movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

Merge remote-tracking branch 'upstream/master' into staging

Browse source 
Conflicts:
	pkgs/applications/networking/browsers/vivaldi/default.nix
	pkgs/misc/emulators/wine/base.nix
This commit is contained in:
Tuomas Tynkkynen 2016-05-03 23:12:48 +03:00
commit aadaa91379
506 changed files with 31436 additions and 5404 deletions
Download patch file Download diff file Expand all files Collapse all files

10
nixos/doc/manual/configuration/config-file.xml
View file

@ -106,11 +106,15 @@ networking.extraHosts =
'';
</programlisting>
The main difference is that preceding whitespace is
automatically stripped from each line, and that characters like
The main difference is that it strips from each line
a number of spaces equal to the minimal indentation of
the string as a whole (disregarding the indentation of
empty lines), and that characters like
<literal>"</literal> and <literal>\</literal> are not special
(making it more convenient for including things like shell
code).</para>
code).
See more info about this in the Nix manual <link
xlink:href="https://nixos.org/nix/manual/#ssec-values">here</link>.</para>
</listitem>
</varlistentry>

75
nixos/doc/manual/default.nix
View file

@ -74,6 +74,63 @@ let
</toc>
'';
manualXsltprocOptions = toString [
"--param section.autolabel 1"
"--param section.label.includes.component.label 1"
"--stringparam html.stylesheet style.css"
"--param xref.with.number.and.title 1"
"--param toc.section.depth 3"
"--stringparam admon.style ''"
"--stringparam callout.graphics.extension .gif"
"--stringparam current.docid manual"
"--param chunk.section.depth 0"
"--param chunk.first.sections 1"
"--param use.id.as.filename 1"
"--stringparam generate.toc 'book toc appendix toc'"
"--stringparam chunk.toc ${toc}"
];
olinkDB = stdenv.mkDerivation {
name = "manual-olinkdb";
inherit sources;
buildInputs = [ libxml2 libxslt ];
buildCommand = ''
${copySources}
xsltproc \
${manualXsltprocOptions} \
--stringparam collect.xref.targets only \
--stringparam targets.filename "$out/manual.db" \
--nonet --xinclude \
${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl \
./manual.xml
# Check the validity of the man pages sources.
xmllint --noout --nonet --xinclude --noxincludenode \
--relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
./man-pages.xml
cat > "$out/olinkdb.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE targetset SYSTEM
"file://${docbook5_xsl}/xml/xsl/docbook/common/targetdatabase.dtd" [
<!ENTITY manualtargets SYSTEM "file://$out/manual.db">
]>
<targetset>
<targetsetinfo>
Allows for cross-referencing olinks between the manpages
and the HTML/PDF manuals.
</targetsetinfo>
<document targetdoc="manual">&manualtargets;</document>
</targetset>
EOF
'';
};
in rec {
# The NixOS options in JSON format.
@ -116,18 +173,8 @@ in rec {
dst=$out/share/doc/nixos
mkdir -p $dst
xsltproc \
--param section.autolabel 1 \
--param section.label.includes.component.label 1 \
--stringparam html.stylesheet style.css \
--param xref.with.number.and.title 1 \
--param toc.section.depth 3 \
--stringparam admon.style "" \
--stringparam callout.graphics.extension .gif \
--param chunk.section.depth 0 \
--param chunk.first.sections 1 \
--param use.id.as.filename 1 \
--stringparam generate.toc "book toc appendix toc" \
--stringparam chunk.toc ${toc} \
${manualXsltprocOptions} \
--stringparam target.database.document "${olinkDB}/olinkdb.xml" \
--nonet --xinclude --output $dst/ \
${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl ./manual.xml
@ -159,6 +206,7 @@ in rec {
dst=$out/share/doc/nixos
mkdir -p $dst
xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \
-P target.database.document="${olinkDB}/olinkdb.xml" \
-P doc.collab.show=0 \
-P latex.output.revhistory=0
@ -178,7 +226,7 @@ in rec {
buildCommand = ''
${copySources}
# Check the validity of the manual sources.
# Check the validity of the man pages sources.
xmllint --noout --nonet --xinclude --noxincludenode \
--relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
./man-pages.xml
@ -190,6 +238,7 @@ in rec {
--param man.output.base.dir "'$out/share/man/'" \
--param man.endnotes.are.numbered 0 \
--param man.break.after.slash 1 \
--stringparam target.database.document "${olinkDB}/olinkdb.xml" \
${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
./man-pages.xml
'';

