diff options
Diffstat (limited to 'nixos/modules')
44 files changed, 808 insertions, 182 deletions
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index 0693e896f71..f65a3fc50d5 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -38,6 +38,8 @@ let bind_timelimit ${toString cfg.bind.timeLimit} ${optionalString (cfg.bind.distinguishedName != "") "binddn ${cfg.bind.distinguishedName}" } + ${optionalString (cfg.daemon.rootpwmoddn != "") + "rootpwmoddn ${cfg.daemon.rootpwmoddn}" } ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig } ''; }; @@ -126,6 +128,26 @@ in the end of the nslcd configuration file (nslcd.conf). '' ; } ; + + rootpwmoddn = mkOption { + default = ""; + example = "cn=admin,dc=example,dc=com"; + type = types.str; + description = '' + The distinguished name to use to bind to the LDAP server + when the root user tries to modify a user's password. + ''; + }; + + rootpwmodpw = mkOption { + default = ""; + example = "/run/keys/nslcd.rootpwmodpw"; + type = types.str; + description = '' + The path to a file containing the credentials with which + to bind to the LDAP server if the root user tries to change a user's password + ''; + }; }; bind = { @@ -203,9 +225,11 @@ in system.activationScripts = mkIf insertLdapPassword { ldap = stringAfter [ "etc" "groups" "users" ] '' if test -f "${cfg.bind.password}" ; then - echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw - mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf - chmod 600 /etc/ldap.conf + umask 0077 + conf="$(mktemp)" + printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" | + cat ${ldapConfig.source} - >"$conf" + mv -fT "$conf" /etc/ldap.conf fi ''; }; @@ -232,21 +256,31 @@ in wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -p /run/nslcd - rm -f /run/nslcd/nslcd.pid; - chown nslcd.nslcd /run/nslcd - ${optionalString (cfg.bind.distinguishedName != "") '' - if test -s "${cfg.bind.password}" ; then - ln -sfT "${cfg.bind.password}" /run/nslcd/bindpw - fi - ''} + umask 0077 + conf="$(mktemp)" + { + cat ${nslcdConfig.source} + test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' || + printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')" + test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' || + printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')" + } >"$conf" + mv -fT "$conf" /etc/nslcd.conf ''; + # NOTE: because one cannot pass a custom config path to `nslcd` + # (which is only able to use `/etc/nslcd.conf`) + # changes in `nslcdConfig` won't change `serviceConfig`, + # and thus won't restart `nslcd`. + # Therefore `restartTriggers` is used on `/etc/nslcd.conf`. + restartTriggers = [ nslcdConfig.source ]; + serviceConfig = { ExecStart = "${nss_pam_ldapd}/sbin/nslcd"; Type = "forking"; PIDFile = "/run/nslcd/nslcd.pid"; Restart = "always"; + RuntimeDirectory = [ "nslcd" ]; }; }; diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index 67f7105fe2f..e61a3a73120 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -180,7 +180,7 @@ in { type = types.attrsOf types.unspecified; default = {}; description = ''Config of the pulse daemon. See <literal>man pulse-daemon.conf</literal>.''; - example = literalExample ''{ flat-volumes = "no"; }''; + example = literalExample ''{ realtime-scheduling = "yes"; }''; }; }; @@ -242,6 +242,9 @@ in { source = writeText "libao.conf" "default_driver=pulse"; } ]; + # Disable flat volumes to enable relative ones + hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no"; + # Allow PulseAudio to get realtime priority using rtkit. security.rtkit.enable = true; diff --git a/nixos/modules/config/zram.nix b/nixos/modules/config/zram.nix index c1748812821..925d945c081 100644 --- a/nixos/modules/config/zram.nix +++ b/nixos/modules/config/zram.nix @@ -6,10 +6,27 @@ let cfg = config.zramSwap; - devices = map (nr: "zram${toString nr}") (range 0 (cfg.numDevices - 1)); + # don't set swapDevices as mkDefault, so we can detect user had read our warning + # (see below) and made an action (or not) + devicesCount = if cfg.swapDevices != null then cfg.swapDevices else cfg.numDevices; + + devices = map (nr: "zram${toString nr}") (range 0 (devicesCount - 1)); modprobe = "${pkgs.kmod}/bin/modprobe"; + warnings = + assert cfg.swapDevices != null -> cfg.numDevices >= cfg.swapDevices; + flatten [ + (optional (cfg.numDevices > 1 && cfg.swapDevices == null) '' + Using several small zram devices as swap is no better than using one large. + Set either zramSwap.numDevices = 1 or explicitly set zramSwap.swapDevices. + + Previously multiple zram devices were used to enable multithreaded + compression. Linux supports multithreaded compression for 1 device + since 3.15. See https://lkml.org/lkml/2014/2/28/404 for details. + '') + ]; + in { @@ -24,9 +41,11 @@ in default = false; type = types.bool; description = '' - Enable in-memory compressed swap space provided by the zram kernel - module. - See https://www.kernel.org/doc/Documentation/blockdev/zram.txt + Enable in-memory compressed devices and swap space provided by the zram + kernel module. + See <link xlink:href="https://www.kernel.org/doc/Documentation/blockdev/zram.txt"> + https://www.kernel.org/doc/Documentation/blockdev/zram.txt + </link>. ''; }; @@ -34,7 +53,19 @@ in default = 1; type = types.int; description = '' - Number of zram swap devices to create. + Number of zram devices to create. See also + <literal>zramSwap.swapDevices</literal> + ''; + }; + + swapDevices = mkOption { + default = null; + example = 1; + type = with types; nullOr int; + description = '' + Number of zram devices to be used as swap. Must be + <literal><= zramSwap.numDevices</literal>. + Default is same as <literal>zramSwap.numDevices</literal>, recommended is 1. ''; }; @@ -44,7 +75,8 @@ in description = '' Maximum amount of memory that can be used by the zram swap devices (as a percentage of your total memory). Defaults to 1/2 of your total - RAM. + RAM. Run <literal>zramctl</literal> to check how good memory is + compressed. ''; }; @@ -58,12 +90,26 @@ in ''; }; + algorithm = mkOption { + default = "zstd"; + example = "lzo"; + type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str; + description = '' + Compression algorithm. <literal>lzo</literal> has good compression, + but is slow. <literal>lz4</literal> has bad compression, but is fast. + <literal>zstd</literal> is both good compression and fast. + You can check what other algorithms are supported by your zram device with + <programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting> + ''; + }; }; }; config = mkIf cfg.enable { + inherit warnings; + system.requiredKernelConfig = with config.lib.kernelConfig; [ (isModule "ZRAM") ]; @@ -85,25 +131,25 @@ in createZramInitService = dev: nameValuePair "zram-init-${dev}" { description = "Init swap on zram-based device ${dev}"; - bindsTo = [ "dev-${dev}.swap" ]; after = [ "dev-${dev}.device" "zram-reloader.service" ]; requires = [ "dev-${dev}.device" "zram-reloader.service" ]; before = [ "dev-${dev}.swap" ]; requiredBy = [ "dev-${dev}.swap" ]; + unitConfig.DefaultDependencies = false; # needed to prevent a cycle serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/class/block/${dev}/reset'"; }; script = '' - set -u - set -o pipefail - + set -euo pipefail + # Calculate memory to use for zram - totalmem=$(${pkgs.gnugrep}/bin/grep 'MemTotal: ' /proc/meminfo | ${pkgs.gawk}/bin/awk '{print $2}') - mem=$(((totalmem * ${toString cfg.memoryPercent} / 100 / ${toString cfg.numDevices}) * 1024)) + mem=$(${pkgs.gawk}/bin/awk '/MemTotal: / { + print int($2*${toString cfg.memoryPercent}/100.0/${toString devicesCount}*1024) + }' /proc/meminfo) - echo $mem > /sys/class/block/${dev}/disksize + ${pkgs.utillinux}/sbin/zramctl --size $mem --algorithm ${cfg.algorithm} /dev/${dev} ${pkgs.utillinux}/sbin/mkswap /dev/${dev} ''; restartIfChanged = false; @@ -111,6 +157,9 @@ in in listToAttrs ((map createZramInitService devices) ++ [(nameValuePair "zram-reloader" { description = "Reload zram kernel module when number of devices changes"; + wants = [ "systemd-udevd.service" ]; + after = [ "systemd-udevd.service" ]; + unitConfig.DefaultDependencies = false; # needed to prevent a cycle serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -118,7 +167,11 @@ in ExecStart = "${modprobe} zram"; ExecStop = "${modprobe} -r zram"; }; - restartTriggers = [ cfg.numDevices ]; + restartTriggers = [ + cfg.numDevices + cfg.algorithm + cfg.memoryPercent + ]; restartIfChanged = true; })]); diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 48e0072e089..6b7b8069fd4 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -124,10 +124,14 @@ in config = mkIf cfg.enable { - assertions = lib.singleton { - assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64; - message = "Option driSupport32Bit only makes sense on a 64-bit system."; - }; + assertions = [ + { assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64; + message = "Option driSupport32Bit only makes sense on a 64-bit system."; + } + { assertion = cfg.driSupport32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false); + message = "Option driSupport32Bit requires a kernel that supports 32bit emulation"; + } + ]; systemd.tmpfiles.rules = [ "L+ /run/opengl-driver - - - - ${package}" diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index bad9356ab5a..e58392ad05b 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -635,9 +635,10 @@ $bootLoaderConfig # services.xserver.desktopManager.plasma5.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.guest = { + # users.users.jane = { # isNormalUser = true; # uid = 1000; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. # }; # This value determines the NixOS release with which your system is to be diff --git a/nixos/modules/installer/tools/nixos-option.sh b/nixos/modules/installer/tools/nixos-option.sh index 327e3e6989f..4560e9c7403 100644 --- a/nixos/modules/installer/tools/nixos-option.sh +++ b/nixos/modules/installer/tools/nixos-option.sh @@ -314,13 +314,13 @@ else # echo 1>&2 "Warning: This value is not an option." result=$(evalCfg "") - if names=$(attrNames "$result" 2> /dev/null); then + if [ ! -z "$result" ]; then + names=$(attrNames "$result" 2> /dev/null) echo 1>&2 "This attribute set contains:" escapeQuotes () { eval echo "$1"; } nixMap escapeQuotes "$names" else - echo 1>&2 "An error occurred while looking for attribute names." - echo $result + echo 1>&2 "An error occurred while looking for attribute names. Are you sure that '$option' exists?" fi fi diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 1a8bd9cccb1..3ee242ab222 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -681,6 +681,7 @@ ./services/security/hologram-server.nix ./services/security/hologram-agent.nix ./services/security/munge.nix + ./services/security/nginx-sso.nix ./services/security/oauth2_proxy.nix ./services/security/oauth2_proxy_nginx.nix ./services/security/physlock.nix diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index 809bedc588f..f044e6f39ea 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix @@ -13,5 +13,5 @@ with lib; documentation.enable = mkDefault false; - services.nixosManual.enable = mkDefault false; + documentation.nixos.enable = mkDefault false; } diff --git a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix index e7cf17c2c00..89087a229eb 100644 --- a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix +++ b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix @@ -48,6 +48,23 @@ in https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/pattern.md ''; }; + styles = mkOption { + default = {}; + type = types.attrsOf types.string; + + example = literalExample '' + { + "alias" = "fg=magenta,bold"; + } + ''; + + description = '' + Specifies custom styles to be highlighted by zsh-syntax-highlighting. + + Please refer to the docs for more information about the usage: + https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/main.md + ''; + }; }; }; @@ -73,6 +90,11 @@ in pattern: design: "ZSH_HIGHLIGHT_PATTERNS+=('${pattern}' '${design}')" ) cfg.patterns) + ++ optionals (length(attrNames cfg.styles) > 0) + (mapAttrsToList ( + styles: design: + "ZSH_HIGHLIGHT_STYLES[${styles}]='${design}'" + ) cfg.styles) ); }; } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index dc0a175d5bb..24ab963f718 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -69,6 +69,9 @@ with lib; (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") + # PAM + (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) + (mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead") (mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead") diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index b1a0eff98c2..206b529ed68 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -37,12 +37,14 @@ let }; u2fAuth = mkOption { - default = config.security.pam.enableU2F; + default = config.security.pam.u2f.enable; type = types.bool; description = '' If set, users listed in - <filename>~/.config/Yubico/u2f_keys</filename> are able to