diff options
Diffstat (limited to 'nixos')
129 files changed, 2670 insertions, 851 deletions
diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index bf18457c2b385..e083d51406c76 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -8,7 +8,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. </para> - <xi:include href="rl-2103.xml" /> + <xi:include href="rl-2105.xml" /> <xi:include href="rl-2009.xml" /> <xi:include href="rl-2003.xml" /> <xi:include href="rl-1909.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 0b1d0d509d783..a6cff1a8faedd 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -6,7 +6,9 @@ <title>Release 20.09 (“Nightingale”, 2020.10/27)</title> <para> - Support is planned until the end of April 2021, handing over to 21.03. + Support is planned until the end of June 2021, handing over to 21.05. + (Plans <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md#core-changes"> + have shifted</link> by two months since release of 20.09.) </para> <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" @@ -1538,7 +1540,7 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0"; <listitem> <para> Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module - as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal> + as a list is deprecated and will break eval in 21.05. Instead, an attribute-set should be specified where the <literal>name</literal> should be the key of the attribute. </para> <para> diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2105.xml index 24a0281310c6b..6dd14d6051e40 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -2,14 +2,14 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" - xml:id="sec-release-21.03"> - <title>Release 21.03 (“Okapi”, 2021.03/??)</title> + xml:id="sec-release-21.05"> + <title>Release 21.05 (“Okapi”, 2021.05/??)</title> <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" - xml:id="sec-release-21.03-highlights"> + xml:id="sec-release-21.05-highlights"> <title>Highlights</title> <para> @@ -20,7 +20,7 @@ <itemizedlist> <listitem> <para> - Support is planned until the end of October 2021, handing over to 21.09. + Support is planned until the end of December 2021, handing over to 21.11. </para> </listitem> <listitem> @@ -46,7 +46,7 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" - xml:id="sec-release-21.03-new-services"> + xml:id="sec-release-21.05-new-services"> <title>New Services</title> <para> @@ -82,7 +82,7 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" - xml:id="sec-release-21.03-incompatibilities"> + xml:id="sec-release-21.05-incompatibilities"> <title>Backward Incompatibilities</title> <para> @@ -466,6 +466,34 @@ self: super: ALSA OSS emulation (<varname>sound.enableOSSEmulation</varname>) is now disabled by default. </para> </listitem> + <listitem> + <para> + Thinkfan as been updated to <literal>1.2.x</literal>, which comes with a + new YAML based configuration format. For this reason, several NixOS options + of the thinkfan module have been changed to non-backward compatible types. + In addition, a new <xref linkend="opt-services.thinkfan.settings"/> option has + been added. + </para> + <para> + Please read the <link xlink:href="https://github.com/vmatare/thinkfan#readme"> + thinkfan documentation</link> before updating. + </para> + </listitem> + <listitem> + <para> + Adobe Flash Player support has been dropped from the tree. In particular, + the following packages no longer support it: + <itemizedlist> + <listitem><simpara><package>chromium</package></simpara></listitem> + <listitem><simpara><package>firefox</package></simpara></listitem> + <listitem><simpara><package>qt48</package></simpara></listitem> + <listitem><simpara><package>qt5.qtwebkit</package></simpara></listitem> + </itemizedlist> + Additionally, packages <package>flashplayer</package> and + <package>hal-flash</package> were removed along with the + <varname>services.flashpolicyd</varname> module. + </para> + </listitem> </itemizedlist> </section> @@ -473,12 +501,20 @@ self: super: xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" - xml:id="sec-release-21.03-notable-changes"> + xml:id="sec-release-21.05-notable-changes"> <title>Other Notable Changes</title> <itemizedlist> <listitem> <para> + <literal>stdenv.lib</literal> has been deprecated and will break + eval in 21.11. Please use <literal>pkgs.lib</literal> instead. + See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/108938">#108938</link> + for details. + </para> + </listitem> + <listitem> + <para> The Mailman NixOS module (<literal>services.mailman</literal>) has a new option <xref linkend="opt-services.mailman.enablePostfix" />, defaulting to true, that controls integration with Postfix. @@ -653,6 +689,17 @@ self: super: The <varname>platform</varname> grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal. </para> </listitem> + <listitem> + <para> + <varname>services.restic</varname> now uses a dedicated cache directory for every backup defined in <varname>services.restic.backups</varname>. The old global cache directory, <literal>/root/.cache/restic</literal>, is now unused and can be removed to free up disk space. + </para> + </listitem> + <listitem> + <para> + <literal>isync</literal>: The <literal>isync</literal> compatibility wrapper was removed and the Master/Slave + terminology has been deprecated and should be replaced with Far/Near in the configuration file. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index c3120c2bf30d6..14fe180d0bc5f 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -29,6 +29,7 @@ with lib; nixpkgs.overlays = singleton (const (super: { cairo = super.cairo.override { x11Support = false; }; dbus = super.dbus.override { x11Support = false; }; + beam = super.beam_nox; networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; networkmanager-l2tp = super.networkmanager-l2tp.override { withGnome = false; }; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 5b3e9a8ceb7f4..1a530b9f01359 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -568,7 +568,7 @@ in { # Install all the user shells environment.systemPackages = systemShells; - environment.etc = (mapAttrs' (name: { packages, ... }: { + environment.etc = (mapAttrs' (_: { packages, name, ... }: { name = "profiles/per-user/${name}"; value.source = pkgs.buildEnv { name = "user-environment"; diff --git a/nixos/modules/hardware/i2c.nix b/nixos/modules/hardware/i2c.nix new file mode 100644 index 0000000000000..ff14b4b1c891d --- /dev/null +++ b/nixos/modules/hardware/i2c.nix @@ -0,0 +1,43 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.hardware.i2c; +in + +{ + options.hardware.i2c = { + enable = mkEnableOption '' + i2c devices support. By default access is granted to users in the "i2c" + group (will be created if non-existent) and any user with a seat, meaning + logged on the computer locally. + ''; + + group = mkOption { + type = types.str; + default = "i2c"; + description = '' + Grant access to i2c devices (/dev/i2c-*) to users in this group. + ''; + }; + }; + + config = mkIf cfg.enable { + + boot.kernelModules = [ "i2c-dev" ]; + + users.groups = mkIf (cfg.group == "i2c") { + i2c = { }; + }; + + services.udev.extraRules = '' + # allow group ${cfg.group} and users with a seat use of i2c devices + ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660" + ''; + + }; + + meta.maintainers = [ maintainers.rnhmjoj ]; + +} diff --git a/nixos/modules/hardware/network/ath-user-regd.nix b/nixos/modules/hardware/network/ath-user-regd.nix new file mode 100644 index 0000000000000..b5ade5ed50105 --- /dev/null +++ b/nixos/modules/hardware/network/ath-user-regd.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + kernelVersion = config.boot.kernelPackages.kernel.version; + linuxKernelMinVersion = "5.8"; + kernelPatch = pkgs.kernelPatches.ath_regd_optional // { + extraConfig = '' + ATH_USER_REGD y + ''; + }; +in +{ + options.networking.wireless.athUserRegulatoryDomain = mkOption { + default = false; + type = types.bool; + description = '' + If enabled, sets the ATH_USER_REGD kernel config switch to true to + disable the enforcement of EEPROM regulatory restrictions for ath + drivers. Requires at least Linux ${linuxKernelMinVersion}. + ''; + }; + + config = mkIf config.networking.wireless.athUserRegulatoryDomain { + assertions = singleton { + assertion = lessThan 0 (builtins.compareVersions kernelVersion linuxKernelMinVersion); + message = "ATH_USER_REGD patch for kernels older than ${linuxKernelMinVersion} not ported yet!"; + }; + boot.kernelPatches = [ kernelPatch ]; + }; +} diff --git a/nixos/modules/hardware/sensor/hddtemp.nix b/nixos/modules/hardware/sensor/hddtemp.nix new file mode 100644 index 0000000000000..df3f75e229a2f --- /dev/null +++ b/nixos/modules/hardware/sensor/hddtemp.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) mkIf mkOption types; + + cfg = config.hardware.sensor.hddtemp; + + wrapper = pkgs.writeShellScript "hddtemp-wrapper" '' + set -eEuo pipefail + + file=/var/lib/hddtemp/hddtemp.db + + drives=(${toString (map (e: ''$(realpath ${lib.escapeShellArg e}) '') cfg.drives)}) + + cp ${pkgs.hddtemp}/share/hddtemp/hddtemp.db $file + ${lib.concatMapStringsSep "\n" (e: "echo ${lib.escapeShellArg e} >> $file") cfg.dbEntries} + + exec ${pkgs.hddtemp}/bin/hddtemp ${lib.escapeShellArgs cfg.extraArgs} \ + --daemon \ + --unit=${cfg.unit} \ + --file=$file \ + ''${drives[@]} + ''; + +in +{ + meta.maintainers = with lib.maintainers; [ peterhoeg ]; + + ###### interface + + options = { + hardware.sensor.hddtemp = { + enable = mkOption { + description = '' + Enable this option to support HDD/SSD temperature sensors. + ''; + type = types.bool; + default = false; + }; + + drives = mkOption { + description = "List of drives to monitor. If you pass /dev/disk/by-path/* entries the symlinks will be resolved as hddtemp doesn't like names with colons."; + type = types.listOf types.str; + }; + + unit = mkOption { + description = "Celcius or Fahrenheit"; + type = types.enum [ "C" "F" ]; + default = "C"; + }; + + dbEntries = mkOption { + description = "Additional DB entries"; + type = types.listOf types.str; + default = [ ]; + }; + + extraArgs = mkOption { + description = "Additional arguments passed to the daemon."; + type = types.listOf types.str; + default = [ ]; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.hddtemp = { + description = "HDD/SSD temperature"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "forking"; + ExecStart = wrapper; + StateDirectory = "hddtemp"; + PrivateTmp = true; + ProtectHome = "tmpfs"; + ProtectSystem = "strict"; + }; + }; + }; +} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 72eb9fcfaa602..97accc7b99a03 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -5,36 +5,17 @@ with lib; let - - drivers = config.services.xserver.videoDrivers; - - # FIXME: should introduce an option like - # ‘hardware.video.nvidia.package’ for overriding the default NVIDIA - # driver. - nvidiaForKernel = kernelPackages: - if elem "nvidia" drivers then - kernelPackages.nvidia_x11 - else if elem "nvidiaBeta" drivers then - kernelPackages.nvidia_x11_beta - else if elem "nvidiaVulkanBeta" drivers then - kernelPackages.nvidia_x11_vulkan_beta - else if elem "nvidiaLegacy304" drivers then - kernelPackages.nvidia_x11_legacy304 - else if elem "nvidiaLegacy340" drivers then - kernelPackages.nvidia_x11_legacy340 - else if elem "nvidiaLegacy390" drivers then - kernelPackages.nvidia_x11_legacy390 - else null; - - nvidia_x11 = nvidiaForKernel config.boot.kernelPackages; - nvidia_libs32 = - if versionOlder nvidia_x11.version "391" then - ((nvidiaForKernel pkgs.pkgsi686Linux.linuxPackages).override { libsOnly = true; kernel = null; }).out - else - (nvidiaForKernel config.boot.kernelPackages).lib32; + nvidia_x11 = let + drivers = config.services.xserver.videoDrivers; + isDeprecated = str: (hasPrefix "nvidia" str) && (str != "nvidia"); + hasDeprecated = drivers: any isDeprecated drivers; + in if (hasDeprecated drivers) then + throw '' + Selecting an nvidia driver has been modified for NixOS 19.03. The version is now set using `hardware.nvidia.package`. + '' + else if (elem "nvidia" drivers) then cfg.package else null; enabled = nvidia_x11 != null; - cfg = config.hardware.nvidia; pCfg = cfg.prime; @@ -170,6 +151,16 @@ in GPUs stay awake even during headless mode. ''; }; + + hardware.nvidia.package = lib.mkOption { + type = lib.types.package; + default = config.boot.kernelPackages.nvidiaPackages.stable; + defaultText = "config.boot.kernelPackages.nvidiaPackages.stable"; + description = '' + The NVIDIA X11 derivation to use. + ''; + example = "config.boot.kernelPackages.nvidiaPackages.legacy340"; + }; }; config = let @@ -271,9 +262,9 @@ in }; hardware.opengl.package = mkIf (!offloadCfg.enable) nvidia_x11.out; - hardware.opengl.package32 = mkIf (!offloadCfg.enable) nvidia_libs32; + hardware.opengl.package32 = mkIf (!offloadCfg.enable) nvidia_x11.lib32; hardware.opengl.extraPackages = optional offloadCfg.enable nvidia_x11.out; - hardware.opengl.extraPackages32 = optional offloadCfg.enable nvidia_libs32; + hardware.opengl.extraPackages32 = optional offloadCfg.enable nvidia_x11.lib32; environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ] ++ optionals nvidiaPersistencedEnabled [ nvidia_x11.persistenced ]; diff --git a/nixos/modules/hardware/video/switcheroo-control.nix b/nixos/modules/hardware/video/switcheroo-control.nix new file mode 100644 index 0000000000000..199adb2ad8f52 --- /dev/null +++ b/nixos/modules/hardware/video/switcheroo-control.nix @@ -0,0 +1,18 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + pkg = [ pkgs.switcheroo-control ]; + cfg = config.services.switcherooControl; +in { + options.services.switcherooControl = { + enable = mkEnableOption "switcheroo-control, a D-Bus service to check the availability of dual-GPU"; + }; + + config = mkIf cfg.enable { + services.dbus.packages = pkg; + environment.systemPackages = pkg; + systemd.packages = pkg; + systemd.targets.multi-user.wants = [ "switcheroo-control.service" ]; + }; +} diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 6e3ddb875e1b4..7bc55e67134b6 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -585,6 +585,22 @@ EOF return $config; } +sub generateXserverConfig { + my $xserverEnabled = "@xserverEnabled@"; + + my $config = ""; + if ($xserverEnabled eq "1") { + $config = <<EOF; + # Enable the X11 windowing system. + services.xserver.enable = true; +EOF + } else { + $config = <<EOF; + # Enable the X11 windowing system. + # services.xserver.enable = true; +EOF + } +} if ($showHardwareConfig) { print STDOUT $hwConfig; @@ -630,6 +646,8 @@ EOF my $networkingDhcpConfig = generateNetworkingDhcpConfig(); + my $xserverConfig = generateXserverConfig(); + (my $desktopConfiguration = <<EOF)=~s/^/ /gm; @desktopConfiguration@ EOF diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index ada5f57485612..a9e5641b05a2e 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -36,6 +36,7 @@ let path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ]; perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/${pkgs.perl.libPrefix}"; inherit (config.system.nixos-generate-config) configuration desktopConfiguration; + xserverEnabled = config.services.xserver.enable; }; nixos-option = @@ -87,8 +88,8 @@ in desktopConfiguration = mkOption { internal = true; - type = types.str; - default = ""; + type = types.listOf types.lines; + default = []; description = '' Text to preseed the desktop configuration that <literal>nixos-generate-config</literal> saves to <literal>/etc/nixos/configuration.nix</literal>. @@ -136,6 +137,8 @@ in # keyMap = "us"; # }; + $xserverConfig + $desktopConfiguration # Configure keymap in X11 # services.xserver.layout = "us"; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 232be6ee0afab..3055459e78185 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -46,12 +46,15 @@ ./hardware/cpu/intel-microcode.nix ./hardware/digitalbitbox.nix ./hardware/device-tree.nix + ./hardware/i2c.nix + ./hardware/sensor/hddtemp.nix ./hardware/sensor/iio.nix ./hardware/keyboard/zsa.nix ./hardware/ksm.nix ./hardware/ledger.nix ./hardware/logitech.nix ./hardware/mcelog.nix + ./hardware/network/ath-user-regd.nix ./hardware/network/b43.nix ./hardware/network/intel-2200bg.nix ./hardware/nitrokey.nix @@ -77,6 +80,7 @@ ./hardware/video/displaylink.nix ./hardware/video/hidpi.nix ./hardware/video/nvidia.nix + ./hardware/video/switcheroo-control.nix ./hardware/video/uvcvideo/default.nix ./hardware/video/webcam/facetimehd.nix ./hardware/xpadneo.nix @@ -175,7 +179,6 @@ ./programs/tsm-client.nix ./programs/udevil.nix ./programs/usbtop.nix - ./programs/venus.nix ./programs/vim.nix ./programs/wavemon.nix ./programs/waybar.nix @@ -358,6 +361,7 @@ ./services/games/terraria.nix ./services/hardware/acpid.nix ./services/hardware/actkbd.nix + ./services/hardware/auto-cpufreq.nix ./services/hardware/bluetooth.nix ./services/hardware/bolt.nix ./services/hardware/brltty.nix @@ -372,6 +376,7 @@ ./services/hardware/nvidia-optimus.nix ./services/hardware/pcscd.nix ./services/hardware/pommed.nix + ./services/hardware/power-profiles-daemon.nix ./services/hardware/ratbagd.nix ./services/hardware/sane.nix ./services/hardware/sane_extra_backends/brscan4.nix @@ -455,6 +460,7 @@ ./services/misc/domoticz.nix ./services/misc/errbot.nix ./services/misc/etcd.nix + ./services/misc/etebase-server.nix ./services/misc/ethminer.nix ./services/misc/exhibitor.nix ./services/misc/felix.nix @@ -609,6 +615,8 @@ ./services/networking/atftpd.nix ./services/networking/avahi-daemon.nix ./services/networking/babeld.nix + ./services/networking/bee.nix + ./services/networking/bee-clef.nix ./services/networking/biboumi.nix ./services/networking/bind.nix ./services/networking/bitcoind.nix @@ -645,7 +653,6 @@ ./services/networking/fireqos.nix ./services/networking/firewall.nix ./services/networking/flannel.nix - ./services/networking/flashpolicyd.nix ./services/networking/freenet.nix ./services/networking/freeradius.nix ./services/networking/gale.nix @@ -873,6 +880,7 @@ ./services/web-apps/documize.nix ./services/web-apps/dokuwiki.nix ./services/web-apps/engelsystem.nix + ./services/web-apps/galene.nix ./services/web-apps/gerrit.nix ./services/web-apps/gotify-server.nix ./services/web-apps/grocy.nix @@ -885,6 +893,7 @@ ./services/web-apps/jitsi-meet.nix ./services/web-apps/keycloak.nix ./services/web-apps/limesurvey.nix + ./services/web-apps/mastodon.nix ./services/web-apps/mattermost.nix ./services/web-apps/mediawiki.nix ./services/web-apps/miniflux.nix diff --git a/nixos/modules/programs/captive-browser.nix b/nixos/modules/programs/captive-browser.nix index 4d59ea8d0fd81..1f223e2475ce4 100644 --- a/nixos/modules/programs/captive-browser.nix +++ b/nixos/modules/programs/captive-browser.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: with lib; - let cfg = config.programs.captive-browser; in @@ -27,15 +26,17 @@ in # the options below are the same as in "captive-browser.toml" browser = mkOption { type = types.str; - default = concatStringsSep " " [ "${pkgs.chromium}/bin/chromium" - "--user-data-dir=\${XDG_DATA_HOME:-$HOME/.local/share}/chromium-captive" - ''--proxy-server="socks5://$PROXY"'' - ''--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"'' - "--no-first-run" - "--new-window" - "--incognito" - "http://cache.nixos.org/" - ]; + default = concatStringsSep " " [ + ''${pkgs.chromium}/bin/chromium'' + ''--user-data-dir=''${XDG_DATA_HOME:-$HOME/.local/share}/chromium-captive'' + ''--proxy-server="socks5://$PROXY"'' + ''--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"'' + ''--no-first-run'' + ''--new-window'' + ''--incognito'' + ''-no-default-browser-check'' + ''http://cache.nixos.org/'' + ]; description = '' The shell (/bin/sh) command executed once the proxy starts. When browser exits, the proxy exits. An extra env var PROXY is available. @@ -81,42 +82,45 @@ in config = mkIf cfg.enable { - programs.captive-browser.dhcp-dns = mkOptionDefault ( - if config.networking.networkmanager.enable then - "${pkgs.networkmanager}/bin/nmcli dev show ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep IP4.DNS" - else if config.networking.dhcpcd.enable then - "${pkgs.dhcpcd}/bin/dhcpcd -U ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep domain_name_servers" - else if config.networking.useNetworkd then - "${cfg.package}/bin/systemd-networkd-dns ${escapeShellArg cfg.interface}" - else - "${config.security.wrapperDir}/udhcpc --quit --now -f -i ${escapeShellArg cfg.interface} -O dns --script ${ - pkgs.writeScript "udhcp-script" '' - #!/bin/sh - if [ "$1" = bound ]; then - echo "$dns" - fi - ''}" - ); + programs.captive-browser.dhcp-dns = + let + iface = prefix: + optionalString cfg.bindInterface (concatStringsSep " " (map escapeShellArg [ prefix cfg.interface ])); + in + mkOptionDefault ( + if config.networking.networkmanager.enable then + "${pkgs.networkmanager}/bin/nmcli dev show ${iface ""} | ${pkgs.gnugrep}/bin/fgrep IP4.DNS" + else if config.networking.dhcpcd.enable then + "${pkgs.dhcpcd}/bin/dhcpcd ${iface "-U"} | ${pkgs.gnugrep}/bin/fgrep domain_name_servers" + else if config.networking.useNetworkd then + "${cfg.package}/bin/systemd-networkd-dns ${iface ""}" + else + "${config.security.wrapperDir}/udhcpc --quit --now -f ${iface "-i"} -O dns --script ${ + pkgs.writeShellScript "udhcp-script" '' + if [ "$1" = bound ]; then + echo "$dns" + fi + ''}" + ); security.wrappers.udhcpc = { - capabilities = "cap_net_raw+p"; - source = "${pkgs.busybox}/bin/udhcpc"; + capabilities = "cap_net_raw+p"; + source = "${pkgs.busybox}/bin/udhcpc"; }; security.wrappers.captive-browser = { - capabilities = "cap_net_raw+p"; - source = pkgs.writeScript "captive-browser" '' - #!