From ed6a60de1e085c2de945b76e5f9aa907b322d747 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Sun, 13 May 2018 16:52:00 +0200 Subject: nixos/matomo: add automatic archive processing --- nixos/doc/manual/release-notes/rl-1903.xml | 17 +++++++++ nixos/modules/services/web-apps/matomo-doc.xml | 32 ++++++++++++++--- nixos/modules/services/web-apps/matomo.nix | 48 +++++++++++++++++++++++++- 3 files changed, 91 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index 65cc166c9a0..565f0cb68d5 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml @@ -276,6 +276,23 @@ which determines the used Matomo version. + + The Matomo module now also comes with the systemd service matomo-archive-processing.service + and a timer that automatically triggers archive processing every hour. + This means that you can safely + + disable browser triggers for Matomo archiving + at Administration > System > General Settings. + + + Additionally, you can enable to + + delete old visitor logs + at Administration > System > Privacy, + but make sure that you run systemctl start matomo-archive-processing.service + at least once without errors if you have already collected data before, + so that the reports get archived before the source data gets deleted. + diff --git a/nixos/modules/services/web-apps/matomo-doc.xml b/nixos/modules/services/web-apps/matomo-doc.xml index 510a335edc3..c71c22e810e 100644 --- a/nixos/modules/services/web-apps/matomo-doc.xml +++ b/nixos/modules/services/web-apps/matomo-doc.xml @@ -12,15 +12,15 @@ An automatic setup is not suported by Matomo, so you need to configure Matomo itself in the browser-based Matomo setup. +
Database Setup - You also need to configure a MariaDB or MySQL database and -user for Matomo yourself, and enter those credentials in your browser. You can use passwordless database authentication via the UNIX_SOCKET authentication plugin with the following SQL commands: - + # For MariaDB INSTALL PLUGIN unix_socket SONAME 'auth_socket'; CREATE DATABASE matomo; @@ -32,7 +32,7 @@ CREATE DATABASE matomo; CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket; GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; - + Then fill in matomo as database user and database name, and leave the password field blank. This authentication works by allowing only the matomo unix user to authenticate as the @@ -46,9 +46,30 @@ database is not on the same host.
+ +
+ Archive Processing + + This module comes with the systemd service matomo-archive-processing.service + and a timer that automatically triggers archive processing every hour. + This means that you can safely + + disable browser triggers for Matomo archiving + at Administration > System > General Settings. + + + With automatic archive processing, you can now also enable to + + delete old visitor logs + at Administration > System > Privacy, + but make sure that you run systemctl start matomo-archive-processing.service + at least once without errors if you have already collected data before, + so that the reports get archived before the source data gets deleted. + +
+
Backup - You only need to take backups of your MySQL database and the /var/lib/matomo/config/config.ini.php file. Use a user @@ -57,9 +78,9 @@ .
+
Issues - @@ -76,6 +97,7 @@
+
Using other Web Servers than nginx diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index 9fddf832074..34ca5c2a72b 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -54,6 +54,20 @@ in { ''; }; + periodicArchiveProcessing = mkOption { + type = types.bool; + default = true; + description = '' + Enable periodic archive processing, which generates aggregated reports from the visits. + + This means that you can safely disable browser triggers for Matomo archiving, + and safely enable to delete old visitor logs. + Before deleting visitor logs, + make sure though that you run systemctl start matomo-archive-processing.service + at least once without errors if you have already collected data before. + ''; + }; + phpfpmProcessManagerConfig = mkOption { type = types.str; default = '' @@ -132,16 +146,17 @@ in { requires = [ databaseService ]; after = [ databaseService ]; path = [ cfg.package ]; + environment.PIWIK_USER_PATH = dataDir; serviceConfig = { Type = "oneshot"; User = user; # hide especially config.ini.php from other UMask = "0007"; # TODO: might get renamed to MATOMO_USER_PATH in future versions - Environment = "PIWIK_USER_PATH=${dataDir}"; # chown + chmod in preStart needs root PermissionsStartOnly = true; }; + # correct ownership and permissions in case they're not correct anymore, # e.g. after restoring from backup or moving from another system. # Note that ${dataDir}/config/config.ini.php might contain the MySQL password. 
@@ -169,6 +184,37 @@ in { ''; }; + # If this is run regularly via the timer, + # 'Browser trigger archiving' can be disabled in Matomo UI > Settings > General Settings. + systemd.services.matomo-archive-processing = { + description = "Archive Matomo reports"; + # the archiving can only work if the database is already up and running + requires = [ databaseService ]; + after = [ databaseService ]; + + # TODO: might get renamed to MATOMO_USER_PATH in future versions + environment.PIWIK_USER_PATH = dataDir; + serviceConfig = { + Type = "oneshot"; + User = user; + UMask = "0007"; + CPUSchedulingPolicy = "idle"; + IOSchedulingClass = "idle"; + ExecStart = "${cfg.package}/bin/matomo-console core:archive --url=https://${user}.${fqdn}"; + }; + }; + + systemd.timers.matomo-archive-processing = mkIf cfg.periodicArchiveProcessing { + description = "Automatically archive Matomo reports every hour"; + + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "hourly"; + Persistent = "yes"; + AccuracySec = "10m"; + }; + }; + systemd.services.${phpExecutionUnit} = { # stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart restartTriggers = [ cfg.package ]; -- cgit 1.4.1 From 959ba6f05537551ff0937858aa46f72fb9eb063a Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Sun, 13 May 2018 16:52:37 +0200 Subject: nixos/matomo: rename matomo_setup_update to matomo-setup-update to make it consistent with other NixOS systemd services and `matomo-archive-processing.service`. Also, consistently spell Matomo with capital M. --- nixos/modules/services/web-apps/matomo.nix | 34 +++++++++++++++++------------- 1 file changed, 19 insertions(+), 15 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index 34ca5c2a72b..e5427c7a564 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix 
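Review bot: `ExecStart` hardcodes `--url=https://${user}.${fqdn}`, which is the name of the nginx vhost this module defines, but the module also supports the `webServerUser` path where no such vhost exists (the option text elsewhere on this page says "Either the nginx option or the webServerUser option is mandatory"); in that case `core:archive` is pointed at a host that may not serve Matomo at all, or serves it without a matching certificate. Consider deriving the URL from an option that defaults to the vhost name so the non-nginx case can be configured. The new service also orders only after `databaseService`; since the database upgrade is done by `matomo_setup_update` (per the phpfpm comment at the end of this hunk), a timer firing during a package switch may run `core:archive` against a not-yet-migrated schema, and `after = [ databaseService "matomo_setup_update.service" ]` with the matching `requires` would close that window. Defining the service unconditionally while only the timer depends on `cfg.periodicArchiveProcessing` looks intended, so that the documented manual `systemctl start` still works when the timer is disabled.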
@@ -23,20 +23,24 @@ in { options = { services.matomo = { # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 - # matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257 - # TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented. + # Matomo issue for automatic Matomo setup: https://github.com/matomo-org/matomo/issues/10257 + # TODO: find a nice way to do this when more NixOS MySQL and / or Matomo automatic setup stuff is implemented. enable = mkOption { type = types.bool; default = false; description = '' - Enable matomo web analytics with php-fpm backend. + Enable Matomo web analytics with php-fpm backend. Either the nginx option or the webServerUser option is mandatory. ''; }; package = mkOption { type = types.package; - description = "Matomo package to use"; + description = '' + Matomo package for the service to use. + This can be used to point to newer releases from nixos-unstable, + as they don't get backported if they are not security-relevant. + ''; default = pkgs.matomo; defaultText = "pkgs.matomo"; }; @@ -47,7 +51,7 @@ in { example = "lighttpd"; # TODO: piwik.php might get renamed to matomo.php in future releases description = '' - Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx + Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for Matomo if the nginx option is not used. Either this option or the nginx option is mandatory. If you want to use another webserver than nginx, you need to set this to that server's user and pass fastcgi requests to `index.php` and `piwik.php` to this socket. 
@@ -83,7 +87,7 @@ in { catch_workers_output = yes ''; description = '' - Settings for phpfpm's process manager. You might need to change this depending on the load for matomo. + Settings for phpfpm's process manager. You might need to change this depending on the load for Matomo. ''; }; @@ -93,7 +97,7 @@ in { (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) { # enable encryption by default, - # as sensitive login and matomo data should not be transmitted in clear text. + # as sensitive login and Matomo data should not be transmitted in clear text. options.forceSSL.default = true; options.enableACME.default = true; } @@ -108,7 +112,7 @@ in { enableACME = false; }; description = '' - With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo. + With this option, you can customize an nginx virtualHost which already has sensible defaults for Matomo. Either this option or the webServerUser option is mandatory. Set this to {} to just enable the virtualHost if you don't need any customization. If enabled, then by default, the is @@ -138,8 +142,8 @@ in { }; users.groups.${user} = {}; - systemd.services.matomo_setup_update = { - # everything needs to set up and up to date before matomo php files are executed + systemd.services.matomo-setup-update = { + # everything needs to set up and up to date before Matomo php files are executed requiredBy = [ "${phpExecutionUnit}.service" ]; before = [ "${phpExecutionUnit}.service" ]; # the update part of the script can only work if the database is already up and running @@ -161,7 +165,7 @@ in { # e.g. after restoring from backup or moving from another system. # Note that ${dataDir}/config/config.ini.php might contain the MySQL password. preStart = '' - # migrate data from piwik to matomo folder + # migrate data from piwik to Matomo folder if [ -d ${deprecatedDataDir} ]; then echo "Migrating from ${deprecatedDataDir} to ${dataDir}" mv -T ${deprecatedDataDir} ${dataDir} 
@@ -170,7 +174,7 @@ in { chmod -R ug+rwX,o-rwx ${dataDir} ''; script = '' - # Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group + # Use User-Private Group scheme to protect Matomo data, but allow administration / backup via 'matomo' group # Copy config folder chmod g+s "${dataDir}" cp -r "${cfg.package}/config" "${dataDir}/" @@ -216,7 +220,7 @@ in { }; systemd.services.${phpExecutionUnit} = { - # stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart + # stop phpfpm on package upgrade, do database upgrade via matomo-setup-update, and then restart restartTriggers = [ cfg.package ]; # stop config.ini.php from getting written with read permission for others serviceConfig.UMask = "0007"; @@ -246,13 +250,13 @@ in { # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html # https://github.com/perusio/piwik-nginx "${user}.${fqdn}" = mkMerge [ cfg.nginx { - # don't allow to override the root easily, as it will almost certainly break matomo. + # don't allow to override the root easily, as it will almost certainly break Matomo. # disadvantage: not shown as default in docs. root = mkForce "${cfg.package}/share"; # define locations here instead of as the submodule option's default # so that they can easily be extended with additional locations if required - # without needing to redefine the matomo ones. + # without needing to redefine the Matomo ones. # disadvantage: not shown as default in docs. locations."/" = { index = "index.php"; -- cgit 1.4.1 From eab69d998bf728551b525c00c4f771018da00f1f Mon Sep 17 00:00:00 2001 
From: Robert Irelan Date: Tue, 5 Feb 2019 20:44:48 -0800 Subject: Remove option config.services.tt-rss.checkForUpdates (forced to false) Force this option to false. Leaving this as true (currently the default) is dangerous. If the TT-RSS installation upgrades itself to a newer version requiring a schema update, the installation will break the next time the TT-RSS systemd service is restarted. Ideally, the installation itself should be immutable (see https://github.com/NixOS/nixpkgs/issues/55300). --- nixos/modules/services/web-apps/tt-rss.nix | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index 90b35d19ea1..6070182a092 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -46,7 +46,17 @@ let define('SINGLE_USER_MODE', ${boolToString cfg.singleUserMode}); define('SIMPLE_UPDATE_MODE', ${boolToString cfg.simpleUpdateMode}); - define('CHECK_FOR_UPDATES', ${boolToString cfg.checkForUpdates}); + + // Never check for updates - the running version of the code should be + // controlled entirely by the version of TT-RSS active in the current Nix + // profile. If TT-RSS updates itself to a version requiring a database + // schema upgrade, and then the SystemD tt-rss.service is restarted, the + // old code copied from the Nix store will overwrite the updated version, + // causing the code to detect the need for a schema "upgrade" (since the + // schema version in the database is different than in the code), but the + // update schema operation in TT-RSS will do nothing because the schema + // version in the database is newer than that in the code. + define('CHECK_FOR_UPDATES', false); define('FORCE_ARTICLE_PURGE', ${toString cfg.forceArticlePurge}); define('SESSION_COOKIE_LIFETIME', ${toString cfg.sessionCookieLifetime}); 
@@ -399,14 +409,6 @@ let ''; }; - checkForUpdates = mkOption { - type = types.bool; - default = true; - description = '' - Check for updates automatically if running Git version - ''; - }; - enableGZipOutput = mkOption { type = types.bool; default = true; @@ -474,6 +476,14 @@ let }; }; + imports = [ + (mkRemovedOptionModule ["services" "tt-rss" "checkForUpdates"] '' + This option was removed because setting this to true will cause TT-RSS + to be unable to start if an automatic update of the code in + services.tt-rss.root leads to a database schema upgrade that is not + supported by the code active in the Nix store. + '') + ]; ###### implementation -- cgit 1.4.1 From 488a3f09cd4c30a3833c9209a6e489fa33771d91 Mon Sep 17 00:00:00 2001 From: Robert Helgesson Date: Sun, 10 Feb 2019 13:08:54 +0100 Subject: nixos/wpa_supplicant: use `` Fixes #55505 --- nixos/doc/manual/configuration/wireless.xml | 5 ++++- .../modules/services/networking/wpa_supplicant.nix | 21 ++++++++++++++++++--- 2 files changed, 22 insertions(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/configuration/wireless.xml b/nixos/doc/manual/configuration/wireless.xml index 999447234ad..f7e99ff0e35 100644 --- a/nixos/doc/manual/configuration/wireless.xml +++ b/nixos/doc/manual/configuration/wireless.xml @@ -29,7 +29,10 @@ networks are set, it will default to using a configuration file at /etc/wpa_supplicant.conf. You should edit this file yourself to define wireless networks, WPA keys and so on (see - wpa_supplicant.conf(5)). + + wpa_supplicant.conf + 5 + ). diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 8622212f085..cdfe98aa034 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix 
@@ -86,7 +86,12 @@ in { ''; description = '' Use this option to configure advanced authentication methods like EAP. - See wpa_supplicant.conf(5) for example configurations. + See + + wpa_supplicant.conf + 5 + + for example configurations. Mutually exclusive with psk and pskRaw. ''; @@ -122,7 +127,12 @@ in { ''; description = '' Extra configuration lines appended to the network block. - See wpa_supplicant.conf(5) for available options. + See + + wpa_supplicant.conf + 5 + + for available options. ''; }; @@ -174,7 +184,12 @@ in { ''; description = '' Extra lines appended to the configuration file. - See wpa_supplicant.conf(5) for available options. + See + + wpa_supplicant.conf + 5 + + for available options. ''; }; }; -- cgit 1.4.1 From faac33bc77d4f6c2c010991302954ee6638a10d9 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Sun, 10 Feb 2019 23:29:48 +0100 Subject: nixos/matomo: 3.8.0 introduces matomo.{php,js} files --- nixos/modules/services/web-apps/matomo.nix | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index 9fddf832074..2415880b62a 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -45,12 +45,11 @@ in { type = types.nullOr types.str; default = null; example = "lighttpd"; - # TODO: piwik.php might get renamed to matomo.php in future releases description = '' Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx option is not used. Either this option or the nginx option is mandatory. If you want to use another webserver than nginx, you need to set this to that server's user - and pass fastcgi requests to `index.php` and `piwik.php` to this socket. + and pass fastcgi requests to `index.php`, `matomo.php` and `piwik.php` (legacy name) to this socket. ''; }; 
@@ -215,8 +214,11 @@ in { locations."= /index.php".extraConfig = '' fastcgi_pass unix:${phpSocket}; ''; - # TODO: might get renamed to matomo.php in future versions - # allow piwik.php for tracking + # allow matomo.php for tracking + locations."= /matomo.php".extraConfig = '' + fastcgi_pass unix:${phpSocket}; + ''; + # allow piwik.php for tracking (deprecated name) locations."= /piwik.php".extraConfig = '' fastcgi_pass unix:${phpSocket}; ''; @@ -237,8 +239,11 @@ in { locations."= /robots.txt".extraConfig = '' return 200 "User-agent: *\nDisallow: /\n"; ''; - # TODO: might get renamed to matomo.js in future versions - # let browsers cache piwik.js + # let browsers cache matomo.js + locations."= /matomo.js".extraConfig = '' + expires 1M; + ''; + # let browsers cache piwik.js (deprecated name) locations."= /piwik.js".extraConfig = '' expires 1M; ''; -- cgit 1.4.1 From 9522ca5ce98af6a5b227adaa5164697385150366 Mon Sep 17 00:00:00 2001 From: Johan Thomsen Date: Mon, 11 Feb 2019 13:47:45 +0100 Subject: nixos/flannel: add options to configure kubernetes as config backend for flannel --- nixos/modules/services/networking/flannel.nix | 31 ++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/flannel.nix b/nixos/modules/services/networking/flannel.nix index b93e28e34ef..cb39a53b5f9 100644 --- a/nixos/modules/services/networking/flannel.nix +++ b/nixos/modules/services/networking/flannel.nix 
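Review bot: The `= /matomo.php` block added here is byte-identical to the `= /piwik.php` and `= /index.php` blocks (`fastcgi_pass unix:${phpSocket};`), and the same duplication is introduced for the two `expires 1M;` blocks; since these exact-match locations are effectively the allowlist of PHP entry points handed to php-fpm, keeping them as one definition makes later additions less error-prone. A small local such as `passToPhp = { extraConfig = "fastcgi_pass unix:${phpSocket};"; };` in the enclosing `let` (outside the hunk) would reduce each of the three entries to `locations."= /matomo.php" = passToPhp;`. The enclosing vhost attrset starts and ends outside this hunk.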
@@ -73,11 +73,26 @@ in { }; }; + kubeconfig = mkOption { + description = '' + Path to kubeconfig to use for storing flannel config using the + Kubernetes API + ''; + type = types.nullOr types.path; + default = null; + }; + network = mkOption { description = " IPv4 network in CIDR format to use for the entire flannel network."; type = types.str; }; + storageBackend = mkOption { + description = "Determines where flannel stores its configuration at runtime"; + type = types.enum ["etcd" "kubernetes"]; + default = "etcd"; + }; + subnetLen = mkOption { description = '' The size of the subnet allocated to each host. Defaults to 24 (i.e. /24) @@ -122,17 +137,21 @@ in { after = [ "network.target" ]; environment = { FLANNELD_PUBLIC_IP = cfg.publicIp; + FLANNELD_IFACE = cfg.iface; + } // optionalAttrs (cfg.storageBackend == "etcd") { FLANNELD_ETCD_ENDPOINTS = concatStringsSep "," cfg.etcd.endpoints; FLANNELD_ETCD_KEYFILE = cfg.etcd.keyFile; FLANNELD_ETCD_CERTFILE = cfg.etcd.certFile; FLANNELD_ETCD_CAFILE = cfg.etcd.caFile; - FLANNELD_IFACE = cfg.iface; ETCDCTL_CERT_FILE = cfg.etcd.certFile; ETCDCTL_KEY_FILE = cfg.etcd.keyFile; ETCDCTL_CA_FILE = cfg.etcd.caFile; ETCDCTL_PEERS = concatStringsSep "," cfg.etcd.endpoints; + } // optionalAttrs (cfg.storageBackend == "kubernetes") { + FLANNELD_KUBE_SUBNET_MGR = "true"; + FLANNELD_KUBECONFIG_FILE = cfg.kubeconfig; }; - preStart = '' + preStart = mkIf (cfg.storageBackend == "etcd") '' echo "setting network configuration" until ${pkgs.etcdctl.bin}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}' do 
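Review bot: `kubeconfig` is declared `types.nullOr types.path` with `default = null`, yet nothing asserts it is set when `storageBackend = "kubernetes"`; if I read the systemd `environment` handling right, a null value just drops the `FLANNELD_KUBECONFIG_FILE` entry in the second hunk, so the misconfiguration only surfaces when flanneld starts. An assertion such as `{ assertion = cfg.storageBackend == "kubernetes" -> cfg.kubeconfig != null; message = "services.flannel.kubeconfig must be set when storageBackend is kubernetes"; }` next to the implementation block would fail evaluation instead. A kubeconfig typically carries client credentials, and `types.path` also accepts a literal Nix path (`./kubeconfig`) which is copied into the world-readable store, so the description should add a sentence like `Pass this as a string, not a Nix path, so the credentials are not copied into the Nix store.`.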
@@ -149,6 +168,12 @@ in { serviceConfig.ExecStart = "${cfg.package}/bin/flannel"; }; - services.etcd.enable = mkDefault (cfg.etcd.endpoints == ["http://127.0.0.1:2379"]); + services.etcd.enable = mkDefault (cfg.storageBackend == "etcd" && cfg.etcd.endpoints == ["http://127.0.0.1:2379"]); + + # for some reason, flannel doesn't let you configure this path + # see: https://github.com/coreos/flannel/blob/master/Documentation/configuration.md#configuration + environment.etc."kube-flannel/net-conf.json" = mkIf (cfg.storageBackend == "kubernetes") { + source = pkgs.writeText "net-conf.json" (builtins.toJSON networkConfig); + }; }; } -- cgit 1.4.1 From adc9da617884b240f3799875b8e3b1ae3ae3185e Mon Sep 17 00:00:00 2001 From: Johan Thomsen Date: Tue, 12 Feb 2019 18:26:08 +0100 Subject: nixos/flannel: fix flannel nixos test, add test to all-tests.nix --- nixos/tests/all-tests.nix | 1 + nixos/tests/flannel.nix | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 7e207fa419f..229f2c3abf7 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -73,6 +73,7 @@ in ferm = handleTest ./ferm.nix {}; firefox = handleTest ./firefox.nix {}; firewall = handleTest ./firewall.nix {}; + flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {}; flatpak = handleTest ./flatpak.nix {}; fsck = handleTest ./fsck.nix {}; fwupd = handleTestOn ["x86_64-linux"] ./fwupd.nix {}; # libsmbios is unsupported on aarch64 diff --git a/nixos/tests/flannel.nix b/nixos/tests/flannel.nix index fb66fe28209..0b261a68477 100644 --- a/nixos/tests/flannel.nix +++ b/nixos/tests/flannel.nix 
@@ -21,8 +21,9 @@ import ./make-test.nix ({ pkgs, ...} : rec { services = { etcd = { enable = true; - listenClientUrls = ["http://etcd:2379"]; - listenPeerUrls = ["http://etcd:2380"]; + listenClientUrls = ["http://0.0.0.0:2379"]; # requires ip-address for binding + listenPeerUrls = ["http://0.0.0.0:2380"]; # requires ip-address for binding + advertiseClientUrls = ["http://etcd:2379"]; initialAdvertisePeerUrls = ["http://etcd:2379"]; initialCluster = ["etcd=http://etcd:2379"]; }; -- cgit 1.4.1 From b93ea9c26f5630716b435bbf52f7559f9853d76e Mon Sep 17 00:00:00 2001 From: Alexandre Mazari Date: Tue, 12 Feb 2019 22:32:11 +0100 Subject: zoneminder: fix build issue when using createLocally database --- nixos/modules/services/misc/zoneminder.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index a40e9e84613..ae7de7850d9 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -205,15 +205,13 @@ in { mysql = lib.mkIf cfg.database.createLocally { ensureDatabases = [ cfg.database.name ]; - ensureUsers = { + ensureUsers = [{ name = cfg.database.username; - ensurePermissions = [ - { "${cfg.database.name}.*" = "ALL PRIVILEGES"; } - ]; + ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; initialDatabases = [ { inherit (cfg.database) name; schema = "${pkg}/share/zoneminder/db/zm_create.sql"; } ]; - }; + }]; }; nginx = lib.mkIf useNginx { -- cgit 1.4.1 From 94136fdc1b6c0eb71d10b27a9a2cb597d73ca33e Mon Sep 17 00:00:00 2001 From: Johan Thomsen Date: Wed, 13 Feb 2019 17:17:52 +0100 Subject: nixos/flannel: node name needs to be configured for flannel to work with kubernetes storage backend --- nixos/modules/services/networking/flannel.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'nixos') 
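Review bot: `initialDatabases` ends up inside the single `ensureUsers` element together with `name` and `ensurePermissions`; as far as I know `services.mysql.initialDatabases` is a top-level option of the mysql module and the `ensureUsers` submodule declares only `name` and `ensurePermissions`, so this would be rejected as an undeclared option rather than seeding the schema from `zm_create.sql`. Moving the `initialDatabases = [ ... ];` list out of the `[{ ... }]` so it sits next to `ensureDatabases` keeps the list-vs-attrset fix while restoring the schema import. Worth verifying against the mysql module's option declarations before merging.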
diff --git a/nixos/modules/services/networking/flannel.nix b/nixos/modules/services/networking/flannel.nix index cb39a53b5f9..6c43573851b 100644 --- a/nixos/modules/services/networking/flannel.nix +++ b/nixos/modules/services/networking/flannel.nix @@ -87,6 +87,15 @@ in { type = types.str; }; + nodeName = mkOption { + description = '' + Needed when running with Kubernetes as backend as this cannot be auto-detected"; + ''; + type = types.nullOr types.str; + default = with config.networking; (hostName + optionalString (!isNull domain) ".${domain}"); + example = "node1.example.com"; + }; + storageBackend = mkOption { description = "Determines where flannel stores its configuration at runtime"; type = types.enum ["etcd" "kubernetes"]; @@ -150,6 +159,7 @@ in { } // optionalAttrs (cfg.storageBackend == "kubernetes") { FLANNELD_KUBE_SUBNET_MGR = "true"; FLANNELD_KUBECONFIG_FILE = cfg.kubeconfig; + NODE_NAME = cfg.nodeName; }; preStart = mkIf (cfg.storageBackend == "etcd") '' echo "setting network configuration" -- cgit 1.4.1 From 5eef3590ae0d6215c8b3764aa11266d1eed9ad39 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Wed, 13 Feb 2019 19:58:02 -0500 Subject: nixos/phpfpm: allow configuring php.ini files per-pool --- nixos/modules/services/web-servers/phpfpm/default.nix | 9 ++++++--- nixos/modules/services/web-servers/phpfpm/pool-options.nix | 9 +++++++++ 2 files changed, 15 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index 152c89a2cae..97c730061bd 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix @@ -14,11 +14,13 @@ let mapPoolConfig = n: p: { phpPackage = cfg.phpPackage; + phpOptions = cfg.phpOptions; config = p; }; mapPool = n: p: { phpPackage = p.phpPackage; + phpOptions = p.phpOptions; config = '' listen = ${p.listen} ${p.extraConfig} 
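Review bot: The `nodeName` description contains a stray `";` at the end of the sentence (`... cannot be auto-detected";`), which will be rendered verbatim in the manual; it should read `Needed when running with Kubernetes as backend as this cannot be auto-detected.`. The default derived from `config.networking.hostName` and `domain` is helpful, but since the type is `nullOr str` a user can still set it to null, which (if I read the `environment` handling right) leaves `NODE_NAME` unset for the kubernetes backend; a sentence saying the value must match the node's name as registered in Kubernetes would make that failure easier to diagnose.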
@@ -35,8 +37,8 @@ let ${conf} ''; - phpIni = pkgs.runCommand "php.ini" { - inherit (cfg) phpPackage phpOptions; + phpIni = pool: pkgs.runCommand "php.ini" { + inherit (pool) phpPackage phpOptions; nixDefaults = '' sendmail_path = "/run/wrappers/bin/sendmail -t -i" ''; @@ -156,6 +158,7 @@ in { ''; serviceConfig = let cfgFile = fpmCfgFile pool poolConfig.config; + iniFile = phpIni poolConfig; in { Slice = "phpfpm.slice"; PrivateDevices = true; @@ -164,7 +167,7 @@ in { # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; Type = "notify"; - ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${phpIni}"; + ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; }; } diff --git a/nixos/modules/services/web-servers/phpfpm/pool-options.nix b/nixos/modules/services/web-servers/phpfpm/pool-options.nix index 40c83cddb95..d9ad7eff71f 100644 --- a/nixos/modules/services/web-servers/phpfpm/pool-options.nix +++ b/nixos/modules/services/web-servers/phpfpm/pool-options.nix @@ -25,6 +25,15 @@ with lib; { ''; }; + phpOptions = mkOption { + type = types.lines; + default = fpmCfg.phpOptions; + defaultText = "config.services.phpfpm.phpOptions"; + description = '' + "Options appended to the PHP configuration file php.ini used for this PHP-FPM pool." + ''; + }; + extraConfig = mkOption { type = types.lines; example = '' -- cgit 1.4.1 From 33b3272692868d9a746f4f703c1d917fb7b9adb6 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Sun, 10 Feb 2019 12:48:32 +0100 Subject: nixos/cups: Fix Unable to encrypt connection: Unable to create server credentials by creating /var/lib/cups/ssl directory. --- nixos/modules/services/printing/cupsd.nix | 4 ++++ nixos/tests/printing.nix | 2 ++ 2 files changed, 6 insertions(+) (limited to 'nixos') 
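Review bot: The `phpOptions` description in pool-options.nix is written as `'' "Options appended ..." ''`, so the inner double quotes become part of the rendered text; it should be `description = "Options appended to the PHP configuration file php.ini used for this PHP-FPM pool.";` (or the `''` form without the quotes). The default `fpmCfg.phpOptions` relies on `fpmCfg` being part of this file's argument set, which is outside the hunk; if it is not already passed in, the new option fails evaluation. Since `phpIni pool` now renders each pool's value into its own `pkgs.runCommand "php.ini"` store path, a sentence noting that the text ends up in the world-readable Nix store would tell users not to place secrets in it.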
diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 1031d6f3d7e..3a43ebbb889 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -316,6 +316,10 @@ in mkdir -m 0755 -p ${cfg.tempDir} mkdir -m 0755 -p /var/lib/cups + # While cups will automatically create self-signed certificates if accessed via TLS, + # this directory to store the certificates needs to be created manually. + mkdir -m 0700 -p /var/lib/cups/ssl + # Backwards compatibility if [ ! -L /etc/cups ]; then mv /etc/cups/* /var/lib/cups diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix index d85abf3c105..7026637ead1 100644 --- a/nixos/tests/printing.nix +++ b/nixos/tests/printing.nix @@ -39,6 +39,8 @@ import ./make-test.nix ({pkgs, ... }: { $client->waitForUnit("cups.service"); $client->sleep(10); # wait until cups is fully initialized $client->succeed("lpstat -r") =~ /scheduler is running/ or die; + # check local encrypted connections work without error + $client->succeed("lpstat -E -r") =~ /scheduler is running/ or die; # Test that UNIX socket is used for connections. $client->succeed("lpstat -H") =~ "/var/run/cups/cups.sock" or die; # Test that HTTP server is available too. -- cgit 1.4.1 From 98419a0f6453a99e9f57da7edcc53d662561a4f2 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Thu, 14 Feb 2019 16:55:16 -0500 Subject: nixos/tests/switch-test: Ensures the test fails on failure (#55744) The `| tee` invocation always masked the return value of the switch-to-configuration test. ``` ~ $ false | tee && echo "oh no" oh no ``` The added wrapper script will still output everything to stderr, while passing failures to the test harness. --- nixos/tests/switch-test.nix | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 32010838e67..0dba3697980 100644 
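Review bot: `mkdir -m 0700 -p /var/lib/cups/ssl` only applies the mode to a directory it creates; if `/var/lib/cups/ssl` already exists (created by hand, restored from a backup, or left by an earlier cups run) with wider permissions, it stays at that mode. Since the comment says cups generates its self-signed certificates there, and the key material that goes with them should not be readable by other users, a follow-up `chmod 0700 /var/lib/cups/ssl` after the mkdir would enforce the intended mode on every start. The preStart script continues outside the hunk.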
--- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -18,8 +18,17 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = {nodes, ...}: let originalSystem = nodes.machine.config.system.build.toplevel; otherSystem = nodes.other.config.system.build.toplevel; + + # Ensures failures pass through using pipefail, otherwise failing to + # switch-to-configuration is hidden by the success of `tee`. + stderrRunner = pkgs.writeScript "stderr-runner" '' + #! ${pkgs.stdenv.shell} + set -e + set -o pipefail + exec env -i "$@" | tee /dev/stderr + ''; in '' - $machine->succeed("env -i ${originalSystem}/bin/switch-to-configuration test | tee /dev/stderr"); - $machine->succeed("env -i ${otherSystem}/bin/switch-to-configuration test | tee /dev/stderr"); + $machine->succeed("${stderrRunner} ${originalSystem}/bin/switch-to-configuration test"); + $machine->succeed("${stderrRunner} ${otherSystem}/bin/switch-to-configuration test"); ''; }) -- cgit 1.4.1 From a1525c5d482ec2ca84c4210d53c224005fc37414 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 15 Feb 2019 17:50:07 -0500 Subject: docs: give matomo an ID --- nixos/modules/services/web-apps/matomo-doc.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/matomo-doc.xml b/nixos/modules/services/web-apps/matomo-doc.xml index c71c22e810e..20d2de9f418 100644 --- a/nixos/modules/services/web-apps/matomo-doc.xml +++ b/nixos/modules/services/web-apps/matomo-doc.xml @@ -47,7 +47,7 @@
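Review bot: `exec env -i "$@" | tee /dev/stderr` does not replace the shell: the left side of a pipeline runs in a subshell, so `exec` only affects that subshell while reading as if the script hands off control, which it cannot do while `tee` is the other half of the pipeline. Dropping the keyword (`env -i "$@" | tee /dev/stderr`) makes the intent plain without changing behaviour, and `set -e` is redundant for a script whose last command is the pipeline, though harmless. `set -o pipefail` presumes a bash-compatible `${pkgs.stdenv.shell}`, which holds in nixpkgs as far as I know.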
-
+
Archive Processing This module comes with the systemd service matomo-archive-processing.service -- cgit 1.4.1