public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge staging-next into staging

This commit is contained in:
Frederik Rietdijk 2019-08-28 08:26:42 +02:00
parent a2538606e3 98640fd482
commit 5061fe0c2c
1209 changed files with 36685 additions and 18393 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/languages-frameworks/android.section.md
View File

@ -185,10 +185,9 @@ with import <nixpkgs> {};
androidenv.emulateApp { androidenv.emulateApp {
name = "emulate-MyAndroidApp"; name = "emulate-MyAndroidApp";
platformVersion = "24"; platformVersion = "28";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64 abiVersion = "x86_64"; # armeabi-v7a, mips, x86
systemImageType = "default"; systemImageType = "google_apis_playstore";
useGoogleAPIs = false;
} }
``` ```
@ -201,7 +200,7 @@ with import <nixpkgs> {};
androidenv.emulateApp { androidenv.emulateApp {
name = "emulate-MyAndroidApp"; name = "emulate-MyAndroidApp";
platformVersion = "24"; platformVersion = "24";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64 abiVersion = "armeabi-v7a"; # mips, x86, x86_64
systemImageType = "default"; systemImageType = "default";
useGoogleAPIs = false; useGoogleAPIs = false;
app = ./MyApp.apk; app = ./MyApp.apk;

33
doc/languages-frameworks/perl.xml
View File

@ -75,7 +75,8 @@ foo = import ../path/to/foo.nix {
It adds the contents of the <envar>PERL5LIB</envar> environment variable It adds the contents of the <envar>PERL5LIB</envar> environment variable
to <literal>#! .../bin/perl</literal> line of Perl scripts as to <literal>#! .../bin/perl</literal> line of Perl scripts as
<literal>-I<replaceable>dir</replaceable></literal> flags. This ensures <literal>-I<replaceable>dir</replaceable></literal> flags. This ensures
that a script can find its dependencies. that a script can find its dependencies. (This can cause this shebang line
to become too long for Darwin to handle; see the note below.)
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
@ -137,6 +138,36 @@ ClassC3Componentised = buildPerlPackage rec {
</programlisting> </programlisting>
</para> </para>
<para>
On Darwin, if a script has too many
<literal>-I<replaceable>dir</replaceable></literal> flags in its first line
(its “shebang line”), it will not run. This can be worked around by calling
the <literal>shortenPerlShebang</literal> function from the
<literal>postInstall</literal> phase:
<programlisting>
{ stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:
ImageExifTool = buildPerlPackage {
pname = "Image-ExifTool";
version = "11.50";
src = fetchurl {
url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
};
buildInputs = stdenv.lib.optional stdenv.isDarwin shortenPerlShebang;
postInstall = stdenv.lib.optional stdenv.isDarwin ''
shortenPerlShebang $out/bin/exiftool
'';
};
</programlisting>
This will remove the <literal>-I</literal> flags from the shebang line,
rewrite them in the <literal>use lib</literal> form, and put them on the next
line instead. This function can be given any number of Perl scripts as
arguments; it will modify them in-place.
</para>
<section xml:id="ssec-generation-from-CPAN"> <section xml:id="ssec-generation-from-CPAN">
<title>Generation from CPAN</title> <title>Generation from CPAN</title>

2
lib/default.nix
View File

@ -71,7 +71,7 @@ let
zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil
recursiveUpdate matchAttrs overrideExisting getOutput getBin recursiveUpdate matchAttrs overrideExisting getOutput getBin
getLib getDev chooseDevOutputs zipWithNames zip; getLib getDev chooseDevOutputs zipWithNames zip;
inherit (lists) singleton foldr fold foldl foldl' imap0 imap1 inherit (lists) singleton forEach foldr fold foldl foldl' imap0 imap1
concatMap flatten remove findSingle findFirst any all count concatMap flatten remove findSingle findFirst any all count
optional optionals toList range partition zipListsWith zipLists optional optionals toList range partition zipListsWith zipLists
reverseList listDfs toposort sort naturalSort compareLists take reverseList listDfs toposort sort naturalSort compareLists take

13
lib/lists.nix
View File

@ -21,6 +21,19 @@ rec {
*/ */
singleton = x: [x]; singleton = x: [x];
/* Apply the function to each element in the list. Same as `map`, but arguments
flipped.
Type: forEach :: [a] -> (a -> b) -> [b]
Example:
forEach [ 1 2 ] (x:
toString x
)
=> [ "1" "2" ]
*/
forEach = xs: f: map f xs;
/* right fold a binary function `op` between successive elements of /* right fold a binary function `op` between successive elements of
`list` with `nul' as the starting value, i.e., `list` with `nul' as the starting value, i.e.,
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`. `foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.

2
lib/options.nix
View File

@ -36,7 +36,7 @@ rec {
example ? null, example ? null,
# String describing the option. # String describing the option.
description ? null, description ? null,
# Related packages used in the manual (see `genRelatedPackages` in ../nixos/doc/manual/default.nix). # Related packages used in the manual (see `genRelatedPackages` in ../nixos/lib/make-options-doc/default.nix).
relatedPackages ? null, relatedPackages ? null,
# Option type, providing type-checking and value merging. # Option type, providing type-checking and value merging.
type ? null, type ? null,

79
maintainers/maintainer-list.nix
View File

@ -40,6 +40,12 @@
See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data. See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data.
*/ */
{ {
"00-matt" = {
name = "Matt Smith";
email = "matt@offtopica.uk";
github = "00-matt";
githubId = 48835712;
};
"0x4A6F" = { "0x4A6F" = {
email = "0x4A6F@shackspace.de"; email = "0x4A6F@shackspace.de";
name = "Joachim Ernst"; name = "Joachim Ernst";
@ -296,6 +302,11 @@
githubId = 17208985; githubId = 17208985;
name = "Alex Rice"; name = "Alex Rice";
}; };
alexbakker = {
email = "ab@alexbakker.me";
github = "alexbakker";
name = "Alexander Bakker";
};
alexchapman = { alexchapman = {
email = "alex@farfromthere.net"; email = "alex@farfromthere.net";
github = "AJChapman"; github = "AJChapman";
@ -324,6 +335,12 @@
githubId = 2822871; githubId = 2822871;
name = "Alistair Bill"; name = "Alistair Bill";
}; };
alkeryn = {
email = "plbraundev@gmail.com";
github = "Alkeryn";
githubId = 11599075;
name = "Pierre-Louis Braun";
};
all = { all = {
email = "nix-commits@lists.science.uu.nl"; email = "nix-commits@lists.science.uu.nl";
name = "Nix Committers"; name = "Nix Committers";
@ -571,6 +588,12 @@
githubId = 816777; githubId = 816777;
name = "Ashley Gillman"; name = "Ashley Gillman";
}; };
ashkitten = {
email = "ashlea@protonmail.com";
github = "ashkitten";
githubId = 9281956;
name = "ash lea";
};
aske = { aske = {
email = "aske@fmap.me"; email = "aske@fmap.me";
github = "aske"; github = "aske";
@ -1701,6 +1724,16 @@
fingerprint = "389A 78CB CD88 5E0C 4701 DEB9 FD42 C7D0 D414 94C8"; fingerprint = "389A 78CB CD88 5E0C 4701 DEB9 FD42 C7D0 D414 94C8";
}]; }];
}; };
dump_stack = {
email = "root@dumpstack.io";
github = "jollheef";
githubId = 1749762;
name = "Mikhail Klementev";
keys = [{
longkeyid = "rsa4096/0x1525585D1B43C62A";
fingerprint = "5DD7 C6F6 0630 F08E DAE7 4711 1525 585D 1B43 C62A";
}];
};
dxf = { dxf = {
email = "dingxiangfei2009@gmail.com"; email = "dingxiangfei2009@gmail.com";
github = "dingxiangfei2009"; github = "dingxiangfei2009";
@ -2738,6 +2771,11 @@
githubId = 26877687; githubId = 26877687;
name = "Yurii Izorkin"; name = "Yurii Izorkin";
}; };
jasoncarr = {
email = "jcarr250@gmail.com";
github = "jasoncarr0";
name = "Jason Carr";
};
j-keck = { j-keck = {
email = "jhyphenkeck@gmail.com"; email = "jhyphenkeck@gmail.com";
github = "j-keck"; github = "j-keck";
@ -2825,6 +2863,15 @@
githubId = 1383440; githubId = 1383440;
name = "Jason Gilliland"; name = "Jason Gilliland";
}; };
jdanek = {
email = "jdanek@redhat.com";
github = "jdanekrh";
keys = [{
longkeyid = "ed25519/0x69275CADF15D872E";
fingerprint = "D4A6 F051 AD58 2E7C BCED 5439 6927 5CAD F15D 872E";
}];
name = "Jiri Daněk";
};
jdehaas = { jdehaas = {
email = "qqlq@nullptr.club"; email = "qqlq@nullptr.club";
github = "jeroendehaas"; github = "jeroendehaas";
@ -3218,6 +3265,11 @@
githubId = 6282557; githubId = 6282557;
name = "Kiloreux Emperex"; name = "Kiloreux Emperex";
}; };
kim0 = {
email = "email.ahmedkamal@googlemail.com";
github = "kim0";
name = "Ahmed Kamal";
};
kimburgess = { kimburgess = {
email = "kim@acaprojects.com"; email = "kim@acaprojects.com";
github = "kimburgess"; github = "kimburgess";
@ -3236,6 +3288,11 @@
githubId = 451835; githubId = 451835;
name = "Kirill Elagin"; name = "Kirill Elagin";
}; };
kirikaza = {
email = "k@kirikaza.ru";
github = "kirikaza";
name = "Kirill Kazakov";
};
kisonecat = { kisonecat = {
email = "kisonecat@gmail.com"; email = "kisonecat@gmail.com";
github = "kisonecat"; github = "kisonecat";
@ -3353,6 +3410,11 @@
githubId = 10544; githubId = 10544;
name = "Giuluo Eulisse"; name = "Giuluo Eulisse";
}; };
ktor = {
email = "kruszewsky@gmail.com";
github = "ktor";
name = "Pawel Kruszewski";
};
ktosiek = { ktosiek = {
email = "tomasz.kontusz@gmail.com"; email = "tomasz.kontusz@gmail.com";
github = "ktosiek"; github = "ktosiek";
@ -3482,6 +3544,11 @@
githubId = 307589; githubId = 307589;
name = "Nathaniel Baxter"; name = "Nathaniel Baxter";
}; };
lightbulbjim = {
email = "chris@killred.net";
github = "lightbulbjim";
name = "Chris Rendle-Short";
};
lightdiscord = { lightdiscord = {
email = "root@arnaud.sh"; email = "root@arnaud.sh";
github = "lightdiscord"; github = "lightdiscord";
@ -5897,6 +5964,12 @@
githubId = 231788; githubId = 231788;
name = "Stephen Weinberg"; name = "Stephen Weinberg";
}; };
sterfield = {
email = "sterfield@gmail.com";
github = "sterfield";
githubId = 5747061;
name = "Guillaume Loetscher";
};
sternenseemann = { sternenseemann = {
email = "post@lukasepple.de"; email = "post@lukasepple.de";
github = "sternenseemann"; github = "sternenseemann";
@ -6495,6 +6568,12 @@
githubId = 1525767; githubId = 1525767;
name = "Vaibhav Sagar"; name = "Vaibhav Sagar";
}; };
valebes = {
email = "valebes@gmail.com";
github = "valebes";
githubid = 10956211;
name = "Valerio Besozzi";
};
valeriangalliat = { valeriangalliat = {
email = "val@codejam.info"; email = "val@codejam.info";
github = "valeriangalliat"; github = "valeriangalliat";

2
maintainers/scripts/luarocks-packages.csv
View File

@ -1,4 +1,5 @@
# nix name, luarocks name, server, version,luaversion,maintainers # nix name, luarocks name, server, version,luaversion,maintainers
alt-getopt,,,,,arobyn
ansicolors,,,,, ansicolors,,,,,
argparse,,,,, argparse,,,,,
basexx,,,,, basexx,,,,,
@ -56,6 +57,7 @@ luv,,,,,
markdown,,,,, markdown,,,,,
mediator_lua,,,,, mediator_lua,,,,,
mpack,,,,, mpack,,,,,
moonscript,,,,,arobyn
nvim-client,,,,, nvim-client,,,,,
penlight,,,,, penlight,,,,,
rapidjson,,,,, rapidjson,,,,,

1 # nix name luarocks name server version luaversion maintainers
2 alt-getopt arobyn
3 ansicolors
4 argparse
5 basexx
57 markdown
58 mediator_lua
59 mpack
60 moonscript arobyn
61 nvim-client
62 penlight
63 rapidjson

24
nixos/doc/manual/development/releases.xml
View File

@ -220,6 +220,30 @@
</itemizedlist> </itemizedlist>
</section> </section>
</section> </section>
<section xml:id="release-managers">
<title>Release Management Team</title>
<para>
For each release there are two release managers. After each release the
release manager having managed two releases steps down and the release
management team of the last release appoints a new release manager.
</para>
<para>
This makes sure a release management team always consists of one release
manager who already has managed one release and one release manager being
introduced to their role, making it easier to pass on knowledge and
experience.
</para>
<para>
A release manager's role and responsibilities are:
</para>
<itemizedlist>
<listitem><para>manage the release process</para></listitem>
<listitem><para>start discussions about features and changes for a given release</para></listitem>
<listitem><para>create a roadmap</para></listitem>
<listitem><para>release in cooperation with Eelco Dolstra</para></listitem>
<listitem><para>decide which bug fixes, features, etc... get backported after a release</para></listitem>
</itemizedlist>
</section>
<section xml:id="release-schedule"> <section xml:id="release-schedule">
<title>Release schedule</title> <title>Release schedule</title>

103
nixos/doc/manual/release-notes/rl-1909.xml
View File

@ -237,6 +237,12 @@
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para>
The <literal>shibboleth-sp</literal> package has been updated to version 3.
It is largely backward compatible, for further information refer to the
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release notes</link>
and <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade guide</link>.
</para>
<para> <para>
Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped. Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
</para> </para>
@ -263,6 +269,28 @@
<literal>false</literal>. <literal>false</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4.
</para>
</listitem>
<listitem>
<para>
The <option>services.pdns-recursor.extraConfig</option> option has been replaced by
<option>services.pdns-recursor.settings</option>. The new option allows setting extra
configuration while being better type-checked and mergeable.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
@ -424,6 +452,81 @@
installer after creating <literal>/var/lib/nextcloud</literal>. installer after creating <literal>/var/lib/nextcloud</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
There exists now <literal>lib.forEach</literal>, which is like <literal>map</literal>, but with
arguments flipped. When mapping function body spans many lines (or has nested
<literal>map</literal>s), it is often hard to follow which list is modified.
</para>
<para>
Previous solution to this problem was either to use <literal>lib.flip map</literal>
idiom or extract that anonymous mapping function to a named one. Both can still be used
but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
</para>
<para>
The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
<link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
<literal>/etc/sysctl.d/60-nixos.conf</literal>, as
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
two-digit number and a dash to simplify the ordering of the files.
</para>
</listitem>
<listitem>
<para>
We now install the sysctl snippets shipped with systemd.
<itemizedlist>
<para>This enables:</para>
<listitem>
<para>Loose reverse path filtering</para>
</listitem>
<listitem>
<para>Source route filtering</para>
</listitem>
<listitem>
<para>
<literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
</para>
</listitem>
</itemizedlist>
This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
(which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
</para>
</listitem>
<listitem>
<para>
Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
<literal>systemd-coredump</literal> behaviour can still be modified via
<option>systemd.coredump.extraConfig</option>.
To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
in the working directory), without piping it through <literal>systemd-coredump</literal>, set
<option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>systemd.packages</literal> option now also supports generators and
shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
been removed.
</para>
</listitem>
<listitem>
<para>
The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer.
Use <literal>rspamd</literal> in proxy mode instead.
</para>
</listitem>
<listitem>
<para>
systemd cgroup accounting via the
<link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
option is now enabled by default. It now also enables the more recent Block IO and IP accounting
features.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
</section> </section>

6
nixos/lib/build-vms.nix
View File

@ -54,11 +54,11 @@ rec {
machinesNumbered = zipLists machines (range 1 254); machinesNumbered = zipLists machines (range 1 254);
nodes_ = flip map machinesNumbered (m: nameValuePair m.fst nodes_ = forEach machinesNumbered (m: nameValuePair m.fst
[ ( { config, nodes, ... }: [ ( { config, nodes, ... }:
let let
interfacesNumbered = zipLists config.virtualisation.vlans (range 1 255); interfacesNumbered = zipLists config.virtualisation.vlans (range 1 255);
interfaces = flip map interfacesNumbered ({ fst, snd }: interfaces = forEach interfacesNumbered ({ fst, snd }:
nameValuePair "eth${toString snd}" { ipv4.addresses = nameValuePair "eth${toString snd}" { ipv4.addresses =
[ { address = "192.168.${toString fst}.${toString m.snd}"; [ { address = "192.168.${toString fst}.${toString m.snd}";
prefixLength = 24; prefixLength = 24;
@ -88,7 +88,7 @@ rec {
"${config.networking.hostName}\n")); "${config.networking.hostName}\n"));
virtualisation.qemu.options = virtualisation.qemu.options =
flip map interfacesNumbered forEach interfacesNumbered
({ fst, snd }: qemuNICFlags snd fst m.snd); ({ fst, snd }: qemuNICFlags snd fst m.snd);
}; };
} }

2
nixos/maintainers/option-usages.nix
View File

@ -102,7 +102,7 @@ let
# builtins multiply by 4 the memory usage and the time used to compute # builtins multiply by 4 the memory usage and the time used to compute
# each options. # each options.
tryCollectOptions = moduleResult: tryCollectOptions = moduleResult:
flip map (excludeOptions (collect isOption moduleResult)) (opt: forEach (excludeOptions (collect isOption moduleResult)) (opt:
{ name = showOption opt.loc; } // builtins.tryEval (strict opt.value)); { name = showOption opt.loc; } // builtins.tryEval (strict opt.value));
in in
keepNames ( keepNames (

168
nixos/modules/config/fonts/fontconfig-penultimate.nix
View File

@ -52,85 +52,11 @@ let
</fontconfig> </fontconfig>
''; '';
# local configuration file
localConf = pkgs.writeText "fc-local.conf" cfg.localConf; localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
# The configuration to be included in /etc/font/ # rendering settings configuration files
penultimateConf = pkgs.runCommand "font-penultimate-conf" { # priority 10
preferLocalBuild = true;
} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/../fonts.conf
# fontconfig-penultimate various configuration files
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
ln -s ${antialiasConf} $support_folder/10-antialias.conf
ln -s ${antialiasConf} $latest_folder/10-antialias.conf
rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
ln -s ${hintingConf} $support_folder/10-hinting.conf
ln -s ${hintingConf} $latest_folder/10-hinting.conf
${optionalString cfg.useEmbeddedBitmaps ''
rm $support_folder/10-no-embedded-bitmaps.conf
rm $latest_folder/10-no-embedded-bitmaps.conf
''}
rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
ln -s ${subpixelConf} $support_folder/10-subpixel.conf
ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
${optionalString (cfg.dpi != 0) ''
ln -s ${dpiConf} $support_folder/11-dpi.conf
ln -s ${dpiConf} $latest_folder/11-dpi.conf
''}
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# 51-local.conf
rm $latest_folder/51-local.conf
substitute \
${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $out/etc/fonts/local.conf
ln -s ${localConf} $out/etc/fonts/${latestVersion}/local.conf
''}
ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
${optionalString cfg.allowBitmaps ''
rm $support_folder/53-no-bitmaps.conf
rm $latest_folder/53-no-bitmaps.conf
''}
${optionalString (!cfg.allowType1) ''
ln -s ${rejectType1} $support_folder/53-no-type1.conf
ln -s ${rejectType1} $latest_folder/53-no-type1.conf
''}
'';
hintingConf = pkgs.writeText "fc-10-hinting.conf" '' hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
<?xml version='1.0'?> <?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'> <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
@ -199,6 +125,8 @@ let
</fontconfig> </fontconfig>
''; '';
# default fonts configuration file
# priority 52
defaultFontsConf = defaultFontsConf =
let genDefault = fonts: name: let genDefault = fonts: name:
optionalString (fonts != []) '' optionalString (fonts != []) ''
@ -228,7 +156,9 @@ let
</fontconfig> </fontconfig>
''; '';
rejectType1 = pkgs.writeText "fc-53-no-type1.conf" '' # reject Type 1 fonts
# priority 53
rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd"> <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig> <fontconfig>
@ -245,6 +175,88 @@ let
</fontconfig> </fontconfig>
''; '';
# The configuration to be included in /etc/font/
penultimateConf = pkgs.runCommand "fontconfig-penultimate-conf" {
preferLocalBuild = true;
} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
# fonts.conf
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/../fonts.conf
# fontconfig-penultimate various configuration files
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
ln -s ${antialiasConf} $support_folder/10-antialias.conf
ln -s ${antialiasConf} $latest_folder/10-antialias.conf
rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
ln -s ${hintingConf} $support_folder/10-hinting.conf
ln -s ${hintingConf} $latest_folder/10-hinting.conf
${optionalString cfg.useEmbeddedBitmaps ''
rm $support_folder/10-no-embedded-bitmaps.conf
rm $latest_folder/10-no-embedded-bitmaps.conf
''}
rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
ln -s ${subpixelConf} $support_folder/10-subpixel.conf
ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
${optionalString (cfg.dpi != 0) ''
ln -s ${dpiConf} $support_folder/11-dpi.conf
ln -s ${dpiConf} $latest_folder/11-dpi.conf
''}
# 50-user.conf
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# 51-local.conf
rm $latest_folder/51-local.conf
substitute \
${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $support_folder/../local.conf
ln -s ${localConf} $latest_folder/../local.conf
''}
# 52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
# 53-no-bitmaps.conf
${optionalString cfg.allowBitmaps ''
rm $support_folder/53-no-bitmaps.conf
rm $latest_folder/53-no-bitmaps.conf
''}
${optionalString (!cfg.allowType1) ''
# 53-nixos-reject-type1.conf
ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
''}
'';
in in
{ {

66
nixos/modules/config/fonts/fontconfig.nix
View File

@ -14,11 +14,12 @@ Low number means high priority.
