diff options
Diffstat (limited to 'nixos/modules/services')
109 files changed, 3552 insertions, 1424 deletions
diff --git a/nixos/modules/services/audio/snapserver.nix b/nixos/modules/services/audio/snapserver.nix index 6d5ce98df89..91d97a0b551 100644 --- a/nixos/modules/services/audio/snapserver.nix +++ b/nixos/modules/services/audio/snapserver.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; @@ -101,6 +101,8 @@ in { openFirewall = mkOption { type = types.bool; + # Make the behavior consistent with other services. Set the default to + # false and remove the accompanying warning after NixOS 22.05 is released. default = true; description = '' Whether to automatically open the specified ports in the firewall. @@ -273,10 +275,16 @@ in { config = mkIf cfg.enable { - # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85 - warnings = filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then '' - services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead. - '' else "") cfg.streams); + warnings = + # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85 + filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then '' + services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead. + '' else "") cfg.streams) + # Remove this warning after NixOS 22.05 is released. + ++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) '' + services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11. + Enable it explicitly if you need to control Snapserver remotely. + ''; systemd.services.snapserver = { after = [ "network.target" ]; @@ -304,8 +312,8 @@ in { networking.firewall.allowedTCPPorts = optionals cfg.openFirewall [ cfg.port ] - ++ optional cfg.tcp.enable cfg.tcp.port - ++ optional cfg.http.enable cfg.http.port; + ++ optional (cfg.openFirewall && cfg.tcp.enable) cfg.tcp.port + ++ optional (cfg.openFirewall && cfg.http.enable) cfg.http.port; }; meta = { diff --git a/nixos/modules/services/backup/zrepl.nix b/nixos/modules/services/backup/zrepl.nix index 4356479b663..73f5e4d9f6d 100644 --- a/nixos/modules/services/backup/zrepl.nix +++ b/nixos/modules/services/backup/zrepl.nix @@ -38,6 +38,9 @@ in environment.etc."zrepl/zrepl.yml".source = configFile; systemd.packages = [ pkgs.zrepl ]; + + # Note that pkgs.zrepl copies and adapts the upstream systemd unit, and + # the fields defined here only override certain fields from that unit. systemd.services.zrepl = { requires = [ "local-fs.target" ]; wantedBy = [ "zfs.target" ]; diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix index aaa159d3cb1..80c6c6abfd0 100644 --- a/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -64,7 +64,7 @@ in { description = "Factory Steps"; default = []; example = [ - "steps.Git(repourl='git://github.com/buildbot/pyflakes.git', mode='incremental')" + "steps.Git(repourl='https://github.com/buildbot/pyflakes.git', mode='incremental')" "steps.ShellCommand(command=['trial', 'pyflakes'])" ]; }; @@ -74,7 +74,7 @@ in { description = "List of Change Sources."; default = []; example = [ - "changes.GitPoller('git://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)" + "changes.GitPoller('https://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)" ]; }; diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix index a7645e1f56e..30dd919b81a 100644 --- a/nixos/modules/services/continuous-integration/github-runner.nix +++ b/nixos/modules/services/continuous-integration/github-runner.nix @@ -299,6 +299,16 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; UMask = "0066"; + ProtectProc = "invisible"; + ProcSubset = "pid"; + SystemCallFilter = [ + "~@debug" + "~@mount" + "~@privileged" + "~@cpu-emulation" + "~@obsolete" + ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; # Needs network access PrivateNetwork = false; diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix index dc58c634523..85ac0fb2a89 100644 --- a/nixos/modules/services/continuous-integration/gitlab-runner.nix +++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix @@ -36,12 +36,12 @@ let # register new services ${concatStringsSep "\n" (mapAttrsToList (name: service: '' - if echo "$NEW_SERVICES" | grep -xq ${name}; then + if echo "$NEW_SERVICES" | grep -xq "${name}"; then bash -c ${escapeShellArg (concatStringsSep " \\\n " ([ "set -a && source ${service.registrationConfigFile} &&" "gitlab-runner register" "--non-interactive" - "--name ${name}" + (if service.description != null then "--description \"${service.description}\"" else "--name '${name}'") "--executor ${service.executor}" "--limit ${toString service.limit}" "--request-concurrency ${toString service.requestConcurrency}" @@ -365,6 +365,13 @@ in with <literal>RUNNER_ENV</literal> variable set. ''; }; + description = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Name/description of the runner. + ''; + }; executor = mkOption { type = types.str; default = "docker"; diff --git a/nixos/modules/services/continuous-integration/jenkins/slave.nix b/nixos/modules/services/continuous-integration/jenkins/slave.nix index 3c0e6f78e74..871b9914fb2 100644 --- a/nixos/modules/services/continuous-integration/jenkins/slave.nix +++ b/nixos/modules/services/continuous-integration/jenkins/slave.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; let cfg = config.services.jenkinsSlave; @@ -46,6 +46,15 @@ in { this is the home of the "jenkins" user. ''; }; + + javaPackage = mkOption { + default = pkgs.jdk; + defaultText = literalExpression "pkgs.jdk"; + description = '' + Java package to install. + ''; + type = types.package; + }; }; }; @@ -64,5 +73,10 @@ in { uid = config.ids.uids.jenkins; }; }; + + programs.java = { + enable = true; + package = cfg.javaPackage; + }; }; } diff --git a/nixos/modules/services/databases/cockroachdb.nix b/nixos/modules/services/databases/cockroachdb.nix index eb061af9262..9a7aebe4f6a 100644 --- a/nixos/modules/services/databases/cockroachdb.nix +++ b/nixos/modules/services/databases/cockroachdb.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; @@ -6,46 +6,44 @@ let cfg = config.services.cockroachdb; crdb = cfg.package; - escape = builtins.replaceStrings ["%"] ["%%"]; - ifNotNull = v: s: optionalString (v != null) s; - - startupCommand = lib.concatStringsSep " " - [ # Basic startup - "${crdb}/bin/cockroach start" + startupCommand = utils.escapeSystemdExecArgs + ([ + # Basic startup + "${crdb}/bin/cockroach" + "start" "--logtostderr" "--store=/var/lib/cockroachdb" - (ifNotNull cfg.locality "--locality='${cfg.locality}'") # WebUI settings - "--http-addr='${cfg.http.address}:${toString cfg.http.port}'" + "--http-addr=${cfg.http.address}:${toString cfg.http.port}" # Cluster listen address - "--listen-addr='${cfg.listen.address}:${toString cfg.listen.port}'" - - # Cluster configuration - (ifNotNull cfg.join "--join=${cfg.join}") + "--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}" - # Cache and memory settings. Must be escaped. - "--cache='${escape cfg.cache}'" - "--max-sql-memory='${escape cfg.maxSqlMemory}'" + # Cache and memory settings. + "--cache=${cfg.cache}" + "--max-sql-memory=${cfg.maxSqlMemory}" # Certificate/security settings. (if cfg.insecure then "--insecure" else "--certs-dir=${cfg.certsDir}") - ]; - - addressOption = descr: defaultPort: { - address = mkOption { - type = types.str; - default = "localhost"; - description = "Address to bind to for ${descr}"; - }; + ] + ++ lib.optional (cfg.join != null) "--join=${cfg.join}" + ++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}" + ++ cfg.extraArgs); + + addressOption = descr: defaultPort: { + address = mkOption { + type = types.str; + default = "localhost"; + description = "Address to bind to for ${descr}"; + }; - port = mkOption { - type = types.port; - default = defaultPort; - description = "Port to bind to for ${descr}"; - }; + port = mkOption { + type = types.port; + default = defaultPort; + description = "Port to bind to for ${descr}"; }; + }; in { @@ -159,6 +157,16 @@ in only contain open source features and open source code). ''; }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--advertise-addr" "[fe80::f6f2:::]" ]; + description = '' + Extra CLI arguments passed to <command>cockroach start</command>. + For the full list of supported argumemnts, check <link xlink:href="https://www.cockroachlabs.com/docs/stable/cockroach-start.html#flags"/> + ''; + }; }; }; diff --git a/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json b/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json index df0f62556df..b19fb33ec17 100644 --- a/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json +++ b/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json @@ -29,14 +29,7 @@ }, { "name": "libpipewire-module-protocol-pulse", - "args": { - "server.address": [ - "unix:native" - ], - "vm.overrides": { - "pulse.min.quantum": "1024/48000" - } - } + "args": {} } ], "context.exec": [ @@ -46,6 +39,14 @@ } ], "stream.properties": {}, + "pulse.properties": { + "server.address": [ + "unix:native" + ], + "vm.overrides": { + "pulse.min.quantum": "1024/48000" + } + }, "pulse.rules": [ { "matches": [ diff --git a/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix b/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix index 109c91134b9..09761d6300e 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix +++ b/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix @@ -58,7 +58,7 @@ in { Configuration for the media session core. For details see https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/media-session.conf ''; - default = {}; + default = defaults.media-session; }; alsa-monitor = mkOption { @@ -67,7 +67,7 @@ in { Configuration for the alsa monitor. For details see https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/alsa-monitor.conf ''; - default = {}; + default = defaults.alsa-monitor; }; bluez-monitor = mkOption { @@ -76,7 +76,7 @@ in { Configuration for the bluez5 monitor. For details see https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/bluez-monitor.conf ''; - default = {}; + default = defaults.bluez-monitor; }; v4l2-monitor = mkOption { @@ -85,7 +85,7 @@ in { Configuration for the V4L2 monitor. For details see https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/v4l2-monitor.conf ''; - default = {}; + default = defaults.v4l2-monitor; }; }; }; @@ -110,6 +110,11 @@ in { source = json.generate "v4l2-monitor.conf" configs.v4l2-monitor; }; + environment.etc."pipewire/media-session.d/with-audio" = + mkIf config.services.pipewire.audio.enable { + text = ""; + }; + environment.etc."pipewire/media-session.d/with-alsa" = mkIf config.services.pipewire.alsa.enable { text = ""; diff --git a/nixos/modules/services/desktops/pipewire/pipewire.nix b/nixos/modules/services/desktops/pipewire/pipewire.nix index 59e9342a6ea..1323336d866 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire.nix +++ b/nixos/modules/services/desktops/pipewire/pipewire.nix @@ -116,6 +116,16 @@ in { }; }; + audio = { + enable = lib.mkOption { + type = lib.types.bool; + # this is for backwards compatibility + default = cfg.alsa.enable || cfg.jack.enable || cfg.pulse.enable; + defaultText = lib.literalExpression "config.services.pipewire.alsa.enable || config.services.pipewire.jack.enable || config.services.pipewire.pulse.enable"; + description = "Whether to use PipeWire as the primary sound server"; + }; + }; + alsa = { enable = mkEnableOption "ALSA support"; support32Bit = mkEnableOption "32-bit ALSA support on 64-bit systems"; @@ -152,13 +162,18 @@ in { config = mkIf cfg.enable { assertions = [ { - assertion = cfg.pulse.enable -> !config.hardware.pulseaudio.enable; - message = "PipeWire based PulseAudio server emulation replaces PulseAudio. This option requires `hardware.pulseaudio.enable` to be set to false"; + assertion = cfg.audio.enable -> !config.hardware.pulseaudio.enable; + message = "Using PipeWire as the sound server conflicts with PulseAudio. This option requires `hardware.pulseaudio.enable` to be set to false"; } { assertion = cfg.jack.enable -> !config.services.jack.jackd.enable; message = "PipeWire based JACK emulation doesn't use the JACK service. This option requires `services.jack.jackd.enable` to be set to false"; } + { + # JACK intentionally not checked, as PW-on-JACK setups are a thing that some people may want + assertion = (cfg.alsa.enable || cfg.pulse.enable) -> cfg.audio.enable; + message = "Using PipeWire's ALSA/PulseAudio compatibility layers requires running PipeWire as the sound server. Set `services.pipewire.audio.enable` to true."; + } ]; environment.systemPackages = [ cfg.package ] diff --git a/nixos/modules/services/desktops/pipewire/wireplumber.nix b/nixos/modules/services/desktops/pipewire/wireplumber.nix index 52ec17b95db..1dbdd842c4a 100644 --- a/nixos/modules/services/desktops/pipewire/wireplumber.nix +++ b/nixos/modules/services/desktops/pipewire/wireplumber.nix @@ -1,7 +1,9 @@ { config, lib, pkgs, ... }: let - cfg = config.services.pipewire.wireplumber; + pwCfg = config.services.pipewire; + cfg = pwCfg.wireplumber; + pwUsedForAudio = pwCfg.audio.enable; in { meta.maintainers = [ lib.maintainers.k900 ]; @@ -33,6 +35,14 @@ in ]; environment.systemPackages = [ cfg.package ]; + + environment.etc."wireplumber/main.lua.d/80-nixos.lua" = lib.mkIf (!pwUsedForAudio) { + text = '' + -- Pipewire is not used for audio, so prevent it from grabbing audio devices + alsa_monitor.enable = function() end + ''; + }; + systemd.packages = [ cfg.package ]; systemd.services.wireplumber.enable = config.services.pipewire.systemWide; diff --git a/nixos/modules/services/development/jupyter/default.nix b/nixos/modules/services/development/jupyter/default.nix index bebb3c3f13f..4eacc4782a9 100644 --- a/nixos/modules/services/development/jupyter/default.nix +++ b/nixos/modules/services/development/jupyter/default.nix @@ -194,6 +194,7 @@ in { extraGroups = [ cfg.group ]; home = "/var/lib/jupyter"; createHome = true; + isSystemUser = true; useDefaultShell = true; # needed so that the user can start a terminal. }; }) diff --git a/nixos/modules/services/editors/haste.nix b/nixos/modules/services/editors/haste.nix new file mode 100644 index 00000000000..35fe26766ef --- /dev/null +++ b/nixos/modules/services/editors/haste.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + pkg = pkgs.haste-server; + cfg = config.services.haste-server; + + format = pkgs.formats.json {}; +in +{ + options.services.haste-server = { + enable = mkEnableOption "haste-server"; + openFirewall = mkEnableOption "firewall passthrough for haste-server"; + + settings = mkOption { + description = '' + Configuration for haste-server. + For documentation see <link xlink:href="https://github.com/toptal/haste-server#settings">project readme</link> + ''; + type = format.type; + }; + }; + + config = mkIf (cfg.enable) { + networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ cfg.settings.port ]; + + services.haste-server = { + settings = { + host = mkDefault "::"; + port = mkDefault 7777; + + keyLength = mkDefault 10; + maxLength = mkDefault 400000; + + staticMaxAge = mkDefault 86400; + recompressStaticAssets = mkDefault false; + + logging = mkDefault [ + { + level = "verbose"; + type = "Console"; + colorize = true; + } + ]; + + keyGenerator = mkDefault { + type = "phonetic"; + }; + + rateLimits = { + categories = { + normal = { + totalRequests = mkDefault 500; + every = mkDefault 60000; + }; + }; + }; + + storage = mkDefault { + type = "file"; + }; + + documents = { + about = mkDefault "${pkg}/share/haste-server/about.md"; + }; + }; + }; + + systemd.services.haste-server = { + wantedBy = [ "multi-user.target" ]; + requires = [ "network.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + User = "haste-server"; + DynamicUser = true; + StateDirectory = "haste-server"; + WorkingDirectory = "/var/lib/haste-server"; + ExecStart = "${pkg}/bin/haste-server ${format.generate "config.json" cfg.settings}"; + }; + + path = with pkgs; [ pkg coreutils ]; + }; + }; +} diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix index 96fcd6d2c8b..ff73d7a46ed 100644 --- a/nixos/modules/services/games/factorio.nix +++ b/nixos/modules/services/games/factorio.nix @@ -53,6 +53,14 @@ in ''; }; + bind = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + The address to which the service should bind. + ''; + }; + admins = mkOption { type = types.listOf types.str; default = []; @@ -241,6 +249,7 @@ in "${cfg.package}/bin/factorio" "--config=${cfg.configFile}" "--port=${toString cfg.port}" + "--bind=${cfg.bind}" "--start-server=${mkSavePath cfg.saveName}" "--server-settings=${serverSettingsFile}" (optionalString (cfg.mods != []) "--mod-directory=${modDir}") diff --git a/nixos/modules/services/games/minecraft-server.nix b/nixos/modules/services/games/minecraft-server.nix index 5bb8eff5762..8233962c1a2 100644 --- a/nixos/modules/services/games/minecraft-server.nix +++ b/nixos/modules/services/games/minecraft-server.nix @@ -153,7 +153,7 @@ in { type = types.separatedString " "; default = "-Xmx2048M -Xms2048M"; # Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script - example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing " + example = "-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing " + "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 " + "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10"; description = "JVM options for the Minecraft server."; diff --git a/nixos/modules/services/hardware/joycond.nix b/nixos/modules/services/hardware/joycond.nix index ffef4f8a4e1..d81c1bb6d63 100644 --- a/nixos/modules/services/hardware/joycond.nix +++ b/nixos/modules/services/hardware/joycond.nix @@ -22,13 +22,9 @@ with lib; }; config = mkIf cfg.enable { - environment.systemPackages = [ - kernelPackages.hid-nintendo - cfg.package - ]; + environment.systemPackages = [ cfg.package ]; - boot.extraModulePackages = [ kernelPackages.hid-nintendo ]; - boot.kernelModules = [ "hid_nintendo" ]; + boot.extraModulePackages = optional (versionOlder kernelPackages.kernel.version "5.16") kernelPackages.hid-nintendo; services.udev.packages = [ cfg.package ]; diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 61448af2d33..8257eeb673b 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -23,17 +23,16 @@ let nixosRules = '' # Miscellaneous devices. KERNEL=="kvm", MODE="0666" - KERNEL=="kqemu", MODE="0666" # Needed for gpm. SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd" ''; # Perform substitutions in all udev rules files. - udevRules = pkgs.runCommand "udev-rules" + udevRulesFor = { name, udevPackages, udevPath, udev, systemd, binPackages, initrdBin ? null }: pkgs.runCommand name { preferLocalBuild = true; allowSubstitutes = false; - packages = unique (map toString cfg.packages); + packages = unique (map toString udevPackages); } '' mkdir -p $out @@ -61,6 +60,9 @@ let --replace \"/bin/mount \"${pkgs.util-linux}/bin/mount \ --replace /usr/bin/readlink ${pkgs.coreutils}/bin/readlink \ --replace /usr/bin/basename ${pkgs.coreutils}/bin/basename + ${optionalString (initrdBin != null) '' + substituteInPlace $i --replace '/run/current-system/systemd' "${removeSuffix "/bin" initrdBin}" + ''} done echo -n "Checking that all programs called by relative paths in udev rules exist in ${udev}/lib/udev... " @@ -85,8 +87,9 @@ let for i in $import_progs $run_progs; do # if the path refers to /run/current-system/systemd, replace with config.systemd.package if [[ $i == /run/current-system/systemd* ]]; then - i="${config.systemd.package}/''${i#/run/current-system/systemd/}" + i="${systemd}/''${i#/run/current-system/systemd/}" fi + if [[ ! -x $i ]]; then echo "FAIL" echo "$i is called in udev rules but is not executable or does not exist" @@ -103,7 +106,7 @@ let echo "Consider fixing the following udev rules:" echo "$filesToFixup" | while read localFile; do remoteFile="origin unknown" - for i in ${toString cfg.packages}; do + for i in ${toString binPackages}; do for j in "$i"/*/udev/rules.d/*; do [ -e "$out/$(basename "$j")" ] || continue [ "$(basename "$j")" = "$(basename "$localFile")" ] || continue @@ -126,7 +129,7 @@ let ${optionalString (!config.boot.hardwareScan) '' ln -s /dev/null $out/80-drivers.rules ''} - ''; # */ + ''; hwdbBin = pkgs.runCommand "hwdb.bin" { preferLocalBuild = true; @@ -202,20 +205,6 @@ in ''; }; - initrdRules = mkOption { - default = ""; - example = '' - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card" - ''; - type = types.lines; - description = '' - <command>udev</command> rules to include in the initrd - <emphasis>only</emphasis>. They'll be written into file - <filename>99-local.rules</filename>. Thus they are read and applied - after the essential initrd rules. - ''; - }; - extraRules = mkOption { default = ""; example = '' @@ -283,6 +272,52 @@ in ''; }; + boot.initrd.services.udev = { + + packages = mkOption { + type = types.listOf types.path; + default = []; + visible = false; + description = '' + <emphasis>This will only be used when systemd is used in stage 1.</emphasis> + + List of packages containing <command>udev</command> rules that will be copied to stage 1. + All files found in + <filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and + <filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename> + will be included. + ''; + }; + + binPackages = mkOption { + type = types.listOf types.path; + default = []; + visible = false; + description = '' + <emphasis>This will only be used when systemd is used in stage 1.</emphasis> + + Packages to search for binaries that are referenced by the udev rules in stage 1. + This list always contains /bin of the initrd. + ''; + apply = map getBin; + }; + + rules = mkOption { + default = ""; + example = '' + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card" + ''; + type = types.lines; + description = '' + <command>udev</command> rules to include in the initrd + <emphasis>only</emphasis>. They'll be written into file + <filename>99-local.rules</filename>. Thus they are read and applied + after the essential initrd rules. + ''; + }; + + }; + }; @@ -298,16 +333,54 @@ in boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ]; - boot.initrd.extraUdevRulesCommands = optionalString (cfg.initrdRules != "") + boot.initrd.extraUdevRulesCommands = optionalString (!config.boot.initrd.systemd.enable && config.boot.initrd.services.udev.rules != "") '' cat <<'EOF' > $out/99-local.rules - ${cfg.initrdRules} + ${config.boot.initrd.services.udev.rules} EOF ''; + boot.initrd.systemd.additionalUpstreamUnits = [ + # TODO: "initrd-udevadm-cleanup-db.service" is commented out because of https://github.com/systemd/systemd/issues/12953 + "systemd-udevd-control.socket" + "systemd-udevd-kernel.socket" + "systemd-udevd.service" + "systemd-udev-settle.service" + "systemd-udev-trigger.service" + ]; + boot.initrd.systemd.storePaths = [ + "${config.boot.initrd.systemd.package}/lib/systemd/systemd-udevd" + "${config.boot.initrd.systemd.package}/lib/udev" + ] ++ map (x: "${x}/bin") config.boot.initrd.services.udev.binPackages; + + # Generate the udev rules for the initrd + boot.initrd.systemd.contents = { + "/etc/udev/rules.d".source = udevRulesFor { + name = "initrd-udev-rules"; + initrdBin = config.boot.initrd.systemd.contents."/bin".source; + udevPackages = config.boot.initrd.services.udev.packages; + udevPath = config.boot.initrd.systemd.contents."/bin".source; + udev = config.boot.initrd.systemd.package; + systemd = config.boot.initrd.systemd.package; + binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ]; + }; + }; + # Insert custom rules + boot.initrd.services.udev.packages = mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile { + name = "initrd-udev-rules"; + destination = "/etc/udev/rules.d/99-local.rules"; + text = config.boot.initrd.services.udev.rules; + }); + environment.etc = { - "udev/rules.d".source = udevRules; + "udev/rules.d".source = udevRulesFor { + name = "udev-rules"; + udevPackages = cfg.packages; + systemd = config.systemd.package; + binPackages = cfg.packages; + inherit udevPath udev; + }; "udev/hwdb.bin".source = hwdbBin; }; @@ -338,4 +411,8 @@ in }; }; + + imports = [ + (mkRenamedOptionModule [ "services" "udev" "initrdRules" ] [ "boot" "initrd" "services" "udev" "rules" ]) + ]; } diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index 6be23f39754..ea552ce867e 100644 --- a/nixos/modules/services/hardware/udisks2.nix +++ b/nixos/modules/services/hardware/udisks2.nix @@ -4,6 +4,13 @@ with lib; +let + settingsFormat = pkgs.formats.ini { + listToValue = concatMapStringsSep "," (generators.mkValueStringDefault {}); + }; + configFiles = mapAttrs (name: value: (settingsFormat.generate name value)) (mapAttrs' (name: value: nameValuePair name value ) config.services.udisks2.settings); +in + { ###### interface @@ -21,6 +28,36 @@ with lib; ''; }; + settings = mkOption rec { + type = types.attrsOf settingsFormat.type; + apply = recursiveUpdate default; + default = { + "udisks2.conf" = { + udisks2 = { + modules = [ "*" ]; + modules_load_preference = "ondemand"; + }; + defaults = { + encryption = "luks2"; + }; + }; + }; + example = literalExpression '' + { + "WDC-WD10EZEX-60M2NA0-WD-WCC3F3SJ0698.conf" = { + ATA = { + StandbyTimeout = 50; + }; + }; + }; + ''; + description = '' + Options passed to udisksd. + See <link xlink:href="http://manpages.ubuntu.com/manpages/latest/en/man5/udisks2.conf.5.html">here</link> and + drive configuration in <link xlink:href="http://manpages.ubuntu.com/manpages/latest/en/man8/udisks.8.html">here</link> for supported options. + ''; + }; + }; }; @@ -32,6 +69,8 @@ with lib; environment.systemPackages = [ pkgs.udisks2 ]; + environment.etc = mapAttrs' (name: value: nameValuePair "udisks2/${name}" { source = value; } ) configFiles; + security.polkit.enable = true; services.dbus.packages = [ pkgs.udisks2 ]; diff --git a/nixos/modules/services/hardware/usbrelayd.nix b/nixos/modules/services/hardware/usbrelayd.nix new file mode 100644 index 00000000000..c0322e89e6b --- /dev/null +++ b/nixos/modules/services/hardware/usbrelayd.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.usbrelayd; +in +{ + options.services.usbrelayd = with types; { + enable = mkEnableOption "USB Relay MQTT daemon"; + + broker = mkOption { + type = str; + description = "Hostname or IP address of your MQTT Broker."; + default = "127.0.0.1"; + example = [ + "mqtt" + "192.168.1.1" + ]; + }; + + clientName = mkOption { + type = str; + description = "Name, your client connects as."; + default = "MyUSBRelay"; + }; + }; + + config = mkIf cfg.enable { + + # TODO: Rename to .conf in upcomming release + environment.etc."usbrelayd.ini".text = '' + [MQTT] + BROKER = ${cfg.broker} + CLIENTNAME = ${cfg.clientName} + ''; + + services.udev.packages = [ pkgs.usbrelayd ]; + systemd.packages = [ pkgs.usbrelayd ]; + users.users.usbrelay = { + isSystemUser = true; + group = "usbrelay"; + }; + users.groups.usbrelay = { }; + }; +} diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix index e6a23233ba2..28e2d18bf03 100644 --- a/nixos/modules/services/logging/graylog.nix +++ b/nixos/modules/services/logging/graylog.nix @@ -132,7 +132,7 @@ in description = "Graylog server daemon user"; }; }; - users.groups = mkIf (cfg.user == "graylog") {}; + users.groups = mkIf (cfg.user == "graylog") { graylog = {}; }; systemd.tmpfiles.rules = [ "d '${cfg.messageJournalDir}' - ${cfg.user} - - -" diff --git a/nixos/modules/services/logging/klogd.nix b/nixos/modules/services/logging/klogd.nix index 8d371c161eb..1de0e58abbb 100644 --- a/nixos/modules/services/logging/klogd.nix +++ b/nixos/modules/services/logging/klogd.nix @@ -1,38 +1,9 @@ -{ config, lib, pkgs, ... }: - -with lib; +{ lib, ... }: { - ###### interface - - options = { - - services.klogd.enable = mkOption { - type = types.bool; - default = versionOlder (getVersion config.boot.kernelPackages.kernel) "3.5"; - defaultText = literalExpression ''versionOlder (getVersion config.boot.kernelPackages.kernel) "3.5"''; - description = '' - Whether to enable klogd, the kernel log message processing - daemon. Since systemd handles logging of kernel messages on - Linux 3.5 and later, this is only useful if you're running an - older kernel. - ''; - }; - - }; - - - ###### implementation - - config = mkIf config.services.klogd.enable { - systemd.services.klogd = { - description = "Kernel Log Daemon"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.sysklogd ]; - unitConfig.ConditionVirtualization = "!systemd-nspawn"; - script = - "klogd -c 1 -2 -n " + - "-k $(dirname $(readlink -f /run/booted-system/kernel))/System.map"; - }; - }; + imports = [ + (lib.mkRemovedOptionModule [ "security" "klogd" "enable" ] '' + Logging of kernel messages is now handled by systemd. + '') + ]; } diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index 082cf92ff4e..e6eb0552c9e 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -5,7 +5,10 @@ with lib; let cfg = config.services.logrotate; - pathOpts = { name, ... }: { + # deprecated legacy compat settings + # these options will be removed before 22.11 in the following PR: + # https://github.com/NixOS/nixpkgs/pull/164169 + pathOpts = { name, ... }: { options = { enable = mkOption { type = types.bool; @@ -86,23 +89,113 @@ let config.name = name; }; - mkConf = pathOpts: '' - # generated by NixOS using the `services.logrotate.paths.