JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into gcc-6

Browse Source
This commit is contained in:
Eelco Dolstra 2016-12-21 15:51:18 +01:00
commit 3373a55cac
No known key found for this signature in database
GPG Key ID: 8170B4726D7198DE
1440 changed files with 47512 additions and 21655 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/CONTRIBUTING.md vendored
View File

@ -32,4 +32,4 @@ See the nixpkgs manual for more details on how to [Submit changes to nixpkgs](ht
## Reviewing contributions
See the nixpkgs manual for more details on how to [Review contributions](http://hydra.nixos.org/job/nixpkgs/trunk/manual/latest/download-by-type/doc/manual#chap-reviewing-contributions).
See the nixpkgs manual for more details on how to [Review contributions](https://nixos.org/nixpkgs/manual/#sec-reviewing-contributions).

4
.mention-bot
View File

@ -1,10 +1,12 @@
{
"userBlacklist": [
"civodul",
"jhasse"
"jhasse",
"shlevy"
],
"alwaysNotifyForPaths": [
{ "name": "FRidh", "files": ["pkgs/top-level/python-packages.nix", "pkgs/development/interpreters/python/*", "pkgs/development/python-modules/*" ] },
{ "name": "LnL7", "files": ["pkgs/stdenv/darwin/*", "pkgs/os-specific/darwin/*"] },
{ "name": "copumpkin", "files": ["pkgs/stdenv/darwin/*", "pkgs/os-specific/darwin/apple-source-releases/*"] }
],
"fileBlacklist": ["pkgs/top-level/all-packages.nix"]

2
.travis.yml
View File

@ -4,7 +4,7 @@ matrix:
- os: linux
sudo: false
script:
- ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball
- ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball nixpkgs-unstable
- ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
- os: linux
sudo: required

43
doc/functions.xml
View File

@ -8,6 +8,15 @@
The nixpkgs repository has several utility functions to manipulate Nix expressions.
</para>
<section xml:id="sec-overrides">
<title>Overriding</title>
<para>
Sometimes one wants to override parts of
<literal>nixpkgs</literal>, e.g. derivation attributes, the results of
derivations or even the whole package set.
</para>
<section xml:id="sec-pkgs-overridePackages">
<title>pkgs.overridePackages</title>
@ -258,6 +267,40 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
</section>
</section>
<section xml:id="sec-generators">
<title>Generators</title>
<para>
Generators are functions that create file formats from nix
data structures, e.g. for configuration files.
There are generators available for: <literal>INI</literal>,
<literal>JSON</literal> and <literal>YAML</literal>
</para>
<para>
All generators follow a similar call interface: <code>generatorName
configFunctions data</code>, where <literal>configFunctions</literal> is a
set of user-defined functions that format variable parts of the content.
They each have common defaults, so often they do not need to be set
manually. An example is <code>mkSectionName ? (name: libStr.escape [ "[" "]"
] name)</code> from the <literal>INI</literal> generator. It gets the name
of a section and returns a sanitized name. The default
<literal>mkSectionName</literal> escapes <literal>[</literal> and
<literal>]</literal> with a backslash.
</para>
<note><para>Nix store paths can be converted to strings by enclosing a
derivation attribute like so: <code>"${drv}"</code>.</para></note>
<para>
Detailed documentation for each generator can be found in
<literal>lib/generators.nix</literal>.
</para>
</section>
<section xml:id="sec-fhs-environments">
<title>buildFHSUserEnv</title>

2
doc/languages-frameworks/beam.xml
View File

@ -248,7 +248,7 @@ $ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA beamPackages.ibrowse
development. Many times we need to create a
<literal>shell.nix</literal> file and do our development inside
of the environment specified by that file. This file looks a lot
like the packageing described above. The main difference is that
like the packaging described above. The main difference is that
<literal>src</literal> points to project root and we call the
package directly.
</para>

2
doc/languages-frameworks/haskell.md
View File

@ -633,7 +633,7 @@ Now the builds succeeds.
Of course, in the concrete example of `ghc-events` this whole exercise is not
an ideal solution, because `ghc-events` can analyze the output emitted by any
version of GHC later than 6.12 regardless of the compiler version that was used
to build the `ghc-events' executable, so strictly speaking there's no reason to
to build the `ghc-events` executable, so strictly speaking there's no reason to
prefer one built with GHC 7.8.x in the first place. However, for users who
cannot use GHC 7.10.x at all for some reason, the approach of downgrading to an
older version might be useful.

126
doc/languages-frameworks/python.md
View File

@ -97,7 +97,7 @@ We will first have a look at how Python packages are packaged on Nix. Then, we w
#### Python packaging on Nix
On Nix all packages are built by functions. The main function in Nix for building Python packages is [`buildPythonPackage`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/python-modules/generic/default.nix).
On Nix all packages are built by functions. The main function in Nix for building Python packages is [`buildPythonPackage`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/interpreters/python/build-python-package.nix).
Let's see how we would build the `toolz` package. According to [`python-packages.nix`](https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/python-packages.nix) `toolz` is build using
```nix
@ -141,13 +141,15 @@ with import <nixpkgs> {};
pkgs.python35Packages.buildPythonPackage rec {
name = "toolz-${version}";
version = "0.7.4";
version = "0.8.0";
src = pkgs.fetchurl{
url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
};
doCheck = false;
meta = {
homepage = "http://github.com/pytoolz/toolz/";
description = "List processing tools and functional utilities";
@ -170,18 +172,18 @@ with import <nixpkgs> {};
( let
toolz = pkgs.python35Packages.buildPythonPackage rec {
name = "toolz-${version}";
version = "0.7.4";
version = "0.8.0";
src = pkgs.fetchurl{
url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
};
doCheck = false;
meta = {
homepage = "http://github.com/pytoolz/toolz/";
description = "List processing tools and functional utilities";
license = licenses.bsd3;
maintainers = with maintainers; [ fridh ];
};
};
@ -308,11 +310,10 @@ Note also the line `doCheck = false;`, we explicitly disabled running the test-s
#### Develop local package
As a Python developer you're likely aware of [development mode](http://pythonhosted.org/setuptools/setuptools.html#development-mode) (`python setup.py develop`);
As a Python developer you're likely aware of [development mode](http://setuptools.readthedocs.io/en/latest/setuptools.html#development-mode) (`python setup.py develop`);
instead of installing the package this command creates a special link to the project code.
That way, you can run updated code without having to reinstall after each and every change you make.
Development mode is also available on Nix as [explained](http://nixos.org/nixpkgs/manual/#ssec-python-development) in the Nixpkgs manual.
Let's see how you can use it.
Development mode is also available. Let's see how you can use it.
In the previous Nix expression the source was fetched from an url. We can also refer to a local source instead using
@ -409,10 +410,10 @@ and in this case the `python35` interpreter is automatically used.
### Interpreters
Versions 2.6, 2.7, 3.3, 3.4 and 3.5 of the CPython interpreter are as respectively
Versions 2.6, 2.7, 3.3, 3.4 and 3.5 of the CPython interpreter are available as respectively
`python26`, `python27`, `python33`, `python34` and `python35`. The PyPy interpreter
is available as `pypy`. The aliases `python2` and `python3` correspond to respectively `python27` and
`python35`. The default interpreter, `python`, maps to `python3`.
`python35`. The default interpreter, `python`, maps to `python2`.
The Nix expressions for the interpreters can be found in
`pkgs/development/interpreters/python`.
@ -434,17 +435,20 @@ Each interpreter has the following attributes:
- `withPackages`. Simpler interface to `buildEnv`. See section *python.withPackages function* for usage and documentation.
- `sitePackages`. Alias for `lib/${libPrefix}/site-packages`.
- `executable`. Name of the interpreter executable, e.g. `python3.4`.
- `pkgs`. Set of Python packages for that specific interpreter. The package set can be modified by overriding the interpreter and passing `packageOverrides`.
### Building packages and applications
Python packages (libraries) and applications that use `setuptools` or
`distutils` are typically built with respectively the `buildPythonPackage` and
`buildPythonApplication` functions.
Python libraries and applications that use `setuptools` or
`distutils` are typically build with respectively the `buildPythonPackage` and
`buildPythonApplication` functions. These two functions also support installing a `wheel`.
All Python packages reside in `pkgs/top-level/python-packages.nix` and all
applications elsewhere. Some packages are also defined in
applications elsewhere. In case a package is used as both a library and an application,
then the package should be in `pkgs/top-level/python-packages.nix` since only those packages are made
available for all interpreter versions. The preferred location for library expressions is in
`pkgs/development/python-modules`. It is important that these packages are
called in `pkgs/top-level/python-packages.nix` and not elsewhere, to guarantee
called from `pkgs/top-level/python-packages.nix` and not elsewhere, to guarantee
the right version of the package is built.
Based on the packages defined in `pkgs/top-level/python-packages.nix` an
@ -462,14 +466,14 @@ and the aliases
* `pkgs.python2Packages` pointing to `pkgs.python27Packages`
* `pkgs.python3Packages` pointing to `pkgs.python35Packages`
* `pkgs.pythonPackages` pointing to `pkgs.python3Packages`
* `pkgs.pythonPackages` pointing to `pkgs.python2Packages`
#### `buildPythonPackage` function
The `buildPythonPackage` function is implemented in
`pkgs/development/interpreters/python/build-python-package.nix`
and can be used as:
The following is an example:
twisted = buildPythonPackage {
name = "twisted-8.1.0";
@ -520,7 +524,7 @@ All parameters from `mkDerivation` function are still supported.
* `postShellHook`: Hook to execute commands after `shellHook`.
* `makeWrapperArgs`: A list of strings. Arguments to be passed to `makeWrapper`, which wraps generated binaries. By default, the arguments to `makeWrapper` set `PATH` and `PYTHONPATH` environment variables before calling the binary. Additional arguments here can allow a developer to set environment variables which will be available when the binary is run. For example, `makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"]`.
* `installFlags`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"].
* `format`: Format of the source. Options are `setup` for when the source has a `setup.py` and `setuptools` is used to build a wheel, and `wheel` in case the source is already a binary wheel. The default value is `setup`.
* `format`: Format of the source. Valid options are `setuptools` (default), `flit`, `wheel`, and `other`. `setuptools` is for when the source has a `setup.py` and `setuptools` is used to build a wheel, `flit`, in case `flit` should be used to build a wheel, and `wheel` in case a wheel is provided. In case you need to provide your own `buildPhase` and `installPhase` you can use `other`.
* `catchConflicts` If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.
* `checkInputs` Dependencies needed for running the `checkPhase`. These are added to `buildInputs` when `doCheck = true`.
@ -697,59 +701,55 @@ should also be done when packaging `A`.
### How to override a Python package?
Recursively updating a package can be done with `pkgs.overridePackages` as explained in the Nixpkgs manual.
Python attribute sets are created for each interpreter version. We will therefore override the attribute set for the interpreter version we're interested.
In the following example we change the name of the package `pandas` to `foo`.
```
newpkgs = pkgs.overridePackages(self: super: rec {
python35Packages = (super.python35Packages.override { self = python35Packages;})
// { pandas = super.python35Packages.pandas.override {name = "foo";};
};
});
```
This can be tested with
```
We can override the interpreter and pass `packageOverrides`.
In the following example we rename the `pandas` package and build it.
```nix
with import <nixpkgs> {};
(let
newpkgs = pkgs.overridePackages(self: super: rec {
python35Packages = (super.python35Packages.override { self = python35Packages;})
// { pandas = super.python35Packages.pandas.override {name = "foo";};
let
python = let
packageOverrides = self: super: {
pandas = super.pandas.override {name="foo";};
};
});
in newpkgs.python35.withPackages (ps: [ps.blaze])
).env
```
A typical use case is to switch to another version of a certain package. For example, in the Nixpkgs repository we have multiple versions of `django` and `scipy`.
In the following example we use a different version of `scipy`. All packages in `newpkgs` will now use the updated `scipy` version.
in pkgs.python35.override {inherit packageOverrides;};
in python.pkgs.pandas
```
Using `nix-build` on this expression will build the package `pandas`
but with the new name `foo`.
All packages in the package set will use the renamed package.
A typical use case is to switch to another version of a certain package.
For example, in the Nixpkgs repository we have multiple versions of `django` and `scipy`.
In the following example we use a different version of `scipy` and create an environment that uses it.
All packages in the Python package set will now use the updated `scipy` version.
```nix
with import <nixpkgs> {};
(let
newpkgs = pkgs.overridePackages(self: super: rec {
python35Packages = super.python35Packages.override {
self = python35Packages // { scipy = python35Packages.scipy_0_17;};
(
let
packageOverrides = self: super: {
scipy = super.scipy_0_17;
};
});
in newpkgs.python35.withPackages (ps: [ps.blaze])
in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
).env
```
The requested package `blaze` depends upon `pandas` which itself depends on `scipy`.
The requested package `blaze` depends on `pandas` which itself depends on `scipy`.
A similar example but now using `django`
If you want the whole of Nixpkgs to use your modifications, then you can use `pkgs.overridePackages`
as explained in this manual. In the following example we build a `inkscape` using a different version of `numpy`.
```
with import <nixpkgs> {};
(let
newpkgs = pkgs.overridePackages(self: super: rec {
python27Packages = (super.python27Packages.override {self = python27Packages;})
// { django = super.python27Packages.django_1_9; };
let
pkgs = import <nixpkgs> {};
newpkgs = pkgs.overridePackages ( pkgsself: pkgssuper: {
python27 = let
packageOverrides = self: super: {
numpy = super.numpy_1_10;
};
in pkgssuper.python27.override {inherit packageOverrides;};
} );
in newpkgs.python27.withPackages (ps: [ps.django_guardian ])
).env
in newpkgs.inkscape
```
### `python setup.py bdist_wheel` cannot create .whl
@ -770,9 +770,9 @@ or the current time:
nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
```
or unset:
"""
```
nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
"""
```
### `install_data` / `data_files` problems

1
doc/manual.xml
View File

@ -20,6 +20,7 @@
<xi:include href="package-notes.xml" />
<xi:include href="coding-conventions.xml" />
<xi:include href="submitting-changes.xml" />
<xi:include href="reviewing-contributions.xml" />
<xi:include href="contributing.xml" />
</book>

134
doc/package-notes.xml
View File

@ -382,4 +382,138 @@ it. Place the resulting <filename>package.nix</filename> file into
</section>
<section xml:id="sec-steam">
<title>Steam</title>
<section xml:id="sec-steam-nix">
<title>Steam in Nix</title>
<para>
Steam is distributed as a <filename>.deb</filename> file, for now only
as an i686 package (the amd64 package only has documentation).
When unpacked, it has a script called <filename>steam</filename> that
in ubuntu (their target distro) would go to <filename>/usr/bin
</filename>. When run for the first time, this script copies some
files to the user's home, which include another script that is the
ultimate responsible for launching the steam binary, which is also
in $HOME.
</para>
<para>
Nix problems and constraints:
<itemizedlist>
<listitem><para>We don't have <filename>/bin/bash</filename> and many
scripts point there. Similarly for <filename>/usr/bin/python</filename>
.</para></listitem>
<listitem><para>We don't have the dynamic loader in <filename>/lib
</filename>.</para></listitem>
<listitem><para>The <filename>steam.sh</filename> script in $HOME can
not be patched, as it is checked and rewritten by steam.</para></listitem>
<listitem><para>The steam binary cannot be patched, it's also checked.</para></listitem>
</itemizedlist>
</para>
<para>
The current approach to deploy Steam in NixOS is composing a FHS-compatible
chroot environment, as documented
<link xlink:href="http://sandervanderburg.blogspot.nl/2013/09/composing-fhs-compatible-chroot.html">here</link>.
This allows us to have binaries in the expected paths without disrupting the system,
and to avoid patching them to work in a non FHS environment.
</para>
</section>
<section xml:id="sec-steam-play">
<title>How to play</title>
<para>
For 64-bit systems it's important to have
<programlisting>hardware.opengl.driSupport32Bit = true;</programlisting>
in your <filename>/etc/nixos/configuration.nix</filename>. You'll also need
<programlisting>hardware.pulseaudio.support32Bit = true;</programlisting>
if you are using PulseAudio - this will enable 32bit ALSA apps integration.
To use the Steam controller, you need to add
<programlisting>services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
KERNEL=="uinput", MODE="0660", GROUP="users", OPTIONS+="static_node=uinput"
'';</programlisting>
to your configuration.
</para>
</section>
<section xml:id="sec-steam-troub">
<title>Troubleshooting</title>
<para>
<variablelist>
<varlistentry>
<term>Steam fails to start. What do I do?</term>
<listitem><para>Try to run
<programlisting>strace steam</programlisting>
to see what is causing steam to fail.</para></listitem>
</varlistentry>
<varlistentry>
<term>Using the FOSS Radeon drivers</term>
<listitem><itemizedlist><listitem><para>
The open source radeon drivers need a newer libc++ than is provided
by the default runtime, which leads to a crash on launch. Use
<programlisting>environment.systemPackages = [(pkgs.steam.override { newStdcpp = true; })];</programlisting>
in your config if you get an error like
<programlisting>
libGL error: unable to load driver: radeonsi_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast</programlisting></para></listitem>
<listitem><para>
Steam ships statically linked with a version of libcrypto that
conflics with the one dynamically loaded by radeonsi_dri.so.
If you get the error
<programlisting>steam.sh: line 713: 7842 Segmentation fault (core dumped)</programlisting>
have a look at <link xlink:href="https://github.com/NixOS/nixpkgs/pull/20269">this pull request</link>.
</para></listitem>
</itemizedlist></listitem></varlistentry>
<varlistentry>
<term>Java</term>
<listitem><orderedlist>
<listitem><para>
There is no java in steam chrootenv by default. If you get a message like
<programlisting>/home/foo/.local/share/Steam/SteamApps/common/towns/towns.sh: line 1: java: command not found</programlisting>
You need to add
<programlisting> steam.override { withJava = true; };</programlisting>
to your configuration.
</para></listitem>
</orderedlist></listitem></varlistentry>
</variablelist>
</para>
</section>
<section xml:id="sec-steam-run">
<title>steam-run</title>
<para>
The FHS-compatible chroot used for steam can also be used to run
other linux games that expect a FHS environment.
To do it, add
<programlisting>pkgs.(steam.override {
nativeOnly = true;
newStdcpp = true;
}).run</programlisting>
to your configuration, rebuild, and run the game with
<programlisting>steam-run ./foo</programlisting>
</para>
</section>
</section>
</chapter>

0
nixos/doc/manual/development/reviewing-contributions.xml → doc/reviewing-contributions.xml
View File

2
lib/attrsets.nix
View File

@ -391,7 +391,7 @@ rec {
);
in f [] [rhs lhs];
/* A recursive variant of the update operator //. The recusion
/* A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.

