Merge branch 'master' of github.com:NixOS/nixos into systemd
aac6fe44b6
|
@ -22,9 +22,11 @@ let kernelVersion = config.boot.kernelPackages.kernel.version; in
|
||||||
###### implementation
|
###### implementation
|
||||||
|
|
||||||
config = pkgs.lib.mkIf config.networking.enableB43Firmware {
|
config = pkgs.lib.mkIf config.networking.enableB43Firmware {
|
||||||
hardware.firmware = if builtins.lessThan (builtins.compareVersions kernelVersion "3.2") 0 then
|
assertions = [ {
|
||||||
throw "b43 firmware for kernels older than 3.2 not packaged yet!" else
|
assertion = builtins.lessThan 0 (builtins.compareVersions kernelVersion "3.2");
|
||||||
[ pkgs.b43Firmware_5_1_138 ];
|
message = "b43 firmware for kernels older than 3.2 not packaged yet!";
|
||||||
|
} ];
|
||||||
|
hardware.firmware = [ pkgs.b43Firmware_5_1_138 ];
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
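Review bot: The new `assertion = builtins.lessThan 0 (builtins.compareVersions kernelVersion "3.2");` is stricter than the condition it replaces: `compareVersions` returns 0 for a kernel that is exactly 3.2, so that kernel now trips an assertion whose message says "older than 3.2", whereas the old `throw` only fired on a negative result. Keep the original comparison direction, e.g. `assertion = ! builtins.lessThan (builtins.compareVersions kernelVersion "3.2") 0;`. The `let kernelVersion = ...` binding this relies on sits outside the hunk.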
|
||||||
|
|
|
@ -73,6 +73,7 @@ in
|
||||||
fprot = 52;
|
fprot = 52;
|
||||||
bind = 53;
|
bind = 53;
|
||||||
wwwrun = 54;
|
wwwrun = 54;
|
||||||
|
spamd = 55;
|
||||||
|
|
||||||
# When adding a uid, make sure it doesn't match an existing gid.
|
# When adding a uid, make sure it doesn't match an existing gid.
|
||||||
|
|
||||||
|
|
|
@ -77,6 +77,7 @@
|
||||||
./services/hardware/udisks.nix
|
./services/hardware/udisks.nix
|
||||||
./services/hardware/upower.nix
|
./services/hardware/upower.nix
|
||||||
#./services/logging/klogd.nix
|
#./services/logging/klogd.nix
|
||||||
|
./services/logging/logcheck.nix
|
||||||
./services/logging/logrotate.nix
|
./services/logging/logrotate.nix
|
||||||
./services/logging/logstash.nix
|
./services/logging/logstash.nix
|
||||||
./services/logging/syslogd.nix
|
./services/logging/syslogd.nix
|
||||||
|
|
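--- /dev/null
+++ b/modules/services/logging/logcheck.nix
@@ -0,0 +1,139 @@
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let
+cfg = config.services.logcheck;
+
+rulesDir = pkgs.runCommand "logcheck-rules-dir"
+{} (
+''
+mkdir $out
+cp -prd ${pkgs.logcheck}/etc/logcheck/* $out/
+rm $out/logcheck.*
+chmod u+w $out/*
+'' + optionalString (! builtins.isNull cfg.extraRulesDir) ''
+cp -prd ${cfg.extraRulesDir}/* $out/
+'' );
+
+configFile = pkgs.writeText "logcheck.conf" cfg.config;
+
+logFiles = pkgs.writeText "logcheck.logfiles" cfg.files;
+
+flags = "-r ${rulesDir} -c ${configFile} -L ${logFiles} -${levelFlag} -m ${cfg.mailTo}";
+
+levelFlag = getAttrFromPath [cfg.level]
+{ "paranoid" = "p";
+"server" = "s";
+"workstation" = "w";
+};
+
+cronJob = ''
+@reboot logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
+2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
+'';
+
+in
+{
+options = {
+services.logcheck = {
+enable = mkOption {
+default = false;
+type = types.bool;
+description = ''
+Enable the logcheck cron job.
+'';
+};
+
+user = mkOption {
+default = "logcheck";
+type = types.uniq types.string;
+description = ''
+Username for the logcheck user.
+'';
+};
+
+timeOfDay = mkOption {
+default = "*";
+example = "6";
+type = types.uniq types.string;
+description = ''
+Time of day to run logcheck. A logcheck will be scheduled at xx:02 each day.
+Leave default (*) to run every hour. Of course when nothing special was logged,
+logcheck will be silent.
+'';
+};
+
+mailTo = mkOption {
+default = "root";
+example = "you@domain.com";
+type = types.uniq types.string;
+description = ''
+Email address to send reports to.
+'';
+};
+
+level = mkOption {
+default = "server";
+type = types.uniq types.string;
+description = ''
+Set the logcheck level. Either "workstation", "server", or "paranoid".
+'';
+};
+
+config = mkOption {
+default = "FQDN=1";
+type = types.string;
+description = ''
+Config options that you would like in logcheck.conf.
+'';
+};
+
+files = mkOption {
+default = [ "/var/log/messages" ];
+type = types.listOf types.path;
+example = [ "/var/log/messages" "/var/log/mail" ];
+description = ''
+Which log files to check.
+'';
+};
+
+extraRulesDir = mkOption {
+default = null;
+example = "/etc/logcheck";
+type = types.nullOr types.path;
+description = ''
+Directory with extra rules.
+Will be merged with bundled rules, so it's possible to override certain behaviour.
+'';
+};
+
+extraGroups = mkOption {
+default = [];
+type = types.listOf types.string;
+example = [ "postdrop" "mongodb" ];
+description = ''
+Extra groups for the logcheck user, for example to be able to use sendmail,
+or to access certain log files.
+'';
+};
+
+};
+};
+
+config = mkIf cfg.enable {
+users.extraUsers = singleton
+{ name = cfg.user;
+shell = "/bin/sh";
+description = "Logcheck user account";
+extraGroups = cfg.extraGroups;
+};
+
+system.activationScripts.logcheck = ''
+mkdir -m 700 -p /var/{lib,lock}/logcheck
+chown ${cfg.user} /var/{lib,lock}/logcheck
+'';
+
+services.cron.systemCronJobs = [ cronJob ];
+};
+}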
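Review bot: `logFiles = pkgs.writeText "logcheck.logfiles" cfg.files;` hands a list (the option is `types.listOf types.path`) to a function that expects a string; if evaluation accepts it at all, the list is coerced to a single space-separated line, whereas logcheck reads one path per line from the file given to `-L`, so with two or more entries none of them would match. Suggest `logFiles = pkgs.writeText "logcheck.logfiles" (concatStringsSep "\n" cfg.files);`. The `flags` string is also spliced into the cron command line unquoted, so a `mailTo` or `level` value containing whitespace or shell metacharacters silently changes the command rather than failing; quoting the interpolations (`-m "${cfg.mailTo}"`) or restricting `level` to the three known names at option level would make that a clean evaluation error.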
@ -141,6 +141,7 @@ in
|
||||||
|
|
||||||
jobs.logstash = with pkgs; {
|
jobs.logstash = with pkgs; {
|
||||||
description = "Logstash daemon";
|
description = "Logstash daemon";
|
||||||
|
startOn = "started networking and filesystem";
|
||||||
|
|
||||||
path = [ jre ];
|
path = [ jre ];
|
||||||
|
|
||||||
|
|
|
@ -80,6 +80,9 @@ let
|
||||||
|
|
||||||
recipientDelimiter = ${cfg.recipientDelimiter}
|
recipientDelimiter = ${cfg.recipientDelimiter}
|
||||||
''
|
''
|
||||||
|
+ optionalString (cfg.virtual != "") ''
|
||||||
|
virtual_alias_maps = hash:/etc/postfix/virtual
|
||||||
|
''
|
||||||
+ cfg.extraConfig;
|
+ cfg.extraConfig;
|
||||||
|
|
||||||
aliases =
|
aliases =
|
||||||
|
@ -93,6 +96,7 @@ let
|
||||||
;
|
;
|
||||||
|
|
||||||
aliasesFile = pkgs.writeText "postfix-aliases" aliases;
|
aliasesFile = pkgs.writeText "postfix-aliases" aliases;
|
||||||
|
virtualFile = pkgs.writeText "postfix-virtual" cfg.virtual;
|
||||||
mainCfFile = pkgs.writeText "postfix-main.cf" mainCf;
|
mainCfFile = pkgs.writeText "postfix-main.cf" mainCf;
|
||||||
|
|
||||||
in
|
in
|
||||||
|
@ -255,6 +259,13 @@ in
|
||||||
";
|
";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
virtual = mkOption {
|
||||||
|
default = "";
|
||||||
|
description = "
|
||||||
|
Entries for the virtual alias map.
|
||||||
|
";
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
@ -338,9 +349,11 @@ in
|
||||||
ln -sf ${pkgs.postfix}/share/postfix/conf/* /var/postfix/conf
|
ln -sf ${pkgs.postfix}/share/postfix/conf/* /var/postfix/conf
|
||||||
|
|
||||||
ln -sf ${aliasesFile} /var/postfix/conf/aliases
|
ln -sf ${aliasesFile} /var/postfix/conf/aliases
|
||||||
|
ln -sf ${virtualFile} /var/postfix/conf/virtual
|
||||||
ln -sf ${mainCfFile} /var/postfix/conf/main.cf
|
ln -sf ${mainCfFile} /var/postfix/conf/main.cf
|
||||||
|
|
||||||
${pkgs.postfix}/sbin/postalias -c /var/postfix/conf /var/postfix/conf/aliases
|
${pkgs.postfix}/sbin/postalias -c /var/postfix/conf /var/postfix/conf/aliases
|
||||||
|
${pkgs.postfix}/sbin/postmap -c /var/postfix/conf /var/postfix/conf/virtual
|
||||||
|
|
||||||
exec ${pkgs.postfix}/sbin/postfix -c /var/postfix/conf start
|
exec ${pkgs.postfix}/sbin/postfix -c /var/postfix/conf start
|
||||||
''; # */
|
''; # */
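Review bot: `virtual_alias_maps = hash:/etc/postfix/virtual` in the hunk at L718 names the map under /etc/postfix, while this hunk links the file and runs `postmap` on `/var/postfix/conf/virtual`; unless /etc/postfix is made to resolve to /var/postfix/conf elsewhere in this module (not visible here), postfix will consult a map that was never built. If the directory is aliased, a comment at the `ln -sf ${virtualFile} /var/postfix/conf/virtual` line saying so would spare the next reader the check. Separately, the `virtual` option added in the hunk at L794 declares no `type`, so a non-string value only fails late inside `writeText`; `type = types.string;` would catch it at evaluation time.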
|
||||||
|
|
|
@ -33,11 +33,17 @@ in
|
||||||
# Allow users to run 'spamc'.
|
# Allow users to run 'spamc'.
|
||||||
environment.systemPackages = [ pkgs.spamassassin ];
|
environment.systemPackages = [ pkgs.spamassassin ];
|
||||||
|
|
||||||
|
users.extraUsers = singleton
|
||||||
|
{ name = "spamd";
|
||||||
|
description = "Spam Assassin Daemon";
|
||||||
|
uid = config.ids.uids.spamd;
|
||||||
|
};
|
||||||
|
|
||||||
jobs.spamd = {
|
jobs.spamd = {
|
||||||
description = "Spam Assassin Server";
|
description = "Spam Assassin Server";
|
||||||
startOn = "started networking and filesystem";
|
startOn = "started networking and filesystem";
|
||||||
environment.TZ = config.time.timeZone;
|
environment.TZ = config.time.timeZone;
|
||||||
exec = "${pkgs.spamassassin}/bin/spamd -C /etc/spamassassin/init.pre --siteconfigpath=/etc/spamassassin --debug --pidfile=/var/run/spamd.pid";
|
exec = "${pkgs.spamassassin}/bin/spamd -C /etc/spamassassin/init.pre --siteconfigpath=/etc/spamassassin --username=spamd --pidfile=/var/run/spamd.pid";
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
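Review bot: Running spamd under `--username=spamd` is the right direction, but the new `users.extraUsers` entry sets only `name`, `description` and `uid`: no `group` and no `home`, and spamd keeps per-user state (Bayes and auto-whitelist databases) under the running user's home, so with the default home that write is likely to fail or land somewhere unintended. Consider `home = "/var/lib/spamd";` together with creating and chowning it in an activation script, as the logcheck module in this same commit does for its user. The ids hunk at L64 adds `spamd = 55;` as a uid only; the comment there asks to confirm 55 is not already a gid, and that check is not visible in this diff.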
|
||||||
|
|
|
@ -11,7 +11,13 @@ let
|
||||||
|
|
||||||
avahiDaemonConf = with cfg; pkgs.writeText "avahi-daemon.conf" ''
|
avahiDaemonConf = with cfg; pkgs.writeText "avahi-daemon.conf" ''
|
||||||
[server]
|
[server]
|
||||||
host-name=${hostName}
|
${# Users can set `networking.hostName' to the empty string, when getting
|
||||||
|
# a host name from DHCP. In that case, let Avahi take whatever the
|
||||||
|
# current host name is; setting `host-name' to the empty string in
|
||||||
|
# `avahi-daemon.conf' would be invalid.
|
||||||
|
if hostName != ""
|
||||||
|
then "host-name=${hostName}"
|
||||||
|
else ""}
|
||||||
browse-domains=${concatStringsSep ", " browseDomains}
|
browse-domains=${concatStringsSep ", " browseDomains}
|
||||||
use-ipv4=${if ipv4 then "yes" else "no"}
|
use-ipv4=${if ipv4 then "yes" else "no"}
|
||||||
use-ipv6=${if ipv6 then "yes" else "no"}
|
use-ipv6=${if ipv6 then "yes" else "no"}
|
||||||
|
|
|
@ -123,6 +123,20 @@ let
|
||||||
enableSplashScreen =
|
enableSplashScreen =
|
||||||
config.boot.vesa && config.boot.initrd.enableSplashScreen && kernelPackages.splashutils != null;
|
config.boot.vesa && config.boot.initrd.enableSplashScreen && kernelPackages.splashutils != null;
|
||||||
|
|
||||||
|
needsCifsUtils = kernelPackages.kernel ? features
|
||||||
|
&& kernelPackages.kernel.features ? needsCifsUtils
|
||||||
|
&& kernelPackages.kernel.features.needsCifsUtils
|
||||||
|
&& any (fs: fs.fsType == "cifs") fileSystems;
|
||||||
|
|
||||||
|
busybox = if needsCifsUtils
|
||||||
|
then pkgs.busybox.override {
|
||||||
|
extraConfig = ''
|
||||||
|
CONFIG_FEATURE_MOUNT_CIFS n
|
||||||
|
CONFIG_FEATURE_MOUNT_HELPERS y
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
else pkgs.busybox;
|
||||||
|
|
||||||
|
|
||||||
# Some additional utilities needed in stage 1, like mount, lvm, fsck
|
# Some additional utilities needed in stage 1, like mount, lvm, fsck
|
||||||
# etc. We don't want to bring in all of those packages, so we just
|
# etc. We don't want to bring in all of those packages, so we just
|
||||||
|
@ -148,7 +162,7 @@ let
|
||||||
cp -pv ${pkgs.gcc.gcc}/lib*/libgcc_s.so.* $out/lib
|
cp -pv ${pkgs.gcc.gcc}/lib*/libgcc_s.so.* $out/lib
|
||||||
|
|
||||||
# Copy BusyBox.
|
# Copy BusyBox.
|
||||||
cp -rvd ${pkgs.busybox}/{bin,sbin} $out/
|
cp -rvd ${busybox}/{bin,sbin} $out/
|
||||||
chmod -R u+w $out
|
chmod -R u+w $out
|
||||||
|
|
||||||
# Copy some utillinux stuff.
|
# Copy some utillinux stuff.
|
||||||
|
@ -180,6 +194,11 @@ let
|
||||||
cp ${kernelPackages.splashutils}/${kernelPackages.splashutils.helperName} $out/bin/splash_helper
|
cp ${kernelPackages.splashutils}/${kernelPackages.splashutils.helperName} $out/bin/splash_helper
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
# Maybe copy cifs utils
|
||||||
|
${optionalString needsCifsUtils ''
|
||||||
|
cp -v ${pkgs.cifs_utils}/sbin/mount.cifs $out/bin
|
||||||
|
''}
|
||||||
|
|
||||||
${config.boot.initrd.extraUtilsCommands}
|
${config.boot.initrd.extraUtilsCommands}
|
||||||
|
|
||||||
# Strip binaries further than normal.
|
# Strip binaries further than normal.
|
||||||
|
|
|
@ -121,7 +121,7 @@ if ! mountpoint -q /run; then
|
||||||
mount -t tmpfs -o "mode=0755,size=@runSize@" none /run
|
mount -t tmpfs -o "mode=0755,size=@runSize@" none /run
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -m 0700 -p /run/lock
|
mkdir -m 0755 -p /run/lock
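Review bot: `mkdir -m 0755 -p /run/lock` relaxes the directory from 0700 without a comment saying why; presumably it is so that unprivileged services can reach root-created, chowned subdirectories such as the logcheck module's `/var/lock/logcheck` (added in this commit) while still being unable to create lock files in /run/lock itself. A one-line comment would keep the next person from "fixing" it in either direction, e.g. `# 0755, not 1777: services get their own chowned subdirectory rather than write access to /run/lock itself`. Since /run is a fresh tmpfs (mounted a few lines above), the -m mode does take effect on every boot.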
|
||||||
|
|
||||||
|
|
||||||
# For backwards compatibility, symlink /var/run to /run, and /var/lock
|
# For backwards compatibility, symlink /var/run to /run, and /var/lock
|
||||||
|
|
|
@ -5,6 +5,7 @@ with pkgs.lib;
|
||||||
let
|
let
|
||||||
|
|
||||||
cfg = config.networking;
|
cfg = config.networking;
|
||||||
|
hasVirtuals = any (i: i.virtual) cfg.interfaces;
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
|
@ -119,6 +120,44 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
virtual = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Whether this interface is virtual and should be created by tunctl.
|
||||||
|
This is mainly useful for creating bridges between a host a virtual
|
||||||
|
network such as VPN or a virtual machine.
|
||||||
|
|
||||||
|
Defaults to tap device, unless interface contains "tun" in its name.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualOwner = mkOption {
|
||||||
|
default = "root";
|
||||||
|
type = types.uniq types.string;
|
||||||
|
description = ''
|
||||||
|
In case of a virtual device, the user who owns it.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
proxyARP = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Turn on proxy_arp for this device (and proxy_ndp for ipv6).
|
||||||
|
This is mainly useful for creating pseudo-bridges between a real
|
||||||
|
interface and a virtual network such as VPN or a virtual machine for
|
||||||
|
interfaces that don't support real bridging (most wlan interfaces).
|
||||||
|
As ARP proxying acts slightly above the link-layer, below-ip traffic
|
||||||
|
isn't bridged, so things like DHCP won't work. The advantage above
|
||||||
|
using NAT lies in the fact that no IP addresses are shared, so all
|
||||||
|
hosts are reachable/routeable.
|
||||||
|
|
||||||
|
WARNING: turns on ip-routing, so if you have multiple interfaces, you
|
||||||
|
should think of the consequence and setup firewall rules to limit this.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
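Review bot: Two descriptions in this hunk read awkwardly: the `virtual` option says `between a host a virtual network`, presumably meant as `between a host and a virtual network`, and the proxyARP warning says `think of the consequence and setup firewall rules`, better as `think of the consequences and set up firewall rules`. The proxyARP text would also be clearer if it stated plainly that the forwarding it turns on is the system-wide `/proc/sys/net/ipv4/ip_forward`, which affects every interface on the host, not just this one.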
|
||||||
|
@ -179,7 +218,7 @@ in
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
|
||||||
boot.kernelModules = optional cfg.enableIPv6 "ipv6";
|
boot.kernelModules = optional cfg.enableIPv6 "ipv6" ++ optional hasVirtuals "tun";
|
||||||
|
|
||||||
environment.systemPackages =
|
environment.systemPackages =
|
||||||
[ pkgs.host
|
[ pkgs.host
|
||||||
|
@ -191,6 +230,7 @@ in
|
||||||
pkgs.openresolv
|
pkgs.openresolv
|
||||||
]
|
]
|
||||||
++ optional (cfg.bridges != {}) pkgs.bridge_utils
|
++ optional (cfg.bridges != {}) pkgs.bridge_utils
|
||||||
|
++ optional hasVirtuals pkgs.tunctl
|
||||||
++ optional cfg.enableIPv6 pkgs.ndisc6;
|
++ optional cfg.enableIPv6 pkgs.ndisc6;
|
||||||
|
|
||||||
security.setuidPrograms = [ "ping" "ping6" ];
|
security.setuidPrograms = [ "ping" "ping6" ];
|
||||||
|
@ -208,6 +248,15 @@ in
|
||||||
''
|
''
|
||||||
set +e # continue in case of errors
|
set +e # continue in case of errors
|
||||||
|
|
||||||
|
# Create virtual network interfaces
|
||||||
|
${flip concatMapStrings cfg.interfaces (i:
|
||||||
|
optionalString i.virtual
|
||||||
|
''
|
||||||
|
echo "Creating virtual network interface ${i.name}..."
|
||||||
|
${pkgs.tunctl}/bin/tunctl -t "${i.name}" -u "${i.virtualOwner}"
|
||||||
|
'')
|
||||||
|
}
|
||||||
|
|
||||||
# Set MAC addresses of interfaces, if desired.
|
# Set MAC addresses of interfaces, if desired.
|
||||||
${flip concatMapStrings cfg.interfaces (i:
|
${flip concatMapStrings cfg.interfaces (i:
|
||||||
optionalString (i.macAddress != "")
|
optionalString (i.macAddress != "")
|
||||||
|
@ -246,6 +295,14 @@ in
|
||||||
echo "Configuring interface ${i.name}..."
|
echo "Configuring interface ${i.name}..."
|
||||||
ip addr add "${i.ipAddress}""${optionalString (i.subnetMask != "") ("/" + i.subnetMask)}" \
|
ip addr add "${i.ipAddress}""${optionalString (i.subnetMask != "") ("/" + i.subnetMask)}" \
|
||||||
dev "${i.name}"
|
dev "${i.name}"
|
||||||
|
'' +
|
||||||
|
optionalString i.proxyARP
|
||||||
|
''
|
||||||
|
echo 1 > /proc/sys/net/ipv4/conf/${i.name}/proxy_arp
|
||||||
|
'' +
|
||||||
|
optionalString (i.proxyARP && cfg.enableIPv6)
|
||||||
|
''
|
||||||
|
echo 1 > /proc/sys/net/ipv6/conf/${i.name}/proxy_ndp
|
||||||
'')
|
'')
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -264,6 +321,11 @@ in
|
||||||
ip route add default via "${cfg.defaultGateway}"
|
ip route add default via "${cfg.defaultGateway}"
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
# turn on forwarding if any interface has enabled proxy_arp
|
||||||
|
${optionalString (any (i: i.proxyARP) cfg.interfaces) ''
|
||||||
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
|
''}
|
||||||
|
|
||||||
# Run any user-specified commands.
|
# Run any user-specified commands.
|
||||||
${pkgs.stdenv.shell} ${pkgs.writeText "local-net-cmds" cfg.localCommands}
|
${pkgs.stdenv.shell} ${pkgs.writeText "local-net-cmds" cfg.localCommands}
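Review bot: `echo 1 > /proc/sys/net/ipv4/ip_forward` is enabled when any interface has proxyARP, but the hunk at L1597 also turns on `proxy_ndp` when `cfg.enableIPv6` is set, and proxy NDP only does anything useful with IPv6 forwarding on; as written the v6 side is advertised but not forwarded. Consider mirroring the v4 block with `${optionalString (cfg.enableIPv6 && any (i: i.proxyARP) cfg.interfaces) "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding\n"}`. Since either switch makes the host a router for all of its interfaces, a comment here pointing at the firewall warning in the proxyARP option would help a reader of this script who never sees the option text.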
|
||||||
|
|
||||||
|
|