From 7f9fc8d817de86084b08b33b001e96fd12f1ff9c Mon Sep 17 00:00:00 2001 From: "Ricardo M. Correia" Date: Tue, 21 May 2013 23:30:24 +0000 Subject: [PATCH 01/12] Set the domain name of the machine The domain name was not being set before, even if the administrator properly configured the networking.domain option in /etc/nixos/configuration.nix. --- modules/tasks/network-interfaces.nix | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/modules/tasks/network-interfaces.nix b/modules/tasks/network-interfaces.nix index cb0d17459ff..d7b1988fe8d 100644 --- a/modules/tasks/network-interfaces.nix +++ b/modules/tasks/network-interfaces.nix @@ -424,13 +424,17 @@ in // mapAttrs createBridgeDevice cfg.bridges // { "network-setup" = networkSetup; }; - # Set the host name in the activation script. Don't clear it if - # it's not configured in the NixOS configuration, since it may - # have been set by dhclient in the meantime. + # Set the host and domain names in the activation script. Don't + # clear it if it's not configured in the NixOS configuration, + # since it may have been set by dhclient in the meantime. system.activationScripts.hostname = optionalString (config.networking.hostName != "") '' hostname "${config.networking.hostName}" ''; + system.activationScripts.domain = + optionalString (config.networking.domain != "") '' + domainname "${config.networking.domain}" + ''; services.udev.extraRules = '' From 2e61811284e1116e1700bd505d95161ebf07bb9d Mon Sep 17 00:00:00 2001 From: "Ricardo M. Correia" Date: Tue, 28 May 2013 17:19:15 +0000 Subject: [PATCH 02/12] transmission: Add apparmor profile --- modules/services/torrent/transmission.nix | 40 +++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/modules/services/torrent/transmission.nix b/modules/services/torrent/transmission.nix index 02ec25d1294..742e5bee70c 100644 --- a/modules/services/torrent/transmission.nix +++ b/modules/services/torrent/transmission.nix 
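Review bot: The added `domainname "${config.networking.domain}"` in `system.activationScripts.domain` sets the kernel's NIS/YP domain name (net-tools/inetutils `domainname` calls setdomainname(2)), not the DNS domain that `networking.domain` is normally taken to mean, so resolver behaviour driven by `/etc/resolv.conf` or `/etc/hosts` is unchanged by this script. The comment above should say which name is meant, e.g. `# Set the NIS domain name from networking.domain; DNS search domains are handled by the resolver configuration.` The reworded comment also still says "Don't clear it" in the singular while two names are now handled: `# Set the host and domain names in the activation script. Don't clear them if they are not configured in the NixOS configuration, since dhclient may have set them in the meantime.` Whether anything on the system consumes the NIS domain is not visible from this hunk.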
@@ -89,6 +89,11 @@ in description = "TCP port number to run the RPC/web interface."; }; + apparmor = mkOption { + type = types.uniq types.bool; + default = true; + description = "Generate apparmor profile for transmission-daemon."; + }; }; }; @@ -104,8 +109,8 @@ in # 1) Only the "transmission" user and group have access to torrents. # 2) Optionally update/force specific fields into the configuration file. serviceConfig.ExecStartPre = - if config.services.transmission.settings != {} then '' - ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs config.services.transmission.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}" + if cfg.settings != {} then '' + ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs cfg.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}" '' else '' ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir}" @@ -129,6 +134,37 @@ in users.extraGroups.transmission = {}; + # AppArmor profile + security.apparmor.profiles = mkIf (config.security.apparmor.enable && cfg.apparmor) [ + (pkgs.writeText "apparmor-transmission-daemon" '' + #include + + ${pkgs.transmission}/bin/transmission-daemon { + #include + #include + + ${pkgs.glibc}/lib/*.so mr, + ${pkgs.libevent}/lib/libevent*.so* mr, + ${pkgs.curl}/lib/libcurl*.so* mr, + ${pkgs.openssl}/lib/libssl*.so* mr, + ${pkgs.openssl}/lib/libcrypto*.so* mr, + ${pkgs.zlib}/lib/libz*.so* mr, + ${pkgs.libssh2}/lib/libssh2*.so* mr, + + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/vm/overcommit_memory r, + + ${pkgs.transmission}/share/transmission/** r, + + owner ${settingsDir}/** rw, + + ${cfg.settings.download-dir}/** rw, + ${optionalString cfg.settings.incomplete-dir-enabled '' + ${cfg.settings.incomplete-dir}/** rw, + ''} + } + '') + ]; }; } 
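Review bot: The description of the new `apparmor` option does not say that the profile is only generated when `security.apparmor.enable` is also set, which is the condition the later `mkIf` in this file uses; a user who flips only this option gets nothing. Suggest `description = "Generate an AppArmor profile for transmission-daemon. Only effective when security.apparmor.enable is true.";`.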
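Review bot: The profile body reads `cfg.settings.download-dir` and `cfg.settings.incomplete-dir-enabled` unconditionally; unless the module's defaults for `settings` (outside this hunk) define both keys, a configuration that leaves them out fails to evaluate with a missing-attribute error, and a user who sets the download directory only in the on-disk settings.json gets a profile that denies the daemon writes to it. Guarding the two rules with `cfg.settings ? download-dir` and `(cfg.settings.incomplete-dir-enabled or false)` keeps evaluation working in both cases. The three `#include` lines also appear here without their bracketed argument, which looks like an extraction artefact of this page; worth confirming the committed file carries the intended AppArmor include paths, since an empty `#include` would make the profile fail to parse.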
From 0a0beadecd5bce5fca73baae2dc075d15f8dd85e Mon Sep 17 00:00:00 2001 From: "Ricardo M. Correia" Date: Tue, 28 May 2013 17:48:08 +0000 Subject: [PATCH 03/12] transmission: Add apparmor service dependency --- modules/services/torrent/transmission.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/services/torrent/transmission.nix b/modules/services/torrent/transmission.nix index 742e5bee70c..4c989f09fea 100644 --- a/modules/services/torrent/transmission.nix +++ b/modules/services/torrent/transmission.nix @@ -104,8 +104,10 @@ in systemd.services.transmission = { description = "Transmission BitTorrent Daemon"; - after = [ "network.target" ]; + after = [ "network.target" ] ++ optional (config.security.apparmor.enable && cfg.apparmor) "apparmor.service"; + requires = mkIf (config.security.apparmor.enable && cfg.apparmor) [ "apparmor.service" ]; wantedBy = [ "multi-user.target" ]; + # 1) Only the "transmission" user and group have access to torrents. # 2) Optionally update/force specific fields into the configuration file. serviceConfig.ExecStartPre = From 08eba4c114871e5f138263aecf0824c90a32a703 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Sat, 1 Jun 2013 11:38:49 +0200 Subject: [PATCH 04/12] atd: don't enable at daemon by default The at daemon doesn't work on NixOS [1], so enabling it by default doesn't seem useful. I'd argue that it shouldn't be enabled by default even if it worked, actually. [1] http://lists.science.uu.nl/pipermail/nix-dev/2013-April/011048.html --- modules/services/scheduling/atd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/scheduling/atd.nix b/modules/services/scheduling/atd.nix index 68bc6f6466f..88bec2cb2f3 100644 --- a/modules/services/scheduling/atd.nix +++ b/modules/services/scheduling/atd.nix 
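Review bot: The condition `config.security.apparmor.enable && cfg.apparmor` is now spelled out in the new `after` line, in the new `requires` line, and again in the `security.apparmor.profiles` `mkIf` from the previous commit; binding it once in the module's `let` (for example `apparmorEnabled = config.security.apparmor.enable && cfg.apparmor;`) keeps the three places from drifting. A comment would also help the reader: `# Order after apparmor.service so the profile is loaded before the daemon starts and it is confined from the first instruction.` The `let` block is outside this hunk.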
@@ -17,7 +17,7 @@ in options = { services.atd.enable = mkOption { - default = true; + default = false; description = '' Whether to enable the `at' daemon, a command scheduler. ''; From 70fd5422a7a0d17e1d2236a07fc2ae841f9bc9a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 2 Jun 2013 14:27:39 +0200 Subject: [PATCH 05/12] Adding iw to systemPackages. --- modules/tasks/network-interfaces.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/tasks/network-interfaces.nix b/modules/tasks/network-interfaces.nix index d7b1988fe8d..75f2e1af4be 100644 --- a/modules/tasks/network-interfaces.nix +++ b/modules/tasks/network-interfaces.nix @@ -244,6 +244,7 @@ in pkgs.iputils pkgs.nettools pkgs.wirelesstools + pkgs.iw pkgs.rfkill pkgs.openresolv ] From b1f82e428a58ffcb7d0582a2201726d0a1b8c55f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Fri, 31 May 2013 23:53:13 +0200 Subject: [PATCH 06/12] lighttpd: add cgit sub-service (cgit is "a hyperfast web frontend for git repositories written in C") cgit is enabled like this (assuming lighttpd is already enabled): services.lighttpd.cgit.enable = true; and configured verbatim like this (contents of the cgitrc file): services.lighttpd.cgit.configText = '' cache-size=1000 scan-path=/srv/git ''; cgit will be available from this URL: http://yourserver/cgit In lighttpd, I've ensured that the cache dir for cgit is created if cgit is enabled. --- modules/module-list.nix | 1 + .../services/web-servers/lighttpd/cgit.nix | 71 +++++++++++++++++++ .../services/web-servers/lighttpd/default.nix | 6 ++ 3 files changed, 78 insertions(+) create mode 100644 modules/services/web-servers/lighttpd/cgit.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index 7739f2df6f6..93a868f5f0d 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix 
@@ -189,6 +189,7 @@ ./services/web-servers/apache-httpd/default.nix ./services/web-servers/jboss/default.nix ./services/web-servers/lighttpd/default.nix + ./services/web-servers/lighttpd/cgit.nix ./services/web-servers/lighttpd/gitweb.nix ./services/web-servers/nginx/default.nix ./services/web-servers/tomcat.nix diff --git a/modules/services/web-servers/lighttpd/cgit.nix b/modules/services/web-servers/lighttpd/cgit.nix new file mode 100644 index 00000000000..b22b05e305b --- /dev/null +++ b/modules/services/web-servers/lighttpd/cgit.nix @@ -0,0 +1,71 @@ +{ config, pkgs, ... }: + +with pkgs.lib; + +let + cfg = config.services.lighttpd.cgit; + configFile = pkgs.writeText "cgitrc" + '' + ${cfg.configText} + ''; +in +{ + + options.services.lighttpd.cgit = { + + enable = mkOption { + default = false; + type = types.uniq types.bool; + description = '' + If true, enable cgit (fast web interface for git repositories) as a + sub-service in lighttpd. cgit will be accessible at + http://yourserver/cgit + ''; + }; + + configText = mkOption { + default = ""; + example = '' + cache-size=1000 + scan-path=/srv/git + ''; + type = types.string; + description = '' + Verbatim contents of the cgit runtime configuration file. Documentation + (with cgitrc example file) is available in "man cgitrc". Or online: + http://git.zx2c4.com/cgit/tree/cgitrc.5.txt + ''; + }; + + }; + + config = mkIf cfg.enable { + + # make the cgitrc manpage available + environment.systemPackages = [ pkgs.cgit ]; + + services.lighttpd.extraConfig = '' + server.modules += ( + "mod_cgi", + "mod_alias", + "mod_setenv" + ) + + $HTTP["url"] =~ "^/cgit" { + cgi.assign = ( + "cgit.cgi" => "${pkgs.cgit}/cgit/cgit.cgi" + ) + alias.url = ( + "/cgit.css" => "${pkgs.cgit}/cgit/cgit.css", + "/cgit.png" => "${pkgs.cgit}/cgit/cgit.png", + "/cgit" => "${pkgs.cgit}/cgit/cgit.cgi" + ) + setenv.add-environment = ( + "CGIT_CONFIG" => "${configFile}" + ) + } + ''; + + }; + +} 
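Review bot: The `server.modules += ( "mod_cgi", "mod_alias", "mod_setenv" )` in the new `services.lighttpd.extraConfig` is emitted by this sub-service on its own; if another sub-service (the sibling gitweb.nix listed next to it in module-list.nix) appends the same modules, lighttpd sees duplicate `server.modules` entries, which as far as I recall lighttpd 1.4 reports as already-loaded plugins rather than ignoring silently, so loading the shared modules once in default.nix would be safer. The `$HTTP["url"] =~ "^/cgit"` block is a prefix match and also covers paths such as `/cgitfoo`, which is harmless for the store-path alias but worth a comment. The `enable` description could also state that cgit runs as a CGI under the web server user, so repositories under the configured scan path presumably need to be readable by that user; confirm against default.nix, which is not in this hunk.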
diff --git a/modules/services/web-servers/lighttpd/default.nix b/modules/services/web-servers/lighttpd/default.nix index 1d1cd6fa178..5ed32d0147c 100644 --- a/modules/services/web-servers/lighttpd/default.nix +++ b/modules/services/web-servers/lighttpd/default.nix @@ -131,6 +131,12 @@ in description = "Lighttpd Web Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + preStart = '' + ${if cfg.cgit.enable then '' + mkdir -p /var/cache/cgit + chown lighttpd:lighttpd /var/cache/cgit + '' else ""} + ''; serviceConfig.ExecStart = "${pkgs.lighttpd}/sbin/lighttpd -D -f ${configFile}"; # SIGINT => graceful shutdown serviceConfig.KillSignal = "SIGINT"; From 3d48da72a99252580db03bf0df4d02c095a46a5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Sun, 2 Jun 2013 19:26:55 +0200 Subject: [PATCH 07/12] lighttpd: gitweb: add extraConfig option So that we can append custom configuration text to the end of the generated gitweb.conf file. --- modules/services/web-servers/lighttpd/gitweb.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/services/web-servers/lighttpd/gitweb.nix b/modules/services/web-servers/lighttpd/gitweb.nix index 88c63064a04..3c710e5b09e 100644 --- a/modules/services/web-servers/lighttpd/gitweb.nix +++ b/modules/services/web-servers/lighttpd/gitweb.nix @@ -7,7 +7,9 @@ let gitwebConfigFile = pkgs.writeText "gitweb.conf" '' # path to git projects (.git) $projectroot = "${cfg.projectroot}"; + ${cfg.extraConfig} ''; + in { @@ -30,6 +32,14 @@ in ''; }; + extraConfig = mkOption { + default = ""; + type = types.uniq types.string; + description = '' + Verbatim configuration text appended to the generated gitweb.conf file. + ''; + }; + }; config = mkIf cfg.enable { From e776c0623d95592256a5a6380113fa989e983541 Mon Sep 17 00:00:00 2001 
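Review bot: The new `preStart` wraps the cgit branch in `${if cfg.cgit.enable then '' ... '' else ""}`, which reads more naturally as `optionalString cfg.cgit.enable ''...''` if `pkgs.lib` is in scope in this file (not visible in the hunk), and `chown lighttpd:lighttpd /var/cache/cgit` runs on every start without setting a mode on the directory; `install -d -m 0750 -o lighttpd -g lighttpd /var/cache/cgit` creates, owns and restricts it in one step. A one-line comment naming why the directory exists would help: `# cgit writes its page cache under /var/cache/cgit; create it before the server starts.`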
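Review bot: The new `extraConfig` description calls the value "configuration text", but the generated gitweb.conf is Perl (the first hunk already writes `$projectroot = "...";` into it) and gitweb evaluates that file as code under the web server user, so the option carries arbitrary Perl; suggest `Verbatim Perl code appended to the generated gitweb.conf file; gitweb evaluates this file as Perl.` The type `types.uniq types.string` also differs from the plain `types.string` the sibling cgit.nix uses for the same kind of option in the same commit series; pick one for consistency.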
From: Sander van der Burg Date: Mon, 3 Jun 2013 01:34:22 +0200 Subject: [PATCH 08/12] Fixed disnix service to use systemd's dependency facilities --- modules/services/misc/disnix.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/modules/services/misc/disnix.nix b/modules/services/misc/disnix.nix index 8d04c81ad68..c50af6fb095 100644 --- a/modules/services/misc/disnix.nix +++ b/modules/services/misc/disnix.nix @@ -119,12 +119,13 @@ in jobs = { disnix = { description = "Disnix server"; - - startOn = "started dbus" - + optionalString config.services.httpd.enable " and started httpd" - + optionalString config.services.mysql.enable " and started mysql" - + optionalString config.services.tomcat.enable " and started tomcat" - + optionalString config.services.svnserve.enable " and started svnserve"; + + wantedBy = [ "multi-user.target" ]; + after = [ "dbus.service" ] + ++ optional config.services.httpd.enable "httpd.service" + ++ optional config.services.mysql.enable "mysql.service" + ++ optional config.services.tomcat.enable "tomcat.service" + ++ optional config.services.svnserve.enable "svnserve.service"; restartIfChanged = false; From 824b5b645a3d6cb3d937e7cc25d2fa47e6971df1 Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Sun, 2 Jun 2013 10:23:03 +0200 Subject: [PATCH 09/12] openvpn: fix type error either use - optional cond "target" or - optionals cond ["target1" "target2"] --- modules/services/networking/openvpn.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/networking/openvpn.nix b/modules/services/networking/openvpn.nix index 63b6cc90f07..1e862591406 100644 --- a/modules/services/networking/openvpn.nix +++ b/modules/services/networking/openvpn.nix 
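Review bot: The new `after = [ "dbus.service" ] ++ optional config.services.httpd.enable "httpd.service" ...` only orders disnix relative to those units; unlike the removed upstart `startOn`, nothing here pulls them in or makes disnix wait for them if they are not started on their own, and `wantedBy = [ "multi-user.target" ]` starts disnix at boot regardless. If the intent is the old "start once all of them are up" semantics, mirror the same list in `wants` (or `requires` when a missing dependency should fail the start). A short comment above `after` stating that these are ordering-only dependencies would make the choice explicit; the `jobs.disnix` definition continues outside the hunk.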
@@ -49,7 +49,7 @@ let in { description = "OpenVPN instance ‘${name}’"; - wantedBy = optional cfg.autoStart [ "multi-user.target" ]; + wantedBy = optional cfg.autoStart "multi-user.target"; after = [ "network-interfaces.target" ]; path = [ pkgs.iptables pkgs.iproute pkgs.nettools ]; From 6e6061e6b39b59127538f9b926c210d1a1951822 Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Tue, 4 Jun 2013 13:02:37 +0300 Subject: [PATCH 10/12] TOR: add obfsproxy support by default for TOR bridges --- modules/services/security/tor.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/services/security/tor.nix b/modules/services/security/tor.nix index ebbe1569576..2dafb4595c6 100644 --- a/modules/services/security/tor.nix +++ b/modules/services/security/tor.nix @@ -135,7 +135,9 @@ in A bridge relay can't be an exit relay. - You need to set enableRelay to true for this option to take effect. + You need to set relay.enable to true for this option to take effect. + + The bridge is set up with an obfuscated transport proxy. See https://www.torproject.org/bridges.html.en for more info. ''; @@ -278,7 +280,10 @@ in ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate} ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst} ${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"} - ${if cfg.relay.isBridge then "BridgeRelay 1" else ""} + ${if cfg.relay.isBridge then '' + BridgeRelay 1 + ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed + '' else ""} ''; services.tor.client.privoxy.config = '' From d210f30fa75fe6a06d5292f30251b8896d5ba0f6 Mon Sep 17 00:00:00 2001 
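Review bot: The torrc snippet hard-codes `ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed` whenever `cfg.relay.isBridge` is set, with no option to choose the transports, set a `ServerTransportListenAddr`, or opt out; in managed mode the transport, as far as I recall, binds its own port unless one is configured, so the bridge now also listens on a second port that the host firewall has to admit and the commit does not mention this. obfs2 was already documented by the Tor project as weaker than obfs3 around this time, so the transport list at least deserves to be an option with a documented default. The option description in the first hunk could add: `An obfsproxy pluggable transport (obfs2/obfs3) is started alongside the bridge; its listening port is chosen by the transport unless configured in extraConfig.`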
From: Eelco Dolstra Date: Tue, 4 Jun 2013 14:05:07 +0200 Subject: [PATCH 11/12] Omit GRUB if boot.loader.grub.device is set to "nodev" If we only need to generate a GRUB boot menu, we don't need GRUB itself. This cuts 38 MiB from EC2 system closures (in particular because it gets rid of the need for the 32-bit Glibc). --- modules/system/boot/loader/grub/grub.nix | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/modules/system/boot/loader/grub/grub.nix b/modules/system/boot/loader/grub/grub.nix index 490502c5a36..1552d2cb102 100644 --- a/modules/system/boot/loader/grub/grub.nix +++ b/modules/system/boot/loader/grub/grub.nix @@ -6,7 +6,14 @@ let cfg = config.boot.loader.grub; - grub = if cfg.version == 1 then pkgs.grub else pkgs.grub2; + realGrub = if cfg.version == 1 then pkgs.grub else pkgs.grub2; + + grub = + # Don't include GRUB if we're only generating a GRUB menu (e.g., + # in EC2 instances). + if cfg.devices == ["nodev"] + then null + else realGrub; f = x: if x == null then "" else "" + x; @@ -14,8 +21,8 @@ let { splashImage = f config.boot.loader.grub.splashImage; grub = f grub; shell = "${pkgs.stdenv.shell}"; - fullVersion = (builtins.parseDrvName config.system.build.grub.name).version; - inherit (config.boot.loader.grub) + fullVersion = (builtins.parseDrvName realGrub.name).version; + inherit (cfg) version extraConfig extraPerEntryConfig extraEntries extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout default devices; @@ -141,7 +148,7 @@ in splashImage = mkOption { default = - if config.boot.loader.grub.version == 1 + if cfg.version == 1 then pkgs.fetchurl { url = http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz; sha256 = "14kqdx2lfqvh40h6fjjzqgff1mwk74dmbjvmqphi6azzra7z8d59"; @@ -196,7 +203,7 @@ in ###### implementation - config = mkIf config.boot.loader.grub.enable { + config = mkIf cfg.enable { boot.loader.grub.devices = optional (cfg.device != "") cfg.device; 
@@ -212,7 +219,7 @@ in # set at once. system.boot.loader.id = "grub"; - environment.systemPackages = mkIf config.boot.loader.grub.enable [ grub ]; + environment.systemPackages = [ grub ]; }; From 365307ada1b6f3fc85b131cdcaaa9fcf19864a31 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 5 Jun 2013 17:09:34 +0200 Subject: [PATCH 12/12] nixos-rebuild: Handle .version-suffix not being writable Reported by @vcunat. --- modules/installer/tools/nixos-rebuild.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/installer/tools/nixos-rebuild.sh b/modules/installer/tools/nixos-rebuild.sh index fb26279e7c7..16ec49bde9b 100644 --- a/modules/installer/tools/nixos-rebuild.sh +++ b/modules/installer/tools/nixos-rebuild.sh @@ -141,7 +141,7 @@ fi if nixos=$(nix-instantiate --find-file nixos "${extraBuildFlags[@]}"); then suffix=$(@shell@ $nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}") if [ -n "$suffix" ]; then - echo -n "$suffix" > "$nixos/.version-suffix" + echo -n "$suffix" > "$nixos/.version-suffix" || true fi fi
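Review bot: `environment.systemPackages = [ grub ];` now receives `null` whenever the new `grub` binding from the first hunk (on the previous page line) resolves to null for `devices == ["nodev"]`; `f grub` handles the null for the menu builder, but nothing filters it here, so unless `systemPackages` tolerates null entries (not visible in this diff) the EC2 case this commit targets fails to evaluate. `environment.systemPackages = optional (grub != null) grub;` keeps the package out cleanly. The `grub` binding already carries a comment explaining the intent; this line deserves a matching one, e.g. `# No GRUB package when only a menu is generated (devices == ["nodev"]).`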
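Review bot: `echo -n "$suffix" > "$nixos/.version-suffix" || true` tolerates the failure but the reader has no hint why a failed write is acceptable, and the shell's permission-denied message still reaches stderr on every rebuild from a read-only checkout. A comment such as `# The nixos checkout may not be writable by this user; the commit treats a missing or stale suffix as tolerable, so do not abort.` documents the decision, and `2>/dev/null` on the redirection keeps the tolerant path quiet if that noise is unwanted. Both enclosing `if` blocks are closed within the hunk.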