3
lib/default.nix
View File

@ -27,6 +27,7 @@ let
# misc
debug = import ./debug.nix;
generators = import ./generators.nix;
misc = import ./deprecated.nix;
# domain-specific
@ -39,7 +40,7 @@ in
customisation maintainers meta sources
modules options types
licenses platforms systems
debug misc
debug generators misc
sandbox fetchers;
}
# !!! don't include everything at top-level; perhaps only the most

93
lib/generators.nix Normal file
View File

@ -0,0 +1,93 @@
/* Functions that generate widespread file
* formats from nix data structures.
*
* They all follow a similar interface:
* generator { config-attrs } data
*
* Tests can be found in ./tests.nix
* Documentation in the manual, #sec-generators
*/
with import ./trivial.nix;
let
libStr = import ./strings.nix;
libAttr = import ./attrsets.nix;
flipMapAttrs = flip libAttr.mapAttrs;
in
rec {
/* Generate a line of key k and value v, separated by
* character sep. If sep appears in k, it is escaped.
* Helper for synaxes with different separators.
*
* mkKeyValueDefault ":" "f:oo" "bar"
* > "f\:oo:bar"
*/
mkKeyValueDefault = sep: k: v:
"${libStr.escape [sep] k}${sep}${toString v}";
/* Generate a key-value-style config file from an attrset.
*
* mkKeyValue is the same as in toINI.
*/
toKeyValue = {
mkKeyValue ? mkKeyValueDefault "="
}: attrs:
let mkLine = k: v: mkKeyValue k v + "\n";
in libStr.concatStrings (libAttr.mapAttrsToList mkLine attrs);
/* Generate an INI-style config file from an
* attrset of sections to an attrset of key-value pairs.
*
* generators.toINI {} {
* foo = { hi = "${pkgs.hello}"; ciao = "bar"; };
* baz = { "also, integers" = 42; };
* }
*
*> [baz]
*> also, integers=42
*>
*> [foo]
*> ciao=bar
*> hi=/nix/store/y93qql1p5ggfnaqjjqhxcw0vqw95rlz0-hello-2.10
*
* The mk* configuration attributes can generically change
* the way sections and key-value strings are generated.
*
* For more examples see the test cases in ./tests.nix.
*/
toINI = {
# apply transformations (e.g. escapes) to section names
mkSectionName ? (name: libStr.escape [ "[" "]" ] name),
# format a setting line from key and value
mkKeyValue ? mkKeyValueDefault "="
}: attrsOfAttrs:
let
# map function to string for each key val
mapAttrsToStringsSep = sep: mapFn: attrs:
libStr.concatStringsSep sep
(libAttr.mapAttrsToList mapFn attrs);
mkSection = sectName: sectValues: ''
[${mkSectionName sectName}]
'' + toKeyValue { inherit mkKeyValue; } sectValues;
in
# map input to ini sections
mapAttrsToStringsSep "\n" mkSection attrsOfAttrs;
/* Generates JSON from an arbitrary (non-function) value.
* For more information see the documentation of the builtin.
*/
toJSON = {}: builtins.toJSON;
/* YAML has been a strict superset of JSON since 1.2, so we
* use toJSON. Before it only had a few differences referring
* to implicit typing rules, so it should work with older
* parsers as well.
*/
toYAML = {}@args: toJSON args;
}

19
lib/maintainers.nix
View File

@ -48,6 +48,7 @@
aske = "Kirill Boltaev <aske@fmap.me>";
asppsa = "Alastair Pharo <asppsa@gmail.com>";
astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
asymmetric = "Lorenzo Manacorda <lorenzo@mailbox.org>";
aszlig = "aszlig <aszlig@redmoonstudios.org>";
auntie = "Jonathan Glines <auntieNeo@gmail.com>";
avnik = "Alexander V. Nikolaev <avn@avnik.info>";
@ -88,6 +89,7 @@
chris-martin = "Chris Martin <ch.martin@gmail.com>";
chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
ckampka = "Christian Kampka <christian@kampka.net>";
cko = "Christine Koppelt <christine.koppelt@gmail.com>";
cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
@ -116,6 +118,7 @@
deepfire = "Kosyrev Serge <_deepfire@feelingofgreen.ru>";
demin-dmitriy = "Dmitriy Demin <demindf@gmail.com>";
DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
DerTim1 = "Tim Digel <tim.digel@active-group.de>";
desiderius = "Didier J. Devroye <didier@devroye.name>";
devhell = "devhell <\"^\"@regexmail.net>";
dezgeg = "Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>";
@ -128,6 +131,8 @@
doublec = "Chris Double <chris.double@double.co.nz>";
drets = "Dmytro Rets <dmitryrets@gmail.com>";
drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
dtzWill = "Will Dietz <nix@wdtz.org>";
e-user = "Alexander Kahl <nixos@sodosopa.io>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
eduarrrd = "Eduard Bachmakov <e.bachmakov@gmail.com>";
@ -137,6 +142,7 @@
ehmry = "Emery Hemingway <emery@vfemail.net>";
eikek = "Eike Kettner <eike.kettner@posteo.de>";
elasticdog = "Aaron Bull Schaefer <aaron@elasticdog.com>";
eleanor = "Dejan Lukan <dejan@proteansec.com>";
elitak = "Eric Litak <elitak@gmail.com>";
ellis = "Ellis Whitehead <nixos@ellisw.net>";
epitrochoid = "Mabry Cervin <mpcervin@uncg.edu>";
@ -182,6 +188,7 @@
gridaphobe = "Eric Seidel <eric@seidel.io>";
guibert = "David Guibert <david.guibert@gmail.com>";
guillaumekoenig = "Guillaume Koenig <guillaume.edward.koenig@gmail.com>";
guyonvarch = "Joris Guyonvarch <joris@guyonvarch.me>";
hakuch = "Jesse Haber-Kucharsky <hakuch@gmail.com>";
havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
@ -197,8 +204,10 @@
jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
javaguirre = "Javier Aguirre <contacto@javaguirre.net>";
jb55 = "William Casarin <bill@casarin.me>";
jbedo = "Justin Bedő <cu@cua0.org>";
jcumming = "Jack Cummings <jack@mudshark.org>";
jefdaj = "Jeffrey David Johnson <jefdaj@gmail.com>";
jerith666 = "Matt McHenry <github@matt.mchenryfamily.org>";
jfb = "James Felix Black <james@yamtime.com>";
jgeerds = "Jascha Geerds <jascha@jgeerds.name>";
jgillich = "Jakob Gillich <jakob@gillich.me>";
@ -235,6 +244,7 @@
leonardoce = "Leonardo Cecchi <leonardo.cecchi@gmail.com>";
lethalman = "Luca Bruno <lucabru@src.gnome.org>";
lewo = "Antoine Eiche <lewo@abesis.fr>";
lheckemann = "Linus Heckemann <git@sphalerite.org>";
lhvwb = "Nathaniel Baxter <nathaniel.baxter@gmail.com>";
lihop = "Leroy Hopson <nixos@leroy.geek.nz>";
linquize = "Linquize <linquize@yahoo.com.hk>";
@ -266,12 +276,14 @@
matthiasbeyer = "Matthias Beyer <mail@beyermatthias.de>";
maurer = "Matthew Maurer <matthew.r.maurer+nix@gmail.com>";
mbakke = "Marius Bakke <mbakke@fastmail.com>";
mbbx6spp = "Susan Potter <me@susanpotter.net>";
mbe = "Brandon Edens <brandonedens@gmail.com>";
mboes = "Mathieu Boespflug <mboes@tweag.net>";
mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
mdaiter = "Matthew S. Daiter <mdaiter8121@gmail.com>";
meditans = "Carlo Nucera <meditans@gmail.com>";
meisternu = "Matt Miemiec <meister@krutt.org>";
mguentner = "Maximilian Güntner <code@klandest.in>";
mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
michalrus = "Michal Rus <m@michalrus.com>";
@ -281,9 +293,11 @@
mingchuan = "Ming Chuan <ming@culpring.com>";
mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
mjanczyk = "Marcin Janczyk <m@dragonvr.pl>";
mlieberman85 = "Michael Lieberman <mlieberman85@gmail.com>";
modulistic = "Pablo Costa <modulistic@gmail.com>";
mog = "Matthew O'Gorman <mog-lists@rldn.net>";
montag451 = "montag451 <montag451@laposte.net>";
moosingin3space = "Nathan Moos <moosingin3space@gmail.com>";
moretea = "Maarten Hoogendoorn <maarten@moretea.nl>";
mornfall = "Petr Ročkai <me@mornfall.net>";
@ -316,6 +330,7 @@
ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
okasu = "Okasu <oka.sux@gmail.com>";
olcai = "Erik Timan <dev@timan.info>";
olejorgenb = "Ole Jørgen Brønner <olejorgenb@yahoo.no>";
orbekk = "KJ Ørbekk <kjetil.orbekk@gmail.com>";
@ -329,6 +344,7 @@
palo = "Ingolf Wanger <palipalo9@googlemail.com>";
pashev = "Igor Pashev <pashev.igor@gmail.com>";
pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
periklis = "theopompos@gmail.com";
pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
peterhoeg = "Peter Hoeg <peter@hoeg.com>";
peti = "Peter Simons <simons@cryp.to>";
@ -372,6 +388,7 @@
retrry = "Tadas Barzdžius <retrry@gmail.com>";
rick68 = "Wei-Ming Yang <rick68@gmail.com>";
rickynils = "Rickard Nilsson <rickynils@gmail.com>";
rlupton20 = "Richard Lupton <richard.lupton@gmail.com>";
rnhmjoj = "Michele Guerini Rocco <micheleguerinirocco@me.com>";
rob = "Rob Vermaas <rob.vermaas@gmail.com>";
robberer = "Longrin Wischnewski <robberer@freakmail.de>";
@ -458,6 +475,7 @@
vbgl = "Vincent Laporte <Vincent.Laporte@gmail.com>";
vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
vcunat = "Vladimír Čunát <vcunat@gmail.com>";
vdemeester = "Vincent Demeester <vincent@sbr.pm>";
veprbl = "Dmitry Kalinkin <veprbl@gmail.com>";
viric = "Lluís Batlle i Rossell <viric@viric.name>";
vizanto = "Danny Wilson <danny@prime.vc>";
@ -465,6 +483,7 @@
vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
vmandela = "Venkateswara Rao Mandela <venkat.mandela@gmail.com>";
volhovm = "Mikhail Volkhov <volhovm.cs@gmail.com>";
volth = "Jaroslavas Pocepko <jaroslavas@volth.com>";
vozz = "Oliver Hunt <oliver.huntuk@gmail.com>";
vrthra = "Rahul Gopinath <rahul@gopinath.org>";
wedens = "wedens <kirill.wedens@gmail.com>";

3
lib/modules.nix
View File

@ -375,10 +375,13 @@ rec {
if def._type or "" == "merge" then
concatMap dischargeProperties def.contents
else if def._type or "" == "if" then
if isBool def.condition then
if def.condition then
dischargeProperties def.content
else
[ ]
else
throw "mkIf called with a non-Boolean condition"
else
[ def ];

6
lib/sources.nix
View File

@ -12,8 +12,7 @@ rec {
# Bring in a path as a source, filtering out all Subversion and CVS
# directories, as well as backup files (*~).
cleanSource =
let filter = name: type: let baseName = baseNameOf (toString name); in ! (
cleanSourceFilter = name: type: let baseName = baseNameOf (toString name); in ! (
# Filter out Subversion and CVS directories.
(type == "directory" && (baseName == ".git" || baseName == ".svn" || baseName == "CVS" || baseName == ".hg")) ||
# Filter out backup files.
@ -24,7 +23,8 @@ rec {
# Filter out nix-build result symlinks
(type == "symlink" && lib.hasPrefix "result" baseName)
);
in src: builtins.filterSource filter src;
cleanSource = builtins.filterSource cleanSourceFilter;
# Get all files ending with the specified suffices from the given

90
lib/tests.nix
View File

@ -130,4 +130,94 @@ runTests {
expected = false;
};
/* Generator tests */
# these tests assume attributes are converted to lists
# in alphabetical order
testMkKeyValueDefault = {
expr = generators.mkKeyValueDefault ":" "f:oo" "bar";
expected = ''f\:oo:bar'';
};
testToKeyValue = {
expr = generators.toKeyValue {} {
key = "value";
"other=key" = "baz";
};
expected = ''
key=value
other\=key=baz
'';
};
testToINIEmpty = {
expr = generators.toINI {} {};
expected = "";
};
testToINIEmptySection = {
expr = generators.toINI {} { foo = {}; bar = {}; };
expected = ''
[bar]
[foo]
'';
};
testToINIDefaultEscapes = {
expr = generators.toINI {} {
"no [ and ] allowed unescaped" = {
"and also no = in keys" = 42;
};
};
expected = ''
[no \[ and \] allowed unescaped]
and also no \= in keys=42
'';
};
testToINIDefaultFull = {
expr = generators.toINI {} {
"section 1" = {
attribute1 = 5;
x = "Me-se JarJar Binx";
};
"foo[]" = {
"he\\h=he" = "this is okay";
};
};
expected = ''
[foo\[\]]
he\h\=he=this is okay
[section 1]
attribute1=5
x=Me-se JarJar Binx
'';
};
/* right now only invocation check */
testToJSONSimple =
let val = {
foobar = [ "baz" 1 2 3 ];
};
in {
expr = generators.toJSON {} val;
# trival implementation
expected = builtins.toJSON val;
};
/* right now only invocation check */
testToYAMLSimple =
let val = {
list = [ { one = 1; } { two = 2; } ];
all = 42;
};
in {
expr = generators.toYAML {} val;
# trival implementation
expected = builtins.toJSON val;
};
}

3
lib/trivial.nix
View File

@ -138,7 +138,4 @@ rec {
*/
warn = msg: builtins.trace "WARNING: ${msg}";
info = msg: builtins.trace "INFO: ${msg}";
fetchMD5warn = name: context : data : info
"Deprecated use of MD5 hash in ${name} to fetch ${context}" data;
}

10
lib/types.nix
View File

@ -333,7 +333,15 @@ rec {
name = "either";
description = "${t1.description} or ${t2.description}";
check = x: t1.check x || t2.check x;
merge = mergeOneOption;
merge = loc: defs:
let
defList = map (d: d.value) defs;
in
if all (x: t1.check x) defList
then t1.merge loc defs
else if all (x: t2.check x) defList
then t2.merge loc defs
else mergeOneOption loc defs;
typeMerge = f':
let mt1 = t1.typeMerge (elemAt f'.wrapped 0).functor;
mt2 = t2.typeMerge (elemAt f'.wrapped 1).functor;

6
maintainers/scripts/travis-nox-review-pr.sh
View File

@ -38,6 +38,12 @@ while test -n "$1"; do
nix-build $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr tarball --show-trace
;;
nixpkgs-unstable)
echo "=== Checking nixpkgs unstable job"
nix-instantiate $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr unstable --show-trace
;;
nixpkgs-lint)
echo "=== Checking nixpkgs lint"

131
maintainers/scripts/update.nix Executable file
View File

@ -0,0 +1,131 @@
{ package ? null
, maintainer ? null
}:
# TODO: add assert statements
let
pkgs = import ./../../default.nix { };
packagesWith = cond: return: set:
pkgs.lib.flatten
(pkgs.lib.mapAttrsToList
(name: pkg:
let
result = builtins.tryEval (
if pkgs.lib.isDerivation pkg && cond name pkg
then [(return name pkg)]
else if pkg.recurseForDerivations or false || pkg.recurseForRelease or false
then packagesWith cond return pkg
else []
);
in
if result.success then result.value
else []
)
set
);
packagesWithUpdateScriptAndMaintainer = maintainer':
let
maintainer =
if ! builtins.hasAttr maintainer' pkgs.lib.maintainers then
builtins.throw "Maintainer with name `${maintainer'} does not exist in `lib/maintainers.nix`."
else
builtins.getAttr maintainer' pkgs.lib.maintainers;
in
packagesWith (name: pkg: builtins.hasAttr "updateScript" pkg &&
(if builtins.hasAttr "maintainers" pkg.meta
then (if builtins.isList pkg.meta.maintainers
then builtins.elem maintainer pkg.meta.maintainers
else maintainer == pkg.meta.maintainers
)
else false
)
)
(name: pkg: pkg)
pkgs;
packageByName = name:
let
package = pkgs.lib.attrByPath (pkgs.lib.splitString "." name) null pkgs;
in
if package == null then
builtins.throw "Package with an attribute name `${name}` does not exists."
else if ! builtins.hasAttr "updateScript" package then
builtins.throw "Package with an attribute name `${name}` does have an `passthru.updateScript` defined."
else
package;
packages =
if package != null then
[ (packageByName package) ]
else if maintainer != null then
packagesWithUpdateScriptAndMaintainer maintainer
else
builtins.throw "No arguments provided.\n\n${helpText}";
helpText = ''
Please run:
% nix-shell maintainers/scripts/update.nix --argstr maintainer garbas
to run all update scripts for all packages that lists \`garbas\` as a maintainer
and have \`updateScript\` defined, or:
% nix-shell maintainers/scripts/update.nix --argstr package garbas
to run update script for specific package.
'';
runUpdateScript = package: ''
echo -ne " - ${package.name}: UPDATING ..."\\r
${package.updateScript} &> ${(builtins.parseDrvName package.name).name}.log
CODE=$?
if [ "$CODE" != "0" ]; then
echo " - ${package.name}: ERROR "
echo ""
echo "--- SHOWING ERROR LOG FOR ${package.name} ----------------------"
echo ""
cat ${(builtins.parseDrvName package.name).name}.log
echo ""
echo "--- SHOWING ERROR LOG FOR ${package.name} ----------------------"
exit $CODE
else
rm ${(builtins.parseDrvName package.name).name}.log
fi
echo " - ${package.name}: DONE. "
'';
in pkgs.stdenv.mkDerivation {
name = "nixpkgs-update-script";
buildCommand = ''
echo ""
echo "----------------------------------------------------------------"
echo ""
echo "Not possible to update packages using \`nix-build\`"
echo ""
echo "${helpText}"
echo "----------------------------------------------------------------"
exit 1
'';
shellHook = ''
echo ""
echo "Going to be running update for following packages:"
echo "${builtins.concatStringsSep "\n" (map (x: " - ${x.name}") packages)}"
echo ""
read -n1 -r -p "Press space to continue..." confirm
if [ "$confirm" = "" ]; then
echo ""
echo "Running update for:"
${builtins.concatStringsSep "\n" (map runUpdateScript packages)}
echo ""
echo "Packages updated!"
exit 0
else
echo "Aborting!"
exit 1
fi
'';
}

8
nixos/doc/manual/administration/container-networking.xml
View File

@ -47,4 +47,12 @@ where <literal>eth0</literal> should be replaced with the desired
external interface. Note that <literal>ve-+</literal> is a wildcard
that matches all container interfaces.</para>
<para>If you are using Network Manager, you need to explicitly prevent
it from managing container interfaces:
<programlisting>
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
</programlisting>
</para>
</section>

2
nixos/doc/manual/configuration/modularity.xml
View File

@ -129,7 +129,7 @@ default; run <literal>nix-env -i nix-repl</literal> to get it. A
typical use:
<screen>
$ nix-repl '&lt;nixos>'
$ nix-repl '&lt;nixpkgs/nixos>'
nix-repl> config.networking.hostName
"mandark"

1
nixos/doc/manual/development/development.xml
View File

@ -18,7 +18,6 @@ NixOS.</para>
<xi:include href="building-nixos.xml" />
<xi:include href="nixos-tests.xml" />
<xi:include href="testing-installer.xml" />
<xi:include href="reviewing-contributions.xml" />
<xi:include href="releases.xml" />
</part>

5
nixos/doc/manual/installation/upgrading.xml
View File

@ -101,6 +101,11 @@ channel by running
which is equivalent to the more verbose <literal>nix-channel --update
nixos; nixos-rebuild switch</literal>.</para>
<note><para>Channels are set per user. This means that running <literal>
nix-channel --add</literal> as a non root user (or without sudo) will not
affect configuration in <literal>/etc/nixos/configuration.nix</literal>
</para></note>
<warning><para>It is generally safe to switch back and forth between
channels. The only exception is that a newer NixOS may also have a
newer Nix version, which may involve an upgrade of Nixs database

2
nixos/doc/manual/man-nixos-rebuild.xml
View File

@ -68,7 +68,7 @@ desired operation. It must be one of the following:
<listitem>
<para>Build and activate the new configuration, and make it the
boot default. That is, the configuration is added to the GRUB
boot menu as the default meny entry, so that subsequent reboots
boot menu as the default menu entry, so that subsequent reboots
will boot the system into the new configuration. Previous
configurations activated with <command>nixos-rebuild
switch</command> or <command>nixos-rebuild boot</command> remain

20
nixos/doc/manual/release-notes/rl-1703.xml
View File

@ -68,6 +68,26 @@ following incompatible changes:</para>
that may be in /etc.
</para>
</listitem>
<listitem>
<para>
Parsoid service now uses YAML configuration format.
<literal>service.parsoid.interwikis</literal> is now called
<literal>service.parsoid.wikis</literal> and is a list of either API URLs
or attribute sets as specified in parsoid's documentation.
</para>
</listitem>
<listitem>
<para>
<literal>Ntpd</literal> was replaced by
<literal>systemd-timesyncd</literal> as the default service to synchronize
system time with a remote NTP server. The old behavior can be restored by
setting <literal>services.ntp.enable</literal> to <literal>true</literal>.
Upstream time servers for all NTP implementations are now configured using
<literal>networking.timeServers</literal>.
</para>
</listitem>
</itemizedlist>