log in - with the associated U2F key. + <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or + <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is + not set) are able to log in with the associated U2F key. Path can be + changed using <option>security.pam.u2f.authFile</option> option. ''; }; @@ -320,8 +322,8 @@ let "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} ${optionalString cfg.fprintAuth "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} - ${optionalString cfg.u2fAuth - "auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"} + ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth + "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"} ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth @@ -368,7 +370,7 @@ let auth required pam_deny.so # Password management. - password requisite pam_unix.so nullok sha512 + password sufficient pam_unix.so nullok sha512 ${optionalString config.security.pam.enableEcryptfs "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} ${optionalString cfg.pamMount @@ -527,11 +529,96 @@ in ''; }; - security.pam.enableU2F = mkOption { - default = false; - description = '' - Enable the U2F PAM module. - ''; + security.pam.u2f = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables U2F PAM (<literal>pam-u2f</literal>) module. + + If set, users listed in + <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or + <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is + not set) are able to log in with the associated U2F key. The path can + be changed using <option>security.pam.u2f.authFile</option> option. + + File format is: + <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal> + This file can be generated using <command>pamu2fcfg</command> command. + + More information can be found <link + xlink:href="https://developers.yubico.com/pam-u2f/">here</link>. + ''; + }; + + authFile = mkOption { + default = null; + type = with types; nullOr path; + description = '' + By default <literal>pam-u2f</literal> module reads the keys from + <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or + <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is + not set). + + If you want to change auth file locations or centralize database (for + example use <filename>/etc/u2f-mappings</filename>) you can set this + option. + + File format is: + <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal> + This file can be generated using <command>pamu2fcfg</command> command. + + More information can be found <link + xlink:href="https://developers.yubico.com/pam-u2f/">here</link>. + ''; + }; + + control = mkOption { + default = "sufficient"; + type = types.enum [ "required" "requisite" "sufficient" "optional" ]; + description = '' + This option sets pam "control". + If you want to have multi factor authentication, use "required". + If you want to use U2F device instead of regular password, use "sufficient". + + Read + <citerefentry> + <refentrytitle>pam.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for better understanding of this option. + ''; + }; + + debug = mkOption { + default = false; + type = types.bool; + description = '' + Debug output to stderr. + ''; + }; + + interactive = mkOption { + default = false; + type = types.bool; + description = '' + Set to prompt a message and wait before testing the presence of a U2F device. + Recommended if your device doesn’t have a tactile trigger. + ''; + }; + + cue = mkOption { + default = false; + type = types.bool; + description = '' + By default <literal>pam-u2f</literal> module does not inform user + that he needs to use the u2f device, it just waits without a prompt. + + If you set this option to <literal>true</literal>, + <literal>cue</literal> option is added to <literal>pam-u2f</literal> + module and reminder message will be displayed. + ''; + }; }; security.pam.enableEcryptfs = mkOption { @@ -563,7 +650,7 @@ in ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] - ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]; + ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ]; boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ]; diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index f9f9568faa5..11efa47ec5b 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -6,11 +6,11 @@ let cfg = config.services.postgresqlBackup; - postgresqlBackupService = db : + postgresqlBackupService = db: dumpCmd: { enable = true; - description = "Backup of database ${db}"; + description = "Backup of ${db} database(s)"; requires = [ "postgresql.service" ]; @@ -26,7 +26,7 @@ let ${pkgs.coreutils}/bin/mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz fi - ${config.services.postgresql.package}/bin/pg_dump ${cfg.pgdumpOptions} ${db} | \ + ${dumpCmd} | \ ${pkgs.gzip}/bin/gzip -c > ${cfg.location}/${db}.sql.gz ''; @@ -42,9 +42,7 @@ let in { options = { - services.postgresqlBackup = { - enable = mkOption { default = false; description = '' @@ -61,6 +59,19 @@ in { ''; }; + backupAll = mkOption { + default = cfg.databases == []; + defaultText = "services.postgresqlBackup.databases == []"; + type = lib.types.bool; + description = '' + Backup all databases using pg_dumpall. + This option is mutual exclusive to + <literal>services.postgresqlBackup.databases</literal>. + The resulting backup dump will have the name all.sql.gz. + This option is the default if no databases are specified. + ''; + }; + databases = mkOption { default = []; description = '' @@ -79,18 +90,36 @@ in { type = types.string; default = "-Cbo"; description = '' - Command line options for pg_dump. + Command line options for pg_dump. This options is not used + if <literal>config.services.postgresqlBackup.backupAll</literal> is enabled. + Note that config.services.postgresqlBackup.backupAll is also active, + when no databases where specified. ''; }; }; }; - config = mkIf config.services.postgresqlBackup.enable { - - systemd.services = listToAttrs (map (db : { + config = mkMerge [ + { + assertions = [{ + assertion = cfg.backupAll -> cfg.databases == []; + message = "config.services.postgresqlBackup.backupAll cannot be used together with config.services.postgresqlBackup.databases"; + }]; + } + (mkIf (cfg.enable && cfg.backupAll) { + systemd.services.postgresqlBackup = + postgresqlBackupService "all" "${config.services.postgresql.package}/bin/pg_dumpall"; + }) + (mkIf (cfg.enable && !cfg.backupAll) { + systemd.services = listToAttrs (map (db: + let + cmd = "${config.services.postgresql.package}/bin/pg_dump ${cfg.pgdumpOptions} ${db}"; + in { name = "postgresqlBackup-${db}"; - value = postgresqlBackupService db; } ) cfg.databases); - }; + value = postgresqlBackupService db cmd; + }) cfg.databases); + }) + ]; } diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index 6ece5a9b5ad..7e8e91e4b9c 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -1,6 +1,11 @@ { config, lib, pkgs, ... }: with lib; + +let + # Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers" + unitOption = (import ../../system/boot/systemd-unit-options.nix { inherit config lib; }).unitOption; +in { options.services.restic.backups = mkOption { description = '' @@ -47,7 +52,7 @@ with lib; }; timerConfig = mkOption { - type = types.attrsOf types.str; + type = types.attrsOf unitOption; default = { OnCalendar = "daily"; }; diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 1ba878957ed..467feb09b3a 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -249,6 +249,7 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."my.cnf".source ]; unitConfig.RequiresMountsFor = "${cfg.dataDir}"; @@ -274,7 +275,8 @@ in serviceConfig = { Type = if hasNotify then "notify" else "simple"; RuntimeDirectory = "mysqld"; - ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions}"; + # The last two environment variables are used for starting Galera clusters + ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION"; }; postStart = '' diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix index 7743f81fd62..cad9fa20de0 100644 --- a/nixos/modules/services/hardware/fwupd.nix +++ b/nixos/modules/services/hardware/fwupd.nix @@ -15,6 +15,19 @@ let mkName = p: "pki/fwupd/${baseNameOf (toString p)}"; mkEtcFile = p: nameValuePair (mkName p) { source = p; }; in listToAttrs (map mkEtcFile cfg.extraTrustedKeys); + + # We cannot include the file in $out and rely on filesInstalledToEtc + # to install it because it would create a cyclic dependency between + # the outputs. We also need to enable the remote, + # which should not be done by default. + testRemote = if cfg.enableTestRemote then { + "fwupd/remotes.d/fwupd-tests.conf" = { + source = pkgs.runCommand "fwupd-tests-enabled.conf" {} '' + sed "s,^Enabled=false,Enabled=true," \ + "${pkgs.fwupd.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out" + ''; + }; + } else {}; in { ###### interface @@ -40,7 +53,7 @@ in { blacklistPlugins = mkOption { type = types.listOf types.string; - default = []; + default = [ "test" ]; example = [ "udev" ]; description = '' Allow blacklisting specific plugins @@ -55,6 +68,15 @@ in { Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files. By default trusted firmware can be upgraded (but not downgraded) without the user or administrator password. Only very few keys are installed by default. ''; }; + + enableTestRemote = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable test remote. This is used by + <link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>. + ''; + }; }; }; @@ -78,7 +100,7 @@ in { ''; }; - } // originalEtc // extraTrustedKeys; + } // originalEtc // extraTrustedKeys // testRemote; services.dbus.packages = [ pkgs.fwupd ]; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 769a9526cf6..25c258ebe13 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -497,7 +497,12 @@ in { systemd.services.gitaly = { after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv cfg.packages.gitaly.rubyEnv.wrappedRuby ]; + path = with pkgs; [ + openssh + gitAndTools.git + cfg.packages.gitaly.rubyEnv + cfg.packages.gitaly.rubyEnv.wrappedRuby + ]; serviceConfig = { Type = "simple"; User = cfg.user; diff --git a/nixos/modules/services/misc/plex.nix b/nixos/modules/services/misc/plex.nix index 8fe5879c276..e4810ce9f87 100644 --- a/nixos/modules/services/misc/plex.nix +++ b/nixos/modules/services/misc/plex.nix @@ -145,7 +145,7 @@ in PLEX_MEDIA_SERVER_HOME="${cfg.package}/usr/lib/plexmediaserver"; PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS="6"; PLEX_MEDIA_SERVER_TMPDIR="/tmp"; - LD_LIBRARY_PATH="${cfg.package}/usr/lib/plexmediaserver"; + LD_LIBRARY_PATH="/run/opengl-driver/lib:${cfg.package}/usr/lib/plexmediaserver"; LC_ALL="en_US.UTF-8"; LANG="en_US.UTF-8"; }; diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index 8d25ac5cb76..3c322ba1c3e 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix @@ -292,6 +292,7 @@ in # execute redmine required commands prior to starting the application # NOTE: su required in case using mysql socket authentication /run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake db:migrate' + /run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake redmine:plugins:migrate' /run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake redmine:load_default_data' diff --git a/nixos/modules/services/monitoring/collectd.nix b/nixos/modules/services/monitoring/collectd.nix index 6606980cdad..45e3312c0f4 100644 --- a/nixos/modules/services/monitoring/collectd.nix +++ b/nixos/modules/services/monitoring/collectd.nix @@ -88,6 +88,8 @@ in { ExecStart = "${cfg.package}/sbin/collectd -C ${conf} -f"; User = cfg.user; PermissionsStartOnly = true; + Restart = "on-failure"; + RestartSec = 3; }; preStart = '' diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 4873ab1fc60..1d86c5d893d 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -10,9 +10,14 @@ let ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin ''; + plugins = [ + "${pkgs.netdata}/libexec/netdata/plugins.d" + "${wrappedPlugins}/libexec/netdata/plugins.d" + ] ++ cfg.extraPluginPaths; + localConfig = { global = { - "plugins directory" = "${pkgs.netdata}/libexec/netdata/plugins.d ${wrappedPlugins}/libexec/netdata/plugins.d"; + "plugins directory" = concatStringsSep " " plugins; }; web = { "web files owner" = "root"; @@ -78,6 +83,24 @@ in { }; }; + extraPluginPaths = mkOption { + type = types.listOf types.path; + default = [ ]; + example = literalExample '' + [ "/path/to/plugins.d" ] + ''; + description = '' + Extra paths to add to the netdata global "plugins directory" + option. Useful for when you want to include your own + collection scripts. + </para><para> + Details about writing a custom netdata plugin are available at: + <link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/> + </para><para> + Cannot be combined with configText. + ''; + }; + config = mkOption { type = types.attrsOf types.attrs; default = {}; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix index 4ca6d4e5f8b..c47e87a3dc3 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix @@ -18,12 +18,34 @@ in socketPath = mkOption { type = types.path; default = "/var/run/dovecot/stats"; - example = "/var/run/dovecot2/stats"; + example = "/var/run/dovecot2/old-stats"; description = '' Path under which the stats socket is placed. The user/group under which the exporter runs, should be able to access the socket in order to scrape the metrics successfully. + + Please keep in mind that the stats module has changed in + <link xlink:href="https://wiki2.dovecot.org/Upgrading/2.3">Dovecot 2.3+</link> which + is not <link xlink:href="https://github.com/kumina/dovecot_exporter/issues/8">compatible with this exporter</link>. + + The following extra config has to be passed to Dovecot to ensure that recent versions + work with this exporter: + <programlisting> + { + <xref linkend="opt-services.prometheus.exporters.dovecot.enable" /> = true; + <xref linkend="opt-services.prometheus.exporters.dovecot.socketPath" /> = "/var/run/dovecot2/old-stats"; + <xref linkend="opt-services.dovecot2.extraConfig" /> = ''' + mail_plugins = $mail_plugins old_stats + service old-stats { + unix_listener old-stats { + user = nobody + group = nobody + } + } + '''; + } + </programlisting> ''; }; scopes = mkOption { diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index 97d223a56ca..6842aa73561 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -13,7 +13,7 @@ let overrides = ${cfg.privateConfig} [server:main] - use = egg:Paste#http + use = egg:gunicorn host = ${cfg.listen.address} port = ${toString cfg.listen.port} @@ -30,6 +30,8 @@ let audiences = ${removeSuffix "/" cfg.publicUrl} ''; + user = "syncserver"; + group = "syncserver"; in { @@ -126,15 +128,14 @@ in config = mkIf cfg.enable { - systemd.services.syncserver = let - syncServerEnv = pkgs.python.withPackages(ps: with ps; [ syncserver pasteScript requests ]); - user = "syncserver"; - group = "syncserver"; - in { + systemd.services.syncserver = { after = [ "network.target" ]; description = "Firefox Sync Server"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.coreutils syncServerEnv ]; + path = [ + pkgs.coreutils + (pkgs.python.withPackages (ps: [ pkgs.syncserver ps.gunicorn ])) + ]; serviceConfig = { User = user; @@ -166,14 +167,17 @@ in chown ${user}:${group} ${defaultDbLocation} fi ''; - serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}"; + + script = '' + gunicorn --paste ${syncServerIni} + ''; }; - users.users.syncserver = { - group = "syncserver"; + users.users.${user} = { + inherit group; isSystemUser = true; }; - users.groups.syncserver = {}; + users.groups.${group} = {}; }; } diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix index 613b0e0fb51..b061ce34ed2 100644 --- a/nixos/modules/services/networking/nylon.nix +++ b/nixos/modules/services/networking/nylon.nix @@ -142,7 +142,6 @@ in description = "Collection of named nylon instances"; type = with types; loaOf (submodule nylonOpts); internal = true; - options = [ nylonOpts ]; }; }; diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 25b7d6dbeba..de316e5f466 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -513,6 +513,7 @@ in RuntimeDirectory = [ "prosody" ]; PIDFile = "/run/prosody/prosody.pid"; ExecStart = "${cfg.package}/bin/prosodyctl start"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; }; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 90d08ca3131..95dc8a62a45 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -11,7 +11,7 @@ let userOptions = { - openssh.authorizedKeys = { + options.openssh.authorizedKeys = { keys = mkOption { type = types.listOf types.str; default = []; @@ -320,7 +320,7 @@ in }; users.users = mkOption { - options = [ userOptions ]; + type = with types; loaOf (submodule userOptions); }; }; diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index ac10e77ba30..89b9ac4eadf 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -184,4 +184,5 @@ in }; + meta.maintainers = with lib.maintainers; [ erictapen ]; } diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index c788528fa47..8622212f085 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; @@ -193,7 +193,7 @@ in { # FIXME: start a separate wpa_supplicant instance per interface. systemd.services.wpa_supplicant = let ifaces = cfg.interfaces; - deviceUnit = interface: [ "sys-subsystem-net-devices-${interface}.device" ]; + deviceUnit = interface: [ "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device" ]; in { description = "WPA Supplicant"; diff --git a/nixos/modules/services/networking/xrdp.nix b/nixos/modules/services/networking/xrdp.nix index 9ed3025e47d..a1c5d879f3c 100644 --- a/nixos/modules/services/networking/xrdp.nix +++ b/nixos/modules/services/networking/xrdp.nix @@ -26,6 +26,12 @@ let substituteInPlace $out/sesman.ini \ --replace LogFile=xrdp-sesman.log LogFile=/dev/null \ --replace EnableSyslog=1 EnableSyslog=0 + + # Ensure that clipboard works for non-ASCII characters + sed -i -e '/.*SessionVariables.*/ a\ + LANG=${config.i18n.defaultLocale}\ + LOCALE_ARCHIVE=${config.i18n.glibcLocales}/lib/locale/locale-archive + ' $out/sesman.ini ''; in { diff --git a/nixos/modules/services/security/certmgr.nix b/nixos/modules/services/security/certmgr.nix index 22d5817ec4f..e89078883eb 100644 --- a/nixos/modules/services/security/certmgr.nix +++ b/nixos/modules/services/security/certmgr.nix @@ -30,13 +30,20 @@ let preStart = '' ${concatStringsSep " \\\n" (["mkdir -p"] ++ map escapeShellArg specPaths)} - ${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml} check + ${cfg.package}/bin/certmgr -f ${certmgrYaml} check ''; in { options.services.certmgr = { enable = mkEnableOption "certmgr"; + package = mkOption { + type = types.package; + default = pkgs.certmgr; + defaultText = "pkgs.certmgr"; + description = "Which certmgr package to use in the service."; + }; + defaultRemote = mkOption { type = types.str; default = "127.0.0.1:8888"; @@ -187,7 +194,7 @@ in serviceConfig = { Restart = "always"; RestartSec = "10s"; - ExecStart = "${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml}"; + ExecStart = "${cfg.package}/bin/certmgr -f ${certmgrYaml}"; }; }; }; diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix index fda864f2c30..504bc66c6d1 100644 --- a/nixos/modules/services/security/munge.nix +++ b/nixos/modules/services/security/munge.nix @@ -50,7 +50,7 @@ in path = [ pkgs.munge pkgs.coreutils ]; preStart = '' - chmod 0700 ${cfg.password} + chmod 0400 ${cfg.password} mkdir -p /var/lib/munge -m 0711 chown -R munge:munge /var/lib/munge mkdir -p /run/munge -m 0755 diff --git a/nixos/modules/services/security/nginx-sso.nix b/nixos/modules/services/security/nginx-sso.nix new file mode 100644 index 00000000000..d792f90abe6 --- /dev/null +++ b/nixos/modules/services/security/nginx-sso.