Merge branch 'master' of github.com:nixos/nixpkgs into ryghcjs
Conflicts: pkgs/development/libraries/haskell/ghcjs-dom/default.nix pkgs/top-level/haskell-packages.nix
commit
a188373640
16
README.md
16
README.md
@ -1,10 +1,10 @@
|
||||
Nixpkgs is a collection of packages for [Nix](http://nixos.org/nix/) package
|
||||
manager. Nixpkgs also includes [NixOS](http://nixos.org/nixos/) linux distribution source code.
|
||||
Nixpkgs is a collection of packages for [Nix](https://nixos.org/nix/) package
|
||||
manager. Nixpkgs also includes [NixOS](https://nixos.org/nixos/) linux distribution source code.
|
||||
|
||||
* [NixOS installation instructions](http://nixos.org/nixos/manual/#ch-installation)
|
||||
* [Manual (How to write packages for Nix)](http://nixos.org/nixpkgs/manual/)
|
||||
* [Manual (NixOS)](http://nixos.org/nixos/manual/)
|
||||
* [Continuous build](http://hydra.nixos.org/jobset/nixos/trunk-combined)
|
||||
* [Tests](http://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
|
||||
* [Mailing list](http://lists.science.uu.nl/mailman/listinfo/nix-dev)
|
||||
* [NixOS installation instructions](https://nixos.org/nixos/manual/#ch-installation)
|
||||
* [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
|
||||
* [Manual (NixOS)](https://nixos.org/nixos/manual/)
|
||||
* [Continuous build](https://hydra.nixos.org/jobset/nixos/trunk-combined)
|
||||
* [Tests](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
|
||||
* [Mailing list](https://lists.science.uu.nl/mailman/listinfo/nix-dev)
|
||||
* [IRC - #nixos on freenode.net](irc://irc.freenode.net/#nixos)
|
||||
|
@ -502,7 +502,7 @@ exist in community to help save time. No tool is preferred at the moment.
|
||||
<section xml:id="python-development"><title>Development</title>
|
||||
|
||||
<para>
|
||||
To develop Python packages <function>bulidPythonPackage</function> has
|
||||
To develop Python packages <function>buildPythonPackage</function> has
|
||||
additional logic inside <varname>shellPhase</varname> to run
|
||||
<command>${python.interpreter} setup.py develop</command> for the package.
|
||||
</para>
|
||||
|
@ -184,10 +184,10 @@ if test "$noSysDirs" = "1"; then
|
||||
if test "$noSysDirs" = "1"; then
|
||||
# Figure out what extra flags to pass to the gcc compilers
|
||||
# being generated to make sure that they use our glibc.
|
||||
if test -e $NIX_GCC/nix-support/orig-glibc; then
|
||||
glibc=$(cat $NIX_GCC/nix-support/orig-glibc)
|
||||
if test -e $NIX_CC/nix-support/orig-glibc; then
|
||||
glibc=$(cat $NIX_CC/nix-support/orig-glibc)
|
||||
# Ugh. Copied from gcc-wrapper/builder.sh. We can't just
|
||||
# source in $NIX_GCC/nix-support/add-flags, since that
|
||||
# source in $NIX_CC/nix-support/add-flags, since that
|
||||
# would cause *this* GCC to be linked against the
|
||||
# *previous* GCC. Need some more modularity there.
|
||||
extraCFlags="-B$glibc/lib -isystem $glibc/include"
|
||||
|
@ -135,7 +135,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
|
||||
};
|
||||
|
||||
gpl1 = spdx {
|
||||
shortName = "GPL-1.0";
|
||||
spdxId = "GPL-1.0";
|
||||
fullName = "GNU General Public License v1.0 only";
|
||||
};
|
||||
|
||||
@ -255,6 +255,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
|
||||
fullName = "LaTeX Project Public License v1.2";
|
||||
};
|
||||
|
||||
lppl13c = spdx {
|
||||
spdxId = "LPPL-1.3c";
|
||||
fullName = "LaTeX Project Public License v1.3c";
|
||||
};
|
||||
|
||||
lpl-102 = spdx {
|
||||
spdxId = "LPL-1.02";
|
||||
fullName = "Lucent Public License v1.02";
|
||||
|
@ -26,6 +26,7 @@
|
||||
aycanirican = "Aycan iRiCAN <iricanaycan@gmail.com>";
|
||||
balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
|
||||
bbenoist = "Baptist BENOIST <return_0@live.com>";
|
||||
bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
|
||||
bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
|
||||
berdario = "Dario Bertini <berdario@gmail.com>";
|
||||
bergey = "Daniel Bergey <bergey@teallabs.org>";
|
||||
@ -50,6 +51,7 @@
|
||||
davidrusu = "David Rusu <davidrusu.me@gmail.com>";
|
||||
dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
|
||||
DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
|
||||
devhell = "devhell <\"^\"@regexmail.net>";
|
||||
dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
|
||||
doublec = "Chris Double <chris.double@double.co.nz>";
|
||||
ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
|
||||
@ -90,6 +92,7 @@
|
||||
jzellner = "Jeff Zellner <jeffz@eml.cc>";
|
||||
kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
|
||||
koral = "Koral <koral@mailoo.org>";
|
||||
kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
|
||||
kragniz = "Louis Taylor <kragniz@gmail.com>";
|
||||
ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
|
||||
lethalman = "Luca Bruno <lucabru@src.gnome.org>";
|
||||
@ -102,12 +105,14 @@
|
||||
manveru = "Michael Fellinger <m.fellinger@gmail.com>";
|
||||
marcweber = "Marc Weber <marco-oweber@gmx.de>";
|
||||
matejc = "Matej Cotman <cotman.matej@gmail.com>";
|
||||
meditans = "Carlo Nucera <meditans@gmail.com>";
|
||||
meisternu = "Matt Miemiec <meister@krutt.org>";
|
||||
michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
|
||||
modulistic = "Pablo Costa <modulistic@gmail.com>";
|
||||
mornfall = "Petr Ročkai <me@mornfall.net>";
|
||||
MP2E = "Cray Elliott <MP2E@archlinux.us>";
|
||||
msackman = "Matthew Sackman <matthew@wellquite.org>";
|
||||
mtreskin = "Max Treskin <zerthurd@gmail.com>";
|
||||
muflax = "Stefan Dorn <mail@muflax.com>";
|
||||
nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
|
||||
nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
|
||||
@ -124,6 +129,7 @@
|
||||
piotr = "Piotr Pietraszkiewicz <ppietrasa@gmail.com>";
|
||||
pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
|
||||
plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
|
||||
prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
|
||||
pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
|
||||
puffnfresh = "Brian McKenna <brian@brianmckenna.org>";
|
||||
qknight = "Joachim Schiele <js@lastlog.de>";
|
||||
@ -175,6 +181,7 @@
|
||||
wjlroe = "William Roe <willroe@gmail.com>";
|
||||
wkennington = "William A. Kennington III <william@wkennington.com>";
|
||||
wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
|
||||
wscott = "Wayne Scott <wsc9tt@gmail.com>";
|
||||
wyvie = "Elijah Rum <elijahrum@gmail.com>";
|
||||
yarr = "Dmitry V. <savraz@gmail.com>";
|
||||
z77z = "Marco Maggesi <maggesi@math.unifi.it>";
|
||||
|
@ -31,6 +31,23 @@ rec {
|
||||
type = lib.types.bool;
|
||||
};
|
||||
|
||||
# This option accept anything, but it does not produce any result. This
|
||||
# is useful for sharing a module across different module sets without
|
||||
# having to implement similar features as long as the value of the options
|
||||
# are not expected.
|
||||
mkSinkUndeclaredOptions = attrs: mkOption ({
|
||||
internal = true;
|
||||
visible = false;
|
||||
default = false;
|
||||
description = "Sink for option definitions.";
|
||||
type = mkOptionType {
|
||||
name = "sink";
|
||||
check = x: true;
|
||||
merge = loc: defs: false;
|
||||
};
|
||||
apply = x: throw "Option value is not readable because the option is not declared.";
|
||||
} // attrs);
|
||||
|
||||
mergeDefaultOption = loc: defs:
|
||||
let list = getValues defs; in
|
||||
if length list == 1 then head list
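Review bot: The comment above `mkSinkUndeclaredOptions` has a grammar slip and understates what the option does: because `apply` throws unconditionally, reading the value fails even when nothing defines it, since `default = false` is still passed through `apply` if I read the module system correctly — worth confirming. I would reword it to `# This option accepts anything, but it does not produce any result: reading the value throws, so the option is purely a sink for definitions. Use it to share a module across module sets that do not implement the corresponding features.` The `rec` attribute set this definition lives in starts before the hunk.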
|
||||
|
@ -1,7 +1,7 @@
|
||||
FROM busybox
|
||||
|
||||
RUN dir=`mktemp -d` && trap 'rm -rf "$dir"' EXIT && \
|
||||
wget -O- http://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2 | bzcat | tar x -C $dir && \
|
||||
wget -O- https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2 | bzcat | tar x -C $dir && \
|
||||
mkdir -m 0755 /nix && USER=root sh $dir/*/install && \
|
||||
echo ". /root/.nix-profile/etc/profile.d/nix.sh" >> /etc/profile
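Review bot: Moving the `wget -O-` fetch to https authenticates the transport, but nothing still checks the archive before it is unpacked and `sh $dir/*/install` runs as root inside the image, so a tampered cache or mirror in front of nixos.org would go unnoticed. Pin the published digest of nix-1.7-x86_64-linux.tar.bz2 and verify it before extracting: download to a file, run `echo "<EXPECTED_SHA256>  $dir/nix.tar.bz2" | sha256sum -c -` (placeholder to be replaced by the upstream hash, assuming this busybox build ships sha256sum) and only then pipe it through `bzcat | tar x -C "$dir"`. Quoting `$dir` there also keeps the line consistent with the quoted `trap`.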
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
stdenv.mkDerivation {
|
||||
name = "nix-generate-from-cpan-1";
|
||||
|
||||
buildInputs = [ makeWrapper perl perlPackages.YAMLLibYAML perlPackages.JSON ];
|
||||
buildInputs = [ makeWrapper perl perlPackages.YAMLLibYAML perlPackages.JSON perlPackages.CPANPLUS ];
|
||||
|
||||
unpackPhase = "true";
|
||||
buildPhase = "true";
|
||||
@ -19,4 +19,4 @@ stdenv.mkDerivation {
|
||||
maintainers = [ stdenv.lib.maintainers.eelco ];
|
||||
description = "Utility to generate a Nix expression for a Perl package from CPAN";
|
||||
};
|
||||
}
|
||||
}
|
||||
|
@ -100,7 +100,7 @@ sub get_deps {
|
||||
foreach my $n (keys %{$deps}) {
|
||||
next if $n eq "perl";
|
||||
# Hacky way to figure out if this module is part of Perl.
|
||||
if ($n !~ /^JSON/ && $n !~ /^YAML/) {
|
||||
if ($n !~ /^JSON/ && $n !~ /^YAML/ && $n !~ /^Module::Pluggable/) {
|
||||
eval "use $n;";
|
||||
if (!$@) {
|
||||
print STDERR "skipping Perl-builtin module $n\n";
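Review bot: The `eval "use $n;"` line below the changed condition is a string eval of a module name taken from the distribution's dependency metadata, so a dependency name containing `;` or other Perl syntax is executed as code by whoever runs the generator; the commit only widens the exclusion list and leaves that in place. Restrict `$n` to a syntactic package name and probe for it with a block eval plus `require`, which keeps the existing `if (!$@)` test working; the only behavioural difference is that the module's `import` is no longer called, which does not matter for an "is it installed" check. `get_deps` starts before this hunk.
```perl
# … unchanged: next if $n eq "perl"; …
# Hacky way to figure out if this module is part of Perl.
if ($n !~ /^JSON/ && $n !~ /^YAML/ && $n !~ /^Module::Pluggable/) {
    # $n comes from the package's dependency metadata: only probe names
    # that look like package names, and never interpolate them into code.
    next unless $n =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
    (my $module_file = "$n.pm") =~ s{::}{/}g;
    eval { require $module_file; 1 };
    if (!$@) {
        # … unchanged: skip message …
```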
|
||||
|
@ -62,7 +62,7 @@ for bin in $(find $binaryDist -executable -type f) :; do
|
||||
)
|
||||
|
||||
if test "$names" = "glibc"; then names="stdenv.glibc"; fi
|
||||
if echo $names | grep -c "gcc" &> /dev/null; then names="stdenv.gcc.gcc"; fi
|
||||
if echo $names | grep -c "gcc" &> /dev/null; then names="stdenv.cc.gcc"; fi
|
||||
|
||||
if test $lib != $libPath; then
|
||||
interpreter="--interpreter \${$names}/lib/$lib"
|
||||
|
111
maintainers/scripts/update-channel-branches.sh
Executable file
111
maintainers/scripts/update-channel-branches.sh
Executable file
@ -0,0 +1,111 @@
|
||||
#!/bin/sh
|
||||
|
||||
: ${NIXOS_CHANNELS:=https://nixos.org/channels/}
|
||||
: ${CHANNELS_NAMESPACE:=refs/heads/channels/}
|
||||
|
||||
# List all channels which are currently in the repository which we would
|
||||
# have to remove if they are not found again.
|
||||
deadChannels=$(git for-each-ref --format="%(refname)" $CHANNELS_NAMESPACE)
|
||||
|
||||
function updateRef() {
|
||||
local channelName=$1
|
||||
local newRev=$2
|
||||
|
||||
# if the inputs are not valid, then we do not update any branch.
|
||||
test -z "$newRev" -o -z "$channelName" && return;
|
||||
|
||||
# Update the local refs/heads/channels/* branches to be in-sync with the
|
||||
# channel references.
|
||||
local branch=$CHANNELS_NAMESPACE$channelName
|
||||
oldRev=$(git rev-parse --short $branch 2>/dev/null || true)
|
||||
if test "$oldRev" != "$newRev"; then
|
||||
if git update-ref $branch $newRev 2>/dev/null; then
|
||||
if test -z "$oldRev"; then
|
||||
echo " * [new branch] $newRev -> ${branch#refs/heads/}"
|
||||
else
|
||||
echo " $oldRev..$newRev -> ${branch#refs/heads/}"
|
||||
fi
|
||||
else
|
||||
if test -z "$oldRev"; then
|
||||
echo " * [missing rev] $newRev -> ${branch#refs/heads/}"
|
||||
else
|
||||
echo " [missing rev] $oldRev..$newRev -> ${branch#refs/heads/}"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Filter out the current channel from the list of dead channels.
|
||||
deadChannels=$(grep -v $CHANNELS_NAMESPACE$channelName <<EOF
|
||||
$deadChannels
|
||||
EOF
|
||||
)
|
||||
}
|
||||
|
||||
# Find the name of all channels which are listed in the directory.
|
||||
echo "Fetching channels from $NIXOS_CHANNELS:"
|
||||
for channelName in : $(curl -s $NIXOS_CHANNELS | sed -n '/folder/ { s,.*href=",,; s,/".*,,; p }'); do
|
||||
test "$channelName" = : && continue;
|
||||
|
||||
# Do not follow redirections, such that we can extract the
|
||||
# short-changeset from the name of the directory where we are
|
||||
# redirected to.
|
||||
sha1=$(curl -sI $NIXOS_CHANNELS$channelName | sed -n '/Location/ { s,.*\.\([a-f0-9]*\)[ \r]*$,\1,; p; }')
|
||||
|
||||
updateRef "remotes/$channelName" "$sha1"
|
||||
done
|
||||
|
||||
echo "Fetching channels from nixos-version:"
|
||||
if currentSystem=$(nixos-version 2>/dev/null); then
|
||||
# If the system is entirely build from a custom nixpkgs version,
|
||||
# then the version is not annotated in git version. This sed
|
||||
# expression is basically matching that the expressions end with
|
||||
# ".<sha1> (Name)" to extract the sha1.
|
||||
sha1=$(echo $currentSystem | sed -n 's,^.*\.\([a-f0-9]*\) *(.*)$,\1,; T skip; p; :skip;')
|
||||
|
||||
updateRef current-system "$sha1"
|
||||
fi
|
||||
|
||||
echo "Fetching channels from ~/.nix-defexpr:"
|
||||
for revFile in : $(find -L ~/.nix-defexpr/ -maxdepth 4 -name svn-revision); do
|
||||
test "$revFile" = : && continue;
|
||||
|
||||
# Deconstruct a path such as, into:
|
||||
#
|
||||
# /home/luke/.nix-defexpr/channels_root/nixos/nixpkgs/svn-revision
|
||||
# channelName = root/nixos
|
||||
#
|
||||
# /home/luke/.nix-defexpr/channels/nixpkgs/svn-revision
|
||||
# channelName = nixpkgs
|
||||
#
|
||||
user=${revFile#*.nix-defexpr/channels}
|
||||
repo=${user#*/}
|
||||
repo=${repo%%/*}
|
||||
user=${user%%/*}
|
||||
user=${user#_}
|
||||
test -z "$user" && user=$USER
|
||||
channelName="$user${user:+/}$repo"
|
||||
|
||||
sha1=$(cat $revFile | sed -n 's,^.*\.\([a-f0-9]*\)$,\1,; T skip; p; :skip;')
|
||||
|
||||
updateRef "$channelName" "$sha1"
|
||||
done
|
||||
|
||||
# Suggest to remove channel branches which are no longer found by this
|
||||
# script. This is to handle the cases where a local/remote channel
|
||||
# disappear. We should not attempt to remove manually any branches, as they
|
||||
# might be user branches.
|
||||
if test -n "$deadChannels"; then
|
||||
|
||||
echo "
|
||||
Some old channel branches are still in your repository, if you
|
||||
want to remove them, run the following command(s):
|
||||
"
|
||||
|
||||
while read branch; do
|
||||
echo " git update-ref -d $branch"
|
||||
done <<EOF
|
||||
$deadChannels
|
||||
EOF
|
||||
|
||||
echo
|
||||
fi
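Review bot: The dead-channel filter `grep -v $CHANNELS_NAMESPACE$channelName` matches as an unanchored regex substring, so updating `remotes/nixos` also removes `remotes/nixos-unstable` and `remotes/nixos-14.04` from `deadChannels` and those branches are never suggested for deletion; a fixed whole-line match, `deadChannels=$(grep -vxF "$CHANNELS_NAMESPACE$channelName" <<EOF`, does what the comment says. The `channelName` values come from the HTML listing at `$NIXOS_CHANNELS` and from directory names under `~/.nix-defexpr`, and reach `git update-ref $branch $newRev` unquoted, so quoting both operands and rejecting names that do not match `^[A-Za-z0-9._/-]+$` in `updateRef` keeps a stray space or glob character in a listing from touching more than one ref. The file declares `#!/bin/sh` but uses the bash-only `function` keyword and `test -o`, which fails under dash; either use `#!/usr/bin/env bash` or write `updateRef() {` and split the `-o` test into two.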
|
@ -12,9 +12,9 @@ pre-built binary. That is, whenever a command like
|
||||
<command>nixos-rebuild</command> needs a path in the Nix store, Nix
|
||||
will try to download that path from the Internet rather than build it
|
||||
from source. The default binary cache is
|
||||
<uri>http://cache.nixos.org/</uri>. If this cache is unreachable, Nix
|
||||
operations may take a long time due to HTTP connection timeouts. You
|
||||
can disable the use of the binary cache by adding <option>--option
|
||||
<uri>https://cache.nixos.org/</uri>. If this cache is unreachable,
|
||||
Nix operations may take a long time due to HTTP connection timeouts.
|
||||
You can disable the use of the binary cache by adding <option>--option
|
||||
use-binary-caches false</option>, e.g.
|
||||
|
||||
<screen>
|
||||
@ -30,4 +30,4 @@ $ nixos-rebuild switch --option binary-caches http://my-cache.example.org/
|
||||
|
||||
</para>
|
||||
|
||||
</section>
|
||||
</section>
|
||||
|
@ -40,20 +40,22 @@ rebuild everything from source. So you may want to create a local
|
||||
branch based on your current NixOS version:
|
||||
|
||||
<screen>
|
||||
$ nixos-version
|
||||
14.04.273.ea1952b (Baboon)
|
||||
|
||||
$ git checkout -b local ea1952b
|
||||
$ <replaceable>/my/sources</replaceable>/nixpkgs/maintainers/scripts/update-channel-branches.sh
|
||||
Fetching channels from https://nixos.org/channels:
|
||||
* [new branch] cbe467e -> channels/remotes/nixos-unstable
|
||||
Fetching channels from nixos-version:
|
||||
* [new branch] 9ff4738 -> channels/current-system
|
||||
Fetching channels from ~/.nix-defexpr:
|
||||
* [new branch] 0d4acad -> channels/root/nixos
|
||||
$ git checkout -b local channels/current-system
|
||||
</screen>
|
||||
|
||||
Or, to base your local branch on the latest version available in the
|
||||
NixOS channel:
|
||||
|
||||
<screen>
|
||||
$ curl -sI http://nixos.org/channels/nixos-unstable/ | grep Location
|
||||
Location: http://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/
|
||||
|
||||
$ git checkout -b local acaf4a6
|
||||
$ <replaceable>/my/sources</replaceable>/nixpkgs/maintainers/scripts/update-channel-branches.sh
|
||||
$ git checkout -b local channels/remotes/nixos-unstable
|
||||
</screen>
|
||||
|
||||
You can then use <command>git rebase</command> to sync your local
|
||||
@ -92,4 +94,4 @@ to <command>nix-env</command>, as it will break after interpreting expressions
|
||||
in <filename>nixos/</filename> as packages.</para>
|
||||
-->
|
||||
|
||||
</chapter>
|
||||
</chapter>
|
||||
|
@ -8,9 +8,14 @@
|
||||
|
||||
<para>NixOS ISO images can be downloaded from the <link
|
||||
xlink:href="http://nixos.org/nixos/download.html">NixOS
|
||||
homepage</link>. These can be burned onto a CD. It is also possible
|
||||
to copy them onto a USB stick and install NixOS from there. For
|
||||
details, see the <link
|
||||
homepage</link>. There are a number of installation options. If
|
||||
you happen to have an optical drive and a spare CD, burning the
|
||||
image to CD and booting from that is probably the easiest option.
|
||||
Most people will need to prepare a USB stick to boot from.
|
||||
Unetbootin is recommended and the process is described in brief below.
|
||||
Note that systems which use UEFI require some additional manual steps.
|
||||
If you run into difficulty a number of alternative methods are presented
|
||||
in the <link
|
||||
xlink:href="https://nixos.org/wiki/Installing_NixOS_from_a_USB_stick">NixOS
|
||||
Wiki</link>.</para>
|
||||
|
||||
|
@ -15,7 +15,7 @@ been built. These channels are:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Stable channels, such as <literal
|
||||
xlink:href="http://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
|
||||
xlink:href="https://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
|
||||
These only get conservative bug fixes and package upgrades. For
|
||||
instance, a channel update may cause the Linux kernel on your
|
||||
system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
|
||||
@ -26,7 +26,7 @@ been built. These channels are:
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>The unstable channel, <literal
|
||||
xlink:href="http://nixos.org/channels/nixos-unstable">nixos-unstable</literal>.
|
||||
xlink:href="https://nixos.org/channels/nixos-unstable">nixos-unstable</literal>.
|
||||
This corresponds to NixOS’s main development branch, and may thus
|
||||
see radical changes between channel updates. It’s not recommended
|
||||
for production systems.</para>
|
||||
@ -34,7 +34,7 @@ been built. These channels are:
|
||||
</itemizedlist>
|
||||
|
||||
To see what channels are available, go to <link
|
||||
xlink:href="http://nixos.org/channels"/>. (Note that the URIs of the
|
||||
xlink:href="https://nixos.org/channels"/>. (Note that the URIs of the
|
||||
various channels redirect to a directory that contains the channel’s
|
||||
latest version and includes ISO images and VirtualBox
|
||||
appliances.)</para>
|
||||
@ -53,20 +53,20 @@ nixos https://nixos.org/channels/nixos-unstable
|
||||
To switch to a different NixOS channel, do
|
||||
|
||||
<screen>
|
||||
$ nix-channel --add http://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
|
||||
$ nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
|
||||
</screen>
|
||||
|
||||
(Be sure to include the <literal>nixos</literal> parameter at the
|
||||
end.) For instance, to use the NixOS 14.04 stable channel:
|
||||
|
||||
<screen>
|
||||
$ nix-channel --add http://nixos.org/channels/nixos-14.04 nixos
|
||||
$ nix-channel --add https://nixos.org/channels/nixos-14.04 nixos
|
||||
</screen>
|
||||
|
||||
But if you want to live on the bleeding edge:
|
||||
|
||||
<screen>
|
||||
$ nix-channel --add http://nixos.org/channels/nixos-unstable nixos
|
||||
$ nix-channel --add https://nixos.org/channels/nixos-unstable nixos
|
||||
</screen>
|
||||
|
||||
</para>
|
||||
|
@ -10,7 +10,7 @@
|
||||
<para>This section lists the release notes for each stable version of NixOS.</para>
|
||||
</partintro>
|
||||
|
||||
<xi:include href="rl-1411.xml" />
|
||||
<xi:include href="rl-1412.xml" />
|
||||
<xi:include href="rl-1404.xml" />
|
||||
<xi:include href="rl-1310.xml" />
|
||||
|
||||
|
@ -1,37 +0,0 @@
|
||||
<chapter xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
version="5.0"
|
||||
xml:id="sec-release-14.11">
|
||||
|
||||
<title>Release 14.11 (“Caterpillar”, 2014/11/??)</title>
|
||||
|
||||
<para>When upgrading from a previous release, please be aware of the
|
||||
following incompatible changes:
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
<listitem><para>The default version of Apache httpd is now 2.4. If
|
||||
you use the <option>extraConfig</option> option to pass literal
|
||||
Apache configuration text, you may need to update it — see <link
|
||||
xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
|
||||
documentation</link> for details. If you wish to continue to use
|
||||
httpd 2.2, add the following line to your NixOS configuration:
|
||||
|
||||
<programlisting>
|
||||
services.httpd.package = pkgs.apacheHttpd_2_2;
|
||||
</programlisting>
|
||||
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>The host side of a container virtual Ethernet pair
|
||||
is now called <literal>ve-<replaceable>container-name</replaceable></literal>
|
||||
rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
|
||||
|
||||
<listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
||||
</para>
|
||||
|
||||
</chapter>
|
167
nixos/doc/manual/release-notes/rl-1412.xml
Normal file
167
nixos/doc/manual/release-notes/rl-1412.xml
Normal file
@ -0,0 +1,167 @@
|
||||
<chapter xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
version="5.0"
|
||||
xml:id="sec-release-14.12">
|
||||
|
||||
<title>Release 14.12 (“Caterpillar”, 2014/12/??)</title>
|
||||
|
||||
<para>In addition to numerous new and upgraded packages, this release has the following highlights:
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
<listitem><para>Systemd has been updated to version 217, which has numerous
|
||||
<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements
|
||||
.</link></para></listitem>
|
||||
|
||||
<listitem><para><link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165">
|
||||
Nix has been updated to 1.8.</link></para></listitem>
|
||||
|
||||
<listitem><para>NixOS is now based on Glibc 2.20.</para></listitem>
|
||||
|
||||
<listitem><para>KDE has been updated to 4.14.</para></listitem>
|
||||
|
||||
<listitem><para>The default Linux kernel has been updated to 3.14.</para></listitem>
|
||||
|
||||
<listitem><para><option>users.mutableUsers</option> set to <literal>true</literal> now respect any changes
|
||||
made after initial creation of a user or a group.
|
||||
</para></listitem>
|
||||
|
||||
</itemizedlist></para>
|
||||
|
||||
<para>Following new services were added since the last release:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>parallels-guest</para></listitem>
|
||||
<listitem><para>docker</para></listitem>
|
||||
<listitem><para>lxc</para></listitem>
|
||||
<listitem><para>openvswitch</para></listitem>
|
||||
<listitem><para>fluxbox</para></listitem>
|
||||
<listitem><para>bspwm</para></listitem>
|
||||
<listitem><para>gdm</para></listitem>
|
||||
<listitem><para>fcgiwrap</para></listitem>
|
||||
<listitem><para>peerflix</para></listitem>
|
||||
<listitem><para>fail2ban</para></listitem>
|
||||
<listitem><para>chronos</para></listitem>
|
||||
<listitem><para>znc</para></listitem>
|
||||
<listitem><para>unifi</para></listitem>
|
||||
<listitem><para>teamspeak3</para></listitem>
|
||||
<listitem><para>strongswan</para></listitem>
|
||||
<listitem><para>seeks</para></listitem>
|
||||
<listitem><para>radicale</para></listitem>
|
||||
<listitem><para>prosody</para></listitem>
|
||||
<listitem><para>polipo</para></listitem>
|
||||
<listitem><para>openntpd</para></listitem>
|
||||
<listitem><para>nsd</para></listitem>
|
||||
<listitem><para>mailpile</para></listitem>
|
||||
<listitem><para>i2pd</para></listitem>
|
||||
<listitem><para>dnscrypt-proxy</para></listitem>
|
||||
<listitem><para>consul</para></listitem>
|
||||
<listitem><para>atftpd</para></listitem>
|
||||
<listitem><para>scollector</para></listitem>
|
||||
<listitem><para>collectd</para></listitem>
|
||||
<listitem><para>bosun</para></listitem>
|
||||
<listitem><para>riemann</para></listitem>
|
||||
<listitem><para>zookeeper</para></listitem>
|
||||
<listitem><para>uhub</para></listitem>
|
||||
<listitem><para>siproxd</para></listitem>
|
||||
<listitem><para>redmine</para></listitem>
|
||||
<listitem><para>phd</para></listitem>
|
||||
<listitem><para>mesos</para></listitem>
|
||||
<listitem><para>gitlab</para></listitem>
|
||||
<listitem><para>gitolite</para></listitem>
|
||||
<listitem><para>etcd</para></listitem>
|
||||
<listitem><para>docker-registry</para></listitem>
|
||||
<listitem><para>cpuminer-cryptonight</para></listitem>
|
||||
<listitem><para>thermald</para></listitem>
|
||||
<listitem><para>mlmmj</para></listitem>
|
||||
<listitem><para>tcsd</para></listitem>
|
||||
<listitem><para>gnome3.seahorse</para></listitem>
|
||||
<listitem><para>gnome3.gvfs</para></listitem>
|
||||
<listitem><para>gnome3.gnome-online-miners</para></listitem>
|
||||
<listitem><para>gnome3.gnome-documents</para></listitem>
|
||||
<listitem><para>geoclue2</para></listitem>
|
||||
<listitem><para>opentsdb</para></listitem>
|
||||
<listitem><para>neo4j</para></listitem>
|
||||
<listitem><para>monetdb</para></listitem>
|
||||
<listitem><para>influxdb</para></listitem>
|
||||
<listitem><para>hbase</para></listitem>
|
||||
<listitem><para>torque/mrom</para></listitem>
|
||||
<listitem><para>torque/server</para></listitem>
|
||||
<listitem><para>kubernetes</para></listitem>
|
||||
<listitem><para>fleet</para></listitem>
|
||||
<listitem><para>crashplan</para></listitem>
|
||||
<listitem><para>mopidy</para></listitem>
|
||||
<listitem><para>liquidsoap</para></listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
|
||||
<para>When upgrading from a previous release, please be aware of the
|
||||
following incompatible changes:
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
<listitem><para>The default version of Apache httpd is now 2.4. If
|
||||
you use the <option>extraConfig</option> option to pass literal
|
||||
Apache configuration text, you may need to update it — see <link
|
||||
xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
|
||||
documentation</link> for details. If you wish to continue to use
|
||||
httpd 2.2, add the following line to your NixOS configuration:
|
||||
|
||||
rogramlisting>
|
||||
rvices.httpd.package = pkgs.apacheHttpd_2_2;
|
||||
programlisting>
|
||||
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>PHP 5.3 has been removed because it is no longer
|
||||
supported by the PHP project. A <link
|
||||
xlink:href="http://php.net/migration54">migration guide</link> is
|
||||
available.</para></listitem>
|
||||
|
||||
<listitem><para>The host side of a container virtual Ethernet pair
|
||||
is now called <literal>ve-<replaceable>container-name</replaceable></literal>
|
||||
rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
|
||||
|
||||
<listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
|
||||
|
||||
<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users may be required to run
|
||||
<command>rm -rf /tmp.vbox*</command>. <literal>imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]</literal>
|
||||
is no longer necessary, use <literal>services.virtualboxHost.enable = true</literal> instead.
|
||||
</para>
|
||||
<para>Also, hardening mode is now enabled by default, which means that unless you want to use
|
||||
USB support, you no longer need to be a member of the <literal>vboxusers</literal> group.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>Chromium has been updated to 39.0.2171.65. <option>enablePepperPDF</option> is now enabled by default.
|
||||
<literal>chromium*Wrapper</literal> packages no longer exist, because upstream removed NSAPI support.
|
||||
<literal>chromium-stable</literal> has been renamed to <literal>chromium</literal>.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>Python packaging documentation is now part of nixpkgs manual. To override
|
||||
the python packages available to a custom python you now use <literal>pkgs.pythonFull.buildEnv.override</literal>
|
||||
instead of <literal>pkgs.pythonFull.override</literal>.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para><literal>boot.resumeDevice = "8:6"</literal> is no longer supported. Most users will
|
||||
want to leave it undefined, which takes the swap partitions automatically. There is an evaluation
|
||||
assertion to ensure that the string starts with a slash.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>The system-wide default timezone for NixOS installations
|
||||
changed from <literal>CET</literal> to <literal>UTC</literal>. To choose
|
||||
a different timezone for your system, configure
|
||||
<literal>time.timeZone</literal> in
|
||||
<literal>configuration.nix</literal>. A fairly complete list of possible
|
||||
values for that setting is available at <link
|
||||
xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</para></listitem>
|
||||
|
||||
<listitem><para>GNU screen has been updated to 4.2.1, which breaks
|
||||
the ability to connect to sessions created by older versions of
|
||||
screen.</para></listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
||||
</para>
|
||||
|
||||
</chapter>
|
@ -11,15 +11,16 @@
|
||||
, prefix ? []
|
||||
}:
|
||||
|
||||
let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system; in
|
||||
|
||||
rec {
|
||||
let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system;
|
||||
extraModules = let e = builtins.getEnv "NIXOS_EXTRA_MODULE_PATH";
|
||||
in if e == "" then [] else [(import (builtins.toPath e))];
|
||||
in rec {
|
||||
|
||||
# Merge the option definitions in all modules, forming the full
|
||||
# system configuration.
|
||||
inherit (pkgs.lib.evalModules {
|
||||
inherit prefix;
|
||||
modules = modules ++ baseModules;
|
||||
modules = modules ++ extraModules ++ baseModules;
|
||||
args = extraArgs;
|
||||
check = check && options.environment.checkConfigurationOptions.value;
|
||||
}) config options;
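Review bot: The new `extraModules` binding imports a module into every evaluation from the `NIXOS_EXTRA_MODULE_PATH` environment variable with no comment, no trace and no mention in the manual, so a system built where that variable happens to be set gets configuration that appears nowhere in `configuration.nix`. At minimum document it next to the binding, e.g. `# NIXOS_EXTRA_MODULE_PATH, if set, names one extra module imported into every evaluation; meant for out-of-tree development, keep it unset on production builders.`, and consider a `builtins.trace` when it is non-empty so the injection shows up in the build log. I would also check what `builtins.toPath` does with a relative value, since the variable is used as given.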
|
||||
|
@ -16,6 +16,9 @@
|
||||
# symlink to `object' that will be added to the tarball.
|
||||
storeContents ? []
|
||||
|
||||
# Extra commands to be executed before archiving files
|
||||
, extraCommands ? ""
|
||||
|
||||
# Extra tar arguments
|
||||
, extraArgs ? ""
|
||||
}:
|
||||
@ -25,7 +28,7 @@ stdenv.mkDerivation {
|
||||
builder = ./make-system-tarball.sh;
|
||||
buildInputs = [perl xz];
|
||||
|
||||
inherit fileName pathsFromGraph extraArgs;
|
||||
inherit fileName pathsFromGraph extraArgs extraCommands;
|
||||
|
||||
# !!! should use XML.
|
||||
sources = map (x: x.source) contents;
|
||||
|
@ -33,7 +33,7 @@ for i in $storePaths; do
|
||||
done
|
||||
|
||||
|
||||
# TODO tar ruxo
|
||||
# TODO tar ruxo
|
||||
# Also include a manifest of the closures in a format suitable for
|
||||
# nix-store --load-db.
|
||||
printRegistration=1 perl $pathsFromGraph closure-* > nix-path-registration
|
||||
@ -48,6 +48,8 @@ for ((n = 0; n < ${#objects[*]}; n++)); do
|
||||
fi
|
||||
done
|
||||
|
||||
$extraCommands
|
||||
|
||||
mkdir -p $out/tarball
|
||||
|
||||
tar cvJf $out/tarball/$fileName.tar.xz * $extraArgs
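Review bot: The bare `$extraCommands` line is expanded with word splitting and run as a single command, not as shell code: the first word becomes the command and everything else, including `;`, `&&` and redirections, is passed to it as arguments, so any `extraCommands` value with more than one simple command fails. Run it as the stdenv hooks are, `eval "$extraCommands"`; the same consideration applies to the existing `$extraArgs` on the `tar` line if arguments containing spaces are ever expected. The enclosing script continues outside this hunk.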
|
||||
|
@ -75,7 +75,7 @@ m.run_command("mount {0} /mnt".format(device))
|
||||
m.run_command("touch /mnt/.ebs")
|
||||
m.run_command("mkdir -p /mnt/etc/nixos")
|
||||
|
||||
m.run_command("nix-channel --add http://nixos.org/channels/nixos-{} nixos".format(args.channel))
|
||||
m.run_command("nix-channel --add https://nixos.org/channels/nixos-{} nixos".format(args.channel))
|
||||
m.run_command("nix-channel --update")
|
||||
|
||||
version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip()
|
||||
|
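--- /dev/null
+++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix
@@ -0,0 +1,193 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
+in
+{
+
+options = {
+
+fonts = {
+
+fontconfig = {
+
+ultimate = {
+enable = mkOption {
+type = types.bool;
+default = true;
+description = ''
+Enable fontconfig-ultimate settings (formerly known as
+Infinality). Besides the customizable settings in this NixOS
+module, fontconfig-ultimate also provides many font-specific
+rendering tweaks.
+'';
+};
+
+allowBitmaps = mkOption {
+type = types.bool;
+default = true;
+description = ''
+Allow bitmap fonts. Set to <literal>false</literal> to ban all
+bitmap fonts.
+'';
+};
+
+allowType1 = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Allow Type-1 fonts. Default is <literal>false</literal> because of
+poor rendering.
+'';
+};
+
+useEmbeddedBitmaps = mkOption {
+type = types.bool;
+default = false;
+description = ''Use embedded bitmaps in fonts like Calibri.'';
+};
+
+forceAutohint = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Force use of the TrueType Autohinter. Useful for debugging or
+free-software purists.
+'';
+};
+
+renderMonoTTFAsBitmap = mkOption {
+type = types.bool;
+default = false;
+description = ''Render some monospace TTF fonts as bitmaps.'';
+};
+
+substitutions = mkOption {
+type = types.str // {
+check = flip elem ["none" "free" "combi" "ms"];
+};
+default = "free";
+description = ''
+Font substitutions to replace common Type 1 fonts with nicer
+TrueType fonts. <literal>free</literal> uses free fonts,
+<literal>ms</literal> uses Microsoft fonts,
+<literal>combi</literal> uses a combination, and
+<literal>none</literal> disables the substitutions.
+'';
+};
+
+rendering = mkOption {
+type = types.attrs;
+default = pkgs.fontconfig-ultimate.rendering.ultimate;
+description = ''
+FreeType rendering settings presets. The default is
+<literal>pkgs.fontconfig-ultimate.rendering.ultimate</literal>.
+The other available styles are:
+<literal>ultimate-lighter</literal>,
+<literal>ultimate-darker</literal>,
+<literal>ultimate-lightest</literal>,
+<literal>ultimate-darkest</literal>,
+<literal>default</literal> (the original Infinality default),
+<literal>osx</literal>,
+<literal>ipad</literal>,
+<literal>ubuntu</literal>,
+<literal>linux</literal>,
+<literal>winxplight</literal>,
+<literal>win7light</literal>,
+<literal>winxp</literal>,
+<literal>win7</literal>,
+<literal>vanilla</literal>,
+<literal>classic</literal>,
+<literal>nudge</literal>,
+<literal>push</literal>,
+<literal>shove</literal>,
+<literal>sharpened</literal>,
+<literal>infinality</literal>. Any of the presets may be
+customized by editing the attributes. To disable, set this option
+to the empty attribute set <literal>{}</literal>.
+'';
+};
+};
+};
+};
+
+};
+
+
+config =
+let ultimate = config.fonts.fontconfig.ultimate;
+fontconfigUltimateConf = ''
+<?xml version="1.0"?>
+<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+<fontconfig>
+
+${optionalString (!ultimate.allowBitmaps) ''
+<!-- Reject bitmap fonts -->
+<selectfont>
+<rejectfont>
+<pattern>
+<patelt name="scalable"><bool>false</bool></patelt>
+</pattern>
+</rejectfont>
+</selectfont>
+''}
+
+${optionalString ultimate.allowType1 ''
+<!-- Reject Type 1 fonts -->
+<selectfont>
+<rejectfont>
+<pattern>
+<patelt name="fontformat">
+<string>Type 1</string>
+</patelt>
+</pattern>
+</rejectfont>
+</selectfont>
+''}
+
+<!-- Use embedded bitmaps in fonts like Calibri? -->
+<match target="font">
+<edit name="embeddedbitmap" mode="assign">
+${fcBool ultimate.useEmbeddedBitmaps}
+</edit>
+</match>
+
+<!-- Force autohint always -->
+<match target="font">
+<edit name="force_autohint" mode="assign">
+${fcBool ultimate.forceAutohint}
+</edit>
+</match>
+
+<!-- Render some monospace TTF fonts as bitmaps -->
+<match target="pattern">
+<edit name="bitmap_monospace" mode="assign">
+${fcBool ultimate.renderMonoTTFAsBitmap}
+</edit>
+</match>
+
+${optionalString (ultimate.substitutions != "none") ''
+<!-- Type 1 font substitutions -->
+<include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/presets/${ultimate.substitutions}</include>
+''}
+
+<include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/conf.d</include>
+
+</fontconfig>
+'';
+in mkIf (config.fonts.fontconfig.enable && ultimate.enable) {
+
+environment.etc."fonts/conf.d/52-fontconfig-ultimate.conf" = {
+text = fontconfigUltimateConf;
+};
+
+environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/52-fontconfig-ultimate.conf" = {
+text = fontconfigUltimateConf;
+};
+
+environment.variables = ultimate.rendering;
+
+};
+
+}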
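Review bot: The `allowType1` guard is inverted: `${optionalString ultimate.allowType1 ''` emits the `<!-- Reject Type 1 fonts -->` block when the option is true, so the default `false` actually allows Type 1 fonts and setting it to `true` bans them, the opposite of the option's description. The bitmap block just above uses `optionalString (!ultimate.allowBitmaps)` and behaves as documented; the Type 1 line should read `${optionalString (!ultimate.allowType1) ''`. Separately, `environment.variables = ultimate.rendering;` exports an unchecked `types.attrs` value system-wide, so a comment stating that every attribute must be a string-valued environment variable (as the presets are) would save users who customise it from an opaque evaluation failure.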
@ -8,72 +8,250 @@ with lib;
|
||||
|
||||
fonts = {
|
||||
|
||||
enableFontConfig = mkOption { # !!! should be enableFontconfig
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled, a Fontconfig configuration file will be built
|
||||
pointing to a set of default fonts. If you don't care about
|
||||
running X11 applications or any other program that uses
|
||||
Fontconfig, you can turn this option off and prevent a
|
||||
dependency on all those fonts.
|
||||
'';
|
||||
fontconfig = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled, a Fontconfig configuration file will be built
|
||||
pointing to a set of default fonts. If you don't care about
|
||||
running X11 applications or any other program that uses
|
||||
Fontconfig, you can turn this option off and prevent a
|
||||
dependency on all those fonts.
|
||||
'';
|
||||
};
|
||||
|
||||
antialias = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable font antialiasing.";
|
||||
};
|
||||
|
||||
dpi = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
description = ''
|
||||
Force DPI setting. Setting to <literal>0</literal> disables DPI
|
||||
forcing; the DPI detected for the display will be used.
|
||||
'';
|
||||
};
|
||||
|
||||
defaultFonts = {
|
||||
monospace = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = ["DejaVu Sans Mono"];
|
||||
description = ''
|
||||
System-wide default monospace font(s). Multiple fonts may be
|
||||
listed in case multiple languages must be supported.
|
||||
'';
|
||||
};
|
||||
|
||||
sansSerif = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = ["DejaVu Sans"];
|
||||
description = ''
|
||||
System-wide default sans serif font(s). Multiple fonts may be
|
||||
listed in case multiple languages must be supported.
|
||||
'';
|
||||
};
|
||||
|
||||
serif = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = ["DejaVu Serif"];
|
||||
description = ''
|
||||
System-wide default serif font(s). Multiple fonts may be listed
|
||||
in case multiple languages must be supported.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
hinting = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable TrueType hinting.";
|
||||
};
|
||||
|
||||
autohint = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Enable the autohinter, which provides hinting for otherwise
|
||||
un-hinted fonts. The results are usually lower quality than
|
||||
correctly-hinted fonts.
|
||||
'';
|
||||
};
|
||||
|
||||
style = mkOption {
|
||||
type = types.str // {
|
||||
check = flip elem ["none" "slight" "medium" "full"];
|
||||
};
|
||||
default = "full";
|
||||
description = ''
|
||||
TrueType hinting style, one of <literal>none</literal>,
|
||||
<literal>slight</literal>, <literal>medium</literal>, or
|
||||
<literal>full</literal>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
includeUserConf = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Include the user configuration from
|
||||
<filename>~/.config/fontconfig/fonts.conf</filename> or
|
||||
<filename>~/.config/fontconfig/conf.d</filename>.
|
||||
'';
|
||||
};
|
||||
|
||||
subpixel = {
|
||||
|
||||
rgba = mkOption {
|
||||
type = types.string // {
|
||||
check = flip elem ["rgb" "bgr" "vrgb" "vbgr" "none"];
|
||||
};
|
||||
default = "rgb";
|
||||
description = ''
|
||||
Subpixel order, one of <literal>none</literal>,
|
||||
<literal>rgb</literal>, <literal>bgr</literal>,
|
||||
<literal>vrgb</literal>, or <literal>vbgr</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
lcdfilter = mkOption {
|
||||
type = types.str // {
|
||||
check = flip elem ["none" "default" "light" "legacy"];
|
||||
};
|
||||
default = "default";
|
||||
description = ''
|
||||
FreeType LCD filter, one of <literal>none</literal>,
|
||||
<literal>default</literal>, <literal>light</literal>, or
|
||||
<literal>legacy</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config =
|
||||
let fontconfig = config.fonts.fontconfig;
|
||||
fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
|
||||
nixosConf = ''
|
||||
<?xml version='1.0'?>
|
||||
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
|
||||
<fontconfig>
|
||||
|
||||
config = mkIf config.fonts.enableFontConfig {
|
||||
<!-- Default rendering settings -->
|
||||
<match target="font">
|
||||
<edit mode="assign" name="hinting">
|
||||
${fcBool fontconfig.hinting.enable}
|
||||
</edit>
|
||||
<edit mode="assign" name="autohint">
|
||||
${fcBool fontconfig.hinting.autohint}
|
||||
</edit>
|
||||
<edit mode="assign" name="hintstyle">
|
||||
<const>hint${fontconfig.hinting.style}</const>
|
||||
</edit>
|
||||
<edit mode="assign" name="antialias">
|
||||
${fcBool fontconfig.antialias}
|
||||
</edit>
|
||||
<edit mode="assign" name="rgba">
|
||||
<const>${fontconfig.subpixel.rgba}</const>
|
||||
</edit>
|
||||
<edit mode="assign" name="lcdfilter">
|
||||
<const>lcd${fontconfig.subpixel.lcdfilter}</const>
|
||||
</edit>
|
||||
</match>
|
||||
|
||||
# Fontconfig 2.10 backward compatibility
|
||||
<!-- Default fonts -->
|
||||
${optionalString (fontconfig.defaultFonts.sansSerif != []) ''
|
||||
<alias>
|
||||
<family>sans-serif</family>
|
||||
<prefer>
|
||||
${concatStringsSep "\n"
|
||||
(map (font: "<family>${font}</family>")
|
||||
fontconfig.defaultFonts.sansSerif)}
|
||||
</prefer>
|
||||
</alias>
|
||||
''}
|
||||
${optionalString (fontconfig.defaultFonts.serif != []) ''
|
||||
<alias>
|
||||
<family>serif</family>
|
||||
<prefer>
|
||||
${concatStringsSep "\n"
|
||||
(map (font: "<family>${font}</family>")
|
||||
fontconfig.defaultFonts.serif)}
|
||||
</prefer>
|
||||
</alias>
|
||||
''}
|
||||
${optionalString (fontconfig.defaultFonts.monospace != []) ''
|
||||
<alias>
|
||||
<family>monospace</family>
|
||||
<prefer>
|
||||
${concatStringsSep "\n"
|
||||
(map (font: "<family>${font}</family>")
|
||||
fontconfig.defaultFonts.monospace)}
|
||||
</prefer>
|
||||
</alias>
|
||||
''}
|
||||
|
||||
# Bring in the default (upstream) fontconfig configuration, only for fontconfig 2.10
|
||||
environment.etc."fonts/fonts.conf".source =
|
||||
pkgs.makeFontsConf { fontconfig = pkgs.fontconfig_210; fontDirectories = config.fonts.fonts; };
|
||||
${optionalString (fontconfig.dpi != 0) ''
|
||||
<match target="pattern">
|
||||
<edit name="dpi" mode="assign">
|
||||
<double>${fontconfig.dpi}</double>
|
||||
</edit>
|
||||
</match>
|
||||
''}
|
||||
|
||||
environment.etc."fonts/conf.d/00-nixos.conf".text =
|
||||
''
|
||||
<?xml version='1.0'?>
|
||||
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
|
||||
<fontconfig>
|
||||
</fontconfig>
|
||||
'';
|
||||
in mkIf fontconfig.enable {
|
||||
|
||||
<!-- Set the default hinting style to "slight". -->
|
||||
<match target="font">
|
||||
<edit mode="assign" name="hintstyle">
|
||||
<const>hintslight</const>
|
||||
</edit>
|
||||
</match>
|
||||
# Fontconfig 2.10 backward compatibility
|
||||
|
||||
</fontconfig>
|
||||
'';
|
||||
# Bring in the default (upstream) fontconfig configuration, only for fontconfig 2.10
|
||||
environment.etc."fonts/fonts.conf".source =
|
||||
pkgs.makeFontsConf { fontconfig = pkgs.fontconfig_210; fontDirectories = config.fonts.fonts; };
|
||||
|
||||
# Versioned fontconfig > 2.10. Take shared fonts.conf from fontconfig.
|
||||
# Otherwise specify only font directories.
|
||||
environment.etc."fonts/${pkgs.fontconfig.configVersion}/fonts.conf".source =
|
||||
"${pkgs.fontconfig}/etc/fonts/fonts.conf";
|
||||
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
|
||||
''
|
||||
<?xml version='1.0'?>
|
||||
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
|
||||
<fontconfig>
|
||||
environment.etc."fonts/conf.d/98-nixos.conf".text = nixosConf;
|
||||
|
||||
<!-- Set the default hinting style to "slight". -->
|
||||
<match target="font">
|
||||
<edit mode="assign" name="hintstyle">
|
||||
<const>hintslight</const>
|
||||
</edit>
|
||||
</match>
|
||||
# Versioned fontconfig > 2.10. Take shared fonts.conf from fontconfig.
|
||||
# Otherwise specify only font directories.
|
||||
environment.etc."fonts/${pkgs.fontconfig.configVersion}/fonts.conf".source =
|
||||
"${pkgs.fontconfig}/etc/fonts/fonts.conf";
|
||||
|
||||
<!-- Font directories -->
|
||||
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
|
||||
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
|
||||
''
|
||||
<?xml version='1.0'?>
|
||||
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
|
||||
<fontconfig>
|
||||
<!-- Font directories -->
|
||||
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
|
||||
</fontconfig>
|
||||
'';
|
||||
|
||||
</fontconfig>
|
||||
'';
|
||||
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/98-nixos.conf".text = nixosConf;
|
||||
|
||||
environment.systemPackages = [ pkgs.fontconfig ];
|
||||
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/99-user.conf" = {
|
||||
enable = fontconfig.includeUserConf;
|
||||
text = ''
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
|
||||
<fontconfig>
|
||||
<include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
|
||||
<include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
|
||||
</fontconfig>
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
environment.systemPackages = [ pkgs.fontconfig ];
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
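Review bot: `<double>${fontconfig.dpi}</double>` interpolates an integer (`dpi` is declared `types.int`) straight into a string, which Nix rejects as an unconvertible value, so any configuration that sets a non-zero `fonts.fontconfig.dpi` fails to evaluate; write `<double>${toString fontconfig.dpi}</double>`. Also, `subpixel.rgba` is declared with `types.string` while its siblings (`hinting.style`, `subpixel.lcdfilter`, `substitutions`) use `types.str` with the same `check` override; use `types.str` there for consistency. Old and new lines are interleaved in this rendering, so the exact placement of the `dpi` block within the new `nixosConf` string is inferred.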
@ -25,7 +25,7 @@ with lib;
|
||||
[ pkgs.xorg.fontbhttf
|
||||
pkgs.xorg.fontbhlucidatypewriter100dpi
|
||||
pkgs.xorg.fontbhlucidatypewriter75dpi
|
||||
pkgs.ttf_bitstream_vera
|
||||
pkgs.dejavu_fonts
|
||||
pkgs.freefont_ttf
|
||||
pkgs.liberation_ttf
|
||||
pkgs.xorg.fontbh100dpi
|
||||
|
@ -140,7 +140,7 @@ in
|
||||
'' + optionalString config.services.nscd.enable ''
|
||||
# Invalidate the nscd cache whenever resolv.conf is
|
||||
# regenerated.
|
||||
libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service'
|
||||
libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
|
||||
'' + optionalString cfg.dnsSingleRequest ''
|
||||
# only send one DNS request at a time
|
||||
resolv_conf_options='single-request'
|
||||
|
@ -24,7 +24,7 @@ with lib;
|
||||
programs.ssh.setXAuthLocation = false;
|
||||
security.pam.services.su.forwardXAuth = lib.mkForce false;
|
||||
|
||||
fonts.enableFontConfig = false;
|
||||
fonts.fontconfig.enable = false;
|
||||
|
||||
nixpkgs.config.packageOverrides = pkgs:
|
||||
{ dbus = pkgs.dbus.override { useX11 = false; }; };
|
||||
|
@ -14,10 +14,14 @@ in
|
||||
time = {
|
||||
|
||||
timeZone = mkOption {
|
||||
default = "CET";
|
||||
default = "UTC";
|
||||
type = types.str;
|
||||
example = "America/New_York";
|
||||
description = "The time zone used when displaying times and dates.";
|
||||
description = ''
|
||||
The time zone used when displaying times and dates. See <link
|
||||
xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>
|
||||
for a comprehensive list of possible values for this setting.
|
||||
'';
|
||||
};
|
||||
|
||||
hardwareClockInLocalTime = mkOption {
|
||||
|
@ -16,7 +16,6 @@ let
|
||||
[ p.mesa_drivers
|
||||
p.mesa_noglu # mainly for libGL
|
||||
(if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
|
||||
p.udev
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -80,7 +80,7 @@ had booted this nixos. Run:
|
||||
* `grep local-cmds run/current-system/init`
|
||||
|
||||
Then you can proceed normally subscribing to a nixos channel:
|
||||
nix-channel --add http://nixos.org/channels/nixos-unstable
|
||||
nix-channel --add https://nixos.org/channels/nixos-unstable
|
||||
nix-channel --update
|
||||
|
||||
Testing:
|
||||
|
@ -476,14 +476,6 @@ EOF
|
||||
EOF
|
||||
}
|
||||
|
||||
# Generate a random 32-bit value to use as the host id
|
||||
open my $rnd, "<", "/dev/urandom" or die $!;
|
||||
read $rnd, $hostIdBin, 4;
|
||||
close $rnd;
|
||||
|
||||
# Convert the 32-bit value to a hex string
|
||||
my $hostIdHex = unpack("H*", $hostIdBin);
|
||||
|
||||
write_file($fn, <<EOF);
|
||||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
@ -499,8 +491,7 @@ EOF
|
||||
|
||||
$bootLoaderConfig
|
||||
# networking.hostName = "nixos"; # Define your hostname.
|
||||
networking.hostId = "$hostIdHex";
|
||||
# networking.wireless.enable = true; # Enables wireless.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n = {
|
||||
@ -509,6 +500,9 @@ $bootLoaderConfig
|
||||
# defaultLocale = "en_US.UTF-8";
|
||||
# };
|
||||
|
||||
# Set your time zone.
|
||||
# time.timeZone = "Europe/Amsterdam";
|
||||
|
||||
# List packages installed in system profile. To search by name, run:
|
||||
# \$ nix-env -qaP | grep wget
|
||||
# environment.systemPackages = with pkgs; [
|
||||
|
@ -30,8 +30,7 @@ while [ "$#" -gt 0 ]; do
|
||||
case "$i" in
|
||||
-I)
|
||||
given_path="$1"; shift 1
|
||||
absolute_path=$(readlink -m $given_path)
|
||||
extraBuildFlags+=("$i" "/mnt$absolute_path")
|
||||
extraBuildFlags+=("$i" "$given_path")
|
||||
;;
|
||||
--root)
|
||||
mountPoint="$1"; shift 1
|
||||
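Review bot: `extraBuildFlags+=("$i" "$given_path")` now forwards the `-I` argument verbatim, whereas the removed lines resolved it and prefixed `/mnt`; if these flags are still handed to commands run under `chroot $mountPoint` (later hunks in this file still invoke `chroot $mountPoint ...`), an absolute host path will not resolve inside the chroot. If the evaluation now happens outside the chroot, a comment on the case arm such as `# -I paths are host paths; evaluation runs outside the chroot` would prevent the rewrite from being reintroduced. The `while`/`case` loop continues outside this hunk.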
@ -89,6 +88,12 @@ ln -s /run $mountPoint/var/run
|
||||
rm -f $mountPoint/etc/{resolv.conf,hosts}
|
||||
cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
|
||||
|
||||
if [ -e "$SSL_CERT_FILE" ]; then
|
||||
cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
|
||||
export SSL_CERT_FILE=/tmp/ca-cert.crt
|
||||
# For Nix 1.7
|
||||
export CURL_CA_BUNDLE=/tmp/ca-cert.crt
|
||||
fi
|
||||
|
||||
if [ -n "$runChroot" ]; then
|
||||
if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
|
||||
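Review bot: The CA bundle copied to `$mountPoint/tmp/ca-cert.crt` is never removed, so it remains in the installed system's `/tmp` after the install finishes; it is public data, but the script otherwise leaves nothing of its own in the target. Add `rm -f "$mountPoint/tmp/ca-cert.crt"` once the last chrooted command has run (or register it in a trap), and note beside the `export` lines that `/tmp/ca-cert.crt` is only a valid path for commands invoked via `chroot $mountPoint`, since on the host the exported `SSL_CERT_FILE` no longer points at an existing file.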
@ -244,7 +249,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
|
||||
|
||||
|
||||
# Ask the user to set a root password.
|
||||
if [ -t 0 ] ; then
|
||||
if [ "$(chroot $mountPoint nix-instantiate --eval '<nixos>' -A config.users.mutableUsers)" = true ] && [ -t 0 ] ; then
|
||||
echo "setting root password..."
|
||||
chroot $mountPoint /var/setuid-wrappers/passwd
|
||||
fi
|
||||
|
@ -13,6 +13,7 @@ usage () {
|
||||
|
||||
xml=false
|
||||
verbose=false
|
||||
nixPath=""
|
||||
|
||||
option=""
|
||||
|
||||
@ -26,6 +27,7 @@ for arg; do
|
||||
while test "$sarg" != "-"; do
|
||||
case $sarg in
|
||||
--*) longarg=$arg; sarg="--";;
|
||||
-I) argfun="include_nixpath";;
|
||||
-*) usage;;
|
||||
esac
|
||||
# remove the first letter option
|
||||
@ -53,6 +55,9 @@ for arg; do
|
||||
var=$(echo $argfun | sed 's,^set_,,')
|
||||
eval $var=$arg
|
||||
;;
|
||||
include_nixpath)
|
||||
nixPath="-I $arg $nixPath"
|
||||
;;
|
||||
esac
|
||||
argfun=""
|
||||
fi
|
||||
@ -69,18 +74,114 @@ fi
|
||||
#############################
|
||||
|
||||
evalNix(){
|
||||
nix-instantiate - --eval-only "$@"
|
||||
result=$(nix-instantiate ${nixPath:+$nixPath} - --eval-only "$@" 2>&1)
|
||||
if test $? -eq 0; then
|
||||
cat <<EOF
|
||||
$result
|
||||
EOF
|
||||
return 0;
|
||||
else
|
||||
sed -n '
|
||||
/^error/ { s/, at (string):[0-9]*:[0-9]*//; p; };
|
||||
/^warning: Nix search path/ { p; };
|
||||
' <<EOF
|
||||
$result
|
||||
EOF
|
||||
return 1;
|
||||
fi
|
||||
}
|
||||
|
||||
header="let
|
||||
nixos = import <nixpkgs/nixos> {};
|
||||
nixpkgs = import <nixpkgs> {};
|
||||
in with nixpkgs.lib;
|
||||
"
|
||||
|
||||
# This function is used for converting the option definition path given by
|
||||
# the user into accessors for reaching the definition and the declaration
|
||||
# corresponding to this option.
|
||||
generateAccessors(){
|
||||
if result=$(evalNix --strict --show-trace <<EOF
|
||||
$header
|
||||
|
||||
let
|
||||
path = "${option:+$option}";
|
||||
pathList = splitString "." path;
|
||||
|
||||
walkOptions = attrsNames: result:
|
||||
if attrsNames == [] then
|
||||
result
|
||||
else
|
||||
let name = head attrsNames; rest = tail attrsNames; in
|
||||
if isOption result.options then
|
||||
walkOptions rest {
|
||||
options = result.options.type.getSubOptions "";
|
||||
opt = ''(\${result.opt}.type.getSubOptions "")'';
|
||||
cfg = ''\${result.cfg}."\${name}"'';
|
||||
}
|
||||
else
|
||||
walkOptions rest {
|
||||
options = result.options.\${name};
|
||||
opt = ''\${result.opt}."\${name}"'';
|
||||
cfg = ''\${result.cfg}."\${name}"'';
|
||||
}
|
||||
;
|
||||
|
||||
walkResult = (if path == "" then x: x else walkOptions pathList) {
|
||||
options = nixos.options;
|
||||
opt = ''nixos.options'';
|
||||
cfg = ''nixos.config'';
|
||||
};
|
||||
|
||||
in
|
||||
''let option = \${walkResult.opt}; config = \${walkResult.cfg}; in''
|
||||
EOF
|
||||
)
|
||||
then
|
||||
echo $result
|
||||
else
|
||||
# In case of error we want to ignore the error message roduced by the
|
||||
# script above, as it is iterating over each attribute, which does not
|
||||
# produce a nice error message. The following code is a fallback
|
||||
# solution which is cause a nicer error message in the next
|
||||
# evaluation.
|
||||
echo "\"let option = nixos.options${option:+.$option}; config = nixos.config${option:+.$option}; in\""
|
||||
fi
|
||||
}
|
||||
|
||||
header="$header
|
||||
$(eval echo $(generateAccessors))
|
||||
"
|
||||
|
||||
evalAttr(){
|
||||
local prefix="$1"
|
||||
local strict="$2"
|
||||
local suffix="$3"
|
||||
echo "(import <nixos> {}).$prefix${option:+.$option}${suffix:+.$suffix}" | evalNix ${strict:+--strict}
|
||||
|
||||
# If strict is set, then set it to "true".
|
||||
test -n "$strict" && strict=true
|
||||
|
||||
evalNix ${strict:+--strict} <<EOF
|
||||
$header
|
||||
|
||||
let
|
||||
value = $prefix${suffix:+.$suffix};
|
||||
strict = ${strict:-false};
|
||||
cleanOutput = x: with nixpkgs.lib;
|
||||
if isDerivation x then x.outPath
|
||||
else if isFunction x then "<CODE>"
|
||||
else if strict then
|
||||
if isAttrs x then mapAttrs (n: cleanOutput) x
|
||||
else if isList x then map cleanOutput x
|
||||
else x
|
||||
else x;
|
||||
in
|
||||
cleanOutput value
|
||||
EOF
|
||||
}
|
||||
|
||||
evalOpt(){
|
||||
evalAttr "options" "" "$@"
|
||||
evalAttr "option" "" "$@"
|
||||
}
|
||||
|
||||
evalCfg(){
|
||||
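Review bot: `nixPath` is accumulated as a whitespace-joined string (`nixPath="-I $arg $nixPath"` in the preceding hunk) and expanded unquoted as `${nixPath:+$nixPath}` in `evalNix`, so an `-I` path containing spaces or glob characters is split or expanded before reaching `nix-instantiate`; collecting the flags in an array (`nixPath+=(-I "$arg")` and `"${nixPath[@]}"`) avoids that. `echo $result` in `generateAccessors` is unquoted for the same reason and will collapse whitespace and expand globs in the generated Nix text. The user-supplied `$option` is also spliced verbatim into Nix source (`path = "${option:+$option}";` and the fallback `echo`), so a value containing `"` or `${` yields a confusing parse error instead of the friendlier message the fallback aims for; validating it against the characters an attribute path can contain before use would give a clear diagnostic. `evalCfg` continues past this hunk.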
@ -90,8 +191,11 @@ evalCfg(){
|
||||
|
||||
findSources(){
|
||||
local suffix=$1
|
||||
echo "(import <nixos> {}).options${option:+.$option}.$suffix" |
|
||||
evalNix --strict
|
||||
evalNix --strict <<EOF
|
||||
$header
|
||||
|
||||
option.$suffix
|
||||
EOF
|
||||
}
|
||||
|
||||
# Given a result from nix-instantiate, recover the list of attributes it
|
||||
@ -121,13 +225,12 @@ nixMap() {
|
||||
# the output of nixos-option with other tools such as nixos-gui.
|
||||
if $xml; then
|
||||
evalNix --xml --no-location <<EOF
|
||||
$header
|
||||
|
||||
let
|
||||
reach = attrs: attrs${option:+.$option};
|
||||
nixos = import <nixos> {};
|
||||
nixpkgs = import <nixpkgs> {};
|
||||
sources = builtins.map (f: f.source);
|
||||
opt = reach nixos.options;
|
||||
cfg = reach nixos.config;
|
||||
opt = option;
|
||||
cfg = config;
|
||||
in
|
||||
|
||||
with nixpkgs.lib;
|
||||
|
@ -156,7 +156,7 @@ if [ -n "$buildNix" ]; then
|
||||
exit 1
|
||||
fi
|
||||
if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
|
||||
--option extra-binary-caches http://cache.nixos.org/; then
|
||||
--option extra-binary-caches https://cache.nixos.org/; then
|
||||
echo "warning: don't know how to get latest Nix" >&2
|
||||
fi
|
||||
# Older version of nix-store -r don't support --add-root.
|
||||
|
@ -172,6 +172,8 @@
|
||||
kubernetes = 162;
|
||||
peerflix = 163;
|
||||
chronos = 164;
|
||||
gitlab = 165;
|
||||
tox-bootstrapd = 166;
|
||||
|
||||
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
|
||||
|
||||
@ -212,6 +214,7 @@
|
||||
privoxy = 32;
|
||||
disnix = 33;
|
||||
osgi = 34;
|
||||
tor = 35;
|
||||
ghostOne = 40;
|
||||
git = 41;
|
||||
fourstore = 42;
|
||||
@ -306,6 +309,8 @@
|
||||
scollector = 156;
|
||||
bosun = 157;
|
||||
kubernetes = 158;
|
||||
fleet = 159;
|
||||
gitlab = 160;
|
||||
|
||||
# When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
|
||||
|
||||
|
@ -53,7 +53,7 @@ with lib;
|
||||
mkDefault (if pathExists fn then readFile fn else "master");
|
||||
|
||||
# Note: code names must only increase in alphabetical order.
|
||||
system.nixosCodeName = "Caterpillar";
|
||||
system.nixosCodeName = "Dingo";
|
||||
|
||||
# Generate /etc/os-release. See
|
||||
# http://0pointer.de/public/systemd-man/os-release.html for the
|
||||
|
@ -1,6 +1,7 @@
|
||||
[
|
||||
./config/fonts/corefonts.nix
|
||||
./config/fonts/fontconfig.nix
|
||||
./config/fonts/fontconfig-ultimate.nix
|
||||
./config/fonts/fontdir.nix
|
||||
./config/fonts/fonts.nix
|
||||
./config/fonts/ghostscript.nix
|
||||
@ -101,6 +102,8 @@
|
||||
./services/backup/rsnapshot.nix
|
||||
./services/backup/sitecopy-backup.nix
|
||||
./services/backup/tarsnap.nix
|
||||
./services/cluster/fleet.nix
|
||||
./services/cluster/kubernetes.nix
|
||||
./services/computing/torque/server.nix
|
||||
./services/computing/torque/mom.nix
|
||||
./services/continuous-integration/jenkins/default.nix
|
||||
@ -134,6 +137,7 @@
|
||||
./services/desktops/gnome3/seahorse.nix
|
||||
./services/desktops/gnome3/sushi.nix
|
||||
./services/desktops/gnome3/tracker.nix
|
||||
./services/desktops/profile-sync-daemon.nix
|
||||
./services/desktops/telepathy.nix
|
||||
./services/games/ghost-one.nix
|
||||
./services/games/minecraft-server.nix
|
||||
@ -173,6 +177,7 @@
|
||||
./services/misc/etcd.nix
|
||||
./services/misc/felix.nix
|
||||
./services/misc/folding-at-home.nix
|
||||
./services/misc/gitlab.nix
|
||||
./services/misc/gitolite.nix
|
||||
./services/misc/gpsd.nix
|
||||
./services/misc/mesos-master.nix
|
||||
@ -281,6 +286,7 @@
|
||||
./services/networking/tcpcrypt.nix
|
||||
./services/networking/teamspeak3.nix
|
||||
./services/networking/tftpd.nix
|
||||
./services/networking/tox-bootstrapd.nix
|
||||
./services/networking/unbound.nix
|
||||
./services/networking/unifi.nix
|
||||
./services/networking/vsftpd.nix
|
||||
@ -305,6 +311,7 @@
|
||||
./services/security/torify.nix
|
||||
./services/security/tor.nix
|
||||
./services/security/torsocks.nix
|
||||
./services/system/cloud-init.nix
|
||||
./services/system/dbus.nix
|
||||
./services/system/kerberos.nix
|
||||
./services/system/nscd.nix
|
||||
@ -400,7 +407,6 @@
|
||||
./virtualisation/container-config.nix
|
||||
./virtualisation/containers.nix
|
||||
./virtualisation/docker.nix
|
||||
./virtualisation/kubernetes.nix
|
||||
./virtualisation/libvirtd.nix
|
||||
./virtualisation/lxc.nix
|
||||
#./virtualisation/nova.nix
|
||||
|
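--- /dev/null
+++ b/nixos/modules/profiles/container.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
+
+in {
+# Docker image config.
+imports = [
+../installer/cd-dvd/channel.nix
+./minimal.nix
+./clone-config.nix
+];
+
+# Create the tarball
+system.build.tarball = import ../../lib/make-system-tarball.nix {
+inherit (pkgs) stdenv perl xz pathsFromGraph;
+
+contents = [];
+extraArgs = "--owner=0";
+
+# Add init script to image
+storeContents = [
+{ object = config.system.build.toplevel + "/init";
+symlink = "/init";
+}
+] ++ (pkgs2storeContents [ pkgs.stdenv ]);
+
+# Some container managers like lxc need these
+extraCommands = "mkdir -p proc sys dev";
+};
+
+boot.isContainer = true;
+boot.postBootCommands =
+''
+# After booting, register the contents of the Nix store in the Nix
+# database.
+if [ -f /nix-path-registration ]; then
+${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
+rm /nix-path-registration
+fi
+
+# nixos-rebuild also requires a "system" profile
+${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+'';
+
+# Disable some features that are not useful in a container.
+sound.enable = mkDefault false;
+services.udisks2.enable = mkDefault false;
+
+# Install new init script
+system.activationScripts.installInitScript = ''
+ln -fs $systemConfig/init /init
+'';
+}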
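Review bot: `extraArgs = "--owner=0"` resets the owner of every tarball entry to root but leaves the group as the build user's, so files in the image carry whatever gid the sandbox builder ran with, which generally does not correspond to a group inside the container; `extraArgs = "--owner=0 --group=0";` covers both. `extraCommands = "mkdir -p proc sys dev"` also relies on the tarball script expanding the value as a single command line, so a comment such as `# must stay a single simple command; the builder does not re-parse it` will stop someone from appending a second statement. The `postBootCommands` snippet registers the store from `/nix-path-registration` and then deletes it, which is sound; noting that the file is produced by make-system-tarball.sh would help readers connect the two.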
@ -61,7 +61,8 @@ in
|
||||
|
||||
agentTimeout = mkOption {
|
||||
type = types.nullOr types.string;
|
||||
default = "1h";
|
||||
default = null;
|
||||
example = "1h";
|
||||
description = ''
|
||||
How long to keep the private keys in memory. Use null to keep them forever.
|
||||
'';
|
||||
|
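Review bot: Changing the default from `"1h"` to `null` means the agent now keeps decrypted private keys in memory indefinitely unless the user opts into a timeout, and neither the description nor the hunk records that this is a relaxation of the previous default. Since the option is security-relevant, spell it out in the description, e.g. append `The default keeps keys until the agent exits; set a value such as "1h" to have them dropped.`, so users upgrading can decide whether to set it explicitly. The option's `type = types.nullOr types.string;` predates this change but would be `types.str` in the module's newer idiom.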
@ -3,34 +3,74 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
virtualbox = config.boot.kernelPackages.virtualbox;
|
||||
cfg = config.services.virtualboxHost;
|
||||
virtualbox = config.boot.kernelPackages.virtualbox.override {
|
||||
inherit (cfg) enableHardening;
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
services.virtualboxHost.enable = mkEnableOption "VirtualBox Host support";
|
||||
options.services.virtualboxHost = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable host-side support for VirtualBox.
|
||||
|
||||
<note><para>
|
||||
In order to pass USB devices from the host to the guests, the user
|
||||
needs to be in the <literal>vboxusers</literal> group.
|
||||
</para></note>
|
||||
'';
|
||||
};
|
||||
|
||||
addNetworkInterface = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Automatically set up a vboxnet0 host-only network interface.
|
||||
'';
|
||||
};
|
||||
|
||||
enableHardening = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Enable hardened VirtualBox, which ensures that only the binaries in the
|
||||
system path get access to the devices exposed by the kernel modules
|
||||
instead of all users in the vboxusers group.
|
||||
|
||||
<important><para>
|
||||
Disabling this can put your system's security at risk, as local users
|
||||
in the vboxusers group can tamper with the VirtualBox device files.
|
||||
</para></important>
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf config.services.virtualboxHost.enable {
|
||||
config = mkIf cfg.enable (mkMerge [{
|
||||
boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
|
||||
boot.extraModulePackages = [ virtualbox ];
|
||||
environment.systemPackages = [ virtualbox ];
|
||||
|
||||
security.setuidOwners = let
|
||||
mkVboxStub = program: {
|
||||
mkSuid = program: {
|
||||
inherit program;
|
||||
source = "${virtualbox}/libexec/virtualbox/${program}";
|
||||
owner = "root";
|
||||
group = "vboxusers";
|
||||
setuid = true;
|
||||
};
|
||||
in map mkVboxStub [
|
||||
"VBoxBFE"
|
||||
"VBoxBalloonCtrl"
|
||||
in mkIf cfg.enableHardening (map mkSuid [
|
||||
"VBoxHeadless"
|
||||
"VBoxManage"
|
||||
"VBoxNetAdpCtl"
|
||||
"VBoxNetDHCP"
|
||||
"VBoxNetNAT"
|
||||
"VBoxSDL"
|
||||
"VBoxVolInfo"
|
||||
"VirtualBox"
|
||||
];
|
||||
]);
|
||||
|
||||
users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
|
||||
|
||||
@ -46,7 +86,7 @@ in
|
||||
'';
|
||||
|
||||
# Since we lack the right setuid binaries, set up a host-only network by default.
|
||||
|
||||
} (mkIf cfg.addNetworkInterface {
|
||||
systemd.services."vboxnet0" =
|
||||
{ description = "VirtualBox vboxnet0 Interface";
|
||||
requires = [ "dev-vboxnetctl.device" ];
|
||||
@ -55,10 +95,13 @@ in
|
||||
path = [ virtualbox ];
|
||||
serviceConfig.RemainAfterExit = true;
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.PrivateTmp = true;
|
||||
environment.VBOX_USER_HOME = "/tmp";
|
||||
script =
|
||||
''
|
||||
if ! [ -e /sys/class/net/vboxnet0 ]; then
|
||||
VBoxManage hostonlyif create
|
||||
cat /tmp/VBoxSVC.log >&2
|
||||
fi
|
||||
'';
|
||||
postStop =
|
||||
@ -68,5 +111,5 @@ in
|
||||
};
|
||||
|
||||
networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
|
||||
};
|
||||
})]);
|
||||
}
|
||||
|
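Review bot: In the vboxnet0 unit script, `cat /tmp/VBoxSVC.log >&2` runs unconditionally after `VBoxManage hostonlyif create`; if VBoxSVC did not write that file (the new `VBOX_USER_HOME = "/tmp"` under `PrivateTmp = true` is what routes it there), `cat` exits non-zero and, if the script runs under `set -e` as NixOS unit scripts normally do, the unit fails even though the interface was created. Make the log dump best-effort with `cat /tmp/VBoxSVC.log >&2 || true`, or print it only when the create command itself fails. The `enableHardening` option gates the setuid wrappers through `mkIf cfg.enableHardening`, and the `<important>` note already explains the risk of turning it off, so that part reads as intended. The vboxnet0 service definition continues outside the hunk.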
@ -74,6 +74,7 @@ in zipModules ([]
|
||||
++ obsolete [ "environment" "x11Packages" ] [ "environment" "systemPackages" ]
|
||||
++ obsolete [ "environment" "enableBashCompletion" ] [ "programs" "bash" "enableCompletion" ]
|
||||
++ obsolete [ "environment" "nix" ] [ "nix" "package" ]
|
||||
++ obsolete [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ]
|
||||
++ obsolete [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]
|
||||
|
||||
++ obsolete [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]
|
||||
|
@ -64,7 +64,7 @@ in
|
||||
security.sudo.configFile =
|
||||
''
|
||||
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
||||
# and security.sudo.extraConfig instead.
|
||||
# or ‘security.sudo.extraConfig’ instead.
|
||||
|
||||
# Environment variables to keep for root and %wheel.
|
||||
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
|
||||
@ -90,11 +90,10 @@ in
|
||||
environment.etc = singleton
|
||||
{ source =
|
||||
pkgs.runCommand "sudoers"
|
||||
{src = pkgs.writeText "sudoers-in" cfg.configFile; }
|
||||
{ src = pkgs.writeText "sudoers-in" cfg.configFile; }
|
||||
# Make sure that the sudoers file is syntactically valid.
|
||||
# (currently disabled - NIXOS-66)
|
||||
"${pkgs.sudo}/sbin/visudo -f $src -c &&
|
||||
cp $src $out";
|
||||
"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
||||
target = "sudoers";
|
||||
mode = "0440";
|
||||
};
|
||||
|
@ -15,7 +15,6 @@ let
|
||||
state_file "${cfg.dataDir}/state"
|
||||
sticker_file "${cfg.dataDir}/sticker.sql"
|
||||
log_file "syslog"
|
||||
user "mpd"
|
||||
${if cfg.network.host != "any" then
|
||||
"bind_to_address ${cfg.network.host}" else ""}
|
||||
${if cfg.network.port != 6600 then
|
||||
@ -99,6 +98,9 @@ in {
|
||||
path = [ pkgs.mpd ];
|
||||
preStart = "mkdir -p ${cfg.dataDir} && chown -R mpd:mpd ${cfg.dataDir}";
|
||||
script = "exec mpd --no-daemon ${mpdConf}";
|
||||
serviceConfig = {
|
||||
User = "mpd";
|
||||
};
|
||||
};
|
||||
|
||||
users.extraUsers.mpd = {
|
||||
|
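Review bot: With `User = "mpd"` added to `serviceConfig`, the `preStart = "mkdir -p ${cfg.dataDir} && chown -R mpd:mpd ${cfg.dataDir}"` shown above now also runs as the mpd user, so on a fresh system `mkdir -p` fails when the parent of `dataDir` is not writable by mpd, and `chown -R` cannot take ownership of files mpd does not already own; add `PermissionsStartOnly = true;` next to `User = "mpd";` so only the main process is dropped to mpd, or move the directory setup into a root-run activation script. Dropping `user "mpd"` from the generated config is consistent with the unit itself running unprivileged, but the `mpdConf` definition that hunk edits starts outside the hunk.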
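--- a/nixos/modules/services/cluster/fleet.nix
+++ b/nixos/modules/services/cluster/fleet.nix
@@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.fleet;
+
+in {
+
+##### Interface
+options.services.fleet = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to enable fleet service.
+'';
+};
+
+listen = mkOption {
+type = types.listOf types.str;
+default = [ "/var/run/fleet.sock" ];
+example = [ "/var/run/fleet.sock" "127.0.0.1:49153" ];
+description = ''
+Fleet listening addresses.
+'';
+};
+
+etcdServers = mkOption {
+type = types.listOf types.str;
+default = [ "http://127.0.0.1:4001" ];
+description = ''
+Fleet list of etcd endpoints to use.
+'';
+};
+
+publicIp = mkOption {
+type = types.nullOr types.str;
+default = "";
+description = ''
+Fleet IP address that should be published with the local Machine's
+state and any socket information. If not set, fleetd will attempt
+to detect the IP it should publish based on the machine's IP
+routing information.
+'';
+};
+
+etcdCafile = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = ''
+Fleet TLS ca file when SSL certificate authentication is enabled
+in etcd endpoints.
+'';
+};
+
+etcdKeyfile = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = ''
+Fleet TLS key file when SSL certificate authentication is enabled
+in etcd endpoints.
+'';
+};
+
+etcdCertfile = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = ''
+Fleet TLS cert file when SSL certificate authentication is enabled
+in etcd endpoints.
+'';
+};
+
+metadata = mkOption {
+type = types.attrsOf types.str;
+default = {};
+apply = attrs: concatMapStringsSep "," (n: "${n}=${attrs."${n}"}") (attrNames attrs);
+example = literalExample ''
+{
+region = "us-west";
+az = "us-west-1";
+}
+'';
+description = ''
+Key/value pairs that are published with the local to the fleet registry.
+This data can be used directly by a client of fleet to make scheduling decisions.
+'';
+};
+
+extraConfig = mkOption {
+type = types.attrsOf types.str;
+apply = mapAttrs' (n: v: nameValuePair ("ETCD_" + n) v);
+default = {};
+example = literalExample ''
+{
+VERBOSITY = 1;
+ETCD_REQUEST_TIMEOUT = "2.0";
+AGENT_TTL = "40s";
+}
+'';
+description = ''
+Fleet extra config. See
+<link xlink:href="https://github.com/coreos/fleet/blob/master/Documentation/deployment-and-configuration.md"/>
+for configuration options.
+'';
+};
+
+};
+
+##### Implementation
+config = mkIf cfg.enable {
+systemd.services.fleet = {
+description = "Fleet Init System Daemon";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" "fleet.socket" "etcd.service" "docker.service" ];
+requires = [ "fleet.socket" ];
+environment = {
+FLEET_ETCD_SERVERS = concatStringsSep "," cfg.etcdServers;
+FLEET_PUBLIC_IP = cfg.publicIp;
+FLEET_ETCD_CAFILE = cfg.etcdCafile;
+FLEET_ETCD_KEYFILE = cfg.etcdKeyfile;
+FEELT_ETCD_CERTFILE = cfg.etcdCertfile;
+FLEET_METADATA = cfg.metadata;
+} // cfg.extraConfig;
+serviceConfig = {
+ExecStart = "${pkgs.fleet}/bin/fleetd";
+Group = "fleet";
+};
+};
+
+systemd.sockets.fleet = {
+description = "Fleet Socket for the API";
+wantedBy = [ "sockets.target" ];
+listenStreams = cfg.listen;
+socketConfig = {
+ListenStream = "/var/run/fleet.sock";
+SocketMode = "0660";
+SocketUser = "root";
+SocketGroup = "fleet";
+};
+};
+
+services.etcd.enable = mkDefault true;
+virtualisation.docker.enable = mkDefault true;
+
+environment.systemPackages = [ pkgs.fleet ];
+users.extraGroups.fleet.gid = config.ids.gids.fleet;
+};
+}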
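Review bot: The service environment sets `FEELT_ETCD_CERTFILE` instead of `FLEET_ETCD_CERTFILE`, so the `etcdCertfile` option is never handed to fleetd and client-certificate authentication to etcd silently does not take effect even when a certificate is configured; change it to `FLEET_ETCD_CERTFILE = cfg.etcdCertfile;`. The `apply` on `extraConfig` prefixes every key with `ETCD_`, which turns the documented example `ETCD_REQUEST_TIMEOUT` into `ETCD_ETCD_REQUEST_TIMEOUT`; given the other variable names, `FLEET_` looks like the intended prefix. The three TLS file options default to `null` but are placed directly into `environment`; unless the service environment type drops nulls, they should be added with `optionalAttrs (cfg.etcdCafile != null) { FLEET_ETCD_CAFILE = cfg.etcdCafile; }` and likewise for the key and cert. `publicIp` is typed `nullOr str` yet defaults to `""`, so the "if not set" case in its description is the empty string rather than null; pick one and document it.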
@ -3,13 +3,13 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.virtualisation.kubernetes;
|
||||
cfg = config.services.kubernetes;
|
||||
|
||||
in {
|
||||
|
||||
###### interface
|
||||
|
||||
options.virtualisation.kubernetes = {
|
||||
options.services.kubernetes = {
|
||||
package = mkOption {
|
||||
description = "Kubernetes package to use.";
|
||||
type = types.package;
|
||||
@ -420,15 +420,15 @@ in {
|
||||
})
|
||||
|
||||
(mkIf (any (el: el == "master") cfg.roles) {
|
||||
virtualisation.kubernetes.apiserver.enable = mkDefault true;
|
||||
virtualisation.kubernetes.scheduler.enable = mkDefault true;
|
||||
virtualisation.kubernetes.controllerManager.enable = mkDefault true;
|
||||
services.kubernetes.apiserver.enable = mkDefault true;
|
||||
services.kubernetes.scheduler.enable = mkDefault true;
|
||||
services.kubernetes.controllerManager.enable = mkDefault true;
|
||||
})
|
||||
|
||||
(mkIf (any (el: el == "node") cfg.roles) {
|
||||
virtualisation.docker.enable = mkDefault true;
|
||||
virtualisation.kubernetes.kubelet.enable = mkDefault true;
|
||||
virtualisation.kubernetes.proxy.enable = mkDefault true;
|
||||
services.kubernetes.kubelet.enable = mkDefault true;
|
||||
services.kubernetes.proxy.enable = mkDefault true;
|
||||
})
|
||||
|
||||
(mkIf (any (el: el == "node" || el == "master") cfg.roles) {
|
||||
@ -442,7 +442,7 @@ in {
|
||||
cfg.kubelet.enable ||
|
||||
cfg.proxy.enable
|
||||
) {
|
||||
virtualisation.kubernetes.package = mkDefault pkgs.kubernetes;
|
||||
services.kubernetes.package = mkDefault pkgs.kubernetes;
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
@ -1,6 +1,6 @@
|
||||
# gvfs backends
|
||||
|
||||
{ config, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
@ -37,6 +37,8 @@ in
|
||||
|
||||
services.dbus.packages = [ gnome3.gvfs ];
|
||||
|
||||
services.udev.packages = [ pkgs.libmtp ];
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
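--- a/nixos/modules/services/desktops/profile-sync-daemon.nix
+++ b/nixos/modules/services/desktops/profile-sync-daemon.nix
@@ -0,0 +1,139 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+cfg = config.services.psd;
+
+configFile = ''
+${optionalString (cfg.users != [ ]) ''
+USERS="${concatStringsSep " " cfg.users}"
+''}
+
+${optionalString (cfg.browsers != [ ]) ''
+BROWSERS="${concatStringsSep " " cfg.browsers}"
+''}
+
+${optionalString (cfg.volatile != "") "VOLATILE=${cfg.volatile}"}
+${optionalString (cfg.daemonFile != "") "DAEMON_FILE=${cfg.daemonFile}"}
+'';
+
+in {
+
+options.services.psd = with types; {
+enable = mkOption {
+type = bool;
+default = false;
+description = ''
+Whether to enable the Profile Sync daemon.
+'';
+};
+
+users = mkOption {
+type = listOf str;
+default = [ ];
+example = [ "demo" ];
+description = ''
+A list of users whose browser profiles should be sync'd to tmpfs.
+'';
+};
+
+browsers = mkOption {
+type = listOf str;
+default = [ ];
+example = [ "chromium" "firefox" ];
+description = ''
+A list of browsers to sync. Available choices are:
+
+chromium chromium-dev conkeror.mozdev.org epiphany firefox
+firefox-trunk google-chrome google-chrome-beta google-chrome-unstable
+heftig-aurora icecat luakit midori opera opera-developer opera-beta
+qupzilla palemoon rekonq seamonkey
+
+An empty list will enable all browsers.
+'';
+};
+
+resyncTimer = mkOption {
+type = str;
+default = "1h";
+example = "1h 30min";
+description = ''
+The amount of time to wait before syncing browser profiles back to the
+disk.
+
+Takes a systemd.unit time span. The time unit defaults to seconds if
+omitted.
+'';
+};
+
+volatile = mkOption {
+type = str;
+default = "/run/psd-profiles";
+description = ''
+The directory where browser profiles should reside(this should be
+mounted as a tmpfs). Do not include a trailing backslash.
+'';
+};
+
+daemonFile = mkOption {
+type = str;
+default = "/run/psd";
+description = ''
+Where the pid and backup configuration files will be stored.
+'';
+};
+};
+
+config = mkIf cfg.enable {
+systemd = {
+services = {
+psd = {
+description = "Profile Sync daemon";
+wants = [ "psd-resync.service" "local-fs.target" ];
+wantedBy = [ "multi-user.target" ];
+preStart = "mkdir -p ${cfg.volatile}";
+
+path = with pkgs; [ glibc rsync gawk ];
+
+unitConfig = {
+RequiresMountsFor = [ "/home/" ];
+};
+
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = "yes";
+ExecStart = "${pkgs.profile-sync-daemon}/bin/profile-sync-daemon sync";
+ExecStop = "${pkgs.profile-sync-daemon}/bin/profile-sync-daemon unsync";
+};
+};
+
+psd-resync = {
+description = "Timed profile resync";
+after = [ "psd.service" ];
+wants = [ "psd-resync.timer" ];
+partOf = [ "psd.service" ];
+
+path = with pkgs; [ glibc rsync gawk ];
+
+serviceConfig = {
+Type = "oneshot";
+ExecStart = "${pkgs.profile-sync-daemon}/bin/profile-sync-daemon resync";
+};
+};
+};
+
+timers.psd-resync = {
+description = "Timer for profile sync daemon - ${cfg.resyncTimer}";
+partOf = [ "psd-resync.service" "psd.service" ];
+
+timerConfig = {
+OnUnitActiveSec = "${cfg.resyncTimer}";
+};
+};
+};
+
+environment.etc."psd.conf".text = configFile;
+
+};
+}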
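Review bot: The `volatile` option text says "Do not include a trailing backslash" where a trailing slash is meant, since the value is used as a directory prefix; change it to `Do not include a trailing slash.`. The same value is interpolated unquoted both into `preStart = "mkdir -p ${cfg.volatile}";` and into the generated `psd.conf` as `VOLATILE=${cfg.volatile}` (and `DAEMON_FILE=${cfg.daemonFile}`), so a path containing spaces or shell metacharacters breaks the unit and the config differently; quoting them as `mkdir -p "${cfg.volatile}"` and `VOLATILE="${cfg.volatile}"` keeps them consistent with how `USERS` and `BROWSERS` are already written. The `psd-resync` timer has no `wantedBy`, so it is only pulled in through the `wants` of `psd-resync.service`; if that is intended, a one-line comment on the timer saying so would save the next reader the trace.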
@ -88,7 +88,7 @@ let
|
||||
done
|
||||
|
||||
${optionalString config.networking.usePredictableInterfaceNames ''
|
||||
cp ${./80-net-name-slot.rules} $out/80-net-name-slot.rules
|
||||
cp ${./80-net-setup-link.rules} $out/80-net-setup-link.rules
|
||||
''}
|
||||
|
||||
# If auto-configuration is disabled, then remove
|
||||
|
@ -84,7 +84,7 @@ in
|
||||
startOn = "started network-interfaces";
|
||||
stopOn = "stopping network-interfaces";
|
||||
|
||||
path = [ pkgs.nfsUtils pkgs.sshfsFuse ];
|
||||
path = [ pkgs.nfs-utils pkgs.sshfsFuse ];
|
||||
|
||||
preStop =
|
||||
''
|
||||
|
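--- a/nixos/modules/services/misc/defaultUnicornConfig.rb
+++ b/nixos/modules/services/misc/defaultUnicornConfig.rb
@@ -0,0 +1,206 @@
+# The following was taken from github.com/crohr/syslogger and is BSD
+# licensed.
+require 'syslog'
+require 'logger'
+require 'thread'
+
+class Syslogger
+
+VERSION = "1.6.0"
+
+attr_reader :level, :ident, :options, :facility, :max_octets
+attr_accessor :formatter
+
+MAPPING = {
+Logger::DEBUG => Syslog::LOG_DEBUG,
+Logger::INFO => Syslog::LOG_INFO,
+Logger::WARN => Syslog::LOG_WARNING,
+Logger::ERROR => Syslog::LOG_ERR,
+Logger::FATAL => Syslog::LOG_CRIT,
+Logger::UNKNOWN => Syslog::LOG_ALERT
+}
+
+#
+# Initializes default options for the logger
+# <tt>ident</tt>:: the name of your program [default=$0].
+# <tt>options</tt>:: syslog options [default=<tt>Syslog::LOG_PID | Syslog::LOG_CONS</tt>].
+# Correct values are:
+# LOG_CONS : writes the message on the console if an error occurs when sending the message;
+# LOG_NDELAY : no delay before sending the message;
+# LOG_PERROR : messages will also be written on STDERR;
+# LOG_PID : adds the process number to the message (just after the program name)
+# <tt>facility</tt>:: the syslog facility [default=nil] Correct values include:
+# Syslog::LOG_DAEMON
+# Syslog::LOG_USER
+# Syslog::LOG_SYSLOG
+# Syslog::LOG_LOCAL2
+# Syslog::LOG_NEWS
+# etc.
+#
+# Usage:
+# logger = Syslogger.new("my_app", Syslog::LOG_PID | Syslog::LOG_CONS, Syslog::LOG_LOCAL0)
+# logger.level = Logger::INFO # use Logger levels
+# logger.warn "warning message"
+# logger.debug "debug message"
+#
+def initialize(ident = $0, options = Syslog::LOG_PID | Syslog::LOG_CONS, facility = nil)
+@ident = ident
+@options = options || (Syslog::LOG_PID | Syslog::LOG_CONS)
+@facility = facility
+@level = Logger::INFO
+@mutex = Mutex.new
+@formatter = Logger::Formatter.new
+end
+
+%w{debug info warn error fatal unknown}.each do |logger_method|
+# Accepting *args as message could be nil.
+# Default params not supported in ruby 1.8.7
+define_method logger_method.to_sym do |*args, &block|
+return true if @level > Logger.const_get(logger_method.upcase)
+message = args.first || block && block.call
+add(Logger.const_get(logger_method.upcase), message)
+end
+
+unless logger_method == 'unknown'
+define_method "#{logger_method}?".to_sym do
+@level <= Logger.const_get(logger_method.upcase)
+end
+end
+end
+
+# Log a message at the Logger::INFO level. Useful for use with Rack::CommonLogger
+def write(msg)
+add(Logger::INFO, msg)
+end
+
+# Logs a message at the Logger::INFO level.
+def <<(msg)
+add(Logger::INFO, msg)
+end
+
+# Low level method to add a message.
+# +severity+:: the level of the message. One of Logger::DEBUG, Logger::INFO, Logger::WARN, Logger::ERROR, Logger::FATAL, Logger::UNKNOWN
+# +message+:: the message string.
+# If nil, the method will call the block and use the result as the message string.
+# If both are nil or no block is given, it will use the progname as per the behaviour of both the standard Ruby logger, and the Rails BufferedLogger.
+# +progname+:: optionally, overwrite the program name that appears in the log message.
+def add(severity, message = nil, progname = nil, &block)
+if message.nil? && block.nil? && !progname.nil?
+message, progname = progname, nil
+end
+progname ||= @ident
+
+@mutex.synchronize do
+Syslog.open(progname, @options, @facility) do |s|
+s.mask = Syslog::LOG_UPTO(MAPPING[@level])
+communication = clean(message || block && block.call)
+if self.max_octets
+buffer = "#{tags_text}"
+communication.bytes do |byte|
+buffer.concat(byte)
+# if the last byte we added is potentially part of an escape, we'll go ahead and add another byte
+if buffer.bytesize >= self.max_octets && !['%'.ord,'\\'.ord].include?(byte)
+s.log(MAPPING[severity],buffer)
+buffer = ""
+end
+end
+s.log(MAPPING[severity],buffer) unless buffer.empty?
+else
+s.log(MAPPING[severity],"#{tags_text}#{communication}")
+end
+end
+end
+end
+
+# Set the max octets of the messages written to the log
+def max_octets=(max_octets)
+@max_octets = max_octets
+end
+
+# Sets the minimum level for messages to be written in the log.
+# +level+:: one of <tt>Logger::DEBUG</tt>, <tt>Logger::INFO</tt>, <tt>Logger::WARN</tt>, <tt>Logger::ERROR</tt>, <tt>Logger::FATAL</tt>, <tt>Logger::UNKNOWN</tt>
+def level=(level)
+level = Logger.const_get(level.to_s.upcase) if level.is_a?(Symbol)
+
+unless level.is_a?(Fixnum)
+raise ArgumentError.new("Invalid logger level `#{level.inspect}`")
+end
+
+@level = level
+end
+
+# Sets the ident string passed along to Syslog
+def ident=(ident)
+@ident = ident
+end
+
+# Tagging code borrowed from ActiveSupport gem
+def tagged(*tags)
+new_tags = push_tags(*tags)
+yield self
+ensure
+pop_tags(new_tags.size)
+end
+
+def push_tags(*tags)
+tags.flatten.reject{ |i| i.respond_to?(:empty?) ? i.empty? : !i }.tap do |new_tags|
+current_tags.concat new_tags
+end
+end
+
+def pop_tags(size = 1)
+current_tags.pop size
+end
+
+def clear_tags!
+current_tags.clear
+end
+
+protected
+
+# Borrowed from SyslogLogger.
+def clean(message)
+message = message.to_s.dup
+message.strip! # remove whitespace
+message.gsub!(/\n/, '\\n') # escape newlines
+message.gsub!(/%/, '%%') # syslog(3) freaks on % (printf)
+message.gsub!(/\e\[[^m]*m/, '') # remove useless ansi color codes
+message
+end
+
+private
+
+def tags_text
+tags = current_tags
+if tags.any?
+tags.collect { |tag| "[#{tag}] " }.join
+end
+end
+
+def current_tags
+Thread.current[:syslogger_tagged_logging_tags] ||= []
+end
+end
+
+worker_processes 2
+working_directory ENV["GITLAB_PATH"]
+pid ENV["UNICORN_PATH"] + "/tmp/pids/unicorn.pid"
+
+listen ENV["UNICORN_PATH"] + "/tmp/sockets/gitlab.socket", :backlog => 1024
+listen "127.0.0.1:8080", :tcp_nopush => true
+
+timeout 60
+
+logger Syslogger.new
+
+preload_app true
+
+GC.respond_to?(:copy_on_write_friendly=) and
+GC.copy_on_write_friendly = true
+
+check_client_connection false
+
+after_fork do |server, worker|
+defined?(ActiveRecord::Base) and
+ActiveRecord::Base.establish_connection
+end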
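Review bot: `listen "127.0.0.1:8080", :tcp_nopush => true` hard-codes the TCP port, while the gitlab module in this same commit exposes `services.gitlab.port` and exports it to this process as `GITLAB_PORT`, so changing that option leaves unicorn on 8080 and the `gitlab_url` written into gitlab-shell's config pointing at a port nothing listens on; use `listen "127.0.0.1:#{ENV.fetch("GITLAB_PORT", "8080")}", :tcp_nopush => true`, which matches how the neighbouring `working_directory` and `pid` lines already read their paths from the environment. `level=` rejects any value that is not a `Fixnum`, a class that newer Rubies fold into `Integer`; `level.is_a?(Integer)` is correct on every Ruby version since `Fixnum` was always an `Integer` subclass. The vendored Syslogger is copied verbatim, but only the upstream gem name is recorded; adding the upstream commit or release it was taken from to the header comment would make later security updates of this copy auditable.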
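--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -0,0 +1,295 @@
+{ config, lib, pkgs, ... }:
+
+# TODO: support non-postgresql
+
+with lib;
+
+let
+cfg = config.services.gitlab;
+
+ruby = pkgs.ruby;
+rubyLibs = pkgs.rubyLibs;
+
+databaseYml = ''
+production:
+adapter: postgresql
+database: ${cfg.databaseName}
+host: ${cfg.databaseHost}
+password: ${cfg.databasePassword}
+username: ${cfg.databaseUsername}
+encoding: utf8
+'';
+gitlabShellYml = ''
+user: gitlab
+gitlab_url: "http://${cfg.host}:${toString cfg.port}/"
+http_settings:
+self_signed_cert: false
+repos_path: "${cfg.stateDir}/repositories"
+log_file: "${cfg.stateDir}/log/gitlab-shell.log"
+redis:
+bin: ${pkgs.redis}/bin/redis-cli
+host: 127.0.0.1
+port: 6379
+database: 0
+namespace: resque:gitlab
+'';
+
+unicornConfig = builtins.readFile ./defaultUnicornConfig.rb;
+
+gitlab-runner = pkgs.stdenv.mkDerivation rec {
+name = "gitlab-runner";
+buildInputs = [ pkgs.gitlab pkgs.rubyLibs.bundler pkgs.makeWrapper ];
+phases = "installPhase fixupPhase";
+buildPhase = "";
+installPhase = ''
+mkdir -p $out/bin
+makeWrapper ${rubyLibs.bundler}/bin/bundle $out/bin/gitlab-runner\
+--set RAKEOPT '"-f ${pkgs.gitlab}/share/gitlab/Rakefile"'\
+--set UNICORN_PATH "${cfg.stateDir}/"\
+--set GITLAB_PATH "${pkgs.gitlab}/share/gitlab/"\
+--set GITLAB_APPLICATION_LOG_PATH "${cfg.stateDir}/log/application.log"\
+--set GITLAB_SATELLITES_PATH "${cfg.stateDir}/satellites"\
+--set GITLAB_SHELL_PATH "${pkgs.gitlab-shell}"\
+--set GITLAB_REPOSITORIES_PATH "${cfg.stateDir}/repositories"\
+--set GITLAB_SHELL_HOOKS_PATH "${cfg.stateDir}/shell/hooks"\
+--set BUNDLE_GEMFILE "${pkgs.gitlab}/share/gitlab/Gemfile"\
+--set GITLAB_EMAIL_FROM "${cfg.emailFrom}"\
+--set GITLAB_SHELL_CONFIG_PATH "${cfg.stateDir}/shell/config.yml"\
+--set GITLAB_SHELL_SECRET_PATH "${cfg.stateDir}/config/gitlab_shell_secret"\
+--set GITLAB_HOST "${cfg.host}"\
+--set GITLAB_PORT "${toString cfg.port}"\
+--set GITLAB_BACKUP_PATH"${cfg.backupPath}"\
+--set RAILS_ENV "production"
+'';
+};
+
+in {
+
+options = {
+services.gitlab = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Enable the gitlab service.
+'';
+};
+
+satelliteDir = mkOption {
+type = types.str;
+default = "/var/gitlab/git-satellites";
+description = "Gitlab directory to store checked out git trees requires for operation.";
+};
+
+stateDir = mkOption {
+type = types.str;
+default = "/var/gitlab/state";
+description = "Gitlab state directory, logs are stored here.";
+};
+
+backupPath = mkOption {
+type = types.str;
+default = cfg.stateDir + "/backup";
+description = "Gitlab path for backups.";
+};
+
+databaseHost = mkOption {
+type = types.str;
+default = "127.0.0.1";
+description = "Gitlab database hostname.";
+};
+
+databasePassword = mkOption {
+type = types.str;
+default = "";
+description = "Gitlab database user password.";
+};
+
+databaseName = mkOption {
+type = types.str;
+default = "gitlab";
+description = "Gitlab database name.";
+};
+
+databaseUsername = mkOption {
+type = types.str;
+default = "gitlab";
+description = "Gitlab database user.";
+};
+
+emailFrom = mkOption {
+type = types.str;
+default = "example@example.org";
+description = "The source address for emails sent by gitlab.";
+};
+
+host = mkOption {
+type = types.str;
+default = config.networking.hostName;
+description = "Gitlab host name. Used e.g. for copy-paste URLs.";
+};
+
+port = mkOption {
+type = types.int;
+default = 8080;
+description = "Gitlab server listening port.";
+};
+};
+};
+
+config = mkIf cfg.enable {
+
+environment.systemPackages = [ gitlab-runner pkgs.gitlab-shell ];
+
+assertions = [
+{ assertion = cfg.databasePassword != "";
+message = "databasePassword must be set";
+}
+];
+
+# Redis is required for the sidekiq queue runner.
+services.redis.enable = mkDefault true;
+# We use postgres as the main data store.
+services.postgresql.enable = mkDefault true;
+services.postgresql.package = mkDefault pkgs.postgresql;
+# Use postfix to send out mails.
+services.postfix.enable = mkDefault true;
+
+users.extraUsers = [
+{ name = "gitlab";
+group = "gitlab";
+home = "${cfg.stateDir}/home";
+shell = "${pkgs.bash}/bin/bash";
+uid = config.ids.uids.gitlab;
+} ];
+
+users.extraGroups = [
+{ name = "gitlab";
+gid = config.ids.gids.gitlab;
+} ];
+
+systemd.services.gitlab-sidekiq = {
+after = [ "network.target" "redis.service" ];
+wantedBy = [ "multi-user.target" ];
+environment.HOME = "${cfg.stateDir}/home";
+environment.UNICORN_PATH = "${cfg.stateDir}/";
+environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
+environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
+environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
+environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
+environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
+environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
+environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
+environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
+environment.GITLAB_SHELL_CONFIG_PATH = "${cfg.stateDir}/shell/config.yml";
+environment.GITLAB_SHELL_SECRET_PATH = "${cfg.stateDir}/config/gitlab_shell_secret";
+environment.GITLAB_HOST = "${cfg.host}";
+environment.GITLAB_PORT = "${toString cfg.port}";
+environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
+environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
+environment.RAILS_ENV = "production";
+path = with pkgs; [
+config.services.postgresql.package
+gitAndTools.git
+ruby
+openssh
+nodejs
+];
+serviceConfig = {
+Type = "simple";
+User = "gitlab";
+Group = "gitlab";
+TimeoutSec = "300";
+WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
+ExecStart="${rubyLibs.bundler}/bin/bundle exec \"sidekiq -q post_receive -q mailer -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.stateDir}/tmp/sidekiq.pid\"";
+};
+};
+
+systemd.services.gitlab = {
+after = [ "network.target" "postgresql.service" "redis.service" ];
+wantedBy = [ "multi-user.target" ];
+environment.HOME = "${cfg.stateDir}/home";
+environment.UNICORN_PATH = "${cfg.stateDir}/";
+environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
+environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
+environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
+environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
+environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
+environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
+environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
+environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
+environment.GITLAB_HOST = "${cfg.host}";
+environment.GITLAB_PORT = "${toString cfg.port}";
+environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
+environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
+environment.RAILS_ENV = "production";
+path = with pkgs; [
+config.services.postgresql.package
+gitAndTools.git
+ruby
+openssh
+nodejs
+];
+preStart = ''
+# TODO: use env vars
+mkdir -p ${cfg.stateDir}
+mkdir -p ${cfg.stateDir}/log
+mkdir -p ${cfg.stateDir}/satellites
+mkdir -p ${cfg.stateDir}/repositories
+mkdir -p ${cfg.stateDir}/shell/hooks
+mkdir -p ${cfg.stateDir}/tmp/pids
+mkdir -p ${cfg.stateDir}/tmp/sockets
+rm -rf ${cfg.stateDir}/config
+mkdir -p ${cfg.stateDir}/config
+# TODO: What exactly is gitlab-shell doing with the secret?
+head -c 20 /dev/urandom > ${cfg.stateDir}/config/gitlab_shell_secret
+mkdir -p ${cfg.stateDir}/home/.ssh
+touch ${cfg.stateDir}/home/.ssh/authorized_keys
+
+cp -rf ${pkgs.gitlab}/share/gitlab/config ${cfg.stateDir}/
+cp ${pkgs.gitlab}/share/gitlab/VERSION ${cfg.stateDir}/VERSION
+
+ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.stateDir}/config/database.yml
+ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.stateDir}/config/unicorn.rb
+
+chown -R gitlab:gitlab ${cfg.stateDir}/
+chmod -R 755 ${cfg.stateDir}/
+
+if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
+if ! test -e "${cfg.stateDir}/db-created"; then
+psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
+${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
+touch "${cfg.stateDir}/db-created"
+
+# force=yes disables the manual-interaction yes/no prompt
+# which breaks without an stdin.
+force=yes ${rubyLibs.bundler}/bin/bundle exec rake -f ${pkgs.gitlab}/share/gitlab/Rakefile gitlab:setup RAILS_ENV=production
+fi
+fi
+
+# Install the shell required to push repositories
+ln -fs ${pkgs.writeText "config.yml" gitlabShellYml} ${cfg.stateDir}/shell/config.yml
+export GITLAB_SHELL_CONFIG_PATH=""${cfg.stateDir}/shell/config.yml
+${pkgs.gitlab-shell}/bin/install
+
+# Change permissions in the last step because some of the
+# intermediary scripts like to create directories as root.
+chown -R gitlab:gitlab ${cfg.stateDir}/
+chmod -R 755 ${cfg.stateDir}/
+'';
+
+serviceConfig = {
+PermissionsStartOnly = true; # preStart must be run as root
+Type = "simple";
+User = "gitlab";
+Group = "gitlab";
+TimeoutSec = "300";
+WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
+ExecStart="${rubyLibs.bundler}/bin/bundle exec \"unicorn -c ${cfg.stateDir}/config/unicorn.rb -E production\"";
+};
+
+};
+
+};
+
+}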
@ -5,6 +5,13 @@ with lib;
|
||||
let
|
||||
cfg = config.services.mesos.slave;
|
||||
|
||||
mkAttributes =
|
||||
attrs: concatStringsSep ";" (mapAttrsToList
|
||||
(k: v: "${k}:${v}")
|
||||
(filterAttrs (k: v: v != null) attrs));
|
||||
attribsArg = optionalString (cfg.attributes != {})
|
||||
"--attributes=${mkAttributes cfg.attributes}";
|
||||
|
||||
in {
|
||||
|
||||
options.services.mesos = {
|
||||
@ -31,9 +38,9 @@ in {
|
||||
};
|
||||
|
||||
withHadoop = mkOption {
|
||||
description = "Add the HADOOP_HOME to the slave.";
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = "Add the HADOOP_HOME to the slave.";
|
||||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
|
||||
workDir = mkOption {
|
||||
@ -44,10 +51,10 @@ in {
|
||||
|
||||
extraCmdLineOptions = mkOption {
|
||||
description = ''
|
||||
Extra command line options for Mesos Slave.
|
||||
Extra command line options for Mesos Slave.
|
||||
|
||||
See https://mesos.apache.org/documentation/latest/configuration/
|
||||
'';
|
||||
See https://mesos.apache.org/documentation/latest/configuration/
|
||||
'';
|
||||
default = [ "" ];
|
||||
type = types.listOf types.string;
|
||||
example = [ "--gc_delay=3days" ];
|
||||
@ -62,6 +69,19 @@ in {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
attributes = mkOption {
|
||||
description = ''
|
||||
Machine attributes for the slave instance.
|
||||
|
||||
Use caution when changing this; you may need to manually reset slave
|
||||
metadata before the slave can re-register.
|
||||
'';
|
||||
default = {};
|
||||
type = types.attrsOf types.str;
|
||||
example = { rack = "aa";
|
||||
host = "aabc123";
|
||||
os = "nixos"; };
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
@ -74,20 +94,21 @@ in {
|
||||
after = [ "network-interfaces.target" ];
|
||||
environment.MESOS_CONTAINERIZERS = "docker,mesos";
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${pkgs.mesos}/bin/mesos-slave \
|
||||
--port=${toString cfg.port} \
|
||||
--master=${cfg.master} \
|
||||
${optionalString cfg.withHadoop "--hadoop-home=${pkgs.hadoop}"} \
|
||||
--work_dir=${cfg.workDir} \
|
||||
--logging_level=${cfg.logLevel} \
|
||||
--docker=${pkgs.docker}/libexec/docker/docker \
|
||||
${toString cfg.extraCmdLineOptions}
|
||||
'';
|
||||
PermissionsStartOnly = true;
|
||||
ExecStart = ''
|
||||
${pkgs.mesos}/bin/mesos-slave \
|
||||
--port=${toString cfg.port} \
|
||||
--master=${cfg.master} \
|
||||
${optionalString cfg.withHadoop "--hadoop-home=${pkgs.hadoop}"} \
|
||||
${attribsArg} \
|
||||
--work_dir=${cfg.workDir} \
|
||||
--logging_level=${cfg.logLevel} \
|
||||
--docker=${pkgs.docker}/libexec/docker/docker \
|
||||
${toString cfg.extraCmdLineOptions}
|
||||
'';
|
||||
PermissionsStartOnly = true;
|
||||
};
|
||||
preStart = ''
|
||||
mkdir -m 0700 -p ${cfg.workDir}
|
||||
mkdir -m 0700 -p ${cfg.workDir}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
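Review bot: `--attributes=${mkAttributes cfg.attributes}` is interpolated into ExecStart unquoted, so an attribute key or value containing whitespace or a quote would be split by systemd's command-line parsing, and a value containing `:` or `;` corrupts the `key:value;key:value` encoding that `mkAttributes` builds. Since `types.attrsOf types.str` places no restriction on the values, either quote the argument, `attribsArg = optionalString (cfg.attributes != {}) "\"--attributes=${mkAttributes cfg.attributes}\"";`, or state the forbidden characters in the `attributes` option description. The `filterAttrs (k: v: v != null)` step in `mkAttributes` appears redundant under that type, which does not admit null values.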
@ -225,7 +225,7 @@ in
|
||||
|
||||
binaryCaches = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ http://cache.nixos.org/ ];
|
||||
default = [ https://cache.nixos.org/ ];
|
||||
description = ''
|
||||
List of binary cache URLs used to obtain pre-built binaries
|
||||
of Nix packages.
|
||||
|
@ -81,27 +81,26 @@ in
|
||||
|
||||
###### implementation
|
||||
|
||||
config = {
|
||||
|
||||
systemd.services."synergy-client" = {
|
||||
enable = cfgC.enable;
|
||||
after = [ "network.target" ];
|
||||
description = "Synergy client";
|
||||
wantedBy = optional cfgC.autoStart "multi-user.target";
|
||||
path = [ pkgs.synergy ];
|
||||
serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergyc -f ${optionalString (cfgC.screenName != "") "-n ${cfgC.screenName}"} ${cfgC.serverAddress}'';
|
||||
};
|
||||
|
||||
systemd.services."synergy-server" = {
|
||||
enable = cfgS.enable;
|
||||
after = [ "network.target" ];
|
||||
description = "Synergy server";
|
||||
wantedBy = optional cfgS.autoStart "multi-user.target";
|
||||
path = [ pkgs.synergy ];
|
||||
serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergys -c ${cfgS.configFile} -f ${optionalString (cfgS.address != "") "-a ${cfgS.address}"} ${optionalString (cfgS.screenName != "") "-n ${cfgS.screenName}" }'';
|
||||
};
|
||||
|
||||
};
|
||||
config = mkMerge [
|
||||
(mkIf cfgC.enable {
|
||||
systemd.services."synergy-client" = {
|
||||
after = [ "network.target" ];
|
||||
description = "Synergy client";
|
||||
wantedBy = optional cfgC.autoStart "multi-user.target";
|
||||
path = [ pkgs.synergy ];
|
||||
serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergyc -f ${optionalString (cfgC.screenName != "") "-n ${cfgC.screenName}"} ${cfgC.serverAddress}'';
|
||||
};
|
||||
})
|
||||
(mkIf cfgS.enable {
|
||||
systemd.services."synergy-server" = {
|
||||
after = [ "network.target" ];
|
||||
description = "Synergy server";
|
||||
wantedBy = optional cfgS.autoStart "multi-user.target";
|
||||
path = [ pkgs.synergy ];
|
||||
serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergys -c ${cfgS.configFile} -f ${optionalString (cfgS.address != "") "-a ${cfgS.address}"} ${optionalString (cfgS.screenName != "") "-n ${cfgS.screenName}" }'';
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
}
|
||||
|
||||
|
@ -34,7 +34,7 @@ let
|
||||
cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
|
||||
|
||||
wrapProgram $file \
|
||||
--set PATH "/run/current-system/sw/bin:/run/current-system/sw/sbin" \
|
||||
--set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" \
|
||||
--set MUNIN_LIBDIR "${pkgs.munin}/lib" \
|
||||
--set MUNIN_PLUGSTATE "/var/run/munin"
|
||||
|
||||
@ -194,7 +194,7 @@ in
|
||||
|
||||
mkdir -p /etc/munin/plugins
|
||||
rm -rf /etc/munin/plugins/*
|
||||
PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
|
||||
PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
|
||||
'';
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
|
||||
|
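Review bot: The PATH string `/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin` is now spelled out twice, in the `wrapProgram --set PATH` line of the first hunk and in the `munin-node-configure` invocation of the second, with no comment saying why the setuid-wrapper directory was prepended; the two copies will drift. Hoist it into a `let` binding, `pluginPath = "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin";`, with a comment such as `# setuid wrappers first, presumably so plugins reach the privileged binaries there — confirm which plugins need it`, and reference `${pluginPath}` at both sites. The `let` block containing the wrapProgram snippet starts outside the first hunk.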
@ -86,7 +86,7 @@ in
|
||||
|
||||
boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd
|
||||
|
||||
environment.systemPackages = [ pkgs.nfsUtils ];
|
||||
environment.systemPackages = [ pkgs.nfs-utils ];
|
||||
|
||||
environment.etc = singleton
|
||||
{ source = exports;
|
||||
@ -104,7 +104,7 @@ in
|
||||
after = [ "rpcbind.service" "mountd.service" "idmapd.service" ];
|
||||
before = [ "statd.service" ];
|
||||
|
||||
path = [ pkgs.nfsUtils ];
|
||||
path = [ pkgs.nfs-utils ];
|
||||
|
||||
script =
|
||||
''
|
||||
@ -131,7 +131,7 @@ in
|
||||
requires = [ "rpcbind.service" ];
|
||||
after = [ "rpcbind.service" ];
|
||||
|
||||
path = [ pkgs.nfsUtils pkgs.sysvtools pkgs.utillinux ];
|
||||
path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
|
||||
|
||||
preStart =
|
||||
''
|
||||
@ -157,7 +157,7 @@ in
|
||||
|
||||
serviceConfig.Type = "forking";
|
||||
serviceConfig.ExecStart = ''
|
||||
@${pkgs.nfsUtils}/sbin/rpc.mountd rpc.mountd \
|
||||
@${pkgs.nfs-utils}/sbin/rpc.mountd rpc.mountd \
|
||||
${if cfg.mountdPort != null then "-p ${toString cfg.mountdPort}" else ""}
|
||||
'';
|
||||
serviceConfig.Restart = "always";
|
||||
|
@ -6,113 +6,84 @@ let
|
||||
|
||||
cfg = config.services.rsyncd;
|
||||
|
||||
motdFile = pkgs.writeText "rsyncd-motd" cfg.motd;
|
||||
motdFile = builtins.toFile "rsyncd-motd" cfg.motd;
|
||||
|
||||
rsyncdCfg = ""
|
||||
+ optionalString (cfg.motd != "") "motd file = ${motdFile}\n"
|
||||
+ optionalString (cfg.address != "") "address = ${cfg.address}\n"
|
||||
+ optionalString (cfg.port != 873) "port = ${toString cfg.port}\n"
|
||||
+ cfg.extraConfig
|
||||
+ "\n"
|
||||
+ flip concatMapStrings cfg.modules (m: "[${m.name}]\n\tpath = ${m.path}\n"
|
||||
+ optionalString (m.comment != "") "\tcomment = ${m.comment}\n"
|
||||
+ m.extraConfig
|
||||
+ "\n"
|
||||
);
|
||||
|
||||
rsyncdCfgFile = pkgs.writeText "rsyncd.conf" rsyncdCfg;
|
||||
moduleConfig = name:
|
||||
let module = getAttr name cfg.modules; in
|
||||
"[${name}]\n " + (toString (
|
||||
map
|
||||
(key: "${key} = ${toString (getAttr key module)}\n")
|
||||
(attrNames module)
|
||||
));
|
||||
|
||||
cfgFile = builtins.toFile "rsyncd.conf"
|
||||
''
|
||||
${optionalString (cfg.motd != "") "motd file = ${motdFile}"}
|
||||
${optionalString (cfg.address != "") "address = ${cfg.address}"}
|
||||
${optionalString (cfg.port != 873) "port = ${toString cfg.port}"}
|
||||
${cfg.extraConfig}
|
||||
${toString (map moduleConfig (attrNames cfg.modules))}
|
||||
'';
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
|
||||
services.rsyncd = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = "Whether to enable the rsync daemon.";
|
||||
description = "Whether to enable the rsync daemon.";
|
||||
};
|
||||
|
||||
motd = mkOption {
|
||||
type = types.string;
|
||||
default = "";
|
||||
description = ''
|
||||
Message of the day to display to clients on each connect.
|
||||
This usually contains site information and any legal notices.
|
||||
'';
|
||||
description = ''
|
||||
Message of the day to display to clients on each connect.
|
||||
This usually contains site information and any legal notices.
|
||||
'';
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
default = 873;
|
||||
type = types.int;
|
||||
description = "TCP port the daemon will listen on.";
|
||||
type = types.int;
|
||||
description = "TCP port the daemon will listen on.";
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
default = "";
|
||||
example = "192.168.1.2";
|
||||
description = ''
|
||||
IP address the daemon will listen on; rsyncd will listen on
|
||||
all addresses if this is not specified.
|
||||
'';
|
||||
example = "192.168.1.2";
|
||||
description = ''
|
||||
IP address the daemon will listen on; rsyncd will listen on
|
||||
all addresses if this is not specified.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Lines of configuration to add to rsyncd globally.
|
||||
See <literal>man rsyncd.conf</literal> for more options.
|
||||
'';
|
||||
default = "";
|
||||
description = ''
|
||||
Lines of configuration to add to rsyncd globally.
|
||||
See <command>man rsyncd.conf</command> for options.
|
||||
'';
|
||||
};
|
||||
|
||||
modules = mkOption {
|
||||
default = [ ];
|
||||
example = [
|
||||
{ name = "ftp";
|
||||
path = "/home/ftp";
|
||||
comment = "ftp export area";
|
||||
extraConfig = ''
|
||||
secrets file = /etc/rsyncd.secrets
|
||||
'';
|
||||
}
|
||||
];
|
||||
description = "The list of file paths to export.";
|
||||
type = types.listOf types.optionSet;
|
||||
|
||||
options = {
|
||||
|
||||
name = mkOption {
|
||||
example = "ftp";
|
||||
type = types.string;
|
||||
description = "Name of export module.";
|
||||
};
|
||||
|
||||
comment = mkOption {
|
||||
default = "";
|
||||
description = ''
|
||||
Description string that is displayed next to the module name
|
||||
when clients obtain a list of available modules.
|
||||
'';
|
||||
};
|
||||
|
||||
path = mkOption {
|
||||
example = "/home/ftp";
|
||||
type = types.string;
|
||||
description = "Directory to make available in this module.";
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Lines of configuration to add to this module.
|
||||
See <literal>man rsyncd.conf</literal> for more options.
|
||||
'';
|
||||
default = {};
|
||||
description = ''
|
||||
A set describing exported directories.
|
||||
See <command>man rsyncd.conf</command> for options.
|
||||
'';
|
||||
type = types.attrsOf (types.attrsOf types.str);
|
||||
example =
|
||||
{ srv =
|
||||
{ path = "/srv";
|
||||
"read only" = "yes";
|
||||
comment = "Public rsync share.";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
@ -120,20 +91,16 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
environment.etc = singleton
|
||||
{ source = rsyncdCfgFile;
|
||||
environment.etc = singleton {
|
||||
source = cfgFile;
|
||||
target = "rsyncd.conf";
|
||||
};
|
||||
|
||||
systemd.services.rsyncd = {
|
||||
description = "Rsync daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
path = [ pkgs.rsync ];
|
||||
|
||||
serviceConfig.ExecStart = "${pkgs.rsync}/bin/rsync --daemon --no-detach";
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
};
|
||||
}
|
||||
|
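Review bot: Changing `modules` from `listOf optionSet` (with `name`/`path`/`comment`/`extraConfig`) to `attrsOf (attrsOf str)` breaks every existing configuration that sets it, and the hunk gives users neither a migration hint in the option description nor an assertion that reports the old list shape with a readable message. A one-line addition to the description, `Note: this option used to be a list of { name, path, ... } sets; it is now an attribute set keyed by module name.`, would at least explain the resulting type error. The per-section serializer `moduleConfig` is duplicated verbatim as `shareConfig` in the samba.nix section of this commit; note also that `toString` on the mapped list joins entries with a space, so every line after the first starts with a stray blank, which rsyncd tolerates but `concatStrings` would avoid.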
@ -27,6 +27,14 @@ let
|
||||
mkdir -p ${privateDir}
|
||||
'';
|
||||
|
||||
shareConfig = name:
|
||||
let share = getAttr name cfg.shares; in
|
||||
"[${name}]\n " + (toString (
|
||||
map
|
||||
(key: "${key} = ${toString (getAttr key share)}\n")
|
||||
(attrNames share)
|
||||
));
|
||||
|
||||
configFile = pkgs.writeText "smb.conf"
|
||||
(if cfg.configText != null then cfg.configText else
|
||||
''
|
||||
@ -36,6 +44,8 @@ let
|
||||
${optionalString cfg.syncPasswordsByPam "pam password change = true"}
|
||||
|
||||
${cfg.extraConfig}
|
||||
|
||||
${toString (map shareConfig (attrNames cfg.shares))}
|
||||
'');
|
||||
|
||||
# This may include nss_ldap, needed for samba if it has to use ldap.
|
||||
@ -159,6 +169,23 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
shares = mkOption {
|
||||
default = {};
|
||||
description =
|
||||
''
|
||||
A set describing shared resources.
|
||||
See <command>man smb.conf</command> for options.
|
||||
'';
|
||||
type = types.attrsOf (types.attrsOf types.str);
|
||||
example =
|
||||
{ srv =
|
||||
{ path = "/srv";
|
||||
"read only" = "yes";
|
||||
comment = "Public samba share.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
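Review bot: The new `shares` option serializes every value straight into smb.conf, which `pkgs.writeText` places in the world-readable Nix store (the rsyncd.nix section of this commit does the same with `builtins.toFile`), so the `shares` description at the third hunk should say that per-share settings must not carry credentials and that secrets belong in files referenced by path. A sentence such as `The generated smb.conf lives in the Nix store and is readable by every local user; do not put passwords into share options.` covers it. `shareConfig` is a verbatim copy of rsyncd's `moduleConfig`; if both stay, a shared helper would avoid the two drifting apart.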
@ -8,7 +8,6 @@ let
|
||||
|
||||
configOptions = {
|
||||
data_dir = dataDir;
|
||||
rejoin_after_leave = true;
|
||||
}
|
||||
// (if cfg.webUi then { ui_dir = "${pkgs.consul.ui}"; } else { })
|
||||
// cfg.extraConfig;
|
||||
@ -41,6 +40,35 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
leaveOnStop = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
If enabled, causes a leave action to be sent when closing consul.
|
||||
This allows a clean termination of the node, but permanently removes
|
||||
it from the cluster. You probably don't want this option unless you
|
||||
are running a node which going offline in a permanent / semi-permanent
|
||||
fashion.
|
||||
'';
|
||||
};
|
||||
|
||||
joinNodes = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
A list of addresses of nodes which should be joined at startup if the
|
||||
current node is in a left state.
|
||||
'';
|
||||
};
|
||||
|
||||
joinRetries = mkOption {
|
||||
type = types.int;
|
||||
default = 10;
|
||||
description = ''
|
||||
The number of times to retry connecting to the join nodes.
|
||||
'';
|
||||
};
|
||||
|
||||
interface = {
|
||||
|
||||
advertise = mkOption {
|
||||
@ -119,13 +147,15 @@ in
|
||||
serviceConfig = {
|
||||
ExecStart = "@${pkgs.consul}/bin/consul consul agent"
|
||||
+ concatMapStrings (n: " -config-file ${n}") configFiles;
|
||||
ExecStop = "${pkgs.consul}/bin/consul leave";
|
||||
ExecReload = "${pkgs.consul}/bin/consul reload";
|
||||
PermissionsStartOnly = true;
|
||||
User = if cfg.dropPrivileges then "consul" else null;
|
||||
};
|
||||
TimeoutStartSec = "${toString (20 + (3 * cfg.joinRetries))}s";
|
||||
} // (optionalAttrs (cfg.leaveOnStop) {
|
||||
ExecStop = "${pkgs.consul}/bin/consul leave";
|
||||
});
|
||||
|
||||
path = with pkgs; [ iproute gnugrep gawk ];
|
||||
path = with pkgs; [ iproute gnugrep gawk consul ];
|
||||
preStart = ''
|
||||
mkdir -m 0700 -p ${dataDir}
|
||||
chown -R consul ${dataDir}
|
||||
@ -160,6 +190,18 @@ in
|
||||
echo " \"\": \"\"" >> /etc/consul-addrs.json
|
||||
echo "}" >> /etc/consul-addrs.json
|
||||
'';
|
||||
postStart = ''
|
||||
# Issues joins to nodes which we statically connect to
|
||||
${flip concatMapStrings cfg.joinNodes (addr: ''
|
||||
for i in {0..${toString cfg.joinRetries}}; do
|
||||
# Try to join the other nodes ${toString cfg.joinRetries} times before failing
|
||||
consul join "${addr}" && break
|
||||
sleep 1
|
||||
done &
|
||||
'')}
|
||||
wait
|
||||
exit 0
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
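Review bot: The join loop in `postStart` iterates `{0..${toString cfg.joinRetries}}`, which is `joinRetries + 1` attempts, one more than the option description ("The number of times to retry") and the inline comment promise; `for i in $(seq 1 ${toString cfg.joinRetries}); do` or `{1..${toString cfg.joinRetries}}` matches them. The unconditional `exit 0` after `wait` means postStart succeeds even when every join attempt failed, so a node that never reached any of `joinNodes` still reports as started; if that is intended as best-effort, a comment should say so, otherwise collect the background jobs' statuses and fail. `TimeoutStartSec = 20 + 3 * joinRetries` seconds appears to assume each `consul join` attempt returns within a couple of seconds, which may not hold when a peer is unreachable and the connection has to time out.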
@ -194,7 +194,7 @@ in {
|
||||
};
|
||||
|
||||
powerManagement.resumeCommands = ''
|
||||
Systemctl restart network-manager
|
||||
${config.systemd.package}/bin/systemctl restart network-manager
|
||||
'';
|
||||
|
||||
security.polkit.extraConfig = polkitConf;
|
||||
|
@ -118,7 +118,7 @@ in
|
||||
systemd.services.strongswan = {
|
||||
description = "strongSwan IPSec Service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = with pkgs; [ kmod ]; # XXX Linux
|
||||
path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
|
||||
wants = [ "keys.target" ];
|
||||
after = [ "network.target" "keys.target" ];
|
||||
environment = {
|
||||
|
@ -44,6 +44,8 @@ in
|
||||
path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];
|
||||
|
||||
preStart = ''
|
||||
mkdir -p /var/run/tcpcryptd
|
||||
chown tcpcryptd /var/run/tcpcryptd
|
||||
sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state
|
||||
sysctl -w net.ipv4.tcp_ecn=0
|
||||
|
||||
|
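Review bot: `sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state` overwrites the saved value on every start, so after a restart of an already-running tcpcryptd the file records the `0` the service itself set and the original ECN setting is lost, unless a stop hook outside this hunk removes the file first. Writing the snapshot only when none exists, `[ -e /run/pre-tcpcrypt-ecn-state ] || sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state`, keeps the pre-tcpcrypt value across restarts. The matching restore step is not in this hunk; a comment naming where it lives would help the next reader.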
80
nixos/modules/services/networking/tox-bootstrapd.nix
Normal file
@ -0,0 +1,80 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
home = "/var/lib/tox-bootstrapd";
|
||||
PIDFile = "${home}/pid";
|
||||
|
||||
pkg = pkgs.libtoxcore;
|
||||
cfg = config.services.toxBootstrapd;
|
||||
cfgFile = builtins.toFile "tox-bootstrapd.conf"
|
||||
''
|
||||
port = ${toString cfg.port}
|
||||
keys_file_path = "${home}/keys"
|
||||
pid_file_path = "${PIDFile}"
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
in
|
||||
{
|
||||
options =
|
||||
{ services.toxBootstrapd =
|
||||
{ enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description =
|
||||
''
|
||||
Whether to enable the Tox DHT boostrap daemon.
|
||||
'';
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 33445;
|
||||
description = "Listening port (UDP).";
|
||||
};
|
||||
|
||||
keysFile = mkOption {
|
||||
type = types.str;
|
||||
default = "${home}/keys";
|
||||
description = "Node key file.";
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description =
|
||||
''
|
||||
Configuration for boostrap daemon.
|
||||
See <link xlink:href="https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf"/>
|
||||
and <link xlink:href="http://wiki.tox.im/Nodes"/>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf config.services.toxBootstrapd.enable {
|
||||
|
||||
users.extraUsers = singleton
|
||||
{ name = "tox-bootstrapd";
|
||||
uid = config.ids.uids.tox-bootstrapd;
|
||||
description = "Tox bootstrap daemon user";
|
||||
inherit home;
|
||||
createHome = true;
|
||||
};
|
||||
|
||||
systemd.services.tox-bootstrapd = {
|
||||
description = "Tox DHT bootstrap daemon";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig =
|
||||
{ ExecStart = "${pkg}/bin/tox-bootstrapd ${cfgFile}";
|
||||
Type = "forking";
|
||||
inherit PIDFile;
|
||||
User = "tox-bootstrapd";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
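Review bot: The `keysFile` option is declared but never read: `cfgFile` hard-codes `keys_file_path = "${home}/keys"`, so setting `services.toxBootstrapd.keysFile` has no effect; use `keys_file_path = "${cfg.keysFile}"` in the generated config. The keys file holds the node's long-term DHT keypair, and the daemon runs as `tox-bootstrapd` with `createHome = true`, so the `keysFile` description should state that the file must be readable only by that user. The option descriptions also misspell "bootstrap" as "boostrap" in two places.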
@ -48,6 +48,7 @@ in
|
||||
systemd.mounts = map ({ what, where }: {
|
||||
bindsTo = [ "unifi.service" ];
|
||||
partOf = [ "unifi.service" ];
|
||||
unitConfig.RequiresMountsFor = stateDir;
|
||||
options = "bind";
|
||||
what = what;
|
||||
where = where;
|
||||
@ -59,6 +60,7 @@ in
|
||||
after = [ "network.target" ] ++ systemdMountPoints;
|
||||
partOf = systemdMountPoints;
|
||||
bindsTo = systemdMountPoints;
|
||||
unitConfig.RequiresMountsFor = stateDir;
|
||||
|
||||
preStart = ''
|
||||
# Ensure privacy of state
|
||||
|
@ -11,20 +11,16 @@ let
|
||||
additionalBackends = pkgs.runCommand "additional-cups-backends" { }
|
||||
''
|
||||
mkdir -p $out
|
||||
if [ ! -e ${pkgs.cups}/lib/cups/backend/smb ]; then
|
||||
if [ ! -e ${cups}/lib/cups/backend/smb ]; then
|
||||
mkdir -p $out/lib/cups/backend
|
||||
ln -sv ${pkgs.samba}/bin/smbspool $out/lib/cups/backend/smb
|
||||
fi
|
||||
|
||||
# Provide support for printing via HTTPS.
|
||||
if [ ! -e ${pkgs.cups}/lib/cups/backend/https ]; then
|
||||
if [ ! -e ${cups}/lib/cups/backend/https ]; then
|
||||
mkdir -p $out/lib/cups/backend
|
||||
ln -sv ${pkgs.cups}/lib/cups/backend/ipp $out/lib/cups/backend/https
|
||||
ln -sv ${cups}/lib/cups/backend/ipp $out/lib/cups/backend/https
|
||||
fi
|
||||
|
||||
# Import filter configuration from Ghostscript.
|
||||
mkdir -p $out/share/cups/mime/
|
||||
ln -v -s "${pkgs.ghostscript}/etc/cups/"* $out/share/cups/mime/
|
||||
'';
|
||||
|
||||
# Here we can enable additional backends, filters, etc. that are not
|
||||
@ -90,6 +86,15 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
cupsFilesConf = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
The contents of the configuration file of the CUPS daemon
|
||||
(<filename>cups-files.conf</filename>).
|
||||
'';
|
||||
};
|
||||
|
||||
extraConf = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
@ -153,13 +158,9 @@ in
|
||||
|
||||
environment.systemPackages = [ cups ];
|
||||
|
||||
environment.variables.CUPS_SERVERROOT = "/etc/cups";
|
||||
|
||||
environment.etc = [
|
||||
{ source = pkgs.writeText "client.conf" cfg.clientConf;
|
||||
target = "cups/client.conf";
|
||||
}
|
||||
];
|
||||
environment.etc."cups/client.conf".text = cfg.clientConf;
|
||||
environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf;
|
||||
environment.etc."cups/cupsd.conf".text = cfg.cupsdConf;
|
||||
|
||||
services.dbus.packages = [ cups ];
|
||||
|
||||
@ -186,35 +187,26 @@ in
|
||||
'';
|
||||
|
||||
serviceConfig.Type = "forking";
|
||||
serviceConfig.ExecStart = "@${cups}/sbin/cupsd cupsd -c ${pkgs.writeText "cupsd.conf" cfg.cupsdConf}";
|
||||
serviceConfig.ExecStart = "@${cups}/sbin/cupsd cupsd";
|
||||
|
||||
restartTriggers =
|
||||
[ config.environment.etc."cups/cups-files.conf".source
|
||||
config.environment.etc."cups/cupsd.conf".source
|
||||
];
|
||||
};
|
||||
|
||||
services.printing.drivers =
|
||||
[ pkgs.cups pkgs.ghostscript pkgs.cups_filters additionalBackends
|
||||
[ cups pkgs.ghostscript pkgs.cups_filters additionalBackends
|
||||
pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep
|
||||
];
|
||||
|
||||
services.printing.cupsdConf =
|
||||
services.printing.cupsFilesConf =
|
||||
''
|
||||
LogLevel info
|
||||
|
||||
SystemGroup root wheel
|
||||
|
||||
${concatMapStrings (addr: ''
|
||||
Listen ${addr}
|
||||
'') cfg.listenAddresses}
|
||||
Listen /var/run/cups/cups.sock
|
||||
|
||||
# Note: we can't use ${cups}/etc/cups as the ServerRoot, since
|
||||
# CUPS will write in the ServerRoot when e.g. adding new printers
|
||||
# through the web interface.
|
||||
ServerRoot /etc/cups
|
||||
|
||||
ServerBin ${bindir}/lib/cups
|
||||
DataDir ${bindir}/share/cups
|
||||
|
||||
SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin:${bindir}/sbin
|
||||
|
||||
AccessLog syslog
|
||||
ErrorLog syslog
|
||||
PageLog syslog
|
||||
@ -227,6 +219,18 @@ in
|
||||
# these programs to run as `lp' as well.
|
||||
User cups
|
||||
Group lp
|
||||
'';
|
||||
|
||||
services.printing.cupsdConf =
|
||||
''
|
||||
LogLevel info
|
||||
|
||||
${concatMapStrings (addr: ''
|
||||
Listen ${addr}
|
||||
'') cfg.listenAddresses}
|
||||
Listen /var/run/cups/cups.sock
|
||||
|
||||
SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin:${bindir}/sbin
|
||||
|
||||
Browsing On
|
||||
BrowseOrder allow,deny
|
||||
@ -272,6 +276,7 @@ in
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
</Policy>
|
||||
|
||||
${cfg.extraConf}
|
||||
'';
|
||||
|
||||
|
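Review bot: The new `cupsFilesConf` option's description, "The contents of the configuration file of the CUPS daemon (cups-files.conf)", does not tell the user what distinguishes it from `cupsdConf`, yet this is the file that carries the privileged settings: `SystemGroup root wheel`, `User cups` and `Group lp` now live in its default at the `services.printing.cupsFilesConf` hunk, and `SystemGroup` decides who may administer printers. Extend the description, e.g. `Holds the settings cupsd treats as privileged (SystemGroup, User, Group, ServerRoot, log destinations); by default members of the wheel group may administer printers.`.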
@ -97,12 +97,10 @@ in
|
||||
|
||||
environment.systemPackages = [ cronNixosPkg ];
|
||||
|
||||
jobs.cron =
|
||||
systemd.services.cron =
|
||||
{ description = "Cron Daemon";
|
||||
|
||||
startOn = "startup";
|
||||
|
||||
path = [ cronNixosPkg ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
preStart =
|
||||
''
|
||||
@ -119,7 +117,8 @@ in
|
||||
fi
|
||||
'';
|
||||
|
||||
exec = "cron -n";
|
||||
restartTriggers = [ config.environment.etc.localtime.source ];
|
||||
serviceConfig.ExecStart = "${cronNixosPkg}/bin/cron -n";
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -3,120 +3,146 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
inherit (pkgs) tor privoxy;
|
||||
|
||||
stateDir = "/var/lib/tor";
|
||||
privoxyDir = stateDir+"/privoxy";
|
||||
|
||||
cfg = config.services.tor;
|
||||
torDirectory = "/var/lib/tor";
|
||||
|
||||
torUser = "tor";
|
||||
opt = name: value: optionalString (value != null) "${name} ${value}";
|
||||
optint = name: value: optionalString (value != 0) "${name} ${toString value}";
|
||||
|
||||
opt = name: value: if value != "" then "${name} ${value}" else "";
|
||||
optint = name: value: if value != 0 then "${name} ${toString value}" else "";
|
||||
torRc = ''
|
||||
User tor
|
||||
DataDirectory ${torDirectory}
|
||||
|
||||
${optint "ControlPort" cfg.controlPort}
|
||||
''
|
||||
# Client connection config
|
||||
+ optionalString cfg.client.enable ''
|
||||
SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
|
||||
SOCKSPort ${cfg.client.socksListenAddressFaster}
|
||||
${opt "SocksPolicy" cfg.client.socksPolicy}
|
||||
''
|
||||
# Relay config
|
||||
+ optionalString cfg.relay.enable ''
|
||||
ORPort ${cfg.relay.portSpec}
|
||||
${opt "Nickname" cfg.relay.nickname}
|
||||
${opt "ContactInfo" cfg.relay.contactInfo}
|
||||
|
||||
${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
|
||||
${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
|
||||
${opt "AccountingMax" cfg.relay.accountingMax}
|
||||
${opt "AccountingStart" cfg.relay.accountingStart}
|
||||
|
||||
${if cfg.relay.isExit then
|
||||
opt "ExitPolicy" cfg.relay.exitPolicy
|
||||
else
|
||||
"ExitPolicy reject *:*"}
|
||||
|
||||
${optionalString cfg.relay.isBridge ''
|
||||
BridgeRelay 1
|
||||
ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
|
||||
''}
|
||||
''
|
||||
+ cfg.extraConfig;
|
||||
|
||||
torRcFile = pkgs.writeText "torrc" torRc;
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
services.tor = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable the Tor daemon. By default, the daemon is run without
|
||||
relay, exit, bridge or client connectivity.
|
||||
'';
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra configuration. Contents will be added verbatim to the
|
||||
configuration file.
|
||||
configuration file at the end.
|
||||
'';
|
||||
};
|
||||
|
||||
controlPort = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
example = 9051;
|
||||
description = ''
|
||||
If set, Tor will accept connections on the specified port
|
||||
and allow them to control the tor process.
|
||||
'';
|
||||
};
|
||||
|
||||
client = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable Tor daemon to route application connections.
|
||||
You might want to disable this if you plan running a dedicated Tor relay.
|
||||
Whether to enable Tor daemon to route application
|
||||
connections. You might want to disable this if you plan
|
||||
running a dedicated Tor relay.
|
||||
'';
|
||||
};
|
||||
|
||||
socksListenAddress = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1:9050";
|
||||
example = "192.168.0.1:9100";
|
||||
description = ''
|
||||
Bind to this address to listen for connections from Socks-speaking
|
||||
applications.
|
||||
Bind to this address to listen for connections from
|
||||
Socks-speaking applications. Provides strong circuit
|
||||
isolation, separate circuit per IP address.
|
||||
'';
|
||||
};
|
||||
|
||||
socksListenAddressFaster = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1:9063";
|
||||
example = "192.168.0.1:9101";
|
||||
description = ''
|
||||
Same as socksListenAddress but uses weaker circuit isolation to provide
|
||||
performance suitable for a web browser.
|
||||
'';
|
||||
};
|
||||
Bind to this address to listen for connections from
|
||||
Socks-speaking applications. Same as socksListenAddress
|
||||
but uses weaker circuit isolation to provide performance
|
||||
suitable for a web browser.
|
||||
'';
|
||||
};
|
||||
|
||||
socksPolicy = mkOption {
|
||||
default = "";
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "accept 192.168.0.0/16, reject *";
|
||||
description = ''
|
||||
Entry policies to allow/deny SOCKS requests based on IP address.
|
||||
First entry that matches wins. If no SocksPolicy is set, we accept
|
||||
all (and only) requests from SocksListenAddress.
|
||||
Entry policies to allow/deny SOCKS requests based on IP
|
||||
address. First entry that matches wins. If no SocksPolicy
|
||||
is set, we accept all (and only) requests from
|
||||
SocksListenAddress.
|
||||
'';
|
||||
};
|
||||
|
||||
privoxy = {
|
||||
privoxy.enable = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to enable and configure the system Privoxy to use Tor's
|
||||
faster port, suitable for HTTP.
|
||||
|
||||
enable = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to enable a special instance of privoxy dedicated to Tor.
|
||||
To have anonymity, protocols need to be scrubbed of identifying
|
||||
information.
|
||||
Most people using Tor want to anonymize their web traffic, so by
|
||||
default we enable an special instance of privoxy specifically for
|
||||
Tor.
|
||||
However, if you are only going to use Tor only for other kinds of
|
||||
traffic then you can disable this option.
|
||||
'';
|
||||
};
|
||||
|
||||
listenAddress = mkOption {
|
||||
default = "127.0.0.1:8118";
|
||||
description = ''
|
||||
Address that Tor's instance of privoxy is listening to.
|
||||
*This does not configure the standard NixOS instance of privoxy.*
|
||||
This is for Tor connections only!
|
||||
See services.privoxy.listenAddress to configure the standard NixOS
|
||||
instace of privoxy.
|
||||
'';
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
default = "";
|
||||
description = ''
|
||||
Extra configuration for Tor's instance of privoxy. Contents will be
|
||||
added verbatim to the configuration file.
|
||||
*This does not configure the standard NixOS instance of privoxy.*
|
||||
This is for Tor connections only!
|
||||
See services.privoxy.extraConfig to configure the standard NixOS
|
||||
instace of privoxy.
|
||||
'';
|
||||
};
|
||||
To have anonymity, protocols need to be scrubbed of identifying
|
||||
information, and this can be accomplished for HTTP by Privoxy.
|
||||
|
||||
Privoxy can also be useful for KDE torification. A good setup would be:
|
||||
setting SOCKS proxy to the default Tor port, providing maximum
|
||||
circuit isolation where possible; and setting HTTP proxy to Privoxy
|
||||
to route HTTP traffic over faster, but less isolated port.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
relay = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable relaying TOR traffic for others.
|
||||
@ -126,16 +152,19 @@ in
|
||||
};
|
||||
|
||||
isBridge = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
|
||||
main directory. Since there is no complete public list of them, even if an
|
||||
ISP is filtering connections to all the known Tor relays, they probably
|
||||
Bridge relays (or "bridges") are Tor relays that aren't
|
||||
listed in the main directory. Since there is no complete
|
||||
public list of them, even if an ISP is filtering
|
||||
connections to all the known Tor relays, they probably
|
||||
won't be able to block all the bridges.
|
||||
|
||||
A bridge relay can't be an exit relay.
|
||||
|
||||
You need to set relay.enable to true for this option to take effect.
|
||||
You need to set relay.enable to true for this option to
|
||||
take effect.
|
||||
|
||||
The bridge is set up with an obfuscated transport proxy.
|
||||
|
||||
@ -144,25 +173,72 @@ in
|
||||
};
|
||||
|
||||
isExit = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
An exit relay allows Tor users to access regular Internet services.
|
||||
An exit relay allows Tor users to access regular Internet
|
||||
services.
|
||||
|
||||
Unlike running a non-exit relay, running an exit relay may expose
|
||||
you to abuse complaints. See https://www.torproject.org/faq.html.en#ExitPolicies for more info.
|
||||
Unlike running a non-exit relay, running an exit relay may
|
||||
expose you to abuse complaints. See
|
||||
https://www.torproject.org/faq.html.en#ExitPolicies for
|
||||
more info.
|
||||
|
||||
You can specify which services Tor users may access via your exit relay using exitPolicy option.
|
||||
You can specify which services Tor users may access via
|
||||
your exit relay using exitPolicy option.
|
||||
'';
|
||||
};
|
||||
|
||||
nickname = mkOption {
|
||||
type = types.str;
|
||||
default = "anonymous";
|
||||
description = ''
|
||||
A unique handle for your TOR relay.
|
||||
'';
|
||||
};
|
||||
|
||||
contactInfo = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "admin@relay.com";
|
||||
description = ''
|
||||
Contact information for the relay owner (e.g. a mail
|
||||
address and GPG key ID).
|
||||
'';
|
||||
};
|
||||
|
||||
accountingMax = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "450 GBytes";
|
||||
description = ''
|
||||
Specify maximum bandwidth allowed during an accounting
|
||||
period. This allows you to limit overall tor bandwidth
|
||||
over some time period. See the
|
||||
<literal>AccountingMax</literal> option by looking at the
|
||||
tor manual (<literal>man tor</literal>) for more.
|
||||
|
||||
Note this limit applies individually to upload and
|
||||
download; if you specify <literal>"500 GBytes"</literal>
|
||||
here, then you may transfer up to 1 TBytes of overall
|
||||
bandwidth (500 GB upload, 500 GB download).
|
||||
'';
|
||||
};
|
||||
|
||||
accountingStart = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "month 1 1:00";
|
||||
description = ''
|
||||
Specify length of an accounting period. This allows you to
|
||||
limit overall tor bandwidth over some time period. See the
|
||||
<literal>AccountingStart</literal> option by looking at
|
||||
the tor manual (<literal>man tor</literal>) for more.
|
||||
'';
|
||||
};
|
||||
|
||||
bandwidthRate = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
example = 100;
|
||||
description = ''
|
||||
@ -172,6 +248,7 @@ in
|
||||
};
|
||||
|
||||
bandwidthBurst = mkOption {
|
||||
type = types.int;
|
||||
default = cfg.relay.bandwidthRate;
|
||||
example = 200;
|
||||
description = ''
|
||||
@ -181,143 +258,110 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
default = 9001;
|
||||
portSpec = mkOption {
|
||||
type = types.str;
|
||||
example = "143";
|
||||
description = ''
|
||||
What port to advertise for Tor connections.
|
||||
'';
|
||||
};
|
||||
What port to advertise for Tor connections. This corresponds
|
||||
to the <literal>ORPort</literal> section in the Tor manual; see
|
||||
<literal>man tor</literal> for more details.
|
||||
|
||||
listenAddress = mkOption {
|
||||
default = "";
|
||||
example = "0.0.0.0:9090";
|
||||
description = ''
|
||||
Set this if you need to listen on a port other than the one advertised
|
||||
in relayPort (e.g. to advertise 443 but bind to 9090). You'll need to do
|
||||
ipchains or other port forwsarding yourself to make this work.
|
||||
At a minimum, you should just specify the port for the
|
||||
relay to listen on; a common one like 143, 22, 80, or 443
|
||||
to help Tor users who may have very restrictive port-based
|
||||
firewalls.
|
||||
'';
|
||||
};
|
||||
|
||||
exitPolicy = mkOption {
|
||||
default = "";
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "accept *:6660-6667,reject *:*";
|
||||
description = ''
|
||||
A comma-separated list of exit policies. They're considered first
|
||||
to last, and the first match wins. If you want to _replace_
|
||||
the default exit policy, end this with either a reject *:* or an
|
||||
accept *:*. Otherwise, you're _augmenting_ (prepending to) the
|
||||
default exit policy. Leave commented to just use the default, which is
|
||||
available in the man page or at https://www.torproject.org/documentation.html
|
||||
A comma-separated list of exit policies. They're
|
||||
considered first to last, and the first match wins. If you
|
||||
want to _replace_ the default exit policy, end this with
|
||||
either a reject *:* or an accept *:*. Otherwise, you're
|
||||
_augmenting_ (prepending to) the default exit
|
||||
policy. Leave commented to just use the default, which is
|
||||
available in the man page or at
|
||||
https://www.torproject.org/documentation.html
|
||||
|
||||
Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
|
||||
for issues you might encounter if you use the default exit policy.
|
||||
|
||||
If certain IPs and ports are blocked externally, e.g. by your firewall,
|
||||
you should update your exit policy to reflect this -- otherwise Tor
|
||||
users will be told that those destinations are down.
|
||||
If certain IPs and ports are blocked externally, e.g. by
|
||||
your firewall, you should update your exit policy to
|
||||
reflect this -- otherwise Tor users will be told that
|
||||
those destinations are down.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf (cfg.client.enable || cfg.relay.enable) {
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = singleton
|
||||
{ assertion = cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
|
||||
message = "Can't be both an exit and a bridge relay at the same time";
|
||||
{ message = "Can't be both an exit and a bridge relay at the same time";
|
||||
assertion =
|
||||
cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
|
||||
};
|
||||
|
||||
users.extraUsers = singleton
|
||||
{ name = torUser;
|
||||
uid = config.ids.uids.tor;
|
||||
description = "Tor daemon user";
|
||||
home = stateDir;
|
||||
users.extraGroups.tor.gid = config.ids.gids.tor;
|
||||
users.extraUsers.tor =
|
||||
{ description = "Tor Daemon User";
|
||||
createHome = true;
|
||||
home = torDirectory;
|
||||
group = "tor";
|
||||
uid = config.ids.uids.tor;
|
||||
};
|
||||
|
||||
jobs = {
|
||||
tor = { name = "tor";
|
||||
systemd.services.tor =
|
||||
{ description = "Tor Daemon";
|
||||
path = [ pkgs.tor ];
|
||||
|
||||
startOn = "started network-interfaces";
|
||||
stopOn = "stopping network-interfaces";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
restartTriggers = [ torRcFile ];
|
||||
|
||||
preStart = ''
|
||||
mkdir -m 0755 -p ${stateDir}
|
||||
chown ${torUser} ${stateDir}
|
||||
'';
|
||||
exec = "${tor}/bin/tor -f ${pkgs.writeText "torrc" cfg.config}";
|
||||
}; }
|
||||
// optionalAttrs (cfg.client.privoxy.enable && cfg.client.enable) {
|
||||
torPrivoxy = { name = "tor-privoxy";
|
||||
# Translated from the upstream contrib/dist/tor.service.in
|
||||
serviceConfig =
|
||||
{ Type = "simple";
|
||||
ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
|
||||
ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
KillSignal = "SIGINT";
|
||||
TimeoutSec = 30;
|
||||
Restart = "on-failure";
|
||||
LimitNOFILE = 32768;
|
||||
|
||||
startOn = "started network-interfaces";
|
||||
stopOn = "stopping network-interfaces";
|
||||
# Hardening
|
||||
# Note: DevicePolicy is set to 'closed', although the
|
||||
# minimal permissions are really:
|
||||
# DeviceAllow /dev/null rw
|
||||
# DeviceAllow /dev/urandom r
|
||||
# .. but we can't specify DeviceAllow multiple times. 'closed'
|
||||
# is close enough.
|
||||
PrivateTmp = "yes";
|
||||
DevicePolicy = "closed";
|
||||
InaccessibleDirectories = "/home";
|
||||
ReadOnlyDirectories = "/";
|
||||
ReadWriteDirectories = torDirectory;
|
||||
NoNewPrivileges = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
mkdir -m 0755 -p ${privoxyDir}
|
||||
chown ${torUser} ${privoxyDir}
|
||||
'';
|
||||
exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" cfg.client.privoxy.config}";
|
||||
}; };
|
||||
environment.systemPackages = [ pkgs.tor ];
|
||||
|
||||
services.tor.config = ''
|
||||
DataDirectory ${stateDir}
|
||||
User ${torUser}
|
||||
''
|
||||
+ optionalString cfg.client.enable ''
|
||||
SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
|
||||
SOCKSPort ${cfg.client.socksListenAddressFaster}
|
||||
${opt "SocksPolicy" cfg.client.socksPolicy}
|
||||
''
|
||||
+ optionalString cfg.relay.enable ''
|
||||
ORPort ${toString cfg.relay.port}
|
||||
${opt "ORListenAddress" cfg.relay.listenAddress }
|
||||
${opt "Nickname" cfg.relay.nickname}
|
||||
${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
|
||||
${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
|
||||
${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"}
|
||||
${if cfg.relay.isBridge then ''
|
||||
BridgeRelay 1
|
||||
ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
|
||||
'' else ""}
|
||||
'';
|
||||
|
||||
services.tor.client.privoxy.config = ''
|
||||
# Generally, this file goes in /etc/privoxy/config
|
||||
#
|
||||
# Tor listens as a SOCKS4a proxy here:
|
||||
services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
forward-socks4a / ${cfg.client.socksListenAddressFaster} .
|
||||
confdir ${privoxy}/etc
|
||||
logdir ${privoxyDir}
|
||||
# actionsfile standard # Internal purpose, recommended
|
||||
actionsfile default.action # Main actions file
|
||||
actionsfile user.action # User customizations
|
||||
filterfile default.filter
|
||||
|
||||
# Don't log interesting things, only startup messages, warnings and errors
|
||||
logfile logfile
|
||||
#jarfile jarfile
|
||||
#debug 0 # show each GET/POST/CONNECT request
|
||||
debug 4096 # Startup banner and warnings
|
||||
debug 8192 # Errors - *we highly recommended enabling this*
|
||||
|
||||
user-manual ${privoxy}/doc/privoxy/user-manual
|
||||
listen-address ${cfg.client.privoxy.listenAddress}
|
||||
toggle 1
|
||||
enable-remote-toggle 0
|
||||
enable-edit-actions 0
|
||||
enable-remote-http-toggle 0
|
||||
buffer-limit 4096
|
||||
|
||||
# Extra config goes here
|
||||
'';
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -5,13 +5,13 @@ let
|
||||
cfg = config.services.tor;
|
||||
|
||||
torify = pkgs.writeTextFile {
|
||||
name = "torify";
|
||||
name = "tsocks";
|
||||
text = ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.torify.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@"
|
||||
TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.tsocks.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@"
|
||||
'';
|
||||
executable = true;
|
||||
destination = "/bin/torify";
|
||||
destination = "/bin/tsocks";
|
||||
};
|
||||
|
||||
in
|
||||
@ -22,12 +22,12 @@ in
|
||||
|
||||
options = {
|
||||
|
||||
services.tor.torify = {
|
||||
services.tor.tsocks = {
|
||||
|
||||
enable = mkOption {
|
||||
default = cfg.client.enable;
|
||||
default = cfg.enable && cfg.client.enable;
|
||||
description = ''
|
||||
Whether to build torify scipt to relay application traffic via TOR.
|
||||
Whether to build tsocks wrapper script to relay application traffic via TOR.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -53,13 +53,13 @@ in
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.torify.enable {
|
||||
config = mkIf cfg.tsocks.enable {
|
||||
|
||||
environment.systemPackages = [ torify ]; # expose it to the users
|
||||
|
||||
services.tor.torify.config = ''
|
||||
server = ${toString(head (splitString ":" cfg.torify.server))}
|
||||
server_port = ${toString(tail (splitString ":" cfg.torify.server))}
|
||||
services.tor.tsocks.config = ''
|
||||
server = ${toString(head (splitString ":" cfg.tsocks.server))}
|
||||
server_port = ${toString(tail (splitString ":" cfg.tsocks.server))}
|
||||
|
||||
local = 127.0.0.0/255.128.0.0
|
||||
local = 127.128.0.0/255.192.0.0
|
||||
|
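Review bot: The renamed `services.tor.tsocks.enable` description still promises to "relay application traffic via TOR", but the wrapper it builds is an `LD_PRELOAD` shim (the `libtsocks.so` line near the top of this section), which only covers `connect()` calls of dynamically linked, non-setuid programs and — as far as I know of tsocks, unlike torsocks — does not redirect hostname resolution. I would append to that description: `Note that tsocks only redirects TCP connections of dynamically linked programs and does not proxy DNS lookups; prefer torsocks where leak protection matters.` Separately, `server_port = ${toString(tail (splitString ":" cfg.tsocks.server))}` only yields a bare port when the address contains exactly one colon, because `tail` returns a list that `toString` space-joins; `last (splitString ":" cfg.tsocks.server)` states the intent directly.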
@ -1,85 +1,121 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.tor.torsocks;
|
||||
optionalNullStr = b: v: optionalString (b != null) v;
|
||||
|
||||
cfg = config.services.tor;
|
||||
configFile = server: ''
|
||||
TorAddress ${toString (head (splitString ":" server))}
|
||||
TorPort ${toString (tail (splitString ":" server))}
|
||||
|
||||
makeConfig = server: ''
|
||||
server = ${toString(head (splitString ":" server))}
|
||||
server_port = ${toString(tail (splitString ":" server))}
|
||||
OnionAddrRange ${cfg.onionAddrRange}
|
||||
|
||||
local = 127.0.0.0/255.128.0.0
|
||||
local = 127.128.0.0/255.192.0.0
|
||||
local = 169.254.0.0/255.255.0.0
|
||||
local = 172.16.0.0/255.240.0.0
|
||||
local = 192.168.0.0/255.255.0.0
|
||||
${optionalNullStr cfg.socks5Username
|
||||
"SOCKS5Username ${cfg.socks5Username}"}
|
||||
${optionalNullStr cfg.socks5Password
|
||||
"SOCKS5Password ${cfg.socks5Password}"}
|
||||
|
||||
${cfg.torsocks.config}
|
||||
'';
|
||||
makeTorsocks = name: server: pkgs.writeTextFile {
|
||||
AllowInbound ${if cfg.allowInbound then "1" else "0"}
|
||||
'';
|
||||
|
||||
wrapTorsocks = name: server: pkgs.writeTextFile {
|
||||
name = name;
|
||||
text = ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (makeConfig server)} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" "$@"
|
||||
TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} ${pkgs.torsocks}/bin/torsocks "$@"
|
||||
'';
|
||||
executable = true;
|
||||
destination = "/bin/${name}";
|
||||
};
|
||||
|
||||
torsocks = makeTorsocks "torsocks" cfg.torsocks.server;
|
||||
torsocksFaster = makeTorsocks "torsocks-faster" cfg.torsocks.serverFaster;
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
services.tor.torsocks = {
|
||||
|
||||
enable = mkOption {
|
||||
default = cfg.client.enable;
|
||||
type = types.bool;
|
||||
default = config.services.tor.enable && config.services.tor.client.enable;
|
||||
description = ''
|
||||
Whether to build torsocks scipt to relay application traffic via TOR.
|
||||
Whether to build <literal>/etc/tor/torsocks.conf</literal>
|
||||
containing the specified global torsocks configuration.
|
||||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
default = cfg.client.socksListenAddress;
|
||||
example = "192.168.0.20:9050";
|
||||
type = types.str;
|
||||
default = "127.0.0.1:9050";
|
||||
example = "192.168.0.20:1234";
|
||||
description = ''
|
||||
IP address of TOR client to use.
|
||||
IP/Port of the Tor SOCKS server. Currently, hostnames are
|
||||
NOT supported by torsocks.
|
||||
'';
|
||||
};
|
||||
|
||||
serverFaster = mkOption {
|
||||
default = cfg.client.socksListenAddressFaster;
|
||||
example = "192.168.0.20:9063";
|
||||
fasterServer = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1:9063";
|
||||
example = "192.168.0.20:1234";
|
||||
description = ''
|
||||
IP address of TOR client to use for applications like web browsers which
|
||||
need less circuit isolation to achive satisfactory performance.
|
||||
IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP.
|
||||
Currently, hostnames are NOT supported by torsocks.
|
||||
'';
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
default = "";
|
||||
onionAddrRange = mkOption {
|
||||
type = types.str;
|
||||
default = "127.42.42.0/24";
|
||||
description = ''
|
||||
Extra configuration. Contents will be added verbatim to torsocks
|
||||
configuration file.
|
||||
Tor hidden sites do not have real IP addresses. This
|
||||
specifies what range of IP addresses will be handed to the
|
||||
application as "cookies" for .onion names. Of course, you
|
||||
should pick a block of addresses which you aren't going to
|
||||
ever need to actually connect to. This is similar to the
|
||||
MapAddress feature of the main tor daemon.
|
||||
'';
|
||||
};
|
||||
|
||||
socks5Username = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "bob";
|
||||
description = ''
|
||||
SOCKS5 username. The <literal>TORSOCKS_USERNAME</literal>
|
||||
environment variable overrides this option if it is set.
|
||||
'';
|
||||
};
|
||||
|
||||
socks5Password = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "sekret";
|
||||
description = ''
|
||||
SOCKS5 password. The <literal>TORSOCKS_PASSWORD</literal>
|
||||
environment variable overrides this option if it is set.
|
||||
'';
|
||||
};
|
||||
|
||||
allowInbound = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Set Torsocks to accept inbound connections. If set to
|
||||
<literal>true</literal>, listen() and accept() will be
|
||||
allowed to be used with non localhost address.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.torsocks.enable {
|
||||
|
||||
environment.systemPackages = [ torsocks torsocksFaster ]; # expose it to the users
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ];
|
||||
|
||||
environment.etc =
|
||||
[ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server);
|
||||
target = "tor/torsocks.conf";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
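Review bot: The value of the new `socks5Password` option is interpolated into `configFile` and then written with `pkgs.writeText "torsocks.conf"` in the `environment.etc` entry, which places it in the world-readable Nix store (and on any binary cache the host pushes to), so the option quietly turns a credential into public data. The description should say so and steer users to the `TORSOCKS_PASSWORD` variable it already mentions, e.g. append `The value is written to the world-readable Nix store; for anything secret set the environment variable instead.`; the same caveat, less severe, applies to `socks5Username`. Also `TorPort ${toString (tail (splitString ":" server))}` in `configFile` only produces a plain port when `server` holds a single colon, since `tail` returns a list; `last (splitString ":" server)` is the clearer accessor.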
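--- /dev/null
+++ b/nixos/modules/services/system/cloud-init.nix
@@ -0,0 +1,152 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.services.cloud-init;
+path = with pkgs; [ cloud-init nettools utillinux e2fsprogs shadow dmidecode openssh ];
+configFile = pkgs.writeText "cloud-init.cfg" ''
+users:
+- root
+
+disable_root: false
+preserve_hostname: false
+
+cloud_init_modules:
+- migrator
+- seed_random
+- bootcmd
+- write-files
+- growpart
+- resizefs
+- set_hostname
+- update_hostname
+- update_etc_hosts
+- ca-certs
+- rsyslog
+- users-groups
+
+cloud_config_modules:
+- emit_upstart
+- disk_setup
+- mounts
+- ssh-import-id
+- set-passwords
+- timezone
+- disable-ec2-metadata
+- runcmd
+- ssh
+
+cloud_final_modules:
+- rightscale_userdata
+- scripts-vendor
+- scripts-per-once
+- scripts-per-boot
+- scripts-per-instance
+- scripts-user
+- ssh-authkey-fingerprints
+- keys-to-console
+- phone-home
+- final-message
+- power-state-change
+'';
+in
+{
+options = {
+
+services.cloud-init = {
+
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Enable the cloud-init service. This services reads
+configuration metadata in a cloud environment and configures
+the machine according to this metadata.
+
+This configuration is not completely compatible with the
+NixOS way of doing configuration, as configuration done by
+cloud-init might be overriden by a subsequent nixos-rebuild
+call. However, some parts of cloud-init fall outside of
+NixOS's responsibility, like filesystem resizing and ssh
+public key provisioning, and cloud-init is useful for that
+parts. Thus, be wary that using cloud-init in NixOS might
+come as some cost.
+'';
+};
+
+};
+
+};
+
+config = mkIf cfg.enable {
+
+systemd.services.cloud-init-local =
+{ description = "Initial cloud-init job (pre-networking)";
+wantedBy = [ "multi-user.target" ];
+wants = [ "local-fs.target" ];
+after = [ "local-fs.target" ];
+path = path;
+serviceConfig =
+{ Type = "oneshot";
+ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} init --local";
+RemainAfterExit = "yes";
+TimeoutSec = "0";
+StandardOutput = "journal+console";
+};
+};
+
+systemd.services.cloud-init =
+{ description = "Initial cloud-init job (metadata service crawler)";
+wantedBy = [ "multi-user.target" ];
+wants = [ "local-fs.target" "cloud-init-local.service" "sshd.service" "sshd-keygen.service" ];
+after = [ "local-fs.target" "network.target" "cloud-init-local.service" ];
+before = [ "sshd.service" "sshd-keygen.service" ];
+requires = [ "network.target "];
+path = path;
+serviceConfig =
+{ Type = "oneshot";
+ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} init";
+RemainAfterExit = "yes";
+TimeoutSec = "0";
+StandardOutput = "journal+console";
+};
+};
+
+systemd.services.cloud-config =
+{ description = "Apply the settings specified in cloud-config";
+wantedBy = [ "multi-user.target" ];
+wants = [ "network.target" ];
+after = [ "network.target" "syslog.target" "cloud-config.target" ];
+
+path = path;
+serviceConfig =
+{ Type = "oneshot";
+ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} modules --mode=config";
+RemainAfterExit = "yes";
+TimeoutSec = "0";
+StandardOutput = "journal+console";
+};
+};
+
+systemd.services.cloud-final =
+{ description = "Execute cloud user/final scripts";
+wantedBy = [ "multi-user.target" ];
+wants = [ "network.target" ];
+after = [ "network.target" "syslog.target" "cloud-config.service" "rc-local.service" ];
+requires = [ "cloud-config.target" ];
+path = path;
+serviceConfig =
+{ Type = "oneshot";
+ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} modules --mode=final";
+RemainAfterExit = "yes";
+TimeoutSec = "0";
+StandardOutput = "journal+console";
+};
+};
+
+systemd.targets.cloud-config =
+{ description = "Cloud-config availability";
+requires = [ "cloud-init-local.service" "cloud-init.service" ];
+};
+};
+}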
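Review bot: `requires = [ "network.target "];` in `systemd.services.cloud-init` has a trailing space inside the unit name, so the generated `Requires=` refers to a unit that does not exist and the intended dependency on the network is lost (or rejected by systemd) instead of pulling `network.target` in; it should read `requires = [ "network.target" ];`. Separately, the embedded `cloud-init.cfg` combines `disable_root: false` with `root` as the only listed user, which reads as "any SSH keys delivered by the metadata service are installed directly on the root account"; that is a legitimate choice for a cloud image but deserves a comment next to the config so nobody assumes a separate login user is created, e.g. `# Keys from the metadata service are installed for root; set disable_root: true if a dedicated login user is provisioned.`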
@ -98,9 +98,6 @@ let
|
||||
# Authorization: is the user allowed access?
|
||||
"authz_user" "authz_groupfile" "authz_host"
|
||||
|
||||
# For compatibility with old configurations, the new module mod_access_compat is provided.
|
||||
(if version24 then "access_compat" else "")
|
||||
|
||||
# Other modules.
|
||||
"ext_filter" "include" "log_config" "env" "mime_magic"
|
||||
"cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
|
||||
@ -115,6 +112,8 @@ let
|
||||
"cache" "cache_disk"
|
||||
"slotmem_shm"
|
||||
"socache_shmcb"
|
||||
# For compatibility with old configurations, the new module mod_access_compat is provided.
|
||||
"access_compat"
|
||||
]
|
||||
++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
|
||||
++ optional enableSSL "ssl"
|
||||
|
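Review bot: `access_compat` is now loaded unconditionally in the module list instead of only under `version24`, so legacy `Order`/`Allow`/`Deny` directives in virtual-host configuration keep taking effect on 2.4 without any signal to the administrator. Apache's 2.4 upgrade notes discourage mixing those with the new `Require`-based authorization because the combined evaluation is easy to misjudge; a comment stating why the module stays and what new configuration should use would help, e.g. `# Keeps old Order/Allow/Deny directives working on 2.4; new configuration should use Require.`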
@ -23,6 +23,7 @@ in
|
||||
services.nginx = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = "
|
||||
Enable the nginx Web Server.
|
||||
";
|
||||
@ -70,11 +71,13 @@ in
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "nginx";
|
||||
description = "User account under which nginx runs.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "nginx";
|
||||
description = "Group account under which nginx runs.";
|
||||
};
|
||||
|
@ -152,7 +152,9 @@ in
|
||||
xorg.xauth # used by kdesu
|
||||
pkgs.shared_desktop_ontologies # used by nepomuk
|
||||
pkgs.strigi # used by nepomuk
|
||||
pkgs.kde4.akonadi
|
||||
pkgs.mysql # used by akonadi
|
||||
pkgs.kde4.kdepim_runtime
|
||||
]
|
||||
++ lib.optional config.hardware.pulseaudio.enable pkgs.kde4.kmix # Perhaps this should always be enabled
|
||||
++ lib.optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
|
||||
|
@ -23,6 +23,17 @@ let
|
||||
pathsToLink = [ "/" ];
|
||||
};
|
||||
|
||||
fontconfig = config.fonts.fontconfig;
|
||||
xresourcesXft = pkgs.writeText "Xresources-Xft" ''
|
||||
${optionalString (fontconfig.dpi != 0) ''Xft.dpi: ${fontconfig.dpi}''}
|
||||
Xft.antialias: ${if fontconfig.antialias then "1" else "0"}
|
||||
Xft.rgba: ${fontconfig.subpixel.rgba}
|
||||
Xft.lcdfilter: lcd${fontconfig.subpixel.lcdfilter}
|
||||
Xft.hinting: ${if fontconfig.hinting.enable then "1" else "0"}
|
||||
Xft.autohint: ${if fontconfig.hinting.autohint then "1" else "0"}
|
||||
Xft.hintstyle: hint${fontconfig.hinting.style}
|
||||
'';
|
||||
|
||||
# file provided by services.xserver.displayManager.session.script
|
||||
xsession = wm: dm: pkgs.writeScript "xsession"
|
||||
''
|
||||
@ -79,6 +90,7 @@ let
|
||||
''}
|
||||
|
||||
# Load X defaults.
|
||||
${xorg.xrdb}/bin/xrdb -merge ${xresourcesXft}
|
||||
if test -e ~/.Xresources; then
|
||||
${xorg.xrdb}/bin/xrdb -merge ~/.Xresources
|
||||
elif test -e ~/.Xdefaults; then
|
||||
@ -177,7 +189,7 @@ in
|
||||
xserverArgs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = [ "-ac" "-logverbose" "-nolisten tcp" ];
|
||||
example = [ "-ac" "-logverbose" "-verbose" "-nolisten tcp" ];
|
||||
description = "List of arguments for the X server.";
|
||||
apply = toString;
|
||||
};
|
||||
|
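Review bot: `Xft.dpi: ${fontconfig.dpi}` in the new `xresourcesXft` snippet interpolates `fontconfig.dpi` directly; the guard `fontconfig.dpi != 0` on the same line suggests the option is an integer, and Nix refuses to coerce an integer inside a string, so the first configuration that sets a DPI would fail evaluation rather than apply it. Use `${toString fontconfig.dpi}`. The `xrdb -merge ${xresourcesXft}` line is correctly placed before the merge of `~/.Xresources` so user settings win; a comment such as `# Merged first so ~/.Xresources can override these values.` would make that ordering deliberate for the next reader.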
@ -5,6 +5,7 @@ with lib;
|
||||
let
|
||||
|
||||
cfg = config.services.xserver.windowManager.awesome;
|
||||
awesome = cfg.package;
|
||||
|
||||
in
|
||||
|
||||
@ -14,9 +15,24 @@ in
|
||||
|
||||
options = {
|
||||
|
||||
services.xserver.windowManager.awesome.enable = mkOption {
|
||||
default = false;
|
||||
description = "Enable the Awesome window manager.";
|
||||
services.xserver.windowManager.awesome = {
|
||||
|
||||
enable = mkEnableOption "Awesome window manager";
|
||||
|
||||
luaModules = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.package;
|
||||
description = "List of lua packages available for being used in the Awesome configuration.";
|
||||
example = literalExample "[ luaPackages.oocairo ]";
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
default = null;
|
||||
type = types.nullOr types.package;
|
||||
description = "Package to use for running the Awesome WM.";
|
||||
apply = pkg: if pkg == null then pkgs.awesome else pkg;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
@ -30,12 +46,17 @@ in
|
||||
{ name = "awesome";
|
||||
start =
|
||||
''
|
||||
${pkgs.awesome}/bin/awesome &
|
||||
${concatMapStrings (pkg: ''
|
||||
export LUA_CPATH=$LUA_CPATH''${LUA_CPATH:+;}${pkg}/lib/lua/${awesome.lua.luaversion}/?.so
|
||||
export LUA_PATH=$LUA_PATH''${LUA_PATH:+;}${pkg}/lib/lua/${awesome.lua.luaversion}/?.lua
|
||||
'') cfg.luaModules}
|
||||
|
||||
${awesome}/bin/awesome &
|
||||
waitPID=$!
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.awesome ];
|
||||
environment.systemPackages = [ awesome ];
|
||||
|
||||
};
|
||||
|
||||
|
@ -483,8 +483,6 @@ in
|
||||
|
||||
services.xserver.displayManager.xserverArgs =
|
||||
[ "-ac"
|
||||
"-logverbose"
|
||||
"-verbose"
|
||||
"-terminate"
|
||||
"-logfile" "/var/log/X.${toString cfg.display}.log"
|
||||
"-config ${configFile}"
|
||||
|
@ -181,7 +181,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
|
||||
} elsif ($unit =~ /\.mount$/) {
|
||||
# Reload the changed mount unit to force a remount.
|
||||
write_file($reloadListFile, { append => 1 }, "$unit\n");
|
||||
} elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/) {
|
||||
} elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/ || $unit =~ /\.slice$/) {
|
||||
# FIXME: do something?
|
||||
} else {
|
||||
my $unitInfo = parseUnit($newUnitFile);
|
||||
|
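Review bot: Changed `.slice` units now share the silent FIXME branch with sockets and paths, so a modification to a slice's resource controls is neither reloaded nor mentioned during activation. Until the FIXME is resolved, a diagnostic in that branch keeps the omission visible, e.g. `print STDERR "warning: not reloading changed unit $unit\n";` (assuming the script's other messages go to STDERR). The enclosing `while` loop over `%$activePrev` starts before this hunk.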
@ -88,7 +88,7 @@ let
|
||||
|
||||
failed = map (x: x.message) (filter (x: !x.assertion) config.assertions);
|
||||
|
||||
showWarnings = res: fold (w: x: builtins.trace "^[[1;31mwarning: ${w}^[[0m" x) res config.warnings;
|
||||
showWarnings = res: fold (w: x: builtins.trace "[1;31mwarning: ${w}[0m" x) res config.warnings;
|
||||
|
||||
# Putting it all together. This builds a store path containing
|
||||
# symlinks to the various parts of the built configuration (the
|
||||
|
@ -203,7 +203,7 @@ in
|
||||
description = ''
|
||||
Unless enabled, encryption keys can be easily recovered by an attacker with physical
|
||||
access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port.
|
||||
More information: http://en.wikipedia.org/wiki/DMA_attack
|
||||
More information is available at <link xlink:href="http://en.wikipedia.org/wiki/DMA_attack"/>.
|
||||
|
||||
This option blacklists FireWire drivers, but doesn't remove them. You can manually
|
||||
load the drivers if you need to use a FireWire device, but don't forget to unload them!
|
||||
|
@ -56,9 +56,10 @@ echo
|
||||
|
||||
|
||||
# Mount special file systems.
|
||||
mkdir -p /etc
|
||||
mkdir -p /etc/udev
|
||||
touch /etc/fstab # to shut up mount
|
||||
touch /etc/mtab # to shut up mke2fs
|
||||
touch /etc/udev/hwdb.bin # to shut up udev
|
||||
touch /etc/initrd-release
|
||||
mkdir -p /proc
|
||||
mount -t proc proc /proc
|
||||
|
@ -240,8 +240,9 @@ in
|
||||
example = "/dev/sda3";
|
||||
description = ''
|
||||
Device for manual resume attempt during boot. This should be used primarily
|
||||
if you want to resume from file. Specify here the device where the file
|
||||
resides. You should also use <varname>boot.kernelParams</varname> to specify
|
||||
if you want to resume from file. If left empty, the swap partitions are used.
|
||||
Specify here the device where the file resides.
|
||||
You should also use <varname>boot.kernelParams</varname> to specify
|
||||
<literal><replaceable>resume_offset</replaceable></literal>.
|
||||
'';
|
||||
};
|
||||
@ -355,10 +356,17 @@ in
|
||||
|
||||
config = mkIf (!config.boot.isContainer) {
|
||||
|
||||
assertions = singleton
|
||||
assertions = [
|
||||
{ assertion = any (fs: fs.mountPoint == "/") (attrValues config.fileSystems);
|
||||
message = "The ‘fileSystems’ option does not specify your root file system.";
|
||||
};
|
||||
}
|
||||
{ assertion = let inherit (config.boot) resumeDevice; in
|
||||
resumeDevice == "" || builtins.substring 0 1 resumeDevice == "/";
|
||||
message = "boot.resumeDevice has to be an absolute path."
|
||||
+ " Old \"x:y\" style is no longer supported.";
|
||||
}
|
||||
];
|
||||
|
||||
|
||||
system.build.bootStage1 = bootStage1;
|
||||
system.build.initialRamdisk = initialRamdisk;
|
||||
|
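Review bot: The new resumeDevice assertion spells out a prefix test by hand on the `resumeDevice == "" || builtins.substring 0 1 resumeDevice == "/"` line; with lib already in scope (`any`, `attrValues` are used unqualified) `hasPrefix "/" resumeDevice` reads more directly and drops the magic `0 1`. The empty-string case is deliberately accepted and matches the updated option text in the first hunk, so a one-line comment on the assertion, `# "" means: fall back to the swap devices`, ties the two hunks together. The `config = mkIf (!config.boot.isContainer)` set this sits in continues past the hunk.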
@ -348,7 +348,8 @@ let
|
||||
[Service]
|
||||
${let env = cfg.globalEnvironment // def.environment;
|
||||
in concatMapStrings (n:
|
||||
let s = "Environment=\"${n}=${env.${n}}\"\n";
|
||||
let s = optionalString (env."${n}" != null)
|
||||
"Environment=\"${n}=${env.${n}}\"\n";
|
||||
in if stringLength s >= 2048 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env)}
|
||||
${if def.reloadIfChanged then ''
|
||||
X-ReloadIfChanged=true
|
||||
|
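Review bot: The two added lines access the same attribute in two different spellings, `env."${n}"` on the first and `env.${n}` on the second; pick one, e.g. `let s = optionalString (env.${n} != null)`. The null check also changes behaviour quietly: a null value (which `def.environment` can now contribute via the `//` merge) drops the `Environment=` line instead of failing evaluation on the string coercion, which deserves a comment such as `# a null value suppresses the Environment= line for ${n}`. The `[Service]` section generator this belongs to continues outside the hunk.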
@ -58,7 +58,7 @@ in
|
||||
|
||||
services.rpcbind.enable = true;
|
||||
|
||||
system.fsPackages = [ pkgs.nfsUtils ];
|
||||
system.fsPackages = [ pkgs.nfs-utils ];
|
||||
|
||||
boot.extraModprobeConfig = mkIf (cfg.lockdPort != null) ''
|
||||
options lockd nlm_udpport=${toString cfg.lockdPort} nlm_tcpport=${toString cfg.lockdPort}
|
||||
@ -71,7 +71,7 @@ in
|
||||
systemd.services.statd =
|
||||
{ description = "NFSv3 Network Status Monitor";
|
||||
|
||||
path = [ pkgs.nfsUtils pkgs.sysvtools pkgs.utillinux ];
|
||||
path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
|
||||
|
||||
wantedBy = [ "remote-fs-pre.target" ];
|
||||
before = [ "remote-fs-pre.target" ];
|
||||
@ -89,7 +89,7 @@ in
|
||||
|
||||
serviceConfig.Type = "forking";
|
||||
serviceConfig.ExecStart = ''
|
||||
@${pkgs.nfsUtils}/sbin/rpc.statd rpc.statd --no-notify \
|
||||
@${pkgs.nfs-utils}/sbin/rpc.statd rpc.statd --no-notify \
|
||||
${if cfg.statdPort != null then "-p ${toString statdPort}" else ""}
|
||||
'';
|
||||
serviceConfig.Restart = "always";
|
||||
@ -117,7 +117,7 @@ in
|
||||
'';
|
||||
|
||||
serviceConfig.Type = "forking";
|
||||
serviceConfig.ExecStart = "@${pkgs.nfsUtils}/sbin/rpc.idmapd rpc.idmapd -c ${idmapdConfFile}";
|
||||
serviceConfig.ExecStart = "@${pkgs.nfs-utils}/sbin/rpc.idmapd rpc.idmapd -c ${idmapdConfFile}";
|
||||
serviceConfig.Restart = "always";
|
||||
};
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
{ config, lib, pkgs, utils, ... }:
|
||||
|
||||
with lib;
|
||||
with utils;
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
@ -85,6 +85,12 @@ in
|
||||
optionalString (cfg.defaultGatewayWindowSize != null)
|
||||
"window ${cfg.defaultGatewayWindowSize}"} || true
|
||||
''}
|
||||
${optionalString (cfg.defaultGateway6 != null && cfg.defaultGateway6 != "") ''
|
||||
# FIXME: get rid of "|| true" (necessary to make it idempotent).
|
||||
ip -6 route add ::/0 via "${cfg.defaultGateway6}" ${
|
||||
optionalString (cfg.defaultGatewayWindowSize != null)
|
||||
"window ${cfg.defaultGatewayWindowSize}"} || true
|
||||
''}
|
||||
'';
|
||||
};
|
||||
|
||||
|
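Review bot: The IPv6 route block is a verbatim copy of the IPv4 block above it, including the `# FIXME: get rid of "|| true"` and the unconverted `"window ${cfg.defaultGatewayWindowSize}"` interpolation; if that option holds an integer, as its `example = 524288` in the option definition suggests, Nix cannot coerce it into a string and evaluation fails, so `toString cfg.defaultGatewayWindowSize` is the safe form in both places (the IPv4 line is context here, not part of the change). Since the blocks differ only in `ip -6` and the option name, a small helper taking the address family and gateway would stop the FIXME from multiplying. The swap of `with utils;` and `with lib;` in the first hunk has no comment; `# lib last so its names shadow utils' where they collide` would explain the ordering, hedged if that is not the reason.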
@ -1,7 +1,7 @@
|
||||
{ config, lib, pkgs, utils, ... }:
|
||||
|
||||
with lib;
|
||||
with utils;
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
@ -51,6 +51,8 @@ in
|
||||
DHCP = override (dhcpStr cfg.useDHCP);
|
||||
} // optionalAttrs (cfg.defaultGateway != null) {
|
||||
gateway = override [ cfg.defaultGateway ];
|
||||
} // optionalAttrs (cfg.defaultGateway6 != null) {
|
||||
gateway = override [ cfg.defaultGateway6 ];
|
||||
} // optionalAttrs (domains != [ ]) {
|
||||
domains = override domains;
|
||||
};
|
||||
|
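Review bot: The new `optionalAttrs (cfg.defaultGateway6 != null) { gateway = override [ cfg.defaultGateway6 ]; }` is merged with `//` after the IPv4 block that sets the same `gateway` key, so when both options are set the IPv4 gateway is silently replaced by the IPv6 one instead of both being configured. Build one list instead: `} // optionalAttrs (cfg.defaultGateway != null || cfg.defaultGateway6 != null) {` / `gateway = override (optional (cfg.defaultGateway != null) cfg.defaultGateway` / `++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6);`. Unlike the scripted backend in this commit, this branch also does not treat `""` as unset, which is worth aligning.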
@ -233,8 +233,12 @@ in
|
||||
The 32-bit host ID of the machine, formatted as 8 hexadecimal characters.
|
||||
|
||||
You should try to make this ID unique among your machines. You can
|
||||
generate a random 32-bit ID using the following command:
|
||||
generate a random 32-bit ID using the following commands:
|
||||
|
||||
<literal>cksum /etc/machine-id | while read c rest; do printf "%x" $c; done</literal>
|
||||
|
||||
(this derives it from the machine-id that systemd generates) or
|
||||
|
||||
<literal>head -c4 /dev/urandom | od -A none -t x4</literal>
|
||||
'';
|
||||
};
|
||||
@ -256,6 +260,15 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
networking.defaultGateway6 = mkOption {
|
||||
default = null;
|
||||
example = "2001:4d0:1e04:895::1";
|
||||
type = types.nullOr types.str;
|
||||
description = ''
|
||||
The default ipv6 gateway. It can be left empty if it is auto-detected through DHCP.
|
||||
'';
|
||||
};
|
||||
|
||||
networking.defaultGatewayWindowSize = mkOption {
|
||||
default = null;
|
||||
example = 524288;
|
||||
|
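Review bot: The description of the new `networking.defaultGateway6` option says it "can be left empty", but its default is `null` with type `nullOr str`, and the two backends touched by this commit disagree on what empty means: the scripted one skips both `null` and `""`, the systemd one only `null`. State which value means unset, e.g. `Leave it at null if the gateway is auto-detected through DHCP.`, or enforce it in the type. In the hostId text, `head -c4 /dev/urandom | od -A none -t x4` prints leading whitespace before the hex digits, which a reader pasting the output into the option will trip over; mention trimming it or append `| tr -d ' '`.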
@ -1,67 +1,19 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
|
||||
|
||||
in {
|
||||
# Create the tarball
|
||||
system.build.dockerImage = import ../../lib/make-system-tarball.nix {
|
||||
inherit (pkgs) stdenv perl xz pathsFromGraph;
|
||||
|
||||
contents = [];
|
||||
extraArgs = "--owner=0";
|
||||
storeContents = [
|
||||
{ object = config.system.build.toplevel + "/init";
|
||||
symlink = "/bin/init";
|
||||
}
|
||||
] ++ (pkgs2storeContents [ pkgs.stdenv ]);
|
||||
};
|
||||
{
|
||||
imports = [
|
||||
../profiles/container.nix
|
||||
];
|
||||
|
||||
boot.postBootCommands =
|
||||
''
|
||||
# After booting, register the contents of the Nix store in the Nix
|
||||
# database.
|
||||
if [ -f /nix-path-registration ]; then
|
||||
${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
|
||||
rm /nix-path-registration
|
||||
fi
|
||||
|
||||
# nixos-rebuild also requires a "system" profile and an
|
||||
# /etc/NIXOS tag.
|
||||
touch /etc/NIXOS
|
||||
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
|
||||
|
||||
# Set virtualisation to docker
|
||||
echo "docker" > /run/systemd/container
|
||||
echo "docker" > /run/systemd/container
|
||||
'';
|
||||
|
||||
|
||||
# Docker image config.
|
||||
imports = [
|
||||
../installer/cd-dvd/channel.nix
|
||||
../profiles/minimal.nix
|
||||
../profiles/clone-config.nix
|
||||
];
|
||||
|
||||
boot.isContainer = true;
|
||||
|
||||
# Iptables do not work in Docker.
|
||||
networking.firewall.enable = false;
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
# Socket activated ssh presents problem in Docker.
|
||||
services.openssh.startWhenNeeded = false;
|
||||
|
||||
# Allow the user to login as root without password.
|
||||
users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
|
||||
|
||||
# Some more help text.
|
||||
services.mingetty.helpLine =
|
||||
''
|
||||
|
||||
Log in as "root" with an empty password.
|
||||
'';
|
||||
}
|
||||
|
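--- a/nixos/modules/virtualisation/lxc-container.nix
+++ b/nixos/modules/virtualisation/lxc-container.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+imports = [
+../profiles/container.nix
+];
+
+# Allow the user to login as root without password.
+users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
+
+# Some more help text.
+services.mingetty.helpLine =
+''
+
+Log in as "root" with an empty password.
+'';
+
+# Containers should be light-weight, so start sshd on demand.
+services.openssh.enable = mkDefault true;
+services.openssh.startWhenNeeded = mkDefault true;
+
+# Allow ssh connections
+networking.firewall.allowedTCPPorts = [ 22 ];
+}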
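Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` is unconditional while `services.openssh.enable` just above is only `mkDefault true`, so a user who disables sshd in this profile still ends up with port 22 open; tie the two together with `networking.firewall.allowedTCPPorts = mkIf config.services.openssh.enable [ 22 ];` (`config` is already in the module's arguments). The empty root password two stanzas earlier is a console-login convenience for a freshly built image, and since sshd is enabled by default in the same file the comment above it should say that a real password or SSH keys are expected before the container is reachable from outside.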
@ -57,8 +57,7 @@ let
|
||||
-name ${vmName} \
|
||||
-m ${toString config.virtualisation.memorySize} \
|
||||
${optionalString (pkgs.stdenv.system == "x86_64-linux") "-cpu kvm64"} \
|
||||
-net nic,vlan=0,model=virtio \
|
||||
-net user,vlan=0''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} \
|
||||
${concatStringsSep " " config.virtualisation.qemu.networkingOptions} \
|
||||
-virtfs local,path=/nix/store,security_model=none,mount_tag=store \
|
||||
-virtfs local,path=$TMPDIR/xchg,security_model=none,mount_tag=xchg \
|
||||
-virtfs local,path=''${SHARED_DIR:-$TMPDIR/xchg},security_model=none,mount_tag=shared \
|
||||
@ -248,12 +247,31 @@ in
|
||||
description = "Primary IP address used in /etc/hosts.";
|
||||
};
|
||||
|
||||
virtualisation.qemu.options =
|
||||
mkOption {
|
||||
default = [];
|
||||
example = [ "-vga std" ];
|
||||
description = "Options passed to QEMU.";
|
||||
};
|
||||
virtualisation.qemu = {
|
||||
options =
|
||||
mkOption {
|
||||
default = [];
|
||||
example = [ "-vga std" ];
|
||||
description = "Options passed to QEMU.";
|
||||
};
|
||||
|
||||
networkingOptions =
|
||||
mkOption {
|
||||
default = [
|
||||
"-net nic,vlan=0,model=virtio"
|
||||
"-net user,vlan=0\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
|
||||
];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
Networking-related command-line options that should be passed to qemu.
|
||||
The default is to use userspace networking (slirp).
|
||||
|
||||
If you override this option, be adviced to keep
|
||||
''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} (as seen in the default)
|
||||
to keep the default runtime behaviour.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation.useBootLoader =
|
||||
mkOption {
|
||||
|
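Review bot: The `networkingOptions` description has a typo, "be adviced" should be "be advised", and its last sentence says "to keep" twice. More importantly it never states that each element is spliced into the QEMU start script unquoted (`${concatStringsSep " " config.virtualisation.qemu.networkingOptions}` in the first hunk), so word splitting and shell expansion apply to every entry, which is exactly why the default can carry `''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}`; add a sentence like `Each entry is interpolated into the QEMU start script without quoting, so it is subject to shell expansion.` The `options` attribute that moved into the new `virtualisation.qemu` set has no `type` while its new sibling does; giving it `types.listOf types.str` would make the pair consistent.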
@ -48,6 +48,7 @@ in rec {
|
||||
(all nixos.ova)
|
||||
|
||||
#(all nixos.tests.containers)
|
||||
(all nixos.tests.chromium)
|
||||
(all nixos.tests.firefox)
|
||||
(all nixos.tests.firewall)
|
||||
(all nixos.tests.gnome3)
|
||||
|
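Review bot: `#(all nixos.tests.containers)` is a commented-out test with no explanation, which is how disabled tests get forgotten. Either record why and where to follow up, `# FIXME: containers test disabled — <reason or issue link>`, or drop the line.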
@ -213,6 +213,12 @@ in rec {
|
||||
inherit system;
|
||||
});
|
||||
|
||||
# Provide container tarball for lxc, libvirt-lxc, docker-lxc, ...
|
||||
containerTarball = forAllSystems (system: makeSystemTarball {
|
||||
module = ./modules/virtualisation/lxc-container.nix;
|
||||
inherit system;
|
||||
});
|
||||
|
||||
/*
|
||||
system_tarball_fuloong2f =
|
||||
assert builtins.currentSystem == "mips64-linux";
|
||||
@ -244,6 +250,8 @@ in rec {
|
||||
tests.etcd = scrubDrv (import tests/etcd.nix { system = "x86_64-linux"; });
|
||||
tests.firefox = callTest tests/firefox.nix {};
|
||||
tests.firewall = callTest tests/firewall.nix {};
|
||||
tests.fleet = scrubDrv (import tests/fleet.nix { system = "x86_64-linux"; });
|
||||
tests.gitlab = callTest tests/gitlab.nix {};
|
||||
tests.gnome3 = callTest tests/gnome3.nix {};
|
||||
tests.installer.grub1 = forAllSystems (system: scrubDrv (import tests/installer.nix { inherit system; }).grub1.test);
|
||||
tests.installer.lvm = forAllSystems (system: scrubDrv (import tests/installer.nix { inherit system; }).lvm.test);
|
||||
@ -299,6 +307,7 @@ in rec {
|
||||
tests.simple = callTest tests/simple.nix {};
|
||||
tests.tomcat = callTest tests/tomcat.nix {};
|
||||
tests.udisks2 = callTest tests/udisks2.nix {};
|
||||
tests.virtualbox = callTest tests/virtualbox.nix {};
|
||||
tests.xfce = callTest tests/xfce.nix {};
|
||||
|
||||
|
||||
|
@ -81,7 +81,7 @@ in
|
||||
# Create the torrent.
|
||||
$tracker->succeed("mkdir /tmp/data");
|
||||
$tracker->succeed("cp ${file} /tmp/data/test.tar.bz2");
|
||||
$tracker->succeed("transmission-create /tmp/data/test.tar.bz2 -t http://${(pkgs.lib.head nodes.tracker.config.networking.interfaces.eth1.ip4).address}:6969/announce -o /tmp/test.torrent");
|
||||
$tracker->succeed("transmission-create /tmp/data/test.tar.bz2 -p -t http://${(pkgs.lib.head nodes.tracker.config.networking.interfaces.eth1.ip4).address}:6969/announce -o /tmp/test.torrent");
|
||||
$tracker->succeed("chmod 644 /tmp/test.torrent");
|
||||
|
||||
# Start the tracker. !!! use a less crappy tracker
|
||||
|
@ -43,11 +43,6 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec {
|
||||
TMPDIR=/tmp/xchg/bigtmp
|
||||
export TMPDIR
|
||||
|
||||
mkPythonPath() {
|
||||
nix-store -qR "$@" \
|
||||
| sed -e 's|$|/lib/${pkgs.python.libPrefix}/site-packages|'
|
||||
}
|
||||
|
||||
cp -Rd "${blivet.src}/tests" .
|
||||
|
||||
# Skip SELinux tests
|
||||
@ -73,8 +68,11 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec {
|
||||
-e 's|_STORE_FILE_PATH = .*|_STORE_FILE_PATH = tempfile.gettempdir()|' \
|
||||
tests/loopbackedtestcase.py
|
||||
|
||||
PYTHONPATH=".:$(mkPythonPath "${blivet}" "${mock}" | paste -sd :)" \
|
||||
python "${pythonTestRunner}"
|
||||
PYTHONPATH=".:$(< "${pkgs.stdenv.mkDerivation {
|
||||
name = "blivet-pythonpath";
|
||||
buildInputs = [ blivet mock ];
|
||||
buildCommand = "echo \"$PYTHONPATH\" > \"$out\"";
|
||||
}}")" python "${pythonTestRunner}"
|
||||
'';
|
||||
|
||||
testScript = ''
|
||||
|
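Review bot: The replacement for `mkPythonPath` depends on the build environment of the throwaway derivation already carrying a `$PYTHONPATH` derived from `buildInputs = [ blivet mock ]`, but nothing at the call site says so; a reader seeing `buildCommand = "echo \"$PYTHONPATH\" > \"$out\""` has to know the Python setup hook to understand why the file is non-empty. Put a comment above the `PYTHONPATH=".:$(< "${pkgs.stdenv.mkDerivation {` line such as `# helper derivation: its build env has the PYTHONPATH the python setup hook builds from buildInputs — confirm hook is the source`, and note that `$(< file)` is a bash-ism the test shell must support.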
@ -43,7 +43,7 @@ import ./make-test.nix {
|
||||
$machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
|
||||
|
||||
# Make sure we have a NixOS tree (required by ‘nixos-container create’).
|
||||
$machine->succeed("nix-env -qa -A nixos.pkgs.hello >&2");
|
||||
$machine->succeed("PAGER=cat nix-env -qa -A nixos.pkgs.hello >&2");
|
||||
|
||||
# Create some containers imperatively.
|
||||
my $id1 = $machine->succeed("nixos-container create foo --ensure-unique-name");
|
||||
|
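--- a/nixos/tests/fleet.nix
+++ b/nixos/tests/fleet.nix
@@ -0,0 +1,73 @@
+import ./make-test.nix rec {
+name = "simple";
+
+nodes = {
+node1 =
+{ config, pkgs, ... }:
+{
+services = {
+etcd = {
+enable = true;
+listenPeerUrls = ["http://0.0.0.0:7001"];
+initialAdvertisePeerUrls = ["http://node1:7001"];
+initialCluster = ["node1=http://node1:7001" "node2=http://node2:7001"];
+};
+};
+
+services.fleet = {
+enable = true;
+metadata.name = "node1";
+};
+
+networking.firewall.allowedTCPPorts = [ 7001 ];
+};
+
+node2 =
+{ config, pkgs, ... }:
+{
+services = {
+etcd = {
+enable = true;
+listenPeerUrls = ["http://0.0.0.0:7001"];
+initialAdvertisePeerUrls = ["http://node2:7001"];
+initialCluster = ["node1=http://node1:7001" "node2=http://node2:7001"];
+};
+};
+
+services.fleet = {
+enable = true;
+metadata.name = "node2";
+};
+
+networking.firewall.allowedTCPPorts = [ 7001 ];
+};
+};
+
+service = builtins.toFile "hello.service" ''
+[Unit]
+Description=Hello World
+
+[Service]
+ExecStart=/bin/sh -c "while true; do echo \"Hello, world\"; /var/run/current-system/sw/bin/sleep 1; done"
+
+[X-Fleet]
+MachineMetadata=name=node2
+'';
+
+testScript =
+''
+startAll;
+$node1->waitForUnit("fleet.service");
+$node2->waitForUnit("fleet.service");
+
+$node2->waitUntilSucceeds("fleetctl list-machines | grep node1");
+$node1->waitUntilSucceeds("fleetctl list-machines | grep node2");
+
+$node1->succeed("cp ${service} hello.service && fleetctl submit hello.service");
+$node1->succeed("fleetctl list-unit-files | grep hello");
+$node1->succeed("fleetctl start hello.service");
+$node1->waitUntilSucceeds("fleetctl list-units | grep running");
+$node1->succeed("fleetctl stop hello.service");
+$node1->succeed("fleetctl destroy hello.service");
+'';
+}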
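Review bot: `name = "simple";` on the second line looks copied from another test; this file is registered as `tests.fleet` in release.nix in the same commit, so it should be `name = "fleet";`, otherwise the test derivation and its logs carry the wrong label. Both etcd nodes peer over plain `http://0.0.0.0:7001` with that port opened in the firewall, which is fine on the isolated test VLAN but should be stated in a comment (`# unauthenticated peer traffic: test network only`) so the node definitions are not lifted into a real deployment unchanged.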
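--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@@ -0,0 +1,21 @@
+# This test runs gitlab and checks if it works
+
+import ./make-test.nix {
+name = "gitlab";
+
+nodes = {
+gitlab = { config, pkgs, ... }: {
+virtualisation.memorySize = 768;
+services.gitlab.enable = true;
+services.gitlab.databasePassword = "gitlab";
+systemd.services.gitlab.serviceConfig.TimeoutStartSec = "10min";
+};
+};
+
+testScript = ''
+$gitlab->start();
+$gitlab->waitForUnit("gitlab.service");
+$gitlab->waitForUnit("gitlab-sidekiq.service");
+$gitlab->waitUntilSucceeds("curl http://localhost:8080/users/sign_in");
+'';
+}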
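Review bot: `waitUntilSucceeds("curl http://localhost:8080/users/sign_in")` only checks curl's exit status, and curl exits 0 on an HTTP 500 or 502 response, so the test passes as soon as anything answers on 8080 even if GitLab itself is broken; use `curl --fail http://localhost:8080/users/sign_in` as containers.nix does in this same commit. The header comment could also note that `databasePassword = "gitlab"` is a throwaway value for the test VM so it is not mistaken for a recommended setting.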
@ -29,6 +29,10 @@ let
|
||||
pkgs.unionfs-fuse
|
||||
pkgs.gummiboot
|
||||
];
|
||||
|
||||
# Don't use https://cache.nixos.org since the fake
|
||||
# cache.nixos.org doesn't do https.
|
||||
nix.binaryCaches = [ http://cache.nixos.org/ ];
|
||||
}
|
||||
];
|
||||
}).config.system.build.isoImage;
|
||||
@ -38,7 +42,7 @@ let
|
||||
makeConfig = { testChannel, grubVersion, grubDevice, grubIdentifier
|
||||
, readOnly ? true, forceGrubReinstallCount ? 0 }:
|
||||
pkgs.writeText "configuration.nix" ''
|
||||
{ config, pkgs, modulesPath, ... }:
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{ imports =
|
||||
[ ./hardware-configuration.nix
|
||||
@ -58,9 +62,9 @@ let
|
||||
|
||||
${optionalString (!readOnly) "nix.readOnlyStore = false;"}
|
||||
|
||||
swapDevices = mkOverride 0 [ ];
|
||||
|
||||
environment.systemPackages = [ ${optionalString testChannel "pkgs.rlwrap"} ];
|
||||
|
||||
nix.binaryCaches = [ http://cache.nixos.org/ ];
|
||||
}
|
||||
'';
|
||||
|
||||
@ -68,7 +72,7 @@ let
|
||||
# Configuration of a web server that simulates the Nixpkgs channel
|
||||
# distribution server.
|
||||
webserver =
|
||||
{ config, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{ services.httpd.enable = true;
|
||||
services.httpd.adminAddr = "foo@example.org";
|
||||
@ -187,8 +191,9 @@ let
|
||||
$machine->succeed("test -e /boot/grub");
|
||||
|
||||
# Did the swap device get activated?
|
||||
$machine->waitForUnit("swap.target");
|
||||
$machine->succeed("cat /proc/swaps | grep -q /dev");
|
||||
# uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved
|
||||
#$machine->waitForUnit("swap.target");
|
||||
$machine->waitUntilSucceeds("cat /proc/swaps | grep -q /dev");
|
||||
|
||||
# Check whether the channel works.
|
||||
$machine->succeed("nix-env -i coreutils >&2");
|
||||
|
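Review bot: The generated configuration.nix now takes `lib` in its argument set, yet the `swapDevices = mkOverride 0 [ ];` line in the same hunk still calls `mkOverride` unqualified; unless the generated file has a `with lib;` outside this hunk, that is an undefined variable on the installed system, so `swapDevices = lib.mkOverride 0 [ ];` is the safe spelling. The `nix.binaryCaches = [ http://cache.nixos.org/ ];` line in the generated config lacks the explanation the same line carries in the first hunk; repeat `# the fake cache.nixos.org doesn't do https` there so nobody later "fixes" it to https. The `makeConfig` body continues beyond the hunk.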
@ -45,10 +45,10 @@ import ./make-test.nix rec {
|
||||
|
||||
nodes = {
|
||||
master =
|
||||
{ config, pkgs, nodes, ... }:
|
||||
{ config, pkgs, lib, nodes, ... }:
|
||||
{
|
||||
virtualisation.memorySize = 512;
|
||||
virtualisation.kubernetes = {
|
||||
virtualisation.memorySize = 768;
|
||||
services.kubernetes = {
|
||||
roles = ["master" "node"];
|
||||
controllerManager.machines = ["master" "node"];
|
||||
kubelet.extraOpts = "-network_container_image=master:5000/pause";
|
||||
@ -75,6 +75,7 @@ import ./make-test.nix rec {
|
||||
ipAddress = "10.10.0.1";
|
||||
prefixLength = 24;
|
||||
};
|
||||
eth2.ip4 = lib.mkOverride 0 [ ];
|
||||
};
|
||||
networking.localCommands = ''
|
||||
ip route add 10.10.0.0/16 dev cbr0
|
||||
@ -89,9 +90,9 @@ import ./make-test.nix rec {
|
||||
};
|
||||
|
||||
node =
|
||||
{ config, pkgs, nodes, ... }:
|
||||
{ config, pkgs, lib, nodes, ... }:
|
||||
{
|
||||
virtualisation.kubernetes = {
|
||||
services.kubernetes = {
|
||||
roles = ["node"];
|
||||
kubelet.extraOpts = "-network_container_image=master:5000/pause";
|
||||
verbose = true;
|
||||
@ -112,6 +113,7 @@ import ./make-test.nix rec {
|
||||
ipAddress = "10.10.1.1";
|
||||
prefixLength = 24;
|
||||
};
|
||||
eth2.ip4 = lib.mkOverride 0 [ ];
|
||||
};
|
||||
networking.localCommands = ''
|
||||
ip route add 10.10.0.0/16 dev cbr0
|
||||
|
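Review bot: `eth2.ip4 = lib.mkOverride 0 [ ];` is added to both the master and node interface blocks as a priority-0 override with no comment saying which default it is beating; a reader has to guess that the test driver assigns eth2 an address. Add `# priority 0: clear the address the test framework presumably assigns to eth2 — confirm which module sets it` above each occurrence.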