3
nixos/lib/build-vms.nix
View File

@ -9,6 +9,8 @@ rec {
inherit pkgs;
qemu = pkgs.qemu_test;
# Build a virtual network from an attribute set `{ machine1 =
# config1; ... machineN = configN; }', where `machineX' is the
@ -27,6 +29,7 @@ rec {
[ ../modules/virtualisation/qemu-vm.nix
../modules/testing/test-instrumentation.nix # !!! should only get added for automated test runs
{ key = "no-manual"; services.nixosManual.enable = false; }
{ key = "qemu"; system.build.qemu = qemu; }
] ++ optional minimal ../modules/testing/minimal-kernel.nix;
extraArgs = { inherit nodes; };
};

15
nixos/lib/make-disk-image.nix
View File

@ -27,6 +27,10 @@
, name ? "nixos-disk-image"
# This prevents errors while checking nix-store validity, see
# https://github.com/NixOS/nix/issues/1134
, fixValidity ? true
, format ? "raw"
}:
@ -61,9 +65,6 @@ pkgs.vmTools.runInLinuxVM (
# Create an empty filesystem and mount it.
mkfs.${fsType} -L nixos $rootDisk
${optionalString (fsType == "ext4") ''
tune2fs -c 0 -i 0 $rootDisk
''}
mkdir /mnt
mount $rootDisk /mnt
@ -71,9 +72,11 @@ pkgs.vmTools.runInLinuxVM (
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
${if fixValidity then ''
# Add missing size/hash fields to the database. FIXME:
# exportReferencesGraph should provide these directly.
${config.nix.package.out}/bin/nix-store --verify --check-contents --option build-users-group ""
'' else ""}
# In case the bootloader tries to write to /dev/sda…
ln -s vda /dev/xvda
@ -97,7 +100,9 @@ pkgs.vmTools.runInLinuxVM (
umount /mnt
# Do a fsck to make sure resize2fs works.
fsck.${fsType} -f -y $rootDisk
# Make sure resize2fs works
${optionalString (fsType == "ext4") ''
tune2fs -c 0 -i 0 $rootDisk
''}
''
)

2
nixos/lib/make-squashfs.nix
View File

@ -25,6 +25,6 @@ stdenv.mkDerivation {
# Generate the squashfs image.
mksquashfs nix-path-registration $storePaths $out \
-keep-as-directory -all-root
-keep-as-directory -all-root -comp xz
'';
}

5
nixos/lib/make-system-tarball.sh
View File

@ -52,9 +52,10 @@ $extraCommands
mkdir -p $out/tarball
tar cvJf $out/tarball/$fileName.tar.xz * $extraArgs
rm env-vars
tar --sort=name --mtime='1970-01-01' -cvJf $out/tarball/$fileName.tar.xz * $extraArgs
mkdir -p $out/nix-support
echo $system > $out/nix-support/system
echo "file system-tarball $out/tarball/$fileName.tar.xz" > $out/nix-support/hydra-build-products

25
nixos/lib/test-driver/Machine.pm
View File

@ -504,6 +504,31 @@ sub screenshot {
}, { image => $name } );
}
# Get the text of TTY<n>
sub getTTYText {
my ($self, $tty) = @_;
my ($status, $out) = $self->execute("fold -w 80 /dev/vcs${tty}");
return $out;
}
# Wait until TTY<n>'s text matches a particular regular expression
sub waitUntilTTYMatches {
my ($self, $tty, $regexp) = @_;
$self->nest("waiting for $regexp to appear on tty $tty", sub {
retry sub {
return 1 if $self->getTTYText($tty) =~ /$regexp/;
}
});
}
# Debugging: Dump the contents of the TTY<n>
sub dumpTTYContents {
my ($self, $tty) = @_;
$self->execute("fold -w 80 /dev/vcs${tty} | systemd-cat");
}
# Take a screenshot and return the result as text using optical character
# recognition.

4
nixos/lib/testing.nix
View File

@ -29,7 +29,7 @@ rec {
cp ${./test-driver/Logger.pm} $libDir/Logger.pm
wrapProgram $out/bin/nixos-test-driver \
--prefix PATH : "${lib.makeBinPath [ qemu_kvm vde2 netpbm coreutils ]}" \
--prefix PATH : "${lib.makeBinPath [ qemu vde2 netpbm coreutils ]}" \
--prefix PERL5LIB : "${with perlPackages; lib.makePerlPath [ TermReadLineGnu XMLWriter IOTty FileSlurp ]}:$out/lib/perl5/site_perl"
'';
};
@ -93,7 +93,7 @@ rec {
vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
ocrProg = tesseract.override { enableLanguages = [ "eng" ]; };
ocrProg = tesseract;
# Generate onvenience wrappers for running the test driver
# interactively with the specified network, and for starting the

10
nixos/maintainers/scripts/ec2/create-amis.sh
View File

@ -1,4 +1,8 @@
#! /bin/sh -e
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p qemu ec2_ami_tools jq ec2_api_tools awscli
# To start with do: nix-shell -p awscli --run "aws configure"
set -o pipefail
#set -x
@ -15,7 +19,7 @@ rm -f ec2-amis.nix
types="hvm pv"
stores="ebs s3"
regions="eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
regions="eu-west-1 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
for type in $types; do
link=$stateDir/$type
@ -57,7 +61,7 @@ for type in $types; do
ami=$(aws ec2 copy-image \
--region "$region" \
--source-region "$prevRegion" --source-image-id "$prevAmi" \
--name "$name" --description "$description" | json -q .ImageId)
--name "$name" --description "$description" | jq -r '.ImageId')
if [ "$ami" = null ]; then break; fi
else

12
nixos/modules/config/fonts/fontconfig.nix
View File

@ -301,9 +301,7 @@ in
};
style = mkOption {
type = types.str // {
check = flip elem ["none" "slight" "medium" "full"];
};
type = types.enum ["none" "slight" "medium" "full"];
default = "full";
description = ''
TrueType hinting style, one of <literal>none</literal>,
@ -329,9 +327,7 @@ in
default = "rgb";
type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
description = ''
Subpixel order, one of <literal>none</literal>,
<literal>rgb</literal>, <literal>bgr</literal>,
<literal>vrgb</literal>, or <literal>vbgr</literal>.
Subpixel order.
'';
};
@ -339,9 +335,7 @@ in
default = "default";
type = types.enum ["none" "default" "light" "legacy"];
description = ''
FreeType LCD filter, one of <literal>none</literal>,
<literal>default</literal>, <literal>light</literal>, or
<literal>legacy</literal>.
FreeType LCD filter.
'';
};

4
nixos/modules/config/gnu.nix
View File

@ -7,8 +7,8 @@ with lib;
gnu = mkOption {
type = types.bool;
default = false;
description =
'' When enabled, GNU software is chosen by default whenever a there is
description = ''
When enabled, GNU software is chosen by default whenever a there is
a choice between GNU and non-GNU software (e.g., GNU lsh
vs. OpenSSH).
'';

1
nixos/modules/config/i18n.nix
View File

@ -44,6 +44,7 @@ in
consolePackages = mkOption {
type = types.listOf types.package;
default = with pkgs.kbdKeymaps; [ dvp neo ];
defaultText = ''with pkgs.kbdKeymaps; [ dvp neo ]'';
description = ''
List of additional packages that provide console fonts, keymaps and
other resources.

12
nixos/modules/config/networking.nix
View File

@ -84,6 +84,18 @@ in
'';
};
networking.timeServers = mkOption {
default = [
"0.nixos.pool.ntp.org"
"1.nixos.pool.ntp.org"
"2.nixos.pool.ntp.org"
"3.nixos.pool.ntp.org"
];
description = ''
The set of NTP servers from which to synchronise.
'';
};
networking.proxy = {
default = lib.mkOption {

34
nixos/modules/config/nsswitch.nix
View File

@ -10,9 +10,21 @@ let
inherit (config.services.samba) nsswins;
ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
in
hostArray = [ "files" "mymachines" ]
++ optionals nssmdns [ "mdns_minimal [!UNAVAIL=return]" ]
++ optionals nsswins [ "wins" ]
++ [ "dns" ]
++ optionals nssmdns [ "mdns" ]
++ ["myhostname" ];
{
passwdArray = [ "files" ]
++ optionals ldap [ "ldap" ]
++ [ "mymachines" ];
shadowArray = [ "files" ]
++ optionals ldap [ "ldap" ];
in {
options = {
# NSS modules. Hacky!
@ -39,16 +51,18 @@ in
# Name Service Switch configuration file. Required by the C
# library. !!! Factor out the mdns stuff. The avahi module
# should define an option used by this module.
environment.etc."nsswitch.conf".text =
''
passwd: files ${optionalString ldap "ldap"}
group: files ${optionalString ldap "ldap"}
shadow: files ${optionalString ldap "ldap"}
hosts: files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} ${optionalString nsswins "wins"} myhostname mymachines
networks: files dns
environment.etc."nsswitch.conf".text = ''
passwd: ${concatStringsSep " " passwdArray}
group: ${concatStringsSep " " passwdArray}
shadow: ${concatStringsSep " " shadowArray}
hosts: ${concatStringsSep " " hostArray}
networks: files
ethers: files
services: files
protocols: files
rpc: files
'';
# Systemd provides nss-myhostname to ensure that our hostname
@ -56,7 +70,7 @@ in
# configured IP addresses, or ::1 and 127.0.0.2 as
# fallbacks. Systemd also provides nss-mymachines to return IP
# addresses of local containers.
system.nssModules = [ config.systemd.package ];
system.nssModules = [ config.systemd.package.out ];
};
}

1
nixos/modules/config/system-path.nix
View File

@ -118,6 +118,7 @@ in
"/share/terminfo"
"/share/themes"
"/share/vim-plugins"
"/share/vulkan"
];
system.path = pkgs.buildEnv {

6
nixos/modules/hardware/opengl.nix
View File

@ -135,6 +135,12 @@ in
environment.sessionVariables.LD_LIBRARY_PATH =
[ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ];
environment.extraInit = ''
export XDG_DATA_DIRS=$XDG_DATA_DIRS:/run/opengl-driver/share
'' + optionalString cfg.driSupport32Bit ''
export XDG_DATA_DIRS=$XDG_DATA_DIRS:/run/opengl-driver-32/share
'';
hardware.opengl.package = mkDefault (makePackage pkgs);
hardware.opengl.package32 = mkDefault (makePackage pkgs_i686);

2
nixos/modules/hardware/video/amdgpu-pro.nix
View File

@ -45,10 +45,8 @@ in
"amd/amdapfxx.blb".source = package + "/etc/amd/amdapfxx.blb";
"gbm/gbm.conf".source = package + "/etc/gbm/gbm.conf";
"OpenCL/vendors/amdocl64.icd".source = package + "/etc/OpenCL/vendors/amdocl64.icd";
"vulkan/icd.d/amd_icd64.json".source = package + "/etc/vulkan/icd.d/amd_icd64.json";
} // optionalAttrs opengl.driSupport32Bit {
"OpenCL/vendors/amdocl32.icd".source = package32 + "/etc/OpenCL/vendors/amdocl32.icd";
"vulkan/icd.d/amd_icd32.json".source = package32 + "/etc/vulkan/icd.d/amd_icd32.json";
};
};

39
nixos/modules/hardware/video/bumblebee.nix
View File

@ -13,6 +13,8 @@ let
useDisplayDevice = cfg.connectDisplay;
};
useBbswitch = cfg.pmMethod == "bbswitch";
primus = pkgs.primus.override {
inherit useNvidia;
};
@ -22,25 +24,26 @@ in
{
options = {
hardware.bumblebee.enable = mkOption {
hardware.bumblebee = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable the bumblebee daemon to manage Optimus hybrid video cards.
This should power off secondary GPU until its use is requested
by running an application with optirun.
Only nvidia driver is supported so far.
'';
};
hardware.bumblebee.group = mkOption {
group = mkOption {
default = "wheel";
example = "video";
type = types.str;
description = ''Group for bumblebee socket'';
};
hardware.bumblebee.connectDisplay = mkOption {
connectDisplay = mkOption {
default = false;
type = types.bool;
description = ''
@ -52,28 +55,38 @@ in
'';
};
hardware.bumblebee.driver = mkOption {
driver = mkOption {
default = "nvidia";
type = types.enum [ "nvidia" "nouveau" ];
description = ''
Set driver used by bumblebeed. Supported are nouveau and nvidia.
'';
};
pmMethod = mkOption {
default = "auto";
type = types.enum [ "auto" "bbswitch" "nouveau" "switcheroo" "none" ];
description = ''
Set preferred power management method for unused card.
'';
};
config = mkIf config.hardware.bumblebee.enable {
boot.blacklistedKernelModules = [ "nouveau" "nvidia" ];
boot.kernelModules = [ "bbswitch" ];
boot.extraModulePackages = [ kernel.bbswitch ] ++ optional useNvidia kernel.nvidia_x11;
};
};
config = mkIf cfg.enable {
boot.blacklistedKernelModules = [ "nvidia-drm" "nvidia" "nouveau" ];
boot.kernelModules = optional useBbswitch [ "bbswitch" ];
boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11;
environment.systemPackages = [ bumblebee primus ];
systemd.services.bumblebeed = {
description = "Bumblebee Hybrid Graphics Switcher";
wantedBy = [ "display-manager.service" ];
path = [ kernel.bbswitch bumblebee ];
wantedBy = [ "multi-user.target" ];
before = [ "display-manager.service" ];
serviceConfig = {
ExecStart = "${bumblebee}/bin/bumblebeed --use-syslog -g ${cfg.group} --driver ${cfg.driver}";
ExecStart = "${bumblebee}/bin/bumblebeed --use-syslog -g ${cfg.group} --driver ${cfg.driver} --pm-method ${cfg.pmMethod}";
};
};
};

96
nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
View File

@ -1,20 +1,41 @@
# This module defines a NixOS installation CD that contains X11 and
# KDE 4.
# KDE 5.
{ config, lib, pkgs, ... }:
with lib;
{
imports = [ ./installation-cd-base.nix ../../profiles/graphical.nix ];
imports = [ ./installation-cd-base.nix ];
# Provide wicd for easy wireless configuration.
#networking.wicd.enable = true;
services.xserver = {
enable = true;
# Automatically login as root.
displayManager.slim = {
enable = true;
defaultUser = "root";
autoLogin = true;
};
desktopManager.kde5 = {
enable = true;
enableQt4Support = false;
};
# Enable touchpad support for many laptops.
synaptics.enable = true;
};
environment.systemPackages =
[ # Include gparted for partitioning disks.
[ pkgs.glxinfo
# Include gparted for partitioning disks.
pkgs.gparted
# Firefox for reading the manual.
pkgs.firefox
# Include some editors.
pkgs.vim
pkgs.bvi # binary editor
@ -32,80 +53,21 @@ with lib;
# Don't start the X server by default.
services.xserver.autorun = mkForce false;
# Auto-login as root.
services.xserver.displayManager.kdm.extraConfig =
''
[X-*-Core]
AllowRootLogin=true
AutoLoginEnable=true
AutoLoginUser=root
AutoLoginPass=""
'';
# Custom kde-workspace adding some icons on the desktop
system.activationScripts.installerDesktop = let
openManual = pkgs.writeScript "nixos-manual.sh" ''
#!${pkgs.stdenv.shell}
cd ${config.system.build.manual.manual}/share/doc/nixos/
konqueror ./index.html
'';
desktopFile = pkgs.writeText "nixos-manual.desktop" ''
[Desktop Entry]
Version=1.0
Type=Application
Name=NixOS Manual
Exec=${openManual}
Icon=konqueror
Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html
Icon=text-html
'';
in ''
mkdir -p /root/Desktop
ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
ln -sfT ${pkgs.kde4.konsole}/share/applications/kde4/konsole.desktop /root/Desktop/konsole.desktop
ln -sfT ${pkgs.kde5.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
'';
services.xserver.desktopManager.kde4.kdeWorkspacePackage = let
pkg = pkgs.kde4.kde_workspace;
plasmaInit = pkgs.writeText "00-defaultLayout.js" ''
loadTemplate("org.kde.plasma-desktop.defaultPanel")
for (var i = 0; i < screenCount; ++i) {
var desktop = new Activity
desktop.name = i18n("Desktop")
desktop.screen = i
desktop.wallpaperPlugin = 'image'
desktop.wallpaperMode = 'SingleImage'
var folderview = desktop.addWidget("folderview");
folderview.writeConfig("url", "desktop:/");
//Create more panels for other screens
if (i > 0){
var panel = new Panel
panel.screen = i
panel.location = 'bottom'
panel.height = screenGeometry(i).height > 1024 ? 35 : 27
var tasks = panel.addWidget("tasks")
tasks.writeConfig("showOnlyCurrentScreen", true);
}
}
'';
in
pkgs.runCommand pkg.name
{ inherit (pkg) meta; }
''
mkdir -p $out
cp -prf ${pkg}/* $out/
chmod a+w $out/share/apps/plasma-desktop/init
cp -f ${plasmaInit} $out/share/apps/plasma-desktop/init/00-defaultLayout.js
'';
# Disable large stuff that's not very useful on the installation CD.
services.xserver.desktopManager.kde4.enablePIM = false;
}

26
nixos/modules/installer/netboot/netboot.nix
View File

@ -26,11 +26,6 @@ with lib;
# here and it causes a cyclic dependency.
boot.loader.grub.enable = false;
boot.initrd.postMountCommands = ''
mkdir -p /mnt-root/nix/store
mount -t squashfs /nix-store.squashfs /mnt-root/nix/store
'';
# !!! Hack - attributes expected by other modules.
system.boot.loader.kernelFile = "bzImage";
environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
@ -42,6 +37,27 @@ with lib;
options = [ "mode=0755" ];
};
# In stage 1, mount a tmpfs on top of /nix/store (the squashfs
# image) to make this a live CD.
fileSystems."/nix/.ro-store" =
{ fsType = "squashfs";
device = "../nix-store.squashfs";
options = [ "loop" ];
neededForBoot = true;
};
fileSystems."/nix/.rw-store" =
{ fsType = "tmpfs";
options = [ "mode=0755" ];
neededForBoot = true;
};
fileSystems."/nix/store" =
{ fsType = "unionfs-fuse";
device = "unionfs";
options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
};
boot.initrd.availableKernelModules = [ "squashfs" ];
boot.initrd.kernelModules = [ "loop" ];

6
nixos/modules/installer/tools/nixos-rebuild.sh
View File

@ -126,9 +126,9 @@ targetHostCmd() {
copyToTarget() {
if ! [ "$targetHost" = "$buildHost" ]; then
if [ -z "$targetHost" ]; then
NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --from "$buildHost" "$1"
NIX_SSHOPTS=$SSHOPTS nix-copy-closure --from "$buildHost" "$1"
elif [ -z "$buildHost" ]; then
NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$targetHost" "$1"
NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$targetHost" "$1"
else
buildHostCmd nix-copy-closure --to "$targetHost" "$1"
fi
@ -169,7 +169,7 @@ nixBuild() {
local drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
if [ -a "$drv" ]; then
NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$buildHost" "$drv"
NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$buildHost" "$drv"
buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
else
echo "nix-instantiate failed"

2
nixos/modules/installer/virtualbox-demo.nix
View File

@ -18,5 +18,5 @@ with lib;
# Add some more video drivers to give X11 a shot at working in
# VMware and QEMU.
services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" ];
services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ];
}

14
nixos/modules/misc/ids.nix
View File

@ -58,7 +58,6 @@
#utmp = 29; # unused
ddclient = 30;
davfs2 = 31;
privoxy = 32;
#disnix = 33; # unused
osgi = 34;
tor = 35;
@ -84,7 +83,7 @@
spamd = 56;
#networkmanager = 57; # unused
nslcd = 58;
#scanner = 59; # unused
scanner = 59;
nginx = 60;
chrony = 61;
#systemd-journal = 62; # unused
@ -212,7 +211,6 @@
lambdabot = 191;
asterisk = 192;
plex = 193;
bird = 195;
grafana = 196;
skydns = 197;
ripple-rest = 198;
@ -279,6 +277,10 @@
hound = 259;
leaps = 260;
ipfs = 261;
stanchion = 262;
riak-cs = 263;
infinoted = 264;
keystone = 265;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -319,7 +321,6 @@
utmp = 29;
#ddclient = 30; # unused
davfs2 = 31;
privoxy = 32;
disnix = 33;
osgi = 34;
tor = 35;
@ -469,7 +470,6 @@
#asterisk = 192; # unused
plex = 193;
sabnzbd = 194;
bird = 195;
#grafana = 196; #unused
#skydns = 197; #unused
#ripple-rest = 198; #unused
@ -528,6 +528,10 @@
hound = 259;
leaps = 260;
ipfs = 261;
stanchion = 262;
riak-cs = 263;
infinoted = 264;
keystone = 265;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