${pathOpts.name}` attribute set - ${concatMapStringsSep " " (path: ''"${path}"'') (toList pathOpts.path)} { - ${optionalString (pathOpts.user != null || pathOpts.group != null) "su ${pathOpts.user} ${pathOpts.group}"} - ${pathOpts.frequency} - rotate ${toString pathOpts.keep} - ${pathOpts.extraConfig} - } - ''; - - paths = sortProperties (attrValues (filterAttrs (_: pathOpts: pathOpts.enable) cfg.paths)); - configFile = pkgs.writeText "logrotate.conf" ( - concatStringsSep "\n" ( - [ "missingok" "notifempty" cfg.extraConfig ] ++ (map mkConf paths) - ) + generateLine = n: v: + if builtins.elem n [ "files" "priority" "enable" "global" ] || v == null then null + else if builtins.elem n [ "extraConfig" "frequency" ] then "${v}\n" + else if builtins.elem n [ "firstaction" "lastaction" "prerotate" "postrotate" "preremove" ] + then "${n}\n ${v}\n endscript\n" + else if isInt v then "${n} ${toString v}\n" + else if v == true then "${n}\n" + else if v == false then "no${n}\n" + else "${n} ${v}\n"; + generateSection = indent: settings: concatStringsSep (fixedWidthString indent " " "") ( + filter (x: x != null) (mapAttrsToList generateLine settings) ); + # generateSection includes a final newline hence weird closing brace + mkConf = settings: + if settings.global or false then generateSection 0 settings + else '' + ${concatMapStringsSep "\n" (files: ''"${files}"'') (toList settings.files)} { + ${generateSection 2 settings}} + ''; + + # below two mapPaths are compat functions + mapPathOptToSetting = n: v: + if n == "keep" then nameValuePair "rotate" v + else if n == "path" then nameValuePair "files" v + else nameValuePair n v; + + mapPathsToSettings = path: pathOpts: + nameValuePair path ( + filterAttrs (n: v: ! builtins.elem n [ "user" "group" "name" ] && v != "") ( + (mapAttrs' mapPathOptToSetting pathOpts) // + { + su = + if pathOpts.user != null + then "${pathOpts.user} ${pathOpts.group}" + else null; + } + ) + ); + + settings = sortProperties (attrValues (filterAttrs (_: settings: settings.enable) ( + foldAttrs recursiveUpdate { } [ + { + header = { + enable = true; + missingok = true; + notifempty = true; + frequency = "weekly"; + rotate = 4; + }; + # compat section + extraConfig = { + enable = (cfg.extraConfig != ""); + global = true; + extraConfig = cfg.extraConfig; + priority = 101; + }; + } + (mapAttrs' mapPathsToSettings cfg.paths) + cfg.settings + { header = { global = true; priority = 100; }; } + ] + ))); + configFile = pkgs.writeTextFile { + name = "logrotate.conf"; + text = concatStringsSep "\n" ( + map mkConf settings + ); + checkPhase = optionalString cfg.checkConfig '' + # logrotate --debug also checks that users specified in config + # file exist, but we only have sandboxed users here so brown these + # out. according to man page that means su, create and createolddir. + # files required to exist also won't be present, so missingok is forced. + user=$(${pkgs.buildPackages.coreutils}/bin/id -un) + group=$(${pkgs.buildPackages.coreutils}/bin/id -gn) + sed -e "s/\bsu\s.*/su $user $group/" \ + -e "s/\b\(create\s\+[0-9]*\s*\|createolddir\s\+[0-9]*\s\+\).*/\1$user $group/" \ + -e "1imissingok" -e "s/\bnomissingok\b//" \ + $out > /tmp/logrotate.conf + # Since this makes for very verbose builds only show real error. + # There is no way to control log level, but logrotate hardcodes + # 'error:' at common log level, so we can use grep, taking care + # to keep error codes + set -o pipefail + if ! ${pkgs.buildPackages.logrotate}/sbin/logrotate --debug /tmp/logrotate.conf 2>&1 \ + | ( ! grep "error:" ) > /tmp/logrotate-error; then + echo "Logrotate configuration check failed." + echo "The failing configuration (after adjustments to pass tests in sandbox) was:" + printf "%s\n" "-------" + cat /tmp/logrotate.conf + printf "%s\n" "-------" + echo "The error reported by logrotate was as follow:" + printf "%s\n" "-------" + cat /tmp/logrotate-error + printf "%s\n" "-------" + echo "You can disable this check with services.logrotate.checkConfig = false," + echo "but if you think it should work please report this failure along with" + echo "the config file being tested!" + false + fi + ''; + }; + + mailOption = + if foldr (n: a: a || n ? mail) false (attrValues cfg.settings) + then "--mail=${pkgs.mailutils}/bin/mail" + else ""; in { imports = [ @@ -112,17 +205,121 @@ in options = { services.logrotate = { enable = mkEnableOption "the logrotate systemd service" // { - default = foldr (n: a: a || n.enable) false (attrValues cfg.paths); - defaultText = literalExpression "cfg.paths != {}"; + default = foldr (n: a: a || n.enable) false (attrValues cfg.settings); + defaultText = literalExpression "cfg.settings != {}"; + }; + + settings = mkOption { + default = { }; + description = '' + logrotate freeform settings: each attribute here will define its own section, + ordered by priority, which can either define files to rotate with their settings + or settings common to all further files settings. + Refer to <link xlink:href="https://linux.die.net/man/8/logrotate"/> for details. + ''; + type = types.attrsOf (types.submodule ({ name, ... }: { + freeformType = with types; attrsOf (nullOr (oneOf [ int bool str ])); + + options = { + enable = mkEnableOption "setting individual kill switch" // { + default = true; + }; + + global = mkOption { + type = types.bool; + default = false; + description = '' + Whether this setting is a global option or not: set to have these + settings apply to all files settings with a higher priority. + ''; + }; + files = mkOption { + type = with types; either str (listOf str); + default = name; + defaultText = '' + The attrset name if not specified + ''; + description = '' + Single or list of files for which rules are defined. + The files are quoted with double-quotes in logrotate configuration, + so globs and spaces are supported. + Note this setting is ignored if globals is true. + ''; + }; + + frequency = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + How often to rotate the logs. Defaults to previously set global setting, + which itself defauts to weekly. + ''; + }; + + priority = mkOption { + type = types.int; + default = 1000; + description = '' + Order of this logrotate block in relation to the others. The semantics are + the same as with `lib.mkOrder`. Smaller values are inserted first. + ''; + }; + }; + + })); + }; + + configFile = mkOption { + type = types.path; + default = configFile; + defaultText = '' + A configuration file automatically generated by NixOS. + ''; + description = '' + Override the configuration file used by MySQL. By default, + NixOS generates one automatically from <xref linkend="opt-services.logrotate.settings"/>. + ''; + example = literalExpression '' + pkgs.writeText "logrotate.conf" ''' + missingok + "/var/log/*.log" { + rotate 4 + weekly + } + '''; + ''; }; + checkConfig = mkOption { + type = types.bool; + default = true; + description = '' + Whether the config should be checked at build time. + + Some options are not checkable at build time because of the build sandbox: + for example, the test does not know about existing files and system users are + not known. + These limitations mean we must adjust the file for tests (missingok is forced + and users are replaced by dummy users), so tests are complemented by a + logrotate-checkconf service that is enabled by default. + This extra check can be disabled by disabling it at the systemd level with the + <option>services.systemd.services.logrotate-checkconf.enable</option> option. + + Conversely there are still things that might make this check fail incorrectly + (e.g. a file path where we don't have access to intermediate directories): + in this case you can disable the failing check with this option. + ''; + }; + + # deprecated legacy compat settings paths = mkOption { type = with types; attrsOf (submodule pathOpts); - default = {}; + default = { }; description = '' Attribute set of paths to rotate. The order each block appears in the generated configuration file can be controlled by the <link linkend="opt-services.logrotate.paths._name_.priority">priority</link> option using the same semantics as `lib.mkOrder`. Smaller values have a greater priority. + This setting has been deprecated in favor of <link linkend="opt-services.logrotate.settings">logrotate settings</link>. ''; example = literalExpression '' { @@ -151,19 +348,37 @@ in description = '' Extra contents to append to the logrotate configuration file. Refer to <link xlink:href="https://linux.die.net/man/8/logrotate"/> for details. + This setting has been deprecated in favor of + <link linkend="opt-services.logrotate.settings">logrotate settings</link>. ''; }; }; }; config = mkIf cfg.enable { - assertions = mapAttrsToList (name: pathOpts: - { assertion = (pathOpts.user != null) == (pathOpts.group != null); - message = '' - If either of `services.logrotate.paths.${name}.user` or `services.logrotate.paths.${name}.group` are specified then *both* must be specified. - ''; - } - ) cfg.paths; + assertions = + mapAttrsToList + (name: pathOpts: + { + assertion = (pathOpts.user != null) == (pathOpts.group != null); + message = '' + If either of `services.logrotate.paths.${name}.user` or `services.logrotate.paths.${name}.group` are specified then *both* must be specified. + ''; + }) + cfg.paths; + + warnings = + (mapAttrsToList + (name: pathOpts: '' + Using config.services.logrotate.paths.${name} is deprecated and will become unsupported in a future release. + Please use services.logrotate.settings instead. + '') + cfg.paths + ) ++ + (optional (cfg.extraConfig != "") '' + Using config.services.logrotate.extraConfig is deprecated and will become unsupported in a future release. + Please use services.logrotate.settings with globals=true instead. + ''); systemd.services.logrotate = { description = "Logrotate Service"; @@ -172,7 +387,16 @@ in serviceConfig = { Restart = "no"; User = "root"; - ExecStart = "${pkgs.logrotate}/sbin/logrotate ${configFile}"; + ExecStart = "${pkgs.logrotate}/sbin/logrotate ${mailOption} ${cfg.configFile}"; + }; + }; + systemd.services.logrotate-checkconf = { + description = "Logrotate configuration check"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.logrotate}/sbin/logrotate --debug ${cfg.configFile}"; }; }; }; diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index 0c9b38b44b2..f1e074587b3 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -192,7 +192,6 @@ in { log_dir = "/var/log/mailman"; lock_dir = "$var_dir/lock"; etc_dir = "/etc"; - ext_dir = "$etc_dir/mailman.d"; pid_file = "/run/mailman/master.pid"; }; @@ -225,7 +224,14 @@ in { See <https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html>. ''; }; - in (lib.optionals cfg.enablePostfix [ + in [ + { assertion = cfg.webHosts != []; + message = '' + services.mailman.serve.enable requires there to be at least one entry + in services.mailman.webHosts. + ''; + } + ] ++ (lib.optionals cfg.enablePostfix [ { assertion = postfix.enable; message = '' Mailman's default NixOS configuration requires Postfix to be enabled. @@ -275,15 +281,14 @@ in { globals().update(json.load(f)) ''; - services.nginx = mkIf cfg.serve.enable { + services.nginx = mkIf (cfg.serve.enable && cfg.webHosts != []) { enable = mkDefault true; - virtualHosts."${lib.head cfg.webHosts}" = { - serverAliases = cfg.webHosts; + virtualHosts = lib.genAttrs cfg.webHosts (webHost: { locations = { "/".extraConfig = "uwsgi_pass unix:/run/mailman-web.socket;"; "/static/".alias = webSettings.STATIC_ROOT + "/"; }; - }; + }); }; environment.systemPackages = [ (pkgs.buildEnv { @@ -313,7 +318,9 @@ in { systemd.services = { mailman = { description = "GNU Mailman Master Process"; - after = [ "network.target" ]; + before = lib.optional cfg.enablePostfix "postfix.service"; + after = [ "network.target" ] + ++ lib.optional cfg.enablePostfix "postfix-setup.service"; restartTriggers = [ config.environment.etc."mailman.cfg".source ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 23d3574ae27..da14b6eef7e 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -723,23 +723,10 @@ in { ${setgidGroup}.gid = config.ids.gids.postdrop; }; - systemd.services.postfix = - { description = "Postfix mail server"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - path = [ pkgs.postfix ]; - - serviceConfig = { - Type = "forking"; - Restart = "always"; - PIDFile = "/var/lib/postfix/queue/pid/master.pid"; - ExecStart = "${pkgs.postfix}/bin/postfix start"; - ExecStop = "${pkgs.postfix}/bin/postfix stop"; - ExecReload = "${pkgs.postfix}/bin/postfix reload"; - }; - - preStart = '' + systemd.services.postfix-setup = + { description = "Setup for Postfix mail server"; + serviceConfig.Type = "oneshot"; + script = '' # Backwards compatibility if [ ! -d /var/lib/postfix ] && [ -d /var/postfix ]; then mkdir -p /var/lib @@ -777,6 +764,24 @@ in ''; }; + systemd.services.postfix = + { description = "Postfix mail server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "postfix-setup.service" ]; + requires = [ "postfix-setup.service" ]; + path = [ pkgs.postfix ]; + + serviceConfig = { + Type = "forking"; + Restart = "always"; + PIDFile = "/var/lib/postfix/queue/pid/master.pid"; + ExecStart = "${pkgs.postfix}/bin/postfix start"; + ExecStop = "${pkgs.postfix}/bin/postfix stop"; + ExecReload = "${pkgs.postfix}/bin/postfix reload"; + }; + }; + services.postfix.config = (mapAttrs (_: v: mkDefault v) { compatibility_level = pkgs.postfix.version; mail_owner = cfg.user; diff --git a/nixos/modules/services/matrix/matrix-synapse.nix b/nixos/modules/services/matrix/matrix-synapse.nix index c4d14dbd547..a498aff7a55 100644 --- a/nixos/modules/services/matrix/matrix-synapse.nix +++ b/nixos/modules/services/matrix/matrix-synapse.nix @@ -81,7 +81,7 @@ in { (mkRemovedOptionModule [ "services" "matrix-synapse" "verbose" ] "Use a log config instead." ) # options that were moved into rfc42 style settigns - (mkRemovedOptionModule [ "services" "matrix-synapse" "app_service_config_files" ] "Use settings.app_service_config_Files instead" ) + (mkRemovedOptionModule [ "services" "matrix-synapse" "app_service_config_files" ] "Use settings.app_service_config_files instead" ) (mkRemovedOptionModule [ "services" "matrix-synapse" "database_args" ] "Use settings.database.args instead" ) (mkRemovedOptionModule [ "services" "matrix-synapse" "database_name" ] "Use settings.database.args.database instead" ) (mkRemovedOptionModule [ "services" "matrix-synapse" "database_type" ] "Use settings.database.name instead" ) @@ -141,7 +141,7 @@ in { enable = mkEnableOption "matrix.org synapse"; configFile = mkOption { - type = types.str; + type = types.path; readOnly = true; description = '' Path to the configuration file on the target system. Useful to configure e.g. workers diff --git a/nixos/modules/services/matrix/matrix-synapse.xml b/nixos/modules/services/matrix/matrix-synapse.xml index cdc4b4de1a7..cf33957d58e 100644 --- a/nixos/modules/services/matrix/matrix-synapse.xml +++ b/nixos/modules/services/matrix/matrix-synapse.xml @@ -119,7 +119,7 @@ in { <link linkend="opt-services.matrix-synapse.settings.listeners">listeners</link> = [ { <link linkend="opt-services.matrix-synapse.settings.listeners._.port">port</link> = 8008; - <link linkend="opt-services.matrix-synapse.settings.listeners._.bind_addresses">bind_address</link> = [ "::1" ]; + <link linkend="opt-services.matrix-synapse.settings.listeners._.bind_addresses">bind_addresses</link> = [ "::1" ]; <link linkend="opt-services.matrix-synapse.settings.listeners._.type">type</link> = "http"; <link linkend="opt-services.matrix-synapse.settings.listeners._.tls">tls</link> = false; <link linkend="opt-services.matrix-synapse.settings.listeners._.x_forwarded">x_forwarded</link> = true; @@ -152,10 +152,10 @@ in { <para> If you want to run a server with public registration by anybody, you can - then enable <literal><link linkend="opt-services.matrix-synapse.settings.enable_registration">services.matrix-synapse.enable_registration</link> = + then enable <literal><link linkend="opt-services.matrix-synapse.settings.enable_registration">services.matrix-synapse.settings.enable_registration</link> = true;</literal>. Otherwise, or you can generate a registration secret with <command>pwgen -s 64 1</command> and set it with - <option><link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">services.matrix-synapse.registration_shared_secret</link></option>. + <option><link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">services.matrix-synapse.settings.registration_shared_secret</link></option>. To create a new user or admin, run the following after you have set the secret and have rebuilt NixOS: <screen> diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index a65c5c9d11c..ef799e9ce3b 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -5,6 +5,243 @@ with lib; let cfg = config.services.autorandr; + hookType = types.lines; + + matrixOf = n: m: elemType: + mkOptionType rec { + name = "matrixOf"; + description = + "${toString n}×${toString m} matrix of ${elemType.description}s"; + check = xss: + let listOfSize = l: xs: isList xs && length xs == l; + in listOfSize n xss + && all (xs: listOfSize m xs && all elemType.check xs) xss; + merge = mergeOneOption; + getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "*" "*" ]); + getSubModules = elemType.getSubModules; + substSubModules = mod: matrixOf n m (elemType.substSubModules mod); + functor = (defaultFunctor name) // { wrapped = elemType; }; + }; + + profileModule = types.submodule { + options = { + fingerprint = mkOption { + type = types.attrsOf types.str; + description = '' + Output name to EDID mapping. + Use <code>autorandr --fingerprint</code> to get current setup values. + ''; + default = { }; + }; + + config = mkOption { + type = types.attrsOf configModule; + description = "Per output profile configuration."; + default = { }; + }; + + hooks = mkOption { + type = hooksModule; + description = "Profile hook scripts."; + default = { }; + }; + }; + }; + + configModule = types.submodule { + options = { + enable = mkOption { + type = types.bool; + description = "Whether to enable the output."; + default = true; + }; + + crtc = mkOption { + type = types.nullOr types.ints.unsigned; + description = "Output video display controller."; + default = null; + example = 0; + }; + + primary = mkOption { + type = types.bool; + description = "Whether output should be marked as primary"; + default = false; + }; + + position = mkOption { + type = types.str; + description = "Output position"; + default = ""; + example = "5760x0"; + }; + + mode = mkOption { + type = types.str; + description = "Output resolution."; + default = ""; + example = "3840x2160"; + }; + + rate = mkOption { + type = types.str; + description = "Output framerate."; + default = ""; + example = "60.00"; + }; + + gamma = mkOption { + type = types.str; + description = "Output gamma configuration."; + default = ""; + example = "1.0:0.909:0.833"; + }; + + rotate = mkOption { + type = types.nullOr (types.enum [ "normal" "left" "right" "inverted" ]); + description = "Output rotate configuration."; + default = null; + example = "left"; + }; + + transform = mkOption { + type = types.nullOr (matrixOf 3 3 types.float); + default = null; + example = literalExpression '' + [ + [ 0.6 0.0 0.0 ] + [ 0.0 0.6 0.0 ] + [ 0.0 0.0 1.0 ] + ] + ''; + description = '' + Refer to + <citerefentry> + <refentrytitle>xrandr</refentrytitle> + <manvolnum>1</manvolnum> + </citerefentry> + for the documentation of the transform matrix. + ''; + }; + + dpi = mkOption { + type = types.nullOr types.ints.positive; + description = "Output DPI configuration."; + default = null; + example = 96; + }; + + scale = mkOption { + type = types.nullOr (types.submodule { + options = { + method = mkOption { + type = types.enum [ "factor" "pixel" ]; + description = "Output scaling method."; + default = "factor"; + example = "pixel"; + }; + + x = mkOption { + type = types.either types.float types.ints.positive; + description = "Horizontal scaling factor/pixels."; + }; + + y = mkOption { + type = types.either types.float types.ints.positive; + description = "Vertical scaling factor/pixels."; + }; + }; + }); + description = '' + Output scale configuration. + </para><para> + Either configure by pixels or a scaling factor. When using pixel method the + <citerefentry> + <refentrytitle>xrandr</refentrytitle> + <manvolnum>1</manvolnum> + </citerefentry> + option + <parameter class="command">--scale-from</parameter> + will be used; when using factor method the option + <parameter class="command">--scale</parameter> + will be used. + </para><para> + This option is a shortcut version of the transform option and they are mutually + exclusive. + ''; + default = null; + example = literalExpression '' + { + x = 1.25; + y = 1.25; + } + ''; + }; + }; + }; + + hooksModule = types.submodule { + options = { + postswitch = mkOption { + type = types.attrsOf hookType; + description = "Postswitch hook executed after mode switch."; + default = { }; + }; + + preswitch = mkOption { + type = types.attrsOf hookType; + description = "Preswitch hook executed before mode switch."; + default = { }; + }; + + predetect = mkOption { + type = types.attrsOf hookType; + description = '' + Predetect hook executed before autorandr attempts to run xrandr. + ''; + default = { }; + }; + }; + }; + + hookToFile = folder: name: hook: + nameValuePair "xdg/autorandr/${folder}/${name}" { + source = "${pkgs.writeShellScriptBin "hook" hook}/bin/hook"; + }; + profileToFiles = name: profile: + with profile; + mkMerge ([ + { + "xdg/autorandr/${name}/setup".text = concatStringsSep "\n" + (mapAttrsToList fingerprintToString fingerprint); + "xdg/autorandr/${name}/config".text = + concatStringsSep "\n" (mapAttrsToList configToString profile.config); + } + (mapAttrs' (hookToFile "${name}/postswitch.d") hooks.postswitch) + (mapAttrs' (hookToFile "${name}/preswitch.d") hooks.preswitch) + (mapAttrs' (hookToFile "${name}/predetect.d") hooks.predetect) + ]); + fingerprintToString = name: edid: "${name} ${edid}"; + configToString = name: config: + if config.enable then + concatStringsSep "\n" ([ "output ${name}" ] + ++ optional (config.position != "") "pos ${config.position}" + ++ optional (config.crtc != null) "crtc ${toString config.crtc}" + ++ optional config.primary "primary" + ++ optional (config.dpi != null) "dpi ${toString config.dpi}" + ++ optional (config.gamma != "") "gamma ${config.gamma}" + ++ optional (config.mode != "") "mode ${config.mode}" + ++ optional (config.rate != "") "rate ${config.rate}" + ++ optional (config.rotate != null) "rotate ${config.rotate}" + ++ optional (config.transform != null) ("transform " + + concatMapStringsSep "," toString (flatten config.transform)) + ++ optional (config.scale != null) + ((if config.scale.method == "factor" then "scale" else "scale-from") + + " ${toString config.scale.x}x${toString config.scale.y}")) + else '' + output ${name} + off + ''; in { @@ -22,6 +259,67 @@ in { for further reference. ''; }; + + hooks = mkOption { + type = hooksModule; + description = "Global hook scripts"; + default = { }; + example = '' + { + postswitch = { + "notify-i3" = "''${pkgs.i3}/bin/i3-msg restart"; + "change-background" = readFile ./change-background.sh; + "change-dpi" = ''' + case "$AUTORANDR_CURRENT_PROFILE" in + default) + DPI=120 + ;; + home) + DPI=192 + ;; + work) + DPI=144 + ;; + *) + echo "Unknown profle: $AUTORANDR_CURRENT_PROFILE" + exit 1 + esac + echo "Xft.dpi: $DPI" | ''${pkgs.xorg.xrdb}/bin/xrdb -merge + ''' + }; + } + ''; + }; + profiles = mkOption { + type = types.attrsOf profileModule; + description = "Autorandr profiles specification."; + default = { }; + example = literalExpression '' + { + "work" = { + fingerprint = { + eDP1 = "<EDID>"; + DP1 = "<EDID>"; + }; + config = { + eDP1.enable = false; + DP1 = { + enable = true; + crtc = 0; + primary = true; + position = "0x0"; + mode = "3840x2160"; + gamma = "1.0:0.909:0.833"; + rate = "60.00"; + rotate = "left"; + }; + }; + hooks.postswitch = readFile ./work-postswitch.sh; + }; + } + ''; + }; + }; }; @@ -30,7 +328,15 @@ in { services.udev.packages = [ pkgs.autorandr ]; - environment.systemPackages = [ pkgs.autorandr ]; + environment = { + systemPackages = [ pkgs.autorandr ]; + etc = mkMerge ([ + (mapAttrs' (hookToFile "postswitch.d") cfg.hooks.postswitch) + (mapAttrs' (hookToFile "preswitch.d") cfg.hooks.preswitch) + (mapAttrs' (hookToFile "predetect.d") cfg.hooks.predetect) + (mkMerge (mapAttrsToList profileToFiles cfg.profiles)) + ]); + }; systemd.services.autorandr = { wantedBy = [ "sleep.target" ]; @@ -49,5 +355,5 @@ in { }; - meta.maintainers = with maintainers; [ ]; + meta.maintainers = with maintainers; [ alexnortung ]; } diff --git a/nixos/modules/services/misc/dendrite.nix b/nixos/modules/services/misc/dendrite.nix index b2885b09415..35bec40926e 100644 --- a/nixos/modules/services/misc/dendrite.nix +++ b/nixos/modules/services/misc/dendrite.nix @@ -247,15 +247,13 @@ in WorkingDirectory = workingDir; RuntimeDirectory = "dendrite"; RuntimeDirectoryMode = "0700"; + LimitNOFILE = 65535; EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; - ExecStartPre = - if (cfg.environmentFile != null) then '' - ${pkgs.envsubst}/bin/envsubst \ - -i ${configurationYaml} \ - -o /run/dendrite/dendrite.yaml - '' else '' - ${pkgs.coreutils}/bin/cp ${configurationYaml} /run/dendrite/dendrite.yaml - ''; + ExecStartPre = '' + ${pkgs.envsubst}/bin/envsubst \ + -i ${configurationYaml} \ + -o /run/dendrite/dendrite.yaml + ''; ExecStart = lib.strings.concatStringsSep " " ([ "${pkgs.dendrite}/bin/dendrite-monolith-server" "--config /run/dendrite/dendrite.yaml" diff --git a/nixos/modules/services/misc/etebase-server.nix b/nixos/modules/services/misc/etebase-server.nix index dd84ac37b0d..cb99364aa1a 100644 --- a/nixos/modules/services/misc/etebase-server.nix +++ b/nixos/modules/services/misc/etebase-server.nix @@ -166,7 +166,7 @@ in } '' makeWrapper ${pythonEnv}/bin/etebase-server \ $out/bin/etebase-server \ - --run "cd ${cfg.dataDir}" \ + --chdir ${escapeShellArg cfg.dataDir} \ --prefix ETEBASE_EASY_CONFIG_PATH : "${configIni}" '') ]; diff --git a/nixos/modules/services/misc/ethminer.nix b/nixos/modules/services/misc/ethminer.nix index 95afb0460fb..22363466982 100644 --- a/nixos/modules/services/misc/ethminer.nix +++ b/nixos/modules/services/misc/ethminer.nix @@ -22,7 +22,7 @@ in }; recheckInterval = mkOption { - type = types.int; + type = types.ints.unsigned; default = 2000; description = "Interval in milliseconds between farm rechecks."; }; @@ -70,7 +70,7 @@ in }; maxPower = mkOption { - type = types.int; + type = types.ints.unsigned; default = 113; description = "Miner max watt usage."; }; @@ -85,7 +85,7 @@ in config = mkIf cfg.enable { systemd.services.ethminer = { - path = [ pkgs.cudatoolkit ]; + path = optional (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ]; description = "ethminer ethereum mining service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; @@ -97,7 +97,7 @@ in Restart = "always"; }; - environment = { + environment = mkIf (cfg.toolkit == "cuda") { LD_LIBRARY_PATH = "${config.boot.kernelPackages.nvidia_x11}/lib"; }; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index bc7bb663ee0..effa0c06ad6 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -499,6 +499,7 @@ in oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET internalToken = "${cfg.stateDir}/custom/conf/internal_token"; + replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' @@ -526,23 +527,17 @@ in ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} fi - SECRETKEY="$(head -n1 ${secretKey})" - DBPASS="$(head -n1 ${cfg.database.passwordFile})" - OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" - LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" - INTERNALTOKEN="$(head -n1 ${internalToken})" - ${if (cfg.mailerPasswordFile == null) then '' - MAILERPASSWORD="#mailerpass#" - '' else '' - MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" + chmod u+w '${runConfig}' + ${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}' + ${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}' + ${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}' + ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}' + ${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}' + + ${lib.optionalString (cfg.mailerPasswordFile != null) '' + ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}' ''} - sed -e "s,#secretkey#,$SECRETKEY,g" \ - -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ - -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ - -e "s,#internaltoken#,$INTERNALTOKEN,g" \ - -e "s,#mailerpass#,$MAILERPASSWORD,g" \ - -i ${runConfig} + chmod u-w '${runConfig}' } (umask 027; gitea_setup) ''} diff --git a/nixos/modules/services/misc/gitit.nix b/nixos/modules/services/misc/gitit.nix index ceb186c0f04..87dd97166b8 100644 --- a/nixos/modules/services/misc/gitit.nix +++ b/nixos/modules/services/misc/gitit.nix @@ -10,7 +10,7 @@ let toYesNo = b: if b then "yes" else "no"; - gititShared = with cfg.haskellPackages; gitit + "/share/" + pkgs.stdenv.hostPlatform.system + "-" + ghc.name + "/" + gitit.pname + "-" + gitit.version; + gititShared = with cfg.haskellPackages; gitit + "/share/" + ghc.targetPrefix + ghc.haskellCompilerName + "/" + gitit.pname + "-" + gitit.version; gititWithPkgs = hsPkgs: extras: hsPkgs.ghcWithPackages (self: with self; [ gitit ] ++ (extras self)); diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index e48444f7161..0811b34156e 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -179,7 +179,7 @@ let ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \ --set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \ - --run 'cd ${cfg.packages.gitlab}/share/gitlab' + --chdir '${cfg.packages.gitlab}/share/gitlab' ''; }; @@ -193,7 +193,7 @@ let makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rails $out/bin/gitlab-rails \ ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \ - --run 'cd ${cfg.packages.gitlab}/share/gitlab' + --chdir '${cfg.packages.gitlab}/share/gitlab' ''; }; @@ -848,10 +848,7 @@ in { extraConfig = mkOption { type = types.lines; - default = '' - copytruncate - compress - ''; + default = ""; description = '' Extra logrotate config options for this path. Refer to <link xlink:href="https://linux.die.net/man/8/logrotate"/> for details. @@ -977,13 +974,14 @@ in { # Enable rotation of log files services.logrotate = { enable = cfg.logrotate.enable; - paths = { + settings = { gitlab = { - path = "${cfg.statePath}/log/*.log"; - user = cfg.user; - group = cfg.group; + files = "${cfg.statePath}/log/*.log"; + su = "${cfg.user} ${cfg.group}"; frequency = cfg.logrotate.frequency; - keep = cfg.logrotate.keep; + rotate = cfg.logrotate.keep; + copytruncate = true; + compress = true; extraConfig = cfg.logrotate.extraConfig; }; }; diff --git a/nixos/modules/services/misc/moonraker.nix b/nixos/modules/services/misc/moonraker.nix index ae57aaa6d47..b75227effa0 100644 --- a/nixos/modules/services/misc/moonraker.nix +++ b/nixos/modules/services/misc/moonraker.nix @@ -79,6 +79,19 @@ in { for supported values. ''; }; + + allowSystemControl = mkOption { + type = types.bool; + default = false; + description = '' + Whether to allow Moonraker to perform system-level operations. + + Moonraker exposes APIs to perform system-level operations, such as + reboot, shutdown, and management of systemd units. See the + <link xlink:href="https://moonraker.readthedocs.io/en/latest/web_api/#machine-commands">documentation</link> + for details on what clients are able to do. + ''; + }; }; }; @@ -86,6 +99,13 @@ in { warnings = optional (cfg.settings ? update_manager) ''Enabling update_manager is not supported on NixOS and will lead to non-removable warnings in some clients.''; + assertions = [ + { + assertion = cfg.allowSystemControl -> config.security.polkit.enable; + message = "services.moonraker.allowSystemControl requires polkit to be enabled (security.polkit.enable)."; + } + ]; + users.users = optionalAttrs (cfg.user == "moonraker") { moonraker = { group = cfg.group; @@ -128,11 +148,31 @@ in { exec ${pkg}/bin/moonraker -c ${cfg.configDir}/moonraker-temp.cfg ''; + # Needs `ip` command + path = [ pkgs.iproute2 ]; + serviceConfig = { WorkingDirectory = cfg.stateDir; Group = cfg.group; User = cfg.user; }; }; + + security.polkit.extraConfig = lib.optionalString cfg.allowSystemControl '' + // nixos/moonraker: Allow Moonraker to perform system-level operations + // + // This was enabled via services.moonraker.allowSystemControl. + polkit.addRule(function(action, subject) { + if ((action.id == "org.freedesktop.systemd1.manage-units" || + action.id == "org.freedesktop.login1.power-off" || + action.id == "org.freedesktop.login1.power-off-multiple-sessions" || + action.id == "org.freedesktop.login1.reboot" || + action.id == "org.freedesktop.login1.reboot-multiple-sessions" || + action.id.startsWith("org.freedesktop.packagekit.")) && + subject.user == "${cfg.user}") { + return polkit.Result.YES; + } + }); + ''; }; } diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 2b21df91b82..a4d2d10af70 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -112,11 +112,11 @@ in { imports = [ - (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) - (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) - (mkRenamedOptionModule [ "nix" "daemonIONiceLevel" ] [ "nix" "daemonIOSchedPriority" ]) + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) + (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; }) (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") - ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; + ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings; ###### interface @@ -409,14 +409,14 @@ in to = mkOption { type = referenceAttrs; example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; - description = "The flake reference <option>from></option> is rewritten to."; + description = "The flake reference <option>from</option> is rewritten to."; }; flake = mkOption { type = types.nullOr types.attrs; default = null; example = literalExpression "nixpkgs"; description = '' - The flake input <option>from></option> is rewritten to. + The flake input <option>from</option> is rewritten to. ''; }; exact = mkOption { @@ -708,6 +708,14 @@ in systemd.packages = [ nixPackage ]; + # Will only work once https://github.com/NixOS/nix/pull/6285 is merged + # systemd.tmpfiles.packages = [ nixPackage ]; + + # Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285 + systemd.tmpfiles.rules = [ + "d /nix/var/nix/daemon-socket 0755 root root - -" + ]; + systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; systemd.services.nix-daemon = diff --git a/nixos/modules/services/misc/nix-gc.nix b/nixos/modules/services/misc/nix-gc.nix index a7a6a3b5964..0fcb0160101 100644 --- a/nixos/modules/services/misc/nix-gc.nix +++ b/nixos/modules/services/misc/nix-gc.nix @@ -39,7 +39,7 @@ in type = types.str; example = "45min"; description = '' - Add a randomized delay before each automatic upgrade. + Add a randomized delay before each garbage collection. The delay will be chosen between zero and this value. This value must be a time span in the format specified by <citerefentry><refentrytitle>systemd.time</refentrytitle> @@ -81,8 +81,14 @@ in ###### implementation config = { - - systemd.services.nix-gc = { + assertions = [ + { + assertion = cfg.automatic -> config.nix.enable; + message = ''nix.gc.automatic requires nix.enable''; + } + ]; + + systemd.services.nix-gc = lib.mkIf config.nix.enable { description = "Nix Garbage Collector"; script = "exec ${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}"; startAt = optional cfg.automatic cfg.dates; diff --git a/nixos/modules/services/misc/nix-optimise.nix b/nixos/modules/services/misc/nix-optimise.nix index e02026d5f76..acf8177b146 100644 --- a/nixos/modules/services/misc/nix-optimise.nix +++ b/nixos/modules/services/misc/nix-optimise.nix @@ -37,8 +37,14 @@ in ###### implementation config = { - - systemd.services.nix-optimise = + assertions = [ + { + assertion = cfg.automatic -> config.nix.enable; + message = ''nix.optimise.automatic requires nix.enable''; + } + ]; + + systemd.services.nix-optimise = lib.mkIf config.nix.enable { description = "Nix Store Optimiser"; # No point this if the nix daemon (and thus the nix store) is outside unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket"; diff --git a/nixos/modules/services/misc/paperless-ng.nix b/nixos/modules/services/misc/paperless.nix index 11e44f5ece5..bfaf842fb46 100644 --- a/nixos/modules/services/misc/paperless-ng.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -2,11 +2,13 @@ with lib; let - cfg = config.services.paperless-ng; + cfg = config.services.paperless; defaultUser = "paperless"; - hasCustomRedis = hasAttr "PAPERLESS_REDIS" cfg.extraConfig; + # Don't start a redis instance if the user sets a custom redis connection + enableRedis = !hasAttr "PAPERLESS_REDIS" cfg.extraConfig; + redisServer = config.services.redis.servers.paperless; env = { PAPERLESS_DATA_DIR = cfg.dataDir; @@ -15,15 +17,15 @@ let GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}"; } // ( lib.mapAttrs (_: toString) cfg.extraConfig - ) // (optionalAttrs (!hasCustomRedis) { - PAPERLESS_REDIS = "unix://${config.services.redis.servers.paperless-ng.unixSocket}"; + ) // (optionalAttrs enableRedis { + PAPERLESS_REDIS = "unix://${redisServer.unixSocket}"; }); manage = let setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); in pkgs.writeShellScript "manage" '' ${setupEnv} - exec ${cfg.package}/bin/paperless-ng "$@" + exec ${cfg.package}/bin/paperless-ngx "$@" ''; # Secure the services @@ -36,7 +38,7 @@ let "-/etc/hosts" "-/etc/localtime" "-/run/postgresql" - ] ++ (optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.unixSocket); + ] ++ (optional enableRedis redisServer.unixSocket); BindPaths = [ cfg.consumptionDir cfg.dataDir @@ -53,7 +55,6 @@ let PrivateNetwork = true; PrivateTmp = true; PrivateUsers = true; - ProcSubset = "pid"; ProtectClock = true; # Breaks if the home dir of the user is in /home # Also does not add much value in combination with the TemporaryFileSystem. @@ -66,11 +67,15 @@ let ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; + # Don't restrict ProcSubset because django-q requires read access to /proc/stat + # to query CPU and memory information. + # Note that /proc only contains processes of user `paperless`, so this is safe. + # ProcSubset = "pid"; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; - SupplementaryGroups = optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.user; + SupplementaryGroups = optional enableRedis redisServer.user; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; # Does not work well with the temporary root @@ -81,26 +86,22 @@ in meta.maintainers = with maintainers; [ earvstedt Flakebi ]; imports = [ - (mkRemovedOptionModule [ "services" "paperless"] '' - The paperless module has been removed as the upstream project died. - Users should migrate to the paperless-ng module (services.paperless-ng). - More information can be found in the NixOS 21.11 release notes. - '') + (mkRenamedOptionModule [ "services" "paperless-ng" ] [ "services" "paperless" ]) ]; - options.services.paperless-ng = { + options.services.paperless = { enable = mkOption { type = lib.types.bool; default = false; description = '' - Enable Paperless-ng. + Enable Paperless. When started, the Paperless database is automatically created if it doesn't exist and updated if the Paperless package has changed. Both tasks are achieved by running a Django migration. A script to manage the Paperless instance (by wrapping Django's manage.py) is linked to - <literal>''${dataDir}/paperless-ng-manage</literal>. + <literal>''${dataDir}/paperless-manage</literal>. ''; }; @@ -133,13 +134,13 @@ in passwordFile = mkOption { type = types.nullOr types.path; default = null; - example = "/run/keys/paperless-ng-password"; + example = "/run/keys/paperless-password"; description = '' A file containing the superuser password. A superuser is required to access the web interface. If unset, you can create a superuser manually by running - <literal>''${dataDir}/paperless-ng-manage createsuperuser</literal>. + <literal>''${dataDir}/paperless-manage createsuperuser</literal>. The default superuser name is <literal>admin</literal>. To change it, set option <option>extraConfig.PAPERLESS_ADMIN_USER</option>. @@ -168,9 +169,9 @@ in type = types.attrs; default = {}; description = '' - Extra paperless-ng config options. + Extra paperless config options. - See <link xlink:href="https://paperless-ng.readthedocs.io/en/latest/configuration.html">the documentation</link> + See <link xlink:href="https://paperless-ngx.readthedocs.io/en/latest/configuration.html">the documentation</link> for available options. ''; example = literalExpression '' @@ -188,15 +189,14 @@ in package = mkOption { type = types.package; - default = pkgs.paperless-ng; - defaultText = literalExpression "pkgs.paperless-ng"; + default = pkgs.paperless-ngx; + defaultText = literalExpression "pkgs.paperless-ngx"; description = "The Paperless package to use."; }; }; config = mkIf cfg.enable { - # Enable redis if no special url is set - services.redis.servers.paperless-ng.enable = mkIf (!hasCustomRedis) true; + services.redis.servers.paperless.enable = mkIf enableRedis true; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" @@ -208,26 +208,28 @@ in ) ]; - systemd.services.paperless-ng-server = { - description = "Paperless document server"; + systemd.services.paperless-scheduler = { + description = "Paperless scheduler"; serviceConfig = defaultServiceConfig // { User = cfg.user; - ExecStart = "${cfg.package}/bin/paperless-ng qcluster"; + ExecStart = "${cfg.package}/bin/paperless-ngx qcluster"; Restart = "on-failure"; # The `mbind` syscall is needed for running the classifier. SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ]; + # Needs to talk to mail server for automated import rules + PrivateNetwork = false; }; environment = env; wantedBy = [ "multi-user.target" ]; - wants = [ "paperless-ng-consumer.service" "paperless-ng-web.service" ]; + wants = [ "paperless-consumer.service" "paperless-web.service" ]; preStart = '' - ln -sf ${manage} ${cfg.dataDir}/paperless-ng-manage + ln -sf ${manage} ${cfg.dataDir}/paperless-manage # Auto-migrate on first run or if the package has changed versionFile="${cfg.dataDir}/src-version" if [[ $(cat "$versionFile" 2>/dev/null) != ${cfg.package} ]]; then - ${cfg.package}/bin/paperless-ng migrate + ${cfg.package}/bin/paperless-ngx migrate echo ${cfg.package} > "$versionFile" fi '' @@ -238,52 +240,48 @@ in superuserStateFile="${cfg.dataDir}/superuser-state" if [[ $(cat "$superuserStateFile" 2>/dev/null) != $superuserState ]]; then - ${cfg.package}/bin/paperless-ng manage_superuser + ${cfg.package}/bin/paperless-ngx manage_superuser echo "$superuserState" > "$superuserStateFile" fi ''; - } // optionalAttrs (!hasCustomRedis) { - after = [ "redis-paperless-ng.service" ]; + } // optionalAttrs enableRedis { + after = [ "redis-paperless.service" ]; }; - # Password copying can't be implemented as a privileged preStart script - # in 'paperless-ng-server' because 'defaultServiceConfig' limits the filesystem - # paths accessible by the service. - systemd.services.paperless-ng-copy-password = mkIf (cfg.passwordFile != null) { - requiredBy = [ "paperless-ng-server.service" ]; - before = [ "paperless-ng-server.service" ]; + # Reading the user-provided password file requires root access + systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) { + requiredBy = [ "paperless-scheduler.service" ]; + before = [ "paperless-scheduler.service" ]; serviceConfig = { ExecStart = '' ${pkgs.coreutils}/bin/install --mode 600 --owner '${cfg.user}' --compare \ '${cfg.passwordFile}' '${cfg.dataDir}/superuser-password' ''; Type = "oneshot"; - # Needs to talk to mail server for automated import rules - PrivateNetwork = false; }; }; - systemd.services.paperless-ng-consumer = { + systemd.services.paperless-consumer = { description = "Paperless document consumer"; serviceConfig = defaultServiceConfig // { User = cfg.user; - ExecStart = "${cfg.package}/bin/paperless-ng document_consumer"; + ExecStart = "${cfg.package}/bin/paperless-ngx document_consumer"; Restart = "on-failure"; }; environment = env; - # Bind to `paperless-ng-server` so that the consumer never runs + # Bind to `paperless-scheduler` so that the consumer never runs # during migrations - bindsTo = [ "paperless-ng-server.service" ]; - after = [ "paperless-ng-server.service" ]; + bindsTo = [ "paperless-scheduler.service" ]; + after = [ "paperless-scheduler.service" ]; }; - systemd.services.paperless-ng-web = { + systemd.services.paperless-web = { description = "Paperless web server"; serviceConfig = defaultServiceConfig // { User = cfg.user; ExecStart = '' ${pkgs.python3Packages.gunicorn}/bin/gunicorn \ - -c ${cfg.package}/lib/paperless-ng/gunicorn.conf.py paperless.asgi:application + -c ${cfg.package}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application ''; Restart = "on-failure"; @@ -296,15 +294,15 @@ in }; environment = env // { PATH = mkForce cfg.package.path; - PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ng/src"; + PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ngx/src"; }; # Allow the web interface to access the private /tmp directory of the server. # This is required to support uploading files via the web interface. - unitConfig.JoinsNamespaceOf = "paperless-ng-server.service"; - # Bind to `paperless-ng-server` so that the web server never runs + unitConfig.JoinsNamespaceOf = "paperless-scheduler.service"; + # Bind to `paperless-scheduler` so that the web server never runs # during migrations - bindsTo = [ "paperless-ng-server.service" ]; - after = [ "paperless-ng-server.service" ]; + bindsTo = [ "paperless-scheduler.service" ]; + after = [ "paperless-scheduler.service" ]; }; users = optionalAttrs (cfg.user == defaultUser) { diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix index 21551d7d5f0..5a6d011a729 100644 --- a/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixos/modules/services/misc/sourcehut/default.nix @@ -1018,7 +1018,7 @@ in inherit configIniOfService; mainService = mkMerge [ baseService { serviceConfig.StateDirectory = [ "sourcehut/gitsrht" "sourcehut/gitsrht/repos" ]; - preStart = mkIf (!versionAtLeast config.system.stateVersion "22.05") (mkBefore '' + preStart = mkIf (versionOlder config.system.stateVersion "22.05") (mkBefore '' # Fix Git hooks of repositories pre-dating https://github.com/NixOS/nixpkgs/pull/133984 ( set +f diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index ff63c41e193..e2080492998 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -106,7 +106,7 @@ let certtool = "${pkgs.gnutls.bin}/bin/certtool"; - nixos-taskserver = with pkgs.python2.pkgs; buildPythonApplication { + nixos-taskserver = with pkgs.python3.pkgs; buildPythonApplication { name = "nixos-taskserver"; src = pkgs.runCommand "nixos-taskserver-src" { preferLocalBuild = true; } '' @@ -277,10 +277,6 @@ in { example = "::"; description = '' The address (IPv4, IPv6 or DNS) to listen on. - - If the value is something else than <literal>localhost</literal> the - port defined by <option>listenPort</option> is automatically added to - <option>networking.firewall.allowedTCPPorts</option>. ''; }; @@ -292,6 +288,14 @@ in { ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the firewall for the specified Taskserver port. + ''; + }; + fqdn = mkOption { type = types.str; default = "localhost"; @@ -560,7 +564,7 @@ in { ''; }; }) - (mkIf (cfg.enable && cfg.listenHost != "localhost") { + (mkIf (cfg.enable && cfg.openFirewall) { networking.firewall.allowedTCPPorts = [ cfg.listenPort ]; }) ]; diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py index 22a3d8d5311..fec05728b2b 100644 --- a/nixos/modules/services/misc/taskserver/helper-tool.py +++ b/nixos/modules/services/misc/taskserver/helper-tool.py @@ -90,7 +90,7 @@ def certtool_cmd(*args, **kwargs): """ return subprocess.check_output( [CERTTOOL_COMMAND] + list(args), - preexec_fn=lambda: os.umask(0077), + preexec_fn=lambda: os.umask(0o077), stderr=subprocess.STDOUT, **kwargs ) @@ -164,7 +164,7 @@ def generate_key(org, user): pubcert = os.path.join(basedir, "public.cert") try: - os.makedirs(basedir, mode=0700) + os.makedirs(basedir, mode=0o700) certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey) @@ -301,7 +301,7 @@ class Organisation(object): return None if name not in self.users.keys(): output = taskd_cmd("add", "user", self.name, name, - capture_stdout=True) + capture_stdout=True, encoding='utf-8') key = RE_USERKEY.search(output) if key is None: msg = "Unable to find key while creating user {}." @@ -412,9 +412,9 @@ class Manager(object): if org is not None: if self.ignore_imperative and is_imperative(name): return - for user in org.users.keys(): + for user in list(org.users.keys()): org.del_user(user) - for group in org.groups.keys(): + for group in list(org.groups.keys()): org.del_group(group) taskd_cmd("remove", "org", name) del self._lazy_orgs[name] diff --git a/nixos/modules/services/monitoring/collectd.nix b/nixos/modules/services/monitoring/collectd.nix index 8d81737a3ef..1b9af585756 100644 --- a/nixos/modules/services/monitoring/collectd.nix +++ b/nixos/modules/services/monitoring/collectd.nix @@ -5,36 +5,15 @@ with lib; let cfg = config.services.collectd; - unvalidated_conf = pkgs.writeText "collectd-unvalidated.conf" '' - BaseDir "${cfg.dataDir}" - AutoLoadPlugin ${boolToString cfg.autoLoadPlugin} - Hostname "${config.networking.hostName}" - - LoadPlugin syslog - <Plugin "syslog"> - LogLevel "info" - NotifyLevel "OKAY" - </Plugin> - - ${concatStrings (mapAttrsToList (plugin: pluginConfig: '' - LoadPlugin ${plugin} - <Plugin "${plugin}"> - ${pluginConfig} - </Plugin> - '') cfg.plugins)} - - ${concatMapStrings (f: '' - Include "${f}" - '') cfg.include} - - ${cfg.extraConfig} - ''; + baseDirLine = ''BaseDir "${cfg.dataDir}"''; + unvalidated_conf = pkgs.writeText "collectd-unvalidated.conf" cfg.extraConfig; conf = if cfg.validateConfig then pkgs.runCommand "collectd.conf" {} '' echo testing ${unvalidated_conf} + cp ${unvalidated_conf} collectd.conf # collectd -t fails if BaseDir does not exist. - sed '1s/^BaseDir.*$/BaseDir "."/' ${unvalidated_conf} > collectd.conf + substituteInPlace collectd.conf --replace ${lib.escapeShellArgs [ baseDirLine ]} 'BaseDir "."' ${package}/bin/collectd -t -C collectd.conf cp ${unvalidated_conf} $out '' else unvalidated_conf; @@ -123,7 +102,8 @@ in { extraConfig = mkOption { default = ""; description = '' - Extra configuration for collectd. + Extra configuration for collectd. Use mkBefore to add lines before the + default config, and mkAfter to add them below. ''; type = lines; }; @@ -131,6 +111,30 @@ in { }; config = mkIf cfg.enable { + # 1200 is after the default (1000) but before mkAfter (1500). + services.collectd.extraConfig = lib.mkOrder 1200 '' + ${baseDirLine} + AutoLoadPlugin ${boolToString cfg.autoLoadPlugin} + Hostname "${config.networking.hostName}" + + LoadPlugin syslog + <Plugin "syslog"> + LogLevel "info" + NotifyLevel "OKAY" + </Plugin> + + ${concatStrings (mapAttrsToList (plugin: pluginConfig: '' + LoadPlugin ${plugin} + <Plugin "${plugin}"> + ${pluginConfig} + </Plugin> + '') cfg.plugins)} + + ${concatMapStrings (f: '' + Include "${f}" + '') cfg.include} + ''; + systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${cfg.user} - - -" ]; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 81fca33f5fe..b959379d331 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -214,6 +214,11 @@ let type = types.path; description = "Path grafana will watch for dashboards."; }; + foldersFromFilesStructure = mkOption { + type = types.bool; + default = false; + description = "Use folder names from filesystem to create folders in Grafana."; + }; }; }; }; diff --git a/nixos/modules/services/monitoring/nagios.nix b/nixos/modules/services/monitoring/nagios.nix index 2c7f0ed1966..69173ce4e44 100644 --- a/nixos/modules/services/monitoring/nagios.nix +++ b/nixos/modules/services/monitoring/nagios.nix @@ -102,8 +102,8 @@ in plugins = mkOption { type = types.listOf types.package; - default = with pkgs; [ monitoring-plugins ssmtp mailutils ]; - defaultText = literalExpression "[pkgs.monitoring-plugins pkgs.ssmtp pkgs.mailutils]"; + default = with pkgs; [ monitoring-plugins msmtp mailutils ]; + defaultText = literalExpression "[pkgs.monitoring-plugins pkgs.msmtp pkgs.mailutils]"; description = " Packages to be added to the Nagios <envar>PATH</envar>. Typically used to add plugins, but can be anything. diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index f563861b61c..52525e8935b 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -74,7 +74,6 @@ let }" "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" - "--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s" ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}"; @@ -1563,6 +1562,8 @@ in (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerTimeout" ] + "Deprecated upstream and no longer had any effect") ]; options.services.prometheus = { @@ -1719,14 +1720,6 @@ in ''; }; - alertmanagerTimeout = mkOption { - type = types.int; - default = 10; - description = '' - Alert manager HTTP API timeout (in seconds). - ''; - }; - webExternalUrl = mkOption { type = types.nullOr types.str; default = null; diff --git a/nixos/modules/services/monitoring/prometheus/exporters.xml b/nixos/modules/services/monitoring/prometheus/exporters.xml index c2d4b05996a..1df88bb61a1 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.xml +++ b/nixos/modules/services/monitoring/prometheus/exporters.xml @@ -19,6 +19,7 @@ <programlisting> services.prometheus.exporters.node = { enable = true; + port = 9100; enabledCollectors = [ "logind" "systemd" @@ -42,6 +43,26 @@ <link xlink:href="https://nixos.org/nixos/options.html#prometheus.exporters">available options</link>. </para> + + <para> + Prometheus can now be configured to consume the metrics produced by the exporter: + <programlisting> + services.prometheus = { + # ... + + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + ]; + + # ... + } + </programlisting> + </para> </section> <section xml:id="module-services-prometheus-exporters-new-exporter"> <title>Adding a new exporter</title> diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bird.nix b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix index 1ef264fc86e..5fda4c980eb 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/bird.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix @@ -17,7 +17,7 @@ in }; birdSocket = mkOption { type = types.path; - default = "/var/run/bird.ctl"; + default = "/run/bird/bird.ctl"; description = '' Path to BIRD2 (or BIRD1 v4) socket. ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix index 27aeb909624..e0ee90d9b97 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -25,6 +25,10 @@ in { }; }; serviceOpts = { + after = [ + "kea-dhcp4-server.service" + "kea-dhcp6-server.service" + ]; serviceConfig = { User = "kea"; ExecStart = '' diff --git a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix index 5b5a6e18fcd..ede6028933a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix @@ -45,7 +45,8 @@ in }; instance = mkOption { type = types.nullOr types.str; - default = null; + default = config.services.varnish.stateDir; + defaultText = lib.literalExpression "config.services.varnish.stateDir"; description = '' varnishstat -n value. ''; @@ -66,7 +67,7 @@ in }; }; serviceOpts = { - path = [ pkgs.varnish ]; + path = [ config.services.varnish.package ]; serviceConfig = { RestartSec = mkDefault 1; DynamicUser = false; diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index 17da020bf3e..395b9788855 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -1,16 +1,16 @@ -{ config, lib, pkgs, options, ... }: +{ config, lib, pkgs, utils, ... }: with lib; let cfg = config.services.ipfs; - opt = options.services.ipfs; - ipfsFlags = toString ([ - (optionalString cfg.autoMount "--mount") - (optionalString cfg.enableGC "--enable-gc") - (optionalString (cfg.serviceFdlimit != null) "--manage-fdlimit=false") - (optionalString (cfg.defaultMode == "offline") "--offline") - (optionalString (cfg.defaultMode == "norouting") "--routing=none") - ] ++ cfg.extraFlags); + ipfsFlags = utils.escapeSystemdExecArgs ( + optional cfg.autoMount "--mount" ++ + optional cfg.enableGC "--enable-gc" ++ + optional (cfg.serviceFdlimit != null) "--manage-fdlimit=false" ++ + optional (cfg.defaultMode == "offline") "--offline" ++ + optional (cfg.defaultMode == "norouting") "--routing=none" ++ + cfg.extraFlags + ); profile = if cfg.localDiscovery @@ -239,7 +239,10 @@ in "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -" ]; - systemd.packages = [ cfg.package ]; + # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself + systemd.packages = if cfg.autoMount + then [ cfg.package.systemd_unit ] + else [ cfg.package.systemd_unit_hardened ]; systemd.services.ipfs = { path = [ "/run/wrappers" cfg.package ]; @@ -251,23 +254,27 @@ in else # After an unclean shutdown this file may exist which will cause the config command to attempt to talk to the daemon. This will hang forever if systemd is holding our sockets open. rm -vf "$IPFS_PATH/api" - + '' + optionalString cfg.autoMigrate '' + ${pkgs.ipfs-migrator}/bin/fs-repo-migrations -to '${cfg.package.repoVersion}' -y + '' + '' ipfs --offline config profile apply ${profile} fi '' + optionalString cfg.autoMount '' ipfs --offline config Mounts.FuseAllowOther --json true ipfs --offline config Mounts.IPFS ${cfg.ipfsMountDir} ipfs --offline config Mounts.IPNS ${cfg.ipnsMountDir} - '' + optionalString cfg.autoMigrate '' - ${pkgs.ipfs-migrator}/bin/fs-repo-migrations -to '${cfg.package.repoVersion}' -y '' + '' ipfs --offline config show \ | ${pkgs.jq}/bin/jq '. * $extraConfig' --argjson extraConfig ${ - escapeShellArg (builtins.toJSON ({ - Addresses.API = cfg.apiAddress; - Addresses.Gateway = cfg.gatewayAddress; - Addresses.Swarm = cfg.swarmAddress; - } // cfg.extraConfig)) + escapeShellArg (builtins.toJSON ( + recursiveUpdate + { + Addresses.API = cfg.apiAddress; + Addresses.Gateway = cfg.gatewayAddress; + Addresses.Swarm = cfg.swarmAddress; + } + cfg.extraConfig + )) } \ | ipfs --offline config replace - ''; @@ -275,6 +282,8 @@ in ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ]; User = cfg.user; Group = cfg.group; + StateDirectory = ""; + ReadWritePaths = [ "" cfg.dataDir ]; } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; }; } // optionalAttrs (!cfg.startWhenNeeded) { wantedBy = [ "default.target" ]; @@ -306,6 +315,9 @@ in in [ "" "%t/ipfs.sock" ] ++ lib.optional (fromCfg != null) fromCfg; }; + }; + meta = { + maintainers = with lib.maintainers; [ Luflosi ]; }; } diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 9ed755d0465..992f948e8cd 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -224,6 +224,7 @@ in targets.samba = { description = "Samba Server"; after = [ "network.target" ]; + wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; }; # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix index 3049c4f2bce..d409f060228 100644 --- a/nixos/modules/services/networking/bird.nix +++ b/nixos/modules/services/networking/bird.nix @@ -68,8 +68,7 @@ in systemd.services.bird2 = { description = "BIRD Internet Routing Daemon"; wantedBy = [ "multi-user.target" ]; - reloadIfChanged = true; - restartTriggers = [ config.environment.etc."bird/bird2.conf".source ]; + reloadTriggers = [ config.environment.etc."bird/bird2.conf".source ]; serviceConfig = { Type = "forking"; Restart = "on-failure"; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index ca9c422e6d7..cb53cc01f52 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -80,13 +80,21 @@ in The name of the interface to pull the bind_addr from. ''; }; + }; + forceAddrFamily = mkOption { + type = types.enum [ "any" "ipv4" "ipv6" ]; + default = "any"; + description = '' + Whether to bind ipv4/ipv6 or both kind of addresses. + ''; }; forceIpv4 = mkOption { - type = types.bool; - default = false; + type = types.nullOr types.bool; + default = null; description = '' + Deprecated: Use consul.forceAddrFamily instead. Whether we should force the interfaces to only pull ipv4 addresses. ''; }; @@ -175,6 +183,13 @@ in systemPackages = [ cfg.package ]; }; + warnings = lib.flatten [ + (lib.optional (cfg.forceIpv4 != null) '' + The option consul.forceIpv4 is deprecated, please use + consul.forceAddrFamily instead. + '') + ]; + systemd.services.consul = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ] ++ systemdDevices; @@ -196,15 +211,21 @@ in }); path = with pkgs; [ iproute2 gnugrep gawk consul ]; - preStart = '' + preStart = let + family = if cfg.forceAddrFamily == "ipv6" then + "-6" + else if cfg.forceAddrFamily == "ipv4" then + "-4" + else + ""; + in '' mkdir -m 0700 -p ${dataDir} chown -R consul ${dataDir} # Determine interface addresses getAddrOnce () { - ip addr show dev "$1" \ - | grep 'inet${optionalString (cfg.forceIpv4) " "}.*scope global' \ - | awk -F '[ /\t]*' '{print $3}' | head -n 1 + ip ${family} addr show dev "$1" scope global \ + | awk -F '[ /\t]*' '/inet/ {print $3}' | head -n 1 } getAddr () { ADDR="$(getAddrOnce $1)" @@ -234,6 +255,11 @@ in }; } + # deprecated + (mkIf (cfg.forceIpv4 != null && cfg.forceIpv4) { + services.consul.forceAddrFamily = "ipv4"; + }) + (mkIf (cfg.alerts.enable) { systemd.services.consul-alerts = { wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/create_ap.nix b/nixos/modules/services/networking/create_ap.nix new file mode 100644 index 00000000000..a3c330fab00 --- /dev/null +++ b/nixos/modules/services/networking/create_ap.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.create_ap; + configFile = pkgs.writeText "create_ap.conf" (generators.toKeyValue { } cfg.settings); +in { + options = { + services.create_ap = { + enable = mkEnableOption "setup wifi hotspots using create_ap"; + settings = mkOption { + type = with types; attrsOf (oneOf [ int bool str ]); + default = {}; + description = '' + Configuration for <package>create_ap</package>. + See <link xlink:href="https://raw.githubusercontent.com/lakinduakash/linux-wifi-hotspot/master/src/scripts/create_ap.conf">upstream example configuration</link> + for supported values. + ''; + example = { + INTERNET_IFACE = "eth0"; + WIFI_IFACE = "wlan0"; + SSID = "My Wifi Hotspot"; + PASSPHRASE = "12345678"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd = { + services.create_ap = { + wantedBy = [ "multi-user.target" ]; + description = "Create AP Service"; + after = [ "network.target" ]; + restartTriggers = [ configFile ]; + serviceConfig = { + ExecStart = "${pkgs.linux-wifi-hotspot}/bin/create_ap --config ${configFile}"; + KillSignal = "SIGINT"; + Restart = "on-failure"; + }; + }; + }; + + }; + + meta.maintainers = with lib.maintainers; [ onny ]; + +} diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix index 3c4c0069dfd..49950efc0a1 100644 --- a/nixos/modules/services/networking/dhcpd.nix +++ b/nixos/modules/services/networking/dhcpd.nix @@ -7,7 +7,7 @@ let cfg4 = config.services.dhcpd4; cfg6 = config.services.dhcpd6; - writeConfig = cfg: pkgs.writeText "dhcpd.conf" + writeConfig = postfix: cfg: pkgs.writeText "dhcpd.conf" '' default-lease-time 600; max-lease-time 7200; @@ -21,7 +21,9 @@ let (machine: '' host ${machine.hostName} { hardware ethernet ${machine.ethernetAddress}; - fixed-address ${machine.ipAddress}; + fixed-address${ + optionalString (postfix == "6") postfix + } ${machine.ipAddress}; } '') cfg.machines @@ -33,7 +35,7 @@ let configFile = if cfg.configFile != null then cfg.configFile - else writeConfig cfg; + else writeConfig postfix cfg; leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases"; args = [ "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}" diff --git a/nixos/modules/services/networking/envoy.nix b/nixos/modules/services/networking/envoy.nix new file mode 100644 index 00000000000..b7f859c73d9 --- /dev/null +++ b/nixos/modules/services/networking/envoy.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.envoy; + format = pkgs.formats.json { }; + conf = format.generate "envoy.json" cfg.settings; + validateConfig = file: + pkgs.runCommand "validate-envoy-conf" { } '' + ${pkgs.envoy}/bin/envoy --log-level error --mode validate -c "${file}" + cp "${file}" "$out" + ''; + +in + +{ + options.services.envoy = { + enable = mkEnableOption "Envoy reverse proxy"; + + settings = mkOption { + type = format.type; + default = { }; + example = literalExpression '' + { + admin = { + access_log_path = "/dev/null"; + address = { + socket_address = { + protocol = "TCP"; + address = "127.0.0.1"; + port_value = 9901; + }; + }; + }; + static_resources = { + listeners = []; + clusters = []; + }; + } + ''; + description = '' + Specify the configuration for Envoy in Nix. + ''; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.envoy ]; + systemd.services.envoy = { + description = "Envoy reverse proxy"; + after = [ "network-online.target" ]; + requires = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.envoy}/bin/envoy -c ${validateConfig conf}"; + DynamicUser = true; + Restart = "no"; + CacheDirectory = "envoy"; + LogsDirectory = "envoy"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP"; + SystemCallArchitectures = "native"; + LockPersonality = true; + RestrictNamespaces = true; + RestrictRealtime = true; + PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "ptraceable"; + ProtectHostname = true; + ProtectSystem = "strict"; + UMask = "0066"; + SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix index 091d2a938cd..5b07beadb45 100644 --- a/nixos/modules/services/networking/headscale.nix +++ b/nixos/modules/services/networking/headscale.nix @@ -479,7 +479,7 @@ in NoNewPrivileges = true; LockPersonality = true; RestrictRealtime = true; - SystemCallFilter = [ "@system-service" "~@priviledged" "@chown" ]; + SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; SystemCallArchitectures = "native"; RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; }; diff --git a/nixos/modules/services/networking/https-dns-proxy.nix b/nixos/modules/services/networking/https-dns-proxy.nix new file mode 100644 index 00000000000..85d6c362b46 --- /dev/null +++ b/nixos/modules/services/networking/https-dns-proxy.nix @@ -0,0 +1,128 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) + concatStringsSep + mkEnableOption mkIf mkOption types; + + cfg = config.services.https-dns-proxy; + + providers = { + cloudflare = { + ips = [ "1.1.1.1" "1.0.0.1" ]; + url = "https://cloudflare-dns.com/dns-query"; + }; + google = { + ips = [ "8.8.8.8" "8.8.4.4" ]; + url = "https://dns.google/dns-query"; + }; + quad9 = { + ips = [ "9.9.9.9" "149.112.112.112" ]; + url = "https://dns.quad9.net/dns-query"; + }; + }; + + defaultProvider = "quad9"; + + providerCfg = + let + isCustom = cfg.provider.kind == "custom"; + in + lib.concatStringsSep " " [ + "-b" + (concatStringsSep "," (if isCustom then cfg.provider.ips else providers."${cfg.provider.kind}".ips)) + "-r" + (if isCustom then cfg.provider.url else providers."${cfg.provider.kind}".url) + ]; + +in +{ + meta.maintainers = with lib.maintainers; [ peterhoeg ]; + + ###### interface + + options.services.https-dns-proxy = { + enable = mkEnableOption "https-dns-proxy daemon"; + + address = mkOption { + description = "The address on which to listen"; + type = types.str; + default = "127.0.0.1"; + }; + + port = mkOption { + description = "The port on which to listen"; + type = types.port; + default = 5053; + }; + + provider = { + kind = mkOption { + description = '' + The upstream provider to use or custom in case you do not trust any of + the predefined providers or just want to use your own. + + The default is ${defaultProvider} and there are privacy and security trade-offs + when using any upstream provider. Please consider that before using any + of them. + + If you pick a custom provider, you will need to provide the bootstrap + IP addresses as well as the resolver https URL. + ''; + type = types.enum ((builtins.attrNames providers) ++ [ "custom" ]); + default = defaultProvider; + }; + + ips = mkOption { + description = "The custom provider IPs"; + type = types.listOf types.str; + }; + + url = mkOption { + description = "The custom provider URL"; + type = types.str; + }; + }; + + preferIPv4 = mkOption { + description = '' + https_dns_proxy will by default use IPv6 and fail if it is not available. + To play it safe, we choose IPv4. + ''; + type = types.bool; + default = true; + }; + + extraArgs = mkOption { + description = "Additional arguments to pass to the process."; + type = types.listOf types.str; + default = [ "-v" ]; + }; + }; + + ###### implementation + + config = lib.mkIf cfg.enable { + systemd.services.https-dns-proxy = { + description = "DNS to DNS over HTTPS (DoH) proxy"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = rec { + Type = "exec"; + DynamicUser = true; + ExecStart = lib.concatStringsSep " " ( + [ + "${pkgs.https-dns-proxy}/bin/https_dns_proxy" + "-a ${toString cfg.address}" + "-p ${toString cfg.port}" + "-l -" + providerCfg + ] + ++ lib.optional cfg.preferIPv4 "-4" + ++ cfg.extraArgs + ); + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix index 8835f7f9372..5c1480e7e2f 100644 --- a/nixos/modules/services/networking/iwd.nix +++ b/nixos/modules/services/networking/iwd.nix @@ -1,12 +1,21 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) + mkEnableOption mkIf mkOption types + recursiveUpdate; + cfg = config.networking.wireless.iwd; ini = pkgs.formats.ini { }; - configFile = ini.generate "main.conf" cfg.settings; -in { + defaults = { + # without UseDefaultInterface, sometimes wlan0 simply goes AWOL with NetworkManager + # https://iwd.wiki.kernel.org/interface_lifecycle#interface_management_in_iwd + General.UseDefaultInterface = with config.networking.networkmanager; (enable && (wifi.backend == "iwd")); + }; + configFile = ini.generate "main.conf" (recursiveUpdate defaults cfg.settings); + +in +{ options.networking.wireless.iwd = { enable = mkEnableOption "iwd"; @@ -38,10 +47,10 @@ in { ''; }]; - environment.etc."iwd/main.conf".source = configFile; + environment.etc."iwd/${configFile.name}".source = configFile; # for iwctl - environment.systemPackages = [ pkgs.iwd ]; + environment.systemPackages = [ pkgs.iwd ]; services.dbus.packages = [ pkgs.iwd ]; diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix index 17b4eb2e283..994c511bdc2 100644 --- a/nixos/modules/services/networking/kea.nix +++ b/nixos/modules/services/networking/kea.nix @@ -9,20 +9,26 @@ with lib; let cfg = config.services.kea; + xor = x: y: (!x && y) || (x && !y); format = pkgs.formats.json {}; - ctrlAgentConfig = format.generate "kea-ctrl-agent.conf" { + chooseNotNull = x: y: if x != null then x else y; + + ctrlAgentConfig = chooseNotNull cfg.ctrl-agent.configFile (format.generate "kea-ctrl-agent.conf" { Control-agent = cfg.ctrl-agent.settings; - }; - dhcp4Config = format.generate "kea-dhcp4.conf" { + }); + + dhcp4Config = chooseNotNull cfg.dhcp4.configFile (format.generate "kea-dhcp4.conf" { Dhcp4 = cfg.dhcp4.settings; - }; - dhcp6Config = format.generate "kea-dhcp6.conf" { + }); + + dhcp6Config = chooseNotNull cfg.dhcp6.configFile (format.generate "kea-dhcp6.conf" { Dhcp6 = cfg.dhcp6.settings; - }; - dhcpDdnsConfig = format.generate "kea-dhcp-ddns.conf" { + }); + + dhcpDdnsConfig = chooseNotNull cfg.dhcp-ddns.configFile (format.generate "kea-dhcp-ddns.conf" { DhcpDdns = cfg.dhcp-ddns.settings; - }; + }); package = pkgs.kea; in @@ -45,6 +51,17 @@ in ''; }; + configFile = mkOption { + type = nullOr path; + default = null; + description = '' + Kea Control Agent configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"/>. + + Takes preference over <link linkend="opt-services.kea.ctrl-agent.settings">settings</link>. + Most users should prefer using <link linkend="opt-services.kea.ctrl-agent.settings">settings</link> instead. + ''; + }; + settings = mkOption { type = format.type; default = null; @@ -73,6 +90,17 @@ in ''; }; + configFile = mkOption { + type = nullOr path; + default = null; + description = '' + Kea DHCP4 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"/>. + + Takes preference over <link linkend="opt-services.kea.dhcp4.settings">settings</link>. + Most users should prefer using <link linkend="opt-services.kea.dhcp4.settings">settings</link> instead. + ''; + }; + settings = mkOption { type = format.type; default = null; @@ -122,6 +150,17 @@ in ''; }; + configFile = mkOption { + type = nullOr path; + default = null; + description = '' + Kea DHCP6 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"/>. + + Takes preference over <link linkend="opt-services.kea.dhcp6.settings">settings</link>. + Most users should prefer using <link linkend="opt-services.kea.dhcp6.settings">settings</link> instead. + ''; + }; + settings = mkOption { type = format.type; default = null; @@ -172,6 +211,17 @@ in ''; }; + configFile = mkOption { + type = nullOr path; + default = null; + description = '' + Kea DHCP-DDNS configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"/>. + + Takes preference over <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link>. + Most users should prefer using <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link> instead. + ''; + }; + settings = mkOption { type = format.type; default = null; @@ -214,6 +264,10 @@ in } (mkIf cfg.ctrl-agent.enable { + assertions = [{ + assertion = xor (cfg.ctrl-agent.settings == null) (cfg.ctrl-agent.configFile == null); + message = "Either services.kea.ctrl-agent.settings or services.kea.ctrl-agent.configFile must be set to a non-null value."; + }]; environment.etc."kea/ctrl-agent.conf".source = ctrlAgentConfig; @@ -252,6 +306,10 @@ in }) (mkIf cfg.dhcp4.enable { + assertions = [{ + assertion = xor (cfg.dhcp4.settings == null) (cfg.dhcp4.configFile == null); + message = "Either services.kea.dhcp4.settings or services.kea.dhcp4.configFile must be set to a non-null value."; + }]; environment.etc."kea/dhcp4-server.conf".source = dhcp4Config; @@ -295,6 +353,10 @@ in }) (mkIf cfg.dhcp6.enable { + assertions = [{ + assertion = xor (cfg.dhcp6.settings == null) (cfg.dhcp6.configFile == null); + message = "Either services.kea.dhcp6.settings or services.kea.dhcp6.configFile must be set to a non-null value."; + }]; environment.etc."kea/dhcp6-server.conf".source = dhcp6Config; @@ -336,6 +398,10 @@ in }) (mkIf cfg.dhcp-ddns.enable { + assertions = [{ + assertion = xor (cfg.dhcp-ddns.settings == null) (cfg.dhcp-ddns.configFile == null); + message = "Either services.kea.dhcp-ddns.settings or services.kea.dhcp-ddns.configFile must be set to a non-null value."; + }]; environment.etc."kea/dhcp-ddns.conf".source = dhcpDdnsConfig; diff --git a/nixos/modules/services/networking/lxd-image-server.nix b/nixos/modules/services/networking/lxd-image-server.nix index b119ba8acf6..d326626eed4 100644 --- a/nixos/modules/services/networking/lxd-image-server.nix +++ b/nixos/modules/services/networking/lxd-image-server.nix @@ -51,18 +51,14 @@ in environment.etc."lxd-image-server/config.toml".source = format.generate "config.toml" cfg.settings; - services.logrotate.paths.lxd-image-server = { - path = "/var/log/lxd-image-server/lxd-image-server.log"; + services.logrotate.settings.lxd-image-server = { + files = "/var/log/lxd-image-server/lxd-image-server.log"; frequency = "daily"; - keep = 21; - extraConfig = '' - create 755 lxd-image-server ${cfg.group} - missingok - compress - delaycompress - copytruncate - notifempty - ''; + rotate = 21; + create = "755 lxd-image-server ${cfg.group}"; + compress = true; + delaycompress = true; + copytruncate = true; }; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/services/networking/mozillavpn.nix b/nixos/modules/services/networking/mozillavpn.nix new file mode 100644 index 00000000000..e35ba65314e --- /dev/null +++ b/nixos/modules/services/networking/mozillavpn.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: + +{ + options.services.mozillavpn.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable the Mozilla VPN daemon. + ''; + }; + + config = lib.mkIf config.services.mozillavpn.enable { + environment.systemPackages = [ pkgs.mozillavpn ]; + services.dbus.packages = [ pkgs.mozillavpn ]; + systemd.packages = [ pkgs.mozillavpn ]; + }; + + meta.maintainers = with lib.maintainers; [ andersk ]; +} diff --git a/nixos/modules/services/networking/nbd.nix b/nixos/modules/services/networking/nbd.nix index 87f8c41a8e5..df3358f5187 100644 --- a/nixos/modules/services/networking/nbd.nix +++ b/nixos/modules/services/networking/nbd.nix @@ -4,28 +4,34 @@ with lib; let cfg = config.services.nbd; - configFormat = pkgs.formats.ini { }; iniFields = with types; attrsOf (oneOf [ bool int float str ]); - serverConfig = configFormat.generate "nbd-server-config" - ({ - generic = - (cfg.server.extraOptions // { - user = "root"; - group = "root"; - port = cfg.server.listenPort; - } // (optionalAttrs (cfg.server.listenAddress != null) { - listenaddr = cfg.server.listenAddress; - })); - } - // (mapAttrs + # The `[generic]` section must come before all the others in the + # config file. This means we can't just dump an attrset to INI + # because that sorts the sections by name. Instead, we serialize it + # on its own first. + genericSection = { + generic = (cfg.server.extraOptions // { + user = "root"; + group = "root"; + port = cfg.server.listenPort; + } // (optionalAttrs (cfg.server.listenAddress != null) { + listenaddr = cfg.server.listenAddress; + })); + }; + exportSections = + mapAttrs (_: { path, allowAddresses, extraOptions }: extraOptions // { exportname = path; } // (optionalAttrs (allowAddresses != null) { authfile = pkgs.writeText "authfile" (concatStringsSep "\n" allowAddresses); })) - cfg.server.exports) - ); + cfg.server.exports; + serverConfig = + pkgs.writeText "nbd-server-config" '' + ${lib.generators.toINI {} genericSection} + ${lib.generators.toINI {} exportSections} + ''; splitLists = partition (path: hasPrefix "/dev/" path) @@ -103,6 +109,13 @@ in }; config = mkIf cfg.server.enable { + assertions = [ + { + assertion = !(cfg.server.exports ? "generic"); + message = "services.nbd.server exports must not be named 'generic'"; + } + ]; + boot.kernelModules = [ "nbd" ]; systemd.services.nbd-server = { diff --git a/nixos/modules/services/networking/ncdns.nix b/nixos/modules/services/networking/ncdns.nix index 82c285d0516..c8d1b6718e2 100644 --- a/nixos/modules/services/networking/ncdns.nix +++ b/nixos/modules/services/networking/ncdns.nix @@ -58,7 +58,7 @@ in address = mkOption { type = types.str; - default = "127.0.0.1"; + default = "[::1]"; description = '' The IP address the ncdns resolver will bind to. Leave this unchanged if you do not wish to directly expose the resolver. @@ -202,7 +202,7 @@ in config = mkIf cfg.enable { services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveNamecoin { - forwardZonesRecurse.bit = "127.0.0.1:${toString cfg.port}"; + forwardZonesRecurse.bit = "${cfg.address}:${toString cfg.port}"; luaConfig = if cfg.dnssec.enable then ''readTrustAnchorsFromFile("${cfg.dnssec.keys.public}")'' diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 7a9d9e5428a..242afd548df 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -5,18 +5,6 @@ with lib; let cfg = config.networking.networkmanager; - basePackages = with pkgs; [ - modemmanager - networkmanager - networkmanager-fortisslvpn - networkmanager-iodine - networkmanager-l2tp - networkmanager-openconnect - networkmanager-openvpn - networkmanager-vpnc - networkmanager-sstp - ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; - delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; enableIwd = cfg.wifi.backend == "iwd"; @@ -145,6 +133,15 @@ let ''; }; + packages = [ + pkgs.modemmanager + pkgs.networkmanager + ] + ++ cfg.plugins + ++ lib.optionals (!delegateWireless && !enableIwd) [ + pkgs.wpa_supplicant + ]; + in { meta = { @@ -227,17 +224,33 @@ in { ''; }; - packages = mkOption { - type = types.listOf types.package; + plugins = mkOption { + type = + let + networkManagerPluginPackage = types.package // { + description = "NetworkManager plug-in"; + check = + p: + lib.assertMsg + (types.package.check p + && p ? networkManagerPlugin + && lib.isString p.networkManagerPlugin) + '' + Package ‘${p.name}’, is not a NetworkManager plug-in. + Those need to have a ‘networkManagerPlugin’ attribute. + ''; + }; + in + types.listOf networkManagerPluginPackage; default = [ ]; description = '' - Extra packages that provide NetworkManager plugins. + List of NetworkManager plug-ins to enable. + Some plug-ins are enabled by the NetworkManager module by default. ''; - apply = list: basePackages ++ list; }; dhcp = mkOption { - type = types.enum [ "dhclient" "dhcpcd" "internal" ]; + type = types.enum [ "dhcpcd" "internal" ]; default = "internal"; description = '' Which program (or internal library) should be used for DHCP. @@ -380,7 +393,7 @@ in { </para><para> If you enable this option the <literal>networkmanager_strongswan</literal> plugin will be added to - the <option>networking.networkmanager.packages</option> option + the <option>networking.networkmanager.plugins</option> option so you don't need to to that yourself. ''; }; @@ -399,6 +412,9 @@ in { }; imports = [ + (mkRenamedOptionModule + [ "networking" "networkmanager" "packages" ] + [ "networking" "networkmanager" "plugins" ]) (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' This option was removed because allowing (multiple) regular users to @@ -426,31 +442,12 @@ in { hardware.wirelessRegulatoryDatabase = true; - environment.etc = with pkgs; { - "NetworkManager/NetworkManager.conf".source = configFile; - - "NetworkManager/VPN/nm-openvpn-service.name".source = - "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; - - "NetworkManager/VPN/nm-vpnc-service.name".source = - "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; - - "NetworkManager/VPN/nm-openconnect-service.name".source = - "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; - - "NetworkManager/VPN/nm-fortisslvpn-service.name".source = - "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; - - "NetworkManager/VPN/nm-l2tp-service.name".source = - "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; - - "NetworkManager/VPN/nm-iodine-service.name".source = - "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; - - "NetworkManager/VPN/nm-sstp-service.name".source = - "${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name"; - + environment.etc = { + "NetworkManager/NetworkManager.conf".source = configFile; } + // builtins.listToAttrs (map (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" { + source = "${pkg}/lib/NetworkManager/${pkg.networkManagerPlugin}"; + }) cfg.plugins) // optionalAttrs cfg.enableFccUnlock { "ModemManager/fcc-unlock.d".source = @@ -460,18 +457,13 @@ in { { "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; } - // optionalAttrs cfg.enableStrongSwan - { - "NetworkManager/VPN/nm-strongswan-service.name".source = - "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; - } // listToAttrs (lib.imap1 (i: s: { name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; value = { mode = "0544"; inherit (s) source; }; }) cfg.dispatcherScripts); - environment.systemPackages = cfg.packages; + environment.systemPackages = packages; users.groups = { networkmanager.gid = config.ids.gids.networkmanager; @@ -490,14 +482,13 @@ in { }; }; - systemd.packages = cfg.packages; + systemd.packages = packages; systemd.tmpfiles.rules = [ "d /etc/NetworkManager/system-connections 0700 root root -" "d /etc/ipsec.d 0700 root root -" "d /var/lib/NetworkManager-fortisslvpn 0700 root root -" - "d /var/lib/dhclient 0755 root root -" "d /var/lib/misc 0755 root root -" # for dnsmasq.leases ]; @@ -534,8 +525,20 @@ in { useDHCP = false; }) + { + networkmanager.plugins = with pkgs; [ + networkmanager-fortisslvpn + networkmanager-iodine + networkmanager-l2tp + networkmanager-openconnect + networkmanager-openvpn + networkmanager-vpnc + networkmanager-sstp + ]; + } + (mkIf cfg.enableStrongSwan { - networkmanager.packages = [ pkgs.networkmanager_strongswan ]; + networkmanager.plugins = [ pkgs.networkmanager_strongswan ]; }) (mkIf enableIwd { @@ -559,10 +562,10 @@ in { security.polkit.enable = true; security.polkit.extraConfig = polkitConf; - services.dbus.packages = cfg.packages + services.dbus.packages = packages ++ optional cfg.enableStrongSwan pkgs.strongswanNM ++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq; - services.udev.packages = cfg.packages; + services.udev.packages = packages; }; } diff --git a/nixos/modules/services/networking/openconnect.nix b/nixos/modules/services/networking/openconnect.nix new file mode 100644 index 00000000000..de4b505130e --- /dev/null +++ b/nixos/modules/services/networking/openconnect.nix @@ -0,0 +1,137 @@ +{ config, lib, options, pkgs, ... }: +with lib; +let + cfg = config.networking.openconnect; + openconnect = cfg.package; + pkcs11 = types.strMatching "pkcs11:.