From 7f9fc8d817de86084b08b33b001e96fd12f1ff9c Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Tue, 21 May 2013 23:30:24 +0000
Subject: [PATCH 01/12] Set the domain name of the machine

The domain name was not being set before, even if the administrator
properly configured the networking.domain option in
/etc/nixos/configuration.nix.
---
 modules/tasks/network-interfaces.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/modules/tasks/network-interfaces.nix b/modules/tasks/network-interfaces.nix
index cb0d17459ff4..d7b1988fe8de 100644
--- a/modules/tasks/network-interfaces.nix
+++ b/modules/tasks/network-interfaces.nix
@@ -424,13 +424,17 @@ in
          // mapAttrs createBridgeDevice cfg.bridges
          // { "network-setup" = networkSetup; };
 
-    # Set the host name in the activation script.  Don't clear it if
-    # it's not configured in the NixOS configuration, since it may
-    # have been set by dhclient in the meantime.
+    # Set the host and domain names in the activation script.  Don't
+    # clear it if it's not configured in the NixOS configuration,
+    # since it may have been set by dhclient in the meantime.
     system.activationScripts.hostname =
       optionalString (config.networking.hostName != "") ''
         hostname "${config.networking.hostName}"
       '';
+    system.activationScripts.domain =
+      optionalString (config.networking.domain != "") ''
+        domainname "${config.networking.domain}"
+      '';
 
     services.udev.extraRules =
       ''
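Review bot: `domainname` on the new activation line sets the kernel's NIS/YP domain name (what `getdomainname(2)` reports), not the DNS domain, so an administrator who sets `networking.domain` for name resolution will see no effect on resolver lookups from this script; if DNS is the intent the value belongs in the resolver configuration, and the comment should name which domain is meant, e.g. `# domainname(1) sets the NIS domain name, not the DNS search domain.`. The guard `config.networking.domain != ""` also presumes the option's unset value is `""`; if its default is `null` (the declaration is outside this hunk) the interpolation fails at evaluation time instead of being skipped. The reworded comment still says "Don't clear it" although it now covers two names.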

From 2e61811284e1116e1700bd505d95161ebf07bb9d Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Tue, 28 May 2013 17:19:15 +0000
Subject: [PATCH 02/12] transmission: Add apparmor profile

---
 modules/services/torrent/transmission.nix | 40 +++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/modules/services/torrent/transmission.nix b/modules/services/torrent/transmission.nix
index 02ec25d1294d..742e5bee70c0 100644
--- a/modules/services/torrent/transmission.nix
+++ b/modules/services/torrent/transmission.nix
@@ -89,6 +89,11 @@ in
         description = "TCP port number to run the RPC/web interface.";
       };
 
+      apparmor = mkOption {
+        type = types.uniq types.bool;
+        default = true;
+        description = "Generate apparmor profile for transmission-daemon.";
+      };
     };
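Review bot: The description of the new `apparmor` option does not say that it has no effect unless `security.apparmor.enable` is also set, which is how the profile is gated later in this commit, so a reader who enables only this option may believe the daemon is confined when it is not. Suggest `description = "Generate an AppArmor profile for transmission-daemon (only applied when security.apparmor.enable is true).";`. The enclosing options block continues outside the hunk.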
 
   };
@@ -104,8 +109,8 @@ in
       # 1) Only the "transmission" user and group have access to torrents.
       # 2) Optionally update/force specific fields into the configuration file.
       serviceConfig.ExecStartPre =
-        if config.services.transmission.settings != {} then ''
-          ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs config.services.transmission.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
+        if cfg.settings != {} then ''
+          ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs cfg.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
         ''
         else ''
           ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir}"
@@ -129,6 +134,37 @@ in
 
     users.extraGroups.transmission = {};
 
+    # AppArmor profile
+    security.apparmor.profiles = mkIf (config.security.apparmor.enable && cfg.apparmor) [
+      (pkgs.writeText "apparmor-transmission-daemon" ''
+        #include <tunables/global>
+
+        ${pkgs.transmission}/bin/transmission-daemon {
+          #include <abstractions/base>
+          #include <abstractions/nameservice>
+
+          ${pkgs.glibc}/lib/*.so             mr,
+          ${pkgs.libevent}/lib/libevent*.so* mr,
+          ${pkgs.curl}/lib/libcurl*.so*      mr,
+          ${pkgs.openssl}/lib/libssl*.so*    mr,
+          ${pkgs.openssl}/lib/libcrypto*.so* mr,
+          ${pkgs.zlib}/lib/libz*.so*         mr,
+          ${pkgs.libssh2}/lib/libssh2*.so*   mr,
+
+          @{PROC}/sys/kernel/random/uuid   r,
+          @{PROC}/sys/vm/overcommit_memory r,
+
+          ${pkgs.transmission}/share/transmission/** r,
+
+          owner ${settingsDir}/** rw,
+
+          ${cfg.settings.download-dir}/** rw,
+          ${optionalString cfg.settings.incomplete-dir-enabled ''
+            ${cfg.settings.incomplete-dir}/** rw,
+          ''}
+        }
+      '')
+    ];
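Review bot: `${cfg.settings.download-dir}` and `cfg.settings.incomplete-dir-enabled` near the end of the profile are plain attribute accesses, so unless the settings option (declared outside this hunk) supplies defaults for them, enabling AppArmor with `settings = {}` — a value the ExecStartPre branch in this file explicitly handles — fails at evaluation with a missing-attribute error; guard them with `${optionalString (cfg.settings ? download-dir) "${cfg.settings.download-dir}/** rw,"}` and `${optionalString (cfg.settings.incomplete-dir-enabled or false) ''…''}`, and decide what the daemon's built-in default download location should be allowed when no download-dir is configured. The glibc rule uses `*.so` while every other library rule uses `*.so*`; since `*` does not cross a path separator and glibc's runtime objects carry versioned suffixes such as `libc.so.6`, the glibc line as written likely matches nothing the daemon maps at run time. The profile also contains no `network` rule; whether a BitTorrent daemon can open sockets under it depends on whether the running kernel mediates networking for AppArmor, so this should be verified in enforce mode rather than assumed.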
   };
 
 }

From 0a0beadecd5bce5fca73baae2dc075d15f8dd85e Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Tue, 28 May 2013 17:48:08 +0000
Subject: [PATCH 03/12] transmission: Add apparmor service dependency

---
 modules/services/torrent/transmission.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/services/torrent/transmission.nix b/modules/services/torrent/transmission.nix
index 742e5bee70c0..4c989f09fea6 100644
--- a/modules/services/torrent/transmission.nix
+++ b/modules/services/torrent/transmission.nix
@@ -104,8 +104,10 @@ in
 
     systemd.services.transmission = {
       description = "Transmission BitTorrent Daemon";
-      after = [ "network.target" ];
+      after = [ "network.target" ] ++ optional (config.security.apparmor.enable && cfg.apparmor) "apparmor.service";
+      requires = mkIf (config.security.apparmor.enable && cfg.apparmor) [ "apparmor.service" ];
       wantedBy = [ "multi-user.target" ];
+
       # 1) Only the "transmission" user and group have access to torrents.
       # 2) Optionally update/force specific fields into the configuration file.
       serviceConfig.ExecStartPre =
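Review bot: The condition `config.security.apparmor.enable && cfg.apparmor` is now spelled out three times in this file (twice here, once in the profile definition), and the two new lines use different idioms for the same switch — `optional` for `after`, `mkIf` for `requires` — which makes it easy for them to drift apart. Suggest binding it once in the module's `let` (outside this hunk), e.g. `useApparmor = config.security.apparmor.enable && cfg.apparmor;`, and writing both lines the same way: `after = [ "network.target" ] ++ optional useApparmor "apparmor.service";` and `requires = optional useApparmor "apparmor.service";`. The systemd.services.transmission definition continues past the end of the hunk.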

From 08eba4c114871e5f138263aecf0824c90a32a703 Mon Sep 17 00:00:00 2001
From: Peter Simons <simons@cryp.to>
Date: Sat, 1 Jun 2013 11:38:49 +0200
Subject: [PATCH 04/12] atd: don't enable at daemon by default

The at daemon doesn't work on NixOS [1], so enabling it by default
doesn't seem useful. I'd argue that it shouldn't be enabled by default
even if it worked, actually.

[1] http://lists.science.uu.nl/pipermail/nix-dev/2013-April/011048.html
---
 modules/services/scheduling/atd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/services/scheduling/atd.nix b/modules/services/scheduling/atd.nix
index 68bc6f6466fb..88bec2cb2f3e 100644
--- a/modules/services/scheduling/atd.nix
+++ b/modules/services/scheduling/atd.nix
@@ -17,7 +17,7 @@ in
   options = {
 
     services.atd.enable = mkOption {
-      default = true;
+      default = false;
       description = ''
         Whether to enable the `at' daemon, a command scheduler.
       '';

From 70fd5422a7a0d17e1d2236a07fc2ae841f9bc9a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= <viric@viric.name>
Date: Sun, 2 Jun 2013 14:27:39 +0200
Subject: [PATCH 05/12] Adding iw to systemPackages.

---
 modules/tasks/network-interfaces.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/tasks/network-interfaces.nix b/modules/tasks/network-interfaces.nix
index d7b1988fe8de..75f2e1af4be6 100644
--- a/modules/tasks/network-interfaces.nix
+++ b/modules/tasks/network-interfaces.nix
@@ -244,6 +244,7 @@ in
         pkgs.iputils
         pkgs.nettools
         pkgs.wirelesstools
+        pkgs.iw
         pkgs.rfkill
         pkgs.openresolv
       ]

From b1f82e428a58ffcb7d0582a2201726d0a1b8c55f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>
Date: Fri, 31 May 2013 23:53:13 +0200
Subject: [PATCH 06/12] lighttpd: add cgit sub-service

(cgit is "a hyperfast web frontend for git repositories written in C")

cgit is enabled like this (assuming lighttpd is already enabled):

  services.lighttpd.cgit.enable = true;

and configured verbatim like this (contents of the cgitrc file):

  services.lighttpd.cgit.configText = ''
    cache-size=1000
    scan-path=/srv/git
  '';

cgit will be available from this URL: http://yourserver/cgit

In lighttpd, I've ensured that the cache dir for cgit is created if cgit
is enabled.
---
 modules/module-list.nix                       |  1 +
 .../services/web-servers/lighttpd/cgit.nix    | 71 +++++++++++++++++++
 .../services/web-servers/lighttpd/default.nix |  6 ++
 3 files changed, 78 insertions(+)
 create mode 100644 modules/services/web-servers/lighttpd/cgit.nix

diff --git a/modules/module-list.nix b/modules/module-list.nix
index 7739f2df6f6c..93a868f5f0d9 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -189,6 +189,7 @@
   ./services/web-servers/apache-httpd/default.nix
   ./services/web-servers/jboss/default.nix
   ./services/web-servers/lighttpd/default.nix
+  ./services/web-servers/lighttpd/cgit.nix
   ./services/web-servers/lighttpd/gitweb.nix
   ./services/web-servers/nginx/default.nix
   ./services/web-servers/tomcat.nix
diff --git a/modules/services/web-servers/lighttpd/cgit.nix b/modules/services/web-servers/lighttpd/cgit.nix
new file mode 100644
index 000000000000..b22b05e305b5
--- /dev/null
+++ b/modules/services/web-servers/lighttpd/cgit.nix
@@ -0,0 +1,71 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+  cfg = config.services.lighttpd.cgit;
+  configFile = pkgs.writeText "cgitrc"
+    ''
+      ${cfg.configText}
+    '';
+in
+{
+
+  options.services.lighttpd.cgit = {
+
+    enable = mkOption {
+      default = false;
+      type = types.uniq types.bool;
+      description = ''
+        If true, enable cgit (fast web interface for git repositories) as a
+        sub-service in lighttpd. cgit will be accessible at
+        http://yourserver/cgit
+      '';
+    };
+
+    configText = mkOption {
+      default = "";
+      example = ''
+        cache-size=1000
+        scan-path=/srv/git
+      '';
+      type = types.string;
+      description = ''
+        Verbatim contents of the cgit runtime configuration file. Documentation
+        (with cgitrc example file) is available in "man cgitrc". Or online:
+        http://git.zx2c4.com/cgit/tree/cgitrc.5.txt
+      '';
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    # make the cgitrc manpage available
+    environment.systemPackages = [ pkgs.cgit ];
+
+    services.lighttpd.extraConfig = ''
+      server.modules += (
+        "mod_cgi",
+        "mod_alias",
+        "mod_setenv"
+      )
+
+      $HTTP["url"] =~ "^/cgit" {
+          cgi.assign = (
+              "cgit.cgi" => "${pkgs.cgit}/cgit/cgit.cgi"
+          )
+          alias.url = (
+              "/cgit.css" => "${pkgs.cgit}/cgit/cgit.css",
+              "/cgit.png" => "${pkgs.cgit}/cgit/cgit.png",
+              "/cgit"     => "${pkgs.cgit}/cgit/cgit.cgi"
+          )
+          setenv.add-environment = (
+              "CGIT_CONFIG" => "${configFile}"
+          )
+      }
+    '';
+
+  };
+
+}
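Review bot: With `configText` defaulting to `""`, enabling the sub-service yields a cgit that lists no repositories, because cgit only serves what `scan-path` or `repo.*` entries in cgitrc name; the `configText` description should state that at least one of these is required, and the `enable` description's promise that cgit "will be accessible" should be read in that light. The sibling gitweb module in this series declares its verbatim-text option as `types.uniq types.string` while this one uses `types.string` (which concatenates multiple definitions); the two modules should agree on which merge behaviour they want for configuration text. The `$HTTP["url"] =~ "^/cgit"` condition is a prefix match and so also applies to any other URL beginning with `/cgit`; that is harmless for the aliases listed, but a comment such as `# prefix match: everything under /cgit is routed to cgit.cgi` would make the intent explicit.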
diff --git a/modules/services/web-servers/lighttpd/default.nix b/modules/services/web-servers/lighttpd/default.nix
index 1d1cd6fa1786..5ed32d0147c0 100644
--- a/modules/services/web-servers/lighttpd/default.nix
+++ b/modules/services/web-servers/lighttpd/default.nix
@@ -131,6 +131,12 @@ in
       description = "Lighttpd Web Server";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        ${if cfg.cgit.enable then ''
+          mkdir -p /var/cache/cgit
+          chown lighttpd:lighttpd /var/cache/cgit
+        '' else ""}
+      '';
       serviceConfig.ExecStart = "${pkgs.lighttpd}/sbin/lighttpd -D -f ${configFile}";
       # SIGINT => graceful shutdown
       serviceConfig.KillSignal = "SIGINT";
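Review bot: The cgit cache-directory setup is placed in the lighttpd core module and keyed on `cfg.cgit.enable`, so the sub-service's details leak into default.nix and the `${if … then … else ""}` form reinvents `optionalString`; the same effect with no coupling is a `systemd.services.lighttpd.preStart` declared inside cgit.nix under its existing `mkIf cfg.enable`, leaving this file untouched, or at minimum `preStart = optionalString cfg.cgit.enable ''` here. Creating `/var/cache/cgit` matches cgit's documented default `cache-root`, which is worth stating since cgitrc is not visible from this file, e.g. `# /var/cache/cgit is cgit's default cache-root`. `chown lighttpd:lighttpd` presumes that user and group are declared by this module, which I cannot confirm from the hunk.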

From 3d48da72a99252580db03bf0df4d02c095a46a5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>
Date: Sun, 2 Jun 2013 19:26:55 +0200
Subject: [PATCH 07/12] lighttpd: gitweb: add extraConfig option

So that we can append custom configuration text to the end of the
generated gitweb.conf file.
---
 modules/services/web-servers/lighttpd/gitweb.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/services/web-servers/lighttpd/gitweb.nix b/modules/services/web-servers/lighttpd/gitweb.nix
index 88c63064a047..3c710e5b09ee 100644
--- a/modules/services/web-servers/lighttpd/gitweb.nix
+++ b/modules/services/web-servers/lighttpd/gitweb.nix
@@ -7,7 +7,9 @@ let
   gitwebConfigFile = pkgs.writeText "gitweb.conf" ''
     # path to git projects (<project>.git)
     $projectroot = "${cfg.projectroot}";
+    ${cfg.extraConfig}
   '';
+
 in
 {
 
@@ -30,6 +32,14 @@ in
       '';
     };
 
+    extraConfig = mkOption {
+      default = "";
+      type = types.uniq types.string;
+      description = ''
+        Verbatim configuration text appended to the generated gitweb.conf file.
+      '';
+    };
+
   };
 
   config = mkIf cfg.enable {
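Review bot: The description of the new `extraConfig` option calls it "configuration text", but the generated gitweb.conf shown in the first hunk is Perl (`$projectroot = "…";`), so whatever is appended here is executed as Perl by gitweb; saying so tells the administrator what syntax to write and makes clear that the option carries code, e.g. `Verbatim Perl code appended to the end of the generated gitweb.conf file.`. The option also uses `types.uniq types.string` where the cgit sub-service added in this series uses `types.string` for the same kind of option; the two should agree on whether multiple definitions merge or conflict.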

From e776c0623d95592256a5a6380113fa989e983541 Mon Sep 17 00:00:00 2001
From: Sander van der Burg <svanderburg@gmail.com>
Date: Mon, 3 Jun 2013 01:34:22 +0200
Subject: [PATCH 08/12] Fixed disnix service to use systemd's dependency
 facilities

---
 modules/services/misc/disnix.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/modules/services/misc/disnix.nix b/modules/services/misc/disnix.nix
index 8d04c81ad681..c50af6fb095f 100644
--- a/modules/services/misc/disnix.nix
+++ b/modules/services/misc/disnix.nix
@@ -119,12 +119,13 @@ in
     jobs = {
       disnix =
         { description = "Disnix server";
-
-          startOn = "started dbus"
-          + optionalString config.services.httpd.enable " and started httpd"
-          + optionalString config.services.mysql.enable " and started mysql"
-          + optionalString config.services.tomcat.enable " and started tomcat"
-          + optionalString config.services.svnserve.enable " and started svnserve";
+        
+          wantedBy = [ "multi-user.target" ];
+          after = [ "dbus.service" ]
+          ++ optional config.services.httpd.enable "httpd.service"
+          ++ optional config.services.mysql.enable "mysql.service"
+          ++ optional config.services.tomcat.enable "tomcat.service"
+          ++ optional config.services.svnserve.enable "svnserve.service";
 
           restartIfChanged = false;
         
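Review bot: `after` only orders disnix relative to dbus, httpd, mysql, tomcat and svnserve if those units are started anyway; the upstart `startOn "started dbus and …"` it replaces expressed that disnix must not run before them, so if that is still the intent a `wants` list with the same contents is needed alongside `after`, e.g. `wants = [ "dbus.service" ] ++ optional config.services.httpd.enable "httpd.service" …;` (I am assuming the `jobs` layer passes these keys through to systemd, which is not visible here). The line replacing the blank line above `wantedBy` is whitespace-only; it should be an empty line. The disnix job definition continues outside the hunk.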

From 824b5b645a3d6cb3d937e7cc25d2fa47e6971df1 Mon Sep 17 00:00:00 2001
From: Mathijs Kwik <mathijs@bluescreen303.nl>
Date: Sun, 2 Jun 2013 10:23:03 +0200
Subject: [PATCH 09/12] openvpn: fix type error

either use
- optional cond "target"
or
- optionals cond ["target1" "target2"]
---
 modules/services/networking/openvpn.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/services/networking/openvpn.nix b/modules/services/networking/openvpn.nix
index 63b6cc90f073..1e862591406d 100644
--- a/modules/services/networking/openvpn.nix
+++ b/modules/services/networking/openvpn.nix
@@ -49,7 +49,7 @@ let
     in {
       description = "OpenVPN instance ‘${name}’";
 
-      wantedBy = optional cfg.autoStart [ "multi-user.target" ];
+      wantedBy = optional cfg.autoStart "multi-user.target";
       after = [ "network-interfaces.target" ];
 
       path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];

From 6e6061e6b39b59127538f9b926c210d1a1951822 Mon Sep 17 00:00:00 2001
From: Evgeny Egorochkin <phreedom@yandex.ru>
Date: Tue, 4 Jun 2013 13:02:37 +0300
Subject: [PATCH 10/12] TOR: add obfsproxy support by default for TOR bridges

---
 modules/services/security/tor.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/services/security/tor.nix b/modules/services/security/tor.nix
index ebbe15695763..2dafb4595c63 100644
--- a/modules/services/security/tor.nix
+++ b/modules/services/security/tor.nix
@@ -135,7 +135,9 @@ in
 
             A bridge relay can't be an exit relay.
 
-            You need to set enableRelay to true for this option to take effect.
+            You need to set relay.enable to true for this option to take effect.
+
+            The bridge is set up with an obfuscated transport proxy.
 
             See https://www.torproject.org/bridges.html.en for more info.
           '';
@@ -278,7 +280,10 @@ in
         ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
         ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
         ${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"}
-        ${if cfg.relay.isBridge then "BridgeRelay 1" else ""}
+        ${if cfg.relay.isBridge then ''
+          BridgeRelay 1
+          ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
+        '' else ""}
       '';
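Review bot: The new `ServerTransportPlugin` line hard-codes `obfs2,obfs3` for every bridge; obfs2's handshake is widely regarded as passively identifiable, so advertising it by default gives weaker cover than "an obfuscated transport proxy" implies, and making the transport list an option that defaults to `obfs3` would let administrators drop it without editing the module. In managed mode the plugin listens on a port Tor chooses at startup unless `ServerTransportListenAddr` is set, so the module cannot open a matching firewall port deterministically; this deserves a comment next to the line, e.g. `# obfsproxy binds a port chosen at runtime; set ServerTransportListenAddr to make it fixed.`. The torrc template that contains this line starts before the hunk.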
 
       services.tor.client.privoxy.config = ''

From d210f30fa75fe6a06d5292f30251b8896d5ba0f6 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Tue, 4 Jun 2013 14:05:07 +0200
Subject: [PATCH 11/12] Omit GRUB if boot.loader.grub.device is set to "nodev"

If we only need to generate a GRUB boot menu, we don't need GRUB
itself.  This cuts 38 MiB from EC2 system closures (in particular
because it gets rid of the need for the 32-bit Glibc).
---
 modules/system/boot/loader/grub/grub.nix | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/modules/system/boot/loader/grub/grub.nix b/modules/system/boot/loader/grub/grub.nix
index 490502c5a360..1552d2cb1021 100644
--- a/modules/system/boot/loader/grub/grub.nix
+++ b/modules/system/boot/loader/grub/grub.nix
@@ -6,7 +6,14 @@ let
 
   cfg = config.boot.loader.grub;
 
-  grub = if cfg.version == 1 then pkgs.grub else pkgs.grub2;
+  realGrub = if cfg.version == 1 then pkgs.grub else pkgs.grub2;
+
+  grub =
+    # Don't include GRUB if we're only generating a GRUB menu (e.g.,
+    # in EC2 instances).
+    if cfg.devices == ["nodev"]
+    then null
+    else realGrub;
 
   f = x: if x == null then "" else "" + x;
 
@@ -14,8 +21,8 @@ let
     { splashImage = f config.boot.loader.grub.splashImage;
       grub = f grub;
       shell = "${pkgs.stdenv.shell}";
-      fullVersion = (builtins.parseDrvName config.system.build.grub.name).version;
-      inherit (config.boot.loader.grub)
+      fullVersion = (builtins.parseDrvName realGrub.name).version;
+      inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries
         extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout
         default devices;
@@ -141,7 +148,7 @@ in
 
       splashImage = mkOption {
         default =
-          if config.boot.loader.grub.version == 1
+          if cfg.version == 1
           then pkgs.fetchurl {
             url = http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz;
             sha256 = "14kqdx2lfqvh40h6fjjzqgff1mwk74dmbjvmqphi6azzra7z8d59";
@@ -196,7 +203,7 @@ in
 
   ###### implementation
 
-  config = mkIf config.boot.loader.grub.enable {
+  config = mkIf cfg.enable {
 
     boot.loader.grub.devices = optional (cfg.device != "") cfg.device;
 
@@ -212,7 +219,7 @@ in
     # set at once.
     system.boot.loader.id = "grub";
 
-    environment.systemPackages = mkIf config.boot.loader.grub.enable [ grub ];
+    environment.systemPackages = [ grub ];
 
   };
 
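Review bot: `environment.systemPackages = [ grub ];` now receives `null` whenever the first hunk's `grub` binding resolves to `null` (the `["nodev"]` case this commit introduces), whereas the generator's `grub = f grub;` line tolerates it through `f`; a `null` element in `systemPackages` is not a package and will most likely break the system environment build for exactly the EC2 configuration the change is meant to serve. Suggest `environment.systemPackages = mkIf (grub != null) [ grub ];`. The `cfg.devices == ["nodev"]` test is also an exact list comparison, so a configuration listing `"nodev"` together with a real device still gets GRUB; that seems intended but is worth a comment on the binding.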

From 365307ada1b6f3fc85b131cdcaaa9fcf19864a31 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Wed, 5 Jun 2013 17:09:34 +0200
Subject: [PATCH 12/12] nixos-rebuild: Handle .version-suffix not being
 writable

Reported by @vcunat.
---
 modules/installer/tools/nixos-rebuild.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/installer/tools/nixos-rebuild.sh b/modules/installer/tools/nixos-rebuild.sh
index fb26279e7c7f..16ec49bde9b7 100644
--- a/modules/installer/tools/nixos-rebuild.sh
+++ b/modules/installer/tools/nixos-rebuild.sh
@@ -141,7 +141,7 @@ fi
 if nixos=$(nix-instantiate --find-file nixos "${extraBuildFlags[@]}"); then
     suffix=$(@shell@ $nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}")
     if [ -n "$suffix" ]; then
-        echo -n "$suffix" > "$nixos/.version-suffix"
+        echo -n "$suffix" > "$nixos/.version-suffix" || true
     fi
 fi
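Review bot: `|| true` stops a read-only `$nixos` from aborting the script, but the shell still prints the redirection's permission error to stderr, so every rebuild against such a checkout shows a spurious failure message. Either silence that case explicitly, `echo -n "$suffix" > "$nixos/.version-suffix" 2>/dev/null || true`, or test first with `[ -w "$nixos" ]`, and say in a comment why the failure is tolerable, e.g. `# The checkout may be read-only (e.g. a store path); the suffix is optional.`.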