diff --git a/modules/installer/tools/nixos-rebuild.sh b/modules/installer/tools/nixos-rebuild.sh
index fb26279e7c7..16ec49bde9b 100644
--- a/modules/installer/tools/nixos-rebuild.sh
+++ b/modules/installer/tools/nixos-rebuild.sh
@@ -141,7 +141,7 @@ fi
 if nixos=$(nix-instantiate --find-file nixos "${extraBuildFlags[@]}"); then
     suffix=$(@shell@ $nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}")
     if [ -n "$suffix" ]; then
-        echo -n "$suffix" > "$nixos/.version-suffix"
+        echo -n "$suffix" > "$nixos/.version-suffix" || true
     fi
 fi
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 7739f2df6f6..93a868f5f0d 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -189,6 +189,7 @@
   ./services/web-servers/apache-httpd/default.nix
   ./services/web-servers/jboss/default.nix
   ./services/web-servers/lighttpd/default.nix
+  ./services/web-servers/lighttpd/cgit.nix
   ./services/web-servers/lighttpd/gitweb.nix
   ./services/web-servers/nginx/default.nix
   ./services/web-servers/tomcat.nix
diff --git a/modules/services/misc/disnix.nix b/modules/services/misc/disnix.nix
index 8d04c81ad68..c50af6fb095 100644
--- a/modules/services/misc/disnix.nix
+++ b/modules/services/misc/disnix.nix
@@ -119,12 +119,13 @@ in
     jobs = {
       disnix = {
         description = "Disnix server";
-
-        startOn = "started dbus"
-          + optionalString config.services.httpd.enable " and started httpd"
-          + optionalString config.services.mysql.enable " and started mysql"
-          + optionalString config.services.tomcat.enable " and started tomcat"
-          + optionalString config.services.svnserve.enable " and started svnserve";
+
+        wantedBy = [ "multi-user.target" ];
+        after = [ "dbus.service" ]
+          ++ optional config.services.httpd.enable "httpd.service"
+          ++ optional config.services.mysql.enable "mysql.service"
+          ++ optional config.services.tomcat.enable "tomcat.service"
+          ++ optional config.services.svnserve.enable "svnserve.service";
         restartIfChanged = false;
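Review bot: The added `|| true` on `echo -n "$suffix" > "$nixos/.version-suffix"` masks every failure of that write, including a genuine permission problem, and the hunk does not say why it is acceptable. The likely reason is that `$nixos` may resolve to a read-only checkout or a store path, and a comment should state that, e.g. `# Ignore failure: $nixos may be read-only (e.g. a store path).`. If that is the intent, consider also adding `2>/dev/null` to the redirect so a failed write does not print a confusing "Permission denied" on every rebuild. Both enclosing `if` blocks close within the hunk.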
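Review bot: The new `after` list only orders the disnix unit behind `dbus.service`, `httpd.service`, `mysql.service`, `tomcat.service` and `svnserve.service`; unlike the removed upstart `startOn` it neither waits for nor pulls in those units, so the semantics changed from "start when these are up" to "if these start in the same transaction, start after them". That is probably fine because each name is only added when its module is enabled, but the unit names are assumed to match what those modules actually define, which is worth confirming for mysql and svnserve. A one-line comment would make the intent explicit: `# Ordering only (no wants/requires): each unit is listed only when its module enables it.`. The enclosing `jobs.disnix` definition continues outside the hunk.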
diff --git a/modules/services/networking/openvpn.nix b/modules/services/networking/openvpn.nix
index 63b6cc90f07..1e862591406 100644
--- a/modules/services/networking/openvpn.nix
+++ b/modules/services/networking/openvpn.nix
@@ -49,7 +49,7 @@ let
     in {
       description = "OpenVPN instance ‘${name}’";
-      wantedBy = optional cfg.autoStart [ "multi-user.target" ];
+      wantedBy = optional cfg.autoStart "multi-user.target";
       after = [ "network-interfaces.target" ];
       path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];
diff --git a/modules/services/scheduling/atd.nix b/modules/services/scheduling/atd.nix
index 68bc6f6466f..88bec2cb2f3 100644
--- a/modules/services/scheduling/atd.nix
+++ b/modules/services/scheduling/atd.nix
@@ -17,7 +17,7 @@ in
   options = {
     services.atd.enable = mkOption {
-      default = true;
+      default = false;
       description = ''
         Whether to enable the `at' daemon, a command scheduler.
       '';
diff --git a/modules/services/security/tor.nix b/modules/services/security/tor.nix
index ebbe1569576..2dafb4595c6 100644
--- a/modules/services/security/tor.nix
+++ b/modules/services/security/tor.nix
@@ -135,7 +135,9 @@ in
         A bridge relay can't be an exit relay.
-        You need to set enableRelay to true for this option to take effect.
+        You need to set relay.enable to true for this option to take effect.
+
+        The bridge is set up with an obfuscated transport proxy.
         See https://www.torproject.org/bridges.html.en for more info.
       '';
@@ -278,7 +280,10 @@ in
       ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
       ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
       ${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"}
-      ${if cfg.relay.isBridge then "BridgeRelay 1" else ""}
+      ${if cfg.relay.isBridge then ''
+        BridgeRelay 1
+        ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
+      '' else ""}
     '';
     services.tor.client.privoxy.config = ''
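Review bot: The new `ServerTransportPlugin obfs2,obfs3 exec …/obfsproxy managed` line in the second tor.nix hunk is emitted for every bridge, so there is no way to run a plain (non-obfuscated) bridge, and `obfs2` is generally regarded as obsolete because its handshake is easy to fingerprint, which operators should know before exposing it. At minimum the description changed in the first tor.nix hunk should name what is actually configured, e.g. `The bridge is set up with an obfuscated transport proxy (obfsproxy, transports obfs2 and obfs3).`; a follow-up could make the transport list an option. A short comment above the new line would also record that the obfsproxy binary is referenced by absolute store path and therefore need not be in the service's `path`. The `services.tor.config` string edited here continues outside the hunk.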
diff --git a/modules/services/torrent/transmission.nix b/modules/services/torrent/transmission.nix
index 02ec25d1294..4c989f09fea 100644
--- a/modules/services/torrent/transmission.nix
+++ b/modules/services/torrent/transmission.nix
@@ -89,6 +89,11 @@ in
         description = "TCP port number to run the RPC/web interface.";
       };
+      apparmor = mkOption {
+        type = types.uniq types.bool;
+        default = true;
+        description = "Generate apparmor profile for transmission-daemon.";
+      };
     };
   };
@@ -99,13 +104,15 @@ in
     systemd.services.transmission = {
       description = "Transmission BitTorrent Daemon";
-      after = [ "network.target" ];
+      after = [ "network.target" ] ++ optional (config.security.apparmor.enable && cfg.apparmor) "apparmor.service";
+      requires = mkIf (config.security.apparmor.enable && cfg.apparmor) [ "apparmor.service" ];
       wantedBy = [ "multi-user.target" ];
+
       # 1) Only the "transmission" user and group have access to torrents.
       # 2) Optionally update/force specific fields into the configuration file.
       serviceConfig.ExecStartPre =
-        if config.services.transmission.settings != {} then ''
-          ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs config.services.transmission.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
+        if cfg.settings != {} then ''
+          ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs cfg.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
         '' else ''
           ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir}"
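Review bot: The `apparmor` option's description does not say that the profile is only generated when `security.apparmor.enable` is also true, which the `config.security.apparmor.enable && cfg.apparmor` guard in the next hunk turns into a silent precondition; with `default = true` a user who sets only `services.transmission.apparmor` gets no confinement and no warning. Suggest `description = "Generate an AppArmor profile for transmission-daemon (only effective when security.apparmor.enable is true).";`. In the service hunk the `requires` plus `after` pairing on `apparmor.service` is the right way to ensure the profile is loaded first, and a one-line comment saying so would spare the next reader from wondering why both are present.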
@@ -129,6 +136,37 @@ in
     users.extraGroups.transmission = {};
+    # AppArmor profile
+    security.apparmor.profiles = mkIf (config.security.apparmor.enable && cfg.apparmor) [
+      (pkgs.writeText "apparmor-transmission-daemon" ''
+        #include
+
+        ${pkgs.transmission}/bin/transmission-daemon {
+          #include
+          #include
+
+          ${pkgs.glibc}/lib/*.so mr,
+          ${pkgs.libevent}/lib/libevent*.so* mr,
+          ${pkgs.curl}/lib/libcurl*.so* mr,
+          ${pkgs.openssl}/lib/libssl*.so* mr,
+          ${pkgs.openssl}/lib/libcrypto*.so* mr,
+          ${pkgs.zlib}/lib/libz*.so* mr,
+          ${pkgs.libssh2}/lib/libssh2*.so* mr,
+
+          @{PROC}/sys/kernel/random/uuid r,
+          @{PROC}/sys/vm/overcommit_memory r,
+
+          ${pkgs.transmission}/share/transmission/** r,
+
+          owner ${settingsDir}/** rw,
+
+          ${cfg.settings.download-dir}/** rw,
+          ${optionalString cfg.settings.incomplete-dir-enabled ''
+            ${cfg.settings.incomplete-dir}/** rw,
+          ''}
+        }
+      '')
+    ];
   };
 }
diff --git a/modules/services/web-servers/lighttpd/cgit.nix b/modules/services/web-servers/lighttpd/cgit.nix
new file mode 100644
index 00000000000..b22b05e305b
--- /dev/null
+++ b/modules/services/web-servers/lighttpd/cgit.nix
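Review bot: `${cfg.settings.download-dir}`, `cfg.settings.incomplete-dir-enabled` and `${cfg.settings.incomplete-dir}` are dereferenced unconditionally inside the profile, so evaluation fails with a missing-attribute error for anyone who leaves the (default-on) profile enabled without setting those keys in `services.transmission.settings`, unless the module gives them defaults outside this diff. Guard them, e.g. `${optionalString (cfg.settings ? download-dir) "${cfg.settings.download-dir}/** rw,"}` and `${optionalString (cfg.settings.incomplete-dir-enabled or false) …}`. Separately, the three `#include` directives appear on this page without their targets (the angle-bracketed names were probably stripped in rendering); since the profile uses `@{PROC}`, which `tunables/global` defines, the committed file should be checked to carry that include. A header comment stating that the profile is keyed to the exact `${pkgs.transmission}` store path, and therefore changes on every package rebuild, would also help.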
@@ -0,0 +1,71 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+  cfg = config.services.lighttpd.cgit;
+  configFile = pkgs.writeText "cgitrc"
+    ''
+      ${cfg.configText}
+    '';
+in
+{
+
+  options.services.lighttpd.cgit = {
+
+    enable = mkOption {
+      default = false;
+      type = types.uniq types.bool;
+      description = ''
+        If true, enable cgit (fast web interface for git repositories) as a
+        sub-service in lighttpd. cgit will be accessible at
+        http://yourserver/cgit
+      '';
+    };
+
+    configText = mkOption {
+      default = "";
+      example = ''
+        cache-size=1000
+        scan-path=/srv/git
+      '';
+      type = types.string;
+      description = ''
+        Verbatim contents of the cgit runtime configuration file. Documentation
+        (with cgitrc example file) is available in "man cgitrc". Or online:
+        http://git.zx2c4.com/cgit/tree/cgitrc.5.txt
+      '';
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    # make the cgitrc manpage available
+    environment.systemPackages = [ pkgs.cgit ];
+
+    services.lighttpd.extraConfig = ''
+      server.modules += (
+        "mod_cgi",
+        "mod_alias",
+        "mod_setenv"
+      )
+
+      $HTTP["url"] =~ "^/cgit" {
+        cgi.assign = (
+          "cgit.cgi" => "${pkgs.cgit}/cgit/cgit.cgi"
+        )
+        alias.url = (
+          "/cgit.css" => "${pkgs.cgit}/cgit/cgit.css",
+          "/cgit.png" => "${pkgs.cgit}/cgit/cgit.png",
+          "/cgit" => "${pkgs.cgit}/cgit/cgit.cgi"
+        )
+        setenv.add-environment = (
+          "CGIT_CONFIG" => "${configFile}"
+        )
+      }
+    '';
+
+  };
+
+}
diff --git a/modules/services/web-servers/lighttpd/default.nix b/modules/services/web-servers/lighttpd/default.nix
index 1d1cd6fa178..5ed32d0147c 100644
--- a/modules/services/web-servers/lighttpd/default.nix
+++ b/modules/services/web-servers/lighttpd/default.nix
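Review bot: The `configText` description does not say where cgit's cache lives or who must own it: cgit's documented default `cache-root` is `/var/cache/cgit`, which the lighttpd `preStart` added elsewhere in this commit creates and chowns to `lighttpd`, so a user who sets a different `cache-root` in `configText` silently gets an unwritable cache. Add a sentence such as `The cache directory /var/cache/cgit is created by the lighttpd service; if you set cache-root to another path it must be writable by the lighttpd user.`. The option also uses `type = types.string;` while the gitweb.nix hunk in this same commit uses `types.uniq types.string` for the equivalent option; the two should agree. Finally, `$HTTP["url"] =~ "^/cgit"` is an unanchored prefix and `alias.url` maps the bare `/cgit` prefix to `cgit.cgi`, so every request starting with `/cgit` is handed to the CGI; that is presumably intended for `/cgit/...` paths, but a comment stating it would prevent a later "fix" that breaks `/cgit.css` and `/cgit.png`.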
@@ -131,6 +131,12 @@ in
       description = "Lighttpd Web Server";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        ${if cfg.cgit.enable then ''
+          mkdir -p /var/cache/cgit
+          chown lighttpd:lighttpd /var/cache/cgit
+        '' else ""}
+      '';
       serviceConfig.ExecStart = "${pkgs.lighttpd}/sbin/lighttpd -D -f ${configFile}";
       # SIGINT => graceful shutdown
       serviceConfig.KillSignal = "SIGINT";
diff --git a/modules/services/web-servers/lighttpd/gitweb.nix b/modules/services/web-servers/lighttpd/gitweb.nix
index 88c63064a04..3c710e5b09e 100644
--- a/modules/services/web-servers/lighttpd/gitweb.nix
+++ b/modules/services/web-servers/lighttpd/gitweb.nix
@@ -7,7 +7,9 @@ let
   gitwebConfigFile = pkgs.writeText "gitweb.conf" ''
     # path to git projects (.git)
     $projectroot = "${cfg.projectroot}";
+    ${cfg.extraConfig}
   '';
+
 in
 {
@@ -30,6 +32,14 @@ in
       '';
     };
+    extraConfig = mkOption {
+      default = "";
+      type = types.uniq types.string;
+      description = ''
+        Verbatim configuration text appended to the generated gitweb.conf file.
+      '';
+    };
+
   };
   config = mkIf cfg.enable {
diff --git a/modules/system/boot/loader/grub/grub.nix b/modules/system/boot/loader/grub/grub.nix
index 490502c5a36..1552d2cb102 100644
--- a/modules/system/boot/loader/grub/grub.nix
+++ b/modules/system/boot/loader/grub/grub.nix
@@ -6,7 +6,14 @@ let
   cfg = config.boot.loader.grub;
-  grub = if cfg.version == 1 then pkgs.grub else pkgs.grub2;
+  realGrub = if cfg.version == 1 then pkgs.grub else pkgs.grub2;
+
+  grub =
+    # Don't include GRUB if we're only generating a GRUB menu (e.g.,
+    # in EC2 instances).
+    if cfg.devices == ["nodev"]
+    then null
+    else realGrub;
   f = x: if x == null then "" else "" + x;
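Review bot: The new `preStart` nests `${if cfg.cgit.enable then '' … '' else ""}` inside another `''…''`, which yields a whitespace-only script whenever cgit is disabled; `preStart = optionalString cfg.cgit.enable '' … '';` expresses the same thing directly, assuming `pkgs.lib` is in scope in this file as it is in the sibling modules. The cache directory is also created with whatever umask the service runs under; since cgit writes rendered repository pages into `/var/cache/cgit`, consider following the `chown` with `chmod 750 /var/cache/cgit` on hosts where other local users should not be able to read repository content. A comment should record that the directory is cgit's default `cache-root` so the coupling to cgit.nix is visible. The enclosing `systemd.services.lighttpd` definition starts outside the hunk.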
@@ -14,8 +21,8 @@ let
     { splashImage = f config.boot.loader.grub.splashImage;
       grub = f grub;
       shell = "${pkgs.stdenv.shell}";
-      fullVersion = (builtins.parseDrvName config.system.build.grub.name).version;
-      inherit (config.boot.loader.grub)
+      fullVersion = (builtins.parseDrvName realGrub.name).version;
+      inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout default devices;
@@ -141,7 +148,7 @@ in
     splashImage = mkOption {
       default =
-        if config.boot.loader.grub.version == 1
+        if cfg.version == 1
         then pkgs.fetchurl {
           url = http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz;
           sha256 = "14kqdx2lfqvh40h6fjjzqgff1mwk74dmbjvmqphi6azzra7z8d59";
@@ -196,7 +203,7 @@ in
   ###### implementation
-  config = mkIf config.boot.loader.grub.enable {
+  config = mkIf cfg.enable {
     boot.loader.grub.devices = optional (cfg.device != "") cfg.device;
@@ -212,7 +219,7 @@ in
     # set at once.
     system.boot.loader.id = "grub";
-    environment.systemPackages = mkIf config.boot.loader.grub.enable [ grub ];
+    environment.systemPackages = [ grub ];
   };
diff --git a/modules/tasks/network-interfaces.nix b/modules/tasks/network-interfaces.nix
index cb0d17459ff..75f2e1af4be 100644
--- a/modules/tasks/network-interfaces.nix
+++ b/modules/tasks/network-interfaces.nix
@@ -244,6 +244,7 @@ in
       pkgs.iputils
       pkgs.nettools
       pkgs.wirelesstools
+      pkgs.iw
       pkgs.rfkill
       pkgs.openresolv
     ]
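Review bot: `environment.systemPackages = [ grub ];` in the last grub.nix hunk now puts `null` into the package list whenever `cfg.devices == ["nodev"]`, because the first grub.nix hunk in this commit defines `grub` as `null` in exactly that case; `f grub` in the template arguments tolerates the null, but this list does not, and a `null` element in `systemPackages` will presumably fail when the system path is built. Use `environment.systemPackages = optional (grub != null) grub;` (or `mkIf (grub != null) [ grub ]`), which also documents the menu-only case the comment on `grub` describes. Dropping the old `mkIf config.boot.loader.grub.enable` is fine since the whole `config` block is under `mkIf cfg.enable` after the third hunk.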
@@ -424,13 +425,17 @@ in
       // mapAttrs createBridgeDevice cfg.bridges
       // { "network-setup" = networkSetup; };
-    # Set the host name in the activation script. Don't clear it if
-    # it's not configured in the NixOS configuration, since it may
-    # have been set by dhclient in the meantime.
+    # Set the host and domain names in the activation script. Don't
+    # clear it if it's not configured in the NixOS configuration,
+    # since it may have been set by dhclient in the meantime.
     system.activationScripts.hostname =
       optionalString (config.networking.hostName != "") ''
         hostname "${config.networking.hostName}"
       '';
+    system.activationScripts.domain =
+      optionalString (config.networking.domain != "") ''
+        domainname "${config.networking.domain}"
+      '';
     services.udev.extraRules = ''
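Review bot: `domainname "${config.networking.domain}"` sets the kernel's NIS/YP domain name, not the DNS domain, so if `networking.domain` is meant as the DNS domain (the resolver search suffix) this activation script sets an unrelated value and the DNS domain is still only whatever dhclient or the resolver configuration supplies. If the NIS name is what is intended, the new comment should say so explicitly, e.g. `# Set the host name and the NIS domain name in the activation script.`, and "Don't clear it" should become "Don't clear them" now that two names are covered. The enclosing `config` block continues outside the hunk.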