${pkgs.bash}/bin/bash - export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' - browser = """${cfg.browser}""" - dhcp-dns = """${cfg.dhcp-dns}""" - socks5-addr = """${cfg.socks5-addr}""" - ${optionalString cfg.bindInterface '' - bind-device = """${cfg.interface}""" - ''} - ''} - exec ${cfg.package}/bin/captive-browser - ''; + capabilities = "cap_net_raw+p"; + source = pkgs.writeShellScript "captive-browser" '' + export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' + browser = """${cfg.browser}""" + dhcp-dns = """${cfg.dhcp-dns}""" + socks5-addr = """${cfg.socks5-addr}""" + ${optionalString cfg.bindInterface '' + bind-device = """${cfg.interface}""" + ''} + ''} + exec ${cfg.package}/bin/captive-browser + ''; }; }; } diff --git a/nixos/modules/programs/cdemu.nix b/nixos/modules/programs/cdemu.nix index a59cd93cadfc0..142e293424057 100644 --- a/nixos/modules/programs/cdemu.nix +++ b/nixos/modules/programs/cdemu.nix @@ -16,18 +16,21 @@ in { ''; }; group = mkOption { + type = types.str; default = "cdrom"; description = '' Group that users must be in to use <command>cdemu</command>. ''; }; gui = mkOption { + type = types.bool; default = true; description = '' Whether to install the <command>cdemu</command> GUI (gCDEmu). ''; }; image-analyzer = mkOption { + type = types.bool; default = true; description = '' Whether to install the image analyzer. diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix deleted file mode 100644 index 58faf38777d06..0000000000000 --- a/nixos/modules/programs/venus.nix +++ /dev/null @@ -1,173 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.services.venus; - - configFile = pkgs.writeText "venus.ini" - '' - [Planet] - name = ${cfg.name} - link = ${cfg.link} - owner_name = ${cfg.ownerName} - owner_email = ${cfg.ownerEmail} - output_theme = ${cfg.cacheDirectory}/theme - output_dir = ${cfg.outputDirectory} - cache_directory = ${cfg.cacheDirectory} - items_per_page = ${toString cfg.itemsPerPage} - ${(concatStringsSep "\n\n" - (map ({ name, feedUrl, homepageUrl }: - '' - [${feedUrl}] - name = ${name} - link = ${homepageUrl} - '') cfg.feeds))} - ''; - -in -{ - - options = { - services.venus = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Planet Venus is an awesome ‘river of news’ feed reader. It downloads - news feeds published by web sites and aggregates their content - together into a single combined feed, latest news first. - ''; - }; - - dates = mkOption { - default = "*:0/15"; - type = types.str; - description = '' - Specification (in the format described by - <citerefentry><refentrytitle>systemd.time</refentrytitle> - <manvolnum>7</manvolnum></citerefentry>) of the time at - which the Venus will collect feeds. - ''; - }; - - user = mkOption { - default = "root"; - type = types.str; - description = '' - User for running venus script. - ''; - }; - - group = mkOption { - default = "root"; - type = types.str; - description = '' - Group for running venus script. - ''; - }; - - name = mkOption { - default = "NixOS Planet"; - type = types.str; - description = '' - Your planet's name. - ''; - }; - - link = mkOption { - default = "https://planet.nixos.org"; - type = types.str; - description = '' - Link to the main page. - ''; - }; - - ownerName = mkOption { - default = "Rok Garbas"; - type = types.str; - description = '' - Your name. - ''; - }; - - ownerEmail = mkOption { - default = "some@example.com"; - type = types.str; - description = '' - Your e-mail address. - ''; - }; - - outputTheme = mkOption { - default = "${pkgs.venus}/themes/classic_fancy"; - type = types.path; - description = '' - Directory containing a config.ini file which is merged with this one. - This is typically used to specify templating and bill of material - information. - ''; - }; - - outputDirectory = mkOption { - type = types.path; - description = '' - Directory to place output files. - ''; - }; - - cacheDirectory = mkOption { - default = "/var/cache/venus"; - type = types.path; - description = '' - Where cached feeds are stored. - ''; - }; - - itemsPerPage = mkOption { - default = 15; - type = types.int; - description = '' - How many items to put on each page. - ''; - }; - - feeds = mkOption { - default = []; - example = [ - { - name = "Rok Garbas"; - feedUrl= "http://url/to/rss/feed.xml"; - homepageUrl = "http://garbas.si"; - } - ]; - description = '' - List of feeds. - ''; - }; - - }; - }; - - config = mkIf cfg.enable { - - system.activationScripts.venus = - '' - mkdir -p ${cfg.outputDirectory} - chown ${cfg.user}:${cfg.group} ${cfg.outputDirectory} -R - rm -rf ${cfg.cacheDirectory}/theme - mkdir -p ${cfg.cacheDirectory}/theme - cp -R ${cfg.outputTheme}/* ${cfg.cacheDirectory}/theme - chown ${cfg.user}:${cfg.group} ${cfg.cacheDirectory} -R - ''; - - systemd.services.venus = - { description = "Planet Venus Feed Reader"; - path = [ pkgs.venus ]; - script = "exec venus-planet ${configFile}"; - serviceConfig.User = "${cfg.user}"; - serviceConfig.Group = "${cfg.group}"; - startAt = cfg.dates; - }; - - }; -} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index c6f705bb2d6c4..2d07e421efe45 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -70,6 +70,8 @@ with lib; '') (mkRemovedOptionModule [ "services" "seeks" ] "") + (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.") + (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.") # Do NOT add any option renames here, see top of the file ]; diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 6b62e5043cafa..c33a92580d4cd 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -346,7 +346,7 @@ let webroot = mkOption { type = types.nullOr types.str; default = null; - example = "/var/lib/acme/acme-challenges"; + example = "/var/lib/acme/acme-challenge"; description = '' Where the webroot of the HTTP vhost is located. <filename>.well-known/acme-challenge/</filename> directory @@ -579,12 +579,12 @@ in { example = literalExample '' { "example.com" = { - webroot = "/var/www/challenges/"; + webroot = "/var/lib/acme/acme-challenge/"; email = "foo@example.com"; extraDomainNames = [ "www.example.com" "foo.example.com" ]; }; "bar.example.com" = { - webroot = "/var/www/challenges/"; + webroot = "/var/lib/acme/acme-challenge/"; email = "bar@example.com"; }; } diff --git a/nixos/modules/services/audio/snapserver.nix b/nixos/modules/services/audio/snapserver.nix index f614f0ba3e10c..a261b87607805 100644 --- a/nixos/modules/services/audio/snapserver.nix +++ b/nixos/modules/services/audio/snapserver.nix @@ -48,8 +48,8 @@ let ++ [ "--stream.port ${toString cfg.port}" ] ++ optionalNull cfg.sampleFormat "--stream.sampleformat ${cfg.sampleFormat}" ++ optionalNull cfg.codec "--stream.codec ${cfg.codec}" - ++ optionalNull cfg.streamBuffer "--stream.stream_buffer ${cfg.streamBuffer}" - ++ optionalNull cfg.buffer "--stream.buffer ${cfg.buffer}" + ++ optionalNull cfg.streamBuffer "--stream.stream_buffer ${toString cfg.streamBuffer}" + ++ optionalNull cfg.buffer "--stream.buffer ${toString cfg.buffer}" ++ optional cfg.sendToMuted "--stream.send_to_muted" # tcp json rpc ++ [ "--tcp.enabled ${toString cfg.tcp.enable}" ] @@ -198,13 +198,14 @@ in { type = with types; attrsOf (submodule { options = { location = mkOption { - type = types.path; + type = types.oneOf [ types.path types.str ]; description = '' - The location of the pipe. + The location of the pipe, file, Librespot/Airplay/process binary, or a TCP address. + Use an empty string for alsa. ''; }; type = mkOption { - type = types.enum [ "pipe" "file" "process" "spotify" "airplay" ]; + type = types.enum [ "pipe" "librespot" "airplay" "file" "process" "tcp" "alsa" "spotify" ]; default = "pipe"; description = '' The type of input stream. @@ -219,13 +220,21 @@ in { example = literalExample '' # for type == "pipe": { - mode = "listen"; + mode = "create"; }; # for type == "process": { params = "--param1 --param2"; logStderr = "true"; }; + # for type == "tcp": + { + mode = "client"; + } + # for type == "alsa": + { + device = "hw:0,0"; + } ''; }; inherit sampleFormat; @@ -255,6 +264,11 @@ in { config = mkIf cfg.enable { + # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85 + warnings = filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then '' + services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead. + '' else "") cfg.streams); + systemd.services.snapserver = { after = [ "network.target" ]; description = "Snapserver"; @@ -272,7 +286,7 @@ in { ProtectKernelTunables = true; ProtectControlGroups = true; ProtectKernelModules = true; - RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK"; RestrictNamespaces = true; RuntimeDirectory = name; StateDirectory = name; diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix index 31d606b141a8d..506ded5e9e8c4 100644 --- a/nixos/modules/services/backup/mysql-backup.nix +++ b/nixos/modules/services/backup/mysql-backup.nix @@ -48,6 +48,7 @@ in }; user = mkOption { + type = types.str; default = defaultUser; description = '' User to be used to perform backup. @@ -56,12 +57,14 @@ in databases = mkOption { default = []; + type = types.listOf types.str; description = '' List of database names to dump. ''; }; location = mkOption { + type = types.path; default = "/var/backup/mysql"; description = '' Location to put the gzipped MySQL database dumps. @@ -70,6 +73,7 @@ in singleTransaction = mkOption { default = false; + type = types.bool; description = '' Whether to create database dump in a single transaction ''; diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index 428861a7598a1..f4bd3aa447e5e 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -48,6 +48,7 @@ in { startAt = mkOption { default = "*-*-* 01:15:00"; + type = types.str; description = '' This option defines (see <literal>systemd.time</literal> for format) when the databases should be dumped. @@ -70,6 +71,7 @@ in { databases = mkOption { default = []; + type = types.listOf types.str; description = '' List of database names to dump. ''; @@ -77,6 +79,7 @@ in { location = mkOption { default = "/var/backup/postgresql"; + type = types.path; description = '' Location to put the gzipped PostgreSQL database dumps. ''; diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index d869835bf07e6..573f0efa9da41 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -243,9 +243,11 @@ in restartIfChanged = false; serviceConfig = { Type = "oneshot"; - ExecStart = [ "${resticCmd} backup ${concatStringsSep " " backup.extraBackupArgs} ${backupPaths}" ] ++ pruneCmd; + ExecStart = [ "${resticCmd} backup --cache-dir=%C/restic-backups-${name} ${concatStringsSep " " backup.extraBackupArgs} ${backupPaths}" ] ++ pruneCmd; User = backup.user; RuntimeDirectory = "restic-backups-${name}"; + CacheDirectory = "restic-backups-${name}"; + CacheDirectoryMode = "0700"; } // optionalAttrs (backup.s3CredentialsFile != null) { EnvironmentFile = backup.s3CredentialsFile; }; diff --git a/nixos/modules/services/cluster/hadoop/default.nix b/nixos/modules/services/cluster/hadoop/default.nix index 171d4aced651e..41ac46e538e35 100644 --- a/nixos/modules/services/cluster/hadoop/default.nix +++ b/nixos/modules/services/cluster/hadoop/default.nix @@ -7,6 +7,7 @@ with lib; options.services.hadoop = { coreSite = mkOption { default = {}; + type = types.attrsOf types.anything; example = literalExample '' { "fs.defaultFS" = "hdfs://localhost"; @@ -17,6 +18,7 @@ with lib; hdfsSite = mkOption { default = {}; + type = types.attrsOf types.anything; example = literalExample '' { "dfs.nameservices" = "namenode1"; @@ -27,6 +29,7 @@ with lib; mapredSite = mkOption { default = {}; + type = types.attrsOf types.anything; example = literalExample '' { "mapreduce.map.cpu.vcores" = "1"; @@ -37,6 +40,7 @@ with lib; yarnSite = mkOption { default = {}; + type = types.attrsOf types.anything; example = literalExample '' { "yarn.resourcemanager.ha.id" = "resourcemanager1"; diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix index f0317fdbd160f..e62fbc94415ca 100644 --- a/nixos/modules/services/cluster/k3s/default.nix +++ b/nixos/modules/services/cluster/k3s/default.nix @@ -47,6 +47,7 @@ in extraFlags = mkOption { description = "Extra flags to pass to the k3s command."; + type = types.str; default = ""; example = "--no-deploy traefik --cluster-cidr 10.24.0.0/16"; }; diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 2b6e45ba1b905..479027f1b2708 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -241,7 +241,17 @@ in description = "Kubernetes Kubelet Service"; wantedBy = [ "kubernetes.target" ]; after = [ "network.target" "docker.service" "kube-apiserver.service" ]; - path = with pkgs; [ gitMinimal openssh docker util-linux iproute ethtool thin-provisioning-tools iptables socat ] ++ top.path; + path = with pkgs; [ + gitMinimal + openssh + docker + util-linux + iproute + ethtool + thin-provisioning-tools + iptables + socat + ] ++ lib.optional config.boot.zfs.enabled config.boot.zfs.package ++ top.path; preStart = '' ${concatMapStrings (img: '' echo "Seeding docker image: ${img}" diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix index d30d94c53cc33..a49f5f8100dc9 100644 --- a/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -223,7 +223,7 @@ in { }; pythonPackages = mkOption { - type = types.listOf types.package; + type = types.functionTo (types.listOf types.package); default = pythonPackages: with pythonPackages; [ ]; defaultText = "pythonPackages: with pythonPackages; [ ]"; description = "Packages to add the to the PYTHONPATH of the buildbot process."; @@ -283,5 +283,5 @@ in { '') ]; - meta.maintainers = with lib.maintainers; [ nand0p mic92 ]; + meta.maintainers = with lib.maintainers; [ nand0p mic92 lopsided98 ]; } diff --git a/nixos/modules/services/continuous-integration/gocd-agent/default.nix b/nixos/modules/services/continuous-integration/gocd-agent/default.nix index 2e9e1c94857a0..8cae08bf1fa02 100644 --- a/nixos/modules/services/continuous-integration/gocd-agent/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-agent/default.nix @@ -90,6 +90,7 @@ in { }; startupOptions = mkOption { + type = types.listOf types.str; default = [ "-Xms${cfg.initialJavaHeapSize}" "-Xmx${cfg.maxJavaHeapMemory}" @@ -105,6 +106,7 @@ in { extraOptions = mkOption { default = [ ]; + type = types.listOf types.str; example = [ "-X debug" "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006" diff --git a/nixos/modules/services/continuous-integration/gocd-server/default.nix b/nixos/modules/services/continuous-integration/gocd-server/default.nix index 4fa41ac49edfc..4c829664a0a5c 100644 --- a/nixos/modules/services/continuous-integration/gocd-server/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-server/default.nix @@ -27,6 +27,7 @@ in { extraGroups = mkOption { default = [ ]; + type = types.listOf types.str; example = [ "wheel" "docker" ]; description = '' List of extra groups that the "gocd-server" user should be a part of. @@ -92,6 +93,7 @@ in { }; startupOptions = mkOption { + type = types.listOf types.str; default = [ "-Xms${cfg.initialJavaHeapSize}" "-Xmx${cfg.maxJavaHeapMemory}" @@ -113,6 +115,7 @@ in { extraOptions = mkOption { default = [ ]; + type = types.listOf types.str; example = [ "-X debug" "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005" diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix index 4aed493c0fb0a..9f9b86ee61cbb 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix @@ -7,14 +7,21 @@ Platform-specific code is in the respective default.nix files. */ { config, lib, options, pkgs, ... }: - let - inherit (lib) mkOption mkIf types filterAttrs literalExample mkRenamedOptionModule; + inherit (lib) + filterAttrs + literalExample + mkIf + mkOption + mkRemovedOptionModule + mkRenamedOptionModule + types + ; cfg = config.services.hercules-ci-agent; - format = pkgs.formats.toml {}; + format = pkgs.formats.toml { }; settingsModule = { config, ... }: { freeformType = format.type; @@ -28,10 +35,14 @@ let }; concurrentTasks = mkOption { description = '' - Number of tasks to perform simultaneously, such as evaluations, derivations. + Number of tasks to perform simultaneously. + + A task is a single derivation build or an evaluation. + At minimum, you need 2 concurrent tasks for <literal>x86_64-linux</literal> + in your cluster, to allow for import from derivation. - You must have a total capacity across agents of at least 2 concurrent tasks on <literal>x86_64-linux</literal> - to allow for import from derivation. + <literal>concurrentTasks</literal> can be around the CPU core count or lower if memory is + the bottleneck. ''; type = types.int; default = 4; @@ -77,61 +88,39 @@ let }; }; + # TODO (roberth, >=2022) remove checkNix = if !cfg.checkNix then "" - else if lib.versionAtLeast config.nix.package.version "2.4.0" + else if lib.versionAtLeast config.nix.package.version "2.3.10" then "" - else pkgs.stdenv.mkDerivation { - name = "hercules-ci-check-system-nix-src"; - inherit (config.nix.package) src patches; - configurePhase = ":"; - buildPhase = '' - echo "Checking in-memory pathInfoCache expiry" - if ! grep 'struct PathInfoCacheValue' src/libstore/store-api.hh >/dev/null; then - cat 1>&2 <<EOF - - You are deploying Hercules CI Agent on a system with an incompatible - nix-daemon. Please - - either upgrade Nix to version 2.4.0 (when released), - - or set option services.hercules-ci-agent.patchNix = true; - - or set option nix.package to a build of Nix 2.3 with this patch applied: - https://github.com/NixOS/nix/pull/3405 - - The patch is required for Nix-daemon clients that expect a change in binary - cache contents while running, like the agent's evaluator. Without it, import - from derivation will fail if your cluster has more than one machine. - We are conservative with changes to the overall system, which is why we - keep changes to a minimum and why we ask for confirmation in the form of - services.hercules-ci-agent.patchNix = true before applying. - - EOF - exit 1 - fi - ''; - installPhase = "touch $out"; - }; + else + pkgs.stdenv.mkDerivation { + name = "hercules-ci-check-system-nix-src"; + inherit (config.nix.package) src patches; + configurePhase = ":"; + buildPhase = '' + echo "Checking in-memory pathInfoCache expiry" + if ! grep 'PathInfoCacheValue' src/libstore/store-api.hh >/dev/null; then + cat 1>&2 <<EOF + + You are deploying Hercules CI Agent on a system with an incompatible + nix-daemon. Please make sure nix.package is set to a Nix version of at + least 2.3.10 or a master version more recent than Mar 12, 2020. + EOF + exit 1 + fi + ''; + installPhase = "touch $out"; + }; - patchedNix = lib.mkIf (!lib.versionAtLeast pkgs.nix.version "2.4.0") ( - if lib.versionAtLeast pkgs.nix.version "2.4pre" - then lib.warn "Hercules CI Agent module will not patch 2.4 pre-release. Make sure it includes (equivalently) PR #3043, commit d048577909 or is no older than 2020-03-13." pkgs.nix - else pkgs.nix.overrideAttrs ( - o: { - patches = (o.patches or []) ++ [ backportNix3398 ]; - } - ) - ); - - backportNix3398 = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/hercules-ci/hercules-ci-agent/hercules-ci-agent-0.7.3/for-upstream/issue-3398-path-info-cache-ttls-backport-2.3.patch"; - sha256 = "0jfckqjir9il2il7904yc1qyadw366y7xqzg81sp9sl3f1pw70ib"; - }; in { imports = [ - (mkRenamedOptionModule ["services" "hercules-ci-agent" "extraOptions"] ["services" "hercules-ci-agent" "settings"]) - (mkRenamedOptionModule ["services" "hercules-ci-agent" "baseDirectory"] ["services" "hercules-ci-agent" "settings" "baseDirectory"]) - (mkRenamedOptionModule ["services" "hercules-ci-agent" "concurrentTasks"] ["services" "hercules-ci-agent" "settings" "concurrentTasks"]) + (mkRenamedOptionModule [ "services" "hercules-ci-agent" "extraOptions" ] [ "services" "hercules-ci-agent" "settings" ]) + (mkRenamedOptionModule [ "services" "hercules-ci-agent" "baseDirectory" ] [ "services" "hercules-ci-agent" "settings" "baseDirectory" ]) + (mkRenamedOptionModule [ "services" "hercules-ci-agent" "concurrentTasks" ] [ "services" "hercules-ci-agent" "settings" "concurrentTasks" ]) + (mkRemovedOptionModule [ "services" "hercules-ci-agent" "patchNix" ] "Nix versions packaged in this version of Nixpkgs don't need a patched nix-daemon to work correctly in Hercules CI Agent clusters.") ]; options.services.hercules-ci-agent = { @@ -147,15 +136,6 @@ in Support is available at <link xlink:href="mailto:help@hercules-ci.com">help@hercules-ci.com</link>. ''; }; - patchNix = mkOption { - type = types.bool; - default = false; - description = '' - Fix Nix 2.3 cache path metadata caching behavior. Has the effect of <literal>nix.package = patch pkgs.nix;</literal> - - This option will be removed when Hercules CI Agent moves to Nix 2.4 (upcoming Nix release). - ''; - }; checkNix = mkOption { type = types.bool; default = true; @@ -206,7 +186,6 @@ in # even shortly after the previous lookup. This *also* applies to the daemon. narinfo-cache-negative-ttl = 0 ''; - nix.package = mkIf cfg.patchNix patchedNix; services.hercules-ci-agent.tomlFile = format.generate "hercules-ci-agent.toml" cfg.settings; }; diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix index 79d1ce5805457..e8a42e59de0d0 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix @@ -7,9 +7,7 @@ Code that is shared with nix-darwin goes in common.nix. */ { pkgs, config, lib, ... }: - let - inherit (lib) mkIf mkDefault; cfg = config.services.hercules-ci-agent; @@ -21,7 +19,7 @@ in { imports = [ ./common.nix - (lib.mkRenamedOptionModule ["services" "hercules-ci-agent" "user"] ["systemd" "services" "hercules-ci-agent" "serviceConfig" "User"]) + (lib.mkRenamedOptionModule [ "services" "hercules-ci-agent" "user" ] [ "systemd" "services" "hercules-ci-agent" "serviceConfig" "User" ]) ]; config = mkIf cfg.enable { @@ -80,6 +78,8 @@ in isSystemUser = true; }; - users.groups.hercules-ci-agent = {}; + users.groups.hercules-ci-agent = { }; }; + + meta.maintainers = [ lib.maintainers.roberth ]; } diff --git a/nixos/modules/services/development/hoogle.nix b/nixos/modules/services/development/hoogle.nix index bd55483f46d80..6d6c88b9b2aa9 100644 --- a/nixos/modules/services/development/hoogle.nix +++ b/nixos/modules/services/development/hoogle.nix @@ -41,7 +41,6 @@ in { haskellPackages = mkOption { description = "Which haskell package set to use."; default = pkgs.haskellPackages; - type = types.package; defaultText = "pkgs.haskellPackages"; }; diff --git a/nixos/modules/services/hardware/auto-cpufreq.nix b/nixos/modules/services/hardware/auto-cpufreq.nix new file mode 100644 index 0000000000000..72c4eccaff72e --- /dev/null +++ b/nixos/modules/services/hardware/auto-cpufreq.