Merge branch 'master' into staging

NixOS · Jan 9, 2017 · bba12a6 · bba12a6
2 parents abcd344 + 41b69a0
commit bba12a6
Show file tree

Hide file tree

Showing 97 changed files with 2,090 additions and 809 deletions.
diff --git a/lib/licenses.nix b/lib/licenses.nix
@@ -449,6 +449,12 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
     fullName = "Sleepycat License";
   };
 
+  smail = {
+    shortName = "smail";
+    fullName = "SMAIL General Public License";
+    url = http://metadata.ftp-master.debian.org/changelogs/main/d/debianutils/debianutils_4.8.1_copyright;
+  };
+
   tcltk = spdx {
     spdxId = "TCL";
     fullName = "TCL/TK License";

diff --git a/lib/maintainers.nix b/lib/maintainers.nix
@@ -237,6 +237,7 @@
   KibaFox = "Kiba Fox <kiba.fox@foxypossibilities.com>";
   kierdavis = "Kier Davis <kierdavis@gmail.com>";
   kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
+  knedlsepp = "Josef Kemetmüller <josef.kemetmueller@gmail.com>";
   koral = "Koral <koral@mailoo.org>";
   kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
   kragniz = "Louis Taylor <louis@kragniz.eu>";

diff --git a/nixos/lib/test-driver/Machine.pm b/nixos/lib/test-driver/Machine.pm
@@ -611,11 +611,37 @@ sub copyFileFromHost {
 }
 
 
+my %charToKey = (
+    '!' => "shift-0x02",
+    '@' => "shift-0x03",
+    '#' => "shift-0x04",
+    '$' => "shift-0x05",
+    '%' => "shift-0x06",
+    '^' => "shift-0x07",
+    '&' => "shift-0x08",
+    '*' => "shift-0x09",
+    '(' => "shift-0x0A",
+    ')' => "shift-0x0B",
+    '-' => "0x0C", '_' => "shift-0x0C",
+    '=' => "0x0D", '+' => "shift-0x0D",
+    '[' => "0x1A", '{' => "shift-0x1A",
+    ']' => "0x1B", '}' => "shift-0x1B",
+    ';' => "0x27", ':' => "shift-0x27",
+   '\'' => "0x28", '"' => "shift-0x28",
+    '`' => "0x29", '~' => "shift-0x29",
+   '\\' => "0x2B", '|' => "shift-0x2B",
+    ',' => "0x33", '<' => "shift-0x33",
+    '.' => "0x34", '>' => "shift-0x34",
+    '/' => "0x35", '?' => "shift-0x35",
+    ' ' => "spc",
+   "\n" => "ret",
+);
+
+
 sub sendKeys {
     my ($self, @keys) = @_;
     foreach my $key (@keys) {
-        $key = "spc" if $key eq " ";
-        $key = "ret" if $key eq "\n";
+        $key = $charToKey{$key} if exists $charToKey{$key};
         $self->sendMonitorCommand("sendkey $key");
     }
 }

diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix
@@ -212,6 +212,7 @@ in {
       # Allow PulseAudio to get realtime priority using rtkit.
       security.rtkit.enable = true;
 
+      systemd.packages = [ cfg.package ];
     })
 
     (mkIf hasZeroconf {
@@ -227,31 +228,14 @@ in {
         target = "pulse/default.pa";
         source = myConfigFile;
       };
-
       systemd.user = {
         services.pulseaudio = {
-          description = "PulseAudio Server";
-          # NixOS doesn't support "Also" so we bring it in manually
-          wantedBy = [ "default.target" ];
           serviceConfig = {
-            Type = "notify";
-            ExecStart = binaryNoDaemon;
-            Restart = "on-failure";
             RestartSec = "500ms";
           };
           environment = { DISPLAY = ":${toString config.services.xserver.display}"; };
           restartIfChanged = true;
         };
-
-        sockets.pulseaudio = {
-          description = "PulseAudio Socket";
-          wantedBy = [ "sockets.target" ];
-          socketConfig = {
-            Priority = 6;
-            Backlog = 5;
-            ListenStream = "%t/pulse/native";
-          };
-        };
       };
     })
 

diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -232,8 +232,6 @@ in
     system.boot.loader.kernelFile = "bzImage";
     environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
 
