diff options
Diffstat (limited to 'nixos/modules')
114 files changed, 3171 insertions, 925 deletions
diff --git a/nixos/modules/config/iproute2.nix b/nixos/modules/config/iproute2.nix index a1d9ebcec66..5f41f3d21e4 100644 --- a/nixos/modules/config/iproute2.nix +++ b/nixos/modules/config/iproute2.nix @@ -18,15 +18,15 @@ in }; config = mkIf cfg.enable { - environment.etc."iproute2/bpf_pinning" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/bpf_pinning"; }; - environment.etc."iproute2/ematch_map" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/ematch_map"; }; - environment.etc."iproute2/group" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/group"; }; - environment.etc."iproute2/nl_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/nl_protos"; }; - environment.etc."iproute2/rt_dsfield" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_dsfield"; }; - environment.etc."iproute2/rt_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_protos"; }; - environment.etc."iproute2/rt_realms" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_realms"; }; - environment.etc."iproute2/rt_scopes" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_scopes"; }; - environment.etc."iproute2/rt_tables" = { mode = "0644"; text = (fileContents "${pkgs.iproute}/etc/iproute2/rt_tables") + environment.etc."iproute2/bpf_pinning" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/bpf_pinning"; }; + environment.etc."iproute2/ematch_map" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/ematch_map"; }; + environment.etc."iproute2/group" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/group"; }; + environment.etc."iproute2/nl_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/nl_protos"; }; + environment.etc."iproute2/rt_dsfield" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_dsfield"; }; + environment.etc."iproute2/rt_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_protos"; }; + environment.etc."iproute2/rt_realms" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_realms"; }; + environment.etc."iproute2/rt_scopes" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_scopes"; }; + environment.etc."iproute2/rt_tables" = { mode = "0644"; text = (fileContents "${pkgs.iproute2}/etc/iproute2/rt_tables") + (optionalString (cfg.rttablesExtraConfig != "") "\n\n${cfg.rttablesExtraConfig}"); }; }; } diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 2b6a61e9a80..567a8b6f3b9 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -6,6 +6,12 @@ let ids = config.ids; cfg = config.users; + isPasswdCompatible = str: !(hasInfix ":" str || hasInfix "\n" str); + passwdEntry = type: lib.types.addCheck type isPasswdCompatible // { + name = "passwdEntry ${type.name}"; + description = "${type.description}, not containing newlines or colons"; + }; + # Check whether a password hash will allow login. allowsLogin = hash: hash == "" # login without password @@ -54,7 +60,7 @@ let options = { name = mkOption { - type = types.str; + type = passwdEntry types.str; apply = x: assert (builtins.stringLength x < 32 || abort "Username '${x}' is longer than 31 characters which is not allowed!"); x; description = '' The name of the user account. If undefined, the name of the @@ -63,7 +69,7 @@ let }; description = mkOption { - type = types.str; + type = passwdEntry types.str; default = ""; example = "Alice Q. User"; description = '' @@ -128,7 +134,7 @@ let }; home = mkOption { - type = types.path; + type = passwdEntry types.path; default = "/var/empty"; description = "The user's home directory."; }; @@ -157,7 +163,7 @@ let }; shell = mkOption { - type = types.nullOr (types.either types.shellPackage types.path); + type = types.nullOr (types.either types.shellPackage (passwdEntry types.path)); default = pkgs.shadow; defaultText = "pkgs.shadow"; example = literalExample "pkgs.bashInteractive"; @@ -217,7 +223,7 @@ let }; hashedPassword = mkOption { - type = with types; nullOr str; + type = with types; nullOr (passwdEntry str); default = null; description = '' Specifies the hashed password for the user. @@ -251,7 +257,7 @@ let }; initialHashedPassword = mkOption { - type = with types; nullOr str; + type = with types; nullOr (passwdEntry str); default = null; description = '' Specifies the initial hashed password for the user, i.e. the @@ -323,7 +329,7 @@ let options = { name = mkOption { - type = types.str; + type = passwdEntry types.str; description = '' The name of the group. If undefined, the name of the attribute set will be used. @@ -340,7 +346,7 @@ let }; members = mkOption { - type = with types; listOf str; + type = with types; listOf (passwdEntry str); default = []; description = '' The user names of the group members, added to the diff --git a/nixos/modules/hardware/keyboard/teck.nix b/nixos/modules/hardware/keyboard/teck.nix new file mode 100644 index 00000000000..091ddb81962 --- /dev/null +++ b/nixos/modules/hardware/keyboard/teck.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.hardware.keyboard.teck; +in +{ + options.hardware.keyboard.teck = { + enable = mkEnableOption "non-root access to the firmware of TECK keyboards"; + }; + + config = mkIf cfg.enable { + services.udev.packages = [ pkgs.teck-udev-rules ]; + }; +} + diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix index 752de41f26d..c587076dcd1 100644 --- a/nixos/modules/hardware/printers.nix +++ b/nixos/modules/hardware/printers.nix @@ -15,7 +15,7 @@ let ${ppdOptionsString p.ppdOptions} ''; ensureDefaultPrinter = name: '' - ${pkgs.cups}/bin/lpoptions -d '${name}' + ${pkgs.cups}/bin/lpadmin -d '${name}' ''; # "graph but not # or /" can't be implemented as regex alone due to missing lookahead support diff --git a/nixos/modules/i18n/input-method/default.nix b/nixos/modules/i18n/input-method/default.nix index 4649f9b862a..bbc5783565a 100644 --- a/nixos/modules/i18n/input-method/default.nix +++ b/nixos/modules/i18n/input-method/default.nix @@ -29,7 +29,7 @@ in options.i18n = { inputMethod = { enabled = mkOption { - type = types.nullOr (types.enum [ "ibus" "fcitx" "fcitx5" "nabi" "uim" "hime" ]); + type = types.nullOr (types.enum [ "ibus" "fcitx" "fcitx5" "nabi" "uim" "hime" "kime" ]); default = null; example = "fcitx"; description = '' @@ -46,6 +46,7 @@ in <listitem><para>nabi: A Korean input method based on XIM. Nabi doesn't support Qt 5.</para></listitem> <listitem><para>uim: The universal input method, is a library with a XIM bridge. uim mainly support Chinese, Japanese and Korean.</para></listitem> <listitem><para>hime: An extremely easy-to-use input method framework.</para></listitem> + <listitem><para>kime: Koream IME.</para></listitem> </itemizedlist> ''; }; diff --git a/nixos/modules/i18n/input-method/default.xml b/nixos/modules/i18n/input-method/default.xml index 73911059f8a..dd66316c730 100644 --- a/nixos/modules/i18n/input-method/default.xml +++ b/nixos/modules/i18n/input-method/default.xml @@ -40,6 +40,11 @@ Hime: An extremely easy-to-use input method framework. </para> </listitem> + <listitem> + <para> + Kime: Korean IME + </para> + </listitem> </itemizedlist> <section xml:id="module-services-input-methods-ibus"> <title>IBus</title> @@ -266,4 +271,21 @@ i18n.inputMethod = { }; </programlisting> </section> + <section xml:id="module-services-input-methods-kime"> + <title>Kime</title> + + <para> + Kime is Korean IME. it's built with Rust language and let you get simple, safe, fast Korean typing + </para> + + <para> + The following snippet can be used to configure Kime: + </para> + +<programlisting> +i18n.inputMethod = { + <link linkend="opt-i18n.inputMethod.enabled">enabled</link> = "kime"; +}; +</programlisting> + </section> </chapter> diff --git a/nixos/modules/i18n/input-method/kime.nix b/nixos/modules/i18n/input-method/kime.nix new file mode 100644 index 00000000000..2a73cb3f460 --- /dev/null +++ b/nixos/modules/i18n/input-method/kime.nix @@ -0,0 +1,49 @@ +{ config, pkgs, lib, generators, ... }: +with lib; +let + cfg = config.i18n.inputMethod.kime; + yamlFormat = pkgs.formats.yaml { }; +in +{ + options = { + i18n.inputMethod.kime = { + config = mkOption { + type = yamlFormat.type; + default = { }; + example = literalExample '' + { + daemon = { + modules = ["Xim" "Indicator"]; + }; + + indicator = { + icon_color = "White"; + }; + + engine = { + hangul = { + layout = "dubeolsik"; + }; + }; + } + ''; + description = '' + kime configuration. Refer to <link xlink:href="https://github.com/Riey/kime/blob/v${pkgs.kime.version}/docs/CONFIGURATION.md"/> for details on supported values. + ''; + }; + }; + }; + + config = mkIf (config.i18n.inputMethod.enabled == "kime") { + i18n.inputMethod.package = pkgs.kime; + + environment.variables = { + GTK_IM_MODULE = "kime"; + QT_IM_MODULE = "kime"; + XMODIFIERS = "@im=kime"; + }; + + environment.etc."xdg/kime/config.yaml".text = replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg.config); + }; +} + diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 1418420afcd..7a4738599b0 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -162,12 +162,14 @@ let isolinuxCfg = concatStringsSep "\n" ([ baseIsolinuxCfg ] ++ optional config.boot.loader.grub.memtest86.enable isolinuxMemtest86Entry); + refindBinary = if targetArch == "x64" || targetArch == "aa64" then "refind_${targetArch}.efi" else null; + # Setup instructions for rEFInd. refind = - if targetArch == "x64" then + if refindBinary != null then '' # Adds rEFInd to the ISO. - cp -v ${pkgs.refind}/share/refind/refind_x64.efi $out/EFI/boot/ + cp -v ${pkgs.refind}/share/refind/${refindBinary} $out/EFI/boot/ '' else "# No refind for ${targetArch}" @@ -186,7 +188,10 @@ let # Fonts can be loaded? # (This font is assumed to always be provided as a fallback by NixOS) - if loadfont (hd0)/EFI/boot/unicode.pf2; then + if loadfont /EFI/boot/unicode.pf2; then + set with_fonts=true + fi + if [ "\$textmode" != "true" -a "\$with_fonts" == "true" ]; then # Use graphical term, it can be either with background image or a theme. # input is "console", while output is "gfxterm". # This enables "serial" input and output only when possible. @@ -207,11 +212,11 @@ let ${ # When there is a theme configured, use it, otherwise use the background image. if config.isoImage.grubTheme != null then '' # Sets theme. - set theme=(hd0)/EFI/boot/grub-theme/theme.txt + set theme=/EFI/boot/grub-theme/theme.txt # Load theme fonts - $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (hd0)/EFI/boot/grub-theme/%P\n") + $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont /EFI/boot/grub-theme/%P\n") '' else '' - if background_image (hd0)/EFI/boot/efi-background.png; then + if background_image /EFI/boot/efi-background.png; then # Black background means transparent background when there # is a background image set... This seems undocumented :( set color_normal=black/black @@ -264,6 +269,8 @@ let cat <<EOF > $out/EFI/boot/grub.cfg + set with_fonts=false + set textmode=false # If you want to use serial for "terminal_*" commands, you need to set one up: # Example manual configuration: # → serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 @@ -273,8 +280,28 @@ let export with_serial clear set timeout=10 + + # This message will only be viewable when "gfxterm" is not used. + echo "" + echo "Loading graphical boot menu..." + echo "" + echo "Press 't' to use the text boot menu on this console..." + echo "" + ${grubMenuCfg} + hiddenentry 'Text mode' --hotkey 't' { + loadfont /EFI/boot/unicode.pf2 + set textmode=true + terminal_output gfxterm console + } + hiddenentry 'GUI mode' --hotkey 'g' { + $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont /EFI/boot/grub-theme/%P\n") + set textmode=false + terminal_output gfxterm + } + + # If the parameter iso_path is set, append the findiso parameter to the kernel # line. We need this to allow the nixos iso to be booted from grub directly. if [ \''${iso_path} ] ; then @@ -337,11 +364,15 @@ let } } - menuentry 'rEFInd' --class refind { - # UUID is hard-coded in the derivation. - search --set=root --no-floppy --fs-uuid 1234-5678 - chainloader (\$root)/EFI/boot/refind_x64.efi - } + ${lib.optionalString (refindBinary != null) '' + # GRUB apparently cannot do "chainloader" operations on "CD". + if [ "\$root" != "cd0" ]; then + menuentry 'rEFInd' --class refind { + # \$root defaults to the drive the EFI is found on. + chainloader (\$root)/EFI/boot/${refindBinary} + } + fi + ''} menuentry 'Firmware Setup' --class settings { fwsetup clear diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix index b811ae07eb0..45c8c67169b 100644 --- a/nixos/modules/installer/sd-card/sd-image.nix +++ b/nixos/modules/installer/sd-card/sd-image.nix @@ -126,6 +126,13 @@ in ''; }; + expandOnBoot = mkOption { + type = types.bool; + default = true; + description = '' + Whether to configure the sd image to expand it's partition on boot. + ''; + }; }; config = { @@ -215,7 +222,7 @@ in ''; }) {}; - boot.postBootCommands = '' + boot.postBootCommands = lib.mkIf config.sdImage.expandOnBoot '' # On the first boot do some maintenance tasks if [ -f /nix-path-registration ]; then set -euo pipefail diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 9d49d4055e4..ea9667995e1 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -125,7 +125,7 @@ fi # Resolve the flake. if [[ -n $flake ]]; then - flake=$(nix "${flakeFlags[@]}" flake info --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) + flake=$(nix "${flakeFlags[@]}" flake metadata --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) fi if [[ ! -e $NIXOS_CONFIG && -z $system && -z $flake ]]; then diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 77c974fc22c..cb2dbf6c859 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -163,7 +163,8 @@ in # List packages installed in system profile. To search, run: # \$ nix search wget # environment.systemPackages = with pkgs; [ - # wget vim + # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget # firefox # ]; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 5271cbebc26..0c0935a7992 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -49,6 +49,7 @@ ./hardware/i2c.nix ./hardware/sensor/hddtemp.nix ./hardware/sensor/iio.nix + ./hardware/keyboard/teck.nix ./hardware/keyboard/zsa.nix ./hardware/ksm.nix ./hardware/ledger.nix @@ -92,6 +93,7 @@ ./i18n/input-method/ibus.nix ./i18n/input-method/nabi.nix ./i18n/input-method/uim.nix + ./i18n/input-method/kime.nix ./installer/tools/tools.nix ./misc/assertions.nix ./misc/crashdump.nix @@ -112,6 +114,9 @@ ./programs/autojump.nix ./programs/bandwhich.nix ./programs/bash/bash.nix + ./programs/bash/bash-completion.nix + ./programs/bash/ls-colors.nix + ./programs/bash/undistract-me.nix ./programs/bash-my-aws.nix ./programs/bcc.nix ./programs/browserpass.nix @@ -128,9 +133,11 @@ ./programs/droidcam.nix ./programs/environment.nix ./programs/evince.nix + ./programs/feedbackd.nix ./programs/file-roller.nix ./programs/firejail.nix ./programs/fish.nix + ./programs/flexoptix-app.nix ./programs/freetds.nix ./programs/fuse.nix ./programs/geary.nix @@ -160,6 +167,7 @@ ./programs/partition-manager.nix ./programs/plotinus.nix ./programs/proxychains.nix + ./programs/phosh.nix ./programs/qt5ct.nix ./programs/screen.nix ./programs/sedutil.nix @@ -366,6 +374,7 @@ ./services/games/minecraft-server.nix ./services/games/minetest-server.nix ./services/games/openarena.nix + ./services/games/quake3-server.nix ./services/games/teeworlds.nix ./services/games/terraria.nix ./services/hardware/acpid.nix @@ -465,6 +474,7 @@ ./services/misc/couchpotato.nix ./services/misc/devmon.nix ./services/misc/dictd.nix + ./services/misc/duckling.nix ./services/misc/dwm-status.nix ./services/misc/dysnomia.nix ./services/misc/disnix.nix @@ -504,6 +514,7 @@ ./services/misc/mame.nix ./services/misc/matrix-appservice-discord.nix ./services/misc/matrix-appservice-irc.nix + ./services/misc/matrix-dendrite.nix ./services/misc/matrix-synapse.nix ./services/misc/mautrix-telegram.nix ./services/misc/mbpfan.nix @@ -526,6 +537,7 @@ ./services/misc/parsoid.nix ./services/misc/plex.nix ./services/misc/plikd.nix + ./services/misc/podgrab.nix ./services/misc/tautulli.nix ./services/misc/pinnwand.nix ./services/misc/pykms.nix @@ -626,6 +638,7 @@ ./services/network-filesystems/xtreemfs.nix ./services/network-filesystems/ceph.nix ./services/networking/3proxy.nix + ./services/networking/adguardhome.nix ./services/networking/amuled.nix ./services/networking/aria2.nix ./services/networking/asterisk.nix @@ -697,6 +710,9 @@ ./services/networking/iodine.nix ./services/networking/iperf3.nix ./services/networking/ircd-hybrid/default.nix + ./services/networking/iscsi/initiator.nix + ./services/networking/iscsi/root-initiator.nix + ./services/networking/iscsi/target.nix ./services/networking/iwd.nix ./services/networking/jicofo.nix ./services/networking/jitsi-videobridge.nix @@ -728,6 +744,7 @@ ./services/networking/nar-serve.nix ./services/networking/nat.nix ./services/networking/ndppd.nix + ./services/networking/nebula.nix ./services/networking/networkmanager.nix ./services/networking/nextdns.nix ./services/networking/nftables.nix @@ -763,7 +780,6 @@ ./services/networking/prayer.nix ./services/networking/privoxy.nix ./services/networking/prosody.nix - ./services/networking/quagga.nix ./services/networking/quassel.nix ./services/networking/quorum.nix ./services/networking/quicktun.nix @@ -965,6 +981,7 @@ ./services/web-servers/shellinabox.nix ./services/web-servers/tomcat.nix ./services/web-servers/traefik.nix + ./services/web-servers/trafficserver.nix ./services/web-servers/ttyd.nix ./services/web-servers/uwsgi.nix ./services/web-servers/varnish/default.nix diff --git a/nixos/modules/programs/bash/bash-completion.nix b/nixos/modules/programs/bash/bash-completion.nix new file mode 100644 index 00000000000..f07b1b636ef --- /dev/null +++ b/nixos/modules/programs/bash/bash-completion.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + enable = config.programs.bash.enableCompletion; +in +{ + options = { + programs.bash.enableCompletion = mkEnableOption "Bash completion for all interactive bash shells" // { + default = true; + }; + }; + + config = mkIf enable { + programs.bash.promptPluginInit = '' + # Check whether we're running a version of Bash that has support for + # programmable completion. If we do, enable all modules installed in + # the system and user profile in obsolete /etc/bash_completion.d/ + # directories. Bash loads completions in all + # $XDG_DATA_DIRS/bash-completion/completions/ + # on demand, so they do not need to be sourced here. + if shopt -q progcomp &>/dev/null; then + . "${pkgs.bash-completion}/etc/profile.d/bash_completion.sh" + nullglobStatus=$(shopt -p nullglob) + shopt -s nullglob + for p in $NIX_PROFILES; do + for m in "$p/etc/bash_completion.d/"*; do + . $m + done + done + eval "$nullglobStatus" + unset nullglobStatus p m + fi + ''; + }; +} diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1b3254b54a5..908ab34b08d 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -11,31 +11,6 @@ let cfg = config.programs.bash; - bashCompletion = optionalString cfg.enableCompletion '' - # Check whether we're running a version of Bash that has support for - # programmable completion. If we do, enable all modules installed in - # the system and user profile in obsolete /etc/bash_completion.d/ - # directories. Bash loads completions in all - # $XDG_DATA_DIRS/bash-completion/completions/ - # on demand, so they do not need to be sourced here. - if shopt -q progcomp &>/dev/null; then - . "${pkgs.bash-completion}/etc/profile.d/bash_completion.sh" - nullglobStatus=$(shopt -p nullglob) - shopt -s nullglob - for p in $NIX_PROFILES; do - for m in "$p/etc/bash_completion.d/"*; do - . $m - done - done - eval "$nullglobStatus" - unset nullglobStatus p m - fi - ''; - - lsColors = optionalString cfg.enableLsColors '' - eval "$(${pkgs.coreutils}/bin/dircolors -b)" - ''; - bashAliases = concatStringsSep "\n" ( mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) @@ -123,20 +98,13 @@ in type = types.lines; }; - enableCompletion = mkOption { - default = true; - description = '' - Enable Bash completion for all interactive bash shells. - ''; - type = types.bool; - }; - - enableLsColors = mkOption { - default = true; + promptPluginInit = mkOption { + default = ""; description = '' - Enable extra colors in directory listings. + Shell script code used to initialise bash prompt plugins. ''; - type = types.bool; + type = types.lines; + internal = true; }; }; @@ -167,8 +135,7 @@ in set +h ${cfg.promptInit} - ${bashCompletion} - ${lsColors} + ${cfg.promptPluginInit} ${bashAliases} ${cfge.interactiveShellInit} diff --git a/nixos/modules/programs/bash/ls-colors.nix b/nixos/modules/programs/bash/ls-colors.nix new file mode 100644 index 00000000000..254ee14c477 --- /dev/null +++ b/nixos/modules/programs/bash/ls-colors.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + enable = config.programs.bash.enableLsColors; +in +{ + options = { + programs.bash.enableLsColors = mkEnableOption "extra colors in directory listings" // { + default = true; + }; + }; + + config = mkIf enable { + programs.bash.promptPluginInit = '' + eval "$(${pkgs.coreutils}/bin/dircolors -b)" + ''; + }; +} diff --git a/nixos/modules/programs/bash/undistract-me.nix b/nixos/modules/programs/bash/undistract-me.nix new file mode 100644 index 00000000000..378144f598b --- /dev/null +++ b/nixos/modules/programs/bash/undistract-me.