author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-04-21 00:15:20 +0000 |
committer | GitHub <noreply@github.com> | 2021-04-21 00:15:20 +0000 |
commit | 99c7bab106c7a8bf88f1a92ad93fa165369513c1 (patch) | |
tree | b1ef624984c9adc25abb39821d94781dce912109 /nixos | |
parent | b08c9b444bf86a67de405f5a7263de099ad70c96 (diff) | |
parent | 4f8cfd1c2e307576c7a88934e1ff42a8d46388f5 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/installer/tools/tools.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/databases/redis.nix | 41 | ||||
-rw-r--r-- | nixos/modules/services/misc/matrix-appservice-irc.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/security/oauth2_proxy.nix | 6 |
4 files changed, 46 insertions, 7 deletions
diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix
index 77c974fc22c..21f2e730c3f 100644
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -163,7 +163,8 @@ in
 # List packages installed in system profile. To search, run:
 # \$ nix search wget
 # environment.systemPackages = with pkgs; [
- # wget vim
+ # nano vim # don't forget to add an editor to edit configuration.nix!
+ # wget
 # firefox
 # ];
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 3ddc7aad81e..7ec10c0eb5a 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -5,6 +5,8 @@ with lib;
 let
 cfg = config.services.redis;
+ ulimitNofile = cfg.maxclients + 32;
+
 mkValueString = value:
 if value == true then "yes"
 else if value == false then "no"
@@ -14,8 +16,8 @@ let
 listsAsDuplicateKeys = true;
 mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " ";
 } cfg.settings);
-in
-{
+
+in {
 imports = [
 (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.")
 (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.")
@@ -121,6 +123,12 @@ in
 description = "Set the number of databases.";
 };
+ maxclients = mkOption {
+ type = types.int;
+ default = 10000;
+ description = "Set the max number of connected clients at the same time.";
+ };
+
 save = mkOption {
 type = with types; listOf (listOf int);
 default = [ [900 1] [300 10] [60 10000] ];
@@ -253,6 +261,7 @@ in
 logfile = cfg.logfile;
 syslog-enabled = cfg.syslog;
 databases = cfg.databases;
+ maxclients = cfg.maxclients;
 save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save;
 dbfilename = "dump.rdb";
 dir = "/var/lib/redis";
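Review bot: The new `maxclients` option is typed `types.int`, so 0 or a negative value passes evaluation and flows into `ulimitNofile = cfg.maxclients + 32` (earlier hunk in this file), leaving the unit a file-descriptor limit of 32 or below that the service can hardly start under. `type = types.ints.positive;` rejects such values where they are written rather than at service start. The `+ 32` presumably mirrors Redis's own reserved-descriptor margin, but nothing says so; a comment such as `# redis wants maxclients + 32 fds (persistence, listen sockets, log file)` on the `ulimitNofile` line would keep the two values from drifting apart. Both the `let` block and the `options` set these hunks touch start and end outside the hunks.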
@@ -295,6 +304,34 @@ in
 StateDirectoryMode = "0700";
 # Access write directories
 UMask = "0077";
+ # Capabilities
+ CapabilityBoundingSet = "";
+ # Security
+ NoNewPrivileges = true;
+ # Process Properties
+ LimitNOFILE = "${toString ulimitNofile}";
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
 };
 };
 };
diff --git a/nixos/modules/services/misc/matrix-appservice-irc.nix b/nixos/modules/services/misc/matrix-appservice-irc.nix
index 63dc313ad10..a0a5973d30f 100644
--- a/nixos/modules/services/misc/matrix-appservice-irc.nix
+++ b/nixos/modules/services/misc/matrix-appservice-irc.nix
@@ -214,7 +214,8 @@ in {
 PrivateMounts = true;
 SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap";
 SystemCallArchitectures = "native";
- RestrictAddressFamilies = "AF_INET AF_INET6";
+ # AF_UNIX is required to connect to a postgres socket.
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 };
 };
diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix
index 77c579279ab..e85fd4b75df 100644
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
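Review bot: `LimitNOFILE = "${toString ulimitNofile}"` and the `@resources` entry in `SystemCallFilter` only work in combination, and nothing in the hunk records that: `@resources` denies `setrlimit`/`prlimit64`, a denied call under `SystemCallFilter` ends the process with SIGSYS rather than returning an error, and Redis (as far as I recall its startup code; worth confirming) tries to raise its own RLIMIT_NOFILE whenever the inherited limit is below maxclients + 32. A later edit that lowers the limit or copies this filter into another unit would therefore kill the service at startup with no obvious cause; add `# must stay >= maxclients + 32: otherwise redis calls setrlimit(), which the @resources filter below turns into SIGSYS` above the `LimitNOFILE` line. As a point of style, the value is already a string after `toString`, so `LimitNOFILE = toString ulimitNofile;` says the same without the interpolation. The `serviceConfig` attribute set continues outside the hunk.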
@@ -90,10 +90,10 @@ in
 package = mkOption {
 type = types.package;
- default = pkgs.oauth2_proxy;
- defaultText = "pkgs.oauth2_proxy";
+ default = pkgs.oauth2-proxy;
+ defaultText = "pkgs.oauth2-proxy";
 description = ''
- The package that provides oauth2_proxy.
+ The package that provides oauth2-proxy.
 '';
 };
|