Merge branch 'master' into x-updates

modules/installer/tools/nixos-rebuild.sh

@@ -141,7 +141,7 @@ fi
 if nixos=$(nix-instantiate --find-file nixos "${extraBuildFlags[@]}"); then
     suffix=$(@shell@ $nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}")
     if [ -n "$suffix" ]; then
-        echo -n "$suffix" > "$nixos/.version-suffix"
+        echo -n "$suffix" > "$nixos/.version-suffix" || true
     fi
 fi
 

modules/module-list.nix

@@ -189,6 +189,7 @@
   ./services/web-servers/apache-httpd/default.nix
   ./services/web-servers/jboss/default.nix
   ./services/web-servers/lighttpd/default.nix
+  ./services/web-servers/lighttpd/cgit.nix
   ./services/web-servers/lighttpd/gitweb.nix
   ./services/web-servers/nginx/default.nix
   ./services/web-servers/tomcat.nix

modules/services/misc/disnix.nix

@@ -119,12 +119,13 @@ in
     jobs = {
       disnix =
         { description = "Disnix server";
-
-          startOn = "started dbus"
-          + optionalString config.services.httpd.enable " and started httpd"
-          + optionalString config.services.mysql.enable " and started mysql"
-          + optionalString config.services.tomcat.enable " and started tomcat"
-          + optionalString config.services.svnserve.enable " and started svnserve";
+        
+          wantedBy = [ "multi-user.target" ];
+          after = [ "dbus.service" ]
+          ++ optional config.services.httpd.enable "httpd.service"
+          ++ optional config.services.mysql.enable "mysql.service"
+          ++ optional config.services.tomcat.enable "tomcat.service"
+          ++ optional config.services.svnserve.enable "svnserve.service";
 
           restartIfChanged = false;
         

modules/services/networking/openvpn.nix

@@ -49,7 +49,7 @@ let
     in {
       description = "OpenVPN instance ‘${name}’";
 
-      wantedBy = optional cfg.autoStart [ "multi-user.target" ];
+      wantedBy = optional cfg.autoStart "multi-user.target";
       after = [ "network-interfaces.target" ];
 
       path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];

modules/services/scheduling/atd.nix

@@ -17,7 +17,7 @@ in
   options = {
 
     services.atd.enable = mkOption {
-      default = true;
+      default = false;
       description = ''
         Whether to enable the `at' daemon, a command scheduler.
       '';

modules/services/security/tor.nix

@@ -135,7 +135,9 @@ in
 
             A bridge relay can't be an exit relay.
 
-            You need to set enableRelay to true for this option to take effect.
+            You need to set relay.enable to true for this option to take effect.
+
+            The bridge is set up with an obfuscated transport proxy.
 
             See https://www.torproject.org/bridges.html.en for more info.
           '';
@@ -278,7 +280,10 @@ in
         ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
         ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
         ${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"}
-        ${if cfg.relay.isBridge then "BridgeRelay 1" else ""}
+        ${if cfg.relay.isBridge then ''
+          BridgeRelay 1
+          ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
+        '' else ""}
       '';
 
       services.tor.client.privoxy.config = ''

modules/services/torrent/transmission.nix

@@ -89,6 +89,11 @@ in
         description = "TCP port number to run the RPC/web interface.";
       };
 
+      apparmor = mkOption {
+        type = types.uniq types.bool;
+        default = true;
+        description = "Generate apparmor profile for transmission-daemon.";
+      };
     };
 
   };
@@ -99,13 +104,15 @@ in
 
     systemd.services.transmission = {
       description = "Transmission BitTorrent Daemon";
-      after = [ "network.target" ];
+      after = [ "network.target" ] ++ optional (config.security.apparmor.enable && cfg.apparmor) "apparmor.service";
+      requires = mkIf (config.security.apparmor.enable && cfg.apparmor) [ "apparmor.service" ];
       wantedBy = [ "multi-user.target" ];
+
       # 1) Only the "transmission" user and group have access to torrents.
       # 2) Optionally update/force specific fields into the configuration file.
       serviceConfig.ExecStartPre =
-        if config.services.transmission.settings != {} then ''
-          ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs config.services.transmission.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
+        if cfg.settings != {} then ''
+          ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs cfg.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
         ''
         else ''
           ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir}"
@@ -129,6 +136,37 @@ in
 
     users.extraGroups.transmission = {};
 