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.bash.undistractMe; +in +{ + options = { + programs.bash.undistractMe = { + enable = mkEnableOption "notifications when long-running terminal commands complete"; + + playSound = mkEnableOption "notification sounds when long-running terminal commands complete"; + + timeout = mkOption { + default = 10; + description = '' + Number of seconds it would take for a command to be considered long-running. + ''; + type = types.int; + }; + }; + }; + + config = mkIf cfg.enable { + programs.bash.promptPluginInit = '' + export LONG_RUNNING_COMMAND_TIMEOUT=${toString cfg.timeout} + export UDM_PLAY_SOUND=${if cfg.playSound then "1" else "0"} + . "${pkgs.undistract-me}/etc/profile.d/undistract-me.sh" + ''; + }; + + meta = { + maintainers = with maintainers; [ metadark ]; + }; +} diff --git a/nixos/modules/programs/ccache.nix b/nixos/modules/programs/ccache.nix index 3c9e64932f1..d672e1da017 100644 --- a/nixos/modules/programs/ccache.nix +++ b/nixos/modules/programs/ccache.nix @@ -17,7 +17,7 @@ in { type = types.listOf types.str; description = "Nix top-level packages to be compiled using CCache"; default = []; - example = [ "wxGTK30" "qt48" "ffmpeg_3_3" "libav_all" ]; + example = [ "wxGTK30" "ffmpeg" "libav_all" ]; }; }; diff --git a/nixos/modules/programs/feedbackd.nix b/nixos/modules/programs/feedbackd.nix new file mode 100644 index 00000000000..bb14489a6f4 --- /dev/null +++ b/nixos/modules/programs/feedbackd.nix @@ -0,0 +1,32 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.programs.feedbackd; +in { + options = { + programs.feedbackd = { + enable = mkEnableOption '' + Whether to enable the feedbackd D-BUS service and udev rules. + + Your user needs to be in the `feedbackd` group to trigger effects. + ''; + package = mkOption { + description = '' + Which feedbackd package to use. + ''; + type = types.package; + default = pkgs.feedbackd; + }; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + services.dbus.packages = [ cfg.package ]; + services.udev.packages = [ cfg.package ]; + + users.groups.feedbackd = {}; + }; +} diff --git a/nixos/modules/programs/flexoptix-app.nix b/nixos/modules/programs/flexoptix-app.nix new file mode 100644 index 00000000000..93dcdfeb514 --- /dev/null +++ b/nixos/modules/programs/flexoptix-app.nix @@ -0,0 +1,25 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs.flexoptix-app; +in { + options = { + programs.flexoptix-app = { + enable = mkEnableOption "FLEXOPTIX app + udev rules"; + + package = mkOption { + description = "FLEXOPTIX app package to use"; + type = types.package; + default = pkgs.flexoptix-app; + defaultText = "\${pkgs.flexoptix-app}"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + services.udev.packages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/programs/phosh.nix b/nixos/modules/programs/phosh.nix new file mode 100644 index 00000000000..f6faf7990dd --- /dev/null +++ b/nixos/modules/programs/phosh.nix @@ -0,0 +1,167 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.phosh; + + # Based on https://source.puri.sm/Librem5/librem5-base/-/blob/4596c1056dd75ac7f043aede07887990fd46f572/default/sm.puri.OSK0.desktop + oskItem = pkgs.makeDesktopItem { + name = "sm.puri.OSK0"; + type = "Application"; + desktopName = "On-screen keyboard"; + exec = "${pkgs.squeekboard}/bin/squeekboard"; + categories = "GNOME;Core;"; + extraEntries = '' + OnlyShowIn=GNOME; + NoDisplay=true + X-GNOME-Autostart-Phase=Panel + X-GNOME-Provides=inputmethod + X-GNOME-Autostart-Notify=true + X-GNOME-AutoRestart=true + ''; + }; + + phocConfigType = types.submodule { + options = { + xwayland = mkOption { + description = '' + Whether to enable XWayland support. + + To start XWayland immediately, use `immediate`. + ''; + type = types.enum [ "true" "false" "immediate" ]; + default = "false"; + }; + cursorTheme = mkOption { + description = '' + Cursor theme to use in Phosh. + ''; + type = types.str; + default = "default"; + }; + outputs = mkOption { + description = '' + Output configurations. + ''; + type = types.attrsOf phocOutputType; + default = { + DSI-1 = { + scale = 2; + }; + }; + }; + }; + }; + + phocOutputType = types.submodule { + options = { + modeline = mkOption { + description = '' + One or more modelines. + ''; + type = types.either types.str (types.listOf types.str); + default = []; + example = [ + "87.25 720 776 848 976 1440 1443 1453 1493 -hsync +vsync" + "65.13 768 816 896 1024 1024 1025 1028 1060 -HSync +VSync" + ]; + }; + mode = mkOption { + description = '' + Default video mode. + ''; + type = types.nullOr types.str; + default = null; + example = "768x1024"; + }; + scale = mkOption { + description = '' + Display scaling factor. + ''; + type = types.nullOr types.ints.unsigned; + default = null; + example = 2; + }; + rotate = mkOption { + description = '' + Screen transformation. + ''; + type = types.enum [ + "90" "180" "270" "flipped" "flipped-90" "flipped-180" "flipped-270" null + ]; + default = null; + }; + }; + }; + + optionalKV = k: v: if v == null then "" else "${k} = ${builtins.toString v}"; + + renderPhocOutput = name: output: let + modelines = if builtins.isList output.modeline + then output.modeline + else [ output.modeline ]; + renderModeline = l: "modeline = ${l}"; + in '' + [output:${name}] + ${concatStringsSep "\n" (map renderModeline modelines)} + ${optionalKV "mode" output.mode} + ${optionalKV "scale" output.scale} + ${optionalKV "rotate" output.rotate} + ''; + + renderPhocConfig = phoc: let + outputs = mapAttrsToList renderPhocOutput phoc.outputs; + in '' + [core] + xwayland = ${phoc.xwayland} + ${concatStringsSep "\n" outputs} + [cursor] + theme = ${phoc.cursorTheme} + ''; +in { + options = { + programs.phosh = { + enable = mkEnableOption '' + Whether to enable, Phosh, related packages and default configurations. + ''; + phocConfig = mkOption { + description = '' + Configurations for the Phoc compositor. + ''; + type = types.oneOf [ types.lines types.path phocConfigType ]; + default = {}; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ + pkgs.phoc + pkgs.phosh + pkgs.squeekboard + oskItem + ]; + + programs.feedbackd.enable = true; + + # https://source.puri.sm/Librem5/phosh/-/issues/303 + security.pam.services.phosh = { + text = '' + auth requisite pam_nologin.so + auth required pam_succeed_if.so user != root quiet_success + auth required pam_securetty.so + auth requisite pam_nologin.so + ''; + }; + + services.gnome3.core-shell.enable = true; + services.gnome3.core-os-services.enable = true; + services.xserver.displayManager.sessionPackages = [ pkgs.phosh ]; + + environment.etc."phosh/phoc.ini".source = + if builtins.isPath cfg.phocConfig then cfg.phocConfig + else if builtins.isString cfg.phocConfig then pkgs.writeText "phoc.ini" cfg.phocConfig + else pkgs.writeText "phoc.ini" (renderPhocConfig cfg.phocConfig); + }; +} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 9f1efc46279..233e3ee848b 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -18,6 +18,7 @@ with lib; # Completely removed modules (mkRemovedOptionModule [ "fonts" "fontconfig" "penultimate" ] "The corresponding package has removed from nixpkgs.") + (mkRemovedOptionModule [ "services" "quagga" ] "the corresponding package has been removed from nixpkgs") (mkRemovedOptionModule [ "services" "chronos" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "deepin" ] "The corresponding packages were removed from nixpkgs.") (mkRemovedOptionModule [ "services" "firefox" "syncserver" "user" ] "") diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index a5b13215476..f1531caa754 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -145,7 +145,7 @@ in extraOpts = mkOption { description = "Kubernetes apiserver extra command line options."; default = ""; - type = str; + type = separatedString " "; }; extraSANs = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index a99ef6640e9..0c81fa9ae49 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -38,7 +38,7 @@ in extraOpts = mkOption { description = "Kubernetes controller manager extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index b5346b1cd44..a428a60800c 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -142,7 +142,7 @@ in extraOpts = mkOption { description = "Kubernetes kubelet extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 86d1dc2439b..7aa449f9aa2 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -25,7 +25,7 @@ in extraOpts = mkOption { description = "Kubernetes proxy extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 5f6113227d9..454c689759d 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -21,7 +21,7 @@ in extraOpts = mkOption { description = "Kubernetes scheduler extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 0b52f8afed8..a3dee94e2dc 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -403,9 +403,7 @@ in requires = [ "munged.service" "mysql.service" ]; preStart = '' - cp ${slurmdbdConf} ${configPath} - chmod 600 ${configPath} - chown ${cfg.user} ${configPath} + install -m 600 -o ${cfg.user} -T ${slurmdbdConf} ${configPath} ${optionalString (cfg.dbdserver.storagePassFile != null) '' echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" \ >> ${configPath} diff --git a/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixos/modules/services/continuous-integration/buildkite-agents.nix index b0045409ae6..3dd1c40aaa4 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agents.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix @@ -76,7 +76,7 @@ let }; tags = mkOption { - type = types.attrsOf types.str; + type = types.attrsOf (types.either types.str (types.listOf types.str)); default = {}; example = { queue = "default"; docker = "true"; ruby2 ="true"; }; description = '' @@ -230,7 +230,11 @@ in ## don't end up in the Nix store. preStart = let sshDir = "${cfg.dataDir}/.ssh"; - tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags); + tagStr = name: value: + if lib.isList value + then lib.concatStringsSep "," (builtins.map (v: "${name}=${v}") value) + else "${name}=${value}"; + tagsStr = lib.concatStringsSep "," (lib.mapAttrsToList tagStr cfg.tags); in optionalString (cfg.privateSshKeyPath != null) '' mkdir -m 0700 -p "${sshDir}" @@ -241,7 +245,7 @@ in token="$(cat ${toString cfg.tokenPath})" name="${cfg.name}" shell="${cfg.shell}" - tags="${tagStr}" + tags="${tagsStr}" build-path="${cfg.dataDir}/builds" hooks-path="${cfg.hooksPath}" ${cfg.extraConfig} diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index d55a7db3915..820be5085de 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -1,79 +1,108 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) + concatStringsSep + flip + literalExample + optionalAttrs + optionals + recursiveUpdate + mkEnableOption + mkIf + mkOption + types + versionAtLeast + ; + cfg = config.services.cassandra; + defaultUser = "cassandra"; - cassandraConfig = flip recursiveUpdate cfg.extraConfig - ({ commitlog_sync = "batch"; - commitlog_sync_batch_window_in_ms = 2; - start_native_transport = cfg.allowClients; - cluster_name = cfg.clusterName; - partitioner = "org.apache.cassandra.dht.Murmur3Partitioner"; - endpoint_snitch = "SimpleSnitch"; - data_file_directories = [ "${cfg.homeDir}/data" ]; - commitlog_directory = "${cfg.homeDir}/commitlog"; - saved_caches_directory = "${cfg.homeDir}/saved_caches"; - } // (lib.optionalAttrs (cfg.seedAddresses != []) { - seed_provider = [{ - class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; - parameters = [ { seeds = concatStringsSep "," cfg.seedAddresses; } ]; - }]; - }) // (lib.optionalAttrs (lib.versionAtLeast cfg.package.version "3") { - hints_directory = "${cfg.homeDir}/hints"; - }) - ); - cassandraConfigWithAddresses = cassandraConfig // - ( if cfg.listenAddress == null - then { listen_interface = cfg.listenInterface; } - else { listen_address = cfg.listenAddress; } - ) // ( - if cfg.rpcAddress == null - then { rpc_interface = cfg.rpcInterface; } - else { rpc_address = cfg.rpcAddress; } - ); - cassandraEtc = pkgs.stdenv.mkDerivation - { name = "cassandra-etc"; - cassandraYaml = builtins.toJSON cassandraConfigWithAddresses; - cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh"; - cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; - passAsFile = [ "extraEnvSh" ]; - inherit (cfg) extraEnvSh; - buildCommand = '' - mkdir -p "$out" - - echo "$cassandraYaml" > "$out/cassandra.yaml" - ln -s "$cassandraLogbackConfig" "$out/logback.xml" - - ( cat "$cassandraEnvPkg" - echo "# lines from services.cassandra.extraEnvSh: " - cat "$extraEnvShPath" - ) > "$out/cassandra-env.sh" - - # Delete default JMX Port, otherwise we can't set it using env variable - sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" - - # Delete default password file - sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" - ''; - }; - defaultJmxRolesFile = builtins.foldl' - (left: right: left + right) "" - (map (role: "${role.username} ${role.password}") cfg.jmxRoles); - fullJvmOptions = cfg.jvmOpts - ++ lib.optionals (cfg.jmxRoles != []) [ + + cassandraConfig = flip recursiveUpdate cfg.extraConfig ( + { + commitlog_sync = "batch"; + commitlog_sync_batch_window_in_ms = 2; + start_native_transport = cfg.allowClients; + cluster_name = cfg.clusterName; + partitioner = "org.apache.cassandra.dht.Murmur3Partitioner"; + endpoint_snitch = "SimpleSnitch"; + data_file_directories = [ "${cfg.homeDir}/data" ]; + commitlog_directory = "${cfg.homeDir}/commitlog"; + saved_caches_directory = "${cfg.homeDir}/saved_caches"; + } // optionalAttrs (cfg.seedAddresses != [ ]) { + seed_provider = [ + { + class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; + parameters = [{ seeds = concatStringsSep "," cfg.seedAddresses; }]; + } + ]; + } // optionalAttrs (versionAtLeast cfg.package.version "3") { + hints_directory = "${cfg.homeDir}/hints"; + } + ); + + cassandraConfigWithAddresses = cassandraConfig // ( + if cfg.listenAddress == null + then { listen_interface = cfg.listenInterface; } + else { listen_address = cfg.listenAddress; } + ) // ( + if cfg.rpcAddress == null + then { rpc_interface = cfg.rpcInterface; } + else { rpc_address = cfg.rpcAddress; } + ); + + cassandraEtc = pkgs.stdenv.mkDerivation { + name = "cassandra-etc"; + + cassandraYaml = builtins.toJSON cassandraConfigWithAddresses; + cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh"; + cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; + + passAsFile = [ "extraEnvSh" ]; + inherit (cfg) extraEnvSh; + + buildCommand = '' + mkdir -p "$out" + + echo "$cassandraYaml" > "$out/cassandra.yaml" + ln -s "$cassandraLogbackConfig" "$out/logback.xml" + + ( cat "$cassandraEnvPkg" + echo "# lines from services.cassandra.extraEnvSh: " + cat "$extraEnvShPath" + ) > "$out/cassandra-env.sh" + + # Delete default JMX Port, otherwise we can't set it using env variable + sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" + + # Delete default password file + sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" + ''; + }; + + defaultJmxRolesFile = + builtins.foldl' + (left: right: left + right) "" + (map (role: "${role.username} ${role.password}") cfg.jmxRoles); + + fullJvmOptions = + cfg.jvmOpts + ++ optionals (cfg.jmxRoles != [ ]) [ "-Dcom.sun.management.jmxremote.authenticate=true" "-Dcom.sun.management.jmxremote.password.file=${cfg.jmxRolesFile}" - ] - ++ lib.optionals cfg.remoteJmx [ + ] ++ optionals cfg.remoteJmx [ "-Djava.rmi.server.hostname=${cfg.rpcAddress}" ]; -in { + +in +{ options.services.cassandra = { + enable = mkEnableOption '' Apache Cassandra – Scalable and highly available database. ''; + clusterName = mkOption { type = types.str; default = "Test Cluster"; @@ -83,16 +112,19 @@ in { another. All nodes in a cluster must have the same value. ''; }; + user = mkOption { type = types.str; default = defaultUser; description = "Run Apache Cassandra under this user."; }; + group = mkOption { type = types.str; default = defaultUser; description = "Run Apache Cassandra under this group."; }; + homeDir = mkOption { type = types.path; default = "/var/lib/cassandra"; @@ -100,6 +132,7 @@ in { Home directory for Apache Cassandra. ''; }; + package = mkOption { type = types.package; default = pkgs.cassandra; @@ -109,17 +142,19 @@ in { The Apache Cassandra package to use. ''; }; + jvmOpts = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' Populate the JVM_OPT environment variable. ''; }; + listenAddress = mkOption { type = types.nullOr types.str; default = "127.0.0.1"; - example = literalExample "null"; + example = null; description = '' Address or interface to bind to and tell other Cassandra nodes to connect to. You _must_ change this if you want multiple @@ -136,6 +171,7 @@ in { Setting listen_address to 0.0.0.0 is always wrong. ''; }; + listenInterface = mkOption { type = types.nullOr types.str; default = null; @@ -146,10 +182,11 @@ in { supported. ''; }; + rpcAddress = mkOption { type = types.nullOr types.str; default = "127.0.0.1"; - example = literalExample "null"; + example = null; description = '' The address or interface to bind the native transport server to. @@ -167,6 +204,7 @@ in { internet. Firewall it if needed. ''; }; + rpcInterface = mkOption { type = types.nullOr types.str; default = null; @@ -176,6 +214,7 @@ in { correspond to a single address, IP aliasing is not supported. ''; }; + logbackConfig = mkOption { type = types.lines; default = '' @@ -197,6 +236,7 @@ in { XML logback configuration for cassandra ''; }; + seedAddresses = mkOption { type = types.listOf types.str; default = [ "127.0.0.1" ]; @@ -207,6 +247,7 @@ in { Set to 127.0.0.1 for a single node cluster. ''; }; + allowClients = mkOption { type = types.bool; default = true; @@ -219,16 +260,19 @@ in { <literal>extraConfig</literal>. ''; }; + extraConfig = mkOption { type = types.attrs; - default = {}; + default = { }; example = - { commitlog_sync_batch_window_in_ms = 3; + { + commitlog_sync_batch_window_in_ms = 3; }; description = '' Extra options to be merged into cassandra.yaml as nix attribute set. ''; }; + extraEnvSh = mkOption { type = types.lines; default = ""; @@ -237,48 +281,53 @@ in { Extra shell lines to be appended onto cassandra-env.sh. ''; }; + fullRepairInterval = mkOption { type = types.nullOr types.str; default = "3w"; - example = literalExample "null"; + example = null; description = '' - Set the interval how often full repairs are run, i.e. - <literal>nodetool repair --full</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html - for more information. + Set the interval how often full repairs are run, i.e. + <literal>nodetool repair --full</literal> is executed. See + https://cassandra.apache.org/doc/latest/operating/repair.html + for more information. - Set to <literal>null</literal> to disable full repairs. - ''; + Set to <literal>null</literal> to disable full repairs. + ''; }; + fullRepairOptions = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "--partitioner-range" ]; description = '' - Options passed through to the full repair command. - ''; + Options passed through to the full repair command. + ''; }; + incrementalRepairInterval = mkOption { type = types.nullOr types.str; default = "3d"; - example = literalExample "null"; + example = null; description = '' - Set the interval how often incremental repairs are run, i.e. - <literal>nodetool repair</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html - for more information. + Set the interval how often incremental repairs are run, i.e. + <literal>nodetool repair</literal> is executed. See + https://cassandra.apache.org/doc/latest/operating/repair.html + for more information. - Set to <literal>null</literal> to disable incremental repairs. - ''; + Set to <literal>null</literal> to disable incremental repairs. + ''; }; + incrementalRepairOptions = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "--partitioner-range" ]; description = '' - Options passed through to the incremental repair command. - ''; + Options passed through to the incremental repair command. + ''; }; + maxHeapSize = mkOption { type = types.nullOr types.str; default = null; @@ -299,6 +348,7 @@ in { expensive GC will be (usually). ''; }; + heapNewSize = mkOption { type = types.nullOr types.str; default = null; @@ -322,6 +372,7 @@ in { 100 MB per physical CPU core. ''; }; + mallocArenaMax = mkOption { type = types.nullOr types.int; default = null; @@ -330,6 +381,7 @@ in { Set this to control the amount of arenas per-thread in glibc. ''; }; + remoteJmx = mkOption { type = types.bool; default = false; @@ -341,6 +393,7 @@ in { See: https://wiki.apache.org/cassandra/JmxSecurity ''; }; + jmxPort = mkOption { type = types.int; default = 7199; @@ -351,8 +404,9 @@ in { Firewall it if needed. ''; }; + jmxRoles = mkOption { - default = []; + default = [ ]; description = '' Roles that are allowed to access the JMX (e.g. nodetool) BEWARE: The passwords will be stored world readable in the nix-store. @@ -375,11 +429,13 @@ in { }; }); }; + jmxRolesFile = mkOption { type = types.nullOr types.path; - default = if (lib.versionAtLeast cfg.package.version "3.11") - then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile - else null; + default = + if versionAtLeast cfg.package.version "3.11" + then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile + else null; example = "/var/lib/cassandra/jmx.password"; description = '' Specify your own jmx roles file. @@ -391,102 +447,115 @@ in { }; config = mkIf cfg.enable { - assertions = - [ { assertion = (cfg.listenAddress == null) != (cfg.listenInterface == null); - message = "You have to set either listenAddress or listenInterface"; - } - { assertion = (cfg.rpcAddress == null) != (cfg.rpcInterface == null); - message = "You have to set either rpcAddress or rpcInterface"; - } - { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); - message = "If you set either of maxHeapSize or heapNewSize you have to set both"; - } - { assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; - message = '' - If you want JMX available remotely you need to set a password using - <literal>jmxRoles</literal> or <literal>jmxRolesFile</literal> if - using Cassandra older than v3.11. - ''; - } - ]; + assertions = [ + { + assertion = (cfg.listenAddress == null) != (cfg.listenInterface == null); + message = "You have to set either listenAddress or listenInterface"; + } + { + assertion = (cfg.rpcAddress == null) != (cfg.rpcInterface == null); + message = "You have to set either rpcAddress or rpcInterface"; + } + { + assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); + message = "If you set either of maxHeapSize or heapNewSize you have to set both"; + } + { + assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; + message = '' + If you want JMX available remotely you need to set a password using + <literal>jmxRoles</literal> or <literal>jmxRolesFile</literal> if + using Cassandra older than v3.11. + ''; + } + ]; users = mkIf (cfg.user == defaultUser) { - extraUsers.