diff options
author | Matthew Bauer <mjbauer95@gmail.com> | 2019-04-23 22:00:42 -0400 |
---|---|---|
committer | Matthew Bauer <mjbauer95@gmail.com> | 2019-04-23 22:00:42 -0400 |
commit | 84d00355e8b288a0700ea1590897b75297ec3877 (patch) | |
tree | 5006e56e8ac8441f5af8fcef632ead1a0e561bb2 /nixos | |
parent | dc552fd2ff745d5942ceb1ec2d1016a80f7f7307 (diff) | |
parent | 6088a4793f2a83921b197a9185034934fcd96d02 (diff) | |
download | nixpkgs-84d00355e8b288a0700ea1590897b75297ec3877.tar nixpkgs-84d00355e8b288a0700ea1590897b75297ec3877.tar.gz nixpkgs-84d00355e8b288a0700ea1590897b75297ec3877.tar.bz2 nixpkgs-84d00355e8b288a0700ea1590897b75297ec3877.tar.lz nixpkgs-84d00355e8b288a0700ea1590897b75297ec3877.tar.xz nixpkgs-84d00355e8b288a0700ea1590897b75297ec3877.tar.zst nixpkgs-84d00355e8b288a0700ea1590897b75297ec3877.zip |
Merge remote-tracking branch 'NixOS/master' into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/installer/cd-dvd/system-tarball.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 3 | ||||
-rw-r--r-- | nixos/modules/security/misc.nix | 24 | ||||
-rw-r--r-- | nixos/modules/services/backup/automysqlbackup.nix | 115 | ||||
-rw-r--r-- | nixos/modules/services/misc/matrix-synapse.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/graphite.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/munin.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/tedicross.nix | 100 | ||||
-rw-r--r-- | nixos/modules/services/security/bitwarden_rs/backup.sh | 17 | ||||
-rw-r--r-- | nixos/modules/services/security/bitwarden_rs/default.nix | 126 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/startx.nix | 4 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/automysqlbackup.nix | 34 |
13 files changed, 422 insertions, 13 deletions
diff --git a/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixos/modules/installer/cd-dvd/system-tarball.nix index e72d4a5b491..b84096861f5 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball.nix @@ -68,7 +68,7 @@ in # Create the tarball system.build.tarball = import ../../../lib/make-system-tarball.nix { - inherit (pkgs) stdenv perl xz pathsFromGraph; + inherit (pkgs) stdenv closureInfo pixz; inherit (config.tarball) contents storeContents; }; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c97e9f01ad7..9e589258ee0 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -188,6 +188,7 @@ ./services/audio/snapserver.nix ./services/audio/squeezelite.nix ./services/audio/ympd.nix + ./services/backup/automysqlbackup.nix ./services/backup/bacula.nix ./services/backup/borgbackup.nix ./services/backup/duplicati.nix @@ -672,6 +673,7 @@ ./services/networking/syncthing-relay.nix ./services/networking/tcpcrypt.nix ./services/networking/teamspeak3.nix + ./services/networking/tedicross.nix ./services/networking/tinc.nix ./services/networking/tinydns.nix ./services/networking/tftpd.nix @@ -705,6 +707,7 @@ ./services/search/hound.nix ./services/search/kibana.nix ./services/search/solr.nix + ./services/security/bitwarden_rs/default.nix ./services/security/certmgr.nix ./services/security/cfssl.nix ./services/security/clamav.nix diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index 4506a67487d..ecf22bf81c5 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -12,14 +12,24 @@ with lib; type = types.bool; default = true; description = '' - Whether to allow creation of user namespaces. A recurring problem - with user namespaces is the presence of code paths where the kernel's - permission checking logic fails to account for namespacing, instead - permitting a namespaced process to act outside the namespace with the - same privileges as it would have inside it. This is particularly + Whether to allow creation of user namespaces. + </para> + + <para> + The motivation for disabling user namespaces is the potential + presence of code paths where the kernel's permission checking + logic fails to account for