12
nixos/modules/module-list.nix
View File

@ -133,9 +133,11 @@
./services/cluster/fleet.nix
./services/cluster/kubernetes.nix
./services/cluster/panamax.nix
./services/computing/boinc/client.nix
./services/computing/torque/server.nix
./services/computing/torque/mom.nix
./services/computing/slurm/slurm.nix
./services/continuous-integration/buildbot/master.nix
./services/continuous-integration/buildkite-agent.nix
./services/continuous-integration/hydra/default.nix
./services/continuous-integration/gitlab-runner.nix
@ -159,6 +161,8 @@
./services/databases/postgresql.nix
./services/databases/redis.nix
./services/databases/riak.nix
./services/databases/riak-cs.nix
./services/databases/stanchion.nix
./services/databases/virtuoso.nix
./services/desktops/accountsservice.nix
./services/desktops/geoclue2.nix
@ -178,6 +182,7 @@
./services/desktops/telepathy.nix
./services/development/hoogle.nix
./services/editors/emacs.nix
./services/editors/infinoted.nix
./services/games/factorio.nix
./services/games/ghost-one.nix
./services/games/minecraft-server.nix
@ -346,6 +351,7 @@
./services/networking/connman.nix
./services/networking/consul.nix
./services/networking/coturn.nix
./services/networking/dante.nix
./services/networking/ddclient.nix
./services/networking/dhcpcd.nix
./services/networking/dhcpd.nix
@ -354,6 +360,7 @@
./services/networking/dnsmasq.nix
./services/networking/ejabberd.nix
./services/networking/fan.nix
./services/networking/fakeroute.nix
./services/networking/ferm.nix
./services/networking/firefox/sync-server.nix
./services/networking/firewall.nix
@ -478,6 +485,7 @@
./services/security/torify.nix
./services/security/tor.nix
./services/security/torsocks.nix
./services/system/cgmanager.nix
./services/system/cloud-init.nix
./services/system/dbus.nix
./services/system/kerberos.nix
@ -519,6 +527,7 @@
./services/x11/colord.nix
./services/x11/compton.nix
./services/x11/unclutter.nix
./services/x11/unclutter-xfixes.nix
./services/x11/desktop-managers/default.nix
./services/x11/display-managers/auto.nix
./services/x11/display-managers/default.nix
@ -539,7 +548,6 @@
./services/x11/window-managers/fluxbox.nix
./services/x11/window-managers/icewm.nix
./services/x11/window-managers/bspwm.nix
./services/x11/window-managers/bspwm-unstable.nix
./services/x11/window-managers/metacity.nix
./services/x11/window-managers/none.nix
./services/x11/window-managers/twm.nix
@ -612,6 +620,7 @@
./virtualisation/docker.nix
./virtualisation/libvirtd.nix
./virtualisation/lxc.nix
./virtualisation/lxcfs.nix
./virtualisation/lxd.nix
./virtualisation/amazon-options.nix
./virtualisation/openvswitch.nix
@ -622,4 +631,5 @@
./virtualisation/vmware-guest.nix
./virtualisation/xen-dom0.nix
./virtualisation/xe-guest-utilities.nix
./virtualisation/openstack/keystone.nix
]

4
nixos/modules/profiles/base.nix
View File

@ -7,7 +7,7 @@
# Include some utilities that are useful for installing or repairing
# the system.
environment.systemPackages = [
pkgs.w3m # needed for the manual anyway
pkgs.w3m-nox # needed for the manual anyway
pkgs.testdisk # useful for repairing boot problems
pkgs.mssys # for writing Microsoft boot sectors / MBRs
pkgs.efibootmgr
@ -42,8 +42,6 @@
# Some compression/archiver tools.
pkgs.unzip
pkgs.zip
pkgs.dar # disk archiver
pkgs.cabextract
];
# Include support for various filesystems.

2
nixos/modules/profiles/minimal.nix
View File

@ -14,4 +14,6 @@ with lib;
programs.man.enable = mkDefault false;
programs.info.enable = mkDefault false;
sound.enable = mkDefault false;
}

1
nixos/modules/programs/java.nix
View File

@ -34,6 +34,7 @@ in
package = mkOption {
default = pkgs.jdk;
defaultText = "pkgs.jdk";
description = ''
Java package to install. Typical values are pkgs.jdk or pkgs.jre.
'';

2
nixos/modules/programs/ssh.nix
View File

@ -165,7 +165,7 @@ in
config = {
programs.ssh.setXAuthLocation =
mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11);
mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11);
assertions =
[ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;

8
nixos/modules/rename.nix
View File

@ -30,6 +30,8 @@ with lib;
(mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
(mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "")
(mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])
# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
(mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
@ -142,6 +144,12 @@ with lib;
# murmur
(mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
# parsoid
(mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ])
# tarsnap
(mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir")
# Options that are obsolete and have no replacement.
(mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
(mkRemovedOptionModule [ "programs" "bash" "enable" ] "")

1
nixos/modules/security/acme.nix
View File

@ -178,6 +178,7 @@ in
path = [ pkgs.simp_le ];
preStart = ''
mkdir -p '${cfg.directory}'
chown '${data.user}:${data.group}' '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi

2
nixos/modules/security/acme.xml
View File

@ -75,7 +75,7 @@ options for the <literal>security.acme</literal> module.</para>
<programlisting>
security.acme.certs."foo.example.com" = {
webroot = "/var/www/challenges";
webroot = config.security.acme.directory + "/acme-challenge";
email = "foo@example.com";
user = "nginx";
group = "nginx";

12
nixos/modules/security/duosec.nix
View File

@ -73,7 +73,7 @@ in
};
failmode = mkOption {
type = types.str;
type = types.enum [ "safe" "enum" ];
default = "safe";
description = ''
On service or configuration errors that prevent Duo
@ -115,7 +115,7 @@ in
};
prompts = mkOption {
type = types.int;
type = types.enum [ 1 2 3 ];
default = 3;
description = ''
If a user fails to authenticate with a second factor, Duo
@ -181,13 +181,7 @@ in
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
assertions =
[ { assertion = cfg.failmode == "safe" || cfg.failmode == "secure";
message = "Invalid value for failmode (must be safe or secure).";
}
{ assertion = cfg.prompts == 1 || cfg.prompts == 2 || cfg.prompts == 3;
message = "Invalid value for prompts (must be 1, 2, or 3).";
}
{ assertion = !cfg.pam.enable;
[ { assertion = !cfg.pam.enable;
message = "PAM support is currently not implemented.";
}
];

85
nixos/modules/security/grsecurity.nix
View File

@ -6,14 +6,6 @@ let
cfg = config.security.grsecurity;
grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
# Ascertain whether ZFS is required for booting the system; grsecurity is
# currently incompatible with ZFS, rendering the system unbootable.
zfsNeededForBoot = filter
(fs: (fs.neededForBoot
|| elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
&& fs.fsType == "zfs")
config.system.build.fileSystems != [];
# Ascertain whether NixOS container support is required
containerSupportRequired =
config.boot.enableContainers && config.containers != {};
@ -27,7 +19,14 @@ in
options.security.grsecurity = {
enable = mkEnableOption "grsecurity/PaX";
enable = mkOption {
type = types.bool;
example = true;
default = false;
description = ''
Enable grsecurity/PaX.
'';
};
lockTunables = mkOption {
type = types.bool;
@ -58,19 +57,10 @@ in
config = mkIf cfg.enable {
# Allow the user to select a different package set, subject to the stated
# required kernel config
boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
system.requiredKernelConfig = with config.lib.kernelConfig;
[ (isEnabled "GRKERNSEC")
(isEnabled "PAX")
(isYes "GRKERNSEC_SYSCTL")
(isYes "GRKERNSEC_SYSCTL_DISTRO")
(isNo "GRKERNSEC_NO_RBAC")
];
boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
++ optional cfg.disableEfiRuntimeServices "noefi";
nixpkgs.config.grsecurity = true;
@ -120,26 +110,63 @@ in
boot.kernel.sysctl = {
# Read-only under grsecurity
"kernel.kptr_restrict" = mkForce null;
# All grsec tunables default to off, those not enabled below are
# *disabled*. We use mkDefault to allow expert users to override
# our choices, but use mkForce where tunables would outright
# conflict with other settings.
# Enable all chroot restrictions by default (overwritten as
# necessary below)
"kernel.grsecurity.chroot_caps" = mkDefault 1;
"kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
"kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
"kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
"kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
"kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
"kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
"kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
"kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
"kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
"kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
"kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
"kernel.grsecurity.chroot_findtask" = mkDefault 1;
"kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
# Enable various grsec protections
"kernel.grsecurity.consistent_setxid" = mkDefault 1;
"kernel.grsecurity.deter_bruteforce" = mkDefault 1;
"kernel.grsecurity.fifo_restrictions" = mkDefault 1;
"kernel.grsecurity.harden_ipc" = mkDefault 1;
"kernel.grsecurity.harden_ptrace" = mkDefault 1;
"kernel.grsecurity.harden_tty" = mkDefault 1;
"kernel.grsecurity.ip_blackhole" = mkDefault 1;
"kernel.grsecurity.linking_restrictions" = mkDefault 1;
"kernel.grsecurity.ptrace_readexec" = mkDefault 1;
# Enable auditing
"kernel.grsecurity.audit_ptrace" = mkDefault 1;
"kernel.grsecurity.forkfail_logging" = mkDefault 1;
"kernel.grsecurity.rwxmap_logging" = mkDefault 1;
"kernel.grsecurity.signal_logging" = mkDefault 1;
"kernel.grsecurity.timechange_logging" = mkDefault 1;
} // optionalAttrs config.nix.useSandbox {
# chroot(2) restrictions that conflict with sandboxed Nix builds
"kernel.grsecurity.chroot_caps" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
} // optionalAttrs containerSupportRequired {
# chroot(2) restrictions that conflict with NixOS lightweight containers
"kernel.grsecurity.chroot_caps" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
"kernel.grsecurity.chroot_caps" = mkForce 0;
# Disable privileged IO by default, unless X is enabled
} // optionalAttrs (!config.services.xserver.enable) {
"kernel.grsecurity.disable_priv_io" = mkDefault 1;
};
assertions = [
{ assertion = !zfsNeededForBoot;
message = "grsecurity is currently incompatible with ZFS";
}
];
};
}

74
nixos/modules/security/grsecurity.xml
View File

@ -51,6 +51,13 @@
# nixos-rebuild boot
# reboot
</programlisting>
<note><para>
Enabling the grsecurity module overrides
<option>boot.kernelPackages</option>, to reduce the risk of
misconfiguration. <xref linkend="sec-grsec-custom-kernel" />
describes how to use a custom kernel package set.
</para></note>
For most users, further configuration should be unnecessary. All users
are encouraged to look over <xref linkend="sec-grsec-security" /> before
using the system, however. If you experience problems, please refer to
@ -144,15 +151,8 @@
a TCP simultaneous OPEN on that port before the connection is actually
established.</para></listitem>
<listitem><para><filename class="directory">/sys</filename> hardening:
breaks systemd.</para></listitem>
<listitem><para>Trusted path execution: a desirable feature, but
requires some more work to operate smoothly on NixOS.</para></listitem>
<listitem><para>Module hardening: would break user initiated module
loading. Might enable this at some point, depending on the potential
breakage.</para></listitem>
</itemizedlist>
</para></listitem>
@ -205,31 +205,42 @@
</para>
<para>
To use a custom kernel with upstream's recommended settings for server
deployments:
To build a custom kernel using upstream's recommended settings for server
deployments, while still using the NixOS module:
<programlisting>
boot.kernelPackages =
let
kernel = pkgs.linux_grsec_nixos.override {
nixpkgs.config.packageOverrides = super: {
linux_grsec_nixos = super.linux_grsec_nixos.override {
extraConfig = ''
GRKERNSEC_CONFIG_AUTO y
GRKERNSEC_CONFIG_SERVER y
GRKERNSEC_CONFIG_SECURITY y
'';
};
self = pkgs.linuxPackagesFor kernel self;
in self;
}
</programlisting>
</para>
<para>
The wikibook provides an exhaustive listing of
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
</para>
<para>
The NixOS module makes several assumptions about the kernel and so may be
incompatible with your customised kernel. Most of these assumptions are
encoded as assertions &#x2014; mismatches should ideally result in a build
failure. Currently, the only way to work around incompatibilities is to
eschew the NixOS module and do all configuration yourself.
The NixOS module makes several assumptions about the kernel and so
may be incompatible with your customised kernel. Currently, the only way
to work around incompatibilities is to eschew the NixOS module.
If not using the NixOS module, a custom grsecurity package set can
be specified inline instead, as in
<programlisting>
boot.kernelPackages =
let
kernel = pkgs.linux_grsec_nixos.override {
extraConfig = /* as above */;
};
self = pkgs.linuxPackagesFor kernel self;
in self;
</programlisting>
</para>
</sect1>
@ -277,6 +288,10 @@
<option>security.grsecurity.disableEfiRuntimeServices</option> to override
this behavior.</para></listitem>
<listitem><para>User initiated autoloading of modules (e.g., when
using fuse or loop devices) is disallowed; either load requisite modules
as root or add them to<option>boot.kernelModules</option>.</para></listitem>
<listitem><para>Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are
<emphasis>unsupported</emphasis> and most likely require a custom kernel.
@ -310,6 +325,19 @@
</programlisting>
</para></listitem>
<listitem><para>
The gitlab service (<xref linkend="module-services-gitlab" />)
requires a variant of the <literal>ruby</literal> interpreter
built without `mprotect()` hardening, as in
<programlisting>
services.gitlab.packages.gitlab = pkgs.gitlab.override {
ruby = pkgs.ruby.overrideAttrs (attrs: {
postFixup = "paxmark m $out/bin/ruby";
});
};
</programlisting>
</para></listitem>
</itemizedlist>
</sect1>
@ -332,13 +360,19 @@
<listitem><para>
<literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel
slab object sanitization
slab object sanitization. Defaults to <literal>fast</literal>
</para></listitem>
<listitem><para>
<literal>pax_size_overflow_report_only</literal>: log size overflow
violations but leave the violating task running
</para></listitem>
<listitem><para>
<literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
restrictions. The NixOS module sets this to <literal>0</literal>
for systemd compatibility
</para></listitem>
</itemizedlist>
</para>

2
nixos/modules/security/hidepid.nix
View File

@ -19,7 +19,9 @@ with lib;
config = mkIf config.security.hideProcessInformation {
users.groups.proc.gid = config.ids.gids.proc;
users.groups.proc.members = [ "polkituser" ];
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
};
}

2
nixos/modules/services/backup/crashplan.nix
View File

@ -49,7 +49,7 @@ with lib;
ensureDir ${crashplan.vardir}/backupArchives 700
ensureDir ${crashplan.vardir}/log 777
cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf
for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do
for x in app.asar bin install.vars lang lib libc42archive64.so libc52archive.so libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libleveldb64.so libleveldb.so libmd564.so libmd5.so share skin upgrade; do
rm -f ${crashplan.vardir}/$x;
ln -sf ${crashplan}/$x ${crashplan.vardir}/$x;
done

120
nixos/modules/services/backup/tarsnap.nix
View File

@ -1,25 +1,25 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
with lib;
let
cfg = config.services.tarsnap;
gcfg = config.services.tarsnap;
configFile = name: cfg: ''
cachedir ${config.services.tarsnap.cachedir}/${name}
keyfile ${cfg.keyfile}
${optionalString (cfg.cachedir != null) "cachedir ${cfg.cachedir}"}
${optionalString cfg.nodump "nodump"}
${optionalString cfg.printStats "print-stats"}
${optionalString cfg.printStats "humanize-numbers"}
${optionalString (cfg.checkpointBytes != null) ("checkpoint-bytes "+cfg.checkpointBytes)}
${optionalString cfg.aggressiveNetworking "aggressive-networking"}
${concatStringsSep "\n" (map (v: "exclude "+v) cfg.excludes)}
${concatStringsSep "\n" (map (v: "include "+v) cfg.includes)}
${concatStringsSep "\n" (map (v: "exclude ${v}") cfg.excludes)}
${concatStringsSep "\n" (map (v: "include ${v}") cfg.includes)}
${optionalString cfg.lowmem "lowmem"}
${optionalString cfg.verylowmem "verylowmem"}
${optionalString (cfg.maxbw != null) ("maxbw "+toString cfg.maxbw)}
${optionalString (cfg.maxbwRateUp != null) ("maxbw-rate-up "+toString cfg.maxbwRateUp)}
${optionalString (cfg.maxbwRateDown != null) ("maxbw-rate-down "+toString cfg.maxbwRateDown)}
${optionalString (cfg.maxbw != null) "maxbw ${toString cfg.maxbw}"}
${optionalString (cfg.maxbwRateUp != null) "maxbw-rate-up ${toString cfg.maxbwRateUp}"}
${optionalString (cfg.maxbwRateDown != null) "maxbw-rate-down ${toString cfg.maxbwRateDown}"}
'';
in
{
@ -60,34 +60,13 @@ in
'';
};
cachedir = mkOption {
type = types.nullOr types.path;
default = "/var/cache/tarsnap";
description = ''
The cache allows tarsnap to identify previously stored data
blocks, reducing archival time and bandwidth usage.
Should the cache become desynchronized or corrupted, tarsnap
will refuse to run until you manually rebuild the cache with
<command>tarsnap --fsck</command>.
Note that each individual archive (specified below) has its own cache
directory specified under <literal>cachedir</literal>; this is because
tarsnap locks the cache during backups, meaning multiple services
archives cannot be backed up concurrently or overlap with a shared
cache.
Set to <literal>null</literal> to disable caching.
'';
};
archives = mkOption {
type = types.attrsOf (types.submodule (
type = types.attrsOf (types.submodule ({ config, ... }:
{
options = {
keyfile = mkOption {
type = types.str;
default = config.services.tarsnap.keyfile;
default = gcfg.keyfile;
description = ''
Set a specific keyfile for this archive. This defaults to
<literal>"/root/tarsnap.key"</literal> if left unspecified.
@ -107,6 +86,21 @@ in
'';
};
cachedir = mkOption {
type = types.nullOr types.path;
default = "/var/cache/tarsnap/${utils.escapeSystemdPath config.keyfile}";
description = ''
The cache allows tarsnap to identify previously stored data
blocks, reducing archival time and bandwidth usage.
Should the cache become desynchronized or corrupted, tarsnap
will refuse to run until you manually rebuild the cache with
<command>tarsnap --fsck</command>.
Set to <literal>null</literal> to disable caching.
'';
};
nodump = mkOption {
type = types.bool;
default = true;
@ -262,8 +256,8 @@ in
archive names are suffixed by a 1 second resolution timestamp.
For each member of the set is created a timer which triggers the
instanced <literal>tarsnap@</literal> service unit. You may use
<command>systemctl start tarsnap@archive-name</command> to
instanced <literal>tarsnap-archive-name</literal> service unit. You may use
<command>systemctl start tarsnap-archive-name</command> to
manually trigger creation of <literal>archive-name</literal> at
any time.
'';
@ -271,63 +265,73 @@ in
};
};
config = mkIf cfg.enable {
config = mkIf gcfg.enable {
assertions =
(mapAttrsToList (name: cfg:
{ assertion = cfg.directories != [];
message = "Must specify paths for tarsnap to back up";
}) cfg.archives) ++
}) gcfg.archives) ++
(mapAttrsToList (name: cfg:
{ assertion = !(cfg.lowmem && cfg.verylowmem);
message = "You cannot set both lowmem and verylowmem";
}) cfg.archives);
}) gcfg.archives);
systemd.services."tarsnap@" = {
description = "Tarsnap archive '%i'";
systemd.services =
mapAttrs' (name: cfg: nameValuePair "tarsnap-${name}" {
description = "Tarsnap archive '${name}'";
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
path = [ pkgs.iputils pkgs.tarsnap pkgs.coreutils ];
path = [ pkgs.iputils pkgs.tarsnap pkgs.utillinux ];
# In order for the persistent tarsnap timer to work reliably, we have to
# make sure that the tarsnap server is reachable after systemd starts up
# the service - therefore we sleep in a loop until we can ping the
# endpoint.
preStart = "while ! ping -q -c 1 v1-0-0-server.tarsnap.com &> /dev/null; do sleep 3; done";
scriptArgs = "%i";
script = ''
mkdir -p -m 0755 ${dirOf cfg.cachedir}
mkdir -p -m 0700 ${cfg.cachedir}
chown root:root ${cfg.cachedir}
chmod 0700 ${cfg.cachedir}
mkdir -p -m 0700 ${cfg.cachedir}/$1
DIRS=`cat /etc/tarsnap/$1.dirs`
exec tarsnap --configfile /etc/tarsnap/$1.conf -c -f $1-$(date +"%Y%m%d%H%M%S") $DIRS
preStart = ''
while ! ping -q -c 1 v1-0-0-server.tarsnap.com &> /dev/null; do sleep 3; done
'';
script =
let run = ''tarsnap --configfile "/etc/tarsnap/${name}.conf" -c -f "${name}-$(date +"%Y%m%d%H%M%S")" ${concatStringsSep " " cfg.directories}'';
in if (cfg.cachedir != null) then ''
mkdir -p ${cfg.cachedir}
chmod 0700 ${cfg.cachedir}
( flock 9
if [ ! -e ${cfg.cachedir}/firstrun ]; then
( flock 10
flock -u 9
tarsnap --configfile "/etc/tarsnap/${name}.conf" --fsck
flock 9
) 10>${cfg.cachedir}/firstrun
fi
) 9>${cfg.cachedir}/lockf
exec flock ${cfg.cachedir}/firstrun ${run}
'' else "exec ${run}";
serviceConfig = {
Type = "oneshot";
IOSchedulingClass = "idle";
NoNewPrivileges = "true";
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH";
CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
PermissionsStartOnly = "true";
};
};
}) gcfg.archives;
# Note: the timer must be Persistent=true, so that systemd will start it even
# if e.g. your laptop was asleep while the latest interval occurred.
systemd.timers = mapAttrs' (name: cfg: nameValuePair "tarsnap@${name}"
systemd.timers = mapAttrs' (name: cfg: nameValuePair "tarsnap-${name}"
{ timerConfig.OnCalendar = cfg.period;
timerConfig.Persistent = "true";
wantedBy = [ "timers.target" ];
}) cfg.archives;
}) gcfg.archives;
environment.etc =
(mapAttrs' (name: cfg: nameValuePair "tarsnap/${name}.conf"
mapAttrs' (name: cfg: nameValuePair "tarsnap/${name}.conf"
{ text = configFile name cfg;
}) cfg.archives) //
(mapAttrs' (name: cfg: nameValuePair "tarsnap/${name}.dirs"
{ text = concatStringsSep " " cfg.directories;
}) cfg.archives);
}) gcfg.archives;
environment.systemPackages = [ pkgs.tarsnap ];
};