+" // { + name = "pkcs11"; + description = "PKCS#11 URI"; + }; + interfaceOptions = { + options = { + gateway = mkOption { + description = "Gateway server to connect to."; + example = "gateway.example.com"; + type = types.str; + }; + + protocol = mkOption { + description = "Protocol to use."; + example = "anyconnect"; + type = + types.enum [ "anyconnect" "array" "nc" "pulse" "gp" "f5" "fortinet" ]; + }; + + user = mkOption { + description = "Username to authenticate with."; + example = "example-user"; + type = types.nullOr types.str; + }; + + # Note: It does not make sense to provide a way to declaratively + # set an authentication cookie, because they have to be requested + # for every new connection and would only work once. + passwordFile = mkOption { + description = '' + File containing the password to authenticate with. This + is passed to <code>openconnect</code> via the + <code>--passwd-on-stdin</code> option. + ''; + default = null; + example = "/var/lib/secrets/openconnect-passwd"; + type = types.nullOr types.path; + }; + + certificate = mkOption { + description = "Certificate to authenticate with."; + default = null; + example = "/var/lib/secrets/openconnect_certificate.pem"; + type = with types; nullOr (either path pkcs11); + }; + + privateKey = mkOption { + description = "Private key to authenticate with."; + example = "/var/lib/secrets/openconnect_private_key.pem"; + default = null; + type = with types; nullOr (either path pkcs11); + }; + + extraOptions = mkOption { + description = '' + Extra config to be appended to the interface config. It should + contain long-format options as would be accepted on the command + line by <code>openconnect</code> + (see https://www.infradead.org/openconnect/manual.html). + Non-key-value options like <code>deflate</code> can be used by + declaring them as booleans, i. e. <code>deflate = true;</code>. + ''; + default = { }; + example = { + compression = "stateless"; + + no-http-keepalive = true; + no-dtls = true; + }; + type = with types; attrsOf (either str bool); + }; + }; + }; + generateExtraConfig = extra_cfg: + strings.concatStringsSep "\n" (attrsets.mapAttrsToList + (name: value: if (value == true) then name else "${name}=${value}") + (attrsets.filterAttrs (_: value: value != false) extra_cfg)); + generateConfig = name: icfg: + pkgs.writeText "config" '' + interface=${name} + ${optionalString (icfg.user != null) "user=${icfg.user}"} + ${optionalString (icfg.passwordFile != null) "passwd-on-stdin"} + ${optionalString (icfg.certificate != null) + "certificate=${icfg.certificate}"} + ${optionalString (icfg.privateKey != null) "sslkey=${icfg.privateKey}"} + + ${generateExtraConfig icfg.extraOptions} + ''; + generateUnit = name: icfg: { + description = "OpenConnect Interface - ${name}"; + requires = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + ExecStart = "${openconnect}/bin/openconnect --config=${ + generateConfig name icfg + } ${icfg.gateway}"; + StandardInput = "file:${icfg.passwordFile}"; + + ProtectHome = true; + }; + }; +in { + options.networking.openconnect = { + package = mkPackageOption pkgs "openconnect" { }; + + interfaces = mkOption { + description = "OpenConnect interfaces."; + default = { }; + example = { + openconnect0 = { + gateway = "gateway.example.com"; + protocol = "anyconnect"; + user = "example-user"; + passwordFile = "/var/lib/secrets/openconnect-passwd"; + }; + }; + type = with types; attrsOf (submodule interfaceOptions); + }; + }; + + config = { + systemd.services = mapAttrs' (name: value: { + name = "openconnect-${name}"; + value = generateUnit name value; + }) cfg.interfaces; + }; + + meta.maintainers = with maintainers; [ alyaeanyx ]; +} diff --git a/nixos/modules/services/networking/openfire.nix b/nixos/modules/services/networking/openfire.nix deleted file mode 100644 index fe0499d5232..00000000000 --- a/nixos/modules/services/networking/openfire.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - ###### interface - - options = { - - services.openfire = { - - enable = mkEnableOption "OpenFire XMPP server"; - - usePostgreSQL = mkOption { - type = types.bool; - default = true; - description = " - Whether you use PostgreSQL service for your storage back-end. - "; - }; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.openfire.enable { - - assertions = singleton - { assertion = !(config.services.openfire.usePostgreSQL -> config.services.postgresql.enable); - message = "OpenFire configured to use PostgreSQL but services.postgresql.enable is not enabled."; - }; - - systemd.services.openfire = { - description = "OpenFire XMPP server"; - wantedBy = [ "multi-user.target" ]; - after = [ "networking.target" ] ++ - optional config.services.openfire.usePostgreSQL "postgresql.service"; - path = with pkgs; [ jre openfire coreutils which gnugrep gawk gnused ]; - script = '' - export HOME=/tmp - mkdir /var/log/openfire || true - mkdir /etc/openfire || true - for i in ${pkgs.openfire}/conf.inst/*; do - if ! test -f /etc/openfire/$(basename $i); then - cp $i /etc/openfire/ - fi - done - openfire start - ''; # */ - }; - }; - -} diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index 0579d314a9b..a986f83141c 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -30,10 +30,10 @@ in { enable = mkEnableOption "PowerDNS Recursor, a recursive DNS server"; dns.address = mkOption { - type = types.str; - default = "0.0.0.0"; + type = oneOrMore types.str; + default = [ "::" "0.0.0.0" ]; description = '' - IP address Recursor DNS server will bind to. + IP addresses Recursor DNS server will bind to. ''; }; @@ -47,8 +47,12 @@ in { dns.allowFrom = mkOption { type = types.listOf types.str; - default = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ]; - example = [ "0.0.0.0/0" ]; + default = [ + "127.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" + "169.254.0.0/16" "192.168.0.0/16" "172.16.0.0/12" + "::1/128" "fc00::/7" "fe80::/10" + ]; + example = [ "0.0.0.0/0" "::/0" ]; description = '' IP address ranges of clients allowed to make DNS queries. ''; @@ -72,7 +76,8 @@ in { api.allowFrom = mkOption { type = types.listOf types.str; - default = [ "0.0.0.0/0" ]; + default = [ "127.0.0.1" "::1" ]; + example = [ "0.0.0.0/0" "::/0" ]; description = '' IP address ranges of clients allowed to make API requests. ''; @@ -96,7 +101,7 @@ in { forwardZonesRecurse = mkOption { type = types.attrs; - example = { eth = "127.0.0.1:5353"; }; + example = { eth = "[::1]:5353"; }; default = {}; description = '' DNS zones to be forwarded to other recursive servers. diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix index 8cae61b8354..b035698456c 100644 --- a/nixos/modules/services/networking/powerdns.nix +++ b/nixos/modules/services/networking/powerdns.nix @@ -24,14 +24,14 @@ in { config = mkIf cfg.enable { - systemd.packages = [ pkgs.powerdns ]; + systemd.packages = [ pkgs.pdns ]; systemd.services.pdns = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ]; serviceConfig = { - ExecStart = [ "" "${pkgs.powerdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; + ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; }; }; diff --git a/nixos/modules/services/networking/shellhub-agent.nix b/nixos/modules/services/networking/shellhub-agent.nix index a45ef148544..57825945d9f 100644 --- a/nixos/modules/services/networking/shellhub-agent.nix +++ b/nixos/modules/services/networking/shellhub-agent.nix @@ -1,31 +1,37 @@ { config, lib, pkgs, ... }: with lib; + let cfg = config.services.shellhub-agent; -in { - +in +{ ###### interface options = { services.shellhub-agent = { - enable = mkOption { - type = types.bool; - default = false; + enable = mkEnableOption "ShellHub Agent daemon"; + + package = mkPackageOption pkgs "shellhub-agent" { }; + + preferredHostname = mkOption { + type = types.str; + default = ""; description = '' - Whether to enable the ShellHub Agent daemon, which allows - secure remote logins. + Set the device preferred hostname. This provides a hint to + the server to use this as hostname if it is available. ''; }; - package = mkOption { - type = types.package; - default = pkgs.shellhub-agent; - defaultText = literalExpression "pkgs.shellhub-agent"; + keepAliveInterval = mkOption { + type = types.int; + default = 30; description = '' - Which ShellHub Agent package to use. + Determine the interval to send the keep alive message to + the server. This has a direct impact of the bandwidth + used by the device. ''; }; @@ -74,9 +80,13 @@ in { "time-sync.target" ]; - environment.SERVER_ADDRESS = cfg.server; - environment.PRIVATE_KEY = cfg.privateKey; - environment.TENANT_ID = cfg.tenantId; + environment = { + SHELLHUB_SERVER_ADDRESS = cfg.server; + SHELLHUB_PRIVATE_KEY = cfg.privateKey; + SHELLHUB_TENANT_ID = cfg.tenantId; + SHELLHUB_KEEPALIVE_INTERVAL = toString cfg.keepAliveInterval; + SHELLHUB_PREFERRED_HOSTNAME = cfg.preferredHostname; + }; serviceConfig = { # The service starts sessions for different users. @@ -85,7 +95,6 @@ in { ExecStart = "${cfg.package}/bin/agent"; }; }; - - environment.systemPackages = [ cfg.package ]; }; } + diff --git a/nixos/modules/services/networking/squid.nix b/nixos/modules/services/networking/squid.nix index 4f3881af8bb..db4f0d26b6f 100644 --- a/nixos/modules/services/networking/squid.nix +++ b/nixos/modules/services/networking/squid.nix @@ -111,6 +111,13 @@ in description = "Whether to run squid web proxy."; }; + package = mkOption { + default = pkgs.squid; + defaultText = literalExpression "pkgs.squid"; + type = types.package; + description = "Squid package to use."; + }; + proxyAddress = mkOption { type = types.nullOr types.str; default = null; @@ -157,17 +164,21 @@ in users.groups.squid = {}; systemd.services.squid = { - description = "Squid caching web proxy"; + description = "Squid caching proxy"; + documentation = [ "man:squid(8)" ]; after = [ "network.target" "nss-lookup.target" ]; wantedBy = [ "multi-user.target"]; preStart = '' mkdir -p "/var/log/squid" chown squid:squid "/var/log/squid" + ${cfg.package}/bin/squid --foreground -z -f ${squidConfig} ''; serviceConfig = { - Type="forking"; PIDFile="/run/squid.pid"; - ExecStart = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}"; + ExecStart = "${cfg.package}/bin/squid --foreground -YCs -f ${squidConfig}"; + ExecReload="kill -HUP $MAINPID"; + KillMode="mixed"; + NotifyAccess="all"; }; }; diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index eb24130e519..8df450a11c6 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -43,7 +43,7 @@ let path = [ pkgs.coreutils ]; preStart = '' - ${optionalString (suppl.configFile.path!=null) '' + ${optionalString (suppl.configFile.path!=null && suppl.configFile.writable) '' (umask 077 && touch -a "${suppl.configFile.path}") ''} ${optionalString suppl.userControlled.enable '' diff --git a/nixos/modules/services/networking/syncplay.nix b/nixos/modules/services/networking/syncplay.nix index b6faf2d3f77..7694b4bf990 100644 --- a/nixos/modules/services/networking/syncplay.nix +++ b/nixos/modules/services/networking/syncplay.nix @@ -61,6 +61,15 @@ in Group to use when running Syncplay. ''; }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to the file that contains the server password. If + <literal>null</literal>, the server doesn't require a password. + ''; + }; }; }; @@ -71,10 +80,17 @@ in after = [ "network-online.target" ]; serviceConfig = { - ExecStart = "${pkgs.syncplay}/bin/syncplay-server ${escapeShellArgs cmdArgs}"; User = cfg.user; Group = cfg.group; + LoadCredential = lib.mkIf (cfg.passwordFile != null) "password:${cfg.passwordFile}"; }; + + script = '' + ${lib.optionalString (cfg.passwordFile != null) '' + export SYNCPLAY_PASSWORD=$(cat "''${CREDENTIALS_DIRECTORY}/password") + ''} + exec ${pkgs.syncplay-nogui}/bin/syncplay-server ${escapeShellArgs cmdArgs} + ''; }; }; } diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 3f41646bf01..1f64113950a 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -21,6 +21,12 @@ in { description = ''The interface name for tunnel traffic. Use "userspace-networking" (beta) to not use TUN.''; }; + permitCertUid = mkOption { + type = types.nullOr types.nonEmptyStr; + default = null; + description = "Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node."; + }; + package = mkOption { type = types.package; default = pkgs.tailscale; @@ -38,7 +44,9 @@ in { serviceConfig.Environment = [ "PORT=${toString cfg.port}" ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"'' - ]; + ] ++ (lib.optionals (cfg.permitCertUid != null) [ + "TS_PERMIT_CERT_UID=${cfg.permitCertUid}" + ]); }; }; } diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix index 414775fc357..61e9fe5096b 100644 --- a/nixos/modules/services/networking/wg-quick.nix +++ b/nixos/modules/services/networking/wg-quick.nix @@ -17,6 +17,13 @@ let description = "The IP addresses of the interface."; }; + autostart = mkOption { + description = "Whether to bring up this interface automatically during boot."; + default = true; + example = false; + type = types.bool; + }; + dns = mkOption { example = [ "192.168.2.2" ]; default = []; @@ -247,7 +254,7 @@ let description = "wg-quick WireGuard Tunnel - ${name}"; requires = [ "network-online.target" ]; after = [ "network.target" "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = optional values.autostart "multi-user.target"; environment.DEVICE = name; path = [ pkgs.kmod pkgs.wireguard-tools ]; diff --git a/nixos/modules/services/networking/zeronet.nix b/nixos/modules/services/networking/zeronet.nix index 3370390a4c6..dd83b7facc1 100644 --- a/nixos/modules/services/networking/zeronet.nix +++ b/nixos/modules/services/networking/zeronet.nix @@ -90,5 +90,5 @@ in with lib; { (mkRemovedOptionModule [ "services" "zeronet" "logDir" ] "Zeronet will log by default in /var/lib/zeronet") ]; - meta.maintainers = with maintainers; [ chiiruno ]; + meta.maintainers = with maintainers; [ Madouura ]; } diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 4d356242417..5c89d587237 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -102,17 +102,19 @@ in # Taken from: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go provider = mkOption { type = types.enum [ - "google" + "adfs" "azure" + "bitbucket" + "digitalocean" "facebook" "github" - "keycloak" "gitlab" + "google" + "keycloak" + "keycloak-oidc" "linkedin" "login.gov" - "bitbucket" "nextcloud" - "digitalocean" "oidc" ]; default = "google"; @@ -569,8 +571,11 @@ in users.users.oauth2_proxy = { description = "OAuth2 Proxy"; isSystemUser = true; + group = "oauth2_proxy"; }; + users.groups.oauth2_proxy = {}; + systemd.services.oauth2_proxy = { description = "OAuth2 Proxy"; path = [ cfg.package ]; diff --git a/nixos/modules/services/security/sslmate-agent.nix b/nixos/modules/services/security/sslmate-agent.nix new file mode 100644 index 00000000000..c850eb22a03 --- /dev/null +++ b/nixos/modules/services/security/sslmate-agent.nix @@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.sslmate-agent; + +in { + meta.maintainers = with maintainers; [ wolfangaukang ]; + + options = { + services.sslmate-agent = { + enable = mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server"; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ sslmate-agent ]; + + systemd = { + packages = [ pkgs.sslmate-agent ]; + services.sslmate-agent = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ConfigurationDirectory = "sslmate-agent"; + LogsDirectory = "sslmate-agent"; + StateDirectory = "sslmate-agent"; + }; + }; + }; + }; +} diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index ddd216ca7fd..a5822c02794 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -910,6 +910,11 @@ in ORPort = mkForce []; PublishServerDescriptor = mkForce false; }) + (mkIf (!cfg.client.enable) { + # Make sure application connections via SOCKS are disabled + # when services.tor.client.enable is false + SOCKSPort = mkForce [ 0 ]; + }) (mkIf cfg.client.enable ( { SOCKSPort = [ cfg.client.socksListenAddress ]; } // optionalAttrs cfg.client.transparentProxy.enable { diff --git a/nixos/modules/services/system/earlyoom.nix b/nixos/modules/services/system/earlyoom.nix index ddd5bcebcdd..62935855989 100644 --- a/nixos/modules/services/system/earlyoom.nix +++ b/nixos/modules/services/system/earlyoom.nix @@ -5,8 +5,8 @@ let inherit (lib) mkDefault mkEnableOption mkIf mkOption types - mkRemovedOptionModule - concatStringsSep optional; + mkRemovedOptionModule literalExpression + escapeShellArg concatStringsSep optional optionalString; in { @@ -17,10 +17,26 @@ in type = types.ints.between 1 100; default = 10; description = '' - Minimum of availabe memory (in percent). - If the free memory falls below this threshold and the analog is true for - <option>services.earlyoom.freeSwapThreshold</option> - the killing begins. + Minimum available memory (in percent). + + If the available memory falls below this threshold (and the analog is true for + <option>freeSwapThreshold</option>) the killing begins. + SIGTERM is sent first to the process that uses the most memory; then, if the available + memory falls below <option>freeMemKillThreshold</option> (and the analog is true for + <option>freeSwapKillThreshold</option>), SIGKILL is sent. + + See <link xlink:href="https://github.com/rfjakob/earlyoom#command-line-options">README</link> for details. + ''; + }; + + freeMemKillThreshold = mkOption { + type = types.nullOr (types.ints.between 1 100); + default = null; + description = '' + Minimum available memory (in percent) before sending SIGKILL. + If unset, this defaults to half of <option>freeMemThreshold</option>. + + See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. ''; }; @@ -28,19 +44,20 @@ in type = types.ints.between 1 100; default = 10; description = '' - Minimum of availabe swap space (in percent). - If the available swap space falls below this threshold and the analog - is true for <option>services.earlyoom.freeMemThreshold</option> - the killing begins. + Minimum free swap space (in percent) before sending SIGTERM. + + See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. ''; }; - # TODO: remove or warn after 1.7 (https://github.com/rfjakob/earlyoom/commit/7ebc4554) - ignoreOOMScoreAdjust = mkOption { - type = types.bool; - default = false; + freeSwapKillThreshold = mkOption { + type = types.nullOr (types.ints.between 1 100); + default = null; description = '' - Ignore oom_score_adjust values of processes. + Minimum free swap space (in percent) before sending SIGKILL. + If unset, this defaults to half of <option>freeSwapThreshold</option>. + + See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. ''; }; @@ -63,12 +80,43 @@ in local user to DoS your session by spamming notifications. To actually see the notifications in your GUI session, you need to have - <literal>systembus-notify</literal> running as your user which this - option handles. + <literal>systembus-notify</literal> running as your user, which this + option handles by enabling <option>services.systembus-notify</option>. See <link xlink:href="https://github.com/rfjakob/earlyoom#notifications">README</link> for details. ''; }; + + killHook = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression '' + pkgs.writeShellScript "earlyoom-kill-hook" ''' + echo "Process $EARLYOOM_NAME ($EARLYOOM_PID) was killed" >> /path/to/log + ''' + ''; + description = '' + An absolute path to an executable to be run for each process killed. + Some environment variables are available, see + <link xlink:href="https://github.com/rfjakob/earlyoom#notifications">README</link> and + <link xlink:href="https://github.com/rfjakob/earlyoom/blob/master/MANPAGE.md#-n-pathtoscript">the man page</link> + for details. + ''; + }; + + reportInterval = mkOption { + type = types.int; + default = 3600; + example = 0; + description = "Interval (in seconds) at which a memory report is printed (set to 0 to disable)."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "-g" "--prefer '(^|/)(java|chromium)$'" ]; + description = "Extra command-line arguments to be passed to earlyoom."; + }; }; imports = [ @@ -76,7 +124,11 @@ in This option is deprecated and ignored by earlyoom since 1.2. '') (mkRemovedOptionModule [ "services" "earlyoom" "notificationsCommand" ] '' - This option is deprecated and ignored by earlyoom since 1.6. + This option was removed in earlyoom 1.6, but was reimplemented in 1.7 + and is available as the new option `services.earlyoom.killHook`. + '') + (mkRemovedOptionModule [ "services" "earlyoom" "ignoreOOMScoreAdjust" ] '' + This option is deprecated and ignored by earlyoom since 1.7. '') ]; @@ -91,12 +143,16 @@ in StandardError = "journal"; ExecStart = concatStringsSep " " ([ "${pkgs.earlyoom}/bin/earlyoom" - "-m ${toString cfg.freeMemThreshold}" - "-s ${toString cfg.freeSwapThreshold}" + ("-m ${toString cfg.freeMemThreshold}" + + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}") + ("-s ${toString cfg.freeSwapThreshold}" + + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}") + "-r ${toString cfg.reportInterval}" ] - ++ optional cfg.ignoreOOMScoreAdjust "-i" ++ optional cfg.enableDebugInfo "-d" ++ optional cfg.enableNotifications "-n" + ++ optional (cfg.killHook != null) "-N ${escapeShellArg cfg.killHook}" + ++ cfg.extraArgs ); }; }; diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index 00a87e788dc..0caebc8ce90 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -7,10 +7,6 @@ let nssModulesPath = config.system.nssModules.path; cfg = config.services.nscd; - nscd = if pkgs.stdenv.hostPlatform.libc == "glibc" - then pkgs.stdenv.cc.libc.bin - else pkgs.glibc.bin; - in { @@ -37,6 +33,19 @@ in description = "Configuration to use for Name Service Cache Daemon."; }; + package = mkOption { + type = types.package; + default = if pkgs.stdenv.hostPlatform.libc == "glibc" + then pkgs.stdenv.cc.libc.bin + else pkgs.glibc.bin; + defaultText = literalExample '' + if pkgs.stdenv.hostPlatform.libc == "glibc" + then pkgs.stdenv.cc.libc.bin + else pkgs.glibc.bin; + ''; + description = "package containing the nscd binary to be used by the service"; + }; + }; }; @@ -69,16 +78,16 @@ in # files. So prefix the ExecStart command with "!" to prevent systemd # from dropping privileges early. See ExecStart in systemd.service(5). serviceConfig = - { ExecStart = "!@${nscd}/sbin/nscd nscd"; + { ExecStart = "!@${cfg.package}/bin/nscd nscd"; Type = "forking"; DynamicUser = true; RuntimeDirectory = "nscd"; PIDFile = "/run/nscd/nscd.pid"; Restart = "always"; ExecReload = - [ "${nscd}/sbin/nscd --invalidate passwd" - "${nscd}/sbin/nscd --invalidate group" - "${nscd}/sbin/nscd --invalidate hosts" + [ "${cfg.package}/bin/nscd --invalidate passwd" + "${cfg.package}/bin/nscd --invalidate group" + "${cfg.package}/bin/nscd --invalidate hosts" ]; }; }; diff --git a/nixos/modules/services/ttys/kmscon.nix b/nixos/modules/services/ttys/kmscon.nix index 4fe720bf044..e02ab3cb6b3 100644 --- a/nixos/modules/services/ttys/kmscon.nix +++ b/nixos/modules/services/ttys/kmscon.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - inherit (lib) mkOption types mkIf; + inherit (lib) mapAttrs mkIf mkOption optional optionals types; cfg = config.services.kmscon; @@ -28,6 +28,19 @@ in { default = false; }; + fonts = mkOption { + description = "Fonts used by kmscon, in order of priority."; + default = null; + example = lib.literalExpression ''[ { name = "Source Code Pro"; package = pkgs.source-code-pro; } ]''; + type = with types; + let fontType = submodule { + options = { + name = mkOption { type = str; description = "Font name, as used by fontconfig."; }; + package = mkOption { type = package; description = "Package providing the font."; }; + }; + }; in nullOr (nonEmptyListOf fontType); + }; + extraConfig = mkOption { description = "Extra contents of the kmscon.conf file."; type = types.lines; @@ -87,11 +100,17 @@ in { systemd.services.systemd-vconsole-setup.enable = false; - services.kmscon.extraConfig = mkIf cfg.hwRender '' - drm - hwaccel - ''; + services.kmscon.extraConfig = + let + render = optionals cfg.hwRender [ "drm" "hwaccel" ]; + fonts = optional (cfg.fonts != null) "font-name=${lib.concatMapStringsSep ", " (f: f.name) cfg.fonts}"; + in lib.concatStringsSep "\n" (render ++ fonts); hardware.opengl.enable = mkIf cfg.hwRender true; + + fonts = mkIf (cfg.fonts != null) { + fontconfig.enable = true; + fonts = map (f: f.package) cfg.fonts; + }; }; } diff --git a/nixos/modules/services/video/unifi-video.nix b/nixos/modules/services/video/unifi-video.nix index 43208a9fe4c..11d9fe30547 100644 --- a/nixos/modules/services/video/unifi-video.nix +++ b/nixos/modules/services/video/unifi-video.nix @@ -16,7 +16,7 @@ let -pidfile ${cfg.pidFile} \ -procname unifi-video \ -Djava.security.egd=file:/dev/./urandom \ - -Xmx${cfg.maximumJavaHeapSize}M \ + -Xmx${toString cfg.maximumJavaHeapSize}M \ -Xss512K \ -XX:+UseG1GC \ -XX:+UseStringDeduplication \ @@ -91,98 +91,102 @@ let stateDir = "/var/lib/unifi-video"; in - { - - options.services.unifi-video = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether or not to enable the unifi-video service. - ''; - }; +{ - jrePackage = mkOption { - type = types.package; - default = pkgs.jre8; - defaultText = literalExpression "pkgs.jre8"; - description = '' - The JRE package to use. Check the release notes to ensure it is supported. - ''; - }; + options.services.unifi-video = { - unifiVideoPackage = mkOption { - type = types.package; - default = pkgs.unifi-video; - defaultText = literalExpression "pkgs.unifi-video"; - description = '' - The unifi-video package to use. - ''; - }; + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether or not to enable the unifi-video service. + ''; + }; - mongodbPackage = mkOption { - type = types.package; - default = pkgs.mongodb-4_0; - defaultText = literalExpression "pkgs.mongodb"; - description = '' - The mongodb package to use. - ''; - }; + jrePackage = mkOption { + type = types.package; + default = pkgs.jre8; + defaultText = literalExpression "pkgs.jre8"; + description = '' + The JRE package to use. Check the release notes to ensure it is supported. + ''; + }; - logDir = mkOption { - type = types.str; - default = "${stateDir}/logs"; - description = '' - Where to store the logs. - ''; - }; + unifiVideoPackage = mkOption { + type = types.package; + default = pkgs.unifi-video; + defaultText = literalExpression "pkgs.unifi-video"; + description = '' + The unifi-video package to use. + ''; + }; - dataDir = mkOption { - type = types.str; - default = "${stateDir}/data"; - description = '' - Where to store the database and other data. - ''; - }; + mongodbPackage = mkOption { + type = types.package; + default = pkgs.mongodb-4_0; + defaultText = literalExpression "pkgs.mongodb"; + description = '' + The mongodb package to use. + ''; + }; - openPorts = mkOption { - type = types.bool; - default = true; - description = '' - Whether or not to open the required ports on the firewall. - ''; - }; + logDir = mkOption { + type = types.str; + default = "${stateDir}/logs"; + description = '' + Where to store the logs. + ''; + }; - maximumJavaHeapSize = mkOption { - type = types.nullOr types.int; - default = 1024; - example = 4096; - description = '' - Set the maximimum heap size for the JVM in MB. - ''; - }; + dataDir = mkOption { + type = types.str; + default = "${stateDir}/data"; + description = '' + Where to store the database and other data. + ''; + }; - pidFile = mkOption { - type = types.path; - default = "${cfg.dataDir}/unifi-video.pid"; - defaultText = literalExpression ''"''${config.${opt.dataDir}}/unifi-video.pid"''; - description = "Location of unifi-video pid file."; - }; + openFirewall = mkOption { + type = types.bool; + default = true; + description = '' + Whether or not to open the required ports on the firewall. + ''; + }; + + maximumJavaHeapSize = mkOption { + type = types.nullOr types.int; + default = 1024; + example = 4096; + description = '' + Set the maximimum heap size for the JVM in MB. + ''; + }; + + pidFile = mkOption { + type = types.path; + default = "${cfg.dataDir}/unifi-video.pid"; + defaultText = literalExpression ''"''${config.${opt.dataDir}}/unifi-video.pid"''; + description = "Location of unifi-video pid file."; + }; + + }; + + config = mkIf cfg.enable { -}; + warnings = optional + (options.services.unifi-video.openFirewall.highestPrio >= (mkOptionDefault null).priority) + "The current services.unifi-video.openFirewall = true default is deprecated and will change to false in 22.11. Set it explicitly to silence this warning."; -config = mkIf cfg.enable { - users = { - users.unifi-video = { + users.users.unifi-video = { description = "UniFi Video controller daemon user"; home = stateDir; group = "unifi-video"; isSystemUser = true; }; - groups.unifi-video = {}; - }; + users.groups.unifi-video = {}; - networking.firewall = mkIf cfg.openPorts { + networking.firewall = mkIf cfg.openFirewall { # https://help.ui.com/hc/en-us/articles/217875218-UniFi-Video-Ports-Used allowedTCPPorts = [ 7080 # HTTP portal @@ -237,7 +241,6 @@ config = mkIf cfg.enable { "L+ '${stateDir}/conf/server.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/server.xml" "L+ '${stateDir}/conf/tomcat-users.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/tomcat-users.xml" "L+ '${stateDir}/conf/web.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/web.xml" - ]; systemd.services.unifi-video = { @@ -258,10 +261,11 @@ config = mkIf cfg.enable { WorkingDirectory = "${stateDir}"; }; }; - }; - meta = { - maintainers = with lib.maintainers; [ rsynnest ]; - }; + imports = [ + (mkRenamedOptionModule [ "services" "unifi-video" "openPorts" ] [ "services" "unifi-video" "openFirewall" ]) + ]; + + meta.maintainers = with lib.maintainers; [ rsynnest ]; } diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index d7a26838d6f..a120f6cdb3d 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -151,6 +151,7 @@ in users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; + home = cfg.home; }; users.groups.