Merge remote-tracking branch 'upstream/master' into HEAD

NixOS · Aug 14, 2017 · 62dac1b · 62dac1b
2 parents d87f53b + eb9f427
commit 62dac1b
Show file tree

Hide file tree

Showing 270 changed files with 1,295 additions and 450 deletions.
diff --git a/doc/overlays.xml b/doc/overlays.xml
@@ -8,59 +8,62 @@
 overlays. Overlays are used to add layers in the fix-point used by Nixpkgs
 to compose the set of all packages.</para>
 
+<para>Nixpkgs can be configured with a list of overlays, which are
+applied in order. This means that the order of the overlays can be significant
+if multiple layers override the same package.</para>
+
 <!--============================================================-->
 
 <section xml:id="sec-overlays-install">
-<title>Installing Overlays</title>
+<title>Installing overlays</title>
 
-<para>The set of overlays is looked for in the following places. The
-first one present is considered, and all the rest are ignored:
+<para>The list of overlays is determined as follows:
 
 <orderedlist>
 
   <listitem>
+    <para>First, if an <varname>overlays</varname> argument to the nixpkgs function itself is given,
+    then that is used. This can be passed explicitly when importing nipxkgs, for example 
+    <literal>import &lt;nixpkgs> { overlays = [ overlay1 overlay2 ] }</literal>.</para>
 
-    <para>As an argument of the imported attribute set. When importing Nixpkgs,
-    the <varname>overlays</varname> attribute argument can be set to a list of
-    functions, which is described in <xref linkend="sec-overlays-layout"/>.</para>
-
+    <para>On a NixOS system the value of the <literal>nixpkgs.overlays</literal> option, if present, 
+    is passed to the system Nixpkgs in this way. Note that this does not affect the overlays for
+    non-NixOS operations (e.g. <literal>nix-env</literal>), which are looked up independently.</para>
   </listitem>
 
   <listitem>
+    <para>Otherwise, if the Nix path entry <literal>&lt;nixpkgs-overlays></literal> exists and is a 
+    directory, then the result is the set of overlays found in that directory, ordered lexicographically.</para> 
 
-    <para>In the directory pointed to by the Nix search path entry
-    <literal>&lt;nixpkgs-overlays></literal>.</para>
+    <para>See the section on <literal>NIX_PATH</literal> in the Nix manual for more details on how to 
+    set a value for <literal>&lt;nixpkgs-overlays>.</literal></para>
   </listitem>
 
   <listitem>
-
-    <para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
+    <para>Otherwise, if <filename>~/.config/nixpkgs/overlays/</filename> exists and is a directory, then
+    the result is the set of overlays found in that directory, ordered lexicographically.</para>
   </listitem>
 
 </orderedlist>
 </para>
 
-<para>For the second and third options, the directory should contain Nix expressions defining the
-overlays. Each overlay can be a file, a directory containing a
-<filename>default.nix</filename>, or a symlink to one of those. The expressions should follow
-the syntax described in <xref linkend="sec-overlays-layout"/>.</para>
+<para>For the second and third options, overlays are extracted from the given directory as files, 
+directories containing a <filename>default.nix</filename>, or symlinks to one of those.</para>
 
-<para>The order of the overlay layers can influence the recipe of packages if multiple layers override
-the same recipe. In the case where overlays are loaded from a directory, they are loaded in
-alphabetical order.</para>
-
-<para>To install an overlay using the last option, you can clone the overlay's repository and add
-a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
+<para>The last option provides a convenient way to install an overlay from a repository, 
+by cloning the overlay's repository and adding a symbolic link to it in 
+<filename>~/.config/nixpkgs/overlays/</filename>.</para>
 
 </section>
 
 <!--============================================================-->
 
-<section xml:id="sec-overlays-layout">
-<title>Overlays Layout</title>
+<section xml:id="sec-overlays-definition">
+<title>Defining overlays</title>
 
-<para>Overlays are expressed as Nix functions which accept 2 arguments and return a set of
-packages.</para>
+<para>Overlays are Nix functions which accept two arguments, 
+conventionally called <varname>self</varname> and <varname>super</varname>, 
+and return a set of packages. For example, the following is a valid overlay.</para>
 
 <programlisting>
 self: super:
@@ -75,25 +78,31 @@ self: super:
 }
 </programlisting>
 
