author | Vladimír Čunát <v@cunat.cz> | 2019-09-24 08:14:34 +0200 |
---|---|---|
committer | Vladimír Čunát <v@cunat.cz> | 2019-09-24 08:14:34 +0200 |
commit | eab41878ac16a80b1189d5e4aeec5e037f6571db (patch) | |
tree | 8bd9dcfadee430fc3f853bfacdd6220bc4e35152 /nixos | |
parent | 11c2b06dd2cf9ea86920ff9bb3939a3f5eb41a27 (diff) | |
parent | afd04a49ed4d03923adf51352ce2bce1fa72455d (diff) | |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/profiles/qemu-guest.nix | 4 | ||||
-rw-r--r-- | nixos/modules/programs/less.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 26 | ||||
-rw-r--r-- | nixos/modules/services/backup/postgresql-wal-receiver.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/mail/mailcatcher.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/mail/rspamd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/graphite.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/prosody.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/matomo.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/restya-board.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/tt-rss.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 5 |
14 files changed, 50 insertions, 27 deletions
diff --git a/nixos/modules/profiles/qemu-guest.nix b/nixos/modules/profiles/qemu-guest.nix
index 315d04093b1..0ea70107f71 100644
--- a/nixos/modules/profiles/qemu-guest.nix
+++ b/nixos/modules/profiles/qemu-guest.nix
@@ -1,7 +1,7 @@
 # Common configuration for virtual machines running under QEMU (using
 # virtio).
-{ ... }:
+{ lib, ... }:
 {
 boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
@@ -15,5 +15,5 @@
 hwclock -s
 '';
- security.rngd.enable = false;
+ security.rngd.enable = lib.mkDefault false;
 }
diff --git a/nixos/modules/programs/less.nix b/nixos/modules/programs/less.nix
index e19935b77ca..75b3e707d57 100644
--- a/nixos/modules/programs/less.nix
+++ b/nixos/modules/programs/less.nix
@@ -54,8 +54,8 @@ in
 type = types.attrsOf types.str;
 default = {};
 example = {
- h = "noaction 5\e(";
- l = "noaction 5\e)";
+ h = "noaction 5\\e(";
+ l = "noaction 5\\e)";
 };
 description = "Defines new command keys.";
 };
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 3cf09611fba..11227354ad3 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -351,7 +351,7 @@ let
 ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
 "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
 ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
- "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so id=${toString yubi.id} ${optionalString yubi.debug "debug"}"}
+ "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}
 '' +
 # Modules in this block require having the password set in PAM_AUTHTOK.
 # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
@@ -696,6 +696,23 @@ in
 Debug output to stderr.
 '';
 };
+ mode = mkOption {
+ default = "client";
+ type = types.enum [ "client" "challenge-response" ];
+ description = ''
+ Mode of operation.
+
+ Use "client" for online validation with a YubiKey validation service such as
+ the YubiCloud.
+
+ Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1
+ Challenge-Response configurations. See the man-page ykpamcfg(1) for further
+ details on how to configure offline Challenge-Response validation.
+
+ More information can be found <link
+ xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
+ '';
+ };
 };
 security.pam.enableEcryptfs = mkOption {
@@ -742,13 +759,6 @@ in
 environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
- systemd.tmpfiles.rules = optionals
- (any (s: s.updateWtmp) (attrValues config.security.pam.services))
- [
- "f /var/log/wtmp"
- "f /var/log/lastlog"
- ];
-
 security.pam.services = {
 other.text = ''
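Review bot: Dropping the `systemd.tmpfiles.rules` entries for `/var/log/wtmp` and `/var/log/lastlog` (hunk @@ -742) leaves nothing in these hunks creating those files, so this presumably now relies on the `tmpfiles.d/var.conf` that the systemd.nix hunk of this merge installs. That changes two things worth a line in the commit message or a comment here: the files are created regardless of `updateWtmp`, and their owner, group and mode now come from systemd's own rule instead of the bare `f` entries, so confirm that the programs appending to wtmp and lastlog still have write access. In that same systemd.nix hunk, the `systemd-nspawn.conf` and `systemd-tmp.conf` entries point at `system-nspawn.conf` and `system-tmp.conf`; if those names do not exist under the systemd package's example/tmpfiles.d, the /etc/tmpfiles.d symlinks will dangle, so please double-check the spelling. On the new `mode` option (hunk @@ -696), the description should also say where offline state lives — as far as I recall pam_yubico defaults to a per-user file under the user's home directory — e.g. `In challenge-response mode the per-user state file is read from the user's home directory unless chalresp_path is passed to pam_yubico (this module does not set it), so the user can alter their own second-factor state.`, so administrators understand the trust boundary.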
diff --git a/nixos/modules/services/backup/postgresql-wal-receiver.nix b/nixos/modules/services/backup/postgresql-wal-receiver.nix
index d9a37037992..3d9869d5343 100644
--- a/nixos/modules/services/backup/postgresql-wal-receiver.nix
+++ b/nixos/modules/services/backup/postgresql-wal-receiver.nix
@@ -169,13 +169,14 @@ in {
 systemd.services = with attrsets; mapAttrs' (name: config: nameValuePair "postgresql-wal-receiver-${name}" {
 description = "PostgreSQL WAL receiver (${name})";
 wantedBy = [ "multi-user.target" ];
+ startLimitIntervalSec = 0; # retry forever, useful in case of network disruption
 serviceConfig = {
 User = "postgres";
 Group = "postgres";
 KillSignal = "SIGINT";
 Restart = "always";
- RestartSec = 30;
+ RestartSec = 60;
 };
 inherit (config) environment;
diff --git a/nixos/modules/services/mail/mailcatcher.nix b/nixos/modules/services/mail/mailcatcher.nix
index fa8d41e918d..f5b4508b335 100644
--- a/nixos/modules/services/mail/mailcatcher.nix
+++ b/nixos/modules/services/mail/mailcatcher.nix
@@ -3,7 +3,7 @@ let
 cfg = config.services.mailcatcher;
- inherit (lib) mkEnableOption mkIf mkOption types;
+ inherit (lib) mkEnableOption mkIf mkOption types optionalString;
 in
 {
 # interface
@@ -54,6 +54,7 @@ in
 DynamicUser = true;
 Restart = "always";
 ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}";
+ AmbientCapabilities = optionalString (cfg.http.port < 1024 || cfg.smtp.port < 1024) "cap_net_bind_service";
 };
 };
 };
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index 89aa9d17ff7..4db35d9e89a 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
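Review bot: The new `AmbientCapabilities` line in mailcatcher.nix (hunk @@ -54) grants `cap_net_bind_service` but leaves `CapabilityBoundingSet` untouched; the service already runs as an unprivileged dynamic user, so this is mostly about stating intent, but pairing the two is the conventional hardening: `CapabilityBoundingSet = optionalString (cfg.http.port < 1024 || cfg.smtp.port < 1024) "cap_net_bind_service";`. Separately, when both ports are 1024 or higher the expression yields `""`, which systemd reads as an explicit empty ambient set rather than an absent directive — harmless, but `AmbientCapabilities = mkIf (cfg.http.port < 1024 || cfg.smtp.port < 1024) "cap_net_bind_service";` (`mkIf` is already inherited in the first hunk) omits the line entirely and reads more clearly. If you take the `mkIf` form, the `optionalString` added to the `inherit (lib)` line in the first hunk becomes unused.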
@@ -68,7 +68,7 @@ let
 replaced with <literal>rspamd_proxy</literal>.
 '';
 apply = let
- from = "services.rspamd.workers.\”${name}\".type";
+ from = "services.rspamd.workers.\"${name}\".type";
 files = options.type.files;
 warning = "The option `${from}` defined in ${showFiles files} has enum value `proxy` which has been renamed to `rspamd_proxy`";
 in x: if x == "proxy" then traceWarning warning "rspamd_proxy" else x;
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 66da6864fca..1e1eb0fd9a1 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -673,6 +673,10 @@ in {
 openssh
 nodejs
 gnupg
+
+ # Needed for GitLab project imports
+ gnutar
+ gzip
 ];
 serviceConfig = {
 Type = "simple";
diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix
index 64cb6c3da1e..f7874af3df2 100644
--- a/nixos/modules/services/monitoring/graphite.nix
+++ b/nixos/modules/services/monitoring/graphite.nix
@@ -239,7 +239,7 @@ in {
 description = "Any metrics received which match one of the experssions will be dropped.";
 default = null;
 type = types.nullOr types.str;
- example = "^some\.noisy\.metric\.prefix\..*";
+ example = "^some\\.noisy\\.metric\\.prefix\\..*";
 };
 whitelist = mkOption {
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index db047e6d0b8..a137045834b 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -27,6 +27,7 @@ let
 [logging]
 level=${cfg.logLevel}
+ audit=${lib.boolToString config.security.audit.enable}
 [connection]
 ipv6.ip6-privacy=2
@@ -513,8 +514,9 @@ in {
 security.polkit.extraConfig = polkitConf;
- services.dbus.packages =
- optional cfg.enableStrongSwan pkgs.strongswanNM ++ cfg.packages;
+ services.dbus.packages = cfg.packages
+ ++ optional cfg.enableStrongSwan pkgs.strongswanNM
+ ++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq;
 services.udev.packages = cfg.packages;
 };
diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix
index 1ae063aa6bb..7a503e71166 100644
--- a/nixos/modules/services/networking/prosody.nix
+++ b/nixos/modules/services/networking/prosody.nix
@@ -465,7 +465,7 @@ in
 modules_enabled = {
- ${ lib.concatStringsSep "\n\ \ " (lib.mapAttrsToList
+ ${ lib.concatStringsSep "\n " (lib.mapAttrsToList
 (name: val: optionalString val "${toLua name};") cfg.modules) }
 ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.package.communityModules)}
diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix
index d9f840408cc..1e34aff8d17 100644
--- a/nixos/modules/services/web-apps/matomo.nix
+++ b/nixos/modules/services/web-apps/matomo.nix
@@ -105,8 +105,8 @@ in {
 default = null;
 example = {
 serverAliases = [
- "matomo.$\{config.networking.domain\}"
- "stats.$\{config.networking.domain\}"
+ "matomo.\${config.networking.domain}"
+ "stats.\${config.networking.domain}"
 ];
 enableACME = false;
 };
@@ -115,7 +115,7 @@ in {
 Either this option or the webServerUser option is mandatory.
 Set this to {} to just enable the virtualHost if you don't need any customization.
 If enabled, then by default, the <option>serverName</option> is
- <literal>${user}.$\{config.networking.hostName\}.$\{config.networking.domain\}</literal>,
+ <literal>''${user}.''${config.networking.hostName}.''${config.networking.domain}</literal>,
 SSL is active, and certificates are acquired via ACME.
 If this is set to null (the default), no nginx virtualHost will be configured.
 '';
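Review bot: The `++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq` addition to `services.dbus.packages` in networkmanager.nix (hunk @@ -513) ships dnsmasq's system-bus policy, and the reason is not obvious from the line itself; a comment such as `# dnsmasq's D-Bus policy must be installed so the dnsmasq instance NetworkManager spawns may claim its bus name` would save the next reader a bisect. That motivation is inferred from the `cfg.dns` condition, so adjust the wording if the actual reason differs.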
@@ -275,7 +275,7 @@ in {
 fastcgi_pass unix:${phpSocket};
 '';
 # Any other attempt to access any php files is forbidden
- locations."~* ^.+\.php$".extraConfig = ''
+ locations."~* ^.+\\.php$".extraConfig = ''
 return 403;
 '';
 # Disallow access to unneeded directories
@@ -284,7 +284,7 @@ in {
 return 403;
 '';
 # Disallow access to several helper files
- locations."~* \.(?:bat|git|ini|sh|txt|tpl|xml|md)$".extraConfig = ''
+ locations."~* \\.(?:bat|git|ini|sh|txt|tpl|xml|md)$".extraConfig = ''
 return 403;
 '';
 # No crawling of this site for bots that obey robots.txt - no useful information here.
diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix
index 1e7882488ac..2c2f36ac598 100644
--- a/nixos/modules/services/web-apps/restya-board.nix
+++ b/nixos/modules/services/web-apps/restya-board.nix
@@ -235,7 +235,7 @@ in
 locations."/".root = "${runDir}/client";
- locations."~ \.php$" = {
+ locations."~ \\.php$" = {
 tryFiles = "$uri =404";
 extraConfig = ''
 include ${pkgs.nginx}/conf/fastcgi_params;
@@ -246,7 +246,7 @@ in
 '';
 };
- locations."~* \.(css|js|less|html|ttf|woff|jpg|jpeg|gif|png|bmp|ico)" = {
+ locations."~* \\.(css|js|less|html|ttf|woff|jpg|jpeg|gif|png|bmp|ico)" = {
 root = "${runDir}/client";
 extraConfig = ''
 if (-f $request_filename) {
diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix
index abe4748591e..b92e3449894 100644
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -548,7 +548,7 @@ let
 index = "index.php";
 };
- locations."~ \.php$" = {
+ locations."~ \\.php$" = {
 extraConfig = ''
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.socket};
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 2287a82418f..5cf437bfbcb 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -858,7 +858,12 @@ in
 "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
 "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+ "tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf";
+ "tmpfiles.d/static-nodes-permissions.conf".source = "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf";
 "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
+ "tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/system-nspawn.conf";
+ "tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/system-tmp.conf";
+ "tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf";
 "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
 "tmpfiles.d/nixos.conf".text = '' |