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.auto-cpufreq; +in { + options = { + services.auto-cpufreq = { + enable = mkEnableOption "auto-cpufreq daemon"; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.auto-cpufreq ]; + + systemd.packages = [ pkgs.auto-cpufreq ]; + systemd.services.auto-cpufreq.path = with pkgs; [ bash coreutils ]; + }; +} diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix index 6f5a6d3bf2886..da36ae68b3fc4 100644 --- a/nixos/modules/services/hardware/bluetooth.nix +++ b/nixos/modules/services/hardware/bluetooth.nix @@ -1,12 +1,39 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.hardware.bluetooth; - bluez-bluetooth = cfg.package; + package = cfg.package; + + inherit (lib) + mkDefault mkEnableOption mkIf mkOption + mkRenamedOptionModule mkRemovedOptionModule + concatStringsSep escapeShellArgs + optional optionals optionalAttrs recursiveUpdate types; + + cfgFmt = pkgs.formats.ini { }; + + # bluez will complain if some of the sections are not found, so just make them + # empty (but present in the file) for now + defaults = { + General.ControllerMode = "dual"; + Controller = { }; + GATT = { }; + Policy.AutoEnable = cfg.powerOnBoot; + }; + + hasDisabledPlugins = builtins.length cfg.disabledPlugins > 0; -in { +in +{ + imports = [ + (mkRenamedOptionModule [ "hardware" "bluetooth" "config" ] [ "hardware" "bluetooth" "settings" ]) + (mkRemovedOptionModule [ "hardware" "bluetooth" "extraConfig" ] '' + Use hardware.bluetooth.settings instead. + + This is part of the general move to use structured settings instead of raw + text for config as introduced by RFC0042: + https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md + '') + ]; ###### interface @@ -18,7 +45,7 @@ in { hsphfpd.enable = mkEnableOption "support for hsphfpd[-prototype] implementation"; powerOnBoot = mkOption { - type = types.bool; + type = types.bool; default = true; description = "Whether to power up the default Bluetooth controller on boot."; }; @@ -38,8 +65,15 @@ in { ''; }; - config = mkOption { - type = with types; attrsOf (attrsOf (oneOf [ bool int str ])); + disabledPlugins = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Built-in plugins to disable"; + }; + + settings = mkOption { + type = cfgFmt.type; + default = { }; example = { General = { ControllerMode = "bredr"; @@ -47,79 +81,65 @@ in { }; description = "Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf)."; }; - - extraConfig = mkOption { - type = with types; nullOr lines; - default = null; - example = '' - [General] - ControllerMode = bredr - ''; - description = '' - Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf). - ''; - }; }; - }; ###### implementation config = mkIf cfg.enable { - warnings = optional (cfg.extraConfig != null) "hardware.bluetooth.`extraConfig` is deprecated, please use hardware.bluetooth.`config`."; + environment.systemPackages = [ package ] + ++ optional cfg.hsphfpd.enable pkgs.hsphfpd; - hardware.bluetooth.config = { - Policy = { - AutoEnable = mkDefault cfg.powerOnBoot; - }; - }; - - environment.systemPackages = [ bluez-bluetooth ] - ++ optionals cfg.hsphfpd.enable [ pkgs.hsphfpd ]; - - environment.etc."bluetooth/main.conf"= { - source = pkgs.writeText "main.conf" - (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig); - }; - - services.udev.packages = [ bluez-bluetooth ]; - services.dbus.packages = [ bluez-bluetooth ] - ++ optionals cfg.hsphfpd.enable [ pkgs.hsphfpd ]; - systemd.packages = [ bluez-bluetooth ]; + environment.etc."bluetooth/main.conf".source = + cfgFmt.generate "main.conf" (recursiveUpdate defaults cfg.settings); + services.udev.packages = [ package ]; + services.dbus.packages = [ package ] + ++ optional cfg.hsphfpd.enable pkgs.hsphfpd; + systemd.packages = [ package ]; systemd.services = { - bluetooth = { + bluetooth = + let + # `man bluetoothd` will refer to main.conf in the nix store but bluez + # will in fact load the configuration file at /etc/bluetooth/main.conf + # so force it here to avoid any ambiguity and things suddenly breaking + # if/when the bluez derivation is changed. + args = [ "-f /etc/bluetooth/main.conf" ] + ++ optional hasDisabledPlugins + "--noplugin=${concatStringsSep "," cfg.disabledPlugins}"; + in + { + wantedBy = [ "bluetooth.target" ]; + aliases = [ "dbus-org.bluez.service" ]; + serviceConfig.ExecStart = [ + "" + "${package}/libexec/bluetooth/bluetoothd ${escapeShellArgs args}" + ]; + # restarting can leave people without a mouse/keyboard + unitConfig.X-RestartIfChanged = false; + }; + } + // (optionalAttrs cfg.hsphfpd.enable { + hsphfpd = { + after = [ "bluetooth.service" ]; + requires = [ "bluetooth.service" ]; wantedBy = [ "bluetooth.target" ]; - aliases = [ "dbus-org.bluez.service" ]; - # restarting can leave people without a mouse/keyboard - unitConfig.X-RestartIfChanged = false; + + description = "A prototype implementation used for connecting HSP/HFP Bluetooth devices"; + serviceConfig.ExecStart = "${pkgs.hsphfpd}/bin/hsphfpd.pl"; }; - } - // (optionalAttrs cfg.hsphfpd.enable { - hsphfpd = { - after = [ "bluetooth.service" ]; - requires = [ "bluetooth.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "A prototype implementation used for connecting HSP/HFP Bluetooth devices"; - serviceConfig.ExecStart = "${pkgs.hsphfpd}/bin/hsphfpd.pl"; - }; - }) - ; + }); systemd.user.services = { obex.aliases = [ "dbus-org.bluez.obex.service" ]; } - // (optionalAttrs cfg.hsphfpd.enable { - telephony_client = { - wantedBy = [ "default.target"]; - - description = "telephony_client for hsphfpd"; - serviceConfig.ExecStart = "${pkgs.hsphfpd}/bin/telephony_client.pl"; - }; - }) - ; + // optionalAttrs cfg.hsphfpd.enable { + telephony_client = { + wantedBy = [ "default.target" ]; + description = "telephony_client for hsphfpd"; + serviceConfig.ExecStart = "${pkgs.hsphfpd}/bin/telephony_client.pl"; + }; + }; }; - } diff --git a/nixos/modules/services/hardware/power-profiles-daemon.nix b/nixos/modules/services/hardware/power-profiles-daemon.nix new file mode 100644 index 0000000000000..70b7a72b8bae0 --- /dev/null +++ b/nixos/modules/services/hardware/power-profiles-daemon.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.power-profiles-daemon; + package = pkgs.power-profiles-daemon; +in + +{ + + ###### interface + + options = { + + services.power-profiles-daemon = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable power-profiles-daemon, a DBus daemon that allows + changing system behavior based upon user-selected power profiles. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + assertions = [ + { assertion = !config.services.tlp.enable; + message = '' + You have set services.power-profiles-daemon.enable = true; + which conflicts with services.tlp.enable = true; + ''; + } + ]; + + services.dbus.packages = [ package ]; + + services.udev.packages = [ package ]; + + systemd.packages = [ package ]; + + }; + +} diff --git a/nixos/modules/services/hardware/thinkfan.nix b/nixos/modules/services/hardware/thinkfan.nix index 3bda61ed1a938..7a5a7e1c41ce2 100644 --- a/nixos/modules/services/hardware/thinkfan.nix +++ b/nixos/modules/services/hardware/thinkfan.nix @@ -5,49 +5,95 @@ with lib; let cfg = config.services.thinkfan; - configFile = pkgs.writeText "thinkfan.conf" '' - # ATTENTION: There is only very basic sanity checking on the configuration. - # That means you can set your temperature limits as insane as you like. You - # can do anything stupid, e.g. turn off your fan when your CPU reaches 70°C. - # - # That's why this program is called THINKfan: You gotta think for yourself. - # - ###################################################################### - # - # IBM/Lenovo Thinkpads (thinkpad_acpi, /proc/acpi/ibm) - # ==================================================== - # - # IMPORTANT: - # - # To keep your HD from overheating, you have to specify a correction value for - # the sensor that has the HD's temperature. You need to do this because - # thinkfan uses only the highest temperature it can find in the system, and - # that'll most likely never be your HD, as most HDs are already out of spec - # when they reach 55 °C. - # Correction values are applied from left to right in the same order as the - # temperatures are read from the file. - # - # For example: - # tp_thermal /proc/acpi/ibm/thermal (0, 0, 10) - # will add a fixed value of 10 °C the 3rd value read from that file. Check out - # http://www.thinkwiki.org/wiki/Thermal_Sensors to find out how much you may - # want to add to certain temperatures. - - ${cfg.fan} - ${cfg.sensors} - - # Syntax: - # (LEVEL, LOW, HIGH) - # LEVEL is the fan level to use (0-7 with thinkpad_acpi) - # LOW is the temperature at which to step down to the previous level - # HIGH is the temperature at which to step up to the next level - # All numbers are integers. - # - - ${cfg.levels} - ''; + settingsFormat = pkgs.formats.yaml { }; + configFile = settingsFormat.generate "thinkfan.yaml" cfg.settings; + thinkfan = pkgs.thinkfan.override { inherit (cfg) smartSupport; }; + + # fan-speed and temperature levels + levelType = with types; + let + tuple = ts: mkOptionType { + name = "tuple"; + merge = mergeOneOption; + check = xs: all id (zipListsWith (t: x: t.check x) ts xs); + description = "tuple of" + concatMapStrings (t: " (${t.description})") ts; + }; + level = ints.unsigned; + special = enum [ "level auto" "level full-speed" "level disengage" ]; + in + tuple [ (either level special) level level ]; + + # sensor or fan config + sensorType = name: types.submodule { + freeformType = types.attrsOf settingsFormat.type; + options = { + type = mkOption { + type = types.enum [ "hwmon" "atasmart" "tpacpi" "nvml" ]; + description = '' + The ${name} type, can be + <literal>hwmon</literal> for standard ${name}s, - thinkfan = pkgs.thinkfan.override { smartSupport = cfg.smartSupport; }; + <literal>atasmart</literal> to read the temperature via + S.M.A.R.T (requires smartSupport to be enabled), + + <literal>tpacpi</literal> for the legacy thinkpac_acpi driver, or + + <literal>nvml</literal> for the (proprietary) nVidia driver. + ''; + }; + query = mkOption { + type = types.str; + description = '' + The query string used to match one or more ${name}s: can be + a fullpath to the temperature file (single ${name}) or a fullpath + to a driver directory (multiple ${name}s). + + <note><para> + When multiple ${name}s match, the query can be restricted using the + <option>name</option> or <option>indices</option> options. + </para></note> + ''; + }; + indices = mkOption { + type = with types; nullOr (listOf ints.unsigned); + default = null; + description = '' + A list of ${name}s to pick in case multiple ${name}s match the query. + + <note><para>Indices start from 0.</para></note> + ''; + }; + } // optionalAttrs (name == "sensor") { + correction = mkOption { + type = with types; nullOr (listOf int); + default = null; + description = '' + A list of values to be added to the temperature of each sensor, + can be used to equalize small discrepancies in temperature ratings. + ''; + }; + }; + }; + + # removes NixOS special and unused attributes + sensorToConf = { type, query, ... }@args: + (filterAttrs (k: v: v != null && !(elem k ["type" "query"])) args) + // { "${type}" = query; }; + + syntaxNote = name: '' + <note><para> + This section slightly departs from the thinkfan.conf syntax. + The type and path must be specified like this: + <literal> + type = "tpacpi"; + query = "/proc/acpi/ibm/${name}"; + </literal> + instead of a single declaration like: + <literal> + - tpacpi: /proc/acpi/ibm/${name} + </literal> + </para></note> + ''; in { @@ -59,76 +105,93 @@ in { type = types.bool; default = false; description = '' - Whether to enable thinkfan, fan controller for IBM/Lenovo ThinkPads. + Whether to enable thinkfan, a fan control program. + + <note><para> + This module targets IBM/Lenovo thinkpads by default, for + other hardware you will have configure it more carefully. + </para></note> ''; + relatedPackages = [ "thinkfan" ]; }; smartSupport = mkOption { type = types.bool; default = false; description = '' - Whether to build thinkfan with SMART support to read temperatures + Whether to build thinkfan with S.M.A.R.T. support to read temperatures directly from hard disks. ''; }; sensors = mkOption { - type = types.lines; - default = '' - tp_thermal /proc/acpi/ibm/thermal (0,0,10) - ''; - description ='' - thinkfan can read temperatures from three possible sources: - - /proc/acpi/ibm/thermal - Which is provided by the thinkpad_acpi kernel - module (keyword tp_thermal) - - /sys/class/hwmon/*/temp*_input - Which may be provided by any hwmon drivers (keyword - hwmon) - - S.M.A.R.T. (requires smartSupport to be enabled) - Which reads the temperature directly from the hard - disk using libatasmart (keyword atasmart) - - Multiple sensors may be added, in which case they will be - numbered in their order of appearance. - ''; + type = types.listOf (sensorType "sensor"); + default = [ + { type = "tpacpi"; + query = "/proc/acpi/ibm/thermal"; + } + ]; + description = '' + List of temperature sensors thinkfan will monitor. + '' + syntaxNote "thermal"; }; - fan = mkOption { - type = types.str; - default = "tp_fan /proc/acpi/ibm/fan"; - description ='' - Specifies the fan we want to use. - On anything other than a Thinkpad you'll probably - use some PWM control file in /sys/class/hwmon. - A sysfs fan would be specified like this: - pwm_fan /sys/class/hwmon/hwmon2/device/pwm1 - ''; + fans = mkOption { + type = types.listOf (sensorType "fan"); + default = [ + { type = "tpacpi"; + query = "/proc/acpi/ibm/fan"; + } + ]; + description = '' + List of fans thinkfan will control. + '' + syntaxNote "fan"; }; levels = mkOption { - type = types.lines; - default = '' - (0, 0, 55) - (1, 48, 60) - (2, 50, 61) - (3, 52, 63) - (6, 56, 65) - (7, 60, 85) - (127, 80, 32767) - ''; + type = types.listOf levelType; + default = [ + [0 0 55] + [1 48 60] + [2 50 61] + [3 52 63] + [6 56 65] + [7 60 85] + ["level auto" 80 32767] + ]; description = '' - (LEVEL, LOW, HIGH) - LEVEL is the fan level to use (0-7 with thinkpad_acpi). + [LEVEL LOW HIGH] + + LEVEL is the fan level to use: it can be an integer (0-7 with thinkpad_acpi), + "level auto" (to keep the default firmware behavior), "level full-speed" or + "level disengage" (to run the fan as fast as possible). LOW is the temperature at which to step down to the previous level. HIGH is the temperature at which to step up to the next level. All numbers are integers. ''; }; + extraArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "-b" "0" ]; + description = '' + A list of extra command line arguments to pass to thinkfan. + Check the thinkfan(1) manpage for available arguments. + ''; + }; + + settings = mkOption { + type = types.attrsOf settingsFormat.type; + default = { }; + description = '' + Thinkfan settings. Use this option to configure thinkfan + settings not exposed in a NixOS option or to bypass one. + Before changing this, read the <literal>thinkfan.conf(5)</literal> + manpage and take a look at the example config file at + <link xlink:href="https://github.com/vmatare/thinkfan/blob/master/examples/thinkfan.yaml"/> + ''; + }; }; @@ -138,12 +201,21 @@ in { environment.systemPackages = [ thinkfan ]; - systemd.services.thinkfan = { - description = "Thinkfan"; - after = [ "basic.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ thinkfan ]; - serviceConfig.ExecStart = "${thinkfan}/bin/thinkfan -n -c ${configFile}"; + services.thinkfan.settings = mapAttrs (k: v: mkDefault v) { + sensors = map sensorToConf cfg.sensors; + fans = map sensorToConf cfg.fans; + levels = cfg.levels; + }; + + systemd.packages = [ thinkfan ]; + + systemd.services = { + thinkfan.environment.THINKFAN_ARGS = escapeShellArgs ([ "-c" configFile ] ++ cfg.extraArgs); + + # must be added manually, see issue #81138 + thinkfan.wantedBy = [ "multi-user.target" ]; + thinkfan-wakeup.wantedBy = [ "sleep.target" ]; + thinkfan-sleep.wantedBy = [ "sleep.target" ]; }; boot.extraModprobeConfig = "options thinkpad_acpi experimental=1 fan_control=1"; diff --git a/nixos/modules/services/hardware/xow.nix b/nixos/modules/services/hardware/xow.nix index a18d60ad83bec..311181176bd83 100644 --- a/nixos/modules/services/hardware/xow.nix +++ b/nixos/modules/services/hardware/xow.nix @@ -10,7 +10,10 @@ in { config = lib.mkIf cfg.enable { hardware.uinput.enable = true; + boot.extraModprobeConfig = lib.readFile "${pkgs.xow}/lib/modprobe.d/xow-blacklist.conf"; + systemd.packages = [ pkgs.xow ]; + systemd.services.xow.wantedBy = [ "multi-user.target" ]; services.udev.packages = [ pkgs.xow ]; }; diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 03e7e40e388e1..a2298152b023f 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -463,7 +463,7 @@ in environment.systemPackages = [ dovecotPkg ]; warnings = mkIf (any isList options.services.dovecot2.mailboxes.definitions) [ - "Declaring `services.dovecot2.mailboxes' as a list is deprecated and will break eval in 21.03! See the release notes for more info for migration." + "Declaring `services.dovecot2.mailboxes' as a list is deprecated and will break eval in 21.05! See the release notes for more info for migration." ]; assertions = [ diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 1dcdcab8d481c..63c0961b7568b 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -560,6 +560,7 @@ in transport = mkOption { default = ""; + type = types.lines; description = " Entries for the transport map, cf. man-page transport(8). "; @@ -573,6 +574,7 @@ in dnsBlacklistOverrides = mkOption { default = ""; + type = types.lines; description = "contents of check_client_access for overriding dnsBlacklists"; }; diff --git a/nixos/modules/services/misc/etebase-server.nix b/nixos/modules/services/misc/etebase-server.nix new file mode 100644 index 0000000000000..d9d12698d79dc --- /dev/null +++ b/nixos/modules/services/misc/etebase-server.nix @@ -0,0 +1,205 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.etebase-server; + + pythonEnv = pkgs.python3.withPackages (ps: with ps; + [ etebase-server daphne ]); + + dbConfig = { + sqlite3 = '' + engine = django.db.backends.sqlite3 + name = ${cfg.dataDir}/db.sqlite3 + ''; + }; + + defaultConfigIni = toString (pkgs.writeText "etebase-server.ini" '' + [global] + debug = false + secret_file = ${if cfg.secretFile != null then cfg.secretFile else ""} + media_root = ${cfg.dataDir}/media + + [allowed_hosts] + allowed_host1 = ${cfg.host} + + [database] + ${dbConfig."${cfg.database.type}"} + ''); + + configIni = if cfg.customIni != null then cfg.customIni else defaultConfigIni; + + defaultUser = "etebase-server"; +in +{ + options = { + services.etebase-server = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether to enable the Etebase server. + + Once enabled you need to create an admin user using the + shell command <literal>etebase-server createsuperuser</literal>. + Then you can login and create accounts on your-etebase-server.com/admin + ''; + }; + + secretFile = mkOption { + default = null; + type = with types; nullOr str; + description = '' + The path to a file containing the secret + used as django's SECRET_KEY. + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/etebase-server"; + description = "Directory to store the Etebase server data."; + }; + + port = mkOption { + type = with types; nullOr port; + default = 8001; + description = "Port to listen on."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for the server. + ''; + }; + + host = mkOption { + type = types.str; + default = "0.0.0.0"; + example = "localhost"; + description = '' + Host to listen on. + ''; + }; + + unixSocket = mkOption { + type = with types; nullOr str; + default = null; + description = "The path to the socket to bind to."; + example = "/run/etebase-server/etebase-server.sock"; + }; + + database = { + type = mkOption { + type = types.enum [ "sqlite3" ]; + default = "sqlite3"; + description = '' + Database engine to use. + Currently only sqlite3 is supported. + Other options can be configured using <literal>extraConfig</literal>. + ''; + }; + }; + + customIni = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Custom etebase-server.ini. + + See <literal>etebase-src/etebase-server.ini.example</literal> for available options. + + Setting this option overrides the default config which is generated from the options + <literal>secretFile</literal>, <literal>host</literal> and <literal>database</literal>. + ''; + example = literalExample '' + [global] + debug = false + secret_file = /path/to/secret + media_root = /path/to/media + + [allowed_hosts] + allowed_host1 = example.com + + [database] + engine = django.db.backends.sqlite3 + name = db.sqlite3 + ''; + }; + + user = mkOption { + type = types.str; + default = defaultUser; + description = "User under which Etebase server runs."; + }; + }; + }; + + config = mkIf cfg.enable { + + environment.systemPackages = with pkgs; [ + (runCommand "etebase-server" { + buildInputs = [ makeWrapper ]; + } '' + makeWrapper ${pythonEnv}/bin/etebase-server \ + $out/bin/etebase-server \ + --run "cd ${cfg.dataDir}" \ + --prefix ETEBASE_EASY_CONFIG_PATH : "${configIni}" + '') + ]; + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ]; + + systemd.services.etebase-server = { + description = "An Etebase (EteSync 2.0) server"; + after = [ "network.target" "systemd-tmpfiles-setup.