namespacing, instead permitting a + namespaced process to act outside the namespace with the same + privileges as it would have inside it. This is particularly damaging in the common case of running as root within the namespace. - When user namespace creation is disallowed, attempting to create - a user namespace fails with "no space left on device" (ENOSPC). + </para> + + <para> + When user namespace creation is disallowed, attempting to create a + user namespace fails with "no space left on device" (ENOSPC). + root may re-enable user namespace creation at runtime. + </para> + <para> ''; }; diff --git a/nixos/modules/services/backup/automysqlbackup.nix b/nixos/modules/services/backup/automysqlbackup.nix new file mode 100644 index 00000000000..b845f370fb7 --- /dev/null +++ b/nixos/modules/services/backup/automysqlbackup.nix @@ -0,0 +1,115 @@ +{ config, lib, pkgs, ... }: + +let + + inherit (lib) concatMapStringsSep concatStringsSep isInt isList literalExample; + inherit (lib) mapAttrs mapAttrsToList mkDefault mkEnableOption mkIf mkOption optional types; + + cfg = config.services.automysqlbackup; + pkg = pkgs.automysqlbackup; + user = "automysqlbackup"; + group = "automysqlbackup"; + + toStr = val: + if isList val then "( ${concatMapStringsSep " " (val: "'${val}'") val} )" + else if isInt val then toString val + else if true == val then "'yes'" + else if false == val then "'no'" + else "'${toString val}'"; + + configFile = pkgs.writeText "automysqlbackup.conf" '' + #version=${pkg.version} + # DONT'T REMOVE THE PREVIOUS VERSION LINE! + # + ${concatStringsSep "\n" (mapAttrsToList (name: value: "CONFIG_${name}=${toStr value}") cfg.config)} + ''; + +in +{ + # interface + options = { + services.automysqlbackup = { + + enable = mkEnableOption "AutoMySQLBackup"; + + calendar = mkOption { + type = types.str; + default = "01:15:00"; + description = '' + Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second). + ''; + }; + + config = mkOption { + type = with types; attrsOf (either (either str (either int bool)) (listOf str)); + default = {}; + description = '' + automysqlbackup configuration. Refer to + <filename>''${pkgs.automysqlbackup}/etc/automysqlbackup.conf</filename> + for details on supported values. + ''; + example = literalExample '' + { + db_names = [ "nextcloud" "matomo" ]; + table_exclude = [ "nextcloud.oc_users" "nextcloud.oc_whats_new" ]; + mailcontent = "log"; + mail_address = "admin@example.org"; + } + ''; + }; + + }; + }; + + # implementation + config = mkIf cfg.enable { + + assertions = [ + { assertion = !config.services.mysqlBackup.enable; + message = "Please choose one of services.mysqlBackup or services.automysqlbackup."; + } + ]; + + services.automysqlbackup.config = mapAttrs (name: mkDefault) { + mysql_dump_username = user; + mysql_dump_host = "localhost"; + backup_dir = "/var/backup/mysql"; + db_exclude = [ "information_schema" "performance_schema" ]; + mailcontent = "stdout"; + mysql_dump_single_transaction = true; + }; + + systemd.timers.automysqlbackup = { + description = "automysqlbackup timer"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfg.calendar; + AccuracySec = "5m"; + }; + }; + + systemd.services.automysqlbackup = { + description = "automysqlbackup service"; + serviceConfig = { + User = user; + Group = group; + ExecStart = "${pkg}/bin/automysqlbackup ${configFile}"; + }; + }; + + environment.systemPackages = [ pkg ]; + + users.users.${user}.group = group; + users.groups.${group} = { }; + + systemd.tmpfiles.rules = [ + "d '${cfg.config.backup_dir}' 0750 ${user} ${group} - -" + ]; + + services.mysql.ensureUsers = optional (config.services.mysql.enable && cfg.config.mysql_dump_host == "localhost") { + name = user; + ensurePermissions = { "*.*" = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES"; }; + }; + + }; +} diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 5e465926b83..00c8e740803 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -554,7 +554,10 @@ in { }; trusted_third_party_id_servers = mkOption { type = types.listOf types.str; - default = ["matrix.org"]; + default = [ + "matrix.org" + "vector.im" + ]; description = '' The list of identity servers trusted to verify third party identifiers by this server. ''; diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index f59bc56962b..2365142af40 100644 --- a/nixos/modules/services/monitoring/graphite.nix +++ b/nixos/modules/services/monitoring/graphite.nix @@ -123,7 +123,7 @@ in { graphite carbon. For more information visit - <link xlink:href="http://graphite-api.readthedocs.org/en/latest/"/> + <link xlink:href="https://graphite-api.readthedocs.org/en/latest/"/> ''; default = false; type = types.bool; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index f6798632724..ffe223fedbe 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -8,7 +8,7 @@ # spawn-fcgi -s /run/munin/fastcgi-graph.sock -U www-data -u munin -g munin /usr/lib/munin/cgi/munin-cgi-graph # spawn-fcgi -s /run/munin/fastcgi-html.sock -U www-data -u munin -g munin /usr/lib/munin/cgi/munin-cgi-html # https://paste.sh/vofcctHP#-KbDSXVeWoifYncZmLfZzgum -# nginx http://munin.readthedocs.org/en/latest/example/webserver/nginx.html +# nginx https://munin.readthedocs.org/en/latest/example/webserver/nginx.html with lib; diff --git a/nixos/modules/services/networking/tedicross.nix b/nixos/modules/services/networking/tedicross.nix new file mode 100644 index 00000000000..0716975f594 --- /dev/null +++ b/nixos/modules/services/networking/tedicross.nix @@ -0,0 +1,100 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + dataDir = "/var/lib/tedicross"; + cfg = config.services.tedicross; + configJSON = pkgs.writeText "tedicross-settings.json" (builtins.toJSON cfg.config); + configYAML = pkgs.runCommand "tedicross-settings.yaml" { preferLocalBuild = true; } '' + ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out + ''; + +in { + options = { + services.tedicross = { + enable = mkEnableOption "the TediCross Telegram-Discord bridge service"; + + config = mkOption { + type = types.attrs; + # from https://github.com/TediCross/TediCross/blob/master/example.settings.yaml + example = literalExample '' + { + telegram = { + useFirstNameInsteadOfUsername = false; + colonAfterSenderName = false; + skipOldMessages = true; + sendEmojiWithStickers = true; + }; + discord = { + useNickname = false; + skipOldMessages = true; + displayTelegramReplies = "embed"; + replyLength = 100; + }; + bridges = [ + { + name = "Default bridge"; + direction = "both"; + telegram = { + chatId = -123456789; + relayJoinMessages = true; + relayLeaveMessages = true; + sendUsernames = true; + ignoreCommands = true; + }; + discord = { + serverId = "DISCORD_SERVER_ID"; + channelId = "DISCORD_CHANNEL_ID"; + relayJoinMessages = true; + relayLeaveMessages = true; + sendUsernames = true; + crossDeleteOnTelegram = true; + }; + } + ]; + + debug = false; + } + ''; + description = '' + <filename>settings.yaml</filename> configuration as a Nix attribute set. + Secret tokens should be specified using <option>environmentFile</option> + instead of this world-readable file. + ''; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + File containing environment variables to be passed to the TediCross service, + in which secret tokens can be specified securely using the + <literal>TELEGRAM_BOT_TOKEN</literal> and <literal>DISCORD_BOT_TOKEN</literal> + keys. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + # from https://github.com/TediCross/TediCross/blob/master/guides/autostart/Linux.md + systemd.services.tedicross = { + description = "TediCross Telegram-Discord bridge service"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.nodePackages.tedicross}/bin/tedicross --config='${configYAML}' --data-dir='${dataDir}'"; + Restart = "always"; + DynamicUser = true; + StateDirectory = baseNameOf dataDir; + EnvironmentFile = cfg.environmentFile; + }; + }; + }; + + meta.maintainers = with maintainers; [ pacien ]; +} + diff --git a/nixos/modules/services/security/bitwarden_rs/backup.sh b/nixos/modules/services/security/bitwarden_rs/backup.sh new file mode 100644 index 00000000000..264a7da9cbb --- /dev/null +++ b/nixos/modules/services/security/bitwarden_rs/backup.