Diffstat (limited to 'nixos/modules/services/network-filesystems')
13 files changed, 342 insertions, 255 deletions
diff --git a/nixos/modules/services/network-filesystems/cachefilesd.nix b/nixos/modules/services/network-filesystems/cachefilesd.nix index 61981340840..229c9665419 100644 --- a/nixos/modules/services/network-filesystems/cachefilesd.nix +++ b/nixos/modules/services/network-filesystems/cachefilesd.nix @@ -43,17 +43,21 @@ in config = mkIf cfg.enable { + boot.kernelModules = [ "cachefiles" ]; + systemd.services.cachefilesd = { description = "Local network file caching management daemon"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.kmod pkgs.cachefilesd ]; - script = '' - modprobe -qab cachefiles - mkdir -p ${cfg.cacheDir} - chmod 700 ${cfg.cacheDir} - exec cachefilesd -n -f ${cfgFile} - ''; + serviceConfig = { + Type = "exec"; + ExecStart = "${pkgs.cachefilesd}/bin/cachefilesd -n -f ${cfgFile}"; + Restart = "on-failure"; + PrivateTmp = true; + }; }; + systemd.tmpfiles.rules = [ + "d ${cfg.cacheDir} 0700 root root - -" + ]; }; } diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix index d17959a6a30..d833062c473 100644 --- a/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixos/modules/services/network-filesystems/ceph.nix @@ -28,6 +28,9 @@ let # Don't start services that are not yet initialized unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring"; + startLimitBurst = + if daemonType == "osd" then 30 else if lib.elem daemonType ["mgr" "mds"] then 3 else 5; + startLimitIntervalSec = 60 * 30; # 30 mins serviceConfig = { LimitNOFILE = 1048576; 
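Review bot: The new tmpfiles rule interpolates `cfg.cacheDir` unquoted, so a cache directory path containing whitespace is split into separate fields, while the ipfs module in this same change quotes its paths (`"d '${cfg.ipnsMountDir}' - …"`); use `"d '${cfg.cacheDir}' 0700 root root - -"`. The old start script re-applied `chmod 700` on every start; a tmpfiles `d` line also adjusts mode and ownership of an existing directory, so that behaviour is preserved, but a short comment above the rule saying so would spare the next reader a check, e.g. `# 'd' re-applies 0700/root to an existing cacheDir, replacing the chmod in the old start script`. The old `modprobe` also ran at every service start, whereas `boot.kernelModules` is applied at boot/activation; whether the daemon tolerates the module being absent on a first switch is worth confirming.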
@@ -39,22 +42,17 @@ let ProtectHome = "true"; ProtectSystem = "full"; Restart = "on-failure"; - StartLimitBurst = "5"; - StartLimitInterval = "30min"; StateDirectory = stateDirectory; User = "ceph"; Group = if daemonType == "osd" then "disk" else "ceph"; ExecStart = ''${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} \ -f --cluster ${clusterName} --id ${daemonId}''; } // optionalAttrs (daemonType == "osd") { - ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}''; - StartLimitBurst = "30"; + ExecStartPre = "${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}"; RestartSec = "20s"; PrivateDevices = "no"; # osd needs disk access } // optionalAttrs ( daemonType == "mon") { RestartSec = "10"; - } // optionalAttrs (lib.elem daemonType ["mgr" "mds"]) { - StartLimitBurst = "3"; }; }); @@ -318,7 +316,7 @@ in client = { enable = mkEnableOption "Ceph client configuration"; extraConfig = mkOption { - type = with types; attrsOf str; + type = with types; attrsOf (attrsOf str); default = {}; example = '' { @@ -355,7 +353,7 @@ in ]; warnings = optional (cfg.global.monInitialMembers == null) - ''Not setting up a list of members in monInitialMembers requires that you set the host variable for each mon daemon or else the cluster won't function''; + "Not setting up a list of members in monInitialMembers requires that you set the host variable for each mon daemon or else the cluster won't function"; environment.etc."ceph/ceph.conf".text = let # Merge the extraConfig set for mgr daemons, as mgr don't have their own section diff --git a/nixos/modules/services/network-filesystems/davfs2.nix b/nixos/modules/services/network-filesystems/davfs2.nix index 4b6f85e4a2c..8cf314fe63a 100644 --- a/nixos/modules/services/network-filesystems/davfs2.nix +++ b/nixos/modules/services/network-filesystems/davfs2.nix 
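Review bot: The `client.extraConfig` type change from `attrsOf str` to `attrsOf (attrsOf str)` (hunk `@@ -318,7 +316,7 @@`) breaks existing flat definitions, which will now fail with a generic type error that does not explain the new shape; the option's `description`, which sits outside this hunk, should state that the outer keys are ceph.conf section names, and a release-note entry would help users migrate. The `example` beneath it is cut off in this hunk, so I cannot tell whether it already shows the nested form.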
@@ -70,6 +70,24 @@ in }; }; + security.wrappers."mount.davfs" = { + program = "mount.davfs"; + source = "${pkgs.davfs2}/bin/mount.davfs"; + owner = "root"; + group = cfg.davGroup; + setuid = true; + permissions = "u+rx,g+x"; + }; + + security.wrappers."umount.davfs" = { + program = "umount.davfs"; + source = "${pkgs.davfs2}/bin/umount.davfs"; + owner = "root"; + group = cfg.davGroup; + setuid = true; + permissions = "u+rx,g+x"; + }; + }; } diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index f298f831fa7..2748571be1f 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -44,6 +44,13 @@ in { enable = mkEnableOption "Interplanetary File System (WARNING: may cause severe network degredation)"; + package = mkOption { + type = types.package; + default = pkgs.ipfs; + defaultText = "pkgs.ipfs"; + description = "Which IPFS package to use."; + }; + user = mkOption { type = types.str; default = "ipfs"; @@ -176,7 +183,7 @@ in { ###### implementation config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.ipfs ]; + environment.systemPackages = [ cfg.package ]; environment.variables.IPFS_PATH = cfg.dataDir; programs.fuse = mkIf cfg.autoMount { @@ -207,16 +214,13 @@ in { "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -" ]; - systemd.packages = [ pkgs.ipfs ]; - - systemd.services.ipfs-init = { - description = "IPFS Initializer"; + systemd.packages = [ cfg.package ]; + systemd.services.ipfs = { + path = [ "/run/wrappers" cfg.package ]; environment.IPFS_PATH = cfg.dataDir; - path = [ pkgs.ipfs ]; - - script = '' + preStart = '' if [[ ! -f ${cfg.dataDir}/config ]]; then ipfs init ${optionalString cfg.emptyRepo "-e"} \ ${optionalString (! cfg.localDiscovery) "--profile=server"} 
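Review bot: The two setuid-root wrappers make membership of `cfg.davGroup` the privilege boundary for mounting WebDAV shares (owner root, `setuid = true`, and `permissions = "u+rx,g+x"` gives others no bits), but nothing in the hunk says so; add a comment above the first wrapper such as `# setuid root so that members of davGroup can mount/unmount WebDAV shares; others get no bits, so davGroup membership is the only gate`. The same comment covers the `umount.davfs` wrapper below it. The `davGroup` option definition is outside this hunk; its description should mention the same consequence.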
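Review bot: The guard `if [[ ! -f ${cfg.dataDir}/config ]]` in the new `preStart` interpolates the path unquoted into the script, unlike the tmpfiles rule just above it which writes `'${cfg.ipnsMountDir}'`; `if [[ ! -f '${cfg.dataDir}/config' ]]; then` keeps the two consistent. Folding the initialisation into `preStart` means `ipfs init` now runs as the ipfs unit's `User`/`Group` (set in the next hunk), as the removed ipfs-init oneshot did, so ownership of `cfg.dataDir` should be unchanged; a comment on the `preStart` line, `# replaces the former ipfs-init.service; runs as cfg.user before the daemon starts`, would save the next reader a diff archaeology trip. The `preStart` string continues in the following hunk.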
@@ -226,29 +230,10 @@ in { else "ipfs config profile apply server" } fi - ''; - - wantedBy = [ "default.target" ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - User = cfg.user; - Group = cfg.group; - }; - }; - - systemd.services.ipfs = { - path = [ "/run/wrappers" pkgs.ipfs ]; - environment.IPFS_PATH = cfg.dataDir; - - wants = [ "ipfs-init.service" ]; - after = [ "ipfs-init.service" ]; - - preStart = optionalString cfg.autoMount '' - ipfs --local config Mounts.FuseAllowOther --json true - ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir} - ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir} + '' + optionalString cfg.autoMount '' + ipfs --offline config Mounts.FuseAllowOther --json true + ipfs --offline config Mounts.IPFS ${cfg.ipfsMountDir} + ipfs --offline config Mounts.IPNS ${cfg.ipnsMountDir} '' + concatStringsSep "\n" (collect isString (mapAttrsRecursive @@ -258,7 +243,7 @@ in { read value <<EOF ${builtins.toJSON value} EOF - ipfs --local config --json "${concatStringsSep "." path}" "$value" + ipfs --offline config --json "${concatStringsSep "." path}" "$value" '') ({ Addresses.API = cfg.apiAddress; Addresses.Gateway = cfg.gatewayAddress; @@ -267,7 +252,7 @@ in { cfg.extraConfig)) ); serviceConfig = { - ExecStart = ["" "${pkgs.ipfs}/bin/ipfs daemon ${ipfsFlags}"]; + ExecStart = ["" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}"]; User = cfg.user; Group = cfg.group; } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; }; @@ -289,7 +274,7 @@ in { systemd.sockets.ipfs-api = { wantedBy = [ "sockets.target" ]; - # We also include "%t/ipfs.sock" because tere is no way to put the "%t" + # We also include "%t/ipfs.sock" because there is no way to put the "%t" # in the multiaddr. socketConfig.ListenStream = let fromCfg = multiaddrToListenStream cfg.apiAddress; 
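Review bot: The value handed to the new `ipfs --offline config --json` line (hunk `@@ -258,7 +243,7 @@`) is read with a plain `read value <<EOF` from `builtins.toJSON value`, and `read` without `-r` strips backslashes, so JSON containing escaped quotes or backslashes reaches ipfs mangled; use `read -r value <<EOF`. The switch from `--local` to `--offline` is applied consistently across the three hunks on this line, but since the daemon is not running during `preStart`, a one-line comment `# --offline: edit the repo directly, the daemon is not up yet` would explain why the flag is needed.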
diff --git a/nixos/modules/services/network-filesystems/netatalk.nix b/nixos/modules/services/network-filesystems/netatalk.nix index 7674c8f7fa8..06a36eb30c2 100644 --- a/nixos/modules/services/network-filesystems/netatalk.nix +++ b/nixos/modules/services/network-filesystems/netatalk.nix 
@@ -3,126 +3,74 @@ with lib; let - cfg = config.services.netatalk; - - extmapFile = pkgs.writeText "extmap.conf" cfg.extmap; - - afpToString = x: if builtins.typeOf x == "bool" - then boolToString x - else toString x; - - volumeConfig = name: - let vol = getAttr name cfg.volumes; in - "[${name}]\n " + (toString ( - map - (key: "${key} = ${afpToString (getAttr key vol)}\n") - (attrNames vol) - )); - - afpConf = ''[Global] - extmap file = ${extmapFile} - afp port = ${toString cfg.port} - - ${cfg.extraConfig} - - ${if cfg.homes.enable then ''[Homes] - ${optionalString (cfg.homes.path != "") "path = ${cfg.homes.path}"} - basedir regex = ${cfg.homes.basedirRegex} - ${cfg.homes.extraConfig} - '' else ""} - - ${toString (map volumeConfig (attrNames cfg.volumes))} - ''; - - afpConfFile = pkgs.writeText "afp.conf" afpConf; - -in - -{ + settingsFormat = pkgs.formats.ini { }; + afpConfFile = settingsFormat.generate "afp.conf" cfg.settings; +in { options = { services.netatalk = { enable = mkEnableOption "the Netatalk AFP fileserver"; port = mkOption { + type = types.port; default = 548; description = "TCP port to be used for AFP."; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - example = "uam list = uams_guest.so"; - description = '' - Lines of configuration to add to the <literal>[Global]</literal> section. - See <literal>man apf.conf</literal> for more information. 
- ''; - }; - - homes = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable sharing of the UNIX server user home directories."; - }; - - path = mkOption { - default = ""; - example = "afp-data"; - description = "Share not the whole user home but this subdirectory path."; - }; - - basedirRegex = mkOption { - example = "/home"; - description = "Regex which matches the parent directory of the user homes."; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Lines of configuration to add to the <literal>[Homes]</literal> section. - See <literal>man apf.conf</literal> for more information. - ''; - }; - }; - - volumes = mkOption { + settings = mkOption { + inherit (settingsFormat) type; default = { }; - type = types.attrsOf (types.attrsOf types.unspecified); - description = - '' - Set of AFP volumes to export. - See <literal>man apf.conf</literal> for more information. - ''; - example = literalExample '' - { srv = - { path = "/srv"; - "read only" = true; - "hosts allow" = "10.1.0.0/16 10.2.1.100 2001:0db8:1234::/48"; - }; - } + example = { + Global = { "uam list" = "uams_guest.so"; }; + Homes = { + path = "afp-data"; + "basedir regex" = "/home"; + }; + example-volume = { + path = "/srv/volume"; + "read only" = true; + }; + }; + description = '' + Configuration for Netatalk. See + <citerefentry><refentrytitle>afp.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. ''; }; extmap = mkOption { type = types.lines; - default = ""; - description = '' - File name extension mappings. - See <literal>man extmap.conf</literal> for more information. + default = ""; + description = '' + File name extension mappings. + See <citerefentry><refentrytitle>extmap.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. for more information. 
''; }; }; }; + imports = (map (option: + mkRemovedOptionModule [ "services" "netatalk" option ] + "This option was removed in favor of `services.netatalk.settings`.") [ + "extraConfig" + "homes" + "volumes" + ]); + config = mkIf cfg.enable { + services.netatalk.settings.Global = { + "afp port" = toString cfg.port; + "extmap file" = "${pkgs.writeText "extmap.conf" cfg.extmap}"; + }; + systemd.services.netatalk = { description = "Netatalk AFP fileserver for Macintosh clients"; - unitConfig.Documentation = "man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8)"; + unitConfig.Documentation = + "man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8)"; after = [ "network.target" "avahi-daemon.service" ]; wantedBy = [ "multi-user.target" ]; @@ -132,12 +80,12 @@ in Type = "forking"; GuessMainPID = "no"; PIDFile = "/run/lock/netatalk"; - ExecStartPre = "${pkgs.coreutils}/bin/mkdir -m 0755 -p /var/lib/netatalk/CNID"; - ExecStart = "${pkgs.netatalk}/sbin/netatalk -F ${afpConfFile}"; + ExecStart = "${pkgs.netatalk}/sbin/netatalk -F ${afpConfFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; Restart = "always"; RestartSec = 1; + StateDirectory = [ "netatalk/CNID" ]; }; }; diff --git a/nixos/modules/services/network-filesystems/openafs/client.nix b/nixos/modules/services/network-filesystems/openafs/client.nix index 677111814a0..03884cb7297 100644 --- a/nixos/modules/services/network-filesystems/openafs/client.nix +++ b/nixos/modules/services/network-filesystems/openafs/client.nix @@ -244,7 +244,7 @@ in # postStop, then we get a hang + kernel oops, because AFS can't be # stopped simply by sending signals to processes. preStop = '' - ${pkgs.utillinux}/bin/umount ${cfg.mountPoint} + ${pkgs.util-linux}/bin/umount ${cfg.mountPoint} ${openafsBin}/sbin/afsd -shutdown ${pkgs.kmod}/sbin/rmmod libafs ''; 
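Review bot: The `extmap` description in the new code reads `</manvolnum></citerefentry>. for more information.`, leaving a stray period mid-sentence; it should be `<manvolnum>5</manvolnum></citerefentry> for more information.`. A user who sets `services.netatalk.settings.Global."afp port"` themselves will most likely hit a conflicting-definition error against the module's own `"afp port" = toString cfg.port;` rather than a hint that `port` is the option to use; a comment above `services.netatalk.settings.Global = {`, e.g. `# afp port is driven by services.netatalk.port; set that option, not settings.Global."afp port"`, would make the intent clear.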
diff --git a/nixos/modules/services/network-filesystems/openafs/server.nix b/nixos/modules/services/network-filesystems/openafs/server.nix index 095024d2c8a..4fce650b013 100644 --- a/nixos/modules/services/network-filesystems/openafs/server.nix +++ b/nixos/modules/services/network-filesystems/openafs/server.nix @@ -61,6 +61,7 @@ in { }; advertisedAddresses = mkOption { + type = types.listOf types.str; default = []; description = "List of IP addresses this server is advertised under. See NetInfo(5)"; }; @@ -251,7 +252,6 @@ in { wantedBy = [ "multi-user.target" ]; restartIfChanged = false; unitConfig.ConditionPathExists = [ - "|/etc/openafs/server/rxkad.keytab" "|/etc/openafs/server/KeyFileExt" ]; preStart = '' diff --git a/nixos/modules/services/network-filesystems/orangefs/server.nix b/nixos/modules/services/network-filesystems/orangefs/server.nix index 74ebdc13402..8eb754fe611 100644 --- a/nixos/modules/services/network-filesystems/orangefs/server.nix +++ b/nixos/modules/services/network-filesystems/orangefs/server.nix @@ -83,14 +83,14 @@ in { }; dataStorageSpace = mkOption { - type = types.str; + type = types.nullOr types.str; default = null; example = "/data/storage"; description = "Directory for data storage."; }; metadataStorageSpace = mkOption { - type = types.str; + type = types.nullOr types.str; default = null; example = "/data/meta"; description = "Directory for meta data storage."; diff --git a/nixos/modules/services/network-filesystems/rsyncd.nix b/nixos/modules/services/network-filesystems/rsyncd.nix index fa29e18a939..edac86eb0e3 100644 --- a/nixos/modules/services/network-filesystems/rsyncd.nix +++ b/nixos/modules/services/network-filesystems/rsyncd.nix 
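Review bot: Dropping `"|/etc/openafs/server/rxkad.keytab"` from `ConditionPathExists` means a server that still has only the legacy keytab is now skipped silently, since a failed condition is not a unit failure and leaves nothing in the journal explaining why; add a comment on the remaining `KeyFileExt` line, e.g. `# only the extended key file counts; a legacy rxkad.keytab alone no longer starts the server`, and consider a `warnings` entry for deployments that have not migrated. The condition list and `preStart` continue beyond this hunk.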
@@ -3,120 +3,126 @@ with lib; let - cfg = config.services.rsyncd; - - motdFile = builtins.toFile "rsyncd-motd" cfg.motd; - - foreach = attrs: f: - concatStringsSep "\n" (mapAttrsToList f attrs); - - cfgFile = '' - ${optionalString (cfg.motd != "") "motd file = ${motdFile}"} - ${optionalString (cfg.address != "") "address = ${cfg.address}"} - ${optionalString (cfg.port != 873) "port = ${toString cfg.port}"} - ${cfg.extraConfig} - ${foreach cfg.modules (name: module: '' - [${name}] - ${foreach module (k: v: - "${k} = ${v}" - )} - '')} - ''; -in - -{ + settingsFormat = pkgs.formats.ini { }; + configFile = settingsFormat.generate "rsyncd.conf" cfg.settings; +in { options = { services.rsyncd = { enable = mkEnableOption "the rsync daemon"; - motd = mkOption { - type = types.str; - default = ""; - description = '' - Message of the day to display to clients on each connect. - This usually contains site information and any legal notices. - ''; - }; - port = mkOption { default = 873; - type = types.int; + type = types.port; description = "TCP port the daemon will listen on."; }; - address = mkOption { - default = ""; - example = "192.168.1.2"; + settings = mkOption { + inherit (settingsFormat) type; + default = { }; + example = { + global = { + uid = "nobody"; + gid = "nobody"; + "use chroot" = true; + "max connections" = 4; + }; + ftp = { + path = "/var/ftp/./pub"; + comment = "whole ftp area"; + }; + cvs = { + path = "/data/cvs"; + comment = "CVS repository (requires authentication)"; + "auth users" = [ "tridge" "susan" ]; + "secrets file" = "/etc/rsyncd.secrets"; + }; + }; description = '' - IP address the daemon will listen on; rsyncd will listen on - all addresses if this is not specified. + Configuration for rsyncd. See + <citerefentry><refentrytitle>rsyncd.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. ''; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Lines of configuration to add to rsyncd globally. 
- See <command>man rsyncd.conf</command> for options. - ''; + socketActivated = mkOption { + default = false; + type = types.bool; + description = + "If enabled Rsync will be socket-activated rather than run persistently."; }; - modules = mkOption { - default = {}; - description = '' - A set describing exported directories. - See <command>man rsyncd.conf</command> for options. - ''; - type = types.attrsOf (types.attrsOf types.str); - example = literalExample '' - { srv = - { path = "/srv"; - "read only" = "yes"; - comment = "Public rsync share."; - }; - } - ''; - }; + }; + }; - user = mkOption { - type = types.str; - default = "root"; - description = '' - The user to run the daemon as. - By default the daemon runs as root. - ''; - }; + imports = (map (option: + mkRemovedOptionModule [ "services" "rsyncd" option ] + "This option was removed in favor of `services.rsyncd.settings`.") [ + "address" + "extraConfig" + "motd" + "user" + "group" + ]); - group = mkOption { - type = types.str; - default = "root"; - description = '' - The group to run the daemon as. - By default the daemon runs as root. 
- ''; + config = mkIf cfg.enable { + + services.rsyncd.settings.global.port = toString cfg.port; + + systemd = let + serviceConfigSecurity = { + ProtectSystem = "full"; + PrivateDevices = "on"; + NoNewPrivileges = "on"; + }; + in { + services.rsync = { + enable = !cfg.socketActivated; + aliases = [ "rsyncd" ]; + + description = "fast remote file copy program daemon"; + after = [ "network.target" ]; + documentation = [ "man:rsync(1)" "man:rsyncd.conf(5)" ]; + + serviceConfig = serviceConfigSecurity // { + ExecStart = + "${pkgs.rsync}/bin/rsync --daemon --no-detach --config=${configFile}"; + RestartSec = 1; + }; + + wantedBy = [ "multi-user.target" ]; }; - }; - }; + services."rsync@" = { + description = "fast remote file copy program daemon"; + after = [ "network.target" ]; - ###### implementation + serviceConfig = serviceConfigSecurity // { + ExecStart = "${pkgs.rsync}/bin/rsync --daemon --config=${configFile}"; + StandardInput = "socket"; + StandardOutput = "inherit"; + StandardError = "journal"; + }; + }; - config = mkIf cfg.enable { + sockets.rsync = { + enable = cfg.socketActivated; - environment.etc."rsyncd.conf".text = cfgFile; + description = "socket for fast remote file copy program daemon"; + conflicts = [ "rsync.service" ]; - systemd.services.rsyncd = { - description = "Rsync daemon"; - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ config.environment.etc."rsyncd.conf".source ]; - serviceConfig = { - ExecStart = "${pkgs.rsync}/bin/rsync --daemon --no-detach"; - User = cfg.user; - Group = cfg.group; + listenStreams = [ (toString cfg.port) ]; + socketConfig.Accept = true; + + wantedBy = [ "sockets.target" ]; }; }; + }; + + meta.maintainers = with lib.maintainers; [ ehmry ]; + + # TODO: socket activated rsyncd + } diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix new file mode 100644 index 00000000000..800ef448d37 --- /dev/null 
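Review bot: The trailing `# TODO: socket activated rsyncd` is stale, since this hunk adds exactly that (`services."rsync@"` and `sockets.rsync`); remove it. With the `user` and `group` options gone, the daemon now starts as root (neither `serviceConfig` sets `User=`) and relies on the per-module `uid`/`gid` settings shown in the example to drop privileges; the removed-option message should say so, e.g. `"This option was removed in favor of services.rsyncd.settings; the daemon runs as root and drops privileges per module via the uid/gid settings."`. `ProtectSystem = "full"` leaves /var and /home writable, which rsync modules need, so a one-line comment next to `serviceConfigSecurity` stating why `"strict"` was not chosen would pre-empt the obvious follow-up.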
+++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix 
@@ -0,0 +1,124 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.samba-wsdd; + +in { + options = { + services.samba-wsdd = { + enable = mkEnableOption '' + Enable Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device, + to be found by Web Service Discovery Clients like Windows. + <note> + <para>If you use the firewall consider adding the following:</para> + <programlisting> + networking.firewall.allowedTCPPorts = [ 5357 ]; + networking.firewall.allowedUDPPorts = [ 3702 ]; + </programlisting> + </note> + ''; + interface = mkOption { + type = types.nullOr types.str; + default = null; + example = "eth0"; + description = "Interface or address to use."; + }; + hoplimit = mkOption { + type = types.nullOr types.int; + default = null; + example = 2; + description = "Hop limit for multicast packets (default = 1)."; + }; + workgroup = mkOption { + type = types.nullOr types.str; + default = null; + example = "HOME"; + description = "Set workgroup name (default WORKGROUP)."; + }; + hostname = mkOption { + type = types.nullOr types.str; + default = null; + example = "FILESERVER"; + description = "Override (NetBIOS) hostname to be used (default hostname)."; + }; + domain = mkOption { + type = types.nullOr types.str; + default = null; + description = "Set domain name (disables workgroup)."; + }; + discovery = mkOption { + type = types.bool; + default = false; + description = "Enable discovery operation mode."; + }; + listen = mkOption { + type = types.str; + default = "/run/wsdd/wsdd.sock"; + description = "Listen on path or localhost port in discovery mode."; + }; + extraOptions = mkOption { + type = types.listOf types.str; + default = [ "--shortlog" ]; + example = [ "--verbose" "--no-http" "--ipv4only" "--no-host" ]; + description = "Additional wsdd options."; + }; + }; + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.wsdd ]; + + systemd.services.samba-wsdd = { + description = "Web 
Services Dynamic Discovery host daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + Type = "simple"; + ExecStart = '' + ${pkgs.wsdd}/bin/wsdd ${optionalString (cfg.interface != null) "--interface '${cfg.interface}'"} \ + ${optionalString (cfg.hoplimit != null) "--hoplimit '${toString cfg.hoplimit}'"} \ + ${optionalString (cfg.workgroup != null) "--workgroup '${cfg.workgroup}'"} \ + ${optionalString (cfg.hostname != null) "--hostname '${cfg.hostname}'"} \ + ${optionalString (cfg.domain != null) "--domain '${cfg.domain}'"} \ + ${optionalString cfg.discovery "--discovery --listen '${cfg.listen}'"} \ + ${escapeShellArgs cfg.extraOptions} + ''; + # Runtime directory and mode + RuntimeDirectory = "wsdd"; + RuntimeDirectoryMode = "0750"; + # Access write directories + UMask = "0027"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = false; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources"; + }; + }; + }; +} diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 08c912e0fcd..78ea245cb35 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix 
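Review bot: `ExecStart` wraps `cfg.interface`, `cfg.workgroup`, `cfg.hostname`, `cfg.domain` and `cfg.listen` in hand-written single quotes, so a value containing `'` breaks the command line, whereas `cfg.extraOptions` on the last line already goes through `escapeShellArgs`; use the same helper for each, e.g. `--interface ${escapeShellArg cfg.interface}`. `mkEnableOption` prefixes its argument with "Whether to enable", so the description currently reads "Whether to enable Enable Web Services…"; start it with `Web Services Dynamic Discovery host daemon. …`. With `DynamicUser = true` and `RuntimeDirectoryMode = "0750"`, the default discovery socket `/run/wsdd/wsdd.sock` is reachable only by root and the transient user, which may be intended but deserves a sentence in the `listen` option's description.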
@@ -26,7 +26,6 @@ let [global] security = ${cfg.securityType} passwd program = /run/wrappers/bin/passwd %u - pam password change = ${smbToString cfg.syncPasswordsByPam} invalid users = ${smbToString cfg.invalidUsers} ${cfg.extraConfig} @@ -67,6 +66,7 @@ in { imports = [ (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "") + (mkRemovedOptionModule [ "services" "samba" "syncPasswordsByPam" ] "This option has been removed by upstream, see https://bugzilla.samba.org/show_bug.cgi?id=10669#c10") ]; ###### interface @@ -124,18 +124,6 @@ in ''; }; - syncPasswordsByPam = mkOption { - type = types.bool; - default = false; - description = '' - Enabling this will add a line directly after pam_unix.so. - Whenever a password is changed the samba password will be updated as well. - However, you still have to add the samba password once, using smbpasswd -a user. - If you don't want to maintain an extra password database, you still can send plain text - passwords which is not secure. - ''; - }; - invalidUsers = mkOption { type = types.listOf types.str; default = [ "root" ]; @@ -168,7 +156,6 @@ in securityType = mkOption { type = types.str; default = "user"; - example = "share"; description = "Samba security type"; }; @@ -248,7 +235,7 @@ in }; security.pam.services.samba = {}; - + environment.systemPackages = [ config.services.samba.package ]; }) ]; diff --git a/nixos/modules/services/network-filesystems/xtreemfs.nix b/nixos/modules/services/network-filesystems/xtreemfs.nix index b8f8c1d7117..6cc8a05ee00 100644 --- a/nixos/modules/services/network-filesystems/xtreemfs.nix +++ b/nixos/modules/services/network-filesystems/xtreemfs.nix @@ -92,6 +92,7 @@ in enable = mkEnableOption "XtreemFS"; homeDir = mkOption { + type = types.path; default = "/var/lib/xtreemfs"; description = '' XtreemFS home dir for the xtreemfs user. 
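Review bot: Dropping `example = "share"` for `securityType` (hunk `@@ -168,7 +156,6 @@`) still leaves the option a free-form `types.str`, so the value this commit steers users away from passes evaluation and only fails when smbd parses smb.conf; if the packaged Samba accepts a small fixed set (smb.conf(5) upstream lists user, domain and ads, worth confirming for this version), `type = types.enum [ "user" "domain" "ads" ];` would surface the mistake at build time. The `syncPasswordsByPam` removal message links the upstream bug, which is good; the `securityType` description could likewise say why `share` is no longer offered.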
@@ -109,19 +110,22 @@ in uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e40"; + type = types.str; description = '' Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in - the `utillinux` package. + the `util-linux` package. ''; }; port = mkOption { default = 32638; + type = types.port; description = '' The port to listen on for incoming connections (TCP). ''; }; address = mkOption { + type = types.str; example = "127.0.0.1"; default = ""; description = '' @@ -131,12 +135,14 @@ in }; httpPort = mkOption { default = 30638; + type = types.port; description = '' Specifies the listen port for the HTTP service that returns the status page. ''; }; syncMode = mkOption { + type = types.enum [ "ASYNC" "SYNC_WRITE_METADATA" "SYNC_WRITE" "FDATASYNC" "ASYNC" ]; default = "FSYNC"; example = "FDATASYNC"; description = '' @@ -229,20 +235,23 @@ in uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e41"; + type = types.str; description = '' Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in - the `utillinux` package. + the `util-linux` package. ''; }; port = mkOption { default = 32636; + type = types.port; description = '' The port to listen on for incoming connections (TCP). ''; }; address = mkOption { example = "127.0.0.1"; + type = types.str; default = ""; description = '' If specified, it defines the interface to listen on. If not @@ -251,6 +260,7 @@ in }; httpPort = mkOption { default = 30636; + type = types.port; description = '' Specifies the listen port for the HTTP service that returns the status page. @@ -258,6 +268,7 @@ in }; syncMode = mkOption { default = "FSYNC"; + type = types.enum [ "ASYNC" "SYNC_WRITE_METADATA" "SYNC_WRITE" "FDATASYNC" "ASYNC" ]; example = "FDATASYNC"; description = '' The sync mode influences how operations are committed to the disk 
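Review bot: The new `syncMode` enum lists `"ASYNC"` twice and omits `"FSYNC"`, which is the option's `default`, so every configuration that leaves `syncMode` unset now fails evaluation with a type error; the last entry is almost certainly meant to be FSYNC: `type = types.enum [ "ASYNC" "SYNC_WRITE_METADATA" "SYNC_WRITE" "FDATASYNC" "FSYNC" ];`. The same list appears in the second `syncMode` hunk (`@@ -258,6 +268,7 @@`) on this line and needs the same fix. Whether the XtreemFS daemons accept any further values is outside what this hunk shows.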
@@ -367,20 +378,23 @@ in uuid = mkOption { example = "eacb6bab-f444-4ebf-a06a-3f72d7465e42"; + type = types.str; description = '' Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in - the `utillinux` package. + the `util-linux` package. ''; }; port = mkOption { default = 32640; + type = types.port; description = '' The port to listen on for incoming connections (TCP and UDP). ''; }; address = mkOption { example = "127.0.0.1"; + type = types.str; default = ""; description = '' If specified, it defines the interface to listen on. If not @@ -389,6 +403,7 @@ in }; httpPort = mkOption { default = 30640; + type = types.port; description = '' Specifies the listen port for the HTTP service that returns the status page. diff --git a/nixos/modules/services/network-filesystems/yandex-disk.nix b/nixos/modules/services/network-filesystems/yandex-disk.nix index cc73f13bf77..a5b1f9d4ab6 100644 --- a/nixos/modules/services/network-filesystems/yandex-disk.nix +++ b/nixos/modules/services/network-filesystems/yandex-disk.nix @@ -46,12 +46,14 @@ in user = mkOption { default = null; + type = types.nullOr types.str; description = '' The user the yandex-disk daemon should run as. ''; }; directory = mkOption { + type = types.path; default = "/home/Yandex.Disk"; description = "The directory to use for Yandex.Disk storage"; }; |