Commit graph

258 commits

Author SHA1 Message Date
Peter Simons 0afcc637d7 Add support for opportunistic TCP encryption.
Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption
based on the user-space tools available from <http://tcpcrypt.org>.

Network attackers come in two varieties: passive and active (man-in-the-middle).
Passive attacks are much simpler to execute because they just require listening
on the network. Active attacks are much harder as they require listening and
modifying network traffic, often requiring very precise timing that can make
some attacks impractical.

Opportunistic encryption cannot protect against active attackers, but it *does*
protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to
stop active attacks, too, if the application using it performs authentication.

A complete description of the protocol extension can be found at
<http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>.
2013-09-10 23:32:55 +02:00
Eelco Dolstra 17457297cb Update all legacy-style modules
I.e., modules that use "require = [options]".  Nowadays that should be
written as

  {
    options = { ... };
    config = { ... };
  };

Also, use "imports" instead of "require" in places where we actually
import another module.
2013-09-04 13:05:09 +02:00
Jaka Hudoklin c613ae7b82 Add elasticsearch, a powerful open source search and analytics engine 2013-08-27 20:42:59 +02:00
Jaka Hudoklin 5894f26c81 Add statsd, simple daemon for easy stats aggregation 2013-08-21 11:52:25 +02:00
Jaka Hudoklin b244a47185 Add graphite, scalable realtime graphing service 2013-08-11 12:16:19 +02:00
Eelco Dolstra 5827261bef compiz: Disable
It doesn't currently work.
2013-08-07 14:10:49 +02:00
Jaka Hudoklin d0cb70cefb Add iodined, ip over dns daemon 2013-08-05 01:20:55 +02:00
Cillian de Róiste 41e04c9aff Merge branch 'supybot'
Conflicts:
	modules/misc/ids.nix
2013-08-04 03:59:18 +02:00
Cillian de Róiste 90554a03c7 Supybot/limnoria: add service module 2013-08-01 00:36:15 +02:00
Rickard Nilsson 3ca7d7b291 Add OpenSMTPD service option 2013-07-30 10:20:56 +02:00
Rok Garbas 589b745fc6 new venus service 2013-07-23 22:42:12 +02:00
Shea Levy 18de9f64ae Add uptime module
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-07-18 19:25:35 -04:00
Bjørn Forsman 44f1a8d8c7 Add apcupsd service
apcupsd is a daemon for controlling APC UPSes. It is very simple to
configure. If you have a USB based UPS, the default settings should be
useable without further adjustments:

  services.apcupsd.enable = true;

This will give you autodetection of USB UPSes, network access limited to
localhost (for security) and the shutdown sequence will be started when
the battery level is below 50 percent, or when the UPS
has calculated that it has 5 minutes or less of remaining power-on time.

You can provide your own configuration file contents with this option:

  services.apcupsd.configText = "contents of apcupsd.conf";

Bug/annoyance 1: When apcupsd calls "wall" (on powerfail etc. events),
it prints an error message because stdout is not connected to a tty (it
is connected to the journal):

  wall: cannot get tty name: Inappropriate ioctl for device

The message still gets through though, to ctrl-alt-f[1-6] terminals.

Bug/annoyance 2: apcupsd tries to call "mail" (on powerfail etc.
events), and that fails because I'm not passing in any mail program at
the moment (because that would require more configuration options). A
solution to this would be to simply let the user fully configure the
apcupsd event handling logic in nix.
2013-07-17 21:23:09 +02:00
Peter Simons ff8a01b145 Merge pull request #185 from ocharles/memcached
memcached: Add NixOS support
2013-07-01 03:00:45 -07:00
Domen Kožar 1b7108952e Merge pull request #182 from zefhemel/redis
Added redis service module with bunch of documentation.
2013-06-29 04:11:33 -07:00
Eelco Dolstra 0cbf0605d2 Refactoring: Split fonts.nix into smaller modules 2013-06-27 13:12:45 +02:00
Oliver Charles c7f61ee921 memcached: Add NixOS support 2013-06-23 18:49:49 +01:00
Jaka Hudoklin aa548ef803 Add cgminer crypto currency miner 2013-06-20 09:01:11 +00:00
Zef Hemel 6b4d76c2c2 Added redis service with bunch of documentation. 2013-06-07 11:34:05 +02:00
Bjørn Forsman b1f82e428a lighttpd: add cgit sub-service
(cgit is "a hyperfast web frontend for git repositories written in C")