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Restart = "always"; + WorkingDirectory = cfg.dataDir; + }; + environment = { + PYTHONPATH="${pythonEnv}/${pkgs.python3.sitePackages}"; + ETEBASE_EASY_CONFIG_PATH="${configIni}"; + }; + preStart = '' + # Auto-migrate on first run or if the package has changed + versionFile="${cfg.dataDir}/src-version" + if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then + ${pythonEnv}/bin/etebase-server migrate + echo ${pkgs.etebase-server} > "$versionFile" + fi + ''; + script = + let + networking = if cfg.unixSocket != null + then "-u ${cfg.unixSocket}" + else "-b 0.0.0.0 -p ${toString cfg.port}"; + in '' + cd "${pythonEnv}/lib/etebase-server"; + ${pythonEnv}/bin/daphne ${networking} \ + etebase_server.asgi:application + ''; + }; + + users = optionalAttrs (cfg.user == defaultUser) { + users.${defaultUser} = { + group = defaultUser; + home = cfg.dataDir; + }; + + groups.${defaultUser} = {}; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + }; +} diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index de4d1bf1987a1..61faeab7d3212 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -454,7 +454,7 @@ in { authentication = mkOption { type = with types; nullOr str; default = null; - description = "Authentitcation type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html"; + description = "Authentication type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html"; }; enableStartTLSAuto = mkOption { diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix index d6aeae48ccb62..2f752bcc7ed6b 100644 --- a/nixos/modules/services/misc/pykms.nix +++ b/nixos/modules/services/misc/pykms.nix @@ -1,12 +1,12 @@ { config, lib, pkgs, ... }: with lib; - let cfg = config.services.pykms; libDir = "/var/lib/pykms"; -in { +in +{ meta.maintainers = with lib.maintainers; [ peterhoeg ]; imports = [ @@ -46,14 +46,14 @@ in { }; logLevel = mkOption { - type = types.enum [ "CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG" "MINI" ]; + type = types.enum [ "CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG" "MININFO" ]; default = "INFO"; description = "How much to log"; }; extraArgs = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = "Additional arguments"; }; }; @@ -74,8 +74,9 @@ in { ExecStartPre = "${getBin pykms}/libexec/create_pykms_db.sh ${libDir}/clients.db"; ExecStart = lib.concatStringsSep " " ([ "${getBin pykms}/bin/server" - "--logfile STDOUT" - "--loglevel ${cfg.logLevel}" + "--logfile=STDOUT" + "--loglevel=${cfg.logLevel}" + "--sqlite=${libDir}/clients.db" ] ++ cfg.extraArgs ++ [ cfg.listenAddress (toString cfg.port) diff --git a/nixos/modules/services/misc/rippled.nix b/nixos/modules/services/misc/rippled.nix index ef34e3a779f01..2fce3b9dc94c7 100644 --- a/nixos/modules/services/misc/rippled.nix +++ b/nixos/modules/services/misc/rippled.nix @@ -389,6 +389,7 @@ in extraConfig = mkOption { default = ""; + type = types.lines; description = '' Extra lines to be added verbatim to the rippled.cfg configuration file. ''; diff --git a/nixos/modules/services/misc/svnserve.nix b/nixos/modules/services/misc/svnserve.nix index f70e3ca7fef0a..5fa262ca3b945 100644 --- a/nixos/modules/services/misc/svnserve.nix +++ b/nixos/modules/services/misc/svnserve.nix @@ -24,6 +24,7 @@ in }; svnBaseDir = mkOption { + type = types.str; default = "/repos"; description = "Base directory from which Subversion repositories are accessed."; }; diff --git a/nixos/modules/services/misc/synergy.nix b/nixos/modules/services/misc/synergy.nix index 5b7cf3ac46c3c..7990a9f6f4cec 100644 --- a/nixos/modules/services/misc/synergy.nix +++ b/nixos/modules/services/misc/synergy.nix @@ -23,12 +23,14 @@ in screenName = mkOption { default = ""; + type = types.str; description = '' Use the given name instead of the hostname to identify ourselves to the server. ''; }; serverAddress = mkOption { + type = types.str; description = '' The server address is of the form: [hostname][:port]. The hostname must be the address or hostname of the server. The @@ -46,10 +48,12 @@ in enable = mkEnableOption "the Synergy server (send keyboard and mouse events)"; configFile = mkOption { + type = types.path; default = "/etc/synergy-server.conf"; description = "The Synergy server configuration file."; }; screenName = mkOption { + type = types.str; default = ""; description = '' Use the given name instead of the hostname to identify @@ -57,6 +61,7 @@ in ''; }; address = mkOption { + type = types.str; default = ""; description = "Address on which to listen for clients."; }; diff --git a/nixos/modules/services/misc/weechat.nix b/nixos/modules/services/misc/weechat.nix index c6ff540ea12f4..b71250f62e0f3 100644 --- a/nixos/modules/services/misc/weechat.nix +++ b/nixos/modules/services/misc/weechat.nix @@ -20,6 +20,7 @@ in type = types.str; }; binary = mkOption { + type = types.path; description = "Binary to execute (by default \${weechat}/bin/weechat)."; example = literalExample '' ''${pkgs.weechat}/bin/weechat-headless diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 1fd85c66f843d..940f281893710 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -56,6 +56,7 @@ let "unifi-poller" "varnish" "wireguard" + "flow" ] (name: import (./. + "/exporters/${name}.nix") { inherit config lib pkgs options; } ); @@ -238,9 +239,6 @@ in services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey; })] ++ [(mkIf config.services.prometheus.exporters.rtl_433.enable { hardware.rtl-sdr.enable = mkDefault true; - })] ++ [(mkIf config.services.nginx.enable { - systemd.services.prometheus-nginx-exporter.after = [ "nginx.service" ]; - systemd.services.prometheus-nginx-exporter.requires = [ "nginx.service" ]; })] ++ [(mkIf config.services.postfix.enable { services.prometheus.exporters.postfix.group = mkDefault config.services.postfix.setgidGroup; })] ++ (mapAttrsToList (name: conf: diff --git a/nixos/modules/services/monitoring/prometheus/exporters/flow.nix b/nixos/modules/services/monitoring/prometheus/exporters/flow.nix new file mode 100644 index 0000000000000..6a35f46308fe9 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/flow.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.flow; +in { + port = 9590; + extraOpts = { + brokers = mkOption { + type = types.listOf types.str; + example = literalExample ''[ "kafka.example.org:19092" ]''; + description = "List of Kafka brokers to connect to."; + }; + + asn = mkOption { + type = types.ints.positive; + example = 65542; + description = "The ASN being monitored."; + }; + + partitions = mkOption { + type = types.listOf types.int; + default = []; + description = '' + The number of the partitions to consume, none means all. + ''; + }; + + topic = mkOption { + type = types.str; + example = "pmacct.acct"; + description = "The Kafka topic to consume from."; + }; + }; + + serviceOpts = { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-flow-exporter}/bin/flow-exporter \ + -asn ${toString cfg.asn} \ + -topic ${cfg.topic} \ + -brokers ${concatStringsSep "," cfg.brokers} \ + ${optionalString (cfg.partitions != []) "-partitions ${concatStringsSep "," cfg.partitions}"} \ + -addr ${cfg.listenAddress}:${toString cfg.port} ${concatStringsSep " " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix index 56cddfc55b719..5ee8c346be1dc 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix @@ -42,7 +42,7 @@ in ''; }; }; - serviceOpts = { + serviceOpts = mkMerge ([{ serviceConfig = { ExecStart = '' ${pkgs.prometheus-nginx-exporter}/bin/nginx-prometheus-exporter \ @@ -54,7 +54,10 @@ in ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; - }; + }] ++ [(mkIf config.services.nginx.enable { + after = [ "nginx.service" ]; + requires = [ "nginx.service" ]; + })]); imports = [ (mkRenamedOptionModule [ "telemetryEndpoint" ] [ "telemetryPath" ]) (mkRemovedOptionModule [ "insecure" ] '' diff --git a/nixos/modules/services/network-filesystems/netatalk.nix b/nixos/modules/services/network-filesystems/netatalk.nix index ca9d32311f5f3..33e851210bc6f 100644 --- a/nixos/modules/services/network-filesystems/netatalk.nix +++ b/nixos/modules/services/network-filesystems/netatalk.nix @@ -46,6 +46,7 @@ in enable = mkEnableOption "the Netatalk AFP fileserver"; port = mkOption { + type = types.port; default = 548; description = "TCP port to be used for AFP."; }; @@ -68,6 +69,7 @@ in }; path = mkOption { + type = types.str; default = ""; example = "afp-data"; description = "Share not the whole user home but this subdirectory path."; @@ -75,6 +77,7 @@ in basedirRegex = mkOption { example = "/home"; + type = types.str; description = "Regex which matches the parent directory of the user homes."; }; diff --git a/nixos/modules/services/network-filesystems/openafs/server.nix b/nixos/modules/services/network-filesystems/openafs/server.nix index d782f78216563..4fce650b01336 100644 --- a/nixos/modules/services/network-filesystems/openafs/server.nix +++ b/nixos/modules/services/network-filesystems/openafs/server.nix @@ -61,6 +61,7 @@ in { }; advertisedAddresses = mkOption { + type = types.listOf types.str; default = []; description = "List of IP addresses this server is advertised under. See NetInfo(5)"; }; diff --git a/nixos/modules/services/network-filesystems/xtreemfs.nix b/nixos/modules/services/network-filesystems/xtreemfs.nix index 27a9fe847c581..6cc8a05ee00b0 100644 --- a/nixos/modules/services/network-filesystems/xtreemfs.nix +++ b/nixos/modules/services/network-filesystems/xtreemfs.nix @@ -92,6 +92,7 @@ in enable = mkEnableOption "XtreemFS"; homeDir = mkOption { + type = types.path; default = "/var/lib/xtreemfs"; description = '' XtreemFS home dir for the xtreemfs user. @@ -109,6 +110,7 @@ in uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e40"; + type = types.str; description = '' Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in @@ -117,11 +119,13 @@ in }; port = mkOption { default = 32638; + type = types.port; description = '' The port to listen on for incoming connections (TCP). ''; }; address = mkOption { + type = types.str; example = "127.0.0.1"; default = ""; description = '' @@ -131,12 +135,14 @@ in }; httpPort = mkOption { default = 30638; + type = types.port; description = '' Specifies the listen port for the HTTP service that returns the status page. ''; }; syncMode = mkOption { + type = types.enum [ "ASYNC" "SYNC_WRITE_METADATA" "SYNC_WRITE" "FDATASYNC" "ASYNC" ]; default = "FSYNC"; example = "FDATASYNC"; description = '' @@ -229,6 +235,7 @@ in uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e41"; + type = types.str; description = '' Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in @@ -237,12 +244,14 @@ in }; port = mkOption { default = 32636; + type = types.port; description = '' The port to listen on for incoming connections (TCP). ''; }; address = mkOption { example = "127.0.0.1"; + type = types.str; default = ""; description = '' If specified, it defines the interface to listen on. If not @@ -251,6 +260,7 @@ in }; httpPort = mkOption { default = 30636; + type = types.port; description = '' Specifies the listen port for the HTTP service that returns the status page. @@ -258,6 +268,7 @@ in }; syncMode = mkOption { default = "FSYNC"; + type = types.enum [ "ASYNC" "SYNC_WRITE_METADATA" "SYNC_WRITE" "FDATASYNC" "ASYNC" ]; example = "FDATASYNC"; description = '' The sync mode influences how operations are committed to the disk @@ -367,6 +378,7 @@ in uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e42"; + type = types.str; description = '' Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in @@ -375,12 +387,14 @@ in }; port = mkOption { default = 32640; + type = types.port; description = '' The port to listen on for incoming connections (TCP and UDP). ''; }; address = mkOption { example = "127.0.0.1"; + type = types.str; default = ""; description = '' If specified, it defines the interface to listen on. If not @@ -389,6 +403,7 @@ in }; httpPort = mkOption { default = 30640; + type = types.port; description = '' Specifies the listen port for the HTTP service that returns the status page. diff --git a/nixos/modules/services/network-filesystems/yandex-disk.nix b/nixos/modules/services/network-filesystems/yandex-disk.nix index cc73f13bf77ac..a5b1f9d4ab630 100644 --- a/nixos/modules/services/network-filesystems/yandex-disk.nix +++ b/nixos/modules/services/network-filesystems/yandex-disk.nix @@ -46,12 +46,14 @@ in user = mkOption { default = null; + type = types.nullOr types.str; description = '' The user the yandex-disk daemon should run as. ''; }; directory = mkOption { + type = types.path; default = "/home/Yandex.Disk"; description = "The directory to use for Yandex.Disk storage"; }; diff --git a/nixos/modules/services/networking/bee-clef.nix b/nixos/modules/services/networking/bee-clef.nix new file mode 100644 index 0000000000000..719714b289827 --- /dev/null +++ b/nixos/modules/services/networking/bee-clef.nix @@ -0,0 +1,107 @@ +{ config, lib, pkgs, ... }: + +# NOTE for now nothing is installed into /etc/bee-clef/. the config files are used as read-only from the nix store. + +with lib; +let + cfg = config.services.bee-clef; +in { + meta = { + maintainers = with maintainers; [ attila-lendvai ]; + }; + + ### interface + + options = { + services.bee-clef = { + enable = mkEnableOption "clef external signer instance for Ethereum Swarm Bee"; + + dataDir = mkOption { + type = types.nullOr types.str; + default = "/var/lib/bee-clef"; + description = '' + Data dir for bee-clef. Beware that some helper scripts may not work when changed! + The service itself should work fine, though. + ''; + }; + + passwordFile = mkOption { + type = types.nullOr types.str; + default = "/var/lib/bee-clef/password"; + description = "Password file for bee-clef."; + }; + + user = mkOption { + type = types.str; + default = "bee-clef"; + description = '' + User the bee-clef daemon should execute under. + ''; + }; + + group = mkOption { + type = types.str; + default = "bee-clef"; + description = '' + Group the bee-clef daemon should execute under. + ''; + }; + }; + }; + + ### implementation + + config = mkIf cfg.enable { + # if we ever want to have rules.js under /etc/bee-clef/ + # environment.etc."bee-clef/rules.js".source = ${pkgs.bee-clef}/rules.js + + systemd.packages = [ pkgs.bee-clef ]; # include the upstream bee-clef.service file + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}/' 0750 ${cfg.user} ${cfg.group}" + "d '${cfg.dataDir}/keystore' 0700 ${cfg.user} ${cfg.group}" + ]; + + systemd.services.bee-clef = { + path = [ + # these are needed for the ensure-clef-account script + pkgs.coreutils + pkgs.gnused + pkgs.gawk + ]; + + wantedBy = [ "bee.service" "multi-user.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStartPre = ''${pkgs.bee-clef}/share/bee-clef/ensure-clef-account "${cfg.dataDir}" "${pkgs.bee-clef}/share/bee-clef/"''; + ExecStart = [ + "" # this hides/overrides what's in the original entry + "${pkgs.bee-clef}/share/bee-clef/bee-clef-service start" + ]; + ExecStop = [ + "" # this hides/overrides what's in the original entry + "${pkgs.bee-clef}/share/bee-clef/bee-clef-service stop" + ]; + Environment = [ + "CONFIGDIR=${cfg.dataDir}" + "PASSWORD_FILE=${cfg.passwordFile}" + ]; + }; + }; + + users.users = optionalAttrs (cfg.user == "bee-clef") { + bee-clef = { + group = cfg.group; + home = cfg.dataDir; + isSystemUser = true; + description = "Daemon user for the bee-clef service"; + }; + }; + + users.groups = optionalAttrs (cfg.group == "bee-clef") { + bee-clef = {}; + }; + }; +} diff --git a/nixos/modules/services/networking/bee.nix b/nixos/modules/services/networking/bee.nix new file mode 100644 index 0000000000000..8a77ce23ab4d6 --- /dev/null +++ b/nixos/modules/services/networking/bee.nix @@ -0,0 +1,149 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.bee; + format = pkgs.formats.yaml {}; + configFile = format.generate "bee.yaml" cfg.settings; +in { + meta = { + # doc = ./bee.xml; + maintainers = with maintainers; [ attila-lendvai ]; + }; + + ### interface + + options = { + services.bee = { + enable = mkEnableOption "Ethereum Swarm Bee"; + + package = mkOption { + type = types.package; + default = pkgs.bee; + defaultText = "pkgs.bee"; + example = "pkgs.bee-unstable"; + description = "The package providing the bee binary for the service."; + }; + + settings = mkOption { + type = format.type; + description = '' + Ethereum Swarm Bee configuration. Refer to + <link xlink:href="https://gateway.ethswarm.org/bzz/docs.swarm.eth/docs/installation/configuration/"/> + for details on supported values. + ''; + }; + + daemonNiceLevel = mkOption { + type = types.int; + default = 0; + description = '' + Daemon process priority for bee. + 0 is the default Unix process priority, 19 is the lowest. + ''; + }; + + user = mkOption { + type = types.str; + default = "bee"; + description = '' + User the bee binary should execute under. + ''; + }; + + group = mkOption { + type = types.str; + default = "bee"; + description = '' + Group the bee binary should execute under. + ''; + }; + }; + }; + + ### implementation + + config = mkIf cfg.enable { + assertions = [ + { assertion = (hasAttr "password" cfg.settings) != true; + message = '' + `services.bee.settings.password` is insecure. Use `services.bee.settings.password-file` or `systemd.services.bee.serviceConfig.EnvironmentFile` instead. + ''; + } + { assertion = (hasAttr "swap-endpoint" cfg.settings) || (cfg.settings.swap-enable or true == false); + message = '' + In a swap-enabled network a working Ethereum blockchain node is required. You must specify one using `services.bee.settings.swap-endpoint`, or disable `services.bee.settings.swap-enable` = false. + ''; + } + ]; + + warnings = optional (! config.services.bee-clef.enable) "The bee service requires an external signer. Consider setting `config.services.bee-clef.enable` = true"; + + services.bee.settings = { + data-dir = lib.mkDefault "/var/lib/bee"; + password-file = lib.mkDefault "/var/lib/bee/password"; + clef-signer-enable = lib.mkDefault true; + clef-signer-endpoint = lib.mkDefault "/var/lib/bee-clef/clef.ipc"; + swap-endpoint = lib.mkDefault "https://rpc.slock.it/goerli"; + }; + + systemd.packages = [ cfg.package ]; # include the upstream bee.service file + + systemd.tmpfiles.rules = [ + "d '${cfg.settings.data-dir}' 0750 ${cfg.user} ${cfg.group}" + ]; + + systemd.services.bee = { + requires = optional config.services.bee-clef.enable + "bee-clef.service"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Nice = cfg.daemonNiceLevel; + User = cfg.user; + Group = cfg.group; + ExecStart = [ + "" # this hides/overrides what's in the original entry + "${cfg.package}/bin/bee --config=${configFile} start" + ]; + }; + + preStart = with cfg.settings; '' + if ! test -f ${password-file}; then + < /dev/urandom tr -dc _A-Z-a-z-0-9 2> /dev/null | head -c32 > ${password-file} + chmod 0600 ${password-file} + echo "Initialized ${password-file} from /dev/urandom" + fi + if [ ! -f ${data-dir}/keys/libp2p.key ]; then + ${cfg.package}/bin/bee init --config=${configFile} >/dev/null + echo " +Logs: journalctl -f -u bee.service + +Bee has SWAP enabled by default and it needs ethereum endpoint to operate. +It is recommended to use external signer with bee. +Check documentation for more info: +- SWAP https://docs.ethswarm.org/docs/installation/manual#swap-bandwidth-incentives +- External signer https://docs.ethswarm.org/docs/installation/bee-clef + +After you finish configuration run 'sudo bee-get-addr'." + fi + ''; + }; + + users.users = optionalAttrs (cfg.user == "bee") { + bee = { + group = cfg.group; + home = cfg.settings.data-dir; + isSystemUser = true; + description = "Daemon user for Ethereum Swarm Bee"; + extraGroups = optional config.services.bee-clef.enable + config.services.bee-clef.group; + }; + }; + + users.groups = optionalAttrs (cfg.group == "bee") { + bee = {}; + }; + }; +} diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index faad886357590..e507e8ce9eebc 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -8,6 +8,35 @@ let bindUser = "named"; + bindZoneOptions = { + name = mkOption { + type = types.str; + description = "Name of the zone."; + }; + master = mkOption { + description = "Master=false means slave server"; + type = types.bool; + }; + file = mkOption { + type = types.either types.str types.path; + description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; + }; + masters = mkOption { + type = types.listOf types.str; + description = "List of servers for inclusion in stub and secondary zones."; + }; + slaves = mkOption { + type = types.listOf types.str; + description = "Addresses who may request zone transfers."; + default = []; + }; + extraConfig = mkOption { + type = types.str; + description = "Extra zone config to be appended at the end of the zone section."; + default = ""; + }; + }; + confFile = pkgs.writeText "named.conf" '' include "/etc/bind/rndc.key"; @@ -72,6 +101,7 @@ in cacheNetworks = mkOption { default = ["127.0.0.0/24"]; + type = types.listOf types.str; description = " What networks are allowed to use us as a resolver. Note that this is for recursive queries -- all networks are @@ -83,6 +113,7 @@ in blockedNetworks = mkOption { default = []; + type = types.listOf types.str; description = " What networks are just blocked. "; @@ -90,6 +121,7 @@ in ipv4Only = mkOption { default = false; + type = types.bool; description = " Only use ipv4, even if the host supports ipv6. "; @@ -97,6 +129,7 @@ in forwarders = mkOption { default = config.networking.nameservers; + type = types.listOf types.str; description = " List of servers we should forward requests to. "; @@ -120,10 +153,9 @@ in zones = mkOption { default = []; + type = types.listOf (types.submodule [ { options = bindZoneOptions; } ]); description = " List of zones we claim authority over. - master=false means slave server; slaves means addresses - who may request zone transfer. "; example = [{ name = "example.com"; diff --git a/nixos/modules/services/networking/dnscrypt-proxy2.nix b/nixos/modules/services/networking/dnscrypt-proxy2.nix index ff8a2ab307746..afc2a6d1c757c 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy2.