*/ */
{ config, lib, pkgs, ... }: { config, pkgs, lib, ... }:
with lib; with lib;
let cfg = config.fonts.fontconfig; let
cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (boolToString x) + "</bool>"; fcBool = x: "<bool>" + (boolToString x) + "</bool>";
@ -50,8 +51,8 @@ let cfg = config.fonts.fontconfig;
then "fontconfig" then "fontconfig"
else "fontconfig_${version}"; else "fontconfig_${version}";
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; }; makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
cache = makeCache pkgs.${fcPackage}; cache = makeCache pkgs."${fcPackage}";
cache32 = makeCache pkgs.pkgsi686Linux.${fcPackage}; cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}";
in in
pkgs.writeText "fc-00-nixos-cache.conf" '' pkgs.writeText "fc-00-nixos-cache.conf" ''
<?xml version='1.0'?> <?xml version='1.0'?>
@ -108,7 +109,6 @@ let cfg = config.fonts.fontconfig;
''; '';
# local configuration file # local configuration file
# priority 51
localConf = pkgs.writeText "fc-local.conf" cfg.localConf; localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
# default fonts configuration file # default fonts configuration file
@ -144,7 +144,7 @@ let cfg = config.fonts.fontconfig;
# bitmap font options # bitmap font options
# priority 53 # priority 53
rejectBitmaps = pkgs.writeText "fc-53-nixos-bitmaps.conf" '' rejectBitmaps = pkgs.writeText "fc-53-no-bitmaps.conf" ''
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd"> <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig> <fontconfig>
@ -190,64 +190,66 @@ let cfg = config.fonts.fontconfig;
''; '';
# fontconfig configuration package # fontconfig configuration package
confPkg = pkgs.runCommand "fontconfig-conf" { preferLocalBuild = true; } '' confPkg = pkgs.runCommand "fontconfig-conf" {
support_folder=$out/etc/fonts preferLocalBuild = true;
latest_folder=$out/etc/fonts/${latestVersion} } ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder/conf.d mkdir -p $support_folder
mkdir -p $latest_folder/conf.d mkdir -p $latest_folder
# fonts.conf # fonts.conf
ln -s ${supportFontsConf} $support_folder/fonts.conf ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \ ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/fonts.conf $latest_folder/../fonts.conf
# fontconfig default config files # fontconfig default config files
ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \ ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
$support_folder/conf.d/ $support_folder/
ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \ ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \
$latest_folder/conf.d/ $latest_folder/
# update latest 51-local.conf path to look at the latest local.conf # update latest 51-local.conf path to look at the latest local.conf
rm $latest_folder/conf.d/51-local.conf rm $latest_folder/51-local.conf
substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \ substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
$latest_folder/conf.d/51-local.conf \ $latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf --replace local.conf /etc/fonts/${latestVersion}/local.conf
# 00-nixos-cache.conf # 00-nixos-cache.conf
ln -s ${cacheConfSupport} \ ln -s ${cacheConfSupport} \
$support_folder/conf.d/00-nixos-cache.conf $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/conf.d/00-nixos-cache.conf ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
# 10-nixos-rendering.conf # 10-nixos-rendering.conf
ln -s ${renderConf} $support_folder/conf.d/10-nixos-rendering.conf ln -s ${renderConf} $support_folder/10-nixos-rendering.conf
ln -s ${renderConf} $latest_folder/conf.d/10-nixos-rendering.conf ln -s ${renderConf} $latest_folder/10-nixos-rendering.conf
# 50-user.conf # 50-user.conf
${optionalString (!cfg.includeUserConf) '' ${optionalString (!cfg.includeUserConf) ''
rm $support_folder/conf.d/50-user.conf rm $support_folder/50-user.conf
rm $latest_folder/conf.d/50-user.conf rm $latest_folder/50-user.conf
''} ''}
# local.conf (indirect priority 51) # local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") '' ${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $support_folder/local.conf ln -s ${localConf} $support_folder/../local.conf
ln -s ${localConf} $latest_folder/local.conf ln -s ${localConf} $latest_folder/../local.conf
''} ''}
# 52-nixos-default-fonts.conf # 52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
# 53-nixos-bitmaps.conf # 53-no-bitmaps.conf
ln -s ${rejectBitmaps} $support_folder/conf.d/53-nixos-bitmaps.conf ln -s ${rejectBitmaps} $support_folder/53-no-bitmaps.conf
ln -s ${rejectBitmaps} $latest_folder/conf.d/53-nixos-bitmaps.conf ln -s ${rejectBitmaps} $latest_folder/53-no-bitmaps.conf
${optionalString (!cfg.allowType1) '' ${optionalString (!cfg.allowType1) ''
# 53-nixos-reject-type1.conf # 53-nixos-reject-type1.conf
ln -s ${rejectType1} $support_folder/conf.d/53-nixos-reject-type1.conf ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
ln -s ${rejectType1} $latest_folder/conf.d/53-nixos-reject-type1.conf ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
''} ''}
''; '';

102
nixos/modules/config/qt5.nix Normal file
View File

@ -0,0 +1,102 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.qt5;
isQGnome = cfg.platformTheme == "gnome" && cfg.style == "adwaita";
isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita";
packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
else if isQtStyle then [ pkgs.qtstyleplugins ]
else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
in
{
options = {
qt5 = {
enable = mkEnableOption "Qt5 theming configuration";
platformTheme = mkOption {
type = types.enum [
"gtk2"
"gnome"
];
example = "gnome";
relatedPackages = [
"qgnomeplatform"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the platform theme to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>gtk</literal></term>
<listitem><para>Use GTK theme with
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>gnome</literal></term>
<listitem><para>Use GNOME theme with
<link xlink:href="https://github.com/FedoraQt/QGnomePlatform">qgnomeplatform</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
style = mkOption {
type = types.enum [
"adwaita"
"cleanlooks"
"gtk2"
"motif"
"plastique"
];
example = "adwaita";
relatedPackages = [
"adwaita-qt"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the style to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>adwaita</literal></term>
<listitem><para>Use Adwaita Qt style with
<link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>cleanlooks</literal></term>
<term><literal>gtk2</literal></term>
<term><literal>motif</literal></term>
<term><literal>plastique</literal></term>
<listitem><para>Use styles from
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
};
};
config = mkIf cfg.enable {
environment.variables.QT_QPA_PLATFORMTHEME = cfg.platformTheme;
environment.variables.QT_STYLE_OVERRIDE = cfg.style;
environment.systemPackages = packages;
};
}

10
nixos/modules/config/sysctl.nix
View File

@ -42,22 +42,16 @@ in
config = { config = {
environment.etc."sysctl.d/nixos.conf".text = environment.etc."sysctl.d/60-nixos.conf".text =
concatStrings (mapAttrsToList (n: v: concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n" optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl); ) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl = systemd.services.systemd-sysctl =
{ wantedBy = [ "multi-user.target" ]; { wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ]; restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
}; };
# Enable hardlink and symlink restrictions. See
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
# for details.
boot.kernel.sysctl."fs.protected_hardlinks" = true;
boot.kernel.sysctl."fs.protected_symlinks" = true;
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities. # users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = 1; boot.kernel.sysctl."kernel.kptr_restrict" = 1;

1
nixos/modules/config/update-users-groups.pl
View File

@ -267,6 +267,7 @@ foreach my $line (-f "/etc/shadow" ? read_file("/etc/shadow") : ()) {
next if !defined $u; next if !defined $u;
$hashedPassword = "!" if !$spec->{mutableUsers}; $hashedPassword = "!" if !$spec->{mutableUsers};
$hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME $hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME
chomp $hashedPassword;
push @shadowNew, join(":", $name, $hashedPassword, @rest) . "\n"; push @shadowNew, join(":", $name, $hashedPassword, @rest) . "\n";
$shadowSeen{$name} = 1; $shadowSeen{$name} = 1;
} }

52
nixos/modules/config/vte.nix Normal file
View File

@ -0,0 +1,52 @@
# VTE
{ config, pkgs, lib, ... }:
with lib;
let
vteInitSnippet = ''
# Show current working directory in VTE terminals window title.
# Supports both bash and zsh, requires interactive shell.
. ${pkgs.vte}/etc/profile.d/vte.sh
'';
in
{
options = {
programs.bash.vteIntegration = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable Bash integration for VTE terminals.
This allows it to preserve the current directory of the shell
across terminals.
'';
};
programs.zsh.vteIntegration = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable Zsh integration for VTE terminals.
This allows it to preserve the current directory of the shell
across terminals.
'';
};
};
config = mkMerge [
(mkIf config.programs.bash.vteIntegration {
programs.bash.interactiveShellInit = mkBefore vteInitSnippet;
})
(mkIf config.programs.zsh.vteIntegration {
programs.zsh.interactiveShellInit = vteInitSnippet;
})
];
}

4
nixos/modules/installer/cd-dvd/sd-image.nix
View File

@ -73,8 +73,8 @@ in
firmwareSize = mkOption { firmwareSize = mkOption {
type = types.int; type = types.int;
# As of 2019-05-31 the Raspberry pi firmware + u-bot takes ~13MiB # As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 20; default = 30;
description = '' description = ''
Size of the /boot/firmware partition, in megabytes. Size of the /boot/firmware partition, in megabytes.
''; '';

6
nixos/modules/misc/ids.nix
View File

@ -251,7 +251,7 @@
gale = 223; gale = 223;
matrix-synapse = 224; matrix-synapse = 224;
rspamd = 225; rspamd = 225;
rmilter = 226; # rmilter = 226; # unused, removed 2019-08-22
cfdyndns = 227; cfdyndns = 227;
gammu-smsd = 228; gammu-smsd = 228;
pdnsd = 229; pdnsd = 229;
@ -340,6 +340,7 @@
cockroachdb = 313; cockroachdb = 313;
zoneminder = 314; zoneminder = 314;
paperless = 315; paperless = 315;
mailman = 316;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -559,7 +560,7 @@
gale = 223; gale = 223;
matrix-synapse = 224; matrix-synapse = 224;
rspamd = 225; rspamd = 225;
rmilter = 226; # rmilter = 226; # unused, removed 2019-08-22
cfdyndns = 227; cfdyndns = 227;
pdnsd = 229; pdnsd = 229;
octoprint = 230; octoprint = 230;
@ -640,6 +641,7 @@
cockroachdb = 313; cockroachdb = 313;
zoneminder = 314; zoneminder = 314;
paperless = 315; paperless = 315;
mailman = 316;
# When adding a gid, make sure it doesn't match an existing # When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal # uid. Users and groups with the same name should have equal

15
nixos/modules/module-list.nix
View File

@ -27,6 +27,7 @@
./config/nsswitch.nix ./config/nsswitch.nix
./config/power-management.nix ./config/power-management.nix
./config/pulseaudio.nix ./config/pulseaudio.nix
./config/qt5.nix
./config/resolvconf.nix ./config/resolvconf.nix
./config/shells-environment.nix ./config/shells-environment.nix
./config/swap.nix ./config/swap.nix
@ -37,6 +38,7 @@
./config/unix-odbc-drivers.nix ./config/unix-odbc-drivers.nix
./config/users-groups.nix ./config/users-groups.nix
./config/vpnc.nix ./config/vpnc.nix
./config/vte.nix
./config/zram.nix ./config/zram.nix
./hardware/acpilight.nix ./hardware/acpilight.nix
./hardware/all-firmware.nix ./hardware/all-firmware.nix
@ -115,6 +117,7 @@
./programs/fuse.nix ./programs/fuse.nix
./programs/gnome-disks.nix ./programs/gnome-disks.nix
./programs/gnome-documents.nix ./programs/gnome-documents.nix
./programs/gnome-terminal.nix
./programs/gpaste.nix ./programs/gpaste.nix
./programs/gnupg.nix ./programs/gnupg.nix
./programs/gphoto2.nix ./programs/gphoto2.nix
@ -285,6 +288,7 @@
./services/desktops/flatpak.nix ./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix ./services/desktops/geoclue2.nix
./services/desktops/gsignond.nix ./services/desktops/gsignond.nix
./services/desktops/gvfs.nix
./services/desktops/pipewire.nix ./services/desktops/pipewire.nix
./services/desktops/gnome3/at-spi2-core.nix ./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/chrome-gnome-shell.nix ./services/desktops/gnome3/chrome-gnome-shell.nix
@ -295,9 +299,7 @@
./services/desktops/gnome3/gnome-remote-desktop.nix ./services/desktops/gnome3/gnome-remote-desktop.nix
./services/desktops/gnome3/gnome-online-miners.nix ./services/desktops/gnome3/gnome-online-miners.nix
./services/desktops/gnome3/gnome-settings-daemon.nix ./services/desktops/gnome3/gnome-settings-daemon.nix
./services/desktops/gnome3/gnome-terminal-server.nix
./services/desktops/gnome3/gnome-user-share.nix ./services/desktops/gnome3/gnome-user-share.nix
./services/desktops/gnome3/gvfs.nix
./services/desktops/gnome3/rygel.nix ./services/desktops/gnome3/rygel.nix
./services/desktops/gnome3/seahorse.nix ./services/desktops/gnome3/seahorse.nix
./services/desktops/gnome3/sushi.nix ./services/desktops/gnome3/sushi.nix
@ -385,7 +387,6 @@
./services/mail/spamassassin.nix ./services/mail/spamassassin.nix
./services/mail/rspamd.nix ./services/mail/rspamd.nix
./services/mail/rss2email.nix ./services/mail/rss2email.nix
./services/mail/rmilter.nix
./services/mail/roundcube.nix ./services/mail/roundcube.nix
./services/mail/nullmailer.nix ./services/mail/nullmailer.nix
./services/misc/airsonic.nix ./services/misc/airsonic.nix
@ -436,13 +437,13 @@
./services/misc/logkeys.nix ./services/misc/logkeys.nix
./services/misc/leaps.nix ./services/misc/leaps.nix
./services/misc/lidarr.nix ./services/misc/lidarr.nix
./services/misc/mantisbt.nix
./services/misc/mathics.nix ./services/misc/mathics.nix
./services/misc/matrix-synapse.nix ./services/misc/matrix-synapse.nix
./services/misc/mbpfan.nix ./services/misc/mbpfan.nix
./services/misc/mediatomb.nix ./services/misc/mediatomb.nix
./services/misc/mesos-master.nix ./services/misc/mesos-master.nix
./services/misc/mesos-slave.nix ./services/misc/mesos-slave.nix
./services/misc/metabase.nix
./services/misc/mwlib.nix ./services/misc/mwlib.nix
./services/misc/nix-daemon.nix ./services/misc/nix-daemon.nix
./services/misc/nix-gc.nix ./services/misc/nix-gc.nix
@ -520,7 +521,6 @@
./services/monitoring/scollector.nix ./services/monitoring/scollector.nix
./services/monitoring/smartd.nix ./services/monitoring/smartd.nix
./services/monitoring/sysstat.nix ./services/monitoring/sysstat.nix
./services/monitoring/systemhealth.nix
./services/monitoring/teamviewer.nix ./services/monitoring/teamviewer.nix
./services/monitoring/telegraf.nix ./services/monitoring/telegraf.nix
./services/monitoring/thanos.nix ./services/monitoring/thanos.nix
@ -608,6 +608,7 @@
./services/networking/iodine.nix ./services/networking/iodine.nix
./services/networking/iperf3.nix ./services/networking/iperf3.nix
./services/networking/ircd-hybrid/default.nix ./services/networking/ircd-hybrid/default.nix
./services/networking/jormungandr.nix
./services/networking/iwd.nix ./services/networking/iwd.nix
./services/networking/keepalived/default.nix ./services/networking/keepalived/default.nix
./services/networking/keybase.nix ./services/networking/keybase.nix
@ -647,6 +648,7 @@
./services/networking/nullidentdmod.nix ./services/networking/nullidentdmod.nix
./services/networking/nylon.nix ./services/networking/nylon.nix
./services/networking/ocserv.nix ./services/networking/ocserv.nix
./services/networking/ofono.nix
./services/networking/oidentd.nix ./services/networking/oidentd.nix
./services/networking/openfire.nix ./services/networking/openfire.nix
./services/networking/openntpd.nix ./services/networking/openntpd.nix
@ -787,6 +789,7 @@
./services/web-apps/mattermost.nix ./services/web-apps/mattermost.nix
./services/web-apps/mediawiki.nix ./services/web-apps/mediawiki.nix
./services/web-apps/miniflux.nix ./services/web-apps/miniflux.nix
./services/web-apps/moodle.nix
./services/web-apps/nextcloud.nix ./services/web-apps/nextcloud.nix
./services/web-apps/nexus.nix ./services/web-apps/nexus.nix
./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/pgpkeyserver-lite.nix
@ -800,6 +803,7 @@
./services/web-apps/zabbix.nix ./services/web-apps/zabbix.nix
./services/web-servers/apache-httpd/default.nix ./services/web-servers/apache-httpd/default.nix
./services/web-servers/caddy.nix ./services/web-servers/caddy.nix
./services/web-servers/darkhttpd.nix
./services/web-servers/fcgiwrap.nix ./services/web-servers/fcgiwrap.nix
./services/web-servers/hitch/default.nix ./services/web-servers/hitch/default.nix
./services/web-servers/hydron.nix ./services/web-servers/hydron.nix
@ -862,7 +866,6 @@
./system/activation/activation-script.nix ./system/activation/activation-script.nix
./system/activation/top-level.nix ./system/activation/top-level.nix
./system/boot/binfmt.nix ./system/boot/binfmt.nix
./system/boot/coredump.nix
./system/boot/emergency-mode.nix ./system/boot/emergency-mode.nix
./system/boot/grow-partition.nix ./system/boot/grow-partition.nix
./system/boot/initrd-network.nix ./system/boot/initrd-network.nix

18
nixos/modules/profiles/hardened.nix
View File

@ -14,8 +14,6 @@ with lib;
nix.allowedUsers = mkDefault [ "@users" ]; nix.allowedUsers = mkDefault [ "@users" ];
environment.memoryAllocator.provider = mkDefault "graphene-hardened";
security.hideProcessInformation = mkDefault true; security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true; security.lockKernelModules = mkDefault true;
@ -95,23 +93,17 @@ with lib;
# Disable ftrace debugging # Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
# Enable reverse path filtering (that is, do not attempt to route packets # Enable strict reverse path filtering (that is, do not attempt to route
# that "obviously" do not belong to the iface's network; dropped packets are # packets that "obviously" do not belong to the iface's network; dropped
# logged as martians). # packets are logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true; boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true; boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
# Ignore broadcast ICMP (mitigate SMURF) # Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
# Ignore route information from sender
boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the # Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set) # setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;

10
nixos/modules/programs/dconf.nix
View File

@ -34,11 +34,11 @@ in
services.dbus.packages = [ pkgs.gnome3.dconf ]; services.dbus.packages = [ pkgs.gnome3.dconf ];
environment.variables.GIO_EXTRA_MODULES = optional cfg.enable # For dconf executable
"${pkgs.gnome3.dconf.lib}/lib/gio/modules"; environment.systemPackages = [ pkgs.gnome3.dconf ];
# https://github.com/NixOS/nixpkgs/pull/31891
#environment.variables.XDG_DATA_DIRS = optional cfg.enable # Needed for unwrapped applications
# "$(echo ${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)"; environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ];
}; };
} }

1
nixos/modules/programs/environment.nix
View File

@ -21,6 +21,7 @@ in
PAGER = mkDefault "less -R"; PAGER = mkDefault "less -R";
EDITOR = mkDefault "nano"; EDITOR = mkDefault "nano";
XCURSOR_PATH = [ "$HOME/.icons" ]; XCURSOR_PATH = [ "$HOME/.icons" ];
XDG_CONFIG_DIRS = [ "/etc/xdg" ]; # needs to be before profile-relative paths to allow changes through environment.etc
}; };
environment.profiles = mkAfter environment.profiles = mkAfter

36
nixos/modules/programs/gnome-terminal.nix Normal file
View File

@ -0,0 +1,36 @@
# GNOME Terminal.
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.gnome-terminal;
in
{
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gnome-terminal-server" "enable" ]
[ "programs" "gnome-terminal" "enable" ])
];
options = {
programs.gnome-terminal.enable = mkEnableOption "GNOME Terminal";
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-terminal ];
services.dbus.packages = [ pkgs.gnome3.gnome-terminal ];
systemd.packages = [ pkgs.gnome3.gnome-terminal ];
programs.bash.vteIntegration = true;
programs.zsh.vteIntegration = true;
};
}

1
nixos/modules/programs/gnupg.nix
View File

@ -84,6 +84,7 @@ in
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
}; };
environment.systemPackages = with pkgs; [ cfg.package ];
systemd.packages = [ cfg.package ]; systemd.packages = [ cfg.package ];
environment.interactiveShellInit = '' environment.interactiveShellInit = ''

13
nixos/modules/programs/zsh/zsh.nix
View File

@ -69,9 +69,7 @@ in
promptInit = mkOption { promptInit = mkOption {
default = '' default = ''
if [ "$TERM" != dumb ]; then autoload -U promptinit && promptinit && prompt walters && setopt prompt_sp
autoload -U promptinit && promptinit && prompt walters
fi
''; '';
description = '' description = ''
Shell script code used to initialise the zsh prompt. Shell script code used to initialise the zsh prompt.