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nginx.sso; + pkg = getBin pkgs.nginx-sso; + configYml = pkgs.writeText "nginx-sso.yml" (builtins.toJSON cfg.configuration); +in { + options.services.nginx.sso = { + enable = mkEnableOption "nginx-sso service"; + + configuration = mkOption { + type = types.attrsOf types.unspecified; + default = {}; + example = literalExample '' + { + listen = { addr = "127.0.0.1"; port = 8080; }; + + providers.token.tokens = { + myuser = "MyToken"; + }; + + acl = { + rule_sets = [ + { + rules = [ { field = "x-application"; equals = "MyApp"; } ]; + allow = [ "myuser" ]; + } + ]; + }; + } + ''; + description = '' + nginx-sso configuration + (<link xlink:href="https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration">documentation</link>) + as a Nix attribute set. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.nginx-sso = { + description = "Nginx SSO Backend"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${pkg}/bin/nginx-sso \ + --config ${configYml} \ + --frontend-dir ${pkg}/share/frontend + ''; + Restart = "always"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix index 9f0261038d5..8136a5c763a 100644 --- a/nixos/modules/services/security/sks.nix +++ b/nixos/modules/services/security/sks.nix @@ -5,6 +5,9 @@ with lib; let cfg = config.services.sks; sksPkg = cfg.package; + dbConfig = pkgs.writeText "DB_CONFIG" '' + ${cfg.extraDbConfig} + ''; in { meta.maintainers = with maintainers; [ primeos calbrecht jcumming ]; @@ -39,6 +42,20 @@ in { ''; }; + extraDbConfig = mkOption { + type = types.str; + default = ""; + description = '' + Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within + the ''${dataDir} directory. This is used to configure options for the + database for the sks key server. + + Documentation of available options are available in the file named + "sampleConfig/DB_CONFIG" in the following repository: + https://bitbucket.org/skskeyserver/sks-keyserver/src + ''; + }; + hkpAddress = mkOption { default = [ "127.0.0.1" "::1" ]; type = types.listOf types.str; @@ -99,6 +116,17 @@ in { ${lib.optionalString (cfg.webroot != null) "ln -sfT \"${cfg.webroot}\" web"} mkdir -p dump + # Check that both database configs are symlinks before overwriting them + if [ -e KDB/DB_CONFIG ] && [ ! -L KBD/DB_CONFIG ]; then + echo "KDB/DB_CONFIG exists but is not a symlink." >&2 + exit 1 + fi + if [ -e PTree/DB_CONFIG ] && [ ! -L PTree/DB_CONFIG ]; then + echo "PTree/DB_CONFIG exists but is not a symlink." >&2 + exit 1 + fi + ln -sf ${dbConfig} KDB/DB_CONFIG + ln -sf ${dbConfig} PTree/DB_CONFIG ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/ ${sksPkg}/bin/sks cleandb || true ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 137c3d61018..3892cd5c72b 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -4,6 +4,7 @@ with lib; let cfg = config.services.sshguard; + in { ###### interface @@ -77,65 +78,65 @@ in { Systemd services sshguard should receive logs of. ''; }; - }; - }; - ###### implementation config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.sshguard pkgs.iptables pkgs.ipset ]; - environment.etc."sshguard.conf".text = let - list_services = ( name: "-t ${name} "); - in '' - BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl -afb -p info -n1 ${toString (map list_services cfg.services)} -o cat" + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + in '' + BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + + systemd.services.sshguard = { + description = "SSHGuard brute-force attacks protection system"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + partOf = optional config.networking.firewall.enable "firewall.service"; + + path = with pkgs; [ iptables ipset iproute systemd ]; + + postStart = '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6 + ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP + ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP + ''; + + preStop = '' + ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP + ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ''; - systemd.services.sshguard = - { description = "SSHGuard brute-force attacks protection system"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - partOf = optional config.networking.firewall.enable "firewall.service"; - - path = [ pkgs.iptables pkgs.ipset pkgs.iproute pkgs.systemd ]; - - postStart = '' - mkdir -p /var/lib/sshguard - ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet - ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6 - ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP - ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP - ''; - - preStop = '' - ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP - ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP - ''; - - unitConfig.Documentation = "man:sshguard(8)"; - - serviceConfig = { - Type = "simple"; - ExecStart = let - list_whitelist = ( name: "-w ${name} "); - in '' - ${pkgs.sshguard}/bin/sshguard -a ${toString cfg.attack_threshold} ${optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file} "}-i /run/sshguard/sshguard.pid -p ${toString cfg.blocktime} -s ${toString cfg.detection_time} ${toString (map list_whitelist cfg.whitelist)} - ''; - PIDFile = "/run/sshguard/sshguard.pid"; - Restart = "always"; - - ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/run/sshguard /var/lib/sshguard"; - RuntimeDirectory = "sshguard"; - StateDirectory = "sshguard"; - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; - }; + unitConfig.Documentation = "man:sshguard(8)"; + + serviceConfig = { + Type = "simple"; + ExecStart = let + args = lib.concatStringsSep " " ([ + "-a ${toString cfg.attack_threshold}" + "-p ${toString cfg.blocktime}" + "-s ${toString cfg.detection_time}" + (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") + ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)); + in "${pkgs.sshguard}/bin/sshguard ${args}"; + Restart = "always"; + ProtectSystem = "strict"; + ProtectHome = "tmpfs"; + RuntimeDirectory = "sshguard"; + StateDirectory = "sshguard"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; }; + }; }; } diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 719eb76f42c..f544928fb6b 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -143,6 +143,9 @@ in ${getLib pkgs.lz4}/lib/liblz4*.so* mr, ${getLib pkgs.libkrb5}/lib/lib*.so* mr, ${getLib pkgs.keyutils}/lib/libkeyutils*.so* mr, + ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so.