2
nixos/modules/services/cluster/fleet.nix
View File

@ -28,7 +28,7 @@ in {
etcdServers = mkOption {
type = types.listOf types.str;
default = [ "http://127.0.0.1:4001" ];
default = [ "http://127.0.0.1:2379" ];
description = ''
Fleet list of etcd endpoints to use.
'';

606
nixos/modules/services/cluster/kubernetes.nix
View File

@ -5,28 +5,62 @@ with lib;
let
cfg = config.services.kubernetes;
skipAttrs = attrs: map (filterAttrs (k: v: k != "enable"))
(filter (v: !(hasAttr "enable" v) || v.enable) attrs);
infraContainer = pkgs.dockerTools.buildImage {
name = "pause";
tag = "latest";
contents = cfg.package.pause;
config.Cmd = "/bin/pause";
};
kubeconfig = pkgs.writeText "kubeconfig" (builtins.toJSON {
apiVersion = "v1";
kind = "Config";
clusters = [{
name = "local";
cluster.certificate-authority = cfg.kubeconfig.caFile;
cluster.server = cfg.kubeconfig.server;
}];
users = [{
name = "kubelet";
user = {
client-certificate = cfg.kubeconfig.certFile;
client-key = cfg.kubeconfig.keyFile;
};
}];
contexts = [{
context = {
cluster = "local";
user = "kubelet";
};
current-context = "kubelet-context";
}];
});
policyFile = pkgs.writeText "kube-policy"
concatStringsSep "\n" (map (builtins.toJSON cfg.apiserver.authorizationPolicy));
cniConfig = pkgs.buildEnv {
name = "kubernetes-cni-config";
paths = imap (i: entry:
pkgs.writeTextDir "${10+i}-${entry.type}.conf" (builtins.toJSON entry)
) cfg.kubelet.cni.config;
};
manifests = pkgs.buildEnv {
name = "kubernetes-manifests";
paths = mapAttrsToList (name: manifest:
pkgs.writeTextDir "${name}.json" (builtins.toJSON manifest)
) cfg.kubelet.manifests;
};
in {
###### interface
options.services.kubernetes = {
package = mkOption {
description = "Kubernetes package to use.";
type = types.package;
};
verbose = mkOption {
description = "Kubernetes enable verbose mode for debugging";
default = false;
type = types.bool;
};
etcdServers = mkOption {
description = "Kubernetes list of etcd servers to watch.";
default = [ "127.0.0.1:4001" ];
type = types.listOf types.str;
};
roles = mkOption {
description = ''
Kubernetes role that this machine should take.
@ -38,18 +72,76 @@ in {
type = types.listOf (types.enum ["master" "node"]);
};
package = mkOption {
description = "Kubernetes package to use.";
type = types.package;
default = pkgs.kubernetes;
};
verbose = mkOption {
description = "Kubernetes enable verbose mode for debugging";
default = false;
type = types.bool;
};
etcd = {
servers = mkOption {
description = "List of etcd servers. By default etcd is started, except if this option is changed.";
default = ["http://127.0.0.1:2379"];
type = types.listOf types.str;
};
keyFile = mkOption {
description = "Etcd key file";
default = null;
type = types.nullOr types.path;
};
certFile = mkOption {
description = "Etcd cert file";
default = null;
type = types.nullOr types.path;
};
caFile = mkOption {
description = "Etcd ca file";
default = null;
type = types.nullOr types.path;
};
};
kubeconfig = {
server = mkOption {
description = "Kubernetes apiserver server address";
default = "http://${cfg.apiserver.address}:${toString cfg.apiserver.port}";
type = types.str;
};
caFile = mkOption {
description = "Certificate authrority file to use to connect to kuberentes apiserver";
type = types.nullOr types.path;
default = null;
};
certFile = mkOption {
description = "Client certificate file to use to connect to kubernetes";
type = types.nullOr types.path;
default = null;
};
keyFile = mkOption {
description = "Client key file to use to connect to kubernetes";
type = types.nullOr types.path;
default = null;
};
};
dataDir = mkOption {
description = "Kubernetes root directory for managing kubelet files.";
default = "/var/lib/kubernetes";
type = types.path;
};
dockerCfg = mkOption {
description = "Kubernetes contents of dockercfg file.";
default = "";
type = types.lines;
};
apiserver = {
enable = mkOption {
description = "Whether to enable kubernetes apiserver.";
@ -72,6 +164,16 @@ in {
type = types.str;
};
advertiseAddress = mkOption {
description = ''
Kubernetes apiserver IP address on which to advertise the apiserver
to members of the cluster. This address must be reachable by the rest
of the cluster.
'';
default = null;
type = types.nullOr types.str;
};
port = mkOption {
description = "Kubernetes apiserver listening port.";
default = 8080;
@ -80,41 +182,36 @@ in {
securePort = mkOption {
description = "Kubernetes apiserver secure port.";
default = 6443;
default = 443;
type = types.int;
};
tlsCertFile = mkOption {
description = "Kubernetes apiserver certificate file.";
default = "";
type = types.str;
default = null;
type = types.nullOr types.path;
};
tlsPrivateKeyFile = mkOption {
tlsKeyFile = mkOption {
description = "Kubernetes apiserver private key file.";
default = "";
type = types.str;
default = null;
type = types.nullOr types.path;
};
clientCaFile = mkOption {
description = "Kubernetes apiserver CA file for client auth.";
default = "";
type = types.str;
default = null;
type = types.nullOr types.path;
};
tokenAuth = mkOption {
description = ''
Kubernetes apiserver token authentication file. See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
<link xlink:href="http://kubernetes.io/docs/admin/authentication.html"/>
'';
default = {};
example = literalExample ''
{
alice = "abc123";
bob = "xyz987";
}
'';
type = types.attrsOf types.str;
default = null;
example = ''token,user,uid,"group1,group2,group3"'';
type = types.nullOr types.lines;
};
authorizationMode = mkOption {
@ -148,13 +245,13 @@ in {
allowPrivileged = mkOption {
description = "Whether to allow privileged containers on kubernetes.";
default = false;
default = true;
type = types.bool;
};
portalNet = mkOption {
description = "Kubernetes CIDR notation IP range from which to assign portal IPs";
default = "10.10.10.10/16";
default = "10.10.10.10/24";
type = types.str;
};
@ -171,9 +268,9 @@ in {
admissionControl = mkOption {
description = ''
Kubernetes admission control plugins to use. See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
<link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
'';
default = ["AlwaysAdmit"];
default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota"];
example = [
"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
@ -181,15 +278,40 @@ in {
type = types.listOf types.str;
};
serviceAccountKey = mkOption {
serviceAccountKeyFile = mkOption {
description = ''
Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
used to verify ServiceAccount tokens.
used to verify ServiceAccount tokens. By default tls private key file
is used.
'';
default = null;
type = types.nullOr types.path;
};
kubeletClientCaFile = mkOption {
description = "Path to a cert file for connecting to kubelet";
default = null;
type = types.nullOr types.path;
};
kubeletClientCertFile = mkOption {
description = "Client certificate to use for connections to kubelet";
default = null;
type = types.nullOr types.path;
};
kubeletClientKeyFile = mkOption {
description = "Key to use for connections to kubelet";
default = null;
type = types.nullOr types.path;
};
kubeletHttps = mkOption {
description = "Whether to use https for connections to kubelet";
default = true;
type = types.bool;
};
extraOpts = mkOption {
description = "Kubernetes apiserver extra command line options.";
default = "";
@ -216,10 +338,10 @@ in {
type = types.int;
};
master = mkOption {
description = "Kubernetes apiserver address";
default = "${cfg.apiserver.address}:${toString cfg.apiserver.port}";
type = types.str;
leaderElect = mkOption {
description = "Whether to start leader election before executing main loop";
type = types.bool;
default = false;
};
extraOpts = mkOption {
@ -248,13 +370,13 @@ in {
type = types.int;
};
master = mkOption {
description = "Kubernetes apiserver address";
default = "${cfg.apiserver.address}:${toString cfg.apiserver.port}";
type = types.str;
leaderElect = mkOption {
description = "Whether to start leader election before executing main loop";
type = types.bool;
default = false;
};
serviceAccountPrivateKey = mkOption {
serviceAccountKeyFile = mkOption {
description = ''
Kubernetes controller manager PEM-encoded private RSA key file used to
sign service account tokens
@ -272,6 +394,12 @@ in {
type = types.nullOr types.path;
};
clusterCidr = mkOption {
description = "Kubernetes controller manager CIDR Range for Pods in cluster";
default = "10.10.0.0/16";
type = types.str;
};
extraOpts = mkOption {
description = "Kubernetes controller manager extra command line options.";
default = "";
@ -292,6 +420,12 @@ in {
type = types.bool;
};
registerSchedulable = mkOption {
description = "Register the node as schedulable. No-op if register-node is false.";
default = true;
type = types.bool;
};
address = mkOption {
description = "Kubernetes kubelet info server listening address.";
default = "0.0.0.0";
@ -304,6 +438,18 @@ in {
type = types.int;
};
tlsCertFile = mkOption {
description = "File containing x509 Certificate for HTTPS.";
default = null;
type = types.nullOr types.path;
};
tlsKeyFile = mkOption {
description = "File containing x509 private key matching tlsCertFile.";
default = null;
type = types.nullOr types.path;
};
healthz = {
bind = mkOption {
description = "Kubernetes kubelet healthz listening address.";
@ -326,19 +472,10 @@ in {
allowPrivileged = mkOption {
description = "Whether to allow kubernetes containers to request privileged mode.";
default = false;
default = true;
type = types.bool;
};
apiServers = mkOption {
description = ''
Kubernetes kubelet list of Kubernetes API servers for publishing events,
and reading pods and services.
'';
default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
type = types.listOf types.str;
};
cadvisorPort = mkOption {
description = "Kubernetes kubelet local cadvisor port.";
default = 4194;
@ -347,16 +484,62 @@ in {
clusterDns = mkOption {
description = "Use alternative dns.";
default = "";
default = "10.10.0.1";
type = types.str;
};
clusterDomain = mkOption {
description = "Use alternative domain.";
default = "kubernetes.io";
default = "cluster.local";
type = types.str;
};
networkPlugin = mkOption {
description = "Network plugin to use by kubernetes";
type = types.nullOr (types.enum ["cni" "kubenet"]);
default = "kubenet";
};
cni = {
packages = mkOption {
description = "List of network plugin packages to install";
type = types.listOf types.package;
default = [];
};
config = mkOption {
description = "Kubernetes CNI configuration";
type = types.listOf types.attrs;
default = [];
example = literalExample ''
[{
"cniVersion": "0.2.0",
"name": "mynet",
"type": "bridge",
"bridge": "cni0",
"isGateway": true,
"ipMasq": true,
"ipam": {
"type": "host-local",
"subnet": "10.22.0.0/16",
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
} {
"cniVersion": "0.2.0",
"type": "loopback"
}]
'';
};
};
manifests = mkOption {
description = "List of manifests to bootstrap with kubelet";
type = types.attrsOf types.attrs;
default = {};
};
extraOpts = mkOption {
description = "Kubernetes kubelet extra command line options.";
default = "";
@ -377,12 +560,6 @@ in {
type = types.str;
};
master = mkOption {
description = "Kubernetes apiserver address";
default = "${cfg.apiserver.address}:${toString cfg.apiserver.port}";
type = types.str;
};
extraOpts = mkOption {
description = "Kubernetes proxy extra command line options.";
default = "";
@ -390,23 +567,23 @@ in {
};
};
kube2sky = {
enable = mkEnableOption "Whether to enable kube2sky dns service.";
dns = {
enable = mkEnableOption "kubernetes dns service.";
port = mkOption {
description = "Kubernetes dns listening port";
default = 53;
type = types.int;
};
domain = mkOption {
description = "Kuberntes kube2sky domain under which all DNS names will be hosted.";
description = "Kuberntes dns domain under which to create names.";
default = cfg.kubelet.clusterDomain;
type = types.str;
};
master = mkOption {
description = "Kubernetes apiserver address";
default = "${cfg.apiserver.address}:${toString cfg.apiserver.port}";
type = types.str;
};
extraOpts = mkOption {
description = "Kubernetes kube2sky extra command line options.";
description = "Kubernetes dns extra command line options.";
default = "";
type = types.str;
};
@ -416,50 +593,118 @@ in {
###### implementation
config = mkMerge [
(mkIf cfg.kubelet.enable {
systemd.services.kubelet = {
description = "Kubernetes Kubelet Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "docker.service" "kube-apiserver.service" ];
path = with pkgs; [ gitMinimal openssh docker utillinux iproute ethtool thin-provisioning-tools iptables ];
preStart = ''
docker load < ${infraContainer}
rm /opt/cni/bin/* || true
${concatMapStringsSep "\n" (p: "ln -fs ${p.plugins}/* /opt/cni/bin") cfg.kubelet.cni.packages}
'';
serviceConfig = {
ExecStart = ''${cfg.package}/bin/kubelet \
--pod-manifest-path=${manifests} \
--kubeconfig=${kubeconfig} \
--require-kubeconfig \
--address=${cfg.kubelet.address} \
--port=${toString cfg.kubelet.port} \
--register-node=${if cfg.kubelet.registerNode then "true" else "false"} \
--register-schedulable=${if cfg.kubelet.registerSchedulable then "true" else "false"} \
${optionalString (cfg.kubelet.tlsCertFile != null)
"--tls-cert-file=${cfg.kubelet.tlsCertFile}"} \
${optionalString (cfg.kubelet.tlsKeyFile != null)
"--tls-private-key-file=${cfg.kubelet.tlsKeyFile}"} \
--healthz-bind-address=${cfg.kubelet.healthz.bind} \
--healthz-port=${toString cfg.kubelet.healthz.port} \
--hostname-override=${cfg.kubelet.hostname} \
--allow-privileged=${if cfg.kubelet.allowPrivileged then "true" else "false"} \
--root-dir=${cfg.dataDir} \
--cadvisor_port=${toString cfg.kubelet.cadvisorPort} \
${optionalString (cfg.kubelet.clusterDns != "")
"--cluster-dns=${cfg.kubelet.clusterDns}"} \
${optionalString (cfg.kubelet.clusterDomain != "")
"--cluster-domain=${cfg.kubelet.clusterDomain}"} \
--pod-infra-container-image=pause \
${optionalString (cfg.kubelet.networkPlugin != null)
"--network-plugin=${cfg.kubelet.networkPlugin}"} \
--cni-conf-dir=${cniConfig} \
--reconcile-cidr \
--hairpin-mode=hairpin-veth \
${optionalString cfg.verbose "--v=6 --log_flush_frequency=1s"} \
${cfg.kubelet.extraOpts}
'';
WorkingDirectory = cfg.dataDir;
};
};
environment.etc = mapAttrs' (name: manifest:
nameValuePair "kubernetes/manifests/${name}.json" {
text = builtins.toJSON manifest;
mode = "0755";
}
) cfg.kubelet.manifests;
# Allways include cni plugins
services.kubernetes.kubelet.cni.packages = [pkgs.cni];
})
(mkIf cfg.apiserver.enable {
systemd.services.kube-apiserver = {
description = "Kubernetes Api Server";
description = "Kubernetes Kubelet Service";
wantedBy = [ "multi-user.target" ];
requires = ["kubernetes-setup.service"];
after = [ "network.target" "etcd.service" "kubernetes-setup.service" ];
after = [ "network.target" "docker.service" ];
serviceConfig = {
ExecStart = let
authorizationPolicyFile =
pkgs.writeText "kubernetes-policy"
(builtins.toJSON cfg.apiserver.authorizationPolicy);
tokenAuthFile =
pkgs.writeText "kubernetes-auth"
(concatImapStringsSep "\n" (i: v: v + "," + (toString i))
(mapAttrsToList (name: token: token + "," + name) cfg.apiserver.tokenAuth));
in ''${cfg.package}/bin/kube-apiserver \
--etcd-servers=${concatMapStringsSep "," (f: "http://${f}") cfg.etcdServers} \
--insecure-bind-address=${cfg.apiserver.address} \
ExecStart = ''${cfg.package}/bin/kube-apiserver \
--etcd-servers=${concatStringsSep "," cfg.etcd.servers} \
${optionalString (cfg.etcd.caFile != null)
"--etcd-cafile=${cfg.etcd.caFile}"} \
${optionalString (cfg.etcd.certFile != null)
"--etcd-certfile=${cfg.etcd.certFile}"} \
${optionalString (cfg.etcd.keyFile != null)
"--etcd-keyfile=${cfg.etcd.keyFile}"} \
--insecure-port=${toString cfg.apiserver.port} \
--bind-address=${cfg.apiserver.publicAddress} \
--bind-address=0.0.0.0 \
${optionalString (cfg.apiserver.advertiseAddress != null)
"--advertise-address=${cfg.apiserver.advertiseAddress}"} \
--allow-privileged=${if cfg.apiserver.allowPrivileged then "true" else "false"} \
${optionalString (cfg.apiserver.tlsCertFile!="")
${optionalString (cfg.apiserver.tlsCertFile != null)
"--tls-cert-file=${cfg.apiserver.tlsCertFile}"} \
${optionalString (cfg.apiserver.tlsPrivateKeyFile!="")
"--tls-private-key-file=${cfg.apiserver.tlsPrivateKeyFile}"} \
${optionalString (cfg.apiserver.tokenAuth!=[])
"--token-auth-file=${tokenAuthFile}"} \
${optionalString (cfg.apiserver.clientCaFile!="")
${optionalString (cfg.apiserver.tlsKeyFile != null)
"--tls-private-key-file=${cfg.apiserver.tlsKeyFile}"} \
${optionalString (cfg.apiserver.tokenAuth != null)
"--token-auth-file=${cfg.apiserver.tokenAuth}"} \
--kubelet-https=${if cfg.apiserver.kubeletHttps then "true" else "false"} \
${optionalString (cfg.apiserver.kubeletClientCaFile != null)
"--kubelet-certificate-authority=${cfg.apiserver.kubeletClientCaFile}"} \
${optionalString (cfg.apiserver.kubeletClientCertFile != null)
"--kubelet-client-certificate=${cfg.apiserver.kubeletClientCertFile}"} \
${optionalString (cfg.apiserver.kubeletClientKeyFile != null)
"--kubelet-client-key=${cfg.apiserver.kubeletClientKeyFile}"} \
${optionalString (cfg.apiserver.clientCaFile != null)
"--client-ca-file=${cfg.apiserver.clientCaFile}"} \
--authorization-mode=${cfg.apiserver.authorizationMode} \
${optionalString (cfg.apiserver.authorizationMode == "ABAC")
"--authorization-policy-file=${authorizationPolicyFile}"} \
"--authorization-policy-file=${policyFile}"} \
--secure-port=${toString cfg.apiserver.securePort} \
--service-cluster-ip-range=${cfg.apiserver.portalNet} \
${optionalString (cfg.apiserver.runtimeConfig != "")
"--runtime-config=${cfg.apiserver.runtimeConfig}"} \
--admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
${optionalString (cfg.apiserver.serviceAccountKey!=null)
"--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
--logtostderr=true \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${optionalString (cfg.apiserver.serviceAccountKeyFile!=null)
"--service-account-key-file=${cfg.apiserver.serviceAccountKeyFile}"} \
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
${cfg.apiserver.extraOpts}
'';
WorkingDirectory = cfg.dataDir;
User = "kubernetes";
Group = "kubernetes";
AmbientCapabilities = "cap_net_bind_service";
Restart = "on-failure";
RestartSec = 5;
};
};
})
@ -468,17 +713,20 @@ in {
systemd.services.kube-scheduler = {
description = "Kubernetes Scheduler Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "kubernetes-apiserver.service" ];
after = [ "kube-apiserver.service" ];
serviceConfig = {
ExecStart = ''${cfg.package}/bin/kube-scheduler \
--address=${cfg.scheduler.address} \
--port=${toString cfg.scheduler.port} \
--master=${cfg.scheduler.master} \
--logtostderr=true \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
--leader-elect=${if cfg.scheduler.leaderElect then "true" else "false"} \
--kubeconfig=${kubeconfig} \
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
${cfg.scheduler.extraOpts}
'';
WorkingDirectory = cfg.dataDir;
User = "kubernetes";
Group = "kubernetes";
};
};
})
@ -487,113 +735,94 @@ in {
systemd.services.kube-controller-manager = {
description = "Kubernetes Controller Manager Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "kubernetes-apiserver.service" ];
after = [ "kube-apiserver.service" ];
serviceConfig = {
ExecStart = ''${cfg.package}/bin/kube-controller-manager \
--address=${cfg.controllerManager.address} \
--port=${toString cfg.controllerManager.port} \
--master=${cfg.controllerManager.master} \
${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
"--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
--kubeconfig=${kubeconfig} \
--leader-elect=${if cfg.controllerManager.leaderElect then "true" else "false"} \
${if (cfg.controllerManager.serviceAccountKeyFile!=null)
then "--service-account-private-key-file=${cfg.controllerManager.serviceAccountKeyFile}"
else "--service-account-private-key-file=/var/run/kubernetes/apiserver.key"} \
${optionalString (cfg.controllerManager.rootCaFile!=null)
"--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
--logtostderr=true \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${optionalString (cfg.controllerManager.clusterCidr!=null)
"--cluster-cidr=${cfg.controllerManager.clusterCidr}"} \
--allocate-node-cidrs=true \
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
${cfg.controllerManager.extraOpts}
'';
WorkingDirectory = cfg.dataDir;
User = "kubernetes";
Group = "kubernetes";
};
};
})
(mkIf cfg.kubelet.enable {
systemd.services.kubelet = {
description = "Kubernetes Kubelet Service";
wantedBy = [ "multi-user.target" ];
requires = ["kubernetes-setup.service"];
after = [ "network.target" "etcd.service" "docker.service" "kubernetes-setup.service" ];
path = [ pkgs.gitMinimal pkgs.openssh ];
script = ''
export PATH="/bin:/sbin:/usr/bin:/usr/sbin:$PATH"
exec ${cfg.package}/bin/kubelet \
--api-servers=${concatMapStringsSep "," (f: "http://${f}") cfg.kubelet.apiServers} \
--register-node=${if cfg.kubelet.registerNode then "true" else "false"} \
--address=${cfg.kubelet.address} \
--port=${toString cfg.kubelet.port} \
--healthz-bind-address=${cfg.kubelet.healthz.bind} \
--healthz-port=${toString cfg.kubelet.healthz.port} \
--hostname-override=${cfg.kubelet.hostname} \
--allow-privileged=${if cfg.kubelet.allowPrivileged then "true" else "false"} \
--root-dir=${cfg.dataDir} \
--cadvisor_port=${toString cfg.kubelet.cadvisorPort} \
${optionalString (cfg.kubelet.clusterDns != "")
''--cluster-dns=${cfg.kubelet.clusterDns}''} \
${optionalString (cfg.kubelet.clusterDomain != "")
''--cluster-domain=${cfg.kubelet.clusterDomain}''} \
--logtostderr=true \
${optionalString cfg.verbose "--v=6 --log_flush_frequency=1s"} \
${cfg.kubelet.extraOpts}
'';
serviceConfig.WorkingDirectory = cfg.dataDir;
};
})
(mkIf cfg.proxy.enable {
systemd.services.kube-proxy = {
description = "Kubernetes Proxy Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "etcd.service" ];
after = [ "kube-apiserver.service" ];
path = [pkgs.iptables];
serviceConfig = {
ExecStart = ''${cfg.package}/bin/kube-proxy \
--master=${cfg.proxy.master} \
--kubeconfig=${kubeconfig} \
--bind-address=${cfg.proxy.address} \
--logtostderr=true \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${cfg.proxy.extraOpts}
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
${cfg.controllerManager.extraOpts}
'';
Restart = "always"; # Retry connection
RestartSec = "5s";
WorkingDirectory = cfg.dataDir;
};
};
})
(mkIf cfg.kube2sky.enable {
systemd.services.kube2sky = {
description = "Kubernetes Dns Bridge Service";
(mkIf cfg.dns.enable {
systemd.services.kube-dns = {
description = "Kubernetes Dns Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "skydns.service" "etcd.service" "kubernetes-apiserver.service" ];
after = [ "kube-apiserver.service" ];
serviceConfig = {
ExecStart = ''${cfg.package}/bin/kube2sky \
-etcd-server=http://${head cfg.etcdServers} \
-domain=${cfg.kube2sky.domain} \
-kube_master_url=http://${cfg.kube2sky.master} \
-logtostderr=true \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${cfg.kube2sky.extraOpts}
ExecStart = ''${cfg.package}/bin/kube-dns \
--kubecfg-file=${kubeconfig} \
--dns-port=${toString cfg.dns.port} \
--domain=${cfg.dns.domain} \
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
${cfg.dns.extraOpts}
'';
WorkingDirectory = cfg.dataDir;
User = "kubernetes";
Group = "kubernetes";
AmbientCapabilities = "cap_net_bind_service";
SendSIGHUP = true;
};
};
})
(mkIf cfg.kubelet.enable {
boot.kernelModules = ["br_netfilter"];
})
(mkIf (any (el: el == "master") cfg.roles) {
virtualisation.docker.enable = mkDefault true;
services.kubernetes.kubelet.enable = mkDefault true;
services.kubernetes.kubelet.allowPrivileged = mkDefault true;
services.kubernetes.apiserver.enable = mkDefault true;
services.kubernetes.scheduler.enable = mkDefault true;
services.kubernetes.controllerManager.enable = mkDefault true;
services.kubernetes.kube2sky.enable = mkDefault true;
services.etcd.enable = mkDefault (cfg.etcd.servers == ["http://127.0.0.1:2379"]);
})
(mkIf (any (el: el == "node") cfg.roles) {
virtualisation.docker.enable = mkDefault true;
virtualisation.docker.logDriver = mkDefault "json-file";
services.kubernetes.kubelet.enable = mkDefault true;
services.kubernetes.proxy.enable = mkDefault true;
})
(mkIf (any (el: el == "node" || el == "master") cfg.roles) {
services.etcd.enable = mkDefault true;
services.skydns.enable = mkDefault true;
services.skydns.domain = mkDefault cfg.kubelet.clusterDomain;
services.kubernetes.dns.enable = mkDefault true;
})
(mkIf (
@ -601,24 +830,16 @@ in {
cfg.scheduler.enable ||
cfg.controllerManager.enable ||
cfg.kubelet.enable ||
cfg.proxy.enable
cfg.proxy.enable ||
cfg.dns.enable
) {
systemd.services.kubernetes-setup = {
description = "Kubernetes setup.";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/run/kubernetes
chown kubernetes /var/lib/kubernetes
rm ${cfg.dataDir}/.dockercfg || true
ln -fs ${pkgs.writeText "kubernetes-dockercfg" cfg.dockerCfg} ${cfg.dataDir}/.dockercfg
'';
};
services.kubernetes.package = mkDefault pkgs.kubernetes;
systemd.tmpfiles.rules = [
"d /opt/cni/bin 0755 root root -"
"d /var/run/kubernetes 0755 kubernetes kubernetes -"
"d /var/lib/kubernetes 0755 kubernetes kubernetes -"
];
environment.systemPackages = [ cfg.package ];
users.extraUsers = singleton {
name = "kubernetes";
uid = config.ids.uids.kubernetes;
@ -630,6 +851,5 @@ in {
};
users.extraGroups.kubernetes.gid = config.ids.gids.kubernetes;
})
];
}