@ -213,6 +211,15 @@ in
${cfg.promptInit} ${cfg.promptInit}
# Need to disable features to support TRAMP
if [ "$TERM" = dumb ]; then
unsetopt zle prompt_cr prompt_subst
unfunction precmd preexec
unset RPS1 RPROMPT
PS1='$ '
PROMPT='$ '
fi
# Read system-wide modifications. # Read system-wide modifications.
if test -f /etc/zshrc.local; then if test -f /etc/zshrc.local; then
. /etc/zshrc.local . /etc/zshrc.local

10
nixos/modules/rename.nix
View File

@ -72,8 +72,8 @@ with lib;
# PAM # PAM
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
(mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead") # rmilter/rspamd
(mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead") (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service")
# Xsession script # Xsession script
(mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ])
@ -178,6 +178,9 @@ with lib;
The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>.
'') '')
# phpfpm
(mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.")
# zabbixServer # zabbixServer
(mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ]) (mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ])
@ -226,6 +229,7 @@ with lib;
(mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
(mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
(mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
(mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
# ZSH # ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
@ -276,7 +280,7 @@ with lib;
throw "services.redshift.longitude is set to null, you can remove this" throw "services.redshift.longitude is set to null, you can remove this"
else builtins.fromJSON value)) else builtins.fromJSON value))
] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
"jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
"snmpExporter" "unifiExporter" "varnishExporter" ] "snmpExporter" "unifiExporter" "varnishExporter" ]
(opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] ''

28
nixos/modules/services/audio/roon-server.nix
View File

@ -19,6 +19,20 @@ in {
TCP: 9100 - 9200 TCP: 9100 - 9200
''; '';
}; };
user = mkOption {
type = types.str;
default = "roon-server";
description = ''
User to run the Roon Server as.
'';
};
group = mkOption {
type = types.str;
default = "roon-server";
description = ''
Group to run the Roon Server as.
'';
};
}; };
}; };
@ -33,8 +47,8 @@ in {
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.roon-server}/opt/start.sh"; ExecStart = "${pkgs.roon-server}/opt/start.sh";
LimitNOFILE = 8192; LimitNOFILE = 8192;
DynamicUser = true; User = cfg.user;
SupplementaryGroups = "audio"; Group = cfg.group;
StateDirectory = name; StateDirectory = name;
}; };
}; };
@ -45,5 +59,15 @@ in {
]; ];
allowedUDPPorts = [ 9003 ]; allowedUDPPorts = [ 9003 ];
}; };
users.groups."${cfg.group}" = {};
users.users."${cfg.user}" =
if cfg.user == "roon-server" then {
isSystemUser = true;
description = "Roon Server user";
groups = [ cfg.group "audio" ];
}
else {};
}; };
} }

1
nixos/modules/services/databases/memcached.nix
View File

@ -103,7 +103,6 @@ in
LockPersonality = true; LockPersonality = true;
RestrictRealtime = true; RestrictRealtime = true;
PrivateMounts = true; PrivateMounts = true;
PrivateUsers = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
}; };
}; };

4
nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
View File

@ -30,9 +30,9 @@ with lib;
config = mkIf config.services.gnome3.gnome-online-accounts.enable { config = mkIf config.services.gnome3.gnome-online-accounts.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-online-accounts ]; environment.systemPackages = [ pkgs.gnome-online-accounts ];
services.dbus.packages = [ pkgs.gnome3.gnome-online-accounts ]; services.dbus.packages = [ pkgs.gnome-online-accounts ];
}; };

41
nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix
View File

@ -1,41 +0,0 @@
# GNOME Documents daemon.
{ config, pkgs, lib, ... }:
with lib;
{
###### interface
options = {
services.gnome3.gnome-terminal-server = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GNOME Terminal server service,
needed for gnome-terminal.
'';
};
};
};
###### implementation
config = mkIf config.services.gnome3.gnome-terminal-server.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-terminal ];
services.dbus.packages = [ pkgs.gnome3.gnome-terminal ];
systemd.packages = [ pkgs.gnome3.gnome-terminal ];
};
}

43
nixos/modules/services/desktops/gnome3/gvfs.nix
View File

@ -1,43 +0,0 @@
# gvfs backends
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
services.gnome3.gvfs = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable gvfs backends, userspace virtual filesystem used
by GNOME components via D-Bus.
'';
};
};
};
###### implementation
config = mkIf config.services.gnome3.gvfs.enable {
environment.systemPackages = [ pkgs.gnome3.gvfs ];
services.dbus.packages = [ pkgs.gnome3.gvfs ];
systemd.packages = [ pkgs.gnome3.gvfs ];
services.udev.packages = [ pkgs.libmtp.bin ];
};
}

6
nixos/modules/services/desktops/gnome3/tracker-miners.nix
View File

@ -30,11 +30,11 @@ with lib;
config = mkIf config.services.gnome3.tracker-miners.enable { config = mkIf config.services.gnome3.tracker-miners.enable {
environment.systemPackages = [ pkgs.gnome3.tracker-miners ]; environment.systemPackages = [ pkgs.tracker-miners ];
services.dbus.packages = [ pkgs.gnome3.tracker-miners ]; services.dbus.packages = [ pkgs.tracker-miners ];
systemd.packages = [ pkgs.gnome3.tracker-miners ]; systemd.packages = [ pkgs.tracker-miners ];
}; };

6
nixos/modules/services/desktops/gnome3/tracker.nix
View File

@ -30,11 +30,11 @@ with lib;
config = mkIf config.services.gnome3.tracker.enable { config = mkIf config.services.gnome3.tracker.enable {
environment.systemPackages = [ pkgs.gnome3.tracker ]; environment.systemPackages = [ pkgs.tracker ];
services.dbus.packages = [ pkgs.gnome3.tracker ]; services.dbus.packages = [ pkgs.tracker ];
systemd.packages = [ pkgs.gnome3.tracker ]; systemd.packages = [ pkgs.tracker ];
}; };

59
nixos/modules/services/desktops/gvfs.nix Normal file
View File

@ -0,0 +1,59 @@
# GVfs
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gvfs;
in
{
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gvfs" "enable" ]
[ "services" "gvfs" "enable" ])
];
###### interface
options = {
services.gvfs = {
enable = mkEnableOption "GVfs, a userspace virtual filesystem";
# gvfs can be built with multiple configurations
package = mkOption {
type = types.package;
default = pkgs.gnome3.gvfs;
description = "Which GVfs package to use.";
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
services.dbus.packages = [ cfg.package ];
systemd.packages = [ cfg.package ];
services.udev.packages = [ pkgs.libmtp.bin ];
# Needed for unwrapped applications
environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
};
}

24
nixos/modules/services/hardware/trezord.nix
View File

@ -5,6 +5,12 @@ let
cfg = config.services.trezord; cfg = config.services.trezord;
in { in {
### docs
meta = {
doc = ./trezord.xml;
};
### interface ### interface
options = { options = {
@ -16,6 +22,22 @@ in {
Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets. Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets.
''; '';
}; };
emulator.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable Trezor emulator support.
'';
};
emulator.port = mkOption {
type = types.port;
default = 21324;
description = ''
Listening port for the Trezor emulator.
'';
};
}; };
}; };
@ -44,7 +66,7 @@ in {
path = []; path = [];
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
ExecStart = "${pkgs.trezord}/bin/trezord-go"; ExecStart = "${pkgs.trezord}/bin/trezord-go ${optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}";
User = "trezord"; User = "trezord";
}; };
}; };

26
nixos/modules/services/hardware/trezord.xml Normal file
View File

@ -0,0 +1,26 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="trezor">
<title>Trezor</title>
<para>
Trezor is an open-source cryptocurrency hardware wallet and security token
allowing secure storage of private keys.
</para>
<para>
It offers advanced features such U2F two-factor authorization, SSH login
through
<link xlink:href="https://wiki.trezor.io/Apps:SSH_agent">Trezor SSH agent</link>,
<link xlink:href="https://wiki.trezor.io/GPG">GPG</link> and a
<link xlink:href="https://wiki.trezor.io/Trezor_Password_Manager">password manager</link>.
For more information, guides and documentation, see <link xlink:href="https://wiki.trezor.io"/>.
</para>
<para>
To enable Trezor support, add the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.trezord.enable"/> = true;
</programlisting>
This will add all necessary udev rules and start Trezor Bridge.
</para>
</chapter>

38
nixos/modules/services/logging/awstats.nix
View File

@ -4,6 +4,7 @@ with lib;
let let
cfg = config.services.awstats; cfg = config.services.awstats;
httpd = config.services.httpd;
package = pkgs.awstats; package = pkgs.awstats;
in in
@ -67,29 +68,32 @@ in
environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf" environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf"
{ preferLocalBuild = true; } { preferLocalBuild = true; }
( let ( let
cfg-httpd = config.services.httpd;
logFormat = logFormat =
if cfg-httpd.logFormat == "combined" then "1" else if httpd.logFormat == "combined" then "1" else
if cfg-httpd.logFormat == "common" then "4" else if httpd.logFormat == "common" then "4" else
throw "awstats service doesn't support Apache log format `${cfg-httpd.logFormat}`"; throw "awstats service doesn't support Apache log format `${httpd.logFormat}`";
in in
'' ''
sed \ sed \
-e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \ -e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \
-e 's|^\(DirIcons\)=.*$|\1="icons"|' \ -e 's|^\(DirIcons\)=.*$|\1="icons"|' \
-e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \
-e 's|^\(SiteDomain\)=.*$|\1="${cfg-httpd.hostName}"|' \ -e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \
-e 's|^\(LogFile\)=.*$|\1="${cfg-httpd.logDir}/access_log"|' \ -e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \
-e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \ -e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \
< '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out"
echo '${cfg.extraConfig}' >> "$out" echo '${cfg.extraConfig}' >> "$out"
''); '');
systemd.tmpfiles.rules = optionals cfg.service.enable [
"d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
"Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
];
# The httpd sub-service showing awstats. # The httpd sub-service showing awstats.
services.httpd.enable = mkIf cfg.service.enable true; services.httpd = optionalAttrs cfg.service.enable {
services.httpd.extraSubservices = mkIf cfg.service.enable [ { function = { serverInfo, ... }: { enable = true;
extraConfig = extraConfig = ''
''
Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/" Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/" Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/" Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
@ -97,20 +101,10 @@ in
<Directory "${package.out}/wwwroot"> <Directory "${package.out}/wwwroot">
Options None Options None
AllowOverride None Require all granted
Order allow,deny
Allow from all
</Directory> </Directory>
''; '';
startupScript = };
let
inherit (serverInfo.serverConfig) user group;
in pkgs.writeScript "awstats_startup.sh"
''
mkdir -p '${cfg.vardir}'
chown '${user}:${group}' '${cfg.vardir}'
'';
};}];
systemd.services.awstats-update = mkIf (cfg.updateAt != null) { systemd.services.awstats-update = mkIf (cfg.updateAt != null) {
description = "awstats log collector"; description = "awstats log collector";

252
nixos/modules/services/mail/rmilter.nix
View File

@ -1,252 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
rspamdCfg = config.services.rspamd;
postfixCfg = config.services.postfix;
cfg = config.services.rmilter;
inetSocket = addr: port: "inet:${addr}:${toString port}";
unixSocket = sock: "unix:${sock}";
systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path
else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}";
rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path
else inetSocket cfg.bindSocket.address cfg.bindSocket.port;
rmilterConf = ''
pidfile = /run/rmilter/rmilter.pid;
bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket};
tempdir = /tmp;
'' + (with cfg.rspamd; if enable then ''
spamd {
servers = ${concatStringsSep ", " servers};
connect_timeout = 1s;
results_timeout = 20s;
error_time = 10;
dead_time = 300;
maxerrors = 10;
reject_message = "${rejectMessage}";
${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"}
# rspamd_metric - metric for using with rspamd
# Default: "default"
rspamd_metric = "default";
${extraConfig}
};
'' else "") + cfg.extraConfig;
rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;
in
{
###### interface
options = {
services.rmilter = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to run the rmilter daemon.";
};
debug = mkOption {
type = types.bool;
default = false;
description = "Whether to run the rmilter daemon in debug mode.";
};
user = mkOption {
type = types.string;
default = "rmilter";
description = ''
User to use when no root privileges are required.
'';
};
group = mkOption {
type = types.string;
default = "rmilter";
description = ''
Group to use when no root privileges are required.
'';
};
bindSocket.type = mkOption {
type = types.enum [ "unix" "inet" ];
default = "unix";
description = ''
What kind of socket rmilter should listen on. Either "unix"
for an Unix domain socket or "inet" for a TCP socket.
'';
};
bindSocket.path = mkOption {
type = types.str;
default = "/run/rmilter.sock";
description = ''
Path to Unix domain socket to listen on.
'';
};
bindSocket.address = mkOption {
type = types.str;
default = "[::1]";
example = "0.0.0.0";
description = ''
Inet address to listen on.
'';
};
bindSocket.port = mkOption {
type = types.int;
default = 11990;
description = ''
Inet port to listen on.
'';
};
socketActivation = mkOption {
type = types.bool;
default = true;
description = ''
Enable systemd socket activation for rmilter.
Disabling socket activation is not recommended when a Unix
domain socket is used and could lead to incorrect
permissions.
'';
};
rspamd = {
enable = mkOption {
type = types.bool;
default = rspamdCfg.enable;
description = "Whether to use rspamd to filter mails";
};
servers = mkOption {
type = types.listOf types.str;
default = ["r:/run/rspamd/rspamd.sock"];
description = ''
Spamd socket definitions.
Is server name is prefixed with r: it is rspamd server.
'';
};
whitelist = mkOption {
type = types.listOf types.str;
default = [ ];
description = "list of ips or nets that should be not checked with spamd";
};
rejectMessage = mkOption {
type = types.str;
default = "Spam message rejected; If this is not spam contact abuse";
description = "reject message for spam";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Custom snippet to append to end of `spamd' section";
};
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Custom snippet to append to rmilter config";
};
postfix = {
enable = mkOption {
type = types.bool;
default = false;
description = "Add rmilter to postfix main.conf";
};
configFragment = mkOption {
type = types.str;
description = "Addon to postfix configuration";
default = ''
smtpd_milters = ${rmilterSocket}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
'';
};
};
};
};
###### implementation
config = mkMerge [
(mkIf cfg.enable {
warnings = [
''`config.services.rmilter' is deprecated, `rmilter' deprecated and unsupported by upstream, and will be removed from next releases. Use built-in rspamd milter instead.''
];
users.users = singleton {
name = cfg.user;
description = "rmilter daemon";
uid = config.ids.uids.rmilter;
group = cfg.group;
};
users.groups = singleton {
name = cfg.group;
gid = config.ids.gids.rmilter;
};
systemd.services.rmilter = {
description = "Rmilter Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryMode = "0750";
};
};
systemd.sockets.rmilter = mkIf cfg.socketActivation {
description = "Rmilter service socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = systemdSocket;
SocketUser = cfg.user;
SocketGroup = cfg.group;
SocketMode = "0660";
};
};
})
(mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
users.users.${cfg.user}.extraGroups = [ rspamdCfg.group ];
})
(mkIf (cfg.enable && cfg.postfix.enable) {
services.postfix.extraConfig = cfg.postfix.configFragment;
users.users.${postfixCfg.user}.extraGroups = [ cfg.group ];
})
];
}

40
nixos/modules/services/mail/roundcube.nix
View File

@ -4,6 +4,7 @@ with lib;
let let
cfg = config.services.roundcube; cfg = config.services.roundcube;
fpm = config.services.phpfpm.pools.roundcube;
in in
{ {
options.services.roundcube = { options.services.roundcube = {
@ -105,7 +106,7 @@ in
extraConfig = '' extraConfig = ''
location ~* \.php$ { location ~* \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/phpfpm/roundcube; fastcgi_pass unix:${fpm.socket};
include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf; include ${pkgs.nginx}/conf/fastcgi.conf;
} }
@ -119,24 +120,27 @@ in
enable = true; enable = true;
}; };
services.phpfpm.poolConfigs.roundcube = '' services.phpfpm.pools.roundcube = {
listen = /run/phpfpm/roundcube user = "nginx";
listen.owner = nginx phpOptions = ''
listen.group = nginx error_log = 'stderr'
listen.mode = 0660 log_errors = on
user = nginx post_max_size = 25M
pm = dynamic upload_max_filesize = 25M
pm.max_children = 75
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 20
pm.max_requests = 500
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
php_admin_value[post_max_size] = 25M
php_admin_value[upload_max_filesize] = 25M
catch_workers_output = yes
''; '';
settings = mapAttrs (name: mkDefault) {
"listen.owner" = "nginx";
"listen.group" = "nginx";
"listen.mode" = "0660";
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
"catch_workers_output" = true;
};
};
systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ]; systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
systemd.services.roundcube-setup = let systemd.services.roundcube-setup = let

2
nixos/modules/services/misc/gitlab.nix
View File

@ -659,7 +659,7 @@ in {
fi fi
# We remove potentially broken links to old gitlab-shell versions # We remove potentially broken links to old gitlab-shell versions
rm -f ${cfg.statePath}/repositories/**/*.git/hooks rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks
${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input" ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input"
''; '';

68
nixos/modules/services/misc/mantisbt.nix
View File

@ -1,68 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.mantisbt;
freshInstall = cfg.extraConfig == "";
# combined code+config directory
mantisbt = let
config_inc = pkgs.writeText "config_inc.php" ("<?php\n" + cfg.extraConfig);
src = pkgs.fetchurl {
url = "mirror://sourceforge/mantisbt/${name}.tar.gz";
sha256 = "1pl6xn793p3mxc6ibpr2bhg85vkdlcf57yk7pfc399g47l8x4508";
};
name = "mantisbt-1.2.19";
in
# We have to copy every time; otherwise config won't be found.
pkgs.runCommand name
{ preferLocalBuild = true; allowSubstitutes = false; }
(''
mkdir -p "$out"
cd "$out"
tar -xf '${src}' --strip-components=1
ln -s '${config_inc}' config_inc.php
''
+ lib.optionalString (!freshInstall) "rm -r admin/"
);
in
{
options.services.mantisbt = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the mantisbt web service.
This switches on httpd with PHP and database.
'';
};
urlPrefix = mkOption {
type = types.string;
default = "/mantisbt";
description = "The URL prefix under which the mantisbt service appears.";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
The contents of config_inc.php, without leading &lt;?php.
If left empty, the admin directory will be accessible.
'';
};
};
config = mkIf cfg.enable {
services.mysql.enable = true;
services.httpd.enable = true;
services.httpd.enablePHP = true;
# The httpd sub-service showing mantisbt.
services.httpd.extraSubservices = [ { function = { ... }: {
extraConfig =
''
Alias ${cfg.urlPrefix} "${mantisbt}"
'';
};}];
};
}

2
nixos/modules/services/misc/matrix-synapse.nix
View File

@ -684,7 +684,7 @@ in {
fi fi
''; '';
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "notify";
User = "matrix-synapse"; User = "matrix-synapse";
Group = "matrix-synapse"; Group = "matrix-synapse";
WorkingDirectory = cfg.dataDir; WorkingDirectory = cfg.dataDir;

103
nixos/modules/services/misc/metabase.nix Normal file
View File

@ -0,0 +1,103 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.metabase;
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib) optional optionalAttrs types;
dataDir = "/var/lib/metabase";
in {
options = {
services.metabase = {
enable = mkEnableOption "Metabase service";
listen = {
ip = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
IP address that Metabase should listen on.
'';
};
port = mkOption {
type = types.port;
default = 3000;
description = ''
Listen port for Metabase.
'';
};
};
ssl = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable SSL (https) support.
'';
};
port = mkOption {
type = types.port;
default = 8443;
description = ''
Listen port over SSL (https) for Metabase.
'';
};
keystore = mkOption {
type = types.nullOr types.path;
default = "${dataDir}/metabase.jks";
example = "/etc/secrets/keystore.jks";
description = ''
<link xlink:href="https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores">Java KeyStore</link> file containing the certificates.
