Diffstat (limited to 'nixos')
-rw-r--r--nixos/lib/make-disk-image.nix3
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/network-filesystems/rsyncd.nix60
-rw-r--r--nixos/modules/services/networking/gvpe.nix8
-rw-r--r--nixos/modules/services/security/fprot.nix3
-rw-r--r--nixos/modules/services/torrent/deluge.nix1
-rw-r--r--nixos/modules/services/web-apps/hledger-web.nix77
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/hledger-web.nix53
-rw-r--r--nixos/tests/rsyncd.nix39
10 files changed, 225 insertions, 21 deletions
diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix
index 3f50bb431c5e..023d0791a5c7 100644
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -257,7 +257,8 @@ let format' = format; in let
''}
echo "copying staging root to image..."
- cptofs -p ${optionalString (partitionTableType != "none") "-P ${rootPartition}"} -t ${fsType} -i $diskImage $root/* /
+ cptofs -p ${optionalString (partitionTableType != "none") "-P ${rootPartition}"} -t ${fsType} -i $diskImage $root/* / ||
+ (echo >&2 "ERROR: cptofs failed. diskSize might be too small for closure."; exit 1)
'';
in pkgs.vmTools.runInLinuxVM (
pkgs.runCommand name
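Review bot: The added fallback `(echo >&2 "…"; exit 1)` runs in a subshell, so `exit 1` ends only that subshell; the build stops at this point only if the surrounding script runs with `set -e`, which this hunk does not show. A brace group makes the abort unconditional: `|| { echo >&2 "ERROR: cptofs failed. diskSize might be too small for closure."; exit 1; }`. The message also presents a too-small `diskSize` as the cause of every cptofs failure; printing the exit status alongside it would keep other causes from being misread. The enclosing script starts above the hunk.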
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c7a8f6b2f7c3..7586ae41bbb0 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -876,6 +876,7 @@
./services/web-apps/gotify-server.nix
./services/web-apps/grocy.nix
./services/web-apps/hedgedoc.nix
+ ./services/web-apps/hledger-web.nix
./services/web-apps/icingaweb2/icingaweb2.nix
./services/web-apps/icingaweb2/module-monitoring.nix
./services/web-apps/ihatemoney
diff --git a/nixos/modules/services/network-filesystems/rsyncd.nix b/nixos/modules/services/network-filesystems/rsyncd.nix
index 9f1263ddff56..edac86eb0e30 100644
--- a/nixos/modules/services/network-filesystems/rsyncd.nix
+++ b/nixos/modules/services/network-filesystems/rsyncd.nix
@@ -46,6 +46,13 @@ in {
'';
};
+ socketActivated = mkOption {
+ default = false;
+ type = types.bool;
+ description =
+ "If enabled Rsync will be socket-activated rather than run persistently.";
+ };
+
};
};
@@ -63,12 +70,55 @@ in {
services.rsyncd.settings.global.port = toString cfg.port;
- systemd.services.rsyncd = {
- description = "Rsync daemon";
- wantedBy = [ "multi-user.target" ];
- serviceConfig.ExecStart =
- "${pkgs.rsync}/bin/rsync --daemon --no-detach --config=${configFile}";
+ systemd = let
+ serviceConfigSecurity = {
+ ProtectSystem = "full";
+ PrivateDevices = "on";
+ NoNewPrivileges = "on";
+ };
+ in {
+ services.rsync = {
+ enable = !cfg.socketActivated;
+ aliases = [ "rsyncd" ];
+
+ description = "fast remote file copy program daemon";
+ after = [ "network.target" ];
+ documentation = [ "man:rsync(1)" "man:rsyncd.conf(5)" ];
+
+ serviceConfig = serviceConfigSecurity // {
+ ExecStart =
+ "${pkgs.rsync}/bin/rsync --daemon --no-detach --config=${configFile}";
+ RestartSec = 1;
+ };
+
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ services."rsync@" = {
+ description = "fast remote file copy program daemon";
+ after = [ "network.target" ];
+
+ serviceConfig = serviceConfigSecurity // {
+ ExecStart = "${pkgs.rsync}/bin/rsync --daemon --config=${configFile}";
+ StandardInput = "socket";
+ StandardOutput = "inherit";
+ StandardError = "journal";
+ };
+ };
+
+ sockets.rsync = {
+ enable = cfg.socketActivated;
+
+ description = "socket for fast remote file copy program daemon";
+ conflicts = [ "rsync.service" ];
+
+ listenStreams = [ (toString cfg.port) ];
+ socketConfig.Accept = true;
+
+ wantedBy = [ "sockets.target" ];
+ };
};
+
};
meta.maintainers = with lib.maintainers; [ ehmry ];
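Review bot: With `socketActivated = true` the listening socket is created by systemd from `listenStreams = [ (toString cfg.port) ]`, which binds the port on every address, so an `address` entry a user may have set under `services.rsyncd.settings.global` to keep the daemon on one interface stops having any effect (rsync ignores that setting when it is handed an inherited socket). Either derive the stream from that setting when it is present, or state in the `socketActivated` description that the bind address is no longer restricted and that `hosts allow` or the firewall has to do that job. Separately, `RestartSec = 1` in `services.rsync` does nothing unless a `Restart=` policy is also set, and none is visible in this hunk. The three `serviceConfigSecurity` flags are a good start, but the unit still sets no `User=` and leaves `/home` and `/tmp` reachable; whether `ProtectHome`/`PrivateTmp` can be added depends on which paths users export as modules.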
diff --git a/nixos/modules/services/networking/gvpe.nix b/nixos/modules/services/networking/gvpe.nix
index 92e87cd4640d..b851facf1e32 100644
--- a/nixos/modules/services/networking/gvpe.nix
+++ b/nixos/modules/services/networking/gvpe.nix
@@ -3,7 +3,7 @@
{config, pkgs, lib, ...}:
let
- inherit (lib) mkOption mkIf;
+ inherit (lib) mkOption mkIf types;
cfg = config.services.gvpe;
@@ -46,12 +46,14 @@ in
nodename = mkOption {
default = null;
+ type = types.nullOr types.str;
description =''
GVPE node name
'';
};
configText = mkOption {
default = null;
+ type = types.nullOr types.lines;
example = ''
tcp-port = 655
udp-port = 655
@@ -72,6 +74,7 @@ in
};
configFile = mkOption {
default = null;
+ type = types.nullOr types.path;
example = "/root/my-gvpe-conf";
description = ''
GVPE config file, if already present
@@ -79,12 +82,14 @@ in
};
ipAddress = mkOption {
default = null;
+ type = types.nullOr types.str;
description = ''
IP address to assign to GVPE interface
'';
};
subnet = mkOption {
default = null;
+ type = types.nullOr types.str;
example = "10.0.0.0/8";
description = ''
IP subnet assigned to GVPE network
@@ -92,6 +97,7 @@ in
};
customIFSetup = mkOption {
default = "";
+ type = types.lines;
description = ''
Additional commands to apply in ifup script
'';
diff --git a/nixos/modules/services/security/fprot.nix b/nixos/modules/services/security/fprot.nix
index 3a0b08b3c6d8..df60d553e85b 100644
--- a/nixos/modules/services/security/fprot.nix
+++ b/nixos/modules/services/security/fprot.nix
@@ -16,16 +16,19 @@ in {
description = ''
product.data file. Defaults to the one supplied with installation package.
'';
+ type = types.path;
};
frequency = mkOption {
default = 30;
+ type = types.int;
description = ''
Update virus definitions every X minutes.
'';
};
licenseKeyfile = mkOption {
+ type = types.path;
description = ''
License keyfile. Defaults to the one supplied with installation package.
'';
diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix
index 45398cb26138..7ca4fdcf64d4 100644
--- a/nixos/modules/services/torrent/deluge.nix
+++ b/nixos/modules/services/torrent/deluge.nix
@@ -41,6 +41,7 @@ in {
openFilesLimit = mkOption {
default = openFilesLimit;
+ type = types.either types.int types.str;
description = ''
Number of files to allow deluged to open.
'';
diff --git a/nixos/modules/services/web-apps/hledger-web.nix b/nixos/modules/services/web-apps/hledger-web.nix
new file mode 100644
index 000000000000..43fc4daa177f
--- /dev/null
+++ b/nixos/modules/services/web-apps/hledger-web.nix
@@ -0,0 +1,77 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.services.hledger-web;
+in {
+ options.services.hledger-web = {
+
+ enable = mkEnableOption "hledger-web service";
+
+ serveApi = mkEnableOption "Serve only the JSON web API, without the web UI.";
+
+ host = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = ''
+ Address to listen on.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 5000;
+ example = "80";
+ description = ''
+ Port to listen on.
+ '';
+ };
+
+ capabilities = mkOption {
+ type = types.commas;
+ default = "view";
+ description = ''
+ Enable the view, add, and/or manage capabilities. E.g. view,add
+ '';
+ };
+
+ journalFile = mkOption {
+ type = types.path;
+ example = "/home/hledger/.hledger.journal";
+ description = ''
+ Input journal file.
+ '';
+ };
+
+ baseUrl = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ example = "https://example.org";
+ description = ''
+ Base URL, when sharing over a network.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.hledger-web = {
+ description = "hledger-web - web-app for the hledger accounting tool.";
+ documentation = [ https://hledger.org/hledger-web.html ];
+ wantedBy = [ "multi-user.target" ];
+ after = [ "networking.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.hledger-web}/bin/hledger-web \
+ --host=${cfg.host} \
+ --port=${toString cfg.port} \
+ --file=${cfg.journalFile} \
+ "--capabilities=${cfg.capabilities}" \
+ ${optionalString (cfg.baseUrl != null) "--base-url=${cfg.baseUrl}"} \
+ ${optionalString (cfg.serveApi) "--serve-api"}
+ '';
+ Restart = "always";
+ };
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [ marijanp ];
+}
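Review bot: The new unit's `serviceConfig` holds only `ExecStart` and `Restart`, so an HTTP service that can be granted `add`/`manage` capabilities over the journal runs as root with no sandboxing; the rsyncd unit in this same commit at least gets `ProtectSystem`, `PrivateDevices` and `NoNewPrivileges`. Run it under a dedicated unprivileged account that owns the journal and apply the same hardening, as sketched below (the account name is only a suggestion). `after = [ "networking.target" ]` names a target systemd does not define, so the ordering is a no-op; `network.target` is presumably what was meant. The `journalFile` description should also say that passing a Nix path literal or a derivation, as the accompanying test does, copies the ledger into the world-readable store, where `add` cannot write to it either.

```nix
    after = [ "network.target" ];
    serviceConfig = {
      # … unchanged: ExecStart, Restart …
      User = "hledger";
      Group = "hledger";
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateTmp = true;
      ProtectSystem = "full";
    };
  # … unchanged: rest of systemd.services.hledger-web …
  users.users.hledger = {
    isSystemUser = true;
    group = "hledger";
  };
  users.groups.hledger = { };
```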
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 05fd5c4822a7..d267ddeb4cf4 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -155,6 +155,7 @@ in
# not on other platforms.
hibernate = handleTestOn ["x86_64-linux"] ./hibernate.nix {};
hitch = handleTest ./hitch {};
+ hledger-web = handleTest ./hledger-web.nix {};
hocker-fetchdocker = handleTest ./hocker-fetchdocker {};
home-assistant = handleTest ./home-assistant.nix {};
hostname = handleTest ./hostname.nix {};
diff --git a/nixos/tests/hledger-web.nix b/nixos/tests/hledger-web.nix
new file mode 100644
index 000000000000..378d819437db
--- /dev/null
+++ b/nixos/tests/hledger-web.nix
@@ -0,0 +1,53 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }:
+let
+ journal = pkgs.writeText "test.journal" ''
+ 2010/01/10 Loan
+ assets:cash 500$
+ income:loan -500$
+ 2010/01/10 NixOS Foundation donation
+ expenses:donation 250$
+ assets:cash -250$
+ '';
+in
+rec {
+ name = "hledger-web";
+ meta.maintainers = with lib.maintainers; [ marijanp ];
+
+ nodes = {
+ server = { config, pkgs, ... }: rec {
+ services.hledger-web = {
+ host = "127.0.0.1";
+ port = 5000;
+ enable = true;
+ journalFile = journal;
+ };
+ networking.firewall.allowedTCPPorts = [ services.hledger-web.port ];
+ };
+ apiserver = { config, pkgs, ... }: rec {
+ services.hledger-web = {
+ host = "127.0.0.1";
+ port = 5000;
+ enable = true;
+ serveApi = true;
+ journalFile = journal;
+ };
+ networking.firewall.allowedTCPPorts = [ services.hledger-web.port ];
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ server.wait_for_unit("hledger-web.service")
+ server.wait_for_open_port(5000)
+ with subtest("Check if web UI is accessible"):
+ page = server.succeed("curl -L http://127.0.0.1:5000")
+ assert "test.journal" in page
+
+ apiserver.wait_for_unit("hledger-web.service")
+ apiserver.wait_for_open_port(5000)
+ with subtest("Check if the JSON API is served"):
+ transactions = apiserver.succeed("curl -L http://127.0.0.1:5000/transactions")
+ assert "NixOS Foundation donation" in transactions
+ '';
+})
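Review bot: Neither node exercises `services.hledger-web.capabilities`, which is the only access control the module exposes, so a regression that let the default `view` setting accept writes would pass this test. Add a subtest that sends a write request to the `server` node and asserts it is refused, and ideally a third node with `capabilities = "view,add"` to show the option is actually passed through to the process. The `networking.firewall.allowedTCPPorts` lines are not needed either: both services bind to `127.0.0.1` and every `curl` runs on the node itself, so opening the port only suggests remote access that the test never performs.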
diff --git a/nixos/tests/rsyncd.nix b/nixos/tests/rsyncd.nix
index 3639320f645d..44464e42f28d 100644
--- a/nixos/tests/rsyncd.nix
+++ b/nixos/tests/rsyncd.nix
@@ -2,24 +2,35 @@ import ./make-test-python.nix ({ pkgs, ... }: {
name = "rsyncd";
meta.maintainers = with pkgs.lib.maintainers; [ ehmry ];
- nodes.machine.services.rsyncd = {
- enable = true;
- settings = {
- global = {
- "reverse lookup" = false;
- "forward lookup" = false;
+ nodes = let
+ mkNode = socketActivated:
+ { config, ... }: {
+ networking.firewall.allowedTCPPorts = [ config.services.rsyncd.port ];
+ services.rsyncd = {
+ enable = true;
+ inherit socketActivated;
+ settings = {
+ global = {
+ "reverse lookup" = false;
+ "forward lookup" = false;
+ };
+ tmp = {
+ path = "/nix/store";
+ comment = "test module";
+ };
+ };
+ };
};
- tmp = {
- path = "/nix/store";
- comment = "test module";
- };
-
- };
+ in {
+ a = mkNode false;
+ b = mkNode true;
};
testScript = ''
start_all()
- machine.wait_for_unit("rsyncd")
- machine.succeed("rsync localhost::")
+ a.wait_for_unit("rsync")
+ b.wait_for_unit("sockets.target")
+ b.succeed("rsync a::")
+ a.succeed("rsync b::")
'';
})
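Review bot: `b.wait_for_unit("sockets.target")` does not wait for the unit this commit adds; `sockets.target` only wants its sockets, so it is reached even if `rsync.socket` failed to bind, and the failure then surfaces later as a less obvious error from `a.succeed("rsync b::")`. Waiting on the socket itself, `b.wait_for_unit("rsync.socket")`, makes the socket-activated path fail at the point where it breaks. A short comment that the `tmp` module exporting `/nix/store` with no `auth users` is acceptable only because this is an isolated test VM would also help readers who copy these settings.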