2
nixos/modules/services/cluster/panamax.nix
View File

@ -46,7 +46,7 @@ in {
fleetctlEndpoint = mkOption {
type = types.str;
default = "http://127.0.0.1:4001";
default = "http://127.0.0.1:2379";
description = ''
Panamax fleetctl endpoint.
'';

88
nixos/modules/services/computing/boinc/client.nix Normal file
View File

@ -0,0 +1,88 @@
{config, lib, pkgs, ...}:
with lib;
let
cfg = config.services.boinc;
allowRemoteGuiRpcFlag = optionalString cfg.allowRemoteGuiRpc "--allow_remote_gui_rpc";
in
{
options.services.boinc = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether to enable the BOINC distributed computing client. If this
option is set to true, the boinc_client daemon will be run as a
background service. The boinccmd command can be used to control the
daemon.
'';
};
package = mkOption {
type = types.package;
default = pkgs.boinc;
defaultText = "pkgs.boinc";
description = ''
Which BOINC package to use.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/boinc";
description = ''
The directory in which to store BOINC's configuration and data files.
'';
};
allowRemoteGuiRpc = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
If set to true, any remote host can connect to and control this BOINC
client (subject to password authentication). If instead set to false,
only the hosts listed in <varname>dataDir</varname>/remote_hosts.cfg will be allowed to
connect.
See also: <link xlink:href="http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access"/>
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [cfg.package];
users.users.boinc = {
createHome = false;
description = "BOINC Client";
home = cfg.dataDir;
isSystemUser = true;
};
systemd.services.boinc = {
description = "BOINC Client";
after = ["network.target" "local-fs.target"];
wantedBy = ["multi-user.target"];
preStart = ''
mkdir -p ${cfg.dataDir}
chown boinc ${cfg.dataDir}
'';
script = ''
${cfg.package}/bin/boinc_client --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
'';
serviceConfig = {
PermissionsStartOnly = true; # preStart must be run as root
User = "boinc";
Nice = 10;
};
};
};
meta = {
maintainers = with lib.maintainers; [kierdavis];
};
}

250
nixos/modules/services/continuous-integration/buildbot/master.nix Normal file
View File

@ -0,0 +1,250 @@
# NixOS module for Buildbot continous integration server.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.buildbot-master;
escapeStr = s: escape ["'"] s;
masterCfg = pkgs.writeText "master.cfg" ''
from buildbot.plugins import *
factory = util.BuildFactory()
c = BuildmasterConfig = dict(
workers = [${concatStringsSep "," cfg.workers}],
protocols = { 'pb': {'port': ${cfg.bpPort} } },
title = '${escapeStr cfg.title}',
titleURL = '${escapeStr cfg.titleUrl}',
buildbotURL = '${escapeStr cfg.buildbotUrl}',
db = dict(db_url='${escapeStr cfg.dbUrl}'),
www = dict(port=${toString cfg.port}),
change_source = [ ${concatStringsSep "," cfg.changeSource} ],
schedulers = [ ${concatStringsSep "," cfg.schedulers} ],
builders = [ ${concatStringsSep "," cfg.builders} ],
status = [ ${concatStringsSep "," cfg.status} ],
)
for step in [ ${concatStringsSep "," cfg.factorySteps} ]:
factory.addStep(step)
${cfg.extraConfig}
'';
configFile = if cfg.masterCfg == null then masterCfg else cfg.masterCfg;
in {
options = {
services.buildbot-master = {
factorySteps = mkOption {
type = types.listOf types.str;
description = "Factory Steps";
default = [];
example = [
"steps.Git(repourl='git://github.com/buildbot/pyflakes.git', mode='incremental')"
"steps.ShellCommand(command=['trial', 'pyflakes'])"
];
};
changeSource = mkOption {
type = types.listOf types.str;
description = "List of Change Sources.";
default = [];
example = [
"changes.GitPoller('git://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)"
];
};
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the Buildbot continuous integration server.";
};
extraConfig = mkOption {
type = types.str;
description = "Extra configuration to append to master.cfg";
default = "";
};
masterCfg = mkOption {
type = with types; nullOr path;
description = ''
Optionally pass path to raw master.cfg file.
Other options in this configuration will be ignored.
'';
default = null;
example = literalExample ''
pkgs.writeText "master.cfg" "BuildmasterConfig = c = {}"
'';
};
schedulers = mkOption {
type = types.listOf types.str;
description = "List of Schedulers.";
default = [
"schedulers.SingleBranchScheduler(name='all', change_filter=util.ChangeFilter(branch='master'), treeStableTimer=None, builderNames=['runtests'])"
"schedulers.ForceScheduler(name='force',builderNames=['runtests'])"
];
};
builders = mkOption {
type = types.listOf types.str;
description = "List of Builders.";
default = [
"util.BuilderConfig(name='runtests',workernames=['default-worker'],factory=factory)"
];
};
workers = mkOption {
type = types.listOf types.str;
description = "List of Workers.";
default = [
"worker.Worker('default-worker', 'password')"
];
example = [ "worker.LocalWorker('default-worker')" ];
};
status = mkOption {
default = [];
type = types.listOf types.str;
description = "List of status notification endpoints.";
};
user = mkOption {
default = "buildbot";
type = types.str;
description = "User the buildbot server should execute under.";
};
group = mkOption {
default = "buildbot";
type = types.str;
description = "Primary group of buildbot user.";
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [ "nixbld" ];
description = "List of extra groups that the buildbot user should be a part of.";
};
home = mkOption {
default = "/home/buildbot";
type = types.path;
description = "Buildbot home directory.";
};
buildbotDir = mkOption {
default = "${cfg.home}/master";
type = types.path;
description = "Specifies the Buildbot directory.";
};
bpPort = mkOption {
default = "9989";
type = types.string;
example = "tcp:10000:interface=127.0.0.1";
description = "Port where the master will listen to Buildbot Worker.";
};
listenAddress = mkOption {
default = "0.0.0.0";
type = types.str;
description = "Specifies the bind address on which the buildbot HTTP interface listens.";
};
buildbotUrl = mkOption {
default = "http://localhost:8010/";
type = types.str;
description = "Specifies the Buildbot URL.";
};
title = mkOption {
default = "Buildbot";
type = types.str;
description = "Specifies the Buildbot Title.";
};
titleUrl = mkOption {
default = "Buildbot";
type = types.str;
description = "Specifies the Buildbot TitleURL.";
};
dbUrl = mkOption {
default = "sqlite:///state.sqlite";
type = types.str;
description = "Specifies the database connection string.";
};
port = mkOption {
default = 8010;
type = types.int;
description = "Specifies port number on which the buildbot HTTP interface listens.";
};
package = mkOption {
type = types.package;
default = pkgs.buildbot-ui;
description = ''
Package to use for buildbot.
<literal>buildbot-full</literal> is required in order to use local workers.
'';
example = pkgs.buildbot-full;
};
packages = mkOption {
default = [ ];
example = [ pkgs.git ];
type = types.listOf types.package;
description = "Packages to add to PATH for the buildbot process.";
};
};
};
config = mkIf cfg.enable {
users.extraGroups = optional (cfg.group == "buildbot") {
name = "buildbot";
};
users.extraUsers = optional (cfg.user == "buildbot") {
name = "buildbot";
description = "buildbot user";
isNormalUser = true;
createHome = true;
home = cfg.home;
group = cfg.group;
extraGroups = cfg.extraGroups;
useDefaultShell = true;
};
systemd.services.buildbot-master = {
description = "Buildbot Continuous Integration Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = cfg.packages;
serviceConfig = {
Type = "forking";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.home;
ExecStart = "${cfg.package}/bin/buildbot start ${cfg.buildbotDir}";
};
preStart = ''
mkdir -vp ${cfg.buildbotDir}
chown -c ${cfg.user}:${cfg.group} ${cfg.buildbotDir}
ln -sf ${configFile} ${cfg.buildbotDir}/master.cfg
${cfg.package}/bin/buildbot create-master ${cfg.buildbotDir}
'';
postStart = ''
until [[ $(${pkgs.curl}/bin/curl -s --head -w '\n%{http_code}' http://localhost:${toString cfg.port} | tail -n1) =~ ^(200|403)$ ]]; do
sleep 1
done
'';
};
};
}

1
nixos/modules/services/continuous-integration/gocd-agent/default.nix
View File

@ -37,6 +37,7 @@ in {
packages = mkOption {
default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ];
defaultText = "[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]";
type = types.listOf types.package;
description = ''
Packages to add to PATH for the Go.CD agent process.

1
nixos/modules/services/continuous-integration/gocd-server/default.nix
View File

@ -68,6 +68,7 @@ in {
packages = mkOption {
default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ];
defaultText = "[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]";
type = types.listOf types.package;
description = ''
Packages to add to PATH for the Go.CD server's process.