${defaultUser} = - { group = cfg.group; - home = cfg.homeDir; - createHome = true; - uid = config.ids.uids.cassandra; - description = "Cassandra service user"; - }; - extraGroups.${defaultUser}.gid = config.ids.gids.cassandra; + users.${defaultUser} = { + group = cfg.group; + home = cfg.homeDir; + createHome = true; + uid = config.ids.uids.cassandra; + description = "Cassandra service user"; + }; + groups.${defaultUser}.gid = config.ids.gids.cassandra; }; - systemd.services.cassandra = - { description = "Apache Cassandra service"; - after = [ "network.target" ]; - environment = - { CASSANDRA_CONF = "${cassandraEtc}"; - JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; - MAX_HEAP_SIZE = toString cfg.maxHeapSize; - HEAP_NEWSIZE = toString cfg.heapNewSize; - MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; - LOCAL_JMX = if cfg.remoteJmx then "no" else "yes"; - JMX_PORT = toString cfg.jmxPort; - }; - wantedBy = [ "multi-user.target" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = "${cfg.package}/bin/cassandra -f"; - SuccessExitStatus = 143; - }; + systemd.services.cassandra = { + description = "Apache Cassandra service"; + after = [ "network.target" ]; + environment = { + CASSANDRA_CONF = "${cassandraEtc}"; + JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; + MAX_HEAP_SIZE = toString cfg.maxHeapSize; + HEAP_NEWSIZE = toString cfg.heapNewSize; + MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; + LOCAL_JMX = if cfg.remoteJmx then "no" else "yes"; + JMX_PORT = toString cfg.jmxPort; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/cassandra -f"; + SuccessExitStatus = 143; }; + }; - systemd.services.cassandra-full-repair = - { description = "Perform a full repair on this Cassandra node"; - after = [ "cassandra.service" ]; - requires = [ "cassandra.service" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = - lib.concatStringsSep " " - ([ "${cfg.package}/bin/nodetool" "repair" "--full" - ] ++ cfg.fullRepairOptions); - }; + systemd.services.cassandra-full-repair = { + description = "Perform a full repair on this Cassandra node"; + after = [ "cassandra.service" ]; + requires = [ "cassandra.service" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = + concatStringsSep " " + ([ + "${cfg.package}/bin/nodetool" + "repair" + "--full" + ] ++ cfg.fullRepairOptions); }; + }; + systemd.timers.cassandra-full-repair = mkIf (cfg.fullRepairInterval != null) { description = "Schedule full repairs on Cassandra"; wantedBy = [ "timers.target" ]; - timerConfig = - { OnBootSec = cfg.fullRepairInterval; - OnUnitActiveSec = cfg.fullRepairInterval; - Persistent = true; - }; + timerConfig = { + OnBootSec = cfg.fullRepairInterval; + OnUnitActiveSec = cfg.fullRepairInterval; + Persistent = true; + }; }; - systemd.services.cassandra-incremental-repair = - { description = "Perform an incremental repair on this cassandra node."; - after = [ "cassandra.service" ]; - requires = [ "cassandra.service" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = - lib.concatStringsSep " " - ([ "${cfg.package}/bin/nodetool" "repair" - ] ++ cfg.incrementalRepairOptions); - }; + systemd.services.cassandra-incremental-repair = { + description = "Perform an incremental repair on this cassandra node."; + after = [ "cassandra.service" ]; + requires = [ "cassandra.service" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = + concatStringsSep " " + ([ + "${cfg.package}/bin/nodetool" + "repair" + ] ++ cfg.incrementalRepairOptions); }; + }; + systemd.timers.cassandra-incremental-repair = mkIf (cfg.incrementalRepairInterval != null) { description = "Schedule incremental repairs on Cassandra"; wantedBy = [ "timers.target" ]; - timerConfig = - { OnBootSec = cfg.incrementalRepairInterval; - OnUnitActiveSec = cfg.incrementalRepairInterval; - Persistent = true; - }; + timerConfig = { + OnBootSec = cfg.incrementalRepairInterval; + OnUnitActiveSec = cfg.incrementalRepairInterval; + Persistent = true; + }; }; }; + + meta.maintainers = with lib.maintainers; [ roberth ]; } diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index ee8cdf2d285..fdc05312ece 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -295,8 +295,7 @@ in # systems! mkDefault (if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11 else if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 - else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql_9_5 - else throw "postgresql_9_4 was removed, please upgrade your postgresql version."); + else throw "postgresql_9_5 was removed, please upgrade your postgresql version."); services.postgresql.dataDir = mkDefault "/var/lib/postgresql/${cfg.package.psqlSchema}"; diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 3ddc7aad81e..7ec10c0eb5a 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.redis; + ulimitNofile = cfg.maxclients + 32; + mkValueString = value: if value == true then "yes" else if value == false then "no" @@ -14,8 +16,8 @@ let listsAsDuplicateKeys = true; mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; } cfg.settings); -in -{ + +in { imports = [ (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") @@ -121,6 +123,12 @@ in description = "Set the number of databases."; }; + maxclients = mkOption { + type = types.int; + default = 10000; + description = "Set the max number of connected clients at the same time."; + }; + save = mkOption { type = with types; listOf (listOf int); default = [ [900 1] [300 10] [60 10000] ]; @@ -253,6 +261,7 @@ in logfile = cfg.logfile; syslog-enabled = cfg.syslog; databases = cfg.databases; + maxclients = cfg.maxclients; save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save; dbfilename = "dump.rdb"; dir = "/var/lib/redis"; @@ -295,6 +304,34 @@ in StateDirectoryMode = "0700"; # Access write directories UMask = "0077"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Process Properties + LimitNOFILE = "${toString ulimitNofile}"; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap"; }; }; }; diff --git a/nixos/modules/services/desktops/pipewire/README.md b/nixos/modules/services/desktops/pipewire/README.md deleted file mode 100644 index 87288a81cfe..00000000000 --- a/nixos/modules/services/desktops/pipewire/README.md +++ /dev/null @@ -1,6 +0,0 @@ -# Updating - -1. Update the version & hash in pkgs/development/libraries/pipewire/default.nix -2. run `nix build -f /path/to/nixpkgs/checkout pipewire pipewire.mediaSession` -3. copy all JSON files from result/etc/pipewire and result-mediaSession/etc/pipewire/media-session.d to this directory -4. add new files to the module config and passthru tests diff --git a/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json b/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json index bd00571bc35..6d1c23e8256 100644 --- a/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json +++ b/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json @@ -9,7 +9,7 @@ ], "actions": { "update-props": { - "bluez5.reconnect-profiles": [ + "bluez5.auto-connect": [ "hfp_hf", "hsp_hs", "a2dp_sink" diff --git a/nixos/modules/services/desktops/pipewire/media-session.conf.json b/nixos/modules/services/desktops/pipewire/media-session.conf.json index 62e59935dbe..24906e767d6 100644 --- a/nixos/modules/services/desktops/pipewire/media-session.conf.json +++ b/nixos/modules/services/desktops/pipewire/media-session.conf.json @@ -59,6 +59,7 @@ "with-pulseaudio": [ "with-audio", "bluez5", + "logind", "restore-stream", "streams-follow-default" ] diff --git a/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json b/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json index 3e776fe75a2..17bbbdef117 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json +++ b/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json @@ -30,7 +30,10 @@ "args": { "server.address": [ "unix:native" - ] + ], + "vm.overrides": { + "pulse.min.quantum": "1024/48000" + } } } ], diff --git a/nixos/modules/services/desktops/pipewire/pipewire.conf.json b/nixos/modules/services/desktops/pipewire/pipewire.conf.json index bae87dd6637..a9330f54f4f 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire.conf.json +++ b/nixos/modules/services/desktops/pipewire/pipewire.conf.json @@ -2,7 +2,10 @@ "context.properties": { "link.max-buffers": 16, "core.daemon": true, - "core.name": "pipewire-0" + "core.name": "pipewire-0", + "vm.overrides": { + "default.clock.min-quantum": 1024 + } }, "context.spa-libs": { "audio.convert.*": "audioconvert/libspa-audioconvert", diff --git a/nixos/modules/services/games/quake3-server.nix b/nixos/modules/services/games/quake3-server.nix new file mode 100644 index 00000000000..1dc01260e8f --- /dev/null +++ b/nixos/modules/services/games/quake3-server.nix @@ -0,0 +1,111 @@ +{ config, pkgs, lib, ... }: +with lib; + +let + cfg = config.services.quake3-server; + configFile = pkgs.writeText "q3ds-extra.cfg" '' + set net_port ${builtins.toString cfg.port} + + ${cfg.extraConfig} + ''; + defaultBaseq3 = pkgs.requireFile rec { + name = "baseq3"; + hashMode = "recursive"; + sha256 = "5dd8ee09eabd45e80450f31d7a8b69b846f59738726929298d8a813ce5725ed3"; + message = '' + Unfortunately, we cannot download ${name} automatically. + Please purchase a legitimate copy of Quake 3 and change into the installation directory. + + You can either add all relevant files to the nix-store like this: + mkdir /tmp/baseq3 + cp baseq3/pak*.pk3 /tmp/baseq3 + nix-store --add-fixed sha256 --recursive /tmp/baseq3 + + Alternatively you can set services.quake3-server.baseq3 to a path and copy the baseq3 directory into + $services.quake3-server.baseq3/.q3a/ + ''; + }; + home = pkgs.runCommand "quake3-home" {} '' + mkdir -p $out/.q3a/baseq3 + + for file in ${cfg.baseq3}/*; do + ln -s $file $out/.q3a/baseq3/$(basename $file) + done + + ln -s ${configFile} $out/.q3a/baseq3/nix.cfg + ''; +in { + options = { + services.quake3-server = { + enable = mkEnableOption "Quake 3 dedicated server"; + + port = mkOption { + type = types.port; + default = 27960; + description = '' + UDP Port the server should listen on. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open the firewall. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + seta rconPassword "superSecret" // sets RCON password for remote console + seta sv_hostname "My Quake 3 server" // name that appears in server list + ''; + description = '' + Extra configuration options. Note that options changed via RCON will not be persisted. To list all possible + options, use "cvarlist 1" via RCON. + ''; + }; + + baseq3 = mkOption { + type = types.either types.package types.path; + default = defaultBaseq3; + example = "/var/lib/q3ds"; + description = '' + Path to the baseq3 files (pak*.pk3). If this is on the nix store (type = package) all .pk3 files should be saved + in the top-level directory. If this is on another filesystem (e.g /var/lib/baseq3) the .pk3 files are searched in + $baseq3/.q3a/baseq3/ + ''; + }; + }; + }; + + config = let + baseq3InStore = builtins.typeOf cfg.baseq3 == "set"; + in mkIf cfg.enable { + networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + systemd.services.q3ds = { + description = "Quake 3 dedicated server"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" ]; + + environment.HOME = if baseq3InStore then home else cfg.baseq3; + + serviceConfig = with lib; { + Restart = "always"; + DynamicUser = true; + WorkingDirectory = home; + + # It is possible to alter configuration files via RCON. To ensure reproducibility we have to prevent this + ReadOnlyPaths = if baseq3InStore then home else cfg.baseq3; + ExecStartPre = optionalString (!baseq3InStore) "+${pkgs.coreutils}/bin/cp ${configFile} ${cfg.baseq3}/.q3a/baseq3/nix.cfg"; + + ExecStart = "${pkgs.ioquake3}/ioq3ded.x86_64 +exec nix.cfg"; + }; + }; + }; + + meta.maintainers = with maintainers; [ f4814n ]; +} diff --git a/nixos/modules/services/hardware/pcscd.nix b/nixos/modules/services/hardware/pcscd.nix index f3fc4c3cc79..4fc1e351f50 100644 --- a/nixos/modules/services/hardware/pcscd.nix +++ b/nixos/modules/services/hardware/pcscd.nix @@ -10,39 +10,37 @@ let paths = map (p: "${p}/pcsc/drivers") config.services.pcscd.plugins; }; -in { +in +{ ###### interface - options = { - - services.pcscd = { - enable = mkEnableOption "PCSC-Lite daemon"; - - plugins = mkOption { - type = types.listOf types.package; - default = [ pkgs.ccid ]; - defaultText = "[ pkgs.ccid ]"; - example = literalExample "[ pkgs.pcsc-cyberjack ]"; - description = "Plugin packages to be used for PCSC-Lite."; - }; - - readerConfig = mkOption { - type = types.lines; - default = ""; - example = '' - FRIENDLYNAME "Some serial reader" - DEVICENAME /dev/ttyS0 - LIBPATH /path/to/serial_reader.so - CHANNELID 1 - ''; - description = '' - Configuration for devices that aren't hotpluggable. - - See <citerefentry><refentrytitle>reader.conf</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> for valid options. - ''; - }; + options.services.pcscd = { + enable = mkEnableOption "PCSC-Lite daemon"; + + plugins = mkOption { + type = types.listOf types.package; + default = [ pkgs.ccid ]; + defaultText = "[ pkgs.ccid ]"; + example = literalExample "[ pkgs.pcsc-cyberjack ]"; + description = "Plugin packages to be used for PCSC-Lite."; + }; + + readerConfig = mkOption { + type = types.lines; + default = ""; + example = '' + FRIENDLYNAME "Some serial reader" + DEVICENAME /dev/ttyS0 + LIBPATH /path/to/serial_reader.so + CHANNELID 1 + ''; + description = '' + Configuration for devices that aren't hotpluggable. + + See <citerefentry><refentrytitle>reader.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for valid options. + ''; }; }; @@ -50,20 +48,26 @@ in { config = mkIf config.services.pcscd.enable { - systemd.sockets.pcscd = { - description = "PCSC-Lite Socket"; - wantedBy = [ "sockets.target" ]; - before = [ "multi-user.target" ]; - socketConfig.ListenStream = "/run/pcscd/pcscd.comm"; - }; + environment.etc."reader.conf".source = cfgFile; + + environment.systemPackages = [ pkgs.pcsclite ]; + systemd.packages = [ (getBin pkgs.pcsclite) ]; + + systemd.sockets.pcscd.wantedBy = [ "sockets.target" ]; systemd.services.pcscd = { - description = "PCSC-Lite daemon"; environment.PCSCLITE_HP_DROPDIR = pluginEnv; - serviceConfig = { - ExecStart = "${getBin pkgs.pcsclite}/sbin/pcscd -f -x -c ${cfgFile}"; - ExecReload = "${getBin pkgs.pcsclite}/sbin/pcscd -H"; - }; + restartTriggers = [ "/etc/reader.conf" ]; + + # If the cfgFile is empty and not specified (in which case the default + # /etc/reader.conf is assumed), pcscd will happily start going through the + # entire confdir (/etc in our case) looking for a config file and try to + # parse everything it finds. Doesn't take a lot of imagination to see how + # well that works. It really shouldn't do that to begin with, but to work + # around it, we force the path to the cfgFile. + # + # https://github.com/NixOS/nixpkgs/issues/121088 + serviceConfig.ExecStart = [ "" "${getBin pkgs.pcsclite}/bin/pcscd -f -x -c ${cfgFile}" ]; }; }; } diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix index 19b12daa415..34211687dc1 100644 --- a/nixos/modules/services/logging/promtail.nix +++ b/nixos/modules/services/logging/promtail.nix @@ -40,6 +40,7 @@ in { serviceConfig = { Restart = "on-failure"; + TimeoutStopSec = 10; ExecStart = "${pkgs.grafana-loki}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}"; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 892fbd33214..8927d84b478 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -67,6 +67,13 @@ in ''; }; + queueRunnerInterval = mkOption { + type = types.str; + default = "5m"; + description = '' + How often to spawn a new queue runner. + ''; + }; }; }; @@ -104,7 +111,7 @@ in wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."exim.conf".source ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/exim -bdf -q30m"; + ExecStart = "${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; ExecReload = "${coreutils}/bin/kill -HUP $MAINPID"; }; preStart = '' diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index a5b17be349c..f75d6183c3e 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -165,7 +165,7 @@ in { baseUrl = mkOption { type = types.str; - default = "http://localhost/hyperkitty/"; + default = "http://localhost:18507/archives/"; description = '' Where can Mailman connect to Hyperkitty's internal API, preferably on localhost? @@ -391,6 +391,7 @@ in { plugins = ["python3"]; home = pythonEnv; module = "mailman_web.wsgi"; + http = "127.0.0.1:18507"; }; uwsgiConfigFile = pkgs.writeText "uwsgi-mailman.json" (builtins.toJSON uwsgiConfig); in { @@ -453,7 +454,7 @@ in { }; meta = { - maintainers = with lib.maintainers; [ lheckemann ]; + maintainers = with lib.maintainers; [ lheckemann qyliss ]; doc = ./mailman.xml; }; diff --git a/nixos/modules/services/mail/nullmailer.nix b/nixos/modules/services/mail/nullmailer.nix index fe3f8ef9b39..09874ca0ed7 100644 --- a/nixos/modules/services/mail/nullmailer.nix +++ b/nixos/modules/services/mail/nullmailer.nix @@ -204,6 +204,7 @@ with lib; users.${cfg.user} = { description = "Nullmailer relay-only mta user"; group = cfg.group; + isSystemUser = true; }; groups.${cfg.group} = { }; diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index 9bf6f338d93..beff57613af 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix @@ -134,7 +134,7 @@ in { ReadWritePaths = [ cfg.keyPath ]; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 8e5bed5fcb8..35639e1bbc8 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -773,7 +773,7 @@ in }; services.postfix.config = (mapAttrs (_: v: mkDefault v) { - compatibility_level = "9999"; + compatibility_level = pkgs.postfix.version; mail_owner = cfg.user; default_privs = "nobody"; diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 2f9d28195bd..473ddd52357 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -410,7 +410,7 @@ in StateDirectoryMode = "0700"; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; NoNewPrivileges = true; diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix index 4e642542ec6..ac878222b26 100644 --- a/nixos/modules/services/mail/spamassassin.nix +++ b/nixos/modules/services/mail/spamassassin.nix @@ -126,19 +126,36 @@ in }; systemd.services.sa-update = { + # Needs to be able to contact the update server. + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + Type = "oneshot"; + User = "spamd"; + Group = "spamd"; + StateDirectory = "spamassassin"; + ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service"; + }; + script = '' set +e - ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd - - v=$? + ${pkgs.spamassassin}/bin/sa-update --verbose --gpghomedir=/var/lib/spamassassin/sa-update-keys/ + rc=$? set -e - if [ $v -gt 1 ]; then - echo "sa-update execution error" - exit $v + + if [[ $rc -gt 1 ]]; then + # sa-update failed. + exit $rc fi - if [ $v -eq 0 ]; then - systemctl reload spamd.service + + if [[ $rc -eq 1 ]]; then + # No update was available, exit successfully. + exit 0 fi + + # An update was available and installed. Compile the rules. + ${pkgs.spamassassin}/bin/sa-compile ''; }; @@ -153,32 +170,22 @@ in }; systemd.services.spamd = { - description = "Spam Assassin Server"; + description = "SpamAssassin Server"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + wants = [ "sa-update.service" ]; + after = [ + "network.target" + "sa-update.service" + ]; serviceConfig = { - ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + User = "spamd"; + Group = "spamd"; + ExecStart = "+${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=%S/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid"; + ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + StateDirectory = "spamassassin"; }; - - # 0 and 1 no error, exitcode > 1 means error: - # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes - preStart = '' - echo "Recreating '/var/lib/spamasassin' with creating '3.004001' (or similar) and 'sa-update-keys'" - mkdir -p /var/lib/spamassassin - chown spamd:spamd /var/lib/spamassassin -R - set +e - ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd - v=$? - set -e - if [ $v -gt 1 ]; then - echo "sa-update execution error" - exit $v - fi - chown spamd:spamd /var/lib/spamassassin -R - ''; }; }; } diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 5cc2ff7f4bd..a572f1f6d6f 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -118,7 +118,7 @@ in { ''; serviceConfig = { ExecStart = '' - ${pkgs.jre}/bin/java -Xmx${toString cfg.maxMemory}m \ + ${pkgs.jre8}/bin/java -Xmx${toString cfg.maxMemory}m \ -Dairsonic.home=${cfg.home} \ -Dserver.address=${cfg.listenAddress} \ -Dserver.port=${toString cfg.port} \ diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix index 41483d80a2d..aea49511327 100644 --- a/nixos/modules/services/misc/disnix.nix +++ b/nixos/modules/services/misc/disnix.nix @@ -37,7 +37,7 @@ in enableProfilePath = mkEnableOption "exposing the Disnix profiles in the system's PATH"; profiles = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "default" ]; example = [ "default" ]; description = "Names of the Disnix profiles to expose in the system's PATH"; diff --git a/nixos/modules/services/misc/duckling.nix b/nixos/modules/services/misc/duckling.nix new file mode 100644 index 00000000000..77d2a92380b --- /dev/null +++ b/nixos/modules/services/misc/duckling.