-<para>The first argument, usually named <varname>self</varname>, corresponds to the final package
+<para>The first argument (<varname>self</varname>) corresponds to the final package
 set. You should use this set for the dependencies of all packages specified in your
 overlay. For example, all the dependencies of <varname>rr</varname> in the example above come
 from <varname>self</varname>, as well as the overridden dependencies used in the
 <varname>boost</varname> override.</para>
 
-<para>The second argument, usually named <varname>super</varname>,
+<para>The second argument (<varname>super</varname>)
 corresponds to the result of the evaluation of the previous stages of
 Nixpkgs. It does not contain any of the packages added by the current
-overlay nor any of the following overlays. This set should be used either
+overlay, nor any of the following overlays. This set should be used either
 to refer to packages you wish to override, or to access functions defined
 in Nixpkgs. For example, the original recipe of <varname>boost</varname>
 in the above example, comes from <varname>super</varname>, as well as the
 <varname>callPackage</varname> function.</para>
 
 <para>The value returned by this function should be a set similar to
-<filename>pkgs/top-level/all-packages.nix</filename>, which contains
+<filename>pkgs/top-level/all-packages.nix</filename>, containing
 overridden and/or new packages.</para>
 
+<para>Overlays are similar to other methods for customizing Nixpkgs, in particular
+the <literal>packageOverrides</literal> attribute described in <xref linkend="sec-modify-via-packageOverrides"/>.
+Indeed, <literal>packageOverrides</literal> acts as an overlay with only the 
+<varname>super</varname> argument. It is therefore appropriate for basic use, 
+but overlays are more powerful and easier to distribute.</para>
+
 </section>
 
 </chapter>
diff --git a/lib/maintainers.nix b/lib/maintainers.nix
@@ -521,6 +521,7 @@
   schneefux = "schneefux <schneefux+nixos_pkg@schneefux.xyz>";
   schristo = "Scott Christopher <schristopher@konputa.com>";
   scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
+  sdll = "Sasha Illarionov <sasha.delly@gmail.com>";
   sepi = "Raffael Mancini <raffael@mancini.lu>";
   seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
   shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
@@ -335,7 +335,7 @@
       dialout = 27;
       #polkituser = 28; # currently unused, polkitd doesn't need a group
       utmp = 29;
-      #ddclient = 30; # unused
+      ddclient = 30;
       davfs2 = 31;
       disnix = 33;
       osgi = 34;

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -185,6 +185,7 @@
   ./services/databases/neo4j.nix
   ./services/databases/openldap.nix
   ./services/databases/opentsdb.nix
+  ./services/databases/postage.nix
   ./services/databases/postgresql.nix
   ./services/databases/redis.nix
   ./services/databases/riak.nix