'';
};
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open ports in the firewall for Metabase.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.metabase = {
description = "Metabase server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
environment = {
MB_PLUGINS_DIR = "${dataDir}/plugins";
MB_DB_FILE = "${dataDir}/metabase.db";
MB_JETTY_HOST = cfg.listen.ip;
MB_JETTY_PORT = toString cfg.listen.port;
} // optionalAttrs (cfg.ssl.enable) {
MB_JETTY_SSL = true;
MB_JETTY_SSL_PORT = toString cfg.ssl.port;
MB_JETTY_SSL_KEYSTORE = cfg.ssl.keystore;
};
serviceConfig = {
DynamicUser = true;
StateDirectory = baseNameOf dataDir;
ExecStart = "${pkgs.metabase}/bin/metabase";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.listen.port ] ++ optional cfg.ssl.enable cfg.ssl.port;
};
};
}

41
nixos/modules/services/misc/zoneminder.nix
View File

@ -2,6 +2,7 @@
let let
cfg = config.services.zoneminder; cfg = config.services.zoneminder;
fpm = config.services.phpfpm.pools.zoneminder;
pkg = pkgs.zoneminder; pkg = pkgs.zoneminder;
dirName = pkg.dirName; dirName = pkg.dirName;
@ -19,8 +20,6 @@ let
useCustomDir = cfg.storageDir != null; useCustomDir = cfg.storageDir != null;
socket = "/run/phpfpm/${dirName}.sock";
zms = "/cgi-bin/zms"; zms = "/cgi-bin/zms";
dirs = dirList: [ dirName ] ++ map (e: "${dirName}/${e}") dirList; dirs = dirList: [ dirName ] ++ map (e: "${dirName}/${e}") dirList;
@ -201,7 +200,10 @@ in {
"zoneminder/80-nixos.conf".source = configFile; "zoneminder/80-nixos.conf".source = configFile;
}; };
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ]; networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
cfg.port
6802 # zmtrigger
];
services = { services = {
fcgiwrap = lib.mkIf useNginx { fcgiwrap = lib.mkIf useNginx {
@ -274,7 +276,7 @@ in {
fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:${socket}; fastcgi_pass unix:${fpm.socket};
} }
} }
''; '';
@ -284,30 +286,27 @@ in {
phpfpm = lib.mkIf useNginx { phpfpm = lib.mkIf useNginx {
pools.zoneminder = { pools.zoneminder = {
listen = socket; inherit user group;
phpOptions = '' phpOptions = ''
date.timezone = "${config.time.timeZone}" date.timezone = "${config.time.timeZone}"
${lib.concatStringsSep "\n" (map (e: ${lib.concatStringsSep "\n" (map (e:
"extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)} "extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)}
''; '';
extraConfig = '' settings = lib.mapAttrs (name: lib.mkDefault) {
user = ${user} "listen.owner" = user;
group = ${group} "listen.group" = group;
"listen.mode" = "0660";
listen.owner = ${user} "pm" = "dynamic";
listen.group = ${group} "pm.start_servers" = 1;
listen.mode = 0660 "pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 2;
pm = dynamic "pm.max_requests" = 500;
pm.start_servers = 1 "pm.max_children" = 5;
pm.min_spare_servers = 1 "pm.status_path" = "/$pool-status";
pm.max_spare_servers = 2 "ping.path" = "/$pool-ping";
pm.max_requests = 500 };
pm.max_children = 5
pm.status_path = /$pool-status
ping.path = /$pool-ping
'';
}; };
}; };
}; };

11
nixos/modules/services/monitoring/cadvisor.nix
View File

@ -84,6 +84,16 @@ in {
type = types.bool; type = types.bool;
description = "Cadvisor storage driver, enable secure communication."; description = "Cadvisor storage driver, enable secure communication.";
}; };
extraOptions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional cadvisor options.
See <link xlink:href='https://github.com/google/cadvisor/blob/master/docs/runtime_options.md'/> for available options.
'';
};
}; };
}; };
@ -112,6 +122,7 @@ in {
-logtostderr=true \ -logtostderr=true \
-listen_ip="${cfg.listenAddress}" \ -listen_ip="${cfg.listenAddress}" \
-port="${toString cfg.port}" \ -port="${toString cfg.port}" \
${escapeShellArgs cfg.extraOptions} \
${optionalString (cfg.storageDriver != null) '' ${optionalString (cfg.storageDriver != null) ''
-storage_driver "${cfg.storageDriver}" \ -storage_driver "${cfg.storageDriver}" \
-storage_driver_user "${cfg.storageDriverHost}" \ -storage_driver_user "${cfg.storageDriverHost}" \

12
nixos/modules/services/monitoring/riemann-tools.nix
View File

@ -11,7 +11,7 @@ let
healthLauncher = writeScriptBin "riemann-health" '' healthLauncher = writeScriptBin "riemann-health" ''
#!/bin/sh #!/bin/sh
exec ${pkgs.riemann-tools}/bin/riemann-health --host ${riemannHost} exec ${pkgs.riemann-tools}/bin/riemann-health ${builtins.concatStringsSep " " cfg.extraArgs} --host ${riemannHost}
''; '';
@ -34,8 +34,16 @@ in {
Address of the host riemann node. Defaults to localhost. Address of the host riemann node. Defaults to localhost.
''; '';
}; };
extraArgs = mkOption {
type = types.listOf types.string;
default = [];
description = ''
A list of commandline-switches forwarded to a riemann-tool.
See for example `riemann-health --help` for available options.
'';
example = ["-p 5555" "--timeout=30" "--attribute=myattribute=42"];
};
}; };
}; };
config = mkIf cfg.enableHealth { config = mkIf cfg.enableHealth {

133
nixos/modules/services/monitoring/systemhealth.nix
View File

@ -1,133 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.systemhealth;
systemhealth = with pkgs; stdenv.mkDerivation {
name = "systemhealth-1.0";
src = fetchurl {
url = "https://www.brianlane.com/downloads/systemhealth/systemhealth-1.0.tar.bz2";
sha256 = "1q69lz7hmpbdpbz36zb06nzfkj651413n9icx0njmyr3xzq1j9qy";
};
buildInputs = [ python ];
installPhase = ''
mkdir -p $out/bin
# Make it work for kernels 3.x, not so different than 2.6
sed -i 's/2\.6/4.0/' system_health.py
cp system_health.py $out/bin
'';
};
rrdDir = "/var/lib/health/rrd";
htmlDir = "/var/lib/health/html";
configFile = rrdDir + "/.syshealthrc";
# The program will try to read $HOME/.syshealthrc, so we set the proper home.
command = "HOME=${rrdDir} ${systemhealth}/bin/system_health.py";
cronJob = ''
*/5 * * * * wwwrun ${command} --log
5 * * * * wwwrun ${command} --graph
'';
nameEqualName = s: "${s} = ${s}";
interfacesSection = concatStringsSep "\n" (map nameEqualName cfg.interfaces);
driveLine = d: "${d.path} = ${d.name}";
drivesSection = concatStringsSep "\n" (map driveLine cfg.drives);
in
{
options = {
services.systemhealth = {
enable = mkOption {
default = false;
description = ''
Enable the system health monitor and its generation of graphs.
'';
};
urlPrefix = mkOption {
default = "/health";
description = ''
The URL prefix under which the System Health web pages appear in httpd.
'';
};
interfaces = mkOption {
default = [ "lo" ];
example = [ "lo" "eth0" "eth1" ];
description = ''
Interfaces to monitor (minimum one).
'';
};
drives = mkOption {
default = [ ];
example = [ { name = "root"; path = "/"; } ];
description = ''
Drives to monitor.
'';
};
};
};
config = mkIf cfg.enable {
services.cron.systemCronJobs = [ cronJob ];
system.activationScripts.systemhealth = stringAfter [ "var" ]
''
mkdir -p ${rrdDir} ${htmlDir}
chown wwwrun:wwwrun ${rrdDir} ${htmlDir}
cat >${configFile} << EOF
[paths]
rrdtool = ${pkgs.rrdtool}/bin/rrdtool
loadavg_rrd = loadavg
ps = /run/current-system/sw/bin/ps
df = /run/current-system/sw/bin/df
meminfo_rrd = meminfo
uptime_rrd = uptime
rrd_path = ${rrdDir}
png_path = ${htmlDir}
[processes]
[interfaces]
${interfacesSection}
[drives]
${drivesSection}
[graphs]
width = 400
time = ['-3hours', '-32hours', '-8days', '-5weeks', '-13months']
height = 100
[external]
EOF
chown wwwrun:wwwrun ${configFile}
${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --check" wwwrun
${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --html" wwwrun
'';
services.httpd.extraSubservices = [
{ function = f: {
extraConfig = ''
Alias ${cfg.urlPrefix} ${htmlDir}
<Directory ${htmlDir}>
Order allow,deny
Allow from all
</Directory>
'';
};
}
];
};
}

2
nixos/modules/services/monitoring/ups.nix
View File

@ -225,7 +225,7 @@ in
'' ''
maxstartdelay = ${toString cfg.maxStartDelay} maxstartdelay = ${toString cfg.maxStartDelay}
${flip concatStringsSep (flip map (attrValues cfg.ups) (ups: ups.summary)) " ${flip concatStringsSep (forEach (attrValues cfg.ups) (ups: ups.summary)) "
"} "}
''; '';

1
nixos/modules/services/network-filesystems/u9fs.nix
View File

@ -55,6 +55,7 @@ in
sockets.u9fs = { sockets.u9fs = {
description = "U9fs Listening Socket"; description = "U9fs Listening Socket";
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
after = [ "network.target" ];
inherit (cfg) listenStreams; inherit (cfg) listenStreams;
socketConfig.Accept = "yes"; socketConfig.Accept = "yes";
}; };

21
nixos/modules/services/networking/cjdns.nix
View File

@ -44,9 +44,7 @@ let
parseModules = x: parseModules = x:
x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; }; x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; };
# would be nice to merge 'cfg' with a //, cjdrouteConf = builtins.toJSON ( recursiveUpdate {
# but the json nesting is wacky.
cjdrouteConf = builtins.toJSON ( {
admin = { admin = {
bind = cfg.admin.bind; bind = cfg.admin.bind;
password = "@CJDNS_ADMIN_PASSWORD@"; password = "@CJDNS_ADMIN_PASSWORD@";
@ -71,7 +69,7 @@ let
security = [ { exemptAngel = 1; setuser = "nobody"; } ]; security = [ { exemptAngel = 1; setuser = "nobody"; } ];
}); } cfg.extraConfig);
in in
@ -91,6 +89,16 @@ in
''; '';
}; };
extraConfig = mkOption {
type = types.attrs;
default = {};
example = { router.interface.tunDevice = "tun10"; };
description = ''
Extra configuration, given as attrs, that will be merged recursively
with the rest of the JSON generated by this module, at the root node.
'';
};
confFile = mkOption { confFile = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
@ -246,7 +254,10 @@ in
if cfg.confFile != null then "${pkg}/bin/cjdroute < ${cfg.confFile}" else if cfg.confFile != null then "${pkg}/bin/cjdroute < ${cfg.confFile}" else
'' ''
source /etc/cjdns.keys source /etc/cjdns.keys
echo '${cjdrouteConf}' | sed \ (cat <<'EOF'
${cjdrouteConf}
EOF
) | sed \
-e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \ -e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \
-e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \ -e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \
| ${pkg}/bin/cjdroute | ${pkg}/bin/cjdroute

2
nixos/modules/services/networking/consul.nix
View File

@ -15,7 +15,7 @@ let
++ cfg.extraConfigFiles; ++ cfg.extraConfigFiles;
devices = attrValues (filterAttrs (_: i: i != null) cfg.interface); devices = attrValues (filterAttrs (_: i: i != null) cfg.interface);
systemdDevices = flip map devices systemdDevices = forEach devices
(i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device"); (i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device");
in in
{ {

8
nixos/modules/services/networking/dnschain.nix
View File

@ -136,10 +136,16 @@ in
"/.dns/127.0.0.1#${toString cfg.dns.port}" "/.dns/127.0.0.1#${toString cfg.dns.port}"
]; ];
services.pdns-recursor.forwardZones = mkIf cfgs.pdns-recursor.resolveDNSChainQueries services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries {
forwardZones =
{ bit = "127.0.0.1:${toString cfg.dns.port}"; { bit = "127.0.0.1:${toString cfg.dns.port}";
dns = "127.0.0.1:${toString cfg.dns.port}"; dns = "127.0.0.1:${toString cfg.dns.port}";
}; };
luaConfig =''
addNTA("bit", "namecoin doesn't support DNSSEC")
addNTA("dns", "namecoin doesn't support DNSSEC")
'';
};
users.users = singleton { users.users = singleton {
name = username; name = username;

2
nixos/modules/services/networking/hylafax/systemd.nix
View File

@ -7,7 +7,7 @@ let
inherit (lib) concatStringsSep optionalString; inherit (lib) concatStringsSep optionalString;
cfg = config.services.hylafax; cfg = config.services.hylafax;
mapModems = lib.flip map (lib.attrValues cfg.modems); mapModems = lib.forEach (lib.attrValues cfg.modems);
mkConfigFile = name: conf: mkConfigFile = name: conf:
# creates hylafax config file, # creates hylafax config file,

97
nixos/modules/services/networking/jormungandr.nix Normal file
View File

@ -0,0 +1,97 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.jormungandr;
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib) optionalString types;
dataDir = "/var/lib/jormungandr";
# Default settings so far, as the service matures we will
# move these out as separate settings
configSettings = {
storage = dataDir;
p2p = {
public_address = "/ip4/127.0.0.1/tcp/8299";
messages = "high";
blocks = "high";
};
rest = {
listen = "127.0.0.1:8607";
};
};
configFile = if cfg.configFile == null then
pkgs.writeText "jormungandr.yaml" (builtins.toJSON configSettings)
else cfg.configFile;
in {
options = {
services.jormungandr = {
enable = mkEnableOption "jormungandr service";
configFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/jormungandr/node.yaml";
description = ''
The path of the jormungandr blockchain configuration file in YAML format.
If no file is specified, a file is generated using the other options.
'';
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/etc/secret/jormungandr.yaml";
description = ''
The path of the jormungandr blockchain secret node configuration file in
YAML format. Do not store this in nix store!
'';
};
genesisBlockHash = mkOption {
type = types.nullOr types.string;
default = null;
example = "d70495af81ae8600aca3e642b2427327cb6001ec4d7a0037e96a00dabed163f9";
description = ''
Set the genesis block hash (the hash of the block0) so we can retrieve
the genesis block (and the blockchain configuration) from the existing
storage or from the network.
'';
};
genesisBlockFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/jormungandr/block-0.bin";
description = ''
The path of the genesis block file if we are hosting it locally.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.jormungandr = {
description = "jormungandr server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
DynamicUser = true;
StateDirectory = baseNameOf dataDir;
ExecStart = ''
${pkgs.jormungandr}/bin/jormungandr --config ${configFile} \
${optionalString (cfg.secretFile != null) " --secret ${cfg.secretFile}"} \
${optionalString (cfg.genesisBlockHash != null) " --genesis-block-hash ${cfg.genesisBlockHash}"} \
${optionalString (cfg.genesisBlockFile != null) " --genesis-block ${cfg.genesisBlockFile}"}
'';
};
};
};
}

44
nixos/modules/services/networking/ofono.nix Normal file
View File

@ -0,0 +1,44 @@
# Ofono daemon.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.ofono;
plugin_path =
lib.concatMapStringsSep ":"
(plugin: "${plugin}/lib/ofono/plugins")
cfg.plugins
;
in
{
###### interface
options = {
services.ofono = {
enable = mkEnableOption "Ofono";
plugins = mkOption {
type = types.listOf types.package;
default = [];
example = literalExample "[ pkgs.modem-manager-gui ]";
description = ''
The list of plugins to install.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
services.dbus.packages = [ pkgs.ofono ];
systemd.packages = [ pkgs.ofono ];
systemd.services.ofono.environment.OFONO_PLUGIN_PATH = mkIf (cfg.plugins != []) plugin_path;
};
}

83
nixos/modules/services/networking/pdns-recursor.nix
View File

@ -7,24 +7,26 @@ let
username = "pdns-recursor"; username = "pdns-recursor";
cfg = config.services.pdns-recursor; cfg = config.services.pdns-recursor;
zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
configFile = pkgs.writeText "recursor.conf" '' oneOrMore = type: with types; either type (listOf type);
local-address=${cfg.dns.address} valueType = with types; oneOf [ int str bool path ];
local-port=${toString cfg.dns.port} configType = with types; attrsOf (nullOr (oneOrMore valueType));
allow-from=${concatStringsSep "," cfg.dns.allowFrom}
webserver-address=${cfg.api.address} toBool = val: if val then "yes" else "no";
webserver-port=${toString cfg.api.port} serialize = val: with types;
webserver-allow-from=${concatStringsSep "," cfg.api.allowFrom} if str.check val then val
else if int.check val then toString val
else if path.check val then toString val
else if bool.check val then toBool val
else if builtins.isList val then (concatMapStringsSep "," serialize val)
else "";
forward-zones=${concatStringsSep "," zones} configFile = pkgs.writeText "recursor.conf"
export-etc-hosts=${if cfg.exportHosts then "yes" else "no"} (concatStringsSep "\n"
dnssec=${cfg.dnssecValidation} (flip mapAttrsToList cfg.settings
serve-rfc1918=${if cfg.serveRFC1918 then "yes" else "no"} (name: val: "${name}=${serialize val}")));
${cfg.extraConfig} mkDefaultAttrs = mapAttrs (n: v: mkDefault v);
'';
in { in {
options.services.pdns-recursor = { options.services.pdns-recursor = {
@ -117,18 +119,56 @@ in {
''; '';
}; };
extraConfig = mkOption { settings = mkOption {
type = configType;
default = { };
example = literalExample ''
{
loglevel = 8;
log-common-errors = true;
}
'';
description = ''
PowerDNS Recursor settings. Use this option to configure Recursor
settings not exposed in a NixOS option or to bypass one.
See the full documentation at
<link xlink:href="https://doc.powerdns.com/recursor/settings.html"/>
for the available options.
'';
};
luaConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
description = '' description = ''
Extra options to be appended to the configuration file. The content Lua configuration file for PowerDNS Recursor. See
<link xlink:href="https://doc.powerdns.com/recursor/lua-config/index.html"/>.
''; '';
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.${username} = { services.pdns-recursor.settings = mkDefaultAttrs {
local-address = cfg.dns.address;
local-port = cfg.dns.port;
allow-from = cfg.dns.allowFrom;
webserver-address = cfg.api.address;
webserver-port = cfg.api.port;
webserver-allow-from = cfg.api.allowFrom;
forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
export-etc-hosts = cfg.exportHosts;
dnssec = cfg.dnssecValidation;
serve-rfc1918 = cfg.serveRFC1918;
lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig;
log-timestamp = false;
disable-syslog = true;
};
users.users."${username}" = {
home = dataDir; home = dataDir;
createHome = true; createHome = true;
uid = config.ids.uids.pdns-recursor; uid = config.ids.uids.pdns-recursor;
@ -150,8 +190,7 @@ in {
AmbientCapabilities = "cap_net_bind_service"; AmbientCapabilities = "cap_net_bind_service";
ExecStart = ''${pkgs.pdns-recursor}/bin/pdns_recursor \ ExecStart = ''${pkgs.pdns-recursor}/bin/pdns_recursor \
--config-dir=${dataDir} \ --config-dir=${dataDir} \
--socket-dir=${dataDir} \ --socket-dir=${dataDir}
--disable-syslog
''; '';
}; };
@ -165,4 +204,10 @@ in {
''; '';
}; };
}; };
imports = [
(mkRemovedOptionModule [ "services" "pdns-recursor" "extraConfig" ]
"To change extra Recursor settings use services.pdns-recursor.settings instead.")
];
} }

6
nixos/modules/services/networking/shadowsocks.nix
View File

@ -35,10 +35,10 @@ in
}; };
localAddress = mkOption { localAddress = mkOption {
type = types.str; type = types.coercedTo types.str singleton (types.listOf types.str);
default = "0.0.0.0"; default = [ "[::0]" "0.0.0.0" ];
description = '' description = ''
Local address to which the server binds. Local addresses to which the server binds.
''; '';
}; };

2
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -502,7 +502,7 @@ in
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
message = "cannot enable X11 forwarding without setting xauth location";}] message = "cannot enable X11 forwarding without setting xauth location";}]
++ flip map cfg.listenAddresses ({ addr, ... }: { ++ forEach cfg.listenAddresses ({ addr, ... }: {
assertion = addr != null; assertion = addr != null;
message = "addr must be specified in each listenAddresses entry"; message = "addr must be specified in each listenAddresses entry";
}); });

2
nixos/modules/services/networking/stubby.nix
View File

@ -168,7 +168,7 @@ in
default = defaultUpstream; default = defaultUpstream;
type = types.lines; type = types.lines;
description = '' description = ''
Add additional upstreams. See <citerefentry><refentrytitle>stubby Replace default upstreams. See <citerefentry><refentrytitle>stubby
</refentrytitle><manvolnum>1</manvolnum></citerefentry> for an </refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
example of the entry formatting. In Strict mode, at least one of the example of the entry formatting. In Strict mode, at least one of the
following settings must be supplied for each nameserver: following settings must be supplied for each nameserver:

1
nixos/modules/services/networking/unifi.nix
View File

@ -176,6 +176,7 @@ in
Type = "simple"; Type = "simple";
ExecStart = "${(removeSuffix "\n" cmd)} start"; ExecStart = "${(removeSuffix "\n" cmd)} start";
ExecStop = "${(removeSuffix "\n" cmd)} stop"; ExecStop = "${(removeSuffix "\n" cmd)} stop";
Restart = "on-failure";
User = "unifi"; User = "unifi";
UMask = "0077"; UMask = "0077";
WorkingDirectory = "${stateDir}"; WorkingDirectory = "${stateDir}";

1
nixos/modules/services/search/elasticsearch.nix
View File

@ -131,6 +131,7 @@ in {
description = "Extra elasticsearch plugins"; description = "Extra elasticsearch plugins";
default = []; default = [];
type = types.listOf types.package; type = types.listOf types.package;
example = lib.literalExample "[ pkgs.elasticsearchPlugins.discovery-ec2 ]";
}; };
}; };

14
nixos/modules/services/security/sshguard.nix
View File

@ -106,14 +106,24 @@ in {
path = with pkgs; [ iptables ipset iproute systemd ]; path = with pkgs; [ iptables ipset iproute systemd ];
postStart = '' # The sshguard ipsets must exist before we invoke
# iptables. sshguard creates the ipsets after startup if
# necessary, but if we let sshguard do it, we can't reliably add
# the iptables rules because postStart races with the creation
# of the ipsets. So instead, we create both the ipsets and
# firewall rules before sshguard starts.
preStart = ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
''; '';
preStop = '' postStop = ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
''; '';
unitConfig.Documentation = "man:sshguard(8)"; unitConfig.Documentation = "man:sshguard(8)";

14
nixos/modules/services/security/usbguard.nix
View File

@ -39,6 +39,16 @@ in {
services.usbguard = { services.usbguard = {
enable = mkEnableOption "USBGuard daemon"; enable = mkEnableOption "USBGuard daemon";
package = mkOption {
type = types.package;
default = pkgs.usbguard;
defaultText = "pkgs.usbguard";
description = ''
The usbguard package to use. If you do not need the Qt GUI, use
<literal>pkgs.usbguard-nox</literal> to save disk space.