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.duckling; +in { + options = { + services.duckling = { + enable = mkEnableOption "duckling"; + + port = mkOption { + type = types.port; + default = 8080; + description = '' + Port on which duckling will run. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.duckling = { + description = "Duckling server service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + environment = { + PORT = builtins.toString cfg.port; + }; + + serviceConfig = { + ExecStart = "${pkgs.haskellPackages.duckling}/bin/duckling-example-exe --no-access-log --no-error-log"; + Restart = "always"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/misc/etebase-server.nix b/nixos/modules/services/misc/etebase-server.nix index 32a5a3ad8bd..b6bd6e9fd37 100644 --- a/nixos/modules/services/misc/etebase-server.nix +++ b/nixos/modules/services/misc/etebase-server.nix @@ -192,8 +192,8 @@ in # Auto-migrate on first run or if the package has changed versionFile="${cfg.dataDir}/src-version" if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then - ${pythonEnv}/bin/etebase-server migrate - ${pythonEnv}/bin/etebase-server collectstatic + ${pythonEnv}/bin/etebase-server migrate --no-input + ${pythonEnv}/bin/etebase-server collectstatic --no-input --clear echo ${pkgs.etebase-server} > "$versionFile" fi ''; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 434e2d2429b..95369ff7ee4 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -477,47 +477,49 @@ in in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' - cp -f ${configFile} ${runConfig} - - if [ ! -e ${secretKey} ]; then - ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} - fi - - # Migrate LFS_JWT_SECRET filename - if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then - mv ${oldLfsJwtSecret} ${lfsJwtSecret} - fi - - if [ ! -e ${oauth2JwtSecret} ]; then - ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} - fi - - if [ ! -e ${lfsJwtSecret} ]; then - ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} - fi - - if [ ! -e ${internalToken} ]; then - ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} - fi - - SECRETKEY="$(head -n1 ${secretKey})" - DBPASS="$(head -n1 ${cfg.database.passwordFile})" - OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" - LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" - INTERNALTOKEN="$(head -n1 ${internalToken})" - ${if (cfg.mailerPasswordFile == null) then '' - MAILERPASSWORD="#mailerpass#" - '' else '' - MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" - ''} - sed -e "s,#secretkey#,$SECRETKEY,g" \ - -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ - -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ - -e "s,#internaltoken#,$INTERNALTOKEN,g" \ - -e "s,#mailerpass#,$MAILERPASSWORD,g" \ - -i ${runConfig} - chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken} + function gitea_setup { + cp -f ${configFile} ${runConfig} + + if [ ! -e ${secretKey} ]; then + ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} + fi + + # Migrate LFS_JWT_SECRET filename + if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then + mv ${oldLfsJwtSecret} ${lfsJwtSecret} + fi + + if [ ! -e ${oauth2JwtSecret} ]; then + ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} + fi + + if [ ! -e ${lfsJwtSecret} ]; then + ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} + fi + + if [ ! -e ${internalToken} ]; then + ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} + fi + + SECRETKEY="$(head -n1 ${secretKey})" + DBPASS="$(head -n1 ${cfg.database.passwordFile})" + OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" + LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" + INTERNALTOKEN="$(head -n1 ${internalToken})" + ${if (cfg.mailerPasswordFile == null) then '' + MAILERPASSWORD="#mailerpass#" + '' else '' + MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" + ''} + sed -e "s,#secretkey#,$SECRETKEY,g" \ + -e "s,#dbpass#,$DBPASS,g" \ + -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ + -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ + -e "s,#internaltoken#,$INTERNALTOKEN,g" \ + -e "s,#mailerpass#,$MAILERPASSWORD,g" \ + -i ${runConfig} + } + (umask 027; gitea_setup) ''} # update all hooks' binary paths diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index f86653f3ead..8153754af0f 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -155,6 +155,7 @@ let GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "redis.yml" (builtins.toJSON redisConfig); prometheus_multiproc_dir = "/run/gitlab"; RAILS_ENV = "production"; + MALLOC_ARENA_MAX = "2"; }; gitlab-rake = pkgs.stdenv.mkDerivation { @@ -588,7 +589,7 @@ in { the DB. If you change or lose this key you will be unable to access variables stored in database. - Make sure the secret is at least 30 characters and all random, + Make sure the secret is at least 32 characters and all random, no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are @@ -604,7 +605,7 @@ in { the DB. If you change or lose this key you will be unable to access variables stored in database. - Make sure the secret is at least 30 characters and all random, + Make sure the secret is at least 32 characters and all random, no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are @@ -620,7 +621,7 @@ in { tokens. If you change or lose this key, users which have 2FA enabled for login won't be able to login anymore. - Make sure the secret is at least 30 characters and all random, + Make sure the secret is at least 32 characters and all random, no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are @@ -652,6 +653,105 @@ in { description = "Extra configuration to merge into shell-config.yml"; }; + puma.workers = mkOption { + type = types.int; + default = 2; + apply = x: builtins.toString x; + description = '' + The number of worker processes Puma should spawn. This + controls the amount of parallel Ruby code can be + executed. GitLab recommends <quote>Number of CPU cores - + 1</quote>, but at least two. + + <note> + <para> + Each worker consumes quite a bit of memory, so + be careful when increasing this. + </para> + </note> + ''; + }; + + puma.threadsMin = mkOption { + type = types.int; + default = 0; + apply = x: builtins.toString x; + description = '' + The minimum number of threads Puma should use per + worker. + + <note> + <para> + Each thread consumes memory and contributes to Global VM + Lock contention, so be careful when increasing this. + </para> + </note> + ''; + }; + + puma.threadsMax = mkOption { + type = types.int; + default = 4; + apply = x: builtins.toString x; + description = '' + The maximum number of threads Puma should use per + worker. This limits how many threads Puma will automatically + spawn in response to requests. In contrast to workers, + threads will never be able to run Ruby code in parallel, but + give higher IO parallelism. + + <note> + <para> + Each thread consumes memory and contributes to Global VM + Lock contention, so be careful when increasing this. + </para> + </note> + ''; + }; + + sidekiq.memoryKiller.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether the Sidekiq MemoryKiller should be turned + on. MemoryKiller kills Sidekiq when its memory consumption + exceeds a certain limit. + + See <link xlink:href="https://docs.gitlab.com/ee/administration/operations/sidekiq_memory_killer.html"/> + for details. + ''; + }; + + sidekiq.memoryKiller.maxMemory = mkOption { + type = types.int; + default = 2000; + apply = x: builtins.toString (x * 1024); + description = '' + The maximum amount of memory, in MiB, a Sidekiq worker is + allowed to consume before being killed. + ''; + }; + + sidekiq.memoryKiller.graceTime = mkOption { + type = types.int; + default = 900; + apply = x: builtins.toString x; + description = '' + The time MemoryKiller waits after noticing excessive memory + consumption before killing Sidekiq. + ''; + }; + + sidekiq.memoryKiller.shutdownWait = mkOption { + type = types.int; + default = 30; + apply = x: builtins.toString x; + description = '' + The time allowed for all jobs to finish before Sidekiq is + killed forcefully. + ''; + }; + extraConfig = mkOption { type = types.attrs; default = {}; @@ -993,7 +1093,11 @@ in { ] ++ optional (cfg.databaseHost == "") "postgresql.service"; wantedBy = [ "gitlab.target" ]; partOf = [ "gitlab.target" ]; - environment = gitlabEnv; + environment = gitlabEnv // (optionalAttrs cfg.sidekiq.memoryKiller.enable { + SIDEKIQ_MEMORY_KILLER_MAX_RSS = cfg.sidekiq.memoryKiller.maxMemory; + SIDEKIQ_MEMORY_KILLER_GRACE_TIME = cfg.sidekiq.memoryKiller.graceTime; + SIDEKIQ_MEMORY_KILLER_SHUTDOWN_WAIT = cfg.sidekiq.memoryKiller.shutdownWait; + }); path = with pkgs; [ postgresqlPackage git @@ -1005,13 +1109,15 @@ in { # Needed for GitLab project imports gnutar gzip + + procps # Sidekiq MemoryKiller ]; serviceConfig = { Type = "simple"; User = cfg.user; Group = cfg.group; TimeoutSec = "infinity"; - Restart = "on-failure"; + Restart = "always"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production"; }; @@ -1145,7 +1251,13 @@ in { TimeoutSec = "infinity"; Restart = "on-failure"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; - ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/puma -C ${cfg.statePath}/config/puma.rb -e production"; + ExecStart = concatStringsSep " " [ + "${cfg.packages.gitlab.rubyEnv}/bin/puma" + "-e production" + "-C ${cfg.statePath}/config/puma.rb" + "-w ${cfg.puma.workers}" + "-t ${cfg.puma.threadsMin}:${cfg.puma.threadsMax}" + ]; }; }; diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 2787c975b35..1985f130881 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -50,15 +50,10 @@ let # List of components used in config extraComponents = filter useComponent availableComponents; - testedPackage = if (cfg.autoExtraComponents && cfg.config != null) + package = if (cfg.autoExtraComponents && cfg.config != null) then (cfg.package.override { inherit extraComponents; }) else cfg.package; - # overridePythonAttrs has to be applied after override - package = testedPackage.overridePythonAttrs (oldAttrs: { - doCheck = false; - }); - # If you are changing this, please update the description in applyDefaultConfig defaultConfig = { homeassistant.time_zone = config.time.timeZone; @@ -188,9 +183,13 @@ in { }; package = mkOption { - default = pkgs.home-assistant; + default = pkgs.home-assistant.overrideAttrs (oldAttrs: { + doInstallCheck = false; + }); defaultText = literalExample '' - pkgs.home-assistant + pkgs.home-assistant.overrideAttrs (oldAttrs: { + doInstallCheck = false; + }) ''; type = types.package; example = literalExample '' @@ -199,12 +198,11 @@ in { } ''; description = '' - Home Assistant package to use. Tests are automatically disabled, as they take a considerable amout of time to complete. + Home Assistant package to use. By default the tests are disabled, as they take a considerable amout of time to complete. Override <literal>extraPackages</literal> or <literal>extraComponents</literal> in order to add additional dependencies. If you specify <option>config</option> and do not set <option>autoExtraComponents</option> to <literal>false</literal>, overriding <literal>extraComponents</literal> will have no effect. - Avoid <literal>home-assistant.overridePythonAttrs</literal> if you use - <literal>autoExtraComponents</literal>. + Avoid <literal>home-assistant.overridePythonAttrs</literal> if you use <literal>autoExtraComponents</literal>. ''; }; @@ -247,22 +245,85 @@ in { rm -f "${cfg.configDir}/ui-lovelace.yaml" ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" ''); - serviceConfig = { - ExecStart = "${package}/bin/hass --config '${cfg.configDir}'"; + serviceConfig = let + # List of capabilities to equip home-assistant with, depending on configured components + capabilities = [ + # Empty string first, so we will never accidentally have an empty capability bounding set + # https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115 + "" + ] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + # Required for interaction with hci devices and bluetooth sockets + # https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ] ++ lib.optionals (useComponent "emulated_hue") [ + # Alexa looks for the service on port 80 + # https://www.home-assistant.io/integrations/emulated_hue + "CAP_NET_BIND_SERVICE" + ] ++ lib.optionals (useComponent "nmap_tracker") [ + # https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities + "CAP_NET_ADMIN" + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ])); + in { + ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "hass"; Group = "hass"; Restart = "on-failure"; + RestartForceExitStatus = "100"; + SuccessExitStatus = "100"; + KillSignal = "SIGINT"; + + # Hardening + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + DeviceAllow = [ + "char-ttyACM rw" + "char-ttyAMA rw" + "char-ttyUSB rw" + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateTmp = true; + PrivateUsers = false; # prevents gaining capabilities in the host namespace + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; ProtectSystem = "strict"; + RemoveIPC = true; ReadWritePaths = let + # Allow rw access to explicitly configured paths cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ]; value = attrByPath cfgPath [] cfg; allowPaths = if isList value then value else singleton value; in [ "${cfg.configDir}" ] ++ allowPaths; - KillSignal = "SIGINT"; - PrivateTmp = true; - RemoveIPC = true; - AmbientCapabilities = "cap_net_raw,cap_net_admin+eip"; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + "AF_BLUETOOTH" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ "dialout" ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; }; path = [ "/run/wrappers" # needed for ping @@ -280,7 +341,6 @@ in { home = cfg.configDir; createHome = true; group = "hass"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.hass; }; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 64b774a220b..c1b45864041 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -18,6 +18,7 @@ in package = mkOption { type = types.package; + default = pkgs.jellyfin; example = literalExample "pkgs.jellyfin"; description = '' Jellyfin package to use. @@ -98,11 +99,6 @@ in }; }; - services.jellyfin.package = mkDefault ( - if versionAtLeast config.system.stateVersion "20.09" then pkgs.jellyfin - else pkgs.jellyfin_10_5 - ); - users.users = mkIf (cfg.user == "jellyfin") { jellyfin = { group = cfg.group; diff --git a/nixos/modules/services/misc/matrix-appservice-irc.nix b/nixos/modules/services/misc/matrix-appservice-irc.nix index 63dc313ad10..a0a5973d30f 100644 --- a/nixos/modules/services/misc/matrix-appservice-irc.nix +++ b/nixos/modules/services/misc/matrix-appservice-irc.nix @@ -214,7 +214,8 @@ in { PrivateMounts = true; SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap"; SystemCallArchitectures = "native"; - RestrictAddressFamilies = "AF_INET AF_INET6"; + # AF_UNIX is required to connect to a postgres socket. + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; }; diff --git a/nixos/modules/services/misc/matrix-dendrite.nix b/nixos/modules/services/misc/matrix-dendrite.nix new file mode 100644 index 00000000000..b719df29c5a --- /dev/null +++ b/nixos/modules/services/misc/matrix-dendrite.nix @@ -0,0 +1,181 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.matrix-dendrite; + settingsFormat = pkgs.formats.yaml { }; + configurationYaml = settingsFormat.generate "dendrite.yaml" cfg.settings; + workingDir = "/var/lib/matrix-dendrite"; +in +{ + options.services.matrix-dendrite = { + enable = lib.mkEnableOption "matrix.org dendrite"; + httpPort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = 8008; + description = '' + The port to listen for HTTP requests on. + ''; + }; + httpsPort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = null; + description = '' + The port to listen for HTTPS requests on. + ''; + }; + tlsCert = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/matrix-dendrite/server.cert"; + default = null; + description = '' + The path to the TLS certificate. + + <programlisting> + nix-shell -p matrix-dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + </programlisting> + ''; + }; + tlsKey = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/matrix-dendrite/server.key"; + default = null; + description = '' + The path to the TLS key. + + <programlisting> + nix-shell -p matrix-dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + </programlisting> + ''; + }; + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/matrix-dendrite/registration_secret"; + default = null; + description = '' + Environment file as defined in <citerefentry> + <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. + Secrets may be passed to the service without adding them to the world-readable + Nix store, by specifying placeholder variables as the option value in Nix and + setting these variables accordingly in the environment file. Currently only used + for the registration secret to allow secure registration when + client_api.registration_disabled is true. + + <programlisting> + # snippet of dendrite-related config + services.matrix-dendrite.settings.client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; + </programlisting> + + <programlisting> + # content of the environment file + REGISTRATION_SHARED_SECRET=verysecretpassword + </programlisting> + + Note that this file needs to be available on the host on which + <literal>dendrite</literal> is running. + ''; + }; + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + options.global = { + server_name = lib.mkOption { + type = lib.types.str; + example = "example.com"; + description = '' + The domain name of the server, with optional explicit port. + This is used by remote servers to connect to this server. + This is also the last part of your UserID. + ''; + }; + private_key = lib.mkOption { + type = lib.types.path; + example = "${workingDir}/matrix_key.pem"; + description = '' + The path to the signing private key file, used to sign + requests and events. + + <programlisting> + nix-shell -p matrix-dendrite --command "generate-keys --private-key matrix_key.pem" + </programlisting> + ''; + }; + trusted_third_party_id_servers = lib.mkOption { + type = lib.types.listOf lib.types.str; + example = [ "matrix.org" ]; + default = [ "matrix.org" "vector.im" ]; + description = '' + Lists of domains that the server will trust as identity + servers to verify third party identifiers such as phone + numbers and email addresses + ''; + }; + }; + options.client_api = { + registration_disabled = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to disable user registration to the server + without the shared secret. + ''; + }; + }; + }; + default = { }; + description = '' + Configuration for dendrite, see: + <link xlink:href="https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml"/> + for available options with which to populate settings. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [{ + assertion = cfg.httpsPort != null -> (cfg.tlsCert != null && cfg.tlsKey != null); + message = '' + If Dendrite is configured to use https, tlsCert and tlsKey must be provided. + + nix-shell -p matrix-dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + ''; + }]; + + systemd.services.matrix-dendrite = { + description = "Dendrite Matrix homeserver"; + after = [ + "network.target" + ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = "matrix-dendrite"; + WorkingDirectory = workingDir; + RuntimeDirectory = "matrix-dendrite"; + RuntimeDirectoryMode = "0700"; + EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; + ExecStartPre = + if (cfg.environmentFile != null) then '' + ${pkgs.envsubst}/bin/envsubst \ + -i ${configurationYaml} \ + -o /run/matrix-dendrite/dendrite.yaml + '' else '' + ${pkgs.coreutils}/bin/cp ${configurationYaml} /run/matrix-dendrite/dendrite.yaml + ''; + ExecStart = lib.strings.concatStringsSep " " ([ + "${pkgs.matrix-dendrite}/bin/dendrite-monolith-server" + "--config /run/matrix-dendrite/dendrite.yaml" + ] ++ lib.optionals (cfg.httpPort != null) [ + "--http-bind-address :${builtins.toString cfg.httpPort}" + ] ++ lib.optionals (cfg.httpsPort != null) [ + "--https-bind-address :${builtins.toString cfg.httpsPort}" + "--tls-cert ${cfg.tlsCert}" + "--tls-key ${cfg.tlsKey}" + ]); + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "on-failure"; + }; + }; + }; + meta.maintainers = lib.teams.matrix.members; +} diff --git a/nixos/modules/services/misc/matrix-synapse.xml b/nixos/modules/services/misc/matrix-synapse.xml index 358b631eb48..41a56df0f2b 100644 --- a/nixos/modules/services/misc/matrix-synapse.xml +++ b/nixos/modules/services/misc/matrix-synapse.xml @@ -33,11 +33,11 @@ <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation"> installation instructions of Synapse </link>. <programlisting> -{ pkgs, ... }: +{ pkgs, lib, ... }: let fqdn = let - join = hostName: domain: hostName + optionalString (domain != null) ".