-    boot.consoleLogLevel = mkDefault 7;
-
     # In stage 1 of the boot, mount the CD as the root FS by label so
     # that we don't need to know its device.  We pass the label of the
     # root filesystem on the kernel command line, rather than in

diff --git a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
@@ -27,7 +27,6 @@ in
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
-  boot.consoleLogLevel = 7;
 
   # FIXME: this probably should be in installation-device.nix
   users.extraUsers.root.initialHashedPassword = "";

diff --git a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
@@ -26,7 +26,6 @@ in
   boot.loader.generic-extlinux-compatible.enable = true;
 
   boot.kernelPackages = pkgs.linuxPackages_rpi;
-  boot.consoleLogLevel = 7;
 
   # FIXME: this probably should be in installation-device.nix
   users.extraUsers.root.initialHashedPassword = "";

diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix
@@ -30,8 +30,6 @@ with lib;
     system.boot.loader.kernelFile = "bzImage";
     environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
 
-    boot.consoleLogLevel = mkDefault 7;
-
     fileSystems."/" =
       { fsType = "tmpfs";
         options = [ "mode=0755" ];

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -308,8 +308,13 @@
   ./services/monitoring/munin.nix
   ./services/monitoring/nagios.nix
   ./services/monitoring/prometheus/default.nix
-  ./services/monitoring/prometheus/node-exporter.nix
   ./services/monitoring/prometheus/alertmanager.nix
+  ./services/monitoring/prometheus/blackbox-exporter.nix
+  ./services/monitoring/prometheus/json-exporter.nix
+  ./services/monitoring/prometheus/nginx-exporter.nix
+  ./services/monitoring/prometheus/node-exporter.nix
+  ./services/monitoring/prometheus/snmp-exporter.nix
+  ./services/monitoring/prometheus/varnish-exporter.nix
   ./services/monitoring/riemann.nix
   ./services/monitoring/riemann-dash.nix
   ./services/monitoring/riemann-tools.nix

diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix
@@ -70,5 +70,11 @@ with lib;
     # the initrd builder.
     system.extraDependencies = [ pkgs.stdenv pkgs.busybox pkgs.perlPackages.ArchiveCpio ];
 
+    # Show all debug messages from the kernel but don't log refused packets
+    # because we have the firewall enabled. This makes installs from the
+    # console less cumbersome if the machine has a public IP.
+    boot.consoleLogLevel = mkDefault 7;
+    networking.firewall.logRefusedConnections = mkDefault false;
+
   };
 }
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
@@ -67,52 +67,30 @@ options for the <literal>security.acme</literal> module.</para>
 </section>
 
 <section><title>Using ACME certificates in Nginx</title>
-<para>In practice ACME is mostly used for retrieval and renewal of
-  certificates that will be used in a webserver like Nginx. A configuration for
-  Nginx that uses the certificates from ACME for
-  <literal>foo.example.com</literal> will look similar to:
+<para>NixOS supports fetching ACME certificates for you by setting
+<literal>enableACME = true;</literal> in a virtualHost config. We
+first create self-signed placeholder certificates in place of the
+real ACME certs. The placeholder certs are overwritten when the ACME
+certs arrive. For <literal>foo.example.com</literal> the config would
+look like.
 </para>
 