'';
};
ruleFile = mkOption { ruleFile = mkOption {
type = types.path; type = types.path;
default = "/var/lib/usbguard/rules.conf"; default = "/var/lib/usbguard/rules.conf";
@ -179,7 +189,7 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.usbguard ]; environment.systemPackages = [ cfg.package ];
systemd.services.usbguard = { systemd.services.usbguard = {
description = "USBGuard daemon"; description = "USBGuard daemon";
@ -195,7 +205,7 @@ in {
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -P -k -c ${daemonConfFile}''; ExecStart = ''${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };

28
nixos/modules/services/torrent/transmission.nix
View File

@ -84,6 +84,18 @@ in
The directory where transmission will create files. The directory where transmission will create files.
''; '';
}; };
user = mkOption {
type = types.str;
default = "transmission";
description = "User account under which Transmission runs.";
};
group = mkOption {
type = types.str;
default = "transmission";
description = "Group account under which Transmission runs.";
};
}; };
}; };
@ -99,7 +111,8 @@ in
serviceConfig.ExecStartPre = preStart; serviceConfig.ExecStartPre = preStart;
serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port}"; serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port}";
serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
serviceConfig.User = "transmission"; serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
# NOTE: transmission has an internal umask that also must be set (in settings.json) # NOTE: transmission has an internal umask that also must be set (in settings.json)
serviceConfig.UMask = "0002"; serviceConfig.UMask = "0002";
}; };
@ -107,14 +120,19 @@ in
# It's useful to have transmission in path, e.g. for remote control # It's useful to have transmission in path, e.g. for remote control
environment.systemPackages = [ pkgs.transmission ]; environment.systemPackages = [ pkgs.transmission ];
users.groups.transmission.gid = config.ids.gids.transmission; users.users = optionalAttrs (cfg.user == "transmission") (singleton
users.users.transmission = { { name = "transmission";
group = "transmission"; group = cfg.group;
uid = config.ids.uids.transmission; uid = config.ids.uids.transmission;
description = "Transmission BitTorrent user"; description = "Transmission BitTorrent user";
home = homeDir; home = homeDir;
createHome = true; createHome = true;
}; });
users.groups = optionalAttrs (cfg.group == "transmission") (singleton
{ name = "transmission";
gid = config.ids.gids.transmission;
});
# AppArmor profile # AppArmor profile
security.apparmor.profiles = mkIf apparmor [ security.apparmor.profiles = mkIf apparmor [

41
nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
View File

@ -1,14 +1,16 @@
{ config, lib, pkgs, ... }: with lib; let { config, lib, pkgs, ... }: with lib; let
cfg = config.services.icingaweb2; cfg = config.services.icingaweb2;
fpm = config.services.phpfpm.pools.${poolName};
poolName = "icingaweb2"; poolName = "icingaweb2";
phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock";
defaultConfig = { defaultConfig = {
global = { global = {
module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}"; module_path = "${pkgs.icingaweb2}/modules";
}; };
}; };
in { in {
meta.maintainers = with maintainers; [ das_j ];
options.services.icingaweb2 = with types; { options.services.icingaweb2 = with types; {
enable = mkEnableOption "the icingaweb2 web interface"; enable = mkEnableOption "the icingaweb2 web interface";
@ -162,26 +164,25 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") { services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
${poolName} = '' "${poolName}" = {
listen = "${phpfpmSocketName}" user = "icingaweb2";
listen.owner = nginx phpOptions = ''
listen.group = nginx
listen.mode = 0600
user = icingaweb2
pm = dynamic
pm.max_children = 75
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 10
'';
};
services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}")
''
extension = ${pkgs.phpPackages.imagick}/lib/php/extensions/imagick.so extension = ${pkgs.phpPackages.imagick}/lib/php/extensions/imagick.so
date.timezone = "${cfg.timezone}" date.timezone = "${cfg.timezone}"
''; '';
settings = mapAttrs (name: mkDefault) {
"listen.owner" = "nginx";
"listen.group" = "nginx";
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 10;
};
};
};
systemd.services."phpfpm-${poolName}".serviceConfig.ReadWritePaths = [ "/etc/icingaweb2" ]; systemd.services."phpfpm-${poolName}".serviceConfig.ReadWritePaths = [ "/etc/icingaweb2" ];
@ -206,7 +207,7 @@ in {
include ${config.services.nginx.package}/conf/fastcgi.conf; include ${config.services.nginx.package}/conf/fastcgi.conf;
try_files $uri =404; try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${phpfpmSocketName}; fastcgi_pass unix:${fpm.socket};
fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php; fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php;
''; '';
}; };

37
nixos/modules/services/web-apps/limesurvey.nix
View File

@ -120,15 +120,15 @@ in
}; };
poolConfig = mkOption { poolConfig = mkOption {
type = types.lines; type = with types; attrsOf (oneOf [ str int bool ]);
default = '' default = {
pm = dynamic "pm" = "dynamic";
pm.max_children = 32 "pm.max_children" = 32;
pm.start_servers = 2 "pm.start_servers" = 2;
pm.min_spare_servers = 2 "pm.min_spare_servers" = 2;
pm.max_spare_servers = 4 "pm.max_spare_servers" = 4;
pm.max_requests = 500 "pm.max_requests" = 500;
''; };
description = '' description = ''
Options for the LimeSurvey PHP pool. See the documentation on <literal>php-fpm.conf</literal> Options for the LimeSurvey PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives. for details on configuration directives.
@ -203,17 +203,12 @@ in
}; };
services.phpfpm.pools.limesurvey = { services.phpfpm.pools.limesurvey = {
listen = "/run/phpfpm/limesurvey.sock"; inherit user group;
extraConfig = '' phpEnv.LIMESURVEY_CONFIG = "${limesurveyConfig}";
listen.owner = ${config.services.httpd.user}; settings = {
listen.group = ${config.services.httpd.group}; "listen.owner" = config.services.httpd.user;
user = ${user}; "listen.group" = config.services.httpd.group;
group = ${group}; } // cfg.poolConfig;
env[LIMESURVEY_CONFIG] = ${limesurveyConfig}
${cfg.poolConfig}
'';
}; };
services.httpd = { services.httpd = {
@ -241,7 +236,7 @@ in
<Directory "${pkg}/share/limesurvey"> <Directory "${pkg}/share/limesurvey">
<FilesMatch "\.php$"> <FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}"> <If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:${fpm.listen}|fcgi://localhost/" SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
</If> </If>
</FilesMatch> </FilesMatch>

10
nixos/modules/services/web-apps/matomo.nix
View File

@ -176,7 +176,7 @@ in {
# Use User-Private Group scheme to protect Matomo data, but allow administration / backup via 'matomo' group # Use User-Private Group scheme to protect Matomo data, but allow administration / backup via 'matomo' group
# Copy config folder # Copy config folder
chmod g+s "${dataDir}" chmod g+s "${dataDir}"
cp -r "${cfg.package}/config" "${dataDir}/" cp -r "${cfg.package}/share/config" "${dataDir}/"
chmod -R u+rwX,g+rwX,o-rwx "${dataDir}" chmod -R u+rwX,g+rwX,o-rwx "${dataDir}"
# check whether user setup has already been done # check whether user setup has already been done
@ -225,15 +225,16 @@ in {
serviceConfig.UMask = "0007"; serviceConfig.UMask = "0007";
}; };
services.phpfpm.poolConfigs = let services.phpfpm.pools = let
# workaround for when both are null and need to generate a string, # workaround for when both are null and need to generate a string,
# which is illegal, but as assertions apparently are being triggered *after* config generation, # which is illegal, but as assertions apparently are being triggered *after* config generation,
# we have to avoid already throwing errors at this previous stage. # we have to avoid already throwing errors at this previous stage.
socketOwner = if (cfg.nginx != null) then config.services.nginx.user socketOwner = if (cfg.nginx != null) then config.services.nginx.user
else if (cfg.webServerUser != null) then cfg.webServerUser else ""; else if (cfg.webServerUser != null) then cfg.webServerUser else "";
in { in {
${pool} = '' ${pool} = {
listen = "${phpSocket}" listen = phpSocket;
extraConfig = ''
listen.owner = ${socketOwner} listen.owner = ${socketOwner}
listen.group = root listen.group = root
listen.mode = 0600 listen.mode = 0600
@ -242,6 +243,7 @@ in {
${cfg.phpfpmProcessManagerConfig} ${cfg.phpfpmProcessManagerConfig}
''; '';
}; };
};
services.nginx.virtualHosts = mkIf (cfg.nginx != null) { services.nginx.virtualHosts = mkIf (cfg.nginx != null) {

39
nixos/modules/services/web-apps/mediawiki.nix
View File

@ -312,17 +312,17 @@ in
}; };
poolConfig = mkOption { poolConfig = mkOption {
type = types.lines; type = with types; attrsOf (oneOf [ str int bool ]);
default = '' default = {
pm = dynamic "pm" = "dynamic";
pm.max_children = 32 "pm.max_children" = 32;
pm.start_servers = 2 "pm.start_servers" = 2;
pm.min_spare_servers = 2 "pm.min_spare_servers" = 2;
pm.max_spare_servers = 4 "pm.max_spare_servers" = 4;
pm.max_requests = 500 "pm.max_requests" = 500;
''; };
description = '' description = ''
Options for MediaWiki's PHP pool. See the documentation on <literal>php-fpm.conf</literal> Options for the MediaWiki PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives. for details on configuration directives.
''; '';
}; };
@ -379,17 +379,12 @@ in
}; };
services.phpfpm.pools.mediawiki = { services.phpfpm.pools.mediawiki = {
listen = "/run/phpfpm/mediawiki.sock"; inherit user group;
extraConfig = '' phpEnv.MEDIAWIKI_CONFIG = "${mediawikiConfig}";
listen.owner = ${config.services.httpd.user} settings = {
listen.group = ${config.services.httpd.group} "listen.owner" = config.services.httpd.user;
user = ${user} "listen.group" = config.services.httpd.group;
group = ${group} } // cfg.poolConfig;
env[MEDIAWIKI_CONFIG] = ${mediawikiConfig}
${cfg.poolConfig}
'';
}; };
services.httpd = { services.httpd = {
@ -403,7 +398,7 @@ in
<Directory "${pkg}/share/mediawiki"> <Directory "${pkg}/share/mediawiki">
<FilesMatch "\.php$"> <FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}"> <If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:${fpm.listen}|fcgi://localhost/" SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
</If> </If>
</FilesMatch> </FilesMatch>

300
nixos/modules/services/web-apps/moodle.nix Normal file
View File

@ -0,0 +1,300 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types;
inherit (lib) concatStringsSep literalExample mapAttrsToList optional optionalString;
cfg = config.services.moodle;
fpm = config.services.phpfpm.pools.moodle;
user = "moodle";
group = config.services.httpd.group;
stateDir = "/var/lib/moodle";
moodleConfig = pkgs.writeText "config.php" ''
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = '${ { "mysql" = "mariadb"; "pgsql" = "pgsql"; }.${cfg.database.type} }';
$CFG->dblibrary = 'native';
$CFG->dbhost = '${cfg.database.host}';
$CFG->dbname = '${cfg.database.name}';
$CFG->dbuser = '${cfg.database.user}';
${optionalString (cfg.database.passwordFile != null) "$CFG->dbpass = file_get_contents('${cfg.database.passwordFile}');"}
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => '${toString cfg.database.port}',
${optionalString (cfg.database.socket != null) "'dbsocket' => '${cfg.database.socket}',"}
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = '${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}';
$CFG->dataroot = '${stateDir}';
$CFG->admin = 'admin';
$CFG->directorypermissions = 02777;
$CFG->disableupdateautodeploy = true;
$CFG->pathtogs = '${pkgs.ghostscript}/bin/gs';
$CFG->pathtophp = '${pkgs.php}/bin/php';
$CFG->pathtodu = '${pkgs.coreutils}/bin/du';
$CFG->aspellpath = '${pkgs.aspell}/bin/aspell';
$CFG->pathtodot = '${pkgs.graphviz}/bin/dot';
require_once('${cfg.package}/share/moodle/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
'';
mysqlLocal = cfg.database.createLocally && cfg.database.type == "mysql";
pgsqlLocal = cfg.database.createLocally && cfg.database.type == "pgsql";
in
{
# interface
options.services.moodle = {
enable = mkEnableOption "Moodle web application";
package = mkOption {
type = types.package;
default = pkgs.moodle;
defaultText = "pkgs.moodle";
description = "The Moodle package to use.";
};
initialPassword = mkOption {
type = types.str;
example = "correcthorsebatterystaple";
description = ''
Specifies the initial password for the admin, i.e. the password assigned if the user does not already exist.
The password specified here is world-readable in the Nix store, so it should be changed promptly.
'';
};
database = {
type = mkOption {
type = types.enum [ "mysql" "pgsql" ];
default = "mysql";
description = ''Database engine to use.'';
};
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.int;
description = "Database host port.";
default = {
"mysql" = 3306;
"pgsql" = 5432;
}.${cfg.database.type};
defaultText = "3306";
};
name = mkOption {
type = types.str;
default = "moodle";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = "moodle";
description = "Database user.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/moodle-dbpassword";
description = ''
A file containing the password corresponding to
<option>database.user</option>.
'';
};
socket = mkOption {
type = types.nullOr types.path;
default =
if mysqlLocal then "/run/mysqld/mysqld.sock"
else if pgsqlLocal then "/run/postgresql"
else null;
defaultText = "/run/mysqld/mysqld.sock";
description = "Path to the unix socket file to use for authentication.";
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
virtualHost = mkOption {
type = types.submodule ({
options = import ../web-servers/apache-httpd/per-server-options.nix {
inherit lib;
forMainServer = false;
};
});
example = {
hostName = "moodle.example.org";
enableSSL = true;
adminAddr = "webmaster@example.org";
sslServerCert = "/var/lib/acme/moodle.example.org/full.pem";
sslServerKey = "/var/lib/acme/moodle.example.org/key.pem";
};
description = ''
Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>.
See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
'';
};
poolConfig = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the Moodle PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
};
};
# implementation
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
message = "services.moodle.database.user must be set to ${user} if services.moodle.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = "a password cannot be specified if services.moodle.database.createLocally is set to true";
}
];
services.mysql = mkIf mysqlLocal {
enable = true;
package = mkDefault pkgs.mariadb;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = {
"${cfg.database.name}.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, ALTER";
};
}
];
};
services.postgresql = mkIf pgsqlLocal {
enable = true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
}
];
};
services.phpfpm.pools.moodle = {
inherit user group;
phpEnv.MOODLE_CONFIG = "${moodleConfig}";
phpOptions = ''
zend_extension = opcache.so
opcache.enable = 1
'';
settings = {
"listen.owner" = config.services.httpd.user;
"listen.group" = config.services.httpd.group;
} // cfg.poolConfig;
};
services.httpd = {
enable = true;
adminAddr = mkDefault cfg.virtualHost.adminAddr;
extraModules = [ "proxy_fcgi" ];
virtualHosts = [ (mkMerge [
cfg.virtualHost {
documentRoot = mkForce "${cfg.package}/share/moodle";
extraConfig = ''
<Directory "${cfg.package}/share/moodle">
<FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
</If>
</FilesMatch>
Options -Indexes
DirectoryIndex index.php
</Directory>
'';
}
]) ];
};
systemd.tmpfiles.rules = [
"d '${stateDir}' 0750 ${user} ${group} - -"
];
systemd.services.moodle-init = {
wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-moodle.service" ];
after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
environment.MOODLE_CONFIG = moodleConfig;
script = ''
${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/check_database_schema.php && rc=$? || rc=$?
[ "$rc" == 1 ] && ${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/upgrade.php \
--non-interactive \
--allow-unstable
[ "$rc" == 2 ] && ${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/install_database.php \
--agree-license \
--adminpass=${cfg.initialPassword}
true
'';
serviceConfig = {
User = user;
Group = group;
Type = "oneshot";
};
};
systemd.services.moodle-cron = {
description = "Moodle cron service";
after = [ "moodle-init.service" ];
environment.MOODLE_CONFIG = moodleConfig;
serviceConfig = {
User = user;
Group = group;
ExecStart = "${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/cron.php";
};
};
systemd.timers.moodle-cron = {
description = "Moodle cron timer";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "minutely";
};
};
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
users.users."${user}".group = group;
};
}

34
nixos/modules/services/web-apps/nextcloud.nix
View File

@ -4,6 +4,7 @@ with lib;
let let
cfg = config.services.nextcloud; cfg = config.services.nextcloud;
fpm = config.services.phpfpm.pools.nextcloud;
phpPackage = pkgs.php73; phpPackage = pkgs.php73;
phpPackages = pkgs.php73Packages; phpPackages = pkgs.php73Packages;
@ -410,25 +411,20 @@ in {
}; };
services.phpfpm = { services.phpfpm = {
pools.nextcloud = let pools.nextcloud = {
phpAdminValues = (toKeyValue user = "nextcloud";
(foldr (a: b: a // b) {} group = "nginx";
(mapAttrsToList (k: v: { "php_admin_value[${k}]" = v; }) phpOptions = phpOptionsExtensions + phpOptionsStr;
phpOptions)));
in {
phpOptions = phpOptionsExtensions;
phpPackage = phpPackage; phpPackage = phpPackage;
listen = "/run/phpfpm/nextcloud"; phpEnv = {
extraConfig = '' NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
listen.owner = nginx PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
listen.group = nginx };
user = nextcloud settings = mapAttrs (name: mkDefault) {
group = nginx "listen.owner" = "nginx";
${cfg.poolConfig} "listen.group" = "nginx";
env[NEXTCLOUD_CONFIG_DIR] = ${cfg.home}/config };
env[PATH] = /run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin extraConfig = cfg.poolConfig;
${phpAdminValues}
'';
}; };
}; };
@ -489,7 +485,7 @@ in {
fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
fastcgi_param modHeadersAvailable true; fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true; fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/phpfpm/nextcloud; fastcgi_pass unix:${fpm.socket};
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_request_buffering off; fastcgi_request_buffering off;
fastcgi_read_timeout 120s; fastcgi_read_timeout 120s;

35
nixos/modules/services/web-apps/restya-board.nix
View File

@ -9,11 +9,11 @@ with lib;
let let
cfg = config.services.restya-board; cfg = config.services.restya-board;
fpm = config.services.phpfpm.pools.${poolName};
runDir = "/run/restya-board"; runDir = "/run/restya-board";
poolName = "restya-board"; poolName = "restya-board";
phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
in in
@ -179,8 +179,9 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.phpfpm.pools = { services.phpfpm.pools = {
${poolName} = { "${poolName}" = {
listen = phpfpmSocketName; inherit (cfg) user group;
phpOptions = '' phpOptions = ''
date.timezone = "CET" date.timezone = "CET"
@ -191,20 +192,18 @@ in
auth_password = ${cfg.email.password} auth_password = ${cfg.email.password}
''} ''}
''; '';
extraConfig = '' settings = mapAttrs (name: mkDefault) {
listen.owner = nginx "listen.owner" = "nginx";
listen.group = nginx "listen.group" = "nginx";
listen.mode = 0600 "listen.mode" = "0600";
user = ${cfg.user} "pm" = "dynamic";
group = ${cfg.group} "pm.max_children" = 75;
pm = dynamic "pm.start_servers" = 10;
pm.max_children = 75 "pm.min_spare_servers" = 5;
pm.start_servers = 10 "pm.max_spare_servers" = 20;
pm.min_spare_servers = 5 "pm.max_requests" = 500;
pm.max_spare_servers = 20 "catch_workers_output" = 1;
pm.max_requests = 500 };
catch_workers_output = 1
'';
}; };
}; };
@ -241,7 +240,7 @@ in
tryFiles = "$uri =404"; tryFiles = "$uri =404";
extraConfig = '' extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${phpfpmSocketName}; fastcgi_pass unix:${fpm.socket};
fastcgi_index index.php; fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PHP_VALUE "upload_max_filesize=9G \n post_max_size=9G \n max_execution_time=200 \n max_input_time=200 \n memory_limit=256M"; fastcgi_param PHP_VALUE "upload_max_filesize=9G \n post_max_size=9G \n max_execution_time=200 \n max_input_time=200 \n memory_limit=256M";

33
nixos/modules/services/web-apps/selfoss.nix
View File

@ -4,7 +4,6 @@ let
cfg = config.services.selfoss; cfg = config.services.selfoss;
poolName = "selfoss_pool"; poolName = "selfoss_pool";
phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
dataDir = "/var/lib/selfoss"; dataDir = "/var/lib/selfoss";
@ -115,22 +114,22 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") { "${poolName}" = {
${poolName} = '' user = "nginx";
listen = "${phpfpmSocketName}"; settings = mapAttrs (name: mkDefault) {
listen.owner = nginx "listen.owner" = "nginx";
listen.group = nginx "listen.group" = "nginx";
listen.mode = 0600 "listen.mode" = "0600";
user = nginx "pm" = "dynamic";
pm = dynamic "pm.max_children" = 75;
pm.max_children = 75 "pm.start_servers" = 10;
pm.start_servers = 10 "pm.min_spare_servers" = 5;
pm.min_spare_servers = 5 "pm.max_spare_servers" = 20;
pm.max_spare_servers = 20 "pm.max_requests" = 500;
pm.max_requests = 500 "catch_workers_output" = 1;
catch_workers_output = 1 };
''; };
}; };
systemd.services.selfoss-config = { systemd.services.selfoss-config = {

31
nixos/modules/services/web-apps/tt-rss.nix
View File

@ -520,21 +520,20 @@ let
]; ];
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
${poolName} = { "${poolName}" = {
listen = "/var/run/phpfpm/${poolName}.sock"; inherit (cfg) user;
extraConfig = '' settings = mapAttrs (name: mkDefault) {
listen.owner = nginx "listen.owner" = "nginx";
listen.group = nginx "listen.group" = "nginx";
listen.mode = 0600 "listen.mode" = "0600";
user = ${cfg.user} "pm" = "dynamic";
pm = dynamic "pm.max_children" = 75;
pm.max_children = 75 "pm.start_servers" = 10;
pm.start_servers = 10 "pm.min_spare_servers" = 5;
pm.min_spare_servers = 5 "pm.max_spare_servers" = 20;
pm.max_spare_servers = 20 "pm.max_requests" = 500;
pm.max_requests = 500 "catch_workers_output" = 1;
catch_workers_output = 1 };
'';
}; };
}; };
@ -552,7 +551,7 @@ let
locations."~ \.php$" = { locations."~ \.php$" = {
extraConfig = '' extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen}; fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.socket};
fastcgi_index index.php; fastcgi_index index.php;
''; '';
}; };

34
nixos/modules/services/web-apps/wordpress.nix
View File

@ -216,15 +216,15 @@ let
}; };
poolConfig = mkOption { poolConfig = mkOption {
type = types.lines; type = with types; attrsOf (oneOf [ str int bool ]);
default = '' default = {
pm = dynamic "pm" = "dynamic";
pm.max_children = 32 "pm.max_children" = 32;
pm.start_servers = 2 "pm.start_servers" = 2;
pm.min_spare_servers = 2 "pm.min_spare_servers" = 2;
pm.max_spare_servers = 4 "pm.max_spare_servers" = 4;
pm.max_requests = 500 "pm.max_requests" = 500;
''; };
description = '' description = ''
Options for the WordPress PHP pool. See the documentation on <literal>php-fpm.conf</literal> Options for the WordPress PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives. for details on configuration directives.