${domain}"; + join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}"; in join config.networking.hostName config.networking.domain; in { networking = { @@ -132,7 +132,7 @@ in { } ]; }; -}; +} </programlisting> </para> diff --git a/nixos/modules/services/misc/ombi.nix b/nixos/modules/services/misc/ombi.nix index 83f433e0be4..b5882168e51 100644 --- a/nixos/modules/services/misc/ombi.nix +++ b/nixos/modules/services/misc/ombi.nix @@ -70,6 +70,7 @@ in { users.users = mkIf (cfg.user == "ombi") { ombi = { + isSystemUser = true; group = cfg.group; home = cfg.dataDir; }; diff --git a/nixos/modules/services/misc/pinnwand.nix b/nixos/modules/services/misc/pinnwand.nix index aa1ee5cfaa7..cbc796c9a7c 100644 --- a/nixos/modules/services/misc/pinnwand.nix +++ b/nixos/modules/services/misc/pinnwand.nix @@ -24,55 +24,80 @@ in Your <filename>pinnwand.toml</filename> as a Nix attribute set. Look up possible options in the <link xlink:href="https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example">pinnwand.toml-example</link>. ''; - default = { - # https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example - database_uri = "sqlite:///var/lib/pinnwand/pinnwand.db"; - preferred_lexeres = []; - paste_size = 262144; - paste_help = '' - <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> - ''; - footer = '' - View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. - ''; - }; + default = {}; }; }; config = mkIf cfg.enable { - systemd.services.pinnwand = { - description = "Pinnwannd HTTP Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + services.pinnwand.settings = { + database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db"; + paste_size = mkDefault 262144; + paste_help = mkDefault '' + <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> + ''; + footer = mkDefault '' + View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. + ''; + }; + + systemd.services = let + hardeningOptions = { + User = "pinnwand"; + DynamicUser = true; - unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; - serviceConfig = { - ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString(cfg.port)}"; StateDirectory = "pinnwand"; StateDirectoryMode = "0700"; AmbientCapabilities = []; CapabilityBoundingSet = ""; DevicePolicy = "closed"; - DynamicUser = true; LockPersonality = true; MemoryDenyWriteExecute = true; PrivateDevices = true; PrivateUsers = true; + ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; - ProtectKernelLogs = true; ProtectHome = true; ProtectHostname = true; + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; UMask = "0077"; }; + + command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}"; + in { + pinnwand = { + description = "Pinnwannd HTTP Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; + + serviceConfig = { + ExecStart = "${command} http --port ${toString(cfg.port)}"; + } // hardeningOptions; + }; + + pinnwand-reaper = { + description = "Pinnwand Reaper"; + startAt = "daily"; + + serviceConfig = { + ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes + } // hardeningOptions; + }; }; }; } diff --git a/nixos/modules/services/misc/podgrab.nix b/nixos/modules/services/misc/podgrab.nix new file mode 100644 index 00000000000..7077408b794 --- /dev/null +++ b/nixos/modules/services/misc/podgrab.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.podgrab; +in +{ + options.services.podgrab = with lib; { + enable = mkEnableOption "Podgrab, a self-hosted podcast manager"; + + passwordFile = mkOption { + type = with types; nullOr str; + default = null; + example = "/run/secrets/password.env"; + description = '' + The path to a file containing the PASSWORD environment variable + definition for Podgrab's authentification. + ''; + }; + + port = mkOption { + type = types.port; + default = 8080; + example = 4242; + description = "The port on which Podgrab will listen for incoming HTTP traffic."; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.podgrab = { + description = "Podgrab podcast manager"; + wantedBy = [ "multi-user.target" ]; + environment = { + CONFIG = "/var/lib/podgrab/config"; + DATA = "/var/lib/podgrab/data"; + GIN_MODE = "release"; + PORT = toString cfg.port; + }; + serviceConfig = { + DynamicUser = true; + EnvironmentFile = lib.optional (cfg.passwordFile != null) [ + cfg.passwordFile + ]; + ExecStart = "${pkgs.podgrab}/bin/podgrab"; + WorkingDirectory = "${pkgs.podgrab}/share"; + StateDirectory = [ "podgrab/config" "podgrab/data" ]; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ ambroisie ]; +} diff --git a/nixos/modules/services/misc/zigbee2mqtt.nix b/nixos/modules/services/misc/zigbee2mqtt.nix index cd987eb76c7..4458da1346b 100644 --- a/nixos/modules/services/misc/zigbee2mqtt.nix +++ b/nixos/modules/services/misc/zigbee2mqtt.nix @@ -5,29 +5,17 @@ with lib; let cfg = config.services.zigbee2mqtt; - configJSON = pkgs.writeText "configuration.json" - (builtins.toJSON (recursiveUpdate defaultConfig cfg.config)); - configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out - ''; + format = pkgs.formats.yaml { }; + configFile = format.generate "zigbee2mqtt.yaml" cfg.settings; - # the default config contains all required settings, - # so the service starts up without crashing. - defaultConfig = { - homeassistant = false; - permit_join = false; - mqtt = { - base_topic = "zigbee2mqtt"; - server = "mqtt://localhost:1883"; - }; - serial.port = "/dev/ttyACM0"; - # put device configuration into separate file because configuration.yaml - # is copied from the store on startup - devices = "devices.yaml"; - }; in { - meta.maintainers = with maintainers; [ sweber ]; + meta.maintainers = with maintainers; [ sweber hexa ]; + + imports = [ + # Remove warning before the 21.11 release + (mkRenamedOptionModule [ "services" "zigbee2mqtt" "config" ] [ "services" "zigbee2mqtt" "settings" ]) + ]; options.services.zigbee2mqtt = { enable = mkEnableOption "enable zigbee2mqtt service"; @@ -37,7 +25,11 @@ in default = pkgs.zigbee2mqtt.override { dataDir = cfg.dataDir; }; - defaultText = "pkgs.zigbee2mqtt"; + defaultText = literalExample '' + pkgs.zigbee2mqtt { + dataDir = services.zigbee2mqtt.dataDir + } + ''; type = types.package; }; @@ -47,9 +39,9 @@ in type = types.path; }; - config = mkOption { + settings = mkOption { + type = format.type; default = {}; - type = with types; nullOr attrs; example = literalExample '' { homeassistant = config.services.home-assistant.enable; @@ -61,11 +53,28 @@ in ''; description = '' Your <filename>configuration.yaml</filename> as a Nix attribute set. + Check the <link xlink:href="https://www.zigbee2mqtt.io/information/configuration.html">documentation</link> + for possible options. ''; }; }; config = mkIf (cfg.enable) { + + # preset config values + services.zigbee2mqtt.settings = { + homeassistant = mkDefault config.services.home-assistant.enable; + permit_join = mkDefault false; + mqtt = { + base_topic = mkDefault "zigbee2mqtt"; + server = mkDefault "mqtt://localhost:1883"; + }; + serial.port = mkDefault "/dev/ttyACM0"; + # reference device configuration, that is kept in a separate file + # to prevent it being overwritten in the units ExecStartPre script + devices = mkDefault "devices.yaml"; + }; + systemd.services.zigbee2mqtt = { description = "Zigbee2mqtt Service"; wantedBy = [ "multi-user.target" ]; @@ -76,10 +85,48 @@ in User = "zigbee2mqtt"; WorkingDirectory = cfg.dataDir; Restart = "on-failure"; + + # Hardening + CapabilityBoundingSet = ""; + DeviceAllow = [ + config.services.zigbee2mqtt.settings.serial.port + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = false; + NoNewPrivileges = true; + PrivateDevices = false; # prevents access to /dev/serial, because it is set 0700 root:root + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; ProtectSystem = "strict"; ReadWritePaths = cfg.dataDir; - PrivateTmp = true; RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ + "dialout" + ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml" @@ -90,7 +137,6 @@ in home = cfg.dataDir; createHome = true; group = "zigbee2mqtt"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.zigbee2mqtt; }; diff --git a/nixos/modules/services/monitoring/nagios.nix b/nixos/modules/services/monitoring/nagios.nix index 9ac6869068f..61214508a9c 100644 --- a/nixos/modules/services/monitoring/nagios.nix +++ b/nixos/modules/services/monitoring/nagios.nix @@ -192,6 +192,7 @@ in path = [ pkgs.nagios ] ++ cfg.plugins; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; + restartTriggers = [ nagiosCfgFile ]; serviceConfig = { User = "nagios"; @@ -201,7 +202,6 @@ in LogsDirectory = "nagios"; StateDirectory = "nagios"; ExecStart = "${pkgs.nagios}/bin/nagios /etc/nagios.cfg"; - X-ReloadIfChanged = nagiosCfgFile; }; }; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index bd74e1a9cdb..1d483627e9e 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -112,7 +112,7 @@ let http://tools.ietf.org/html/rfc4366#section-3.1 ''; }; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote read config, which if specified must be unique among remote read configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote read configs. @@ -174,7 +174,7 @@ let write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' List of remote write relabel configurations. ''; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote write config, which if specified must be unique among remote write configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote write configs. diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index e0c5ceccfcc..ce7c215fd14 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -59,6 +59,7 @@ let "surfboard" "systemd" "tor" + "unbound" "unifi" "unifi-poller" "varnish" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix new file mode 100644 index 00000000000..56a559531c1 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.unbound; +in +{ + port = 9167; + extraOpts = { + fetchType = mkOption { + # TODO: add shm when upstream implemented it + type = types.enum [ "tcp" "uds" ]; + default = "uds"; + description = '' + Which methods the exporter uses to get the information from unbound. + ''; + }; + + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + + controlInterface = mkOption { + type = types.nullOr types.str; + default = null; + example = "/run/unbound/unbound.socket"; + description = '' + Path to the unbound socket for uds mode or the control interface port for tcp mode. + + Example: + uds-mode: /run/unbound/unbound.socket + tcp-mode: 127.0.0.1:8953 + ''; + }; + }; + + serviceOpts = mkMerge ([{ + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-unbound-exporter}/bin/unbound-telemetry \ + ${cfg.fetchType} \ + --bind ${cfg.listenAddress}:${toString cfg.port} \ + --path ${cfg.telemetryPath} \ + ${optionalString (cfg.controlInterface != null) "--control-interface ${cfg.controlInterface}"} \ + ${toString cfg.extraFlags} + ''; + }; + }] ++ [ + (mkIf config.services.unbound.enable { + after = [ "unbound.service" ]; + requires = [ "unbound.service" ]; + }) + ]); +} diff --git a/nixos/modules/services/monitoring/vnstat.nix b/nixos/modules/services/monitoring/vnstat.nix index e9bedb704a4..5e19c399568 100644 --- a/nixos/modules/services/monitoring/vnstat.nix +++ b/nixos/modules/services/monitoring/vnstat.nix @@ -6,21 +6,21 @@ let cfg = config.services.vnstat; in { options.services.vnstat = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable update of network usage statistics via vnstatd. - ''; - }; + enable = mkEnableOption "update of network usage statistics via vnstatd"; }; config = mkIf cfg.enable { - users.users.vnstatd = { - isSystemUser = true; - description = "vnstat daemon user"; - home = "/var/lib/vnstat"; - createHome = true; + + environment.systemPackages = [ pkgs.vnstat ]; + + users = { + groups.vnstatd = {}; + + users.vnstatd = { + isSystemUser = true; + group = "vnstatd"; + description = "vnstat daemon user"; + }; }; systemd.services.vnstat = { @@ -33,7 +33,6 @@ in { "man:vnstat(1)" "man:vnstat.conf(5)" ]; - preStart = "chmod 755 /var/lib/vnstat"; serviceConfig = { ExecStart = "${pkgs.vnstat}/bin/vnstatd -n"; ExecReload = "${pkgs.procps}/bin/kill -HUP $MAINPID"; @@ -52,7 +51,10 @@ in { RestrictNamespaces = true; User = "vnstatd"; + Group = "vnstatd"; }; }; }; + + meta.maintainers = [ maintainers.evils ]; } diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index 2082d513161..6d8dfcce933 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -216,14 +216,11 @@ in { systemd.packages = [ cfg.package ]; - systemd.services.ipfs-init = { - description = "IPFS Initializer"; - + systemd.services.ipfs = { + path = [ "/run/wrappers" cfg.package ]; environment.IPFS_PATH = cfg.dataDir; - path = [ cfg.package ]; - - script = '' + preStart = '' if [[ ! -f ${cfg.dataDir}/config ]]; then ipfs init ${optionalString cfg.emptyRepo "-e"} \ ${optionalString (! cfg.localDiscovery) "--profile=server"} @@ -233,26 +230,7 @@ in { else "ipfs config profile apply server" } fi - ''; - - wantedBy = [ "default.target" ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - User = cfg.user; - Group = cfg.group; - }; - }; - - systemd.services.ipfs = { - path = [ "/run/wrappers" cfg.package ]; - environment.IPFS_PATH = cfg.dataDir; - - wants = [ "ipfs-init.service" ]; - after = [ "ipfs-init.service" ]; - - preStart = optionalString cfg.autoMount '' + '' + optionalString cfg.autoMount '' ipfs --local config Mounts.FuseAllowOther --json true ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir} ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir} @@ -296,7 +274,7 @@ in { systemd.sockets.ipfs-api = { wantedBy = [ "sockets.target" ]; - # We also include "%t/ipfs.sock" because tere is no way to put the "%t" + # We also include "%t/ipfs.sock" because there is no way to put the "%t" # in the multiaddr. socketConfig.ListenStream = let fromCfg = multiaddrToListenStream cfg.apiAddress; diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix new file mode 100644 index 00000000000..4388ef2b7e5 --- /dev/null +++ b/nixos/modules/services/networking/adguardhome.nix @@ -0,0 +1,78 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.adguardhome; + + args = concatStringsSep " " ([ + "--no-check-update" + "--pidfile /run/AdGuardHome/AdGuardHome.pid" + "--work-dir /var/lib/AdGuardHome/" + "--config /var/lib/AdGuardHome/AdGuardHome.yaml" + "--host ${cfg.host}" + "--port ${toString cfg.port}" + ] ++ cfg.extraArgs); + +in +{ + options.services.adguardhome = with types; { + enable = mkEnableOption "AdGuard Home network-wide ad blocker"; + + host = mkOption { + default = "0.0.0.0"; + type = str; + description = '' + Host address to bind HTTP server to. + ''; + }; + + port = mkOption { + default = 3000; + type = port; + description = '' + Port to serve HTTP pages on. + ''; + }; + + openFirewall = mkOption { + default = false; + type = bool; + description = '' + Open ports in the firewall for the AdGuard Home web interface. Does not + open the port needed to access the DNS resolver. + ''; + }; + + extraArgs = mkOption { + default = [ ]; + type = listOf str; + description = '' + Extra command line parameters to be passed to the adguardhome binary. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.adguardhome = { + description = "AdGuard Home: Network-level blocker"; + after = [ "syslog.target" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + StartLimitIntervalSec = 5; + StartLimitBurst = 10; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.adguardhome}/bin/adguardhome ${args}"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + Restart = "always"; + RestartSec = 10; + RuntimeDirectory = "AdGuardHome"; + StateDirectory = "AdGuardHome"; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + }; +} diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix index e16e56121c4..5e14283179a 100644 --- a/nixos/modules/services/networking/babeld.nix +++ b/nixos/modules/services/networking/babeld.nix @@ -19,7 +19,10 @@ let "interface ${name} ${paramsString interface}\n"; configFile = with cfg; pkgs.writeText "babeld.conf" ( - (optionalString (cfg.interfaceDefaults != null) '' + '' + skip-kernel-setup true + '' + + (optionalString (cfg.interfaceDefaults != null) '' default ${paramsString cfg.interfaceDefaults} '') + (concatMapStrings interfaceConfig (attrNames cfg.interfaces)) @@ -29,6 +32,8 @@ in { + meta.maintainers = with maintainers; [ hexa ]; + ###### interface options = { @@ -84,13 +89,22 @@ in config = mkIf config.services.babeld.enable { + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.all.rp_filter" = 0; + } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces; + systemd.services.babeld = { description = "Babel routing daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state"; + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; + DynamicUser = true; IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ]; IPAddressDeny = "any"; LockPersonality = true; @@ -98,7 +112,7 @@ in MemoryDenyWriteExecute = true; ProtectSystem = "strict"; ProtectClock = true; - ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system + ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index e507e8ce9ee..b73b2b62685 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -8,32 +8,37 @@ let bindUser = "named"; - bindZoneOptions = { - name = mkOption { - type = types.str; - description = "Name of the zone."; - }; - master = mkOption { - description = "Master=false means slave server"; - type = types.bool; - }; - file = mkOption { - type = types.either types.str types.path; - description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; - }; - masters = mkOption { - type = types.listOf types.str; - description = "List of servers for inclusion in stub and secondary zones."; - }; - slaves = mkOption { - type = types.listOf types.str; - description = "Addresses who may request zone transfers."; - default = []; - }; - extraConfig = mkOption { - type = types.str; - description = "Extra zone config to be appended at the end of the zone section."; - default = ""; + bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; })); + + bindZoneOptions = { name, config, ... }: { + options = { + name = mkOption { + type = types.str; + default = name; + description = "Name of the zone."; + }; + master = mkOption { + description = "Master=false means slave server"; + type = types.bool; + }; + file = mkOption { + type = types.either types.str types.path; + description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; + }; + masters = mkOption { + type = types.listOf types.str; + description = "List of servers for inclusion in stub and secondary zones."; + }; + slaves = mkOption { + type = types.listOf types.str; + description = "Addresses who may request zone transfers."; + default = []; + }; + extraConfig = mkOption { + type = types.str; + description = "Extra zone config to be appended at the end of the zone section."; + default = ""; + }; }; }; @@ -84,7 +89,7 @@ let ${extraConfig} }; '') - cfg.zones } + (attrValues cfg.zones) } ''; in @@ -153,18 +158,19 @@ in zones = mkOption { default = []; - type = types.listOf (types.submodule [ { options = bindZoneOptions; } ]); + type = with types; coercedTo (listOf attrs) bindZoneCoerce (attrsOf (types.submodule bindZoneOptions)); description = " List of zones we claim authority over. "; - example = [{ - name = "example.com"; - master = false; - file = "/var/dns/example.com"; - masters = ["192.168.0.1"]; - slaves = []; - extraConfig = ""; - }]; + example = { + "example.com" = { + master = false; + file = "/var/dns/example.com"; + masters = ["192.168.0.1"]; + slaves = []; + extraConfig = ""; + }; + }; }; extraConfig = mkOption { diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix index 3584915d0aa..c7c6a79864c 100644 --- a/nixos/modules/services/networking/dnsdist.nix +++ b/nixos/modules/services/networking/dnsdist.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.dnsdist; - configFile = pkgs.writeText "dndist.conf" '' + configFile = pkgs.writeText "dnsdist.conf" '' setLocal('${cfg.listenAddress}:${toString cfg.listenPort}') ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/networking/iscsi/initiator.nix b/nixos/modules/services/networking/iscsi/initiator.nix new file mode 100644 index 00000000000..cbc919a2f76 --- /dev/null +++ b/nixos/modules/services/networking/iscsi/initiator.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.services.openiscsi; +in +{ + options.services.openiscsi = with types; { + enable = mkEnableOption "the openiscsi iscsi daemon"; + enableAutoLoginOut = mkEnableOption '' + automatic login and logout of all automatic targets. + You probably do not want this. + ''; + discoverPortal = mkOption { + type = nullOr str; + default = null; + description = "Portal to discover targets on"; + }; + name = mkOption { + type = str; + description = "Name of this iscsi initiator"; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + }; + package = mkOption { + type = package; + description = "openiscsi package to use"; + default = pkgs.openiscsi; + defaultText = "pkgs.openiscsi"; + }; + + extraConfig = mkOption { + type = str; + default = ""; + description = "Lines to append to default iscsid.conf"; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to /etc/iscsid.conf. Use a non-store path + and store passwords in this file. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf cfg.enable { + environment.etc."iscsi/iscsid.conf.fragment".source = pkgs.runCommand "iscsid.conf" {} '' + cat "${cfg.package}/etc/iscsi/iscsid.conf" > $out + cat << 'EOF' >> $out + ${cfg.extraConfig} + ${optionalString cfg.enableAutoLoginOut "node.startup = automatic"} + EOF + ''; + environment.etc."iscsi/initiatorname.iscsi".text = "InitiatorName=${cfg.name}"; + + system.activationScripts.iscsid = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ( + cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + ''; + + systemd.packages = [ cfg.package ]; + + systemd.services."iscsid".wantedBy = [ "multi-user.target" ]; + systemd.sockets."iscsid".wantedBy = [ "sockets.target" ]; + + systemd.services."iscsi" = mkIf cfg.enableAutoLoginOut { + wantedBy = [ "remote-fs.target" ]; + serviceConfig.ExecStartPre = mkIf (cfg.discoverPortal != null) "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal ${escapeShellArg cfg.discoverPortal} --discover"; + }; + + environment.systemPackages = [ cfg.package ]; + boot.kernelModules = [ "iscsi_tcp" ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/root-initiator.nix b/nixos/modules/services/networking/iscsi/root-initiator.nix new file mode 100644 index 00000000000..3274878c4fa --- /dev/null +++ b/nixos/modules/services/networking/iscsi/root-initiator.nix @@ -0,0 +1,181 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.boot.iscsi-initiator; +in +{ + # If you're booting entirely off another machine you may want to add + # this snippet to always boot the latest "system" version. It is not + # enabled by default in case you have an initrd on a local disk: + # + # boot.initrd.postMountCommands = '' + # ln -sfn /nix/var/nix/profiles/system/init /mnt-root/init + # stage2Init=/init + # ''; + # + # Note: Theoretically you might want to connect to multiple portals and + # log in to multiple targets, however the authors of this module so far + # don't have the need or expertise to reasonably implement it. Also, + # consider carefully before making your boot chain depend on multiple + # machines to be up. + options.boot.iscsi-initiator = with types; { + name = mkOption { + description = '' + Name of the iSCSI initiator to boot from. Note, booting from iscsi + requires networkd based networking. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + type = nullOr str; + }; + + discoverPortal = mkOption { + description = '' + iSCSI portal to boot from. + ''; + default = null; + example = "192.168.1.1:3260"; + type = nullOr str; + }; + + target = mkOption { + description = '' + Name of the iSCSI target to boot from. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.targethost:example"; + type = nullOr str; + }; + + logLevel = mkOption { + description = '' + Higher numbers elicits more logs. + ''; + default = 1; + example = 8; + type = int; + }; + + loginAll = mkOption { + description = '' + Do not log into a specific target on the portal, but to all that we discover. + This overrides setting target. + ''; + type = bool; + default = false; + }; + + extraConfig = mkOption { + description = "Extra lines to append to /etc/iscsid.conf"; + default = null; + type = nullOr lines; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to `/etc/iscsid.conf`. Use a non-store path + and store passwords in this file. Note: the file specified here must be available + in the initrd, see: `boot.initrd.secrets`. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf (cfg.name != null) { + # The "scripted" networking configuration (ie: non-networkd) + # doesn't properly order the start and stop of the interfaces, and the + # network interfaces are torn down before unmounting disks. Since this + # module is specifically for very-early-boot network mounts, we need + # the network to stay on. + # + # We could probably fix the scripted options to properly order, but I'm + # not inclined to invest that time today. Hopefully this gets users far + # enough along and they can just use networkd. + networking.useNetworkd = true; + networking.useDHCP = false; # Required to set useNetworkd = true + + boot.initrd = { + network.enable = true; + + # By default, the stage-1 disables the network and resets the interfaces + # on startup. Since our startup disks are on the network, we can't let + # the network not work. + network.flushBeforeStage2 = false; + + kernelModules = [ "iscsi_tcp" ]; + + extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsid + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsiadm + ${optionalString (!config.boot.initrd.network.ssh.enable) "cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib"} + + mkdir -p $out/etc/iscsi + cp ${config.environment.etc.hosts.source} $out/etc/hosts + cp ${pkgs.openiscsi}/etc/iscsi/iscsid.conf $out/etc/iscsi/iscsid.fragment.conf + chmod +w $out/etc/iscsi/iscsid.fragment.conf + cat << 'EOF' >> $out/etc/iscsi/iscsid.fragment.conf + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + EOF + ''; + + extraUtilsCommandsTest = '' + $out/bin/iscsiadm --version + ''; + + preLVMCommands = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: boot.iscsi-initiator.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ${optionalString (!config.boot.initrd.network.ssh.enable) '' + # stolen from initrd-ssh.nix + echo 'root:x:0:0:root:/root:/bin/ash' > /etc/passwd + echo 'passwd: files' > /etc/nsswitch.conf + ''} + + cp -f $extraUtils/etc/hosts /etc/hosts + + mkdir -p /etc/iscsi /run/lock/iscsi + echo "InitiatorName=${cfg.name}" > /etc/iscsi/initiatorname.iscsi + + ( + cat "$extraUtils/etc/iscsi/iscsid.fragment.conf" + printf "\n" + ${optionalString cfg.loginAll ''echo "node.startup = automatic"''} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + + iscsid --foreground --no-pid-file --debug ${toString cfg.logLevel} & + iscsiadm --mode discoverydb \ + --type sendtargets \ + --discover \ + --portal ${escapeShellArg cfg.discoverPortal} \ + --debug ${toString cfg.logLevel} + + ${if cfg.loginAll then '' + iscsiadm --mode node --loginall all + '' else '' + iscsiadm --mode node --targetname ${escapeShellArg cfg.target} --login + ''} + pkill -9 iscsid + ''; + }; + + services.openiscsi = { + enable = true; + inherit (cfg) name; + }; + + assertions = [ + { + assertion = cfg.loginAll -> cfg.target == null; + message = "iSCSI target name is set while login on all portals is enabled."; + } + ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/target.nix b/nixos/modules/services/networking/iscsi/target.nix new file mode 100644 index 00000000000..8a10e7d346a --- /dev/null +++ b/nixos/modules/services/networking/iscsi/target.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.target; +in +{ + ###### interface + options = { + services.target = with types; { + enable = mkEnableOption "the kernel's LIO iscsi target"; + + config = mkOption { + type = attrs; + default = {}; + description = '' + Content of /etc/target/saveconfig.json + This file is normally read and written by targetcli + ''; + }; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + environment.etc."target/saveconfig.json" = { + text = builtins.toJSON cfg.config; + mode = "0600"; + }; + + environment.systemPackages = with pkgs; [ targetcli ]; + + boot.kernelModules = [ "configfs" "target_core_mod" "iscsi_target_mod" ]; + + systemd.services.iscsi-target = { + enable = true; + after = [ "network.target" "local-fs.target" ]; + requires = [ "sys-kernel-config.mount" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.python3.pkgs.rtslib}/bin/targetctl restore"; + ExecStop = "${pkgs.python3.pkgs.rtslib}/bin/targetctl clear"; + RemainAfterExit = "yes"; + }; + }; + + systemd.tmpfiles.rules = [ + "d /etc/target 0700 root root - -" + ]; + }; +} diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix index 3f9be6172f1..9b94c390e98 100644 --- a/nixos/modules/services/networking/kresd.nix +++ b/nixos/modules/services/networking/kresd.nix @@ -29,8 +29,6 @@ let + concatMapStrings (mkListen "doh2") cfg.listenDoH + cfg.extraConfig ); - - package = pkgs.knot-resolver; in { meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; @@ -58,6 +56,15 @@ in { and give commands interactively to kresd@1.service. ''; }; + package = mkOption { + type = types.package; + description = " + knot-resolver package to use. + "; + default = pkgs.knot-resolver; + defaultText = "pkgs.knot-resolver"; + example = literalExample "pkgs.knot-resolver.override { extraFeatures = true; }"; + }; extraConfig = mkOption { type = types.lines; default = ""; @@ -115,7 +122,7 @@ in { }; users.groups.knot-resolver.gid = null; - systemd.packages = [ package ]; # the units are patched inside the package a bit + systemd.packages = [ cfg.package ]; # the units are patched inside the package a bit systemd.targets.kresd = { # configure units started by default wantedBy = [ "multi-user.target" ]; @@ -123,8 +130,8 @@ in { ++ map (i: "kresd@${toString i}.service") (range 1 cfg.instances); }; systemd.services."kresd@".serviceConfig = { - ExecStart = "${package}/bin/kresd --noninteractive " - + "-c ${package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; + ExecStart = "${cfg.package}/bin/kresd --noninteractive " + + "-c ${cfg.package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; # Ensure /run/knot-resolver exists RuntimeDirectory = "knot-resolver"; RuntimeDirectoryMode = "0770"; diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 10b49d9b220..8e814ffd0b9 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -20,8 +20,7 @@ let acl_file ${aclFile} persistence true allow_anonymous ${boolToString cfg.allowAnonymous} - bind_address ${cfg.host} - port ${toString cfg.port} + listener ${toString cfg.port} ${cfg.host} ${passwordConf} ${listenerConf} ${cfg.extraConf} @@ -233,15 +232,50 @@ in ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ProtectSystem = "strict"; - ProtectHome = true; + # Hardening + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; - ReadWritePaths = "${cfg.dataDir}"; + PrivateUsers = true; + ProtectClock = true; ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - NoNewPrivileges = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + ReadWritePaths = [ + cfg.dataDir + "/tmp" # mosquitto_passwd creates files in /tmp before moving them + ]; + ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ + certfile + keyfile + cafile + ]; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" # for sd_notify() call + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' rm -f ${cfg.dataDir}/passwd diff --git a/nixos/modules/services/networking/mxisd.nix b/nixos/modules/services/networking/mxisd.nix index 482d6ff456b..f29d190c626 100644 --- a/nixos/modules/services/networking/mxisd.nix +++ b/nixos/modules/services/networking/mxisd.nix @@ -41,8 +41,8 @@ in { package = mkOption { type = types.package; - default = pkgs.mxisd; - defaultText = "pkgs.mxisd"; + default = pkgs.ma1sd; + defaultText = "pkgs.ma1sd"; description = "The mxisd/ma1sd package to use"; }; diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix new file mode 100644 index 00000000000..e7ebfe1b4db --- /dev/null +++ b/nixos/modules/services/networking/nebula.nix @@ -0,0 +1,219 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nebula; + enabledNetworks = filterAttrs (n: v: v.enable) cfg.networks; + + format = pkgs.formats.yaml {}; + + nameToId = netName: "nebula-${netName}"; +in +{ + # Interface + + options = { + services.nebula = { + networks = mkOption { + description = "Nebula network definitions."; + default = {}; + type = types.attrsOf (types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable or disable this network."; + }; + + package = mkOption { + type = types.package; + default = pkgs.nebula; + defaultText = "pkgs.nebula"; + description = "Nebula derivation to use."; + }; + + ca = mkOption { + type = types.path; + description = "Path to the certificate authority certificate."; + example = "/etc/nebula/ca.crt"; + }; + + cert = mkOption { + type = types.path; + description = "Path to the host certificate."; + example = "/etc/nebula/host.crt"; + }; + + key = mkOption { + type = types.path; + description = "Path to the host key."; + example = "/etc/nebula/host.key"; + }; + + staticHostMap = mkOption { + type = types.attrsOf (types.listOf (types.str)); + default = {}; + description = '' + The static host map defines a set of hosts with fixed IP addresses on the internet (or any network). + A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel. + ''; + example = literalExample '' + { "192.168.100.1" = [ "100.64.22.11:4242" ]; } + ''; + }; + + isLighthouse = mkOption { + type = types.bool; + default = false; + description = "Whether this node is a lighthouse."; + }; + + lighthouses = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse + nodes. The IPs should be the lighthouse's Nebula IPs, not their external IPs. + ''; + example = ''[ "192.168.100.1" ]''; + }; + + listen.host = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address to listen on."; + }; + + listen.port = mkOption { + type = types.port; + default = 4242; + description = "Port number to listen on."; + }; + + tun.disable = mkOption { + type = types.bool; + default = false; + description = '' + When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root). + ''; + }; + + tun.device = mkOption { + type = types.nullOr types.str; + default = null; + description = "Name of the tun device. Defaults to nebula.\${networkName}."; + }; + + firewall.outbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for outbound traffic."; + example = ''[ { port = "any"; proto = "any"; host = "any"; } ]''; + }; + + firewall.inbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for inbound traffic."; + example = ''[ { port = "any"; proto = "any"; host = "any"; } ]''; + }; + + settings = mkOption { + type = format.type; + default = {}; + description = '' + Nebula configuration. Refer to + <link xlink:href="https://github.com/slackhq/nebula/blob/master/examples/config.yml"/> + for details on supported values. + ''; + example = literalExample '' + { + lighthouse.dns = { + host = "0.0.0.0"; + port = 53; + }; + } + ''; + }; + }; + }); + }; + }; + }; + + # Implementation + config = mkIf (enabledNetworks != {}) { + systemd.services = mkMerge (mapAttrsToList (netName: netCfg: + let + networkId = nameToId netName; + settings = recursiveUpdate { + pki = { + ca = netCfg.ca; + cert = netCfg.cert; + key = netCfg.key; + }; + static_host_map = netCfg.staticHostMap; + lighthouse = { + am_lighthouse = netCfg.isLighthouse; + hosts = netCfg.lighthouses; + }; + listen = { + host = netCfg.listen.host; + port = netCfg.listen.port; + }; + tun = { + disabled = netCfg.tun.disable; + dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}"; + }; + firewall = { + inbound = netCfg.firewall.inbound; + outbound = netCfg.firewall.outbound; + }; + } netCfg.settings; + configFile = format.generate "nebula-config-${netName}.yml" settings; + in + { + # Create systemd service for Nebula. + "nebula@${netName}" = { + description = "Nebula VPN service for ${netName}"; + wants = [ "basic.target" ]; + after = [ "basic.target" "network.target" ]; + before = [ "sshd.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = mkMerge [ + { + Type = "simple"; + Restart = "always"; + ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; + } + # The service needs to launch as root to access the tun device, if it's enabled. + (mkIf netCfg.tun.disable { + User = networkId; + Group = networkId; + }) + ]; + }; + }) enabledNetworks); + + # Open the chosen ports for UDP. + networking.firewall.allowedUDPPorts = + unique (mapAttrsToList (netName: netCfg: netCfg.listen.port) enabledNetworks); + + # Create the service users and groups. + users.users = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = { + group = nameToId netName; + description = "Nebula service user for network ${netName}"; + isSystemUser = true; + }; + }) enabledNetworks); + + users.groups = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = {}; + }) enabledNetworks); + }; +} diff --git a/nixos/modules/services/networking/quagga.nix b/nixos/modules/services/networking/quagga.nix deleted file mode 100644 index 7c169fe62d8..00000000000 --- a/nixos/modules/services/networking/quagga.nix +++ /dev/null @@ -1,185 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.quagga; - - services = [ "babel" "bgp" "isis" "ospf6" "ospf" "pim" "rip" "ripng" ]; - allServices = services ++ [ "zebra" ]; - - isEnabled = service: cfg.${service}.enable; - - daemonName = service: if service == "zebra" then service else "${service}d"; - - configFile = service: - let - scfg = cfg.${service}; - in - if scfg.configFile != null then scfg.configFile - else pkgs.writeText "${daemonName service}.conf" - '' - ! Quagga ${daemonName service} configuration - ! - hostname ${config.networking.hostName} - log syslog - service password-encryption - ! - ${scfg.config} - ! - end - ''; - - serviceOptions = service: - { - enable = mkEnableOption "the Quagga ${toUpper service} routing protocol"; - - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/etc/quagga/${daemonName service}.conf"; - description = '' - Configuration file to use for Quagga ${daemonName service}. - By default the NixOS generated files are used. - ''; - }; - - config = mkOption { - type = types.lines; - default = ""; - example = - let - examples = { - rip = '' - router rip - network 10.0.0.0/8 - ''; - - ospf = '' - router ospf - network 10.0.0.0/8 area 0 - ''; - - bgp = '' - router bgp 65001 - neighbor 10.0.0.1 remote-as 65001 - ''; - }; - in - examples.${service} or ""; - description = '' - ${daemonName service} configuration statements. - ''; - }; - - vtyListenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - description = '' - Address to bind to for the VTY interface. - ''; - }; - - vtyListenPort = mkOption { - type = types.nullOr types.int; - default = null; - description = '' - TCP Port to bind to for the VTY interface. - ''; - }; - }; - -in - -{ - - ###### interface - imports = [ - { - options.services.quagga = { - zebra = (serviceOptions "zebra") // { - enable = mkOption { - type = types.bool; - default = any isEnabled services; - description = '' - Whether to enable the Zebra routing manager. - - The Zebra routing manager is automatically enabled - if any routing protocols are configured. - ''; - }; - }; - }; - } - { options.services.quagga = (genAttrs services serviceOptions); } - ]; - - ###### implementation - - config = mkIf (any isEnabled allServices) { - - environment.systemPackages = [ - pkgs.quagga # for the vtysh tool - ]; - - users.users.quagga = { - description = "Quagga daemon user"; - isSystemUser = true; - group = "quagga"; - }; - - users.groups = { - quagga = {}; - # Members of the quaggavty group can use vtysh to inspect the Quagga daemons - quaggavty = { members = [ "quagga" ]; }; - }; - - systemd.services = - let - quaggaService = service: - let - scfg = cfg.