 <programlisting>
-security.acme.certs."foo.example.com" = {
-  webroot = config.security.acme.directory + "/acme-challenge";
-  email = "foo@example.com";
-  user = "nginx";
-  group = "nginx";
-  postRun = "systemctl restart nginx.service";
-};
-services.nginx.httpConfig = ''
-  server {
-    server_name foo.example.com;
-    listen 80;
-    listen [::]:80;
-
-    location /.well-known/acme-challenge {
-      root /var/www/challenges;
-    }
-
-    location / {
-      return 301 https://$host$request_uri;
-    }
-  }
-
-  server {
-    server_name foo.example.com;
-    listen 443 ssl;
-    ssl_certificate     ${config.security.acme.directory}/foo.example.com/fullchain.pem;
-    ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem;
-    root /var/www/foo.example.com/;
-  }
-'';
+services.nginx = {
+  enable = true;
+  virtualHosts = {
+    "foo.example.com" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        root = "/var/www";
+      };
+    };
+  };
+}
 </programlisting>
 
-<para>Now Nginx will try to use the certificates that will be retrieved by ACME.
-  ACME needs Nginx (or any other webserver) to function and Nginx needs
-  the certificates to actually start. For this reason the ACME module
-  automatically generates self-signed certificates that will be used by Nginx to
-  start. After that Nginx is used by ACME to retrieve the actual ACME
-  certificates. <literal>security.acme.preliminarySelfsigned</literal> can be
-  used to control whether to generate the self-signed certificates.
-</para>
+<para>At the moment you still have to restart Nginx after the ACME
+certs arrive.</para>
 </section>
 </chapter>
diff --git a/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix b/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.prometheus.blackboxExporter;
+in {
+  options = {
+    services.prometheus.blackboxExporter = {
+      enable = mkEnableOption "prometheus blackbox exporter";
+
+      configFile = mkOption {
+        type = types.path;
+        description = ''
+          Path to configuration file.
+        '';
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 9115;
+        description = ''
+          Port to listen on.
+        '';
+      };
+
+      extraFlags = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          Extra commandline options when launching the blackbox exporter.
+        '';
+      };
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Open port in firewall for incoming connections.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port;
+
+    systemd.services.prometheus-blackbox-exporter = {
+      description = "Prometheus exporter for blackbox probes";
+      unitConfig.Documentation = "https://github.com/prometheus/blackbox_exporter";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = "nobody";
+        Restart = "always";
+        PrivateTmp = true;
+        WorkingDirectory = /tmp;
+        ExecStart = ''
+          ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
+            -web.listen-address :${toString cfg.port} \
+            -config.file ${cfg.configFile} \
+            ${concatStringsSep " \\\n  " cfg.extraFlags}
+        '';
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      };
+    };
+  };
+}
diff --git a/nixos/modules/services/monitoring/prometheus/json-exporter.nix b/nixos/modules/services/monitoring/prometheus/json-exporter.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.prometheus.jsonExporter;
+in {
+  options = {
+    services.prometheus.jsonExporter = {
+      enable = mkEnableOption "prometheus JSON exporter";
+
+      url = mkOption {
+        type = types.str;
+        description = ''
+          URL to scrape JSON from.
+        '';
+      };
+
+      configFile = mkOption {
+        type = types.path;
+        description = ''
+          Path to configuration file.
+        '';
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 7979;
+        description = ''
+          Port to listen on.
+        '';
+      };
+
+      extraFlags = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          Extra commandline options when launching the JSON exporter.
+        '';
+      };
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Open port in firewall for incoming connections.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port;
+
+    systemd.services.prometheus-json-exporter = {
+      description = "Prometheus exporter for JSON over HTTP";
+      unitConfig.Documentation = "https://github.com/kawamuray/prometheus-json-exporter";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = "nobody";
+        Restart = "always";
+        PrivateTmp = true;
+        WorkingDirectory = /tmp;
+        ExecStart = ''
+          ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \
+            --port ${toString cfg.port} \
+            ${cfg.url} ${cfg.configFile} \
+            ${concatStringsSep " \\\n  " cfg.extraFlags}
+        '';
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      };
+    };
+  };
+}