2
nixos/modules/services/continuous-integration/hydra/default.nix
View File

@ -343,7 +343,7 @@ in
{ wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" "network.target" ];
path = [ pkgs.nettools ];
path = [ cfg.package pkgs.nettools ];
environment = env;
serviceConfig =
{ ExecStart = "@${cfg.package}/bin/hydra-evaluator hydra-evaluator";

2
nixos/modules/services/databases/couchdb.nix
View File

@ -162,7 +162,7 @@ in {
if [ "$(id -u)" = 0 ]; then
chown ${cfg.user}:${cfg.group} `dirname ${cfg.uriFile}`;
(-f ${cfg.uriFile} && chown ${cfg.user}:${cfg.group} ${cfg.uriFile}) || true
(test -f ${cfg.uriFile} && chown ${cfg.user}:${cfg.group} ${cfg.uriFile}) || true
chown ${cfg.user}:${cfg.group} ${cfg.databaseDir}
chown ${cfg.user}:${cfg.group} ${cfg.viewIndexDir}
chown ${cfg.user}:${cfg.group} ${cfg.configFile}

4
nixos/modules/services/databases/mysql.nix
View File

@ -52,9 +52,7 @@ in
package = mkOption {
type = types.package;
default = pkgs.mysql;
defaultText = "pkgs.mysql";
example = literalExample "pkgs.mysql55";
example = literalExample "pkgs.mysql";
description = "
Which MySQL derivation to use.
";

202
nixos/modules/services/databases/riak-cs.nix Normal file
View File

@ -0,0 +1,202 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.riak-cs;
in
{
###### interface
options = {
services.riak-cs = {
enable = mkEnableOption "riak-cs";
package = mkOption {
type = types.package;
default = pkgs.riak-cs;
defaultText = "pkgs.riak-cs";
example = literalExample "pkgs.riak-cs";
description = ''
Riak package to use.
'';
};
nodeName = mkOption {
type = types.str;
default = "riak-cs@127.0.0.1";
description = ''
Name of the Erlang node.
'';
};
anonymousUserCreation = mkOption {
type = types.bool;
default = false;
description = ''
Anonymous user creation.
'';
};
riakHost = mkOption {
type = types.str;
default = "127.0.0.1:8087";
description = ''
Name of riak hosting service.
'';
};
listener = mkOption {
type = types.str;
default = "127.0.0.1:8080";
description = ''
Name of Riak CS listening service.
'';
};
stanchionHost = mkOption {
type = types.str;
default = "127.0.0.1:8085";
description = ''
Name of stanchion hosting service.
'';
};
stanchionSsl = mkOption {
type = types.bool;
default = true;
description = ''
Tell stanchion to use SSL.
'';
};
distributedCookie = mkOption {
type = types.str;
default = "riak";
description = ''
Cookie for distributed node communication. All nodes in the
same cluster should use the same cookie or they will not be able to
communicate.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/db/riak-cs";
description = ''
Data directory for Riak CS.
'';
};
logDir = mkOption {
type = types.path;
default = "/var/log/riak-cs";
description = ''
Log directory for Riak CS.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional text to be appended to <filename>riak-cs.conf</filename>.
'';
};
extraAdvancedConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional text to be appended to <filename>advanced.config</filename>.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.etc."riak-cs/riak-cs.conf".text = ''
nodename = ${cfg.nodeName}
distributed_cookie = ${cfg.distributedCookie}
platform_log_dir = ${cfg.logDir}
riak_host = ${cfg.riakHost}
listener = ${cfg.listener}
stanchion_host = ${cfg.stanchionHost}
anonymous_user_creation = ${if cfg.anonymousUserCreation then "on" else "off"}
${cfg.extraConfig}
'';
environment.etc."riak-cs/advanced.config".text = ''
${cfg.extraAdvancedConfig}
'';
users.extraUsers.riak-cs = {
name = "riak-cs";
uid = config.ids.uids.riak-cs;
group = "riak";
description = "Riak CS server user";
};
systemd.services.riak-cs = {
description = "Riak CS Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = [
pkgs.utillinux # for `logger`
pkgs.bash
];
environment.HOME = "${cfg.dataDir}";
environment.RIAK_CS_DATA_DIR = "${cfg.dataDir}";
environment.RIAK_CS_LOG_DIR = "${cfg.logDir}";
environment.RIAK_CS_ETC_DIR = "/etc/riak";
preStart = ''
if ! test -e ${cfg.logDir}; then
mkdir -m 0755 -p ${cfg.logDir}
chown -R riak-cs ${cfg.logDir}
fi
if ! test -e ${cfg.dataDir}; then
mkdir -m 0700 -p ${cfg.dataDir}
chown -R riak-cs ${cfg.dataDir}
fi
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/riak-cs console";
ExecStop = "${cfg.package}/bin/riak-cs stop";
StandardInput = "tty";
User = "riak-cs";
Group = "riak-cs";
PermissionsStartOnly = true;
# Give Riak a decent amount of time to clean up.
TimeoutStopSec = 120;
LimitNOFILE = 65536;
};
unitConfig.RequiresMountsFor = [
"${cfg.dataDir}"
"${cfg.logDir}"
"/etc/riak"
];
};
};
}

14
nixos/modules/services/databases/riak.nix
View File

@ -20,6 +20,8 @@ in
package = mkOption {
type = types.package;
default = pkgs.riak;
defaultText = "pkgs.riak";
example = literalExample "pkgs.riak";
description = ''
Riak package to use.
@ -68,6 +70,14 @@ in
'';
};
extraAdvancedConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional text to be appended to <filename>advanced.config</filename>.
'';
};
};
};
@ -88,6 +98,10 @@ in
${cfg.extraConfig}
'';
environment.etc."riak/advanced.config".text = ''
${cfg.extraAdvancedConfig}
'';
users.extraUsers.riak = {
name = "riak";
uid = config.ids.uids.riak;

212
nixos/modules/services/databases/stanchion.nix Normal file
View File

@ -0,0 +1,212 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.stanchion;
in
{
###### interface
options = {
services.stanchion = {
enable = mkEnableOption "stanchion";
package = mkOption {
type = types.package;
default = pkgs.stanchion;
defaultText = "pkgs.stanchion";
example = literalExample "pkgs.stanchion";
description = ''
Stanchion package to use.
'';
};
nodeName = mkOption {
type = types.str;
default = "stanchion@127.0.0.1";
description = ''
Name of the Erlang node.
'';
};
adminKey = mkOption {
type = types.str;
default = "";
description = ''
Name of admin user.
'';
};
adminSecret = mkOption {
type = types.str;
default = "";
description = ''
Name of admin secret
'';
};
riakHost = mkOption {
type = types.str;
default = "127.0.0.1:8087";
description = ''
Name of riak hosting service.
'';
};
listener = mkOption {
type = types.str;
default = "127.0.0.1:8085";
description = ''
Name of Riak CS listening service.
'';
};
stanchionHost = mkOption {
type = types.str;
default = "127.0.0.1:8085";
description = ''
Name of stanchion hosting service.
'';
};
stanchionSsl = mkOption {
type = types.bool;
default = true;
description = ''
Tell stanchion to use SSL.
'';
};
distributedCookie = mkOption {
type = types.str;
default = "riak";
description = ''
Cookie for distributed node communication. All nodes in the
same cluster should use the same cookie or they will not be able to
communicate.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/db/stanchion";
description = ''
Data directory for Stanchion.
'';
};
logDir = mkOption {
type = types.path;
default = "/var/log/stanchion";
description = ''
Log directory for Stanchino.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional text to be appended to <filename>stanchion.conf</filename>.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.etc."stanchion/advanced.config".text = ''
[{stanchion, []}].
'';
environment.etc."stanchion/stanchion.conf".text = ''
listener = ${cfg.listener}
riak_host = ${cfg.riakHost}
${optionalString (cfg.adminKey == "") "#"} admin.key=${optionalString (cfg.adminKey != "") cfg.adminKey}
${optionalString (cfg.adminSecret == "") "#"} admin.secret=${optionalString (cfg.adminSecret != "") cfg.adminSecret}
platform_bin_dir = ${pkgs.stanchion}/bin
platform_data_dir = ${cfg.dataDir}
platform_etc_dir = /etc/stanchion
platform_lib_dir = ${pkgs.stanchion}/lib
platform_log_dir = ${cfg.logDir}
nodename = ${cfg.nodeName}
distributed_cookie = ${cfg.distributedCookie}
stanchion_ssl=${if cfg.stanchionSsl then "on" else "off"}
${cfg.extraConfig}
'';
users.extraUsers.stanchion = {
name = "stanchion";
uid = config.ids.uids.stanchion;
group = "stanchion";
description = "Stanchion server user";
};
users.extraGroups.stanchion.gid = config.ids.gids.stanchion;
systemd.services.stanchion = {
description = "Stanchion Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = [
pkgs.utillinux # for `logger`
pkgs.bash
];
environment.HOME = "${cfg.dataDir}";
environment.STANCHION_DATA_DIR = "${cfg.dataDir}";
environment.STANCHION_LOG_DIR = "${cfg.logDir}";
environment.STANCHION_ETC_DIR = "/etc/stanchion";
preStart = ''
if ! test -e ${cfg.logDir}; then
mkdir -m 0755 -p ${cfg.logDir}
chown -R stanchion:stanchion ${cfg.logDir}
fi
if ! test -e ${cfg.dataDir}; then
mkdir -m 0700 -p ${cfg.dataDir}
chown -R stanchion:stanchion ${cfg.dataDir}
fi
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/stanchion console";
ExecStop = "${cfg.package}/bin/stanchion stop";
StandardInput = "tty";
User = "stanchion";
Group = "stanchion";
PermissionsStartOnly = true;
# Give Stanchion a decent amount of time to clean up.
TimeoutStopSec = 120;
LimitNOFILE = 65536;
};
unitConfig.RequiresMountsFor = [
"${cfg.dataDir}"
"${cfg.logDir}"
"/etc/stanchion"
];
};
};
}

6
nixos/modules/services/desktops/profile-sync-daemon.nix
View File

@ -86,6 +86,12 @@ in {
};
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.users != [];
message = "services.psd.users must contain at least one user";
}
];
systemd = {
services = {
psd = {

158
nixos/modules/services/editors/infinoted.nix Normal file
View File

@ -0,0 +1,158 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.infinoted;
in {
options.services.infinoted = {
enable = mkEnableOption "infinoted";
package = mkOption {
type = types.package;
default = pkgs.libinfinity.override { daemon = true; };
defaultText = "pkgs.libinfinity.override { daemon = true; }";
description = ''
Package providing infinoted
'';
};
keyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Private key to use for TLS
'';
};
certificateFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Server certificate to use for TLS
'';
};
certificateChain = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Chain of CA-certificates to which our `certificateFile` is relative.
Optional for TLS.
'';
};
securityPolicy = mkOption {
type = types.enum ["no-tls" "allow-tls" "require-tls"];
default = "require-tls";
description = ''
How strictly to enforce clients connection with TLS.
'';
};
port = mkOption {
type = types.int;
default = 6523;
description = ''
Port to listen on
'';
};
rootDirectory = mkOption {
type = types.path;
default = "/var/lib/infinoted/documents/";
description = ''
Root of the directory structure to serve
'';
};
plugins = mkOption {
type = types.listOf types.str;
default = [ "note-text" "note-chat" "logging" "autosave" ];
description = ''
Plugins to enable
'';
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
File to read server-wide password from
'';
};
extraConfig = mkOption {
type = types.lines;
default = ''
[autosave]
interval=10
'';
description = ''
Additional configuration to append to infinoted.conf
'';
};
user = mkOption {
type = types.str;
default = "infinoted";
description = ''
What to call the dedicated user under which infinoted is run
'';
};
group = mkOption {
type = types.str;
default = "infinoted";
description = ''
What to call the primary group of the dedicated user under which infinoted is run
'';
};
};
config = mkIf (cfg.enable) {
users.extraUsers = optional (cfg.user == "infinoted")
{ name = "infinoted";
description = "Infinoted user";
group = cfg.group;
};
users.extraGroups = optional (cfg.group == "infinoted")
{ name = "infinoted";
};
systemd.services.infinoted =
{ description = "Gobby Dedicated Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${cfg.package}/bin/infinoted-0.6 --config-file=/var/lib/infinoted/infinoted.conf";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
};
preStart = ''
mkdir -p /var/lib/infinoted
install -o ${cfg.user} -g ${cfg.group} -m 0600 /dev/null /var/lib/infinoted/infinoted.conf
cat >>/var/lib/infinoted/infinoted.conf <<EOF
[infinoted]
${optionalString (cfg.keyFile != null) ''key-file=${cfg.keyFile}''}
${optionalString (cfg.certificateFile != null) ''certificate-file=${cfg.certificateFile}''}
${optionalString (cfg.certificateChain != null) ''certificate-chain=${cfg.certificateChain}''}
port=${toString cfg.port}
security-policy=${cfg.securityPolicy}
root-directory=${cfg.rootDirectory}
plugins=${concatStringsSep ";" cfg.plugins}
${optionalString (cfg.passwordFile != null) ''password=$(head -n 1 ${cfg.passwordFile})''}
${cfg.extraConfig}
EOF
install -o ${cfg.user} -g ${cfg.group} -m 0750 -d ${cfg.rootDirectory}
'';
};
};
}

6
nixos/modules/services/games/terraria.nix
View File

@ -64,7 +64,7 @@ in
};
worldPath = mkOption {
type = types.path;
type = types.nullOr types.path;
default = null;
description = ''
The path to the world file (<literal>.wld</literal>) which should be loaded.
@ -126,8 +126,8 @@ in
User = "terraria";
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.tmux.bin}/bin/tmux -S /var/lib/terraria/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}";
ExecStop = "${pkgs.tmux.bin}/bin/tmux -S /var/lib/terraria/terraria.sock send-keys Enter \"exit\" Enter";
ExecStart = "${getBin pkgs.tmux}/bin/tmux -S /var/lib/terraria/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}";
ExecStop = "${getBin pkgs.tmux}/bin/tmux -S /var/lib/terraria/terraria.sock send-keys Enter \"exit\" Enter";
};
postStart = ''

2
nixos/modules/services/hardware/brltty.nix
View File

@ -39,6 +39,8 @@ in {
ProtectSystem = "full";
SystemCallArchitectures = "native";
};
wants = [ "systemd-udev-settle.service" ];
after = [ "local-fs.target" "systemd-udev-settle.service" ];
before = [ "sysinit.target" ];
wantedBy = [ "sysinit.target" ];
};

99
nixos/modules/services/hardware/sane.nix
View File

@ -7,9 +7,35 @@ let
pkg = if config.hardware.sane.snapshot
then pkgs.sane-backends-git
else pkgs.sane-backends;
backends = [ pkg ] ++ config.hardware.sane.extraBackends;
sanedConf = pkgs.writeTextFile {
name = "saned.conf";
destination = "/etc/sane.d/saned.conf";
text = ''
localhost
${config.services.saned.extraConfig}
'';
};
netConf = pkgs.writeTextFile {
name = "net.conf";
destination = "/etc/sane.d/net.conf";
text = ''
${lib.optionalString config.services.saned.enable "localhost"}
${config.hardware.sane.netConf}
'';
};
env = {
SANE_CONFIG_DIR = config.hardware.sane.configDir;
LD_LIBRARY_PATH = [ "${saneConfig}/lib/sane" ];
};
backends = [ pkg netConf ] ++ optional config.services.saned.enable sanedConf ++ config.hardware.sane.extraBackends;
saneConfig = pkgs.mkSaneConfig { paths = backends; };
enabled = config.hardware.sane.enable || config.services.saned.enable;
in
{
@ -51,27 +77,86 @@ in
hardware.sane.configDir = mkOption {
type = types.string;
internal = true;
description = "The value of SANE_CONFIG_DIR.";
};
hardware.sane.netConf = mkOption {
type = types.lines;
default = "";
example = "192.168.0.16";
description = ''
Network hosts that should be probed for remote scanners.
'';
};
services.saned.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable saned network daemon for remote connection to scanners.
saned would be runned from <literal>scanner</literal> user; to allow
access to hardware that doesn't have <literal>scanner</literal> group
you should add needed groups to this user.
'';
};
services.saned.extraConfig = mkOption {
type = types.lines;
default = "";
example = "192.168.0.0/24";
description = ''
Extra saned configuration lines.
'';
};
};
###### implementation
config = mkIf config.hardware.sane.enable {
config = mkMerge [
(mkIf enabled {
hardware.sane.configDir = mkDefault "${saneConfig}/etc/sane.d";
environment.systemPackages = backends;
environment.sessionVariables = {
SANE_CONFIG_DIR = config.hardware.sane.configDir;
LD_LIBRARY_PATH = [ "${saneConfig}/lib/sane" ];
};
environment.sessionVariables = env;
services.udev.packages = backends;
users.extraGroups."scanner".gid = config.ids.gids.scanner;
})
(mkIf config.services.saned.enable {
networking.firewall.connectionTrackingModules = [ "sane" ];
systemd.services."saned@" = {
description = "Scanner Service";
environment = mapAttrs (name: val: toString val) env;
serviceConfig = {
User = "scanner";
Group = "scanner";
ExecStart = "${pkg}/bin/saned";
};
};
systemd.sockets.saned = {
description = "saned incoming socket";
wantedBy = [ "sockets.target" ];
listenStreams = [ "0.0.0.0:6566" "[::]:6566" ];
socketConfig = {
# saned needs to distinguish between IPv4 and IPv6 to open matching data sockets.
BindIPv6Only = "ipv6-only";
Accept = true;
MaxConnections = 1;
};
};
users.extraUsers."scanner" = {
uid = config.ids.uids.scanner;
group = "scanner";
};
})
];
}

6
nixos/modules/services/logging/syslogd.nix
View File

@ -100,6 +100,12 @@ in
config = mkIf cfg.enable {
assertions =
[ { assertion = !config.services.rsyslogd.enable;
message = "rsyslogd conflicts with syslogd";
}
];
environment.systemPackages = [ pkgs.sysklogd ];
services.syslogd.extraParams = optional cfg.enableNetworkInput "-r";

36
nixos/modules/services/mail/postsrsd.nix
View File

@ -20,17 +20,29 @@ in {
description = "Whether to enable the postsrsd SRS server for Postfix.";
};
domain = mkOption {
type = types.str;
description = "Domain name for rewrite";
};
secretsFile = mkOption {
type = types.path;
default = "/var/lib/postsrsd/postsrsd.secret";
description = "Secret keys used for signing and verification";
};
domain = mkOption {
type = types.str;
description = "Domain name for rewrite";
};
separator = mkOption {
type = types.enum ["-" "=" "+"];
default = "=";
description = "First separator character in generated addresses";
};
# bindAddress = mkOption { # uncomment once 1.5 is released
# type = types.str;
# default = "127.0.0.1";
# description = "Socket listen address";
# };
forwardPort = mkOption {
type = types.int;
default = 10001;
@ -43,6 +55,18 @@ in {
description = "Port for the reverse SRS lookup";
};
timeout = mkOption {
type = types.int;
default = 1800;
description = "Timeout for idle client connections in seconds";
};
excludeDomains = mkOption {
type = types.listOf types.str;
default = [];
description = "Origin domains to exclude from rewriting in addition to primary domain";
};
user = mkOption {
type = types.str;
default = "postsrsd";
@ -86,7 +110,7 @@ in {
path = [ pkgs.coreutils ];
serviceConfig = {
ExecStart = ''${pkgs.postsrsd}/sbin/postsrsd "-s${cfg.secretsFile}" "-d${cfg.domain}" -f${toString cfg.forwardPort} -r${toString cfg.reversePort}'';
ExecStart = ''${pkgs.postsrsd}/sbin/postsrsd "-s${cfg.secretsFile}" "-d${cfg.domain}" -a${cfg.separator} -f${toString cfg.forwardPort} -r${toString cfg.reversePort} -t${toString cfg.timeout} "-X${concatStringsSep "," cfg.excludeDomains}"'';
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;

2
nixos/modules/services/mail/rmilter.nix
View File

@ -203,7 +203,7 @@ milter_default_action = accept
PermissionsStartOnly = true;
Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryPermissions="0755";
RuntimeDirectoryMode = "0755";
};
};

3
nixos/modules/services/misc/dictd.nix
View File

@ -25,7 +25,8 @@ in
DBs = mkOption {
type = types.listOf types.package;
default = with pkgs.dictdDBs; [ wiktionary wordnet ];
example = [ pkgs.dictdDBs.nld2eng ];
defaultText = "with pkgs.dictdDBs; [ wiktionary wordnet ]";
example = literalExample "[ pkgs.dictdDBs.nld2eng ]";
description = ''List of databases to make available.'';
};

1
nixos/modules/services/misc/disnix.nix
View File

@ -41,6 +41,7 @@ in
type = types.path;
description = "The Disnix package";
default = pkgs.disnix;
defaultText = "pkgs.disnix";
};
};

5
nixos/modules/services/misc/gitlab.nix
View File

@ -164,18 +164,21 @@ in {
packages.gitlab = mkOption {
type = types.package;
default = pkgs.gitlab;
defaultText = "pkgs.gitlab";
description = "Reference to the gitlab package";
};
packages.gitlab-shell = mkOption {
type = types.package;
default = pkgs.gitlab-shell;
defaultText = "pkgs.gitlab-shell";
description = "Reference to the gitlab-shell package";
};
packages.gitlab-workhorse = mkOption {
type = types.package;
default = pkgs.gitlab-workhorse;
defaultText = "pkgs.gitlab-workhorse";
description = "Reference to the gitlab-workhorse package";
};
@ -425,7 +428,7 @@ in {
TimeoutSec = "300";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -q post_receive -q mailers -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
};
};