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
@@ -59,4 +59,10 @@ with lib;
   # the feature at runtime.  Attempting to create a user namespace
   # with unshare will then fail with "no space left on device".
   boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
+
+  # Raise ASLR entropy for 64bit & 32bit, respectively.
+  #
+  # Note: mmap_rnd_compat_bits may not exist on 64bit.
+  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
+  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
 }
diff --git a/nixos/modules/services/databases/postage.nix b/nixos/modules/services/databases/postage.nix
@@ -0,0 +1,205 @@
+{ lib, pkgs, config, ... } :
+
+with lib;
+
+let
+  cfg = config.services.postage;
+
+  confFile = pkgs.writeTextFile {
+    name = "postage.conf";
+    text =  ''
+      connection_file = ${postageConnectionsFile}
+
+      allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}
+
+      postage_port = ${toString cfg.port}
+
+      super_only = ${builtins.toJSON cfg.superOnly}
+
+      ${optionalString (!isNull cfg.loginGroup) "login_group = ${cfg.loginGroup}"}
+
+      login_timeout = ${toString cfg.loginTimeout}
+
+      web_root = ${cfg.package}/etc/postage/web_root
+
+      data_root = ${cfg.dataRoot}
+
+      ${optionalString (!isNull cfg.tls) ''
+      tls_cert = ${cfg.tls.cert}
+      tls_key = ${cfg.tls.key}
+      ''}
+
+      log_level = ${cfg.logLevel}
+    '';
+  };
+
+  postageConnectionsFile = pkgs.writeTextFile {
+    name = "postage-connections.conf";
+    text = concatStringsSep "\n"
+      (mapAttrsToList (name : conn : "${name}: ${conn}") cfg.connections);
+  };
+
+  postage = "postage";
+in {
+
+  options.services.postage = {
+    enable = mkEnableOption "PostgreSQL Administration for the web";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.postage;
+      defaultText = "pkgs.postage";
+      description = ''
+        The postage package to use.
+      '';
+    };
+
+    connections = mkOption {
+      type = types.attrsOf types.str;
+      default = {};
+      example = {
+        "nuc-server"  = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
+        "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
+      };
+      description = ''
+        Postage requires at least one PostgreSQL server be defined.
+        </para><para>
+        Detailed information about PostgreSQL connection strings is available at:
+        <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
+        </para><para>
+        Note that you should not specify your user name or password. That
+        information will be entered on the login screen. If you specify a
+        username or password, it will be removed by Postage before attempting to
+        connect to a database.
+      '';
+    };
+
+    allowCustomConnections = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        This tells Postage whether or not to allow anyone to use a custom
+        connection from the login screen.
+      '';
+    };
+
+    port = mkOption {
+      type = types.int;
+      default = 8080;
+      description = ''
+        This tells Postage what port to listen on for browser requests.
+      '';
+    };
+
+    localOnly = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        This tells Postage whether or not to set the listening socket to local
+        addresses only.
+      '';
+    };
+
+    superOnly = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        This tells Postage whether or not to only allow super users to
+        login. The recommended value is true and will restrict users who are not
+        super users from logging in to any PostgreSQL instance through
+        Postage. Note that a connection will be made to PostgreSQL in order to
+        test if the user is a superuser.
+      '';
+    };
+
+    loginGroup = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        This tells Postage to only allow users in a certain PostgreSQL group to
+        login to Postage. Note that a connection will be made to PostgreSQL in
+        order to test if the user is a member of the login group.
+      '';
+    };
+
+    loginTimeout = mkOption {
+      type = types.int;
+      default = 3600;
+      description = ''
+        Number of seconds of inactivity before user is automatically logged
+        out.
+      '';
+    };
+
+    dataRoot = mkOption {
+      type = types.str;
+      default = "/var/lib/postage";
+      description = ''
+        This tells Postage where to put the SQL file history. All tabs are saved
+        to this location so that if you get disconnected from Postage you
+        don't lose your work.
+      '';
+    };
+
+    tls = mkOption {
+      type = types.nullOr (types.submodule {
+        options = {
+          cert = mkOption {
+            type = types.str;
+            description = "TLS certificate";
+          };
+          key = mkOption {
+            type = types.str;
+            description = "TLS key";
+          };
+        };
+      });
+      default = null;
+      description = ''
+        These options tell Postage where the TLS Certificate and Key files
+        reside. If you use these options then you'll only be able to access
+        Postage through a secure TLS connection. These options are only
+        necessary if you wish to connect directly to Postage using a secure TLS
+        connection. As an alternative, you can set up Postage in a reverse proxy
+        configuration. This allows your web server to terminate the secure
+        connection and pass on the request to Postage. You can find help to set
+        up this configuration in:
+        <link xlink:href="https://github.com/workflowproducts/postage/blob/master/INSTALL_NGINX.md"/>
+      '';
+    };
+
+    logLevel = mkOption {
+      type = types.enum ["error" "warn" "notice" "info"];
+      default = "error";
+      description = ''
+        Verbosity of logs
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.postage = {
+      description = "postage - PostgreSQL Administration for the web";
+      wants    = [ "postgresql.service" ];
+      after    = [ "postgresql.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User         = postage;
+        Group        = postage;
+        ExecStart    = "${pkgs.postage}/sbin/postage -c ${confFile}" +
+                       optionalString cfg.localOnly " --local-only=true";
+      };
+    };
+    users = {
+      users."${postage}" = {
+        name  = postage;
+        group = postage;
+        home  = cfg.dataRoot;
+        createHome = true;
+      };
+      groups."${postage}" = {
+        name = postage;
+      };
+    };
+  };
+}
diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix
@@ -26,7 +26,9 @@ let
 
       for file in $out/*; do
         case "$file" in
-            plugin.sh) continue;;
+            */plugin.sh|*/plugins.history)
+              chmod +x "$file"
+              continue;;
         esac
 
         # read magic makers from the file