diff options
Diffstat (limited to 'nixos')
21 files changed, 470 insertions, 101 deletions
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl index 7582371529321..44040217b0271 100644 --- a/nixos/modules/config/update-users-groups.pl +++ b/nixos/modules/config/update-users-groups.pl @@ -227,6 +227,15 @@ foreach my $u (@{$spec->{users}}) { $u->{hashedPassword} = hashPassword($u->{password}); } + if (!defined $u->{shell}) { + if (defined $existing) { + $u->{shell} = $existing->{shell}; + } else { + warn "warning: no declarative or previous shell for ‘$name’, setting shell to nologin\n"; + $u->{shell} = "/run/current-system/sw/bin/nologin"; + } + } + $u->{fakePassword} = $existing->{fakePassword} // "x"; $usersOut{$name} = $u; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index a957633809864..e90a7d567d42c 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -153,7 +153,7 @@ let }; shell = mkOption { - type = types.either types.shellPackage types.path; + type = types.nullOr (types.either types.shellPackage types.path); default = pkgs.shadow; defaultText = "pkgs.shadow"; example = literalExample "pkgs.bashInteractive"; diff --git a/nixos/modules/hardware/opentabletdriver.nix b/nixos/modules/hardware/opentabletdriver.nix new file mode 100644 index 0000000000000..b759bcf034ee4 --- /dev/null +++ b/nixos/modules/hardware/opentabletdriver.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.hardware.opentabletdriver; +in +{ + options = { + hardware.opentabletdriver = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable OpenTabletDriver udev rules, user service and blacklist kernel + modules known to conflict with OpenTabletDriver. + ''; + }; + + blacklistedKernelModules = mkOption { + type = types.listOf types.str; + default = [ "hid-uclogic" "wacom" ]; + description = '' + Blacklist of kernel modules known to conflict with OpenTabletDriver. + ''; + }; + + daemon = { + enable = mkOption { + default = true; + type = types.bool; + description = '' + Whether to start OpenTabletDriver daemon as a systemd user service. + ''; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ opentabletdriver ]; + + services.udev.packages = with pkgs; [ opentabletdriver ]; + + boot.blacklistedKernelModules = cfg.blacklistedKernelModules; + + systemd.user.services.opentabletdriver = with pkgs; mkIf cfg.daemon.enable { + description = "Open source, cross-platform, user-mode tablet driver"; + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + + serviceConfig = { + Type = "simple"; + ExecStart = "${opentabletdriver}/bin/otd-daemon -c ${opentabletdriver}/lib/OpenTabletDriver/Configurations"; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix index a5bc436be8262..e4ec2d6240d02 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix @@ -17,8 +17,7 @@ # The serial ports listed here are: # - ttyS0: for Tegra (Jetson TX1) # - ttyAMA0: for QEMU's -machine virt - # Also increase the amount of CMA to ensure the virtual console on the RPi3 works. - boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"]; + boot.kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"]; boot.initrd.availableKernelModules = [ # Allows early (earlier) modesetting for the Raspberry Pi @@ -30,13 +29,25 @@ sdImage = { populateFirmwareCommands = let configTxt = pkgs.writeText "config.txt" '' + [pi3] kernel=u-boot-rpi3.bin + [pi4] + kernel=u-boot-rpi4.bin + enable_gic=1 + armstub=armstub8-gic.bin + + # Otherwise the resolution will be weird in most cases, compared to + # what the pi3 firmware does by default. + disable_overscan=1 + + [all] # Boot in 64-bit mode. arm_64bit=1 - # U-Boot used to need this to work, regardless of whether UART is actually used or not. - # TODO: check when/if this can be removed. + # U-Boot needs this to work, regardless of whether UART is actually used or not. + # Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still + # a requirement in the future. enable_uart=1 # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel @@ -45,8 +56,17 @@ ''; in '' (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/) - cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin + + # Add the config cp ${configTxt} firmware/config.txt + + # Add pi3 specific files + cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin + + # Add pi4 specific files + cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin + cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin + cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/ ''; populateRootCommands = '' mkdir -p ./files/boot diff --git a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix index 87545e8420308..5bdec7de86e8a 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix @@ -3,36 +3,6 @@ { config, lib, pkgs, ... }: { - imports = [ - ../../profiles/base.nix - ../../profiles/installation-device.nix - ./sd-image.nix - ]; - - boot.loader.grub.enable = false; - boot.loader.raspberryPi.enable = true; - boot.loader.raspberryPi.version = 4; + imports = [ ./sd-image-aarch64.nix ]; boot.kernelPackages = pkgs.linuxPackages_rpi4; - - boot.consoleLogLevel = lib.mkDefault 7; - - sdImage = { - firmwareSize = 128; - firmwarePartitionName = "NIXOS_BOOT"; - # This is a hack to avoid replicating config.txt from boot.loader.raspberryPi - populateFirmwareCommands = - "${config.system.build.installBootLoader} ${config.system.build.toplevel} -d ./firmware"; - # As the boot process is done entirely in the firmware partition. - populateRootCommands = ""; - }; - - fileSystems."/boot/firmware" = { - # This effectively "renames" the attrsOf entry set in sd-image.nix - mountPoint = "/boot"; - neededForBoot = true; - }; - - # the installation media is also the installation target, - # so we don't want to provide the installation configuration.nix. - installer.cloneConfig = false; } diff --git a/nixos/modules/installer/tools/nixos-enter.sh b/nixos/modules/installer/tools/nixos-enter.sh index c72ef6e9c28b3..450d776181489 100644 --- a/nixos/modules/installer/tools/nixos-enter.sh +++ b/nixos/modules/installer/tools/nixos-enter.sh @@ -69,6 +69,9 @@ mount --rbind /sys "$mountPoint/sys" # Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings. LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" chroot "$mountPoint" "$system/activate" 1>&2 || true + + # Create /tmp + chroot "$mountPoint" systemd-tmpfiles --create --remove --exclude-prefix=/dev 1>&2 || true ) exec chroot "$mountPoint" "${command[@]}" diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index ed6a493e2761e..4341c8c238a86 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -66,6 +66,7 @@ ./hardware/tuxedo-keyboard.nix ./hardware/usb-wwan.nix ./hardware/onlykey.nix + ./hardware/opentabletdriver.nix ./hardware/wooting.nix ./hardware/uinput.nix ./hardware/video/amdgpu.nix @@ -141,6 +142,7 @@ ./programs/light.nix ./programs/mosh.nix ./programs/mininet.nix + ./programs/msmtp.nix ./programs/mtr.nix ./programs/nano.nix ./programs/neovim.nix @@ -743,6 +745,7 @@ ./services/networking/skydns.nix ./services/networking/shadowsocks.nix ./services/networking/shairport-sync.nix + ./services/networking/shellhub-agent.nix ./services/networking/shorewall.nix ./services/networking/shorewall6.nix ./services/networking/shout.nix diff --git a/nixos/modules/programs/msmtp.nix b/nixos/modules/programs/msmtp.nix new file mode 100644 index 0000000000000..217060e6b3b32 --- /dev/null +++ b/nixos/modules/programs/msmtp.nix @@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.msmtp; + +in { + meta.maintainers = with maintainers; [ pacien ]; + + options = { + programs.msmtp = { + enable = mkEnableOption "msmtp - an SMTP client"; + + setSendmail = mkOption { + type = types.bool; + default = true; + description = '' + Whether to set the system sendmail to msmtp's. + ''; + }; + + defaults = mkOption { + type = types.attrs; + default = {}; + example = { + aliases = "/etc/aliases"; + port = 587; + tls = true; + }; + description = '' + Default values applied to all accounts. + See msmtp(1) for the available options. + ''; + }; + + accounts = mkOption { + type = with types; attrsOf attrs; + default = {}; + example = { + "default" = { + host = "smtp.example"; + auth = true; + user = "someone"; + passwordeval = "cat /secrets/password.txt"; + }; + }; + description = '' + Named accounts and their respective configurations. + The special name "default" allows a default account to be defined. + See msmtp(1) for the available options. + + Use `programs.msmtp.extraConfig` instead of this attribute set-based + option if ordered account inheritance is needed. + + It is advised to use the `passwordeval` setting to read the password + from a secret file to avoid having it written in the world-readable + nix store. The password file must end with a newline (`\n`). + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to add to the msmtp configuration verbatim. + See msmtp(1) for the syntax and available options. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.msmtp ]; + + services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail { + program = "sendmail"; + source = "${pkgs.msmtp}/bin/sendmail"; + setuid = false; + setgid = false; + }; + + environment.etc."msmtprc".text = let + mkValueString = v: + if v == true then "on" + else if v == false then "off" + else generators.mkValueStringDefault {} v; + mkKeyValueString = k: v: "${k} ${mkValueString v}"; + mkInnerSectionString = + attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValueString attrs); + mkAccountString = name: attrs: '' + account ${name} + ${mkInnerSectionString attrs} + ''; + in '' + defaults + ${mkInnerSectionString cfg.defaults} + + ${concatStringsSep "\n" (mapAttrsToList mkAccountString cfg.accounts)} + + ${cfg.extraConfig} + ''; + }; +} diff --git a/nixos/modules/programs/ssmtp.nix b/nixos/modules/programs/ssmtp.nix index 1f49ddc91bb38..8039763faccc9 100644 --- a/nixos/modules/programs/ssmtp.nix +++ b/nixos/modules/programs/ssmtp.nix @@ -162,15 +162,16 @@ in (mkIf (cfg.authPassFile != null) { AuthPassFile = cfg.authPassFile; }) ]; - environment.etc."ssmtp/ssmtp.conf".source = - let - toStr = value: + # careful here: ssmtp REQUIRES all config lines to end with a newline char! + environment.etc."ssmtp/ssmtp.conf".text = with generators; toKeyValue { + mkKeyValue = mkKeyValueDefault { + mkValueString = value: if value == true then "YES" else if value == false then "NO" - else builtins.toString value + else mkValueStringDefault {} value ; - in - pkgs.writeText "ssmtp.conf" (concatStringsSep "\n" (mapAttrsToList (key: value: "${key}=${toStr value}") cfg.settings)); + } "="; + } cfg.settings; environment.systemPackages = [pkgs.ssmtp]; diff --git a/nixos/modules/services/misc/matrix-appservice-discord.nix b/nixos/modules/services/misc/matrix-appservice-discord.nix index 49c41ff637a8f..71d1227f4ff72 100644 --- a/nixos/modules/services/misc/matrix-appservice-discord.nix +++ b/nixos/modules/services/misc/matrix-appservice-discord.nix @@ -5,7 +5,7 @@ with lib; let dataDir = "/var/lib/matrix-appservice-discord"; registrationFile = "${dataDir}/discord-registration.yaml"; - appDir = "${pkgs.matrix-appservice-discord}/lib/node_modules/matrix-appservice-discord"; + appDir = "${pkgs.matrix-appservice-discord}/${pkgs.matrix-appservice-discord.passthru.nodeAppDir}"; cfg = config.services.matrix-appservice-discord; # TODO: switch to configGen.json once RFC42 is implemented settingsFile = pkgs.writeText "matrix-appservice-discord-settings.json" (builtins.toJSON cfg.settings); @@ -22,12 +22,6 @@ in { default = { database = { filename = "${dataDir}/discord.db"; - - # TODO: remove those old config keys once the following issues are solved: - # * https://github.com/Half-Shot/matrix-appservice-discord/issues/490 - # * https://github.com/Half-Shot/matrix-appservice-discord/issues/498 - userStorePath = "${dataDir}/user-store.db"; - roomStorePath = "${dataDir}/room-store.db"; }; # empty values necessary for registration file generation diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index b0c81a46d4d81..c8515c4b8988c 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -5,10 +5,11 @@ with lib; let cfg = config.services.grafana; opt = options.services.grafana; + declarativePlugins = pkgs.linkFarm "grafana-plugins" (builtins.map (pkg: { name = pkg.pname; path = pkg; }) cfg.declarativePlugins); envOptions = { PATHS_DATA = cfg.dataDir; - PATHS_PLUGINS = "${cfg.dataDir}/plugins"; + PATHS_PLUGINS = if builtins.isNull cfg.declarativePlugins then "${cfg.dataDir}/plugins" else declarativePlugins; PATHS_LOGS = "${cfg.dataDir}/log"; SERVER_PROTOCOL = cfg.protocol; @@ -260,6 +261,12 @@ in { defaultText = "pkgs.grafana"; type = types.package; }; + declarativePlugins = mkOption { + type = with types; nullOr (listOf path); + default = null; + description = "If non-null, then a list of packages containing Grafana plugins to install. If set, plugins cannot be manually installed."; + example = literalExample "with pkgs.grafanaPlugins; [ grafana-piechart-panel ]"; + }; dataDir = mkOption { description = "Data directory."; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index ace62342c9c63..19741b46f24e6 