48
nixos/doc/manual/installation/installing-pxe.xml Normal file
View file

@ -0,0 +1,48 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-booting-from-pxe">
<title>Booting from the <quote>netboot</quote> media (PXE)</title>
<para>
Advanced users may wish to install NixOS using an existing PXE or
iPXE setup.
</para>
<para>
These instructions assume that you have an existing PXE or iPXE
infrastructure and simply want to add the NixOS installer as another
option. To build the necessary files from a recent version of
nixpkgs, you can run:
</para>
<programlisting>
nix-build -A netboot nixos/release.nix
</programlisting>
<para>
This will create a <literal>result</literal> directory containing: *
<literal>bzImage</literal> the Linux kernel *
<literal>initrd</literal> the initrd file *
<literal>netboot.ipxe</literal> an example ipxe script
demonstrating the appropriate kernel command line arguments for this
image
</para>
<para>
If youre using plain PXE, configure your boot loader to use the
<literal>bzImage</literal> and <literal>initrd</literal> files and
have it provide the same kernel command line arguments found in
<literal>netboot.ipxe</literal>.
</para>
<para>
If youre using iPXE, depending on how your HTTP/FTP/etc. server is
configured you may be able to use <literal>netboot.ipxe</literal>
unmodified, or you may need to update the paths to the files to
match your servers directory layout
</para>
<para>
In the future we may begin making these files available as build
products from hydra at which point we will update this documentation
with instructions on how to obtain them either for placing on a
dedicated TFTP server or to boot them directly over the internet.
</para>
</section>

1
nixos/doc/manual/installation/installing.xml
View file

@ -270,5 +270,6 @@ $ reboot</screen>
<xi:include href="installing-uefi.xml" />
<xi:include href="installing-usb.xml" />
<xi:include href="installing-pxe.xml" />
</chapter>

1
nixos/doc/manual/release-notes/release-notes.xml
View file

@ -9,6 +9,7 @@
<para>This section lists the release notes for each stable version of NixOS
and current unstable revision.</para>
<xi:include href="rl-1609.xml" />
<xi:include href="rl-1603.xml" />
<xi:include href="rl-1509.xml" />
<xi:include href="rl-1412.xml" />

48
nixos/doc/manual/release-notes/rl-1609.xml Normal file
View file

@ -0,0 +1,48 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-16.09">
<title>Release 16.09 (“Flounder”, 2016/09/??)</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
<itemizedlist>
<listitem>
<para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
</itemizedlist>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>todo</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem>
<para>todo</para>
</listitem>
</itemizedlist>
</section>

20
nixos/modules/installer/netboot/netboot-base.nix Normal file
View file

@ -0,0 +1,20 @@
# This module contains the basic configuration for building netboot
# images
{ config, lib, pkgs, ... }:
with lib;
{
imports =
[ ./netboot.nix
# Profiles of this basic netboot media
../../profiles/all-hardware.nix
../../profiles/base.nix
../../profiles/installation-device.nix
];
# Allow the user to log in as root without a password.
users.extraUsers.root.initialHashedPassword = "";
}

10
nixos/modules/installer/netboot/netboot-minimal.nix Normal file
View file

@ -0,0 +1,10 @@
# This module defines a small netboot environment.
{ config, lib, ... }:
{
imports =
[ ./netboot-base.nix
../../profiles/minimal.nix
];
}

91
nixos/modules/installer/netboot/netboot.nix Normal file
View file

@ -0,0 +1,91 @@
# This module creates netboot media containing the given NixOS
# configuration.
{ config, lib, pkgs, ... }:
with lib;
{
options = {
netboot.storeContents = mkOption {
example = literalExample "[ pkgs.stdenv ]";
description = ''
This option lists additional derivations to be included in the
Nix store in the generated netboot image.
'';
};
};
config = {
boot.loader.grub.version = 2;
# Don't build the GRUB menu builder script, since we don't need it
# here and it causes a cyclic dependency.
boot.loader.grub.enable = false;
boot.initrd.postMountCommands = ''
mkdir -p /mnt-root/nix/store
mount -t squashfs /nix-store.squashfs /mnt-root/nix/store
'';
# !!! Hack - attributes expected by other modules.
system.boot.loader.kernelFile = "bzImage";
environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
boot.consoleLogLevel = mkDefault 7;
fileSystems."/" =
{ fsType = "tmpfs";
options = [ "mode=0755" ];
};
boot.initrd.availableKernelModules = [ "squashfs" ];
boot.initrd.kernelModules = [ "loop" ];
# Closures to be copied to the Nix store, namely the init
# script and the top-level system configuration directory.
netboot.storeContents =
[ config.system.build.toplevel ];
# Create the squashfs image that contains the Nix store.
system.build.squashfsStore = import ../../../lib/make-squashfs.nix {
inherit (pkgs) stdenv squashfsTools perl pathsFromGraph;
storeContents = config.netboot.storeContents;
};
# Create the initrd
system.build.netbootRamdisk = pkgs.makeInitrd {
inherit (config.boot.initrd) compressor;
prepend = [ "${config.system.build.initialRamdisk}/initrd" ];
contents =
[ { object = config.system.build.squashfsStore;
symlink = "/nix-store.squashfs";
}
];
};
system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" "#!ipxe\nkernel bzImage init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}\ninitrd initrd\nboot";
boot.loader.timeout = 10;
boot.postBootCommands =
''
# After booting, register the contents of the Nix store
# in the Nix database in the tmpfs.
${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration
# nixos-rebuild also requires a "system" profile and an
# /etc/NIXOS tag.
touch /etc/NIXOS
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
'';
};
}