48
nixos/modules/services/misc/matrix-synapse.nix
View File

@ -59,7 +59,12 @@ uploads_path: "/var/lib/matrix-synapse/uploads"
max_upload_size: "${cfg.max_upload_size}"
max_image_pixels: "${cfg.max_image_pixels}"
dynamic_thumbnails: ${fromBool cfg.dynamic_thumbnails}
url_preview_enabled: False
url_preview_enabled: ${fromBool cfg.url_preview_enabled}
${optionalString (cfg.url_preview_enabled == true) ''
url_preview_ip_range_blacklist: ${builtins.toJSON cfg.url_preview_ip_range_blacklist}
url_preview_ip_range_whitelist: ${builtins.toJSON cfg.url_preview_ip_range_whitelist}
url_preview_url_blacklist: ${builtins.toJSON cfg.url_preview_url_blacklist}
''}
recaptcha_private_key: "${cfg.recaptcha_private_key}"
recaptcha_public_key: "${cfg.recaptcha_public_key}"
enable_registration_captcha: ${fromBool cfg.enable_registration_captcha}
@ -355,6 +360,47 @@ in {
default = "10K";
description = "Number of events to cache in memory.";
};
url_preview_enabled = mkOption {
type = types.bool;
default = false;
description = ''
Is the preview URL API enabled? If enabled, you *must* specify an
explicit url_preview_ip_range_blacklist of IPs that the spider is
denied from accessing.
'';
};
url_preview_ip_range_blacklist = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of IP address CIDR ranges that the URL preview spider is denied
from accessing.
'';
};
url_preview_ip_range_whitelist = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of IP address CIDR ranges that the URL preview spider is allowed
to access even if they are specified in
url_preview_ip_range_blacklist.
'';
};
url_preview_url_blacklist = mkOption {
type = types.listOf types.str;
default = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"169.254.0.0/16"
];
description = ''
Optional list of URL matches that the URL preview spider is
denied from accessing.
'';
};
recaptcha_private_key = mkOption {
type = types.str;
default = "";

4
nixos/modules/services/misc/nix-daemon.nix
View File

@ -172,8 +172,8 @@ in
sshKey = "/root/.ssh/id_buildfarm";
system = "x86_64-linux";
maxJobs = 2;
supportedFeatures = "kvm";
mandatoryFeatures = "perf";
supportedFeatures = [ "kvm" ];
mandatoryFeatures = [ "perf" ];
}
];
description = ''

35
nixos/modules/services/misc/parsoid.nix
View File

@ -6,20 +6,21 @@ let
cfg = config.services.parsoid;
conf = ''
exports.setup = function( parsoidConfig ) {
${toString (mapAttrsToList (name: str: "parsoidConfig.setInterwiki('${name}', '${str}');") cfg.interwikis)}
parsoidConfig.serverInterface = "${cfg.interface}";
parsoidConfig.serverPort = ${toString cfg.port};
parsoidConfig.useSelser = true;
${cfg.extraConfig}
confTree = {
worker_heartbeat_timeout = 300000;
logging = { level = "info"; };
services = [{
module = "lib/index.js";
entrypoint = "apiServiceWorker";
conf = {
mwApis = map (x: if isAttrs x then x else { uri = x; }) cfg.wikis;
serverInterface = cfg.interface;
serverPort = cfg.port;
};
}];
};
'';
confFile = builtins.toFile "localsettings.js" conf;
confFile = pkgs.writeText "config.yml" (builtins.toJSON (recursiveUpdate confTree cfg.extraConfig));
in
{
@ -38,9 +39,9 @@ in
'';
};
interwikis = mkOption {
type = types.attrsOf types.str;
example = { localhost = "http://localhost/api.php"; };
wikis = mkOption {
type = types.listOf (types.either types.str types.attrs);
example = [ "http://localhost/api.php" ];
description = ''
Used MediaWiki API endpoints.
'';
@ -71,8 +72,8 @@ in
};
extraConfig = mkOption {
type = types.lines;
default = "";
type = types.attrs;
default = {};
description = ''
Extra configuration to add to parsoid configuration.
'';

5
nixos/modules/services/monitoring/collectd.nix
View File

@ -9,7 +9,7 @@ let
BaseDir "${cfg.dataDir}"
PIDFile "${cfg.pidFile}"
AutoLoadPlugin ${if cfg.autoLoadPlugin then "true" else "false"}
Hostname ${config.networking.hostName}
Hostname "${config.networking.hostName}"
LoadPlugin syslog
<Plugin "syslog">
@ -108,7 +108,8 @@ in {
};
preStart = ''
mkdir -m 0700 -p ${cfg.dataDir}
mkdir -p ${cfg.dataDir}
chmod 755 ${cfg.dataDir}
install -D /dev/null ${cfg.pidFile}
if [ "$(id -u)" = 0 ]; then
chown -R ${cfg.user} ${cfg.dataDir};

19
nixos/modules/services/monitoring/prometheus/default.nix
View File

@ -25,9 +25,16 @@ let
scrape_configs = cfg.scrapeConfigs;
};
generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig;
prometheusYml =
if cfg.configText != null then
pkgs.writeText "prometheus.yml" cfg.configText
else generatedPrometheusYml;
cmdlineArgs = cfg.extraFlags ++ [
"-storage.local.path=${cfg.dataDir}/metrics"
"-config.file=${writePrettyJSON "prometheus.yml" promConfig}"
"-config.file=${prometheusYml}"
"-web.listen-address=${cfg.listenAddress}"
"-alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}"
"-alertmanager.timeout=${toString cfg.alertmanagerTimeout}s"
@ -359,6 +366,16 @@ in {
'';
};
configText = mkOption {
type = types.nullOr types.lines;
default = null;
description = ''
If non-null, this option defines the text that is written to
prometheus.yml. If null, the contents of prometheus.yml is generated
from the structured config options.
'';
};
globalConfig = mkOption {
type = promTypes.globalConfig;
default = {};

14
nixos/modules/services/network-filesystems/ipfs.nix
View File

@ -47,6 +47,18 @@ in
'';
};
gatewayAddress = mkOption {
type = types.str;
default = "/ip4/127.0.0.1/tcp/8080";
description = "Where the IPFS Gateway can be reached";
};
apiAddress = mkOption {
type = types.str;
default = "/ip4/127.0.0.1/tcp/5001";
description = "Where IPFS exposes its API to";
};
enableGC = mkOption {
type = types.bool;
default = false;
@ -98,6 +110,8 @@ in
cd ${cfg.dataDir}
${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c "${ipfs}/bin/ipfs init"
fi
${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c "${ipfs}/bin/ipfs config Addresses.API ${cfg.apiAddress}"
${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c "${ipfs}/bin/ipfs config Addresses.Gateway ${cfg.gatewayAddress}"
'';
serviceConfig = {

76
nixos/modules/services/network-filesystems/tahoe.nix
View File

@ -138,6 +138,45 @@ in
'';
};
helper.enable = mkEnableOption "helper service";
sftpd.enable = mkEnableOption "SFTP service";
sftpd.port = mkOption {
default = null;
type = types.nullOr types.int;
description = ''
The port on which the SFTP server will listen.
This is the correct setting to tweak if you want Tahoe's SFTP
daemon to listen on a different port.
'';
};
sftpd.hostPublicKeyFile = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
Path to the SSH host public key.
'';
};
sftpd.hostPrivateKeyFile = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
Path to the SSH host private key.
'';
};
sftpd.accounts.file = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
Path to the accounts file.
'';
};
sftpd.accounts.url = mkOption {
default = null;
type = types.nullOr types.str;
description = ''
URL of the accounts server.
'';
};
package = mkOption {
default = pkgs.tahoelafs;
defaultText = "pkgs.tahoelafs";
@ -194,6 +233,12 @@ in
serviceConfig = {
Type = "simple";
PIDFile = pidfile;
# Believe it or not, Tahoe is very brittle about the order of
# arguments to $(tahoe start). The node directory must come first,
# and arguments which alter Twisted's behavior come afterwards.
ExecStart = ''
${settings.package}/bin/tahoe start ${nodedir} -n -l- --pidfile=${pidfile}
'';
};
preStart = ''
if [ \! -d ${nodedir} ]; then
@ -209,12 +254,6 @@ in
# ln -s /etc/tahoe-lafs/introducer-${node}.cfg ${nodedir}/tahoe.cfg
cp /etc/tahoe-lafs/introducer-${node}.cfg ${nodedir}/tahoe.cfg
'';
# Believe it or not, Tahoe is very brittle about the order of
# arguments to $(tahoe start). The node directory must come first,
# and arguments which alter Twisted's behavior come afterwards.
script = ''
tahoe start ${nodedir} -n -l- --pidfile=${pidfile}
'';
});
users.extraUsers = flip mapAttrs' cfg.introducers (node: _:
nameValuePair "tahoe.introducer-${node}" {
@ -256,6 +295,19 @@ in
[helper]
enabled = ${if settings.helper.enable then "true" else "false"}
[sftpd]
enabled = ${if settings.sftpd.enable then "true" else "false"}
${optionalString (settings.sftpd.port != null)
"port = ${toString settings.sftpd.port}"}
${optionalString (settings.sftpd.hostPublicKeyFile != null)
"host_pubkey_file = ${settings.sftpd.hostPublicKeyFile}"}
${optionalString (settings.sftpd.hostPrivateKeyFile != null)
"host_privkey_file = ${settings.sftpd.hostPrivateKeyFile}"}
${optionalString (settings.sftpd.accounts.file != null)
"accounts.file = ${settings.sftpd.accounts.file}"}
${optionalString (settings.sftpd.accounts.url != null)
"accounts.url = ${settings.sftpd.accounts.url}"}
'';
});
# Actually require Tahoe, so that we will have it installed.
@ -281,6 +333,12 @@ in
serviceConfig = {
Type = "simple";
PIDFile = pidfile;
# Believe it or not, Tahoe is very brittle about the order of
# arguments to $(tahoe start). The node directory must come first,
# and arguments which alter Twisted's behavior come afterwards.
ExecStart = ''
${settings.package}/bin/tahoe start ${nodedir} -n -l- --pidfile=${pidfile}
'';
};
preStart = ''
if [ \! -d ${nodedir} ]; then
@ -296,12 +354,6 @@ in
# ln -s /etc/tahoe-lafs/${node}.cfg ${nodedir}/tahoe.cfg
cp /etc/tahoe-lafs/${node}.cfg ${nodedir}/tahoe.cfg
'';
# Believe it or not, Tahoe is very brittle about the order of
# arguments to $(tahoe start). The node directory must come first,
# and arguments which alter Twisted's behavior come afterwards.
script = ''
tahoe start ${nodedir} -n -l- --pidfile=${pidfile}
'';
});
users.extraUsers = flip mapAttrs' cfg.nodes (node: _:
nameValuePair "tahoe.${node}" {

13
nixos/modules/services/network-filesystems/yandex-disk.nix
View File

@ -55,6 +55,15 @@ in
description = "The directory to use for Yandex.Disk storage";
};
excludes = mkOption {
default = "";
type = types.string;
example = "data,backup";
description = ''
Comma-separated list of directories which are excluded from synchronization.
'';
};
};
};
@ -86,7 +95,7 @@ in
chown ${u} ${dir}
if ! test -d "${cfg.directory}" ; then
mkdir -p -m 755 ${cfg.directory} ||
(mkdir -p -m 755 ${cfg.directory} && chown ${u} ${cfg.directory}) ||
exit 1
fi
@ -94,7 +103,7 @@ in
-c '${pkgs.yandex-disk}/bin/yandex-disk token -p ${cfg.password} ${cfg.username} ${dir}/token'
${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${u} \
-c '${pkgs.yandex-disk}/bin/yandex-disk start --no-daemon -a ${dir}/token -d ${cfg.directory}'
-c '${pkgs.yandex-disk}/bin/yandex-disk start --no-daemon -a ${dir}/token -d ${cfg.directory} --exclude-dirs=${cfg.excludes}'
'';
};

92
nixos/modules/services/networking/bird.nix
View File

@ -1,76 +1,68 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkEnableOption mkIf mkOption singleton types;
inherit (pkgs) bird;
cfg = config.services.bird;
inherit (lib) mkEnableOption mkIf mkOption types;
configFile = pkgs.writeText "bird.conf" ''
${cfg.config}
generic = variant:
let
cfg = config.services.${variant};
pkg = pkgs.${variant};
birdc = if variant == "bird6" then "birdc6" else "birdc";
configFile = pkgs.stdenv.mkDerivation {
name = "${variant}.conf";
text = cfg.config;
preferLocalBuild = true;
buildCommand = ''
echo -n "$text" > $out
${pkg}/bin/${variant} -d -p -c $out
'';
in
{
};
in {
###### interface
options = {
services.bird = {
services.${variant} = {
enable = mkEnableOption "BIRD Internet Routing Daemon";
config = mkOption {
type = types.string;
type = types.lines;
description = ''
BIRD Internet Routing Daemon configuration file.
<link xlink:href='http://bird.network.cz/'/>
'';
};
user = mkOption {
type = types.string;
default = "bird";
description = ''
BIRD Internet Routing Daemon user.
'';
};
group = mkOption {
type = types.string;
default = "bird";
description = ''
BIRD Internet Routing Daemon group.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
users.extraUsers = singleton {
name = cfg.user;
description = "BIRD Internet Routing Daemon user";
uid = config.ids.uids.bird;
group = cfg.group;
};
users.extraGroups = singleton {
name = cfg.group;
gid = config.ids.gids.bird;
};
systemd.services.bird = {
systemd.services.${variant} = {
description = "BIRD Internet Routing Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${bird}/bin/bird -d -c ${configFile} -s /var/run/bird.ctl -u ${cfg.user} -g ${cfg.group}";
Type = "forking";
Restart = "on-failure";
ExecStart = "${pkg}/bin/${variant} -c ${configFile} -u ${variant} -g ${variant}";
ExecReload = "${pkg}/bin/${birdc} configure";
ExecStop = "${pkg}/bin/${birdc} down";
CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID"
# see bird/sysdep/linux/syspriv.h
"CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
ProtectSystem = "full";
ProtectHome = "yes";
SystemCallFilter="~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
MemoryDenyWriteExecute = "yes";
};
};
users = {
extraUsers.${variant} = {
description = "BIRD Internet Routing Daemon user";
group = "${variant}";
};
extraGroups.${variant} = {};
};
};
};
inherit (config.services) bird bird6;
in {
imports = [(generic "bird") (generic "bird6")];
}

4
nixos/modules/services/networking/chrony.nix
View File

@ -31,7 +31,7 @@ in
};
servers = mkOption {
default = config.services.ntp.servers;
default = config.networking.timeServers;
description = ''
The set of NTP servers from which to synchronise.
'';
@ -102,7 +102,7 @@ in
home = stateDir;
};
systemd.services.ntpd.enable = mkForce false;
systemd.services.timesyncd.enable = mkForce false;
systemd.services.chronyd =
{ description = "chrony NTP daemon";

56
nixos/modules/services/networking/cjdns.nix
View File

@ -19,30 +19,21 @@ let
type = types.str;
description = "Public key at the opposite end of the tunnel.";
};
hostname = mkOption {
default = "";
example = "foobar.hype";
type = types.str;
description = "Optional hostname to add to /etc/hosts; prevents reverse lookup failures.";
};
};
};
# Additional /etc/hosts entries for peers with an associated hostname
cjdnsExtraHosts = import (pkgs.runCommand "cjdns-hosts" {}
# Generate a builder that produces an output usable as a Nix string value
''
exec >$out
echo \'\'
${concatStringsSep "\n" (mapAttrsToList (k: v:
optionalString (v.hostname != "")
"echo $(${pkgs.cjdns}/bin/publictoip6 ${v.publicKey}) ${v.hostname}")
(cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo))}
echo \'\'
'');
parseModules = x:
x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; };
# check for the required attributes, otherwise
# permit attributes not undefined here
checkPeers = x:
x // {
connectTo = mapAttrs
(name: value:
if !hasAttr "publicKey" value then abort "cjdns peer ${name} missing a publicKey" else
if !hasAttr "password" value then abort "cjdns peer ${name} missing a password" else
value
)
x.connectTo;
};
# would be nice to merge 'cfg' with a //,
# but the json nesting is wacky.
@ -53,8 +44,8 @@ let
};
authorizedPasswords = map (p: { password = p; }) cfg.authorizedPasswords;
interfaces = {
ETHInterface = if (cfg.ETHInterface.bind != "") then [ (parseModules cfg.ETHInterface) ] else [ ];
UDPInterface = if (cfg.UDPInterface.bind != "") then [ (parseModules cfg.UDPInterface) ] else [ ];
ETHInterface = if (cfg.ETHInterface.bind != "") then [ (checkPeers cfg.ETHInterface) ] else [ ];
UDPInterface = if (cfg.UDPInterface.bind != "") then [ (checkPeers cfg.UDPInterface) ] else [ ];
};
privateKey = "@CJDNS_PRIVATE_KEY@";
@ -134,11 +125,11 @@ in
'';
};
connectTo = mkOption {
type = types.attrsOf ( types.submodule ( connectToSubmodule ) );
type = types.attrsOf (types.attrsOf types.str);
default = { };
example = {
"192.168.1.1:27313" = {
hostname = "homer.hype";
user = "foobar";
password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
};
@ -179,11 +170,11 @@ in
};
connectTo = mkOption {
type = types.attrsOf ( types.submodule ( connectToSubmodule ) );
type = types.attrsOf (types.attrsOf types.str);
default = { };
example = {
"01:02:03:04:05:06" = {
hostname = "homer.hype";
user = "foobar";
password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
};
@ -207,8 +198,9 @@ in
systemd.services.cjdns = {
description = "cjdns: routing engine designed for security, scalability, speed and ease of use";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" "sleep.target"];
after = [ "network-online.target" ];
bindsTo = [ "network-online.target" ];
preStart = if cfg.confFile != null then "" else ''
[ -e /etc/cjdns.keys ] && source /etc/cjdns.keys
@ -244,7 +236,9 @@ in
serviceConfig = {
Type = "forking";
Restart = "on-failure";
Restart = "always";
StartLimitInterval = 0;
RestartSec = 1;
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
ProtectSystem = "full";
@ -254,8 +248,6 @@ in
};
};
networking.extraHosts = cjdnsExtraHosts;
assertions = [
{ assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile != null );
message = "Neither cjdns.ETHInterface.bind nor cjdns.UDPInterface.bind defined.";

61
nixos/modules/services/networking/dante.nix Normal file
View File

@ -0,0 +1,61 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dante;
confFile = pkgs.writeText "dante-sockd.conf" ''
user.privileged: root
user.unprivileged: dante
${cfg.config}
'';
in
{
meta = {
maintainers = with maintainers; [ arobyn ];
};
options = {
services.dante = {
enable = mkEnableOption "Dante SOCKS proxy";
config = mkOption {
default = null;
type = types.nullOr types.str;
description = ''
Contents of Dante's configuration file
NOTE: user.privileged/user.unprivileged are set by the service
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.config != null;
message = "please provide Dante configuration file contents";
}
];
users.users.dante = {
description = "Dante SOCKS proxy daemon user";
isSystemUser = true;
group = "dante";
};
users.groups.dante = {};
systemd.services.dante = {
description = "Dante SOCKS v4 and v5 compatible proxy server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.dante}/bin/sockd -f ${confFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
};
};
};
}

63
nixos/modules/services/networking/fakeroute.nix Normal file
View File

@ -0,0 +1,63 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.fakeroute;
routeConf = pkgs.writeText "route.conf" (concatStringsSep "\n" cfg.route);
in
{
###### interface
options = {
services.fakeroute = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the fakeroute service.
'';
};
route = mkOption {
type = types.listOf types.str;
default = [];
example = [
"216.102.187.130"
"4.0.1.122"
"198.116.142.34"
"63.199.8.242"
];
description = ''
Fake route that will appear after the real
one to any host running a traceroute.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
systemd.services.fakeroute = {
description = "Fakeroute Daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
User = "root";
ExecStart = "${pkgs.fakeroute}/bin/fakeroute -f ${routeConf}";
};
};
};
}

1
nixos/modules/services/networking/ferm.nix
View File

@ -51,6 +51,7 @@ in {
before = [ "network-pre.target" ];
wants = [ "network-pre.target" ];
wantedBy = [ "multi-user.target" ];
reloadIfChanged = true;
serviceConfig = {
Type="oneshot";
RemainAfterExit = "yes";

Some files were not shown because too many files have changed in this diff Show More