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Based on: https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault +if ! mkdir -p "$BACKUP_FOLDER"; then + echo "Could not create backup folder '$BACKUP_FOLDER'" >&2 + exit 1 +fi + +if [[ ! -f "$DATA_FOLDER"/db.sqlite3 ]]; then + echo "Could not find SQLite database file '$DATA_FOLDER/db.sqlite3'" >&2 + exit 1 +fi + +sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'" +cp "$DATA_FOLDER"/rsa_key.{der,pem,pub.der} "$BACKUP_FOLDER" +cp -r "$DATA_FOLDER"/attachments "$BACKUP_FOLDER" +cp -r "$DATA_FOLDER"/icon_cache "$BACKUP_FOLDER" diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix new file mode 100644 index 00000000000..bb036ee020f --- /dev/null +++ b/nixos/modules/services/security/bitwarden_rs/default.nix @@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.bitwarden_rs; + user = config.users.users.bitwarden_rs.name; + group = config.users.groups.bitwarden_rs.name; + + # Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER). + nameToEnvVar = name: + let + parts = builtins.split "([A-Z0-9]+)" name; + partsToEnvVar = parts: foldl' (key: x: let last = stringLength key - 1; in + if isList x then key + optionalString (key != "" && substring last 1 key != "_") "_" + head x + else if key != "" && elem (substring 0 1 x) lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ] + substring 0 last key + optionalString (substring (last - 1) 1 key != "_") "_" + substring last 1 key + toUpper x + else key + toUpper x) "" parts; + in if builtins.match "[A-Z0-9_]+" name != null then name else partsToEnvVar parts; + + configFile = pkgs.writeText "bitwarden_rs.env" (concatMapStrings (s: s + "\n") ( + (concatLists (mapAttrsToList (name: value: + if value != null then [ "${nameToEnvVar name}=${if isBool value then boolToString value else toString value}" ] else [] + ) cfg.config)))); + +in { + options.services.bitwarden_rs = with types; { + enable = mkEnableOption "bitwarden_rs"; + + backupDir = mkOption { + type = nullOr str; + default = null; + description = '' + The directory under which bitwarden_rs will backup its persistent data. + ''; + }; + + config = mkOption { + type = attrsOf (nullOr (either (either bool int) str)); + default = {}; + example = literalExample '' + { + domain = https://bw.domain.tld:8443; + signupsAllowed = true; + rocketPort = 8222; + rocketLog = "critical"; + } + ''; + description = '' + The configuration of bitwarden_rs is done through environment variables, + therefore the names are converted from camel case (e.g. disable2FARemember) + to upper case snake case (e.g. DISABLE_2FA_REMEMBER). + In this conversion digits (0-9) are handled just like upper case characters, + so foo2 would be converted to FOO_2. + Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such, + even though foo2 would have been converted to FOO_2. + This allows working around any potential future conflicting naming conventions. + + Based on the attributes passed to this config option a environment file will be generated + that is passed to bitwarden_rs's systemd service. + + The available configuration options can be found in + <link xlink:href="https://github.com/dani-garcia/bitwarden_rs/blob/1.8.0/.env.template">the environment template file</link>. + ''; + apply = config: optionalAttrs config.webVaultEnabled { + webVaultFolder = "${pkgs.bitwarden_rs-vault}/share/bitwarden_rs/vault"; + } // config; + }; + }; + + config = mkIf cfg.enable { + services.bitwarden_rs.config = { + dataFolder = "/var/lib/bitwarden_rs"; + webVaultEnabled = mkDefault true; + }; + + users.users.bitwarden_rs = { inherit group; }; + users.groups.bitwarden_rs = { }; + + systemd.services.bitwarden_rs = { + after = [ "network.target" ]; + path = with pkgs; [ openssl ]; + serviceConfig = { + User = user; + Group = group; + EnvironmentFile = configFile; + ExecStart = "${pkgs.bitwarden_rs}/bin/bitwarden_rs"; + LimitNOFILE = "1048576"; + LimitNPROC = "64"; + PrivateTmp = "true"; + PrivateDevices = "true"; + ProtectHome = "true"; + ProtectSystem = "strict"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + StateDirectory = "bitwarden_rs"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services.backup-bitwarden_rs = mkIf (cfg.backupDir != null) { + description = "Backup bitwarden_rs"; + environment = { + DATA_FOLDER = "/var/lib/bitwarden_rs"; + BACKUP_FOLDER = cfg.backupDir; + }; + path = with pkgs; [ sqlite ]; + serviceConfig = { + SyslogIdentifier = "backup-bitwarden_rs"; + User = mkDefault user; + Group = mkDefault group; + ExecStart = "${pkgs.bash}/bin/bash ${./backup.sh}"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.timers.backup-bitwarden_rs = mkIf (cfg.backupDir != null) { + description = "Backup bitwarden_rs on time"; + timerConfig = { + OnCalendar = mkDefault "23:00"; + Persistent = "true"; + Unit = "backup-bitwarden_rs.service"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nixos/modules/services/x11/display-managers/startx.nix b/nixos/modules/services/x11/display-managers/startx.nix index 15609540a6e..57046984358 100644 --- a/nixos/modules/services/x11/display-managers/startx.nix +++ b/nixos/modules/services/x11/display-managers/startx.nix @@ -20,8 +20,8 @@ in Whether to enable the dummy "startx" pseudo-display manager, which allows users to start X manually via the "startx" command from a vt shell. The X server runs under the user's id, not as root. - The user must provide a ~/.xinintrc file containing session startup - commands, see startx(1). This is not autmatically generated + The user must provide a ~/.xinitrc file containing session startup + commands, see startx(1). This is not automatically generated from the desktopManager and windowManager settings. ''; }; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 8b27ff808e6..950eb01044f 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -23,6 +23,7 @@ in { acme = handleTestOn ["x86_64-linux"] ./acme.nix {}; atd = handleTest ./atd.nix {}; + automysqlbackup = handleTest ./automysqlbackup.nix {}; avahi = handleTest ./avahi.nix {}; bcachefs = handleTestOn ["x86_64-linux"] ./bcachefs.nix {}; # linux-4.18.2018.10.12 is unsupported on aarch64 beanstalkd = handleTest ./beanstalkd.nix {}; diff --git a/nixos/tests/automysqlbackup.nix b/nixos/tests/automysqlbackup.nix new file mode 100644 index 00000000000..ada104a34de --- /dev/null +++ b/nixos/tests/automysqlbackup.nix @@ -0,0 +1,34 @@ +import ./make-test.nix ({ pkgs, lib, ... }: + +{ + name = "automysqlbackup"; + meta.maintainers = [ lib.maintainers.aanderse ]; + + machine = + { pkgs, ... }: + { + services.mysql.enable = true; + services.mysql.package = pkgs.mysql; + services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ]; + + services.automysqlbackup.enable = true; + }; + + testScript = '' + startAll; + + # Need to have mysql started so that it can be populated with data. + $machine->waitForUnit("mysql.service"); + + # Wait for testdb to be fully populated (5 rows). + $machine->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"); + + # Do a backup and wait for it to start + $machine->startJob("automysqlbackup.service"); + $machine->waitForJob("automysqlbackup.service"); + + # wait for backup file and check that data appears in backup + $machine->waitForFile("/var/backup/mysql/daily/testdb"); + $machine->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/daily/testdb/daily_testdb_*.sql.gz | grep hello"); + ''; +}) |