diff --git a/modules/config/swap.nix b/modules/config/swap.nix
index a0287c948af..7d4654ae287 100644
--- a/modules/config/swap.nix
+++ b/modules/config/swap.nix
@@ -58,6 +58,17 @@ with utils;
'';
};
+ priority = mkOption {
+ default = null;
+ example = 2048;
+ type = types.nullOr types.int;
+ description = ''
+ Specify the priority of the swap device. Priority is a value between 0 and 32767.
+ Higher numbers indicate higher priority.
+ null lets the kernel choose a priority, which will show up as a negative value.
+ '';
+ };
+
};
config = {
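Review bot: The description promises a 0–32767 range, but `type = types.nullOr types.int` accepts any integer, and filesystems.nix in this same commit splices the value verbatim into the fstab options column as `pri=…`, so a negative or oversized priority reaches swapon unchecked. If the lib in use has a bounded integer type, `type = types.nullOr (types.ints.between 0 32767);` makes the option enforce what its text says; otherwise an assertion over `config.swapDevices` would do. The swap-device submodule this option belongs to starts outside the hunk.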
diff --git a/modules/config/system-path.nix b/modules/config/system-path.nix
index 8c36015718c..6e73118fe08 100644
--- a/modules/config/system-path.nix
+++ b/modules/config/system-path.nix
@@ -41,7 +41,6 @@ let
pkgs.nano
pkgs.ncurses
pkgs.netcat
- pkgs.ntp
pkgs.openssh
pkgs.pciutils
pkgs.perl
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index fd76dfc47a1..8a23148b028 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -75,6 +75,7 @@ in
spamd = 56;
nslcd = 58;
nginx = 60;
+ chrony = 61;
# When adding a uid, make sure it doesn't match an existing gid.
diff --git a/modules/module-list.nix b/modules/module-list.nix
index b6193b19131..7739f2df6f6 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -36,6 +36,7 @@
./misc/nixpkgs.nix
./misc/passthru.nix
./misc/version.nix
+ ./programs/atop.nix
./programs/bash/bash.nix
./programs/bash/command-not-found.nix
./programs/blcr.nix
@@ -125,6 +126,7 @@
./services/networking/bind.nix
./services/networking/bitlbee.nix
./services/networking/cntlm.nix
+ ./services/networking/chrony.nix
./services/networking/ddclient.nix
#./services/networking/dhclient.nix
./services/networking/dhcpcd.nix
diff --git a/modules/programs/atop.nix b/modules/programs/atop.nix
new file mode 100644
index 00000000000..7fdaab9d67d
--- /dev/null
+++ b/modules/programs/atop.nix
@@ -0,0 +1,36 @@
+# Global configuration for atop.
+
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let cfg = config.programs.atop;
+
+in
+{
+ ###### interface
+
+ options = {
+
+ programs.atop = {
+
+ settings = mkOption {
+ type = types.attrs;
+ default = {};
+ example = {
+ flags = "a1f";
+ interval = 5;
+ };
+ description = ''
+ Parameters to be written to /etc/atoprc
+ '';
+ };
+
+ };
+ };
+
+ config = mkIf (cfg.settings != {}) {
+ environment.etc."atoprc".text =
+ concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings);
+ };
+}
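Review bot: `type = types.attrs` accepts any value, and the writer applies `toString v` to each one, so a boolean yields `1` or an empty string and a list or nested attrset produces output atoprc will not understand; narrowing the value type, for example `type = types.attrsOf (types.either types.str types.int);` where the lib provides `either`, catches that at evaluation time. A short comment above the `environment.etc` line, e.g. `# one "<key> <value>" line per attribute, in attribute-name order`, would also document the format being generated. Note that this module only writes /etc/atoprc; it does not install atop itself, which is worth stating in the option description if intentional.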
diff --git a/modules/security/apparmor-suid.nix b/modules/security/apparmor-suid.nix
index b03047ac1f1..bc661164fdc 100644
--- a/modules/security/apparmor-suid.nix
+++ b/modules/security/apparmor-suid.nix
@@ -29,8 +29,12 @@ with pkgs.lib;
network inet raw,
${pkgs.glibc}/lib/*.so mr,
- /var/setuid-wrappers/ping.real mixr,
- ${pkgs.iputils}/sbin/ping mixr,
+ ${pkgs.libcap}/lib/libcap.so* mr,
+ ${pkgs.attr}/lib/libattr.so* mr,
+
+ ${pkgs.iputils}/bin/ping mixr,
+ /var/setuid-wrappers/ping.real r,
+
#/etc/modules.conf r,
## Site-specific additions and overrides. See local/README for details.
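Review bot: `/var/setuid-wrappers/ping.real` drops from `mixr` to `r` while only the iputils binary (now under `bin/`) keeps execute rights, and nothing in the hunk records why the wrapper target no longer needs `mixr`, so a later editor is likely to restore it. A one-line comment above that rule would preserve the reasoning, e.g. `# ping.real is only read here; exec rights belong on the resolved iputils binary above` — adjust the wording to the actual mechanism, which is not visible in this hunk. The enclosing profile block starts and ends outside the hunk.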
diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix
index 8aa933e2996..d4aa0598dd3 100644
--- a/modules/security/apparmor.nix
+++ b/modules/security/apparmor.nix
@@ -53,12 +53,12 @@ with pkgs.lib;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
- ExecStart = concatMapStrings (profile: ''
- ${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"
- '') cfg.profiles;
- ExecStop = concatMapStrings (profile: ''
- ${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}"
- '') cfg.profiles;
+ ExecStart = concatMapStrings (profile:
+ ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
+ ) cfg.profiles;
+ ExecStop = concatMapStrings (profile:
+ ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
+ ) cfg.profiles;
};
};
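Review bot: The new ExecStart and ExecStop strings end with a trailing ` ; ` after the last profile, which hands systemd an empty command after the final separator; I would confirm the systemd version in use tolerates that, or build the line with a separator-only join so no trailing `;` is emitted, e.g. `ExecStart = concatMapStringsSep " ; " (profile: ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"'') cfg.profiles;` if that helper exists in this lib, and likewise for ExecStop. A profile path containing whitespace or a double quote would also break the quoting, so a comment stating that `cfg.profiles` entries are expected to be plain store paths would help. The service definition continues outside the hunk.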
diff --git a/modules/services/backup/bacula.nix b/modules/services/backup/bacula.nix
index 05192f797fc..525df340048 100644
--- a/modules/services/backup/bacula.nix
+++ b/modules/services/backup/bacula.nix
@@ -7,6 +7,7 @@ with pkgs.lib;
let
libDir = "/var/lib/bacula";
+
fd_cfg = config.services.bacula-fd;
fd_conf = pkgs.writeText "bacula-fd.conf"
''
@@ -96,6 +97,17 @@ let
${dir_cfg.extraConfig}
'';
+ # TODO: by default use this config
+ bconsole_conf = pkgs.writeText "bconsole.conf"
+ ''
+ Director {
+ Name = ${dir_cfg.name};
+ Address = "localhost";
+ DirPort = ${toString dir_cfg.port};
+ Password = "${dir_cfg.password}";
+ }
+ '';
+
directorOptions = {name, config, ...}:
{
options = {
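Review bot: `bconsole_conf` interpolates `dir_cfg.password` into a `pkgs.writeText` derivation, which lands in the world-readable Nix store, and the TODO says the file is not wired to anything yet. Until it has a consumer I would leave it out, or generate it at activation time into a root-only path rather than the store; the same exposure may already apply to `dir_conf` above, which is outside the hunk. The `let` block this belongs to continues beyond the hunk.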
@@ -342,7 +354,8 @@ in {
description = "Bacula File Daemon";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.bacula ];
- serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-fd -f -u bacula -g bacula -c ${fd_conf}";
+ serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}";
+ serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
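Review bot: `bacula-fd` switches from `-u bacula` to `-u root` with no comment, so the file daemon now runs fully privileged and the reason is lost to the next reader; presumably it must read every path selected for backup, but that belongs next to the flag, e.g. `# bacula-fd runs as root so it can read all files selected for backup; sd and dir keep the bacula user`. If the need is only read access, a capability grant (e.g. `CAP_DAC_READ_SEARCH`, where the systemd version supports it) would avoid full root. The service attrset starts outside the hunk.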
systemd.services.bacula-sd = mkIf sd_cfg.enable {
@@ -351,6 +364,7 @@ in {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.bacula ];
serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-sd -f -u bacula -g bacula -c ${sd_conf}";
+ serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
services.postgresql.enable = dir_cfg.enable == true;
@@ -361,6 +375,7 @@ in {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.bacula ];
serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-dir -f -u bacula -g bacula -c ${dir_conf}";
+ serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
preStart = ''
if ! test -e "${libDir}/db-created"; then
${pkgs.postgresql}/bin/createuser --no-superuser --no-createdb --no-createrole bacula
diff --git a/modules/services/networking/chrony.nix b/modules/services/networking/chrony.nix
new file mode 100644
index 00000000000..5e9818858e0
--- /dev/null
+++ b/modules/services/networking/chrony.nix
@@ -0,0 +1,118 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+ inherit (pkgs) chrony;
+
+ stateDir = "/var/lib/chrony";
+
+ chronyUser = "chrony";
+
+ cfg = config.services.chrony;
+
+ configFile = pkgs.writeText "chrony.conf" ''
+ ${toString (map (server: "server " + server + "\n") cfg.servers)}
+
+ ${optionalString cfg.initstepslew.enabled ''
+ initstepslew ${toString cfg.initstepslew.threshold} ${toString (map (server: server + " ") cfg.initstepslew.servers)}
+ ''}
+
+ driftfile ${stateDir}/chrony.drift
+
+ ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+ ${cfg.extraConfig}
+ '';
+
+ chronyFlags = "-m -f ${configFile} -u ${chronyUser}";
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.chrony = {
+
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to synchronise your machine's time using chrony.
+ Make sure you disable NTP if you enable this service.
+ '';
+ };
+
+ servers = mkOption {
+ default = [
+ "0.pool.ntp.org"
+ "1.pool.ntp.org"
+ "2.pool.ntp.org"
+ ];
+ description = ''
+ The set of NTP servers from which to synchronise.
+ '';
+ };
+
+ initstepslew = mkOption {
+ default = {
+ enabled = true;
+ threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s)
+ servers = cfg.servers;
+ };
+ description = ''
+ Allow chronyd to make a rapid measurement of the system clock error at
+ boot time, and to correct the system clock by stepping before normal
+ operation begins.
+ '';
+ };
+
+ extraConfig = mkOption {
+ default = "";
+ description = ''
+ Extra configuration directives that should be added to
+ chrony.conf
+ '';
+ };
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf config.services.chrony.enable {
+
+ # Make chronyc available in the system path
+ environment.systemPackages = [ pkgs.chrony ];
+
+ users.extraUsers = singleton
+ { name = chronyUser;
+ uid = config.ids.uids.chrony;
+ description = "chrony daemon user";
+ home = stateDir;
+ };
+
+ jobs.chronyd =
+ { description = "chrony daemon";
+
+ wantedBy = [ "ip-up.target" ];
+ partOf = [ "ip-up.target" ];
+
+ path = [ chrony ];
+
+ preStart =
+ ''
+ mkdir -m 0755 -p ${stateDir}
+ chown ${chronyUser} ${stateDir}
+ '';
+
+ exec = "chronyd -n ${chronyFlags}";
+ };
+
+ };
+
+}
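Review bot: The `enable` description asks the admin to "disable NTP" by hand, but nothing enforces it, so `services.ntp.enable` and `services.chrony.enable` can both be true and two daemons contend for UDP 123 and the clock; if this module tree has the `assertions` option, add `assertions = [ { assertion = !config.services.ntp.enable; message = "services.chrony and services.ntp cannot both be enabled"; } ];` under `config`. Separately, `users.extraUsers` creates `chrony` with a uid but no dedicated group, and ids.nix in this commit adds only a uid, so the daemon's primary group falls to whatever the default is; a matching `users.extraGroups` entry would keep ownership of `${stateDir}` self-contained. Minor: `config = mkIf config.services.chrony.enable` could use the `cfg` binding defined above.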
diff --git a/modules/services/networking/gnunet.nix b/modules/services/networking/gnunet.nix
index 37df4acd63d..e0c41dcb188 100644
--- a/modules/services/networking/gnunet.nix
+++ b/modules/services/networking/gnunet.nix
@@ -126,6 +126,10 @@ in
createHome = true;
};
+ users.extraGroups = singleton
+ { name = "gnunet";
+ };
+
# The user tools that talk to `gnunetd' should come from the same source,
# so install them globally.
environment.systemPackages = [ pkgs.gnunet ];
diff --git a/modules/services/networking/networkmanager.nix b/modules/services/networking/networkmanager.nix
index b82f34aa901..88f1e08b377 100644
--- a/modules/services/networking/networkmanager.nix
+++ b/modules/services/networking/networkmanager.nix
@@ -94,7 +94,7 @@ in {
}
];
- environment.systemPackages = cfg.packages;
+ environment.systemPackages = cfg.packages ++ [ networkmanager_openvpn ];
users.extraGroups = singleton {
name = "networkmanager";
diff --git a/modules/services/networking/ntpd.nix b/modules/services/networking/ntpd.nix
index be3fcbd6543..e5e164021d3 100644
--- a/modules/services/networking/ntpd.nix
+++ b/modules/services/networking/ntpd.nix
@@ -58,6 +58,9 @@ in
config = mkIf config.services.ntp.enable {
+ # Make tools such as ntpq available in the system path
+ environment.systemPackages = [ pkgs.ntp ];
+
users.extraUsers = singleton
{ name = ntpUser;
uid = config.ids.uids.ntp;
diff --git a/modules/services/networking/openvpn.nix b/modules/services/networking/openvpn.nix
index 4ea6fa135b0..63b6cc90f07 100644
--- a/modules/services/networking/openvpn.nix
+++ b/modules/services/networking/openvpn.nix
@@ -15,7 +15,6 @@ let
upScript = ''
#! /bin/sh
- exec > /var/log/openvpn-${name}-up 2>&1
export PATH=${path}
# For convenience in client scripts, extract the remote domain
@@ -34,13 +33,13 @@ let
downScript = ''
#! /bin/sh
- exec > /var/log/openvpn-${name}-down 2>&1
export PATH=${path}
${cfg.down}
'';
configFile = pkgs.writeText "openvpn-config-${name}"
''
+ errors-to-stderr
${optionalString (cfg.up != "" || cfg.down != "") "script-security 2"}
${cfg.config}
${optionalString (cfg.up != "") "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
@@ -50,12 +49,13 @@ let
in {
description = "OpenVPN instance ‘${name}’";
- startOn = mkDefault "started network-interfaces";
- stopOn = mkDefault "stopping network-interfaces";
+ wantedBy = optional cfg.autoStart [ "multi-user.target" ];
+ after = [ "network-interfaces.target" ];
path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];
- exec = "${openvpn}/sbin/openvpn --config ${configFile}";
+ serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --config ${configFile}";
+ serviceConfig.Restart = "always";
};
in
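Review bot: `wantedBy = optional cfg.autoStart [ "multi-user.target" ]` wraps the list in another list, so the value is `[ [ "multi-user.target" ] ]` when autoStart is true; use `wantedBy = optional cfg.autoStart "multi-user.target";` (or `optionals` with the list). `serviceConfig.Restart = "always"` with no delay means an instance whose config is rejected is restarted as fast as systemd's start limit allows; adding `serviceConfig.RestartSec = 5;` or similar rate-limits that. The `makeOpenVPNJob` function is defined outside the hunk.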
@@ -144,6 +144,12 @@ in
'';
};
+ autoStart = mkOption {
+ default = true;
+ type = types.bool;
+ description = "Whether this OpenVPN instance should be started automatically.";
+ };
+
};
};
@@ -155,7 +161,7 @@ in
config = mkIf (cfg.servers != {}) {
- jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
+ systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
environment.systemPackages = [ openvpn ];
diff --git a/modules/services/web-servers/apache-httpd/mediawiki.nix b/modules/services/web-servers/apache-httpd/mediawiki.nix
index 04899839b7a..dcc05b03891 100644
--- a/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/modules/services/web-servers/apache-httpd/mediawiki.nix
@@ -72,11 +72,11 @@ let
# Unpack Mediawiki and put the config file in its root directory.
mediawikiRoot = pkgs.stdenv.mkDerivation rec {
- name= "mediawiki-1.20.3";
+ name= "mediawiki-1.20.5";
src = pkgs.fetchurl {
url = "http://download.wikimedia.org/mediawiki/1.20/${name}.tar.gz";
- sha256 = "046jcq54xla490sx0pn0w169wj74lqj3n87r39s59in6494lwp4a";
+ sha256 = "0ix6khrilfdncjqnh41xjs0bd49i1q0rywycjaixjfpwj6vjbqbl";
};
skins = config.skins;
diff --git a/modules/services/web-servers/apache-httpd/zabbix.nix b/modules/services/web-servers/apache-httpd/zabbix.nix
index 385e9ab5644..6191d63584a 100644
--- a/modules/services/web-servers/apache-httpd/zabbix.nix
+++ b/modules/services/web-servers/apache-httpd/zabbix.nix
@@ -27,7 +27,6 @@ in
''
post_max_size = 32M
max_execution_time = 300
- mbstring.func_overload = 2
'';
extraConfig = ''
diff --git a/modules/services/x11/desktop-managers/kde4.nix b/modules/services/x11/desktop-managers/kde4.nix
index 6e0d5057126..dcc3859820c 100644
--- a/modules/services/x11/desktop-managers/kde4.nix
+++ b/modules/services/x11/desktop-managers/kde4.nix
@@ -42,6 +42,8 @@ let
phononBackendPackages = flip concatMap cfg.phononBackends
(name: attrByPath [name] (throw "unknown phonon backend `${name}'") phononBackends);
+
+ wantsUdisks2 = pkgs.kde4.kdelibs.wantsUdisks2 or false;
in
{
@@ -155,7 +157,8 @@ in
};
# Enable helpful DBus services.
- services.udisks.enable = true;
+ services.udisks.enable = ! wantsUdisks2;
+ services.udisks2.enable = wantsUdisks2;
services.upower.enable = config.powerManagement.enable;
security.pam.services = [ { name = "kde"; allowNullPassword = true; startSession = true; } ];
diff --git a/modules/system/boot/systemd-unit-options.nix b/modules/system/boot/systemd-unit-options.nix
index 9069d03b9f0..f863daf2250 100644
--- a/modules/system/boot/systemd-unit-options.nix
+++ b/modules/system/boot/systemd-unit-options.nix
@@ -215,6 +215,16 @@ rec {
socketOptions = unitOptions // {
+ listenStreams = mkOption {
+ default = [];
+ types = types.listOf types.string;
+ example = [ "0.0.0.0:993" "/run/my-socket" ];
+ description = ''
+ For each item in this list, a ListenStream
+ option in the [Socket] section will be created.
+ '';
+ };
+
socketConfig = mkOption {
default = {};
example = { ListenStream = "/run/my-socket"; };
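Review bot: The new `listenStreams` option spells its type attribute `types = …` instead of `type = …`, so `mkOption` records no type and the list is never checked (a bare string or a nested list would pass through to the unit file unnoticed); change it to `type = types.listOf types.string;`. The `socketOptions` attrset continues outside the hunk.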
diff --git a/modules/system/boot/systemd.nix b/modules/system/boot/systemd.nix
index 4957bfeed34..11c2cfc6ace 100644
--- a/modules/system/boot/systemd.nix
+++ b/modules/system/boot/systemd.nix
@@ -275,6 +275,7 @@ let
[Socket]
${attrsToSection def.socketConfig}
+ ${concatStringsSep "\n" (map (s: "ListenStream=${s}") def.listenStreams)}
'';
};
diff --git a/modules/tasks/filesystems.nix b/modules/tasks/filesystems.nix
index a95bb0673a2..cc7f1f40742 100644
--- a/modules/tasks/filesystems.nix
+++ b/modules/tasks/filesystems.nix
@@ -7,6 +7,8 @@ let
fileSystems = attrValues config.fileSystems;
+ prioOption = prio: optionalString (prio !=null) " pri=${toString prio}";
+
fileSystemOpts = { name, ... }: {
options = {
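Review bot: `prio !=null` reads as a single token at a glance; write `prio != null` to match the spacing used elsewhere in the file. Because the helper interpolates the value verbatim into the fstab options column, it inherits whatever swap.nix allows for `priority`, which in this commit is any integer, so a range check belongs on the option (see swap.nix) rather than here. The `let` block continues outside the hunk.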
@@ -167,7 +169,7 @@ in
# Swap devices.
${flip concatMapStrings config.swapDevices (sw:
- "${sw.device} none swap\n"
+ "${sw.device} none swap${prioOption sw.priority}\n"
)}
'';
diff --git a/modules/tasks/filesystems/btrfs.nix b/modules/tasks/filesystems/btrfs.nix
index 57a7e5e302d..d95a32e2e3f 100644
--- a/modules/tasks/filesystems/btrfs.nix
+++ b/modules/tasks/filesystems/btrfs.nix
@@ -17,12 +17,13 @@ in
boot.initrd.extraUtilsCommands = mkIf inInitrd
''
- cp -v ${pkgs.btrfsProgs}/bin/btrfsck $out/bin
+ mkdir -p $out/bin
cp -v ${pkgs.btrfsProgs}/bin/btrfs $out/bin
+ ln -sv btrfs $out/bin/btrfsck
+ ln -sv btrfsck $out/bin/fsck.btrfs
# !!! Increases uncompressed initrd by 240k
cp -pv ${pkgs.zlib}/lib/libz.so* $out/lib
cp -pv ${pkgs.lzo}/lib/liblzo2.so* $out/lib
- ln -sv btrfsck $out/bin/fsck.btrfs
'';
boot.initrd.extraUtilsCommandsTest = mkIf inInitrd
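Review bot: `fsck.btrfs` is now a symlink to `btrfsck`, itself a symlink to `btrfs`, and the kernel passes the name the caller used as argv[0] rather than the resolved target, so `btrfs` sees `fsck.btrfs` when fsck spawns it; I would confirm the bundled btrfs-progs dispatches on that name as well as on `btrfsck`, otherwise the initrd check prints usage instead of running. `mkdir -p $out/bin` is added for the copies, but the `cp -pv … $out/lib` lines still assume `$out/lib` exists; if no other module creates it first, add `mkdir -p $out/lib` alongside. The accompanying `extraUtilsCommandsTest` starts after the hunk.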