authorVladimír Čunát <vcunat@gmail.com>2016-02-17 10:06:31 +0100
committerVladimír Čunát <vcunat@gmail.com>2016-02-17 10:06:31 +0100
commite9520e81b375fca8bcf06b3f4c2dd3bb0b757be6 (patch)
tree7da1bda216c30520d864a266735c48988c2b2369 /nixos
parentee994dfae6e897ee4e7405e1624be43625086622 (diff)
parent2f3eae3a87eb4f9e330ac2c31611061c1ae8699f (diff)
Merge branch 'master' into staging
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-unstable.xml1
-rw-r--r--nixos/modules/hardware/all-firmware.nix2
-rw-r--r--nixos/modules/hardware/network/intel-2200bg.nix2
-rw-r--r--nixos/modules/hardware/video/webcam/facetimehd.nix45
-rw-r--r--nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix2
-rw-r--r--nixos/modules/installer/cd-dvd/sd-image.nix10
-rw-r--r--nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix3
-rw-r--r--nixos/modules/installer/cd-dvd/system-tarball.nix2
-rw-r--r--nixos/modules/installer/tools/nixos-install.sh5
-rw-r--r--nixos/modules/misc/ids.nix5
-rw-r--r--nixos/modules/module-list.nix4
-rw-r--r--nixos/modules/security/acme.nix4
-rw-r--r--nixos/modules/services/databases/postgresql.nix38
-rw-r--r--nixos/modules/services/hardware/bluetooth.nix60
-rw-r--r--nixos/modules/services/logging/logstash.nix6
-rw-r--r--nixos/modules/services/mail/dovecot.nix1
-rw-r--r--nixos/modules/services/mail/dspam.nix11
-rw-r--r--nixos/modules/services/mail/postfix.nix32
-rw-r--r--nixos/modules/services/mail/postsrsd.nix6
-rw-r--r--nixos/modules/services/misc/cfdyndns.nix70
-rw-r--r--nixos/modules/services/misc/gammu-smsd.nix253
-rw-r--r--nixos/modules/services/misc/gitit.nix1
-rw-r--r--nixos/modules/services/networking/i2pd.nix300
-rw-r--r--nixos/modules/services/networking/pdnsd.nix93
-rw-r--r--nixos/modules/services/networking/tinc.nix12
-rw-r--r--nixos/modules/services/networking/unbound.nix44
-rw-r--r--nixos/modules/services/networking/unifi.nix2
-rw-r--r--nixos/modules/services/networking/wpa_supplicant.nix28
-rw-r--r--nixos/modules/services/search/elasticsearch.nix13
-rw-r--r--nixos/modules/services/search/kibana.nix65
-rw-r--r--nixos/modules/services/web-servers/apache-httpd/mediawiki.nix4
-rw-r--r--nixos/modules/services/x11/hardware/synaptics.nix29
-rw-r--r--nixos/modules/services/x11/window-managers/i3.nix2
-rw-r--r--nixos/modules/system/boot/kernel.nix3
-rw-r--r--nixos/modules/system/boot/loader/init-script/init-script-builder.sh9
-rw-r--r--nixos/modules/tasks/kbd.nix51
-rw-r--r--nixos/modules/tasks/network-interfaces-scripted.nix7
-rw-r--r--nixos/modules/virtualisation/azure-agent.nix9
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix1
-rw-r--r--nixos/tests/simple.nix4
40 files changed, 893 insertions, 346 deletions
diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml
index 768b51d84a46..c2d1563e0a5d 100644
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -41,6 +41,7 @@ nixos.path = ./nixpkgs-unstable-2015-12-06/nixos;
<itemizedlist>
<listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem>
+ <listitem><para><literal>services/networking/pdnsd.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/pump.io.nix</literal></para></listitem>
<listitem><para><literal>services/security/haka.nix</literal></para></listitem>
</itemizedlist>
diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix
index 1a04baef1930..d0d481f72a40 100644
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@@ -22,7 +22,7 @@ with lib;
###### implementation
config = mkIf config.hardware.enableAllFirmware {
- hardware.firmware = [ pkgs.firmwareLinuxNonfree ];
+ hardware.firmware = [ pkgs.firmwareLinuxNonfree pkgs.intel2200BGFirmware ];
};
}
diff --git a/nixos/modules/hardware/network/intel-2200bg.nix b/nixos/modules/hardware/network/intel-2200bg.nix
index 1b70057d135b..17b973474c93 100644
--- a/nixos/modules/hardware/network/intel-2200bg.nix
+++ b/nixos/modules/hardware/network/intel-2200bg.nix
@@ -23,7 +23,7 @@
config = lib.mkIf config.networking.enableIntel2200BGFirmware {
- hardware.enableAllFirmware = true;
+ hardware.firmware = [ pkgs.intel2200BGFirmware ];
};
diff --git a/nixos/modules/hardware/video/webcam/facetimehd.nix b/nixos/modules/hardware/video/webcam/facetimehd.nix
new file mode 100644
index 000000000000..b35709763b90
--- /dev/null
+++ b/nixos/modules/hardware/video/webcam/facetimehd.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.hardware.facetimehd;
+
+ kernelPackages = config.boot.kernelPackages;
+
+in
+
+{
+
+ options.hardware.facetimehd.enable = mkEnableOption "facetimehd kernel module";
+
+ config = mkIf cfg.enable {
+
+ assertions = singleton {
+ assertion = versionAtLeast kernelPackages.kernel.version "3.19";
+ message = "facetimehd is not supported for kernels older than 3.19";
+ };
+
+ boot.kernelModules = [ "facetimehd" ];
+
+ boot.blacklistedKernelModules = [ "bdc_pci" ];
+
+ boot.extraModulePackages = [ kernelPackages.facetimehd ];
+
+ hardware.firmware = [ pkgs.facetimehd-firmware ];
+
+ # unload module during suspend/hibernate as it crashes the whole system
+ powerManagement.powerDownCommands = ''
+ ${pkgs.module_init_tools}/bin/rmmod -f facetimehd
+ '';
+
+ # and load it back on resume
+ powerManagement.resumeCommands = ''
+ export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
+ ${pkgs.module_init_tools}/bin/modprobe -v facetimehd
+ '';
+
+ };
+
+}
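Review bot: `rmmod -f facetimehd` in `powerDownCommands` forces the module out even if it is still in use, which rmmod(8) documents as potentially dangerous and which only works on kernels built with CONFIG_MODULE_FORCE_UNLOAD; since the comment says the goal is just to get the module out before suspend, a normal unload should be tried first, e.g. `${pkgs.module_init_tools}/bin/rmmod facetimehd || ${pkgs.module_init_tools}/bin/rmmod -f facetimehd`. A failed unload is also silent here, so the system proceeds into exactly the suspend path the comment says crashes it; whether `-f` is actually required for this driver is not visible from the module, so a comment recording why it was chosen would help the next maintainer.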
diff --git a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
index 15e22fb50d48..957a8ff9ce6d 100644
--- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
@@ -23,7 +23,7 @@ in
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
- boot.kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
+ boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
# FIXME: this probably should be in installation-device.nix
users.extraUsers.root.initialHashedPassword = "";
diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix
index 12b4f3045614..9eba542d8c91 100644
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@@ -30,7 +30,7 @@ in
bootSize = mkOption {
type = types.int;
- default = 128;
+ default = 120;
description = ''
Size of the /boot partition, in megabytes.
'';
@@ -66,10 +66,10 @@ in
buildInputs = with pkgs; [ dosfstools e2fsprogs mtools libfaketime utillinux ];
buildCommand = ''
- # Create the image file sized to fit /boot and /, plus 4M of slack
+ # Create the image file sized to fit /boot and /, plus 20M of slack
rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }')
bootSizeBlocks=$((${toString config.sdImage.bootSize} * 1024 * 1024 / 512))
- imageSize=$((rootSizeBlocks * 512 + bootSizeBlocks * 512 + 4096 * 1024))
+ imageSize=$((rootSizeBlocks * 512 + bootSizeBlocks * 512 + 20 * 1024 * 1024))
truncate -s $imageSize $out
# type=b is 'W95 FAT32', type=83 is 'Linux'.
@@ -77,8 +77,8 @@ in
label: dos
label-id: 0x2178694e
- start=1M, size=$bootSizeBlocks, type=b, bootable
- type=83
+ start=8M, size=$bootSizeBlocks, type=b, bootable
+ start=${toString (8 + config.sdImage.bootSize)}M, type=83
EOF
# Copy the rootfs into the SD image
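Review bot: Moving the boot partition to `start=8M` is not reflected in `imageSize` in the previous hunk, which sums the two partitions plus 20M of slack from offset 0; the leading 8M is therefore taken out of that slack, leaving 12M, and the `plus 20M of slack` comment overstates what is left. Either add the offset, `imageSize=$((8 * 1024 * 1024 + rootSizeBlocks * 512 + bootSizeBlocks * 512 + 20 * 1024 * 1024))`, or correct the comment. The root partition start `${toString (8 + config.sdImage.bootSize)}M` repeats the same `8` as a literal; binding the offset once in the enclosing `let` (which starts before this hunk) and using it in both sfdisk lines and in `imageSize` would keep the three in sync.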
diff --git a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
index de0cc604bf3b..7badfcb8df22 100644
--- a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
@@ -86,8 +86,7 @@ in
system.boot.loader.kernelFile = "uImage";
boot.initrd.availableKernelModules =
- [ "mvsdio" "mmc_block" "reiserfs" "ext3" "ums-cypress" "rtc_mv"
- "ext4" ];
+ [ "mvsdio" "reiserfs" "ext3" "ums-cypress" "rtc_mv" "ext4" ];
boot.postBootCommands =
''
diff --git a/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixos/modules/installer/cd-dvd/system-tarball.nix
index c24fe97fba46..90e9b98a4575 100644
--- a/nixos/modules/installer/cd-dvd/system-tarball.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball.nix
@@ -43,7 +43,7 @@ in
# so that we don't need to know its device.
fileSystems = [ ];
- # boot.initrd.availableKernelModules = [ "mvsdio" "mmc_block" "reiserfs" "ext3" "ext4" ];
+ # boot.initrd.availableKernelModules = [ "mvsdio" "reiserfs" "ext3" "ext4" ];
# boot.initrd.kernelModules = [ "rtc_mv" ];
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 4e10615f902f..c23d7e5b509d 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -73,11 +73,6 @@ if ! test -e "$mountPoint"; then
exit 1
fi
-if ! grep -F -q " $mountPoint " /proc/mounts; then
- echo "$mountPoint doesn't appear to be a mount point"
- exit 1
-fi
-
# Mount some stuff in the target root directory.
mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 064b4cbc4b33..19da804c13f3 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -248,6 +248,9 @@
matrix-synapse = 224;
rspamd = 225;
rmilter = 226;
+ cfdyndns = 227;
+ gammu-smsd = 228;
+ pdnsd = 229;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -473,6 +476,8 @@
matrix-synapse = 224;
rspamd = 225;
rmilter = 226;
+ cfdyndns = 227;
+ pdnsd = 229;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal
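Review bot: The uid hunk above reserves `gammu-smsd = 228` but this gid hunk adds only `cfdyndns = 227` and `pdnsd = 229`, leaving gid 228 unreserved; the comment right below says users and groups of the same name should have equal ids. If `gammu-smsd.nix` (not visible here) creates a dedicated group it should reserve `gammu-smsd = 228;` here too, and if it deliberately reuses an existing group a short comment on the uid line would stop the next reader from filling the gap with something else.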
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f0b90d3d8c80..8254cdd6f5eb 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -42,6 +42,7 @@
./hardware/video/bumblebee.nix
./hardware/video/nvidia.nix
./hardware/video/ati.nix
+ ./hardware/video/webcam/facetimehd.nix
./installer/tools/auto-upgrade.nix
./installer/tools/nixos-checkout.nix
./installer/tools/tools.nix
@@ -200,6 +201,7 @@
./services/misc/bepasty.nix
./services/misc/canto-daemon.nix
./services/misc/calibre-server.nix
+ ./services/misc/cfdyndns.nix
./services/misc/cpuminer-cryptonight.nix
./services/misc/cgminer.nix
./services/misc/confd.nix
@@ -210,6 +212,7 @@
./services/misc/etcd.nix
./services/misc/felix.nix
./services/misc/folding-at-home.nix
+ ./services/misc/gammu-smsd.nix
#./services/misc/gitit.nix
./services/misc/gitlab.nix
./services/misc/gitolite.nix
@@ -339,6 +342,7 @@
./services/networking/openntpd.nix
./services/networking/openvpn.nix
./services/networking/ostinato.nix
+ ./services/networking/pdnsd.nix
./services/networking/polipo.nix
./services/networking/prayer.nix
./services/networking/privoxy.nix
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 15e5b49878f6..3d25e811e670 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -56,8 +56,8 @@ let
plugins = mkOption {
type = types.listOf (types.enum [
- "cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh"
- "fullchain.der" "fullchain.pem" "key.der" "key.pem" "account_key.json"
+ "cert.der" "cert.pem" "chain.pem" "external_pem.sh"
+ "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
]);
default = [ "fullchain.pem" "key.pem" "account_key.json" ];
description = ''
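Review bot: The new `full.pem` plugin value is not explained; if, as its name suggests, it concatenates the private key with the certificate and chain, it is as sensitive as `key.pem` and the option description (which continues past this hunk) should say so, e.g. add a line `full.pem bundles key, certificate and chain in one file and must be protected like key.pem`. Removing `chain.der` and `fullchain.der` from the enum will also make evaluation fail for any existing configuration that lists them, so this deserves a release-note entry alongside the `pdnsd` one added in the first hunk of this commit.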
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index c2045a5859c5..31ffe51c11ef 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -158,7 +158,7 @@ in
# Note: when changing the default, make it conditional on
# ‘system.stateVersion’ to maintain compatibility with existing
# systems!
- mkDefault pkgs.postgresql94;
+ mkDefault (if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql95 else pkgs.postgresql94);
services.postgresql.authentication = mkAfter
''
@@ -177,7 +177,7 @@ in
users.extraGroups.postgres.gid = config.ids.gids.postgres;
- environment.systemPackages = [postgresql];
+ environment.systemPackages = [ postgresql ];
systemd.services.postgresql =
{ description = "PostgreSQL Server";
@@ -187,35 +187,37 @@ in
environment.PGDATA = cfg.dataDir;
- path = [ pkgs.su postgresql ];
+ path = [ postgresql ];
preStart =
''
- # Initialise the database.
+ # Create data directory.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
- mkdir -m 0700 -p ${cfg.dataDir}
- rm -f ${cfg.dataDir}/*.conf
- if [ "$(id -u)" = 0 ]; then
- chown -R postgres ${cfg.dataDir}
- su -s ${pkgs.stdenv.shell} postgres -c 'initdb -U root'
- else
- # For non-root operation.
- initdb
- fi
- # See postStart!
- touch "${cfg.dataDir}/.first_startup"
+ mkdir -m 0700 -p ${cfg.dataDir}
+ rm -f ${cfg.dataDir}/*.conf
+ chown -R postgres:postgres ${cfg.dataDir}
fi
+ ''; # */
+ script =
+ ''
+ # Initialise the database.
+ if ! test -e ${cfg.dataDir}/PG_VERSION; then
+ initdb -U root
+ # See postStart!
+ touch "${cfg.dataDir}/.first_startup"
+ fi
ln -sfn "${configFile}" "${cfg.dataDir}/postgresql.conf"
${optionalString (cfg.recoveryConfig != null) ''
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
- ''; # */
+
+ exec postgres ${toString flags}
+ '';
serviceConfig =
- { ExecStart = "@${postgresql}/bin/postgres postgres ${toString flags}";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ { ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "postgres";
Group = "postgres";
PermissionsStartOnly = true;
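Review bot: `initdb -U root` in the new `script` names the database superuser role `root`, which has nothing to do with the unix root account and is easy to misread now that the explicit `su … postgres` branch that made the distinction visible is gone; a one-line comment such as `# -U root: name of the database superuser role, not the unix user (kept so existing data directories keep working)` would help, though the compatibility motive is my inference. It is also worth a comment above `preStart` that it is the only part still running as root (via `PermissionsStartOnly`) and is limited to creating and chowning the data directory, since that privilege reduction is the property this restructuring gains and the next editor should not add more there.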
diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix
index 68d0406e63bd..fc95c4910bf7 100644
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@@ -1,6 +1,43 @@
{ config, lib, pkgs, ... }:
with lib;
+let
+ bluez-bluetooth = if config.services.xserver.desktopManager.kde4.enable then pkgs.bluez else pkgs.bluez5;
+
+ configBluez = {
+ description = "Bluetooth Service";
+ serviceConfig = {
+ Type = "dbus";
+ BusName = "org.bluez";
+ ExecStart = "${bluez-bluetooth}/sbin/bluetoothd -n";
+ };
+ wantedBy = [ "bluetooth.target" ];
+ };
+
+ configBluez5 = {
+ description = "Bluetooth Service";
+ serviceConfig = {
+ Type = "dbus";
+ BusName = "org.bluez";
+ ExecStart = "${bluez-bluetooth}/sbin/bluetoothd -n";
+ NotifyAccess="main";
+ CapabilityBoundingSet="CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+ LimitNPROC=1;
+ };
+ wantedBy = [ "bluetooth.target" ];
+ };
+
+ obexConfig = {
+ description = "Bluetooth OBEX service";
+ serviceConfig = {
+ Type = "dbus";
+ BusName = "org.bluez.obex";
+ ExecStart = "${bluez-bluetooth}/sbin/obexd";
+ };
+ };
+
+ bluezConfig = if config.services.xserver.desktopManager.kde4.enable then configBluez else configBluez5;
+in
{
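Review bot: `obexConfig` runs `obexd` as root on the system bus with no `CapabilityBoundingSet`, `User=` or other restriction, while `configBluez5` right above it confines `bluetoothd` to `CAP_NET_ADMIN CAP_NET_BIND_SERVICE` and `LimitNPROC=1`; obexd is the component that accepts file transfers from remote devices, so it deserves at least the same hardening. If upstream ships obexd as a per-user session unit (as I believe bluez5 does), defining it here as a system service also changes its privilege level — worth confirming which is intended. The three attrsets repeat `description`/`Type`/`BusName`, so a shared base merged with `//` would keep the hardening differences visible in one place.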
@@ -16,26 +53,15 @@ with lib;
};
-
###### implementation
-
+
config = mkIf config.hardware.bluetooth.enable {
- environment.systemPackages = [ pkgs.bluez pkgs.openobex pkgs.obexftp ];
-
- services.udev.packages = [ pkgs.bluez ];
-
- services.dbus.packages = [ pkgs.bluez ];
-
- systemd.services."dbus-org.bluez" = {
- description = "Bluetooth Service";
- serviceConfig = {
- Type = "dbus";
- BusName = "org.bluez";
- ExecStart = "${pkgs.bluez}/sbin/bluetoothd -n";
- };
- wantedBy = [ "bluetooth.target" ];
- };
+ environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
+ services.udev.packages = [ bluez-bluetooth ];
+ services.dbus.packages = [ bluez-bluetooth ];
+ systemd.services."dbus-org.bluez" = bluezConfig;
+ systemd.services."dbus-org.bluez.obex" = obexConfig;
};
diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix
index e019e6c3f237..d27456e59e88 100644
--- a/nixos/modules/services/logging/logstash.nix
+++ b/nixos/modules/services/logging/logstash.nix
@@ -85,7 +85,7 @@ in
type = types.lines;
default = ''stdin { type => "example" }'';
description = "Logstash input configuration.";
- example = ''
+ example = literalExample ''
# Read from journal
pipe {
command => "''${pkgs.systemd}/bin/journalctl -f -o json"
@@ -98,7 +98,7 @@ in
type = types.lines;
default = ''noop {}'';
description = "logstash filter configuration.";
- example = ''
+ example = literalExample ''
if [type] == "syslog" {
# Keep only relevant systemd fields
# http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
@@ -114,7 +114,7 @@ in
outputConfig = mkOption {
type = types.lines;
- default = ''stdout { debug => true debug_format => "json"}'';
+ default = literalExample ''stdout { debug => true debug_format => "json"}'';
description = "Logstash output configuration.";
example = ''
redis { host => "localhost" data_type => "list" key => "logstash" codec => json }
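Review bot: `default = literalExample ''stdout { debug => true debug_format => "json"}''` wraps the option's actual default value in a `literalExample` marker, which is a documentation-only attrset (`{ _type = "literalExample"; text = …; }`) rather than a string; a `types.lines` option will reject it, and even if it were merged unchecked the rendered config would not be the intended `stdout {…}` stanza. `literalExample` belongs on `example`, as the two previous hunks do: restore `default = ''stdout { debug => true debug_format => "json"}'';` and leave the `example` below as is, since it contains no `''${…}` interpolation that needs protecting.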
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 11e8b26c75ef..333a03315bca 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -13,6 +13,7 @@ let
''
base_dir = ${baseDir}
protocols = ${concatStringsSep " " cfg.protocols}
+ sendmail_path = /var/setuid-wrappers/sendmail
''
(if isNull cfg.sslServerCert then ''
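Review bot: `sendmail_path = /var/setuid-wrappers/sendmail` hard-codes a path that only exists when some other module installs a setuid `sendmail` wrapper; with no MTA configured, dovecot deliveries that go through `sendmail_path` will fail at run time with nothing at evaluation time pointing back to this line. A comment stating the dependency, e.g. `# deliver via the system MTA's setuid sendmail wrapper; requires an MTA module that provides one`, or an assertion that such a wrapper is configured, would make this explicit. The enclosing config string starts before this hunk.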
diff --git a/nixos/modules/services/mail/dspam.nix b/nixos/modules/services/mail/dspam.nix
index 10352ba6abcc..46e6f216b21e 100644
--- a/nixos/modules/services/mail/dspam.nix
+++ b/nixos/modules/services/mail/dspam.nix
@@ -19,7 +19,10 @@ let
SystemLog on
UserLog on
- ${optionalString (cfg.domainSocket != null) ''ServerDomainSocketPath "${cfg.domainSocket}"''}
+ ${optionalString (cfg.domainSocket != null) ''
+ ServerDomainSocketPath "${cfg.domainSocket}"
+ ClientHost "${cfg.domainSocket}"
+ ''}
${cfg.extraConfig}
'';
@@ -108,7 +111,11 @@ in {
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = optional (cfg.domainSocket == defaultSock) "dspam";
+ RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750";
PermissionsStartOnly = true;
+ # DSPAM segfaults on just about every error
+ Restart = "on-failure";
+ RestartSec = "1s";
};
preStart = ''
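Review bot: `RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750";` assigns a list to a single-valued systemd directive; it only works because the unit generator expands list values into repeated `Key=` lines and an empty list into nothing, which is a fragile way to express an optional setting. `RuntimeDirectoryMode = mkIf (cfg.domainSocket == defaultSock) "0750";` says what is meant. `Restart = "on-failure"` with `RestartSec = "1s"` on a daemon the comment says segfaults on most errors will likely trip systemd's default start-rate limit and leave the unit failed; if the intent is to ride through transient errors, document that the burst limit still applies or set `StartLimitInterval` explicitly.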
@@ -136,7 +143,7 @@ in {
restartTriggers = [ cfgfile ];
serviceConfig = {
- ExecStart = "${dspam}/bin/dspam_maintenance";
+ ExecStart = "${dspam}/bin/dspam_maintenance --verbose";
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f2d8189de6ef..404cdf0f564b 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -13,6 +13,18 @@ let
haveTransport = cfg.transport != "";
haveVirtual = cfg.virtual != "";
+ clientAccess =
+ if (cfg.dnsBlacklistOverrides != "")
+ then [ "check_client_access hash:/etc/postfix/client_access" ]
+ else [];
+
+ dnsBl =
+ if (cfg.dnsBlacklists != [])
+ then [ (concatStringsSep ", " (map (s: "reject_rbl_client " + s) cfg.dnsBlacklists)) ]
+ else [];
+
+ clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl);
+
mainCf =
''
compatibility_level = 2
@@ -104,6 +116,9 @@ let
+ optionalString haveVirtual ''
virtual_alias_maps = hash:/etc/postfix/virtual
''
+ + optionalString (cfg.dnsBlacklists != []) ''
+ smtpd_client_restrictions = ${clientRestrictions}
+ ''
+ cfg.extraConfig;
masterCf = ''
@@ -161,6 +176,7 @@ let
aliasesFile = pkgs.writeText "postfix-aliases" aliases;
virtualFile = pkgs.writeText "postfix-virtual" cfg.virtual;
+ checkClientAccessFile = pkgs.writeText "postfix-check-client-access" cfg.dnsBlacklistOverrides;
mainCfFile = pkgs.writeText "postfix-main.cf" mainCf;
masterCfFile = pkgs.writeText "postfix-master.cf" masterCf;
transportFile = pkgs.writeText "postfix-transport" cfg.transport;
@@ -366,6 +382,17 @@ in
";
};
+ dnsBlacklists = mkOption {
+ default = [];
+ type = with types; listOf string;
+ description = "dns blacklist servers to use with smtpd_client_restrictions";
+ };
+
+ dnsBlacklistOverrides = mkOption {
+ default = "";
+ description = "contents of check_client_access for overriding dnsBlacklists";
+ };
+
extraMasterConf = mkOption {
type = types.lines;
default = "";
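Review bot: `dnsBlacklistOverrides` is declared without a `type`, so the module system accepts any value and a non-string (or a list of lines, which a user may reasonably try) only fails later when `pkgs.writeText` renders it into the client_access map; the neighbouring `extraMasterConf` declares `type = types.lines;` and this option should too. `dnsBlacklists` uses `types.string`, the older unchecked form — `with types; listOf str` is the checked equivalent for the hostnames `reject_rbl_client` expects. Both descriptions would benefit from stating that the override map is only installed, and `smtpd_client_restrictions` only emitted, when `dnsBlacklists` is non-empty, which is what the later hunks implement.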
@@ -461,7 +488,7 @@ in
rm -rf /var/lib/postfix/conf
mkdir -p /var/lib/postfix/conf
chmod 0755 /var/lib/postfix/conf
- ln -sf ${pkgs.postfix}/etc/postfix/postfix-files
+ ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files
ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf
ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf
@@ -494,6 +521,9 @@ in
(mkIf haveVirtual {
services.postfix.mapFiles."virtual" = virtualFile;
})
+ (mkIf (cfg.dnsBlacklists != []) {
+ services.postfix.mapFiles."client_access" = checkClientAccessFile;
+ })
]);
}
diff --git a/nixos/modules/services/mail/postsrsd.nix b/nixos/modules/services/mail/postsrsd.nix
index 36a0f8218d88..68a4c1012064 100644
--- a/nixos/modules/services/mail/postsrsd.nix
+++ b/nixos/modules/services/mail/postsrsd.nix
@@ -95,7 +95,11 @@ in {
preStart = ''
if [ ! -e "${cfg.secretsFile}" ]; then
echo "WARNING: secrets file not found, autogenerating!"
- mkdir -p -m750 "$(dirname "${cfg.secretsFile}")"
+ DIR="$(dirname "${cfg.secretsFile}")"
+ if [ ! -d "$DIR" ]; then
+ mkdir -p -m750 "$DIR"
+ chown "${cfg.user}:${cfg.group}" "$DIR"
+ fi
dd if=/dev/random bs=18 count=1 | base64 > "${cfg.secretsFile}"
chmod 600 "${cfg.secretsFile}"
fi
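Review bot: `dd if=/dev/random bs=18 count=1` can return fewer than 18 bytes, because `count=1` is a single read() and /dev/random may deliver a short read under entropy pressure; the secret then silently ends up shorter than intended. The file is also created with the ambient umask before `chmod 600` runs, leaving a brief window in which it is world-readable. Generating it as `(umask 077; dd if=/dev/random bs=18 count=1 iflag=fullblock status=none | base64 > "${cfg.secretsFile}")` fixes both; whether the service later reads this root-owned file as `${cfg.user}` is not visible here, so a matching `chown` on the file may also be needed — confirm against the unit's User= setting.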
diff --git a/nixos/modules/services/misc/cfdyndns.nix b/nixos/modules/services/misc/cfdyndns.nix
new file mode 100644
index 000000000000..69a33d0b8c1b
--- /dev/null
+++ b/nixos/modules/services/misc/cfdyndns.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.cfdyndns;
+in
+{
+ options = {
+ services.cfdyndns = {
+ enable = mkEnableOption "Cloudflare Dynamic DNS Client";
+
+ email = mkOption {
+ type = types.str;
+ descript