Merge branch 'master' into x-updates

2013-05-29 23:32:05 +02:00 · 2013-05-29 23:32:05 +02:00 · a5a7c8ad78
parent 40d61bfe36 421fb9d585
commit a5a7c8ad78
20 changed files with 239 additions and 24 deletions
--- a/modules/config/swap.nix
+++ b/modules/config/swap.nix
@ -58,6 +58,17 @@ with utils;
            '';
          };

+          priority = mkOption {
+            default = null;
+            example = 2048;
+            type = types.nullOr types.int;
+            description = ''
+              Specify the priority of the swap device. Priority is a value between 0 and 32767.
+              Higher numbers indicate higher priority.
+              null lets the kernel choose a priority, which will show up as a negative value.
+            '';
+          };
+
        };

        config = {
--- a/modules/config/system-path.nix
+++ b/modules/config/system-path.nix
@ -41,7 +41,6 @@ let
      pkgs.nano
      pkgs.ncurses
      pkgs.netcat
-      pkgs.ntp
      pkgs.openssh
      pkgs.pciutils
      pkgs.perl
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@ -75,6 +75,7 @@ in
    spamd = 56;
    nslcd = 58;
    nginx = 60;
+    chrony = 61;

    # When adding a uid, make sure it doesn't match an existing gid.

--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -36,6 +36,7 @@
  ./misc/nixpkgs.nix
  ./misc/passthru.nix
  ./misc/version.nix
+  ./programs/atop.nix
  ./programs/bash/bash.nix
  ./programs/bash/command-not-found.nix
  ./programs/blcr.nix
@ -125,6 +126,7 @@
  ./services/networking/bind.nix
  ./services/networking/bitlbee.nix
  ./services/networking/cntlm.nix
+  ./services/networking/chrony.nix
  ./services/networking/ddclient.nix
  #./services/networking/dhclient.nix
  ./services/networking/dhcpcd.nix
--- a/modules/programs/atop.nix
+++ b/modules/programs/atop.nix
@ -0,0 +1,36 @@
+# Global configuration for atop.
+
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let cfg = config.programs.atop;
+
+in
+{
+  ###### interface
+
+  options = {
+
+    programs.atop = {
+
+      settings = mkOption {
+        type = types.attrs;
+        default = {};
+        example = {
+          flags = "a1f";
+          interval = 5;
+        };
+        description = ''
+          Parameters to be written to <filename>/etc/atoprc</filename>
+        '';
+      };
+
+    };
+  };
+
+  config = mkIf (cfg.settings != {}) {
+    environment.etc."atoprc".text =
+      concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings);
+  };
+}
--- a/modules/security/apparmor-suid.nix
+++ b/modules/security/apparmor-suid.nix
@ -29,8 +29,12 @@ with pkgs.lib;
        network inet raw,

        ${pkgs.glibc}/lib/*.so mr,
-        /var/setuid-wrappers/ping.real mixr,
-        ${pkgs.iputils}/sbin/ping mixr,
+        ${pkgs.libcap}/lib/libcap.so* mr,
+        ${pkgs.attr}/lib/libattr.so* mr,
+
+        ${pkgs.iputils}/bin/ping mixr,
+        /var/setuid-wrappers/ping.real r,
+
        #/etc/modules.conf r,

        ## Site-specific additions and overrides. See local/README for details.
--- a/modules/security/apparmor.nix
+++ b/modules/security/apparmor.nix
@ -53,12 +53,12 @@ with pkgs.lib;
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (profile: ''
-          ${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"
-        '') cfg.profiles;
-        ExecStop = concatMapStrings (profile: ''
-          ${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}"
-        '') cfg.profiles;
+        ExecStart = concatMapStrings (profile:
+          ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
+        ) cfg.profiles;
+        ExecStop = concatMapStrings (profile:
+          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
+        ) cfg.profiles;
      };