@ -280,15 +280,11 @@ in
services.phpfpm.pools = mapAttrs' (hostName: cfg: ( services.phpfpm.pools = mapAttrs' (hostName: cfg: (
nameValuePair "wordpress-${hostName}" { nameValuePair "wordpress-${hostName}" {
listen = "/run/phpfpm/wordpress-${hostName}.sock"; inherit user group;
extraConfig = '' settings = {
listen.owner = ${config.services.httpd.user} "listen.owner" = config.services.httpd.user;
listen.group = ${config.services.httpd.group} "listen.group" = config.services.httpd.group;
user = ${user} } // cfg.poolConfig;
group = ${group}
${cfg.poolConfig}
'';
} }
)) eachSite; )) eachSite;
@ -303,7 +299,7 @@ in
<Directory "${pkg hostName cfg}/share/wordpress"> <Directory "${pkg hostName cfg}/share/wordpress">
<FilesMatch "\.php$"> <FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}"> <If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/run/phpfpm/wordpress-${hostName}.sock|fcgi://localhost/" SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/"
</If> </If>
</FilesMatch> </FilesMatch>

34
nixos/modules/services/web-apps/zabbix.nix
View File

@ -133,15 +133,15 @@ in
}; };
poolConfig = mkOption { poolConfig = mkOption {
type = types.lines; type = with types; attrsOf (oneOf [ str int bool ]);
default = '' default = {
pm = dynamic "pm" = "dynamic";
pm.max_children = 32 "pm.max_children" = 32;
pm.start_servers = 2 "pm.start_servers" = 2;
pm.min_spare_servers = 2 "pm.min_spare_servers" = 2;
pm.max_spare_servers = 4 "pm.max_spare_servers" = 4;
pm.max_requests = 500 "pm.max_requests" = 500;
''; };
description = '' description = ''
Options for the Zabbix PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives. Options for the Zabbix PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
''; '';
@ -160,6 +160,8 @@ in
]; ];
services.phpfpm.pools.zabbix = { services.phpfpm.pools.zabbix = {
inherit user;
group = config.services.httpd.group;
phpOptions = '' phpOptions = ''
# https://www.zabbix.com/documentation/current/manual/installation/install # https://www.zabbix.com/documentation/current/manual/installation/install
memory_limit = 128M memory_limit = 128M
@ -177,15 +179,11 @@ in
'' + optionalString (cfg.database.type == "oracle") '' '' + optionalString (cfg.database.type == "oracle") ''
extension=${pkgs.phpPackages.oci8}/lib/php/extensions/oci8.so extension=${pkgs.phpPackages.oci8}/lib/php/extensions/oci8.so
''; '';
listen = "/run/phpfpm/zabbix.sock"; phpEnv.ZABBIX_CONFIG = zabbixConfig;
extraConfig = '' settings = {
listen.owner = ${config.services.httpd.user}; "listen.owner" = config.services.httpd.user;
listen.group = ${config.services.httpd.group}; "listen.group" = config.services.httpd.group;
user = ${user}; } // cfg.poolConfig;
group = ${config.services.httpd.group};
env[ZABBIX_CONFIG] = ${zabbixConfig}
${cfg.poolConfig}
'';
}; };
services.httpd = { services.httpd = {

2
nixos/modules/services/web-servers/caddy.nix
View File

@ -70,7 +70,7 @@ in {
{ CADDYPATH = cfg.dataDir; }; { CADDYPATH = cfg.dataDir; };
serviceConfig = { serviceConfig = {
ExecStart = '' ExecStart = ''
${cfg.package.bin}/bin/caddy -root=/var/tmp -conf=${configFile} \ ${cfg.package}/bin/caddy -root=/var/tmp -conf=${configFile} \
-ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"} -ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
''; '';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

77
nixos/modules/services/web-servers/darkhttpd.nix Normal file
View File

@ -0,0 +1,77 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.darkhttpd;
args = concatStringsSep " " ([
cfg.rootDir
"--port ${toString cfg.port}"
"--addr ${cfg.address}"
] ++ cfg.extraArgs
++ optional cfg.hideServerId "--no-server-id"
++ optional config.networking.enableIPv6 "--ipv6");
in {
options.services.darkhttpd = with types; {
enable = mkEnableOption "DarkHTTPd web server";
port = mkOption {
default = 80;
type = ints.u16;
description = ''
Port to listen on.
Pass 0 to let the system choose any free port for you.
'';
};
address = mkOption {
default = "127.0.0.1";
type = str;
description = ''
Address to listen on.
Pass `all` to listen on all interfaces.
'';
};
rootDir = mkOption {
type = path;
description = ''
Path from which to serve files.
'';
};
hideServerId = mkOption {
type = bool;
default = true;
description = ''
Don't identify the server type in headers or directory listings.
'';
};
extraArgs = mkOption {
type = listOf str;
default = [];
description = ''
Additional configuration passed to the executable.
'';
};
};
config = mkIf cfg.enable {
systemd.services.darkhttpd = {
description = "Dark HTTPd";
wants = [ "network.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
ExecStart = "${cfg.package}/bin/darkhttpd ${args}";
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
Restart = "on-failure";
RestartSec = "2s";
};
};
};
}

33
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -162,6 +162,10 @@ let
${cfg.appendConfig} ${cfg.appendConfig}
''; '';
configPath = if cfg.enableReload
then "/etc/nginx/nginx.conf"
else configFile;
vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
let let
onlySSL = vhost.onlySSL || vhost.enableSSL; onlySSL = vhost.onlySSL || vhost.enableSSL;
@ -431,6 +435,16 @@ in
"; ";
}; };
enableReload = mkOption {
default = false;
type = types.bool;
description = ''
Reload nginx when configuration file changes (instead of restart).
The configuration file is exposed at <filename>/etc/nginx/nginx.conf</filename>.
See also <literal>systemd.services.*.restartIfChanged</literal>.
'';
};
stateDir = mkOption { stateDir = mkOption {
default = "/var/spool/nginx"; default = "/var/spool/nginx";
description = " description = "
@ -638,10 +652,10 @@ in
preStart = preStart =
'' ''
${cfg.preStart} ${cfg.preStart}
${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir} -t ${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir} -t
''; '';
serviceConfig = { serviceConfig = {
ExecStart = "${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir}"; ExecStart = "${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always"; Restart = "always";
RestartSec = "10s"; RestartSec = "10s";
@ -649,6 +663,21 @@ in
}; };
}; };
environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload {
source = configFile;
};
systemd.services.nginx-config-reload = mkIf cfg.enableReload {
wantedBy = [ "nginx.service" ];
restartTriggers = [ configFile ];
script = ''
if ${pkgs.systemd}/bin/systemctl -q is-active nginx.service ; then
${pkgs.systemd}/bin/systemctl reload nginx.service
fi
'';
serviceConfig.RemainAfterExit = true;
};
security.acme.certs = filterAttrs (n: v: v != {}) ( security.acme.certs = filterAttrs (n: v: v != {}) (
let let
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts; vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;

252
nixos/modules/services/web-servers/phpfpm/default.nix
View File

@ -4,41 +4,27 @@ with lib;
let let
cfg = config.services.phpfpm; cfg = config.services.phpfpm;
enabled = cfg.poolConfigs != {} || cfg.pools != {};
stateDir = "/run/phpfpm"; runtimeDir = "/run/phpfpm";
poolConfigs = toStr = value:
(mapAttrs mapPoolConfig cfg.poolConfigs) // if true == value then "yes"
(mapAttrs mapPool cfg.pools); else if false == value then "no"
else toString value;
mapPoolConfig = n: p: { fpmCfgFile = pool: poolOpts: pkgs.writeText "phpfpm-${pool}.conf" ''
phpPackage = cfg.phpPackage;
phpOptions = cfg.phpOptions;
config = p;
};
mapPool = n: p: {
phpPackage = p.phpPackage;
phpOptions = p.phpOptions;
config = ''
listen = ${p.listen}
${p.extraConfig}
'';
};
fpmCfgFile = pool: conf: pkgs.writeText "phpfpm-${pool}.conf" ''
[global] [global]
error_log = syslog ${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") cfg.settings)}
daemonize = no ${optionalString (cfg.extraConfig != null) cfg.extraConfig}
${cfg.extraConfig}
[${pool}] [${pool}]
${conf} ${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") poolOpts.settings)}
${concatStringsSep "\n" (mapAttrsToList (n: v: "env[${n}] = ${toStr v}") poolOpts.phpEnv)}
${optionalString (poolOpts.extraConfig != null) poolOpts.extraConfig}
''; '';
phpIni = pool: pkgs.runCommand "php.ini" { phpIni = poolOpts: pkgs.runCommand "php.ini" {
inherit (pool) phpPackage phpOptions; inherit (poolOpts) phpPackage phpOptions;
preferLocalBuild = true; preferLocalBuild = true;
nixDefaults = '' nixDefaults = ''
sendmail_path = "/run/wrappers/bin/sendmail -t -i" sendmail_path = "/run/wrappers/bin/sendmail -t -i"
@ -48,13 +34,138 @@ let
cat $phpPackage/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out cat $phpPackage/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out
''; '';
poolOpts = { name, ... }:
let
poolOpts = cfg.pools."${name}";
in
{
options = {
socket = mkOption {
type = types.str;
readOnly = true;
description = ''
Path to the unix socket file on which to accept FastCGI requests.
<note><para>This option is read-only and managed by NixOS.</para></note>
'';
};
listen = mkOption {
type = types.str;
default = "";
example = "/path/to/unix/socket";
description = ''
The address on which to accept FastCGI requests.
'';
};
phpPackage = mkOption {
type = types.package;
default = cfg.phpPackage;
defaultText = "config.services.phpfpm.phpPackage";
description = ''
The PHP package to use for running this PHP-FPM pool.
'';
};
phpOptions = mkOption {
type = types.lines;
default = cfg.phpOptions;
defaultText = "config.services.phpfpm.phpOptions";
description = ''
"Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
'';
};
phpEnv = lib.mkOption {
type = with types; attrsOf str;
default = {};
description = ''
Environment variables used for this PHP-FPM pool.
'';
example = literalExample ''
{
HOSTNAME = "$HOSTNAME";
TMP = "/tmp";
TMPDIR = "/tmp";
TEMP = "/tmp";
}
'';
};
user = mkOption {
type = types.str;
description = "User account under which this pool runs.";
};
group = mkOption {
type = types.str;
description = "Group account under which this pool runs.";
};
settings = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {};
description = ''
PHP-FPM pool directives. Refer to the "List of pool directives" section of
<link xlink:href="https://www.php.net/manual/en/install.fpm.configuration.php"/>
for details. Note that settings names must be enclosed in quotes (e.g.
<literal>"pm.max_children"</literal> instead of <literal>pm.max_children</literal>).
'';
example = literalExample ''
{
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
}
'';
};
extraConfig = mkOption {
type = with types; nullOr lines;
default = null;
description = ''
Extra lines that go into the pool configuration.
See the documentation on <literal>php-fpm.conf</literal> for
details on configuration directives.
'';
};
};
config = {
socket = if poolOpts.listen == "" then "${runtimeDir}/${name}.sock" else poolOpts.listen;
group = mkDefault poolOpts.user;
settings = mapAttrs (name: mkDefault){
listen = poolOpts.socket;
user = poolOpts.user;
group = poolOpts.group;
};
};
};
in { in {
options = { options = {
services.phpfpm = { services.phpfpm = {
settings = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {};
description = ''
PHP-FPM global directives. Refer to the "List of global php-fpm.conf directives" section of
<link xlink:href="https://www.php.net/manual/en/install.fpm.configuration.php"/>
for details. Note that settings names must be enclosed in quotes (e.g.
<literal>"pm.max_children"</literal> instead of <literal>pm.max_children</literal>).
You need not specify the options <literal>error_log</literal> or
<literal>daemonize</literal> here, since they are generated by NixOS.
'';
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = with types; nullOr lines;
default = ""; default = null;
description = '' description = ''
Extra configuration that should be put in the global section of Extra configuration that should be put in the global section of
the PHP-FPM configuration file. Do not specify the options the PHP-FPM configuration file. Do not specify the options
@ -80,64 +191,56 @@ in {
'' ''
date.timezone = "CET" date.timezone = "CET"
''; '';
description =
"Options appended to the PHP configuration file <filename>php.ini</filename>.";
};
poolConfigs = mkOption {
default = {};
type = types.attrsOf types.lines;
example = literalExample ''
{ mypool = '''
listen = /run/phpfpm/mypool
user = nobody
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
''';
}
'';
description = '' description = ''
A mapping between PHP-FPM pool names and their configurations. Options appended to the PHP configuration file <filename>php.ini</filename>.
See the documentation on <literal>php-fpm.conf</literal> for
details on configuration directives. If no pools are defined,
the phpfpm service is disabled.
''; '';
}; };
pools = mkOption { pools = mkOption {
type = types.attrsOf (types.submodule (import ./pool-options.nix { type = types.attrsOf (types.submodule poolOpts);
inherit lib config;
}));
default = {}; default = {};
example = literalExample '' example = literalExample ''
{ {
mypool = { mypool = {
listen = "/path/to/unix/socket"; user = "php";
group = "php";
phpPackage = pkgs.php; phpPackage = pkgs.php;
extraConfig = ''' settings = '''
user = nobody "pm" = "dynamic";
pm = dynamic "pm.max_children" = 75;
pm.max_children = 75 "pm.start_servers" = 10;
pm.start_servers = 10 "pm.min_spare_servers" = 5;
pm.min_spare_servers = 5 "pm.max_spare_servers" = 20;
pm.max_spare_servers = 20 "pm.max_requests" = 500;
pm.max_requests = 500
'''; ''';
} }
}''; }'';
description = '' description = ''
PHP-FPM pools. If no pools or poolConfigs are defined, the PHP-FPM PHP-FPM pools. If no pools are defined, the PHP-FPM
service is disabled. service is disabled.
''; '';
}; };
}; };
}; };
config = mkIf enabled { config = mkIf (cfg.pools != {}) {
warnings =
mapAttrsToList (pool: poolOpts: ''
Using config.services.phpfpm.pools.${pool}.listen is deprecated and will become unsupported in a future release. Please reference the read-only option config.services.phpfpm.pools.${pool}.socket to access the path of your socket.
'') (filterAttrs (pool: poolOpts: poolOpts.listen != "") cfg.pools) ++
mapAttrsToList (pool: poolOpts: ''
Using config.services.phpfpm.pools.${pool}.extraConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.phpfpm.pools.${pool}.settings.
'') (filterAttrs (pool: poolOpts: poolOpts.extraConfig != null) cfg.pools) ++
optional (cfg.extraConfig != null) ''
Using config.services.phpfpm.extraConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.phpfpm.settings.
''
;
services.phpfpm.settings = {
error_log = "syslog";
daemonize = false;
};
systemd.slices.phpfpm = { systemd.slices.phpfpm = {
description = "PHP FastCGI Process manager pools slice"; description = "PHP FastCGI Process manager pools slice";
@ -148,18 +251,15 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig: systemd.services = mapAttrs' (pool: poolOpts:
nameValuePair "phpfpm-${pool}" { nameValuePair "phpfpm-${pool}" {
description = "PHP FastCGI Process Manager service for pool ${pool}"; description = "PHP FastCGI Process Manager service for pool ${pool}";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "phpfpm.target" ]; wantedBy = [ "phpfpm.target" ];
partOf = [ "phpfpm.target" ]; partOf = [ "phpfpm.target" ];
preStart = ''
mkdir -p ${stateDir}
'';
serviceConfig = let serviceConfig = let
cfgFile = fpmCfgFile pool poolConfig.config; cfgFile = fpmCfgFile pool poolOpts;
iniFile = phpIni poolConfig; iniFile = phpIni poolOpts;
in { in {
Slice = "phpfpm.slice"; Slice = "phpfpm.slice";
PrivateDevices = true; PrivateDevices = true;
@ -168,10 +268,12 @@ in {
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
Type = "notify"; Type = "notify";
ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}"; ExecStart = "${poolOpts.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
RuntimeDirectory = "phpfpm";
RuntimeDirectoryPreserve = true; # Relevant when multiple processes are running
}; };
} }
); ) cfg.pools;
}; };
} }

57
nixos/modules/services/web-servers/phpfpm/pool-options.nix
View File

@ -1,57 +0,0 @@
{ lib, config }:
let
fpmCfg = config.services.phpfpm;
in
with lib; {
options = {
listen = mkOption {
type = types.str;
example = "/path/to/unix/socket";
description = ''
The address on which to accept FastCGI requests.
'';
};
phpPackage = mkOption {
type = types.package;
default = fpmCfg.phpPackage;
defaultText = "config.services.phpfpm.phpPackage";
description = ''
The PHP package to use for running this PHP-FPM pool.
'';
};
phpOptions = mkOption {
type = types.lines;
default = fpmCfg.phpOptions;
defaultText = "config.services.phpfpm.phpOptions";
description = ''
"Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
'';
};
extraConfig = mkOption {
type = types.lines;
example = ''
user = nobody
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
'';
description = ''
Extra lines that go into the pool configuration.
See the documentation on <literal>php-fpm.conf</literal> for
details on configuration directives.