* mr, + ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so.* mr, + ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so.* mr, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/vm/overcommit_memory r, diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 73607c6f9a3..bb962334786 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -151,7 +151,7 @@ let loggingConf = (if mainCfg.logFormat != "none" then '' - ErrorLog ${mainCfg.logDir}/error_log + ErrorLog ${mainCfg.logDir}/error.log LogLevel notice @@ -160,7 +160,7 @@ let LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent - CustomLog ${mainCfg.logDir}/access_log ${mainCfg.logFormat} + CustomLog ${mainCfg.logDir}/access.log ${mainCfg.logFormat} '' else '' ErrorLog /dev/null ''); @@ -187,8 +187,8 @@ let SSLRandomSeed startup builtin SSLRandomSeed connect builtin - SSLProtocol All -SSLv2 -SSLv3 - SSLCipherSuite HIGH:!aNULL:!MD5:!EXP + SSLProtocol ${mainCfg.sslProtocols} + SSLCipherSuite ${mainCfg.sslCiphers} SSLHonorCipherOrder on ''; @@ -261,8 +261,8 @@ let '' else ""} ${if !isMainServer && mainCfg.logPerVirtualHost then '' - ErrorLog ${mainCfg.logDir}/error_log-${cfg.hostName} - CustomLog ${mainCfg.logDir}/access_log-${cfg.hostName} ${cfg.logFormat} + ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log + CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat} '' else ""} ${optionalString (robotsTxt != "") '' @@ -630,6 +630,19 @@ in description = "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited"; }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3"; + example = "All -SSLv2 -SSLv3 -TLSv1"; + description = "Allowed SSL/TLS protocol versions."; + }; } # Include the options shared between the main server and virtual hosts. diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix index d1ee076e918..efec943c007 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix @@ -6,12 +6,14 @@ let dmcfg = config.services.xserver.displayManager; ldmcfg = dmcfg.lightdm; + xcfg = config.services.xserver; cfg = ldmcfg.greeters.gtk; inherit (pkgs) writeText; theme = cfg.theme.package; icons = cfg.iconTheme.package; + cursors = cfg.cursorTheme.package; # The default greeter provided with this expression is the GTK greeter. # Again, we need a few things in the environment for the greeter to run with @@ -28,7 +30,8 @@ let --set GTK_EXE_PREFIX "${theme}" \ --set GTK_DATA_PREFIX "${theme}" \ --set XDG_DATA_DIRS "${theme}/share:${icons}/share" \ - --set XDG_CONFIG_HOME "${theme}/share" + --set XDG_CONFIG_HOME "${theme}/share" \ + --set XCURSOR_PATH "${cursors}/share/icons" cat - > $out/lightdm-gtk-greeter.desktop << EOF [Desktop Entry] @@ -44,9 +47,12 @@ let [greeter] theme-name = ${cfg.theme.name} icon-theme-name = ${cfg.iconTheme.name} + cursor-theme-name = ${cfg.cursorTheme.name} + cursor-theme-size = ${toString cfg.cursorTheme.size} background = ${ldmcfg.background} ${optionalString (cfg.clock-format != null) "clock-format = ${cfg.clock-format}"} ${optionalString (cfg.indicators != null) "indicators = ${concatStringsSep ";" cfg.indicators}"} + ${optionalString (xcfg.dpi != null) "xft-dpi=${toString xcfg.dpi}"} ${cfg.extraConfig} ''; @@ -106,6 +112,33 @@ in }; + cursorTheme = { + + package = mkOption { + default = pkgs.gnome3.defaultIconTheme; + defaultText = "pkgs.gnome3.defaultIconTheme"; + description = '' + The package path that contains the cursor theme given in the name option. + ''; + }; + + name = mkOption { + type = types.str; + default = "Adwaita"; + description = '' + Name of the cursor theme to use for the lightdm-gtk-greeter. + ''; + }; + + size = mkOption { + type = types.int; + default = 16; + description = '' + Size of the cursor theme to use for the lightdm-gtk-greeter. + ''; + }; + }; + clock-format = mkOption { type = types.nullOr types.str; default = null; diff --git a/nixos/modules/system/boot/kernel_config.nix b/nixos/modules/system/boot/kernel_config.nix new file mode 100644 index 00000000000..fbbd0982b2c --- /dev/null +++ b/nixos/modules/system/boot/kernel_config.nix @@ -0,0 +1,137 @@ +{ lib, config, ... }: + +with lib; +let + findWinner = candidates: winner: + any (x: x == winner) candidates; + + # winners is an ordered list where first item wins over 2nd etc + mergeAnswer = winners: locs: defs: + let + values = map (x: x.value) defs; + freeformAnswer = intersectLists values winners; + inter = intersectLists values winners; + winner = head winners; + in + if defs == [] then abort "This case should never happen." + else if winner == [] then abort "Give a valid list of winner" + else if inter == [] then mergeOneOption locs defs + else if findWinner values winner then + winner + else + mergeAnswer (tail winners) locs defs; + + mergeFalseByDefault = locs: defs: + if defs == [] then abort "This case should never happen." + else if any (x: x == false) defs then false + else true; + + kernelItem = types.submodule { + options = { + tristate = mkOption { + type = types.enum [ "y" "m" "n" null ] // { + merge = mergeAnswer [ "y" "m" "n" ]; + }; + default = null; + internal = true; + visible = true; + description = '' + Use this field for tristate kernel options expecting a "y" or "m" or "n". + ''; + }; + + freeform = mkOption { + type = types.nullOr types.str // { + merge = mergeEqualOption; + }; + default = null; + example = ''MMC_BLOCK_MINORS.freeform = "32";''; + description = '' + Freeform description of a kernel configuration item value. + ''; + }; + + optional = mkOption { + type = types.bool // { merge = mergeFalseByDefault; }; + default = false; + description = '' + Wether option should generate a failure when unused. + ''; + }; + }; + }; + + mkValue = with lib; val: + let + isNumber = c: elem c ["0" "1" "2" "3" "4" "5" "6" "7" "8" "9"]; + + in + if (val == "") then "\"\"" + else if val == "y" || val == "m" || val == "n" then val + else if all isNumber (stringToCharacters val) then val + else if substring 0 2 val == "0x" then val + else val; # FIXME: fix quoting one day + + + # generate nix intermediate kernel config file of the form + # + # VIRTIO_MMIO m + # VIRTIO_BLK y + # VIRTIO_CONSOLE n + # NET_9P_VIRTIO? y + # + # Borrowed from copumpkin https://github.com/NixOS/nixpkgs/pull/12158 + # returns a string, expr should be an attribute set + # Use mkValuePreprocess to preprocess option values, aka mark 'modules' as 'yes' or vice-versa + # use the identity if you don't want to override the configured values + generateNixKConf = exprs: + let + mkConfigLine = key: item: + let + val = if item.freeform != null then item.freeform else item.tristate; + in + if val == null + then "" + else if (item.optional) + then "${key}? ${mkValue val}\n" + else "${key} ${mkValue val}\n"; + + mkConf = cfg: concatStrings (mapAttrsToList mkConfigLine cfg); + in mkConf exprs; + +in +{ + + options = { + + intermediateNixConfig = mkOption { + readOnly = true; + type = types.lines; + example = '' + USB? y + DEBUG n + ''; + description = '' + The result of converting the structured kernel configuration in settings + to an intermediate string that can be parsed by generate-config.pl to + answer the kernel `make defconfig`. + ''; + }; + + settings = mkOption { + type = types.attrsOf kernelItem; + example = literalExample '' with lib.kernel; { + "9P_NET" = yes; + USB = optional yes; + MMC_BLOCK_MINORS = freeform "32"; + }''; + description = '' + Structured kernel configuration. + ''; + }; + }; + + config = { + intermediateNixConfig = generateNixKConf config.settings; + }; +} diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index c8ea1401528..5e27b24ac44 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -525,16 +525,18 @@ in }; fileSystems = mkOption { - options.neededForBoot = mkOption { - default = false; - type = types.bool; - description = '' - If set, this file system will be mounted in the initial - ramdisk. By default, this applies to the root file system - and to the file system containing - <filename>/nix/store</filename>. - ''; - }; + type = with lib.types; loaOf (submodule { + options.neededForBoot = mkOption { + default = false; + type = types.bool; + description = '' + If set, this file system will be mounted in the initial + ramdisk. By default, this applies to the root file system + and to the file system containing + <filename>/nix/store</filename>. + ''; + }; + }); }; }; diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix index 5f2bec5c34a..63f974b704f 100644 --- a/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixos/modules/system/boot/systemd-unit-options.nix @@ -210,6 +210,15 @@ in rec { ''; }; + startLimitIntervalSec = mkOption { + type = types.int; + description = '' + Configure unit start rate limiting. Units which are started + more than burst times within an interval time interval are + not permitted to start any more. + ''; + }; + }; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 860268ab23a..f783daba902 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -193,7 +193,7 @@ let let mkScriptName = s: "unit-script-" + (replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape s) ); in pkgs.writeTextFile { name = mkScriptName name; executable = true; inherit text; }; - unitConfig = { config, ... }: { + unitConfig = { config, options, ... }: { config = { unitConfig = optionalAttrs (config.requires != []) @@ -219,7 +219,9 @@ let // optionalAttrs (config.documentation != []) { Documentation = toString config.documentation; } // optionalAttrs (config.onFailure != []) { - OnFailure = toString config.onFailure; + OnFailure = toString config.onFailure; } + // optionalAttrs (options.startLimitIntervalSec.isDefined) { + StartLimitIntervalSec = toString config.startLimitIntervalSec; }; }; }; diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix index 7b756b70e2f..d225778a387 100644 --- a/nixos/modules/tasks/auto-upgrade.nix +++ b/nixos/modules/tasks/auto-upgrade.nix @@ -78,7 +78,7 @@ let cfg = config.system.autoUpgrade; in HOME = "/root"; } // config.networking.proxy.envVars; - path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ]; + path = [ pkgs.gnutar pkgs.xz.bin pkgs.gitMinimal config.nix.package.out ]; script = '' ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch ${toString cfg.flags} diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix index 11ed5d7e4d0..2c9231f5523 100644 --- a/nixos/modules/tasks/encrypted-devices.nix +++ b/nixos/modules/tasks/encrypted-devices.nix @@ -12,7 +12,7 @@ let encryptedFSOptions = { - encrypted = { + options.encrypted = { enable = mkOption { default = false; type = types.bool; @@ -47,10 +47,10 @@ in options = { fileSystems = mkOption { - options = [encryptedFSOptions]; + type = with lib.types; loaOf (submodule encryptedFSOptions); }; swapDevices = mkOption { - options = [encryptedFSOptions]; + type = with lib.types; listOf (submodule encryptedFSOptions); }; }; diff --git a/nixos/modules/testing/service-runner.nix b/nixos/modules/testing/service-runner.nix index 5ead75788e5..17d5e337690 100644 --- a/nixos/modules/testing/service-runner.nix +++ b/nixos/modules/testing/service-runner.nix @@ -92,23 +92,24 @@ let exit($mainRes & 127 ? 255 : $mainRes << 8); ''; + opts = { config, name, ... }: { + options.runner = mkOption { + internal = true; + description = '' + A script that runs the service outside of systemd, + useful for testing or for using NixOS services outside + of NixOS. + ''; + }; + config.runner = makeScript name config; + }; + in { options = { systemd.services = mkOption { - options = - { config, name, ... }: - { options.runner = mkOption { - internal = true; - description = '' - A script that runs the service outside of systemd, - useful for testing or for using NixOS services outside - of NixOS. - ''; - }; - config.runner = makeScript name config; - }; + type = with types; attrsOf (submodule opts); }; }; } diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index c2e6e9f6a13..7c9909ae278 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -36,7 +36,7 @@ let #! ${pkgs.runtimeShell} -e # Initialise the container side of the veth pair. - if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then + if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || [ -n "$HOST_BRIDGE" ]; then ip link set host0 name eth0 ip link set dev eth0 up @@ -90,18 +90,20 @@ let if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then extraFlags+=" --network-veth" - if [ -n "$HOST_BRIDGE" ]; then - extraFlags+=" --network-bridge=$HOST_BRIDGE" - fi - if [ -n "$HOST_PORT" ]; then - OIFS=$IFS - IFS="," - for i in $HOST_PORT - do - extraFlags+=" --port=$i" - done - IFS=$OIFS - fi + fi + + if [ -n "$HOST_PORT" ]; then + OIFS=$IFS + IFS="," + for i in $HOST_PORT + do + extraFlags+=" --port=$i" + done + IFS=$OIFS + fi + + if [ -n "$HOST_BRIDGE" ]; then + extraFlags+=" --network-bridge=$HOST_BRIDGE" fi extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}" |