author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-07-22 18:01:39 +0000 |
committer | GitHub <noreply@github.com> | 2021-07-22 18:01:39 +0000 |
commit | 0b0a8c7c9ac81a7d4e2936aee4a27915194e8bac (patch) | |
tree | 6475a18d8f5d3fd9ea110fd7db803c8ad312842c /nixos | |
parent | 741be6dfc1fdd013ee52c4154dd82cd69d328be3 (diff) | |
parent | 4df8d6305c414a172f167f900e852724dedbca3a (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/programs/udevil.nix | 3 | ||||
-rw-r--r-- | nixos/modules/programs/zsh/zsh.nix | 26 | ||||
-rw-r--r-- | nixos/modules/services/networking/pppd.nix | 26 |
3 files changed, 46 insertions, 9 deletions
diff --git a/nixos/modules/programs/udevil.nix b/nixos/modules/programs/udevil.nix
index ba5670f9dfe..25975d88ec8 100644
--- a/nixos/modules/programs/udevil.nix
+++ b/nixos/modules/programs/udevil.nix
@@ -10,5 +10,8 @@ in {
 config = mkIf cfg.enable {
 security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
+
+ systemd.packages = [ pkgs.udevil ];
+ systemd.services."devmon@".wantedBy = [ "multi-user.target" ];
 };
 }
diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix
index 48638fda28d..6c824a692b7 100644
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@@ -53,7 +53,7 @@ in
 };
 shellAliases = mkOption {
- default = {};
+ default = { };
 description = ''
 Set of aliases for zsh shell, which overrides <option>environment.shellAliases</option>.
 See <option>environment.shellAliases</option> for an option format description.
@@ -118,7 +118,9 @@ in
 setOptions = mkOption {
 type = types.listOf types.str;
 default = [
- "HIST_IGNORE_DUPS" "SHARE_HISTORY" "HIST_FCNTL_LOCK"
+ "HIST_IGNORE_DUPS"
+ "SHARE_HISTORY"
+ "HIST_FCNTL_LOCK"
 ];
 example = [ "EXTENDED_HISTORY" "RM_STAR_WAIT" ];
 description = ''
@@ -278,15 +280,29 @@ in
 environment.etc.zinputrc.source = ./zinputrc;
- environment.systemPackages = [ pkgs.zsh ]
- ++ optional cfg.enableCompletion pkgs.nix-zsh-completions;
+ environment.systemPackages =
+ let
+ completions =
+ if lib.versionAtLeast (lib.getVersion config.nix.package) "2.4pre"
+ then
+ pkgs.nix-zsh-completions.overrideAttrs
+ (_: {
+ postInstall = ''
+ rm $out/share/zsh/site-functions/_nix
+ '';
+ })
+ else pkgs.nix-zsh-completions;
+ in
+ [ pkgs.zsh ]
+ ++ optional cfg.enableCompletion completions;
 environment.pathsToLink = optional cfg.enableCompletion "/share/zsh";
 #users.defaultUserShell = mkDefault "/run/current-system/sw/bin/zsh";
 environment.shells =
- [ "/run/current-system/sw/bin/zsh"
+ [
+ "/run/current-system/sw/bin/zsh"
 "${pkgs.zsh}/bin/zsh"
 ];
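Review bot: The added `systemd.services."devmon@".wantedBy = [ "multi-user.target" ]` points at a template unit without an instance, so the generated wants symlink only does anything if the `devmon@.service` shipped by `pkgs.udevil` declares `DefaultInstance=`; that is not visible in this hunk and should be confirmed, otherwise the line is a silent no-op and no `%i` user is ever chosen. Assuming it does work, the hunk makes automatic mounting of any inserted media (through the setuid `udevil` wrapper installed on the line above) an unconditional side effect of `programs.udevil.enable`, which is a larger attack surface than the wrapper alone — filesystem drivers parsing untrusted media, for every user the template instantiates. I would make the unit opt-in behind its own option rather than tie it to `enable`, and in any case add `# devmon@ is a template unit; only effective with DefaultInstance= (or an explicit instance)` above the `wantedBy` line. The enclosing `config = mkIf cfg.enable { … }` set is fully inside this hunk.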
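Review bot: The `overrideAttrs` that runs `rm $out/share/zsh/site-functions/_nix` in the third hunk has no comment explaining why the completion is dropped, and the `"2.4pre"` threshold reads as a magic version; a why-comment on the `completions =` line is needed, e.g. `# presumably nix >= 2.4 ships its own _nix completion and the copy from nix-zsh-completions would collide — confirm`. Also `rm` without `-f` means a future nix-zsh-completions release that stops installing `_nix` breaks the system build; if that is intended as a tripwire, the comment should say so, otherwise use `rm -f`. The enclosing `config` attribute set starts and ends outside the hunk.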
diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix
index c1cbdb46176..37f44f07ac4 100644
--- a/nixos/modules/services/networking/pppd.nix
+++ b/nixos/modules/services/networking/pppd.nix
@@ -82,13 +82,21 @@ in
 LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
 NIX_REDIRECTS = "/var/run=/run/pppd";
 };
- serviceConfig = {
+ serviceConfig = let
+ capabilities = [
+ "CAP_BPF"
+ "CAP_SYS_TTY_CONFIG"
+ "CAP_NET_ADMIN"
+ "CAP_NET_RAW"
+ ];
+ in
+ {
 ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
 Restart = "always";
 RestartSec = 5;
- AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
- CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
 KeyringMode = "private";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -103,7 +111,17 @@ in
 ProtectKernelTunables = false;
 ProtectSystem = "strict";
 RemoveIPC = true;
- RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
+ RestrictAddressFamilies = [
+ "AF_ATMPVC"
+ "AF_ATMSVC"
+ "AF_INET"
+ "AF_INET6"
+ "AF_IPX"
+ "AF_NETLINK"
+ "AF_PACKET"
+ "AF_PPPOX"
+ "AF_UNIX"
+ ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true; |
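Review bot: Replacing `CAP_SYS_ADMIN` with `CAP_BPF` in the new `capabilities` list assumes a kernel where CAP_BPF exists (Linux 5.8, where it was split out of CAP_SYS_ADMIN); on an older LTS kernel the capability number is beyond what the kernel supports and, as far as I recall, systemd silently drops it from the set, while whatever BPF operation motivated it (presumably pppd's pass/active packet filters) still falls under CAP_SYS_ADMIN, which this hunk no longer grants — so the unit quietly loses a privilege it had before the change. Either gate the entry on the kernel, e.g. replace `"CAP_BPF"` with `] ++ (if lib.versionAtLeast config.boot.kernelPackages.kernel.version "5.8" then [ "CAP_BPF" ] else [ "CAP_SYS_ADMIN" ])` and move the closing bracket up, or document the requirement with `# CAP_BPF replaces CAP_SYS_ADMIN for pppd's BPF filters; needs Linux >= 5.8` above the list. The `AF_NETLINK` addition in the second hunk looks right for interface/route setup but deserves the same one-line why-comment so the allow-list stays auditable. The enclosing systemd service definition starts before and ends after this hunk.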