From 40fb90a2953bf870bfaa2b941fda744dd39a4878 Mon Sep 17 00:00:00 2001
From: Domen Kozar <domen@dev.si>
Date: Thu, 16 May 2013 21:58:24 +0200
Subject: [PATCH 01/18] bacula: generate bconsole config

---
 modules/services/backup/bacula.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/modules/services/backup/bacula.nix b/modules/services/backup/bacula.nix
index 05192f797fcd..a5f2c62fa05d 100644
--- a/modules/services/backup/bacula.nix
+++ b/modules/services/backup/bacula.nix
@@ -7,6 +7,7 @@ with pkgs.lib;
 
 let
   libDir = "/var/lib/bacula";
+
   fd_cfg = config.services.bacula-fd;
   fd_conf = pkgs.writeText "bacula-fd.conf"
     ''
@@ -96,6 +97,17 @@ let
     ${dir_cfg.extraConfig}
     '';
 
+  # TODO: by default use this config
+  bconsole_conf = pkgs.writeText "bconsole.conf"
+    ''
+    Director {
+      Name = ${dir_cfg.name};
+      Address = "localhost";
+      DirPort = ${toString dir_cfg.port};
+      Password = "${dir_cfg.password}";
+    }
+    '';
+
   directorOptions = {name, config, ...}:
   {
     options = {
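Review bot: `Password = "${dir_cfg.password}";` in the new bconsole_conf interpolates the director password into a file produced by `pkgs.writeText`, so it lands in the world-readable Nix store where every local user can read it. The existing fd_conf/dir_conf presumably carry the same exposure, but this adds another copy of the secret. At minimum replace `# TODO: by default use this config` with a comment that records it, e.g. `# NOTE: dir_cfg.password is baked into this store path and is readable by all local users`, and consider generating the console config at service start from a root-only file instead. The enclosing `let` block starts and ends outside the hunk.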

From 085ccc81995ab3c73e7a011f7b122b1400f346ee Mon Sep 17 00:00:00 2001
From: Mathijs Kwik <mathijs@bluescreen303.nl>
Date: Mon, 13 May 2013 23:07:58 +0200
Subject: [PATCH 02/18] btrfs: btrfsck is now actually the same binary as
 "btrfs" symlinked to save space.

---
 modules/tasks/filesystems/btrfs.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/tasks/filesystems/btrfs.nix b/modules/tasks/filesystems/btrfs.nix
index 57a7e5e302da..d95a32e2e3f7 100644
--- a/modules/tasks/filesystems/btrfs.nix
+++ b/modules/tasks/filesystems/btrfs.nix
@@ -17,12 +17,13 @@ in
 
     boot.initrd.extraUtilsCommands = mkIf inInitrd
       ''
-        cp -v ${pkgs.btrfsProgs}/bin/btrfsck $out/bin
+        mkdir -p $out/bin
         cp -v ${pkgs.btrfsProgs}/bin/btrfs $out/bin
+        ln -sv btrfs $out/bin/btrfsck
+        ln -sv btrfsck $out/bin/fsck.btrfs
         # !!! Increases uncompressed initrd by 240k
         cp -pv ${pkgs.zlib}/lib/libz.so* $out/lib
         cp -pv ${pkgs.lzo}/lib/liblzo2.so* $out/lib
-        ln -sv btrfsck $out/bin/fsck.btrfs
       '';
 
     boot.initrd.extraUtilsCommandsTest = mkIf inInitrd
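Review bot: The reason `ln -sv btrfs $out/bin/btrfsck` replaces the earlier copy lives only in the commit message, so the next reader of this initrd script cannot tell why btrfsck is a symlink; add `# btrfsck is the same binary as btrfs, symlink it to keep the initrd small` above the two `ln` lines. The new `mkdir -p $out/bin` covers only bin, while the `cp -pv ... $out/lib` lines that follow still assume `$out/lib` exists — presumably created elsewhere, but worth confirming. The `extraUtilsCommands` attribute is complete within the hunk.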

From 4630ad4d26a0b5a8774c9121b2fd42d92bb81eb0 Mon Sep 17 00:00:00 2001
From: Mathijs Kwik <mathijs@bluescreen303.nl>
Date: Mon, 13 May 2013 23:42:55 +0200
Subject: [PATCH 03/18] filesystems: add priority option for swap devices.

Useful for setting up raid0-like load balancing for swap by giving multiple swap devices the same priority.
---
 modules/config/swap.nix       | 11 +++++++++++
 modules/tasks/filesystems.nix |  4 +++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/modules/config/swap.nix b/modules/config/swap.nix
index a0287c948af1..7d4654ae2877 100644
--- a/modules/config/swap.nix
+++ b/modules/config/swap.nix
@@ -58,6 +58,17 @@ with utils;
             '';
           };
 
+          priority = mkOption {
+            default = null;
+            example = 2048;
+            type = types.nullOr types.int;
+            description = ''
+              Specify the priority of the swap device. Priority is a value between 0 and 32767.
+              Higher numbers indicate higher priority.
+              null lets the kernel choose a priority, which will show up as a negative value.
+            '';
+          };
+
         };
 
         config = {
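Review bot: The new `priority` option documents a 0–32767 range, but `type = types.nullOr types.int;` accepts any integer, so an out-of-range value is written straight into the fstab entry and only fails at swapon time. If this lib version has `types.addCheck`, `type = types.nullOr (types.addCheck types.int (p: p >= 0 && p <= 32767));` rejects it at evaluation with a clearer error. The enclosing option set continues outside the hunk.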
diff --git a/modules/tasks/filesystems.nix b/modules/tasks/filesystems.nix
index a95bb0673a23..cc7f1f407420 100644
--- a/modules/tasks/filesystems.nix
+++ b/modules/tasks/filesystems.nix
@@ -7,6 +7,8 @@ let
 
   fileSystems = attrValues config.fileSystems;
 
+  prioOption = prio: optionalString (prio !=null) " pri=${toString prio}";
+
   fileSystemOpts = { name, ... }: {
 
     options = {
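Review bot: `prio !=null` in the new `prioOption` binding is missing the space after `!=` that every other comparison in these modules uses; write `prioOption = prio: optionalString (prio != null) " pri=${toString prio}";`. A one-line comment such as `# fstab option suffix for a swap priority, empty when unset` would also help, since the helper is only used in a later hunk. The `let` block continues outside the hunk.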
@@ -167,7 +169,7 @@ in
 
         # Swap devices.
         ${flip concatMapStrings config.swapDevices (sw:
-            "${sw.device} none swap\n"
+            "${sw.device} none swap${prioOption sw.priority}\n"
         )}
       '';
 

From 0e9a963b424257e3a578c1054ab5895ae8b38a19 Mon Sep 17 00:00:00 2001
From: Mathijs Kwik <mathijs@bluescreen303.nl>
Date: Wed, 15 May 2013 00:47:57 +0200
Subject: [PATCH 04/18] kde4: use udisks2 for kde versions that support it.

Currently, none do, although kde 4.10 is supposed to be able to use it.
---
 modules/services/x11/desktop-managers/kde4.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/services/x11/desktop-managers/kde4.nix b/modules/services/x11/desktop-managers/kde4.nix
index 6e0d5057126c..dcc3859820c6 100644
--- a/modules/services/x11/desktop-managers/kde4.nix
+++ b/modules/services/x11/desktop-managers/kde4.nix
@@ -42,6 +42,8 @@ let
 
   phononBackendPackages = flip concatMap cfg.phononBackends
     (name: attrByPath [name] (throw "unknown phonon backend `${name}'") phononBackends);
+
+  wantsUdisks2 = pkgs.kde4.kdelibs.wantsUdisks2 or false;
 in
 
 {
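Review bot: The new `wantsUdisks2 = pkgs.kde4.kdelibs.wantsUdisks2 or false;` binding silently falls back to udisks1 whenever the attribute is absent, and nothing in this file says where the attribute is expected to come from. Add `# presumably set by the kdelibs package when it is built against udisks2; absent means udisks1 — confirm against the kde4 expression` so the fallback is understood as deliberate. The `let` block starts outside the hunk.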
@@ -155,7 +157,8 @@ in
       };
 
     # Enable helpful DBus services.
-    services.udisks.enable = true;
+    services.udisks.enable = ! wantsUdisks2;
+    services.udisks2.enable = wantsUdisks2;
     services.upower.enable = config.powerManagement.enable;
 
     security.pam.services = [ { name = "kde"; allowNullPassword = true; startSession = true; } ];

From 97689f90623557b600744a9e5a8552af9d6eaa60 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Fri, 17 May 2013 13:37:58 +0200
Subject: [PATCH 05/18] mediawiki: Update to 1.20.5

---
 modules/services/web-servers/apache-httpd/mediawiki.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/services/web-servers/apache-httpd/mediawiki.nix b/modules/services/web-servers/apache-httpd/mediawiki.nix
index 04899839b7a8..dcc05b03891b 100644
--- a/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/modules/services/web-servers/apache-httpd/mediawiki.nix
@@ -72,11 +72,11 @@ let
 
   # Unpack Mediawiki and put the config file in its root directory.
   mediawikiRoot = pkgs.stdenv.mkDerivation rec {
-    name= "mediawiki-1.20.3";
+    name= "mediawiki-1.20.5";
 
     src = pkgs.fetchurl {
       url = "http://download.wikimedia.org/mediawiki/1.20/${name}.tar.gz";
-      sha256 = "046jcq54xla490sx0pn0w169wj74lqj3n87r39s59in6494lwp4a";
+      sha256 = "0ix6khrilfdncjqnh41xjs0bd49i1q0rywycjaixjfpwj6vjbqbl";
     };
 
     skins = config.skins;

From 07406231e3b90b95cf7d683d9a46b5c016520c10 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Fri, 17 May 2013 15:32:43 +0200
Subject: [PATCH 06/18] zabbix: Don't set the mbstring.func_overload option

This breaks MediaWiki running in the same web server.  Zabbix no
longer seems to need it anyway.
---
 modules/services/web-servers/apache-httpd/zabbix.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/services/web-servers/apache-httpd/zabbix.nix b/modules/services/web-servers/apache-httpd/zabbix.nix
index 385e9ab56446..6191d63584a9 100644
--- a/modules/services/web-servers/apache-httpd/zabbix.nix
+++ b/modules/services/web-servers/apache-httpd/zabbix.nix
@@ -27,7 +27,6 @@ in
     ''
       post_max_size = 32M
       max_execution_time = 300
-      mbstring.func_overload = 2
     '';
 
   extraConfig = ''

From 000d5a62aa69114e44af482d3c6788efef58ecc3 Mon Sep 17 00:00:00 2001
From: Domen Kozar <domen@dev.si>
Date: Sat, 18 May 2013 12:29:03 +0200
Subject: [PATCH 07/18] bacula: file daemon needs to run as root

---
 modules/services/backup/bacula.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/services/backup/bacula.nix b/modules/services/backup/bacula.nix
index a5f2c62fa05d..daece0d11584 100644
--- a/modules/services/backup/bacula.nix
+++ b/modules/services/backup/bacula.nix
@@ -354,7 +354,7 @@ in {
       description = "Bacula File Daemon";
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.bacula ];
-      serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-fd -f -u bacula -g bacula -c ${fd_conf}";
+      serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}";
     };
 
     systemd.services.bacula-sd = mkIf sd_cfg.enable {
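Review bot: `-u root` on the changed ExecStart line runs bacula-fd with full root privileges, and the justification is given only in the commit subject; add `# bacula-fd must read every file it backs up, so it cannot drop to the bacula user` above `serviceConfig.ExecStart`. With the daemon reading the whole filesystem as root, the password in `fd_conf` is what gates that access — presumably that file is generated into the Nix store like the other configs, so its readability deserves a look. The service definition starts outside the hunk.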

From a29c30695855a165e131696d83d68a60573f9c3b Mon Sep 17 00:00:00 2001
From: Domen Kozar <domen@dev.si>
Date: Sat, 18 May 2013 13:28:21 +0200
Subject: [PATCH 08/18] bacula: add ExecReload

---
 modules/services/backup/bacula.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/services/backup/bacula.nix b/modules/services/backup/bacula.nix
index daece0d11584..525df3400484 100644
--- a/modules/services/backup/bacula.nix
+++ b/modules/services/backup/bacula.nix
@@ -355,6 +355,7 @@ in {
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.bacula ];
       serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}";
+      serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
     };
 
     systemd.services.bacula-sd = mkIf sd_cfg.enable {
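Review bot: The new `serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";` line here, and the identical ones in the bacula-sd and bacula-dir hunks below, assume the bacula daemons re-read their configuration on SIGHUP; I cannot confirm that from this file, and if they do not, `systemctl reload` will report success while changing nothing. Add a comment recording where that behaviour is documented, or use the daemon's own reload mechanism if one exists. The service definitions start outside the hunks.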
@@ -363,6 +364,7 @@ in {
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.bacula ];
       serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-sd -f -u bacula -g bacula -c ${sd_conf}";
+      serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
     };
 
     services.postgresql.enable = dir_cfg.enable == true;
@@ -373,6 +375,7 @@ in {
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.bacula ];
       serviceConfig.ExecStart = "${pkgs.bacula}/sbin/bacula-dir -f -u bacula -g bacula -c ${dir_conf}";
+      serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
       preStart = ''
         if ! test -e "${libDir}/db-created"; then
             ${pkgs.postgresql}/bin/createuser --no-superuser --no-createdb --no-createrole bacula

From 70586f03fe3427faaf800f17726af5b651e2485c Mon Sep 17 00:00:00 2001
From: Rickard Nilsson <rickynils@gmail.com>
Date: Tue, 14 May 2013 16:07:55 +0200
Subject: [PATCH 09/18] systemd.sockets: Add listenStreams option for
 specifying several sockets

---
 modules/system/boot/systemd-unit-options.nix | 10 ++++++++++
 modules/system/boot/systemd.nix              |  1 +
 2 files changed, 11 insertions(+)

diff --git a/modules/system/boot/systemd-unit-options.nix b/modules/system/boot/systemd-unit-options.nix
index 9069d03b9f00..f863daf2250d 100644
--- a/modules/system/boot/systemd-unit-options.nix
+++ b/modules/system/boot/systemd-unit-options.nix
@@ -215,6 +215,16 @@ rec {
 
   socketOptions = unitOptions // {
 
+    listenStreams = mkOption {
+      default = [];
+      types = types.listOf types.string;
+      example = [ "0.0.0.0:993" "/run/my-socket" ];
+      description = ''
+        For each item in this list, a <literal>ListenStream</literal>
+        option in the <literal>[Socket]</literal> section will be created.
+      '';
+    };
+
     socketConfig = mkOption {
       default = {};
       example = { ListenStream = "/run/my-socket"; };
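Review bot: `types = types.listOf types.string;` in the new `listenStreams` option uses the attribute name `types` instead of `type`, so mkOption performs no type checking on the list and, depending on the module-system version, either ignores the attribute or rejects it. Change it to `type = types.listOf types.string;`. The `socketOptions` set continues outside the hunk.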
diff --git a/modules/system/boot/systemd.nix b/modules/system/boot/systemd.nix
index 4957bfeed34b..11c2cfc6ace4 100644
--- a/modules/system/boot/systemd.nix
+++ b/modules/system/boot/systemd.nix
@@ -275,6 +275,7 @@ let
 
           [Socket]
           ${attrsToSection def.socketConfig}
+          ${concatStringsSep "\n" (map (s: "ListenStream=${s}") def.listenStreams)}
         '';
     };
 

From 02d9a8066a0ad0adbf9d1c3617659a4a00610a88 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Thu, 23 May 2013 02:07:49 +0000
Subject: [PATCH 10/18] Add chrony service Also, do not build and add ntp to
 the system unless it is enabled.

---
 modules/config/system-path.nix         |  1 -
 modules/misc/ids.nix                   |  1 +
 modules/module-list.nix                |  1 +
 modules/services/networking/chrony.nix | 88 ++++++++++++++++++++++++++
 modules/services/networking/ntpd.nix   |  3 +
 5 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 modules/services/networking/chrony.nix

diff --git a/modules/config/system-path.nix b/modules/config/system-path.nix
index 8c36015718c8..6e73118fe084 100644
--- a/modules/config/system-path.nix
+++ b/modules/config/system-path.nix
@@ -41,7 +41,6 @@ let
       pkgs.nano
       pkgs.ncurses
       pkgs.netcat
-      pkgs.ntp
       pkgs.openssh
       pkgs.pciutils
       pkgs.perl
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index fd76dfc47a1f..8a23148b0284 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -75,6 +75,7 @@ in
     spamd = 56;
     nslcd = 58;
     nginx = 60;
+    chrony = 61;
 
     # When adding a uid, make sure it doesn't match an existing gid.
 
diff --git a/modules/module-list.nix b/modules/module-list.nix
index b6193b191314..e6b4fd37c660 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -125,6 +125,7 @@
   ./services/networking/bind.nix
   ./services/networking/bitlbee.nix
   ./services/networking/cntlm.nix
+  ./services/networking/chrony.nix
   ./services/networking/ddclient.nix
   #./services/networking/dhclient.nix
   ./services/networking/dhcpcd.nix
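Review bot: `./services/networking/chrony.nix` is inserted after `cntlm.nix`, but the surrounding entries are sorted alphabetically, so it belongs between `bitlbee.nix` and `cntlm.nix`. The list continues outside the hunk.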
diff --git a/modules/services/networking/chrony.nix b/modules/services/networking/chrony.nix
new file mode 100644
index 000000000000..5a53744791ce
--- /dev/null
+++ b/modules/services/networking/chrony.nix
@@ -0,0 +1,88 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+  inherit (pkgs) chrony;
+
+  stateDir = "/var/lib/chrony";
+
+  chronyUser = "chrony";
+
+  configFile = pkgs.writeText "chrony.conf" ''
+    ${toString (map (server: "server " + server + "\n") config.services.chrony.servers)}
+
+    driftfile ${stateDir}/chrony.drift
+  '';
+
+  chronyFlags = "-m -f ${configFile} -u ${chronyUser}";
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.chrony = {
+
+      enable = mkOption {
+        default = false;
+        description = ''
+          Whether to synchronise your machine's time using chrony.
+          Make sure you disable NTP if you enable this service.
+        '';
+      };
+
+      servers = mkOption {
+        default = [
+          "0.pool.ntp.org"
+          "1.pool.ntp.org"
+          "2.pool.ntp.org"
+        ];
+        description = ''
+          The set of NTP servers from which to synchronise.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.chrony.enable {
+
+    # Make chronyc available in the system path
+    environment.systemPackages = [ pkgs.chrony ];
+
+    users.extraUsers = singleton
+      { name = chronyUser;
+        uid = config.ids.uids.chrony;
+        description = "chrony daemon user";
+        home = stateDir;
+      };
+
+    jobs.chronyd =
+      { description = "chrony daemon";
+
+        wantedBy = [ "ip-up.target" ];
+        partOf = [ "ip-up.target" ];
+
+        path = [ chrony ];
+
+        preStart =
+          ''
+            mkdir -m 0755 -p ${stateDir}
+            chown ${chronyUser} ${stateDir}
+          '';
+
+        exec = "chronyd -n ${chronyFlags}";
+      };
+
+  };
+
+}
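Review bot: `enable` and `servers` in the new module are declared without a `type`, so a misspelled boolean or a single string in `servers` is not rejected at evaluation time; add `type = types.bool;` and `type = types.listOf types.string;` respectively. The `configFile` line `${toString (map (server: "server " + server + "\n") config.services.chrony.servers)}` relies on `toString` joining the list with spaces, which leaves a leading space on every line after the first; `${concatMapStrings (s: "server ${s}\n") config.services.chrony.servers}` produces the same directives without that quirk. The `enable` description asks the user to disable NTP, but nothing enforces it, so both daemons can be enabled and contend for the same UDP port; an assertion, if this module system provides one, would surface that at build time.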
diff --git a/modules/services/networking/ntpd.nix b/modules/services/networking/ntpd.nix
index be3fcbd65433..e5e164021d3a 100644
--- a/modules/services/networking/ntpd.nix
+++ b/modules/services/networking/ntpd.nix
@@ -58,6 +58,9 @@ in
 
   config = mkIf config.services.ntp.enable {
 
+    # Make tools such as ntpq available in the system path
+    environment.systemPackages = [ pkgs.ntp ];
+
     users.extraUsers = singleton
       { name = ntpUser;
         uid = config.ids.uids.ntp;

From 6336048c5843ffcbd9fb010e47386adda2cdb913 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Thu, 23 May 2013 03:00:09 +0000
Subject: [PATCH 11/18] chrony: properly set rtconutc option, and add a few
 more options

---
 modules/services/networking/chrony.nix | 32 +++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/modules/services/networking/chrony.nix b/modules/services/networking/chrony.nix
index 5a53744791ce..5e9818858e0c 100644
--- a/modules/services/networking/chrony.nix
+++ b/modules/services/networking/chrony.nix
@@ -10,10 +10,20 @@ let
 
   chronyUser = "chrony";
 
+  cfg = config.services.chrony;
+
   configFile = pkgs.writeText "chrony.conf" ''
-    ${toString (map (server: "server " + server + "\n") config.services.chrony.servers)}
+    ${toString (map (server: "server " + server + "\n") cfg.servers)}
+
+    ${optionalString cfg.initstepslew.enabled ''
+      initstepslew ${toString cfg.initstepslew.threshold} ${toString (map (server: server + " ") cfg.initstepslew.servers)}
+    ''}
 
     driftfile ${stateDir}/chrony.drift
+
+    ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+    ${cfg.extraConfig}
   '';
 
   chronyFlags = "-m -f ${configFile} -u ${chronyUser}";
@@ -47,6 +57,26 @@ in
         '';
       };
 
+      initstepslew = mkOption {
+        default = {
+          enabled = true;
+          threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s)
+          servers = cfg.servers;
+        };
+        description = ''
+          Allow chronyd to make a rapid measurement of the system clock error at
+          boot time, and to correct the system clock by stepping before normal
+          operation begins.
+        '';
+      };
+
+      extraConfig = mkOption {
+        default = "";
+        description = ''
+          Extra configuration directives that should be added to
+          <literal>chrony.conf</literal>
+        '';
+      };
     };
 
   };
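Review bot: `initstepslew` is a single option whose default is a whole attribute set, so a user who sets only `services.chrony.initstepslew.threshold = 5;` replaces the default entirely and evaluation then fails in `configFile` on the missing `enabled` and `servers` attributes. Declaring the three fields as separate options keeps each default in place when one is overridden and lets each carry a type; `extraConfig` should likewise get `type = types.string;`. The `services.chrony` option set starts outside the hunk.
```nix
      initstepslew = {
        enabled = mkOption {
          default = true;
          type = types.bool;
          description = ''
            Allow chronyd to make a rapid measurement of the system clock error at
            boot time, and to correct the system clock by stepping before normal
            operation begins.
          '';
        };

        threshold = mkOption {
          default = 1000; # by default, same threshold as 'ntpd -g' (1000s)
          type = types.int;
          description = "Error (in seconds) above which the initial correction is applied by stepping.";
        };

        servers = mkOption {
          default = cfg.servers;
          type = types.listOf types.string;
          description = "NTP servers used for the initial rapid measurement.";
        };
      };

      # … unchanged: extraConfig option …
```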

From 76046850fe56efde474778db0f04493bee4222e1 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Thu, 23 May 2013 11:04:07 +0000
Subject: [PATCH 12/18] atop: Add basic config option for /etc/atoprc

---
 modules/module-list.nix   |  1 +
 modules/programs/atop.nix | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 modules/programs/atop.nix

diff --git a/modules/module-list.nix b/modules/module-list.nix
index b6193b191314..476983b33044 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -36,6 +36,7 @@
   ./misc/nixpkgs.nix
   ./misc/passthru.nix
   ./misc/version.nix
+  ./programs/atop.nix
   ./programs/bash/bash.nix
   ./programs/bash/command-not-found.nix
   ./programs/blcr.nix
diff --git a/modules/programs/atop.nix b/modules/programs/atop.nix
new file mode 100644
index 000000000000..7fdaab9d67df
--- /dev/null
+++ b/modules/programs/atop.nix
@@ -0,0 +1,36 @@
+# Global configuration for atop.
+
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let cfg = config.programs.atop;
+
+in
+{
+  ###### interface
+
+  options = {
+
+    programs.atop = {
+
+      settings = mkOption {
+        type = types.attrs;
+        default = {};
+        example = {
+          flags = "a1f";
+          interval = 5;
+        };
+        description = ''
+          Parameters to be written to <filename>/etc/atoprc</filename>
+        '';
+      };
+
+    };
+  };
+
+  config = mkIf (cfg.settings != {}) {
+    environment.etc."atoprc".text =
+      concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings);
+  };
+}
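Review bot: `concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings)` renders a boolean as `1` or the empty string (`toString false` is `""`), so `{ foo = false; }` emits a bare `foo ` line, which is unlikely to be what the caller meant. Either state in the `settings` description that values must be strings or integers, or add a comment above the rendering such as `# values go through toString; booleans become "1" or "" and are not meaningful here`. The `settings` option's `type = types.attrs;` gives no guidance on this, so the description is the place to say it.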

From f60393975f7c36a5f57330ffa4d1d826706cf64f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= <viric@viric.name>
Date: Tue, 28 May 2013 10:19:59 +0200
Subject: [PATCH 13/18] gnunet: it was missing extraGroups

---
 modules/services/networking/gnunet.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/services/networking/gnunet.nix b/modules/services/networking/gnunet.nix
index 37df4acd63d7..e0c41dcb1887 100644
--- a/modules/services/networking/gnunet.nix
+++ b/modules/services/networking/gnunet.nix
@@ -126,6 +126,10 @@ in
         createHome = true; 
       };
 
+    users.extraGroups = singleton
+      { name = "gnunet";
+      };
+
     # The user tools that talk to `gnunetd' should come from the same source,
     # so install them globally.
     environment.systemPackages = [ pkgs.gnunet ];

From 2ec6759f5fade16c6b131a054d220a600635f9a7 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Tue, 28 May 2013 14:38:13 +0200
Subject: [PATCH 14/18] openvpn.nix: Use systemd.*
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Also add an option ‘autoStart’ to configure whether an OpenVPN
instance should be started automatically.  And don't log to
/var/log/openvpn-* anymore.
---
 modules/services/networking/openvpn.nix | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/modules/services/networking/openvpn.nix b/modules/services/networking/openvpn.nix
index 4ea6fa135b0f..63b6cc90f073 100644
--- a/modules/services/networking/openvpn.nix
+++ b/modules/services/networking/openvpn.nix
@@ -15,7 +15,6 @@ let
 
       upScript = ''
         #! /bin/sh
-        exec > /var/log/openvpn-${name}-up 2>&1
         export PATH=${path}
 
         # For convenience in client scripts, extract the remote domain
@@ -34,13 +33,13 @@ let
 
       downScript = ''
         #! /bin/sh
-        exec > /var/log/openvpn-${name}-down 2>&1
         export PATH=${path}
         ${cfg.down}
       '';
 
       configFile = pkgs.writeText "openvpn-config-${name}"
         ''
+          errors-to-stderr
           ${optionalString (cfg.up != "" || cfg.down != "") "script-security 2"}
           ${cfg.config}
           ${optionalString (cfg.up != "") "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
@@ -50,12 +49,13 @@ let
     in {
       description = "OpenVPN instance ‘${name}’";
 
-      startOn = mkDefault "started network-interfaces";
-      stopOn = mkDefault "stopping network-interfaces";
+      wantedBy = optional cfg.autoStart [ "multi-user.target" ];
+      after = [ "network-interfaces.target" ];
 
       path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];
 
-      exec = "${openvpn}/sbin/openvpn --config ${configFile}";
+      serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --config ${configFile}";
+      serviceConfig.Restart = "always";
     };
 
 in
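Review bot: `wantedBy = optional cfg.autoStart [ "multi-user.target" ];` wraps the list a second time: `optional` returns a singleton list of its argument, so this evaluates to `[ [ "multi-user.target" ] ]` rather than `[ "multi-user.target" ]`, and the unit will either fail the list-of-strings check or not be pulled into `multi-user.target` at all. Write `wantedBy = optional cfg.autoStart "multi-user.target";` (or `optionals` with the list, if this lib version has it). The `in { ... }` body of `makeOpenVPNJob` starts outside the hunk.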
@@ -144,6 +144,12 @@ in
           '';
         };
 
+        autoStart = mkOption {
+          default = true;
+          type = types.bool;
+          description = "Whether this OpenVPN instance should be started automatically.";
+        };
+
       };
 
     };
@@ -155,7 +161,7 @@ in
 
   config = mkIf (cfg.servers != {}) {
 
-    jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
+    systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
 
     environment.systemPackages = [ openvpn ];
 

From eb01d87b31a85b4446e56deacfe1e63dbca52552 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Tue, 28 May 2013 14:15:10 +0000
Subject: [PATCH 15/18] apparmor: Fix broken iputils/ping profile

---
 modules/security/apparmor-suid.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/security/apparmor-suid.nix b/modules/security/apparmor-suid.nix
index b03047ac1f1a..bc661164fdc2 100644
--- a/modules/security/apparmor-suid.nix
+++ b/modules/security/apparmor-suid.nix
@@ -29,8 +29,12 @@ with pkgs.lib;
         network inet raw,
 
         ${pkgs.glibc}/lib/*.so mr,
-        /var/setuid-wrappers/ping.real mixr,
-        ${pkgs.iputils}/sbin/ping mixr,
+        ${pkgs.libcap}/lib/libcap.so* mr,
+        ${pkgs.attr}/lib/libattr.so* mr,
+
+        ${pkgs.iputils}/bin/ping mixr,
+        /var/setuid-wrappers/ping.real r,
+
         #/etc/modules.conf r,
 
         ## Site-specific additions and overrides. See local/README for details.
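Review bot: The new rules narrow `/var/setuid-wrappers/ping.real` from `mixr` to `r` and move execute permission to `${pkgs.iputils}/bin/ping mixr,`, but nothing in the profile records the relationship between the setuid wrapper, `ping.real` and the store binary that makes read-only access sufficient. A one-line comment above the two `ping` rules explaining which file is executed and which is only read would keep a later edit from silently re-widening it. The profile text continues outside the hunk.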

From 84c0af80d77348ca9b1d6d3f3ae18e23eb8c5ed5 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Tue, 28 May 2013 16:15:16 +0000
Subject: [PATCH 16/18] apparmor: Fix loading multiple profiles

apparmor's systemd service wasn't working when multiple profiles were
defined, due to the ExecStart commands in the service file being
broken into multiple lines, instead of being separated by ';'.
---
 modules/security/apparmor.nix | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix
index 8aa933e29962..63098fdc6613 100644
--- a/modules/security/apparmor.nix
+++ b/modules/security/apparmor.nix
@@ -53,12 +53,12 @@ with pkgs.lib;
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (profile: ''
-          ${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"
-        '') cfg.profiles;
-        ExecStop = concatMapStrings (profile: ''
-          ${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}"
-        '') cfg.profiles;
+        ExecStart = concatMapStrings (profile:
+          ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
+        ) cfg.profiles;
+        ExecStop = concatMapStrings (profile:
+          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}" ; ''
+        ) cfg.profiles;
       };
 
     };
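Review bot: The rewritten `ExecStart` and `ExecStop` strings end with a trailing ` ; ` after the last profile because the separator is appended to every element; systemd treats a bare `;` as a command separator, and I am not certain its parser accepts an empty trailing command, so the unit may still fail to load with several profiles. `concatStringsSep " ; " (map (profile: ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"'') cfg.profiles)` puts the separator only between commands; the same applies to the `ExecStop` line that the following patch touches. The enclosing service definition starts outside the hunk.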

From 531b5816363534fc53f219241ea08a82b310341e Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia" <rcorreia@wizy.org>
Date: Tue, 28 May 2013 17:49:52 +0000
Subject: [PATCH 17/18] apparmor: Fix service stop

When stopping the apparmor service, the profile removal failed with
parsing errors due to not including the
${pkgs.apparmor}/etc/apparmor.d directory.
---
 modules/security/apparmor.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix
index 63098fdc6613..d4aa0598dd3d 100644
--- a/modules/security/apparmor.nix
+++ b/modules/security/apparmor.nix
@@ -57,7 +57,7 @@ with pkgs.lib;
           ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
         ) cfg.profiles;
         ExecStop = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}" ; ''
+          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
         ) cfg.profiles;
       };
 

From 53390a2da975032ca0b4ad3e830dfa9b98313cbb Mon Sep 17 00:00:00 2001
From: Domen Kozar <domen@dev.si>
Date: Wed, 29 May 2013 00:38:44 +0200
Subject: [PATCH 18/18] add networkmanager_openvpn to systemPackages

---
 modules/services/networking/networkmanager.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/services/networking/networkmanager.nix b/modules/services/networking/networkmanager.nix
index b82f34aa9011..88f1e08b3771 100644
--- a/modules/services/networking/networkmanager.nix
+++ b/modules/services/networking/networkmanager.nix
@@ -94,7 +94,7 @@ in {
       }
     ];
 
-    environment.systemPackages = cfg.packages;
+    environment.systemPackages = cfg.packages ++ [ networkmanager_openvpn ];
 
     users.extraGroups = singleton {
       name = "networkmanager";
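Review bot: `cfg.packages ++ [ networkmanager_openvpn ]` references `networkmanager_openvpn` as a bare name; unless a `with pkgs;` or `inherit (pkgs)` outside the hunk brings it into scope, evaluation fails with an undefined variable, so `pkgs.networkmanager_openvpn` is the safer spelling. Hard-wiring the plugin here also means a user cannot opt out of it, whereas adding it to the default of `cfg.packages` keeps it overridable. The `config` set continues outside the hunk.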