1
nixos/modules/misc/ids.nix
View file

@ -264,6 +264,7 @@
taskd = 240;
factorio = 241;
emby = 242;
graylog = 243;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!

1
nixos/modules/module-list.nix
View file

@ -183,6 +183,7 @@
./services/hardware/thermald.nix
./services/logging/awstats.nix
./services/logging/fluentd.nix
./services/logging/graylog.nix
./services/logging/klogd.nix
./services/logging/logcheck.nix
./services/logging/logrotate.nix

3
nixos/modules/security/grsecurity.nix
View file

@ -234,7 +234,8 @@ in
systemd.services.grsec-lock = mkIf cfg.config.sysctl {
description = "grsecurity sysctl-lock Service";
requires = [ "systemd-sysctl.service" ];
wants = [ "systemd-sysctl.service" ];
after = [ "systemd-sysctl.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = "yes";

116
nixos/modules/services/hardware/sane_extra_backends/brscan4.nix Normal file
View file

@ -0,0 +1,116 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.sane.brscan4;
netDeviceList = attrValues cfg.netDevices;
etcFiles = pkgs.callPackage ./brscan4_etc_files.nix { netDevices = netDeviceList; };
netDeviceOpts = { name, config, ... }: {
options = {
name = mkOption {
type = types.str;
description = ''
The friendly name you give to the network device. If undefined,
the name of attribute will be used.
'';
example = literalExample "office1";
};
model = mkOption {
type = types.str;
description = ''
The model of the network device.
'';
example = literalExample "MFC-7860DW";
};
ip = mkOption {
type = with types; nullOr str;
default = null;
description = ''
The ip address of the device. If undefined, you will have to
provide a nodename.
'';
example = literalExample "192.168.1.2";
};
nodename = mkOption {
type = with types; nullOr str;
default = null;
description = ''
The node name of the device. If undefined, you will have to
provide an ip.
'';
example = literalExample "BRW0080927AFBCE";
};
};
config =
{ name = mkDefault name;
};
};
in
{
options = {
hardware.sane.brscan4.enable =
mkEnableOption "Brother's brscan4 scan backend" // {
description = ''
When enabled, will automatically register the "brscan4" sane
backend and bring configuration files to their expected location.
'';
};
hardware.sane.brscan4.netDevices = mkOption {
default = {};
example =
{ office1 = { model = "MFC-7860DW"; ip = "192.168.1.2"; };
office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; };
};
type = types.loaOf types.optionSet;
description = ''
The list of network devices that will be registered against the brscan4
sane backend.
'';
options = [ netDeviceOpts ];
};
};
config = mkIf (config.hardware.sane.enable && cfg.enable) {
hardware.sane.extraBackends = [
pkgs.brscan4
];
environment.etc = singleton {
target = "opt/brother/scanner/brscan4";
source = "${etcFiles}/etc/opt/brother/scanner/brscan4";
};
assertions = [
{ assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList;
message = ''
When describing a network device as part of the attribute list
`hardware.sane.brscan4.netDevices`, only one of its `ip` or `nodename`
attribute should be specified, not both!
'';
}
];
};
}

71
nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix Normal file
View file