'';
};
};
}

258
nixos/modules/services/x11/desktop-managers/gnome3.nix
View File

@ -3,7 +3,9 @@
with lib; with lib;
let let
cfg = config.services.xserver.desktopManager.gnome3; cfg = config.services.xserver.desktopManager.gnome3;
serviceCfg = config.services.gnome3;
# Prioritize nautilus by default when opening directories # Prioritize nautilus by default when opening directories
mimeAppsList = pkgs.writeTextFile { mimeAppsList = pkgs.writeTextFile {
@ -29,10 +31,10 @@ let
chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides
cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF
[org.gnome.desktop.background] [org.gnome.desktop.background]
picture-uri='${pkgs.nixos-artwork.wallpapers.simple-dark-gray}/share/artwork/gnome/nix-wallpaper-simple-dark-gray.png' picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray}/share/artwork/gnome/nix-wallpaper-simple-dark-gray.png'
[org.gnome.desktop.screensaver] [org.gnome.desktop.screensaver]
picture-uri='${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom}/share/artwork/gnome/nix-wallpaper-simple-dark-gray_bottom.png' picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom}/share/artwork/gnome/nix-wallpaper-simple-dark-gray_bottom.png'
[org.gnome.shell] [org.gnome.shell]
favorite-apps=[ 'org.gnome.Epiphany.desktop', 'evolution.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop' ] favorite-apps=[ 'org.gnome.Epiphany.desktop', 'evolution.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop' ]
@ -45,10 +47,19 @@ let
flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0; flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0;
in { in
{
options = { options = {
services.gnome3 = {
core-os-services.enable = mkEnableOption "essential services for GNOME3";
core-shell.enable = mkEnableOption "GNOME Shell services";
core-utilities.enable = mkEnableOption "GNOME core utilities";
games.enable = mkEnableOption "GNOME games";
};
services.xserver.desktopManager.gnome3 = { services.xserver.desktopManager.gnome3 = {
enable = mkOption { enable = mkOption {
default = false; default = false;
@ -121,69 +132,13 @@ in {
}; };
config = mkIf cfg.enable { config = mkMerge [
(mkIf (cfg.enable || flashbackEnabled) {
services.gnome3.core-os-services.enable = true;
services.gnome3.core-shell.enable = true;
services.gnome3.core-utilities.enable = mkDefault true;
# Enable helpful DBus services. services.xserver.displayManager.extraSessionFilePackages = [ pkgs.gnome3.gnome-session ];
security.polkit.enable = true;
services.udisks2.enable = true;
services.accounts-daemon.enable = true;
services.dleyna-renderer.enable = mkDefault true;
services.dleyna-server.enable = mkDefault true;
services.gnome3.at-spi2-core.enable = true;
services.gnome3.evolution-data-server.enable = true;
services.gnome3.glib-networking.enable = true;
services.gnome3.gnome-keyring.enable = true;
services.gnome3.gnome-online-accounts.enable = mkDefault true;
services.gnome3.gnome-remote-desktop.enable = mkDefault true;
services.gnome3.gnome-settings-daemon.enable = true;
services.gnome3.gnome-terminal-server.enable = mkDefault true;
services.gnome3.gnome-user-share.enable = mkDefault true;
services.gnome3.gvfs.enable = true;
services.gnome3.rygel.enable = mkDefault true;
services.gnome3.seahorse.enable = mkDefault true;
services.gnome3.sushi.enable = mkDefault true;
services.gnome3.tracker.enable = mkDefault true;
services.gnome3.tracker-miners.enable = mkDefault true;
hardware.pulseaudio.enable = mkDefault true;
services.telepathy.enable = mkDefault true;
networking.networkmanager.enable = mkDefault true;
services.upower.enable = config.powerManagement.enable;
services.dbus.packages =
optional config.services.printing.enable pkgs.system-config-printer ++
optional flashbackEnabled pkgs.gnome3.gnome-screensaver;
services.colord.enable = mkDefault true;
services.packagekit.enable = mkDefault true;
hardware.bluetooth.enable = mkDefault true;
services.hardware.bolt.enable = mkDefault true;
services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
systemd.packages = [ pkgs.gnome3.vino ];
xdg.portal.enable = true;
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
# Enable default programs
programs.evince.enable = mkDefault true;
programs.file-roller.enable = mkDefault true;
programs.gnome-disks.enable = mkDefault true;
programs.gnome-documents.enable = mkDefault true;
# If gnome3 is installed, build vim for gtk3 too.
nixpkgs.config.vim.gui = "gtk3";
fonts.fonts = [
pkgs.dejavu_fonts pkgs.cantarell-fonts
pkgs.source-sans-pro
pkgs.source-code-pro # Default monospace font in 3.32
];
services.xserver.displayManager.extraSessionFilePackages = [ pkgs.gnome3.gnome-session ]
++ map
(wm: pkgs.gnome3.gnome-flashback.mkSessionForWm {
inherit (wm) wmName wmLabel wmCommand;
}) (optional cfg.flashback.enableMetacity {
wmName = "metacity";
wmLabel = "Metacity";
wmCommand = "${pkgs.gnome3.metacity}/bin/metacity";
} ++ cfg.flashback.customSessions);
environment.extraInit = '' environment.extraInit = ''
${concatMapStrings (p: '' ${concatMapStrings (p: ''
@ -198,16 +153,99 @@ in {
'') cfg.sessionPath} '') cfg.sessionPath}
''; '';
environment.systemPackages = cfg.sessionPath;
environment.variables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1";
# Override GSettings schemas
environment.variables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas";
# If gnome3 is installed, build vim for gtk3 too.
nixpkgs.config.vim.gui = "gtk3";
})
(mkIf flashbackEnabled {
services.xserver.displayManager.extraSessionFilePackages = map
(wm: pkgs.gnome3.gnome-flashback.mkSessionForWm {
inherit (wm) wmName wmLabel wmCommand;
}) (optional cfg.flashback.enableMetacity {
wmName = "metacity";
wmLabel = "Metacity";
wmCommand = "${pkgs.gnome3.metacity}/bin/metacity";
} ++ cfg.flashback.customSessions);
security.pam.services.gnome-screensaver = {
enableGnomeKeyring = true;
};
services.dbus.packages = [
pkgs.gnome3.gnome-screensaver
];
})
(mkIf serviceCfg.core-os-services.enable {
hardware.bluetooth.enable = mkDefault true;
hardware.pulseaudio.enable = mkDefault true;
programs.dconf.enable = true;
security.polkit.enable = true;
services.accounts-daemon.enable = true;
services.dleyna-renderer.enable = mkDefault true;
services.dleyna-server.enable = mkDefault true;
services.gnome3.at-spi2-core.enable = true;
services.gnome3.evolution-data-server.enable = true;
services.gnome3.gnome-keyring.enable = true;
services.gnome3.gnome-online-accounts.enable = mkDefault true;
services.gnome3.gnome-online-miners.enable = true;
services.gnome3.tracker-miners.enable = mkDefault true;
services.gnome3.tracker.enable = mkDefault true;
services.hardware.bolt.enable = mkDefault true;
services.packagekit.enable = mkDefault true;
services.udisks2.enable = true;
services.upower.enable = config.powerManagement.enable;
services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
xdg.portal.enable = true;
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
networking.networkmanager.enable = mkDefault true;
# Use the correct gnome3 packageSet
networking.networkmanager.basePackages = {
inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc
networkmanager-openconnect networkmanager-fortisslvpn
networkmanager-iodine networkmanager-l2tp;
};
services.xserver.updateDbusEnvironment = true;
# Needed for themes and backgrounds
environment.pathsToLink = [
"/share" # TODO: https://github.com/NixOS/nixpkgs/issues/47173
];
})
(mkIf serviceCfg.core-shell.enable {
services.colord.enable = mkDefault true;
services.gnome3.glib-networking.enable = true;
services.gnome3.gnome-remote-desktop.enable = mkDefault true;
services.gnome3.gnome-settings-daemon.enable = true;
services.gnome3.gnome-user-share.enable = mkDefault true;
services.gnome3.rygel.enable = mkDefault true;
services.gvfs.enable = true;
services.telepathy.enable = mkDefault true;
systemd.packages = [ pkgs.gnome3.vino ];
services.dbus.packages =
optional config.services.printing.enable pkgs.system-config-printer;
services.geoclue2.enable = mkDefault true; services.geoclue2.enable = mkDefault true;
# GNOME should have its own geoclue agent services.geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent
services.geoclue2.enableDemoAgent = false;
services.geoclue2.appConfig.gnome-datetime-panel = { services.geoclue2.appConfig."gnome-datetime-panel" = {
isAllowed = true; isAllowed = true;
isSystem = true; isSystem = true;
}; };
services.geoclue2.appConfig.gnome-color-panel = { services.geoclue2.appConfig."gnome-color-panel" = {
isAllowed = true; isAllowed = true;
isSystem = true; isSystem = true;
}; };
@ -216,44 +254,72 @@ in {
isSystem = true; isSystem = true;
}; };
environment.variables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1"; fonts.fonts = with pkgs; [
cantarell-fonts
dejavu_fonts
source-code-pro # Default monospace font in 3.32
source-sans-pro
];
# Override default mimeapps environment.systemPackages = with pkgs.gnome3; [
environment.variables.XDG_DATA_DIRS = [ "${mimeAppsList}/share" ]; adwaita-icon-theme
gnome-backgrounds
gnome-bluetooth
gnome-control-center
gnome-getting-started-docs
gnome-shell
gnome-shell-extensions
gnome-themes-extra
gnome-user-docs
pkgs.glib # for gsettings
pkgs.gnome-menus
pkgs.gtk3.out # for gtk-launch
pkgs.hicolor-icon-theme
pkgs.shared-mime-info # for update-mime-database
pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/
vino
];
})
# Override GSettings schemas (mkIf serviceCfg.core-utilities.enable {
environment.variables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; environment.systemPackages = (with pkgs.gnome3; removePackagesByName [
baobab eog epiphany evince gucharmap nautilus totem yelp gnome-calculator
gnome-contacts gnome-font-viewer gnome-screenshot gnome-system-monitor simple-scan
gnome-terminal evolution file-roller gedit gnome-clocks gnome-music gnome-tweaks
pkgs.gnome-photos nautilus-sendto dconf-editor vinagre gnome-weather gnome-logs
gnome-maps gnome-characters gnome-calendar accerciser gnome-nettool gnome-packagekit
gnome-software gnome-power-manager gnome-todo pkgs.gnome-usage
] config.environment.gnome3.excludePackages);
# Enable default programs
programs.evince.enable = mkDefault true;
programs.file-roller.enable = mkDefault true;
programs.gnome-disks.enable = mkDefault true;
programs.gnome-documents.enable = mkDefault true;
programs.gnome-terminal.enable = mkDefault true;
services.gnome3.seahorse.enable = mkDefault true;
services.gnome3.sushi.enable = mkDefault true;
# Let nautilus find extensions # Let nautilus find extensions
# TODO: Create nautilus-with-extensions package # TODO: Create nautilus-with-extensions package
environment.variables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0"; environment.variables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0";
services.xserver.updateDbusEnvironment = true; # Override default mimeapps for nautilus
environment.variables.XDG_DATA_DIRS = [ "${mimeAppsList}/share" ];
environment.variables.GIO_EXTRA_MODULES = [ "${lib.getLib pkgs.gnome3.dconf}/lib/gio/modules"
"${pkgs.gnome3.gvfs}/lib/gio/modules" ];
environment.systemPackages = pkgs.gnome3.corePackages ++ cfg.sessionPath
++ (pkgs.gnome3.removePackagesByName pkgs.gnome3.optionalPackages config.environment.gnome3.excludePackages) ++ [
pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/
];
# Use the correct gnome3 packageSet
networking.networkmanager.basePackages =
{ inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc
networkmanager-openconnect networkmanager-fortisslvpn
networkmanager-iodine networkmanager-l2tp; };
# Needed for themes and backgrounds
environment.pathsToLink = [ environment.pathsToLink = [
"/share"
"/share/nautilus-python/extensions" "/share/nautilus-python/extensions"
]; ];
})
security.pam.services.gnome-screensaver = mkIf flashbackEnabled { (mkIf serviceCfg.games.enable {
enableGnomeKeyring = true; environment.systemPackages = (with pkgs.gnome3; removePackagesByName [
}; aisleriot atomix five-or-more four-in-a-row gnome-chess gnome-klotski
}; gnome-mahjongg gnome-mines gnome-nibbles gnome-robots gnome-sudoku
gnome-taquin gnome-tetravex hitori iagno lightsoff quadrapassel
swell-foop tali
] config.environment.gnome3.excludePackages);
})
];
} }

3
nixos/modules/services/x11/desktop-managers/lxqt.nix
View File

@ -58,7 +58,8 @@ in
# Link some extra directories in /run/current-system/software/share # Link some extra directories in /run/current-system/software/share
environment.pathsToLink = [ "/share" ]; environment.pathsToLink = [ "/share" ];
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ]; services.gvfs.enable = true;
services.gvfs.package = pkgs.gvfs;
services.upower.enable = config.powerManagement.enable; services.upower.enable = config.powerManagement.enable;
}; };

8
nixos/modules/services/x11/desktop-managers/mate.nix
View File

@ -94,17 +94,19 @@ in
]; ];
programs.dconf.enable = true; programs.dconf.enable = true;
# Shell integration for VTE terminals
programs.bash.vteIntegration = mkDefault true;
programs.zsh.vteIntegration = mkDefault true;
services.gnome3.at-spi2-core.enable = true; services.gnome3.at-spi2-core.enable = true;
services.gnome3.gnome-keyring.enable = true; services.gnome3.gnome-keyring.enable = true;
services.gnome3.gnome-settings-daemon.enable = true; services.gnome3.gnome-settings-daemon.enable = true;
services.gnome3.gnome-settings-daemon.package = pkgs.mate.mate-settings-daemon; services.gnome3.gnome-settings-daemon.package = pkgs.mate.mate-settings-daemon;
services.gnome3.gvfs.enable = true; services.gvfs.enable = true;
services.upower.enable = config.powerManagement.enable; services.upower.enable = config.powerManagement.enable;
security.pam.services.mate-screensaver.unixAuth = true; security.pam.services.mate-screensaver.unixAuth = true;
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gnome3.gvfs}/lib/gio/modules" ];
environment.pathsToLink = [ "/share" ]; environment.pathsToLink = [ "/share" ];
}; };

22
nixos/modules/services/x11/desktop-managers/pantheon.nix
View File

@ -99,10 +99,6 @@ in
fi fi
'') cfg.sessionPath} '') cfg.sessionPath}
# Makes qt applications look less alien
export QT_QPA_PLATFORMTHEME=gtk3
export QT_STYLE_OVERRIDE=adwaita
# Settings from elementary-default-settings # Settings from elementary-default-settings
export GTK_CSD=1 export GTK_CSD=1
export GTK_MODULES=$GTK_MODULES:pantheon-filechooser-module export GTK_MODULES=$GTK_MODULES:pantheon-filechooser-module
@ -129,7 +125,7 @@ in
services.gnome3.gnome-keyring.enable = true; services.gnome3.gnome-keyring.enable = true;
services.gnome3.gnome-settings-daemon.enable = true; services.gnome3.gnome-settings-daemon.enable = true;
services.gnome3.gnome-settings-daemon.package = pkgs.pantheon.elementary-settings-daemon; services.gnome3.gnome-settings-daemon.package = pkgs.pantheon.elementary-settings-daemon;
services.gnome3.gvfs.enable = true; services.gvfs.enable = true;
services.gnome3.rygel.enable = mkDefault true; services.gnome3.rygel.enable = mkDefault true;
services.gsignond.enable = mkDefault true; services.gsignond.enable = mkDefault true;
services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ];
@ -146,9 +142,19 @@ in
isSystem = true; isSystem = true;
}; };
programs.dconf.enable = true;
programs.evince.enable = mkDefault true; programs.evince.enable = mkDefault true;
programs.file-roller.enable = mkDefault true; programs.file-roller.enable = mkDefault true;
# Shell integration for VTE terminals
programs.bash.vteIntegration = mkDefault true;
programs.zsh.vteIntegration = mkDefault true;
# Harmonize Qt5 applications under Pantheon
qt5.enable = true;
qt5.platformTheme = "gnome";
qt5.style = "adwaita";
networking.networkmanager.enable = mkDefault true; networking.networkmanager.enable = mkDefault true;
networking.networkmanager.basePackages = networking.networkmanager.basePackages =
{ inherit (pkgs) networkmanager modemmanager wpa_supplicant crda; { inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
@ -161,11 +167,6 @@ in
environment.variables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1"; environment.variables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1";
environment.variables.GIO_EXTRA_MODULES = [
"${lib.getLib pkgs.gnome3.dconf}/lib/gio/modules"
"${pkgs.gnome3.gvfs}/lib/gio/modules"
];
environment.pathsToLink = [ environment.pathsToLink = [
# FIXME: modules should link subdirs of `/share` rather than relying on this # FIXME: modules should link subdirs of `/share` rather than relying on this
"/share" "/share"
@ -187,7 +188,6 @@ in
glib-networking glib-networking
gnome-menus gnome-menus
gnome3.adwaita-icon-theme gnome3.adwaita-icon-theme
gnome3.dconf
gtk3.out gtk3.out
hicolor-icon-theme hicolor-icon-theme
lightlocker lightlocker

7
nixos/modules/services/x11/desktop-managers/xfce.nix
View File

@ -66,7 +66,6 @@ in
exo exo
garcon garcon
gtk-xfce-engine gtk-xfce-engine
gvfs
libxfce4ui libxfce4ui
tumbler tumbler
xfconf xfconf
@ -100,10 +99,6 @@ in
"/share/gtksourceview-2.0" "/share/gtksourceview-2.0"
]; ];
environment.variables = {
GIO_EXTRA_MODULES = [ "${pkgs.xfce.gvfs}/lib/gio/modules" ];
};
services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
services.xserver.desktopManager.session = [{ services.xserver.desktopManager.session = [{
@ -128,5 +123,7 @@ in
# Enable helpful DBus services. # Enable helpful DBus services.
services.udisks2.enable = true; services.udisks2.enable = true;
services.upower.enable = config.powerManagement.enable; services.upower.enable = config.powerManagement.enable;
services.gvfs.enable = true;
services.gvfs.package = pkgs.xfce.gvfs;
}; };
} }

2
nixos/modules/services/x11/xautolock.nix
View File

@ -129,7 +129,7 @@ in
assertion = cfg.killer != null -> cfg.killtime >= 10; assertion = cfg.killer != null -> cfg.killtime >= 10;
message = "killtime has to be at least 10 minutes according to `man xautolock`"; message = "killtime has to be at least 10 minutes according to `man xautolock`";
} }
] ++ (lib.flip map [ "locker" "notifier" "nowlocker" "killer" ] ] ++ (lib.forEach [ "locker" "notifier" "nowlocker" "killer" ]
(option: (option:
{ {
assertion = cfg.${option} != null -> builtins.substring 0 1 cfg.${option} == "/"; assertion = cfg.${option} != null -> builtins.substring 0 1 cfg.${option} == "/";

2
nixos/modules/services/x11/xserver.nix
View File

@ -78,7 +78,7 @@ let
in imap1 mkHead cfg.xrandrHeads; in imap1 mkHead cfg.xrandrHeads;
xrandrDeviceSection = let xrandrDeviceSection = let
monitors = flip map xrandrHeads (h: '' monitors = forEach xrandrHeads (h: ''
Option "monitor-${h.config.output}" "${h.name}" Option "monitor-${h.config.output}" "${h.name}"
''); '');
# First option is indented through the space in the config but any # First option is indented through the space in the config but any

66
nixos/modules/system/boot/coredump.nix
View File

@ -1,66 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
options = {
systemd.coredump = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables storing core dumps in systemd.
Note that this alone is not enough to enable core dumps. The maximum
file size for core dumps must be specified in limits.conf as well. See
<option>security.pam.loginLimits</option> and the limits.conf(5)
man page (these specify the core dump limits for user login sessions)
and <option>systemd.extraConfig</option> (where e.g.
<literal>DefaultLimitCORE=1000000</literal> can be specified to set
the core dump limit for systemd system-level services).
'';
};
extraConfig = mkOption {
default = "";
type = types.lines;
example = "Storage=journal";
description = ''
Extra config options for systemd-coredump. See coredump.conf(5) man page
for available options.
'';
};
};
};
config = mkMerge [
(mkIf config.systemd.coredump.enable {
systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
environment.etc."systemd/coredump.conf".text =
''
[Coredump]
${config.systemd.coredump.extraConfig}
'';
# Have the kernel pass core dumps to systemd's coredump helper binary.
# From systemd's 50-coredump.conf file. See:
# <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
})
(mkIf (!config.systemd.coredump.enable) {
boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
systemd.extraConfig =
''
DefaultLimitCORE=0:infinity
'';
})
];
}

1
nixos/modules/system/boot/kernel.nix
View File

@ -36,6 +36,7 @@ in
boot.kernelPackages = mkOption { boot.kernelPackages = mkOption {
default = pkgs.linuxPackages; default = pkgs.linuxPackages;
type = types.unspecified // { merge = mergeEqualOption; };
apply = kernelPackages: kernelPackages.extend (self: super: { apply = kernelPackages: kernelPackages.extend (self: super: {
kernel = super.kernel.override { kernel = super.kernel.override {
inherit randstructSeed; inherit randstructSeed;

2
nixos/modules/system/boot/loader/grub/grub.nix
View File

@ -684,7 +684,7 @@ in
assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint; assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint;
message = "EFI paths must be absolute, not ${args.efiSysMountPoint}"; message = "EFI paths must be absolute, not ${args.efiSysMountPoint}";
} }
] ++ flip map args.devices (device: { ] ++ forEach args.devices (device: {
assertion = device == "nodev" || hasPrefix "/" device; assertion = device == "nodev" || hasPrefix "/" device;
message = "GRUB devices must be absolute paths, not ${device} in ${args.path}"; message = "GRUB devices must be absolute paths, not ${device} in ${args.path}";
})); }));

88
nixos/modules/system/boot/networkd.nix
View File

@ -55,6 +55,27 @@ let
(assertMacAddress "MACAddress") (assertMacAddress "MACAddress")
]; ];
# NOTE The PrivateKey directive is missing on purpose here, please
# do not add it to this list. The nix store is world-readable let's
# refrain ourselves from providing a footgun.
checkWireGuard = checkUnitConfig "WireGuard" [
(assertOnlyFields [
"PrivateKeyFile" "ListenPort" "FwMark"
])
(assertRange "FwMark" 1 4294967295)
];
# NOTE The PresharedKey directive is missing on purpose here, please
# do not add it to this list. The nix store is world-readable,let's
# refrain ourselves from providing a footgun.
checkWireGuardPeer = checkUnitConfig "WireGuardPeer" [
(assertOnlyFields [
"PublicKey" "PresharedKeyFile" "AllowedIPs"
"Endpoint" "PersistentKeepalive"
])
(assertRange "PersistentKeepalive" 1 65535)
];
checkVlan = checkUnitConfig "VLAN" [ checkVlan = checkUnitConfig "VLAN" [
(assertOnlyFields ["Id" "GVRP" "MVRP" "LooseBinding" "ReorderHeader"]) (assertOnlyFields ["Id" "GVRP" "MVRP" "LooseBinding" "ReorderHeader"])
(assertRange "Id" 0 4094) (assertRange "Id" 0 4094)
@ -320,6 +341,46 @@ let
''; '';
}; };
wireguardConfig = mkOption {
default = {};
example = {
PrivateKeyFile = "/etc/wireguard/secret.key";
ListenPort = 51820;
FwMark = 42;
};
type = types.addCheck (types.attrsOf unitOption) checkWireGuard;
description = ''
Each attribute in this set specifies an option in the
<literal>[WireGuard]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.netdev</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
Use <literal>PrivateKeyFile</literal> instead of
<literal>PrivateKey</literal>: the nix store is
world-readable.
'';
};
wireguardPeers = mkOption {
default = [];
example = [ { wireguardPeerConfig={
Endpoint = "192.168.1.1:51820";
PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
PresharedKeyFile = "/etc/wireguard/psk.key";
AllowedIPs = [ "10.0.0.1/32" ];
PersistentKeepalive = 15;
};}];
type = with types; listOf (submodule wireguardPeerOptions);
description = ''
Each item in this array specifies an option in the
<literal>[WireGuardPeer]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.netdev</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
Use <literal>PresharedKeyFile</literal> instead of
<literal>PresharedKey</literal>: the nix store is
world-readable.
