleted file mode 100644 index 14be0924f27..00000000000 --- a/pkgs/tools/package-management/disnix/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ lib, stdenv, fetchurl, pkg-config, glib, libxml2, libxslt, getopt, gettext, nixUnstable, dysnomia, libintl, libiconv, help2man, doclifter, docbook5, dblatex, doxygen, libnixxml, autoreconfHook }: - -stdenv.mkDerivation { - name = "disnix-0.10"; - - src = fetchurl { - url = "https://github.com/svanderburg/disnix/releases/download/disnix-0.10/disnix-0.10.tar.gz"; - sha256 = "0mciqbc2h60nc0i6pd36w0m2yr96v97ybrzrqzh5f67ac1f0gqwg"; - }; - - nativeBuildInputs = [ pkg-config ]; - buildInputs = [ glib libxml2 libxslt getopt nixUnstable libintl libiconv dysnomia ]; - - meta = { - description = "A Nix-based distributed service deployment tool"; - license = lib.licenses.lgpl21Plus; - maintainers = with lib.maintainers; [ sander tomberek ]; - platforms = lib.platforms.unix; - }; -} 
diff --git a/pkgs/tools/package-management/disnix/disnixos/default.nix b/pkgs/tools/package-management/disnix/disnixos/default.nix deleted file mode 100644 index 1b9d2eaefcd..00000000000 --- a/pkgs/tools/package-management/disnix/disnixos/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ lib, stdenv, fetchurl, dysnomia, disnix, socat, pkg-config, getopt }: - -stdenv.mkDerivation { - name = "disnixos-0.9"; - - src = fetchurl { - url = "https://github.com/svanderburg/disnixos/releases/download/disnixos-0.9/disnixos-0.9.tar.gz"; - sha256 = "0vllm5a8d9dvz5cjiq1mmkc4r4vnljabq42ng0ml85sjn0w7xvm7"; - }; - - nativeBuildInputs = [ pkg-config ]; - buildInputs = [ socat dysnomia disnix getopt ]; - - meta = { - description = "Provides complementary NixOS infrastructure deployment to Disnix"; - license = lib.licenses.lgpl21Plus; - maintainers = [ lib.maintainers.sander ]; - platforms = lib.platforms.linux; - }; -} diff --git a/pkgs/tools/package-management/disnix/dydisnix/default.nix b/pkgs/tools/package-management/disnix/dydisnix/default.nix deleted file mode 100644 index b4c3851a50f..00000000000 --- a/pkgs/tools/package-management/disnix/dydisnix/default.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{ lib, stdenv, fetchFromGitHub, autoconf, automake, libtool , pkg-config, glib, libxml2, libxslt, getopt, libiconv, gettext, nix, disnix, libnixxml }: - -stdenv.mkDerivation rec { - version="2020-07-04"; - name = "dydisnix-${version}"; - - src = fetchFromGitHub { - owner = "svanderburg"; - repo = "dydisnix"; - rev = "e99091f1c2329d562097e35faedee80622d387f0"; - sha256 = "sha256-XKab2hNGtWDkIEMxE1vMvqQBTP9BvHTabBVfzpH57h0="; - }; - - nativeBuildInputs = [ pkg-config autoconf automake libtool ]; - buildInputs = [ glib libxml2 libxslt getopt nix disnix libiconv gettext libnixxml ]; - preConfigure = '' - ./bootstrap - ''; - - meta = { - description = "A toolset enabling self-adaptive redeployment on top of Disnix"; - longDescription = "Dynamic Disnix is a (very experimental!) prototype extension framework for Disnix supporting dynamic (re)deployment of service-oriented systems."; - license = lib.licenses.lgpl21Plus; - maintainers = [ lib.maintainers.tomberek ]; - platforms = lib.platforms.unix; - }; -} diff --git a/pkgs/tools/package-management/disnix/dysnomia/default.nix b/pkgs/tools/package-management/disnix/dysnomia/default.nix deleted file mode 100644 index 56ba16afb47..00000000000 --- a/pkgs/tools/package-management/disnix/dysnomia/default.nix +++ /dev/null 
@@ -1,71 +0,0 @@ -{ lib, stdenv, fetchurl, netcat -, systemd ? null, ejabberd ? null, mysql ? null, postgresql ? null, subversion ? null, mongodb ? null, mongodb-tools ? null, influxdb ? null, supervisor ? null, docker ? null -, enableApacheWebApplication ? false -, enableAxis2WebService ? false -, enableEjabberdDump ? false -, enableMySQLDatabase ? false -, enablePostgreSQLDatabase ? false -, enableSubversionRepository ? false -, enableTomcatWebApplication ? false -, enableMongoDatabase ? false -, enableInfluxDatabase ? false -, enableSupervisordProgram ? false -, enableDockerContainer ? true -, enableLegacy ? false -, catalinaBaseDir ? "/var/tomcat" -, jobTemplate ? "systemd" -, getopt -}: - -assert enableMySQLDatabase -> mysql != null; -assert enablePostgreSQLDatabase -> postgresql != null; -assert enableSubversionRepository -> subversion != null; -assert enableEjabberdDump -> ejabberd != null; -assert enableMongoDatabase -> (mongodb != null && mongodb-tools != null); -assert enableInfluxDatabase -> influxdb != null; -assert enableSupervisordProgram -> supervisor != null; -assert enableDockerContainer -> docker != null; - -stdenv.mkDerivation { - name = "dysnomia-0.10"; - src = fetchurl { - url = "https://github.com/svanderburg/dysnomia/releases/download/dysnomia-0.10/dysnomia-0.10.tar.gz"; - sha256 = "19zg4nhn0f9v4i7c9hhan1i4xv3ljfpl2d0s84ph8byiscvhyrna"; - }; - - preConfigure = if enableEjabberdDump then "export PATH=$PATH:${ejabberd}/sbin" else ""; - - configureFlags = [ - (if enableApacheWebApplication then "--with-apache" else "--without-apache") - (if enableAxis2WebService then "--with-axis2" else "--without-axis2") - (if enableEjabberdDump then "--with-ejabberd" else "--without-ejabberd") - (if enableMySQLDatabase then "--with-mysql" else "--without-mysql") - (if enablePostgreSQLDatabase then "--with-postgresql" else "--without-postgresql") - (if enableSubversionRepository then "--with-subversion" else "--without-subversion") - (if 
enableTomcatWebApplication then "--with-tomcat=${catalinaBaseDir}" else "--without-tomcat") - (if enableMongoDatabase then "--with-mongodb" else "--without-mongodb") - (if enableInfluxDatabase then "--with-influxdb" else "--without-influxdb") - (if enableSupervisordProgram then "--with-supervisord" else "--without-supervisord") - (if enableDockerContainer then "--with-docker" else "--without-docker") - "--with-job-template=${jobTemplate}" - ] ++ lib.optional enableLegacy "--enable-legacy"; - - buildInputs = [ getopt netcat ] - ++ lib.optional stdenv.isLinux systemd - ++ lib.optional enableEjabberdDump ejabberd - ++ lib.optional enableMySQLDatabase mysql.out - ++ lib.optional enablePostgreSQLDatabase postgresql - ++ lib.optional enableSubversionRepository subversion - ++ lib.optional enableMongoDatabase mongodb - ++ lib.optional enableMongoDatabase mongodb-tools - ++ lib.optional enableInfluxDatabase influxdb - ++ lib.optional enableSupervisordProgram supervisor - ++ lib.optional enableDockerContainer docker; - - meta = { - description = "Automated deployment of mutable components and services for Disnix"; - license = lib.licenses.mit; - maintainers = [ lib.maintainers.sander ]; - platforms = lib.platforms.unix; - }; -} diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 2ce4245ba30..21ef7acf4b0 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -123,6 +123,9 @@ mapAliases ({ dbus_glib = dbus-glib; # added 2018-02-25 dbus_libs = dbus; # added 2018-04-25 diffuse = throw "diffuse has been removed from nixpkgs, as it's unmaintained"; # added 2019-12-10 + disnix = throw "disnix has been removed."; # added 2021-01-27 + disnixos = throw "disnixos has been removed."; # added 2021-01-27 + DisnixWebService = throw "DisnixWebService has been removed."; # added 2021-01-27 dbus_tools = dbus.out; # added 2018-04-25 deadbeef-mpris2-plugin = deadbeefPlugins.mpris2; # added 2018-02-23 deadpixi-sam = deadpixi-sam-unstable; 
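Review bot: The new `throw` aliases for `disnix`, `disnixos` and `DisnixWebService` in aliases.nix say only `has been removed.`, while neighbouring entries such as `diffuse` state why; a short reason in the message, e.g. `disnix = throw "disnix has been removed together with the nixos/disnix module and its dysnomia/disnixos companions"; # added 2021-01-27`, saves users a search when they hit it. The same applies to the `dydisnix` and `dysnomia` aliases added in the next hunk of this file.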
@@ -139,6 +142,8 @@ mapAliases ({ docker_compose = docker-compose; # 2018-11-10 draftsight = throw "draftsight has been removed, no longer available as freeware"; # added 2020-08-14 dvb_apps = throw "dvb_apps has been removed."; # added 2020-11-03 + dydisnix = throw "dydisnix has been removed."; # added 2021-01-27 + dysnomia = throw "dysnomia has been removed."; # added 2021-01-27 dwarf_fortress = dwarf-fortress; # added 2016-01-23 elasticmq = throw "elasticmq has been removed in favour of elasticmq-server-bin"; # added 2021-01-17 emacsPackagesGen = emacsPackagesFor; # added 2018-08-18 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index bb16dd7c9ef..cf9f66c3dae 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -28874,18 +28874,6 @@ in solfege = python3Packages.callPackage ../misc/solfege { }; - disnix = callPackage ../tools/package-management/disnix { }; - - dysnomia = callPackage ../tools/package-management/disnix/dysnomia (config.disnix or { - inherit (pythonPackages) supervisor; - }); - - dydisnix = callPackage ../tools/package-management/disnix/dydisnix { }; - - disnixos = callPackage ../tools/package-management/disnix/disnixos { }; - - DisnixWebService = callPackage ../tools/package-management/disnix/DisnixWebService { }; - lkproof = callPackage ../tools/typesetting/tex/lkproof { }; lice = callPackage ../tools/misc/lice {}; -- cgit 1.4.1 From 4ae1fa61ad66c0cb5e08549c9f4ae300ee956b25 Mon Sep 17 00:00:00 2001 
From: Sander van der Burg
Date: Sun, 28 Mar 2021 17:46:10 +0200
Subject: Revert "nixos/dysnomia nixos/disnix: Drop modules"
This reverts commit a3f4db8679002e20cc33576b5ba80996cc7a3398.
---
nixos/modules/misc/ids.nix | 4 +-
nixos/modules/module-list.nix | 2 +
nixos/modules/services/misc/disnix.nix | 98 ++++++++
nixos/modules/services/misc/dysnomia.nix | 257 +++++++++++++++++++++
.../disnix/DisnixWebService/default.nix | 28 +++
pkgs/tools/package-management/disnix/default.nix | 20 ++
.../package-management/disnix/disnixos/default.nix | 20 ++
.../package-management/disnix/dydisnix/default.nix | 27 +++
.../package-management/disnix/dysnomia/default.nix | 71 ++++++
pkgs/top-level/aliases.nix | 5 -
pkgs/top-level/all-packages.nix | 12 +
11 files changed, 537 insertions(+), 7 deletions(-)
create mode 100644 nixos/modules/services/misc/disnix.nix
create mode 100644 nixos/modules/services/misc/dysnomia.nix
create mode 100644 pkgs/tools/package-management/disnix/DisnixWebService/default.nix
create mode 100644 pkgs/tools/package-management/disnix/default.nix
create mode 100644 pkgs/tools/package-management/disnix/disnixos/default.nix
create mode 100644 pkgs/tools/package-management/disnix/dydisnix/default.nix
create mode 100644 pkgs/tools/package-management/disnix/dysnomia/default.nix
(limited to 'nixos/modules/misc/ids.nix')
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index a0f5ce72f33..feb9c68301d 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -71,7 +71,7 @@ in
 #utmp = 29; # unused
 # ddclient = 30; # converted to DynamicUser = true
 davfs2 = 31;
- #disnix = 33; # module removed
+ #disnix = 33; # unused
 osgi = 34;
 tor = 35;
 cups = 36;
@@ -387,7 +387,7 @@ in
 utmp = 29;
 # ddclient = 30; # converted to DynamicUser = true
 davfs2 = 31;
- #disnix = 33; # module removed
+ disnix = 33;
 osgi = 34;
 tor = 35;
 #cups = 36; # unused
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 6524cc62bb7..ca7898687b8 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -461,6 +461,8 @@
 ./services/misc/devmon.nix
 ./services/misc/dictd.nix
 ./services/misc/dwm-status.nix
+ ./services/misc/dysnomia.nix
+ ./services/misc/disnix.nix
 ./services/misc/docker-registry.nix
 ./services/misc/domoticz.nix
 ./services/misc/errbot.nix
diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix
new file mode 100644
index 00000000000..41483d80a2d
--- /dev/null
+++ b/nixos/modules/services/misc/disnix.nix
@@ -0,0 +1,98 @@ +# Disnix server +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.disnix; + +in + +{ + + ###### interface + + options = { + + services.disnix = { + + enable = mkEnableOption "Disnix"; + + enableMultiUser = mkOption { + type = types.bool; + default = true; + description = "Whether to support multi-user mode by enabling the Disnix D-Bus service"; + }; + + useWebServiceInterface = mkEnableOption "the DisnixWebService interface running on Apache Tomcat"; + + package = mkOption { + type = types.path; + description = "The Disnix package"; + default = pkgs.disnix; + defaultText = "pkgs.disnix"; + }; + + enableProfilePath = mkEnableOption "exposing the Disnix profiles in the system's PATH"; + + profiles = mkOption { + type = types.listOf types.string; + default = [ "default" ]; + example = [ "default" ]; + description = "Names of the Disnix profiles to expose in the system's PATH"; + }; + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + dysnomia.enable = true; + + environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService; + environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles); + + services.dbus.enable = true; + services.dbus.packages = [ pkgs.disnix ]; + + services.tomcat.enable = cfg.useWebServiceInterface; + services.tomcat.extraGroups = [ "disnix" ]; + services.tomcat.javaOpts = "${optionalString cfg.useWebServiceInterface "-Djava.library.path=${pkgs.libmatthew_java}/lib/jni"} "; + services.tomcat.sharedLibs = optional cfg.useWebServiceInterface "${pkgs.DisnixWebService}/share/java/DisnixConnection.jar" + ++ optional cfg.useWebServiceInterface "${pkgs.dbus_java}/share/java/dbus.jar"; + services.tomcat.webapps = optional cfg.useWebServiceInterface pkgs.DisnixWebService; + + users.groups.disnix.gid = config.ids.gids.disnix; + + systemd.services = { + disnix = mkIf 
cfg.enableMultiUser { + description = "Disnix server"; + wants = [ "dysnomia.target" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "dbus.service" ] + ++ optional config.services.httpd.enable "httpd.service" + ++ optional config.services.mysql.enable "mysql.service" + ++ optional config.services.postgresql.enable "postgresql.service" + ++ optional config.services.tomcat.enable "tomcat.service" + ++ optional config.services.svnserve.enable "svnserve.service" + ++ optional config.services.mongodb.enable "mongodb.service" + ++ optional config.services.influxdb.enable "influxdb.service"; + + restartIfChanged = false; + + path = [ config.nix.package cfg.package config.dysnomia.package "/run/current-system/sw" ]; + + environment = { + HOME = "/root"; + } + // (if config.environment.variables ? DYSNOMIA_CONTAINERS_PATH then { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; } else {}) + // (if config.environment.variables ? DYSNOMIA_MODULES_PATH then { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; } else {}); + + serviceConfig.ExecStart = "${cfg.package}/bin/disnix-service"; + }; + + }; + }; +} diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix new file mode 100644 index 00000000000..eb94791fbbf --- /dev/null +++ b/nixos/modules/services/misc/dysnomia.nix 
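Review bot: The `package` option is declared but the implementation never reads it: `environment.systemPackages = [ pkgs.disnix ]` and `services.dbus.packages = [ pkgs.disnix ]` should use `cfg.package`, otherwise an overridden package is neither installed nor has its D-Bus policy picked up while the service itself runs `${cfg.package}/bin/disnix-service`. The `profiles` option uses `types.string`, which is deprecated in favour of `types.str`. The `enableMultiUser` description could also state the trust boundary this creates: `disnix-service` runs as root (no `User=`, `HOME = "/root"`), so whoever the package's D-Bus policy admits — presumably members of the `disnix` group created here, to which tomcat is added via `extraGroups` — can trigger deployments with root privileges.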
@@ -0,0 +1,257 @@ +{pkgs, lib, config, ...}: + +with lib; + +let + cfg = config.dysnomia; + + printProperties = properties: + concatMapStrings (propertyName: + let + property = properties.${propertyName}; + in + if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties.${propertyName})})\n" + else "${propertyName}=\"${toString property}\"\n" + ) (builtins.attrNames properties); + + properties = pkgs.stdenv.mkDerivation { + name = "dysnomia-properties"; + buildCommand = '' + cat > $out << "EOF" + ${printProperties cfg.properties} + EOF + ''; + }; + + containersDir = pkgs.stdenv.mkDerivation { + name = "dysnomia-containers"; + buildCommand = '' + mkdir -p $out + cd $out + + ${concatMapStrings (containerName: + let + containerProperties = cfg.containers.${containerName}; + in + '' + cat > ${containerName} < /etc/systemd-mutable/system/dysnomia.target + fi + ''; + }; +} diff --git a/pkgs/tools/package-management/disnix/DisnixWebService/default.nix b/pkgs/tools/package-management/disnix/DisnixWebService/default.nix new file mode 100644 index 00000000000..ba3c51822e9 --- /dev/null +++ b/pkgs/tools/package-management/disnix/DisnixWebService/default.nix 
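Review bot: `printProperties` interpolates property values into shell-syntax assignments (`name="value"` and `name=("a" "b" )`) without any escaping, so a value containing a double quote, `$` or a backtick either breaks the generated file or is expanded when the file is sourced, presumably by dysnomia. Quoting each value with `lib.escapeShellArg` avoids that: `"${propertyName}=(${lib.concatMapStringsSep " " (elem: lib.escapeShellArg (toString elem)) property})\n"` for lists and `"${propertyName}=${lib.escapeShellArg (toString property)}\n"` otherwise. The rest of this hunk appears truncated in this rendering (the heredoc bodies after `cat > ${containerName}` are missing), so the remainder of the module could not be reviewed.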
@@ -0,0 +1,28 @@ +{lib, stdenv, fetchurl, apacheAnt, jdk, axis2, dbus_java }: + +stdenv.mkDerivation { + name = "DisnixWebService-0.10"; + src = fetchurl { + url = "https://github.com/svanderburg/DisnixWebService/releases/download/DisnixWebService-0.10/DisnixWebService-0.10.tar.gz"; + sha256 = "0m451msd127ay09yb8rbflg68szm8s4hh65j99f7s3mz375vc114"; + }; + buildInputs = [ apacheAnt jdk ]; + PREFIX = "\${env.out}"; + AXIS2_LIB = "${axis2}/lib"; + AXIS2_WEBAPP = "${axis2}/webapps/axis2"; + DBUS_JAVA_LIB = "${dbus_java}/share/java"; + prePatch = '' + sed -i -e "s|#JAVA_HOME=|JAVA_HOME=${jdk}|" \ + -e "s|#AXIS2_LIB=|AXIS2_LIB=${axis2}/lib|" \ + scripts/disnix-soap-client + ''; + buildPhase = "ant"; + installPhase = "ant install"; + + meta = { + description = "A SOAP interface and client for Disnix"; + license = lib.licenses.mit; + maintainers = [ lib.maintainers.sander ]; + platforms = lib.platforms.linux; + }; +} diff --git a/pkgs/tools/package-management/disnix/default.nix b/pkgs/tools/package-management/disnix/default.nix new file mode 100644 index 00000000000..14be0924f27 --- /dev/null +++ b/pkgs/tools/package-management/disnix/default.nix @@ -0,0 +1,20 @@ +{ lib, stdenv, fetchurl, pkg-config, glib, libxml2, libxslt, getopt, gettext, nixUnstable, dysnomia, libintl, libiconv, help2man, doclifter, docbook5, dblatex, doxygen, libnixxml, autoreconfHook }: + +stdenv.mkDerivation { + name = "disnix-0.10"; + + src = fetchurl { + url = "https://github.com/svanderburg/disnix/releases/download/disnix-0.10/disnix-0.10.tar.gz"; + sha256 = "0mciqbc2h60nc0i6pd36w0m2yr96v97ybrzrqzh5f67ac1f0gqwg"; + }; + + nativeBuildInputs = [ pkg-config ]; + buildInputs = [ glib libxml2 libxslt getopt nixUnstable libintl libiconv dysnomia ]; + + meta = { + description = "A Nix-based distributed service deployment tool"; + license = lib.licenses.lgpl21Plus; + maintainers = with lib.maintainers; [ sander tomberek ]; + platforms = lib.platforms.unix; + }; +} 
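Review bot: `name = "DisnixWebService-0.10"` should be split into `pname = "DisnixWebService"; version = "0.10";` so the version is machine-readable for update tooling and the `url` can reference `${version}` instead of repeating the number twice. The same applies to `name = "disnix-0.10"` in the next hunk and to `disnixos-0.9`, `dydisnix-${version}` and `dysnomia-0.10` in the following files.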
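Review bot: `help2man`, `doclifter`, `docbook5`, `dblatex`, `doxygen`, `libnixxml` and `autoreconfHook` are taken as function arguments but never used in the derivation, so `callPackage` has to resolve them for nothing, or the build was meant to regenerate documentation and they belong in `nativeBuildInputs`. Either trim them from the argument list or add the ones actually needed, e.g. `nativeBuildInputs = [ pkg-config autoreconfHook help2man doxygen ];`, so the intent is visible.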
diff --git a/pkgs/tools/package-management/disnix/disnixos/default.nix b/pkgs/tools/package-management/disnix/disnixos/default.nix new file mode 100644 index 00000000000..1b9d2eaefcd --- /dev/null +++ b/pkgs/tools/package-management/disnix/disnixos/default.nix @@ -0,0 +1,20 @@ +{ lib, stdenv, fetchurl, dysnomia, disnix, socat, pkg-config, getopt }: + +stdenv.mkDerivation { + name = "disnixos-0.9"; + + src = fetchurl { + url = "https://github.com/svanderburg/disnixos/releases/download/disnixos-0.9/disnixos-0.9.tar.gz"; + sha256 = "0vllm5a8d9dvz5cjiq1mmkc4r4vnljabq42ng0ml85sjn0w7xvm7"; + }; + + nativeBuildInputs = [ pkg-config ]; + buildInputs = [ socat dysnomia disnix getopt ]; + + meta = { + description = "Provides complementary NixOS infrastructure deployment to Disnix"; + license = lib.licenses.lgpl21Plus; + maintainers = [ lib.maintainers.sander ]; + platforms = lib.platforms.linux; + }; +} diff --git a/pkgs/tools/package-management/disnix/dydisnix/default.nix b/pkgs/tools/package-management/disnix/dydisnix/default.nix new file mode 100644 index 00000000000..b4c3851a50f --- /dev/null +++ b/pkgs/tools/package-management/disnix/dydisnix/default.nix 
@@ -0,0 +1,27 @@ +{ lib, stdenv, fetchFromGitHub, autoconf, automake, libtool , pkg-config, glib, libxml2, libxslt, getopt, libiconv, gettext, nix, disnix, libnixxml }: + +stdenv.mkDerivation rec { + version="2020-07-04"; + name = "dydisnix-${version}"; + + src = fetchFromGitHub { + owner = "svanderburg"; + repo = "dydisnix"; + rev = "e99091f1c2329d562097e35faedee80622d387f0"; + sha256 = "sha256-XKab2hNGtWDkIEMxE1vMvqQBTP9BvHTabBVfzpH57h0="; + }; + + nativeBuildInputs = [ pkg-config autoconf automake libtool ]; + buildInputs = [ glib libxml2 libxslt getopt nix disnix libiconv gettext libnixxml ]; + preConfigure = '' + ./bootstrap + ''; + + meta = { + description = "A toolset enabling self-adaptive redeployment on top of Disnix"; + longDescription = "Dynamic Disnix is a (very experimental!) prototype extension framework for Disnix supporting dynamic (re)deployment of service-oriented systems."; + license = lib.licenses.lgpl21Plus; + maintainers = [ lib.maintainers.tomberek ]; + platforms = lib.platforms.unix; + }; +} diff --git a/pkgs/tools/package-management/disnix/dysnomia/default.nix b/pkgs/tools/package-management/disnix/dysnomia/default.nix new file mode 100644 index 00000000000..56ba16afb47 --- /dev/null +++ b/pkgs/tools/package-management/disnix/dysnomia/default.nix 
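Review bot: `version="2020-07-04"` pins a git revision rather than a release, so by nixpkgs convention it should be `version = "unstable-2020-07-04";` together with `pname = "dydisnix";`, which also keeps version ordering sane once a tagged release appears. `autoconf`, `automake`, `libtool` plus the manual `./bootstrap` in `preConfigure` can likely be replaced by `autoreconfHook` in `nativeBuildInputs`, unless upstream's `bootstrap` does more than `autoreconf` — worth checking before switching.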
@@ -0,0 +1,71 @@ +{ lib, stdenv, fetchurl, netcat +, systemd ? null, ejabberd ? null, mysql ? null, postgresql ? null, subversion ? null, mongodb ? null, mongodb-tools ? null, influxdb ? null, supervisor ? null, docker ? null +, enableApacheWebApplication ? false +, enableAxis2WebService ? false +, enableEjabberdDump ? false +, enableMySQLDatabase ? false +, enablePostgreSQLDatabase ? false +, enableSubversionRepository ? false +, enableTomcatWebApplication ? false +, enableMongoDatabase ? false +, enableInfluxDatabase ? false +, enableSupervisordProgram ? false +, enableDockerContainer ? true +, enableLegacy ? false +, catalinaBaseDir ? "/var/tomcat" +, jobTemplate ? "systemd" +, getopt +}: + +assert enableMySQLDatabase -> mysql != null; +assert enablePostgreSQLDatabase -> postgresql != null; +assert enableSubversionRepository -> subversion != null; +assert enableEjabberdDump -> ejabberd != null; +assert enableMongoDatabase -> (mongodb != null && mongodb-tools != null); +assert enableInfluxDatabase -> influxdb != null; +assert enableSupervisordProgram -> supervisor != null; +assert enableDockerContainer -> docker != null; + +stdenv.mkDerivation { + name = "dysnomia-0.10"; + src = fetchurl { + url = "https://github.com/svanderburg/dysnomia/releases/download/dysnomia-0.10/dysnomia-0.10.tar.gz"; + sha256 = "19zg4nhn0f9v4i7c9hhan1i4xv3ljfpl2d0s84ph8byiscvhyrna"; + }; + + preConfigure = if enableEjabberdDump then "export PATH=$PATH:${ejabberd}/sbin" else ""; + + configureFlags = [ + (if enableApacheWebApplication then "--with-apache" else "--without-apache") + (if enableAxis2WebService then "--with-axis2" else "--without-axis2") + (if enableEjabberdDump then "--with-ejabberd" else "--without-ejabberd") + (if enableMySQLDatabase then "--with-mysql" else "--without-mysql") + (if enablePostgreSQLDatabase then "--with-postgresql" else "--without-postgresql") + (if enableSubversionRepository then "--with-subversion" else "--without-subversion") + (if 
enableTomcatWebApplication then "--with-tomcat=${catalinaBaseDir}" else "--without-tomcat") + (if enableMongoDatabase then "--with-mongodb" else "--without-mongodb") + (if enableInfluxDatabase then "--with-influxdb" else "--without-influxdb") + (if enableSupervisordProgram then "--with-supervisord" else "--without-supervisord") + (if enableDockerContainer then "--with-docker" else "--without-docker") + "--with-job-template=${jobTemplate}" + ] ++ lib.optional enableLegacy "--enable-legacy"; + + buildInputs = [ getopt netcat ] + ++ lib.optional stdenv.isLinux systemd + ++ lib.optional enableEjabberdDump ejabberd + ++ lib.optional enableMySQLDatabase mysql.out + ++ lib.optional enablePostgreSQLDatabase postgresql + ++ lib.optional enableSubversionRepository subversion + ++ lib.optional enableMongoDatabase mongodb + ++ lib.optional enableMongoDatabase mongodb-tools + ++ lib.optional enableInfluxDatabase influxdb + ++ lib.optional enableSupervisordProgram supervisor + ++ lib.optional enableDockerContainer docker; + + meta = { + description = "Automated deployment of mutable components and services for Disnix"; + license = lib.licenses.mit; + maintainers = [ lib.maintainers.sander ]; + platforms = lib.platforms.unix; + }; +} diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 27a933c0f93..fab7de30d4a 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -150,9 +150,6 @@ mapAliases ({ dbus_glib = dbus-glib; # added 2018-02-25 dbus_libs = dbus; # added 2018-04-25 diffuse = throw "diffuse has been removed from nixpkgs, as it's unmaintained"; # added 2019-12-10 - disnix = throw "disnix has been removed."; # added 2021-01-27 - disnixos = throw "disnixos has been removed."; # added 2021-01-27 - DisnixWebService = throw "DisnixWebService has been removed."; # added 2021-01-27 dbus_tools = dbus.out; # added 2018-04-25 deadbeef-mpris2-plugin = deadbeefPlugins.mpris2; # added 2018-02-23 deadpixi-sam = deadpixi-sam-unstable; 
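Review bot: The eleven `(if enableX then "--with-x" else "--without-x")` entries in `configureFlags` are what `lib.withFeature` exists for, e.g. `(lib.withFeature enableApacheWebApplication "apache")`, and the tomcat flag becomes `(lib.withFeatureAs enableTomcatWebApplication "tomcat" catalinaBaseDir)`; this shortens the list and removes the chance of a typo between the two spellings of each flag. `enableDockerContainer ? true` is the only feature flag defaulting on, so every default build requires `docker` and may retain a reference to it; if that is intentional the default deserves a short comment saying why.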
@@ -169,8 +166,6 @@ mapAliases ({ docker_compose = docker-compose; # 2018-11-10 draftsight = throw "draftsight has been removed, no longer available as freeware"; # added 2020-08-14 dvb_apps = throw "dvb_apps has been removed."; # added 2020-11-03 - dydisnix = throw "dydisnix has been removed."; # added 2021-01-27 - dysnomia = throw "dysnomia has been removed."; # added 2021-01-27 dwarf_fortress = dwarf-fortress; # added 2016-01-23 dwm-git = throw "dwm-git has been removed from nixpkgs, as it had no updates for 2 years not serving it's purpose."; # added 2021-02-07 elasticmq = throw "elasticmq has been removed in favour of elasticmq-server-bin"; # added 2021-01-17 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index feefc47051b..43549d492a0 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -29657,6 +29657,18 @@ in solfege = python3Packages.callPackage ../misc/solfege { }; + disnix = callPackage ../tools/package-management/disnix { }; + + dysnomia = callPackage ../tools/package-management/disnix/dysnomia (config.disnix or { + inherit (pythonPackages) supervisor; + }); + + dydisnix = callPackage ../tools/package-management/disnix/dydisnix { }; + + disnixos = callPackage ../tools/package-management/disnix/disnixos { }; + + DisnixWebService = callPackage ../tools/package-management/disnix/DisnixWebService { }; + lkproof = callPackage ../tools/typesetting/tex/lkproof { }; lice = python3Packages.callPackage ../tools/misc/lice {}; -- cgit 1.4.1 From b8258843d4d78e14c08e610a202c7c331a8f0f44 Mon Sep 17 00:00:00 2001 From: Sander van der Burg Date: Sun, 28 Mar 2021 21:40:30 +0200 Subject: nixos/misc/ids: reclaim uid for disnix --- nixos/modules/misc/ids.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index feb9c68301d..1fd56adfe10 100644 --- a/nixos/modules/misc/ids.nix 
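Review bot: `config.disnix or { inherit (pythonPackages) supervisor; }` drops the `supervisor` default as soon as a user sets any attribute in `config.disnix`, so enabling `enableSupervisordProgram` through that config would then trip the package's `supervisor != null` assert. Merging keeps the default while still allowing overrides: `dysnomia = callPackage ../tools/package-management/disnix/dysnomia ({ inherit (pythonPackages) supervisor; } // (config.disnix or { }));`. `pythonPackages` is presumably still the Python 2 set here; verify whether `python3Packages.supervisor` is the one dysnomia expects.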
+++ b/nixos/modules/misc/ids.nix @@ -71,7 +71,7 @@ in #utmp = 29; # unused # ddclient = 30; # converted to DynamicUser = true davfs2 = 31; - #disnix = 33; # unused + disnix = 33; osgi = 34; tor = 35; cups = 36; -- cgit 1.4.1 From c0853b6e2c673b774ed846cbd16c5abea7c6b085 Mon Sep 17 00:00:00 2001 From: Johannes Arnold Date: Wed, 5 May 2021 14:47:46 +0200 Subject: nixos/monero: use isSystemUser = true --- nixos/modules/misc/ids.nix | 4 ++-- nixos/modules/services/networking/monero.nix | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1fd56adfe10..05cc5002aaf 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -315,7 +315,7 @@ in restya-board = 284; mighttpd2 = 285; hass = 286; - monero = 287; + #monero = 287; # dynamically allocated as of 2021-05-08 ceph = 288; duplicati = 289; monetdb = 290; @@ -617,7 +617,7 @@ in restya-board = 284; mighttpd2 = 285; hass = 286; - monero = 287; + # monero = 287; # dynamically allocated as of 2021-05-08 ceph = 288; duplicati = 289; monetdb = 290; diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index 7a43d351768..952d1d47ca6 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -205,15 +205,14 @@ in config = mkIf cfg.enable { users.users.monero = { - uid = config.ids.uids.monero; + isSystemUser = true; + group = "monero"; description = "Monero daemon user"; home = cfg.dataDir; createHome = true; }; - users.groups.monero = { - gid = config.ids.gids.monero; - }; + users.groups.monero = { }; systemd.services.monero = { description = "monero daemon"; -- cgit 1.4.1 From f5f8341c76ffad22ae52c622be97c94ccbd2a847 Mon Sep 17 00:00:00 2001 
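Review bot: The reclaimed uid 33 has no consumer visible on this page: the restored `disnix.nix` module only declares `users.groups.disnix.gid = config.ids.gids.disnix;` and runs `disnix-service` as root, so nothing references `config.ids.uids.disnix`. If the uid is reserved only to keep the number paired with the gid, a comment such as `disnix = 33; # reserved to match the gid; no user is defined` would spare the next reader the search; otherwise the reclaim may be unnecessary.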
From: talyz Date: Wed, 28 Apr 2021 16:56:06 +0200 Subject: nixos/geoipupdate: Replace the old `geoip-updater` module Our old bespoke GeoIP updater doesn't seem to be working anymore. Instead of trying to fix it, replace it with the official updater from MaxMind. --- .../from_md/release-notes/rl-2111.section.xml | 20 +- nixos/doc/manual/release-notes/rl-2111.section.md | 7 + nixos/modules/misc/ids.nix | 2 +- nixos/modules/module-list.nix | 2 +- nixos/modules/services/misc/geoip-updater.nix | 306 --------------------- nixos/modules/services/misc/geoipupdate.nix | 145 ++++++++++ 6 files changed, 171 insertions(+), 311 deletions(-) delete mode 100644 nixos/modules/services/misc/geoip-updater.nix create mode 100644 nixos/modules/services/misc/geoipupdate.nix (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index e861b4fe7e2..e0b52ffa342 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -19,18 +19,32 @@
New Services - - + + + + geoipupdate, + a GeoIP database updater from MaxMind. Available as + services.geoipupdate. + + +
Backward Incompatibilities - + The staticjinja package has been upgraded from 1.0.4 to 2.0.0 + + + services.geoip-updater was broken and has + been replaced by + services.geoipupdate. + +
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 9a6da7f22bd..d4604447f83 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -8,8 +8,15 @@ In addition to numerous new and upgraded packages, this release has the followin ## New Services +* [geoipupdate](https://github.com/maxmind/geoipupdate), a GeoIP + database updater from MaxMind. Available as + [services.geoipupdate](options.html#opt-services.geoipupdate.enable). + ## Backward Incompatibilities * The `staticjinja` package has been upgraded from 1.0.4 to 2.0.0 +* `services.geoip-updater` was broken and has been replaced by + [services.geoipupdate](options.html#opt-services.geoipupdate.enable). + ## Other Notable Changes diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 05cc5002aaf..7ea2940292b 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -300,7 +300,7 @@ in #pdns-recursor = 269; # dynamically allocated as of 2020-20-18 #kresd = 270; # switched to "knot-resolver" with dynamic ID rpc = 271; - geoip = 272; + #geoip = 272; # new module uses DynamicUser fcron = 273; sonarr = 274; radarr = 275; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index ebafb5ef5aa..42f0471c4cf 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -492,7 +492,7 @@ ./services/misc/freeswitch.nix ./services/misc/fstrim.nix ./services/misc/gammu-smsd.nix - ./services/misc/geoip-updater.nix + ./services/misc/geoipupdate.nix ./services/misc/gitea.nix #./services/misc/gitit.nix ./services/misc/gitlab.nix diff --git a/nixos/modules/services/misc/geoip-updater.nix b/nixos/modules/services/misc/geoip-updater.nix deleted file mode 100644 index baf0a8d73d1..00000000000 --- a/nixos/modules/services/misc/geoip-updater.nix +++ /dev/null 
@@ -1,306 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.geoip-updater; - - dbBaseUrl = "https://geolite.maxmind.com/download/geoip/database"; - - randomizedTimerDelaySec = "3600"; - - # Use writeScriptBin instead of writeScript, so that argv[0] (logged to the - # journal) doesn't include the long nix store path hash. (Prefixing the - # ExecStart= command with '@' doesn't work because we start a shell (new - # process) that creates a new argv[0].) - geoip-updater = pkgs.writeScriptBin "geoip-updater" '' - #!${pkgs.runtimeShell} - skipExisting=0 - debug() - { - echo "<7>$@" - } - info() - { - echo "<6>$@" - } - error() - { - echo "<3>$@" - } - die() - { - error "$@" - exit 1 - } - waitNetworkOnline() - { - ret=1 - for i in $(seq 6); do - curl_out=$("${pkgs.curl.bin}/bin/curl" \ - --silent --fail --show-error --max-time 60 "${dbBaseUrl}" 2>&1) - if [ $? -eq 0 ]; then - debug "Server is reachable (try $i)" - ret=0 - break - else - debug "Server is unreachable (try $i): $curl_out" - sleep 10 - fi - done - return $ret - } - dbFnameTmp() - { - dburl=$1 - echo "${cfg.databaseDir}/.$(basename "$dburl")" - } - dbFnameTmpDecompressed() - { - dburl=$1 - echo "${cfg.databaseDir}/.$(basename "$dburl")" | sed 's/\.\(gz\|xz\)$//' - } - dbFname() - { - dburl=$1 - echo "${cfg.databaseDir}/$(basename "$dburl")" | sed 's/\.\(gz\|xz\)$//' - } - downloadDb() - { - dburl=$1 - curl_out=$("${pkgs.curl.bin}/bin/curl" \ - --silent --fail --show-error --max-time 900 -L -o "$(dbFnameTmp "$dburl")" "$dburl" 2>&1) - if [ $? -ne 0 ]; then - error "Failed to download $dburl: $curl_out" - return 1 - fi - } - decompressDb() - { - fn=$(dbFnameTmp "$1") - ret=0 - case "$fn" in - *.gz) - cmd_out=$("${pkgs.gzip}/bin/gzip" --decompress --force "$fn" 2>&1) - ;; - *.xz) - cmd_out=$("${pkgs.xz.bin}/bin/xz" --decompress --force "$fn" 2>&1) - ;; - *) - cmd_out=$(echo "File \"$fn\" is neither a .gz nor .xz file") - false - ;; - esac - if [ $? 
-ne 0 ]; then - error "$cmd_out" - ret=1 - fi - } - atomicRename() - { - dburl=$1 - mv "$(dbFnameTmpDecompressed "$dburl")" "$(dbFname "$dburl")" - } - removeIfNotInConfig() - { - # Arg 1 is the full path of an installed DB. - # If the corresponding database is not specified in the NixOS config we - # remove it. - db=$1 - for cdb in ${lib.concatStringsSep " " cfg.databases}; do - confDb=$(echo "$cdb" | sed 's/\.\(gz\|xz\)$//') - if [ "$(basename "$db")" = "$(basename "$confDb")" ]; then - return 0 - fi - done - rm "$db" - if [ $? -eq 0 ]; then - debug "Removed $(basename "$db") (not listed in services.geoip-updater.databases)" - else - error "Failed to remove $db" - fi - } - removeUnspecifiedDbs() - { - for f in "${cfg.databaseDir}/"*; do - test -f "$f" || continue - case "$f" in - *.dat|*.mmdb|*.csv) - removeIfNotInConfig "$f" - ;; - *) - debug "Not removing \"$f\" (unknown file extension)" - ;; - esac - done - } - downloadAndInstall() - { - dburl=$1 - if [ "$skipExisting" -eq 1 -a -f "$(dbFname "$dburl")" ]; then - debug "Skipping existing file: $(dbFname "$dburl")" - return 0 - fi - downloadDb "$dburl" || return 1 - decompressDb "$dburl" || return 1 - atomicRename "$dburl" || return 1 - info "Updated $(basename "$(dbFname "$dburl")")" - } - for arg in "$@"; do - case "$arg" in - --skip-existing) - skipExisting=1 - info "Option --skip-existing is set: not updating existing databases" - ;; - *) - error "Unknown argument: $arg";; - esac - done - waitNetworkOnline || die "Network is down (${dbBaseUrl} is unreachable)" - test -d "${cfg.databaseDir}" || die "Database directory (${cfg.databaseDir}) doesn't exist" - debug "Starting update of GeoIP databases in ${cfg.databaseDir}" - all_ret=0 - for db in ${lib.concatStringsSep " \\\n " cfg.databases}; do - downloadAndInstall "${dbBaseUrl}/$db" || all_ret=1 - done - removeUnspecifiedDbs || all_ret=1 - if [ $all_ret -eq 0 ]; then - info "Completed GeoIP database update in ${cfg.databaseDir}" - else - error "Completed GeoIP 
database update in ${cfg.databaseDir}, with error(s)" - fi - # Hack to work around systemd journal race: - # https://github.com/systemd/systemd/issues/2913 - sleep 2 - exit $all_ret - ''; - -in - -{ - options = { - services.geoip-updater = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Whether to enable periodic downloading of GeoIP databases from - maxmind.com. You might want to enable this if you, for instance, use - ntopng or Wireshark. - ''; - }; - - interval = mkOption { - type = types.str; - default = "weekly"; - description = '' - Update the GeoIP databases at this time / interval. - The format is described in - systemd.time - 7. - To prevent load spikes on maxmind.com, the timer interval is - randomized by an additional delay of ${randomizedTimerDelaySec} - seconds. Setting a shorter interval than this is not recommended. - ''; - }; - - databaseDir = mkOption { - type = types.path; - default = "/var/lib/geoip-databases"; - description = '' - Directory that will contain GeoIP databases. - ''; - }; - - databases = mkOption { - type = types.listOf types.str; - default = [ - "GeoLiteCountry/GeoIP.dat.gz" - "GeoIPv6.dat.gz" - "GeoLiteCity.dat.xz" - "GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz" - "asnum/GeoIPASNum.dat.gz" - "asnum/GeoIPASNumv6.dat.gz" - "GeoLite2-Country.mmdb.gz" - "GeoLite2-City.mmdb.gz" - ]; - description = '' - Which GeoIP databases to update. The full URL is ${dbBaseUrl}/ + - the_database. - ''; - }; - - }; - - }; - - config = mkIf cfg.enable { - - assertions = [ - { assertion = (builtins.filter - (x: builtins.match ".*\\.(gz|xz)$" x == null) cfg.databases) == []; - message = '' - services.geoip-updater.databases supports only .gz and .xz databases. 
- - Current value: - ${toString cfg.databases} - - Offending element(s): - ${toString (builtins.filter (x: builtins.match ".*\\.(gz|xz)$" x == null) cfg.databases)}; - ''; - } - ]; - - users.users.geoip = { - group = "root"; - description = "GeoIP database updater"; - uid = config.ids.uids.geoip; - }; - - systemd.timers.geoip-updater = - { description = "GeoIP Updater Timer"; - partOf = [ "geoip-updater.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = cfg.interval; - timerConfig.Persistent = "true"; - timerConfig.RandomizedDelaySec = randomizedTimerDelaySec; - }; - - systemd.services.geoip-updater = { - description = "GeoIP Updater"; - after = [ "network-online.target" "nss-lookup.target" ]; - wants = [ "network-online.target" ]; - preStart = '' - mkdir -p "${cfg.databaseDir}" - chmod 755 "${cfg.databaseDir}" - chown geoip:root "${cfg.databaseDir}" - ''; - serviceConfig = { - ExecStart = "${geoip-updater}/bin/geoip-updater"; - User = "geoip"; - PermissionsStartOnly = true; - }; - }; - - systemd.services.geoip-updater-setup = { - description = "GeoIP Updater Setup"; - after = [ "network-online.target" "nss-lookup.target" ]; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - conflicts = [ "geoip-updater.service" ]; - preStart = '' - mkdir -p "${cfg.databaseDir}" - chmod 755 "${cfg.databaseDir}" - chown geoip:root "${cfg.databaseDir}" - ''; - serviceConfig = { - ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing"; - User = "geoip"; - PermissionsStartOnly = true; - # So it won't be (needlessly) restarted: - RemainAfterExit = true; - }; - }; - - }; -} diff --git a/nixos/modules/services/misc/geoipupdate.nix b/nixos/modules/services/misc/geoipupdate.nix new file mode 100644 index 00000000000..5d87be928d9 --- /dev/null +++ b/nixos/modules/services/misc/geoipupdate.nix 
@@ -0,0 +1,145 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.geoipupdate; +in +{ + imports = [ + (lib.mkRemovedOptionModule [ "services" "geoip-updater" ] "services.geoip-updater has been removed, use services.geoipupdate instead.") + ]; + + options = { + services.geoipupdate = { + enable = lib.mkEnableOption '' + periodic downloading of GeoIP databases using + geoipupdate. + ''; + + interval = lib.mkOption { + type = lib.types.str; + default = "weekly"; + description = '' + Update the GeoIP databases at this time / interval. + The format is described in + systemd.time + 7. + ''; + }; + + settings = lib.mkOption { + description = '' + geoipupdate configuration + options. See + + for a full list of available options. + ''; + type = lib.types.submodule { + freeformType = + with lib.types; + let + type = oneOf [str int bool]; + in + attrsOf (either type (listOf type)); + + options = { + + AccountID = lib.mkOption { + type = lib.types.int; + description = '' + Your MaxMind account ID. + ''; + }; + + EditionIDs = lib.mkOption { + type = with lib.types; listOf (either str int); + example = [ + "GeoLite2-ASN" + "GeoLite2-City" + "GeoLite2-Country" + ]; + description = '' + List of database edition IDs. This includes new string + IDs like GeoIP2-City and old + numeric IDs like 106. + ''; + }; + + LicenseKey = lib.mkOption { + type = lib.types.path; + description = '' + A file containing the MaxMind + license key. + ''; + }; + + DatabaseDirectory = lib.mkOption { + type = lib.types.path; + default = "/var/lib/GeoIP"; + example = "/run/GeoIP"; + description = '' + The directory to store the database files in. The + directory will be automatically created, the owner + changed to geoip and permissions + set to world readable. This applies if the directory + already exists as well, so don't use a directory with + sensitive contents. 
+ ''; + }; + + }; + }; + }; + }; + + }; + + config = lib.mkIf cfg.enable { + + services.geoipupdate.settings = { + LockFile = "/run/geoipupdate/.lock"; + }; + + systemd.services.geoipupdate = { + description = "GeoIP Updater"; + after = [ "network-online.target" "nss-lookup.target" ]; + wants = [ "network-online.target" ]; + startAt = cfg.interval; + serviceConfig = { + ExecStartPre = + let + geoipupdateKeyValue = lib.generators.toKeyValue { + mkKeyValue = lib.flip lib.generators.mkKeyValueDefault " " rec { + mkValueString = v: with builtins; + if isInt v then toString v + else if isString v then v + else if true == v then "1" + else if false == v then "0" + else if isList v then lib.concatMapStringsSep " " mkValueString v + else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; + }; + }; + + geoipupdateConf = pkgs.writeText "discourse.conf" (geoipupdateKeyValue cfg.settings); + + script = '' + mkdir -p "${cfg.settings.DatabaseDirectory}" + chmod 755 "${cfg.settings.DatabaseDirectory}" + chown geoip "${cfg.settings.DatabaseDirectory}" + + cp ${geoipupdateConf} /run/geoipupdate/GeoIP.conf + ${pkgs.replace-secret}/bin/replace-secret '${cfg.settings.LicenseKey}' \ + '${cfg.settings.LicenseKey}' \ + /run/geoipupdate/GeoIP.conf + ''; + in + "+${pkgs.writeShellScript "start-pre-full-privileges" script}"; + ExecStart = "${pkgs.geoipupdate}/bin/geoipupdate -f /run/geoipupdate/GeoIP.conf"; + User = "geoip"; + DynamicUser = true; + ReadWritePaths = cfg.settings.DatabaseDirectory; + RuntimeDirectory = "geoipupdate"; + RuntimeDirectoryMode = 0700; + }; + }; + }; +} -- cgit 1.4.1 From 336130a90f64d34aa8465d200fdc1d2725fd31b9 Mon Sep 17 00:00:00 2001 
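Review bot: `pkgs.writeText "discourse.conf"` is a copy-paste leftover; the file becomes `/run/geoipupdate/GeoIP.conf`, so name it `pkgs.writeText "GeoIP.conf"` to keep the store path recognisable. `RuntimeDirectoryMode = 0700;` is the decimal integer 700 in Nix (there is no octal literal), which only yields the intended mode because systemd parses the value as octal; write the string `"0700"` to make that explicit. The `LicenseKey` description should say that the value must be a string path outside the Nix store (e.g. a file under `/run/keys`), because a path literal such as `./license.key` is copied into the world-readable store, and `replace-secret` then only moves the secret out of a file every local user can already read.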
From: rnhmjoj Date: Thu, 10 Jun 2021 02:33:10 +0200 Subject: nixos/gale: remove This should have been removed along the package in 3f7d959. --- nixos/modules/misc/ids.nix | 4 +- nixos/modules/module-list.nix | 1 - nixos/modules/services/networking/gale.nix | 181 ----------------------------- 3 files changed, 2 insertions(+), 184 deletions(-) delete mode 100644 nixos/modules/services/networking/gale.nix (limited to 'nixos/modules/misc/ids.nix') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 7ea2940292b..2cbbbc522e1 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -252,7 +252,7 @@ in postsrsd = 220; opendkim = 221; dspam = 222; - gale = 223; + # gale = 223; removed 2021-06-10 matrix-synapse = 224; rspamd = 225; # rmilter = 226; # unused, removed 2019-08-22 @@ -562,7 +562,7 @@ in postsrsd = 220; opendkim = 221; dspam = 222; - gale = 223; + # gale = 223; removed 2021-06-10 matrix-synapse = 224; rspamd = 225; # rmilter = 226; # unused, removed 2019-08-22 diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 0c9a7055aa7..06f9a05cf66 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -692,7 +692,6 @@ ./services/networking/flannel.nix ./services/networking/freenet.nix ./services/networking/freeradius.nix - ./services/networking/gale.nix ./services/networking/gateone.nix ./services/networking/gdomap.nix ./services/networking/ghostunnel.nix diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix deleted file mode 100644 index cb954fd836b..00000000000 --- a/nixos/modules/services/networking/gale.nix +++ /dev/null 
@@ -1,181 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.gale;
- # we convert the path to a string to avoid it being copied to the nix store,
- # otherwise users could read the private key as all files in the store are
- # world-readable
- keyPath = toString cfg.keyPath;
- # ...but we refer to the pubkey file using a path so that we can ensure the
- # config gets rebuilt if the public key changes (we can assume the private key
- # will never change without the public key having changed)
- gpubFile = cfg.keyPath + "/${cfg.domain}.gpub";
- home = "/var/lib/gale";
- keysPrepared = cfg.keyPath != null && lib.pathExists cfg.keyPath;
-in
-{
- options = {
- services.gale = {
- enable = mkEnableOption "the Gale messaging daemon";
-
- user = mkOption {
- default = "gale";
- type = types.str;
- description = "Username for the Gale daemon.";
- };
-
- group = mkOption {
- default = "gale";
- type = types.str;
- description = "Group name for the Gale daemon.";
- };
-
- setuidWrapper = mkOption {
- default = null;
- description = "Configuration for the Gale gksign setuid wrapper.";
- };
-
- domain = mkOption {
- default = "";
- type = types.str;
- description = "Domain name for the Gale system.";
- };
-
- keyPath = mkOption {
- default = null;
- type = types.nullOr types.path;
- description = ''
- Directory containing the key pair for this Gale domain. The expected
- filename will be taken from the domain option with ".gpri" and ".gpub"
- appended.
- '';
- };
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Additional text to be added to /etc/gale/conf.
- '';
- };
- };
- };
-
- config = mkMerge [
- (mkIf cfg.enable {
- assertions = [{
- assertion = cfg.domain != "";
- message = "A domain must be set for Gale.";
- }];
-
- warnings = mkIf (!keysPrepared) [
- "You must run gale-install in order to generate a domain key."
- ];
-
- system.activationScripts.gale = mkIf cfg.enable (
- stringAfter [ "users" "groups" ] ''
- chmod 755 ${home}
- mkdir -m 0777 -p ${home}/auth/cache
- mkdir -m 1777 -p ${home}/auth/local # GALE_DOMAIN.gpub
- mkdir -m 0700 -p ${home}/auth/private # ROOT.gpub
- mkdir -m 0755 -p ${home}/auth/trusted # ROOT
- mkdir -m 0700 -p ${home}/.gale
- mkdir -m 0700 -p ${home}/.gale/auth
- mkdir -m 0700 -p ${home}/.gale/auth/private # GALE_DOMAIN.gpri
-
- ln -sf ${pkgs.gale}/etc/gale/auth/trusted/ROOT "${home}/auth/trusted/ROOT"
- chown ${cfg.user}:${cfg.group} ${home} ${home}/auth ${home}/auth/*
- chown ${cfg.user}:${cfg.group} ${home}/.gale ${home}/.gale/auth ${home}/.gale/auth/private
- ''
- );
-
- environment = {
- etc = {
- "gale/auth".source = home + "/auth"; # symlink /var/lib/gale/auth
- "gale/conf".text = ''
- GALE_USER ${cfg.user}
- GALE_DOMAIN ${cfg.domain}
- ${cfg.extraConfig}
- '';
- };
-
- systemPackages = [ pkgs.gale ];
- };
-
- users.users.${cfg.user} = {
- description = "Gale daemon";
- uid = config.ids.uids.gale;
- group = cfg.group;
- home = home;
- createHome = true;
- };
-
- users.groups = [{
- name = cfg.group;
- gid = config.ids.gids.gale;
- }];
- })
- (mkIf (cfg.enable && keysPrepared) {
- assertions = [
- {
- assertion = cfg.keyPath != null
- && lib.pathExists (cfg.keyPath + "/${cfg.domain}.gpub");
- message = "Couldn't find a Gale public key for ${cfg.domain}.";
- }
- {
- assertion = cfg.keyPath != null
- && lib.pathExists (cfg.keyPath + "/${cfg.domain}.gpri");
- message = "Couldn't find a Gale private key for ${cfg.domain}.";
- }
- ];
-
- services.gale.setuidWrapper = {
- program = "gksign";
- source = "${pkgs.gale}/bin/gksign";
- owner = cfg.user;
- group = cfg.group;
- setuid = true;
- setgid = false;
- };
-
- security.wrappers.gksign = cfg.setuidWrapper;
-
- systemd.services.gale-galed = {
- description = "Gale messaging daemon";
- wantedBy = [ "multi-user.target" ];
- wants = [ "gale-gdomain.service" ];
- after = [ "network.target" ];
-
- preStart = ''
- install -m 0640 -o ${cfg.user} -g ${cfg.group} ${keyPath}/${cfg.domain}.gpri "${home}/.gale/auth/private/"
- install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/.gale/auth/private/${cfg.domain}.gpub"
- install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/auth/local/${cfg.domain}.gpub"
- '';
-
- serviceConfig = {
- Type = "forking";
- ExecStart = "@${pkgs.gale}/bin/galed galed";
- User = cfg.user;
- Group = cfg.group;
- PermissionsStartOnly = true;
- };
- };
-
- systemd.services.gale-gdomain = {
- description = "Gale AKD daemon";
- wantedBy = [ "multi-user.target" ];
- requires = [ "gale-galed.service" ];
- after = [ "gale-galed.service" ];
-
- serviceConfig = {
- Type = "forking";
- ExecStart = "@${pkgs.gale}/bin/gdomain gdomain";
- User = cfg.user;
- Group = cfg.group;
- };
- };
- })
- ];
-}
--
cgit 1.4.1
From ac7b8724b59974c0d74f2feacc4a2a787a5cf122 Mon Sep 17 00:00:00 2001
From: Jörg Thalheim
Date: Sat, 12 Dec 2020 09:29:40 +0100
Subject: nixos/nix-serve: don't run as nogroup

nogroup is insecure if shared
---
 nixos/modules/misc/ids.nix | 2 +-
 nixos/modules/services/networking/nix-serve.nix | 8 ++------
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/nix-serve.nix | 22 ++++++++++++++++++++++
 .../tools/package-management/nix-serve/default.nix | 12 ++++++++++--
 5 files changed, 36 insertions(+), 9 deletions(-)
 create mode 100644 nixos/tests/nix-serve.nix
(limited to 'nixos/modules/misc/ids.nix')

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 2cbbbc522e1..858c7ee53db 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -229,7 +229,7 @@ in
 grafana = 196;
 skydns = 197;
 # ripple-rest = 198; # unused, removed 2017-08-12
- nix-serve = 199;
+ # nix-serve = 199; # unused, removed 2020-12-12
 tvheadend = 200;
 uwsgi = 201;
 gitit = 202;
diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix
index b17f35c769b..7fc145f2303 100644
--- a/nixos/modules/services/networking/nix-serve.nix
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -69,13 +69,9 @@ in
 ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
 "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
 User = "nix-serve";
- Group = "nogroup";
+ Group = "nix-serve";
+ DynamicUser = true;
 };
 };
-
- users.users.nix-serve = {
- description = "Nix-serve user";
- uid = config.ids.uids.nix-serve;
- };
 };
 }
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 76e5077f42d..b018bd6c131 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -295,6 +295,7 @@ in
 nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
 nginx-sso = handleTest ./nginx-sso.nix {};
 nginx-variants = handleTest ./nginx-variants.nix {};
+ nix-serve = handleTest ./nix-ssh-serve.nix {};
 nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
 nixos-generate-config = handleTest ./nixos-generate-config.nix {};
 nomad = handleTest ./nomad.nix {};
diff --git a/nixos/tests/nix-serve.nix b/nixos/tests/nix-serve.nix
new file mode 100644
index 00000000000..ab82f4be43e
--- /dev/null
+++ b/nixos/tests/nix-serve.nix
@@ -0,0 +1,22 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+{
+ name = "nix-serve";
+ machine = { pkgs, ... }: {
+ services.nix-serve.enable = true;
+ environment.systemPackages = [
+ pkgs.hello
+ ];
+ };
+ testScript = let
+ pkgHash = builtins.head (
+ builtins.match "${builtins.storeDir}/([^-]+).+" (toString pkgs.hello)
+ );
+ in ''
+ start_all()
+ machine.wait_for_unit("nix-serve.service")
+ machine.wait_for_open_port(5000)
+ machine.succeed(
+ "curl --fail -g http://0.0.0.0:5000/nar/${pkgHash}.nar -o /tmp/hello.nar"
+ )
+ '';
+})
diff --git a/pkgs/tools/package-management/nix-serve/default.nix b/pkgs/tools/package-management/nix-serve/default.nix
index f85adee4917..a1edfdd1367 100644
--- a/pkgs/tools/package-management/nix-serve/default.nix
+++ b/pkgs/tools/package-management/nix-serve/default.nix
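Review bot: With `DynamicUser = true;` the `nix-serve` uid/gid is allocated by systemd for the lifetime of the unit, so the commit's removal of `users.users.nix-serve` means no file on the system can any longer be owned by a persistent nix-serve account; the surrounding serviceConfig starts outside the hunk, so I cannot see whether the service is handed a secret key path, but if it is, that file now has to be readable through a mechanism other than ownership by the service user (systemd's `LoadCredential=` or a group-readable file). A comment on the new line would record the constraint for the next maintainer: `DynamicUser = true; # uid/gid exist only while the unit runs; do not chown files to nix-serve`.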
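Review bot: The new `nix-serve` entry in all-tests.nix points at the wrong file: `nix-serve = handleTest ./nix-ssh-serve.nix {};` runs the existing nix-ssh-serve test a second time, while the `nixos/tests/nix-serve.nix` this commit creates is never registered, and `passthru.tests.nix-serve = nixosTests.nix-serve;` in default.nix therefore also resolves to the wrong test. The line should read `nix-serve = handleTest ./nix-serve.nix {};`.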
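Review bot: The test fetches from `http://0.0.0.0:5000`, which only works because Linux treats a connect to 0.0.0.0 as the local host; `http://127.0.0.1:5000` states the intent and avoids depending on that behaviour. The test also exercises only the NAR download, not the user/group change that is the point of the commit; a follow-up assertion such as `machine.succeed("systemctl show -p Group nix-serve.service | grep -q nix-serve")` would catch a regression back to a shared group.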
@@ -1,5 +1,11 @@
-{ lib, stdenv, fetchFromGitHub,
- bzip2, nix, perl, makeWrapper,
+{ lib
+, stdenv
+, fetchFromGitHub
+, bzip2
+, nix
+, perl
+, makeWrapper
+, nixosTests
 }:
 
 with lib;
@@ -30,6 +36,8 @@ stdenv.mkDerivation {
 --add-flags $out/libexec/nix-serve/nix-serve.psgi
 '';
 
+ passthru.tests.nix-serve = nixosTests.nix-serve;
+
 meta = {
 homepage = "https://github.com/edolstra/nix-serve";
 description = "A utility for sharing a Nix store as a binary cache";
--
cgit 1.4.1