@ -0,0 +1,71 @@
{ stdenv, lib, brscan4, netDevices ? [] }:
/*
Testing
-------
No net devices:
~~~
nix-shell -E 'with import <nixpkgs> { }; brscan4-etc-files'
~~~
Two net devices:
~~~
nix-shell -E 'with import <nixpkgs> { }; brscan4-etc-files.override{netDevices=[{name="a"; model="MFC-7860DW"; nodename="BRW0080927AFBCE";} {name="b"; model="MFC-7860DW"; ip="192.168.1.2";}];}'
~~~
*/
with lib;
let
addNetDev = nd: ''
brsaneconfig4 -a \
name="${nd.name}" \
model="${nd.model}" \
${if (hasAttr "nodename" nd && nd.nodename != null) then
''nodename="${nd.nodename}"'' else
''ip="${nd.ip}"''}'';
addAllNetDev = xs: concatStringsSep "\n" (map addNetDev xs);
in
stdenv.mkDerivation rec {
name = "brscan4-etc-files-0.4.3-3";
src = "${brscan4}/opt/brother/scanner/brscan4";
nativeBuildInputs = [ brscan4 ];
configurePhase = ":";
buildPhase = ''
TARGET_DIR="$out/etc/opt/brother/scanner/brscan4"
mkdir -p "$TARGET_DIR"
cp -rp "./models4" "$TARGET_DIR"
cp -rp "./Brsane4.ini" "$TARGET_DIR"
cp -rp "./brsanenetdevice4.cfg" "$TARGET_DIR"
export BRSANENETDEVICE4_CFG_FILENAME="$TARGET_DIR/brsanenetdevice4.cfg"
printf '${addAllNetDev netDevices}\n'
${addAllNetDev netDevices}
'';
installPhase = ":";
dontStrip = true;
dontPatchELF = true;
meta = {
description = "Brother brscan4 sane backend driver etc files";
homepage = http://www.brother.com;
platforms = stdenv.lib.platforms.linux;
license = stdenv.lib.licenses.unfree;
maintainers = with stdenv.lib.maintainers; [ jraygauthier ];
};
}

161
nixos/modules/services/logging/graylog.nix Normal file
View file

@ -0,0 +1,161 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.graylog;
configBool = b: if b then "true" else "false";
confFile = pkgs.writeText "graylog.conf" ''
is_master = ${configBool cfg.isMaster}
node_id_file = ${cfg.nodeIdFile}
password_secret = ${cfg.passwordSecret}
root_username = ${cfg.rootUsername}
root_password_sha2 = ${cfg.rootPasswordSha2}
elasticsearch_cluster_name = ${cfg.elasticsearchClusterName}
elasticsearch_discovery_zen_ping_multicast_enabled = ${configBool cfg.elasticsearchDiscoveryZenPingMulticastEnabled}
elasticsearch_discovery_zen_ping_unicast_hosts = ${cfg.elasticsearchDiscoveryZenPingUnicastHosts}
message_journal_dir = ${cfg.messageJournalDir}
mongodb_uri = ${cfg.mongodbUri}
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.graylog = {
enable = mkEnableOption "Graylog";
package = mkOption {
type = types.package;
default = pkgs.graylog;
defaultText = "pkgs.graylog";
example = literalExample "pkgs.graylog";
description = "Graylog package to use.";
};
user = mkOption {
type = types.str;
default = "graylog";
example = literalExample "graylog";
description = "User account under which graylog runs";
};
isMaster = mkOption {
type = types.bool;
default = true;
description = "Whether this is the master instance of your Graylog cluster";
};
nodeIdFile = mkOption {
type = types.str;
default = "/var/lib/graylog/server/node-id";
description = "Path of the file containing the graylog node-id";
};
passwordSecret = mkOption {
type = types.str;
description = ''
You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
Generate one by using for example: pwgen -N 1 -s 96
'';
};
rootUsername = mkOption {
type = types.str;
default = "admin";
description = "Name of the default administrator user";
};
rootPasswordSha2 = mkOption {
type = types.str;
example = "e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e952";
description = ''
You MUST specify a hash password for the root user (which you only need to initially set up the
system and in case you lose connectivity to your authentication backend)
This password cannot be changed using the API or via the web interface. If you need to change it,
modify it here.
Create one by using for example: echo -n yourpassword | shasum -a 256
and use the resulting hash value as string for the option
'';
};
elasticsearchClusterName = mkOption {
type = types.str;
example = "graylog";
description = "This must be the same as for your Elasticsearch cluster";
};
elasticsearchDiscoveryZenPingMulticastEnabled = mkOption {
type = types.bool;
default = false;
description = "Whether to use elasticsearch multicast discovery";
};
elasticsearchDiscoveryZenPingUnicastHosts = mkOption {
type = types.str;
default = "127.0.0.1:9300";
description = "Tells Graylogs Elasticsearch client how to find other cluster members. See Elasticsearch documentation for details";
};
messageJournalDir = mkOption {
type = types.str;
default = "/var/lib/graylog/data/journal";
description = "The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and must not contain any other files than the ones created by Graylog itself";
};
mongodbUri = mkOption {
type = types.str;
default = "mongodb://localhost/graylog";
description = "MongoDB connection string. See http://docs.mongodb.org/manual/reference/connection-string/ for details";
};
extraConfig = mkOption {
type = types.str;
default = "";
description = "Any other configuration options you might want to add";
};
};
};
###### implementation
config = mkIf cfg.enable {
users.extraUsers = mkIf (cfg.user == "graylog") {
graylog = {
uid = config.ids.uids.graylog;
description = "Graylog server daemon user";
};
};
systemd.services.graylog = with pkgs; {
description = "Graylog Server";
wantedBy = [ "multi-user.target" ];
environment = {
JAVA_HOME = jre;
GRAYLOG_CONF = "${confFile}";
};
path = [ pkgs.openjdk8 pkgs.which pkgs.procps ];
preStart = ''
mkdir -p /var/lib/graylog -m 755
chown -R ${cfg.user} /var/lib/graylog
mkdir -p ${cfg.messageJournalDir} -m 755
chown -R ${cfg.user} ${cfg.messageJournalDir}
'';
serviceConfig = {
User="${cfg.user}";
PermissionsStartOnly=true;
ExecStart = "${cfg.package}/bin/graylogctl run";
};
};
};
}