cgit is enabled like this (assuming lighttpd is already enabled):

  services.lighttpd.cgit.enable = true;

and configured verbatim like this (contents of the cgitrc file):

  services.lighttpd.cgit.configText = ''
    cache-size=1000
    scan-path=/srv/git
  '';

cgit will be available from this URL: http://yourserver/cgit

In lighttpd, I've ensured that the cache dir for cgit is created if cgit
is enabled.
2013-06-02 18:41:18 +02:00
Peter Simons 717dc3b858 Merge pull request #169 from wizeman/chrony
Add chrony service
2013-05-25 02:25:57 -07:00
Ricardo M. Correia 76046850fe atop: Add basic config option for /etc/atoprc 2013-05-23 11:14:24 +00:00
Ricardo M. Correia 02d9a8066a Add chrony service
Also, do not build and add ntp to the system unless it is enabled.
2013-05-23 02:07:49 +00:00
Rob Vermaas 3b00eca8e9 Add varnish to module-list.nix 2013-05-15 14:36:17 +02:00
Evgeny Egorochkin 748ab74d1f AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00
Evgeny Egorochkin dc389c5d1e lighttpd: add gitweb as a sub-service
Now you can access gitweb at http://yourserver/gitweb by simply adding
this to configuration.nix (assuming services.lighttpd.enable = true);

  services.lighttpd.gitweb.enable = true;

The path to all bare repositories served by gitweb can be set with this
option (default value below):

  services.lighttpd.gitweb.projectroot = "/srv/git";

Based on patch contributed by Bjørn Forsman.
2013-05-06 13:51:09 +03:00
Evgeny Egorochkin 39ba755873 Move lighttpd.nix to lighttpd/default.nix
So that we later can add sub-services for lighttpd without polluting the
web-servers/ directory.
2013-05-06 13:51:08 +03:00
Oliver Charles 2e088aa277 lightdm: Initial expression for lightdm as the display-manager service (using default GTK greeter) 2013-04-22 23:32:10 +04:00
Lluís Batlle i Rossell 7a71320a9c Adding freenet module 2013-04-21 11:27:41 +04:00
Vladimír Čunát 41ccade531 Merge pull request #132 from ierton/udisks2-v2
add udisks2 for Xfce
2013-04-20 01:36:14 -07:00
Domen Kozar 8d5c252ae1 add thinkfan service 2013-04-06 23:35:04 +02:00
Sergey Mironov 4b504d8bba udisks2: add udisks2 service
Udisks2 is a Dbus service started by systemd on demand.
2013-04-04 12:06:34 +04:00
Domen Kozar c52cb9bb65 add almir service 2013-03-27 11:47:28 +01:00
Domen Kozar b8a1ccd16a Add bacula service 2013-03-23 01:23:59 +01:00
Rob Vermaas 9a9b53aa9f Add module for rsyslog. Although rsyslog is supposed to be a drop-in
replacement for sysklogd, it lacks some support for certain arguments
used in the default syslog module of NixOS.
2013-03-15 12:55:49 +01:00
Rickard Nilsson be698e93a4 Merge hardware.pulseaudio and services.pulseaudio
More specifically, this removes services.pulseaudio and adds the option
hardware.pulseaudio.systemWide which defaults to false but can be used to turn
on the system-wide PulseAudio server (previously defined in
services.pulseaudio). Since the two PulseAudio modes are mutually exclusive
anyway (maybe not strictly true, but I don't think it is a good idea combining
them) it's nicer to be able to reuse server and ALSA configuration between them.