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -112,17 +112,21 @@ let http://tools.ietf.org/html/rfc4366#section-3.1 ''; }; - remote_timeout = mkDefOpt types.str "30s" '' - Timeout for requests to the remote write endpoint. - ''; - relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' - List of remote write relabel configurations. - List of relabel configurations. - ''; name = mkOpt types.string '' - Name of the remote write config, which if specified must be unique among remote write configs. + Name of the remote read config, which if specified must be unique among remote read configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between - remote write configs. + remote read configs. + ''; + required_matchers = mkOpt (types.attrsOf types.str) '' + An optional list of equality matchers which have to be + present in a selector to query the remote read endpoint. + ''; + remote_timeout = mkOpt types.str '' + Timeout for requests to the remote read endpoint. + ''; + read_recent = mkOpt types.bool '' + Whether reads should be made for queries for time ranges that + the local storage should have complete data for. ''; basic_auth = mkOpt (types.submodule { options = { @@ -136,30 +140,22 @@ let password_file = mkOpt types.str "HTTP password file"; }; }) '' - Sets the `Authorization` header on every remote write request with the + Sets the `Authorization` header on every remote read request with the configured username and password. password and password_file are mutually exclusive. ''; bearer_token = mkOpt types.str '' - Sets the `Authorization` header on every remote write request with + Sets the `Authorization` header on every remote read request with the configured bearer token. It is mutually exclusive with `bearer_token_file`. ''; bearer_token_file = mkOpt types.str '' - Sets the `Authorization` header on every remote write request with the bearer token + Sets the `Authorization` header on every remote read request with the bearer token read from the configured file. It is mutually exclusive with `bearer_token`. ''; tls_config = mkOpt promTypes.tls_config '' - Configures the remote write request's TLS settings. + Configures the remote read request's TLS settings. ''; proxy_url = mkOpt types.str "Optional Proxy URL."; - metadata_config = { - send = mkDefOpt types.bool "true" '' - Whether metric metadata is sent to remote storage or not. - ''; - send_interval = mkDefOpt types.str "1m" '' - How frequently metric metadata is sent to remote storage. - ''; - }; }; }; @@ -172,13 +168,12 @@ let http://tools.ietf.org/html/rfc4366#section-3.1 ''; }; - remote_timeout = mkDefOpt types.str "30s" '' + remote_timeout = mkOpt types.str '' Timeout for requests to the remote write endpoint. ''; - relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' - List of remote write relabel configurations. - List of relabel configurations. - ''; + write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' + List of remote write relabel configurations. + ''; name = mkOpt types.string '' Name of the remote write config, which if specified must be unique among remote write configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between @@ -212,14 +207,50 @@ let Configures the remote write request's TLS settings. ''; proxy_url = mkOpt types.str "Optional Proxy URL."; - metadata_config = { - send = mkDefOpt types.bool "true" '' - Whether metric metadata is sent to remote storage or not. - ''; - send_interval = mkDefOpt types.str "1m" '' - How frequently metric metadata is sent to remote storage. - ''; - }; + queue_config = mkOpt (types.submodule { + options = { + capacity = mkOpt types.int '' + Number of samples to buffer per shard before we block reading of more + samples from the WAL. It is recommended to have enough capacity in each + shard to buffer several requests to keep throughput up while processing + occasional slow remote requests. + ''; + max_shards = mkOpt types.int '' + Maximum number of shards, i.e. amount of concurrency. + ''; + min_shards = mkOpt types.int '' + Minimum number of shards, i.e. amount of concurrency. + ''; + max_samples_per_send = mkOpt types.int '' + Maximum number of samples per send. + ''; + batch_send_deadline = mkOpt types.str '' + Maximum time a sample will wait in buffer. + ''; + min_backoff = mkOpt types.str '' + Initial retry delay. Gets doubled for every retry. + ''; + max_backoff = mkOpt