+    # AppArmor profile
+    security.apparmor.profiles = mkIf (config.security.apparmor.enable && cfg.apparmor) [
+      (pkgs.writeText "apparmor-transmission-daemon" ''
+        #include <tunables/global>
+
+        ${pkgs.transmission}/bin/transmission-daemon {
+          #include <abstractions/base>
+          #include <abstractions/nameservice>
+
+          ${pkgs.glibc}/lib/*.so             mr,
+          ${pkgs.libevent}/lib/libevent*.so* mr,
+          ${pkgs.curl}/lib/libcurl*.so*      mr,
+          ${pkgs.openssl}/lib/libssl*.so*    mr,
+          ${pkgs.openssl}/lib/libcrypto*.so* mr,
+          ${pkgs.zlib}/lib/libz*.so*         mr,
+          ${pkgs.libssh2}/lib/libssh2*.so*   mr,
+
+          @{PROC}/sys/kernel/random/uuid   r,
+          @{PROC}/sys/vm/overcommit_memory r,
+
+          ${pkgs.transmission}/share/transmission/** r,
+
+          owner ${settingsDir}/** rw,
+
+          ${cfg.settings.download-dir}/** rw,
+          ${optionalString cfg.settings.incomplete-dir-enabled ''
+            ${cfg.settings.incomplete-dir}/** rw,
+          ''}
+        }
+      '')
+    ];
   };
 
 }

modules/services/web-servers/lighttpd/cgit.nix

@@ -0,0 +1,71 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+  cfg = config.services.lighttpd.cgit;
+  configFile = pkgs.writeText "cgitrc"
+    ''
+      ${cfg.configText}
+    '';
+in
+{
+
+  options.services.lighttpd.cgit = {
+
+    enable = mkOption {
+      default = false;
+      type = types.uniq types.bool;
+      description = ''
+        If true, enable cgit (fast web interface for git repositories) as a
+        sub-service in lighttpd. cgit will be accessible at
+        http://yourserver/cgit
+      '';
+    };
+
+    configText = mkOption {
+      default = "";
+      example = ''
+        cache-size=1000
+        scan-path=/srv/git
+      '';
+      type = types.string;
+      description = ''
+        Verbatim contents of the cgit runtime configuration file. Documentation
+        (with cgitrc example file) is available in "man cgitrc". Or online:
+        http://git.zx2c4.com/cgit/tree/cgitrc.5.txt
+      '';
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    # make the cgitrc manpage available
+    environment.systemPackages = [ pkgs.cgit ];
+
+    services.lighttpd.extraConfig = ''
+      server.modules += (
+        "mod_cgi",
+        "mod_alias",
+        "mod_setenv"
+      )
+
+      $HTTP["url"] =~ "^/cgit" {
+          cgi.assign = (
+              "cgit.cgi" => "${pkgs.cgit}/cgit/cgit.cgi"
+          )
+          alias.url = (
+              "/cgit.css" => "${pkgs.cgit}/cgit/cgit.css",
+              "/cgit.png" => "${pkgs.cgit}/cgit/cgit.png",
+              "/cgit"     => "${pkgs.cgit}/cgit/cgit.cgi"
+          )
+          setenv.add-environment = (
+              "CGIT_CONFIG" => "${configFile}"
+          )
+      }
+    '';
+
+  };
+
+}