69
nixos/modules/services/mail/rmilter.nix
View file

@ -7,9 +7,14 @@ let
rspamdCfg = config.services.rspamd;
cfg = config.services.rmilter;
inetSockets = map (sock: let s = stringSplit ":" sock; in "inet:${last s}:${head s}") cfg.bindInetSockets;
unixSockets = map (sock: "unix:${sock}") cfg.bindUnixSockets;
allSockets = unixSockets ++ inetSockets;
rmilterConf = ''
pidfile = /run/rmilter/rmilter.pid;
bind_socket = ${cfg.bindSocket};
bind_socket = ${if cfg.socketActivation then "fd:3" else concatStringsSep ", " allSockets};
tempdir = /tmp;
'' + (with cfg.rspamd; if enable then ''
@ -68,14 +73,37 @@ in
'';
};
bindSocket = mkOption {
type = types.string;
default = "unix:/run/rmilter/rmilter.sock";
description = "Socket to listed for MTA requests";
bindUnixSockets = mkOption {
type = types.listOf types.str;
default = ["/run/rmilter.sock"];
description = ''
Unix domain sockets to listen for MTA requests.
'';
example = ''
"unix:/run/rmilter/rmilter.sock" or
"inet:11990@127.0.0.1"
'';
[ "/run/rmilter.sock"]
'';
};
bindInetSockets = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Inet addresses to listen (in format accepted by systemd.socket)
'';
example = ''
["127.0.0.1:11990"]
'';
};
socketActivation = mkOption {
type = types.bool;
default = true;
description = ''
Enable systemd socket activation for rmilter.
(disabling socket activation not recommended
when unix socket used, and follow to wrong
permissions on unix domain socket.)
'';
};
rspamd = {
@ -86,7 +114,7 @@ in
servers = mkOption {
type = types.listOf types.str;
default = ["r:0.0.0.0:11333"];
default = ["r:/run/rspamd.sock"];
description = ''
Spamd socket definitions.
Is server name is prefixed with r: it is rspamd server.
@ -129,7 +157,7 @@ in
type = types.str;
description = "Addon to postfix configuration";
default = ''
smtpd_milters = ${cfg.bindSocket}
smtpd_milters = ${head allSockets}
# or for TCP socket
# # smtpd_milters = inet:localhost:9900
milter_protocol = 6
@ -169,21 +197,30 @@ milter_default_action = accept
serviceConfig = {
ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
ExecReload = "/bin/kill -USR1 $MAINPID";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryPermissions="0755";
};
preStart = ''
${pkgs.coreutils}/bin/mkdir -p /run/rmilter
${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /run/rmilter
'';
};
services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment;
systemd.sockets.rmilter = mkIf cfg.socketActivation {
description = "Rmilter service socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.bindUnixSockets ++ cfg.bindInetSockets;
SocketUser = cfg.user;
SocketGroup = cfg.group;
SocketMode = "0660";
};
};
services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment;
users.users.postfix.extraGroups = [ cfg.group ];
};
}