    };
--- a/modules/services/backup/bacula.nix
+++ b/modules/services/backup/bacula.nix
@ -7,6 +7,7 @@ with pkgs.lib;

 let
  libDir = "/var/lib/bacula";
+
  fd_cfg = config.services.bacula-fd;
  fd_conf = pkgs.writeText "bacula-fd.conf"
    ''
@ -96,6 +97,17 @@ let
    ${dir_cfg.extraConfig}
    '';

+  # TODO: by default use this config
+  bconsole_conf = pkgs.writeText "bconsole.conf"
+    ''
+    Director {
+      Name = ${dir_cfg.name};
+      Address = "localhost";
+      DirPort = ${toString dir_cfg.port};
+      Password = "${dir_cfg.password}";
+    }
+    '';
+
  directorOptions = {name, config, ...}:
  {
    options = {
@ -342,7 +354,8 @@ in {
      description = "Bacula File Daemon";
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.bacula ];
-      serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-fd -f -u bacula -g bacula -c ${fd_conf}";
+      serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}";
+      serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
    };

    systemd.services.bacula-sd = mkIf sd_cfg.enable {
@ -351,6 +364,7 @@ in {
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.bacula ];
      serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-sd -f -u bacula -g bacula -c ${sd_conf}";
+      serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
    };

    services.postgresql.enable = dir_cfg.enable == true;
@ -361,6 +375,7 @@ in {
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.bacula ];
      serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-dir -f -u bacula -g bacula -c ${dir_conf}";
+      serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      preStart = ''
        if ! test -e "${libDir}/db-created"; then
            ${pkgs.postgresql}/bin/createuser --no-superuser --no-createdb --no-createrole bacula
--- a/modules/services/networking/chrony.nix
+++ b/modules/services/networking/chrony.nix
@ -0,0 +1,118 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+  inherit (pkgs) chrony;
+
+  stateDir = "/var/lib/chrony";
+
+  chronyUser = "chrony";
+
+  cfg = config.services.chrony;
+
+  configFile = pkgs.writeText "chrony.conf" ''
+    ${toString (map (server: "server " + server + "\n") cfg.servers)}
+
+    ${optionalString cfg.initstepslew.enabled ''
+      initstepslew ${toString cfg.initstepslew.threshold} ${toString (map (server: server + " ") cfg.initstepslew.servers)}
+    ''}
+
+    driftfile ${stateDir}/chrony.drift
+
+    ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+    ${cfg.extraConfig}
+  '';
+
+  chronyFlags = "-m -f ${configFile} -u ${chronyUser}";
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.chrony = {
+
+      enable = mkOption {
+        default = false;
+        description = ''
+          Whether to synchronise your machine's time using chrony.
+          Make sure you disable NTP if you enable this service.
+        '';
+      };
+
+      servers = mkOption {
+        default = [
+          "0.pool.ntp.org"
+          "1.pool.ntp.org"
+          "2.pool.ntp.org"
+        ];
+        description = ''
+          The set of NTP servers from which to synchronise.
+        '';
+      };
+
+      initstepslew = mkOption {
+        default = {
+          enabled = true;
+          threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s)
+          servers = cfg.servers;
+        };
+        description = ''
+          Allow chronyd to make a rapid measurement of the system clock error at
+          boot time, and to correct the system clock by stepping before normal
+          operation begins.
+        '';
+      };
+
+      extraConfig = mkOption {
+        default = "";
+        description = ''
+          Extra configuration directives that should be added to
+          <literal>chrony.conf</literal>
+        '';
+      };
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.chrony.enable {
+
+    # Make chronyc available in the system path
+    environment.systemPackages = [ pkgs.chrony ];
+
+    users.extraUsers = singleton
+      { name = chronyUser;
+        uid = config.ids.uids.chrony;
+        description = "chrony daemon user";
+        home = stateDir;
+      };
+
+    jobs.chronyd =
+      { description = "chrony daemon";
+
+        wantedBy = [ "ip-up.target" ];
+        partOf = [ "ip-up.target" ];
+
+        path = [ chrony ];
+
+        preStart =
+          ''
+            mkdir -m 0755 -p ${stateDir}
+            chown ${chronyUser} ${stateDir}
+          '';
+
+        exec = "chronyd -n ${chronyFlags}";
+      };
+
+  };
+
+}
--- a/modules/services/networking/gnunet.nix
+++ b/modules/services/networking/gnunet.nix
@ -126,6 +126,10 @@ in
        createHome = true; 
      };