Also the system-wide PulseAudio service has been adjusted to systemd, and a few
things have been fixed (there was no alsa.conf before, for example).

The bottom line is that people that were using hardware.pulseaudio before should
be able to keep doing it in exactly the same way, and people that used
services.pulseaudio must switch over to hardware.pulseaudio.systemWide instead.
2013-03-14 23:33:45 +01:00
Bjørn Forsman d89ba0697f Add Transmission BitTorrent service
Enable it with

  services.transmission.enable = true;

and optionally configure it

  services.transmission.settings =
    {
      download-dir = "/srv/torrents/";
      incomplete-dir = "/srv/torrents/.incomplete/";
      incomplete-dir-enabled = true;
      rpc-whitelist = "127.0.0.1,192.168.*.*";
      # for users in group "transmission" to have access to torrents
      umask = 2;
    };

The above settings are written/merged into settings.json each time the
service is about to start.
2013-03-08 16:47:09 +01:00
Bjørn Forsman 61c07244e8 Add lighttpd web server module 2013-03-03 20:16:44 +01:00
Domen Kozar 854a37aa7e add most basic nginx service 2013-03-03 12:12:17 +01:00
Eelco Dolstra 080bf5614f Add a module for setting sysctl parameters
This adds an option ‘boot.kernel.sysctl’ and generates a file
/etc/sysctl/nixos.conf read by systemd-sysctl.service.
2013-03-02 20:06:02 +01:00
Shea Levy 7ac425a22f Merge pull request #102 from iElectric/deluge
Add deluged and deluge.web services
2013-02-27 11:19:08 -08:00
Rickard Nilsson cc3549fa34 Add ActiveMQ service 2013-02-25 16:50:10 +01:00
Domen Kozar a6f0d984fe Add deluge and deluge web services 2013-02-24 17:33:48 +01:00
Vladimír Čunát 9de455cf2e Merge pull request #53 from jcumming/zfs.121204
add a zfs module
2013-02-19 11:35:20 -08:00
Eelco Dolstra 233cc2fdaa Add a module for MiniDLNA
Now my NixOS machine can serve videos to my Bluray player!
2013-02-16 23:08:53 +01:00
Shea Levy 59a4df3159 Add websockify service 2013-02-14 21:50:41 -05:00
Shea Levy 02e209b139 Add gummiboot module.
We should probably eventually get rid of the old direct boot stub approach.
2013-02-02 00:03:45 -05:00
Lluís Batlle i Rossell 3c2f45695f Merge branch 'raspberrypi'
Adding support for the kind of bootloader in raspberrypi. Disable grub,
disable generationsDir, enable boot.loader.raspberrypi.

Usual layout expected: /boot being the first vfat the board reads blobs from.
2013-01-31 18:55:12 +01:00
Eelco Dolstra b89f941b20 Provide missing command suggestions, Ubuntu style
If the user tries to run a program that doesn't exist from Bash, the
program name is looked up in a database that maps to Nix package
names.  If it is found, we print out a message like:

  $ pdflatex
  The program ‘pdflatex’ is currently not installed. It is provided by
  several packages. You can install it by typing one of the following:
    nix-env -i tetex
    nix-env -i texlive-core

If the environment variable $NIX_AUTO_INSTALL is set, the command is
installed and executed automatically:

  $ hello --version
  The program ‘hello’ is currently not installed. It is provided by
  the package ‘hello’, which I will now install for you.
  installing `hello-2.8'
  hello (GNU hello) 2.8
  Copyright (C) 2011 Free Software Foundation, Inc. ...

To use this, you must currently manually put the SQLite programs
database in /var/lib/nixos/programs.sqlite.  In the future, this file
should be provided as part of the NixOS channel so it gets updated
automatically.  To get a test version:

  $ curl http://nixos.org/~eelco/programs.sqlite.xz | xz -d > /var/lib/nixos/programs.sqlite
2013-01-30 15:00:59 +01:00
Lluís Batlle i Rossell fe85f4be6c Adding an untested bootloader for raspberrypi 2013-01-28 20:58:46 +00:00