author | Robin Gloster <mail@glob.in> | 2019-09-25 11:28:20 +0200 |
committer | GitHub <noreply@github.com> | 2019-09-25 11:28:20 +0200 |
commit | 68b42a84fdd167e358ec9f76c40ff3907d0c3c2e (patch) | |
tree | 1a54ec197e8e7d73be867bebf6e79c6a89d5af9d /nixos | |
parent | 5ee383ea8c31cd7c8489c2b076aac9c51f63b55c (diff) | |
parent | fb6595eafdb90ef0bc7a31c2bfc9204e4cad11d9 (diff) | |
Merge branch 'master' into networkd-disallow-dhcp
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1909.xml | 29 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/misc/home-assistant.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/pykms.nix | 39 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces-systemd.nix | 2 |
6 files changed, 65 insertions, 18 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 012c2e4f992..ddce4df5098 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml 
@@ -485,7 +485,34 @@ </para> </listitem> <listitem> - <para> + <para> + The <literal>services.gitlab</literal> module has had its literal secret options (<option>services.gitlab.smtp.password</option>, + <option>services.gitlab.databasePassword</option>, + <option>services.gitlab.initialRootPassword</option>, + <option>services.gitlab.secrets.secret</option>, + <option>services.gitlab.secrets.db</option>, + <option>services.gitlab.secrets.otp</option> and + <option>services.gitlab.secrets.jws</option>) replaced by file-based versions (<option>services.gitlab.smtp.passwordFile</option>, + <option>services.gitlab.databasePasswordFile</option>, + <option>services.gitlab.initialRootPasswordFile</option>, + <option>services.gitlab.secrets.secretFile</option>, + <option>services.gitlab.secrets.dbFile</option>, + <option>services.gitlab.secrets.otpFile</option> and + <option>services.gitlab.secrets.jwsFile</option>). This was done so that secrets aren't stored + in the world-readable nix store, but means that for each option you'll have to create a file with + the same exact string, add "File" to the end of the option name, and change the definition to a + string pointing to the corresponding file; e.g. <literal>services.gitlab.databasePassword = "supersecurepassword"</literal> + becomes <literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal> where the + file <literal>secret_file</literal> contains the string <literal>supersecurepassword</literal>. + </para> + <para> + The state path (<option>services.gitlab.statePath</option>) now has the following restriction: + no parent directory can be owned by any other user than <literal>root</literal> or the user + specified in <option>services.gitlab.user</option>; i.e. 
if <option>services.gitlab.statePath</option> + is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories + must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>. + </para> + <para> The <option>networking.useDHCP</option> option is unsupported in combination with <option>networking.useNetworkd</option> in anticipation of defaulting to it by default. It has to be set to <literal>false</literal> and enabled per diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 0c7c45a4708..802ffcdc94e 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -66,6 +66,8 @@ with lib; (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) + (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead") + (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 1e1eb0fd9a1..4c1ffead00c 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -223,7 +223,15 @@ in { statePath = mkOption { type = types.str; default = "/var/gitlab/state"; - description = "Gitlab state directory, logs are stored here."; + description = '' + Gitlab state directory. Configuration, repositories and + logs, among other things, are stored here. + + The directory will be created automatically if it doesn't + exist already. Its parent directories must be owned by + either <literal>root</literal> or the user set in + <option>services.gitlab.user</option>. + ''; }; backupPath = mkOption { diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index f1b35124674..74702c97f55 100644 
--- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -224,6 +224,7 @@ in { KillSignal = "SIGINT"; PrivateTmp = true; RemoveIPC = true; + AmbientCapabilities = "cap_net_raw,cap_net_admin+eip"; }; path = [ "/run/wrappers" # needed for ping diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix index ab00086e591..e2d1254602b 100644 --- a/nixos/modules/services/misc/pykms.nix +++ b/nixos/modules/services/misc/pykms.nix @@ -4,6 +4,7 @@ with lib; let cfg = config.services.pykms; + libDir = "/var/lib/pykms"; in { meta.maintainers = with lib.maintainers; [ peterhoeg ]; @@ -28,12 +29,6 @@ in { description = "The port on which to listen."; }; - verbose = mkOption { - type = types.bool; - default = false; - description = "Show verbose output."; - }; - openFirewallPort = mkOption { type = types.bool; default = false; 
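Review bot: The added `AmbientCapabilities = "cap_net_raw,cap_net_admin+eip";` is written in setcap(8) text syntax (comma-separated list plus a `+eip` flag suffix), whereas systemd.exec(5) documents AmbientCapabilities= as a whitespace-separated list of capability names, so I would expect systemd to reject that single token with a parse warning and grant nothing; please confirm in the unit's journal. The systemd form is `AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";`, and because ambient capabilities are inherited by every process the service execs, I would pair it with `CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";` so nothing beyond those two can ever be acquired. CAP_NET_ADMIN permits reconfiguring interfaces, routes and netfilter, which is a broad grant for a home-automation daemon, so a one-line comment naming the integration that actually needs it would help the next maintainer; if ping is the only requirement, the `/run/wrappers` path entry in the hunk already covers that and CAP_NET_RAW alone would suffice. The `serviceConfig` attribute set this line belongs to opens outside the hunk.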
@@ -45,30 +40,44 @@ in { default = "64M"; description = "How much memory to use at most."; }; + + logLevel = mkOption { + type = types.enum [ "CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG" "MINI" ]; + default = "INFO"; + description = "How much to log"; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional arguments"; + }; }; }; config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ]; - systemd.services.pykms = let - home = "/var/lib/pykms"; - in { + systemd.services.pykms = { description = "Python KMS"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; # python programs with DynamicUser = true require HOME to be set - environment.HOME = home; + environment.HOME = libDir; serviceConfig = with pkgs; { DynamicUser = true; - StateDirectory = baseNameOf home; - ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db"; + StateDirectory = baseNameOf libDir; + ExecStartPre = "${getBin pykms}/libexec/create_pykms_db.sh ${libDir}/clients.db"; ExecStart = lib.concatStringsSep " " ([ - "${getBin pykms}/bin/server.py" + "${getBin pykms}/bin/server" + "--logfile STDOUT" + "--loglevel ${cfg.logLevel}" + ] ++ cfg.extraArgs ++ [ cfg.listenAddress (toString cfg.port) - ] ++ lib.optional cfg.verbose "--verbose"); - WorkingDirectory = home; + ]); + ProtectHome = "tmpfs"; + WorkingDirectory = libDir; Restart = "on-failure"; MemoryLimit = cfg.memoryLimit; }; diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 605d00de58f..863072e33dc 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix 
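Review bot: The new `cfg.extraArgs` list is spliced into ExecStart via `concatStringsSep " "` without quoting, so any element containing whitespace or quote characters is re-split by systemd's word parser into several argv entries (or fails to parse), and `cfg.listenAddress` has the same exposure; the new `"--logfile STDOUT"` and `"--loglevel ${cfg.logLevel}"` strings quietly rely on that same splitting. I would keep every argument a separate list element and quote the vector once: `ExecStart = "${getBin pykms}/bin/server " + lib.escapeShellArgs ([ "--logfile" "STDOUT" "--loglevel" cfg.logLevel ] ++ cfg.extraArgs ++ [ cfg.listenAddress (toString cfg.port) ]);` — systemd honours single-quoted words in ExecStart=, so each element then reaches the server as exactly one argument. The `extraArgs` description should also state that elements are passed verbatim, before the listen address and port, e.g. `description = "Additional arguments passed verbatim to the pykms server, before the listen address and port.";`. The enclosing `config = mkIf cfg.enable {` set closes outside the hunk.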
@@ -12,7 +12,7 @@ let i.ipv4.addresses ++ optionals cfg.enableIPv6 i.ipv6.addresses; - dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "no"; + dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "yes" else "no"; slaves = concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds)) |
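Review bot: `dhcpStr` now emits `DHCP=yes`, which enables both the DHCPv4 and DHCPv6 clients, while the address list directly above only adds `i.ipv6.addresses` when `cfg.enableIPv6` is set; for consistency I would emit `ipv4` when IPv6 is disabled rather than start a DHCPv6 client that presumably cannot succeed, e.g. `dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then (if cfg.enableIPv6 then "yes" else "ipv4") else "no";`. The previous `both` value had the same behaviour, so this is not a regression introduced by the commit, and with IPv6 disabled system-wide the extra client is likely only noise in the journal — worth confirming before changing. The `let` block that binds `dhcpStr` begins outside the hunk.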