+    users.extraGroups = singleton
+      { name = "gnunet";
+      };
+
    # The user tools that talk to `gnunetd' should come from the same source,
    # so install them globally.
    environment.systemPackages = [ pkgs.gnunet ];
--- a/modules/services/networking/networkmanager.nix
+++ b/modules/services/networking/networkmanager.nix
@ -94,7 +94,7 @@ in {
      }
    ];

-    environment.systemPackages = cfg.packages;
+    environment.systemPackages = cfg.packages ++ [ networkmanager_openvpn ];

    users.extraGroups = singleton {
      name = "networkmanager";
--- a/modules/services/networking/ntpd.nix
+++ b/modules/services/networking/ntpd.nix
@ -58,6 +58,9 @@ in

  config = mkIf config.services.ntp.enable {

+    # Make tools such as ntpq available in the system path
+    environment.systemPackages = [ pkgs.ntp ];
+
    users.extraUsers = singleton
      { name = ntpUser;
        uid = config.ids.uids.ntp;
--- a/modules/services/networking/openvpn.nix
+++ b/modules/services/networking/openvpn.nix
@ -15,7 +15,6 @@ let

      upScript = ''
        #! /bin/sh
-        exec > /var/log/openvpn-${name}-up 2>&1
        export PATH=${path}

        # For convenience in client scripts, extract the remote domain
@ -34,13 +33,13 @@ let

      downScript = ''
        #! /bin/sh
-        exec > /var/log/openvpn-${name}-down 2>&1
        export PATH=${path}
        ${cfg.down}
      '';

      configFile = pkgs.writeText "openvpn-config-${name}"
        ''
+          errors-to-stderr
          ${optionalString (cfg.up != "" || cfg.down != "") "script-security 2"}
          ${cfg.config}
          ${optionalString (cfg.up != "") "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
@ -50,12 +49,13 @@ let
    in {
      description = "OpenVPN instance ‘${name}’";

-      startOn = mkDefault "started network-interfaces";
-      stopOn = mkDefault "stopping network-interfaces";
+      wantedBy = optional cfg.autoStart [ "multi-user.target" ];
+      after = [ "network-interfaces.target" ];

      path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];

-      exec = "${openvpn}/sbin/openvpn --config ${configFile}";
+      serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --config ${configFile}";
+      serviceConfig.Restart = "always";
    };

 in
@ -144,6 +144,12 @@ in
          '';
        };

+        autoStart = mkOption {
+          default = true;
+          type = types.bool;
+          description = "Whether this OpenVPN instance should be started automatically.";
+        };
+
      };

    };
@ -155,7 +161,7 @@ in

  config = mkIf (cfg.servers != {}) {

-    jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
+    systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);

    environment.systemPackages = [ openvpn ];

--- a/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/modules/services/web-servers/apache-httpd/mediawiki.nix
@ -72,11 +72,11 @@ let

