authorVladimír Čunát <v@cunat.cz>2022-12-10 16:19:36 +0100
committerVladimír Čunát <v@cunat.cz>2022-12-10 16:19:36 +0100
commitde033ae75a79861108d4203ffdf2df4ed09c618b (patch)
tree9a61f37a5794f98a4ef7773ff77e87ec0d259681 /nixos
parent7561ba5987b928c47ac2ffee8468e62940881b4f (diff)
parent60aa3fa6d7bc6ebbd1ad704ef8b3dbd28a115ae3 (diff)
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/config/zram.nix8
-rw-r--r--nixos/modules/programs/firejail.nix24
-rw-r--r--nixos/modules/services/web-apps/mastodon.nix5
3 files changed, 24 insertions, 13 deletions
diff --git a/nixos/modules/config/zram.nix b/nixos/modules/config/zram.nix
index cc2ca631443..87ac53a60b7 100644
--- a/nixos/modules/config/zram.nix
+++ b/nixos/modules/config/zram.nix
@@ -132,6 +132,8 @@ in
       options zram num_devices=${toString cfg.numDevices}
     '';
 
+    boot.kernelParams = ["zram.num_devices=${toString cfg.numDevices}"];
+
     services.udev.extraRules = ''
       KERNEL=="zram[0-9]*", ENV{SYSTEMD_WANTS}="zram-init-%k.service", TAG+="systemd"
     '';
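Review bot: The new `boot.kernelParams` entry sets `zram.num_devices` a second time next to the existing `options zram num_devices=…` modprobe.d line directly above it, and the hunk gives no hint which path is expected to take effect when. Presumably the kernel parameter is meant for kernels where zram is built in (where modprobe.d options are never consulted), but a reader cannot tell that from the code. A one-line comment above the new line would prevent the next maintainer from "deduplicating" it: `# zram may be built into the kernel; then modprobe.d is not consulted and only the kernel parameter applies`. The attribute set this line belongs to starts and ends outside the hunk.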
@@ -178,9 +180,9 @@ in
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
-            ExecStartPre = "${modprobe} -r zram";
-            ExecStart = "${modprobe} zram";
-            ExecStop = "${modprobe} -r zram";
+            ExecStartPre = "-${modprobe} -r zram";
+            ExecStart = "-${modprobe} zram";
+            ExecStop = "-${modprobe} -r zram";
           };
           restartTriggers = [
             cfg.numDevices
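Review bot: Prefixing `ExecStart` with `-` makes a failing `modprobe zram` non-fatal, so this oneshot unit reaches active even when the module never loaded, and anything ordered after it (the per-device `zram-init-%k.service` units pulled in by the udev rule) then runs against devices that do not exist instead of seeing a clear unit failure. If the intent is only to tolerate `modprobe -r` failing, e.g. because zram is built in and cannot be unloaded, the `-` belongs on `ExecStartPre` and `ExecStop` only: `ExecStart = "${modprobe} zram";`. The merge does not state the rationale, so this is inferred; a short comment on the three lines saying why failures are ignored would settle it either way. The enclosing service definition starts and ends outside the hunk.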
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index a98c15a0451..6f79c13d94b 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -8,18 +8,21 @@ let
   wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
     { preferLocalBuild = true;
       allowSubstitutes = false;
+      # take precedence over non-firejailed versions
+      meta.priority = -1;
     }
     ''
       mkdir -p $out/bin
+      mkdir -p $out/share/applications
       ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
       let
         opts = if builtins.isAttrs value
         then value
-        else { executable = value; profile = null; extraArgs = []; };
+        else { executable = value; desktop = null; profile = null; extraArgs = []; };
         args = lib.escapeShellArgs (
           opts.extraArgs
           ++ (optional (opts.profile != null) "--profile=${toString opts.profile}")
-          );
+        );
       in
       ''
         cat <<_EOF >$out/bin/${command}
@@ -27,6 +30,11 @@ let
         exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
         _EOF
         chmod 0755 $out/bin/${command}
+
+        ${lib.optionalString (opts.desktop != null) ''
+          substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \
+            --replace ${opts.executable} $out/bin/${command}
+        ''}
       '') cfg.wrappedBinaries)}
     '';
 
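Review bot: The `substitute … --replace ${opts.executable} $out/bin/${command}` in the new block silently does nothing when the .desktop file does not contain that exact string, so the generated entry still launches the unwrapped executable while the module's output suggests it is sandboxed. Because the copy lands in `$out/share/applications` of a package with `meta.priority = -1`, it also shadows the package's own .desktop file, so the silent no-op is not even visible as a collision. The build should verify the replacement happened, e.g. after the `substitute` line: `grep -q "$out/bin/${command}" $out/share/applications/$(basename ${opts.desktop}) \` / `  || { echo "desktop file ${opts.desktop} does not reference ${opts.executable}" >&2; exit 1; }`. Note also that if `desktop` is given as a literal path rather than a store-path string, interpolating it copies it into the store and `basename` yields a hash-prefixed filename, which would not shadow the original entry; worth a comment or a check. The `mapAttrsToList` lambda this block belongs to starts outside the hunk.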
@@ -42,6 +50,12 @@ in {
             description = lib.mdDoc "Executable to run sandboxed";
             example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';
           };
+          desktop = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
+            example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';
+          };
           profile = mkOption {
             type = types.nullOr types.path;
             default = null;
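Review bot: The new `desktop` option uses `lib.mkDoc` for its description, whereas the sibling `executable` option just above and the `wrappedBinaries` description below use `lib.mdDoc`; `mkDoc` is not the documentation helper used anywhere else in this file, so evaluating a configuration that touches this option set will fail with a missing-attribute error (or at best render the description unprocessed). The line should read `description = lib.mdDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";`. While here, the description could say what is done with the file: it is copied into the wrapper package with the executable path replaced by the firejail wrapper, so the user knows the original entry is shadowed. The enclosing `mkOption` submodule starts and ends outside the hunk.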
@@ -71,12 +85,6 @@ in {
       '';
       description = lib.mdDoc ''
         Wrap the binaries in firejail and place them in the global path.
-
-        You will get file collisions if you put the actual application binary in
-        the global environment (such as by adding the application package to
-        `environment.systemPackages`), and applications started via
-        .desktop files are not wrapped if they specify the absolute path to the
-        binary.
       '';
     };
   };
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 35b96734be7..a6cd7432db2 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -658,8 +658,9 @@ in {
       recommendedProxySettings = true; # required for redirections to work
       virtualHosts."${cfg.localDomain}" = {
         root = "${cfg.package}/public/";
-        forceSSL = true; # mastodon only supports https
-        enableACME = true;
+        # mastodon only supports https, but you can override this if you offload tls elsewhere.
+        forceSSL = lib.mkDefault true;
+        enableACME = lib.mkDefault true;
 
         locations."/system/".alias = "/var/lib/mastodon/public-system/";