types.str '' + Maximum retry delay. + ''; + }; + }) '' + Configures the queue used to write to remote storage. + ''; + metadata_config = mkOpt (types.submodule { + options = { + send = mkOpt types.bool '' + Whether metric metadata is sent to remote storage or not. + ''; + send_interval = mkOpt types.str '' + How frequently metric metadata is sent to remote storage. + ''; + }; + }) '' + Configures the sending of series metadata to remote storage. + Metadata configuration is subject to change at any point + or be removed in future releases. + ''; }; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 3e7b303620f78..fe9d1a6590784 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -23,6 +23,7 @@ let exporterOpts = genAttrs [ "apcupsd" "bind" + "bird" "blackbox" "collectd" "dnsmasq" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bird.nix b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix new file mode 100644 index 0000000000000..d8a526eafcea9 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix @@ -0,0 +1,46 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.bird; +in +{ + port = 9324; + extraOpts = { + birdVersion = mkOption { + type = types.enum [ 1 2 ]; + default = 2; + description = '' + Specifies whether BIRD1 or BIRD2 is in use. + ''; + }; + birdSocket = mkOption { + type = types.path; + default = "/var/run/bird.ctl"; + description = '' + Path to BIRD2 (or BIRD1 v4) socket. + ''; + }; + newMetricFormat = mkOption { + type = types.bool; + default = true; + description = '' + Enable the new more-generic metric format. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + SupplementaryGroups = singleton (if cfg.birdVersion == 1 then "bird" else "bird2"); + ExecStart = '' + ${pkgs.prometheus-bird-exporter}/bin/bird_exporter \ + -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + -bird.socket ${cfg.birdSocket} \ + -bird.v2=${if cfg.birdVersion == 2 then "true" else "false"} \ + -format.new=${if cfg.newMetricFormat then "true" else "false"} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/corerad.nix b/nixos/modules/services/networking/corerad.nix index d90a5923bc62e..4acdd1d69cc49 100644 --- a/nixos/modules/services/networking/corerad.nix +++ b/nixos/modules/services/networking/corerad.nix @@ -4,13 +4,7 @@ with lib; let cfg = config.services.corerad; - - writeTOML = name: x: - pkgs.runCommandNoCCLocal name { - passAsFile = ["config"]; - config = builtins.toJSON x; - buildInputs = [ pkgs.go-toml ]; - } "jsontoml < $configPath > $out"; + settingsFormat = pkgs.formats.toml {}; in { meta.maintainers = with maintainers; [ mdlayher ]; @@ -19,7 +13,7 @@ in { enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon"; settings = mkOption { - type = types.uniq types.attrs; + type = settingsFormat.type; example = literalExample '' { interfaces = [ @@ -64,7 +58,7 @@ in { config = mkIf cfg.enable { # Prefer the config file over settings if both are set. - services.corerad.configFile = mkDefault (writeTOML "corerad.toml" cfg.settings); + services.corerad.configFile = mkDefault (settingsFormat.generate "corerad.toml" cfg.settings); systemd.services.corerad = { description = "CoreRAD IPv6 NDP RA daemon"; diff --git a/nixos/modules/services/networking/shellhub-agent.nix b/nixos/modules/services/networking/shellhub-agent.nix new file mode 100644 index 0000000000000..4ce4b8250bc3c --- /dev/null +++ b/nixos/modules/services/networking/shellhub-agent.nix @@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.shellhub-agent; +in { + + ###### interface + + options = { + + services.shellhub-agent = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the ShellHub Agent daemon, which allows + secure remote logins. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.shellhub-agent; + defaultText = "pkgs.shellhub-agent"; + description = '' + Which ShellHub Agent package to use. + ''; + }; + + tenantId = mkOption { + type = types.str; + example = "ba0a880c-2ada-11eb-a35e-17266ef329d6"; + description = '' + The tenant ID to use when connecting to the ShellHub + Gateway. + ''; + }; + + server = mkOption { + type = types.str; + default = "https://cloud.shellhub.io"; + description = '' + Server address of ShellHub Gateway to connect. + ''; + }; + + privateKey = mkOption { + type = types.path; + default = "/var/lib/shellhub-agent/private.key"; + description = '' + Location where to store the ShellHub Agent private + key. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.shellhub-agent = { + description = "ShellHub Agent"; + + wantedBy = [ "multi-user.target" ]; + requires = [ "local-fs.target" ]; + wants = [ "network-online.target" ]; + after = [ + "local-fs.target" + "network.target" + "network-online.target" + "time-sync.target" + ]; + + environment.SERVER_ADDRESS = cfg.server; + environment.PRIVATE_KEY = cfg.privateKey; + environment.TENANT_ID = cfg.tenantId; + + serviceConfig = { + # The service starts sessions for different users. + User = "root"; + Restart = "on-failure"; + ExecStart = "${cfg.package}/bin/agent"; + }; + }; + + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index 8c12e0e49bf5b..c5470b7af09b0 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix @@ -7,7 +7,7 @@ let echo "attempting to fetch configuration from EC2 user data..." export HOME=/root - export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused config.system.build.nixos-rebuild]}:$PATH + export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused pkgs.xz config.system.build.nixos-rebuild]}:$PATH export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels userData=/etc/ec2-metadata/user-data diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 26398afb3cf51..757d73421b8f2 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -56,10 +56,10 @@ let ip -6 route add $HOST_ADDRESS6 dev eth0 ip -6 route add default via $HOST_ADDRESS6 fi - - ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} fi + ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} + # Start the regular stage 1 script. exec "$1" '' @@ -223,8 +223,8 @@ let ${ipcall cfg "ip route" "$LOCAL_ADDRESS" "localAddress"} ${ipcall cfg "ip -6 route" "$LOCAL_ADDRESS6" "localAddress6"} fi - ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} fi + ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} '' ); diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index a46dd65eb4910..ee9fe62187d33 100644 --- a/nixos/modules/virtualisation/oci-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -176,10 +176,10 @@ let description = '' Define which other containers this one depends on. They will be added to both After and Requires for the unit. - Use the same name as the attribute under <literal>virtualisation.oci-containers</literal>. + Use the same name as the attribute under <literal>virtualisation.oci-containers.containers</literal>. ''; example = literalExample '' - virtualisation.oci-containers = { + virtualisation.oci-containers.containers = { node1 = {}; node2 = { dependsOn = [ "node1" ]; diff --git a/nixos/tests/grafana.nix b/nixos/tests/grafana.nix index 4b453ece7f1ef..4ba091b893f42 100644 --- a/nixos/tests/grafana.nix +++ b/nixos/tests/grafana.nix @@ -17,6 +17,10 @@ let }; extraNodeConfs = { + declarativePlugins = { + services.grafana.declarativePlugins = [ pkgs.grafanaPlugins.grafana-clock-panel ]; + }; + postgresql = { services.grafana.database = { host = "127.0.0.1:5432"; @@ -52,7 +56,7 @@ let nameValuePair dbName (mkMerge [ baseGrafanaConf (extraNodeConfs.${dbName} or {}) - ])) [ "sqlite" "postgresql" "mysql" ]); + ])) [ "sqlite" "declarativePlugins" "postgresql" "mysql" ]); in { name = "grafana"; @@ -66,6 +70,14 @@ in { testScript = '' start_all() + with subtest("Declarative plugins installed"): + declarativePlugins.wait_for_unit("grafana.service") + declarativePlugins.wait_for_open_port(3000) + declarativePlugins.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/plugins | grep -q grafana-clock-panel" + ) + declarativePlugins.shutdown() + with subtest("Successful API query as admin user with sqlite db"): sqlite.wait_for_unit("grafana.service") sqlite.wait_for_open_port(3000) diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 4dcea39cef173..f611d961769ab 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -96,6 +96,31 @@ let ''; }; + bird = { + exporterConfig = { + enable = true; + }; + metricProvider = { + services.bird2.enable = true; + services.bird2.config = '' + protocol kernel MyObviousTestString { + ipv4 { + import all; + export none; + }; + } + + protocol device { + } + ''; + }; + exporterTest = '' + wait_for_unit("prometheus-bird-exporter.service") + wait_for_open_port(9324) + succeed("curl -sSf http://localhost:9324/metrics | grep -q 'MyObviousTestString'") + ''; + }; + blackbox = { exporterConfig = { enable = true; |