Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/config/system-path.nix | 1 | ||||
-rw-r--r-- | nixos/modules/config/users-groups.nix | 3 | ||||
-rw-r--r-- | nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix | 9 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-build-vms/build-vms.nix | 9 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/programs/wshowkeys.nix | 22 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 45 | ||||
-rw-r--r-- | nixos/modules/services/desktops/flatpak.nix | 14 | ||||
-rw-r--r-- | nixos/modules/services/networking/avahi-daemon.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-wrapper.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/engelsystem.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/gnome3.nix | 25 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/pantheon.nix | 1 | ||||
-rw-r--r-- | nixos/modules/testing/test-instrumentation.nix | 24 | ||||
-rw-r--r-- | nixos/modules/virtualisation/ec2-amis.nix | 21 |
16 files changed, 159 insertions, 30 deletions
diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix
index c46937f8008..c65fa1a684f 100644
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@@ -33,6 +33,7 @@ let pkgs.ncurses pkgs.netcat config.programs.ssh.package + pkgs.mkpasswd pkgs.procps pkgs.su pkgs.time
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 5264d5b56fa..72285fe631d 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -35,8 +35,7 @@ let ''; hashedPasswordDescription = '' - To generate a hashed password install the <literal>mkpasswd</literal> - package and run <literal>mkpasswd -m sha-512</literal>. + To generate a hashed password run <literal>mkpasswd -m sha-512</literal>. If set to an empty string (<literal>""</literal>), this user will be able to log in without being asked for a password (but not via remote
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
index 8c98691116d..803bae4212e 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
@@ -9,7 +9,14 @@ with lib; isoImage.edition = "gnome"; - services.xserver.desktopManager.gnome3.enable = true; + services.xserver.desktopManager.gnome3 = { + # Add firefox to favorite-apps + favoriteAppsOverride = '' + [org.gnome.shell] + favorite-apps=[ 'firefox.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ] + ''; + enable = true; + }; services.xserver.displayManager = { gdm = {
diff --git a/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix b/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
index 199e5f9206b..e49ceba2424 100644
--- a/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
+++ b/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
@@ -6,12 +6,7 @@ let nodes = builtins.mapAttrs (vm: module: { _file = "${networkExpr}@node-${vm}"; - imports = [ - module - ({ pkgs, ... }: { - virtualisation.qemu.package = pkgs.qemu; - }) - ]; + imports = [ module ]; }) (import networkExpr); in
@@ -20,4 +15,4 @@ with import ../../../../lib/testing-python.nix { pkgs = import ../../../../.. { inherit system config; }; }; -(makeTest { inherit nodes; testScript = ""; }).driver +(makeTest { inherit nodes; testScript = ""; }).driverInteractive
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index cce4e8e74b4..aa3b71a6124 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -173,6 +173,7 @@ ./programs/wavemon.nix ./programs/waybar.nix ./programs/wireshark.nix + ./programs/wshowkeys.nix ./programs/x2goserver.nix ./programs/xfs_quota.nix ./programs/xonsh.nix
diff --git a/nixos/modules/programs/wshowkeys.nix b/nixos/modules/programs/wshowkeys.nix
new file mode 100644
index 00000000000..09b008af1d5
--- /dev/null
+++ b/nixos/modules/programs/wshowkeys.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.programs.wshowkeys;
+in {
+ meta.maintainers = with maintainers; [ primeos ];
+
+ options = {
+ programs.wshowkeys = {
+ enable = mkEnableOption ''
+ wshowkeys (displays keypresses on screen on supported Wayland
+ compositors). It requires root permissions to read input events, but
+ these permissions are dropped after startup'';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";
+ };
+}
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index a20d0a243a8..a517f9e51ce 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
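Review bot: `security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";` sets only the wrapper's source, so the privilege the wrapper ends up with (owner, group, setuid) is decided by the wrappers module's implicit defaults rather than stated in this module; as far as I recall those defaults make a wrapper declared this way setuid root, which is what the option text ("requires root permissions to read input events") relies on. Spelling it out, `security.wrappers.wshowkeys = { source = "${pkgs.wshowkeys}/bin/wshowkeys"; owner = "root"; group = "root"; setuid = true; };`, records the elevated grant where it is made and keeps it from silently changing if the module defaults do. A one-line comment above it, `# setuid root wrapper: wshowkeys needs root to read input events and drops the privilege after startup`, would let a reviewer of the wrappers list see why this binary is in it without opening the option description.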
@@ -318,6 +318,42 @@ let ''; };
+ gnupg = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If enabled, pam_gnupg will attempt to automatically unlock the
+ user's GPG keys with the login password via
+ <command>gpg-agent</command>. The keygrips of all keys to be
+ unlocked should be written to <filename>~/.pam-gnupg</filename>,
+ and can be queried with <command>gpg -K --with-keygrip</command>.
+ Presetting passphrases must be enabled by adding
+ <literal>allow-preset-passphrase</literal> in
+ <filename>~/.gnupg/gpg-agent.conf</filename>.
+ '';
+ };
+
+ noAutostart = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Don't start <command>gpg-agent</command> if it is not running.
+ Useful in conjunction with starting <command>gpg-agent</command> as
+ a systemd user service.
+ '';
+ };
+
+ storeOnly = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Don't send the password immediately after login, but store for PAM
+ <literal>session</literal>.
+ '';
+ };
+ };
+
 text = mkOption { type = types.nullOr types.lines; description = "Contents of the PAM service file.";
@@ -386,6 +422,7 @@ let || cfg.enableKwallet || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable + || cfg.gnupg.enable || cfg.duoSecurity.enable)) '' auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth ${optionalString config.security.pam.enableEcryptfs
@@ -397,6 +434,10 @@ let " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")} ${optionalString cfg.enableGnomeKeyring "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} + ${optionalString cfg.gnupg.enable + "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + + optionalString cfg.gnupg.storeOnly " store-only" + } ${optionalString cfg.googleAuthenticator.enable "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} ${optionalString cfg.duoSecurity.enable
@@ -472,6 +513,10 @@ let " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")} ${optionalString (cfg.enableGnomeKeyring) "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} + ${optionalString cfg.gnupg.enable + "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + + optionalString cfg.gnupg.noAutostart " no-autostart" + } ${optionalString (config.virtualisation.lxc.lxcfs.enable) "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} '');
diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix
index 7da92cc9f26..d0f6b66328a 100644
--- a/nixos/modules/services/desktops/flatpak.nix
+++ b/nixos/modules/services/desktops/flatpak.nix
@@ -15,6 +15,18 @@ in { options = { services.flatpak = { enable = mkEnableOption "flatpak"; + + guiPackages = mkOption { + internal = true; + type = types.listOf types.package; + default = []; + example = literalExample "[ pkgs.gnome3.gnome-software ]"; + description = '' + Packages that provide an interface for flatpak + (like gnome-software) that will be automatically available + to all users when flatpak is enabled. + ''; + }; }; };
@@ -28,7 +40,7 @@ in { } ]; - environment.systemPackages = [ pkgs.flatpak ]; + environment.systemPackages = [ pkgs.flatpak ] ++ cfg.guiPackages; services.dbus.packages = [ pkgs.flatpak ];
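Review bot: In `${optionalString cfg.gnupg.enable "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.storeOnly " store-only"}` function application binds tighter than `+`, so the expression is `(optionalString cfg.gnupg.enable "auth …") + (optionalString cfg.gnupg.storeOnly " store-only")`; with `gnupg.enable = false` and `gnupg.storeOnly = true` the service file gets a line whose only token is `store-only`, and libpam does not treat an unparsable type token as a no-op (it is logged and, as far as I recall, becomes a failing entry for that stack), so a half-set option can break authentication for the service rather than being ignored. The session hunk at `@@ -472,6 +513,10 @@` has the same shape with `noAutostart`. Parenthesising the module line so the flag is only appended when the line exists fixes both: `${optionalString cfg.gnupg.enable ("auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.storeOnly " store-only")}` and `${optionalString cfg.gnupg.enable ("session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.noAutostart " no-autostart")}`. The enclosing `''` string in each hunk starts and ends outside it.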
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix
index 2900c37f990..0b7d5575c11 100644
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@@ -86,7 +86,8 @@ in ipv6 = mkOption { type = types.bool; - default = false; + default = config.networking.enableIPv6; + defaultText = "config.networking.enableIPv6"; description = "Whether to use IPv6."; };
diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix
index b9333cd19a2..ee7e9b0454d 100644
--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -55,7 +55,10 @@ let rotateKeys = '' # check if keys are not expired keyValid() { - fingerprint=$(dnscrypt-wrapper --show-provider-publickey | awk '{print $(NF)}') + fingerprint=$(dnscrypt-wrapper \ + --show-provider-publickey \ + --provider-publickey-file=${publicKey} \ + | awk '{print $(NF)}') dnscrypt-proxy --test=${toString (cfg.keys.checkInterval + 1)} \ --resolver-address=127.0.0.1:${toString cfg.port} \ --provider-name=${cfg.providerName} \
diff --git a/nixos/modules/services/web-apps/engelsystem.nix b/nixos/modules/services/web-apps/engelsystem.nix
index 899582a2030..2e755ae9d52 100644
--- a/nixos/modules/services/web-apps/engelsystem.nix
+++ b/nixos/modules/services/web-apps/engelsystem.nix
@@ -10,7 +10,7 @@ in { default = false; example = true; description = '' - Whether to enable engelsystem, an online tool for coordinating helpers + Whether to enable engelsystem, an online tool for coordinating volunteers and shifts on large events. ''; type = lib.types.bool;
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 6d2ddea927e..631e92fd6e9 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
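Review bot: The avahi hunk leaves `description = "Whether to use IPv6.";` untouched although the default changes from `false` to `config.networking.enableIPv6`, so on the usual configuration with IPv6 left on, avahi-daemon starts advertising and answering mDNS over IPv6 where it previously required an explicit opt-in; that is a change in default exposure that the option text should state and that belongs in the release notes. I would write `description = "Whether to use IPv6. Defaults to networking.enableIPv6, so hosts with IPv6 enabled advertise and respond over IPv6 unless this is set to false.";`. Operators who filter mDNS only on IPv4 will want to know this before upgrading.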
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -86,7 +86,7 @@ let ''} ssl_protocols ${cfg.sslProtocols}; - ssl_ciphers ${cfg.sslCiphers}; + ${optionalString (cfg.sslCiphers != null) "ssl_ciphers ${cfg.sslCiphers};"} ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"} ${optionalString (cfg.recommendedTlsSettings) ''
@@ -487,7 +487,7 @@ in }; sslCiphers = mkOption { - type = types.str; + type = types.nullOr types.str; # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; description = "Ciphers to choose from when negotiating TLS handshakes.";
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 97eb74991ab..9dfac56c7fe 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -17,6 +17,11 @@ let ''; }; + defaultFavoriteAppsOverride = '' + [org.gnome.shell] + favorite-apps=[ 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ] + ''; + nixos-gsettings-desktop-schemas = let defaultPackages = with pkgs; [ gsettings-desktop-schemas gnome3.gnome-shell ]; in
@@ -42,8 +47,7 @@ let [org.gnome.desktop.screensaver] picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath}' - [org.gnome.shell] - favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop' ] + ${cfg.favoriteAppsOverride} ${cfg.extraGSettingsOverrides} EOF
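Review bot: `sslCiphers` becomes `types.nullOr types.str` in the nginx hunk at `@@ -487,7 +487,7 @@` but its description still reads as if a cipher string is always present, and nothing says what `null` does. The generated config at `@@ -86,7 +86,7 @@` simply omits `ssl_ciphers`, which leaves nginx's built-in default (`HIGH:!aNULL:!MD5`) in force — a broader list than the Mozilla intermediate set this option's default is kept in sync with — so a user who sets `null` expecting to "turn the option off" actually widens the accepted cipher suites. I would state that in the option: `description = "Ciphers to choose from when negotiating TLS handshakes. Set to null to omit the ssl_ciphers directive and fall back to nginx's built-in default, which is broader than the list given here.";`.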
@@ -123,6 +127,17 @@ in apply = list: list ++ [ pkgs.gnome3.gnome-shell pkgs.gnome3.gnome-shell-extensions ]; }; + favoriteAppsOverride = mkOption { + internal = true; # this is messy + default = defaultFavoriteAppsOverride; + type = types.lines; + example = literalExample '' + [org.gnome.shell] + favorite-apps=[ 'firefox.desktop', 'org.gnome.Calendar.desktop' ] + ''; + description = "List of desktop files to put as favorite apps into gnome-shell. These need to be installed somehow globally."; + }; + extraGSettingsOverrides = mkOption { default = ""; type = types.lines;
@@ -215,6 +230,11 @@ in # If gnome3 is installed, build vim for gtk3 too. nixpkgs.config.vim.gui = "gtk3"; + + # Install gnome-software if flatpak is enabled + services.flatpak.guiPackages = [ + pkgs.gnome3.gnome-software + ]; }) (mkIf flashbackEnabled {
@@ -397,7 +417,6 @@ in gnome-music gnome-photos gnome-screenshot - gnome-software gnome-system-monitor gnome-weather nautilus
diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix
index e67e216f90d..cf02a71248b 100644
--- a/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -180,7 +180,6 @@ in gtk3.out hicolor-icon-theme lightlocker - nixos-artwork.wallpapers.simple-dark-gray onboard qgnomeplatform shared-mime-info
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 2986bd4c4e3..be5fa88b8ad 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -45,15 +45,21 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; }; systemd.services."serial-getty@${qemuSerialDevice}".enable = false; systemd.services."serial-getty@hvc0".enable = false; - # Only use a serial console, no TTY. - # NOTE: optionalAttrs - # test-instrumentation.nix appears to be used without qemu-vm.nix, so - # we avoid defining consoles if not possible. - # TODO: refactor such that test-instrumentation can import qemu-vm - # or declare virtualisation.qemu.console option in a module that's always imported - virtualisation.qemu = { - consoles = lib.optional (options ? virtualisation.qemu.consoles) qemuSerialDevice; - package = lib.mkDefault pkgs.qemu_test; + # Only set these settings when the options exist. Some tests (e.g. those + # that do not specify any nodes, or an empty attr set as nodes) will not + # have the QEMU module loaded and thuse these options can't and should not + # be set. + virtualisation = lib.optionalAttrs (options ? virtualisation.qemu) { + qemu = { + # Only use a serial console, no TTY. + # NOTE: optionalAttrs + # test-instrumentation.nix appears to be used without qemu-vm.nix, so + # we avoid defining consoles if not possible. + # TODO: refactor such that test-instrumentation can import qemu-vm + # or declare virtualisation.qemu.console option in a module that's always imported + consoles = [ qemuSerialDevice ]; + package = lib.mkDefault pkgs.qemu_test; + }; }; boot.initrd.preDeviceCommands =
diff --git a/nixos/modules/virtualisation/ec2-amis.nix b/nixos/modules/virtualisation/ec2-amis.nix
index 24de8cf1afb..4d9c391e046 100644
--- a/nixos/modules/virtualisation/ec2-amis.nix
+++ b/nixos/modules/virtualisation/ec2-amis.nix
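Review bot: The comment block moved inside `qemu = { ... }` still says `we avoid defining consoles if not possible`, but after this change `consoles = [ qemuSerialDevice ];` is unconditional and the guarding is done by the new outer `lib.optionalAttrs (options ? virtualisation.qemu)`, which has its own explanation, so the inner `NOTE: optionalAttrs …` lines now describe the outer guard and read as stale. I would keep `# Only use a serial console, no TTY.` and the `TODO` on the inner block, drop the two NOTE lines, and fix the typo in the new outer comment, `thuse` → `thus`. The enclosing attribute set continues outside the hunk.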
@@ -329,5 +329,24 @@ let self = { "20.03".ap-east-1.hvm-ebs = "ami-0d18fdd309cdefa86"; "20.03".sa-east-1.hvm-ebs = "ami-09859378158ae971d"; - latest = self."20.03"; + # 20.09.1465.9a0b14b097d + "20.09".eu-west-1.hvm-ebs = "ami-0d90f16418e3c364c"; + "20.09".eu-west-2.hvm-ebs = "ami-0635ec0780ea57cfe"; + "20.09".eu-west-3.hvm-ebs = "ami-0714e94352f2eabb9"; + "20.09".eu-central-1.hvm-ebs = "ami-0979d39762a4d2a02"; + "20.09".eu-north-1.hvm-ebs = "ami-0b14e273185c66e9b"; + "20.09".us-east-1.hvm-ebs = "ami-0f8b063ac3f2d9645"; + "20.09".us-east-2.hvm-ebs = "ami-0959202a0393fdd0c"; + "20.09".us-west-1.hvm-ebs = "ami-096d50833b785478b"; + "20.09".us-west-2.hvm-ebs = "ami-0fc31031df0df6104"; + "20.09".ca-central-1.hvm-ebs = "ami-0787786a38cde3905"; + "20.09".ap-southeast-1.hvm-ebs = "ami-0b3f693d3a2a0b9ae"; + "20.09".ap-southeast-2.hvm-ebs = "ami-02471872bc876b610"; + "20.09".ap-northeast-1.hvm-ebs = "ami-06505fd2bf44a59a7"; + "20.09".ap-northeast-2.hvm-ebs = "ami-0754b4c014eea1e8a"; + "20.09".ap-south-1.hvm-ebs = "ami-05100e32242ae65a6"; + "20.09".ap-east-1.hvm-ebs = "ami-045288859a39de009"; + "20.09".sa-east-1.hvm-ebs = "ami-0a937748db48fb00d"; + + latest = self."20.09"; }; in self |