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix @@ -87,6 +87,7 @@ in NoNewPrivileges = true; NonBlocking = true; PrivateDevices = true; + ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; @@ -107,8 +108,13 @@ in SystemCallFilter = [ "@system-service" "@chown" + "~@aio" + "~@keyring" + "~@memlock" "~@resources" - "@privileged" + "~@setuid" + "~@sync" + "~@timer" ]; }; }; diff --git a/nixos/modules/services/networking/epmd.nix b/nixos/modules/services/networking/epmd.nix index 692b75e4f0865..f7cdc0fe79c04 100644 --- a/nixos/modules/services/networking/epmd.nix +++ b/nixos/modules/services/networking/epmd.nix @@ -53,4 +53,6 @@ in }; }; }; + + meta.maintainers = teams.beam.members; } diff --git a/nixos/modules/services/networking/flashpolicyd.nix b/nixos/modules/services/networking/flashpolicyd.nix deleted file mode 100644 index d3ac78430ca34..0000000000000 --- a/nixos/modules/services/networking/flashpolicyd.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.flashpolicyd; - - flashpolicyd = pkgs.stdenv.mkDerivation { - name = "flashpolicyd-0.6"; - - src = pkgs.fetchurl { - name = "flashpolicyd_v0.6.zip"; - url = "https://download.adobe.com/pub/adobe/devnet/flashplayer/articles/socket_policy_files/flashpolicyd_v0.6.zip"; - sha256 = "16zk237233npwfq1m4ksy4g5lzy1z9fp95w7pz0cdlpmv0fv9sm3"; - }; - - buildInputs = [ pkgs.unzip pkgs.perl ]; - - installPhase = "mkdir $out; cp -pr * $out/; chmod +x $out/*/*.pl"; - }; - - flashpolicydWrapper = pkgs.writeScriptBin "flashpolicyd" - '' - #! ${pkgs.runtimeShell} - exec ${flashpolicyd}/Perl_xinetd/in.flashpolicyd.pl \ - --file=${pkgs.writeText "flashpolixy.xml" cfg.policy} \ - 2> /dev/null - ''; - -in - -{ - - ###### interface - - options = { - - services.flashpolicyd = { - - enable = mkOption { - type = types.bool; - default = false; - description = - '' - Whether to enable the Flash Policy server. This is - necessary if you want Flash applications to make - connections to your server. - ''; - }; - - policy = mkOption { - type = types.lines; - default = - '' - <?xml version="1.0"?> - <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd"> - <cross-domain-policy> - <site-control permitted-cross-domain-policies="master-only"/> - <allow-access-from domain="*" to-ports="*" /> - </cross-domain-policy> - ''; - description = "The policy to be served. The default is to allow connections from any domain to any port."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - services.xinetd.enable = true; - - services.xinetd.services = singleton - { name = "flashpolicy"; - port = 843; - unlisted = true; - server = "${flashpolicydWrapper}/bin/flashpolicyd"; - }; - - }; - -} diff --git a/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixos/modules/services/networking/ircd-hybrid/default.nix index 91d0bf437d693..0781159b6ee73 100644 --- a/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -40,6 +40,7 @@ in serverName = mkOption { default = "hades.arpa"; + type = types.str; description = " IRCD server name. "; @@ -47,6 +48,7 @@ in sid = mkOption { default = "0NL"; + type = types.str; description = " IRCD server unique ID in a net of servers. "; @@ -54,6 +56,7 @@ in description = mkOption { default = "Hybrid-7 IRC server."; + type = types.str; description = " IRCD server description. "; @@ -62,6 +65,7 @@ in rsaKey = mkOption { default = null; example = literalExample "/root/certificates/irc.key"; + type = types.nullOr types.path; description = " IRCD server RSA key. "; @@ -70,6 +74,7 @@ in certificate = mkOption { default = null; example = literalExample "/root/certificates/irc.pem"; + type = types.nullOr types.path; description = " IRCD server SSL certificate. There are some limitations - read manual. "; @@ -77,6 +82,7 @@ in adminEmail = mkOption { default = "<bit-bucket@example.com>"; + type = types.str; example = "<name@domain.tld>"; description = " IRCD server administrator e-mail. @@ -86,6 +92,7 @@ in extraIPs = mkOption { default = []; example = ["127.0.0.1"]; + type = types.listOf types.str; description = " Extra IP's to bind. "; @@ -93,6 +100,7 @@ in extraPort = mkOption { default = "7117"; + type = types.str; description = " Extra port to avoid filtering. "; diff --git a/nixos/modules/services/networking/jitsi-videobridge.nix b/nixos/modules/services/networking/jitsi-videobridge.nix index 5482e997a4018..80f35d56e2dbf 100644 --- a/nixos/modules/services/networking/jitsi-videobridge.nix +++ b/nixos/modules/services/networking/jitsi-videobridge.nix @@ -191,6 +191,16 @@ in Whether to open ports in the firewall for the videobridge. ''; }; + + apis = mkOption { + type = with types; listOf str; + description = '' + What is passed as --apis= parameter. If this is empty, "none" is passed. + Needed for monitoring jitsi. + ''; + default = []; + example = literalExample "[ \"colibri\" \"rest\" ]"; + }; }; config = mkIf cfg.enable { @@ -221,7 +231,7 @@ in "export ${toVarName name}=$(cat ${xmppConfig.passwordFile})\n" ) cfg.xmppConfigs)) + '' - ${pkgs.jitsi-videobridge}/bin/jitsi-videobridge --apis=none + ${pkgs.jitsi-videobridge}/bin/jitsi-videobridge --apis=${if (cfg.apis == []) then "none" else concatStringsSep "," cfg.apis} ''; serviceConfig = { diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix index 074830fc3521e..4131ff8be5d02 100644 --- a/nixos/modules/services/networking/kresd.nix +++ b/nixos/modules/services/networking/kresd.nix @@ -140,7 +140,7 @@ in { # Try cleaning up the previously default location of cache file. # Note that /var/cache/* should always be safe to remove. - # TODO: remove later, probably between 20.09 and 21.03 + # TODO: remove later, probably between 20.09 and 21.05 systemd.tmpfiles.rules = [ "R /var/cache/kresd" ]; }; } diff --git a/nixos/modules/services/networking/mailpile.nix b/nixos/modules/services/networking/mailpile.nix index b79ee11d17db2..4673a2580b602 100644 --- a/nixos/modules/services/networking/mailpile.nix +++ b/nixos/modules/services/networking/mailpile.nix @@ -21,11 +21,13 @@ in enable = mkEnableOption "Mailpile the mail client"; hostname = mkOption { + type = types.str; default = "localhost"; description = "Listen to this hostname or ip."; }; port = mkOption { - default = "33411"; + type = types.port; + default = 33411; description = "Listen on this port."; }; }; diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index f04dac01d9b8e..ae9258b27122f 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -44,7 +44,8 @@ in enable = mkEnableOption "the prayer webmail http server"; port = mkOption { - default = "2080"; + default = 2080; + type = types.port; description = '' Port the prayer http server is listening to. ''; diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix index 2958fb9a8b334..bfbd3b46ab4d9 100644 --- a/nixos/modules/services/networking/quassel.nix +++ b/nixos/modules/services/networking/quassel.nix @@ -45,6 +45,7 @@ in }; interfaces = mkOption { + type = types.listOf types.str; default = [ "127.0.0.1" ]; description = '' The interfaces the Quassel daemon will be listening to. If `[ 127.0.0.1 ]', @@ -54,6 +55,7 @@ in }; portNumber = mkOption { + type = types.port; default = 4242; description = '' The port number the Quassel daemon will be listening to. @@ -62,6 +64,7 @@ in dataDir = mkOption { default = "/home/${user}/.config/quassel-irc.org"; + type = types.str; description = '' The directory holding configuration files, the SQlite database and the SSL Cert. ''; @@ -69,6 +72,7 @@ in user = mkOption { default = null; + type = types.nullOr types.str; description = '' The existing user the Quassel daemon should run as. If left empty, a default "quassel" user will be created. ''; diff --git a/nixos/modules/services/networking/radvd.nix b/nixos/modules/services/networking/radvd.nix index f4b00c9b356ef..53fac4b7b72dc 100644 --- a/nixos/modules/services/networking/radvd.nix +++ b/nixos/modules/services/networking/radvd.nix @@ -33,6 +33,7 @@ in }; services.radvd.config = mkOption { + type = types.lines; example = '' interface eth0 { diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index 6193d7340fc4a..4701b0e8143d2 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -183,6 +183,7 @@ in sharedFolders = mkOption { default = []; + type = types.listOf (types.attrsOf types.anything); example = [ { secret = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y"; directory = "/home/user/sync_test"; diff --git a/nixos/modules/services/networking/sabnzbd.nix b/nixos/modules/services/networking/sabnzbd.nix index ff5aef7d1cb47..43566dfd25c5f 100644 --- a/nixos/modules/services/networking/sabnzbd.nix +++ b/nixos/modules/services/networking/sabnzbd.nix @@ -18,16 +18,19 @@ in enable = mkEnableOption "the sabnzbd server"; configFile = mkOption { + type = types.path; default = "/var/lib/sabnzbd/sabnzbd.ini"; description = "Path to config file."; }; user = mkOption { default = "sabnzbd"; + type = types.str; description = "User to run the service as"; }; group = mkOption { + type = types.str; default = "sabnzbd"; description = "Group to run the service as"; }; diff --git a/nixos/modules/services/networking/shairport-sync.nix b/nixos/modules/services/networking/shairport-sync.nix index b4b86a2d55bee..ac526c0e9f6f4 100644 --- a/nixos/modules/services/networking/shairport-sync.nix +++ b/nixos/modules/services/networking/shairport-sync.nix @@ -28,6 +28,7 @@ in }; arguments = mkOption { + type = types.str; default = "-v -o pa"; description = '' Arguments to pass to the daemon. Defaults to a local pulseaudio @@ -36,6 +37,7 @@ in }; user = mkOption { + type = types.str; default = "shairport"; description = '' User account name under which to run shairport-sync. The account diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix index e46d62bf1e82f..862ff7df05407 100644 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ b/nixos/modules/services/networking/ssh/lshd.nix @@ -29,6 +29,7 @@ in portNumber = mkOption { default = 22; + type = types.port; description = '' The port on which to listen for connections. ''; @@ -36,6 +37,7 @@ in interfaces = mkOption { default = []; + type = types.listOf types.str; description = '' List of network interfaces where listening for connections. When providing the empty list, `[]', lshd listens on all @@ -46,6 +48,7 @@ in hostKey = mkOption { default = "/etc/lsh/host-key"; + type = types.str; description = '' Path to the server's private key. Note that this key must have been created, e.g., using "lsh-keygen --server | @@ -79,6 +82,7 @@ in loginShell = mkOption { default = null; + type = types.nullOr types.str; description = '' If non-null, override the default login shell with the specified value. @@ -88,6 +92,7 @@ in srpKeyExchange = mkOption { default = false; + type = types.bool; description = '' Whether to enable SRP key exchange and user authentication. ''; @@ -106,6 +111,7 @@ in }; subsystems = mkOption { + type = types.listOf types.path; description = '' List of subsystem-path pairs, where the head of the pair denotes the subsystem name, and the tail denotes the path to diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 486f3ab05386d..77c579279abe5 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -538,6 +538,7 @@ in extraConfig = mkOption { default = {}; + type = types.attrsOf types.anything; description = '' Extra config to pass to oauth2-proxy. ''; diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix index be6734f439f3d..553638ad49658 100644 --- a/nixos/modules/services/security/oauth2_proxy_nginx.nix +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -31,7 +31,7 @@ in proxyPass = cfg.proxy; extraConfig = '' proxy_set_header X-Scheme $scheme; - proxy_set_header X-Auth-Request-Redirect $request_uri; + proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; ''; }; locations."/oauth2/auth" = { diff --git a/nixos/modules/services/web-apps/galene.nix b/nixos/modules/services/web-apps/galene.nix new file mode 100644 index 0000000000000..769490e915ac8 --- /dev/null +++ b/nixos/modules/services/web-apps/galene.nix @@ -0,0 +1,178 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.galene; + defaultstateDir = "/var/lib/galene"; + defaultrecordingsDir = "${cfg.stateDir}/recordings"; + defaultgroupsDir = "${cfg.stateDir}/groups"; + defaultdataDir = "${cfg.stateDir}/data"; +in +{ + options = { + services.galene = { + enable = mkEnableOption "Galene Service."; + + stateDir = mkOption { + default = defaultstateDir; + type = types.str; + description = '' + The directory where Galene stores its internal state. If left as the default + value this directory will automatically be created before the Galene server + starts, otherwise the sysadmin is responsible for ensuring the directory + exists with appropriate ownership and permissions. + ''; + }; + + user = mkOption { + type = types.str; + default = "galene"; + description = "User account under which galene runs."; + }; + + group = mkOption { + type = types.str; + default = "galene"; + description = "Group under which galene runs."; + }; + + insecure = mkOption { + type = types.bool; + default = false; + description = '' + Whether Galene should listen in http or in https. If left as the default + value (false), Galene needs to be fed a private key and a certificate. + ''; + }; + + certFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/path/to/your/cert.pem"; + description = '' + Path to the server's certificate. The file is copied at runtime to + Galene's data directory where it needs to reside. + ''; + }; + + keyFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/path/to/your/key.pem"; + description = '' + Path to the server's private key. The file is copied at runtime to + Galene's data directory where it needs to reside. + ''; + }; + + httpAddress = mkOption { + type = types.str; + default = ""; + description = "HTTP listen address for galene."; + }; + + httpPort = mkOption { + type = types.port; + default = 8443; + description = "HTTP listen port."; + }; + + staticDir = mkOption { + type = types.str; + default = "${cfg.package.static}/static"; + example = "/var/lib/galene/static"; + description = "Web server directory."; + }; + + recordingsDir = mkOption { + type = types.str; + default = defaultrecordingsDir; + example = "/var/lib/galene/recordings"; + description = "Recordings directory."; + }; + + dataDir = mkOption { + type = types.str; + default = defaultdataDir; + example = "/var/lib/galene/data"; + description = "Data directory."; + }; + + groupsDir = mkOption { + type = types.str; + default = defaultgroupsDir; + example = "/var/lib/galene/groups"; + description = "Web server directory."; + }; + + package = mkOption { + default = pkgs.galene; + defaultText = "pkgs.galene"; + type = types.package; + description = '' + Package for running Galene. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.insecure || (cfg.certFile != null && cfg.keyFile != null); + message = '' + Galene needs both certFile and keyFile defined for encryption, or + the insecure flag. + ''; + } + ]; + + systemd.services.galene = { + description = "galene"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + install -m 700 -o '${cfg.user}' -g '${cfg.group}' ${cfg.certFile} ${cfg.dataDir}/cert.pem + install -m 700 -o '${cfg.user}' -g '${cfg.group}' ${cfg.keyFile} ${cfg.dataDir}/key.pem + ''; + + serviceConfig = mkMerge [ + { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + WorkingDirectory = cfg.stateDir; + ExecStart = ''${cfg.package}/bin/galene \ + ${optionalString (cfg.insecure) "-insecure"} \ + -data ${cfg.dataDir} \ + -groups ${cfg.groupsDir} \ + -recordings ${cfg.recordingsDir} \ + -static ${cfg.staticDir}''; + Restart = "always"; + # Upstream Requirements + LimitNOFILE = 65536; + StateDirectory = [ ] ++ + optional (cfg.stateDir == defaultstateDir) "galene" ++ + optional (cfg.dataDir == defaultdataDir) "galene/data" ++ + optional (cfg.groupsDir == defaultgroupsDir) "galene/groups" ++ + optional (cfg.recordingsDir == defaultrecordingsDir) "galene/recordings"; + } + ]; + }; + + users.users = mkIf (cfg.user == "galene") + { + galene = { + description = "galene Service"; + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = mkIf (cfg.group == "galene") { + galene = { }; + }; + }; + meta.maintainers = with lib.maintainers; [ rgrunbla ]; +} diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix index 3f646d7db0cd7..d940f3d3daecd 100644 --- a/nixos/modules/services/web-apps/hedgedoc.nix +++ b/nixos/modules/services/web-apps/hedgedoc.nix @@ -5,6 +5,10 @@ with lib; let cfg = config.services.hedgedoc; + # 21.03 will not be an official release - it was instead 21.05. This + # versionAtLeast statement remains set to 21.03 for backwards compatibility. + # See https://github.com/NixOS/nixpkgs/pull/108899 and + # https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md. name = if versionAtLeast config.system.stateVersion "21.03" then "hedgedoc" else "codimd"; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix new file mode 100644 index 0000000000000..24aea356de4e8 --- /dev/null +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -0,0 +1,566 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.mastodon; + # We only want to create a database if we're actually going to connect to it. + databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "/run/postgresql"; + + env = { + RAILS_ENV = "production"; + NODE_ENV = "production"; + + DB_USER = cfg.database.user; + + REDIS_HOST = cfg.redis.host; + REDIS_PORT = toString(cfg.redis.port); + DB_HOST = cfg.database.host; + DB_PORT = toString(cfg.database.port); + DB_NAME = cfg.database.name; + LOCAL_DOMAIN = cfg.localDomain; + SMTP_SERVER = cfg.smtp.host; + SMTP_PORT = toString(cfg.smtp.port); + SMTP_FROM_ADDRESS = cfg.smtp.fromAddress; + PAPERCLIP_ROOT_PATH = "/var/lib/mastodon/public-system"; + PAPERCLIP_ROOT_URL = "/system"; + ES_ENABLED = if (cfg.elasticsearch.host != null) then "true" else "false"; + ES_HOST = cfg.elasticsearch.host; + ES_PORT = toString(cfg.elasticsearch.port); + + TRUSTED_PROXY_IP = cfg.trustedProxy; + } + // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {}) + // cfg.extraConfig; + + cfgService = { + # User and group + User = cfg.user; + Group = cfg.group; + # State directory and mode + StateDirectory = "mastodon"; + StateDirectoryMode = "0750"; + # Logs directory and mode + LogsDirectory = "mastodon"; + LogsDirectoryMode = "0750"; + # Access write directories + UMask = "0027"; + # Sandboxing + PrivateTmp = true; + }; + + envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") ( + (lib.concatLists (lib.mapAttrsToList (name: value: + if value != null then [ + "${name}=\"${toString value}\"" + ] else [] + ) env)))); + + mastodonEnv = pkgs.writeShellScriptBin "mastodon-env" '' + set -a + source "${envFile}" + source /var/lib/mastodon/.secrets_env + eval -- "\$@" + ''; + +in { + + options = { + services.mastodon = { + enable = lib.mkEnableOption "Mastodon, a federated social network server"; + + configureNginx = lib.mkOption { + description = '' + Configure nginx as a reverse proxy for mastodon. + Note that this makes some assumptions on your setup, and sets settings that will + affect other virtualHosts running on your nginx instance, if any. + Alternatively you can configure a reverse-proxy of your choice to serve these paths: + + <code>/ -> $(nix-instantiate --eval '<nixpkgs>' -A mastodon.outPath)/public</code> + + <code>/ -> 127.0.0.1:{{ webPort }} </code>(If there was no file in the directory above.) + + <code>/system/ -> /var/lib/mastodon/public-system/</code> + + <code>/api/v1/streaming/ -> 127.0.0.1:{{ streamingPort }}</code> + + Make sure that websockets are forwarded properly. You might want to set up caching + of some requests. Take a look at mastodon's provided nginx configuration at + <code>https://github.com/tootsuite/mastodon/blob/master/dist/nginx.conf</code>. + ''; + type = lib.types.bool; + default = false; + }; + + user = lib.mkOption { + description = '' + User under which mastodon runs. If it is set to "mastodon", + that user will be created, otherwise it should be set to the + name of a user created elsewhere. In both cases, + <package>mastodon</package> and a package containing only + the shell script <code>mastodon-env</code> will be added to + the user's package set. To run a command from + <package>mastodon</package> such as <code>tootctl</code> + with the environment configured by this module use + <code>mastodon-env</code>, as in: + + <code>mastodon-env tootctl accounts create newuser --email newuser@example.com</code> + ''; + type = lib.types.str; + default = "mastodon"; + }; + + group = lib.mkOption { + description = '' + Group under which mastodon runs. + If it is set to "mastodon", a group will be created. + ''; + type = lib.types.str; + default = "mastodon"; + }; + + streamingPort = lib.mkOption { + description = "TCP port used by the mastodon-streaming service."; + type = lib.types.port; + default = 55000; + }; + + webPort = lib.mkOption { + description = "TCP port used by the mastodon-web service."; + type = lib.types.port; + default = 55001; + }; + + sidekiqPort = lib.mkOption { + description = "TCP port used by the