59
nixos/modules/services/mail/rspamd.nix
View file

@ -6,6 +6,35 @@ let
cfg = config.services.rspamd;
mkBindSockets = socks: concatStringsSep "\n" (map (each: " bind_socket = \"${each}\"") socks);
rspamdConf =
''
.include "$CONFDIR/common.conf"
options {
pidfile = "$RUNDIR/rspamd.pid";
.include "$CONFDIR/options.inc"
}
logging {
type = "file";
filename = "$LOGDIR/rspamd.log";
.include "$CONFDIR/logging.inc"
}
worker {
${mkBindSockets cfg.bindSocket}
.include "$CONFDIR/worker-normal.inc"
}
worker {
${mkBindSockets cfg.bindUISocket}
.include "$CONFDIR/worker-controller.inc"
}
'';
rspamdConfFile = pkgs.writeText "rspamd.conf" rspamdConf;
in
{
@ -26,6 +55,32 @@ in
description = "Whether to run the rspamd daemon in debug mode.";
};
bindSocket = mkOption {
type = types.listOf types.str;
default = [
"/run/rspamd.sock mode=0666 owner=${cfg.user}"
];
description = ''
List of sockets to listen, in format acceptable by rspamd
'';
example = ''
bindSocket = [
"/run/rspamd.sock mode=0666 owner=rspamd"
"*:11333"
];
'';
};
bindUISocket = mkOption {
type = types.listOf types.str;
default = [
"localhost:11334"
];
description = ''
List of sockets for web interface, in format acceptable by rspamd
'';
};
user = mkOption {
type = types.string;
default = "rspamd";
@ -62,7 +117,7 @@ in
users.extraGroups = singleton {
name = cfg.group;
gid = config.ids.gids.spamd;
gid = config.ids.gids.rspamd;
};
systemd.services.rspamd = {
@ -72,7 +127,7 @@ in
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -f";
ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c ${rspamdConfFile} -f";
RuntimeDirectory = "/var/lib/rspamd";
PermissionsStartOnly = true;
Restart = "always";

4
nixos/modules/services/misc/taskserver/default.nix
View file

@ -449,7 +449,7 @@ in {
};
};
})
(mkIf needToCreateCA {
(mkIf (cfg.enable && needToCreateCA) {
systemd.services.taskserver-ca = {
wantedBy = [ "taskserver.service" ];
after = [ "taskserver-init.service" ];
@ -533,7 +533,7 @@ in {
'';
};
})
(mkIf (cfg.listenHost != "localhost") {
(mkIf (cfg.enable && cfg.listenHost != "localhost") {
networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
})
{ meta.doc = ./taskserver.xml; }

54
nixos/modules/services/networking/copy-com.nix
View file

@ -1,54 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.copy-com;
in
{
options = {
services.copy-com = {
enable = mkOption {
default = false;
description = "
Enable the Copy.com client.
NOTE: before enabling the client for the first time, it must be
configured by first running CopyConsole (command line) or CopyAgent
(graphical) as the appropriate user.
";
};
user = mkOption {
description = "The user for which the Copy.com client should be run.";
};
debug = mkOption {
default = false;
description = "Output more (debugging) messages to the console.";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.postfix ];
systemd.services."copy-com-${cfg.user}" = {
description = "Copy.com client";
wants = [ "network-online.target" ];
after = [ "network-online.target" "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.copy-com}/bin/CopyConsole ${if cfg.debug then "-consoleOutput -debugToConsole=dirwatch,path-watch,csm_path,csm -debug -console" else ""}";
User = "${cfg.user}";
};
};
};
}

1
nixos/modules/services/search/elasticsearch.nix
View file

@ -145,6 +145,7 @@ in {
# Install plugins
ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins
ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi
'';
postStart = mkBefore ''

28
nixos/modules/services/security/fail2ban.nix
View file

@ -99,34 +99,32 @@ in
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service";
restartTriggers = [ fail2banConf jailConf ];
path = [ pkgs.fail2ban pkgs.iptables ];
preStart =
''
mkdir -p /run/fail2ban -m 0755
mkdir -p /var/lib/fail2ban
'';
unitConfig.Documentation = "man:fail2ban(1)";
serviceConfig =
{ ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
{ Type = "forking";
ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start";
ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop";
ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload";
PIDFile = "/run/fail2ban/fail2ban.pid";
Restart = "always";
ReadOnlyDirectories = "/";
ReadWriteDirectories = "/run /var/tmp /var/lib";
ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
PrivateTmp = "true";
RuntimeDirectory = "fail2ban";
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
};
postStart =
''
# Wait for the server to start listening.
for ((n = 0; n < 20; n++)); do
if fail2ban-client ping; then break; fi
sleep 0.5
done
# Reload its configuration.
fail2ban-client reload
'';
};
# Add some reasonable default jails. The special "DEFAULT" jail

2
nixos/modules/services/x11/desktop-managers/gnome3.nix
View file

@ -165,6 +165,8 @@ in {
'';
};
services.xserver.updateDbusEnvironment = true;
environment.variables.GIO_EXTRA_MODULES = [ "${gnome3.dconf}/lib/gio/modules"
"${gnome3.glib_networking.out}/lib/gio/modules"
"${gnome3.gvfs}/lib/gio/modules" ];

