author | Frederik Rietdijk <fridh@fridh.nl> | 2019-08-14 13:46:33 +0200 |
committer | Frederik Rietdijk <fridh@fridh.nl> | 2019-08-14 13:46:33 +0200 |
commit | cff9e6429a4341e924594f5e057b03ca8101b314 (patch) | |
tree | f8c1a31c9ad11b4c417b9c331747f3b3dc47bdf4 /nixos/modules/services | |
parent | a6055b7d8705d3c3a008e67cde1d43cf5727f76b (diff) | |
parent | 8d56f2472e47a3f1f388b69c0ecc24421910d555 (diff) |
Merge staging-next into staging
Diffstat (limited to 'nixos/modules/services')
30 files changed, 474 insertions, 268 deletions
diff --git a/nixos/modules/services/admin/oxidized.nix b/nixos/modules/services/admin/oxidized.nix index 687cdfb5ba57..39112c3970d5 100644 --- a/nixos/modules/services/admin/oxidized.nix +++ b/nixos/modules/services/admin/oxidized.nix @@ -97,8 +97,8 @@ in preStart = '' mkdir -p ${cfg.dataDir}/.config/oxidized - cp -v ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db - cp -v ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config + ln -f -s ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db + ln -f -s ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config ''; serviceConfig = { diff --git a/nixos/modules/services/backup/automysqlbackup.nix b/nixos/modules/services/backup/automysqlbackup.nix index b845f370fb70..1884f3536a97 100644 --- a/nixos/modules/services/backup/automysqlbackup.nix +++ b/nixos/modules/services/backup/automysqlbackup.nix @@ -41,7 +41,7 @@ in }; config = mkOption { - type = with types; attrsOf (either (either str (either int bool)) (listOf str)); + type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); default = {}; description = '' automysqlbackup configuration. Refer to diff --git a/nixos/modules/services/backup/postgresql-wal-receiver.nix b/nixos/modules/services/backup/postgresql-wal-receiver.nix new file mode 100644 index 000000000000..d9a37037992e --- /dev/null +++ b/nixos/modules/services/backup/postgresql-wal-receiver.nix 
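Review bot: The new `ln -f -s` lines splice `${cfg.routerDB}`, `${cfg.configFile}` and `${cfg.dataDir}` into the shell unquoted, so a path containing whitespace or glob characters is split or expanded before `ln` sees it; `ln -f -s ${escapeShellArg cfg.routerDB} ${escapeShellArg cfg.dataDir}/.config/oxidized/router.db` (and the same for the config line) keeps the fix and matches how other modules quote paths. If router.db carries device credentials, as it typically does for Oxidized, it is also worth a sentence on the `routerDB` option noting that a literal path value is copied into the world-readable Nix store and the symlink now points straight at that copy — the previous `cp` behaved the same way, so this only documents an existing exposure. The preStart string starts inside the hunk but the serviceConfig block continues past it.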
@@ -0,0 +1,203 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + receiverSubmodule = { + options = { + postgresqlPackage = mkOption { + type = types.package; + example = literalExample "pkgs.postgresql_11"; + description = '' + PostgreSQL package to use. + ''; + }; + + directory = mkOption { + type = types.path; + example = literalExample "/mnt/pg_wal/main/"; + description = '' + Directory to write the output to. + ''; + }; + + statusInterval = mkOption { + type = types.int; + default = 10; + description = '' + Specifies the number of seconds between status packets sent back to the server. + This allows for easier monitoring of the progress from server. + A value of zero disables the periodic status updates completely, + although an update will still be sent when requested by the server, to avoid timeout disconnect. + ''; + }; + + slot = mkOption { + type = types.str; + default = ""; + example = "some_slot_name"; + description = '' + Require <command>pg_receivewal</command> to use an existing replication slot (see + <link xlink:href="https://www.postgresql.org/docs/current/warm-standby.html#STREAMING-REPLICATION-SLOTS">Section 26.2.6 of the PostgreSQL manual</link>). + When this option is used, <command>pg_receivewal</command> will report a flush position to the server, + indicating when each segment has been synchronized to disk so that the server can remove that segment if it is not otherwise needed. + + When the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby, + then using a replication slot will report the flush position to the server, but only when a WAL file is closed. + Therefore, that configuration will cause transactions on the primary to wait for a long time and effectively not work satisfactorily. + The option <option>synchronous</option> must be specified in addition to make this work correctly. 
+ ''; + }; + + synchronous = mkOption { + type = types.bool; + default = false; + description = '' + Flush the WAL data to disk immediately after it has been received. + Also send a status packet back to the server immediately after flushing, regardless of <option>statusInterval</option>. + + This option should be specified if the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby, + to ensure that timely feedback is sent to the server. + ''; + }; + + compress = mkOption { + type = types.ints.between 0 9; + default = 0; + description = '' + Enables gzip compression of write-ahead logs, and specifies the compression level + (<literal>0</literal> through <literal>9</literal>, <literal>0</literal> being no compression and <literal>9</literal> being best compression). + The suffix <literal>.gz</literal> will automatically be added to all filenames. + + This option requires PostgreSQL >= 10. + ''; + }; + + connection = mkOption { + type = types.str; + example = "postgresql://user@somehost"; + description = '' + Specifies parameters used to connect to the server, as a connection string. + See <link xlink:href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">Section 34.1.1 of the PostgreSQL manual</link> for more information. + + Because <command>pg_receivewal</command> doesn't connect to any particular database in the cluster, + database name in the connection string will be ignored. + ''; + }; + + extraArgs = mkOption { + type = with types; listOf str; + default = [ ]; + example = literalExample '' + [ + "--no-sync" + ] + ''; + description = '' + A list of extra arguments to pass to the <command>pg_receivewal</command> command. + ''; + }; + + environment = mkOption { + type = with types; attrsOf str; + default = { }; + example = literalExample '' + { + PGPASSFILE = "/private/passfile"; + PGSSLMODE = "require"; + } + ''; + description = '' + Environment variables passed to the service. 
+ Usable parameters are listed in <link xlink:href="https://www.postgresql.org/docs/current/libpq-envars.html">Section 34.14 of the PostgreSQL manual</link>. + ''; + }; + }; + }; + +in { + options = { + services.postgresqlWalReceiver = { + receivers = mkOption { + type = with types; attrsOf (submodule receiverSubmodule); + default = { }; + example = literalExample '' + { + main = { + postgresqlPackage = pkgs.postgresql_11; + directory = /mnt/pg_wal/main/; + slot = "main_wal_receiver"; + connection = "postgresql://user@somehost"; + }; + } + ''; + description = '' + PostgreSQL WAL receivers. + Stream write-ahead logs from a PostgreSQL server using <command>pg_receivewal</command> (formerly <command>pg_receivexlog</command>). + See <link xlink:href="https://www.postgresql.org/docs/current/app-pgreceivewal.html">the man page</link> for more information. + ''; + }; + }; + }; + + config = let + receivers = config.services.postgresqlWalReceiver.receivers; + in mkIf (receivers != { }) { + users = { + users.postgres = { + uid = config.ids.uids.postgres; + group = "postgres"; + description = "PostgreSQL server user"; + }; + + groups.postgres = { + gid = config.ids.gids.postgres; + }; + }; + + assertions = concatLists (attrsets.mapAttrsToList (name: config: [ + { + assertion = config.compress > 0 -> versionAtLeast config.postgresqlPackage.version "10"; + message = "Invalid configuration for WAL receiver \"${name}\": compress requires PostgreSQL version >= 10."; + } + ]) receivers); + + systemd.tmpfiles.rules = mapAttrsToList (name: config: '' + d ${escapeShellArg config.directory} 0750 postgres postgres - - + '') receivers; + + systemd.services = with attrsets; mapAttrs' (name: config: nameValuePair "postgresql-wal-receiver-${name}" { + description = "PostgreSQL WAL receiver (${name})"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "postgres"; + Group = "postgres"; + KillSignal = "SIGINT"; + Restart = "always"; + RestartSec = 30; + }; + + inherit 
(config) environment; + + script = let + receiverCommand = postgresqlPackage: + if (versionAtLeast postgresqlPackage.version "10") + then "${postgresqlPackage}/bin/pg_receivewal" + else "${postgresqlPackage}/bin/pg_receivexlog"; + in '' + ${receiverCommand config.postgresqlPackage} \ + --no-password \ + --directory=${escapeShellArg config.directory} \ + --status-interval=${toString config.statusInterval} \ + --dbname=${escapeShellArg config.connection} \ + ${optionalString (config.compress > 0) "--compress=${toString config.compress}"} \ + ${optionalString (config.slot != "") "--slot=${escapeShellArg config.slot}"} \ + ${optionalString config.synchronous "--synchronous"} \ + ${concatStringsSep " " config.extraArgs} + ''; + }) receivers; + }; + + meta.maintainers = with maintainers; [ pacien ]; +} diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index 5ddf8ba4bfbd..77e404116c8a 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -160,7 +160,7 @@ in { systemd.tmpfiles.rules = [ "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -" - "d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -" + "f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -" "d '${cfg.databaseDir}' - ${cfg.user} ${cfg.group} - -" "d '${cfg.viewIndexDir}' - ${cfg.user} ${cfg.group} - -" ]; @@ -169,11 +169,9 @@ in { description = "CouchDB Server"; wantedBy = [ "multi-user.target" ]; - preStart = - '' + preStart = '' touch ${cfg.configFile} - touch -a ${cfg.logFile} - ''; + ''; environment = mkIf useVersion2 { # we are actually specifying 4 configuration files: diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix index 052ff1f308eb..f9e403dfc0c2 100644 --- a/nixos/modules/services/databases/memcached.nix +++ b/nixos/modules/services/databases/memcached.nix 
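Review bot: `config.extraArgs` is joined with `concatStringsSep " "` and spliced into the script unquoted, unlike every other argument on the command line which goes through `escapeShellArg`, so an extra argument containing a space or shell metacharacter is re-split by the shell; `${escapeShellArgs config.extraArgs}` fixes that with one change. Separately, the `connection` option's description says nothing about credentials, yet the generated script lives in the world-readable Nix store and the connection string appears in the process list, so a `password=` placed there leaks; one sentence pointing users to the `PGPASSFILE` environment example would help. The service runs with no sandboxing at all, while memcached in this same commit gains `ProtectSystem`, `NoNewPrivileges` and friends; the same set, with `ReadWritePaths` covering `config.directory`, would fit a long-running network client that only writes to one directory.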
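Review bot: Replacing the `d '${dirOf cfg.logFile}'` rule with `f '${cfg.logFile}'` drops the guarantee that the log directory is owned by `${cfg.user}`; if that directory does not exist yet, I believe systemd-tmpfiles creates the missing parents root-owned with a default mode, so CouchDB can write the pre-created file but cannot create or rotate anything else beside it. Keeping `"d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -"` immediately before the new `f` rule preserves the old behaviour while still pre-creating the file. Note also that `f` with mode `-` defaults to 0644, so the log is world-readable; `0640` is the conservative choice if the log may contain request details.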
@@ -86,7 +86,25 @@ in in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}"; User = cfg.user; + + # Filesystem access + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; RuntimeDirectory = "memcached"; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; }; }; }; diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 7ff899970ccd..10250bb5193a 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -330,13 +330,13 @@ in fi '' + optionalString (cfg.ensureDatabases != []) '' ${concatMapStrings (database: '' - $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE ${database}" + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"' '') cfg.ensureDatabases} '' + '' ${concatMapStrings (user: '' $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}" ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' - $PSQL -tAc "GRANT ${permission} ON ${database} TO ${user.name}" + $PSQL -tAc 'GRANT ${permission} ON ${database} TO ${user.name}' '') user.ensurePermissions)} '') cfg.ensureUsers} ''; diff --git a/nixos/modules/services/desktops/gnome3/evince.nix b/nixos/modules/services/desktops/gnome3/evince.nix deleted file mode 100644 index 5f040a16f067..000000000000 --- a/nixos/modules/services/desktops/gnome3/evince.nix +++ /dev/null 
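Review bot: `ProtectSystem = "strict"` makes the filesystem read-only apart from `RuntimeDirectory`, so a Unix socket passed through `extraOptions` (memcached's `-s` flag) at a path outside `/run/memcached` will now fail to bind; the `extraOptions` description should say so, or the unit should expose a `ReadWritePaths` for such a path. The hardening set is otherwise sound; two additions that fit a plain network daemon are `RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";` and `SystemCallArchitectures = "native";`, and `SystemCallFilter = "@system-service";` would round it out. The serviceConfig attribute set begins before the hunk.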
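Review bot: Quoting the identifier in `CREATE DATABASE "${database}"` makes the created name case-preserving, but `CREATE USER ${user.name}` two lines below stays unquoted while its existence check compares `rolname='${user.name}'` literally, so a mixed-case `user.name` is folded to lowercase on creation, the check never matches, and every subsequent start presumably re-runs `CREATE USER` against an existing role; `$PSQL -tAc 'CREATE USER "${user.name}"'` makes it consistent with the database case. Neither value is escaped, so a `"` or `'` inside a name still breaks the statement — these come from the NixOS configuration rather than untrusted input, but an assertion rejecting such characters would make the failure explicit instead of a broken SQL error at start. The `GRANT` line cannot be quoted the same way, since `${database}` there appears to be a free-form object clause such as `DATABASE foo`.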
@@ -1,35 +0,0 @@ -# Evince. - -{ config, pkgs, lib, ... }: - -with lib; - -{ - - ###### interface - - options = { - - services.gnome3.evince = { - - enable = mkEnableOption - "systemd and dbus services for Evince, the GNOME document viewer"; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.gnome3.evince.enable { - - environment.systemPackages = [ pkgs.evince ]; - - services.dbus.packages = [ pkgs.evince ]; - - systemd.packages = [ pkgs.evince ]; - - }; - -} diff --git a/nixos/modules/services/desktops/gnome3/file-roller.nix b/nixos/modules/services/desktops/gnome3/file-roller.nix deleted file mode 100644 index 7fb558a98953..000000000000 --- a/nixos/modules/services/desktops/gnome3/file-roller.nix +++ /dev/null @@ -1,32 +0,0 @@ -# File Roller. - -{ config, pkgs, lib, ... }: - -with lib; - -{ - - ###### interface - - options = { - - services.gnome3.file-roller = { - - enable = mkEnableOption "File Roller, an archive manager for GNOME"; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.gnome3.file-roller.enable { - - environment.systemPackages = [ pkgs.gnome3.file-roller ]; - - services.dbus.packages = [ pkgs.gnome3.file-roller ]; - - }; - -} diff --git a/nixos/modules/services/desktops/gnome3/gnome-disks.nix b/nixos/modules/services/desktops/gnome3/gnome-disks.nix deleted file mode 100644 index 139534cdb892..000000000000 --- a/nixos/modules/services/desktops/gnome3/gnome-disks.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -# GNOME Disks daemon. - -{ config, pkgs, lib, ... }: - -with lib; - -{ - - ###### interface - - options = { - - services.gnome3.gnome-disks = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable GNOME Disks daemon, a service designed to - be a UDisks2 graphical front-end. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.gnome3.gnome-disks.enable { - - environment.systemPackages = [ pkgs.gnome3.gnome-disk-utility ]; - - services.dbus.packages = [ pkgs.gnome3.gnome-disk-utility ]; - - }; - -} diff --git a/nixos/modules/services/desktops/gnome3/gnome-documents.nix b/nixos/modules/services/desktops/gnome3/gnome-documents.nix deleted file mode 100644 index f6efb6684240..000000000000 --- a/nixos/modules/services/desktops/gnome3/gnome-documents.nix +++ /dev/null @@ -1,43 +0,0 @@ -# GNOME Documents daemon. - -{ config, pkgs, lib, ... }: - -with lib; - -{ - - ###### interface - - options = { - - services.gnome3.gnome-documents = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable GNOME Documents services, a document - manager application for GNOME. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.gnome3.gnome-documents.enable { - - environment.systemPackages = [ pkgs.gnome3.gnome-documents ]; - - services.dbus.packages = [ pkgs.gnome3.gnome-documents ]; - - services.gnome3.gnome-online-accounts.enable = true; - - services.gnome3.gnome-online-miners.enable = true; - - }; - -} diff --git a/nixos/modules/services/desktops/gnome3/gpaste.nix b/nixos/modules/services/desktops/gnome3/gpaste.nix deleted file mode 100644 index 5a8258775e0a..000000000000 --- a/nixos/modules/services/desktops/gnome3/gpaste.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -# GPaste daemon. -{ config, lib, pkgs, ... }: - -with lib; - -{ - ###### interface - options = { - services.gnome3.gpaste = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable GPaste, a clipboard manager. - ''; - }; - }; - }; - - ###### implementation - config = mkIf config.services.gnome3.gpaste.enable { - environment.systemPackages = [ pkgs.gnome3.gpaste ]; - services.dbus.packages = [ pkgs.gnome3.gpaste ]; - services.xserver.desktopManager.gnome3.sessionPath = [ pkgs.gnome3.gpaste ]; - systemd.packages = [ pkgs.gnome3.gpaste ]; - }; -} diff --git a/nixos/modules/services/games/minecraft-server.nix b/nixos/modules/services/games/minecraft-server.nix index 39a68f4b5536..eb9288fca586 100644 --- a/nixos/modules/services/games/minecraft-server.nix +++ b/nixos/modules/services/games/minecraft-server.nix @@ -118,7 +118,7 @@ in { }; serverProperties = mkOption { - type = with types; attrsOf (either bool (either int str)); + type = with types; attrsOf (oneOf [ bool int str ]); default = {}; example = literalExample '' { diff --git a/nixos/modules/services/mail/davmail.nix b/nixos/modules/services/mail/davmail.nix index 5b5cc294e5c7..374a3dd75c1c 100644 --- a/nixos/modules/services/mail/davmail.nix +++ b/nixos/modules/services/mail/davmail.nix @@ -7,7 +7,7 @@ let cfg = config.services.davmail; configType = with types; - either (either (attrsOf configType) str) (either int bool) // { + oneOf [ (attrsOf configType) str int bool ] // { description = "davmail config type (str, int, bool or attribute set thereof)"; }; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index dab1b29aa4be..2b08ab1e6aa6 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix 
@@ -447,7 +447,7 @@ in }; config = mkOption { - type = with types; attrsOf (either bool (either str (listOf str))); + type = with types; attrsOf (oneOf [ bool str (listOf str) ]); description = '' The main.cf configuration file as key value set. ''; diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 5541b8b79b7e..e59d5715de05 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -331,7 +331,7 @@ in }; config = mkOption { - type = with types; attrsOf (either bool (either str (listOf str))); + type = with types; attrsOf (oneOf [ bool str (listOf str) ]); description = '' Addon to postfix configuration ''; diff --git a/nixos/modules/services/mail/rss2email.nix b/nixos/modules/services/mail/rss2email.nix index a123736005ab..df454abc8267 100644 --- a/nixos/modules/services/mail/rss2email.nix +++ b/nixos/modules/services/mail/rss2email.nix @@ -30,7 +30,7 @@ in { }; config = mkOption { - type = with types; attrsOf (either str (either int bool)); + type = with types; attrsOf (oneOf [ str int bool ]); default = {}; description = '' The configuration to give rss2email. diff --git a/nixos/modules/services/misc/dwm-status.nix b/nixos/modules/services/misc/dwm-status.nix new file mode 100644 index 000000000000..b98a42e6a6d2 --- /dev/null +++ b/nixos/modules/services/misc/dwm-status.nix 
@@ -0,0 +1,73 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.dwm-status; + + order = concatMapStringsSep "," (feature: ''"${feature}"'') cfg.order; + + configFile = pkgs.writeText "dwm-status.toml" '' + order = [${order}] + + ${cfg.extraConfig} + ''; +in + +{ + + ###### interface + + options = { + + services.dwm-status = { + + enable = mkEnableOption "dwm-status user service"; + + package = mkOption { + type = types.package; + default = pkgs.dwm-status; + defaultText = "pkgs.dwm-status"; + example = "pkgs.dwm-status.override { enableAlsaUtils = false; }"; + description = '' + Which dwm-status package to use. + ''; + }; + + order = mkOption { + type = types.listOf (types.enum [ "audio" "backlight" "battery" "cpu_load" "network" "time" ]); + description = '' + List of enabled features in order. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra config in TOML format. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + services.upower.enable = elem "battery" cfg.order; + + systemd.user.services.dwm-status = { + description = "Highly performant and configurable DWM status service"; + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + + serviceConfig.ExecStart = "${cfg.package}/bin/dwm-status ${configFile}"; + }; + + }; + +} diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 2f3f76d79ff3..087630f21776 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix 
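Review bot: The `package` option's `example` is a plain string, so the generated manual renders it quoted as a string value rather than as Nix code; `example = literalExample "pkgs.dwm-status.override { enableAlsaUtils = false; }";` is the form used for this elsewhere in the module tree. `order` has no `default`, so enabling the service without setting it fails evaluation with a generic missing-value error; either `default = [ ]` or an `example` listing a few of the enum values would make the requirement clear to readers of the docs. `extraConfig` is appended verbatim after the generated `order = [...]` line, which deserves one sentence in its description so users know that a second `order =` key would likely be rejected as a duplicate TOML key.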
@@ -502,7 +502,7 @@ in { "d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -" - "d ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -" + "D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -" diff --git a/nixos/modules/services/monitoring/datadog-agent.nix b/nixos/modules/services/monitoring/datadog-agent.nix index ce3d53fb2c17..7f78db74677c 100644 --- a/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixos/modules/services/monitoring/datadog-agent.nix @@ -42,9 +42,9 @@ let # Apply the configured extraIntegrations to the provided agent # package. See the documentation of `dd-agent/integrations-core.nix` # for detailed information on this. - datadogPkg = cfg.package.overrideAttrs(_: { - python = (pkgs.datadog-integrations-core cfg.extraIntegrations).python; - }); + datadogPkg = cfg.package.override { + pythonPackages = pkgs.datadog-integrations-core cfg.extraIntegrations; + }; in { options.services.datadog-agent = { enable = mkOption { @@ -60,7 +60,7 @@ in { defaultText = "pkgs.datadog-agent"; description = '' Which DataDog v6 agent package to use. Note that the provided - package is expected to have an overridable `python`-attribute + package is expected to have an overridable `pythonPackages`-attribute which configures the Python environment with the Datadog checks. ''; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index c2f6b585d493..bf1084eecc3a 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix 
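Review bot: Changing `d` to `D` for `config/initializers` means systemd-tmpfiles empties the directory whenever it runs with `--remove` (normally at boot), so any initializer an administrator placed there by hand disappears silently; a comment on that line such as `# D: contents are wiped at boot and regenerated by the service; do not hand-place initializers here` would record the intent, and the module's option docs should say the same. I assume the initializers are regenerated by the gitlab unit's preStart, which is outside this hunk; if they are not, the cleanup removes files the service needs.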
@@ -503,12 +503,12 @@ in { message = "Cannot set both adminPassword and adminPasswordFile"; } { - assertion = cfg.security.secretKeyFile != opt.security.secretKeyFile.default -> cfg.sec |