${service}; - daemon = daemonName service; - in - nameValuePair daemon ({ - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ (configFile service) ]; - - serviceConfig = { - Type = "forking"; - PIDFile = "/run/quagga/${daemon}.pid"; - ExecStart = "@${pkgs.quagga}/libexec/quagga/${daemon} ${daemon} -d -f ${configFile service}" - + optionalString (scfg.vtyListenAddress != "") " -A ${scfg.vtyListenAddress}" - + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "on-abort"; - }; - } // ( - if service == "zebra" then - { - description = "Quagga Zebra routing manager"; - unitConfig.Documentation = "man:zebra(8)"; - after = [ "network.target" ]; - preStart = '' - install -m 0755 -o quagga -g quagga -d /run/quagga - - ${pkgs.iproute2}/bin/ip route flush proto zebra - ''; - } - else - { - description = "Quagga ${toUpper service} routing daemon"; - unitConfig.Documentation = "man:${daemon}(8) man:zebra(8)"; - bindsTo = [ "zebra.service" ]; - after = [ "network.target" "zebra.service" ]; - } - )); - in - listToAttrs (map quaggaService (filter isEnabled allServices)); - - }; - - meta.maintainers = with lib.maintainers; [ tavyc ]; - -} diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index a515e4a3dc3..04f7d7e31f4 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -4,23 +4,25 @@ with lib; let runDir = "/run/searx"; + cfg = config.services.searx; + settingsFile = pkgs.writeText "settings.yml" + (builtins.toJSON cfg.settings); + generateConfig = '' cd ${runDir} # write NixOS settings as JSON - cat <<'EOF' > settings.yml - ${builtins.toJSON cfg.settings} - EOF + ( + umask 077 + cp --no-preserve=mode ${settingsFile} settings.yml + ) # substitute environment variables env -0 | while IFS='=' read -r -d ''' n v; do sed "s#@$n@#$v#g" -i settings.yml done - - # set strict permissions - chmod 400 settings.yml ''; settingType = with types; (oneOf diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 622c3d8ea43..a8747e244a9 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -4,51 +4,28 @@ with lib; let cfg = config.services.unbound; - stateDir = "/var/lib/unbound"; - - access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess; - - interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces; - - isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1"; - - forward = - optionalString (any isLocalAddress cfg.forwardAddresses) '' - do-not-query-localhost: no - '' - + optionalString (cfg.forwardAddresses != []) '' - forward-zone: - name: . - '' - + concatMapStringsSep "\n" (x: " forward-addr: ${x}") cfg.forwardAddresses; - - rootTrustAnchorFile = "${stateDir}/root.key"; - - trustAnchor = optionalString cfg.enableRootTrustAnchor - "auto-trust-anchor-file: ${rootTrustAnchorFile}"; - - confFile = pkgs.writeText "unbound.conf" '' - server: - ip-freebind: yes - directory: "${stateDir}" - username: unbound - chroot: "" - pidfile: "" - # when running under systemd there is no need to daemonize - do-daemonize: no - ${interfaces} - ${access} - ${trustAnchor} - ${lib.optionalString (cfg.localControlSocketPath != null) '' - remote-control: - control-enable: yes - control-interface: ${cfg.localControlSocketPath} - ''} - ${cfg.extraConfig} - ${forward} - ''; -in -{ + yesOrNo = v: if v then "yes" else "no"; + + toOption = indent: n: v: "${indent}${toString n}: ${v}"; + + toConf = indent: n: v: + if builtins.isFloat v then (toOption indent n (builtins.toJSON v)) + else if isInt v then (toOption indent n (toString v)) + else if isBool v then (toOption indent n (yesOrNo v)) + else if isString v then (toOption indent n v) + else if isList v then (concatMapStringsSep "\n" (toConf indent n) v) + else if isAttrs v then (concatStringsSep "\n" ( + ["${indent}${n}:"] ++ ( + mapAttrsToList (toConf "${indent} ") v + ) + )) + else throw (traceSeq v "services.unbound.settings: unexpected type"); + + confFile = pkgs.writeText "unbound.conf" (concatStringsSep "\n" ((mapAttrsToList (toConf "") cfg.settings) ++ [""])); + + rootTrustAnchorFile = "${cfg.stateDir}/root.key"; + +in { ###### interface @@ -64,25 +41,30 @@ in description = "The unbound package to use"; }; - allowedAccess = mkOption { - default = [ "127.0.0.0/24" ]; - type = types.listOf types.str; - description = "What networks are allowed to use unbound as a resolver."; + user = mkOption { + type = types.str; + default = "unbound"; + description = "User account under which unbound runs."; }; - interfaces = mkOption { - default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1"; - type = types.listOf types.str; - description = '' - What addresses the server should listen on. This supports the interface syntax documented in - <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8</manvolnum></citerefentry>. - ''; + group = mkOption { + type = types.str; + default = "unbound"; + description = "Group under which unbound runs."; }; - forwardAddresses = mkOption { - default = []; - type = types.listOf types.str; - description = "What servers to forward queries to."; + stateDir = mkOption { + default = "/var/lib/unbound"; + description = "Directory holding all state for unbound to run."; + }; + + resolveLocalQueries = mkOption { + type = types.bool; + default = true; + description = '' + Whether unbound should resolve local queries (i.e. add 127.0.0.1 to + /etc/resolv.conf). + ''; }; enableRootTrustAnchor = mkOption { @@ -106,23 +88,66 @@ in and group will be <literal>nogroup</literal>. Users that should be permitted to access the socket must be in the - <literal>unbound</literal> group. + <literal>config.services.unbound.group</literal> group. If this option is <literal>null</literal> remote control will not be - configured at all. Unbounds default values apply. + enabled. Unbounds default values apply. ''; }; - extraConfig = mkOption { - default = ""; - type = types.lines; + settings = mkOption { + default = {}; + type = with types; submodule { + + freeformType = let + validSettingsPrimitiveTypes = oneOf [ int str bool float ]; + validSettingsTypes = oneOf [ validSettingsPrimitiveTypes (listOf validSettingsPrimitiveTypes) ]; + settingsType = (attrsOf validSettingsTypes); + in attrsOf (oneOf [ string settingsType (listOf settingsType) ]) + // { description = '' + unbound.conf configuration type. The format consist of an attribute + set of settings. Each settings can be either one value, a list of + values or an attribute set. The allowed values are integers, + strings, booleans or floats. + ''; + }; + + options = { + remote-control.control-enable = mkOption { + type = bool; + default = false; + internal = true; + }; + }; + }; + example = literalExample '' + { + server = { + interface = [ "127.0.0.1" ]; + }; + forward-zone = [ + { + name = "."; + forward-addr = "1.1.1.1@853#cloudflare-dns.com"; + } + { + name = "example.org."; + forward-addr = [ + "1.1.1.1@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + } + ]; + remote-control.control-enable = true; + }; + ''; description = '' - Extra unbound config. See - <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8 - </manvolnum></citerefentry>. + Declarative Unbound configuration + See the <citerefentry><refentrytitle>unbound.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manpage for a list of + available options. ''; }; - }; }; @@ -130,23 +155,56 @@ in config = mkIf cfg.enable { + services.unbound.settings = { + server = { + directory = mkDefault cfg.stateDir; + username = cfg.user; + chroot = ''""''; + pidfile = ''""''; + # when running under systemd there is no need to daemonize + do-daemonize = false; + interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow")); + auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile; + tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt"; + # prevent race conditions on system startup when interfaces are not yet + # configured + ip-freebind = mkDefault true; + }; + remote-control = { + control-enable = mkDefault false; + control-interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + server-key-file = mkDefault "${cfg.stateDir}/unbound_server.key"; + server-cert-file = mkDefault "${cfg.stateDir}/unbound_server.pem"; + control-key-file = mkDefault "${cfg.stateDir}/unbound_control.key"; + control-cert-file = mkDefault "${cfg.stateDir}/unbound_control.pem"; + } // optionalAttrs (cfg.localControlSocketPath != null) { + control-enable = true; + control-interface = cfg.localControlSocketPath; + }; + }; + environment.systemPackages = [ cfg.package ]; - users.users.unbound = { - description = "unbound daemon user"; - isSystemUser = true; - group = lib.mkIf (cfg.localControlSocketPath != null) (lib.mkDefault "unbound"); + users.users = mkIf (cfg.user == "unbound") { + unbound = { + description = "unbound daemon user"; + isSystemUser = true; + group = cfg.group; + }; }; - # We need a group so that we can give users access to the configured - # control socket. Unbound allows access to the socket only to the unbound - # user and the primary group. - users.groups = lib.mkIf (cfg.localControlSocketPath != null) { + users.groups = mkIf (cfg.group == "unbound") { unbound = {}; }; - networking.resolvconf.useLocalResolver = mkDefault true; + networking = mkIf cfg.resolveLocalQueries { + resolvconf = { + useLocalResolver = mkDefault true; + }; + networkmanager.dns = "unbound"; + }; environment.etc."unbound/unbound.conf".source = confFile; @@ -156,8 +214,15 @@ in before = [ "nss-lookup.target" ]; wantedBy = [ "multi-user.target" "nss-lookup.target" ]; - preStart = lib.mkIf cfg.enableRootTrustAnchor '' - ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + path = mkIf cfg.settings.remote-control.control-enable [ pkgs.openssl ]; + + preStart = '' + ${optionalString cfg.enableRootTrustAnchor '' + ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + ''} + ${optionalString cfg.settings.remote-control.control-enable '' + ${cfg.package}/bin/unbound-control-setup -d ${cfg.stateDir} + ''} ''; restartTriggers = [ @@ -181,8 +246,8 @@ in "CAP_SYS_RESOURCE" ]; - User = "unbound"; - Group = lib.mkIf (cfg.localControlSocketPath != null) (lib.mkDefault "unbound"); + User = cfg.user; + Group = cfg.group; MemoryDenyWriteExecute = true; NoNewPrivileges = true; @@ -211,9 +276,29 @@ in RestrictNamespaces = true; LockPersonality = true; RestrictSUIDSGID = true; + + Restart = "on-failure"; + RestartSec = "5s"; }; }; - # If networkmanager is enabled, ask it to interface with unbound. - networking.networkmanager.dns = "unbound"; }; + + imports = [ + (mkRenamedOptionModule [ "services" "unbound" "interfaces" ] [ "services" "unbound" "settings" "server" "interface" ]) + (mkChangedOptionModule [ "services" "unbound" "allowedAccess" ] [ "services" "unbound" "settings" "server" "access-control" ] ( + config: map (value: "${value} allow") (getAttrFromPath [ "services" "unbound" "allowedAccess" ] config) + )) + (mkRemovedOptionModule [ "services" "unbound" "forwardAddresses" ] '' + Add a new setting: + services.unbound.settings.forward-zone = [{ + name = "."; + forward-addr = [ # Your current services.unbound.forwardAddresses ]; + }]; + If any of those addresses are local addresses (127.0.0.1 or ::1), you must + also set services.unbound.settings.server.do-not-query-localhost to false. + '') + (mkRemovedOptionModule [ "services" "unbound" "extraConfig" ] '' + You can use services.unbound.settings to add any configuration you want. + '') + ]; } diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 34c86934535..043bce16e54 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -246,12 +246,15 @@ let }; script = '' - mkdir --mode 0644 -p "${dirOf values.privateKeyFile}" + set -e + + # If the parent dir does not already exist, create it. + # Otherwise, does nothing, keeping existing permisions intact. + mkdir -p --mode 0755 "${dirOf values.privateKeyFile}" + if [ ! -f "${values.privateKeyFile}" ]; then - touch "${values.privateKeyFile}" - chmod 0600 "${values.privateKeyFile}" - wg genkey > "${values.privateKeyFile}" - chmod 0400 "${values.privateKeyFile}" + # Write private key file with atomically-correct permissions. + (set -e; umask 077; wg genkey > "${values.privateKeyFile}") fi ''; }; diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index b901b19cf31..0c24972823d 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -62,6 +62,22 @@ in description = "The firewall package used by fail2ban service."; }; + extraPackages = mkOption { + default = []; + type = types.listOf types.package; + example = lib.literalExample "[ pkgs.ipset ]"; + description = '' + Extra packages to be made available to the fail2ban service. The example contains + the packages needed by the `iptables-ipset-proto6` action. + ''; + }; + + maxretry = mkOption { + default = 3; + type = types.ints.unsigned; + description = "Number of failures before a host gets banned."; + }; + banaction = mkOption { default = "iptables-multiport"; type = types.str; @@ -243,7 +259,7 @@ in restartTriggers = [ fail2banConf jailConf pathsConf ]; reloadIfChanged = true; - path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ]; + path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages; unitConfig.Documentation = "man:fail2ban(1)"; @@ -291,7 +307,7 @@ in ''} # Miscellaneous options ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP} - maxretry = 3 + maxretry = ${toString cfg.maxretry} backend = systemd # Actions banaction = ${cfg.banaction} diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 77c579279ab..e85fd4b75df 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -90,10 +90,10 @@ in package = mkOption { type = types.package; - default = pkgs.oauth2_proxy; - defaultText = "pkgs.oauth2_proxy"; + default = pkgs.oauth2-proxy; + defaultText = "pkgs.oauth2-proxy"; description = '' - The package that provides oauth2_proxy. + The package that provides oauth2-proxy. ''; }; diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix index 553638ad496..d82ddb894ea 100644 --- a/nixos/modules/services/security/oauth2_proxy_nginx.nix +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -23,7 +23,8 @@ in config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { enable = true; }; - config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) { + config.services.nginx = mkIf config.services.oauth2_proxy.enable (mkMerge + ((optional (cfg.virtualHosts != []) { recommendedProxySettings = true; # needed because duplicate headers }) ++ (map (vhost: { virtualHosts.${vhost} = { @@ -60,5 +61,5 @@ in ''; }; - }) cfg.virtualHosts)); + }) cfg.virtualHosts))); } diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 033ff5ef4b5..53bd9efa5ac 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -5,6 +5,21 @@ with lib; let cfg = config.services.sshguard; + configFile = let + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + backend = if config.networking.nftables.enable + then "sshg-fw-nft-sets" + else "sshg-fw-ipset"; + in pkgs.writeText "sshguard.conf" '' + BACKEND="${pkgs.sshguard}/libexec/${backend}" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + in { ###### interface @@ -85,20 +100,7 @@ in { config = mkIf cfg.enable { - environment.etc."sshguard.conf".text = let - args = lib.concatStringsSep " " ([ - "-afb" - "-p info" - "-o cat" - "-n1" - ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); - backend = if config.networking.nftables.enable - then "sshg-fw-nft-sets" - else "sshg-fw-ipset"; - in '' - BACKEND="${pkgs.sshguard}/libexec/${backend}" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" - ''; + environment.etc."sshguard.conf".source = configFile; systemd.services.sshguard = { description = "SSHGuard brute-force attacks protection system"; @@ -107,6 +109,8 @@ in { after = [ "network.target" ]; partOf = optional config.networking.firewall.enable "firewall.service"; + restartTriggers = [ configFile ]; + path = with pkgs; if config.networking.nftables.enable then [ nftables iproute2 systemd ] else [ iptables ipset iproute2 systemd ]; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 7bec073e26f..1dec111b829 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -402,6 +402,7 @@ in mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*, mr ${getLib pkgs.xz}/lib/liblzma*.so*, mr ${getLib pkgs.zlib}/lib/libz*.so*, + mr ${getLib pkgs.brotli}/lib/libbrotli*.so*, r @{PROC}/sys/kernel/random/uuid, r @{PROC}/sys/vm/overcommit_memory, diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix index 14d84c4ce0f..2e71abb69fc 100644 --- a/nixos/modules/services/wayland/cage.nix +++ b/nixos/modules/services/wayland/cage.nix @@ -93,6 +93,6 @@ in { systemd.defaultUnit = "graphical.target"; }; - meta.maintainers = with lib.maintainers; [ matthewbauer flokli ]; + meta.maintainers = with lib.maintainers; [ matthewbauer ]; } diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 83d05ffbad9..34a31af9c9d 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -292,6 +292,8 @@ in { WorkingDirectory = "${bookstack}"; }; script = '' + # set permissions + umask 077 # create .env file echo " APP_KEY=base64:$(head -n1 ${cfg.appKeyFile}) @@ -317,13 +319,14 @@ in { ${optionalString (cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME) "SESSION_SECURE_COOKIE=true"} ${toString cfg.extraConfig} " > "${cfg.dataDir}/.env" - # set permissions - chmod 700 "${cfg.dataDir}/.env" # migrate db ${pkgs.php}/bin/php artisan migrate --force - # create caches + # clear & create caches (needed in case of update) + ${pkgs.php}/bin/php artisan cache:clear + ${pkgs.php}/bin/php artisan config:clear + ${pkgs.php}/bin/php artisan view:clear ${pkgs.php}/bin/php artisan config:cache ${pkgs.php}/bin/php artisan route:cache ${pkgs.php}/bin/php artisan view:cache diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 03ea002c9de..00b58d50257 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -702,7 +702,7 @@ in cp -r ${cfg.package}/share/discourse/config.dist/* /run/discourse/config/ cp -r ${cfg.package}/share/discourse/public.dist/* /run/discourse/public/ cp -r ${cfg.package}/share/discourse/plugins.dist/* /run/discourse/plugins/ - ${lib.concatMapStrings (p: "ln -sf ${p} /run/discourse/plugins/") cfg.plugins} + ${lib.concatMapStringsSep "\n" (p: "ln -sf ${p} /run/discourse/plugins/") cfg.plugins} ln -sf /var/lib/discourse/uploads /run/discourse/public/uploads ln -sf /var/lib/discourse/backups /run/discourse/public/backups @@ -726,7 +726,8 @@ in export ADMIN_EMAIL="${cfg.admin.email}" export ADMIN_NAME="${cfg.admin.fullName}" export ADMIN_USERNAME="${cfg.admin.username}" - export ADMIN_PASSWORD="$(<${cfg.admin.passwordFile})" + ADMIN_PASSWORD="$(<${cfg.admin.passwordFile})" + export ADMIN_PASSWORD discourse-rake admin:create_noninteractively discourse-rake themes:update @@ -938,7 +939,8 @@ in set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit - export api_key=$(<'${apiKeyPath}') + api_key=$(<'${apiKeyPath}') + export api_key jq <${mail-receiver-json} \ '.DISCOURSE_API_KEY = $ENV.api_key' \ diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index a93e9327933..5b578cd8c4a 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -171,6 +171,12 @@ in Username to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned. + + To use this with a local database, set <xref + linkend="opt-services.keycloak.databaseCreateLocally" /> to + <literal>false</literal> and create the database and user + manually. The database should be called + <literal>keycloak</literal>. ''; }; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 16e8ae2ec0b..af46f4e1927 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -31,6 +31,8 @@ let // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {}) // cfg.extraConfig; + systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@setuid" "@swap" ]; + cfgService = { # User and group User = cfg.user; @@ -68,7 +70,6 @@ let PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @reboot @resources @setuid @swap"; }; envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") ( @@ -432,6 +433,8 @@ in { serviceConfig = { Type = "oneshot"; WorkingDirectory = cfg.package; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]); } // cfgService; after = [ "network.target" ]; @@ -457,6 +460,8 @@ in { Type = "oneshot"; EnvironmentFile = "/var/lib/mastodon/.secrets_env"; WorkingDirectory = cfg.package; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]); } // cfgService; after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []); wantedBy = [ "multi-user.target" ]; @@ -481,6 +486,8 @@ in { # Runtime directory and mode RuntimeDirectory = "mastodon-streaming"; RuntimeDirectoryMode = "0750"; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" "@resources" ]); } // cfgService; }; @@ -503,6 +510,8 @@ in { # Runtime directory and mode RuntimeDirectory = "mastodon-web"; RuntimeDirectoryMode = "0750"; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]); } // cfgService; path = with pkgs; [ file imagemagick ffmpeg ]; }; @@ -522,6 +531,8 @@ in { RestartSec = 20; EnvironmentFile = "/var/lib/mastodon/.secrets_env"; WorkingDirectory = cfg.package; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList; } // cfgService; path = with pkgs; [ file imagemagick ffmpeg ]; }; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 58e8e5a0a8b..545deaa905f 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -10,7 +10,7 @@ let extensions = { enabled, all }: (with all; enabled - ++ optional (!cfg.disableImagemagick) imagick + ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu ++ optional cfg.caching.redis redis @@ -63,6 +63,9 @@ in { Further details about this can be found in the `Nextcloud`-section of the NixOS-manual (which can be openend e.g. by running `nixos-help`). '') + (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] '' + Use services.nextcloud.nginx.enableImagemagick instead. + '') ]; options.services.nextcloud = { @@ -303,16 +306,14 @@ in { }; }; - disableImagemagick = mkOption { - type = types.bool; - default = false; - description = '' - Whether to not load the ImageMagick module into PHP. + enableImagemagick = mkEnableOption '' + Whether to load the ImageMagick module into PHP. This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF). You may want to disable it for increased security. In that case, previews will still be available for some images (e.g. JPEG and PNG). See https://github.com/nextcloud/server/issues/13099 - ''; + '' // { + default = true; }; caching = { diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 7591ad0c3d2..d811879b7b1 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -249,7 +249,15 @@ let + optionalString (ssl && vhost.http2) "http2 " + optionalString vhost.default "default_server " + optionalString (extraParameters != []) (concatStringsSep " " extraParameters) - + ";"; + + ";" + + (if ssl && vhost.http3 then '' + # UDP listener for **QUIC+HTTP/3 + listen ${addr}:${toString port} http3 reuseport; + # Advertise that HTTP/3 is available + add_header Alt-Svc 'h3=":443"'; + # Sent when QUIC was used + add_header QUIC-Status $quic; + '' else ""); redirectListen = filter (x: !x.ssl) defaultListen; @@ -676,6 +684,7 @@ in Defines the address and other parameters of the upstream servers. ''; default = {}; + example = { "127.0.0.1:8000" = {}; }; }; extraConfig = mkOption { type = types.lines; @@ -690,6 +699,14 @@ in Defines a group of servers to use as proxy target. ''; default = {}; + example = literalExample '' + "backend_server" = { + servers = { "127.0.0.1:8000" = {}; }; + extraConfig = '''' + keepalive 16; + ''''; + }; + ''; }; virtualHosts = mkOption { @@ -802,28 +819,38 @@ in # Logs directory and mode LogsDirectory = "nginx"; LogsDirectoryMode = "0750"; + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; + # New file permissions + UMask = "0027"; # 0640 / 0750 # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; # Security NoNewPrivileges = true; - # Sandboxing + # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) ProtectSystem = "strict"; ProtectHome = mkDefault true; PrivateTmp = true; PrivateDevices = true; ProtectHostname = true; + ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; + ProtectKernelLogs = true; ProtectControlGroups = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules); RestrictRealtime = true; RestrictSUIDSGID = true; + RemoveIPC = true; PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; + SystemCallFilter = "~@chown @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap"; }; }; @@ -870,6 +897,7 @@ in users.users = optionalAttrs (cfg.user == "nginx") { nginx = { group = cfg.group; + isSystemUser = true; uid = config.ids.uids.nginx; }; }; diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index cf211ea9a71..1f5fe6a368c 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -151,6 +151,19 @@ with lib; ''; }; + http3 = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTP 3. + This requires using <literal>pkgs.nginxQuic</literal> package + which can be achived by setting <literal>services.nginx.package = pkgs.nginxQuic;</literal>. + Note that HTTP 3 support is experimental and + *not* yet recommended for production. + Read more at https://quic.nginx.org/ + ''; + }; + root = mkOption { type = types.nullOr types.path; default = null; diff --git a/nixos/modules/services/web-servers/trafficserver.nix b/nixos/modules/services/web-servers/trafficserver.nix new file mode 100644 index 00000000000..db0e2ac0bd0 --- /dev/null +++ b/nixos/modules/services/web-servers/trafficserver.nix @@ -0,0 +1,318 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.trafficserver; + user = config.users.users.trafficserver.name; + group = config.users.groups.trafficserver.name; + + getManualUrl = name: "https://docs.trafficserver.apache.org/en/latest/admin-guide/files/${name}.en.html"; + getConfPath = name: "${pkgs.trafficserver}/etc/trafficserver/${name}"; + + yaml = pkgs.formats.yaml { }; + + fromYAML = f: + let + jsonFile = pkgs.runCommand "in.json" + { + nativeBuildInputs = [ pkgs.remarshal ]; + } '' + yaml2json < "${f}" > "$out" + ''; + in + builtins.fromJSON (builtins.readFile jsonFile); + + mkYamlConf = name: cfg: + if cfg != null then { + "trafficserver/${name}.yaml".source = yaml.generate "${name}.yaml" cfg; + } else { + "trafficserver/${name}.yaml".text = ""; + }; + + mkRecordLines = path: value: + if isAttrs value then + lib.mapAttrsToList (n: v: mkRecordLines (path ++ [ n ]) v) value + else if isInt value then + "CONFIG ${concatStringsSep "." path} INT ${toString value}" + else if isFloat value then + "CONFIG ${concatStringsSep "." path} FLOAT ${toString value}" + else + "CONFIG ${concatStringsSep "." path} STRING ${toString value}"; + + mkRecordsConfig = cfg: concatStringsSep "\n" (flatten (mkRecordLines [ ] cfg)); + mkPluginConfig = cfg: concatStringsSep "\n" (map (p: "${p.path} ${p.arg}") cfg); +in +{ + options.services.trafficserver = { + enable = mkEnableOption "Apache Traffic Server"; + + cache = mkOption { + type = types.lines; + default = ""; + example = "dest_domain=example.com suffix=js action=never-cache"; + description = '' + Caching rules that overrule the origin's caching policy. + + Consult the <link xlink:href="${getManualUrl "cache.config"}">upstream + documentation</link> for more details. + ''; + }; + + hosting = mkOption { + type = types.lines; + default = ""; + example = "domain=example.com volume=1"; + description = '' + Partition the cache according to origin server or domain + + Consult the <link xlink:href="${getManualUrl "hosting.config"}"> + upstream documentation</link> for more details. + ''; + }; + + ipAllow = mkOption { + type = types.nullOr yaml.type; + default = fromYAML (getConfPath "ip_allow.yaml"); + defaultText = "upstream defaults"; + example = literalExample { + ip_allow = [{ + apply = "in"; + ip_addrs = "127.0.0.1"; + action = "allow"; + methods = "ALL"; + }]; + }; + description = '' + Control client access to Traffic Server and Traffic Server connections + to upstream servers. + + Consult the <link xlink:href="${getManualUrl "ip_allow.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + logging = mkOption { + type = types.nullOr yaml.type; + default = fromYAML (getConfPath "logging.yaml"); + defaultText = "upstream defaults"; + example = literalExample { }; + description = '' + Configure logs. + + Consult the <link xlink:href="${getManualUrl "logging.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + parent = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=. method=get parent="p1.example:8080; p2.example:8080" round_robin=true + ''; + description = '' + Identify the parent proxies used in an cache hierarchy. + + Consult the <link xlink:href="${getManualUrl "parent.config"}">upstream + documentation</link> for more details. + ''; + }; + + plugins = mkOption { + default = [ ]; + + description = '' + Controls run-time loadable plugins available to Traffic Server, as + well as their configuration. + + Consult the <link xlink:href="${getManualUrl "plugin.config"}">upstream + documentation</link> for more details. + ''; + + type = with types; + listOf (submodule { + options.path = mkOption { + type = str; + example = "xdebug.so"; + description = '' + Path to plugin. The path can either be absolute, or relative to + the plugin directory. + ''; + }; + options.arg = mkOption { + type = str; + default = ""; + example = "--header=ATS-My-Debug"; + description = "arguments to pass to the plugin"; + }; + }); + }; + + records = mkOption { + type = with types; + let valueType = (attrsOf (oneOf [ int float str valueType ])) // { + description = "Traffic Server records value"; + }; + in + valueType; + default = { }; + example = literalExample { proxy.config.proxy_name = "my_server"; }; + description = '' + List of configurable variables used by Traffic Server. + + Consult the <link xlink:href="${getManualUrl "records.config"}"> + upstream documentation</link> for more details. + ''; + }; + + remap = mkOption { + type = types.lines; + default = ""; + example = "map http://from.example http://origin.example"; + description = '' + URL remapping rules used by Traffic Server. + + Consult the <link xlink:href="${getManualUrl "remap.config"}"> + upstream documentation</link> for more details. + ''; + }; + + splitDns = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=internal.corp.example named="255.255.255.255:212 255.255.255.254" def_domain=corp.example search_list="corp.example corp1.example" + dest_domain=!internal.corp.example named=255.255.255.253 + ''; + description = '' + Specify the DNS server that Traffic Server should use under specific + conditions. + + Consult the <link xlink:href="${getManualUrl "splitdns.config"}"> + upstream documentation</link> for more details. + ''; + }; + + sslMulticert = mkOption { + type = types.lines; + default = ""; + example = "dest_ip=* ssl_cert_name=default.pem"; + description = '' + Configure SSL server certificates to terminate the SSL sessions. + + Consult the <link xlink:href="${getManualUrl "ssl_multicert.config"}"> + upstream documentation</link> for more details. + ''; + }; + + sni = mkOption { + type = types.nullOr yaml.type; + default = null; + example = literalExample { + sni = [{ + fqdn = "no-http2.example.com"; + https = "off"; + }]; + }; + description = '' + Configure aspects of TLS connection handling for both inbound and + outbound connections. + + Consult the <link xlink:href="${getManualUrl "sni.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + storage = mkOption { + type = types.lines; + default = "/var/cache/trafficserver 256M"; + example = "/dev/disk/by-id/XXXXX volume=1"; + description = '' + List all the storage that make up the Traffic Server cache. + + Consult the <link xlink:href="${getManualUrl "storage.config"}"> + upstream documentation</link> for more details. + ''; + }; + + strategies = mkOption { + type = types.nullOr yaml.type; + default = null; + description = '' + Specify the next hop proxies used in an cache hierarchy and the + algorithms used to select the next proxy. + + Consult the <link xlink:href="${getManualUrl "strategies.yaml"}"> + upstream documentation</link> for more details. + ''; + }; + + volume = mkOption { + type = types.nullOr yaml.type; + default = ""; + example = "volume=1 scheme=http size=20%"; + description = '' + Manage cache space more efficiently and restrict disk usage by + creating cache volumes of different sizes. + + Consult the <link xlink:href="${getManualUrl "volume.config"}"> + upstream documentation</link> for more details. + ''; + }; + }; + + config = mkIf cfg.enable { + environment.etc = { + "trafficserver/cache.config".text = cfg.cache; + "trafficserver/hosting.config".text = cfg.hosting; + "trafficserver/parent.config".text = cfg.parent; + "trafficserver/plugin.config".text = mkPluginConfig cfg.plugins; + "trafficserver/records.config".text = mkRecordsConfig cfg.records; + "trafficserver/remap.config".text = cfg.remap; + "trafficserver/splitdns.config".text = cfg.splitDns; + "trafficserver/ssl_multicert.config".text = cfg.sslMulticert; + "trafficserver/storage.config".text = cfg.storage; + "trafficserver/volume.config".text = cfg.volume; + } // (mkYamlConf "ip_allow" cfg.ipAllow) + // (mkYamlConf "logging" cfg.logging) + // (mkYamlConf "sni" cfg.sni) + // (mkYamlConf "strategies" cfg.strategies); + + environment.systemPackages = [ pkgs.trafficserver ]; + systemd.packages = [ pkgs.trafficserver ]; + + # Traffic Server does privilege handling independently of systemd, and + # therefore should be started as root + systemd.services.trafficserver = { + enable = true; + wantedBy = [ "multi-user.target" ]; + }; + + # These directories can't be created by systemd because: + # + # 1. Traffic Servers starts as root and switches to an unprivileged user + # afterwards. The runtime directories defined below are assumed to be + # owned by that user. + # 2. The bin/trafficserver script assumes these directories exist. + systemd.tmpfiles.rules = [ + "d '/run/trafficserver' - ${user} ${group} - -" + "d '/var/cache/trafficserver' - ${user} ${group} - -" + "d '/var/lib/trafficserver' - ${user} ${group} - -" + "d '/var/log/trafficserver' - ${user} ${group} - -" + ]; + + services.trafficserver = { + records.proxy.config.admin.user_id = user; + records.proxy.config.body_factory.template_sets_dir = + "${pkgs.trafficserver}/etc/trafficserver/body_factory"; + }; + + users.users.trafficserver = { + description = "Apache Traffic Server"; + isSystemUser = true; + inherit group; + }; + users.groups.trafficserver = { }; + }; +} diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index fc7f7bea4e4..7d2856939c8 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -151,7 +151,6 @@ in services.upower.enable = config.powerManagement.enable; services.gnome3.glib-networking.enable = true; services.gvfs.enable = true; - services.gvfs.package = pkgs.xfce.gvfs; services.tumbler.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 35bd4dabb67..4dde4476d2c 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -666,6 +666,7 @@ in # The default max inotify watches is 8192. # Nowadays most apps require a good number of inotify watches, # the value below is used by default on several other distros. + boot.kernel.sysctl."fs.inotify.max_user_instances" = mkDefault 524288; boot.kernel.sysctl."fs.inotify.max_user_watches" = mkDefault 524288; systemd.defaultUnit = mkIf cfg.autorun "graphical.target"; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 2ea191426ce..63e01dd054a 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -236,9 +236,12 @@ def main() -> None: gens += get_generations(profile) remove_old_entries(gens) for gen in gens: - write_entry(*gen, machine_id) - if os.readlink(system_dir(*gen)) == args.default_config: - write_loader_conf(*gen) + try: + write_entry(*gen, machine_id) + if os.readlink(system_dir(*gen)) == args.default_config: + write_loader_conf(*gen) + except OSError as e: + print("ignoring profile '{}' in the list of boot entries because of the following error:\n{}".format(profile, e), file=sys.stderr) memtest_entry_file = "@efiSysMountPoint@/loader/entries/memtest86.conf" if os.path.exists(memtest_entry_file): diff --git a/nixos/modules/tasks/cpu-freq.nix b/nixos/modules/tasks/cpu-freq.nix index 513382936e4..f1219c07c50 100644 --- a/nixos/modules/tasks/cpu-freq.nix +++ b/nixos/modules/tasks/cpu-freq.nix @@ -19,7 +19,7 @@ in default = null; example = "ondemand"; description = '' - Configure the governor used to regulate the frequence of the + Configure the governor used to regulate the frequency of the available CPUs. By default, the kernel configures the performance governor, although this may be overwritten in your hardware-configuration.nix file. diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 97fab6f11ea..21c30305188 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -446,7 +446,8 @@ in '') rootPools)); }; - boot.loader.grub = mkIf inInitrd { + # TODO FIXME See https://github.com/NixOS/nixpkgs/pull/99386#issuecomment-798813567. To not break people's bootloader and as probably not everybody would read release notes that thoroughly add inSystem. + boot.loader.grub = mkIf (inInitrd || inSystem) { zfsSupport = true; }; diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index be83607c0af..4f2f8df90eb 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix @@ -16,6 +16,16 @@ let userData=/etc/ec2-metadata/user-data + # Check if user-data looks like a shell script and execute it with the + # runtime shell if it does. Otherwise treat it as a nixos configuration + # expression + if IFS= LC_ALL=C read -rN2 shebang < $userData && [ "$shebang" = '#!' ]; then + # NB: we cannot chmod the $userData file, this is why we execute it via + # `pkgs.runtimeShell`. This means we have only limited support for shell + # scripts compatible with the `pkgs.runtimeShell`. + exec ${pkgs.runtimeShell} $userData + fi + if [ -s "$userData" ]; then # If the user-data looks like it could be a nix expression, # copy it over. Also, look for a magic three-hash comment and set diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index 60fed3222ef..03dd3c05130 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -9,8 +9,9 @@ in options = { virtualisation.azureImage.diskSize = mkOption { - type = with types; int; - default = 2048; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 2048; description = '' Size of disk image. Unit is MB. ''; diff --git a/nixos/modules/virtualisation/digital-ocean-image.nix b/nixos/modules/virtualisation/digital-ocean-image.nix index b582e235d43..0ff2ee591f2 100644 --- a/nixos/modules/virtualisation/digital-ocean-image.nix +++ b/nixos/modules/virtualisation/digital-ocean-image.nix @@ -10,8 +10,9 @@ in options = { virtualisation.digitalOceanImage.diskSize = mkOption { - type = with types; int; - default = 4096; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 4096; description = '' Size of disk image. Unit is MB. ''; diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix index dca5c2abd4e..760f024f33f 100644 --- a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix @@ -71,7 +71,7 @@ } wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index e2332df611a..79c3921669e 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -18,8 +18,9 @@ in options = { virtualisation.googleComputeImage.diskSize = mkOption { - type = with types; int; - default = 1536; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 1536; description = '' Size of disk image. Unit is MB. ''; diff --git a/nixos/modules/virtualisation/hyperv-guest.nix b/nixos/modules/virtualisation/hyperv-guest.nix index a3656c307f9..b3bcfff1980 100644 --- a/nixos/modules/virtualisation/hyperv-guest.nix +++ b/nixos/modules/virtualisation/hyperv-guest.nix @@ -56,6 +56,8 @@ in { systemd = { packages = [ config.boot.kernelPackages.hyperv-daemons.lib ]; + services.hv-vss.unitConfig.ConditionPathExists = [ "/dev/vmbus/hv_vss" ]; + targets.hyperv-daemons = { wantedBy = [ "multi-user.target" ]; }; diff --git a/nixos/modules/virtualisation/hyperv-image.nix b/nixos/modules/virtualisation/hyperv-image.nix index fabc9113dfc..6845d675009 100644 --- a/nixos/modules/virtualisation/hyperv-image.nix +++ b/nixos/modules/virtualisation/hyperv-image.nix @@ -9,8 +9,9 @@ in { options = { hyperv = { baseImageSize = mkOption { - type = types.int; - default = 2048; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 2048; description = '' The size of the hyper-v base image in MiB. ''; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index f15d5875841..a158509a77a 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -35,6 +35,9 @@ let '' #! ${pkgs.runtimeShell} -e + # Exit early if we're asked to shut down. + trap "exit 0" SIGRTMIN+3 + # Initialise the container side of the veth pair. if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] || @@ -60,8 +63,12 @@ let ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} - # Start the regular stage 1 script. - exec "$1" + # Start the regular stage 2 script. + # We source instead of exec to not lose an early stop signal, which is + # also the only _reliable_ shutdown signal we have since early stop + # does not execute ExecStop* commands. + set +e + . "$1" '' ); @@ -127,12 +134,16 @@ let ''} # Run systemd-nspawn without startup notification (we'll - # wait for the container systemd to signal readiness). + # wait for the container systemd to signal readiness) + # Kill signal handling means systemd-nspawn will pass a system-halt signal + # to the container systemd when it receives SIGTERM for container shutdown; + # containerInit and stage2 have to handle this as well. exec ${config.systemd.package}/bin/systemd-nspawn \ --keep-unit \ -M "$INSTANCE" -D "$root" $extraFlags \ $EXTRA_NSPAWN_FLAGS \ --notify-ready=yes \ + --kill-signal=SIGRTMIN+3 \ --bind-ro=/nix/store \ --bind-ro=/nix/var/nix/db \ --bind-ro=/nix/var/nix/daemon-socket \ @@ -259,13 +270,10 @@ let Slice = "machine.slice"; Delegate = true; - # Hack: we don't want to kill systemd-nspawn, since we call - # "machinectl poweroff" in preStop to shut down the - # container cleanly. But systemd requires sending a signal - # (at least if we want remaining processes to be killed - # after the timeout). So send an ignored signal. + # We rely on systemd-nspawn turning a SIGTERM to itself into a shutdown + # signal (SIGRTMIN+3) for the inner container. KillMode = "mixed"; - KillSignal = "WINCH"; + KillSignal = "TERM"; DevicePolicy = "closed"; DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; @@ -439,21 +447,16 @@ in default = false; description = '' Whether this NixOS machine is a lightweight container running - in another NixOS system. If set to true, support for nested - containers is disabled by default, but can be reenabled by - setting <option>boot.enableContainers</option> to true. + in another NixOS system. ''; }; boot.enableContainers = mkOption { type = types.bool; - default = !config.boot.isContainer; + default = true; description = '' Whether to enable support for NixOS containers. Defaults to true - (at no cost if containers are not actually used), but only if the - system is not itself a lightweight container of a host. - To enable support for nested containers, this option has to be - explicitly set to true (in the outer container). + (at no cost if containers are not actually used). ''; }; @@ -752,8 +755,6 @@ in postStart = postStartScript dummyConfig; - preStop = "machinectl poweroff $INSTANCE"; - restartIfChanged = false; serviceConfig = serviceDirectives dummyConfig; diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index 2dd15e3aba4..ad436ed3014 100644 --- a/nixos/modules/virtualisation/oci-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -59,6 +59,18 @@ let ''; }; + environmentFiles = mkOption { + type = with types; listOf path; + default = []; + description = "Environment files for this container."; + example = literalExample '' + [ + /path/to/.env + /path/to/.env.secret + ] + ''; + }; + log-driver = mkOption { type = types.str; default = "journald"; @@ -236,6 +248,7 @@ let ] ++ optional (container.entrypoint != null) "--entrypoint=${escapeShellArg container.entrypoint}" ++ (mapAttrsToList (k: v: "-e ${escapeShellArg k}=${escapeShellArg v}") container.environment) + ++ map (f: "--env-file ${escapeShellArg f}") container.environmentFiles ++ map (p: "-p ${escapeShellArg p}") container.ports ++ optional (container.user != null) "-u ${escapeShellArg container.user}" ++ map (v: "-v ${escapeShellArg v}") container.volumes diff --git a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix index 8c191397cf9..133cd4c0e9f 100644 --- a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix @@ -15,7 +15,7 @@ } wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index fa580e8b42d..071edda8269 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -11,8 +11,9 @@ in { options = { virtualbox = { baseImageSize = mkOption { - type = types.int; - default = 50 * 1024; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 50 * 1024; description = '' The size of the VirtualBox base image in MiB. ''; diff --git a/nixos/modules/virtualisation/vmware-image.nix b/nixos/modules/virtualisation/vmware-image.nix index 9da9e145f7a..f6cd12e2bb7 100644 --- a/nixos/modules/virtualisation/vmware-image.nix +++ b/nixos/modules/virtualisation/vmware-image.nix @@ -18,8 +18,9 @@ in { options = { vmware = { baseImageSize = mkOption { - type = types.int; - default = 2048; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 2048; description = '' The size of the VMWare base image in MiB. ''; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 24df1b6ad7c..fea43727f2f 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -161,9 +161,6 @@ in environment.systemPackages = [ cfg.package ]; - # Make sure Domain 0 gets the required configuration - #boot.kernelPackages = pkgs.boot.kernelPackages.override { features={xen_dom0=true;}; }; - boot.kernelModules = [ "xen-evtchn" "xen-gntdev" "xen-gntalloc" "xen-blkback" "xen-netback" "xen-pciback" "evtchn" "gntdev" "netbk" "blkbk" "xen-scsibk" |