${cfg.group} = {}; diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 2c2911aada3..7dbbf4a12fe 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -609,6 +609,7 @@ in connection_reaper_interval = 30; relative_url_root = null; message_bus_max_backlog_size = 100; + message_bus_clear_every = 50; secret_key_base = cfg.secretKeyBaseFile; fallback_assets_path = null; @@ -655,7 +656,12 @@ in long_polling_interval = null; }; - services.redis.enable = lib.mkDefault (cfg.redis.host == "localhost"); + services.redis.servers.discourse = + lib.mkIf (lib.elem cfg.redis.host [ "localhost" "127.0.0.1" ]) { + enable = true; + bind = cfg.redis.host; + port = cfg.backendSettings.redis_port; + }; services.postgresql = lib.mkIf databaseActuallyCreateLocally { enable = true; @@ -696,12 +702,12 @@ in systemd.services.discourse = { wantedBy = [ "multi-user.target" ]; after = [ - "redis.service" + "redis-discourse.service" "postgresql.service" "discourse-postgresql.service" ]; bindsTo = [ - "redis.service" + "redis-discourse.service" ] ++ lib.optionals (cfg.database.host == null) [ "postgresql.service" "discourse-postgresql.service" diff --git a/nixos/modules/services/web-apps/jitsi-meet.nix b/nixos/modules/services/web-apps/jitsi-meet.nix index 2f1c4acec1e..be0b5b94fb2 100644 --- a/nixos/modules/services/web-apps/jitsi-meet.nix +++ b/nixos/modules/services/web-apps/jitsi-meet.nix @@ -159,7 +159,7 @@ in ''; }; - caddy.enable = mkEnableOption "Whether to enablle caddy reverse proxy to expose jitsi-meet"; + caddy.enable = mkEnableOption "Whether to enable caddy reverse proxy to expose jitsi-meet"; prosody.enable = mkOption { type = bool; diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 22c16be7613..2d817ca1923 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -4,20 +4,94 @@ let cfg = config.services.keycloak; opt = options.services.keycloak; - inherit (lib) types mkOption concatStringsSep mapAttrsToList - escapeShellArg recursiveUpdate optionalAttrs boolToString mkOrder - sort filterAttrs concatMapStringsSep concatStrings mkIf - optionalString optionals mkDefault literalExpression hasSuffix - foldl' isAttrs filter attrNames elem literalDocBook - maintainers; - - inherit (builtins) match typeOf; + inherit (lib) + types + mkMerge + mkOption + mkChangedOptionModule + mkRenamedOptionModule + mkRemovedOptionModule + concatStringsSep + mapAttrsToList + escapeShellArg + mkIf + optionalString + optionals + mkDefault + literalExpression + isAttrs + literalDocBook + maintainers + catAttrs + collect + splitString + ; + + inherit (builtins) + elem + typeOf + isInt + isString + hashString + isPath + ; + + prefixUnlessEmpty = prefix: string: optionalString (string != "") "${prefix}${string}"; in { + imports = + [ + (mkRenamedOptionModule + [ "services" "keycloak" "bindAddress" ] + [ "services" "keycloak" "settings" "http-host" ]) + (mkRenamedOptionModule + [ "services" "keycloak" "forceBackendUrlToFrontendUrl"] + [ "services" "keycloak" "settings" "hostname-strict-backchannel"]) + (mkChangedOptionModule + [ "services" "keycloak" "httpPort" ] + [ "services" "keycloak" "settings" "http-port" ] + (config: + builtins.fromJSON config.services.keycloak.httpPort)) + (mkChangedOptionModule + [ "services" "keycloak" "httpsPort" ] + [ "services" "keycloak" "settings" "https-port" ] + (config: + builtins.fromJSON config.services.keycloak.httpsPort)) + (mkRemovedOptionModule + [ "services" "keycloak" "frontendUrl" ] + '' + Set `services.keycloak.settings.hostname' and `services.keycloak.settings.http-relative-path' instead. + NOTE: You likely want to set 'http-relative-path' to '/auth' to keep compatibility with your clients. + See its description for more information. + '') + (mkRemovedOptionModule + [ "services" "keycloak" "extraConfig" ] + "Use `services.keycloak.settings' instead.") + ]; + options.services.keycloak = let - inherit (types) bool str nullOr attrsOf path enum anything - package port; + inherit (types) + bool + str + int + nullOr + attrsOf + oneOf + path + enum + package + port; + + assertStringPath = optionName: value: + if isPath value then + throw '' + services.keycloak.${optionName}: + ${toString value} + is a Nix path, but should be a string, since Nix + paths are copied into the world-readable Nix store. + '' + else value; in { enable = mkOption { @@ -30,89 +104,14 @@ in ''; }; - bindAddress = mkOption { - type = str; - default = "\${jboss.bind.address:0.0.0.0}"; - example = "127.0.0.1"; - description = '' - On which address Keycloak should accept new connections. - - A special syntax can be used to allow command line Java system - properties to override the value: ''${property.name:value} - ''; - }; - - httpPort = mkOption { - type = str; - default = "\${jboss.http.port:80}"; - example = "8080"; - description = '' - On which port Keycloak should listen for new HTTP connections. - - A special syntax can be used to allow command line Java system - properties to override the value: ''${property.name:value} - ''; - }; - - httpsPort = mkOption { - type = str; - default = "\${jboss.https.port:443}"; - example = "8443"; - description = '' - On which port Keycloak should listen for new HTTPS connections. - - A special syntax can be used to allow command line Java system - properties to override the value: ''${property.name:value} - ''; - }; - - frontendUrl = mkOption { - type = str; - apply = x: - if x == "" || hasSuffix "/" x then - x - else - x + "/"; - example = "keycloak.example.com/auth"; - description = '' - The public URL used as base for all frontend requests. Should - normally include a trailing <literal>/auth</literal>. - - See <link xlink:href="https://www.keycloak.org/docs/latest/server_installation/#_hostname">the - Hostname section of the Keycloak server installation - manual</link> for more information. - ''; - }; - - forceBackendUrlToFrontendUrl = mkOption { - type = bool; - default = false; - example = true; - description = '' - Whether Keycloak should force all requests to go through the - frontend URL configured in <xref - linkend="opt-services.keycloak.frontendUrl" />. By default, - Keycloak allows backend requests to instead use its local - hostname or IP address and may also advertise it to clients - through its OpenID Connect Discovery endpoint. - - See <link - xlink:href="https://www.keycloak.org/docs/latest/server_installation/#_hostname">the - Hostname section of the Keycloak server installation - manual</link> for more information. - ''; - }; - sslCertificate = mkOption { type = nullOr path; default = null; example = "/run/keys/ssl_cert"; + apply = assertStringPath "sslCertificate"; description = '' The path to a PEM formatted certificate to use for TLS/SSL connections. - - This should be a string, not a Nix path, since Nix paths are - copied into the world-readable Nix store. ''; }; @@ -120,20 +119,28 @@ in type = nullOr path; default = null; example = "/run/keys/ssl_key"; + apply = assertStringPath "sslCertificateKey"; description = '' The path to a PEM formatted private key to use for TLS/SSL connections. + ''; + }; - This should be a string, not a Nix path, since Nix paths are - copied into the world-readable Nix store. + plugins = lib.mkOption { + type = lib.types.listOf lib.types.path; + default = [ ]; + description = '' + Keycloak plugin jar, ear files or derivations containing + them. Packaged plugins are available through + <literal>pkgs.keycloak.plugins</literal>. ''; }; database = { type = mkOption { - type = enum [ "mysql" "postgresql" ]; + type = enum [ "mysql" "mariadb" "postgresql" ]; default = "postgresql"; - example = "mysql"; + example = "mariadb"; description = '' The type of database Keycloak should connect to. ''; @@ -151,6 +158,7 @@ in let dbPorts = { postgresql = 5432; + mariadb = 3306; mysql = 3306; }; in @@ -199,6 +207,21 @@ in ''; }; + name = mkOption { + type = str; + default = "keycloak"; + description = '' + Database name to use when connecting to an external or + manually provisioned database; has no effect when a local + database is automatically provisioned. + + To use this with a local database, set <xref + linkend="opt-services.keycloak.database.createLocally" /> to + <literal>false</literal> and create the database and user + manually. + ''; + }; + username = mkOption { type = str; default = "keycloak"; @@ -210,19 +233,16 @@ in To use this with a local database, set <xref linkend="opt-services.keycloak.database.createLocally" /> to <literal>false</literal> and create the database and user - manually. The database should be called - <literal>keycloak</literal>. + manually. ''; }; passwordFile = mkOption { type = path; example = "/run/keys/db_password"; + apply = assertStringPath "passwordFile"; description = '' - File containing the database password. - - This should be a string, not a Nix path, since Nix paths are - copied into the world-readable Nix store. + The path to a file containing the database password. ''; }; }; @@ -260,67 +280,181 @@ in ''; }; - extraConfig = mkOption { - type = attrsOf anything; - default = { }; + settings = mkOption { + type = lib.types.submodule { + freeformType = attrsOf (nullOr (oneOf [ str int bool (attrsOf path) ])); + + options = { + http-host = mkOption { + type = str; + default = "0.0.0.0"; + example = "127.0.0.1"; + description = '' + On which address Keycloak should accept new connections. + ''; + }; + + http-port = mkOption { + type = port; + default = 80; + example = 8080; + description = '' + On which port Keycloak should listen for new HTTP connections. + ''; + }; + + https-port = mkOption { + type = port; + default = 443; + example = 8443; + description = '' + On which port Keycloak should listen for new HTTPS connections. + ''; + }; + + http-relative-path = mkOption { + type = str; + default = ""; + example = "/auth"; + description = '' + The path relative to <literal>/</literal> for serving + resources. + + <note> + <para> + In versions of Keycloak using Wildfly (<17), + this defaulted to <literal>/auth</literal>. If + upgrading from the Wildfly version of Keycloak, + i.e. a NixOS version before 22.05, you'll likely + want to set this to <literal>/auth</literal> to + keep compatibility with your clients. + + See <link + xlink:href="https://www.keycloak.org/migration/migrating-to-quarkus" + /> for more information on migrating from Wildfly + to Quarkus. + </para> + </note> + ''; + }; + + hostname = mkOption { + type = str; + example = "keycloak.example.com"; + description = '' + The hostname part of the public URL used as base for + all frontend requests. + + See <link xlink:href="https://www.keycloak.org/server/hostname" /> + for more information about hostname configuration. + ''; + }; + + hostname-strict-backchannel = mkOption { + type = bool; + default = false; + example = true; + description = '' + Whether Keycloak should force all requests to go + through the frontend URL. By default, Keycloak allows + backend requests to instead use its local hostname or + IP address and may also advertise it to clients + through its OpenID Connect Discovery endpoint. + + See <link xlink:href="https://www.keycloak.org/server/hostname" /> + for more information about hostname configuration. + ''; + }; + + proxy = mkOption { + type = enum [ "edge" "reencrypt" "passthrough" "none" ]; + default = "none"; + example = "edge"; + description = '' + The proxy address forwarding mode if the server is + behind a reverse proxy. + + <variablelist> + <varlistentry> + <term>edge</term> + <listitem> + <para> + Enables communication through HTTP between the + proxy and Keycloak. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>reencrypt</term> + <listitem> + <para> + Requires communication through HTTPS between the + proxy and Keycloak. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>passthrough</term> + <listitem> + <para> + Enables communication through HTTP or HTTPS between + the proxy and Keycloak. + </para> + </listitem> + </varlistentry> + </variablelist> + + See <link + xlink:href="https://www.keycloak.org/server/reverseproxy" + /> for more information. + ''; + }; + }; + }; + example = literalExpression '' { - "subsystem=keycloak-server" = { - "spi=hostname" = { - "provider=default" = null; - "provider=fixed" = { - enabled = true; - properties.hostname = "keycloak.example.com"; - }; - default-provider = "fixed"; - }; - }; + hostname = "keycloak.example.com"; + proxy = "reencrypt"; + https-key-store-file = "/path/to/file"; + https-key-store-password = { _secret = "/run/keys/store_password"; }; } ''; + description = '' - Additional Keycloak configuration options to set in - <literal>standalone.xml</literal>. - - Options are expressed as a Nix attribute set which matches the - structure of the jboss-cli configuration. The configuration is - effectively overlayed on top of the default configuration - shipped with Keycloak. To remove existing nodes and undefine - attributes from the default configuration, set them to - <literal>null</literal>. - - The example configuration does the equivalent of the following - script, which removes the hostname provider - <literal>default</literal>, adds the deprecated hostname - provider <literal>fixed</literal> and defines it the default: - - <programlisting> - /subsystem=keycloak-server/spi=hostname/provider=default:remove() - /subsystem=keycloak-server/spi=hostname/provider=fixed:add(enabled = true, properties = { hostname = "keycloak.example.com" }) - /subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value="fixed") - </programlisting> - - You can discover available options by using the <link - xlink:href="http://docs.wildfly.org/21/Admin_Guide.html#Command_Line_Interface">jboss-cli.sh</link> - program and by referring to the <link - xlink:href="https://www.keycloak.org/docs/latest/server_installation/index.html">Keycloak - Server Installation and Configuration Guide</link>. + Configuration options corresponding to parameters set in + <filename>conf/keycloak.conf</filename>. + + Most available options are documented at <link + xlink:href="https://www.keycloak.org/server/all-config" />. + + Options containing secret data should be set to an attribute + set containing the attribute <literal>_secret</literal> - a + string pointing to a file containing the value the option + should be set to. See the example to get a better picture of + this: in the resulting + <filename>conf/keycloak.conf</filename> file, the + <literal>https-key-store-password</literal> key will be set + to the contents of the + <filename>/run/keys/store_password</filename> file. ''; }; - }; config = let - # We only want to create a database if we're actually going to connect to it. + # We only want to create a database if we're actually going to + # connect to it. databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "localhost"; createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.database.type == "postgresql"; - createLocalMySQL = databaseActuallyCreateLocally && cfg.database.type == "mysql"; + createLocalMySQL = databaseActuallyCreateLocally && elem cfg.database.type [ "mysql" "mariadb" ]; mySqlCaKeystore = pkgs.runCommand "mysql-ca-keystore" { } '' ${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.database.caCert} -keystore $out -storepass notsosecretpassword -noprompt ''; - # Both theme and theme type directories need to be actual directories in one hierarchy to pass Keycloak checks. + # Both theme and theme type directories need to be actual + # directories in one hierarchy to pass Keycloak checks. themesBundle = pkgs.runCommand "keycloak-themes" { } '' linkTheme() { theme="$1" @@ -339,7 +473,7 @@ in } mkdir -p "$out" - for theme in ${cfg.package}/themes/*; do + for theme in ${keycloakBuild}/themes/*; do if [ -d "$theme" ]; then linkTheme "$theme" "$(basename "$theme")" fi @@ -348,329 +482,25 @@ in ${concatStringsSep "\n" (mapAttrsToList (name: theme: "linkTheme ${theme} ${escapeShellArg name}") cfg.themes)} ''; - keycloakConfig' = foldl' recursiveUpdate - { - "interface=public".inet-address = cfg.bindAddress; - "socket-binding-group=standard-sockets"."socket-binding=http".port = cfg.httpPort; - "subsystem=keycloak-server" = { - "spi=hostname"."provider=default" = { - enabled = true; - properties = { - inherit (cfg) frontendUrl forceBackendUrlToFrontendUrl; - }; - }; - "theme=defaults".dir = toString themesBundle; - }; - "subsystem=datasources"."data-source=KeycloakDS" = { - max-pool-size = "20"; - user-name = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username; - password = "@db-password@"; - }; - } [ - (optionalAttrs (cfg.database.type == "postgresql") { - "subsystem=datasources" = { - "jdbc-driver=postgresql" = { - driver-module-name = "org.postgresql"; - driver-name = "postgresql"; - driver-xa-datasource-class-name = "org.postgresql.xa.PGXADataSource"; - }; - "data-source=KeycloakDS" = { - connection-url = "jdbc:postgresql://${cfg.database.host}:${toString cfg.database.port}/keycloak"; - driver-name = "postgresql"; - "connection-properties=ssl".value = boolToString cfg.database.useSSL; - } // (optionalAttrs (cfg.database.caCert != null) { - "connection-properties=sslrootcert".value = cfg.database.caCert; - "connection-properties=sslmode".value = "verify-ca"; - }); - }; - }) - (optionalAttrs (cfg.database.type == "mysql") { - "subsystem=datasources" = { - "jdbc-driver=mysql" = { - driver-module-name = "com.mysql"; - driver-name = "mysql"; - driver-class-name = "com.mysql.jdbc.Driver"; - }; - "data-source=KeycloakDS" = { - connection-url = "jdbc:mysql://${cfg.database.host}:${toString cfg.database.port}/keycloak"; - driver-name = "mysql"; - "connection-properties=useSSL".value = boolToString cfg.database.useSSL; - "connection-properties=requireSSL".value = boolToString cfg.database.useSSL; - "connection-properties=verifyServerCertificate".value = boolToString cfg.database.useSSL; - "connection-properties=characterEncoding".value = "UTF-8"; - valid-connection-checker-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"; - validate-on-match = true; - exception-sorter-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"; - } // (optionalAttrs (cfg.database.caCert != null) { - "connection-properties=trustCertificateKeyStoreUrl".value = "file:${mySqlCaKeystore}"; - "connection-properties=trustCertificateKeyStorePassword".value = "notsosecretpassword"; - }); - }; - }) - (optionalAttrs (cfg.sslCertificate != null && cfg.sslCertificateKey != null) { - "socket-binding-group=standard-sockets"."socket-binding=https".port = cfg.httpsPort; - "subsystem=elytron" = mkOrder 900 { - "key-store=httpsKS" = mkOrder 900 { - path = "/run/keycloak/ssl/certificate_private_key_bundle.p12"; - credential-reference.clear-text = "notsosecretpassword"; - type = "JKS"; - }; - "key-manager=httpsKM" = mkOrder 901 { - key-store = "httpsKS"; - credential-reference.clear-text = "notsosecretpassword"; - }; - "server-ssl-context=httpsSSC" = mkOrder 902 { - key-manager = "httpsKM"; - }; - }; - "subsystem=undertow" = mkOrder 901 { - "server=default-server"."https-listener=https".ssl-context = "httpsSSC"; - }; - }) - cfg.extraConfig - ]; - - - /* Produces a JBoss CLI script that creates paths and sets - attributes matching those described by `attrs`. When the - script is run, the existing settings are effectively overlayed - by those from `attrs`. Existing attributes can be unset by - defining them `null`. - - JBoss paths and attributes / maps are distinguished by their - name, where paths follow a `key=value` scheme. - - Example: - mkJbossScript { - "subsystem=keycloak-server"."spi=hostname" = { - "provider=fixed" = null; - "provider=default" = { - enabled = true; - properties = { - inherit frontendUrl; - forceBackendUrlToFrontendUrl = false; - }; - }; - }; - } - => '' - if (outcome != success) of /:read-resource() - /:add() - end-if - if (outcome != success) of /subsystem=keycloak-server:read-resource() - /subsystem=keycloak-server:add() - end-if - if (outcome != success) of /subsystem=keycloak-server/spi=hostname:read-resource() - /subsystem=keycloak-server/spi=hostname:add() - end-if - if (outcome != success) of /subsystem=keycloak-server/spi=hostname/provider=default:read-resource() - /subsystem=keycloak-server/spi=hostname/provider=default:add(enabled = true, properties = { forceBackendUrlToFrontendUrl = false, frontendUrl = "https://keycloak.example.com/auth" }) - end-if - if (result != true) of /subsystem=keycloak-server/spi=hostname/provider=default:read-attribute(name="enabled") - /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=enabled, value=true) - end-if - if (result != false) of /subsystem=keycloak-server/spi=hostname/provider=default:read-attribute(name="properties.forceBackendUrlToFrontendUrl") - /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.forceBackendUrlToFrontendUrl, value=false) - end-if - if (result != "https://keycloak.example.com/auth") of /subsystem=keycloak-server/spi=hostname/provider=default:read-attribute(name="properties.frontendUrl") - /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl, value="https://keycloak.example.com/auth") - end-if - if (outcome != success) of /subsystem=keycloak-server/spi=hostname/provider=fixed:read-resource() - /subsystem=keycloak-server/spi=hostname/provider=fixed:remove() - end-if - '' - */ - mkJbossScript = attrs: - let - /* From a JBoss path and an attrset, produces a JBoss CLI - snippet that writes the corresponding attributes starting - at `path`. Recurses down into subattrsets as necessary, - producing the variable name from its full path in the - attrset. - - Example: - writeAttributes "/subsystem=keycloak-server/spi=hostname/provider=default" { - enabled = true; - properties = { - forceBackendUrlToFrontendUrl = false; - frontendUrl = "https://keycloak.example.com/auth"; - }; - } - => '' - if (result != true) of /subsystem=keycloak-server/spi=hostname/provider=default:read-attribute(name="enabled") - /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=enabled, value=true) - end-if - if (result != false) of /subsystem=keycloak-server/spi=hostname/provider=default:read-attribute(name="properties.forceBackendUrlToFrontendUrl") - /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.forceBackendUrlToFrontendUrl, value=false) - end-if - if (result != "https://keycloak.example.com/auth") of /subsystem=keycloak-server/spi=hostname/provider=default:read-attribute(name="properties.frontendUrl") - /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl, value="https://keycloak.example.com/auth") - end-if - '' - */ - writeAttributes = path: set: - let - # JBoss expressions like `${var}` need to be prefixed - # with `expression` to evaluate. - prefixExpression = string: - let - matchResult = match ''"\$\{.*}"'' string; - in - if matchResult != null then - "expression " + string - else - string; - - writeAttribute = attribute: value: - let - type = typeOf value; - in - if type == "set" then - let - names = attrNames value; - in - foldl' (text: name: text + (writeAttribute "${attribute}.${name}" value.${name})) "" names - else if value == null then '' - if (outcome == success) of ${path}:read-attribute(name="${attribute}") - ${path}:undefine-attribute(name="${attribute}") - end-if - '' - else if elem type [ "string" "path" "bool" ] then - let - value' = if type == "bool" then boolToString value else ''"${value}"''; - in - '' - if (result != ${prefixExpression value'}) of ${path}:read-attribute(name="${attribute}") - ${path}:write-attribute(name=${attribute}, value=${value'}) - end-if - '' - else throw "Unsupported type '${type}' for path '${path}'!"; - in - concatStrings - (mapAttrsToList - (attribute: value: (writeAttribute attribute value)) - set); - - - /* Produces an argument list for the JBoss `add()` function, - which adds a JBoss path and takes as its arguments the - required subpaths and attributes. - - Example: - makeArgList { - enabled = true; - properties = { - forceBackendUrlToFrontendUrl = false; - frontendUrl = "https://keycloak.example.com/auth"; - }; - } - => '' - enabled = true, properties = { forceBackendUrlToFrontendUrl = false, frontendUrl = "https://keycloak.example.com/auth" } - '' - */ - makeArgList = set: - let - makeArg = attribute: value: - let - type = typeOf value; - in - if type == "set" then - "${attribute} = { " + (makeArgList value) + " }" - else if elem type [ "string" "path" "bool" ] then - "${attribute} = ${if type == "bool" then boolToString value else ''"${value}"''}" - else if value == null then - "" - else - throw "Unsupported type '${type}' for attribute '${attribute}'!"; - - in - concatStringsSep ", " (mapAttrsToList makeArg set); - - - /* Recurses into the `nodeValue` attrset. Only subattrsets that - are JBoss paths, i.e. follows the `key=value` format, are recursed - into - the rest are considered JBoss attributes / maps. - */ - recurse = nodePath: nodeValue: - let - nodeContent = - if isAttrs nodeValue && nodeValue._type or "" == "order" then - nodeValue.content - else - nodeValue; - isPath = name: - let - value = nodeContent.${name}; - in - if (match ".*([=]).*" name) == [ "=" ] then - if isAttrs value || value == null then - true - else - throw "Parsing path '${concatStringsSep "." (nodePath ++ [ name ])}' failed: JBoss attributes cannot contain '='!" - else - false; - jbossPath = "/" + concatStringsSep "/" nodePath; - children = if !isAttrs nodeContent then { } else nodeContent; - subPaths = filter isPath (attrNames children); - getPriority = name: - let - value = children.${name}; - in - if value._type or "" == "order" then value.priority else 1000; - orderedSubPaths = sort (a: b: getPriority a < getPriority b) subPaths; - jbossAttrs = filterAttrs (name: _: !(isPath name)) children; - text = - if nodeContent != null then - '' - if (outcome != success) of ${jbossPath}:read-resource() - ${jbossPath}:add(${makeArgList jbossAttrs}) - end-if - '' + writeAttributes jbossPath jbossAttrs - else - '' - if (outcome == success) of ${jbossPath}:read-resource() - ${jbossPath}:remove() - end-if - ''; - in - text + concatMapStringsSep "\n" (name: recurse (nodePath ++ [ name ]) children.