  # Unpack Mediawiki and put the config file in its root directory.
  mediawikiRoot = pkgs.stdenv.mkDerivation rec {
-    name= "mediawiki-1.20.3";
+    name= "mediawiki-1.20.5";

    src = pkgs.fetchurl {
      url = "http://download.wikimedia.org/mediawiki/1.20/${name}.tar.gz";
-      sha256 = "046jcq54xla490sx0pn0w169wj74lqj3n87r39s59in6494lwp4a";
+      sha256 = "0ix6khrilfdncjqnh41xjs0bd49i1q0rywycjaixjfpwj6vjbqbl";
    };

    skins = config.skins;
--- a/modules/services/web-servers/apache-httpd/zabbix.nix
+++ b/modules/services/web-servers/apache-httpd/zabbix.nix
@ -27,7 +27,6 @@ in
    ''
      post_max_size = 32M
      max_execution_time = 300
-      mbstring.func_overload = 2
    '';

  extraConfig = ''
--- a/modules/services/x11/desktop-managers/kde4.nix
+++ b/modules/services/x11/desktop-managers/kde4.nix
@ -42,6 +42,8 @@ let

  phononBackendPackages = flip concatMap cfg.phononBackends
    (name: attrByPath [name] (throw "unknown phonon backend `${name}'") phononBackends);
+
+  wantsUdisks2 = pkgs.kde4.kdelibs.wantsUdisks2 or false;
 in

 {
@ -155,7 +157,8 @@ in
      };

    # Enable helpful DBus services.
-    services.udisks.enable = true;
+    services.udisks.enable = ! wantsUdisks2;
+    services.udisks2.enable = wantsUdisks2;
    services.upower.enable = config.powerManagement.enable;

    security.pam.services = [ { name = "kde"; allowNullPassword = true; startSession = true; } ];
--- a/modules/system/boot/systemd-unit-options.nix
+++ b/modules/system/boot/systemd-unit-options.nix
@ -215,6 +215,16 @@ rec {

  socketOptions = unitOptions // {

+    listenStreams = mkOption {
+      default = [];
+      types = types.listOf types.string;
+      example = [ "0.0.0.0:993" "/run/my-socket" ];
+      description = ''
+        For each item in this list, a <literal>ListenStream</literal>
+        option in the <literal>[Socket]</literal> section will be created.
+      '';
+    };
+
    socketConfig = mkOption {
      default = {};
      example = { ListenStream = "/run/my-socket"; };
--- a/modules/system/boot/systemd.nix
+++ b/modules/system/boot/systemd.nix
@ -275,6 +275,7 @@ let

          [Socket]
          ${attrsToSection def.socketConfig}
+          ${concatStringsSep "\n" (map (s: "ListenStream=${s}") def.listenStreams)}
        '';
    };

--- a/modules/tasks/filesystems.nix
+++ b/modules/tasks/filesystems.nix
@ -7,6 +7,8 @@ let

  fileSystems = attrValues config.fileSystems;

+  prioOption = prio: optionalString (prio !=null) " pri=${toString prio}";
+
  fileSystemOpts = { name, ... }: {

    options = {
@ -167,7 +169,7 @@ in

        # Swap devices.
        ${flip concatMapStrings config.swapDevices (sw:
-            "${sw.device} none swap\n"
+            "${sw.device} none swap${prioOption sw.priority}\n"
        )}
      '';

--- a/modules/tasks/filesystems/btrfs.nix
+++ b/modules/tasks/filesystems/btrfs.nix
@ -17,12 +17,13 @@ in

    boot.initrd.extraUtilsCommands = mkIf inInitrd
      ''
-        cp -v ${pkgs.btrfsProgs}/bin/btrfsck $out/bin
+        mkdir -p $out/bin
        cp -v ${pkgs.btrfsProgs}/bin/btrfs $out/bin
+        ln -sv btrfs $out/bin/btrfsck
+        ln -sv btrfsck $out/bin/fsck.btrfs
        # !!! Increases uncompressed initrd by 240k
        cp -pv ${pkgs.zlib}/lib/libz.so* $out/lib
        cp -pv ${pkgs.lzo}/lib/liblzo2.so* $out/lib
-        ln -sv btrfsck $out/bin/fsck.btrfs
      '';

    boot.initrd.extraUtilsCommandsTest = mkIf inInitrd