From 1f8d0d771c27e5c3497d2c753c12b8384476255d Mon Sep 17 00:00:00 2001 From: Bernardo Meurer Date: Wed, 2 Dec 2020 17:05:48 -0800 Subject: nixos/nomad: init MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Niklas Hambüchen --- nixos/modules/services/networking/nomad.nix | 126 ++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 nixos/modules/services/networking/nomad.nix (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix new file mode 100644 index 00000000000..4bf9313758f --- /dev/null +++ b/nixos/modules/services/networking/nomad.nix 
@@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.nomad; + format = pkgs.formats.json { }; +in +{ + ##### interface + options = { + services.nomad = { + enable = mkEnableOption "Nomad, a distributed, highly available, datacenter-aware scheduler"; + + package = mkOption { + type = types.package; + default = pkgs.nomad; + defaultText = "pkgs.nomad"; + description = '' + The package used for the Nomad agent and CLI. + ''; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + Extra packages to add to PATH for the Nomad agent process. + ''; + example = literalExample '' + with pkgs; [ cni-plugins ] + ''; + }; + + dropPrivileges = mkOption { + type = types.bool; + default = true; + description = '' + Whether the nomad agent should be run as a non-root nomad user. + ''; + }; + + enableDocker = mkOption { + type = types.bool; + default = false; + description = '' + Enable Docker support. Needed for Nomad's docker driver. + + Note that the docker group membership is effectively equivalent + to being root, see https://github.com/moby/moby/issues/9976. + ''; + }; + + settings = mkOption { + type = format.type; + default = { + # Agrees with `StateDirectory = "nomad"` set below. + data_dir = "/var/lib/nomad"; + }; + description = '' + Configuration for Nomad. See the documentation + for supported values. 
+ ''; + example = literalExample '' + { + # A minimal config example: + server = { + enabled = true; + bootstrap_expect = 1; # for demo; no fault tolerance + }; + client = { + enabled = true; + }; + } + ''; + }; + }; + }; + + ##### implementation + config = mkIf cfg.enable { + environment = { + etc."nomad.json".source = format.generate "nomad.json" cfg.settings; + systemPackages = [ cfg.package ]; + }; + + systemd.services.nomad = { + description = "Nomad"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + restartTriggers = [ config.environment.etc."nomad.json".source ]; + + path = cfg.extraPackages ++ (with pkgs; [ + # Client mode requires at least the following: + coreutils + iproute + iptables + ]); + + serviceConfig = { + DynamicUser = cfg.dropPrivileges; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json"; + KillMode = "process"; + KillSignal = "SIGINT"; + LimitNOFILE = 65536; + LimitNPROC = "infinity"; + OOMScoreAdjust = -1000; + Restart = "on-failure"; + RestartSec = 2; + # Agrees with the default `data_dir = "/var/lib/nomad"` in `settings` above. + StateDirectory = "nomad"; + TasksMax = "infinity"; + User = optionalString cfg.dropPrivileges "nomad"; + } // (optionalAttrs cfg.enableDocker { + SupplementaryGroups = "docker"; # space-separated string + }); + unitConfig = { + StartLimitIntervalSec = 10; + StartLimitBurst = 3; + }; + }; + + # Docker support requires the Docker daemon to be running. + virtualisation.docker.enable = mkIf cfg.enableDocker true; + }; +} -- cgit 1.4.1 From e1340190a9691bb236793dfd78a055cc7f0fb147 Mon Sep 17 00:00:00 2001 From: Bernardo Meurer Date: Sun, 17 Jan 2021 18:54:06 -0800 Subject: nixos/nomad: default enableDocker to true --- nixos/modules/services/networking/nomad.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/networking/nomad.nix') 
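Review bot: The `settings` description should warn that its contents become world-readable, because `environment.etc."nomad.json".source = format.generate "nomad.json" cfg.settings;` renders them into the Nix store. Any ACL token, gossip encryption key or similar credential placed in `settings` is then readable by every local user, and this commit offers no other way to supply configuration. I would add a sentence to the description such as `The generated file is placed in the world-readable Nix store; do not put secrets in this option.`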
diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 4bf9313758f..e6bbb607aaa 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -40,7 +40,7 @@ in enableDocker = mkOption { type = types.bool; - default = false; + default = true; description = '' Enable Docker support. Needed for Nomad's docker driver. -- cgit 1.4.1 From 0bbed1c273e4bbb71e438768f532464db7d7a4c5 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Sat, 23 Jan 2021 12:43:43 -0500 Subject: nixos/nomad: add newline --- nixos/modules/services/networking/nomad.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index e6bbb607aaa..a0520d4c998 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -114,6 +114,7 @@ in } // (optionalAttrs cfg.enableDocker { SupplementaryGroups = "docker"; # space-separated string }); + unitConfig = { StartLimitIntervalSec = 10; StartLimitBurst = 3; -- cgit 1.4.1 From 2861d26df5e9aeb5bc385b921a1aaac46011708e Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Sat, 23 Jan 2021 12:44:23 -0500 Subject: nixos/nomad: move data_dir default setting to allow propagation of default --- nixos/modules/services/networking/nomad.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index a0520d4c998..6c151175e5b 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix 
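Review bot: Flipping `enableDocker` to `default = true;` undermines the `dropPrivileges = true` default, because the module then adds `SupplementaryGroups = "docker"` to the agent out of the box, and the option's own description says docker group membership is effectively equivalent to root. It also turns on `virtualisation.docker.enable` for every host that only sets `services.nomad.enable`. I would keep `default = false;` so that root-equivalent access is an explicit opt-in. If the new default stays, the `dropPrivileges` description should say that the agent is only unprivileged when `enableDocker` is off.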
@@ -51,10 +51,7 @@ in settings = mkOption { type = format.type; - default = { - # Agrees with `StateDirectory = "nomad"` set below. - data_dir = "/var/lib/nomad"; - }; + default = {}; description = '' Configuration for Nomad. See the documentation for supported values. @@ -77,6 +74,11 @@ in ##### implementation config = mkIf cfg.enable { + services.nomad.settings = { + # Agrees with `StateDirectory = "nomad"` set below. + data_dir = mkDefault "/var/lib/nomad"; + }; + environment = { etc."nomad.json".source = format.generate "nomad.json" cfg.settings; systemPackages = [ cfg.package ]; -- cgit 1.4.1 From f1778cd90eea2c3d5dbca3aa55b6351697dad683 Mon Sep 17 00:00:00 2001 From: Phillip Cloud <417981+cpcloud@users.noreply.github.com> Date: Sat, 23 Jan 2021 17:52:19 -0500 Subject: nixos/nomad: add extraSettingsFiles option to nomad service (#109761) --- nixos/modules/services/networking/nomad.nix | 14 +++++++- nixos/tests/all-tests.nix | 1 + nixos/tests/nomad.nix | 53 +++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 nixos/tests/nomad.nix (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 6c151175e5b..dafdae0c327 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -49,6 +49,17 @@ in ''; }; + extraSettingsPaths = mkOption { + type = types.listOf types.path; + default = []; + description = '' + Additional settings paths used to configure nomad. These can be files or directories. + ''; + example = literalExample '' + [ "/etc/nomad-mutable.json" "/run/keys/nomad-with-secrets.json" "/etc/nomad/config.d" ] + ''; + }; + settings = mkOption { type = format.type; default = {}; 
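Review bot: The new `extraSettingsPaths` option is typed `types.listOf types.path`, which accepts Nix path literals as well as strings, and the ExecStart hunk of this commit interpolates each entry with `" -config=${path}"`. Interpolating a path literal copies the file into the world-readable Nix store, which defeats the purpose of the `/run/keys/nomad-with-secrets.json` entry shown in the example. The description should say so, for instance `Give these as strings ("/run/keys/nomad.json"), not as path literals, which would be copied into the Nix store.` It would also help to state that these files are read by the agent at start-up and are not validated by the module.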
@@ -101,7 +112,8 @@ in serviceConfig = { DynamicUser = cfg.dropPrivileges; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json"; + ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json" + + concatMapStrings (path: " -config=${path}") cfg.extraSettingsPaths; KillMode = "process"; KillSignal = "SIGINT"; LimitNOFILE = 65536; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 966c7844657..523d3c051e0 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -272,6 +272,7 @@ in nginx-variants = handleTest ./nginx-variants.nix {}; nix-ssh-serve = handleTest ./nix-ssh-serve.nix {}; nixos-generate-config = handleTest ./nixos-generate-config.nix {}; + nomad = handleTest ./nomad.nix {}; novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {}; nsd = handleTest ./nsd.nix {}; nzbget = handleTest ./nzbget.nix {}; diff --git a/nixos/tests/nomad.nix b/nixos/tests/nomad.nix new file mode 100644 index 00000000000..bd052152bd6 --- /dev/null +++ b/nixos/tests/nomad.nix 
@@ -0,0 +1,53 @@ +import ./make-test-python.nix ( + { lib, ... }: { + name = "nomad"; + nodes = { + server = { pkgs, lib, ... }: { + networking = { + interfaces.eth1.ipv4.addresses = lib.mkOverride 0 [{ + address = "192.168.1.1"; + prefixLength = 16; + }]; + }; + + environment.etc."nomad.custom.json".source = + (pkgs.formats.json { }).generate "nomad.custom.json" { + region = "universe"; + datacenter = "earth"; + }; + + services.nomad = { + enable = true; + + settings = { + server = { + enabled = true; + bootstrap_expect = 1; + }; + }; + + extraSettingsPaths = [ "/etc/nomad.custom.json" ]; + enableDocker = false; + }; + }; + }; + + testScript = '' + server.wait_for_unit("nomad.service") + + # wait for healthy server + server.wait_until_succeeds( + "[ $(nomad operator raft list-peers | grep true | wc -l) == 1 ]" + ) + + # wait for server liveness + server.succeed("[ $(nomad server members | grep -o alive | wc -l) == 1 ]") + + # check the region + server.succeed("nomad server members | grep -o universe") + + # check the datacenter + server.succeed("[ $(nomad server members | grep -o earth | wc -l) == 1 ]") + ''; + } +) -- cgit 1.4.1 From 3e00482ba879e3b061d0dcf3f37d3263c48bfa34 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Mon, 18 Jan 2021 09:02:05 -0500 Subject: nixos/nomad: add assertion for the value of dropPrivileges and its relation to data_dir --- nixos/modules/services/networking/nomad.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index dafdae0c327..04f15fe1366 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix 
@@ -135,6 +135,13 @@ in }; }; + assertions = [ + { + assertion = cfg.dropPrivileges -> cfg.settings.data_dir == "/var/lib/nomad"; + message = "settings.data_dir must be equal to \"/var/lib/nomad\" if dropPrivileges is true"; + } + ]; + # Docker support requires the Docker daemon to be running. virtualisation.docker.enable = mkIf cfg.enableDocker true; }; -- cgit 1.4.1 From f3aa71b7ec19f380192e9e31c6f208988777e341 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Mon, 18 Jan 2021 09:03:52 -0500 Subject: nixos/nomad: describe the nomad cluster manager responsibilities --- nixos/modules/services/networking/nomad.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 04f15fe1366..b58b5c9182c 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -66,6 +66,19 @@ in description = '' Configuration for Nomad. See the documentation for supported values. + + Notes about `data_dir`: + + If `data_dir` is set to a value other than the default value of + `"/var/lib/nomad"` it is the Nomad cluster manager's responsibility + to make sure that this directory exist and has the appropriate + permissions. One way to do this is with the `ExecStartPre` feature of + systemd. + + Additionally, if `dropPrivileges` is `true` then `data_dir` + **cannot** be customized. Setting `dropPrivileges` to `true` enables + the `DynamicUser` feature of systemd which directly manages and + operates on `StateDirectory`. ''; example = literalExample '' { -- cgit 1.4.1 From 58fe45936e89afef1e3ac35f80d07eb6b0a7ab20 Mon Sep 17 00:00:00 2001 
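Review bot: The added assertion inspects only `cfg.settings.data_dir`, so it cannot see a `data_dir` set in one of the files passed through `extraSettingsPaths`, which Nomad reads as additional `-config` arguments at runtime. With `dropPrivileges = true` such a configuration passes evaluation even though `StateDirectory = "nomad"` is still the only state path the module sets up for the unit, so the mismatch would surface only when the agent starts. I would document the limit next to the check, e.g. `# Covers the declarative settings only; files in extraSettingsPaths are merged by Nomad at runtime and are not checked here.`, and repeat it in the assertion message.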
From: Phillip Cloud Date: Mon, 18 Jan 2021 09:05:59 -0500 Subject: nixos/nomad: move serviceConfig into mkMerge and mkIf for docker SupplementaryGroups --- nixos/modules/services/networking/nomad.nix | 39 +++++++++++++++-------------- 1 file changed, 20 insertions(+), 19 deletions(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index b58b5c9182c..10fe63f8425 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix 
@@ -122,25 +122,26 @@ in iptables ]); - serviceConfig = { - DynamicUser = cfg.dropPrivileges; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json" + - concatMapStrings (path: " -config=${path}") cfg.extraSettingsPaths; - KillMode = "process"; - KillSignal = "SIGINT"; - LimitNOFILE = 65536; - LimitNPROC = "infinity"; - OOMScoreAdjust = -1000; - Restart = "on-failure"; - RestartSec = 2; - # Agrees with the default `data_dir = "/var/lib/nomad"` in `settings` above. - StateDirectory = "nomad"; - TasksMax = "infinity"; - User = optionalString cfg.dropPrivileges "nomad"; - } // (optionalAttrs cfg.enableDocker { - SupplementaryGroups = "docker"; # space-separated string - }); + serviceConfig = mkMerge [ + { + DynamicUser = cfg.dropPrivileges; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json" + + concatMapStrings (path: " -config=${path}") cfg.extraSettingsPaths; + KillMode = "process"; + KillSignal = "SIGINT"; + LimitNOFILE = 65536; + LimitNPROC = "infinity"; + OOMScoreAdjust = -1000; + Restart = "on-failure"; + RestartSec = 2; + # Agrees with the default `data_dir = "/var/lib/nomad"` in `settings` above. + StateDirectory = "nomad"; + TasksMax = "infinity"; + User = optionalString cfg.dropPrivileges "nomad"; + } + (mkIf cfg.enableDocker { SupplementaryGroups = "docker"; }) # space-separated string + ]; unitConfig = { StartLimitIntervalSec = 10; -- cgit 1.4.1 From b80c4544592fe8cf665c4e76b91f912c50877c51 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Mon, 18 Jan 2021 09:07:09 -0500 Subject: nixos/nomad: add mkIf for StateDirectory --- nixos/modules/services/networking/nomad.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'nixos/modules/services/networking/nomad.nix') 
diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 10fe63f8425..0845b4f97b8 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -135,12 +135,11 @@ in OOMScoreAdjust = -1000; Restart = "on-failure"; RestartSec = 2; - # Agrees with the default `data_dir = "/var/lib/nomad"` in `settings` above. - StateDirectory = "nomad"; TasksMax = "infinity"; User = optionalString cfg.dropPrivileges "nomad"; } (mkIf cfg.enableDocker { SupplementaryGroups = "docker"; }) # space-separated string + (mkIf (cfg.settings.data_dir == "/var/lib/nomad") { StateDirectory = "nomad"; }) ]; unitConfig = { -- cgit 1.4.1 From b72a46713f12a311a9e5455a8fc446cd981850bb Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Mon, 18 Jan 2021 09:07:56 -0500 Subject: nixos/nomad: reformat SupplementaryGroups expression --- nixos/modules/services/networking/nomad.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 0845b4f97b8..3f06490faa7 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -138,7 +138,9 @@ in TasksMax = "infinity"; User = optionalString cfg.dropPrivileges "nomad"; } - (mkIf cfg.enableDocker { SupplementaryGroups = "docker"; }) # space-separated string + (mkIf cfg.enableDocker { + SupplementaryGroups = "docker"; # space-separated string + }) (mkIf (cfg.settings.data_dir == "/var/lib/nomad") { StateDirectory = "nomad"; }) ]; -- cgit 1.4.1 From bddb7ac4066574c868091a5bbd10f770bdae0c32 Mon Sep 17 00:00:00 2001 
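Review bot: The new `mkIf (cfg.settings.data_dir == "/var/lib/nomad")` is an exact string comparison, so an equivalent value such as `"/var/lib/nomad/"` silently drops `StateDirectory` and the directory is no longer created and owned by systemd. The same literal now appears in the `mkDefault`, in the assertion and here, while the comment that tied `StateDirectory` to `data_dir` is deleted by this hunk. I would bind it once in the module's `let` (outside this hunk), `defaultDataDir = "/var/lib/nomad";`, use it in all three places, and keep a one-line comment such as `# StateDirectory is managed by systemd only for the default data_dir.`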
From: Phillip Cloud Date: Mon, 18 Jan 2021 09:17:32 -0500 Subject: nixos/nomad: fix typo and spell out ExecStartPre usage --- nixos/modules/services/networking/nomad.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 3f06490faa7..80dcbe16f12 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -71,9 +71,10 @@ in If `data_dir` is set to a value other than the default value of `"/var/lib/nomad"` it is the Nomad cluster manager's responsibility - to make sure that this directory exist and has the appropriate - permissions. One way to do this is with the `ExecStartPre` feature of - systemd. + to make sure that this directory exists and has the appropriate + permissions. One way to ensure this is the case to create the + directory and adjust its permissions as needed using the + `ExecStartPre` feature of systemd. Additionally, if `dropPrivileges` is `true` then `data_dir` **cannot** be customized. Setting `dropPrivileges` to `true` enables -- cgit 1.4.1 From 5d0b3b7228b6a89033adb7df07db82efb7951b6f Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Tue, 19 Jan 2021 07:21:31 -0500 Subject: nixos/nomad: fix markup and remove suggestion --- nixos/modules/services/networking/nomad.nix | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 80dcbe16f12..7951930c3a1 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix 
@@ -67,19 +67,19 @@ in Configuration for Nomad. See the documentation for supported values. - Notes about `data_dir`: - - If `data_dir` is set to a value other than the default value of - `"/var/lib/nomad"` it is the Nomad cluster manager's responsibility - to make sure that this directory exists and has the appropriate - permissions. One way to ensure this is the case to create the - directory and adjust its permissions as needed using the - `ExecStartPre` feature of systemd. - - Additionally, if `dropPrivileges` is `true` then `data_dir` - **cannot** be customized. Setting `dropPrivileges` to `true` enables - the `DynamicUser` feature of systemd which directly manages and - operates on `StateDirectory`. + Notes about data_dir: + + If data_dir is set to a value other than the + default value of "/var/lib/nomad" it is the Nomad + cluster manager's responsibility to make sure that this directory + exists and has the appropriate permissions. + + Additionally, if dropPrivileges is + true then data_dir + cannot be customized. Setting + dropPrivileges to true enables + the DynamicUser feature of systemd which directly + manages and operates on StateDirectory. ''; example = literalExample '' { -- cgit 1.4.1 From 12b9249cf3cf4024b9ac4956e577126163110755 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Tue, 19 Jan 2021 07:24:04 -0500 Subject: nixos/nomad: unconditionally set user to nomad --- nixos/modules/services/networking/nomad.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 7951930c3a1..571baf67154 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix 
@@ -137,7 +137,7 @@ in Restart = "on-failure"; RestartSec = 2; TasksMax = "infinity"; - User = optionalString cfg.dropPrivileges "nomad"; + User = "nomad"; } (mkIf cfg.enableDocker { SupplementaryGroups = "docker"; # space-separated string -- cgit 1.4.1 From 5ce4ce61746c19f09ae1504a49f3216de6770055 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Sat, 23 Jan 2021 18:04:26 -0500 Subject: nixos/nomad: make formatting consistent in mkMerge call --- nixos/modules/services/networking/nomad.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 571baf67154..87b4ff18818 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -142,7 +142,9 @@ in (mkIf cfg.enableDocker { SupplementaryGroups = "docker"; # space-separated string }) - (mkIf (cfg.settings.data_dir == "/var/lib/nomad") { StateDirectory = "nomad"; }) + (mkIf (cfg.settings.data_dir == "/var/lib/nomad") { + StateDirectory = "nomad"; + }) ]; unitConfig = { -- cgit 1.4.1 From 2a3cb407b04d322fd72bedc74b2751c40c36b4f1 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Sat, 23 Jan 2021 18:20:17 -0500 Subject: nixos/nomad: only set User if privileges are dropped --- nixos/modules/services/networking/nomad.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 87b4ff18818..60fefa2a1da 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix 
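Review bot: Setting `User = "nomad";` unconditionally breaks the `dropPrivileges = false` case, where `DynamicUser` is false and the module declares no static `nomad` user. systemd would then fail to resolve the user and refuse to start the unit, and an administrator who chose to run the agent as root would no longer get that. The previous `User = optionalString cfg.dropPrivileges "nomad";` kept both cases working. If a fixed user is wanted, the module needs a matching `users.users.nomad` declaration, which this hunk does not add.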
@@ -137,7 +137,7 @@ in Restart = "on-failure"; RestartSec = 2; TasksMax = "infinity"; - User = "nomad"; + User = optionalString cfg.dropPrivileges "nomad"; } (mkIf cfg.enableDocker { SupplementaryGroups = "docker"; # space-separated string -- cgit 1.4.1 From c7c3b9e4ae1396ee7c8291794a69141ff40508e3 Mon Sep 17 00:00:00 2001 From: Phillip Cloud Date: Sat, 23 Jan 2021 19:44:28 -0500 Subject: nixos/nomad: remove User setting entirely --- nixos/modules/services/networking/nomad.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 60fefa2a1da..9f1b443b89b 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -137,7 +137,6 @@ in Restart = "on-failure"; RestartSec = 2; TasksMax = "infinity"; - User = optionalString cfg.dropPrivileges "nomad"; } (mkIf cfg.enableDocker { SupplementaryGroups = "docker"; # space-separated string -- cgit 1.4.1 From c6d4dae35dc9e06d8fa0e145fc6909643a0a05b3 Mon Sep 17 00:00:00 2001 
From: ajs124 Date: Thu, 8 Apr 2021 13:33:09 +0200 Subject: treewide: fix eval without aliases after 9378fdf87e0626e8c63a90a378c38444ff54808b --- nixos/modules/services/cluster/kubernetes/kubelet.nix | 2 +- nixos/modules/services/networking/gvpe.nix | 2 +- nixos/modules/services/networking/libreswan.nix | 6 +++--- nixos/modules/services/networking/mullvad-vpn.nix | 2 +- nixos/modules/services/networking/nomad.nix | 2 +- nixos/modules/services/networking/quagga.nix | 2 +- nixos/modules/services/networking/rxe.nix | 4 ++-- nixos/modules/services/networking/wg-quick.nix | 8 ++++---- nixos/modules/services/system/cloud-init.nix | 2 +- nixos/modules/system/boot/initrd-openvpn.nix | 2 +- nixos/modules/tasks/network-interfaces.nix | 2 +- nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix | 2 +- 12 files changed, 18 insertions(+), 18 deletions(-) (limited to 'nixos/modules/services/networking/nomad.nix') diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 7efcf8ac6c5..b5346b1cd44 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -266,7 +266,7 @@ in gitMinimal openssh util-linux - iproute + iproute2 ethtool thin-provisioning-tools iptables diff --git a/nixos/modules/services/networking/gvpe.nix b/nixos/modules/services/networking/gvpe.nix index b851facf1e3..4fad37ba15e 100644 --- a/nixos/modules/services/networking/gvpe.nix +++ b/nixos/modules/services/networking/gvpe.nix @@ -27,7 +27,7 @@ let text = '' #! /bin/sh - export PATH=$PATH:${pkgs.iproute}/sbin + export PATH=$PATH:${pkgs.iproute2}/sbin ip link set $IFNAME up ip address add ${cfg.ipAddress} dev $IFNAME diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 7a25769e067..81bc4e1cf95 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix 
@@ -91,7 +91,7 @@ in description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; path = [ "${pkgs.libreswan}" - "${pkgs.iproute}" + "${pkgs.iproute2}" "${pkgs.procps}" "${pkgs.nssTools}" "${pkgs.iptables}" @@ -115,8 +115,8 @@ in ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; ExecStop = "${libexec}/whack --shutdown"; ExecStopPost = [ - "${pkgs.iproute}/bin/ip xfrm policy flush" - "${pkgs.iproute}/bin/ip xfrm state flush" + "${pkgs.iproute2}/bin/ip xfrm policy flush" + "${pkgs.iproute2}/bin/ip xfrm state flush" "${ipsec} --stopnflog" ]; ExecReload = "${libexec}/whack --listen"; diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix index 6f595ca4be2..8ce71f26b3e 100644 --- a/nixos/modules/services/networking/mullvad-vpn.nix +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -28,7 +28,7 @@ with lib; "systemd-resolved.service" ]; path = [ - pkgs.iproute + pkgs.iproute2 # Needed for ping "/run/wrappers" ]; diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 9f1b443b89b..48689f1195c 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -119,7 +119,7 @@ in path = cfg.extraPackages ++ (with pkgs; [ # Client mode requires at least the following: coreutils - iproute + iproute2 iptables ]); diff --git a/nixos/modules/services/networking/quagga.nix b/nixos/modules/services/networking/quagga.nix index 5acdd5af8f8..7c169fe62d8 100644 --- a/nixos/modules/services/networking/quagga.nix +++ b/nixos/modules/services/networking/quagga.nix @@ -164,7 +164,7 @@ in preStart = '' install -m 0755 -o quagga -g quagga -d /run/quagga - ${pkgs.iproute}/bin/ip route flush proto zebra + ${pkgs.iproute2}/bin/ip route flush proto zebra ''; } else 
diff --git a/nixos/modules/services/networking/rxe.nix b/nixos/modules/services/networking/rxe.nix index c7d174a00de..868e2c81ccb 100644 --- a/nixos/modules/services/networking/rxe.nix +++ b/nixos/modules/services/networking/rxe.nix @@ -39,11 +39,11 @@ in { Type = "oneshot"; RemainAfterExit = true; ExecStart = map ( x: - "${pkgs.iproute}/bin/rdma link add rxe_${x} type rxe netdev ${x}" + "${pkgs.iproute2}/bin/rdma link add rxe_${x} type rxe netdev ${x}" ) cfg.interfaces; ExecStop = map ( x: - "${pkgs.iproute}/bin/rdma link delete rxe_${x}" + "${pkgs.iproute2}/bin/rdma link delete rxe_${x}" ) cfg.interfaces; }; }; diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix index 02fe40a22a1..3b76de58548 100644 --- a/nixos/modules/services/networking/wg-quick.nix +++ b/nixos/modules/services/networking/wg-quick.nix @@ -57,7 +57,7 @@ let preUp = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns add foo + ${pkgs.iproute2}/bin/ip netns add foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; @@ -68,7 +68,7 @@ let preDown = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns del foo + ${pkgs.iproute2}/bin/ip netns del foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; @@ -79,7 +79,7 @@ let postUp = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns add foo + ${pkgs.iproute2}/bin/ip netns add foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; @@ -90,7 +90,7 @@ let postDown = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns del foo + ${pkgs.iproute2}/bin/ip netns del foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix index f83db30c1f0..eb82b738e49 100644 
--- a/nixos/modules/services/system/cloud-init.nix +++ b/nixos/modules/services/system/cloud-init.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.cloud-init; path = with pkgs; [ cloud-init - iproute + iproute2 nettools openssh shadow diff --git a/nixos/modules/system/boot/initrd-openvpn.nix b/nixos/modules/system/boot/initrd-openvpn.nix index e59bc7b6678..b35fb0b57c0 100644 --- a/nixos/modules/system/boot/initrd-openvpn.nix +++ b/nixos/modules/system/boot/initrd-openvpn.nix @@ -55,7 +55,7 @@ in # The shared libraries are required for DNS resolution boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.openvpn}/bin/openvpn - copy_bin_and_libs ${pkgs.iproute}/bin/ip + copy_bin_and_libs ${pkgs.iproute2}/bin/ip cp -pv ${pkgs.glibc}/lib/libresolv.so.2 $out/lib cp -pv ${pkgs.glibc}/lib/libnss_dns.so.2 $out/lib diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index b5d97849658..f501f85b2a9 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1144,7 +1144,7 @@ in environment.systemPackages = [ pkgs.host - pkgs.iproute + pkgs.iproute2 pkgs.iputils pkgs.nettools ] diff --git a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix index 5831c8692f6..94f17605e00 100644 --- a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix +++ b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix @@ -43,7 +43,7 @@ import ./make-test-python.nix ({pkgs, ...}: { # Everyone on the "isp" machine will be able to add routes to the kernel. security.wrappers.add-dhcpd-lease = { source = pkgs.writeShellScript "add-dhcpd-lease" '' - exec ${pkgs.iproute}/bin/ip -6 route replace "$1" via "$2" + exec ${pkgs.iproute2}/bin/ip -6 route replace "$1" via "$2" ''; capabilities = "cap_net_admin+ep"; }; -- cgit 1.4.1