From d8b21c22245af2d6a6582df3290921ac5ca26235 Mon Sep 17 00:00:00 2001 From: "Ricardo M. Correia" Date: Tue, 15 Apr 2014 21:13:34 +0200 Subject: nixos: Fix sysctl option merging Using pkgs.lib.mkOverride in a sysctl option would throw a bogus error. Also, if you defined a sysctl multiple times in the same configuration, only one of the values would be picked up, while the others were silently discarded. This patch should fix both issues. If you define a sysctl multiple times at your highest defined priority level, you will get a proper error with detailed location information. --- nixos/modules/config/sysctl.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index b4cd22caa79..7f6c965b67c 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -6,8 +6,12 @@ let sysctlOption = mkOptionType { name = "sysctl option value"; - check = x: isBool x || isString x || isInt x || isNull x; - merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix. + check = val: + let + checkType = x: isBool x || isString x || isInt x || isNull x; + in + checkType val || (val._type or "" == "override" && checkType val.content); + merge = loc: defs: mergeOneOption loc (filterOverrides defs); }; in -- cgit 1.4.1 From d1277ddcc2aa009d05b7b6e3fbaa72262516b3ec Mon Sep 17 00:00:00 2001 From: Edward Tjörnhammar Date: Tue, 27 May 2014 22:27:31 +0200 Subject: Adding Radicale package and service --- nixos/modules/module-list.nix | 1 + nixos/modules/services/networking/radicale.nix | 48 ++++++++++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 +- pkgs/top-level/python-packages.nix | 31 +++++++++++++++++ 4 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 nixos/modules/services/networking/radicale.nix (limited to 'nixos') 
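Review bot: The new `check` accepts exactly one wrapper shape, `{ _type = "override"; content = ...; }`, and nothing in the hunk says why, so the special case reads as arbitrary; a one-line comment would carry the intent, e.g. `# mkOverride/mkForce wrap the value as { _type = "override"; content = ...; }; accept that wrapper here so filterOverrides can pick the highest-priority definition below.` The expression `val._type or "" == "override"` relies on Nix's `or` binding tighter than `==`, which is correct but easy to misread as `val._type or ("" == "override")`; writing it as `(val._type or "") == "override"` makes the precedence explicit. Whether other wrappers (mkIf, mkMerge) can still reach this check and fail the same way cannot be seen from the hunk and is worth confirming.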
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c1b55cb5550..f5c0e02e47f 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -213,6 +213,7 @@ ./services/networking/prayer.nix ./services/networking/privoxy.nix ./services/networking/quassel.nix + ./services/networking/radicale.nix ./services/networking/radvd.nix ./services/networking/rdnssd.nix ./services/networking/rpcbind.nix diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix new file mode 100644 index 00000000000..fc9afc70aca --- /dev/null +++ b/nixos/modules/services/networking/radicale.nix @@ -0,0 +1,48 @@ +{config, lib, pkgs, ...}: + +with lib; + +let + + cfg = config.services.radicale; + + confFile = pkgs.writeText "radicale.conf" cfg.config; + +in + +{ + + options = { + + services.radicale.enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable Radicale CalDAV and CardDAV server + ''; + }; + + services.radicale.config = mkOption { + type = types.string; + default = ""; + description = '' + Radicale configuration, this will set the service + configuration file + ''; + }; + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.pythonPackages.radicale ]; + + jobs.radicale = { + description = "A Simple Calendar and Contact Server"; + startOn = "started network-interfaces"; + exec = "${pkgs.pythonPackages.radicale}/bin/radicale -C ${confFile} -d"; + daemonType = "fork"; + }; + + }; + +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 04116d38883..05188f99147 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -1155,7 +1155,7 @@ let gnuvd = callPackage ../tools/misc/gnuvd { }; goaccess = callPackage ../tools/misc/goaccess { }; - + googleAuthenticator = callPackage ../os-specific/linux/google-authenticator { }; gource = callPackage ../applications/version-management/gource {}; 
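Review bot: The new `jobs.radicale` declares no user or group, so the network-facing CalDAV/CardDAV daemon started by `exec = "${pkgs.pythonPackages.radicale}/bin/radicale -C ${confFile} -d"` runs as root, unlike the other service modules on this page that create a dedicated account. A `radicale` user under `users.extraUsers` with the job running as that user (the job's `setuid`/`setgid` attributes, if this NixOS version provides them — confirm) would follow the least-privilege pattern. Separately, `confFile = pkgs.writeText "radicale.conf" cfg.config` writes the whole configuration into the world-readable Nix store, so the `services.radicale.config` description should say so, e.g. `Radicale configuration file contents. This is written to the world-readable Nix store, so do not put passwords or other secrets here.` The empty default `""` also means an enabled-but-unconfigured service runs with Radicale's built-in defaults, which the description should mention so users know to set authentication and the listen address.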
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 933a073a5aa..006e05630b6 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -2233,6 +2233,37 @@ rec { }; }; + radicale = buildPythonPackage rec { + name = "radicale-${version}"; + namePrefix = ""; + version = "0.9b1"; + + src = fetchurl { + url = "http://pypi.python.org/packages/source/R/Radicale/Radicale-${version}.tar.gz"; + sha256 = "3a8451909de849f173f577ddec0a085f19040dbb6aa13d5256208a0f8e11d88d"; + }; + + propagatedBuildInputs = with pythonPackages; [ + flup + ldap + sqlalchemy + ]; + + doCheck = false; + + meta = { + homepage = "http://www.radicale.org/"; + longDescription = '' + The Radicale Project is a complete CalDAV (calendar) and CardDAV + (contact) server solution. Calendars and address books are available for + both local and remote access, possibly limited through authentication + policies. They can be viewed and edited by calendar and contact clients + on mobile phones or computers. + ''; + license = stdenv.lib.licenses.gpl3Plus; + maintainers = [ stdenv.lib.maintainers.edwtjo ]; + }; + }; raven = buildPythonPackage rec { name = "raven-3.4.1"; -- cgit 1.4.1 From 068c7fd037981a7746e627fe4a29c7a4ce034948 Mon Sep 17 00:00:00 2001 From: Gergely Risko Date: Tue, 10 Jun 2014 20:09:48 +0200 Subject: Fix nixos-rebuild.sh to depend on Nix And therefore always choose the correct architecture for the rebuilt system regardless for the PATH setting of the user. --- nixos/modules/installer/tools/nixos-rebuild.sh | 10 ++++++++++ nixos/modules/installer/tools/tools.nix | 1 + 2 files changed, 11 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index d7b749573fa..be37e61151a 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh 
@@ -97,6 +97,16 @@ if [ -n "$upgrade" -a -z "$_NIXOS_REBUILD_REEXEC" ]; then nix-channel --update nixos fi +# Make sure that we use the Nix package we depend on, not something +# else from the PATH for nix-{env,instantiate,build}. This is +# important, because NixOS defaults the architecture of the rebuilt +# system to the architecture of the nix-* binaries used. So if on an +# amd64 system the user has an i686 Nix package in her PATH, then we +# would silently downgrade the whole system to be i686 NixOS on the +# next reboot. +if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then + export PATH=@nix@/bin:$PATH +fi # Re-execute nixos-rebuild from the Nixpkgs tree. if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 5ebf05e340f..f7fac75eb06 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -32,6 +32,7 @@ let nixos-rebuild = makeProg { name = "nixos-rebuild"; src = ./nixos-rebuild.sh; + nix = config.nix.package; }; nixos-generate-config = makeProg { -- cgit 1.4.1 From 80721cdd41ff107c650e8349a03bea1f6f43cfbb Mon Sep 17 00:00:00 2001 From: Kirill Elagin Date: Wed, 11 Jun 2014 13:17:00 +0400 Subject: Revert "Fix configuring httpd with custom user/group." This reverts commit 08f9da2e8eb9d3da39a1f28e191bd4fb7fd2fa45. --- nixos/modules/services/web-servers/apache-httpd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index b8359d4756b..75ec6671d15 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix 
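Review bot: The `export PATH=@nix@/bin:$PATH` block is placed after the `--upgrade` branch, so the `nix-channel --update nixos` on the preceding context lines still resolves `nix-channel` from the user's PATH — the exact situation the new comment warns about. Moving the new `if` block above the upgrade branch closes that gap; the `_NIXOS_REBUILD_REEXEC` guard only avoids prepending a second time, since the re-executed process inherits the environment anyway. The rest of the script, including where `_NIXOS_REBUILD_REEXEC` is set, lies outside the hunk.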
@@ -594,14 +594,14 @@ in message = "SSL is enabled for HTTPD, but sslServerCert and/or sslServerKey haven't been specified."; } ]; - users.extraUsers = optional (mainCfg.user == "wwwrun") + users.extraUsers = optionalAttrs (mainCfg.user == "wwwrun") singleton { name = "wwwrun"; group = "wwwrun"; description = "Apache httpd user"; uid = config.ids.uids.wwwrun; }; - users.extraGroups = optional (mainCfg.group == "wwwrun") + users.extraGroups = optionalAttrs (mainCfg.group == "wwwrun") singleton { name = "wwwrun"; gid = config.ids.gids.wwwrun; }; -- cgit 1.4.1 From 1208dd4df0602fb2f413a643eb9a7367bf1b6443 Mon Sep 17 00:00:00 2001 From: Kirill Elagin Date: Wed, 11 Jun 2014 13:17:42 +0400 Subject: Fix configuring apache with extra user/group This fix is consistent with all the other modules. --- nixos/modules/services/web-servers/apache-httpd/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 75ec6671d15..c76f127b721 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -594,17 +594,17 @@ in message = "SSL is enabled for HTTPD, but sslServerCert and/or sslServerKey haven't been specified."; } ]; - users.extraUsers = optionalAttrs (mainCfg.user == "wwwrun") singleton + users.extraUsers = optionalAttrs (mainCfg.user == "wwwrun") (singleton { name = "wwwrun"; group = "wwwrun"; description = "Apache httpd user"; uid = config.ids.uids.wwwrun; - }; + }); - users.extraGroups = optionalAttrs (mainCfg.group == "wwwrun") singleton + users.extraGroups = optionalAttrs (mainCfg.group == "wwwrun") (singleton { name = "wwwrun"; gid = config.ids.gids.wwwrun; - }; + }); environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices; -- cgit 1.4.1 
From f81434bdfe5cf4946a7b731c7a158873fea0b261 Mon Sep 17 00:00:00 2001 From: Kirill Elagin Date: Wed, 11 Jun 2014 13:36:15 +0400 Subject: Fix trying to add users to non-existent groups --- nixos/modules/services/databases/openldap.nix | 2 +- nixos/modules/services/web-servers/apache-httpd/default.nix | 2 +- nixos/modules/services/web-servers/nginx/default.nix | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index c95238b3451..eae4c114fc1 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -68,7 +68,7 @@ in users.extraUsers = optionalAttrs (cfg.user == "openldap") (singleton { name = "openldap"; - group = "openldap"; + group = cfg.group; uid = config.ids.uids.openldap; }); diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index c76f127b721..6d0416fbb15 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -596,7 +596,7 @@ in users.extraUsers = optionalAttrs (mainCfg.user == "wwwrun") (singleton { name = "wwwrun"; - group = "wwwrun"; + group = mainCfg.group; description = "Apache httpd user"; uid = config.ids.uids.wwwrun; }); diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index ff94ee42d28..ef1aaee7557 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -105,7 +105,7 @@ in users.extraUsers = optionalAttrs (cfg.user == "nginx") (singleton { name = "nginx"; - group = "nginx"; + group = cfg.group; uid = config.ids.uids.nginx; }); -- cgit 1.4.1 From db8de47ce7ac0932dceb9e7cb14723f92c4aa8a1 Mon Sep 17 00:00:00 2001 
From: Jaka Hudoklin Date: Wed, 18 Jun 2014 13:36:53 +0200 Subject: nixos/logstash: add enableWeb option to enable kibana web interface --- nixos/modules/services/logging/logstash.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix index 480e35a1156..c92c8113570 100644 --- a/nixos/modules/services/logging/logstash.nix +++ b/nixos/modules/services/logging/logstash.nix @@ -17,6 +17,11 @@ in description = "Enable logstash"; }; + enableWeb = mkOption { + default = false; + description = "Enable logstash web interface"; + }; + inputConfig = mkOption { default = ''stdin { type => "example" }''; description = "Logstash input configuration"; @@ -62,7 +67,7 @@ in config = mkIf cfg.enable { systemd.services.logstash = with pkgs; { - description = "Logstash daemon"; + description = "Logstash Daemon"; wantedBy = [ "multi-user.target" ]; serviceConfig = { @@ -78,7 +83,7 @@ in output { ${cfg.outputConfig} } - ''}"; + ''} ${optionalString cfg.enableWeb "-- web"}"; }; }; }; -- cgit 1.4.1 From 6ce8f753e0fbeda2e315c6fd9c1fb58fe198db71 Mon Sep 17 00:00:00 2001 From: Bjørn Forsman Date: Tue, 24 Jun 2014 21:04:56 +0200 Subject: nixos/elasticsearch: add '.' at end of description strings Nixos option descriptions should be full sentences, ending in a full stop. (Package descriptions, on the other hand, should not.) --- nixos/modules/services/search/elasticsearch.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index 3c32e4a3dfe..70254560bd0 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix 
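Review bot: `enableWeb` declares no `type`, so a non-boolean value is only rejected later when `optionalString cfg.enableWeb` evaluates it; add `type = types.bool;` next to `default = false;`. The description should also state what the flag does operationally, since it appends `-- web` to the daemon command line and thereby starts an additional HTTP listener (on Logstash's default web port unless configured otherwise — confirm), e.g. `Enable the Logstash web interface. This opens an extra HTTP listener; restrict access with the firewall or bind it to localhost in the Logstash configuration.`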
@@ -27,37 +27,37 @@ in { options.services.elasticsearch = { enable = mkOption { - description = "Whether to enable elasticsearch"; + description = "Whether to enable elasticsearch."; default = false; type = types.uniq types.bool; }; host = mkOption { - description = "Elasticsearch listen address"; + description = "Elasticsearch listen address."; default = "127.0.0.1"; type = types.str; }; port = mkOption { - description = "Elasticsearch port to listen for HTTP traffic"; + description = "Elasticsearch port to listen for HTTP traffic."; default = 9200; type = types.int; }; tcp_port = mkOption { - description = "Elasticsearch port for the node to node communication"; + description = "Elasticsearch port for the node to node communication."; default = 9300; type = types.int; }; cluster_name = mkOption { - description = "Elasticsearch name that identifies your cluster for auto-discovery"; + description = "Elasticsearch name that identifies your cluster for auto-discovery."; default = "elasticsearch"; type = types.str; }; extraConf = mkOption { - description = "Extra configuration for elasticsearch"; + description = "Extra configuration for elasticsearch."; default = ""; type = types.str; example = '' @@ -70,7 +70,7 @@ in { }; logging = mkOption { - description = "Elasticsearch logging configuration"; + description = "Elasticsearch logging configuration."; default = '' rootLogger: INFO, console logger: @@ -95,7 +95,7 @@ in { }; extraCmdLineOptions = mkOption { - description = "Extra command line options for the elasticsearch launcher"; + description = "Extra command line options for the elasticsearch launcher."; default = []; type = types.listOf types.string; example = [ "-Djava.net.preferIPv4Stack=true" ]; -- cgit 1.4.1 From f78ce19d8ca98cf37e25a7e6eb94274b84f4cd1e Mon Sep 17 00:00:00 2001 
From: Bjørn Forsman Date: Tue, 24 Jun 2014 21:10:22 +0200 Subject: nixos/elasticsearch: capitalize systemd service description --- nixos/modules/services/search/elasticsearch.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index 70254560bd0..eeae11dc4ff 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -107,7 +107,7 @@ in { config = mkIf cfg.enable { systemd.services.elasticsearch = { - description = "Elasticsearch daemon"; + description = "Elasticsearch Daemon"; wantedBy = [ "multi-user.target" ]; after = [ "network-interfaces.target" ]; environment = { ES_HOME = cfg.dataDir; }; -- cgit 1.4.1 From 4def9a762f091ec1fdf048066af3fce75bb5a305 Mon Sep 17 00:00:00 2001 From: Bjørn Forsman Date: Tue, 24 Jun 2014 21:23:14 +0200 Subject: nixos: add some missing '.' in option descriptions --- nixos/modules/config/krb5.nix | 4 ++-- nixos/modules/programs/atop.nix | 2 +- nixos/modules/services/databases/redis.nix | 24 ++++++++++++------------ nixos/modules/tasks/encrypted-devices.nix | 8 ++++---- 4 files changed, 19 insertions(+), 19 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/config/krb5.nix b/nixos/modules/config/krb5.nix index bb5a95ebc84..991b5b16cc6 100644 --- a/nixos/modules/config/krb5.nix +++ b/nixos/modules/config/krb5.nix @@ -32,12 +32,12 @@ in kdc = mkOption { default = "kerberos.mit.edu"; - description = "Kerberos Domain Controller"; + description = "Kerberos Domain Controller."; }; kerberosAdminServer = mkOption { default = "kerberos.mit.edu"; - description = "Kerberos Admin Server"; + description = "Kerberos Admin Server."; }; }; diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index e457db22333..b91bd98047e 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix 
@@ -22,7 +22,7 @@ in interval = 5; }; description = '' - Parameters to be written to /etc/atoprc + Parameters to be written to /etc/atoprc. ''; }; diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 4ef48df9831..2521e356bf3 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -50,7 +50,7 @@ in user = mkOption { default = "redis"; - description = "User account under which Redis runs"; + description = "User account under which Redis runs."; }; pidFile = mkOption { @@ -60,26 +60,26 @@ in port = mkOption { default = 6379; - description = "The port for Redis to listen to"; + description = "The port for Redis to listen to."; type = with types; int; }; bind = mkOption { default = null; # All interfaces - description = "The IP interface to bind to"; + description = "The IP interface to bind to."; example = "127.0.0.1"; }; unixSocket = mkOption { default = null; - description = "The path to the socket to bind to"; + description = "The path to the socket to bind to."; example = "/var/run/redis.sock"; }; logLevel = mkOption { default = "notice"; # debug, verbose, notice, warning example = "debug"; - description = "Specify the server verbosity level, options: debug, verbose, notice, warning"; + description = "Specify the server verbosity level, options: debug, verbose, notice, warning."; type = with types; string; }; 
@@ -110,19 +110,19 @@ in dbFilename = mkOption { default = "dump.rdb"; - description = "The filename where to dump the DB"; + description = "The filename where to dump the DB."; type = with types; string; }; dbpath = mkOption { default = "/var/lib/redis"; - description = "The DB will be written inside this directory, with the filename specified using the 'dbFilename' configuration"; + description = "The DB will be written inside this directory, with the filename specified using the 'dbFilename' configuration."; type = with types; string; }; slaveOf = mkOption { default = null; # { ip, port } - description = "An attribute set with two attributes: ip and port to which this redis instance acts as a slave"; + description = "An attribute set with two attributes: ip and port to which this redis instance acts as a slave."; example = { ip = "192.168.1.100"; port = 6379; }; }; @@ -154,26 +154,26 @@ in appendFsync = mkOption { default = "everysec"; # no, always, everysec - description = "How often to fsync the append-only log, options: no, always, everysec"; + description = "How often to fsync the append-only log, options: no, always, everysec."; type = with types; string; }; slowLogLogSlowerThan = mkOption { default = 10000; - description = "Log queries whose execution take longer than X in milliseconds"; + description = "Log queries whose execution take longer than X in milliseconds."; example = 1000; type = with types; int; }; slowLogMaxLen = mkOption { default = 128; - description = "Maximum number of items to keep in slow log"; + description = "Maximum number of items to keep in slow log."; type = with types; int; }; extraConfig = mkOption { default = ""; - description = "Extra configuration options for redis.conf"; + description = "Extra configuration options for redis.conf."; type = with types; string; }; }; diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix index e80762a170c..e56549149cb 100644 
--- a/nixos/modules/tasks/encrypted-devices.nix +++ b/nixos/modules/tasks/encrypted-devices.nix @@ -16,28 +16,28 @@ let enable = mkOption { default = false; type = types.bool; - description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry"; + description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry."; }; blkDev = mkOption { default = null; example = "/dev/sda1"; type = types.uniq (types.nullOr types.string); - description = "Location of the backing encrypted device"; + description = "Location of the backing encrypted device."; }; label = mkOption { default = null; example = "rootfs"; type = types.uniq (types.nullOr types.string); - description = "Label of the backing encrypted device"; + description = "Label of the backing encrypted device."; }; keyFile = mkOption { default = null; example = "/root/.swapkey"; type = types.uniq (types.nullOr types.string); - description = "File system location of keyfile"; + description = "File system location of keyfile."; }; }; }; -- cgit 1.4.1 From 37c7d024efd30afd992a5799e42f1f93476ee0d3 Mon Sep 17 00:00:00 2001 From: Jan Malakhovski Date: Mon, 17 Feb 2014 21:37:39 +0000 Subject: nixos: change EDITOR and PAGER environment variables to mkDefaults MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Domen Kožar --- nixos/modules/programs/environment.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/programs/environment.nix b/nixos/modules/programs/environment.nix index 2ff1db48757..80c3e83fe81 100644 --- a/nixos/modules/programs/environment.nix +++ b/nixos/modules/programs/environment.nix 
@@ -19,8 +19,8 @@ in environment.variables = { LOCATE_PATH = "/var/cache/locatedb"; NIXPKGS_CONFIG = "/etc/nix/nixpkgs-config.nix"; - PAGER = "less -R"; - EDITOR = "nano"; + PAGER = mkDefault "less -R"; + EDITOR = mkDefault "nano"; }; environment.sessionVariables = -- cgit 1.4.1 From 3eb2d1e03e7547807558c42c1b416118703f751e Mon Sep 17 00:00:00 2001 From: Austin Seipp Date: Wed, 25 Jun 2014 22:32:45 -0500 Subject: nixos: add gitolite module Signed-off-by: Austin Seipp --- nixos/modules/misc/ids.nix | 1 + nixos/modules/module-list.nix | 1 + nixos/modules/services/misc/gitolite.nix | 66 ++++++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 nixos/modules/services/misc/gitolite.nix (limited to 'nixos') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index f1028a479df..956215d9a97 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -134,6 +134,7 @@ teamspeak = 124; influxdb = 125; nsd = 126; + gitolite = 127; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 13f2656c287..3bce68670fc 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -147,6 +147,7 @@ ./services/misc/felix.nix ./services/misc/folding-at-home.nix ./services/misc/gpsd.nix + ./services/misc/gitolite.nix ./services/misc/nix-daemon.nix ./services/misc/nix-gc.nix ./services/misc/nix-ssh-serve.nix diff --git a/nixos/modules/services/misc/gitolite.nix b/nixos/modules/services/misc/gitolite.nix new file mode 100644 index 00000000000..7e7629c0561 --- /dev/null +++ b/nixos/modules/services/misc/gitolite.nix 
@@ -0,0 +1,66 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.gitolite; + pubkeyFile = pkgs.writeText "gitolite-admin.pub" cfg.adminPubkey; +in +{ + options = { + services.gitolite = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable gitolite management under the + gitolite user. The Gitolite home + directory is /var/lib/gitolite. After + switching to a configuration with Gitolite enabled, you can + then run git clone + git@host:gitolite-admin.git to manage it further. + ''; + }; + + adminPubkey = mkOption { + type = types.str; + description = '' + Initial administrative public key for Gitolite. This should + be an SSH Public Key. Note that this key will only be used + once, upon the first initialization of the Gitolite user. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + users.extraUsers.gitolite = { + description = "Gitolite user"; + home = "/var/lib/gitolite"; + createHome = true; + uid = config.ids.uids.gitolite; + useDefaultShell = true; + }; + + systemd.services."gitolite-init" = { + description = "Gitolite initialization"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig.User = "gitolite"; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + + path = [ pkgs.gitolite pkgs.git pkgs.perl pkgs.bash pkgs.openssh ]; + script = '' + cd /var/lib/gitolite + mkdir -p .gitolite/logs + if [ ! -d repositories ]; then + gitolite setup -pk ${pubkeyFile} + fi + gitolite setup # Upgrade if needed + ''; + }; + + environment.systemPackages = [ pkgs.gitolite pkgs.git ]; + }; +} -- cgit 1.4.1 From 13162e8cdb924fc5ea8cd010ebbc85a0a2def607 Mon Sep 17 00:00:00 2001 From: Austin Seipp Date: Wed, 25 Jun 2014 22:55:43 -0500 Subject: Fix gitolite docs Signed-off-by: Austin Seipp --- nixos/modules/services/misc/gitolite.nix | 2 +- pkgs/applications/version-management/gitolite/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos') 
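Review bot: The "used only once" contract of `adminPubkey` is implemented by the `[ ! -d repositories ]` guard in the service script, so a later change to the option is silently ignored once `/var/lib/gitolite/repositories` exists; the option description should say that rotating the admin key afterwards has to go through the gitolite-admin repository (or a manual `gitolite setup -pk` as the gitolite user). `users.extraUsers.gitolite` sets no `group`, so the account falls into whatever the module system's default group is (presumably a shared one — confirm), and anything created group-readable under `/var/lib/gitolite` becomes visible to that group; a dedicated `gitolite` group would match the uid reservation added in ids.nix. The unconditional `gitolite setup` on every start deserves a comment stating that it is deliberate, e.g. `# always re-run setup so hooks and authorized_keys are refreshed after a package upgrade`.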
diff --git a/nixos/modules/services/misc/gitolite.nix b/nixos/modules/services/misc/gitolite.nix index 7e7629c0561..84435f92c11 100644 --- a/nixos/modules/services/misc/gitolite.nix +++ b/nixos/modules/services/misc/gitolite.nix @@ -18,7 +18,7 @@ in directory is /var/lib/gitolite. After switching to a configuration with Gitolite enabled, you can then run git clone - git@host:gitolite-admin.git to manage it further. + gitolite@host:gitolite-admin.git to manage it further. ''; }; diff --git a/pkgs/applications/version-management/gitolite/default.nix b/pkgs/applications/version-management/gitolite/default.nix index 8447330ef3c..011b9fc9d04 100644 --- a/pkgs/applications/version-management/gitolite/default.nix +++ b/pkgs/applications/version-management/gitolite/default.nix @@ -27,4 +27,4 @@ stdenv.mkDerivation rec { platforms = stdenv.lib.platforms.unix; maintainers = [ stdenv.lib.maintainers.thoughtpolice ]; }; -} \ No newline at end of file +} -- cgit 1.4.1 From a3331eb87b25d954766af9652e1415a783dae76c Mon Sep 17 00:00:00 2001 From: Luca Bruno Date: Thu, 26 Jun 2014 10:15:34 +0200 Subject: nixos/sshd: drop mode from auth keys file. Closes #2559 --- nixos/modules/services/networking/ssh/sshd.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index e4b29a0b909..b563a781f1d 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -56,7 +56,6 @@ let authKeysFiles = let mkAuthKeyFile = u: { target = "ssh/authorized_keys.d/${u.name}"; - mode = "0444"; source = pkgs.writeText "${u.name}-authorized_keys" '' ${concatStringsSep "\n" u.openssh.authorizedKeys.keys} ${concatMapStrings (f: readFile f + "\n") u.openssh.authorizedKeys.keyFiles} -- cgit 1.4.1 From 865787ef3273566fe5b979638e3a0bbf08836595 Mon Sep 17 00:00:00 2001 
From: aszlig Date: Fri, 27 Jun 2014 08:34:59 +0200 Subject: nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig --- nixos/tests/openssh.nix | 48 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 39 insertions(+), 9 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 0b9714c275d..d4ce95e49f7 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -1,4 +1,21 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test.nix ({ pkgs, ... }: + +let + snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" '' + -----BEGIN EC PRIVATE KEY----- + MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49 + AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN + r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA== + -----END EC PRIVATE KEY----- + ''; + + snakeOilPublicKey = pkgs.lib.concatStrings [ + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA" + "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa" + "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil" + ]; + +in { nodes = { @@ -9,6 +26,9 @@ import ./make-test.nix ({ pkgs, ... }: { services.openssh.enable = true; security.pam.services.sshd.limits = [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; + users.extraUsers.root.openssh.authorizedKeys.keys = [ + snakeOilPublicKey + ]; }; client = 
@@ -23,15 +43,25 @@ import ./make-test.nix ({ pkgs, ... }: { $server->waitForUnit("sshd"); - $server->succeed("mkdir -m 700 /root/.ssh"); - $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys"); + subtest "manual-authkey", sub { + $server->succeed("mkdir -m 700 /root/.ssh"); + $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys"); + + $client->succeed("mkdir -m 700 /root/.ssh"); + $client->copyFileFromHost("key", "/root/.ssh/id_dsa"); + $client->succeed("chmod 600 /root/.ssh/id_dsa"); - $client->succeed("mkdir -m 700 /root/.ssh"); - $client->copyFileFromHost("key", "/root/.ssh/id_dsa"); - $client->succeed("chmod 600 /root/.ssh/id_dsa"); + $client->waitForUnit("network.target"); + $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2"); + $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024"); + }; - $client->waitForUnit("network.target"); - $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2"); - $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024"); + subtest "configured-authkey", sub { + $client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil"); + $client->succeed("chmod 600 privkey.snakeoil"); + $client->succeed("ssh -o UserKnownHostsFile=/dev/null" . + " -o StrictHostKeyChecking=no -i privkey.snakeoil" . + " server true"); + }; ''; }) -- cgit 1.4.1 From da32f052b1390a77c58c8c1c3fae62db1abd050e Mon Sep 17 00:00:00 2001 
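Review bot: The `configured-authkey` subtest can pass without the configured key ever being used: ssh offers its default identities in addition to `-i`, and the preceding `manual-authkey` subtest has already installed `/root/.ssh/id_dsa` on the client with its public half in the server's `/root/.ssh/authorized_keys`. Adding `-o IdentitiesOnly=yes` to the `ssh` invocation, i.e. `" -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i privkey.snakeoil" .`, restricts authentication to `privkey.snakeoil` so the subtest actually fails when `users.extraUsers.root.openssh.authorizedKeys.keys` is not honoured. The `testScript` string starts before this hunk.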
From: aszlig Date: Fri, 27 Jun 2014 09:19:30 +0200 Subject: Revert "nixos/sshd: drop mode from auth keys file". This reverts commit a3331eb87b25d954766af9652e1415a783dae76c. See https://github.com/NixOS/nixpkgs/issues/2559#issuecomment-47313334 for a description why this is not a good idea. I guess it's better to implement a sane way to remove all files in authorized_keys.d, especially because it is also backwards-compatible. Reopens #2559. Signed-off-by: aszlig --- nixos/modules/services/networking/ssh/sshd.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos') diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index b563a781f1d..e4b29a0b909 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -56,6 +56,7 @@ let authKeysFiles = let mkAuthKeyFile = u: { target = "ssh/authorized_keys.d/${u.name}"; + mode = "0444"; source = pkgs.writeText "${u.name}-authorized_keys" '' ${concatStringsSep "\n" u.openssh.authorizedKeys.keys} ${concatMapStrings (f: readFile f + "\n") u.openssh.authorizedKeys.keyFiles} -- cgit 1.4.1 From 622673495b6b00843c2bbacc932b377e2389cc8b Mon Sep 17 00:00:00 2001 From: aszlig Date: Fri, 27 Jun 2014 09:39:12 +0200 Subject: nixos/log2html: Remove schema from jQuery URLs. This allows viewing test logs for example when using a Hydra running with HTTPS. Signed-off-by: aszlig --- nixos/lib/test-driver/log2html.xsl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/lib/test-driver/log2html.xsl b/nixos/lib/test-driver/log2html.xsl index 8e907d85ffa..ce8a9c6de2b 100644 --- a/nixos/lib/test-driver/log2html.xsl +++ b/nixos/lib/test-driver/log2html.xsl @@ -9,8 +9,8 @@ - - + +