5
nixos/modules/services/x11/desktop-managers/xfce.nix
View file

@ -42,10 +42,13 @@ in
# Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes.
export GTK_DATA_PREFIX=${config.system.path}
exec ${pkgs.stdenv.shell} ${pkgs.xfce.xinitrc}
${pkgs.stdenv.shell} ${pkgs.xfce.xinitrc} &
waitPID=$!
'';
};
services.xserver.updateDbusEnvironment = true;
environment.systemPackages =
[ pkgs.gtk # To get GTK+'s themes.
pkgs.hicolor_icon_theme

8
nixos/modules/services/x11/display-managers/default.nix
View file

@ -126,6 +126,14 @@ let
(*) echo "$0: Desktop manager '$desktopManager' not found.";;
esac
${optionalString (cfg.startDbusSession && cfg.updateDbusEnvironment) ''
${pkgs.glib}/bin/gdbus call --session \
--dest org.freedesktop.DBus --object-path /org/freedesktop/DBus \
--method org.freedesktop.DBus.UpdateActivationEnvironment \
"{$(env | ${pkgs.gnused}/bin/sed "s/'/\\\\'/g; s/\([^=]*\)=\(.*\)/'\1':'\2'/" \
| ${pkgs.coreutils}/bin/paste -sd,)}"
''}
test -n "$waitPID" && wait "$waitPID"
exit 0
'';

9
nixos/modules/services/x11/xserver.nix
View file

@ -233,6 +233,15 @@ in
'';
};
updateDbusEnvironment = mkOption {
type = types.bool;
default = false;
description = ''
Whether to update the DBus activation environment after launching the
desktop manager.
'';
};
layout = mkOption {
type = types.str;
default = "us";

72
nixos/modules/virtualisation/ec2-amis.nix
View file

@ -90,40 +90,40 @@
"15.09".us-west-2.pv-ebs = "ami-005fb160";
"15.09".us-west-2.pv-s3 = "ami-cd55bbad";
"16.03".ap-northeast-1.hvm-ebs = "ami-885040e6";
"16.03".ap-northeast-1.hvm-s3 = "ami-d15a4abf";
"16.03".ap-northeast-1.pv-ebs = "ami-7f455511";
"16.03".ap-northeast-1.pv-s3 = "ami-6d7d6d03";
"16.03".ap-southeast-1.hvm-ebs = "ami-478a5f24";
"16.03".ap-southeast-1.hvm-s3 = "ami-b2885dd1";
"16.03".ap-southeast-1.pv-ebs = "ami-55b46136";
"16.03".ap-southeast-1.pv-s3 = "ami-92b762f1";
"16.03".ap-southeast-2.hvm-ebs = "ami-26b09345";
"16.03".ap-southeast-2.hvm-s3 = "ami-52ac8f31";
"16.03".ap-southeast-2.pv-ebs = "ami-1fb3907c";
"16.03".ap-southeast-2.pv-s3 = "ami-49b1922a";
"16.03".eu-central-1.hvm-ebs = "ami-2bd63744";
"16.03".eu-central-1.hvm-s3 = "ami-82d435ed";
"16.03".eu-central-1.pv-ebs = "ami-b729c8d8";
"16.03".eu-central-1.pv-s3 = "ami-a12dccce";
"16.03".eu-west-1.hvm-ebs = "ami-87c242f4";
"16.03".eu-west-1.hvm-s3 = "ami-b6c343c5";
"16.03".eu-west-1.pv-ebs = "ami-6bc94918";
"16.03".eu-west-1.pv-s3 = "ami-00cb4b73";
"16.03".sa-east-1.hvm-ebs = "ami-845cd3e8";
"16.03".sa-east-1.hvm-s3 = "ami-8142cded";
"16.03".sa-east-1.pv-ebs = "ami-1643cc7a";
"16.03".sa-east-1.pv-s3 = "ami-1646c97a";
"16.03".us-east-1.hvm-ebs = "ami-2cc4d046";
"16.03".us-east-1.hvm-s3 = "ami-9bc9ddf1";
"16.03".us-east-1.pv-ebs = "ami-7df4e017";
"16.03".us-east-1.pv-s3 = "ami-90f2e6fa";
"16.03".us-west-1.hvm-ebs = "ami-d8116db8";
"16.03".us-west-1.hvm-s3 = "ami-a7166ac7";
"16.03".us-west-1.pv-ebs = "ami-e90c7089";
"16.03".us-west-1.pv-s3 = "ami-5b0c703b";
"16.03".us-west-2.hvm-ebs = "ami-b339ccd3";
"16.03".us-west-2.hvm-s3 = "ami-2c3bce4c";
"16.03".us-west-2.pv-ebs = "ami-0625d066";
"16.03".us-west-2.pv-s3 = "ami-7414e114";
"16.03".ap-northeast-1.hvm-ebs = "ami-b6edf5d8";
"16.03".ap-northeast-1.hvm-s3 = "ami-b1e3fbdf";
"16.03".ap-northeast-1.pv-ebs = "ami-6190880f";
"16.03".ap-northeast-1.pv-s3 = "ami-908d95fe";
"16.03".ap-southeast-1.hvm-ebs = "ami-35b16656";
"16.03".ap-southeast-1.hvm-s3 = "ami-41be6922";
"16.03".ap-southeast-1.pv-ebs = "ami-4cb96e2f";
"16.03".ap-southeast-1.pv-s3 = "ami-3bb96e58";
"16.03".ap-southeast-2.hvm-ebs = "ami-debc91bd";
"16.03".ap-southeast-2.hvm-s3 = "ami-55bc9136";
"16.03".ap-southeast-2.pv-ebs = "ami-b38ba6d0";
"16.03".ap-southeast-2.pv-s3 = "ami-9e8ba6fd";
"16.03".eu-central-1.hvm-ebs = "ami-7c967413";
"16.03".eu-central-1.hvm-s3 = "ami-b29072dd";
"16.03".eu-central-1.pv-ebs = "ami-7a947615";
"16.03".eu-central-1.pv-s3 = "ami-729b791d";
"16.03".eu-west-1.hvm-ebs = "ami-ff27a98c";
"16.03".eu-west-1.hvm-s3 = "ami-6c21af1f";
"16.03".eu-west-1.pv-ebs = "ami-a33cb2d0";
"16.03".eu-west-1.pv-s3 = "ami-ec38b69f";
"16.03".sa-east-1.hvm-ebs = "ami-5bef6637";
"16.03".sa-east-1.hvm-s3 = "ami-55f87139";
"16.03".sa-east-1.pv-ebs = "ami-76e56c1a";
"16.03".sa-east-1.pv-s3 = "ami-e1f8718d";
"16.03".us-east-1.hvm-ebs = "ami-4bfd1926";
"16.03".us-east-1.hvm-s3 = "ami-60c5210d";
"16.03".us-east-1.pv-ebs = "ami-c0c92dad";
"16.03".us-east-1.pv-s3 = "ami-f9d63294";
"16.03".us-west-1.hvm-ebs = "ami-13aad473";
"16.03".us-west-1.hvm-s3 = "ami-e1a8d681";
"16.03".us-west-1.pv-ebs = "ami-c0a6d8a0";
"16.03".us-west-1.pv-s3 = "ami-6aa9d70a";
"16.03".us-west-2.hvm-ebs = "ami-265dad46";
"16.03".us-west-2.hvm-s3 = "ami-cd40b0ad";
"16.03".us-west-2.pv-ebs = "ami-7b4aba1b";
"16.03".us-west-2.pv-s3 = "ami-0849b968";
}