mastodon-sidekiq service"; + type = lib.types.port; + default = 55002; + }; + + vapidPublicKeyFile = lib.mkOption { + description = '' + Path to file containing the public key used for Web Push + Voluntary Application Server Identification. A new keypair can + be generated by running: + + <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys</code> + + If <option>mastodon.vapidPrivateKeyFile</option>does not + exist, it and this file will be created with a new keypair. + ''; + default = "/var/lib/mastodon/secrets/vapid-public-key"; + type = lib.types.str; + }; + + localDomain = lib.mkOption { + description = "The domain serving your Mastodon instance."; + example = "social.example.org"; + type = lib.types.str; + }; + + secretKeyBaseFile = lib.mkOption { + description = '' + Path to file containing the secret key base. + A new secret key base can be generated by running: + + <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret</code> + + If this file does not exist, it will be created with a new secret key base. + ''; + default = "/var/lib/mastodon/secrets/secret-key-base"; + type = lib.types.str; + }; + + otpSecretFile = lib.mkOption { + description = '' + Path to file containing the OTP secret. + A new OTP secret can be generated by running: + + <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret</code> + + If this file does not exist, it will be created with a new OTP secret. + ''; + default = "/var/lib/mastodon/secrets/otp-secret"; + type = lib.types.str; + }; + + vapidPrivateKeyFile = lib.mkOption { + description = '' + Path to file containing the private key used for Web Push + Voluntary Application Server Identification. A new keypair can + be generated by running: + + <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys</code> + + If this file does not exist, it will be created with a new + private key. + ''; + default = "/var/lib/mastodon/secrets/vapid-private-key"; + type = lib.types.str; + }; + + trustedProxy = lib.mkOption { + description = '' + You need to set it to the IP from which your reverse proxy sends requests to Mastodon's web process, + otherwise Mastodon will record the reverse proxy's own IP as the IP of all requests, which would be + bad because IP addresses are used for important rate limits and security functions. + ''; + type = lib.types.str; + default = "127.0.0.1"; + }; + + enableUnixSocket = lib.mkOption { + description = '' + Instead of binding to an IP address like 127.0.0.1, you may bind to a Unix socket. This variable + is process-specific, e.g. you need different values for every process, and it works for both web (Puma) + processes and streaming API (Node.js) processes. + ''; + type = lib.types.bool; + default = true; + }; + + redis = { + createLocally = lib.mkOption { + description = "Configure local Redis server for Mastodon."; + type = lib.types.bool; + default = true; + }; + + host = lib.mkOption { + description = "Redis host."; + type = lib.types.str; + default = "127.0.0.1"; + }; + + port = lib.mkOption { + description = "Redis port."; + type = lib.types.port; + default = 6379; + }; + }; + + database = { + createLocally = lib.mkOption { + description = "Configure local PostgreSQL database server for Mastodon."; + type = lib.types.bool; + default = true; + }; + + host = lib.mkOption { + type = lib.types.str; + default = "/run/postgresql"; + example = "192.168.23.42"; + description = "Database host address or unix socket."; + }; + + port = lib.mkOption { + type = lib.types.int; + default = 5432; + description = "Database host port."; + }; + + name = lib.mkOption { + type = lib.types.str; + default = "mastodon"; + description = "Database name."; + }; + + user = lib.mkOption { + type = lib.types.str; + default = "mastodon"; + description = "Database user."; + }; + + passwordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = "/var/lib/mastodon/secrets/db-password"; + example = "/run/keys/mastodon-db-password"; + description = '' + A file containing the password corresponding to + <option>database.user</option>. + ''; + }; + }; + + smtp = { + createLocally = lib.mkOption { + description = "Configure local Postfix SMTP server for Mastodon."; + type = lib.types.bool; + default = true; + }; + + authenticate = lib.mkOption { + description = "Authenticate with the SMTP server using username and password."; + type = lib.types.bool; + default = true; + }; + + host = lib.mkOption { + description = "SMTP host used when sending emails to users."; + type = lib.types.str; + default = "127.0.0.1"; + }; + + port = lib.mkOption { + description = "SMTP port used when sending emails to users."; + type = lib.types.port; + default = 25; + }; + + fromAddress = lib.mkOption { + description = ''"From" address used when sending Emails to users.''; + type = lib.types.str; + }; + + user = lib.mkOption { + description = "SMTP login name."; + type = lib.types.str; + }; + + passwordFile = lib.mkOption { + description = '' + Path to file containing the SMTP password. + ''; + default = "/var/lib/mastodon/secrets/smtp-password"; + example = "/run/keys/mastodon-smtp-password"; + type = lib.types.str; + }; + }; + + elasticsearch = { + host = lib.mkOption { + description = '' + Elasticsearch host. + If it is not null, Elasticsearch full text search will be enabled. + ''; + type = lib.types.nullOr lib.types.str; + default = null; + }; + + port = lib.mkOption { + description = "Elasticsearch port."; + type = lib.types.port; + default = 9200; + }; + }; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.mastodon; + defaultText = "pkgs.mastodon"; + description = "Mastodon package to use."; + }; + + extraConfig = lib.mkOption { + type = lib.types.attrs; + default = {}; + description = '' + Extra environment variables to pass to all mastodon services. + ''; + }; + + automaticMigrations = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Do automatic database migrations. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user); + message = ''For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user and services.mastodon.database.user must be identical.''; + } + ]; + + systemd.services.mastodon-init-dirs = { + script = '' + umask 077 + + if ! test -f ${cfg.secretKeyBaseFile}; then + mkdir -p $(dirname ${cfg.secretKeyBaseFile}) + bin/rake secret > ${cfg.secretKeyBaseFile} + fi + if ! test -f ${cfg.otpSecretFile}; then + mkdir -p $(dirname ${cfg.otpSecretFile}) + bin/rake secret > ${cfg.otpSecretFile} + fi + if ! test -f ${cfg.vapidPrivateKeyFile}; then + mkdir -p $(dirname ${cfg.vapidPrivateKeyFile}) $(dirname ${cfg.vapidPublicKeyFile}) + keypair=$(bin/rake webpush:generate_keys) + echo $keypair | grep --only-matching "Private -> [^ ]\+" | sed 's/^Private -> //' > ${cfg.vapidPrivateKeyFile} + echo $keypair | grep --only-matching "Public -> [^ ]\+" | sed 's/^Public -> //' > ${cfg.vapidPublicKeyFile} + fi + + cat > /var/lib/mastodon/.secrets_env <<EOF + SECRET_KEY_BASE="$(cat ${cfg.secretKeyBaseFile})" + OTP_SECRET="$(cat ${cfg.otpSecretFile})" + VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})" + VAPID_PUBLIC_KEY="$(cat ${cfg.vapidPublicKeyFile})" + DB_PASS="$(cat ${cfg.database.passwordFile})" + '' + (if cfg.smtp.authenticate then '' + SMTP_PASSWORD="$(cat ${cfg.smtp.passwordFile})" + '' else "") + '' + EOF + ''; + environment = env; + serviceConfig = { + Type = "oneshot"; + WorkingDirectory = cfg.package; + } // cfgService; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services.mastodon-init-db = lib.mkIf cfg.automaticMigrations { + script = '' + if [ `psql ${cfg.database.name} -c \ + "select count(*) from pg_class c \ + join pg_namespace s on s.oid = c.relnamespace \ + where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \ + and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then + SAFETY_ASSURED=1 rake db:schema:load + rake db:seed + else + rake db:migrate + fi + ''; + path = [ cfg.package pkgs.postgresql ]; + environment = env; + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + WorkingDirectory = cfg.package; + } // cfgService; + after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []); + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services.mastodon-streaming = { + after = [ "network.target" ] + ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []) + ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]); + description = "Mastodon streaming"; + wantedBy = [ "multi-user.target" ]; + environment = env // (if cfg.enableUnixSocket + then { SOCKET = "/run/mastodon-streaming/streaming.socket"; } + else { PORT = toString(cfg.streamingPort); } + ); + serviceConfig = { + ExecStart = "${cfg.package}/run-streaming.sh"; + Restart = "always"; + RestartSec = 20; + EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + WorkingDirectory = cfg.package; + # Runtime directory and mode + RuntimeDirectory = "mastodon-streaming"; + RuntimeDirectoryMode = "0750"; + } // cfgService; + }; + + systemd.services.mastodon-web = { + after = [ "network.target" ] + ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []) + ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]); + description = "Mastodon web"; + wantedBy = [ "multi-user.target" ]; + environment = env // (if cfg.enableUnixSocket + then { SOCKET = "/run/mastodon-web/web.socket"; } + else { PORT = toString(cfg.webPort); } + ); + serviceConfig = { + ExecStart = "${cfg.package}/bin/puma -C config/puma.rb"; + Restart = "always"; + RestartSec = 20; + EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + WorkingDirectory = cfg.package; + # Runtime directory and mode + RuntimeDirectory = "mastodon-web"; + RuntimeDirectoryMode = "0750"; + } // cfgService; + path = with pkgs; [ file imagemagick ffmpeg ]; + }; + + systemd.services.mastodon-sidekiq = { + after = [ "network.target" ] + ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []) + ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]); + description = "Mastodon sidekiq"; + wantedBy = [ "multi-user.target" ]; + environment = env // { + PORT = toString(cfg.sidekiqPort); + }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/sidekiq -c 25 -r ${cfg.package}"; + Restart = "always"; + RestartSec = 20; + EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + WorkingDirectory = cfg.package; + } // cfgService; + path = with pkgs; [ file imagemagick ffmpeg ]; + }; + + services.nginx = lib.mkIf cfg.configureNginx { + enable = true; + recommendedProxySettings = true; # required for redirections to work + virtualHosts."${cfg.localDomain}" = { + root = "${cfg.package}/public/"; + forceSSL = true; # mastodon only supports https + enableACME = true; + + locations."/system/".alias = "/var/lib/mastodon/public-system/"; + + locations."/" = { + tryFiles = "$uri @proxy"; + }; + + locations."@proxy" = { + proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); + proxyWebsockets = true; + }; + + locations."/api/v1/streaming/" = { + proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/"); + proxyWebsockets = true; + }; + }; + }; + + services.postfix = lib.mkIf (cfg.smtp.createLocally && cfg.smtp.host == "127.0.0.1") { + enable = true; + }; + services.redis = lib.mkIf (cfg.redis.createLocally && cfg.redis.host == "127.0.0.1") { + enable = true; + }; + services.postgresql = lib.mkIf databaseActuallyCreateLocally { + enable = true; + ensureUsers = [ + { + name = cfg.database.user; + ensurePermissions."DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; + } + ]; + ensureDatabases = [ cfg.database.name ]; + }; + + users.users = lib.mkMerge [ + (lib.mkIf (cfg.user == "mastodon") { + mastodon = { + isSystemUser = true; + home = cfg.package; + inherit (cfg) group; + }; + }) + (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package mastodonEnv ]) + (lib.mkIf cfg.configureNginx {${config.services.nginx.user}.extraGroups = [ cfg.user ];}) + ]; + + users.groups.mastodon = lib.mkIf (cfg.group == "mastodon") { }; + }; + + meta.maintainers = with lib.maintainers; [ happy-river erictapen ]; + +} diff --git a/nixos/modules/services/web-apps/mediawiki.nix b/nixos/modules/services/web-apps/mediawiki.nix index 0a5b6047bb58a..1db1652022a34 100644 --- a/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixos/modules/services/web-apps/mediawiki.nix @@ -180,6 +180,7 @@ in }; name = mkOption { + type = types.str; default = "MediaWiki"; example = "Foobar Wiki"; description = "Name of the wiki."; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index da019aa25079d..23ebbdb7f71b0 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -6,17 +6,19 @@ let cfg = config.services.nextcloud; fpm = config.services.phpfpm.pools.nextcloud; - phpPackage = - let - base = pkgs.php74; - in - base.buildEnv { - extensions = { enabled, all }: with all; - enabled ++ [ - apcu redis memcached imagick - ]; - extraConfig = phpOptionsStr; - }; + phpPackage = pkgs.php74.buildEnv { + extensions = { enabled, all }: + (with all; + enabled + ++ [ imagick ] # Always enabled + # Optionally enabled depending on caching settings + ++ optional cfg.caching.apcu apcu + ++ optional cfg.caching.redis redis + ++ optional cfg.caching.memcached memcached + ) + ++ cfg.phpExtraExtensions all; # Enabled by user + extraConfig = toKeyValue phpOptions; + }; toKeyValue = generators.toKeyValue { mkKeyValue = generators.mkKeyValueDefault {} " = "; @@ -27,7 +29,6 @@ let post_max_size = cfg.maxUploadSize; memory_limit = cfg.maxUploadSize; } // cfg.phpOptions; - phpOptionsStr = toKeyValue phpOptions; occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.runtimeShell} @@ -116,6 +117,21 @@ in { ''; }; + phpExtraExtensions = mkOption { + type = with types; functionTo (listOf package); + default = all: []; + defaultText = "all: []"; + description = '' + Additional PHP extensions to use for nextcloud. + By default, only extensions necessary for a vanilla nextcloud installation are enabled, + but you may choose from the list of available extensions and add further ones. + This is sometimes necessary to be able to install a certain nextcloud app that has additional requirements. + ''; + example = literalExample '' + all: [ all.pdlib all.bz2 ] + ''; + }; + phpOptions = mkOption { type = types.attrsOf types.str; default = { @@ -228,7 +244,8 @@ in { type = types.nullOr types.str; default = null; description = '' - The full path to a file that contains the admin's password. + The full path to a file that contains the admin's password. Must be + readable by user <literal>nextcloud</literal>. ''; }; @@ -351,7 +368,7 @@ in { '') ++ (optional (versionOlder cfg.package.version "18") (upgradeWarning 17 "20.03")) ++ (optional (versionOlder cfg.package.version "19") (upgradeWarning 18 "20.09")) - ++ (optional (versionOlder cfg.package.version "20") (upgradeWarning 19 "21.03")); + ++ (optional (versionOlder cfg.package.version "20") (upgradeWarning 19 "21.05")); services.nextcloud.package = with pkgs; mkDefault ( @@ -363,6 +380,10 @@ in { '' else if versionOlder stateVersion "20.03" then nextcloud17 else if versionOlder stateVersion "20.09" then nextcloud18 + # 21.03 will not be an official release - it was instead 21.05. + # This versionOlder statement remains set to 21.03 for backwards compatibility. + # See https://github.com/NixOS/nixpkgs/pull/108899 and + # https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md. else if versionOlder stateVersion "21.03" then nextcloud19 else nextcloud20 ); @@ -466,6 +487,28 @@ in { path = [ occ ]; script = '' chmod og+x ${cfg.home} + + ${optionalString (c.dbpassFile != null) '' + if [ ! -r "${c.dbpassFile}" ]; then + echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..." + exit 1 + fi + if [ -z "$(<${c.dbpassFile})" ]; then + echo "dbpassFile ${c.dbpassFile} is empty!" + exit 1 + fi + ''} + ${optionalString (c.adminpassFile != null) '' + if [ ! -r "${c.adminpassFile}" ]; then + echo "adminpassFile ${c.adminpassFile} is not readable by nextcloud:nextcloud! Aborting..." + exit 1 + fi + if [ -z "$(<${c.adminpassFile})" ]; then + echo "adminpassFile ${c.adminpassFile} is empty!" + exit 1 + fi + ''} + ln -sf ${cfg.package}/apps ${cfg.home}/ # create nextcloud directories. @@ -511,7 +554,6 @@ in { pools.nextcloud = { user = "nextcloud"; group = "nextcloud"; - phpOptions = phpOptionsStr; phpPackage = phpPackage; phpEnv = { NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; @@ -561,10 +603,10 @@ in { priority = 210; extraConfig = '' location = /.well-known/carddav { - return 301 $scheme://$host/remote.php/dav; + return 301 /remote.php/dav; } location = /.well-known/caldav { - return 301 $scheme://$host/remote.php/dav; + return 301 /remote.php/dav; } try_files $uri $uri/ =404; ''; @@ -572,7 +614,7 @@ in { "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = '' return 404; ''; - "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)".extraConfig = '' + "~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = '' return 404; ''; "~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = { diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index f71c8df6c6d48..6cbfda118c4f6 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -182,6 +182,17 @@ </para> </section> + <section xml:id="installing-apps-php-extensions-nextcloud"> + <title>Installing Apps and PHP extensions</title> + + <para> + Nextcloud apps are installed statefully through the web interface. + + Some apps may require extra PHP extensions to be installed. + This can be configured with the <xref linkend="opt-services.nextcloud.phpExtraExtensions" /> setting. + </para> + </section> + <section xml:id="module-services-nextcloud-maintainer-info"> <title>Maintainer information</title> diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index de3c7d693d47b..7f50b8fd8d441 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -126,10 +126,14 @@ let </IfModule> ''; - luaSetPaths = '' + luaSetPaths = let + # support both lua and lua.withPackages derivations + luaversion = cfg.package.lua5.lua.luaversion or cfg.package.lua5.luaversion; + in + '' <IfModule mod_lua.c> - LuaPackageCPath ${cfg.package.lua5}/lib/lua/${cfg.package.lua5.lua.luaversion}/?.so - LuaPackagePath ${cfg.package.lua5}/share/lua/${cfg.package.lua5.lua.luaversion}/?.lua + LuaPackageCPath ${cfg.package.lua5}/lib/lua/${luaversion}/?.so + LuaPackagePath ${cfg.package.lua5}/share/lua/${luaversion}/?.lua </IfModule> ''; @@ -333,7 +337,7 @@ let ${sslConf} - ${if cfg.package.luaSupport then luaSetPaths else ""} + ${optionalString cfg.package.luaSupport luaSetPaths} # Fascist default - deny access to everything. <Directory /> diff --git a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix index 173c0f8561c0f..394f9a305546c 100644 --- a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix +++ b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix @@ -112,7 +112,7 @@ in acmeRoot = mkOption { type = types.str; - default = "/var/lib/acme/acme-challenges"; + default = "/var/lib/acme/acme-challenge"; description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here"; }; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index d6f463be9e811..fa8614e8ec174 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -79,6 +79,8 @@ let include ${pkgs.mailcap}/etc/nginx/mime.types; include ${cfg.package}/conf/fastcgi.conf; include ${cfg.package}/conf/uwsgi_params; + + default_type application/octet-stream; ''; configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' @@ -404,6 +406,7 @@ in logError = mkOption { default = "stderr"; + type = types.str; description = " Configures logging. The first parameter defines a file that will store the log. The diff --git a/nixos/modules/services/web-servers/nginx/location-options.nix b/nixos/modules/services/web-servers/nginx/location-options.nix index 5a7f5188b6cfe..d8c976f202fd1 100644 --- a/nixos/modules/services/web-servers/nginx/location-options.nix +++ b/nixos/modules/services/web-servers/nginx/location-options.nix @@ -52,7 +52,7 @@ with lib; default = false; example = true; description = '' - Whether to supporty proxying websocket connections with HTTP/1.1. + Whether to support proxying websocket connections with HTTP/1.1. ''; }; diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index 894271d1e55e4..2a264bf2e9a6f 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -28,10 +28,12 @@ in { description = "Group account under which unit runs."; }; stateDir = mkOption { + type = types.path; default = "/var/spool/unit"; description = "Unit data directory."; }; logDir = mkOption { + type = types.path; default = "/var/log/unit"; description = "Unit log directory."; }; diff --git a/nixos/modules/services/x11/clight.nix b/nixos/modules/services/x11/clight.nix index 4daf6d8d9db7e..873f425fb8be4 100644 --- a/nixos/modules/services/x11/clight.nix +++ b/nixos/modules/services/x11/clight.nix @@ -11,14 +11,21 @@ let else if isBool v then boolToString v else if isString v then ''"${escape [''"''] v}"'' else if isList v then "[ " + concatMapStringsSep ", " toConf v + " ]" + else if isAttrs v then "\n{\n" + convertAttrs v + "\n}" else abort "clight.toConf: unexpected type (v = ${v})"; - clightConf = pkgs.writeText "clight.conf" - (concatStringsSep "\n" (mapAttrsToList - (name: value: "${toString name} = ${toConf value};") - (filterAttrs - (_: value: value != null) - cfg.settings))); + getSep = v: + if isAttrs v then ":" + else "="; + + convertAttrs = attrs: concatStringsSep "\n" (mapAttrsToList + (name: value: "${toString name} ${getSep value} ${toConf value};") + attrs); + + clightConf = pkgs.writeText "clight.conf" (convertAttrs + (filterAttrs + (_: value: value != null) + cfg.settings)); in { options.services.clight = { enable = mkOption { @@ -49,9 +56,10 @@ in { }; settings = let - validConfigTypes = with types; either int (either str (either bool float)); + validConfigTypes = with types; oneOf [ int str