${name}) orderedSubPaths; - in - recurse [ ] attrs; - - jbossCliScript = pkgs.writeText "jboss-cli-script" (mkJbossScript keycloakConfig'); - - keycloakConfig = pkgs.runCommand "keycloak-config" - { - nativeBuildInputs = [ cfg.package ]; - } - '' - export JBOSS_BASE_DIR="$(pwd -P)"; - export JBOSS_MODULEPATH="${cfg.package}/modules"; - export JBOSS_LOG_DIR="$JBOSS_BASE_DIR/log"; - - cp -r ${cfg.package}/standalone/configuration . - chmod -R u+rwX ./configuration - - mkdir -p {deployments,ssl} - - standalone.sh& - - attempt=1 - max_attempts=30 - while ! jboss-cli.sh --connect ':read-attribute(name=server-state)'; do - if [[ "$attempt" == "$max_attempts" ]]; then - echo "ERROR: Could not connect to Keycloak after $attempt attempts! Failing.." >&2 - exit 1 - fi - echo "Keycloak not fully started yet, retrying.. ($attempt/$max_attempts)" - sleep 1 - (( attempt++ )) - done - - jboss-cli.sh --connect --file=${jbossCliScript} --echo-command + keycloakConfig = lib.generators.toKeyValue { + mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" { + mkValueString = v: with builtins; + if isInt v then toString v + else if isString v then v + else if true == v then "true" + else if false == v then "false" + else if isSecret v then hashString "sha256" v._secret + else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; + }; + }; - cp configuration/standalone.xml $out - ''; + isSecret = v: isAttrs v && v ? _secret && isString v._secret; + filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [{ } null])) cfg.settings; + confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig); + keycloakBuild = cfg.package.override { + inherit confFile; + plugins = cfg.package.enabledPlugins ++ cfg.plugins; + }; in mkIf cfg.enable { @@ -681,7 +511,45 @@ in } ]; - environment.systemPackages = [ cfg.package ]; + environment.systemPackages = [ keycloakBuild ]; + + services.keycloak.settings = + let + postgresParams = concatStringsSep "&" ( + optionals cfg.database.useSSL [ + "ssl=true" + ] ++ optionals (cfg.database.caCert != null) [ + "sslrootcert=${cfg.database.caCert}" + "sslmode=verify-ca" + ] + ); + mariadbParams = concatStringsSep "&" ([ + "characterEncoding=UTF-8" + ] ++ optionals cfg.database.useSSL [ + "useSSL=true" + "requireSSL=true" + "verifyServerCertificate=true" + ] ++ optionals (cfg.database.caCert != null) [ + "trustCertificateKeyStoreUrl=file:${mySqlCaKeystore}" + "trustCertificateKeyStorePassword=notsosecretpassword" + ]); + dbProps = if cfg.database.type == "postgresql" then postgresParams else mariadbParams; + in + mkMerge [ + { + db = if cfg.database.type == "postgresql" then "postgres" else cfg.database.type; + db-username = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username; + db-password._secret = cfg.database.passwordFile; + db-url-host = "${cfg.database.host}:${toString cfg.database.port}"; + db-url-database = if databaseActuallyCreateLocally then "keycloak" else cfg.database.name; + db-url-properties = prefixUnlessEmpty "?" dbProps; + db-url = null; + } + (mkIf (cfg.sslCertificate != null && cfg.sslCertificateKey != null) { + https-certificate-file = "/run/keycloak/ssl/ssl_cert"; + https-certificate-key-file = "/run/keycloak/ssl/ssl_key"; + }) + ]; systemd.services.keycloakPostgreSQLInit = mkIf createLocalPostgreSQL { after = [ "postgresql.service" ]; @@ -744,41 +612,37 @@ in "mysql.service" ] else [ ]; + secretPaths = catAttrs "_secret" (collect isSecret cfg.settings); + mkSecretReplacement = file: '' + replace-secret ${hashString "sha256" file} $CREDENTIALS_DIRECTORY/${baseNameOf file} /run/keycloak/conf/keycloak.conf + ''; + secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; in { after = databaseServices; bindsTo = databaseServices; wantedBy = [ "multi-user.target" ]; path = with pkgs; [ - cfg.package + keycloakBuild openssl replace-secret ]; environment = { - JBOSS_LOG_DIR = "/var/log/keycloak"; - JBOSS_BASE_DIR = "/run/keycloak"; - JBOSS_MODULEPATH = "${cfg.package}/modules"; + KC_HOME_DIR = "/run/keycloak"; + KC_CONF_DIR = "/run/keycloak/conf"; }; serviceConfig = { - LoadCredential = [ - "db_password:${cfg.database.passwordFile}" - ] ++ optionals (cfg.sslCertificate != null && cfg.sslCertificateKey != null) [ - "ssl_cert:${cfg.sslCertificate}" - "ssl_key:${cfg.sslCertificateKey}" - ]; + LoadCredential = + map (p: "${baseNameOf p}:${p}") secretPaths + ++ optionals (cfg.sslCertificate != null && cfg.sslCertificateKey != null) [ + "ssl_cert:${cfg.sslCertificate}" + "ssl_key:${cfg.sslCertificateKey}" + ]; User = "keycloak"; Group = "keycloak"; DynamicUser = true; - RuntimeDirectory = map (p: "keycloak/" + p) [ - "configuration" - "deployments" - "data" - "ssl" - "log" - "tmp" - ]; + RuntimeDirectory = "keycloak"; RuntimeDirectoryMode = 0700; - LogsDirectory = "keycloak"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; }; script = '' @@ -787,31 +651,30 @@ in umask u=rwx,g=,o= - install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration - install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml + ln -s ${themesBundle} /run/keycloak/themes + ln -s ${keycloakBuild}/providers /run/keycloak/ - replace-secret '@db-password@' "$CREDENTIALS_DIRECTORY/db_password" /run/keycloak/configuration/standalone.xml + install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf + + ${secretReplacements} - export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration - add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}' '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' - pushd /run/keycloak/ssl/ - cat "$CREDENTIALS_DIRECTORY/ssl_cert" <(echo) \ - "$CREDENTIALS_DIRECTORY/ssl_key" <(echo) \ - /etc/ssl/certs/ca-certificates.crt \ - > allcerts.pem - openssl pkcs12 -export -in "$CREDENTIALS_DIRECTORY/ssl_cert" -inkey "$CREDENTIALS_DIRECTORY/ssl_key" -chain \ - -name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \ - -CAfile allcerts.pem -passout pass:notsosecretpassword - popd + mkdir -p /run/keycloak/ssl + cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ '' + '' - ${cfg.package}/bin/standalone.sh + export KEYCLOAK_ADMIN=admin + export KEYCLOAK_ADMIN_PASSWORD=${cfg.initialAdminPassword} + kc.sh start ''; }; services.postgresql.enable = mkDefault createLocalPostgreSQL; services.mysql.enable = mkDefault createLocalMySQL; - services.mysql.package = mkIf createLocalMySQL pkgs.mariadb; + services.mysql.package = + let + dbPkg = if cfg.database.type == "mariadb" then pkgs.mariadb else pkgs.mysql80; + in + mkIf createLocalMySQL (mkDefault dbPkg); }; meta.doc = ./keycloak.xml; diff --git a/nixos/modules/services/web-apps/keycloak.xml b/nixos/modules/services/web-apps/keycloak.xml index cb706932f48..861756e33ac 100644 --- a/nixos/modules/services/web-apps/keycloak.xml +++ b/nixos/modules/services/web-apps/keycloak.xml @@ -27,10 +27,10 @@ <para> Refer to the <link - xlink:href="https://www.keycloak.org/docs/latest/server_admin/index.html#admin-console">Admin - Console section of the Keycloak Server Administration Guide</link> for - information on how to administer your - <productname>Keycloak</productname> instance. + xlink:href="https://www.keycloak.org/docs/latest/server_admin/index.html"> + Keycloak Server Administration Guide</link> for information on + how to administer your <productname>Keycloak</productname> + instance. </para> </section> @@ -38,27 +38,28 @@ <title>Database access</title> <para> <productname>Keycloak</productname> can be used with either - <productname>PostgreSQL</productname> or + <productname>PostgreSQL</productname>, + <productname>MariaDB</productname> or <productname>MySQL</productname>. Which one is used can be configured in <xref linkend="opt-services.keycloak.database.type" />. The selected database will automatically be enabled and a database and role created unless <xref - linkend="opt-services.keycloak.database.host" /> is changed from - its default of <literal>localhost</literal> or <xref - linkend="opt-services.keycloak.database.createLocally" /> is set - to <literal>false</literal>. + linkend="opt-services.keycloak.database.host" /> is changed + from its default of <literal>localhost</literal> or <xref + linkend="opt-services.keycloak.database.createLocally" /> is + set to <literal>false</literal>. </para> <para> External database access can also be configured by setting <xref linkend="opt-services.keycloak.database.host" />, <xref + linkend="opt-services.keycloak.database.name" />, <xref linkend="opt-services.keycloak.database.username" />, <xref linkend="opt-services.keycloak.database.useSSL" /> and <xref linkend="opt-services.keycloak.database.caCert" /> as - appropriate. Note that you need to manually create a database - called <literal>keycloak</literal> and allow the configured - database user full access to it. + appropriate. Note that you need to manually create the database + and allow the configured database user full access to it. </para> <para> @@ -79,22 +80,27 @@ </warning> </section> - <section xml:id="module-services-keycloak-frontendurl"> - <title>Frontend URL</title> + <section xml:id="module-services-keycloak-hostname"> + <title>Hostname</title> <para> - The frontend URL is used as base for all frontend requests and - must be configured through <xref linkend="opt-services.keycloak.frontendUrl" />. - It should normally include a trailing <literal>/auth</literal> - (the default web context). If you use a reverse proxy, you need - to set this option to <literal>""</literal>, so that frontend URL - is derived from HTTP headers. <literal>X-Forwarded-*</literal> headers - support also should be enabled, using <link - xlink:href="https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses"> - respective guidelines</link>. + The hostname is used to build the public URL used as base for + all frontend requests and must be configured through <xref + linkend="opt-services.keycloak.settings.hostname" />. </para> + <note> + <para> + If you're migrating an old Wildfly based Keycloak instance + and want to keep compatibility with your current clients, + you'll likely want to set <xref + linkend="opt-services.keycloak.settings.http-relative-path" + /> to <literal>/auth</literal>. See the option description + for more details. + </para> + </note> + <para> - <xref linkend="opt-services.keycloak.forceBackendUrlToFrontendUrl" /> + <xref linkend="opt-services.keycloak.settings.hostname-strict-backchannel" /> determines whether Keycloak should force all requests to go through the frontend URL. By default, <productname>Keycloak</productname> allows backend requests to @@ -104,10 +110,10 @@ </para> <para> - See the <link - xlink:href="https://www.keycloak.org/docs/latest/server_installation/#_hostname">Hostname - section of the Keycloak Server Installation and Configuration - Guide</link> for more information. + For more information on hostname configuration, see the <link + xlink:href="https://www.keycloak.org/server/hostname">Hostname + section of the Keycloak Server Installation and Configuration + Guide</link>. </para> </section> @@ -139,68 +145,40 @@ <section xml:id="module-services-keycloak-themes"> <title>Themes</title> <para> - You can package custom themes and make them visible to Keycloak via - <xref linkend="opt-services.keycloak.themes" /> - option. See the <link xlink:href="https://www.keycloak.org/docs/latest/server_development/#_themes"> + You can package custom themes and make them visible to + Keycloak through <xref linkend="opt-services.keycloak.themes" + />. See the <link + xlink:href="https://www.keycloak.org/docs/latest/server_development/#_themes"> Themes section of the Keycloak Server Development Guide</link> - and respective NixOS option description for more information. + and the description of the aforementioned NixOS option for + more information. </para> </section> - <section xml:id="module-services-keycloak-extra-config"> - <title>Additional configuration</title> + <section xml:id="module-services-keycloak-settings"> + <title>Configuration file settings</title> <para> - Additional Keycloak configuration options, for which no - explicit <productname>NixOS</productname> options are provided, - can be set in <xref linkend="opt-services.keycloak.extraConfig" />. + Keycloak server configuration parameters can be set in <xref + linkend="opt-services.keycloak.settings" />. These correspond + directly to options in + <filename>conf/keycloak.conf</filename>. Some of the most + important parameters are documented as suboptions, the rest can + be found in the <link + xlink:href="https://www.keycloak.org/server/all-config">All + configuration section of the Keycloak Server Installation and + Configuration Guide</link>. </para> <para> - Options are expressed as a Nix attribute set which matches the - structure of the jboss-cli configuration. The configuration is - effectively overlayed on top of the default configuration - shipped with Keycloak. To remove existing nodes and undefine - attributes from the default configuration, set them to - <literal>null</literal>. - </para> - <para> - For example, the following script, which removes the hostname - provider <literal>default</literal>, adds the deprecated - hostname provider <literal>fixed</literal> and defines it the - default: - -<programlisting> -/subsystem=keycloak-server/spi=hostname/provider=default:remove() -/subsystem=keycloak-server/spi=hostname/provider=fixed:add(enabled = true, properties = { hostname = "keycloak.example.com" }) -/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value="fixed") -</programlisting> - - would be expressed as - -<programlisting> -services.keycloak.extraConfig = { - "subsystem=keycloak-server" = { - "spi=hostname" = { - "provider=default" = null; - "provider=fixed" = { - enabled = true; - properties.hostname = "keycloak.example.com"; - }; - default-provider = "fixed"; - }; - }; -}; -</programlisting> - </para> - <para> - You can discover available options by using the <link - xlink:href="http://docs.wildfly.org/21/Admin_Guide.html#Command_Line_Interface">jboss-cli.sh</link> - program and by referring to the <link - xlink:href="https://www.keycloak.org/docs/latest/server_installation/index.html">Keycloak - Server Installation and Configuration Guide</link>. + Options containing secret data should be set to an attribute + set containing the attribute <literal>_secret</literal> - a + string pointing to a file containing the value the option + should be set to. See the description of <xref + linkend="opt-services.keycloak.settings" /> for an example. </para> </section> + <section xml:id="module-services-keycloak-example-config"> <title>Example configuration</title> <para> @@ -208,9 +186,11 @@ services.keycloak.extraConfig = { <programlisting> services.keycloak = { <link linkend="opt-services.keycloak.enable">enable</link> = true; + settings = { + <link linkend="opt-services.keycloak.settings.hostname">hostname</link> = "keycloak.example.com"; + <link linkend="opt-services.keycloak.settings.hostname-strict-backchannel">hostname-strict-backchannel</link> = true; + }; <link linkend="opt-services.keycloak.initialAdminPassword">initialAdminPassword</link> = "e6Wcm0RrtegMEHl"; # change on first login - <link linkend="opt-services.keycloak.frontendUrl">frontendUrl</link> = "https://keycloak.example.com/auth"; - <link linkend="opt-services.keycloak.forceBackendUrlToFrontendUrl">forceBackendUrlToFrontendUrl</link> = true; <link linkend="opt-services.keycloak.sslCertificate">sslCertificate</link> = "/run/keys/ssl_cert"; <link linkend="opt-services.keycloak.sslCertificateKey">sslCertificateKey</link> = "/run/keys/ssl_key"; <link linkend="opt-services.keycloak.database.passwordFile">database.passwordFile</link> = "/run/keys/db_password"; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 8208c85bfd7..fbfcc33b2dc 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -9,6 +9,8 @@ let RAILS_ENV = "production"; NODE_ENV = "production"; + LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so"; + # mastodon-web concurrency. WEB_CONCURRENCY = toString cfg.webProcesses; MAX_THREADS = toString cfg.webThreads; @@ -121,7 +123,7 @@ in { Make sure that websockets are forwarded properly. You might want to set up caching of some requests. Take a look at mastodon's provided nginx configuration at - <code>https://github.com/tootsuite/mastodon/blob/master/dist/nginx.conf</code>. + <code>https://github.com/mastodon/mastodon/blob/master/dist/nginx.conf</code>. ''; type = lib.types.bool; default = false; diff --git a/nixos/modules/services/web-apps/netbox.nix b/nixos/modules/services/web-apps/netbox.nix new file mode 100644 index 00000000000..a7d8bede74b --- /dev/null +++ b/nixos/modules/services/web-apps/netbox.nix @@ -0,0 +1,265 @@ +{ config, lib, pkgs, buildEnv, ... }: + +with lib; + +let + cfg = config.services.netbox; + staticDir = cfg.dataDir + "/static"; + configFile = pkgs.writeTextFile { + name = "configuration.py"; + text = '' + STATIC_ROOT = '${staticDir}' + ALLOWED_HOSTS = ['*'] + DATABASE = { + 'NAME': 'netbox', + 'USER': 'netbox', + 'HOST': '/run/postgresql', + } + + # Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate + # configuration exists for each. Full connection details are required in both sections, and it is strongly recommended + # to use two separate database IDs. + REDIS = { + 'tasks': { + 'URL': 'unix://${config.services.redis.servers.netbox.unixSocket}?db=0', + 'SSL': False, + }, + 'caching': { + 'URL': 'unix://${config.services.redis.servers.netbox.unixSocket}?db=1', + 'SSL': False, + } + } + + with open("${cfg.secretKeyFile}", "r") as file: + SECRET_KEY = file.readline() + + ${optionalString cfg.enableLdap "REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'"} + + ${cfg.extraConfig} + ''; + }; + pkg = (pkgs.netbox.overrideAttrs (old: { + installPhase = old.installPhase + '' + ln -s ${configFile} $out/opt/netbox/netbox/netbox/configuration.py + '' + optionalString cfg.enableLdap '' + ln -s ${ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py + ''; + })).override { + plugins = ps: ((cfg.plugins ps) + ++ optional cfg.enableLdap [ ps.django-auth-ldap ]); + }; + netboxManageScript = with pkgs; (writeScriptBin "netbox-manage" '' + #!${stdenv.shell} + export PYTHONPATH=${pkg.pythonPath} + sudo -u netbox ${pkg}/bin/netbox "$@" + ''); + +in { + options.services.netbox = { + enable = mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable Netbox. + + This module requires a reverse proxy that serves <literal>/static</literal> separately. + See this <link xlink:href="https://github.com/netbox-community/netbox/blob/develop/contrib/nginx.conf/">example</link> on how to configure this. + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "[::1]"; + description = '' + Address the server will listen on. + ''; + }; + + port = mkOption { + type = types.port; + default = 8001; + description = '' + Port the server will listen on. + ''; + }; + + plugins = mkOption { + type = types.functionTo (types.listOf types.package); + default = _: []; + defaultText = literalExpression '' + python3Packages: with python3Packages; []; + ''; + description = '' + List of plugin packages to install. + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/netbox"; + description = '' + Storage path of netbox. + ''; + }; + + secretKeyFile = mkOption { + type = types.path; + description = '' + Path to a file containing the secret key. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Additional lines of configuration appended to the <literal>configuration.py</literal>. + See the <link xlink:href="https://netbox.readthedocs.io/en/stable/configuration/optional-settings/">documentation</link> for more possible options. + ''; + }; + + enableLdap = mkOption { + type = types.bool; + default = false; + description = '' + Enable LDAP-Authentication for Netbox. + + This requires a configuration file being pass through <literal>ldapConfigPath</literal>. + ''; + }; + + ldapConfigPath = mkOption { + type = types.path; + default = ""; + description = '' + Path to the Configuration-File for LDAP-Authentification, will be loaded as <literal>ldap_config.py</literal>. + See the <link xlink:href="https://netbox.readthedocs.io/en/stable/installation/6-ldap/#configuration">documentation</link> for possible options. + ''; + }; + }; + + config = mkIf cfg.enable { + services.redis.servers.netbox.enable = true; + + services.postgresql = { + enable = true; + ensureDatabases = [ "netbox" ]; + ensureUsers = [ + { + name = "netbox"; + ensurePermissions = { + "DATABASE netbox" = "ALL PRIVILEGES"; + }; + } + ]; + }; + + environment.systemPackages = [ netboxManageScript ]; + + systemd.targets.netbox = { + description = "Target for all NetBox services"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" "redis-netbox.service" ]; + }; + + systemd.services = let + defaultServiceConfig = { + WorkingDirectory = "${cfg.dataDir}"; + User = "netbox"; + Group = "netbox"; + StateDirectory = "netbox"; + StateDirectoryMode = "0750"; + Restart = "on-failure"; + }; + in { + netbox-migration = { + description = "NetBox migrations"; + wantedBy = [ "netbox.target" ]; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + Type = "oneshot"; + ExecStart = '' + ${pkg}/bin/netbox migrate + ''; + }; + }; + + netbox = { + description = "NetBox WSGI Service"; + wantedBy = [ "netbox.target" ]; + after = [ "netbox-migration.service" ]; + + preStart = '' + ${pkg}/bin/netbox trace_paths --no-input + ${pkg}/bin/netbox collectstatic --no-input + ${pkg}/bin/netbox remove_stale_contenttypes --no-input + ''; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + ExecStart = '' + ${pkgs.python3Packages.gunicorn}/bin/gunicorn netbox.wsgi \ + --bind ${cfg.listenAddress}:${toString cfg.port} \ + --pythonpath ${pkg}/opt/netbox/netbox + ''; + }; + }; + + netbox-rq = { + description = "NetBox Request Queue Worker"; + wantedBy = [ "netbox.target" ]; + after = [ "netbox.service" ]; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + ExecStart = '' + ${pkg}/bin/netbox rqworker high default low + ''; + }; + }; + + netbox-housekeeping = { + description = "NetBox housekeeping job"; + after = [ "netbox.service" ]; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + Type = "oneshot"; + ExecStart = '' + ${pkg}/bin/netbox housekeeping + ''; + }; + }; + }; + + systemd.timers.netbox-housekeeping = { + description = "Run NetBox housekeeping job"; + wantedBy = [ "timers.target" ]; + + timerConfig = { + OnCalendar = "daily"; + }; + }; + + users.users.netbox = { + home = "${cfg.dataDir}"; + isSystemUser = true; + group = "netbox"; + }; + users.groups.netbox = {}; + users.groups."${config.services.redis.servers.netbox.user}".members = [ "netbox" ]; + }; +} diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index b32220a5e57..a4b886821eb 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -251,6 +251,23 @@ in { ''; }; + database = { + + createLocally = mkOption { + type = types.bool; + default = false; + description = '' + Create the database and database user locally. Only available for + mysql database. + Note that this option will use the latest version of MariaDB which + is not officially supported by Nextcloud. As for now a workaround + is used to also support MariaDB version >= 10.6. + ''; + }; + + }; + + config = { dbtype = mkOption { type = types.enum [ "sqlite" "pgsql" "mysql" ]; @@ -505,6 +522,29 @@ in { The nextcloud-occ program preconfigured to target this Nextcloud instance. ''; }; + globalProfiles = mkEnableOption "global profiles" // { + description = '' + Makes user-profiles globally available under <literal>nextcloud.tld/u/user.name</literal>. + Even though it's enabled by default in Nextcloud, it must be explicitly enabled + here because it has the side-effect that personal information is even accessible to + unauthenticated users by default. + + By default, the following properties are set to <quote>Show to everyone</quote> + if this flag is enabled: + <itemizedlist> + <listitem><para>About</para></listitem> + <listitem><para>Full name</para></listitem> + <listitem><para>Headline</para></listitem> + <listitem><para>Organisation</para></listitem> + <listitem><para>Profile picture</para></listitem> + <listitem><para>Role</para></listitem> + <listitem><para>Twitter</para></listitem> + <listitem><para>Website</para></listitem> + </itemizedlist> + + Only has an effect in Nextcloud 23 and later. + ''; + }; nginx.recommendedHttpHeaders = mkOption { type = types.bool; @@ -583,6 +623,12 @@ in { else pkgs.php80; } + { assertions = [ + { assertion = cfg.database.createLocally -> cfg.config.dbtype == "mysql"; + message = ''services.nextcloud.config.dbtype must be set to mysql if services.nextcloud.database.createLocally is set to true.''; + } + ]; } + { systemd.timers.nextcloud-cron = { wantedBy = [ "timers.target" ]; timerConfig.OnBootSec = "5m"; @@ -627,6 +673,8 @@ in { if x == null then "false" else boolToString x; + nextcloudGreaterOrEqualThan = req: versionAtLeast cfg.package.version req; + overrideConfig = pkgs.writeText "nextcloud-config.php" '' <?php ${optionalString requiresReadSecretFunction '' @@ -666,6 +714,7 @@ in { 'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)}, 'trusted_proxies' => ${writePhpArrary (c.trustedProxies)}, ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"} + ${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles}"} ${objectstoreConfig} ]; ''; @@ -811,6 +860,32 @@ in { environment.systemPackages = [ occ ]; + services.mysql = lib.mkIf cfg.database.createLocally { + enable = true; + package = lib.mkDefault pkgs.mariadb; + ensureDatabases = [ cfg.config.dbname ]; + ensureUsers = [{ + name = cfg.config.dbuser; + ensurePermissions = { "${cfg.config.dbname}.*" = "ALL PRIVILEGES"; }; + }]; + # FIXME(@Ma27) Nextcloud isn't compatible with mariadb 10.6, + # this is a workaround. + # See https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/22 + settings = { + mysqld = { + innodb_read_only_compressed = 0; + }; + }; + initialScript = pkgs.writeText "mysql-init" '' + CREATE USER '${cfg.config.dbname}'@'localhost' IDENTIFIED BY '${builtins.readFile( cfg.config.dbpassFile )}'; + CREATE DATABASE IF NOT EXISTS ${cfg.config.dbname}; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES ON ${cfg.config.dbname}.* TO '${cfg.config.dbuser}'@'localhost' + IDENTIFIED BY '${builtins.readFile( cfg.config.dbpassFile )}'; + FLUSH privileges; + ''; + }; + services.nginx.enable = mkDefault true; services.nginx.virtualHosts.${cfg.hostName} = { diff --git a/nixos/modules/services/web-apps/nifi.nix b/nixos/modules/services/web-apps/nifi.nix new file mode 100644 index 00000000000..21a63127264 --- /dev/null +++ b/nixos/modules/services/web-apps/nifi.nix @@ -0,0 +1,318 @@ +{ lib, pkgs, config, options, ... }: + +let + cfg = config.services.nifi; + opt = options.services.nifi; + + env = { + NIFI_OVERRIDE_NIFIENV = "true"; + NIFI_HOME = "/var/lib/nifi"; + NIFI_PID_DIR = "/run/nifi"; + NIFI_LOG_DIR = "/var/log/nifi"; + }; + + envFile = pkgs.writeText "nifi.env" (lib.concatMapStrings (s: s + "\n") ( + (lib.concatLists (lib.mapAttrsToList (name: value: + if value != null then [ + "${name}=\"${toString value}\"" + ] else [] + ) env)))); + + nifiEnv = pkgs.writeShellScriptBin "nifi-env" '' + set -a + source "${envFile}" + eval -- "\$@" + ''; + +in { + options = { + services.nifi = { + enable = lib.mkEnableOption "Apache NiFi"; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.nifi; + defaultText = lib.literalExpression "pkgs.nifi"; + description = "Apache NiFi package to use."; + }; + + user = lib.mkOption { + type = lib.types.str; + default = "nifi"; + description = "User account where Apache NiFi runs."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "nifi"; + description = "Group account where Apache NiFi runs."; + }; + + enableHTTPS = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Enable HTTPS protocol. Don`t use in production."; + }; + + listenHost = lib.mkOption { + type = lib.types.str; + default = if cfg.enableHTTPS then "0.0.0.0" else "127.0.0.1"; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "0.0.0.0" + else "127.0.0.1" + ''; + description = "Bind to an ip for Apache NiFi web-ui."; + }; + + listenPort = lib.mkOption { + type = lib.types.int; + default = if cfg.enableHTTPS then 8443 else 8080; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "8443" + else "8000" + ''; + description = "Bind to a port for Apache NiFi web-ui."; + }; + + proxyHost = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = if cfg.enableHTTPS then "0.0.0.0" else null; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "0.0.0.0" + else null + ''; + description = "Allow requests from a specific host."; + }; + + proxyPort = lib.mkOption { + type = lib.types.nullOr lib.types.int; + default = if cfg.enableHTTPS then 8443 else null; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "8443" + else null + ''; + description = "Allow requests from a specific port."; + }; + + initUser = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "Initial user account for Apache NiFi. Username must be at least 4 characters."; + }; + + initPasswordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/keys/nifi/password-nifi"; + description = "nitial password for Apache NiFi. Password must be at least 12 characters."; + }; + + initJavaHeapSize = lib.mkOption { + type = lib.types.nullOr lib.types.int; + default = null; + example = 1024; + description = "Set the initial heap size for the JVM in MB."; + }; + + maxJavaHeapSize = lib.mkOption { + type = lib.types.nullOr lib.types.int; + default = null; + example = 2048; + description = "Set the initial heap size for the JVM in MB."; + }; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { assertion = cfg.initUser!=null || cfg.initPasswordFile==null; + message = '' + <option>services.nifi.initUser</option> needs to be set if <option>services.nifi.initPasswordFile</option> enabled. + ''; + } + { assertion = cfg.initUser==null || cfg.initPasswordFile!=null; + message = '' + <option>services.nifi.initPasswordFile</option> needs to be set if <option>services.nifi.initUser</option> enabled. + ''; + } + { assertion = cfg.proxyHost==null || cfg.proxyPort!=null; + message = '' + <option>services.nifi.proxyPort</option> needs to be set if <option>services.nifi.proxyHost</option> value specified. + ''; + } + { assertion = cfg.proxyHost!=null || cfg.proxyPort==null; + message = '' + <option>services.nifi.proxyHost</option> needs to be set if <option>services.nifi.proxyPort</option> value specified. + ''; + } + { assertion = cfg.initJavaHeapSize==null || cfg.maxJavaHeapSize!=null; + message = '' + <option>services.nifi.maxJavaHeapSize</option> needs to be set if <option>services.nifi.initJavaHeapSize</option> value specified. + ''; + } + { assertion = cfg.initJavaHeapSize!=null || cfg.maxJavaHeapSize==null; + message = '' + <option>services.nifi.initJavaHeapSize</option> needs to be set if <option>services.nifi.maxJavaHeapSize</option> value specified. + ''; + } + ]; + + warnings = lib.optional (cfg.enableHTTPS==false) '' + Please do not disable HTTPS mode in production. In this mode, access to the nifi is opened without authentication. + ''; + + systemd.tmpfiles.rules = [ + "d '/var/lib/nifi/conf' 0750 ${cfg.user} ${cfg.group}" + "L+ '/var/lib/nifi/lib' - - - - ${cfg.package}/lib" + ]; + + + systemd.services.nifi = { + description = "Apache NiFi"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment = env; + path = [ pkgs.gawk ]; + + serviceConfig = { + Type = "forking"; + PIDFile = "/run/nifi/nifi.pid"; + ExecStartPre = pkgs.writeScript "nifi-pre-start.sh" '' + #!/bin/sh + umask 077 + test -f '/var/lib/nifi/conf/authorizers.xml' || (cp '${cfg.package}/share/nifi/conf/authorizers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/authorizers.xml') + test -f '/var/lib/nifi/conf/bootstrap.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap.conf') + test -f '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap-hashicorp-vault.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf') + test -f '/var/lib/nifi/conf/bootstrap-notification-services.xml' || (cp '${cfg.package}/share/nifi/conf/bootstrap-notification-services.