'';
};
vlanConfig = mkOption { vlanConfig = mkOption {
default = {}; default = {};
example = { Id = "4"; }; example = { Id = "4"; };
@ -450,6 +511,23 @@ let
}; };
}; };
wireguardPeerOptions = {
options = {
wireguardPeerConfig = mkOption {
default = {};
example = { };
type = types.addCheck (types.attrsOf unitOption) checkWireGuardPeer;
description = ''
Each attribute in this set specifies an option in the
<literal>[WireGuardPeer]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.network</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
};
};
networkOptions = commonNetworkOptions // { networkOptions = commonNetworkOptions // {
networkConfig = mkOption { networkConfig = mkOption {
@ -732,6 +810,16 @@ let
${attrsToSection def.bondConfig} ${attrsToSection def.bondConfig}
''} ''}
${optionalString (def.wireguardConfig != { }) ''
[WireGuard]
${attrsToSection def.wireguardConfig}
''}
${flip concatMapStrings def.wireguardPeers (x: ''
[WireGuardPeer]
${attrsToSection x.wireguardPeerConfig}
'')}
${def.extraConfig} ${def.extraConfig}
''; '';
}; };

4
nixos/modules/system/boot/stage-1-init.sh
View File

@ -44,13 +44,13 @@ EOF
*) to ignore the error and continue *) to ignore the error and continue
EOF EOF
read reply read -n 1 reply
if [ -n "$allowShell" -a "$reply" = f ]; then if [ -n "$allowShell" -a "$reply" = f ]; then
exec setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console" exec setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console"
elif [ -n "$allowShell" -a "$reply" = i ]; then elif [ -n "$allowShell" -a "$reply" = i ]; then
echo "Starting interactive shell..." echo "Starting interactive shell..."
setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
elif [ "$reply" = r ]; then elif [ "$reply" = r ]; then
echo "Rebooting..." echo "Rebooting..."
reboot -f reboot -f

31
nixos/modules/system/boot/systemd.nix
View File

@ -76,6 +76,10 @@ let
"systemd-journald-dev-log.socket" "systemd-journald-dev-log.socket"
"syslog.socket" "syslog.socket"
# Coredumps.
"systemd-coredump.socket"
"systemd-coredump@.service"
# SysV init compatibility. # SysV init compatibility.
"systemd-initctl.socket" "systemd-initctl.socket"
"systemd-initctl.service" "systemd-initctl.service"
@ -533,13 +537,23 @@ in
}; };
systemd.enableCgroupAccounting = mkOption { systemd.enableCgroupAccounting = mkOption {
default = false; default = true;
type = types.bool; type = types.bool;
description = '' description = ''
Whether to enable cgroup accounting. Whether to enable cgroup accounting.
''; '';
}; };
systemd.coredump.extraConfig = mkOption {
default = "";
type = types.lines;
example = "Storage=journal";
description = ''
Extra config options for systemd-coredump. See coredump.conf(5) man page
for available options.
'';
};
systemd.extraConfig = mkOption { systemd.extraConfig = mkOption {
default = ""; default = "";
type = types.lines; type = types.lines;
@ -790,11 +804,12 @@ in
[Manager] [Manager]
${optionalString config.systemd.enableCgroupAccounting '' ${optionalString config.systemd.enableCgroupAccounting ''
DefaultCPUAccounting=yes DefaultCPUAccounting=yes
DefaultBlockIOAccounting=yes
DefaultIOAccounting=yes DefaultIOAccounting=yes
DefaultBlockIOAccounting=yes DefaultBlockIOAccounting=yes
DefaultMemoryAccounting=yes DefaultIPAccounting=yes
DefaultTasksAccounting=yes
''} ''}
DefaultLimitCORE=infinity
${config.systemd.extraConfig} ${config.systemd.extraConfig}
''; '';
@ -818,6 +833,12 @@ in
${config.services.journald.extraConfig} ${config.services.journald.extraConfig}
''; '';
"systemd/coredump.conf".text =
''
[Coredump]
${config.systemd.coredump.extraConfig}
'';
"systemd/logind.conf".text = '' "systemd/logind.conf".text = ''
[Login] [Login]
KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"} KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@ -831,6 +852,10 @@ in
[Sleep] [Sleep]
''; '';
# install provided sysctl snippets
"sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
"sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
"tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf"; "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
"tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";

8
nixos/modules/tasks/network-interfaces-systemd.nix
View File

@ -74,7 +74,7 @@ in
enable = true; enable = true;
networks."99-main" = genericNetwork mkDefault; networks."99-main" = genericNetwork mkDefault;
} }
(mkMerge (flip map interfaces (i: { (mkMerge (forEach interfaces (i: {
netdevs = mkIf i.virtual ({ netdevs = mkIf i.virtual ({
"40-${i.name}" = { "40-${i.name}" = {
netdevConfig = { netdevConfig = {
@ -90,7 +90,7 @@ in
name = mkDefault i.name; name = mkDefault i.name;
DHCP = mkForce (dhcpStr DHCP = mkForce (dhcpStr
(if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ]));
address = flip map (interfaceIps i) address = forEach (interfaceIps i)
(ip: "${ip.address}/${toString ip.prefixLength}"); (ip: "${ip.address}/${toString ip.prefixLength}");
networkConfig.IPv6PrivacyExtensions = "kernel"; networkConfig.IPv6PrivacyExtensions = "kernel";
} ]; } ];
@ -102,7 +102,7 @@ in
Kind = "bridge"; Kind = "bridge";
}; };
}; };
networks = listToAttrs (flip map bridge.interfaces (bi: networks = listToAttrs (forEach bridge.interfaces (bi:
nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
DHCP = mkOverride 0 (dhcpStr false); DHCP = mkOverride 0 (dhcpStr false);
networkConfig.Bridge = name; networkConfig.Bridge = name;
@ -173,7 +173,7 @@ in
}; };
networks = listToAttrs (flip map bond.interfaces (bi: networks = listToAttrs (forEach bond.interfaces (bi:
nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
DHCP = mkOverride 0 (dhcpStr false); DHCP = mkOverride 0 (dhcpStr false);
networkConfig.Bond = name; networkConfig.Bond = name;

12
nixos/modules/tasks/network-interfaces.nix
View File

@ -926,7 +926,7 @@ in
warnings = concatMap (i: i.warnings) interfaces; warnings = concatMap (i: i.warnings) interfaces;
assertions = assertions =
(flip map interfaces (i: { (forEach interfaces (i: {
# With the linux kernel, interface name length is limited by IFNAMSIZ # With the linux kernel, interface name length is limited by IFNAMSIZ
# to 16 bytes, including the trailing null byte. # to 16 bytes, including the trailing null byte.
# See include/linux/if.h in the kernel sources # See include/linux/if.h in the kernel sources
@ -934,12 +934,12 @@ in
message = '' message = ''
The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters. The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters.
''; '';
})) ++ (flip map slaveIfs (i: { })) ++ (forEach slaveIfs (i: {
assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ]; assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ];
message = '' message = ''
The networking.interfaces."${i.name}" must not have any defined ips when it is a slave. The networking.interfaces."${i.name}" must not have any defined ips when it is a slave.
''; '';
})) ++ (flip map interfaces (i: { })) ++ (forEach interfaces (i: {
assertion = i.preferTempAddress -> cfg.enableIPv6; assertion = i.preferTempAddress -> cfg.enableIPv6;
message = '' message = ''
Temporary addresses are only needed when IPv6 is enabled. Temporary addresses are only needed when IPv6 is enabled.
@ -967,8 +967,8 @@ in
"net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6);
"net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
} // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces)
(i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) (i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)))
// listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces) // listToAttrs (forEach (filter (i: i.preferTempAddress) interfaces)
(i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2));
# Capabilities won't work unless we have at-least a 4.3 Linux # Capabilities won't work unless we have at-least a 4.3 Linux
@ -1050,7 +1050,7 @@ in
${cfg.localCommands} ${cfg.localCommands}
''; '';
}; };
} // (listToAttrs (flip map interfaces (i: } // (listToAttrs (forEach interfaces (i:
let let
deviceDependency = if (config.boot.isContainer || i.name == "lo") deviceDependency = if (config.boot.isContainer || i.name == "lo")
then [] then []

38
nixos/modules/virtualisation/containers.nix
View File

@ -138,7 +138,7 @@ let
--bind-ro=/nix/var/nix/daemon-socket \ --bind-ro=/nix/var/nix/daemon-socket \
--bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
--bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
--link-journal=try-guest \ ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
--setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
--setenv HOST_BRIDGE="$HOST_BRIDGE" \ --setenv HOST_BRIDGE="$HOST_BRIDGE" \
--setenv HOST_ADDRESS="$HOST_ADDRESS" \ --setenv HOST_ADDRESS="$HOST_ADDRESS" \
@ -147,6 +147,7 @@ let
--setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \ --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
--setenv HOST_PORT="$HOST_PORT" \ --setenv HOST_PORT="$HOST_PORT" \
--setenv PATH="$PATH" \ --setenv PATH="$PATH" \
${optionalString cfg.ephemeral "--ephemeral"} \
${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else "" ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else ""
} \ } \
@ -247,6 +248,8 @@ let
Type = "notify"; Type = "notify";
RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";
# Note that on reboot, systemd-nspawn returns 133, so this # Note that on reboot, systemd-nspawn returns 133, so this
# unit will be restarted. On poweroff, it returns 0, so the # unit will be restarted. On poweroff, it returns 0, so the
# unit won't be restarted. # unit won't be restarted.
@ -419,6 +422,7 @@ let
{ {
extraVeths = {}; extraVeths = {};
additionalCapabilities = []; additionalCapabilities = [];
ephemeral = false;
allowedDevices = []; allowedDevices = [];
hostAddress = null; hostAddress = null;
hostAddress6 = null; hostAddress6 = null;
@ -511,6 +515,26 @@ in
information. information.
''; '';
}; };
ephemeral = mkOption {
type = types.bool;
default = false;
description = ''
Runs container in ephemeral mode with the empty root filesystem at boot.
This way container will be bootstrapped from scratch on each boot
and will be cleaned up on shutdown leaving no traces behind.
Useful for completely stateless, reproducible containers.
Note that this option might require to do some adjustments to the container configuration,
e.g. you might want to set
<varname>systemd.network.networks.$interface.dhcpConfig.ClientIdentifier</varname> to "mac"
if you use <varname>macvlans</varname> option.
This way dhcp client identifier will be stable between the container restarts.
Note that the container journal will not be linked to the host if this option is enabled.
'';
};
enableTun = mkOption { enableTun = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -659,12 +683,14 @@ in
unit = { unit = {
description = "Container '%i'"; description = "Container '%i'";
unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ]; unitConfig.RequiresMountsFor = "/var/lib/containers/%i";
path = [ pkgs.iproute ]; path = [ pkgs.iproute ];
environment.INSTANCE = "%i"; environment = {
environment.root = "/var/lib/containers/%i"; root = "/var/lib/containers/%i";
INSTANCE = "%i";
};
preStart = preStartScript dummyConfig; preStart = preStartScript dummyConfig;
@ -703,11 +729,13 @@ in
} }
else {}); else {});
in in
unit // { recursiveUpdate unit {
preStart = preStartScript containerConfig; preStart = preStartScript containerConfig;
script = startScript containerConfig; script = startScript containerConfig;
postStart = postStartScript containerConfig; postStart = postStartScript containerConfig;
serviceConfig = serviceDirectives containerConfig; serviceConfig = serviceDirectives containerConfig;
unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";
environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";
} // ( } // (
if containerConfig.autoStart then if containerConfig.autoStart then
{ {

10
nixos/modules/virtualisation/google-compute-config.nix
View File

@ -159,12 +159,6 @@ in
# functionality/features (e.g. TCP Window scaling). # functionality/features (e.g. TCP Window scaling).
"net.ipv4.tcp_syncookies" = mkDefault "1"; "net.ipv4.tcp_syncookies" = mkDefault "1";
# ignores source-routed packets
"net.ipv4.conf.all.accept_source_route" = mkDefault "0";
# ignores source-routed packets
"net.ipv4.conf.default.accept_source_route" = mkDefault "0";
# ignores ICMP redirects # ignores ICMP redirects
"net.ipv4.conf.all.accept_redirects" = mkDefault "0"; "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
@ -186,10 +180,10 @@ in
# don't allow traffic between networks or act as a router # don't allow traffic between networks or act as a router
"net.ipv4.conf.default.send_redirects" = mkDefault "0"; "net.ipv4.conf.default.send_redirects" = mkDefault "0";
# reverse path filtering - IP spoofing protection # strict reverse path filtering - IP spoofing protection
"net.ipv4.conf.all.rp_filter" = mkDefault "1"; "net.ipv4.conf.all.rp_filter" = mkDefault "1";
# reverse path filtering - IP spoofing protection # strict path filtering - IP spoofing protection
"net.ipv4.conf.default.rp_filter" = mkDefault "1"; "net.ipv4.conf.default.rp_filter" = mkDefault "1";
# ignores ICMP broadcasts to avoid participating in Smurf attacks # ignores ICMP broadcasts to avoid participating in Smurf attacks

13
nixos/modules/virtualisation/libvirtd.nix
View File

@ -104,6 +104,18 @@ in {
''; '';
}; };
onBoot = mkOption {
type = types.enum ["start" "ignore" ];
default = "start";
description = ''
Specifies the action to be done to / on the guests when the host boots.
The "start" option starts all guests that were running prior to shutdown
regardless of their autostart settings. The "ignore" option will not
start the formally running guest on boot. However, any guest marked as
autostart will still be automatically started by libvirtd.
'';
};
onShutdown = mkOption { onShutdown = mkOption {
type = types.enum ["shutdown" "suspend" ]; type = types.enum ["shutdown" "suspend" ];
default = "suspend"; default = "suspend";
@ -221,6 +233,7 @@ in {
path = with pkgs; [ coreutils libvirt gawk ]; path = with pkgs; [ coreutils libvirt gawk ];
restartIfChanged = false; restartIfChanged = false;
environment.ON_BOOT = "${cfg.onBoot}";
environment.ON_SHUTDOWN = "${cfg.onShutdown}"; environment.ON_SHUTDOWN = "${cfg.onShutdown}";
}; };

15
nixos/tests/all-tests.nix
View File

@ -47,6 +47,7 @@ in
codimd = handleTest ./codimd.nix {}; codimd = handleTest ./codimd.nix {};
colord = handleTest ./colord.nix {}; colord = handleTest ./colord.nix {};
containers-bridge = handleTest ./containers-bridge.nix {}; containers-bridge = handleTest ./containers-bridge.nix {};
containers-ephemeral = handleTest ./containers-ephemeral.nix {};
containers-extra_veth = handleTest ./containers-extra_veth.nix {}; containers-extra_veth = handleTest ./containers-extra_veth.nix {};
containers-hosts = handleTest ./containers-hosts.nix {}; containers-hosts = handleTest ./containers-hosts.nix {};
containers-imperative = handleTest ./containers-imperative.nix {}; containers-imperative = handleTest ./containers-imperative.nix {};
@ -73,7 +74,7 @@ in
#ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {}; #ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {}; ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
ecryptfs = handleTest ./ecryptfs.nix {}; ecryptfs = handleTest ./ecryptfs.nix {};
ejabberd = handleTest ./ejabberd.nix {}; ejabberd = handleTest ./xmpp/ejabberd.nix {};
elk = handleTestOn ["x86_64-linux"] ./elk.nix {}; elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
env = handleTest ./env.nix {}; env = handleTest ./env.nix {};
etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {}; etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
@ -93,8 +94,10 @@ in
gitlab = handleTest ./gitlab.nix {}; gitlab = handleTest ./gitlab.nix {};
gitolite = handleTest ./gitolite.nix {}; gitolite = handleTest ./gitolite.nix {};
gjs = handleTest ./gjs.nix {}; gjs = handleTest ./gjs.nix {};
glusterfs = handleTest ./glusterfs.nix {};
gnome3-xorg = handleTest ./gnome3-xorg.nix {}; gnome3-xorg = handleTest ./gnome3-xorg.nix {};
gnome3 = handleTest ./gnome3.nix {}; gnome3 = handleTest ./gnome3.nix {};
gnome-photos = handleTest ./gnome-photos.nix {};
gocd-agent = handleTest ./gocd-agent.nix {}; gocd-agent = handleTest ./gocd-agent.nix {};
gocd-server = handleTest ./gocd-server.nix {}; gocd-server = handleTest ./gocd-server.nix {};
google-oslogin = handleTest ./google-oslogin {}; google-oslogin = handleTest ./google-oslogin {};
@ -114,6 +117,7 @@ in
hound = handleTest ./hound.nix {}; hound = handleTest ./hound.nix {};
hydra = handleTest ./hydra {}; hydra = handleTest ./hydra {};
i3wm = handleTest ./i3wm.nix {}; i3wm = handleTest ./i3wm.nix {};
icingaweb2 = handleTest ./icingaweb2.nix {};
iftop = handleTest ./iftop.nix {}; iftop = handleTest ./iftop.nix {};
incron = handleTest ./incron.nix {}; incron = handleTest ./incron.nix {};
influxdb = handleTest ./influxdb.nix {}; influxdb = handleTest ./influxdb.nix {};
@ -124,6 +128,7 @@ in
jackett = handleTest ./jackett.nix {}; jackett = handleTest ./jackett.nix {};
jellyfin = handleTest ./jellyfin.nix {}; jellyfin = handleTest ./jellyfin.nix {};
jenkins = handleTest ./jenkins.nix {}; jenkins = handleTest ./jenkins.nix {};
jormungandr = handleTest ./jormungandr.nix {};
kafka = handleTest ./kafka.nix {}; kafka = handleTest ./kafka.nix {};
kerberos = handleTest ./kerberos/default.nix {}; kerberos = handleTest ./kerberos/default.nix {};
kernel-latest = handleTest ./kernel-latest.nix {}; kernel-latest = handleTest ./kernel-latest.nix {};
@ -138,6 +143,7 @@ in
latestKernel.login = handleTest ./login.nix { latestKernel = true; }; latestKernel.login = handleTest ./login.nix { latestKernel = true; };
ldap = handleTest ./ldap.nix {}; ldap = handleTest ./ldap.nix {};
leaps = handleTest ./leaps.nix {}; leaps = handleTest ./leaps.nix {};
libxmlb = handleTest ./libxmlb.nix {};
lidarr = handleTest ./lidarr.nix {}; lidarr = handleTest ./lidarr.nix {};
lightdm = handleTest ./lightdm.nix {}; lightdm = handleTest ./lightdm.nix {};
limesurvey = handleTest ./limesurvey.nix {}; limesurvey = handleTest ./limesurvey.nix {};
@ -150,10 +156,12 @@ in
mediawiki = handleTest ./mediawiki.nix {}; mediawiki = handleTest ./mediawiki.nix {};
memcached = handleTest ./memcached.nix {}; memcached = handleTest ./memcached.nix {};
mesos = handleTest ./mesos.nix {}; mesos = handleTest ./mesos.nix {};
metabase = handleTest ./metabase.nix {};
miniflux = handleTest ./miniflux.nix {}; miniflux = handleTest ./miniflux.nix {};
minio = handleTest ./minio.nix {}; minio = handleTest ./minio.nix {};
misc = handleTest ./misc.nix {}; misc = handleTest ./misc.nix {};
mongodb = handleTest ./mongodb.nix {}; mongodb = handleTest ./mongodb.nix {};
moodle = handleTest ./moodle.nix {};
morty = handleTest ./morty.nix {}; morty = handleTest ./morty.nix {};
mosquitto = handleTest ./mosquitto.nix {}; mosquitto = handleTest ./mosquitto.nix {};
mpd = handleTest ./mpd.nix {}; mpd = handleTest ./mpd.nix {};
@ -217,7 +225,8 @@ in
prometheus = handleTest ./prometheus.nix {}; prometheus = handleTest ./prometheus.nix {};
prometheus2 = handleTest ./prometheus-2.nix {}; prometheus2 = handleTest ./prometheus-2.nix {};
prometheus-exporters = handleTest ./prometheus-exporters.nix {}; prometheus-exporters = handleTest ./prometheus-exporters.nix {};
prosody = handleTest ./prosody.nix {}; prosody = handleTest ./xmpp/prosody.nix {};
prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {};
proxy = handleTest ./proxy.nix {}; proxy = handleTest ./proxy.nix {};
quagga = handleTest ./quagga.nix {}; quagga = handleTest ./quagga.nix {};
quake3 = handleTest ./quake3.nix {}; quake3 = handleTest ./quake3.nix {};
@ -249,6 +258,7 @@ in
systemd = handleTest ./systemd.nix {}; systemd = handleTest ./systemd.nix {};
systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-confinement = handleTest ./systemd-confinement.nix {};
systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
pdns-recursor = handleTest ./pdns-recursor.nix {}; pdns-recursor = handleTest ./pdns-recursor.nix {};
taskserver = handleTest ./taskserver.nix {}; taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {}; telegraf = handleTest ./telegraf.nix {};
@ -256,6 +266,7 @@ in
tinydns = handleTest ./tinydns.nix {}; tinydns = handleTest ./tinydns.nix {};
tor = handleTest ./tor.nix {}; tor = handleTest ./tor.nix {};
transmission = handleTest ./transmission.nix {}; transmission = handleTest ./transmission.nix {};
trezord = handleTest ./trezord.nix {};
udisks2 = handleTest ./udisks2.nix {}; udisks2 = handleTest ./udisks2.nix {};
upnp = handleTest ./upnp.nix {}; upnp = handleTest ./upnp.nix {};
uwsgi = handleTest ./uwsgi.nix {}; uwsgi = handleTest ./uwsgi.nix {};

Some files were not shown because too many files have changed in this diff Show More