author | Alyssa Ross <hi@alyssa.is> | 2023-11-21 16:12:21 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-11-21 16:12:48 +0100 |
commit | 048a4cd441a59cbf89defb18bb45c9f0b4429b35 (patch) | |
tree | f8f5850ff05521ab82d65745894714a8796cbfb6 /nixos/modules/services/misc | |
parent | 030c5028b07afcedce7c5956015c629486cc79d9 (diff) | |
parent | 4c2d05dd6435d449a3651a6dd314d9411b5f8146 (diff) | |
Signed-off-by: Alyssa Ross <hi@alyssa.is>
Diffstat (limited to 'nixos/modules/services/misc')
26 files changed, 584 insertions, 162 deletions
diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/amazon-ssm-agent.nix index d1f371c2bd6..0be79e759c3 100644 --- a/nixos/modules/services/misc/ssm-agent.nix +++ b/nixos/modules/services/misc/amazon-ssm-agent.nix @@ -2,7 +2,7 @@ with lib; let - cfg = config.services.ssm-agent; + cfg = config.services.amazon-ssm-agent; # The SSM agent doesn't pay attention to our /etc/os-release yet, and the lsb-release tool # in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM @@ -16,19 +16,24 @@ let esac ''; in { - options.services.ssm-agent = { - enable = mkEnableOption (lib.mdDoc "AWS SSM agent"); + imports = [ + (mkRenamedOptionModule [ "services" "ssm-agent" "enable" ] [ "services" "amazon-ssm-agent" "enable" ]) + (mkRenamedOptionModule [ "services" "ssm-agent" "package" ] [ "services" "amazon-ssm-agent" "package" ]) + ]; + + options.services.amazon-ssm-agent = { + enable = mkEnableOption (lib.mdDoc "Amazon SSM agent"); package = mkOption { type = types.path; - description = lib.mdDoc "The SSM agent package to use"; - default = pkgs.ssm-agent.override { overrideEtc = false; }; - defaultText = literalExpression "pkgs.ssm-agent.override { overrideEtc = false; }"; + description = lib.mdDoc "The Amazon SSM agent package to use"; + default = pkgs.amazon-ssm-agent.override { overrideEtc = false; }; + defaultText = literalExpression "pkgs.amazon-ssm-agent.override { overrideEtc = false; }"; }; }; config = mkIf cfg.enable { - systemd.services.ssm-agent = { + systemd.services.amazon-ssm-agent = { inherit (cfg.package.meta) description; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/misc/atuin.nix b/nixos/modules/services/misc/atuin.nix index 8d2c1b5242f..2d6ffc510ce 100644 --- a/nixos/modules/services/misc/atuin.nix +++ b/nixos/modules/services/misc/atuin.nix 
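Review bot: The two mkRenamedOptionModule entries cover `services.ssm-agent.enable` and `.package`, but the unit rename from `systemd.services.ssm-agent` to `systemd.services.amazon-ssm-agent` has no migration path: a configuration that extends `systemd.services.ssm-agent` (extra environment, hardening, ordering) now silently defines a second, unrelated unit instead of adjusting this one. A release-notes entry, or a warning when the old unit name is still defined, would make the rename visible instead of silent. The rest of the service definition continues outside the hunk.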
@@ -73,9 +73,7 @@ in enable = true; ensureUsers = [{ name = "atuin"; - ensurePermissions = { - "DATABASE atuin" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; ensureDatabases = [ "atuin" ]; }; diff --git a/nixos/modules/services/misc/autofs.nix b/nixos/modules/services/misc/autofs.nix index 55ab15ff003..723b67e8bb6 100644 --- a/nixos/modules/services/misc/autofs.nix +++ b/nixos/modules/services/misc/autofs.nix @@ -74,7 +74,7 @@ in config = mkIf cfg.enable { - boot.kernelModules = [ "autofs4" ]; + boot.kernelModules = [ "autofs" ]; systemd.services.autofs = { description = "Automounts filesystems on demand"; diff --git a/nixos/modules/services/misc/confd.nix b/nixos/modules/services/misc/confd.nix index 17c1be57ccb..17c1be57ccb 100755..100644 --- a/nixos/modules/services/misc/confd.nix +++ b/nixos/modules/services/misc/confd.nix diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix index 0f92265ccbe..129345e3810 100644 --- a/nixos/modules/services/misc/dysnomia.nix +++ b/nixos/modules/services/misc/dysnomia.nix @@ -223,7 +223,7 @@ in ejabberdUser = config.services.ejabberd.user; }; } // lib.optionalAttrs (config.services.mysql.enable) { mysql-database = { - mysqlPort = config.services.mysql.port; + mysqlPort = config.services.mysql.settings.mysqld.port; mysqlSocket = "/run/mysqld/mysqld.sock"; } // lib.optionalAttrs cfg.enableAuthentication { mysqlUsername = "root"; diff --git a/nixos/modules/services/misc/forgejo.md b/nixos/modules/services/misc/forgejo.md new file mode 100644 index 00000000000..3df8bc20976 --- /dev/null +++ b/nixos/modules/services/misc/forgejo.md 
@@ -0,0 +1,79 @@ +# Forgejo {#module-forgejo} + +Forgejo is a soft-fork of gitea, with strong community focus, as well +as on self-hosting and federation. [Codeberg](https://codeberg.org) is +deployed from it. + +See [upstream docs](https://forgejo.org/docs/latest/). + +The method of choice for running forgejo is using [`services.forgejo`](#opt-services.forgejo.enable). + +::: {.warning} +Running forgejo using `services.gitea.package = pkgs.forgejo` is no longer +recommended. +If you experience issues with your instance using `services.gitea`, +**DO NOT** report them to the `services.gitea` module maintainers. +**DO** report them to the `services.forgejo` module maintainers instead. +::: + +## Migration from Gitea {#module-forgejo-migration-gitea} + +::: {.note} +Migrating is, while not strictly necessary at this point, highly recommended. +Both modules and projects are likely to divide further with each release. +Which might lead to an even more involved migration. +::: + +### Full-Migration {#module-forgejo-migration-gitea-default} + +This will migrate the state directory (data), rename and chown the database and +delete the gitea user. + +::: {.note} +This will also change the git remote ssh-url user from `gitea@` to `forgejo@`, +when using the host's openssh server (default) instead of the integrated one. +::: + +Instructions for PostgreSQL (default). 
Adapt accordingly for other databases: + +```sh +systemctl stop gitea +mv /var/lib/gitea /var/lib/forgejo +runuser -u postgres -- psql -c ' + ALTER USER gitea RENAME TO forgejo; + ALTER DATABASE gitea RENAME TO forgejo; +' +nixos-rebuild switch +systemctl stop forgejo +chown -R forgejo:forgejo /var/lib/forgejo +systemctl restart forgejo +``` + +### Alternatively, keeping the gitea user {#module-forgejo-migration-gitea-impersonate} + +Alternatively, instead of renaming the database, copying the state folder and +changing the user, the forgejo module can be set up to re-use the old storage +locations and database, instead of having to copy or rename them. +Make sure to disable `services.gitea`, when doing this. + +```nix +services.gitea.enable = false; + +services.forgejo = { + enable = true; + user = "gitea"; + group = "gitea"; + stateDir = "/var/lib/gitea"; + database.name = "gitea"; + database.user = "gitea"; +}; + +users.users.gitea = { + home = "/var/lib/gitea"; + useDefaultShell = true; + group = "gitea"; + isSystemUser = true; +}; + +users.groups.gitea = {}; +``` diff --git a/nixos/modules/services/misc/forgejo.nix b/nixos/modules/services/misc/forgejo.nix index f26658b7bcb..454febda589 100644 --- a/nixos/modules/services/misc/forgejo.nix +++ b/nixos/modules/services/misc/forgejo.nix 
@@ -357,6 +357,14 @@ in assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user; message = "services.forgejo.database.user must match services.forgejo.user if the database is to be automatically provisioned"; } + { assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name; + message = '' + When creating a database via NixOS, the db user and db name must be equal! + If you already have an existing DB+user and this assertion is new, you can safely set + `services.forgejo.createDatabase` to `false` because removal of `ensureUsers` + and `ensureDatabases` doesn't have any effect. + ''; + } ]; services.forgejo.settings = { @@ -423,7 +431,7 @@ in ensureUsers = [ { name = cfg.database.user; - ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; + ensureDBOwnership = true; } ]; }; @@ -621,6 +629,8 @@ in }; }; + services.openssh.settings.AcceptEnv = mkIf (!cfg.settings.START_SSH_SERVER or false) "GIT_PROTOCOL"; + users.users = mkIf (cfg.user == "forgejo") { forgejo = { home = cfg.stateDir; @@ -664,5 +674,6 @@ in }; }; + meta.doc = ./forgejo.md; meta.maintainers = with lib.maintainers; [ bendlas emilylange ]; } diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index f6ef2bb9191..be528a29899 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -246,6 +246,13 @@ in description = lib.mdDoc "Path to a file containing the SMTP password."; }; + metricsTokenFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/var/lib/secrets/gitea/metrics_token"; + description = lib.mdDoc "Path to a file containing the metrics authentication token."; + }; + settings = mkOption { default = {}; description = lib.mdDoc '' 
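Review bot: The new assertion message tells users to set `services.forgejo.createDatabase` to false, but the value the assertion reads is `cfg.database.createDatabase`, i.e. `services.forgejo.database.createDatabase` (the preceding assertion's message already uses the correct `services.forgejo.database.user` form). Change the quoted path in the message to `services.forgejo.database.createDatabase`. The gitea hunk on the next line carries the identical mistake with `services.gitea.createDatabase`.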
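Review bot: `cfg.settings.START_SSH_SERVER or false` reads a top-level key of `settings`; if this module's settings are sectioned the way Forgejo's app.ini is (`[server] START_SSH_SERVER`), that path never exists, the `or false` default applies and `AcceptEnv GIT_PROTOCOL` is set unconditionally even when the built-in SSH server is in use. Please confirm against the option definition, which is outside this hunk, and use `cfg.settings.server.START_SSH_SERVER or false` if so. `services.openssh.settings.AcceptEnv` is also host-wide, so every sshd user may now pass `GIT_PROTOCOL`; that is benign but deserves a comment such as `# lets git clients negotiate protocol v2 over the host sshd; applies to all sshd users, not only forgejo`.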
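Review bot: `metricsTokenFile` only injects `TOKEN` into the `[metrics]` section (the `metrics = mkIf ...` hunk on the next line); it does not turn the metrics endpoint on, so a user setting only this option gets no metrics and no error. Say so in the description, e.g. `Path to a file containing the metrics authentication token. Only used when metrics are enabled via settings.metrics.ENABLED.`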
@@ -387,6 +394,14 @@ in { assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user; message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned"; } + { assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name; + message = '' + When creating a database via NixOS, the db user and db name must be equal! + If you already have an existing DB+user and this assertion is new, you can safely set + `services.gitea.createDatabase` to `false` because removal of `ensureUsers` + and `ensureDatabases` doesn't have any effect. + ''; + } ]; services.gitea.settings = { @@ -433,6 +448,10 @@ in PASSWD = "#mailerpass#"; }; + metrics = mkIf (cfg.metricsTokenFile != null) { + TOKEN = "#metricstoken#"; + }; + oauth2 = { JWT_SECRET = "#oauth2jwtsecret#"; }; @@ -450,7 +469,7 @@ in ensureDatabases = [ cfg.database.name ]; ensureUsers = [ { name = cfg.database.user; - ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; + ensureDBOwnership = true; } ]; }; @@ -559,6 +578,10 @@ in ${lib.optionalString (cfg.mailerPasswordFile != null) '' ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}' ''} + + ${lib.optionalString (cfg.metricsTokenFile != null) '' + ${replaceSecretBin} '#metricstoken#' '${cfg.metricsTokenFile}' '${runConfig}' + ''} chmod u-w '${runConfig}' } (umask 027; gitea_setup) diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix index d607e92e5ec..b73528abaf6 100644 --- a/nixos/modules/services/misc/gollum.nix +++ b/nixos/modules/services/misc/gollum.nix @@ -154,5 +154,5 @@ in }; }; - meta.maintainers = with lib.maintainers; [ erictapen bbenno joscha ]; + meta.maintainers = with lib.maintainers; [ erictapen bbenno ]; } diff --git a/nixos/modules/services/misc/gpsd.nix b/nixos/modules/services/misc/gpsd.nix index ce0f9bb3ba2..5d2e806181d 100644 
--- a/nixos/modules/services/misc/gpsd.nix +++ b/nixos/modules/services/misc/gpsd.nix @@ -92,6 +92,16 @@ in { ''; }; + extraArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "-r" "-s" "19200" ]; + description = lib.mdDoc '' + A list of extra command line arguments to pass to gpsd. + Check gpsd(8) mangpage for possible arguments. + ''; + }; + }; }; @@ -117,12 +127,14 @@ in { Type = "forking"; ExecStart = let devices = utils.escapeSystemdExecArgs cfg.devices; + extraArgs = utils.escapeSystemdExecArgs cfg.extraArgs; in '' ${pkgs.gpsd}/sbin/gpsd -D "${toString cfg.debugLevel}" \ -S "${toString cfg.port}" \ ${optionalString cfg.readonly "-b"} \ ${optionalString cfg.nowait "-n"} \ ${optionalString cfg.listenany "-G"} \ + ${extraArgs} \ ${devices} ''; }; diff --git a/nixos/modules/services/misc/klipper.nix b/nixos/modules/services/misc/klipper.nix index 67a217c994e..9eb2fdb4659 100644 --- a/nixos/modules/services/misc/klipper.nix +++ b/nixos/modules/services/misc/klipper.nix @@ -111,11 +111,11 @@ in (submodule { options = { enable = mkEnableOption (lib.mdDoc '' - building of firmware for manual flashing. + building of firmware for manual flashing ''); enableKlipperFlash = mkEnableOption (lib.mdDoc '' flashings scripts for firmware. This will add `klipper-flash-$mcu` scripts to your environment which can be called to flash the firmware. - Please check the configs at [klipper](https://github.com/Klipper3d/klipper/tree/master/config) whether your board supports flashing via `make flash`. + Please check the configs at [klipper](https://github.com/Klipper3d/klipper/tree/master/config) whether your board supports flashing via `make flash` ''); serial = mkOption { type = types.nullOr path; diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix index 632b7caaac4..335b1b684b1 100644 --- a/nixos/modules/services/misc/mediatomb.nix +++ b/nixos/modules/services/misc/mediatomb.nix 
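Review bot: The `extraArgs` description has a typo, `mangpage`; it should read `Check gpsd(8) manpage for possible arguments.` Since the second hunk splices `${extraArgs}` after the module-generated `-D`/`-S`/`-b`/`-n`/`-G` flags and before `${devices}`, the description could also state that position, so users know the extra arguments come after the module's own flags rather than replacing them.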
@@ -186,7 +186,7 @@ let defaultFirewallRules = { # udp 1900 port needs to be opened for SSDP (not configurable within # mediatomb/gerbera) cf. - # http://docs.gerbera.io/en/latest/run.html?highlight=udp%20port#network-setup + # https://docs.gerbera.io/en/latest/run.html?highlight=udp%20port#network-setup allowedUDPPorts = [ 1900 cfg.port ]; allowedTCPPorts = [ cfg.port ]; }; diff --git a/nixos/modules/services/misc/moonraker.nix b/nixos/modules/services/misc/moonraker.nix index 7e306d718e0..797e145c47a 100644 --- a/nixos/modules/services/misc/moonraker.nix +++ b/nixos/modules/services/misc/moonraker.nix @@ -1,8 +1,8 @@ { config, lib, options, pkgs, ... }: with lib; let - pkg = pkgs.moonraker; cfg = config.services.moonraker; + pkg = cfg.package; opt = options.services.moonraker; format = pkgs.formats.ini { # https://github.com/NixOS/nixpkgs/pull/121613#issuecomment-885241996 @@ -18,6 +18,14 @@ in { services.moonraker = { enable = mkEnableOption (lib.mdDoc "Moonraker, an API web server for Klipper"); + package = mkOption { + type = with types; nullOr package; + default = pkgs.moonraker; + defaultText = literalExpression "pkgs.moonraker"; + example = literalExpression "pkgs.moonraker.override { useGpiod = true; }"; + description = lib.mdDoc "Moonraker package to use"; + }; + klipperSocket = mkOption { type = types.path; default = config.services.klipper.apiSocket; diff --git a/nixos/modules/services/misc/packagekit.nix b/nixos/modules/services/misc/packagekit.nix index f3e6bf50e9b..5a0d314d25c 100644 --- a/nixos/modules/services/misc/packagekit.nix +++ b/nixos/modules/services/misc/packagekit.nix 
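Review bot: `package` is typed `with types; nullOr package`, yet the first hunk rebinds `pkg = cfg.package` for the module's existing `${pkg}` uses, so a user who sets it to `null` gets an interpolation failure inside the module instead of a clear option-type error. Null has no meaning here; use `type = types.package;` or `mkPackageOption pkgs "moonraker" { }` as the other new modules in this commit (rkvm, soft-serve) do.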
@@ -40,9 +40,9 @@ in options.services.packagekit = { enable = mkEnableOption (lib.mdDoc '' - PackageKit provides a cross-platform D-Bus abstraction layer for + PackageKit, a cross-platform D-Bus abstraction layer for installing software. Software utilizing PackageKit can install - software regardless of the package manager. + software regardless of the package manager ''); settings = mkOption { diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 74a3b49ac9a..1e0a8d0f928 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -36,18 +36,7 @@ let # Secure the services defaultServiceConfig = { - TemporaryFileSystem = "/:ro"; - BindReadOnlyPaths = [ - "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" - "-/etc/hosts" - "-/etc/localtime" - "-/etc/ssl/certs" - "-/etc/static/ssl/certs" - "-/run/postgresql" - ] ++ (optional enableRedis redisServer.unixSocket); - BindPaths = [ + ReadWritePaths = [ cfg.consumptionDir cfg.dataDir cfg.mediaDir @@ -66,11 +55,9 @@ let PrivateUsers = true; ProtectClock = true; # Breaks if the home dir of the user is in /home - # Also does not add much value in combination with the TemporaryFileSystem. # ProtectHome = true; ProtectHostname = true; - # Would re-mount paths ignored by temporary root - #ProtectSystem = "strict"; + ProtectSystem = "strict"; ProtectControlGroups = true; ProtectKernelLogs = true; ProtectKernelModules = true; @@ -319,17 +306,6 @@ in Type = "oneshot"; # Enable internet access PrivateNetwork = false; - # Restrict write access - BindPaths = []; - BindReadOnlyPaths = [ - "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" - "-/etc/ssl/certs" - "-/etc/static/ssl/certs" - "-/etc/hosts" - "-/etc/localtime" - ]; ExecStart = let pythonWithNltk = pkg.python.withPackages (ps: [ ps.nltk ]); in '' ${pythonWithNltk}/bin/python -m nltk.downloader -d '${nltkDir}' punkt snowball_data stopwords ''; 
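Review bot: `ProtectSystem = "strict"` makes the whole tree read-only, but unlike the dropped `TemporaryFileSystem = "/:ro"` plus explicit `BindReadOnlyPaths` allow-list it hides nothing, so the service can now read every host path (/etc, /var, other services' state) that the old tmpfs root kept invisible. If that trade-off is intended, say so where it is made, e.g. `# strict makes the tree read-only but, unlike the former TemporaryFileSystem root, does not hide it; ReadWritePaths lists the only writable dirs`. The third hunk drops the nltk downloader's own `BindPaths`/`BindReadOnlyPaths`, so it now inherits `ProtectSystem = "strict"` from `defaultServiceConfig`; `nltkDir` must then be covered by `ReadWritePaths` or a state directory, which is not visible here and worth confirming.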
@@ -356,12 +332,28 @@ in # during migrations bindsTo = [ "paperless-scheduler.service" ]; after = [ "paperless-scheduler.service" ]; + # Setup PAPERLESS_SECRET_KEY. + # If this environment variable is left unset, paperless-ngx defaults + # to a well-known value, which is insecure. + script = let + secretKeyFile = "${cfg.dataDir}/nixos-paperless-secret-key"; + in '' + if [[ ! -f '${secretKeyFile}' ]]; then + ( + umask 0377 + tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}' + ) + fi + export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}') + if [[ ! $PAPERLESS_SECRET_KEY ]]; then + echo "PAPERLESS_SECRET_KEY is empty, refusing to start." + exit 1 + fi + exec ${pkg.python.pkgs.gunicorn}/bin/gunicorn \ + -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application + ''; serviceConfig = defaultServiceConfig // { User = cfg.user; - ExecStart = '' - ${pkg.python.pkgs.gunicorn}/bin/gunicorn \ - -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application - ''; Restart = "on-failure"; # gunicorn needs setuid, liblapack needs mbind @@ -373,7 +365,6 @@ in CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; environment = env // { - PATH = mkForce pkg.path; PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/paperless-ngx/src"; }; # Allow the web interface to access the private /tmp directory of the server. diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index a296fd3816b..20fa71507b6 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix 
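Review bot: The script fails closed when `nixos-paperless-secret-key` exists but is empty (the `[[ ! $PAPERLESS_SECRET_KEY ]]` check exits 1 instead of regenerating), which is reasonable but should be stated next to the check, e.g. `# an existing but empty key file is an operator error; refuse rather than silently mint a new key`. Only this unit exports `PAPERLESS_SECRET_KEY`; the `bindsTo`/`after` lines show paperless-scheduler is a separate unit, and if it (or the consumer) also loads the Django settings it still sees the well-known default this hunk is trying to avoid — worth confirming and, if so, reading the same file there. A short comment on the `umask 0377` line (key file ends up owner-read-only, 0400) would help later readers.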
@@ -267,7 +267,7 @@ in { assertion = cfg.database.passwordFile != null || cfg.database.socket != null; message = "one of services.redmine.database.socket or services.redmine.database.passwordFile must be set"; } - { assertion = cfg.database.createLocally -> cfg.database.user == cfg.user; + { assertion = cfg.database.createLocally -> cfg.database.user == cfg.user && cfg.database.user == cfg.database.name; message = "services.redmine.database.user must be set to ${cfg.user} if services.redmine.database.createLocally is set true"; } { assertion = cfg.database.createLocally -> cfg.database.socket != null; @@ -315,7 +315,7 @@ in ensureDatabases = [ cfg.database.name ]; ensureUsers = [ { name = cfg.database.user; - ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; + ensureDBOwnership = true; } ]; }; diff --git a/nixos/modules/services/misc/rkvm.nix b/nixos/modules/services/misc/rkvm.nix new file mode 100644 index 00000000000..582e8511ed9 --- /dev/null +++ b/nixos/modules/services/misc/rkvm.nix 
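Review bot: The assertion now also requires `cfg.database.user == cfg.database.name`, but the message on the following line still says only that the user must equal `${cfg.user}`, so a user whose database name differs gets misleading guidance. Change it to `message = "services.redmine.database.user must be set to ${cfg.user} and must equal services.redmine.database.name if services.redmine.database.createLocally is set true";`. The switch to `ensureDBOwnership` in the second hunk is what makes the equality necessary, which the message could also mention.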
@@ -0,0 +1,164 @@ +{ options, config, pkgs, lib, ... }: + +with lib; +let + opt = options.services.rkvm; + cfg = config.services.rkvm; + toml = pkgs.formats.toml { }; +in +{ + meta.maintainers = with maintainers; [ ckie ]; + + options.services.rkvm = { + enable = mkOption { + default = cfg.server.enable || cfg.client.enable; + defaultText = literalExpression "config.${opt.server.enable} || config.${opt.client.enable}"; + type = types.bool; + description = mdDoc '' + Whether to enable rkvm, a Virtual KVM switch for Linux machines. + ''; + }; + + package = mkPackageOption pkgs "rkvm" { }; + + server = { + enable = mkEnableOption "the rkvm server daemon (input transmitter)"; + + settings = mkOption { + type = types.submodule + { + freeformType = toml.type; + options = { + listen = mkOption { + type = types.str; + default = "0.0.0.0:5258"; + description = mdDoc '' + An internet socket address to listen on, either IPv4 or IPv6. + ''; + }; + + switch-keys = mkOption { + type = types.listOf types.str; + default = [ "left-alt" "left-ctrl" ]; + description = mdDoc '' + A key list specifying a host switch combination. + + _A list of key names is available in <https://github.com/htrefil/rkvm/blob/master/switch-keys.md>._ + ''; + }; + + certificate = mkOption { + type = types.path; + default = "/etc/rkvm/certificate.pem"; + description = mdDoc '' + TLS certificate path. + + ::: {.note} + This should be generated with {command}`rkvm-certificate-gen`. + ::: + ''; + }; + + key = mkOption { + type = types.path; + default = "/etc/rkvm/key.pem"; + description = mdDoc '' + TLS key path. + + ::: {.note} + This should be generated with {command}`rkvm-certificate-gen`. + ::: + ''; + }; + + password = mkOption { + type = types.str; + description = mdDoc '' + Shared secret token to authenticate the client. + Make sure this matches your client's config. 
+ ''; + }; + }; + }; + + default = { }; + description = mdDoc "Structured server daemon configuration"; + }; + }; + + client = { + enable = mkEnableOption "the rkvm client daemon (input receiver)"; + + settings = mkOption { + type = types.submodule + { + freeformType = toml.type; + options = { + server = mkOption { + type = types.str; + example = "192.168.0.123:5258"; + description = mdDoc '' + An RKVM server's internet socket address, either IPv4 or IPv6. + ''; + }; + + certificate = mkOption { + type = types.path; + default = "/etc/rkvm/certificate.pem"; + description = mdDoc '' + TLS ceritficate path. + + ::: {.note} + This should be generated with {command}`rkvm-certificate-gen`. + ::: + ''; + }; + + password = mkOption { + type = types.str; + description = mdDoc '' + Shared secret token to authenticate the client. + Make sure this matches your server's config. + ''; + }; + }; + }; + + default = {}; + description = mdDoc "Structured client daemon configuration"; + }; + }; + + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + systemd.services = + let + mkBase = component: { + description = "RKVM ${component}"; + wantedBy = [ "multi-user.target" ]; + after = { + server = [ "network.target" ]; + client = [ "network-online.target" ]; + }.${component}; + wants = { + server = [ ]; + client = [ "network-online.target" ]; + }.${component}; + serviceConfig = { + ExecStart = "${cfg.package}/bin/rkvm-${component} ${toml.generate "rkvm-${component}.toml" cfg.${component}.settings}"; + Restart = "always"; + RestartSec = 5; + Type = "simple"; + }; + }; + in + { + rkvm-server = mkIf cfg.server.enable (mkBase "server"); + rkvm-client = mkIf cfg.client.enable (mkBase "client"); + }; + }; + +} diff --git a/nixos/modules/services/misc/rshim.nix b/nixos/modules/services/misc/rshim.nix index 0fef2cc228c..706cf9136b0 100644 --- a/nixos/modules/services/misc/rshim.nix +++ b/nixos/modules/services/misc/rshim.nix 
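Review bot: `password` is a plain `types.str` option and `ExecStart` passes `toml.generate "rkvm-${component}.toml" cfg.${component}.settings`, so the shared secret is rendered into the world-readable Nix store and is readable by every local user. A `passwordFile` option loaded through `LoadCredential`, or rendering the config into the runtime directory at start-up from a file outside the store, would keep it out; at minimum the `password` description must state the store exposure. The units also run as root with no `User`/`DynamicUser` or sandboxing (presumably for input-device access, which the description could say), and the server default `listen = "0.0.0.0:5258"` binds all interfaces; both deserve a sentence in the option descriptions. `ceritficate` in the client certificate description is a typo.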
@@ -12,7 +12,7 @@ let in { options.services.rshim = { - enable = lib.mkEnableOption (lib.mdDoc "User-space rshim driver for the BlueField SoC"); + enable = lib.mkEnableOption (lib.mdDoc "user-space rshim driver for the BlueField SoC"); package = lib.mkPackageOptionMD pkgs "rshim-user-space" { }; diff --git a/nixos/modules/services/misc/soft-serve.nix b/nixos/modules/services/misc/soft-serve.nix new file mode 100644 index 00000000000..2b63b6bcd86 --- /dev/null +++ b/nixos/modules/services/misc/soft-serve.nix 
@@ -0,0 +1,99 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.soft-serve; + configFile = format.generate "config.yaml" cfg.settings; + format = pkgs.formats.yaml { }; + docUrl = "https://charm.sh/blog/self-hosted-soft-serve/"; + stateDir = "/var/lib/soft-serve"; +in +{ + options = { + services.soft-serve = { + enable = mkEnableOption "soft-serve"; + + package = mkPackageOption pkgs "soft-serve" { }; + + settings = mkOption { + type = format.type; + default = { }; + description = mdDoc '' + The contents of the configuration file for soft-serve. + + See <${docUrl}>. + ''; + example = literalExpression '' + { + name = "dadada's repos"; + log_format = "text"; + ssh = { + listen_addr = ":23231"; + public_url = "ssh://localhost:23231"; + max_timeout = 30; + idle_timeout = 120; + }; + stats.listen_addr = ":23233"; + } + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.tmpfiles.rules = [ + # The config file has to be inside the state dir + "L+ ${stateDir}/config.yaml - - - - ${configFile}" + ]; + + systemd.services.soft-serve = { + description = "Soft Serve git server"; + documentation = [ docUrl ]; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment.SOFT_SERVE_DATA_PATH = stateDir; + + serviceConfig = { + Type = "simple"; + DynamicUser = true; + Restart = "always"; + ExecStart = "${getExe cfg.package} serve"; + StateDirectory = "soft-serve"; + WorkingDirectory = stateDir; + RuntimeDirectory = "soft-serve"; + RuntimeDirectoryMode = "0750"; + ProcSubset = "pid"; + ProtectProc = "invisible"; + UMask = "0027"; + CapabilityBoundingSet = ""; + ProtectHome = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + 
RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RemoveIPC = true; + PrivateMounts = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap" + ]; + }; + }; + }; + + meta.maintainers = [ maintainers.dadada ]; +} diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix index 580a009a0ad..f2b09f4bc4b 100644 --- a/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixos/modules/services/misc/sourcehut/default.nix @@ -25,7 +25,7 @@ let || head srvMatch == srv # Include sections for the service being configured then v # Enable Web links and integrations between services. - else if tail srvMatch == [ null ] && elem (head srvMatch) cfg.services + else if tail srvMatch == [ null ] && cfg.${head srvMatch}.enable then { inherit (v) origin; # mansrht crashes without it @@ -38,9 +38,9 @@ let # for services needing access to them. "builds.sr.ht::worker".buildlogs = "/var/log/sourcehut/buildsrht-worker"; "git.sr.ht".post-update-script = "/usr/bin/gitsrht-update-hook"; - "git.sr.ht".repos = "/var/lib/sourcehut/gitsrht/repos"; + "git.sr.ht".repos = cfg.settings."git.sr.ht".repos; "hg.sr.ht".changegroup-script = "/usr/bin/hgsrht-hook-changegroup"; - "hg.sr.ht".repos = "/var/lib/sourcehut/hgsrht/repos"; + "hg.sr.ht".repos = cfg.settings."hg.sr.ht".repos; # Making this a per service option despite being in a global section, # so that it uses the redis-server used by the service. "sr.ht".redis-host = cfg.${srv}.redis.host; 
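Review bot: The `L+` tmpfiles rule recreates `${stateDir}/config.yaml` as a symlink into the store on every tmpfiles run, so hand edits to that file are silently discarded, and everything in `settings` is world-readable in the Nix store. The `settings` description should say both, e.g. `Rendered into the Nix store and symlinked into the state directory on every boot; manual edits there are lost and secrets must not be placed here.`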
@@ -77,6 +77,14 @@ let type = types.path; apply = s: "<" + toString s; }; + api-origin = mkOption { + description = lib.mdDoc "Origin URL for the API"; + type = types.str; + default = "http://${cfg.listenAddress}:${toString (cfg.${srv}.port + 100)}"; + defaultText = lib.literalMD '' + `"http://''${`[](#opt-services.sourcehut.listenAddress)`}:''${toString (`[](#opt-services.sourcehut.${srv}.port)` + 100)}"` + ''; + }; }; # Specialized python containing all the modules @@ -112,15 +120,6 @@ in and account management services ''); - services = mkOption { - type = with types; listOf (enum - [ "builds" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]); - defaultText = "locally enabled services"; - description = lib.mdDoc '' - Services that may be displayed as links in the title bar of the Web interface. - ''; - }; - listenAddress = mkOption { type = types.str; default = "localhost"; @@ -400,8 +399,8 @@ in This setting is propagated to newer and existing repositories. ''; type = types.str; - default = "${cfg.python}/bin/hgsrht-hook-changegroup"; - defaultText = "\${cfg.python}/bin/hgsrht-hook-changegroup"; + default = "${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup"; + defaultText = "\${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup"; }; repos = mkOption { description = lib.mdDoc '' @@ -438,7 +437,7 @@ in }; options."lists.sr.ht" = commonServiceSettings "lists" // { - allow-new-lists = mkEnableOption (lib.mdDoc "Allow creation of new lists"); + allow-new-lists = mkEnableOption (lib.mdDoc "creation of new lists"); notify-from = mkOption { description = lib.mdDoc "Outgoing email for notifications generated by users."; type = types.str; 
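Review bot: The `services` option is deleted outright while the earlier hunk switches the link logic to `cfg.${head srvMatch}.enable`, but nothing maps the old option away, so an existing configuration that set `services.sourcehut.services = [ ... ]` now fails evaluation with an undefined-option error instead of a pointed message. Add `(mkRemovedOptionModule [ "services" "sourcehut" "services" ] "Web links are now derived from the per-service enable options.")` to the module's imports, which are outside this hunk. The new shared `api-origin` option drops the "100 more than web" wording of the removed meta-specific one; the convention is still encoded in the default and could be kept in the description.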
@@ -501,12 +500,6 @@ in options."meta.sr.ht" = removeAttrs (commonServiceSettings "meta") ["oauth-client-id" "oauth-client-secret"] // { - api-origin = mkOption { - description = lib.mdDoc "Origin URL for API, 100 more than web."; - type = types.str; - default = "http://${cfg.listenAddress}:${toString (cfg.meta.port + 100)}"; - defaultText = lib.literalMD ''`"http://''${`[](#opt-services.sourcehut.listenAddress)`}:''${toString (`[](#opt-services.sourcehut.meta.port)` + 100)}"`''; - }; webhooks = mkOption { description = lib.mdDoc "The Redis connection used for the webhooks worker."; type = types.str; @@ -784,6 +777,7 @@ in extraConfig = '' PermitUserEnvironment SRHT_* ''; + startWhenNeeded = false; }; environment.etc."ssh/sourcehut/config.ini".source = settingsFormat.generate "sourcehut-dispatch-config.ini" @@ -792,15 +786,28 @@ in environment.etc."ssh/sourcehut/subdir/srht-dispatch" = { # sshd_config(5): The program must be owned by root, not writable by group or others mode = "0755"; - source = pkgs.writeShellScript "srht-dispatch" '' + source = pkgs.writeShellScript "srht-dispatch-wrapper" '' set -e + set -x cd /etc/ssh/sourcehut/subdir - ${cfg.python}/bin/gitsrht-dispatch "$@" + ${pkgs.sourcehut.gitsrht}/bin/gitsrht-dispatch "$@" ''; }; + systemd.tmpfiles.settings."10-sourcehut-gitsrht" = mkIf cfg.git.enable ( + builtins.listToAttrs (map (name: { + name = "/var/log/sourcehut/gitsrht-${name}"; + value.f = { + inherit (cfg.git) user group; + mode = "0644"; + }; + }) [ "keys" "shell" "update-hook" ]) + ); systemd.services.sshd = { - #path = optional cfg.git.enable [ cfg.git.package ]; + preStart = mkIf cfg.hg.enable '' + chown ${cfg.hg.user}:${cfg.hg.group} /var/log/sourcehut/hgsrht-keys + ''; serviceConfig = { + LogsDirectory = "sourcehut"; BindReadOnlyPaths = # Note that those /usr/bin/* paths are hardcoded in multiple places in *.sr.ht, # for instance to get the user from the [git.sr.ht::dispatch] settings. 
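Review bot: `set -x` is added to the `srht-dispatch-wrapper` script while this same commit removes `set -x` from every other sshd wrapper (buildsrht-keys, gitsrht-* and hgsrht-* in the hunks on the following lines), so it looks like leftover debugging. This is the dispatcher under `/etc/ssh/sourcehut/subdir` that the comment ties to sshd_config's ownership rule, so the trace of `"$@"` is emitted on every key lookup sshd performs; drop the line, or add a comment explaining why tracing is wanted for this script only. The sshd service definition continues outside the hunk.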
@@ -813,7 +820,6 @@ in "${pkgs.writeShellScript "buildsrht-keys-wrapper" '' set -e cd /run/sourcehut/buildsrht/subdir - set -x exec -a "$0" ${pkgs.sourcehut.buildsrht}/bin/buildsrht-keys "$@" ''}:/usr/bin/buildsrht-keys" "${pkgs.sourcehut.buildsrht}/bin/master-shell:/usr/bin/master-shell" @@ -825,31 +831,26 @@ in "${pkgs.writeShellScript "gitsrht-keys-wrapper" '' set -e cd /run/sourcehut/gitsrht/subdir - set -x exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys "$@" ''}:/usr/bin/gitsrht-keys" "${pkgs.writeShellScript "gitsrht-shell-wrapper" '' set -e cd /run/sourcehut/gitsrht/subdir - set -x + export PATH="${cfg.git.package}/bin:$PATH" + export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-shell "$@" ''}:/usr/bin/gitsrht-shell" "${pkgs.writeShellScript "gitsrht-update-hook" '' set -e - test -e "''${PWD%/*}"/config.ini || - # Git hooks are run relative to their repository's directory, - # but gitsrht-update-hook looks up ../config.ini - ln -s /run/sourcehut/gitsrht/config.ini "''${PWD%/*}"/config.ini + export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini # hooks/post-update calls /usr/bin/gitsrht-update-hook as hooks/stage-3 # but this wrapper being a bash script, it overrides $0 with /usr/bin/gitsrht-update-hook # hence this hack to put hooks/stage-3 back into gitsrht-update-hook's $0 if test "''${STAGE3:+set}" then - set -x exec -a hooks/stage-3 ${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook "$@" else export STAGE3=set - set -x exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook "$@" fi ''}:/usr/bin/gitsrht-update-hook" 
@@ -860,13 +861,11 @@ in
 "${pkgs.writeShellScript "hgsrht-keys-wrapper" ''
 set -e
 cd /run/sourcehut/hgsrht/subdir
- set -x
 exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-keys "$@"
 ''}:/usr/bin/hgsrht-keys"
 "${pkgs.writeShellScript "hgsrht-shell-wrapper" ''
 set -e
 cd /run/sourcehut/hgsrht/subdir
- set -x
 exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-shell "$@"
 ''}:/usr/bin/hgsrht-shell"
 # Mercurial's changegroup hooks are run relative to their repository's directory,
@@ -875,8 +874,7 @@ in
 set -e
 test -e "''$PWD"/config.ini ||
 ln -s /run/sourcehut/hgsrht/config.ini "''$PWD"/config.ini
- set -x
- exec -a "$0" ${cfg.python}/bin/hgsrht-hook-changegroup "$@"
+ exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup "$@"
 ''}:/usr/bin/hgsrht-hook-changegroup"
 ];
 };
@@ -1066,10 +1064,11 @@ in
 };
 })
 ];
- extraServices.gitsrht-api = {
- serviceConfig.Restart = "always";
- serviceConfig.RestartSec = "5s";
- serviceConfig.ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
+ extraServices.gitsrht-api.serviceConfig = {
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
+ BindPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/gitsrht/repos" ];
 };
 extraServices.gitsrht-fcgiwrap = mkIf cfg.nginx.enable {
 serviceConfig = {
@@ -1188,7 +1187,7 @@ in
 extraServices.listssrht-lmtp = {
 wants = [ "postfix.service" ];
 unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service";
- serviceConfig.ExecStart = "${cfg.python}/bin/listssrht-lmtp";
+ serviceConfig.ExecStart = "${pkgs.sourcehut.listssrht}/bin/listssrht-lmtp";
 # Avoid crashing: os.chown(sock, os.getuid(), sock_gid)
 serviceConfig.PrivateUsers = mkForce false;
 };
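Review bot: The new `BindPaths` entry in the gitsrht-api serviceConfig mounts the repository directory read-write into the unit; if the API only reads repositories, `BindReadOnlyPaths` (already used for sshd earlier in this file) is the tighter choice, and if it must write, a comment such as `# read-write: the API creates and updates repositories` would stop a later reviewer from narrowing it. When `cfg.settings."git.sr.ht".repos` is already the same path as the target, the entry binds the directory onto itself, which is harmless but worth a comment. The rest of the gitsrht service definition continues outside the hunk.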
@@ -1252,55 +1251,30 @@ in
 ) cfg.settings));
 serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b ${cfg.listenAddress}:${toString (cfg.meta.port + 100)}";
 };
- extraConfig = mkMerge [
- {
- assertions = [
- { assertion = let s = cfg.settings."meta.sr.ht::billing"; in
- s.enabled == "yes" -> (s.stripe-public-key != null && s.stripe-secret-key != null);
- message = "If meta.sr.ht::billing is enabled, the keys must be defined.";
- }
- ];
- environment.systemPackages = optional cfg.meta.enable
- (pkgs.writeShellScriptBin "metasrht-manageuser" ''
- set -eux
- if test "$(${pkgs.coreutils}/bin/id -n -u)" != '${cfg.meta.user}'
- then exec sudo -u '${cfg.meta.user}' "$0" "$@"
- else
- # In order to load config.ini
- if cd /run/sourcehut/metasrht
- then exec ${cfg.python}/bin/metasrht-manageuser "$@"
- else cat <<EOF
- Please run: sudo systemctl start metasrht
- EOF
- exit 1
- fi
+ extraConfig = {
+ assertions = [
+ { assertion = let s = cfg.settings."meta.sr.ht::billing"; in
+ s.enabled == "yes" -> (s.stripe-public-key != null && s.stripe-secret-key != null);
+ message = "If meta.sr.ht::billing is enabled, the keys must be defined.";
+ }
+ ];
+ environment.systemPackages = optional cfg.meta.enable
+ (pkgs.writeShellScriptBin "metasrht-manageuser" ''
+ set -eux
+ if test "$(${pkgs.coreutils}/bin/id -n -u)" != '${cfg.meta.user}'
+ then exec sudo -u '${cfg.meta.user}' "$0" "$@"
+ else
+ # In order to load config.ini
+ if cd /run/sourcehut/metasrht
+ then exec ${pkgs.sourcehut.metasrht}/bin/metasrht-manageuser "$@"
+ else cat <<EOF
+ Please run: sudo systemctl start metasrht
+ EOF
+ exit 1
 fi
- '');
- }
- (mkIf cfg.nginx.enable {
- services.nginx.virtualHosts."meta.${domain}" = {
- locations."/query" = {
- proxyPass = cfg.settings."meta.sr.ht".api-origin;
- extraConfig = ''
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain; charset=utf-8';
- add_header 'Content-Length' 0;
- return 204;
- }
-
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
- '';
- };
- };
- })
- ];
+ fi
+ '');
+ };
 })
 (import ./service.nix "pages" {
@@ -1356,7 +1330,7 @@ in
 extraServices.todosrht-lmtp = {
 wants = [ "postfix.service" ];
 unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service";
- serviceConfig.ExecStart = "${cfg.python}/bin/todosrht-lmtp";
+ serviceConfig.ExecStart = "${pkgs.sourcehut.todosrht}/bin/todosrht-lmtp";
 # Avoid crashing: os.chown(sock, os.getuid(), sock_gid)
 serviceConfig.PrivateUsers = mkForce false;
 };
@@ -1388,6 +1362,10 @@ in
 dispatch is deprecated. See https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/ for more information.
 '')
+
+ (mkRemovedOptionModule [ "services" "sourcehut" "services"] ''
+ This option was removed in favor of individual <service>.enable flags.
+ '')
 ];
 meta.doc = ./default.md;
diff --git a/nixos/modules/services/misc/sourcehut/service.nix b/nixos/modules/services/misc/sourcehut/service.nix
index aae13e0cc2c..f08d5eb4687 100644
--- a/nixos/modules/services/misc/sourcehut/service.nix
+++ b/nixos/modules/services/misc/sourcehut/service.nix
@@ -108,7 +108,7 @@ let
 #SocketBindDeny = "any";
 SystemCallFilter = [
 "@system-service"
- "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@timer"
+ "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@timer"
 "@chown" "@setuid"
 ];
 SystemCallArchitectures = "native";
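Review bot: Removing `"~@resources"` from `SystemCallFilter` re-allows the resource-limit and scheduling syscall group for every sourcehut unit this file generates, and nothing in the hunk or the commit message says which call needed it. A comment on the line, e.g. `# @resources left open: needed by <failing call — fill in before merge>`, would record the reason the sandbox was loosened; if a single service is the one that needs it, overriding the filter in that service's `extraServices` entry keeps the others as tight as before. The serviceConfig set this list belongs to starts and ends outside the hunk.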
@@ -222,6 +222,23 @@ in
 expires 30d;
 '';
 };
+ locations."/query" = mkIf (cfg.settings.${iniKey} ? api-origin) {
+ proxyPass = cfg.settings.${iniKey}.api-origin;
+ extraConfig = ''
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+ '';
+ };
 }
 cfg.nginx.virtualHost
 ];
 };
@@ -232,12 +249,12 @@ in
 ensureDatabases = [ srvCfg.postgresql.database ];
 ensureUsers = map (name: {
 inherit name;
- ensurePermissions = { "DATABASE \"${srvCfg.postgresql.database}\"" = "ALL PRIVILEGES"; };
+ # We don't use it because we have a special default database name with dots.
+ # TODO(for maintainers of sourcehut): migrate away from custom preStart script.
+ ensureDBOwnership = false;
 }) [srvCfg.user];
 };
- services.sourcehut.services = mkDefault (filter (s: cfg.${s}.enable)
- [ "builds" "dispatch" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]);
 services.sourcehut.settings = mkMerge [
 {
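Review bot: The `if ($request_method = 'OPTIONS')` block in the new `/query` location no longer carries the three `Access-Control-Allow-*` headers, and nginx only inherits `add_header` directives into a block that defines none of its own — this block defines four — so preflight responses go out without `Access-Control-Allow-Origin`, `-Methods` and `-Headers`, which is exactly why the old meta.sr.ht block this commit removes repeated them inside the `if`. Repeat them inside the block: `add_header 'Access-Control-Allow-Origin' '*';`, `add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';` and the `Access-Control-Allow-Headers` line from above. The wildcard origin is unchanged behaviour, but it now applies to every service that sets `api-origin` rather than to meta alone, which deserves a one-line comment on the new location.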
@@ -363,6 +380,21 @@ in
 }
 extraService
 ])) extraServices)
+
+ # Work around 'pq: permission denied for schema public' with postgres v15.
+ # See https://github.com/NixOS/nixpkgs/issues/216989
+ # Workaround taken from nixos/forgejo: https://github.com/NixOS/nixpkgs/pull/262741
+ # TODO(to maintainers of sourcehut): please migrate away from this workaround
+ # by migrating away from database name defaults with dots.
+ (lib.mkIf (
+ cfg.postgresql.enable
+ && lib.strings.versionAtLeast config.services.postgresql.package.version "15.0"
+ ) {
+ postgresql.postStart = (lib.mkAfter ''
+ $PSQL -tAc 'ALTER DATABASE "${srvCfg.postgresql.database}" OWNER TO "${srvCfg.user}";'
+ '');
+ }
+ )
 ];
 systemd.timers = mapAttrs (timerName: timer:
diff --git a/nixos/modules/services/misc/spice-autorandr.nix b/nixos/modules/services/misc/spice-autorandr.nix
new file mode 100644
index 00000000000..8437441c752
--- /dev/null
+++ b/nixos/modules/services/misc/spice-autorandr.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.services.spice-autorandr;
+in
+{
+ options = {
+ services.spice-autorandr = {
+ enable = lib.mkEnableOption (lib.mdDoc "spice-autorandr service that will automatically resize display to match SPICE client window size.");
+ package = lib.mkPackageOptionMD pkgs "spice-autorandr" { };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ cfg.package ];
+
+ systemd.user.services.spice-autorandr = {
+ wantedBy = [ "default.target" ];
+ after = [ "spice-vdagentd.service" ];
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/spice-autorandr";
+ Restart = "on-failure";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/misc/tp-auto-kbbl.nix b/nixos/modules/services/misc/tp-auto-kbbl.nix
index 8d92d3d9367..1076c814e86 100644
--- a/nixos/modules/services/misc/tp-auto-kbbl.nix
+++ b/nixos/modules/services/misc/tp-auto-kbbl.nix
@@ -9,7 +9,7 @@ in {
 options = {
 services.tp-auto-kbbl = {
- enable = mkEnableOption (lib.mdDoc "Auto toggle keyboard back-lighting on Thinkpads (and maybe other laptops) for Linux");
+ enable = mkEnableOption (lib.mdDoc "auto toggle keyboard back-lighting on Thinkpads (and maybe other laptops) for Linux");
 package = mkOption {
 type = types.package;
diff --git a/nixos/modules/services/misc/xmr-stak.nix b/nixos/modules/services/misc/xmr-stak.nix
index 6e123cf0380..54efae48d5d 100644
--- a/nixos/modules/services/misc/xmr-stak.nix
+++ b/nixos/modules/services/misc/xmr-stak.nix
@@ -7,7 +7,7 @@ let
 cfg = config.services.xmr-stak;
 pkg = pkgs.xmr-stak.override {
- inherit (cfg) openclSupport cudaSupport;
+ inherit (cfg) openclSupport;
 };
 in
@@ -17,7 +17,6 @@ in
 services.xmr-stak = {
 enable = mkEnableOption (lib.mdDoc "xmr-stak miner");
 openclSupport = mkEnableOption (lib.mdDoc "support for OpenCL (AMD/ATI graphics cards)");
- cudaSupport = mkEnableOption (lib.mdDoc "support for CUDA (NVidia graphics cards)");
 extraArgs = mkOption {
 type = types.listOf types.str;
@@ -64,15 +63,12 @@ in
 wantedBy = [ "multi-user.target" ];
 bindsTo = [ "network-online.target" ];
 after = [ "network-online.target" ];
- environment = mkIf cfg.cudaSupport {
- LD_LIBRARY_PATH = "${pkgs.linuxPackages_latest.nvidia_x11}/lib";
- };
 preStart = concatStrings (flip mapAttrsToList cfg.configFiles (fn: content: ''
 ln -sf '${pkgs.writeText "xmr-stak-${fn}" content}' '${fn}'
 ''));
- serviceConfig = let rootRequired = cfg.openclSupport || cfg.cudaSupport; in {
+ serviceConfig = let rootRequired = cfg.openclSupport; in {
 ExecStart = "${pkg}/bin/xmr-stak ${concatStringsSep " " cfg.extraArgs}";
 # xmr-stak generates cpu and/or gpu configuration files
 WorkingDirectory = "/tmp";
diff --git a/nixos/modules/services/misc/xmrig.nix b/nixos/modules/services/misc/xmrig.nix
index d2aa3df45d5..f75b47ffece 100644
--- a/nixos/modules/services/misc/xmrig.nix
+++ b/nixos/modules/services/misc/xmrig.nix
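Review bot: `services.xmr-stak.cudaSupport` is deleted from the options set without a removed-option module, so a configuration that still sets it fails evaluation with the generic undefined-option error instead of a message saying why it is gone. Adding `imports = [ (mkRemovedOptionModule [ "services" "xmr-stak" "cudaSupport" ] "CUDA support was removed from the xmr-stak module.") ];` next to the options, as the sourcehut module in this same commit does for its `services` option, keeps the upgrade path clear. The module's option and config sets both continue outside the hunk.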
@@ -52,15 +52,15 @@ with lib;
 };
 config = mkIf cfg.enable {
- boot.kernelModules = [ "msr" ];
+ hardware.cpu.x86.msr.enable = true;
 systemd.services.xmrig = {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 description = "XMRig Mining Software Service";
 serviceConfig = {
- ExecStartPre = "${cfg.package}/bin/xmrig --config=${configFile} --dry-run";
- ExecStart = "${cfg.package}/bin/xmrig --config=${configFile}";
+ ExecStartPre = "${lib.getExe cfg.package} --config=${configFile} --dry-run";
+ ExecStart = "${lib.getExe cfg.package} --config=${configFile}";
 # https://xmrig.com/docs/miner/randomx-optimization-guide/msr
 # If you use recent XMRig with root privileges (Linux) or admin
 # privileges (Windows) the miner configure all MSR registers
diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix
index b2e4e760d82..fca03b2ad4e 100644
--- a/nixos/modules/services/misc/zoneminder.nix
+++ b/nixos/modules/services/misc/zoneminder.nix
@@ -67,14 +67,14 @@ in {
 options = {
 services.zoneminder = with lib; {
 enable = lib.mkEnableOption (lib.mdDoc ''
- ZoneMinder
+ ZoneMinder.
 If you intend to run the database locally, you should set `config.services.zoneminder.database.createLocally` to true. Otherwise, when set to `false` (the default), you will have to create the database and database user as well as populate the database yourself. Additionally, you will need to run `zmupdate.pl` yourself when
- upgrading to a newer version.
+ upgrading to a newer version
 '');
 webserver = mkOption {
|