From f2ea45461767eef7b1c03d130342902e4070fe45 Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Wed, 19 Jun 2019 20:29:46 +0000 Subject: usbguard-nox: init at 0.7.4 This is just usbguard without the Qt GUI that brings in Qt dependencies. Remove pandoc to reduce closure size. The usbguard build appears to use it only for spell checking. Remove asciidoctor because 0.7.1 switched to asciidoc. But don't add a dependency on asciidoc, because that causes the build fails on external DTDs. --- nixos/modules/services/security/usbguard.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 88d2f69db572..20d5e3b28eb9 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -39,6 +39,16 @@ in { services.usbguard = { enable = mkEnableOption "USBGuard daemon"; + package = mkOption { + type = types.package; + default = pkgs.usbguard; + defaultText = "pkgs.usbguard"; + description = '' + The usbguard package to use. If you do not need the Qt GUI, use + pkgs.usbguard-nox to save disk space. + ''; + }; + ruleFile = mkOption { type = types.path; default = "/var/lib/usbguard/rules.conf"; @@ -179,7 +189,7 @@ in { config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.usbguard ]; + environment.systemPackages = [ cfg.package ]; systemd.services.usbguard = { description = "USBGuard daemon"; @@ -195,7 +205,7 @@ in { serviceConfig = { Type = "simple"; - ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -P -k -c ${daemonConfFile}''; + ExecStart = ''${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}''; Restart = "on-failure"; }; }; -- cgit v1.2.3 From cc83a0d0812e2b31acd37315554ca59bca091a2b Mon Sep 17 00:00:00 2001 
From: Aaron Vodney Date: Sun, 30 Jun 2019 22:05:42 -0400 Subject: u9fs service: start after network.target --- nixos/modules/services/network-filesystems/u9fs.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos/modules') diff --git a/nixos/modules/services/network-filesystems/u9fs.nix b/nixos/modules/services/network-filesystems/u9fs.nix index 4f37fc2a9e5c..77961b78cadb 100644 --- a/nixos/modules/services/network-filesystems/u9fs.nix +++ b/nixos/modules/services/network-filesystems/u9fs.nix @@ -55,6 +55,7 @@ in sockets.u9fs = { description = "U9fs Listening Socket"; wantedBy = [ "sockets.target" ]; + after = [ "network.target" ]; inherit (cfg) listenStreams; socketConfig.Accept = "yes"; }; -- cgit v1.2.3 From 9e2a8f50237d1c3def60aabea16d099bfdae576e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Janne=20He=C3=9F?= Date: Sun, 7 Jul 2019 03:03:59 +0200 Subject: nixos/icingaweb: Fix module path; Add test --- nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix index e83270fda5c9..bbed2e12c593 100644 --- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix +++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix @@ -4,10 +4,12 @@ defaultConfig = { global = { - module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}"; + module_path = "${pkgs.icingaweb2}/modules"; }; }; in { + meta.maintainers = with maintainers; [ das_j ]; + options.services.icingaweb2 = with types; { enable = mkEnableOption "the icingaweb2 web interface"; -- cgit v1.2.3 From 3b0534310c89d04fc3a9c5714b5a4d0f9fb0efca Mon Sep 17 00:00:00 2001 
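Review bot: The added `after = [ "network.target" ];` on `sockets.u9fs` does not ensure that the addresses in `listenStreams` are configured, because `network.target` only signals that network management has started; a listener bound to a specific address can still fail to bind at boot. Since the socket is also `wantedBy = [ "sockets.target" ]`, ordering it after `network.target` may create an ordering cycle with units that start after `basic.target`, which systemd resolves by dropping a job. If the goal is to bind before the address exists, `socketConfig.FreeBind = true;` avoids the ordering dependency altogether. Whichever approach is used, it needs a comment such as `# bind may precede address assignment; see listenStreams`. The `sockets.u9fs` block starts and ends outside this hunk.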
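Review bot: The new `module_path = "${pkgs.icingaweb2}/modules";` in `defaultConfig` drops the additional search paths entirely rather than fixing the broken `config.modulePath` reference. If `options.services.icingaweb2` still declares a `modulePath` option (not visible in this hunk), it is now silently ignored here, and an operator who sets it gets no modules and no error. Either wire it back in as `cfg.modulePath` or remove the option with `mkRemovedOptionModule` so that the misconfiguration surfaces at evaluation time. A short comment on `defaultConfig` saying where extra module paths are applied would also help.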
From: danbst Date: Sun, 14 Jul 2019 13:46:10 +0300 Subject: mass replace "flip map -> foreach" See `foreach`-introduction commit. ``` rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g' ``` --- nixos/modules/rename.nix | 2 +- nixos/modules/services/monitoring/ups.nix | 2 +- nixos/modules/services/networking/consul.nix | 2 +- nixos/modules/services/networking/hylafax/systemd.nix | 2 +- nixos/modules/services/networking/ssh/sshd.nix | 2 +- nixos/modules/services/x11/xautolock.nix | 2 +- nixos/modules/services/x11/xserver.nix | 2 +- nixos/modules/system/boot/loader/grub/grub.nix | 2 +- nixos/modules/tasks/network-interfaces-systemd.nix | 8 ++++---- nixos/modules/tasks/network-interfaces.nix | 12 ++++++------ 10 files changed, 18 insertions(+), 18 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index e127782e85f5..218b1d9339aa 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -248,7 +248,7 @@ with lib; # KSM (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) - ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" + ] ++ (foreach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "snmpExporter" "unifiExporter" "varnishExporter" ] (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix index bc755612fd9b..57f0bfec5745 100644 --- a/nixos/modules/services/monitoring/ups.nix +++ b/nixos/modules/services/monitoring/ups.nix @@ -225,7 +225,7 @@ in '' maxstartdelay = ${toString cfg.maxStartDelay} - ${flip concatStringsSep (flip map (attrValues cfg.ups) (ups: ups.summary)) " + ${flip concatStringsSep (foreach (attrValues cfg.ups) (ups: ups.summary)) " "} ''; 
diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index 3a92a883fbf8..78fca9326d33 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -15,7 +15,7 @@ let ++ cfg.extraConfigFiles; devices = attrValues (filterAttrs (_: i: i != null) cfg.interface); - systemdDevices = flip map devices + systemdDevices = foreach devices (i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device"); in { diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index ef177e4be345..527026c00762 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -7,7 +7,7 @@ let inherit (lib) concatStringsSep optionalString; cfg = config.services.hylafax; - mapModems = lib.flip map (lib.attrValues cfg.modems); + mapModems = lib.foreach (lib.attrValues cfg.modems); mkConfigFile = name: conf: # creates hylafax config file, diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 0f9d2420903b..005d8bfb61fb 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -502,7 +502,7 @@ in assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";}] - ++ flip map cfg.listenAddresses ({ addr, ... }: { + ++ foreach cfg.listenAddresses ({ addr, ... }: { assertion = addr != null; message = "addr must be specified in each listenAddresses entry"; }); diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix index cbe000058dc6..51bdcae992e2 100644 --- a/nixos/modules/services/x11/xautolock.nix +++ b/nixos/modules/services/x11/xautolock.nix 
@@ -129,7 +129,7 @@ in assertion = cfg.killer != null -> cfg.killtime >= 10; message = "killtime has to be at least 10 minutes according to `man xautolock`"; } - ] ++ (lib.flip map [ "locker" "notifier" "nowlocker" "killer" ] + ] ++ (lib.foreach [ "locker" "notifier" "nowlocker" "killer" ] (option: { assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/"; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 82730c5e80c6..4d28a45c2ce3 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -75,7 +75,7 @@ let in imap1 mkHead cfg.xrandrHeads; xrandrDeviceSection = let - monitors = flip map xrandrHeads (h: '' + monitors = foreach xrandrHeads (h: '' Option "monitor-${h.config.output}" "${h.name}" ''); # First option is indented through the space in the config but any diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 4e4d14985b0d..84753d77cc4c 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -684,7 +684,7 @@ in assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint; message = "EFI paths must be absolute, not ${args.efiSysMountPoint}"; } - ] ++ flip map args.devices (device: { + ] ++ foreach args.devices (device: { assertion = device == "nodev" || hasPrefix "/" device; message = "GRUB devices must be absolute paths, not ${device} in ${args.path}"; })); diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 857aaf1e6e30..2612d13da4f8 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix 
@@ -74,7 +74,7 @@ in enable = true; networks."99-main" = genericNetwork mkDefault; } - (mkMerge (flip map interfaces (i: { + (mkMerge (foreach interfaces (i: { netdevs = mkIf i.virtual ({ "40-${i.name}" = { netdevConfig = { @@ -90,7 +90,7 @@ in name = mkDefault i.name; DHCP = mkForce (dhcpStr (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); - address = flip map (interfaceIps i) + address = foreach (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); networkConfig.IPv6PrivacyExtensions = "kernel"; } ]; @@ -102,7 +102,7 @@ in Kind = "bridge"; }; }; - networks = listToAttrs (flip map bridge.interfaces (bi: + networks = listToAttrs (foreach bridge.interfaces (bi: nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { DHCP = mkOverride 0 (dhcpStr false); networkConfig.Bridge = name; @@ -173,7 +173,7 @@ in }; - networks = listToAttrs (flip map bond.interfaces (bi: + networks = listToAttrs (foreach bond.interfaces (bi: nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { DHCP = mkOverride 0 (dhcpStr false); networkConfig.Bond = name; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f9b0eb330bf8..2af20e05b051 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -926,7 +926,7 @@ in warnings = concatMap (i: i.warnings) interfaces; assertions = - (flip map interfaces (i: { + (foreach interfaces (i: { # With the linux kernel, interface name length is limited by IFNAMSIZ # to 16 bytes, including the trailing null byte. # See include/linux/if.h in the kernel sources 
@@ -934,12 +934,12 @@ in message = '' The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters. ''; - })) ++ (flip map slaveIfs (i: { + })) ++ (foreach slaveIfs (i: { assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ]; message = '' The networking.interfaces."${i.name}" must not have any defined ips when it is a slave. ''; - })) ++ (flip map interfaces (i: { + })) ++ (foreach interfaces (i: { assertion = i.preferTempAddress -> cfg.enableIPv6; message = '' Temporary addresses are only needed when IPv6 is enabled. @@ -967,8 +967,8 @@ in "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) - (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) - // listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces) + (i: foreach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) + // listToAttrs (foreach (filter (i: i.preferTempAddress) interfaces) (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); # Capabilities won't work unless we have at-least a 4.3 Linux @@ -1051,7 +1051,7 @@ in ${cfg.localCommands} ''; }; - } // (listToAttrs (flip map interfaces (i: + } // (listToAttrs (foreach interfaces (i: let deviceDependency = if (config.boot.isContainer || i.name == "lo") then [] -- cgit v1.2.3 From 089da1c14dfdd76c2f3d66c383d97cb3aee34142 Mon Sep 17 00:00:00 2001 
From: David Anderson Date: Sun, 4 Aug 2019 16:20:08 -0700 Subject: nixos/sshguard: create ipsets before starting, and clean up after stopping. The fix for #62874 introduced a race condition on startup: the postStart commands that configure the firewall run concurrently with sshguard's creation of the ipsets that the rules depend on. Unfortunately iptables fails hard when referencing an ipset that doesn't exist, so this causes non-deterministic crashlooping until sshguard wins the race. This change fixes that race condition by always creating the ipset and reconfiguring the firewall before starting sshguard, so that the order of operations is always deterministic. This change also cleans up the ipsets on sshguard shutdown, so that removing sshguard from a running system doesn't leave state behind. Fixes #65985. --- nixos/modules/services/security/sshguard.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 25cec5b5b105..4a174564dd2c 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix 
@@ -106,14 +106,24 @@ in { path = with pkgs; [ iptables ipset iproute systemd ]; - postStart = '' + # The sshguard ipsets must exist before we invoke + # iptables. sshguard creates the ipsets after startup if + # necessary, but if we let sshguard do it, we can't reliably add + # the iptables rules because postStart races with the creation + # of the ipsets. So instead, we create both the ipsets and + # firewall rules before sshguard starts. + preStart = '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP ''; - preStop = '' + postStop = '' ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP + ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 + ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 ''; unitConfig.Documentation = "man:sshguard(8)"; -- cgit v1.2.3 From 91bb646e98808d594b339d3386f7963a546ccfb4 Mon Sep 17 00:00:00 2001 From: danbst Date: Mon, 5 Aug 2019 14:01:45 +0300 Subject: Revert "mass replace "flip map -> foreach"" This reverts commit 3b0534310c89d04fc3a9c5714b5a4d0f9fb0efca. --- nixos/modules/rename.nix | 2 +- nixos/modules/services/monitoring/ups.nix | 2 +- nixos/modules/services/networking/consul.nix | 2 +- nixos/modules/services/networking/hylafax/systemd.nix | 2 +- nixos/modules/services/networking/ssh/sshd.nix | 2 +- nixos/modules/services/x11/xautolock.nix | 2 +- nixos/modules/services/x11/xserver.nix | 2 +- nixos/modules/system/boot/loader/grub/grub.nix | 2 +- nixos/modules/tasks/network-interfaces-systemd.nix | 8 ++++---- nixos/modules/tasks/network-interfaces.nix | 12 ++++++------ 10 files changed, 18 insertions(+), 18 deletions(-) (limited to 'nixos/modules') 
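Review bot: The `iptables -I` calls in `preStart` and the `-D`/`destroy` calls in `postStop` are not idempotent, and NixOS unit scripts run under `sh -e`, so the first failing command aborts the rest. If the firewall was reloaded while sshguard was running, the DROP rules are already gone, `iptables -D` fails, and the ipsets are never destroyed. If `postStop` was skipped or failed earlier, the next `preStart` inserts a duplicate rule. Checking with `-C` before inserting and tolerating a missing rule or set on teardown keeps start and stop deterministic, which is what this change is aiming for. It would also be worth noting in the comment that destroying the sets on stop discards the current block list. The service definition continues outside this hunk.

```nix
preStart = ''
  # … unchanged: ipset create -exist sshguard4 / sshguard6 …
  ${pkgs.iptables}/bin/iptables -C INPUT -m set --match-set sshguard4 src -j DROP 2>/dev/null \
    || ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
  ${pkgs.iptables}/bin/ip6tables -C INPUT -m set --match-set sshguard6 src -j DROP 2>/dev/null \
    || ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
'';

postStop = ''
  # Each step tolerates already-removed state so the later steps still run.
  ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP || true
  ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP || true
  ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 || true
  ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 || true
'';
```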
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 218b1d9339aa..e127782e85f5 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -248,7 +248,7 @@ with lib; # KSM (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) - ] ++ (foreach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" + ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "snmpExporter" "unifiExporter" "varnishExporter" ] (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix index 57f0bfec5745..bc755612fd9b 100644 --- a/nixos/modules/services/monitoring/ups.nix +++ b/nixos/modules/services/monitoring/ups.nix @@ -225,7 +225,7 @@ in '' maxstartdelay = ${toString cfg.maxStartDelay} - ${flip concatStringsSep (foreach (attrValues cfg.ups) (ups: ups.summary)) " + ${flip concatStringsSep (flip map (attrValues cfg.ups) (ups: ups.summary)) " "} ''; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index 78fca9326d33..3a92a883fbf8 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -15,7 +15,7 @@ let ++ cfg.extraConfigFiles; devices = attrValues (filterAttrs (_: i: i != null) cfg.interface); - systemdDevices = foreach devices + systemdDevices = flip map devices (i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device"); in { diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index 527026c00762..ef177e4be345 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix 
@@ -7,7 +7,7 @@ let inherit (lib) concatStringsSep optionalString; cfg = config.services.hylafax; - mapModems = lib.foreach (lib.attrValues cfg.modems); + mapModems = lib.flip map (lib.attrValues cfg.modems); mkConfigFile = name: conf: # creates hylafax config file, diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 005d8bfb61fb..0f9d2420903b 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -502,7 +502,7 @@ in assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";}] - ++ foreach cfg.listenAddresses ({ addr, ... }: { + ++ flip map cfg.listenAddresses ({ addr, ... }: { assertion = addr != null; message = "addr must be specified in each listenAddresses entry"; }); diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix index 51bdcae992e2..cbe000058dc6 100644 --- a/nixos/modules/services/x11/xautolock.nix +++ b/nixos/modules/services/x11/xautolock.nix @@ -129,7 +129,7 @@ in assertion = cfg.killer != null -> cfg.killtime >= 10; message = "killtime has to be at least 10 minutes according to `man xautolock`"; } - ] ++ (lib.foreach [ "locker" "notifier" "nowlocker" "killer" ] + ] ++ (lib.flip map [ "locker" "notifier" "nowlocker" "killer" ] (option: { assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/"; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 4d28a45c2ce3..82730c5e80c6 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix 
@@ -75,7 +75,7 @@ let in imap1 mkHead cfg.xrandrHeads; xrandrDeviceSection = let - monitors = foreach xrandrHeads (h: '' + monitors = flip map xrandrHeads (h: '' Option "monitor-${h.config.output}" "${h.name}" ''); # First option is indented through the space in the config but any diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 84753d77cc4c..4e4d14985b0d 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -684,7 +684,7 @@ in assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint; message = "EFI paths must be absolute, not ${args.efiSysMountPoint}"; } - ] ++ foreach args.devices (device: { + ] ++ flip map args.devices (device: { assertion = device == "nodev" || hasPrefix "/" device; message = "GRUB devices must be absolute paths, not ${device} in ${args.path}"; })); diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 2612d13da4f8..857aaf1e6e30 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -74,7 +74,7 @@ in enable = true; networks."99-main" = genericNetwork mkDefault; } - (mkMerge (foreach interfaces (i: { + (mkMerge (flip map interfaces (i: { netdevs = mkIf i.virtual ({ "40-${i.name}" = { netdevConfig = { @@ -90,7 +90,7 @@ in name = mkDefault i.name; DHCP = mkForce (dhcpStr (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); - address = foreach (interfaceIps i) + address = flip map (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); networkConfig.IPv6PrivacyExtensions = "kernel"; } ]; 
@@ -102,7 +102,7 @@ in Kind = "bridge"; }; }; - networks = listToAttrs (foreach bridge.interfaces (bi: + networks = listToAttrs (flip map bridge.interfaces (bi: nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { DHCP = mkOverride 0 (dhcpStr false); networkConfig.Bridge = name; @@ -173,7 +173,7 @@ in }; - networks = listToAttrs (foreach bond.interfaces (bi: + networks = listToAttrs (flip map bond.interfaces (bi: nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { DHCP = mkOverride 0 (dhcpStr false); networkConfig.Bond = name; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 2af20e05b051..f9b0eb330bf8 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -926,7 +926,7 @@ in warnings = concatMap (i: i.warnings) interfaces; assertions = - (foreach interfaces (i: { + (flip map interfaces (i: { # With the linux kernel, interface name length is limited by IFNAMSIZ # to 16 bytes, including the trailing null byte. # See include/linux/if.h in the kernel sources @@ -934,12 +934,12 @@ in message = '' The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters. ''; - })) ++ (foreach slaveIfs (i: { + })) ++ (flip map slaveIfs (i: { assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ]; message = '' The networking.interfaces."${i.name}" must not have any defined ips when it is a slave. ''; - })) ++ (foreach interfaces (i: { + })) ++ (flip map interfaces (i: { assertion = i.preferTempAddress -> cfg.enableIPv6; message = '' Temporary addresses are only needed when IPv6 is enabled. 
@@ -967,8 +967,8 @@ in "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) - (i: foreach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) - // listToAttrs (foreach (filter (i: i.preferTempAddress) interfaces) + (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) + // listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces) (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); # Capabilities won't work unless we have at-least a 4.3 Linux @@ -1051,7 +1051,7 @@ in ${cfg.localCommands} ''; }; - } // (listToAttrs (foreach interfaces (i: + } // (listToAttrs (flip map interfaces (i: let deviceDependency = if (config.boot.isContainer || i.name == "lo") then [] -- cgit v1.2.3 From 0f8596ab3f05321e36d9bd53ea7f048b7f0b62e3 Mon Sep 17 00:00:00 2001 From: danbst Date: Mon, 5 Aug 2019 14:03:38 +0300 Subject: mass replace "flip map -> forEach" See `forEach`-introduction commit. ``` rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g' ``` --- nixos/modules/rename.nix | 2 +- nixos/modules/services/monitoring/ups.nix | 2 +- nixos/modules/services/networking/consul.nix | 2 +- nixos/modules/services/networking/hylafax/systemd.nix | 2 +- nixos/modules/services/networking/ssh/sshd.nix | 2 +- nixos/modules/services/x11/xautolock.nix | 2 +- nixos/modules/services/x11/xserver.nix | 2 +- nixos/modules/system/boot/loader/grub/grub.nix | 2 +- nixos/modules/tasks/network-interfaces-systemd.nix | 8 ++++---- nixos/modules/tasks/network-interfaces.nix | 12 ++++++------ 10 files changed, 18 insertions(+), 18 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index e127782e85f5..c226f28034d5 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
@@ -248,7 +248,7 @@ with lib; # KSM (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) - ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" + ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "snmpExporter" "unifiExporter" "varnishExporter" ] (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix index bc755612fd9b..429b40227d47 100644 --- a/nixos/modules/services/monitoring/ups.nix +++ b/nixos/modules/services/monitoring/ups.nix @@ -225,7 +225,7 @@ in '' maxstartdelay = ${toString cfg.maxStartDelay} - ${flip concatStringsSep (flip map (attrValues cfg.ups) (ups: ups.summary)) " + ${flip concatStringsSep (forEach (attrValues cfg.ups) (ups: ups.summary)) " "} ''; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index 3a92a883fbf8..f080f12eaccd 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -15,7 +15,7 @@ let ++ cfg.extraConfigFiles; devices = attrValues (filterAttrs (_: i: i != null) cfg.interface); - systemdDevices = flip map devices + systemdDevices = forEach devices (i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device"); in { diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index ef177e4be345..0c6602e7f8ab 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -7,7 +7,7 @@ let inherit (lib) concatStringsSep optionalString; cfg = config.services.hylafax; - mapModems = lib.flip map (lib.attrValues cfg.modems); + mapModems = lib.forEach (lib.attrValues cfg.modems); mkConfigFile = name: conf: # creates hylafax config file, 
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 0f9d2420903b..91fc7d72bc6d 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -502,7 +502,7 @@ in assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";}] - ++ flip map cfg.listenAddresses ({ addr, ... }: { + ++ forEach cfg.listenAddresses ({ addr, ... }: { assertion = addr != null; message = "addr must be specified in each listenAddresses entry"; }); diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix index cbe000058dc6..10eef8aefbcd 100644 --- a/nixos/modules/services/x11/xautolock.nix +++ b/nixos/modules/services/x11/xautolock.nix @@ -129,7 +129,7 @@ in assertion = cfg.killer != null -> cfg.killtime >= 10; message = "killtime has to be at least 10 minutes according to `man xautolock`"; } - ] ++ (lib.flip map [ "locker" "notifier" "nowlocker" "killer" ] + ] ++ (lib.forEach [ "locker" "notifier" "nowlocker" "killer" ] (option: { assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/"; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 82730c5e80c6..e716d3bcdc65 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -75,7 +75,7 @@ let in imap1 mkHead cfg.xrandrHeads; xrandrDeviceSection = let - monitors = flip map xrandrHeads (h: '' + monitors = forEach xrandrHeads (h: '' Option "monitor-${h.config.output}" "${h.name}" ''); # First option is indented through the space in the config but any diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 4e4d14985b0d..eca9dad64222 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix 
+++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -684,7 +684,7 @@ in assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint; message = "EFI paths must be absolute, not ${args.efiSysMountPoint}"; } - ] ++ flip map args.devices (device: { + ] ++ forEach args.devices (device: { assertion = device == "nodev" || hasPrefix "/" device; message = "GRUB devices must be absolute paths, not ${device} in ${args.path}"; })); diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 857aaf1e6e30..fbca54978e5b 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -74,7 +74,7 @@ in enable = true; networks."99-main" = genericNetwork mkDefault; } - (mkMerge (flip map interfaces (i: { + (mkMerge (forEach interfaces (i: { netdevs = mkIf i.virtual ({ "40-${i.name}" = { netdevConfig = { @@ -90,7 +90,7 @@ in name = mkDefault i.name; DHCP = mkForce (dhcpStr (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); - address = flip map (interfaceIps i) + address = forEach (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); networkConfig.IPv6PrivacyExtensions = "kernel"; } ]; @@ -102,7 +102,7 @@ in Kind = "bridge"; }; }; - networks = listToAttrs (flip map bridge.interfaces (bi: + networks = listToAttrs (forEach bridge.interfaces (bi: nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { DHCP = mkOverride 0 (dhcpStr false); networkConfig.Bridge = name; @@ -173,7 +173,7 @@ in }; - networks = listToAttrs (flip map bond.interfaces (bi: + networks = listToAttrs (forEach bond.interfaces (bi: nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { DHCP = mkOverride 0 (dhcpStr false); networkConfig.Bond = name; 
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f9b0eb330bf8..7c98010bd3d6 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -926,7 +926,7 @@ in warnings = concatMap (i: i.warnings) interfaces; assertions = - (flip map interfaces (i: { + (forEach interfaces (i: { # With the linux kernel, interface name length is limited by IFNAMSIZ # to 16 bytes, including the trailing null byte. # See include/linux/if.h in the kernel sources @@ -934,12 +934,12 @@ in message = '' The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters. ''; - })) ++ (flip map slaveIfs (i: { + })) ++ (forEach slaveIfs (i: { assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ]; message = '' The networking.interfaces."${i.name}" must not have any defined ips when it is a slave. ''; - })) ++ (flip map interfaces (i: { + })) ++ (forEach interfaces (i: { assertion = i.preferTempAddress -> cfg.enableIPv6; message = '' Temporary addresses are only needed when IPv6 is enabled. @@ -967,8 +967,8 @@ in "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) - (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) - // listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces) + (i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) + // listToAttrs (forEach (filter (i: i.preferTempAddress) interfaces) (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); # Capabilities won't work unless we have at-least a 4.3 Linux 
@@ -1051,7 +1051,7 @@ in ${cfg.localCommands} ''; }; - } // (listToAttrs (flip map interfaces (i: + } // (listToAttrs (forEach interfaces (i: let deviceDependency = if (config.boot.isContainer || i.name == "lo") then [] -- cgit v1.2.3 From 386f9739b56d8877245917e235b46fdd4c3621ab Mon Sep 17 00:00:00 2001 From: vdot0x23 <40716069+vdot0x23@users.noreply.github.com> Date: Wed, 7 Aug 2019 12:23:20 +0000 Subject: nixos/stubby: Clearer wording for upstreamServers Indicate that upstreamServers actually replaces defaults instead of adding to default. --- nixos/modules/services/networking/stubby.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/networking/stubby.nix b/nixos/modules/services/networking/stubby.nix index 3fbf6eb60e9d..b38bcd4cec05 100644 --- a/nixos/modules/services/networking/stubby.nix +++ b/nixos/modules/services/networking/stubby.nix @@ -168,7 +168,7 @@ in default = defaultUpstream; type = types.lines; description = '' - Add additional upstreams. See stubby + Replace default upstreams. See stubby 1 for an example of the entry formatting. In Strict mode, at least one of the following settings must be supplied for each nameserver: -- cgit v1.2.3 From 8becc897ea85bcd9e7c6a2953899ed863b4990fd Mon Sep 17 00:00:00 2001 From: Alex Guzman Date: Wed, 7 Aug 2019 11:57:42 -0700 Subject: roon-server: disable DynamicUser DynamicUser currently breaks the backup functionality provided by roon, as the roon server cannot write to non-canonical directories and the recycled UIDs/GIDs would make managing permissions for the directory impossible. On top of that, it would break the ability to manage the local music library files (as it would not be able to delete them). --- nixos/modules/services/audio/roon-server.nix | 2 -- 1 file changed, 2 deletions(-) (limited to 'nixos/modules') 
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 9562ad1b164e..a1683a24c10f 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -33,9 +33,7 @@ in { serviceConfig = { ExecStart = "${pkgs.roon-server}/opt/start.sh"; LimitNOFILE = 8192; - DynamicUser = true; SupplementaryGroups = "audio"; - StateDirectory = name; }; }; -- cgit v1.2.3 From 62d242d1cdc086a04eb4da6c973a3e8e15c370aa Mon Sep 17 00:00:00 2001 From: Alex Guzman Date: Wed, 7 Aug 2019 12:27:52 -0700 Subject: roon-server: Add actual user piping Adds defined IDs --- nixos/modules/misc/ids.nix | 2 ++ nixos/modules/services/audio/roon-server.nix | 27 ++++++++++++++++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) (limited to 'nixos/modules') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1047df95cdf5..225068d76403 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -340,6 +340,7 @@ cockroachdb = 313; zoneminder = 314; paperless = 315; + roon-server = 316; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -640,6 +641,7 @@ cockroachdb = 313; zoneminder = 314; paperless = 315; + roon-server = 316; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index a1683a24c10f..81980c8f6b28 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -19,6 +19,20 @@ in { TCP: 9100 - 9200 ''; }; + user = mkOption { + type = types.string; + default = "roon-server"; + description = '' + User to run the Roon Server as. + ''; + }; + group = mkOption { + type = types.string; + default = "roon-server"; + description = '' + Group to run the Roon Server as. + ''; + }; }; }; 
@@ -33,7 +47,7 @@ in { serviceConfig = { ExecStart = "${pkgs.roon-server}/opt/start.sh"; LimitNOFILE = 8192; - SupplementaryGroups = "audio"; + User = cfg.user; }; }; @@ -43,5 +57,16 @@ in { ]; allowedUDPPorts = [ 9003 ]; }; + + users.groups = singleton { + name = cfg.group; + gid = config.ids.gids.roon-server; + }; + users.users = singleton { + name = cfg.user; + description = "Roon Server user"; + uid = config.ids.uids.roon-server; + groups = [ cfg.group "audio" ]; + }; }; } -- cgit v1.2.3 From f160233793af1d8b03dce69757a621f389d363aa Mon Sep 17 00:00:00 2001 From: Alex Guzman Date: Wed, 7 Aug 2019 12:34:52 -0700 Subject: roon-server: let nix assign ids --- nixos/modules/misc/ids.nix | 2 -- nixos/modules/services/audio/roon-server.nix | 2 -- 2 files changed, 4 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 225068d76403..1047df95cdf5 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -340,7 +340,6 @@ cockroachdb = 313; zoneminder = 314; paperless = 315; - roon-server = 316; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -641,7 +640,6 @@ cockroachdb = 313; zoneminder = 314; paperless = 315; - roon-server = 316; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 81980c8f6b28..4e4e79694bfc 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -60,12 +60,10 @@ in { users.groups = singleton { name = cfg.group; - gid = config.ids.gids.roon-server; }; users.users = singleton { name = cfg.user; description = "Roon Server user"; - uid = config.ids.uids.roon-server; groups = [ cfg.group "audio" ]; }; }; -- cgit v1.2.3 From 6572b5e4a13f56d8ac1fb69a4b92fd65c8106eef Mon Sep 17 00:00:00 2001 
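Review bot: In the `users.users` entry added by the last roon-server.nix hunk of "Add actual user piping", `groups = [ cfg.group "audio" ];` does not look like an option that `users.users.<name>` declares; the ones I know of are `group` (primary group) and `extraGroups`. As written the account would either fail to evaluate or end up without the dedicated primary group and without the `audio` membership that the removed `SupplementaryGroups = "audio";` used to provide. I would write `group = cfg.group;` and `extraGroups = [ "audio" ];` instead. The same attribute is carried unchanged into the later "make roon user a system user" and "don't create user if user changes defaults" hunks.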
From: Alex Guzman Date: Wed, 7 Aug 2019 13:12:57 -0700 Subject: [roon-server] make roon user a system user --- nixos/modules/services/audio/roon-server.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos/modules') diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 4e4e79694bfc..8c56634cb75c 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -63,6 +63,7 @@ in { }; users.users = singleton { name = cfg.user; + isSystemUser = true; description = "Roon Server user"; groups = [ cfg.group "audio" ]; }; -- cgit v1.2.3 From 9f9b458ce39e1e6fecb4dca2f659db8752d91e8a Mon Sep 17 00:00:00 2001 From: Alex Guzman Date: Wed, 7 Aug 2019 13:23:36 -0700 Subject: [roon-server] don't create user if user changes defaults If the user changes the user for roon, we can assume they handled the setup for it --- nixos/modules/services/audio/roon-server.nix | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 8c56634cb75c..6ad5b6b4cbdc 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -48,6 +48,7 @@ in { ExecStart = "${pkgs.roon-server}/opt/start.sh"; LimitNOFILE = 8192; User = cfg.user; + Group = cfg.group; }; }; @@ -58,14 +59,14 @@ in { allowedUDPPorts = [ 9003 ]; }; - users.groups = singleton { - name = cfg.group; - }; - users.users = singleton { - name = cfg.user; - isSystemUser = true; - description = "Roon Server user"; - groups = [ cfg.group "audio" ]; - }; + + users.groups."${cfg.group}" = {}; + users.users."${cfg.user}" = + if cfg.user == "roon-server" then { + isSystemUser = true; + description = "Roon Server user"; + groups = [ cfg.group "audio" ]; + } + else {}; }; } -- cgit v1.2.3 
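Review bot: The `else {}` branch of `users.users."${cfg.user}"` still declares an account under the custom name, and `users.groups."${cfg.group}" = {};` is unconditional, so the module keeps defining both even when the administrator has overridden the defaults. That is not what the commit message describes, and it means the identity the service runs under is partly shaped by this module's defaults rather than only by the administrator's own declaration. Making both definitions conditional, for example `users.users = mkIf (cfg.user == "roon-server") { roon-server = { … }; };` and the same guard on `cfg.group == "roon-server"` for `users.groups`, would match the stated intent (assuming `mkIf` is in scope here, which the hunk does not show).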
From 2da1ad60a8ccc2946cfb6f547453ce2387a06bae Mon Sep 17 00:00:00 2001 From: Matthieu Coudron Date: Sun, 24 Mar 2019 22:04:15 +0900 Subject: boot.kernelPackages: check for conflicts It's currently possible to set conflicting `boot.kernelPackages` several times which can prove confusing. This is an attempt to warn for this. --- nixos/modules/system/boot/kernel.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos/modules') diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index ee43fe100238..baa8c602a99e 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -36,6 +36,7 @@ in boot.kernelPackages = mkOption { default = pkgs.linuxPackages; + type = types.unspecified // { merge = mergeEqualOption; }; apply = kernelPackages: kernelPackages.extend (self: super: { kernel = super.kernel.override { inherit randstructSeed; -- cgit v1.2.3 From d830ae9af3ff2c0f435e22adc576e0e70c98ac51 Mon Sep 17 00:00:00 2001 From: Alex Guzman Date: Fri, 9 Aug 2019 13:02:46 -0700 Subject: [roon-server] Use non-deprecated string type --- nixos/modules/services/audio/roon-server.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 6ad5b6b4cbdc..ba995ab93ec4 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -20,14 +20,14 @@ in { ''; }; user = mkOption { - type = types.string; + type = types.str; default = "roon-server"; description = '' User to run the Roon Server as. ''; }; group = mkOption { - type = types.string; + type = types.str; default = "roon-server"; description = '' Group to run the Roon Server as. -- cgit v1.2.3 From 9fec6dfa39e3a9a0deab6713d2626c7a95b3437f Mon Sep 17 00:00:00 2001 
From: Alex Guzman Date: Fri, 9 Aug 2019 22:21:46 -0700 Subject: roon-server: add back state directory --- nixos/modules/services/audio/roon-server.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos/modules') diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index ba995ab93ec4..d4b0b098b78e 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -49,6 +49,7 @@ in { LimitNOFILE = 8192; User = cfg.user; Group = cfg.group; + StateDirectory = name; }; }; -- cgit v1.2.3 From 5bbde1e1cab31e7559fb76f0fd22aac5d1e561fe Mon Sep 17 00:00:00 2001 From: Tim Digel Date: Mon, 3 Jun 2019 14:27:51 +0200 Subject: nixos/riemann-tools: Add ExtraArgs Config Option Added option "extraArgs" to forward any switches to riemann-tools. --- nixos/modules/services/monitoring/riemann-tools.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/monitoring/riemann-tools.nix b/nixos/modules/services/monitoring/riemann-tools.nix index 9c400a1e3e46..2b647b6b1ade 100644 --- a/nixos/modules/services/monitoring/riemann-tools.nix +++ b/nixos/modules/services/monitoring/riemann-tools.nix @@ -11,7 +11,7 @@ let healthLauncher = writeScriptBin "riemann-health" '' #!/bin/sh - exec ${pkgs.riemann-tools}/bin/riemann-health --host ${riemannHost} + exec ${pkgs.riemann-tools}/bin/riemann-health ${builtins.concatStringsSep " " cfg.extraArgs} --host ${riemannHost} ''; @@ -34,8 +34,16 @@ in { Address of the host riemann node. Defaults to localhost. ''; }; + extraArgs = mkOption { + type = types.listOf types.string; + default = []; + description = '' + A list of commandline-switches forwarded to a riemann-tool. + See for example `riemann-health --help` for available options. + ''; + example = ["-p 5555" "--timeout=30" "--attribute=myattribute=42"]; + }; }; - }; config = mkIf cfg.enableHealth { -- cgit v1.2.3 
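Review bot: `${builtins.concatStringsSep " " cfg.extraArgs}` in the `healthLauncher` script pastes the option values into `/bin/sh` source unquoted, so an element containing whitespace, `;`, `$` or backticks is re-interpreted by the shell instead of reaching riemann-health as one argument. `${escapeShellArgs cfg.extraArgs}` (from lib) keeps each list element a single, quoted argument; the `example` would then need `"-p" "5555"` as two elements rather than `"-p 5555"`. In the option hunk that follows, `types.listOf types.string` uses the deprecated string type; `types.listOf types.str` is the replacement, as the roon-server commit on this page already does for its own options.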
From d7d873b8cb2e7c39234e9b214813d58f29cc4950 Mon Sep 17 00:00:00 2001 From: Ben Gamari Date: Tue, 30 Jul 2019 18:32:42 -0400 Subject: nixos/gitlab: Delete stale hooks directories with -R These can be directories. --- nixos/modules/services/misc/gitlab.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 087630f21776..09c3a89d6a68 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -659,7 +659,7 @@ in { fi # We remove potentially broken links to old gitlab-shell versions - rm -f ${cfg.statePath}/repositories/**/*.git/hooks + rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input" ''; -- cgit v1.2.3 From 4ead3d2ec3d4fac9ee22da47bbe3bc9defb62c49 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Thu, 15 Aug 2019 18:48:38 +0200 Subject: Revert "nixos/hardened: use graphene-hardened malloc by default" This reverts commit 48ff4f119735dc60c3e2794a71b00757b838d877. Causes too much breakage to be enabled by default [1][2]. [1]: https://github.com/NixOS/nixpkgs/issues/61489 [2]: https://github.com/NixOS/nixpkgs/issues/65000 --- nixos/modules/profiles/hardened.nix | 2 -- 1 file changed, 2 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 3ff9a2b4fde0..b748a7c296df 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -14,8 +14,6 @@ with lib; nix.allowedUsers = mkDefault [ "@users" ]; - environment.memoryAllocator.provider = mkDefault "graphene-hardened"; - security.hideProcessInformation = mkDefault true; security.lockKernelModules = mkDefault true; -- cgit v1.2.3 From ac4327c0256cdf8fc70f385a0b9ccb8068936871 Mon Sep 17 00:00:00 2001 
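Review bot: The changed line `rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks` now deletes recursively but still expands `${cfg.statePath}` unquoted, and the script appears to run with more privilege than `cfg.user` (the next line drops to that user through sudo). A state path containing whitespace would split into separate operands of a forced recursive delete; quoting the prefix, `rm -Rf "${cfg.statePath}"/repositories/**/*.git/hooks`, avoids that. `**` only descends through nested directories when globstar is enabled for the script, which this hunk does not show; without it the pattern behaves like a single `*` and hooks in deeper paths are left in place. The enclosing script starts and ends outside the hunk.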
From: Aaron Andersen Date: Sun, 11 Aug 2019 08:57:48 -0400 Subject: nixos/awstats: replace usage of deprecated services.httpd.extraSubservices --- nixos/modules/services/logging/awstats.nix | 54 +++++++++++++----------------- 1 file changed, 24 insertions(+), 30 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/logging/awstats.nix b/nixos/modules/services/logging/awstats.nix index 612ae06d0a79..54799d699a74 100644 --- a/nixos/modules/services/logging/awstats.nix +++ b/nixos/modules/services/logging/awstats.nix @@ -4,6 +4,7 @@ with lib; let cfg = config.services.awstats; + httpd = config.services.httpd; package = pkgs.awstats; in 
@@ -67,50 +68,43 @@ in environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf" { preferLocalBuild = true; } ( let - cfg-httpd = config.services.httpd; logFormat = - if cfg-httpd.logFormat == "combined" then "1" else - if cfg-httpd.logFormat == "common" then "4" else - throw "awstats service doesn't support Apache log format `${cfg-httpd.logFormat}`"; + if httpd.logFormat == "combined" then "1" else + if httpd.logFormat == "common" then "4" else + throw "awstats service doesn't support Apache log format `${httpd.logFormat}`"; in '' sed \ -e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \ -e 's|^\(DirIcons\)=.*$|\1="icons"|' \ -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ - -e 's|^\(SiteDomain\)=.*$|\1="${cfg-httpd.hostName}"|' \ - -e 's|^\(LogFile\)=.*$|\1="${cfg-httpd.logDir}/access_log"|' \ + -e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \ + -e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \ -e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \ < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" echo '${cfg.extraConfig}' >> "$out" ''); + systemd.tmpfiles.rules = optionals cfg.service.enable [ + "d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" + "Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" + ]; + # The httpd sub-service showing awstats. - services.httpd.enable = mkIf cfg.service.enable true; - services.httpd.extraSubservices = mkIf cfg.service.enable [ { function = { serverInfo, ... 
}: { - extraConfig = - '' - Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/" - Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/" - Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/" - ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/" + services.httpd = optionalAttrs cfg.service.enable { + enable = true; + extraConfig = '' + Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/" + Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/" + Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/" + ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/" - - Options None - AllowOverride None - Order allow,deny - Allow from all - - ''; - startupScript = - let - inherit (serverInfo.serverConfig) user group; - in pkgs.writeScript "awstats_startup.sh" - '' - mkdir -p '${cfg.vardir}' - chown '${user}:${group}' '${cfg.vardir}' - ''; - };}]; + + Options None + Require all granted + + ''; + }; systemd.services.awstats-update = mkIf (cfg.updateAt != null) { description = "awstats log collector"; -- cgit v1.2.3 From 265163da07cb1045af26613cf6f218ebd9548fc1 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 11 Aug 2019 11:14:03 -0400 Subject: nixos/systemhealth: drop unmaintained module --- nixos/modules/module-list.nix | 1 - nixos/modules/services/monitoring/systemhealth.nix | 133 --------------------- 2 files changed, 134 deletions(-) delete mode 100644 nixos/modules/services/monitoring/systemhealth.nix (limited to 'nixos/modules') diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 87fcce875253..f0122f1c886c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
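Review bot: `Require all granted` in the new `services.httpd.extraConfig` block leaves the awstats CGI and its reports readable by every client that can reach the web server, as the old `Allow from all` did. The reports contain visitor addresses, referrers and requested URLs, so I would not make that the module default: `Require local`, or an option that lets the administrator supply the access rule, is the safer choice. The enclosing directory tags are not visible in this rendering, so which path the rule covers is inferred from the `ScriptAlias` line above it. Separately, `services.httpd = mkIf cfg.service.enable { … };` is the more usual form than `optionalAttrs` for a definition that depends on `cfg`.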
@@ -519,7 +519,6 @@ ./services/monitoring/scollector.nix ./services/monitoring/smartd.nix ./services/monitoring/sysstat.nix - ./services/monitoring/systemhealth.nix ./services/monitoring/teamviewer.nix ./services/monitoring/telegraf.nix ./services/monitoring/thanos.nix diff --git a/nixos/modules/services/monitoring/systemhealth.nix b/nixos/modules/services/monitoring/systemhealth.nix deleted file mode 100644 index 32d4314d5f77..000000000000 --- a/nixos/modules/services/monitoring/systemhealth.nix +++ /dev/null 
@@ -1,133 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.systemhealth; - - systemhealth = with pkgs; stdenv.mkDerivation { - name = "systemhealth-1.0"; - src = fetchurl { - url = "https://www.brianlane.com/downloads/systemhealth/systemhealth-1.0.tar.bz2"; - sha256 = "1q69lz7hmpbdpbz36zb06nzfkj651413n9icx0njmyr3xzq1j9qy"; - }; - buildInputs = [ python ]; - installPhase = '' - mkdir -p $out/bin - # Make it work for kernels 3.x, not so different than 2.6 - sed -i 's/2\.6/4.0/' system_health.py - cp system_health.py $out/bin - ''; - }; - - rrdDir = "/var/lib/health/rrd"; - htmlDir = "/var/lib/health/html"; - - configFile = rrdDir + "/.syshealthrc"; - # The program will try to read $HOME/.syshealthrc, so we set the proper home. - command = "HOME=${rrdDir} ${systemhealth}/bin/system_health.py"; - - cronJob = '' - */5 * * * * wwwrun ${command} --log - 5 * * * * wwwrun ${command} --graph - ''; - - nameEqualName = s: "${s} = ${s}"; - interfacesSection = concatStringsSep "\n" (map nameEqualName cfg.interfaces); - - driveLine = d: "${d.path} = ${d.name}"; - drivesSection = concatStringsSep "\n" (map driveLine cfg.drives); - -in -{ - options = { - services.systemhealth = { - enable = mkOption { - default = false; - description = '' - Enable the system health monitor and its generation of graphs. - ''; - }; - - urlPrefix = mkOption { - default = "/health"; - description = '' - The URL prefix under which the System Health web pages appear in httpd. - ''; - }; - - interfaces = mkOption { - default = [ "lo" ]; - example = [ "lo" "eth0" "eth1" ]; - description = '' - Interfaces to monitor (minimum one). - ''; - }; - - drives = mkOption { - default = [ ]; - example = [ { name = "root"; path = "/"; } ]; - description = '' - Drives to monitor. 
- ''; - }; - }; - }; - - config = mkIf cfg.enable { - services.cron.systemCronJobs = [ cronJob ]; - - system.activationScripts.systemhealth = stringAfter [ "var" ] - '' - mkdir -p ${rrdDir} ${htmlDir} - chown wwwrun:wwwrun ${rrdDir} ${htmlDir} - - cat >${configFile} << EOF - [paths] - rrdtool = ${pkgs.rrdtool}/bin/rrdtool - loadavg_rrd = loadavg - ps = /run/current-system/sw/bin/ps - df = /run/current-system/sw/bin/df - meminfo_rrd = meminfo - uptime_rrd = uptime - rrd_path = ${rrdDir} - png_path = ${htmlDir} - - [processes] - - [interfaces] - ${interfacesSection} - - [drives] - ${drivesSection} - - [graphs] - width = 400 - time = ['-3hours', '-32hours', '-8days', '-5weeks', '-13months'] - height = 100 - - [external] - - EOF - - chown wwwrun:wwwrun ${configFile} - - ${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --check" wwwrun - ${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --html" wwwrun - ''; - - services.httpd.extraSubservices = [ - { function = f: { - extraConfig = '' - Alias ${cfg.urlPrefix} ${htmlDir} - - - Order allow,deny - Allow from all - - ''; - }; - } - ]; - }; -} -- cgit v1.2.3 From efbdce2e96e1a5befc4e3ef6681ad3edb5ba50a4 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Mon, 12 Aug 2019 18:02:22 -0400 Subject: nixos/mantisbt: drop unmaintained module --- nixos/modules/module-list.nix | 1 - nixos/modules/services/misc/mantisbt.nix | 68 -------------------------------- 2 files changed, 69 deletions(-) delete mode 100644 nixos/modules/services/misc/mantisbt.nix (limited to 'nixos/modules') diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index f0122f1c886c..7930770aad47 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -435,7 +435,6 @@ ./services/misc/logkeys.nix ./services/misc/leaps.nix ./services/misc/lidarr.nix - ./services/misc/mantisbt.nix ./services/misc/mathics.nix ./services/misc/matrix-synapse.nix ./services/misc/mbpfan.nix 
diff --git a/nixos/modules/services/misc/mantisbt.nix b/nixos/modules/services/misc/mantisbt.nix deleted file mode 100644 index 7e3474feb672..000000000000 --- a/nixos/modules/services/misc/mantisbt.nix +++ /dev/null @@ -1,68 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.services.mantisbt; - - freshInstall = cfg.extraConfig == ""; - - # combined code+config directory - mantisbt = let - config_inc = pkgs.writeText "config_inc.php" (" Date: Fri, 16 Aug 2019 16:58:48 +0200 Subject: trezord: adding emultor support --- nixos/modules/services/hardware/trezord.nix | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix index c06a0665d02f..bb55cc2a9ad1 100644 --- a/nixos/modules/services/hardware/trezord.nix +++ b/nixos/modules/services/hardware/trezord.nix @@ -16,6 +16,22 @@ in { Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets. ''; }; + + emulator.enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable Trezor emulator support. + ''; + }; + + emulator.port = mkOption { + type = types.port; + default = 21324; + description = '' + Listening port for the Trezor emulator. + ''; + }; }; }; @@ -44,7 +60,7 @@ in { path = []; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.trezord}/bin/trezord-go"; + ExecStart = "${pkgs.trezord}/bin/trezord-go ${optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}"; User = "trezord"; }; }; -- cgit v1.2.3 From dac8fe9ceec97d071f6257f19aaeb9ba9a4e86c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maximilian=20G=C3=BCntner?= Date: Fri, 16 Aug 2019 12:49:34 +0200 Subject: nixos/matrix-synapse: use notify instead of simpl
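Review bot: The description of `emulator.enable` in the trezord.nix option hunk, `Enable Trezor emulator support.`, does not say what the switch does to the bridge. With it set, the ExecStart hunk passes `-e <port>`, and as far as I know trezord-go then treats whatever answers on that local UDP port as a device. On a machine that also handles real wallets this means a local process bound to the port could be presented to wallet clients as a Trezor, so the option should be documented as a development and testing aid. I would extend the text to something like `Enable Trezor emulator support (development/testing only; the bridge will talk to an emulator on the given local UDP port).`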