author | Vladimír Čunát <v@cunat.cz> | 2022-12-10 16:19:36 +0100 |
---|---|---|
committer | Vladimír Čunát <v@cunat.cz> | 2022-12-10 16:19:36 +0100 |
commit | de033ae75a79861108d4203ffdf2df4ed09c618b (patch) | |
tree | 9a61f37a5794f98a4ef7773ff77e87ec0d259681 /nixos | |
parent | 7561ba5987b928c47ac2ffee8468e62940881b4f (diff) | |
parent | 60aa3fa6d7bc6ebbd1ad704ef8b3dbd28a115ae3 (diff) | |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/zram.nix | 8 | ||||
-rw-r--r-- | nixos/modules/programs/firejail.nix | 24 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/mastodon.nix | 5 |
3 files changed, 24 insertions, 13 deletions
diff --git a/nixos/modules/config/zram.nix b/nixos/modules/config/zram.nix
index cc2ca631443..87ac53a60b7 100644
--- a/nixos/modules/config/zram.nix
+++ b/nixos/modules/config/zram.nix
@@ -132,6 +132,8 @@ in
 options zram num_devices=${toString cfg.numDevices}
 '';
+boot.kernelParams = ["zram.num_devices=${toString cfg.numDevices}"];
+
 services.udev.extraRules = ''
 KERNEL=="zram[0-9]*", ENV{SYSTEMD_WANTS}="zram-init-%k.service", TAG+="systemd"
 '';
@@ -178,9 +180,9 @@ in
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
-ExecStartPre = "${modprobe} -r zram";
-ExecStart = "${modprobe} zram";
-ExecStop = "${modprobe} -r zram";
+ExecStartPre = "-${modprobe} -r zram";
+ExecStart = "-${modprobe} zram";
+ExecStop = "-${modprobe} -r zram";
 };
 restartTriggers = [
 cfg.numDevices
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index a98c15a0451..6f79c13d94b 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -8,18 +8,21 @@ let
 wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
 { preferLocalBuild = true;
 allowSubstitutes = false;
+# take precedence over non-firejailed versions
+meta.priority = -1;
 }
 ''
 mkdir -p $out/bin
+mkdir -p $out/share/applications
 ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
 let
 opts = if builtins.isAttrs value
 then value
-else { executable = value; profile = null; extraArgs = []; };
+else { executable = value; desktop = null; profile = null; extraArgs = []; };
 args = lib.escapeShellArgs (
 opts.extraArgs
 ++ (optional (opts.profile != null) "--profile=${toString opts.profile}")
-);
+);
 in
 ''
 cat <<_EOF >$out/bin/${command}
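Review bot: The `-` prefix on `ExecStart = "-${modprobe} zram";` tells systemd to ignore a failed module load, and since the unit is `Type = "oneshot"` with `RemainAfterExit = true` it will then report active even though no zram module, and hence no zram device, exists; the failure only surfaces later in whatever depends on the devices instead of at the point where it happened. Tolerating a failed `modprobe -r` in ExecStartPre and ExecStop is understandable when zram is built into the kernel (which the `boot.kernelParams` entry in the previous hunk seems to anticipate), but as far as I know loading a built-in module succeeds, so the same reasoning does not carry over to ExecStart. I would keep `ExecStart = "${modprobe} zram";`, or if a load failure is deliberately acceptable, say why next to it, e.g. `# "-": a load failure must not fail the unit because ...`. The enclosing systemd.services definition starts and ends outside the hunk.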
@@ -27,6 +30,11 @@ let
 exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
 _EOF
 chmod 0755 $out/bin/${command}
+
+${lib.optionalString (opts.desktop != null) ''
+substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \
+--replace ${opts.executable} $out/bin/${command}
+''}
 '') cfg.wrappedBinaries)}
 '';
@@ -42,6 +50,12 @@ in {
 description = lib.mdDoc "Executable to run sandboxed";
 example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';
 };
+desktop = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
+example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';
+};
 profile = mkOption {
 type = types.nullOr types.path;
 default = null;
@@ -71,12 +85,6 @@ in {
 '';
 description = lib.mdDoc ''
 Wrap the binaries in firejail and place them in the global path.
-
-You will get file collisions if you put the actual application binary in
-the global environment (such as by adding the application package to
-`environment.systemPackages`), and applications started via
-.desktop files are not wrapped if they specify the absolute path to the
-binary.
 '';
 };
 };
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 35b96734be7..a6cd7432db2 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -658,8 +658,9 @@ in {
 recommendedProxySettings = true; # required for redirections to work
 virtualHosts."${cfg.localDomain}" = {
 root = "${cfg.package}/public/";
-forceSSL = true; # mastodon only supports https
-enableACME = true;
+# mastodon only supports https, but you can override this if you offload tls elsewhere.
+forceSSL = lib.mkDefault true;
+enableACME = lib.mkDefault true;
 locations."/system/".alias = "/var/lib/mastodon/public-system/";
|
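Review bot: The added `substitute ${opts.desktop} ... --replace ${opts.executable} $out/bin/${command}` copies the .desktop file unchanged, and without any error, when the file does not contain that exact executable path, so a `desktop` value that does not match the Exec= line produces a launcher that starts the application outside the sandbox while the wrapped-binaries package suggests it is jailed. Because the option is documented as only needed when the .desktop file uses the absolute path, a no-op substitution is a configuration mistake worth failing the build on; after the `--replace` line I would add `grep -q "$out/bin/${command}" $out/share/applications/$(basename ${opts.desktop}) || { echo "desktop file ${opts.desktop} does not reference ${opts.executable}"; exit 1; }`. The `(command: value: ...)` function this code lives in starts in the previous hunk.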
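Review bot: `description = lib.mkDoc ".desktop file to modify. ..."` on the new `desktop` option is inconsistent with the sibling options in the same hunk, which use `lib.mdDoc`, and as far as I can tell `lib.mkDoc` is not a function nixpkgs' lib provides, so anything that evaluates this option's description (rendering option docs, building the manual) would fail on a missing attribute rather than on the option's value. The fix is a one-token change: `description = lib.mdDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";`. The surrounding `wrappedBinaries` submodule declaration starts outside the hunk.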
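Review bot: The new comment above `forceSSL = lib.mkDefault true;` says TLS may be offloaded elsewhere but not what the offloading setup has to provide, and with `recommendedProxySettings = true` visible two lines up nginx presumably forwards the scheme it saw itself, so a plain-HTTP hop from an external TLS terminator would likely reach Mastodon labelled as http (wrong generated URLs or a redirect loop if the application insists on https). Since the override is now the documented way to run this, I would extend the comment, e.g. `# mastodon only supports https, but you can override this if you offload tls elsewhere; the terminator must then make sure Mastodon still sees X-Forwarded-Proto=https and the plain-http vhost is not reachable directly.` The enclosing `services.nginx` attribute set starts and ends outside the hunk.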