Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/config/no-x-libs.nix | 6 | ||||
-rw-r--r-- | nixos/modules/hardware/printers.nix | 19 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 27 | ||||
-rw-r--r-- | nixos/modules/services/networking/ircd-hybrid/builder.sh | 1 | ||||
-rw-r--r-- | nixos/modules/services/printing/cupsd.nix | 7 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/jboss/builder.sh | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/homed.nix | 43 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/userdbd.nix | 18 |
10 files changed, 109 insertions, 17 deletions
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index 70e265a65a6..9c83a44d7b0 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@@ -33,12 +33,16 @@ with lib;
ffmpeg_4 = super.ffmpeg_4-headless;
ffmpeg_5 = super.ffmpeg_5-headless;
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
+ gst_all_1 = super.gst_all_1 // {
+ gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableX11 = false; };
+ };
gpsd = super.gpsd.override { guiSupport = false; };
imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; };
imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; };
- libextractor = super.libextractor.override { gstreamerSupport = false; gtkSupport = false; };
+ libextractor = super.libextractor.override { gtkSupport = false; };
libva = super.libva-minimal;
limesuite = super.limesuite.override { withGui = false; };
+ mpv-unwrapped = super.mpv-unwrapped.override { sdl2Support = false; x11Support = false; };
msmtp = super.msmtp.override { withKeyring = false; };
networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; };
networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix
index 85e3215127f..846ff6f3fb4 100644
--- a/nixos/modules/hardware/printers.nix
+++ b/nixos/modules/hardware/printers.nix
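Review bot: The `gst_all_1 = super.gst_all_1 // { gst-plugins-base = … }` override replaces only that one attribute of the set; if the other gst_all_1 members (gst-plugins-good and friends) obtain gst-plugins-base from their own scope rather than from the attribute overridden here — I cannot see gstreamer/default.nix from this page — they keep the X11-enabled build and the X libraries stay in the closure, which defeats the point of no-x-libs. Worth confirming with `nix-store -qR` on a gst-plugins-good build under this overlay, and using a scope-level override if the set supports one. Either way a comment stating the intended reach would help the next reader: `# only gst-plugins-base itself is rebuilt without X11; other members of gst_all_1 may still depend on the default build`.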
@@ -110,21 +110,26 @@ in {
};
config = mkIf (cfg.ensurePrinters != [] && config.services.printing.enable) {
- systemd.services.ensure-printers = let
- cupsUnit = if config.services.printing.startWhenNeeded then "cups.socket" else "cups.service";
- in {
+ systemd.services.ensure-printers = {
description = "Ensure NixOS-configured CUPS printers";
wantedBy = [ "multi-user.target" ];
- requires = [ cupsUnit ];
- after = [ cupsUnit ];
+ wants = [ "cups.service" ];
+ after = [ "cups.service" ];
serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };
- script = concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters
- + optionalString (cfg.ensureDefaultPrinter != null) (ensureDefaultPrinter cfg.ensureDefaultPrinter);
+ script = concatStringsSep "\n" [
+ (concatMapStrings ensurePrinter cfg.ensurePrinters)
+ (optionalString (cfg.ensureDefaultPrinter != null)
+ (ensureDefaultPrinter cfg.ensureDefaultPrinter))
+ # Note: if cupsd is "stateless" the service can't be stopped,
+ # otherwise the configuration will be wiped on the next start.
+ (optionalString (with config.services.printing; startWhenNeeded && !stateless)
+ "systemctl stop cups.service")
+ ];
};
};
}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b2e80b10fc2..dbebca815be 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1300,6 +1300,8 @@
./system/boot/systemd/shutdown.nix
./system/boot/systemd/tmpfiles.nix
./system/boot/systemd/user.nix
+ ./system/boot/systemd/userdbd.nix
+ ./system/boot/systemd/homed.nix
./system/boot/timesyncd.nix
./system/boot/tmp.nix
./system/boot/uvesafb.nix
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 273bc796341..4224722f879 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
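Review bot: The new `"systemctl stop cups.service"` at the end of the script stops the daemon regardless of who else depends on it: systemd propagates a stop through `Requires=`, so any unit that requires cups.service (rather than cups.socket) is torn down as a side effect of ensure-printers running, which the old `requires = [ cupsUnit ]` ordering never did. If the intent is only to hand the listening socket back to cups.socket, say so and guard it, e.g. `(optionalString (with config.services.printing; startWhenNeeded && !stateless) "systemctl is-active --quiet cups.socket && systemctl stop cups.service")`, so a daemon that was started on its own is left alone. Note also that NixOS `script` bodies run under `set -e` by default, so a failing lpadmin call skips the stop and leaves cups.service running as a plain service; the note above the stop should mention that this is accepted. The `ensurePrinter` and `ensureDefaultPrinter` helpers are defined outside this hunk.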
@@ -488,6 +488,9 @@ let
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
+ optionalString config.services.homed.enable ''
+ account sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
+ '' +
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
@@ -541,8 +544,10 @@ let
# after it succeeds. Certain modules need to run after pam_unix
# prompts the user for password so we run it once with 'optional' at an
# earlier point and it will run again with 'sufficient' further down.
- # We use try_first_pass the second time to avoid prompting password twice
- (optionalString (cfg.unixAuth &&
+ # We use try_first_pass the second time to avoid prompting password twice.
+ #
+ # The same principle applies to systemd-homed
+ (optionalString ((cfg.unixAuth || config.services.homed.enable) &&
(config.security.pam.enableEcryptfs
|| config.security.pam.enableFscrypt
|| cfg.pamMount
@@ -553,7 +558,10 @@ let
|| cfg.failDelay.enable
|| cfg.duoSecurity.enable)) (
- ''
+ optionalString config.services.homed.enable ''
+ auth optional ${config.systemd.package}/lib/security/pam_systemd_home.so
+ '' +
+ optionalString cfg.unixAuth ''
auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
'' +
optionalString config.security.pam.enableEcryptfs ''
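Review bot: In the `@@ -553` hunk the early `auth optional pam_systemd_home.so` line runs before `auth optional pam_unix.so … likeauth`, and that pam_unix line has no `try_first_pass`; pam_unix only reuses PAM_AUTHTOK when told to, so a homed user who has just answered pam_systemd_home's prompt is likely asked again by pam_unix, and possibly a third time in the later `sufficient` pass if pam_systemd_home itself does not consult PAM_AUTHTOK. The existing comment documents the two-pass/`try_first_pass` trick for pam_unix only; please extend it, e.g. `# pam_systemd_home is expected to reuse PAM_AUTHTOK set earlier in the stack, so it is not re-prompted in the second pass — confirm against the pam_systemd_home in config.systemd.package`, or place the homed line after the pam_unix line so pam_unix's single prompt feeds both. The enclosing `auth` stack starts and ends outside this hunk.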
@@ -584,6 +592,9 @@ let auth required ${pkgs.duo-unix}/lib/security/pam_duo.so '' )) + + optionalString config.services.homed.enable '' + auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so '' + + optionalString cfg.unixAuth '' auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass '' +
@@ -605,6 +616,10 @@ let auth required pam_deny.so # Password management. + '' + + optionalString config.services.homed.enable '' + password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so + '' + '' password sufficient pam_unix.so nullok sha512 '' + optionalString config.security.pam.enableEcryptfs ''
@@ -650,6 +665,9 @@ let ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}" ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}" )) + + optionalString config.services.homed.enable '' + session required ${config.systemd.package}/lib/security/pam_systemd_home.so + '' + optionalString cfg.makeHomeDir '' session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077 '' +
@@ -1361,6 +1379,9 @@ in '' + optionalString config.virtualisation.lxc.lxcfs.enable '' mr ${pkgs.lxc}/lib/security/pam_cgfs.so + '' + + optionalString config.services.homed.enable '' + mr ${config.systemd.package}/lib/security/pam_systemd_home.so ''; };
diff --git a/nixos/modules/services/networking/ircd-hybrid/builder.sh b/nixos/modules/services/networking/ircd-hybrid/builder.sh
index 38312210df2..d9d2e4264df 100644
--- a/nixos/modules/services/networking/ircd-hybrid/builder.sh
+++ b/nixos/modules/services/networking/ircd-hybrid/builder.sh
@@ -1,3 +1,4 @@
+if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
doSub() {
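Review bot: `session required pam_systemd_home.so` in the `@@ -650` hunk is the only `required` control this change introduces — the account, auth and password entries are `sufficient`/`optional` — so any error from the module (homed unreachable over D-Bus/varlink early in boot, for instance) fails session setup for the user being logged in. That is the right fail-closed choice for a homed user whose home area could not be activated, but it is only safe for ordinary /etc/passwd users if the module really is a no-op for users it does not manage, and nothing in the diff records that assumption. Add it next to the line, e.g. `# must run before pam_mkhomedir/pam_systemd so the home area is activated first; 'required' relies on pam_systemd_home returning success for users not managed by homed — confirm against pam_systemd_home(8) for config.systemd.package`, since a wrong assumption here locks every local account out. The enclosing `session` stack continues outside this hunk.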
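Review bot: `source .attrs.sh` with no slash in the name makes bash search `$PATH` before the current directory, so the guard `[ -e .attrs.sh ]` (which only looks at the cwd) and the `source` (which may resolve elsewhere first) are not examining the same file; `if [ -e ./.attrs.sh ]; then source ./.attrs.sh; fi` pins both to the build directory. The unslashed form is the common nixpkgs structured-attrs idiom, so keep it if the tree standardizes on it, but the slash costs nothing and removes a PATH-dependent lookup from a builder running with a stdenv-supplied `$PATH`.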
diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix
index ae59dcc226d..9ac89e05762 100644
--- a/nixos/modules/services/printing/cupsd.nix
+++ b/nixos/modules/services/printing/cupsd.nix
@@ -341,7 +341,7 @@ in
systemd.sockets.cups = mkIf cfg.startWhenNeeded {
wantedBy = [ "sockets.target" ];
- listenStreams = [ "/run/cups/cups.sock" ]
+ listenStreams = [ "" "/run/cups/cups.sock" ]
++ map (x: replaceStrings ["localhost"] ["127.0.0.1"] (removePrefix "*:" x)) cfg.listenAddresses;
};
@@ -395,10 +395,7 @@ in
''} '';
- serviceConfig = {
- PrivateTmp = true;
- RuntimeDirectory = [ "cups" ];
- };
+ serviceConfig.PrivateTmp = true;
};
systemd.services.cups-browsed = mkIf avahiEnabled
diff --git a/nixos/modules/services/web-servers/jboss/builder.sh b/nixos/modules/services/web-servers/jboss/builder.sh
index 0e5af324c13..ac573089cd5 100644
--- a/nixos/modules/services/web-servers/jboss/builder.sh
+++ b/nixos/modules/services/web-servers/jboss/builder.sh
@@ -1,5 +1,6 @@
set -e
+if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
mkdir -p $out/bin
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index e37ed853181..679a663362b 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -450,7 +450,7 @@ in
(mkAfter [ "systemd" ])
]);
group = (mkMerge [
- (mkAfter [ "systemd" ])
+ (mkAfter [ "[success=merge] systemd" ]) # need merge so that NSS won't stop at file-based groups
]);
};
diff --git a/nixos/modules/system/boot/systemd/homed.nix b/nixos/modules/system/boot/systemd/homed.nix
new file mode 100644
index 00000000000..403d1690124
--- /dev/null
+++ b/nixos/modules/system/boot/systemd/homed.nix
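Review bot: The `""` entry added to `listenStreams` in the `@@ -341` hunk carries no explanation; an empty `ListenStream=` clears the list inherited from the upstream cups.socket, so a comment such as `# "" resets the upstream unit's ListenStream entries so only the paths below are used` would spare the next reader a trip to systemd.socket(5). The `@@ -395` hunk drops `RuntimeDirectory = [ "cups" ]` from cups.service, presumably because systemd removes a RuntimeDirectory when the service stops, which under socket activation would delete `/run/cups/cups.sock` out from under cups.socket — but that reasoning is not recorded either, and nothing in this diff shows what now creates `/run/cups` when `startWhenNeeded` is false. Please confirm the directory is created elsewhere (preStart or a tmpfiles rule) and note it beside `serviceConfig.PrivateTmp = true;`.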
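Review bot: `source .attrs.sh` without a slash lets bash search `$PATH` before the current directory, while the preceding `[ -e .attrs.sh ]` only consults the cwd, so the two halves of the new line can disagree about which file is meant; `if [ -e ./.attrs.sh ]; then source ./.attrs.sh; fi` keeps both on the build directory. Placing the line after `set -e` is right: a `.attrs.sh` that fails to source aborts the build instead of continuing with missing attributes.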
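Review bot: `"[success=merge] systemd"` in the systemd.nix hunk changes group resolution for every NixOS system, not only those that enable homed or userdbd: a group found in `files` no longer ends the lookup, and member lists returned by the systemd NSS module are merged into it. The trailing comment says what `merge` does but not why it is applied unconditionally; because group membership is an authorization input, a fuller note is warranted, e.g. `# [success=merge]: keep querying nss-systemd after 'files' matches and merge its member lists, so groups in /etc/group also reflect memberships supplied by userdbd/homed records`. If unconditional merging is not intended, gate the action on `config.services.userdbd.enable || config.services.homed.enable` and keep the plain `"systemd"` entry otherwise; `passwd` is left as `mkAfter [ "systemd" ]`, so the asymmetry should be explained as well.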
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.homed;
+in
+{
+ options.services.homed.enable = lib.mkEnableOption (lib.mdDoc ''
+ Enable systemd home area/user account manager
+ '');
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.services.nscd.enable;
+ message = "systemd-homed requires the use of systemd nss module. services.nscd.enable must be set to true,";
+ }
+ ];
+
+ systemd.additionalUpstreamSystemUnits = [
+ "systemd-homed.service"
+ "systemd-homed-activate.service"
+ ];
+
+ # This is mentioned in homed's [Install] section.
+ #
+ # While homed appears to work without it, it's probably better
+ # to follow upstream recommendations.
+ services.userdbd.enable = lib.mkDefault true;
+
+ systemd.services = {
+ systemd-homed = {
+ # These packages are required to manage encrypted volumes
+ path = config.system.fsPackages;
+ aliases = [ "dbus-org.freedesktop.home1.service" ];
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ systemd-homed-activate = {
+ wantedBy = [ "systemd-homed.service" ];
+ };
+ };
+ };
+}
diff --git a/nixos/modules/system/boot/systemd/userdbd.nix b/nixos/modules/system/boot/systemd/userdbd.nix
new file mode 100644
index 00000000000..994aa3ca3b8
--- /dev/null
+++ b/nixos/modules/system/boot/systemd/userdbd.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.userdbd;
+in
+{
+ options.services.userdbd.enable = lib.mkEnableOption (lib.mdDoc ''
+ Enables the systemd JSON user/group record lookup service
+ '');
+ config = lib.mkIf cfg.enable {
+ systemd.additionalUpstreamSystemUnits = [
+ "systemd-userdbd.socket"
+ "systemd-userdbd.service"
+ ];
+
+ systemd.sockets.systemd-userdbd.wantedBy = [ "sockets.target" ];
+ };
+} |
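Review bot: `lib.mkEnableOption` prefixes its argument with "Whether to enable", so the description on the `options.services.homed.enable` line renders as "Whether to enable Enable systemd home area/user account manager"; drop the leading verb, e.g. `lib.mkEnableOption (lib.mdDoc "systemd-homed, the systemd home area/user account manager")`. The assertion `message` also ends in a stray comma (`must be set to true,`) where a period is meant. Since turning this option on also inserts `pam_systemd_home.so` into the system PAM stack (see the pam.nix part of this change), the option description should say so, so an operator can judge the blast radius before enabling it; the `# These packages are required to manage encrypted volumes` comment would likewise be clearer as `# cryptsetup & friends from system.fsPackages, needed to set up and activate LUKS-backed home areas — presumed, verify against homed's requirements`.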
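Review bot: The description on the `options.services.userdbd.enable` line, `Enables the systemd JSON user/group record lookup service`, is prefixed by `lib.mkEnableOption` with "Whether to enable", so the rendered text reads "Whether to enable Enables …"; use a noun phrase such as `lib.mkEnableOption (lib.mdDoc "systemd-userdbd, the JSON user/group record lookup service")`. The module has no blank line between the `'');` closing the option and `config = lib.mkIf cfg.enable {`, unlike the sibling homed.nix in this change; matching the layout keeps the two new modules readable side by side.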