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-notification-services.xml') + test -f '/var/lib/nifi/conf/logback.xml' || (cp '${cfg.package}/share/nifi/conf/logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/logback.xml') + test -f '/var/lib/nifi/conf/login-identity-providers.xml' || (cp '${cfg.package}/share/nifi/conf/login-identity-providers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/login-identity-providers.xml') + test -f '/var/lib/nifi/conf/nifi.properties' || (cp '${cfg.package}/share/nifi/conf/nifi.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/nifi.properties') + test -f '/var/lib/nifi/conf/stateless-logback.xml' || (cp '${cfg.package}/share/nifi/conf/stateless-logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless-logback.xml') + test -f '/var/lib/nifi/conf/stateless.properties' || (cp '${cfg.package}/share/nifi/conf/stateless.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless.properties') + test -f '/var/lib/nifi/conf/state-management.xml' || (cp '${cfg.package}/share/nifi/conf/state-management.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/state-management.xml') + test -f '/var/lib/nifi/conf/zookeeper.properties' || (cp '${cfg.package}/share/nifi/conf/zookeeper.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/zookeeper.properties') + test -d '/var/lib/nifi/docs/html' || (mkdir -p /var/lib/nifi/docs && cp -r '${cfg.package}/share/nifi/docs/html' '/var/lib/nifi/docs/html') + ${lib.optionalString ((cfg.initUser != null) && (cfg.initPasswordFile != null)) '' + awk -F'[<|>]' '/property name="Username"/ {if ($3!="") f=1} END{exit !f}' /var/lib/nifi/conf/login-identity-providers.xml || ${cfg.package}/bin/nifi.sh set-single-user-credentials ${cfg.initUser} $(cat ${cfg.initPasswordFile}) + ''} + ${lib.optionalString (cfg.enableHTTPS == false) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=false|g' \ + -e 's|nifi.web.http.host=.*|nifi.web.http.host=${cfg.listenHost}|g' \ + -e 's|nifi.web.http.port=.*|nifi.web.http.port=${(toString cfg.listenPort)}|g' \ + -e 's|nifi.web.https.host=.*|nifi.web.https.host=|g' \ + -e 's|nifi.web.https.port=.*|nifi.web.https.port=|g' \ + -e 's|nifi.security.keystore=.*|nifi.security.keystore=|g' \ + -e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=|g' \ + -e 's|nifi.security.truststore=.*|nifi.security.truststore=|g' \ + -e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=|g' \ + -e '/nifi.security.keystorePasswd/s|^|#|' \ + -e '/nifi.security.keyPasswd/s|^|#|' \ + -e '/nifi.security.truststorePasswd/s|^|#|' + ''} + ${lib.optionalString (cfg.enableHTTPS == true) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=true|g' \ + -e 's|nifi.web.http.host=.*|nifi.web.http.host=|g' \ + -e 's|nifi.web.http.port=.*|nifi.web.http.port=|g' \ + -e 's|nifi.web.https.host=.*|nifi.web.https.host=${cfg.listenHost}|g' \ + -e 's|nifi.web.https.port=.*|nifi.web.https.port=${(toString cfg.listenPort)}|g' \ + -e 's|nifi.security.keystore=.*|nifi.security.keystore=./conf/keystore.p12|g' \ + -e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=PKCS12|g' \ + -e 's|nifi.security.truststore=.*|nifi.security.truststore=./conf/truststore.p12|g' \ + -e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=PKCS12|g' \ + -e '/nifi.security.keystorePasswd/s|^#\+||' \ + -e '/nifi.security.keyPasswd/s|^#\+||' \ + -e '/nifi.security.truststorePasswd/s|^#\+||' + ''} + ${lib.optionalString ((cfg.enableHTTPS == true) && (cfg.proxyHost != null) && (cfg.proxyPort != null)) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=${cfg.proxyHost}:${(toString cfg.proxyPort)}|g' + ''} + ${lib.optionalString ((cfg.enableHTTPS == false) || (cfg.proxyHost == null) && (cfg.proxyPort == null)) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=|g' + ''} + ${lib.optionalString ((cfg.initJavaHeapSize != null) && (cfg.maxJavaHeapSize != null))'' + sed -i /var/lib/nifi/conf/bootstrap.conf \ + -e 's|java.arg.2=.*|java.arg.2=-Xms${(toString cfg.initJavaHeapSize)}m|g' \ + -e 's|java.arg.3=.*|java.arg.3=-Xmx${(toString cfg.maxJavaHeapSize)}m|g' + ''} + ${lib.optionalString ((cfg.initJavaHeapSize == null) && (cfg.maxJavaHeapSize == null))'' + sed -i /var/lib/nifi/conf/bootstrap.conf \ + -e 's|java.arg.2=.*|java.arg.2=-Xms512m|g' \ + -e 's|java.arg.3=.*|java.arg.3=-Xmx512m|g' + ''} + ''; + ExecStart = "${cfg.package}/bin/nifi.sh start"; + ExecStop = "${cfg.package}/bin/nifi.sh stop"; + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "nifi"; + RuntimeDirectoryMode = "0750"; + # State directory and mode + StateDirectory = "nifi"; + StateDirectoryMode = "0750"; + # Logs directory and mode + LogsDirectory = "nifi"; + LogsDirectoryMode = "0750"; + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; + # Access write directories + ReadWritePaths = [ cfg.initPasswordFile ]; + UMask = "0027"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateIPC = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = false; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @resources @privileged @setuid" "@chown" ]; + }; + }; + + users.users = lib.mkMerge [ + (lib.mkIf (cfg.user == "nifi") { + nifi = { + group = cfg.group; + isSystemUser = true; + home = cfg.package; + }; + }) + (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package nifiEnv ]) + ]; + + users.groups = lib.optionalAttrs (cfg.group == "nifi") { + nifi = { }; + }; + }; +} diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index d817ff6019a..3099705acbe 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -710,20 +710,15 @@ in services.logrotate = optionalAttrs (cfg.logFormat != "none") { enable = mkDefault true; - paths.httpd = { - path = "${cfg.logDir}/*.log"; - user = cfg.user; - group = cfg.group; + settings.httpd = { + files = "${cfg.logDir}/*.log"; + su = "${cfg.user} ${cfg.group}"; frequency = "daily"; - keep = 28; - extraConfig = '' - sharedscripts - compress - delaycompress - postrotate - systemctl reload httpd.service > /dev/null 2>/dev/null || true - endscript - ''; + rotate = 28; + sharedscripts = true; + compress = true; + delaycompress = true; + postrotate = "systemctl reload httpd.service > /dev/null 2>/dev/null || true"; }; }; diff --git a/nixos/modules/services/web-servers/hydron.nix b/nixos/modules/services/web-servers/hydron.nix index a4a5a435b2e..46f62a9119f 100644 --- a/nixos/modules/services/web-servers/hydron.nix +++ b/nixos/modules/services/web-servers/hydron.nix @@ -161,5 +161,5 @@ in with lib; { (mkRenamedOptionModule [ "services" "hydron" "baseDir" ] [ "services" "hydron" "dataDir" ]) ]; - meta.maintainers = with maintainers; [ chiiruno ]; + meta.maintainers = with maintainers; [ Madouura ]; } diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index e046c28dd6b..0c2333399e8 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -255,20 +255,22 @@ let else defaultListen; listenString = { addr, port, ssl, extraParameters ? [], ... }: - "listen ${addr}:${toString port} " - + optionalString ssl "ssl " + (if ssl && vhost.http3 then " + # UDP listener for **QUIC+HTTP/3 + listen ${addr}:${toString port} http3 " + + optionalString vhost.default "default_server " + + optionalString vhost.reuseport "reuseport " + + optionalString (extraParameters != []) (concatStringsSep " " extraParameters) + + ";" else "") + + " + + listen ${addr}:${toString port} " + optionalString (ssl && vhost.http2) "http2 " + + optionalString ssl "ssl " + optionalString vhost.default "default_server " + + optionalString vhost.reuseport "reuseport " + optionalString (extraParameters != []) (concatStringsSep " " extraParameters) - + ";" - + (if ssl && vhost.http3 then '' - # UDP listener for **QUIC+HTTP/3 - listen ${addr}:${toString port} http3 reuseport; - # Advertise that HTTP/3 is available - add_header Alt-Svc 'h3=":443"'; - # Sent when QUIC was used - add_header QUIC-Status $quic; - '' else ""); + + ";"; redirectListen = filter (x: !x.ssl) defaultListen; @@ -321,6 +323,11 @@ let ssl_conf_command Options KTLS; ''} + ${optionalString (hasSSL && vhost.http3) '' + # Advertise that HTTP/3 is available + add_header Alt-Svc 'h3=":443"; ma=86400' always; + ''} + ${mkBasicAuth vhostName vhost} ${mkLocations vhost.locations} @@ -989,17 +996,14 @@ in nginx.gid = config.ids.gids.nginx; }; - services.logrotate.paths.nginx = mapAttrs (_: mkDefault) { - path = "/var/log/nginx/*.log"; + services.logrotate.settings.nginx = mapAttrs (_: mkDefault) { + files = "/var/log/nginx/*.log"; frequency = "weekly"; - keep = 26; - extraConfig = '' - compress - delaycompress - postrotate - [ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid` - endscript - ''; + su = "${cfg.user} ${cfg.group}"; + rotate = 26; + compress = true; + delaycompress = true; + postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; }; }; } diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index c4e8285dc48..2c77d6ee816 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -20,7 +20,7 @@ with lib; serverAliases = mkOption { type = types.listOf types.str; default = []; - example = ["www.example.org" "example.org"]; + example = [ "www.example.org" "example.org" ]; description = '' Additional names of virtual hosts served by this virtual host configuration. ''; @@ -31,11 +31,11 @@ with lib; addr = mkOption { type = str; description = "IP address."; }; port = mkOption { type = int; description = "Port number."; default = 80; }; ssl = mkOption { type = bool; description = "Enable SSL."; default = false; }; - extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "reuseport" "deferred" ]; }; + extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; }; }; }); default = []; example = [ - { addr = "195.154.1.1"; port = 443; ssl = true;} + { addr = "195.154.1.1"; port = 443; ssl = true; } { addr = "192.154.1.1"; port = 80; } ]; description = '' @@ -207,6 +207,15 @@ with lib; ''; }; + reuseport = mkOption { + type = types.bool; + default = false; + description = '' + Create an individual listening socket . + It is required to specify only once on one of the hosts. + ''; + }; + root = mkOption { type = types.nullOr types.path; default = null; diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 3a78a526460..705dbec5e74 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; @@ -196,7 +196,7 @@ in programs.evince.enable = mkDefault true; programs.file-roller.enable = mkDefault true; - environment.systemPackages = (with pkgs // pkgs.gnome // pkgs.cinnamon; pkgs.gnome.removePackagesByName [ + environment.systemPackages = with pkgs // pkgs.gnome // pkgs.cinnamon; utils.removePackagesByName [ # cinnamon team apps bulky blueberry @@ -212,7 +212,7 @@ in # external apps shipped with linux-mint hexchat gnome-calculator - ] config.environment.cinnamon.excludePackages); + ] config.environment.cinnamon.excludePackages; }) ]; } diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index d1513a596b9..654079023cb 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -92,6 +92,7 @@ in services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; + services.xserver.libinput.enable = mkDefault true; services.dbus.packages = [ e.efl ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index e2323785149..e7e626c66f0 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; @@ -22,6 +22,9 @@ let favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ] ''; + nixos-background-ligtht = pkgs.nixos-artwork.wallpapers.simple-blue; + nixos-background-dark = pkgs.nixos-artwork.wallpapers.simple-dark-gray; + nixos-gsettings-desktop-schemas = let defaultPackages = with pkgs; [ gsettings-desktop-schemas gnome.gnome-shell ]; in @@ -42,10 +45,11 @@ let chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF [org.gnome.desktop.background] - picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}' + picture-uri='file://${nixos-background-ligtht.gnomeFilePath}' + picture-uri-dark='file://${nixos-background-dark.gnomeFilePath}' [org.gnome.desktop.screensaver] - picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath}' + picture-uri='file://${nixos-background-dark.gnomeFilePath}' ${cfg.favoriteAppsOverride} @@ -55,6 +59,26 @@ let ${pkgs.glib.dev}/bin/glib-compile-schemas $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/ ''; + nixos-background-info = pkgs.writeTextFile rec { + name = "nixos-background-info"; + text = '' + <?xml version="1.0"?> + <!DOCTYPE wallpapers SYSTEM "gnome-wp-list.dtd"> + <wallpapers> + <wallpaper deleted="false"> + <name>Blobs</name> + <filename>${nixos-background-ligtht.gnomeFilePath}</filename> + <filename-dark>${nixos-background-dark.gnomeFilePath}</filename-dark> + <options>zoom</options> + <shade_type>solid</shade_type> + <pcolor>#3a4ba0</pcolor> + <scolor>#2f302f</scolor> + </wallpaper> + </wallpapers> + ''; + destination = "/share/gnome-background-properties/nixos.xml"; + }; + flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0; flashbackWms = optional cfg.flashback.enableMetacity { wmName = "metacity"; @@ -132,6 +156,10 @@ in [ "environment" "gnome3" "excludePackages" ] [ "environment" "gnome" "excludePackages" ] ) + (mkRemovedOptionModule + [ "services" "gnome" "experimental-features" "realtime-scheduling" ] + "Set `security.rtkit.enable = true;` to make realtime scheduling possible. (Still needs to be enabled using GSettings.)" + ) ]; options = { @@ -142,38 +170,6 @@ in core-utilities.enable = mkEnableOption "GNOME core utilities"; core-developer-tools.enable = mkEnableOption "GNOME core developer tools"; games.enable = mkEnableOption "GNOME games"; - - experimental-features = { - realtime-scheduling = mkOption { - type = types.bool; - default = false; - description = '' - Makes mutter (which propagates to gnome-shell) request a low priority real-time - scheduling which is only available on the wayland session. - To enable this experimental feature it requires a restart of the compositor. - Note that enabling this option only enables the <emphasis>capability</emphasis> - for realtime-scheduling to be used. It doesn't automatically set the gsetting - so that mutter actually uses realtime-scheduling. This would require adding <literal> - rt-scheduler</literal> to <literal>/org/gnome/mutter/experimental-features</literal> - with dconf-editor. You cannot use extraGSettingsOverrides because that will only - change the default value of the setting. - - Please be aware of these known issues with the feature in nixos: - <itemizedlist> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/issues/90201">NixOS/nixpkgs#90201</link> - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/issues/86730">NixOS/nixpkgs#86730</link> - </para> - </listitem> - </itemizedlist> - ''; - }; - }; }; services.xserver.desktopManager.gnome = { @@ -414,7 +410,6 @@ in services.gnome.rygel.enable = mkDefault true; services.gvfs.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.telepathy.enable = mkDefault true; systemd.packages = with pkgs.gnome; [ gnome-session @@ -459,6 +454,7 @@ in # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-shell.bst environment.systemPackages = with pkgs.gnome; [ adwaita-icon-theme + nixos-background-info gnome-backgrounds gnome-bluetooth gnome-color-manager @@ -467,8 +463,6 @@ in gnome-shell-extensions gnome-themes-extra pkgs.gnome-tour # GNOME Shell detects the .desktop file on first log-in. - pkgs.nixos-artwork.wallpapers.simple-dark-gray - pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom pkgs.gnome-user-docs pkgs.orca pkgs.glib # for gsettings @@ -480,51 +474,28 @@ in ]; }) - # Enable soft realtime scheduling, only supported on wayland - (mkIf serviceCfg.experimental-features.realtime-scheduling { - security.wrappers.".gnome-shell-wrapped" = { - source = "${pkgs.gnome.gnome-shell}/bin/.gnome-shell-wrapped"; - owner = "root"; - group = "root"; - capabilities = "cap_sys_nice=ep"; - }; - - systemd.user.services.gnome-shell-wayland = let - gnomeShellRT = with pkgs.gnome; pkgs.runCommand "gnome-shell-rt" {} '' - mkdir -p $out/bin/ - cp ${gnome-shell}/bin/gnome-shell $out/bin - sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell - ''; - in { - # Note we need to clear ExecStart before overriding it - serviceConfig.ExecStart = ["" "${gnomeShellRT}/bin/gnome-shell"]; - # Do not use the default environment, it provides a broken PATH - environment = mkForce {}; - }; - }) - # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-utilities.bst (mkIf serviceCfg.core-utilities.enable { environment.systemPackages = with pkgs.gnome; - removePackagesByName + utils.removePackagesByName ([ baobab cheese eog epiphany - gedit + pkgs.gnome-text-editor gnome-calculator gnome-calendar gnome-characters gnome-clocks + pkgs.gnome-console gnome-contacts gnome-font-viewer gnome-logs gnome-maps gnome-music pkgs.gnome-photos - gnome-screenshot gnome-system-monitor gnome-weather nautilus @@ -547,10 +518,13 @@ in programs.file-roller.enable = notExcluded pkgs.gnome.file-roller; programs.geary.enable = notExcluded pkgs.gnome.geary; programs.gnome-disks.enable = notExcluded pkgs.gnome.gnome-disk-utility; - programs.gnome-terminal.enable = notExcluded pkgs.gnome.gnome-terminal; programs.seahorse.enable = notExcluded pkgs.gnome.seahorse; services.gnome.sushi.enable = notExcluded pkgs.gnome.sushi; + # VTE shell integration for gnome-console + programs.bash.vteIntegration = mkDefault true; + programs.zsh.vteIntegration = mkDefault true; + # Let nautilus find extensions # TODO: Create nautilus-with-extensions package environment.sessionVariables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0"; @@ -564,7 +538,7 @@ in }) (mkIf serviceCfg.games.enable { - environment.systemPackages = (with pkgs.gnome; removePackagesByName [ + environment.systemPackages = with pkgs.gnome; utils.removePackagesByName [ aisleriot atomix five-or-more @@ -585,12 +559,12 @@ in quadrapassel swell-foop tali - ] config.environment.gnome.excludePackages); + ] config.environment.gnome.excludePackages; }) # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/-/blob/3.38.0/elements/core/meta-gnome-core-developer-tools.bst (mkIf serviceCfg.core-developer-tools.enable { - environment.systemPackages = (with pkgs.gnome; removePackagesByName [ + environment.systemPackages = with pkgs.gnome; utils.removePackagesByName [ dconf-editor devhelp pkgs.gnome-builder @@ -599,7 +573,7 @@ in # in default configurations. # https://github.com/NixOS/nixpkgs/issues/60908 /* gnome-boxes */ - ] config.environment.gnome.excludePackages); + ] config.environment.gnome.excludePackages; services.sysprof.enable = notExcluded pkgs.sysprof; }) diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index 720985ba0d9..3c912d72611 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; @@ -51,7 +51,7 @@ in environment.systemPackages = pkgs.lxqt.preRequisitePackages ++ pkgs.lxqt.corePackages ++ - (pkgs.gnome.removePackagesByName + (utils.removePackagesByName pkgs.lxqt.optionalPackages config.environment.lxqt.excludePackages); @@ -62,6 +62,9 @@ in services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; + + xdg.portal.enable = true; + xdg.portal.extraPortals = [ pkgs.lxqt.xdg-desktop-portal-lxqt ]; }; } diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index a7fda4be979..9ab4c6e7e98 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -1,20 +1,9 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; let - addToXDGDirs = p: '' - if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} - fi - - if [ -d "${p}/lib/girepository-1.0" ]; then - export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib - fi - ''; - xcfg = config.services.xserver; cfg = xcfg.desktopManager.mate; @@ -48,24 +37,8 @@ in pkgs.mate.mate-session-manager ]; - services.xserver.displayManager.sessionCommands = '' - if test "$XDG_CURRENT_DESKTOP" = "MATE"; then - export XDG_MENU_PREFIX=mate- - - # Let caja find extensions - export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0 - - # Let caja extensions find gsettings schemas - ${concatMapStrings (p: '' - if [ -d "${p}/lib/caja/extensions-2.0" ]; then - ${addToXDGDirs p} - fi - '') config.environment.systemPackages} - - # Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive) - ${addToXDGDirs pkgs.mate.mate-control-center} - fi - ''; + # Let caja find extensions + environment.sessionVariables.CAJA_EXTENSION_DIRS = [ "${config.system.path}/lib/caja/extensions-2.0" ]; # Let mate-panel find applets environment.sessionVariables."MATE_PANEL_APPLETS_DIR" = "${config.system.path}/share/mate-panel/applets"; @@ -74,7 +47,7 @@ in # Debugging environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1"; - environment.systemPackages = pkgs.gnome.removePackagesByName + environment.systemPackages = utils.removePackagesByName (pkgs.mate.basePackages ++ pkgs.mate.extraPackages ++ [ @@ -83,7 +56,6 @@ in pkgs.gtk3.out pkgs.shared-mime-info pkgs.xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ - pkgs.mate.mate-settings-daemon pkgs.yelp # for 'Contents' in 'Help' menus ]) config.environment.mate.excludePackages; diff --git a/nixos/modules/services/x11/desktop-managers/none.nix b/nixos/modules/services/x11/desktop-managers/none.nix index af7a376ae02..b5e498b67a0 100644 --- a/nixos/modules/services/x11/desktop-managers/none.nix +++ b/nixos/modules/services/x11/desktop-managers/none.nix @@ -1,7 +1,46 @@ +{ config, lib, pkgs, ... }: +with lib; +let + runXdgAutostart = config.services.xserver.desktopManager.runXdgAutostartIfNone; +in { - services.xserver.desktopManager.session = - [ { name = "none"; - start = ""; - } - ]; + options = { + services.xserver.desktopManager.runXdgAutostartIfNone = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run XDG autostart files for sessions without a desktop manager + (with only a window manager), these sessions usually don't handle XDG + autostart files by default. + + Some services like <option>i18n.inputMethod</option> and + <option>service.earlyoom</option> use XDG autostart files to start. + If this option is not set to <literal>true</literal> and you are using + a window manager without a desktop manager, you need to manually start + them or running <package>dex</package> somewhere. + ''; + }; + }; + + config = mkMerge [ + { + services.xserver.desktopManager.session = [ + { + name = "none"; + start = optionalString runXdgAutostart '' + /run/current-system/systemd/bin/systemctl --user start xdg-autostart-if-no-desktop-manager.target + ''; + } + ]; + } + (mkIf runXdgAutostart { + systemd.user.targets.xdg-autostart-if-no-desktop-manager = { + description = "Run XDG autostart files"; + # From `plasma-workspace`, `share/systemd/user/plasma-workspace@.target`. + requires = [ "xdg-desktop-autostart.target" "graphical-session.target" ]; + before = [ "xdg-desktop-autostart.target" "graphical-session.target" ]; + bindsTo = [ "graphical-session.target" ]; + }; + }) + ]; } diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 8ff9b0b756d..004d14b634d 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, utils, pkgs, ... }: with lib; @@ -214,15 +214,13 @@ in elementary-settings-daemon pantheon-agent-geoclue2 pantheon-agent-polkit - ]) ++ (gnome.removePackagesByName [ + ]) ++ (utils.removePackagesByName [ gnome.gnome-font-viewer gnome.gnome-settings-daemon338 ] config.environment.pantheon.excludePackages); programs.evince.enable = mkDefault true; - programs.evince.package = pkgs.pantheon.evince; programs.file-roller.enable = mkDefault true; - programs.file-roller.package = pkgs.pantheon.file-roller; # Settings from elementary-default-settings environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; @@ -274,7 +272,7 @@ in }) (mkIf serviceCfg.apps.enable { - environment.systemPackages = with pkgs.pantheon; pkgs.gnome.removePackagesByName ([ + environment.systemPackages = with pkgs.pantheon; utils.removePackagesByName ([ elementary-calculator elementary-calendar elementary-camera diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.xml b/nixos/modules/services/x11/desktop-managers/pantheon.xml index 202909d398f..6226f8f6a27 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.xml +++ b/nixos/modules/services/x11/desktop-managers/pantheon.xml @@ -3,7 +3,7 @@ xml:id="chap-pantheon"> <title>Pantheon Desktop</title> <para> - Pantheon is the desktop environment created for the elementary OS distribution. It is written from scratch in Vala, utilizing GNOME technologies with GTK 3 and Granite. + Pantheon is the desktop environment created for the elementary OS distribution. It is written from scratch in Vala, utilizing GNOME technologies with GTK and Granite. </para> <section xml:id="sec-pantheon-enable"> <title>Enabling Pantheon</title> @@ -89,9 +89,9 @@ switchboard-with-plugs.override { </para> </listitem> </varlistentry> - <varlistentry xml:id="sec-pantheon-faq-gnome3-and-pantheon"> + <varlistentry xml:id="sec-pantheon-faq-gnome-and-pantheon"> <term> - I cannot enable both GNOME 3 and Pantheon. + I cannot enable both GNOME and Pantheon. </term> <listitem> <para> diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index b7aa2eba81c..3ca044ad5bc 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -519,7 +519,7 @@ in with plasma5; with kdeApplications; with kdeFrameworks; [ # Basic packages without which Plasma Mobile fails to work properly. - plasma-phone-components + plasma-mobile plasma-nano pkgs.maliit-framework pkgs.maliit-keyboard @@ -573,7 +573,7 @@ in }; }; - services.xserver.displayManager.sessionPackages = [ pkgs.libsForQt5.plasma5.plasma-phone-components ]; + services.xserver.displayManager.sessionPackages = [ pkgs.libsForQt5.plasma5.plasma-mobile ]; }) ]; } diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 3cf92f98c56..88b21e59aaa 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -66,6 +66,12 @@ in default = true; description = "Enable the XFWM (default) window manager."; }; + + enableScreensaver = mkOption { + type = types.bool; + default = true; + description = "Enable the XFCE screensaver."; + }; }; }; @@ -122,7 +128,7 @@ in ] ++ optionals (!cfg.noDesktop) [ xfce4-panel xfdesktop - ]; + ] ++ optional cfg.enableScreensaver xfce4-screensaver; environment.pathsToLink = [ "/share/xfce4" @@ -168,5 +174,6 @@ in xfce4-notifyd ]; + security.pam.services.xfce4-screensaver.unixAuth = cfg.enableScreensaver; }; } diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index b1dc6643be8..70ae6b8978d 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -141,7 +141,7 @@ in GDM_X_SERVER_EXTRA_ARGS = toString (filter (arg: arg != "-terminate") cfg.xserverArgs); # GDM is needed for gnome-login.session - XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share"; + XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share:${pkgs.gnome.gnome-control-center}/share"; } // optionalAttrs (xSessionWrapper != null) { # Make GDM use this wrapper before running the session, which runs the # configured setupCommands. This relies on a patched GDM which supports diff --git a/nixos/modules/services/x11/window-managers/qtile.nix b/nixos/modules/services/x11/window-managers/qtile.nix index 835b41d4ada..4d455fdf7b2 100644 --- a/nixos/modules/services/x11/window-managers/qtile.nix +++ b/nixos/modules/services/x11/window-managers/qtile.nix @@ -7,19 +7,26 @@ let in { - options = { - services.xserver.windowManager.qtile.enable = mkEnableOption "qtile"; + options.services.xserver.windowManager.qtile = { + enable = mkEnableOption "qtile"; + + package = mkPackageOption pkgs "qtile" { }; }; config = mkIf cfg.enable { services.xserver.windowManager.session = [{ name = "qtile"; start = '' - ${pkgs.qtile}/bin/qtile start & + ${cfg.package}/bin/qtile start & waitPID=$! ''; }]; - environment.systemPackages = [ pkgs.qtile ]; + environment.systemPackages = [ + # pkgs.qtile is currently a buildenv of qtile and its dependencies. + # For userland commands, we want the underlying package so that + # packages such as python don't bleed into userland and overwrite intended behavior. + (cfg.package.unwrapped or cfg.package) + ]; }; } diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 0c50d82b23b..d488e9b55d4 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, utils, pkgs, ... }: with lib; @@ -181,6 +181,13 @@ in ''; }; + excludePackages = mkOption { + default = []; + example = literalExpression "[ pkgs.xterm ]"; + type = types.listOf types.package; + description = "Which X11 packages to exclude from the default environment"; + }; + exportConfiguration = mkOption { type = types.bool; default = false; @@ -655,7 +662,7 @@ in ${cfgPath}.source = xorg.xf86inputevdev.out + "/share" + cfgPath; }); - environment.systemPackages = + environment.systemPackages = utils.removePackagesByName [ xorg.xorgserver.out xorg.xrandr xorg.xrdb @@ -671,7 +678,7 @@ in pkgs.xdg-utils xorg.xf86inputevdev.out # get evdev.4 man page pkgs.nixos-icons # needed for gnome and pantheon about dialog, nixos-manual and maybe more - ] + ] config.services.xserver.excludePackages ++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh; environment.pathsToLink = [ "/share/X11" ]; |