bool float ]; + collectionTypes = with types; oneOf [ validConfigTypes (listOf validConfigTypes) ]; in mkOption { - type = with types; attrsOf (nullOr (either validConfigTypes (listOf validConfigTypes))); + type = with types; attrsOf (nullOr (either collectionTypes (attrsOf collectionTypes))); default = {}; example = { captures = 20; gamma_long_transition = true; ac_capture_timeouts = [ 120 300 60 ]; }; description = '' @@ -69,10 +77,10 @@ in { services.upower.enable = true; services.clight.settings = { - gamma_temp = with cfg.temperature; mkDefault [ day night ]; + gamma.temp = with cfg.temperature; mkDefault [ day night ]; } // (optionalAttrs (config.location.provider == "manual") { - latitude = mkDefault config.location.latitude; - longitude = mkDefault config.location.longitude; + daytime.latitude = mkDefault config.location.latitude; + daytime.longitude = mkDefault config.location.longitude; }); services.geoclue2.appConfig.clightc = { diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index a404143a03d4b..14dcf009a7d13 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -25,6 +25,7 @@ in sessionPath = mkOption { default = []; + type = types.listOf types.package; example = literalExample "[ pkgs.gnome3.gpaste ]"; description = '' Additional list of packages to be added to the session search path. diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index a36a47d376b6e..99e6edfba26e2 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -118,6 +118,7 @@ in sessionPath = mkOption { default = []; + type = types.listOf types.package; example = literalExample "[ pkgs.gnome3.gpaste ]"; description = '' Additional list of packages to be added to the session search path. @@ -196,12 +197,11 @@ in config = mkMerge [ (mkIf (cfg.enable || flashbackEnabled) { # Seed our configuration into nixos-generate-config - system.nixos-generate-config.desktopConfiguration = '' + system.nixos-generate-config.desktopConfiguration = ['' # Enable the GNOME 3 Desktop Environment. - services.xserver.enable = true; services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome3.enable = true; - ''; + '']; services.gnome3.core-os-services.enable = true; services.gnome3.core-shell.enable = true; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index cf02a71248b17..195da75e74437 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -42,6 +42,7 @@ in sessionPath = mkOption { default = []; + type = types.listOf types.package; example = literalExample "[ pkgs.gnome3.gpaste ]"; description = '' Additional list of packages to be added to the session search path. diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index d6cf86d3a2e61..44ee079b81737 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -184,12 +184,11 @@ in config = mkMerge [ (mkIf cfg.enable { # Seed our configuration into nixos-generate-config - system.nixos-generate-config.desktopConfiguration = '' + system.nixos-generate-config.desktopConfiguration = ['' # Enable the Plasma 5 Desktop Environment. - services.xserver.enable = true; services.xserver.displayManager.sddm.enable = true; services.xserver.desktopManager.plasma5.enable = true; - ''; + '']; services.xserver.desktopManager.session = singleton { name = "plasma5"; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix index de932e6e840ae..9c1dc1d1c12d9 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix @@ -88,6 +88,7 @@ in cursorTheme = { package = mkOption { + type = types.package; default = pkgs.gnome3.adwaita-icon-theme; defaultText = "pkgs.gnome3.adwaita-icon-theme"; description = '' diff --git a/nixos/modules/services/x11/window-managers/exwm.nix b/nixos/modules/services/x11/window-managers/exwm.nix index 0743f35c1d316..4b707d3984969 100644 --- a/nixos/modules/services/x11/window-managers/exwm.nix +++ b/nixos/modules/services/x11/window-managers/exwm.nix @@ -21,6 +21,7 @@ in enable = mkEnableOption "exwm"; loadScript = mkOption { default = "(require 'exwm)"; + type = types.lines; example = literalExample '' (require 'exwm) (exwm-enable) diff --git a/nixos/modules/services/x11/window-managers/herbstluftwm.nix b/nixos/modules/services/x11/window-managers/herbstluftwm.nix index e3ea61cb9a6be..548097a412d23 100644 --- a/nixos/modules/services/x11/window-managers/herbstluftwm.nix +++ b/nixos/modules/services/x11/window-managers/herbstluftwm.nix @@ -11,6 +11,15 @@ in services.xserver.windowManager.herbstluftwm = { enable = mkEnableOption "herbstluftwm"; + package = mkOption { + type = types.package; + default = pkgs.herbstluftwm; + defaultText = "pkgs.herbstluftwm"; + description = '' + Herbstluftwm package to use. + ''; + }; + configFile = mkOption { default = null; type = with types; nullOr path; @@ -31,8 +40,8 @@ in (cfg.configFile != null) ''-c "${cfg.configFile}"'' ; - in "${pkgs.herbstluftwm}/bin/herbstluftwm ${configFileClause}"; + in "${cfg.package}/bin/herbstluftwm ${configFileClause}"; }; - environment.systemPackages = [ pkgs.herbstluftwm ]; + environment.systemPackages = [ cfg.package ]; }; } diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index eb8c4c17e987e..8858559d8f27d 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -441,6 +441,7 @@ in serverFlagsSection = mkOption { default = ""; + type = types.lines; example = '' Option "BlankTime" "0" @@ -649,7 +650,7 @@ in xorg.xprop xorg.xauth pkgs.xterm - pkgs.xdg_utils + pkgs.xdg-utils xorg.xf86inputevdev.out # get evdev.4 man page ] ++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh; diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index ed7226331d70e..363d8e47a0ff1 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -156,6 +156,16 @@ in description = "List of modules that are always loaded by the initrd."; }; + boot.initrd.includeDefaultModules = mkOption { + type = types.bool; + default = true; + description = '' + This option, if set, adds a collection of default kernel modules + to <option>boot.initrd.availableKernelModules</option> and + <option>boot.initrd.kernelModules</option>. + ''; + }; + system.modulesTree = mkOption { type = types.listOf types.path; internal = true; @@ -195,7 +205,8 @@ in config = mkMerge [ (mkIf config.boot.initrd.enable { boot.initrd.availableKernelModules = - [ # Note: most of these (especially the SATA/PATA modules) + optionals config.boot.initrd.includeDefaultModules ([ + # Note: most of these (especially the SATA/PATA modules) # shouldn't be included by default since nixos-generate-config # detects them, but I'm keeping them for now for backwards # compatibility. @@ -235,10 +246,11 @@ in # x86 RTC needed by the stage 2 init script. "rtc_cmos" - ]; + ]); boot.initrd.kernelModules = - [ # For LVM. + optionals config.boot.initrd.includeDefaultModules [ + # For LVM. "dm_mod" ]; }) diff --git a/nixos/modules/system/boot/systemd-lib.nix b/nixos/modules/system/boot/systemd-lib.nix index fa109394fedbe..2dbf15031a088 100644 --- a/nixos/modules/system/boot/systemd-lib.nix +++ b/nixos/modules/system/boot/systemd-lib.nix @@ -92,10 +92,12 @@ in rec { checkUnitConfig = group: checks: attrs: let # We're applied at the top-level type (attrsOf unitOption), so the actual - # unit options might contain attributes from mkOverride that we need to + # unit options might contain attributes from mkOverride and mkIf that we need to # convert into single values before checking them. defs = mapAttrs (const (v: - if v._type or "" == "override" then v.content else v + if v._type or "" == "override" then v.content + else if v._type or "" == "if" then v.content + else v )) attrs; errors = concatMap (c: c group defs) checks; in if errors == [] then true diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index a055072f9c967..a9b5b134d889d 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -7,8 +7,9 @@ let addCheckDesc = desc: elemType: check: types.addCheck elemType check // { description = "${elemType.description} (with check: ${desc})"; }; - nonEmptyStr = addCheckDesc "non-empty" types.str - (x: x != "" && ! (all (c: c == " " || c == "\t") (stringToCharacters x))); + + isNonEmpty = s: (builtins.match "[ \t\n]*" s) == null; + nonEmptyStr = addCheckDesc "non-empty" types.str isNonEmpty; fileSystems' = toposort fsBefore (attrValues config.fileSystems); @@ -28,10 +29,10 @@ let coreFileSystemOpts = { name, config, ... }: { options = { - mountPoint = mkOption { example = "/mnt/usb"; - type = nonEmptyStr; + type = addCheckDesc "non-empty without trailing slash" types.str + (s: isNonEmpty s && (builtins.match ".+/" s) == null); description = "Location of the mounted the file system."; }; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 16ba0b746789b..59676e996785c 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -17,20 +17,8 @@ let inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems; inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems; - enableZfs = inInitrd || inSystem; - - kernel = config.boot.kernelPackages; - - packages = if config.boot.zfs.enableUnstable then { - zfs = kernel.zfsUnstable; - zfsUser = pkgs.zfsUnstable; - } else { - zfs = kernel.zfs; - zfsUser = pkgs.zfs; - }; - autosnapPkg = pkgs.zfstools.override { - zfs = packages.zfsUser; + zfs = cfgZfs.package; }; zfsAutoSnap = "${autosnapPkg}/bin/zfs-auto-snapshot"; @@ -111,6 +99,20 @@ in options = { boot.zfs = { + package = mkOption { + readOnly = true; + type = types.package; + default = if config.boot.zfs.enableUnstable then pkgs.zfsUnstable else pkgs.zfs; + description = "Configured ZFS userland tools package."; + }; + + enabled = mkOption { + readOnly = true; + type = types.bool; + default = inInitrd || inSystem; + description = "True if ZFS filesystem support is enabled"; + }; + enableUnstable = mkOption { type = types.bool; default = false; @@ -324,39 +326,53 @@ in }; }; - services.zfs.zed.settings = mkOption { - type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); - example = literalExample '' - { - ZED_DEBUG_LOG = "/tmp/zed.debug.log"; + services.zfs.zed = { + enableMail = mkEnableOption "ZED's ability to send emails" // { + default = cfgZfs.package.enableMail; + }; - ZED_EMAIL_ADDR = [ "root" ]; - ZED_EMAIL_PROG = "mail"; - ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@"; + settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); + example = literalExample '' + { + ZED_DEBUG_LOG = "/tmp/zed.debug.log"; - ZED_NOTIFY_INTERVAL_SECS = 3600; - ZED_NOTIFY_VERBOSE = false; + ZED_EMAIL_ADDR = [ "root" ]; + ZED_EMAIL_PROG = "mail"; + ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@"; - ZED_USE_ENCLOSURE_LEDS = true; - ZED_SCRUB_AFTER_RESILVER = false; - } - ''; - description = '' - ZFS Event Daemon /etc/zfs/zed.d/zed.rc content - - See - <citerefentry><refentrytitle>zed</refentrytitle><manvolnum>8</manvolnum></citerefentry> - for details on ZED and the scripts in /etc/zfs/zed.d to find the possible variables - ''; + ZED_NOTIFY_INTERVAL_SECS = 3600; + ZED_NOTIFY_VERBOSE = false; + + ZED_USE_ENCLOSURE_LEDS = true; + ZED_SCRUB_AFTER_RESILVER = false; + } + ''; + description = '' + ZFS Event Daemon /etc/zfs/zed.d/zed.rc content + + See + <citerefentry><refentrytitle>zed</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details on ZED and the scripts in /etc/zfs/zed.d to find the possible variables + ''; + }; }; }; ###### implementation config = mkMerge [ - (mkIf enableZfs { + (mkIf cfgZfs.enabled { assertions = [ { + assertion = cfgZED.enableMail -> cfgZfs.package.enableMail; + message = '' + To allow ZED to send emails, ZFS needs to be configured to enable + this. To do so, one must override the `zfs` package and set + `enableMail` to true. + ''; + } + { assertion = config.networking.hostId != null; message = "ZFS requires networking.hostId to be set"; } @@ -366,20 +382,24 @@ in } ]; - virtualisation.lxd.zfsSupport = true; - boot = { kernelModules = [ "zfs" ]; - extraModulePackages = with packages; [ zfs ]; + + extraModulePackages = [ + (if config.boot.zfs.enableUnstable then + config.boot.kernelPackages.zfsUnstable + else + config.boot.kernelPackages.zfs) + ]; }; boot.initrd = mkIf inInitrd { kernelModules = [ "zfs" ] ++ optional (!cfgZfs.enableUnstable) "spl"; extraUtilsCommands = '' - copy_bin_and_libs ${packages.zfsUser}/sbin/zfs - copy_bin_and_libs ${packages.zfsUser}/sbin/zdb - copy_bin_and_libs ${packages.zfsUser}/sbin/zpool + copy_bin_and_libs ${cfgZfs.package}/sbin/zfs + copy_bin_and_libs ${cfgZfs.package}/sbin/zdb + copy_bin_and_libs ${cfgZfs.package}/sbin/zpool ''; extraUtilsCommandsTest = mkIf inInitrd '' @@ -431,9 +451,9 @@ in }; services.zfs.zed.settings = { - ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail"; + ZED_EMAIL_PROG = mkIf cfgZED.enableMail (mkDefault "${pkgs.mailutils}/bin/mail"); PATH = lib.makeBinPath [ - packages.zfsUser + cfgZfs.package pkgs.coreutils pkgs.curl pkgs.gawk @@ -461,18 +481,18 @@ in "vdev_clear-led.sh" ] ) - (file: { source = "${packages.zfsUser}/etc/${file}"; }) + (file: { source = "${cfgZfs.package}/etc/${file}"; }) // { "zfs/zed.d/zed.rc".text = zedConf; - "zfs/zpool.d".source = "${packages.zfsUser}/etc/zfs/zpool.d/"; + "zfs/zpool.d".source = "${cfgZfs.package}/etc/zfs/zpool.d/"; }; - system.fsPackages = [ packages.zfsUser ]; # XXX: needed? zfs doesn't have (need) a fsck - environment.systemPackages = [ packages.zfsUser ] + system.fsPackages = [ cfgZfs.package ]; # XXX: needed? zfs doesn't have (need) a fsck + environment.systemPackages = [ cfgZfs.package ] ++ optional cfgSnapshots.enable autosnapPkg; # so the user can run the command to see flags - services.udev.packages = [ packages.zfsUser ]; # to hook zvol naming, etc. - systemd.packages = [ packages.zfsUser ]; + services.udev.packages = [ cfgZfs.package ]; # to hook zvol naming, etc. + systemd.packages = [ cfgZfs.package ]; systemd.services = let getPoolFilesystems = pool: @@ -506,8 +526,8 @@ in environment.ZFS_FORCE = optionalString cfgZfs.forceImportAll "-f"; script = (importLib { # See comments at importLib definition. - zpoolCmd="${packages.zfsUser}/sbin/zpool"; - awkCmd="${pkgs.gawk}/bin/awk"; + zpoolCmd = "${cfgZfs.package}/sbin/zpool"; + awkCmd = "${pkgs.gawk}/bin/awk"; inherit cfgZfs; }) + '' poolImported "${pool}" && exit @@ -522,7 +542,7 @@ in ${optionalString (if isBool cfgZfs.requestEncryptionCredentials then cfgZfs.requestEncryptionCredentials else cfgZfs.requestEncryptionCredentials != []) '' - ${packages.zfsUser}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do + ${cfgZfs.package}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do (${optionalString (!isBool cfgZfs.requestEncryptionCredentials) '' if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then continue @@ -532,10 +552,10 @@ in none ) ;; prompt ) - ${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${packages.zfsUser}/sbin/zfs load-key "$ds" + ${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" ;; * ) - ${packages.zfsUser}/sbin/zfs load-key "$ds" + ${cfgZfs.package}/sbin/zfs load-key "$ds" ;; esac) < /dev/null # To protect while read ds kl in case anything reads stdin done @@ -561,7 +581,7 @@ in RemainAfterExit = true; }; script = '' - ${packages.zfsUser}/sbin/zfs set nixos:shutdown-time="$(date)" "${pool}" + ${cfgZfs.package}/sbin/zfs set nixos:shutdown-time="$(date)" "${pool}" ''; }; createZfsService = serv: @@ -587,7 +607,7 @@ in systemd.targets.zfs.wantedBy = [ "multi-user.target" ]; }) - (mkIf (enableZfs && cfgSnapshots.enable) { + (mkIf (cfgZfs.enabled && cfgSnapshots.enable) { systemd.services = let descr = name: if name == "frequent" then "15 mins" else if name == "hourly" then "hour" @@ -625,7 +645,7 @@ in }) snapshotNames); }) - (mkIf (enableZfs && cfgScrub.enable) { + (mkIf (cfgZfs.enabled && cfgScrub.enable) { systemd.services.zfs-scrub = { description = "ZFS pools scrubbing"; after = [ "zfs-import.target" ]; @@ -633,11 +653,11 @@ in Type = "oneshot"; }; script = '' - ${packages.zfsUser}/bin/zpool scrub ${ + ${cfgZfs.package}/bin/zpool scrub ${ if cfgScrub.pools != [] then (concatStringsSep " " cfgScrub.pools) else - "$(${packages.zfsUser}/bin/zpool list -H -o name)" + "$(${cfgZfs.package}/bin/zpool list -H -o name)" } ''; }; @@ -652,11 +672,11 @@ in }; }) - (mkIf (enableZfs && cfgTrim.enable) { + (mkIf (cfgZfs.enabled && cfgTrim.enable) { systemd.services.zpool-trim = { description = "ZFS pools trim"; after = [ "zfs-import.target" ]; - path = [ packages.zfsUser ]; + path = [ cfgZfs.package ]; startAt = cfgTrim.interval; # By default we ignore errors returned by the trim command, in case: # - HDDs are mixed with SSDs diff --git a/nixos/modules/testing/service-runner.nix b/nixos/modules/testing/service-runner.nix index 99a9f979068da..76e9d4a68c416 100644 --- a/nixos/modules/testing/service-runner.nix +++ b/nixos/modules/testing/service-runner.nix @@ -52,7 +52,7 @@ let # Run the ExecStartPre program. FIXME: this could be a list. my $preStart = <<END_CMD; - ${service.serviceConfig.ExecStartPre or ""} + ${concatStringsSep "\n" (service.serviceConfig.ExecStartPre or [])} END_CMD if (defined $preStart && $preStart ne "\n") { print STDERR "running ExecStartPre: $preStart\n"; @@ -79,7 +79,7 @@ let # Run the ExecStartPost program. my $postStart = <<END_CMD; - ${service.serviceConfig.ExecStartPost or ""} + ${concatStringsSep "\n" (service.serviceConfig.ExecStartPost or [])} END_CMD if (defined $postStart && $postStart ne "\n") { print STDERR "running ExecStartPost: $postStart\n"; diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix index aa416e7990a8b..8d352e36ef99a 100644 --- a/nixos/modules/virtualisation/cri-o.nix +++ b/nixos/modules/virtualisation/cri-o.nix @@ -103,7 +103,10 @@ in cgroup_manager = "systemd" log_level = "${cfg.logLevel}" pinns_path = "${cfg.package}/bin/pinns" - hooks_dir = [] + hooks_dir = [ + ${lib.optionalString config.virtualisation.containers.ociSeccompBpfHook.enable + ''"${config.boot.kernelPackages.oci-seccomp-bpf-hook}",''} + ] ${optionalString (cfg.runtime != null) '' default_runtime = "${cfg.runtime}" diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index 689f664b676d5..b1415bf021dd9 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -157,6 +157,7 @@ in systemd.services.docker = { wantedBy = optional cfg.enableOnBoot "multi-user.target"; + requires = [ "docker.socket" ]; environment = proxy_env; serviceConfig = { Type = "notify"; diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 103e689abae85..4b2adf4cc699b 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -5,13 +5,12 @@ with lib; let - cfg = config.virtualisation.lxd; - zfsCfg = config.boot.zfs; - -in +in { + imports = [ + (mkRemovedOptionModule [ "virtualisation" "lxd" "zfsPackage" ] "Override zfs in an overlay instead to override it globally") + ]; -{ ###### interface options = { @@ -51,18 +50,10 @@ in ''; }; - zfsPackage = mkOption { - type = types.package; - default = with pkgs; if zfsCfg.enableUnstable then zfsUnstable else zfs; - defaultText = "pkgs.zfs"; - description = '' - The ZFS package to use with LXD. - ''; - }; - zfsSupport = mkOption { type = types.bool; - default = false; + default = config.boot.zfs.enabled; + defaultText = "config.boot.zfs.enabled"; description = '' Enables lxd to use zfs as a storage for containers. @@ -87,7 +78,6 @@ in }; ###### implementation - config = mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; @@ -110,7 +100,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "systemd-udev-settle.service" ]; - path = lib.optional cfg.zfsSupport cfg.zfsPackage; + path = lib.optional config.boot.zfs.enabled config.boot.zfs.package; preStart = '' mkdir -m 0755 -p /var/lib/lxc/rootfs diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 7bec1b1ff26e8..f06977f88fc16 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -463,21 +463,15 @@ in { config, options, name, ... }: { options = { - config = mkOption { description = '' A specification of the desired configuration of this container, as a NixOS module. ''; - type = let - confPkgs = if config.pkgs == null then pkgs else config.pkgs; - in lib.mkOptionType { + type = lib.mkOptionType { name = "Toplevel NixOS config"; - merge = loc: defs: (import (confPkgs.path + "/nixos/lib/eval-config.nix") { + merge = loc: defs: (import "${toString config.nixpkgs}/nixos/lib/eval-config.nix" { inherit system; - pkgs = confPkgs; - baseModules = import (confPkgs.path + "/nixos/modules/module-list.nix"); - inherit (confPkgs) lib; modules = let extraConfig = { @@ -526,12 +520,18 @@ in ''; }; - pkgs = mkOption { - type = types.nullOr types.attrs; - default = null; - example = literalExample "pkgs"; + nixpkgs = mkOption { + type = types.path; + default = pkgs.path; + defaultText = "pkgs.path"; description = '' - Customise which nixpkgs to use for this container. + A path to the nixpkgs that provide the modules, pkgs and lib for evaluating the container. + + To only change the <literal>pkgs</literal> argument used inside the container modules, + set the <literal>nixpkgs.*</literal> options in the container <option>config</option>. + Setting <literal>config.nixpkgs.pkgs = pkgs</literal> speeds up the container evaluation + by reusing the system pkgs, but the <literal>nixpkgs.config</literal> option in the + container config is ignored in this case. ''; }; @@ -672,14 +672,31 @@ in ''; }; + # Removed option. See `checkAssertion` below for the accompanying error message. + pkgs = mkOption { visible = false; }; } // networkOptions; - config = mkMerge - [ - (mkIf options.config.isDefined { - path = config.config.system.build.toplevel; - }) - ]; + config = let + # Throw an error when removed option `pkgs` is used. + # Because this is a submodule we cannot use `mkRemovedOptionModule` or option `assertions`. + optionPath = "containers.${name}.pkgs"; + files = showFiles options.pkgs.files; + checkAssertion = if options.pkgs.isDefined then throw '' + The option definition `${optionPath}' in ${files} no longer has any effect; please remove it. + + Alternatively, you can use the following options: + - containers.