Merge master into staging-next

Frederik Rietdijk 3 years ago
commit 98640fd482
  1. 2
      lib/options.nix
  2. 25
      maintainers/maintainer-list.nix
  3. 21
      nixos/doc/manual/release-notes/rl-1909.xml
  4. 1
      nixos/modules/config/update-users-groups.pl
  5. 6
      nixos/modules/misc/ids.nix
  6. 3
      nixos/modules/module-list.nix
  7. 4
      nixos/modules/rename.nix
  8. 1
      nixos/modules/services/databases/memcached.nix
  9. 252
      nixos/modules/services/mail/rmilter.nix
  10. 5
      nixos/modules/services/misc/zoneminder.nix
  11. 14
      nixos/modules/services/networking/dnschain.nix
  12. 2
      nixos/modules/services/networking/jormungandr.nix
  13. 83
      nixos/modules/services/networking/pdns-recursor.nix
  14. 1
      nixos/modules/services/networking/unifi.nix
  15. 36
      nixos/modules/services/torrent/transmission.nix
  16. 2
      nixos/modules/services/web-apps/matomo.nix
  17. 300
      nixos/modules/services/web-apps/moodle.nix
  18. 77
      nixos/modules/services/web-servers/darkhttpd.nix
  19. 309
      nixos/modules/services/x11/desktop-managers/gnome3.nix
  20. 6
      nixos/modules/system/boot/systemd.nix
  21. 1
      nixos/tests/all-tests.nix
  22. 28
      nixos/tests/jormungandr.nix
  23. 22
      nixos/tests/moodle.nix
  24. 7
      nixos/tests/systemd.nix
  25. 6
      pkgs/applications/altcoins/bitcoin-classic.nix
  26. 16
      pkgs/applications/altcoins/jormungandr/default.nix
  27. 6
      pkgs/applications/audio/vcv-rack/default.nix
  28. 23
      pkgs/applications/editors/emacs-modes/melpa-packages.nix
  29. 4
      pkgs/applications/editors/nano/default.nix
  30. 4
      pkgs/applications/editors/tiled/default.nix
  31. 6
      pkgs/applications/misc/hugo/default.nix
  32. 8
      pkgs/applications/misc/megasync/default.nix
  33. 3
      pkgs/applications/misc/orca/default.nix
  34. 24
      pkgs/applications/misc/rsclock/default.nix
  35. 8
      pkgs/applications/misc/yate/default.nix
  36. 8
      pkgs/applications/networking/browsers/chromium/plugins.nix
  37. 4
      pkgs/applications/networking/browsers/vivaldi/default.nix
  38. 6
      pkgs/applications/networking/cluster/tilt/default.nix
  39. 129
      pkgs/applications/networking/instant-messengers/riot/riot-desktop-yarndeps.nix
  40. 20
      pkgs/applications/networking/instant-messengers/riot/riot-desktop.nix
  41. 17
      pkgs/applications/networking/instant-messengers/riot/update-riot-desktop.sh
  42. 320
      pkgs/applications/networking/instant-messengers/riot/yarn2nix.nix
  43. 4
      pkgs/applications/networking/instant-messengers/slack/default.nix
  44. 4
      pkgs/applications/networking/mumble/overlay.nix
  45. 40
      pkgs/applications/networking/p2p/gnunet/default.nix
  46. 56
      pkgs/applications/networking/p2p/stig/default.nix
  47. 4
      pkgs/applications/networking/sniffers/wireshark/default.nix
  48. 12
      pkgs/applications/networking/ssb/patchwork/default.nix
  49. 74
      pkgs/applications/radio/sdrangel/default.nix
  50. 11
      pkgs/applications/science/logic/stp/default.nix
  51. 9
      pkgs/applications/science/logic/vampire/default.nix
  52. 4
      pkgs/applications/version-management/blackbox/default.nix
  53. 15
      pkgs/applications/version-management/git-and-tools/qgit/default.nix
  54. 63
      pkgs/applications/video/kodi/default.nix
  55. 5
      pkgs/applications/virtualization/singularity/default.nix
  56. 8
      pkgs/applications/window-managers/sway/default.nix
  57. 10
      pkgs/data/themes/obsidian2/default.nix
  58. 9
      pkgs/desktops/gnome-3/core/gnome-color-manager/default.nix
  59. 90
      pkgs/desktops/gnome-3/core/vino/default.nix
  60. 35
      pkgs/desktops/gnome-3/default.nix
  61. 6
      pkgs/desktops/lxqt/compton-conf/default.nix
  62. 6
      pkgs/desktops/lxqt/libfm-qt/default.nix
  63. 13
      pkgs/desktops/lxqt/liblxqt/default.nix
  64. 6
      pkgs/desktops/lxqt/libqtxdg/default.nix
  65. 6
      pkgs/desktops/lxqt/libsysstat/default.nix
  66. 6
      pkgs/desktops/lxqt/lximage-qt/default.nix
  67. 11
      pkgs/desktops/lxqt/lxqt-about/default.nix
  68. 11
      pkgs/desktops/lxqt/lxqt-admin/default.nix
  69. 6
      pkgs/desktops/lxqt/lxqt-archiver/default.nix
  70. 7
      pkgs/desktops/lxqt/lxqt-build-tools/LXQtConfigVars.cmake
  71. 17
      pkgs/desktops/lxqt/lxqt-build-tools/default.nix
  72. 15
      pkgs/desktops/lxqt/lxqt-build-tools/setup-hook.sh
  73. 23
      pkgs/desktops/lxqt/lxqt-config/default.nix
  74. 16
      pkgs/desktops/lxqt/lxqt-globalkeys/default.nix
  75. 16
      pkgs/desktops/lxqt/lxqt-notificationd/default.nix
  76. 11
      pkgs/desktops/lxqt/lxqt-openssh-askpass/default.nix
  77. 20
      pkgs/desktops/lxqt/lxqt-panel/default.nix
  78. 14
      pkgs/desktops/lxqt/lxqt-policykit/default.nix
  79. 16
      pkgs/desktops/lxqt/lxqt-powermanagement/default.nix
  80. 6
      pkgs/desktops/lxqt/lxqt-qtplugin/default.nix
  81. 14
      pkgs/desktops/lxqt/lxqt-runner/default.nix
  82. 18
      pkgs/desktops/lxqt/lxqt-session/default.nix
  83. 11
      pkgs/desktops/lxqt/lxqt-sudo/default.nix
  84. 13
      pkgs/desktops/lxqt/lxqt-themes/default.nix
  85. 6
      pkgs/desktops/lxqt/obconf-qt/default.nix
  86. 6
      pkgs/desktops/lxqt/pavucontrol-qt/default.nix
  87. 13
      pkgs/desktops/lxqt/pcmanfm-qt/default.nix
  88. 6
      pkgs/desktops/lxqt/qlipper/default.nix
  89. 6
      pkgs/desktops/lxqt/qps/default.nix
  90. 6
      pkgs/desktops/lxqt/qterminal/default.nix
  91. 8
      pkgs/desktops/lxqt/qtermwidget/default.nix
  92. 6
      pkgs/desktops/lxqt/screengrab/default.nix
  93. 9
      pkgs/development/compilers/crystal/default.nix
  94. 66
      pkgs/development/compilers/fsharp41/default.nix
  95. 21
      pkgs/development/compilers/fsharp41/fsharp-IsPathRooted-type-inference.patch
  96. 22
      pkgs/development/compilers/fsharp41/fsharp-path-overloads.patch
  97. 13
      pkgs/development/compilers/fsharp41/fsharp-string-switchName.patch
  98. 6
      pkgs/development/compilers/ghc/8.8.1.nix
  99. 9
      pkgs/development/compilers/mono/6.nix
  100. 7
      pkgs/development/compilers/mono/generic.nix

@ -36,7 +36,7 @@ rec {
example ? null,
# String describing the option.
description ? null,
# Related packages used in the manual (see `genRelatedPackages` in ../nixos/doc/manual/default.nix).
# Related packages used in the manual (see `genRelatedPackages` in ../nixos/lib/make-options-doc/default.nix).
relatedPackages ? null,
# Option type, providing type-checking and value merging.
type ? null,

@ -1724,6 +1724,16 @@
fingerprint = "389A 78CB CD88 5E0C 4701 DEB9 FD42 C7D0 D414 94C8";
}];
};
dump_stack = {
email = "root@dumpstack.io";
github = "jollheef";
githubId = 1749762;
name = "Mikhail Klementev";
keys = [{
longkeyid = "rsa4096/0x1525585D1B43C62A";
fingerprint = "5DD7 C6F6 0630 F08E DAE7 4711 1525 585D 1B43 C62A";
}];
};
dxf = {
email = "dingxiangfei2009@gmail.com";
github = "dingxiangfei2009";
@ -2853,6 +2863,15 @@
githubId = 1383440;
name = "Jason Gilliland";
};
jdanek = {
email = "jdanek@redhat.com";
github = "jdanekrh";
keys = [{
longkeyid = "ed25519/0x69275CADF15D872E";
fingerprint = "D4A6 F051 AD58 2E7C BCED 5439 6927 5CAD F15D 872E";
}];
name = "Jiri Daněk";
};
jdehaas = {
email = "qqlq@nullptr.club";
github = "jeroendehaas";
@ -6549,6 +6568,12 @@
githubId = 1525767;
name = "Vaibhav Sagar";
};
valebes = {
email = "valebes@gmail.com";
github = "valebes";
githubid = 10956211;
name = "Valerio Besozzi";
};
valeriangalliat = {
email = "val@codejam.info";
github = "valeriangalliat";
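Review bot: The new `valebes` entry spells the attribute `githubid = 10956211;` in lowercase, whereas the other entries in this file use `githubId` (see the `dump_stack` entry added in the same commit); Nix attribute names are case-sensitive, so any tooling that reads `githubId` will treat this maintainer as having none. Rename it to `githubId = 10956211;`. The `jdanek` entry added in the second hunk carries no `githubId` at all, which may be worth adding for consistency with its neighbours.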

@ -284,6 +284,13 @@
Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4.
</para>
</listitem>
<listitem>
<para>
The <option>services.pdns-recursor.extraConfig</option> option has been replaced by
<option>services.pdns-recursor.settings</option>. The new option allows setting extra
configuration while being better type-checked and mergeable.
</para>
</listitem>
</itemizedlist>
</section>
@ -506,6 +513,20 @@
been removed.
</para>
</listitem>
<listitem>
<para>
The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer.
Use <literal>rspamd</literal> in proxy mode instead.
</para>
</listitem>
<listitem>
<para>
systemd cgroup accounting via the
<link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
option is now enabled by default. It now also enables the more recent Block IO and IP accounting
features.
</para>
</listitem>
</itemizedlist>
</section>
</section>

@ -267,6 +267,7 @@ foreach my $line (-f "/etc/shadow" ? read_file("/etc/shadow") : ()) {
next if !defined $u;
$hashedPassword = "!" if !$spec->{mutableUsers};
$hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME
chomp $hashedPassword;
push @shadowNew, join(":", $name, $hashedPassword, @rest) . "\n";
$shadowSeen{$name} = 1;
}
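Review bot: The added `chomp $hashedPassword;` strips only a single trailing newline, so a `hashedPassword` value containing an embedded `:` or an interior line break would still split the record built by `join(":", $name, $hashedPassword, @rest)` on the next line and corrupt /etc/shadow. A cheap guard next to the chomp would make such a value visible instead of silent, e.g. `warn "warning: hashedPassword for $name contains ':' or a newline\n" if $hashedPassword =~ /[:\n]/;`. The enclosing `foreach my $line (...)` loop starts outside the hunk.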

@ -251,7 +251,7 @@
gale = 223;
matrix-synapse = 224;
rspamd = 225;
rmilter = 226;
# rmilter = 226; # unused, removed 2019-08-22
cfdyndns = 227;
gammu-smsd = 228;
pdnsd = 229;
@ -340,6 +340,7 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
mailman = 316;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -559,7 +560,7 @@
gale = 223;
matrix-synapse = 224;
rspamd = 225;
rmilter = 226;
# rmilter = 226; # unused, removed 2019-08-22
cfdyndns = 227;
pdnsd = 229;
octoprint = 230;
@ -640,6 +641,7 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
mailman = 316;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

@ -387,7 +387,6 @@
./services/mail/spamassassin.nix
./services/mail/rspamd.nix
./services/mail/rss2email.nix
./services/mail/rmilter.nix
./services/mail/roundcube.nix
./services/mail/nullmailer.nix
./services/misc/airsonic.nix
@ -790,6 +789,7 @@
./services/web-apps/mattermost.nix
./services/web-apps/mediawiki.nix
./services/web-apps/miniflux.nix
./services/web-apps/moodle.nix
./services/web-apps/nextcloud.nix
./services/web-apps/nexus.nix
./services/web-apps/pgpkeyserver-lite.nix
@ -803,6 +803,7 @@
./services/web-apps/zabbix.nix
./services/web-servers/apache-httpd/default.nix
./services/web-servers/caddy.nix
./services/web-servers/darkhttpd.nix
./services/web-servers/fcgiwrap.nix
./services/web-servers/hitch/default.nix
./services/web-servers/hydron.nix

@ -72,8 +72,8 @@ with lib;
# PAM
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
(mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead")
(mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead")
# rmilter/rspamd
(mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service")
# Xsession script
(mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ])

@ -103,7 +103,6 @@ in
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
PrivateUsers = true;
MemoryDenyWriteExecute = true;
};
};
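Review bot: Removing `PrivateUsers = true;` from `serviceConfig` relaxes the unit's sandbox (it no longer runs in its own user namespace) and the hunk leaves no record of why, so a later hardening pass is likely to reinstate it and re-trigger whatever problem motivated the removal. Suggest a comment in its place, e.g. `# PrivateUsers intentionally not set: <reason / issue reference>` with the actual cause filled in. The enclosing `serviceConfig` set starts outside the hunk.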

@ -1,252 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
rspamdCfg = config.services.rspamd;
postfixCfg = config.services.postfix;
cfg = config.services.rmilter;
inetSocket = addr: port: "inet:${addr}:${toString port}";
unixSocket = sock: "unix:${sock}";
systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path
else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}";
rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path
else inetSocket cfg.bindSocket.address cfg.bindSocket.port;
rmilterConf = ''
pidfile = /run/rmilter/rmilter.pid;
bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket};
tempdir = /tmp;
'' + (with cfg.rspamd; if enable then ''
spamd {
servers = ${concatStringsSep ", " servers};
connect_timeout = 1s;
results_timeout = 20s;
error_time = 10;
dead_time = 300;
maxerrors = 10;
reject_message = "${rejectMessage}";
${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"}
# rspamd_metric - metric for using with rspamd
# Default: "default"
rspamd_metric = "default";
${extraConfig}
};
'' else "") + cfg.extraConfig;
rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;
in
{
###### interface
options = {
services.rmilter = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to run the rmilter daemon.";
};
debug = mkOption {
type = types.bool;
default = false;
description = "Whether to run the rmilter daemon in debug mode.";
};
user = mkOption {
type = types.string;
default = "rmilter";
description = ''
User to use when no root privileges are required.
'';
};
group = mkOption {
type = types.string;
default = "rmilter";
description = ''
Group to use when no root privileges are required.
'';
};
bindSocket.type = mkOption {
type = types.enum [ "unix" "inet" ];
default = "unix";
description = ''
What kind of socket rmilter should listen on. Either "unix"
for an Unix domain socket or "inet" for a TCP socket.
'';
};
bindSocket.path = mkOption {
type = types.str;
default = "/run/rmilter.sock";
description = ''
Path to Unix domain socket to listen on.
'';
};
bindSocket.address = mkOption {
type = types.str;
default = "[::1]";
example = "0.0.0.0";
description = ''
Inet address to listen on.
'';
};
bindSocket.port = mkOption {
type = types.int;
default = 11990;
description = ''
Inet port to listen on.
'';
};
socketActivation = mkOption {
type = types.bool;
default = true;
description = ''
Enable systemd socket activation for rmilter.
Disabling socket activation is not recommended when a Unix
domain socket is used and could lead to incorrect
permissions.
'';
};
rspamd = {
enable = mkOption {
type = types.bool;
default = rspamdCfg.enable;
description = "Whether to use rspamd to filter mails";
};
servers = mkOption {
type = types.listOf types.str;
default = ["r:/run/rspamd/rspamd.sock"];
description = ''
Spamd socket definitions.
Is server name is prefixed with r: it is rspamd server.
'';
};
whitelist = mkOption {
type = types.listOf types.str;
default = [ ];
description = "list of ips or nets that should be not checked with spamd";
};
rejectMessage = mkOption {
type = types.str;
default = "Spam message rejected; If this is not spam contact abuse";
description = "reject message for spam";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Custom snippet to append to end of `spamd' section";
};
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Custom snippet to append to rmilter config";
};
postfix = {
enable = mkOption {
type = types.bool;
default = false;
description = "Add rmilter to postfix main.conf";
};
configFragment = mkOption {
type = types.str;
description = "Addon to postfix configuration";
default = ''
smtpd_milters = ${rmilterSocket}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
'';
};
};
};
};
###### implementation
config = mkMerge [
(mkIf cfg.enable {
warnings = [
''`config.services.rmilter' is deprecated, `rmilter' deprecated and unsupported by upstream, and will be removed from next releases. Use built-in rspamd milter instead.''
];
users.users = singleton {
name = cfg.user;
description = "rmilter daemon";
uid = config.ids.uids.rmilter;
group = cfg.group;
};
users.groups = singleton {
name = cfg.group;
gid = config.ids.gids.rmilter;
};
systemd.services.rmilter = {
description = "Rmilter Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryMode = "0750";
};
};
systemd.sockets.rmilter = mkIf cfg.socketActivation {
description = "Rmilter service socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = systemdSocket;
SocketUser = cfg.user;
SocketGroup = cfg.group;
SocketMode = "0660";
};
};
})
(mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
users.users.${cfg.user}.extraGroups = [ rspamdCfg.group ];
})
(mkIf (cfg.enable && cfg.postfix.enable) {
services.postfix.extraConfig = cfg.postfix.configFragment;
users.users.${postfixCfg.user}.extraGroups = [ cfg.group ];
})
];
}

@ -200,7 +200,10 @@ in {
"zoneminder/80-nixos.conf".source = configFile;
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
cfg.port
6802 # zmtrigger
];
services = {
fcgiwrap = lib.mkIf useNginx {
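Review bot: With this change `openFirewall = true` also opens TCP 6802 (`zmtrigger`) unconditionally, even on hosts that never run the trigger daemon, which widens the exposed surface for every user of the option. If the module has no setting that indicates whether zmtrigger is in use, consider at least stating in the `openFirewall` description that the trigger port is opened together with `cfg.port`, or gating the entry behind a dedicated option, e.g. `] ++ lib.optional cfg.openTriggerPort 6802` (option name illustrative). The enclosing attribute set continues outside the hunk.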

@ -136,10 +136,16 @@ in
"/.dns/127.0.0.1#${toString cfg.dns.port}"
];
services.pdns-recursor.forwardZones = mkIf cfgs.pdns-recursor.resolveDNSChainQueries
{ bit = "127.0.0.1:${toString cfg.dns.port}";
dns = "127.0.0.1:${toString cfg.dns.port}";
};
services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries {
forwardZones =
{ bit = "127.0.0.1:${toString cfg.dns.port}";
dns = "127.0.0.1:${toString cfg.dns.port}";
};
luaConfig =''
addNTA("bit", "namecoin doesn't support DNSSEC")
addNTA("dns", "namecoin doesn't support DNSSEC")
'';
};
users.users = singleton {
name = username;

@ -13,7 +13,7 @@ let
configSettings = {
storage = dataDir;
p2p = {
public_address = "/ip4/127.0.0.1/tcp/8606";
public_address = "/ip4/127.0.0.1/tcp/8299";
messages = "high";
blocks = "high";
};

@ -6,25 +6,27 @@ let
dataDir = "/var/lib/pdns-recursor";
username = "pdns-recursor";
cfg = config.services.pdns-recursor;
zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
cfg = config.services.pdns-recursor;
configFile = pkgs.writeText "recursor.conf" ''
local-address=${cfg.dns.address}
local-port=${toString cfg.dns.port}
allow-from=${concatStringsSep "," cfg.dns.allowFrom}
oneOrMore = type: with types; either type (listOf type);
valueType = with types; oneOf [ int str bool path ];
configType = with types; attrsOf (nullOr (oneOrMore valueType));
webserver-address=${cfg.api.address}
webserver-port=${toString cfg.api.port}
webserver-allow-from=${concatStringsSep "," cfg.api.allowFrom}
toBool = val: if val then "yes" else "no";
serialize = val: with types;
if str.check val then val
else if int.check val then toString val
else if path.check val then toString val
else if bool.check val then toBool val
else if builtins.isList val then (concatMapStringsSep "," serialize val)
else "";
forward-zones=${concatStringsSep "," zones}
export-etc-hosts=${if cfg.exportHosts then "yes" else "no"}
dnssec=${cfg.dnssecValidation}
serve-rfc1918=${if cfg.serveRFC1918 then "yes" else "no"}
configFile = pkgs.writeText "recursor.conf"
(concatStringsSep "\n"
(flip mapAttrsToList cfg.settings
(name: val: "${name}=${serialize val}")));
${cfg.extraConfig}
'';
mkDefaultAttrs = mapAttrs (n: v: mkDefault v);
in {
options.services.pdns-recursor = {
@ -117,17 +119,55 @@ in {
'';
};
extraConfig = mkOption {
settings = mkOption {
type = configType;
default = { };
example = literalExample ''
{
loglevel = 8;
log-common-errors = true;
}
'';
description = ''
PowerDNS Recursor settings. Use this option to configure Recursor
settings not exposed in a NixOS option or to bypass one.
See the full documentation at
<link xlink:href="https://doc.powerdns.com/recursor/settings.html"/>
for the available options.
'';
};
luaConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra options to be appended to the configuration file.
The content Lua configuration file for PowerDNS Recursor. See
<link xlink:href="https://doc.powerdns.com/recursor/lua-config/index.html"/>.
'';
};
};
config = mkIf cfg.enable {
services.pdns-recursor.settings = mkDefaultAttrs {
local-address = cfg.dns.address;
local-port = cfg.dns.port;
allow-from = cfg.dns.allowFrom;
webserver-address = cfg.api.address;
webserver-port = cfg.api.port;
webserver-allow-from = cfg.api.allowFrom;
forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
export-etc-hosts = cfg.exportHosts;
dnssec = cfg.dnssecValidation;
serve-rfc1918 = cfg.serveRFC1918;
lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig;
log-timestamp = false;
disable-syslog = true;
};
users.users."${username}" = {
home = dataDir;
createHome = true;
@ -150,8 +190,7 @@ in {
AmbientCapabilities = "cap_net_bind_service";
ExecStart = ''${pkgs.pdns-recursor}/bin/pdns_recursor \
--config-dir=${dataDir} \
--socket-dir=${dataDir} \
--disable-syslog
--socket-dir=${dataDir}
'';
};
@ -165,4 +204,10 @@ in {
'';
};
};
imports = [
(mkRemovedOptionModule [ "services" "pdns-recursor" "extraConfig" ]
"To change extra Recursor settings use services.pdns-recursor.settings instead.")
];
}
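Review bot: `serialize` in the `let` block falls through to `""` for any value it does not recognise, and `configType` explicitly admits `null`, so a setting assigned `null` is rendered as a bare `name=` line in recursor.conf instead of being omitted; because the module's own defaults are applied with `mkDefault`, a user who sets one of them to `null` to suppress it gets an empty directive rather than none. Drop nulls before rendering, e.g. `(flip mapAttrsToList (filterAttrs (_: v: v != null) cfg.settings)`, and consider turning the final `else ""` of `serialize` into an explicit `throw` so unsupported values fail at evaluation rather than silently becoming empty. `filterAttrs` is available from the same `lib` scope that presumably supplies `mapAttrsToList` here.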

@ -176,6 +176,7 @@ in
Type = "simple";
ExecStart = "${(removeSuffix "\n" cmd)} start";
ExecStop = "${(removeSuffix "\n" cmd)} stop";
Restart = "on-failure";
User = "unifi";
UMask = "0077";
WorkingDirectory = "${stateDir}";

@ -84,6 +84,18 @@ in
The directory where transmission will create files.
'';
};
user = mkOption {
type = types.str;
default = "transmission";
description = "User account under which Transmission runs.";
};
group = mkOption {
type = types.str;
default = "transmission";
description = "Group account under which Transmission runs.";
};
};
};
@ -99,7 +111,8 @@ in
serviceConfig.ExecStartPre = preStart;
serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port}";
serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
serviceConfig.User = "transmission";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
# NOTE: transmission has an internal umask that also must be set (in settings.json)
serviceConfig.UMask = "0002";
};
@ -107,14 +120,19 @@ in
# It's useful to have transmission in path, e.g. for remote control
environment.systemPackages = [ pkgs.transmission ];
users.groups.transmission.gid = config.ids.gids.transmission;
users.users.transmission = {
group = "transmission";
uid = config.ids.uids.transmission;
description = "Transmission BitTorrent user";
home = homeDir;
createHome = true;
};
users.users = optionalAttrs (cfg.user == "transmission") (singleton
{ name = "transmission";
group = cfg.group;
uid = config.ids.uids.transmission;
description = "Transmission BitTorrent user";
home = homeDir;
createHome = true;
});
users.groups = optionalAttrs (cfg.group == "transmission") (singleton
{ name = "transmission";
gid = config.ids.gids.transmission;
});
# AppArmor profile
security.apparmor.profiles = mkIf apparmor [
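Review bot: `users.users = optionalAttrs (cfg.user == "transmission") (singleton { name = "transmission"; ... })` hands a list to `optionalAttrs`, so the option receives a one-element list when the condition holds and `{}` otherwise; that presumably only evaluates because `users.users` still accepts the legacy list-of-attrs form, and the `users.groups` assignment below it has the same shape. Writing both as attribute sets, `optionalAttrs (cfg.user == "transmission") { transmission = { group = cfg.group; uid = config.ids.uids.transmission; ...; }; }`, keeps the type consistent and avoids the coercion. It is also worth confirming that a custom `cfg.user` still matches the AppArmor profile referenced just below the hunk, since the profile text is outside this view.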

@ -176,7 +176,7 @@ in {
# Use User-Private Group scheme to protect Matomo data, but allow administration / backup via 'matomo' group
# Copy config folder
chmod g+s "${dataDir}"
cp -r "${cfg.package}/config" "${dataDir}/"
cp -r "${cfg.package}/share/config" "${dataDir}/"
chmod -R u+rwX,g+rwX,o-rwx "${dataDir}"
# check whether user setup has already been done

@ -0,0 +1,300 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types;
inherit (lib) concatStringsSep literalExample mapAttrsToList optional optionalString;
cfg = config.services.moodle;
fpm = config.services.phpfpm.pools.moodle;
user = "moodle";
group = config.services.httpd.group;
stateDir = "/var/lib/moodle";
moodleConfig = pkgs.writeText "config.php" ''
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = '${ { "mysql" = "mariadb"; "pgsql" = "pgsql"; }.${cfg.database.type} }';
$CFG->dblibrary = 'native';
$CFG->dbhost = '${cfg.database.host}';
$CFG->dbname = '${cfg.database.name}';
$CFG->dbuser = '${cfg.database.user}';
${optionalString (cfg.database.passwordFile != null) "$CFG->dbpass = file_get_contents('${cfg.database.passwordFile}');"}
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => '${toString cfg.database.port}',
${optionalString (cfg.database.socket != null) "'dbsocket' => '${cfg.database.socket}',"}
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = '${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}';
$CFG->dataroot = '${stateDir}';
$CFG->admin = 'admin';
$CFG->directorypermissions = 02777;
$CFG->disableupdateautodeploy = true;
$CFG->pathtogs = '${pkgs.ghostscript}/bin/gs';
$CFG->pathtophp = '${pkgs.php}/bin/php';
$CFG->pathtodu = '${pkgs.coreutils}/bin/du';
$CFG->aspellpath = '${pkgs.aspell}/bin/aspell';
$CFG->pathtodot = '${pkgs.graphviz}/bin/dot';
require_once('${cfg.package}/share/moodle/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
'';
mysqlLocal = cfg.database.createLocally && cfg.database.type == "mysql";
pgsqlLocal = cfg.database.createLocally && cfg.database.type == "pgsql";
in
{
# interface
options.services.moodle = {
enable = mkEnableOption "Moodle web application";
package = mkOption {
type = types.package;
default = pkgs.moodle;
defaultText = "pkgs.moodle";
description = "The Moodle package to use.";
};
initialPassword = mkOption {
type = types.str;
example = "correcthorsebatterystaple";
description = ''
Specifies the initial password for the admin, i.e. the password assigned if the user does not already exist.
The password specified here is world-readable in the Nix store, so it should be changed promptly.
'';
};
database = {
type = mkOption {
type = types.enum [ "mysql" "pgsql" ];
default = "mysql";
description = ''Database engine to use.'';
};
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.int;
description = "Database host port.";
default = {
"mysql" = 3306;
"pgsql" = 5432;
}.${cfg.database.type};
defaultText = "3306";
};
name = mkOption {
type = types.str;
default = "moodle";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = "moodle";
description = "Database user.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/moodle-dbpassword";
description = ''
A file containing the password corresponding to
<option>database.user</option>.
'';
};
socket = mkOption {
type = types.nullOr types.path;
default =
if mysqlLocal then "/run/mysqld/mysqld.sock"
else if pgsqlLocal then "/run/postgresql"
else null;
defaultText = "/run/mysqld/mysqld.sock";
description = "Path to the unix socket file to use for authentication.";
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
virtualHost = mkOption {
type = types.submodule ({
options = import ../web-servers/apache-httpd/per-server-options.nix {
inherit lib;
forMainServer = false;
};
});
example = {
hostName = "moodle.example.org";
enableSSL = true;
adminAddr = "webmaster@example.org";
sslServerCert = "/var/lib/acme/moodle.example.org/full.pem";
sslServerKey = "/var/lib/acme/moodle.example.org/key.pem";
};
description = ''
Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>.
See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
'';
};
poolConfig = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the Moodle PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
};
};
# implementation
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
message = "services.moodle.database.user must be set to ${user} if services.moodle.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = "a password cannot be specified if services.moodle.database.createLocally is set to true";
}
];
services.mysql = mkIf mysqlLocal {
enable = true;
package = mkDefault pkgs.mariadb;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = {
"${cfg.database.name}.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, ALTER";
};
}
];
};
services.postgresql = mkIf pgsqlLocal {
enable = true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
}
];
};
services.phpfpm.pools.moodle = {
inherit user group;
phpEnv.MOODLE_CONFIG = "${moodleConfig}";
phpOptions = ''
zend_extension = opcache.so
opcache.enable = 1
'';
settings = {
"listen.owner" = config.services.httpd.user;
"listen.group" = config.services.httpd.group;
} // cfg.poolConfig;
};
services.httpd = {
enable = true;
adminAddr = mkDefault cfg.virtualHost.adminAddr;
extraModules = [ "proxy_fcgi" ];
virtualHosts = [ (mkMerge [
cfg.virtualHost {
documentRoot = mkForce "${cfg.package}/share/moodle";
extraConfig = ''
<Directory "${cfg.package}/share/moodle">
<FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
</If>
</FilesMatch>
Options -Indexes
DirectoryIndex index.php
</Directory>
'';
}
]) ];
};
systemd.tmpfiles.rules = [
"d '${stateDir}' 0750 ${user} ${group} - -"
];
systemd.services.moodle-init = {
wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-moodle.service" ];
after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
environment.MOODLE_CONFIG = moodleConfig;
script = ''
${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/check_database_schema.php && rc=$? || rc=$?
[ "$rc" == 1 ] && ${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/upgrade.php \
--non-interactive \
--allow-unstable
[ "$rc" == 2 ] && ${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/install_database.php \
--agree-license \
--adminpass=${cfg.initialPassword}
true
'';
serviceConfig = {
User = user;
Group = group;
Type = "oneshot";
};
};
systemd.services.moodle-cron = {
description = "Moodle cron service";
after = [ "moodle-init.service" ];
environment.MOODLE_CONFIG = moodleConfig;
serviceConfig = {
User = user;
Group = group;
ExecStart = "${pkgs.php}/bin/php ${cfg.package}/share/moodle/admin/cli/cron.php";
};
};
systemd.timers.moodle-cron = {
description = "Moodle cron timer";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "minutely";
};
};
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
users.users."${user}".group = group;
};
}
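Review bot: In `moodleConfig`, `$CFG->dbpass = file_get_contents('${cfg.database.passwordFile}');` passes the file contents verbatim, so a password file ending in a newline (the usual result of `echo` or an editor) yields a wrong password and a failed database login; wrap it as `$CFG->dbpass = trim(file_get_contents('${cfg.database.passwordFile}'));`. Separately, `--adminpass=${cfg.initialPassword}` in the `moodle-init` script exposes the initial admin password on the process command line while the installer runs, in addition to the Nix-store exposure already noted in the option description; that caveat could be added to the description alongside the existing sentence.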

@ -0,0 +1,77 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.darkhttpd;
args = concatStringsSep " " ([
cfg.rootDir
"--port ${toString cfg.port}"
"--addr ${cfg.address}"
] ++ cfg.extraArgs
++ optional cfg.hideServerId "--no-server-id"
++ optional config.networking.enableIPv6 "--ipv6");
in {
options.services.darkhttpd = with types; {
enable = mkEnableOption "DarkHTTPd web server";
port = mkOption {
default = 80;
type = ints.u16;
description = ''
Port to listen on.
Pass 0 to let the system choose any free port for you.
'';
};
address = mkOption {
default = "127.0.0.1";
type = str;
description = ''
Address to listen on.
Pass `all` to listen on all interfaces.
'';
};
rootDir = mkOption {
type = path;
description = ''
Path from which to serve files.
'';
};
hideServerId = mkOption {
type = bool;
default = true;
description = ''
Don't identify the server type in headers or directory listings.
'';
};
extraArgs = mkOption {
type = listOf str;
default = [];
description = ''
Additional configuration passed to the executable.
'';
};
};
config = mkIf cfg.enable {
systemd.services.darkhttpd = {
description = "Dark HTTPd";
wants = [ "network.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
ExecStart = "${cfg.package}/bin/darkhttpd ${args}";
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
Restart = "on-failure";
RestartSec = "2s";
};
};
};
}
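Review bot: `ExecStart = "${cfg.package}/bin/darkhttpd ${args}"` reads `cfg.package`, but `options.services.darkhttpd` declares no `package` option (only `enable`, `port`, `address`, `rootDir`, `hideServerId` and `extraArgs` are visible), so enabling the module should fail at evaluation with an undefined attribute; add the option as below, or reference `pkgs.darkhttpd` directly. A smaller point is that `args` joins `cfg.rootDir` and `cfg.extraArgs` with spaces into an unquoted ExecStart string, so a root directory whose path contains whitespace is split into several arguments; building the list with `escapeShellArgs` would avoid that.

```nix
  options.services.darkhttpd = with types; {
    enable = mkEnableOption "DarkHTTPd web server";

    package = mkOption {
      type = package;
      default = pkgs.darkhttpd;
      defaultText = "pkgs.darkhttpd";
      description = "The darkhttpd package to use.";
    };

    # … unchanged: port, address, rootDir, hideServerId, extraArgs …
```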

@ -3,7 +3,9 @@
with lib;
let
cfg = config.services.xserver.desktopManager.gnome3;
serviceCfg = config.services.gnome3;
# Prioritize nautilus by default when opening directories
mimeAppsList = pkgs.writeTextFile {
@ -45,10 +47,19 @@ let
flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0;
in {
in
{
options = {
services.gnome3 = {
core-os-services.enable = mkEnableOption "essential services for GNOME3";
core-shell.enable = mkEnableOption "GNOME Shell services";
core-utilities.enable = mkEnableOption "GNOME core utilities";
games.enable = mkEnableOption "GNOME games";
};
services.xserver.desktopManager.gnome3 = {
enable = mkOption {
default = false;
@ -121,138 +132,194 @@ in {
};
config = mkIf cfg.enable {
# Enable helpful DBus services.
security.polkit.enable = true;