modules/services/web-servers/lighttpd/default.nix

@@ -131,6 +131,12 @@ in
       description = "Lighttpd Web Server";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        ${if cfg.cgit.enable then ''
+          mkdir -p /var/cache/cgit
+          chown lighttpd:lighttpd /var/cache/cgit
+        '' else ""}
+      '';
       serviceConfig.ExecStart = "${pkgs.lighttpd}/sbin/lighttpd -D -f ${configFile}";
       # SIGINT => graceful shutdown
       serviceConfig.KillSignal = "SIGINT";

modules/services/web-servers/lighttpd/gitweb.nix

@@ -7,7 +7,9 @@ let
   gitwebConfigFile = pkgs.writeText "gitweb.conf" ''
     # path to git projects (<project>.git)
     $projectroot = "${cfg.projectroot}";
+    ${cfg.extraConfig}
   '';
+
 in
 {
 
@@ -30,6 +32,14 @@ in
       '';
     };
 
+    extraConfig = mkOption {
+      default = "";
+      type = types.uniq types.string;
+      description = ''
+        Verbatim configuration text appended to the generated gitweb.conf file.
+      '';
+    };
+
   };
 
   config = mkIf cfg.enable {

modules/system/boot/loader/grub/grub.nix

@@ -6,7 +6,14 @@ let
 
   cfg = config.boot.loader.grub;
 
-  grub = if cfg.version == 1 then pkgs.grub else pkgs.grub2;
+  realGrub = if cfg.version == 1 then pkgs.grub else pkgs.grub2;
+
+  grub =
+    # Don't include GRUB if we're only generating a GRUB menu (e.g.,
+    # in EC2 instances).
+    if cfg.devices == ["nodev"]
+    then null
+    else realGrub;
 
   f = x: if x == null then "" else "" + x;
 
@@ -14,8 +21,8 @@ let
     { splashImage = f config.boot.loader.grub.splashImage;
       grub = f grub;
       shell = "${pkgs.stdenv.shell}";
-      fullVersion = (builtins.parseDrvName config.system.build.grub.name).version;
-      inherit (config.boot.loader.grub)
+      fullVersion = (builtins.parseDrvName realGrub.name).version;
+      inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries
         extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout
         default devices;
@@ -141,7 +148,7 @@ in
 
       splashImage = mkOption {
         default =
-          if config.boot.loader.grub.version == 1
+          if cfg.version == 1
           then pkgs.fetchurl {
             url = http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz;
             sha256 = "14kqdx2lfqvh40h6fjjzqgff1mwk74dmbjvmqphi6azzra7z8d59";
@@ -196,7 +203,7 @@ in
 
   ###### implementation
 
-  config = mkIf config.boot.loader.grub.enable {
+  config = mkIf cfg.enable {
 
     boot.loader.grub.devices = optional (cfg.device != "") cfg.device;
 
@@ -212,7 +219,7 @@ in
     # set at once.
     system.boot.loader.id = "grub";
 
-    environment.systemPackages = mkIf config.boot.loader.grub.enable [ grub ];
+    environment.systemPackages = [ grub ];
 
   };
 

modules/tasks/network-interfaces.nix

@@ -244,6 +244,7 @@ in
         pkgs.iputils
         pkgs.nettools
         pkgs.wirelesstools
+        pkgs.iw
         pkgs.rfkill
         pkgs.openresolv
       ]
@@ -424,13 +425,17 @@ in
          // mapAttrs createBridgeDevice cfg.bridges
          // { "network-setup" = networkSetup; };
 
-    # Set the host name in the activation script.  Don't clear it if
-    # it's not configured in the NixOS configuration, since it may
-    # have been set by dhclient in the meantime.
+    # Set the host and domain names in the activation script.  Don't
+    # clear it if it's not configured in the NixOS configuration,
+    # since it may have been set by dhclient in the meantime.
     system.activationScripts.hostname =
       optionalString (config.networking.hostName != "") ''
         hostname "${config.networking.hostName}"
       '';
+    system.activationScripts.domain =
+      optionalString (config.networking.domain != "") ''
+        domainname "${config.networking.domain}"
+      '';
 
     services.udev.extraRules =
       ''