${name}.nixpkgs + This sets the nixpkgs (and thereby the modules, pkgs and lib) that + are used for evaluating the container. + + - containers.${name}.config.nixpkgs.pkgs + This only sets the `pkgs` argument used inside the container modules. + '' + else null; + in { + path = builtins.seq checkAssertion + mkIf options.config.isDefined config.config.system.build.toplevel; + }; })); default = {}; diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix index 98da5a096d911..0223c0df1f222 100644 --- a/nixos/modules/virtualisation/podman.nix +++ b/nixos/modules/virtualisation/podman.nix @@ -105,6 +105,16 @@ in })); }; + systemd.packages = [ cfg.package ]; + + systemd.services.podman.serviceConfig = { + ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ]; + }; + + systemd.sockets.podman.wantedBy = [ "sockets.target" ]; + + systemd.tmpfiles.packages = [ cfg.package ]; + assertions = [ { assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index bf3615f2fe71b..5360cff22f3c6 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -7,7 +7,7 @@ # the VM in the host. On the other hand, the root filesystem is a # read/writable disk image persistent across VM reboots. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, options, ... }: with lib; with import ../../lib/qemu-flags.nix { inherit pkgs; }; @@ -266,6 +266,8 @@ in options = { + virtualisation.fileSystems = options.fileSystems; + virtualisation.memorySize = mkOption { default = 384; @@ -659,6 +661,7 @@ in # attribute should be disregarded for the purpose of building a VM # test image (since those filesystems don't exist in the VM). fileSystems = mkVMOverride ( + cfg.fileSystems // { "/".device = cfg.bootDevice; ${if cfg.writableStore then "/nix/.ro-store" else "/nix/store"} = { device = "store"; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 5ad647769bbd9..5b57ca860da29 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -57,7 +57,8 @@ in virtualisation.xen.bootParams = mkOption { - default = ""; + default = []; + type = types.listOf types.str; description = '' Parameters passed to the Xen hypervisor at boot time. @@ -68,6 +69,7 @@ in mkOption { default = 0; example = 512; + type = types.addCheck types.int (n: n >= 0); description = '' Amount of memory (in MiB) allocated to Domain 0 on boot. @@ -78,6 +80,7 @@ in virtualisation.xen.bridge = { name = mkOption { default = "xenbr0"; + type = types.str; description = '' Name of bridge the Xen domUs connect to. ''; diff --git a/nixos/tests/agda.nix b/nixos/tests/agda.nix index bbdeb7395aa7e..3773907cff557 100644 --- a/nixos/tests/agda.nix +++ b/nixos/tests/agda.nix @@ -23,6 +23,13 @@ in }; testScript = '' + assert ( + "${pkgs.agdaPackages.lib.interfaceFile "Everything.agda"}" == "Everything.agdai" + ), "wrong interface file for Everything.agda" + assert ( + "${pkgs.agdaPackages.lib.interfaceFile "tmp/Everything.agda.md"}" == "tmp/Everything.agdai" + ), "wrong interface file for tmp/Everything.agda.md" + # Minimal script that typechecks machine.succeed("touch TestEmpty.agda") machine.succeed("agda TestEmpty.agda") @@ -36,6 +43,10 @@ in "cp ${hello-world} HelloWorld.agda" ) machine.succeed("agda -l standard-library -i . -c HelloWorld.agda") + # Check execution + assert "Hello World!" in machine.succeed( + "./HelloWorld" + ), "HelloWorld does not run properly" ''; } ) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index d267ddeb4cf4e..444580bc0bed6 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -189,6 +189,7 @@ in kernel-latest = handleTest ./kernel-latest.nix {}; kernel-lts = handleTest ./kernel-lts.nix {}; kernel-testing = handleTest ./kernel-testing.nix {}; + kernel-latest-ath-user-regd = handleTest ./kernel-latest-ath-user-regd.nix {}; keycloak = discoverTests (import ./keycloak.nix); keymap = handleTest ./keymap.nix {}; knot = handleTest ./knot.nix {}; @@ -344,7 +345,6 @@ in sanoid = handleTest ./sanoid.nix {}; sbt = handleTest ./sbt.nix {}; sbt-extras = handleTest ./sbt-extras.nix {}; - scala = handleTest ./scala.nix {}; sddm = handleTest ./sddm.nix {}; searx = handleTest ./searx.nix {}; service-runner = handleTest ./service-runner.nix {}; @@ -413,6 +413,7 @@ in vector = handleTest ./vector.nix {}; victoriametrics = handleTest ./victoriametrics.nix {}; virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; + vscodium = handleTest ./vscodium.nix {}; wasabibackend = handleTest ./wasabibackend.nix {}; wireguard = handleTest ./wireguard {}; wordpress = handleTest ./wordpress.nix {}; diff --git a/nixos/tests/bees.nix b/nixos/tests/bees.nix index 6e6a9c3446b06..58a9c29513567 100644 --- a/nixos/tests/bees.nix +++ b/nixos/tests/bees.nix @@ -8,7 +8,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: ${pkgs.btrfs-progs}/bin/mkfs.btrfs -f -L aux2 /dev/vdc ''; virtualisation.emptyDiskImages = [ 4096 4096 ]; - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/aux1" = { # filesystem configured to be deduplicated device = "/dev/disk/by-label/aux1"; fsType = "btrfs"; diff --git a/nixos/tests/containers-custom-pkgs.nix b/nixos/tests/containers-custom-pkgs.nix index 397a4a905e6d9..1412c32bfb5f1 100644 --- a/nixos/tests/containers-custom-pkgs.nix +++ b/nixos/tests/containers-custom-pkgs.nix @@ -1,42 +1,34 @@ -# Test for NixOS' container support. - import ./make-test-python.nix ({ pkgs, lib, ...} : let - customPkgs = pkgs // { - hello = pkgs.hello.overrideAttrs(old: { - name = "custom-hello"; + customPkgs = pkgs.appendOverlays [ (self: super: { + hello = super.hello.overrideAttrs (old: { + name = "custom-hello"; }); - }; + }) ]; in { - name = "containers-hosts"; + name = "containers-custom-pkgs"; meta = with lib.maintainers; { - maintainers = [ adisbladis ]; + maintainers = [ adisbladis earvstedt ]; }; - machine = - { ... }: - { - virtualisation.memorySize = 256; - virtualisation.vlans = []; + machine = { config, ... }: { + assertions = let + helloName = (builtins.head config.containers.test.config.system.extraDependencies).name; + in [ { + assertion = helloName == "custom-hello"; + message = "Unexpected value: ${helloName}"; + } ]; - containers.simple = { - autoStart = true; - pkgs = customPkgs; - config = {pkgs, config, ... }: { - environment.systemPackages = [ - pkgs.hello - ]; - }; + containers.test = { + autoStart = true; + config = { pkgs, config, ... }: { + nixpkgs.pkgs = customPkgs; + system.extraDependencies = [ pkgs.hello ]; }; - }; + }; - testScript = '' - start_all() - machine.wait_for_unit("default.target") - machine.succeed( - "test $(nixos-container run simple -- readlink -f /run/current-system/sw/bin/hello) = ${customPkgs.hello}/bin/hello" - ) - ''; + # This test only consists of evaluating the test machine + testScript = ""; }) diff --git a/nixos/tests/fsck.nix b/nixos/tests/fsck.nix index e522419fde2b9..5453f3bc48b59 100644 --- a/nixos/tests/fsck.nix +++ b/nixos/tests/fsck.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix { machine = { lib, ... }: { virtualisation.emptyDiskImages = [ 1 ]; - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/mnt" = { device = "/dev/vdb"; fsType = "ext4"; diff --git a/nixos/tests/glusterfs.nix b/nixos/tests/glusterfs.nix index cb07bc09511dd..ef09264a02167 100644 --- a/nixos/tests/glusterfs.nix +++ b/nixos/tests/glusterfs.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({pkgs, lib, ...}: let client = { pkgs, ... } : { environment.systemPackages = [ pkgs.glusterfs ]; - fileSystems = pkgs.lib.mkVMOverride + virtualisation.fileSystems = { "/gluster" = { device = "server1:/gv0"; fsType = "glusterfs"; @@ -22,7 +22,7 @@ let virtualisation.emptyDiskImages = [ 1024 ]; - fileSystems = pkgs.lib.mkVMOverride + virtualisation.fileSystems = { "/data" = { device = "/dev/disk/by-label/data"; fsType = "ext4"; diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index d3f1f3172965a..0c26eaa310d49 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -18,7 +18,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : { boot.initrd.postDeviceCommands = '' ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb ''; - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/efi" = { device = "/dev/disk/by-label/EFISYS"; fsType = "vfat"; diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 5fa4704d02b6a..789add331b793 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -76,8 +76,8 @@ let def assemble_qemu_flags(): flags = "-cpu max" ${if system == "x86_64-linux" - then ''flags += " -m 768"'' - else ''flags += " -m 512 -enable-kvm -machine virt,gic-version=host"'' + then ''flags += " -m 1024"'' + else ''flags += " -m 768 -enable-kvm -machine virt,gic-version=host"'' } return flags diff --git a/nixos/tests/kernel-latest-ath-user-regd.nix b/nixos/tests/kernel-latest-ath-user-regd.nix new file mode 100644 index 0000000000000..11a3959e692e9 --- /dev/null +++ b/nixos/tests/kernel-latest-ath-user-regd.nix @@ -0,0 +1,17 @@ +import ./make-test-python.nix ({ pkgs, ...} : { + name = "kernel-latest-ath-user-regd"; + meta = with pkgs.lib.maintainers; { + maintainers = [ veehaitch ]; + }; + + machine = { pkgs, ... }: + { + boot.kernelPackages = pkgs.linuxPackages_latest; + networking.wireless.athUserRegulatoryDomain = true; + }; + + testScript = + '' + assert "CONFIG_ATH_USER_REGD=y" in machine.succeed("zcat /proc/config.gz") + ''; +}) diff --git a/nixos/tests/locate.nix b/nixos/tests/locate.nix index 67ae610fe0127..e8ba41812a8f5 100644 --- a/nixos/tests/locate.nix +++ b/nixos/tests/locate.nix @@ -7,7 +7,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: nodes = rec { a = { environment.systemPackages = with pkgs; [ sshfs ]; - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/ssh" = { device = "alice@b:/"; fsType = "fuse.sshfs"; diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix index fda2e60a41b6f..fb19b7060562f 100644 --- a/nixos/tests/misc.nix +++ b/nixos/tests/misc.nix @@ -16,7 +16,7 @@ import ./make-test-python.nix ({ pkgs, ...} : rec { environment.variables.EDITOR = mkOverride 0 "emacs"; documentation.nixos.enable = mkOverride 0 true; systemd.tmpfiles.rules = [ "d /tmp 1777 root root 10d" ]; - fileSystems = mkVMOverride { "/tmp2" = + virtualisation.fileSystems = { "/tmp2" = { fsType = "tmpfs"; options = [ "mode=1777" "noauto" ]; }; diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index 78142d3796648..0b8e1937128c9 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -15,7 +15,7 @@ in { echo "http://nextcloud/remote.php/webdav/ ${adminuser} ${adminpass}" > /tmp/davfs2-secrets chmod 600 /tmp/davfs2-secrets ''; - fileSystems = pkgs.lib.mkVMOverride { + virtualisation.fileSystems = { "/mnt/dav" = { device = "http://nextcloud/remote.php/webdav/"; fsType = "davfs"; @@ -42,6 +42,7 @@ in { enable = true; startAt = "20:00"; }; + phpExtraExtensions = all: [ all.bz2 ]; }; environment.systemPackages = [ cfg.services.nextcloud.occ ]; diff --git a/nixos/tests/nfs/kerberos.nix b/nixos/tests/nfs/kerberos.nix index 078f0b7814cea..75d1210496b00 100644 --- a/nixos/tests/nfs/kerberos.nix +++ b/nixos/tests/nfs/kerberos.nix @@ -40,7 +40,7 @@ in networking.domain = "nfs.test"; networking.hostName = "client"; - fileSystems = lib.mkVMOverride + virtualisation.fileSystems = { "/data" = { device = "server.nfs.test:/"; fsType = "nfs"; diff --git a/nixos/tests/nfs/simple.nix b/nixos/tests/nfs/simple.nix index 630c68a5b05d0..6a01089c0828c 100644 --- a/nixos/tests/nfs/simple.nix +++ b/nixos/tests/nfs/simple.nix @@ -4,7 +4,7 @@ let client = { pkgs, ... }: - { fileSystems = pkgs.lib.mkVMOverride + { virtualisation.fileSystems = { "/data" = { # nfs4 exports the export with fsid=0 as a virtual root directory device = if (version == 4) then "server:/" else "server:/data"; diff --git a/nixos/tests/nixos-generate-config.nix b/nixos/tests/nixos-generate-config.nix index 5daa55a8abbea..7bf8d4da7b6d4 100644 --- a/nixos/tests/nixos-generate-config.nix +++ b/nixos/tests/nixos-generate-config.nix @@ -11,12 +11,11 @@ import ./make-test-python.nix ({ lib, ... } : { } ''; - system.nixos-generate-config.desktopConfiguration = '' + system.nixos-generate-config.desktopConfiguration = ['' # DESKTOP - # services.xserver.enable = true; - # services.xserver.displayManager.gdm.enable = true; - # services.xserver.desktopManager.gnome3.enable = true; - ''; + services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome3.enable = true; + '']; }; testScript = '' start_all() diff --git a/nixos/tests/orangefs.nix b/nixos/tests/orangefs.nix index 24b7737058c83..fe9f9cc37ea03 100644 --- a/nixos/tests/orangefs.nix +++ b/nixos/tests/orangefs.nix @@ -9,7 +9,7 @@ let virtualisation.emptyDiskImages = [ 4096 ]; - fileSystems = pkgs.lib.mkVMOverride + virtualisation.fileSystems = { "/data" = { device = "/dev/disk/by-label/data"; fsType = "ext4"; diff --git a/nixos/tests/power-profiles-daemon.nix b/nixos/tests/power-profiles-daemon.nix new file mode 100644 index 0000000000000..e073677bee9d7 --- /dev/null +++ b/nixos/tests/power-profiles-daemon.nix @@ -0,0 +1,45 @@ +import ./make-test-python.nix ({ pkgs, ... }: + +{ + name = "power-profiles-daemon"; + meta = with pkgs.lib.maintainers; { + maintainers = [ mvnetbiz ]; + }; + machine = { pkgs, ... }: { + services.power-profiles-daemon.enable = true; + environment.systemPackages = [ pkgs.glib ]; + }; + + testScript = '' + def get_profile(): + return machine.succeed( + """gdbus call --system --dest net.hadess.PowerProfiles --object-path /net/hadess/PowerProfiles \ + --method org.freedesktop.DBus.Properties.Get 'net.hadess.PowerProfiles' 'ActiveProfile' + """ + ) + + + def set_profile(profile): + return machine.succeed( + """gdbus call --system --dest net.hadess.PowerProfiles --object-path /net/hadess/PowerProfiles \ + --method org.freedesktop.DBus.Properties.Set 'net.hadess.PowerProfiles' 'ActiveProfile' "<'{profile}'>" + """.format( + profile=profile + ) + ) + + + machine.wait_for_unit("multi-user.target") + + set_profile("power-saver") + profile = get_profile() + if not "power-saver" in profile: + raise Exception("Unable to set power-saver profile") + + + set_profile("balanced") + profile = get_profile() + if not "balanced" in profile: + raise Exception("Unable to set balanced profile") + ''; +}) diff --git a/nixos/tests/samba.nix b/nixos/tests/samba.nix index 142269752b34f..d1d50caabfa53 100644 --- a/nixos/tests/samba.nix +++ b/nixos/tests/samba.nix @@ -8,7 +8,7 @@ import ./make-test-python.nix ({ pkgs, ... }: nodes = { client = { pkgs, ... }: - { fileSystems = pkgs.lib.mkVMOverride + { virtualisation.fileSystems = { "/public" = { fsType = "cifs"; device = "//server/public"; diff --git a/nixos/tests/scala.nix b/nixos/tests/scala.nix deleted file mode 100644 index 4fc3f8aa7b0ad..0000000000000 --- a/nixos/tests/scala.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ system ? builtins.currentSystem, - config ? {}, - pkgs ? import ../.. { inherit system config; } -}: - -with pkgs.lib; - -let - common = name: package: (import ./make-test-python.nix ({ - inherit name; - meta = with pkgs.lib.maintainers; { - maintainers = [ nequissimus ]; - }; - - nodes = { - scala = { ... }: { - environment.systemPackages = [ package ]; - }; - }; - - testScript = '' - start_all() - - scala.succeed("scalac -version 2>&1 | grep '^Scala compiler version ${package.version}'") - ''; - }) { inherit system; }); - -in with pkgs; { - scala_2_10 = common "scala_2_10" scala_2_10; - scala_2_11 = common "scala_2_11" scala_2_11; - scala_2_12 = common "scala_2_12" scala_2_12; - scala_2_13 = common "scala_2_13" scala_2_13; -} diff --git a/nixos/tests/snapcast.nix b/nixos/tests/snapcast.nix index a69b7afe99da7..2fef636251401 100644 --- a/nixos/tests/snapcast.nix +++ b/nixos/tests/snapcast.nix @@ -4,6 +4,8 @@ let port = 10004; tcpPort = 10005; httpPort = 10080; + tcpStreamPort = 10006; + bufferSize = 742; in { name = "snapcast"; meta = with pkgs.lib.maintainers; { @@ -17,18 +19,27 @@ in { port = port; tcp.port = tcpPort; http.port = httpPort; + buffer = bufferSize; streams = { mpd = { type = "pipe"; location = "/run/snapserver/mpd"; + query.mode = "create"; }; bluetooth = { type = "pipe"; location = "/run/snapserver/bluetooth"; }; + tcp = { + type = "tcp"; + location = "127.0.0.1:${toString tcpStreamPort}"; + }; }; }; }; + client = { + environment.systemPackages = [ pkgs.snapcast ]; + }; }; testScript = '' @@ -42,6 +53,7 @@ in { server.wait_until_succeeds("ss -ntl | grep -q ${toString port}") server.wait_until_succeeds("ss -ntl | grep -q ${toString tcpPort}") server.wait_until_succeeds("ss -ntl | grep -q ${toString httpPort}") + server.wait_until_succeeds("ss -ntl | grep -q ${toString tcpStreamPort}") with subtest("check that pipes are created"): server.succeed("test -p /run/snapserver/mpd") @@ -54,5 +66,12 @@ in { server.succeed( "curl --fail http://localhost:${toString httpPort}/jsonrpc -d '{json.dumps(get_rpc_version)}'" ) + + with subtest("test a connection"): + client.execute("systemd-run snapclient -h server -p ${toString port}") + server.wait_until_succeeds( + "journalctl -o cat -u snapserver.service | grep -q 'Hello from'" + ) + client.wait_until_succeeds("journalctl -o cat -u run-\* | grep -q ${toString bufferSize}") ''; }) diff --git a/nixos/tests/snapper.nix b/nixos/tests/snapper.nix index 018102d7f6409..098d8d9d72f55 100644 --- a/nixos/tests/snapper.nix +++ b/nixos/tests/snapper.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ ... }: virtualisation.emptyDiskImages = [ 4096 ]; - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/home" = { device = "/dev/disk/by-label/aux"; fsType = "btrfs"; diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index f7c13a587c58e..e0685f53a9454 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { environment.systemPackages = [ pkgs.cryptsetup ]; - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/test-x-initrd-mount" = { device = "/dev/vdb"; fsType = "ext2"; diff --git a/nixos/tests/vscodium.nix b/nixos/tests/vscodium.nix new file mode 100644 index 0000000000000..ca75da35b1e19 --- /dev/null +++ b/nixos/tests/vscodium.nix @@ -0,0 +1,47 @@ +import ./make-test-python.nix ({ pkgs, ...} : + +{ + name = "vscodium"; + meta = with pkgs.lib.maintainers; { + maintainers = [ turion ]; + }; + + machine = { ... }: + + { + imports = [ + ./common/user-account.nix + ./common/x11.nix + ]; + + virtualisation.memorySize = 2047; + services.xserver.enable = true; + test-support.displayManager.auto.user = "alice"; + environment.systemPackages = with pkgs; [ + vscodium + ]; + }; + + enableOCR = true; + + testScript = { nodes, ... }: '' + # Start up X + start_all() + machine.wait_for_x() + + # Start VSCodium with a file that doesn't exist yet + machine.fail("ls /home/alice/foo.txt") + machine.succeed("su - alice -c 'codium foo.txt' &") + + # Wait for the window to appear + machine.wait_for_text("VSCodium") + + # Save file + machine.send_key("ctrl-s") + + # Wait until the file has been saved + machine.wait_for_file("/home/alice/foo.txt") + + machine.screenshot("VSCodium") + ''; +}) diff --git a/nixos/tests/xmpp/prosody.nix b/nixos/tests/xmpp/prosody.nix index e7755e24bab41..2eb06d88287f0 100644 --- a/nixos/tests/xmpp/prosody.nix +++ b/nixos/tests/xmpp/prosody.nix @@ -85,7 +85,7 @@ in import ../make-test-python.nix { server.succeed('prosodyctl status | grep "Prosody is running"') server.succeed("create-prosody-users") - client.succeed('send-message 2>&1 | grep "XMPP SCRIPT TEST SUCCESS"') + client.succeed("send-message") server.succeed("delete-prosody-users") ''; } diff --git a/nixos/tests/xmpp/xmpp-sendmessage.nix b/nixos/tests/xmpp/xmpp-sendmessage.nix index 30945e68300a8..47a77f524c6af 100644 --- a/nixos/tests/xmpp/xmpp-sendmessage.nix +++ b/nixos/tests/xmpp/xmpp-sendmessage.nix @@ -23,8 +23,26 @@ class CthonTest(ClientXMPP): def __init__(self, jid, password): ClientXMPP.__init__(self, jid, password) self.add_event_handler("session_start", self.session_start) + self.test_succeeded = False async def session_start(self, event): + try: + # Exceptions in event handlers are printed to stderr but not + # propagated, they do not make the script terminate with a non-zero + # exit code. We use the `test_succeeded` flag as a workaround and + # check it later at the end of the script to exit with a proper + # exit code. + # Additionally, this flag ensures that this event handler has been + # actually run by ClientXMPP, which may well not be the case. + await self.test_xmpp_server() + self.test_succeeded = True + finally: + # Even if an exception happens in `test_xmpp_server()`, we still + # need to disconnect explicitly, otherwise the process will hang + # forever. + self.disconnect(wait=True) + + async def test_xmpp_server(self): log = logging.getLogger(__name__) self.send_presence() self.get_roster() @@ -42,11 +60,12 @@ class CthonTest(ClientXMPP): log.error("ERROR: Cannot run upload command. XEP_0363 seems broken") sys.exit(1) log.info('Upload success!') + # Test MUC - self.plugin['xep_0045'].join_muc('testMucRoom', 'cthon98', wait=True) + # TODO: use join_muc_wait() after slixmpp 1.8.0 is released. + self.plugin['xep_0045'].join_muc('testMucRoom', 'cthon98') log.info('MUC join success!') log.info('XMPP SCRIPT TEST SUCCESS') - self.disconnect(wait=True) if __name__ == '__main__': @@ -62,4 +81,7 @@ if __name__ == '__main__': ct.register_plugin('xep_0045') ct.connect(("server", 5222)) ct.process(forever=False) + + if not ct.test_succeeded: + sys.exit(1) '' diff --git a/nixos/tests/zfs.nix b/nixos/tests/zfs.nix index 03aa5e5399c65..ba5eb7cd528eb 100644 --- a/nixos/tests/zfs.nix +++ b/nixos/tests/zfs.nix @@ -29,7 +29,7 @@ let # Setup regular fileSystems machinery to ensure forceImportAll can be # tested via the regular service units. - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/forcepool" = { device = "forcepool"; fsType = "zfs"; |