13
nixos/release.nix
View file

@ -103,6 +103,19 @@ in rec {
# Build the initial ramdisk so Hydra can keep track of its size over time.
initialRamdisk = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.initialRamdisk);
netboot.x86_64-linux = let build = (import lib/eval-config.nix {
system = "x86_64-linux";
modules = [
./modules/installer/netboot/netboot-minimal.nix
versionModule
];
}).config.system.build;
in
pkgs.symlinkJoin {name="netboot"; paths=[
build.netbootRamdisk
build.kernel
build.netbootIpxeScript
];};
iso_minimal = forAllSystems (system: makeIso {
module = ./modules/installer/cd-dvd/installation-cd-minimal.nix;

43
nixos/tests/boot.nix
View file

@ -44,5 +44,44 @@ in {
usb => glob("${iso}/iso/*.iso"),
bios => '${pkgs.OVMF}/FV/OVMF.fd'
'';
}
netboot = let
config = (import ../lib/eval-config.nix {
inherit system;
modules =
[ ../modules/installer/netboot/netboot.nix
../modules/testing/test-instrumentation.nix
{ key = "serial"; }
];
}).config;
ipxeScriptDir = pkgs.writeTextFile {
name = "ipxeScriptDir";
text = ''
#!ipxe
dhcp
kernel bzImage init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} console=ttyS0
initrd initrd
boot
'';
destination = "/boot.ipxe";
};
ipxeBootDir = pkgs.symlinkJoin {
name = "ipxeBootDir";
paths = [
config.system.build.netbootRamdisk
config.system.build.kernel
ipxeScriptDir
];
};
in
makeTest {
name = "boot-netboot";
nodes = { };
testScript =
''
my $machine = createMachine({ qemuFlags => '-boot order=n -net nic,model=e1000 -net user,tftp=${ipxeBootDir}/,bootfile=boot.ipxe -m 2000M' });
$machine->start;
$machine->waitForUnit("multi-user.target");
$machine->shutdown;
'';
};
}