Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/config/fonts/fontconfig-penultimate.nix292
-rw-r--r--nixos/modules/config/fonts/fontconfig.nix84
-rw-r--r--nixos/modules/config/no-x-libs.nix2
-rw-r--r--nixos/modules/config/system-path.nix5
-rw-r--r--nixos/modules/hardware/ckb-next.nix1
-rw-r--r--nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh2
-rw-r--r--nixos/modules/installer/tools/nixos-enter.sh2
-rw-r--r--nixos/modules/installer/tools/nixos-install.sh2
-rw-r--r--nixos/modules/installer/tools/nixos-rebuild.sh4
-rw-r--r--nixos/modules/installer/tools/nixos-version.sh2
-rw-r--r--nixos/modules/installer/tools/tools.nix5
-rw-r--r--nixos/modules/misc/ids.nix4
-rw-r--r--nixos/modules/module-list.nix9
-rw-r--r--nixos/modules/profiles/base.nix1
-rw-r--r--nixos/modules/rename.nix5
-rw-r--r--nixos/modules/security/tpm2.nix1
-rw-r--r--nixos/modules/security/wrappers/default.nix3
-rw-r--r--nixos/modules/services/databases/mysql.nix260
-rw-r--r--nixos/modules/services/databases/postgresql.nix72
-rw-r--r--nixos/modules/services/editors/emacs.nix47
-rw-r--r--nixos/modules/services/editors/emacs.xml12
-rw-r--r--nixos/modules/services/mail/postfix.nix14
-rw-r--r--nixos/modules/services/misc/gitea.nix144
-rw-r--r--nixos/modules/services/misc/gitlab.nix2
-rw-r--r--nixos/modules/services/misc/gollum.nix2
-rw-r--r--nixos/modules/services/misc/jellyfin.nix15
-rw-r--r--nixos/modules/services/misc/mathics.nix54
-rw-r--r--nixos/modules/services/misc/mesos-master.nix125
-rw-r--r--nixos/modules/services/misc/mesos-slave.nix220
-rw-r--r--nixos/modules/services/misc/pinnwand.nix78
-rw-r--r--nixos/modules/services/network-filesystems/ipfs.nix20
-rw-r--r--nixos/modules/services/networking/bitcoind.nix2
-rw-r--r--nixos/modules/services/networking/blockbook-frontend.nix2
-rw-r--r--nixos/modules/services/networking/kresd.nix12
-rw-r--r--nixos/modules/services/networking/trickster.nix3
-rw-r--r--nixos/modules/services/networking/xandikos.nix2
-rw-r--r--nixos/modules/services/scheduling/chronos.nix54
-rw-r--r--nixos/modules/services/scheduling/marathon.nix98
-rw-r--r--nixos/modules/services/security/privacyidea.nix1
-rw-r--r--nixos/modules/services/security/usbguard.nix124
-rw-r--r--nixos/modules/services/system/earlyoom.nix1
-rw-r--r--nixos/modules/services/torrent/transmission.nix22
-rw-r--r--nixos/modules/services/video/mirakurun.nix165
-rw-r--r--nixos/modules/services/wayland/cage.nix2
-rw-r--r--nixos/modules/services/web-apps/dokuwiki.nix2
-rw-r--r--nixos/modules/services/web-apps/nextcloud.nix200
-rw-r--r--nixos/modules/services/web-apps/nextcloud.xml55
-rw-r--r--nixos/modules/services/web-apps/rss-bridge.nix127
-rw-r--r--nixos/modules/services/web-apps/tt-rss.nix2
-rw-r--r--nixos/modules/services/web-servers/apache-httpd/default.nix14
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix8
-rw-r--r--nixos/modules/services/web-servers/unit/default.nix3
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix1
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix1
-rw-r--r--nixos/modules/system/boot/stage-1.nix3
-rw-r--r--nixos/modules/system/boot/systemd-unit-options.nix10
-rw-r--r--nixos/modules/system/boot/systemd.nix15
-rw-r--r--nixos/modules/tasks/filesystems/zfs.nix32
-rw-r--r--nixos/modules/testing/test-instrumentation.nix18
-rw-r--r--nixos/modules/virtualisation/cri-o.nix3
60 files changed, 1090 insertions, 1381 deletions
diff --git a/nixos/modules/config/fonts/fontconfig-penultimate.nix b/nixos/modules/config/fonts/fontconfig-penultimate.nix
deleted file mode 100644
index 7e311a21acf..00000000000
--- a/nixos/modules/config/fonts/fontconfig-penultimate.nix
+++ /dev/null
@@ -1,292 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-  cfg = config.fonts.fontconfig;
-
-  fcBool = x: "<bool>" + (boolToString x) + "</bool>";
-
-  # back-supported fontconfig version and package
-  # version is used for font cache generation
-  supportVersion = "210";
-  supportPkg     = pkgs."fontconfig_${supportVersion}";
-
-  # latest fontconfig version and package
-  # version is used for configuration folder name, /etc/fonts/VERSION/
-  # note: format differs from supportVersion and can not be used with makeCacheConf
-  latestVersion  = pkgs.fontconfig.configVersion;
-  latestPkg      = pkgs.fontconfig;
-
-  # supported version fonts.conf
-  supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
-
-  # configuration file to read fontconfig cache
-  # version dependent
-  # priority 0
-  cacheConfSupport = makeCacheConf { version = supportVersion; };
-  cacheConfLatest  = makeCacheConf {};
-
-  # generate the font cache setting file for a fontconfig version
-  # use latest when no version is passed
-  makeCacheConf = { version ? null }:
-    let
-      fcPackage = if version == null
-                  then "fontconfig"
-                  else "fontconfig_${version}";
-      makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
-      cache     = makeCache pkgs.${fcPackage};
-      cache32   = makeCache pkgs.pkgsi686Linux.${fcPackage};
-    in
-    pkgs.writeText "fc-00-nixos-cache.conf" ''
-      <?xml version='1.0'?>
-      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-      <fontconfig>
-        <!-- Font directories -->
-        ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
-        <!-- Pre-generated font caches -->
-        <cachedir>${cache}</cachedir>
-        ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
-          <cachedir>${cache32}</cachedir>
-        ''}
-      </fontconfig>
-    '';
-
-  # local configuration file
-  localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
-
-  # rendering settings configuration files
-  # priority 10
-  hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
-    <?xml version='1.0'?>
-    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-    <fontconfig>
-
-      <!-- Default rendering settings -->
-      <match target="pattern">
-        <edit mode="append" name="hinting">
-          ${fcBool cfg.hinting.enable}
-        </edit>
-        <edit mode="append" name="autohint">
-          ${fcBool cfg.hinting.autohint}
-        </edit>
-        <edit mode="append" name="hintstyle">
-          <const>hintslight</const>
-        </edit>
-      </match>
-
-    </fontconfig>
-  '';
-
-  antialiasConf = pkgs.writeText "fc-10-antialias.conf" ''
-    <?xml version='1.0'?>
-    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-    <fontconfig>
-
-      <!-- Default rendering settings -->
-      <match target="pattern">
-        <edit mode="append" name="antialias">
-          ${fcBool cfg.antialias}
-        </edit>
-      </match>
-
-    </fontconfig>
-  '';
-
-  subpixelConf = pkgs.writeText "fc-10-subpixel.conf" ''
-    <?xml version='1.0'?>
-    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-    <fontconfig>
-
-      <!-- Default rendering settings -->
-      <match target="pattern">
-        <edit mode="append" name="rgba">
-          <const>${cfg.subpixel.rgba}</const>
-        </edit>
-        <edit mode="append" name="lcdfilter">
-          <const>lcd${cfg.subpixel.lcdfilter}</const>
-        </edit>
-      </match>
-
-    </fontconfig>
-  '';
-
-  dpiConf = pkgs.writeText "fc-11-dpi.conf" ''
-    <?xml version='1.0'?>
-    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-    <fontconfig>
-
-      <match target="pattern">
-        <edit name="dpi" mode="assign">
-          <double>${toString cfg.dpi}</double>
-        </edit>
-      </match>
-
-    </fontconfig>
-  '';
-
-  # default fonts configuration file
-  # priority 52
-  defaultFontsConf =
-    let genDefault = fonts: name:
-      optionalString (fonts != []) ''
-        <alias>
-          <family>${name}</family>
-          <prefer>
-          ${concatStringsSep ""
-          (map (font: ''
-            <family>${font}</family>
-          '') fonts)}
-          </prefer>
-        </alias>
-      '';
-    in
-    pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
-    <?xml version='1.0'?>
-    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-    <fontconfig>
-
-      <!-- Default fonts -->
-      ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
-
-      ${genDefault cfg.defaultFonts.serif     "serif"}
-
-      ${genDefault cfg.defaultFonts.monospace "monospace"}
-
-    </fontconfig>
-  '';
-
-  # reject Type 1 fonts
-  # priority 53
-  rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
-    <?xml version="1.0"?>
-    <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
-    <fontconfig>
-
-    <!-- Reject Type 1 fonts -->
-    <selectfont>
-      <rejectfont>
-        <pattern>
-          <patelt name="fontformat"><string>Type 1</string></patelt>
-        </pattern>
-      </rejectfont>
-    </selectfont>
-
-    </fontconfig>
-  '';
-
-  # The configuration to be included in /etc/font/
-  penultimateConf = pkgs.runCommand "fontconfig-penultimate-conf" {
-    preferLocalBuild = true;
-  } ''
-    support_folder=$out/etc/fonts/conf.d
-    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
-
-    mkdir -p $support_folder
-    mkdir -p $latest_folder
-
-    # fonts.conf
-    ln -s ${supportFontsConf} $support_folder/../fonts.conf
-    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
-          $latest_folder/../fonts.conf
-
-    # fontconfig-penultimate various configuration files
-    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
-          $support_folder
-    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
-          $latest_folder
-
-    ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
-    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
-
-    rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
-    ln -s ${antialiasConf} $support_folder/10-antialias.conf
-    ln -s ${antialiasConf} $latest_folder/10-antialias.conf
-
-    rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
-    ln -s ${hintingConf} $support_folder/10-hinting.conf
-    ln -s ${hintingConf} $latest_folder/10-hinting.conf
-
-    ${optionalString cfg.useEmbeddedBitmaps ''
-    rm $support_folder/10-no-embedded-bitmaps.conf
-    rm $latest_folder/10-no-embedded-bitmaps.conf
-    ''}
-
-    rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
-    ln -s ${subpixelConf} $support_folder/10-subpixel.conf
-    ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
-
-    ${optionalString (cfg.dpi != 0) ''
-    ln -s ${dpiConf} $support_folder/11-dpi.conf
-    ln -s ${dpiConf} $latest_folder/11-dpi.conf
-    ''}
-
-    # 50-user.conf
-    ${optionalString (!cfg.includeUserConf) ''
-    rm $support_folder/50-user.conf
-    rm $latest_folder/50-user.conf
-    ''}
-
-    # 51-local.conf
-    rm $latest_folder/51-local.conf
-    substitute \
-      ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
-      $latest_folder/51-local.conf \
-      --replace local.conf /etc/fonts/${latestVersion}/local.conf
-
-    # local.conf (indirect priority 51)
-    ${optionalString (cfg.localConf != "") ''
-    ln -s ${localConf}        $support_folder/../local.conf
-    ln -s ${localConf}        $latest_folder/../local.conf
-    ''}
-
-    # 52-nixos-default-fonts.conf
-    ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
-    ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
-
-    # 53-no-bitmaps.conf
-    ${optionalString cfg.allowBitmaps ''
-    rm $support_folder/53-no-bitmaps.conf
-    rm $latest_folder/53-no-bitmaps.conf
-    ''}
-
-    ${optionalString (!cfg.allowType1) ''
-    # 53-nixos-reject-type1.conf
-    ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
-    ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
-    ''}
-  '';
-
-in
-{
-
-  options = {
-
-    fonts = {
-
-      fontconfig = {
-
-        penultimate = {
-          enable = mkOption {
-            type = types.bool;
-            default = false;
-            description = ''
-              Enable fontconfig-penultimate settings to supplement the
-              NixOS defaults by providing per-font rendering defaults and
-              metric aliases.
-            '';
-          };
-        };
-
-      };
-    };
-
-  };
-
-  config = mkIf (config.fonts.fontconfig.enable && config.fonts.fontconfig.penultimate.enable) {
-
-    fonts.fontconfig.confPackages = [ penultimateConf ];
-
-  };
-
-}
diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix
index 52d284f739b..1f1044bc5af 100644
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@@ -1,11 +1,6 @@
 /*
 
-NixOS support 2 fontconfig versions, "support" and "latest".
-
-- "latest" refers to default fontconfig package (pkgs.fontconfig).
-  configuration files are linked to /etc/fonts/VERSION/conf.d/
-- "support" refers to supportPkg (pkgs."fontconfig_${supportVersion}").
-  configuration files are linked to /etc/fonts/conf.d/
+Configuration files are linked to /etc/fonts/${pkgs.fontconfig.configVersion}/conf.d/
 
 This module generates a package containing configuration files and link it in /etc/fonts.
 
@@ -22,40 +17,21 @@ let
   cfg = config.fonts.fontconfig;
 
   fcBool = x: "<bool>" + (boolToString x) + "</bool>";
-
-  # back-supported fontconfig version and package
-  # version is used for font cache generation
-  supportVersion = "210";
-  supportPkg     = pkgs."fontconfig_${supportVersion}";
-
-  # latest fontconfig version and package
-  # version is used for configuration folder name, /etc/fonts/VERSION/
-  # note: format differs from supportVersion and can not be used with makeCacheConf
-  latestVersion  = pkgs.fontconfig.configVersion;
-  latestPkg      = pkgs.fontconfig;
-
-  # supported version fonts.conf
-  supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
+  pkg = pkgs.fontconfig;
 
   # configuration file to read fontconfig cache
-  # version dependent
   # priority 0
-  cacheConfSupport = makeCacheConf { version = supportVersion; };
-  cacheConfLatest  = makeCacheConf {};
+  cacheConf  = makeCacheConf {};
 
-  # generate the font cache setting file for a fontconfig version
-  # use latest when no version is passed
+  # generate the font cache setting file
   # When cross-compiling, we can’t generate the cache, so we skip the
   # <cachedir> part. fontconfig still works but is a little slower in
   # looking things up.
-  makeCacheConf = { version ? null }:
+  makeCacheConf = { }:
     let
-      fcPackage = if version == null
-                  then "fontconfig"
-                  else "fontconfig_${version}";
       makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
-      cache     = makeCache pkgs.${fcPackage};
-      cache32   = makeCache pkgs.pkgsi686Linux.${fcPackage};
+      cache     = makeCache pkgs.fontconfig;
+      cache32   = makeCache pkgs.pkgsi686Linux.fontconfig;
     in
     pkgs.writeText "fc-00-nixos-cache.conf" ''
       <?xml version='1.0'?>
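Review bot: `pkg = pkgs.fontconfig` is introduced on the new side, but the cache generation two dozen lines below still spells out `makeCache pkgs.fontconfig` and `makeCache pkgs.pkgsi686Linux.fontconfig`, so the new alias is only half applied within this hunk. Using `cache = makeCache pkg;` keeps the two in sync if the package is ever overridden in one place. With the `version` argument gone, `makeCacheConf = { }:` is a nullary function called exactly once as `makeCacheConf {}`; it could become a plain binding, `cacheConf = let … in pkgs.writeText …`, unless it is also referenced from elsewhere in the file. The body of makeCacheConf (the writeText string) continues past the end of this hunk.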
@@ -200,59 +176,47 @@ let
   confPkg = pkgs.runCommand "fontconfig-conf" {
     preferLocalBuild = true;
   } ''
-    support_folder=$out/etc/fonts/conf.d
-    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
-
-    mkdir -p $support_folder
-    mkdir -p $latest_folder
+    dst=$out/etc/fonts/${pkg.configVersion}/conf.d
+    mkdir -p $dst
 
     # fonts.conf
-    ln -s ${supportFontsConf} $support_folder/../fonts.conf
-    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
-          $latest_folder/../fonts.conf
+    ln -s ${pkg.out}/etc/fonts/fonts.conf \
+          $dst/../fonts.conf
+    # TODO: remove this legacy symlink once people stop using packages built before #95358 was merged
+    ln -s /etc/fonts/${pkg.configVersion}/fonts.conf \
+          $out/etc/fonts/fonts.conf
 
     # fontconfig default config files
-    ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
-          $support_folder/
-    # Latest fontconfig is configured to look for the upstream defaults inside the package.
+    ln -s ${pkg.out}/etc/fonts/conf.d/*.conf \
+          $dst/
 
     # 00-nixos-cache.conf
-    ln -s ${cacheConfSupport} \
-          $support_folder/00-nixos-cache.conf
-    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
+    ln -s ${cacheConf}  $dst/00-nixos-cache.conf
 
     # 10-nixos-rendering.conf
-    ln -s ${renderConf}       $support_folder/10-nixos-rendering.conf
-    ln -s ${renderConf}       $latest_folder/10-nixos-rendering.conf
+    ln -s ${renderConf}       $dst/10-nixos-rendering.conf
 
     # 50-user.conf
-    ${optionalString (!cfg.includeUserConf) ''
-    rm $support_folder/50-user.conf
-    ''}
     # Since latest fontconfig looks for default files inside the package,
     # we had to move this one elsewhere to be able to exclude it here.
     ${optionalString cfg.includeUserConf ''
-    ln -s ${latestPkg.out}/etc/fonts/conf.d.bak/50-user.conf $latest_folder/50-user.conf
+    ln -s ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf $dst/50-user.conf
     ''}
 
     # local.conf (indirect priority 51)
     ${optionalString (cfg.localConf != "") ''
-    ln -s ${localConf}        $support_folder/../local.conf
-    ln -s ${localConf}        $latest_folder/../local.conf
+    ln -s ${localConf}        $dst/../local.conf
     ''}
 
     # 52-nixos-default-fonts.conf
-    ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
-    ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
+    ln -s ${defaultFontsConf} $dst/52-nixos-default-fonts.conf
 
     # 53-no-bitmaps.conf
-    ln -s ${rejectBitmaps} $support_folder/53-no-bitmaps.conf
-    ln -s ${rejectBitmaps} $latest_folder/53-no-bitmaps.conf
+    ln -s ${rejectBitmaps} $dst/53-no-bitmaps.conf
 
     ${optionalString (!cfg.allowType1) ''
     # 53-nixos-reject-type1.conf
-    ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
-    ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
+    ln -s ${rejectType1} $dst/53-nixos-reject-type1.conf
     ''}
   '';
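Review bot: The re-added `ln -s ${pkg.out}/etc/fonts/conf.d/*.conf $dst/` sits a few lines above a surviving comment stating that "latest fontconfig looks for default files inside the package", and the removed line "Latest fontconfig is configured to look for the upstream defaults inside the package" said the same; one of the two is now stale. If the package's own conf.d is still consulted, every default file is read twice and the `50-user.conf` exclusion via `conf.d.bak` no longer excludes anything — presumably the package was changed to read only /etc, but that is not visible here, so the comment should say which it is. The legacy `ln -s /etc/fonts/${pkg.configVersion}/fonts.conf $out/etc/fonts/fonts.conf` is an absolute link into the live /etc from inside a store path; it resolves only on a running system, which the TODO could state along with a removal target release rather than just an issue number.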
 
@@ -486,7 +450,7 @@ in
       environment.systemPackages    = [ pkgs.fontconfig ];
       environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
     })
-    (mkIf (cfg.enable && !cfg.penultimate.enable) {
+    (mkIf cfg.enable {
       fonts.fontconfig.confPackages = [ confPkg ];
     })
   ];
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index 873b8073fed..941ab78f863 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@@ -27,6 +27,7 @@ with lib;
     fonts.fontconfig.enable = false;
 
     nixpkgs.overlays = singleton (const (super: {
+      cairo = super.cairo.override { x11Support = false; };
       dbus = super.dbus.override { x11Support = false; };
       networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; };
       networkmanager-l2tp = super.networkmanager-l2tp.override { withGnome = false; };
@@ -35,6 +36,7 @@ with lib;
       networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
       networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
       gobject-introspection = super.gobject-introspection.override { x11Support = false; };
+      qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; };
     }));
   };
 }
diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix
index ae9710e3518..b3c5c6f93f3 100644
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@@ -33,14 +33,11 @@ let
       pkgs.ncurses
       pkgs.netcat
       config.programs.ssh.package
-      pkgs.perl
       pkgs.procps
-      pkgs.rsync
-      pkgs.strace
       pkgs.su
       pkgs.time
       pkgs.utillinux
-      pkgs.which # 88K size
+      pkgs.which
       pkgs.zstd
     ];
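Review bot: `pkgs.perl`, `pkgs.rsync` and `pkgs.strace` leave the default system path with no replacement visible in this hunk, so any activation script, unit `ExecStart` or administrator script that found them through `$PATH` now fails with command-not-found. The diffstat shows rsync being re-added to profiles/base.nix, but perl and strace are not; presumably anything in nixpkgs that needs them references the package directly, which is worth confirming before merging. A release-notes entry naming the three packages would let users add them to `environment.systemPackages` ahead of the upgrade.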
 
diff --git a/nixos/modules/hardware/ckb-next.nix b/nixos/modules/hardware/ckb-next.nix
index fe0ca9f26d5..6932be1c54c 100644
--- a/nixos/modules/hardware/ckb-next.nix
+++ b/nixos/modules/hardware/ckb-next.nix
@@ -43,7 +43,6 @@ in
         serviceConfig = {
           ExecStart = "${cfg.package}/bin/ckb-next-daemon ${optionalString (cfg.gid != null) "--gid=${builtins.toString cfg.gid}"}";
           Restart = "on-failure";
-          StandardOutput = "syslog";
         };
       };
     };
diff --git a/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh b/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh
index 25106733087..2a6c3ab1149 100644
--- a/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh
+++ b/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh
@@ -1,4 +1,4 @@
-#! @shell@ -e
+#! @runtimeShell@ -e
 
 # Shows the usage of this command to the user
 
diff --git a/nixos/modules/installer/tools/nixos-enter.sh b/nixos/modules/installer/tools/nixos-enter.sh
index 1fdd4627a90..c72ef6e9c28 100644
--- a/nixos/modules/installer/tools/nixos-enter.sh
+++ b/nixos/modules/installer/tools/nixos-enter.sh
@@ -1,4 +1,4 @@
-#! @shell@
+#! @runtimeShell@
 
 set -e
 
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 0b62bca8367..e0252befdfd 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -1,4 +1,4 @@
-#! @shell@
+#! @runtimeShell@
 
 set -e
 shopt -s nullglob
diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh
index 354274478a3..437199bae1d 100644
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -1,6 +1,6 @@
-#! @shell@
+#! @runtimeShell@
 
-if [ -x "@shell@" ]; then export SHELL="@shell@"; fi;
+if [ -x "@runtimeShell@" ]; then export SHELL="@runtimeShell@"; fi;
 
 set -e
 set -o pipefail
diff --git a/nixos/modules/installer/tools/nixos-version.sh b/nixos/modules/installer/tools/nixos-version.sh
index fb0fe26116a..f5e3f32b3c6 100644
--- a/nixos/modules/installer/tools/nixos-version.sh
+++ b/nixos/modules/installer/tools/nixos-version.sh
@@ -1,4 +1,4 @@
-#! @shell@
+#! @runtimeShell@
 
 case "$1" in
   -h|--help)
diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix
index 11128621424..1582f049309 100644
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -14,11 +14,13 @@ let
   nixos-build-vms = makeProg {
     name = "nixos-build-vms";
     src = ./nixos-build-vms/nixos-build-vms.sh;
+    inherit (pkgs) runtimeShell;
   };
 
   nixos-install = makeProg {
     name = "nixos-install";
     src = ./nixos-install.sh;
+    inherit (pkgs) runtimeShell;
     nix = config.nix.package.out;
     path = makeBinPath [ nixos-enter ];
   };
@@ -28,6 +30,7 @@ let
     makeProg {
       name = "nixos-rebuild";
       src = ./nixos-rebuild.sh;
+      inherit (pkgs) runtimeShell;
       nix = config.nix.package.out;
       nix_x86_64_linux = fallback.x86_64-linux;
       nix_i686_linux = fallback.i686-linux;
@@ -50,6 +53,7 @@ let
   nixos-version = makeProg {
     name = "nixos-version";
     src = ./nixos-version.sh;
+    inherit (pkgs) runtimeShell;
     inherit (config.system.nixos) version codeName revision;
     inherit (config.system) configurationRevision;
     json = builtins.toJSON ({
@@ -64,6 +68,7 @@ let
   nixos-enter = makeProg {
     name = "nixos-enter";
     src = ./nixos-enter.sh;
+    inherit (pkgs) runtimeShell;
   };
 
 in
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 4692ea32656..bdb7fa3b12c 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -198,7 +198,7 @@ in
       bosun = 161;
       kubernetes = 162;
       peerflix = 163;
-      chronos = 164;
+      #chronos = 164; # removed 2020-08-15
       gitlab = 165;
       tox-bootstrapd = 166;
       cadvisor = 167;
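Review bot: `#chronos = 164; # removed 2020-08-15` does not follow the form used by the neighbouring `# mathics = 218; # unused, removed 2020-08-15` in the second hunk and by the existing `# pumpio = 216; # unused, removed 2018-02-24`: it lacks the space after `#` and the `unused,` marker that signals the id can be reclaimed. Writing it as `# chronos = 164; # unused, removed 2020-08-15` keeps the retired entries greppable with one pattern.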
@@ -247,7 +247,7 @@ in
       bepasty = 215;
       # pumpio = 216; # unused, removed 2018-02-24
       nm-openvpn = 217;
-      mathics = 218;
+      # mathics = 218; # unused, removed 2020-08-15
       ejabberd = 219;
       postsrsd = 220;
       opendkim = 221;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 1802fc4bbdc..522a7992919 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1,7 +1,6 @@
 [
   ./config/debug-info.nix
   ./config/fonts/fontconfig.nix
-  ./config/fonts/fontconfig-penultimate.nix
   ./config/fonts/fontdir.nix
   ./config/fonts/fonts.nix
   ./config/fonts/ghostscript.nix
@@ -466,14 +465,11 @@
   ./services/misc/leaps.nix
   ./services/misc/lidarr.nix
   ./services/misc/mame.nix
-  ./services/misc/mathics.nix
   ./services/misc/matrix-appservice-discord.nix
   ./services/misc/matrix-synapse.nix
   ./services/misc/mautrix-telegram.nix
   ./services/misc/mbpfan.nix
   ./services/misc/mediatomb.nix
-  ./services/misc/mesos-master.nix
-  ./services/misc/mesos-slave.nix
   ./services/misc/metabase.nix
   ./services/misc/mwlib.nix
   ./services/misc/nix-daemon.nix
@@ -489,6 +485,7 @@
   ./services/misc/parsoid.nix
   ./services/misc/plex.nix
   ./services/misc/tautulli.nix
+  ./services/misc/pinnwand.nix
   ./services/misc/pykms.nix
   ./services/misc/radarr.nix
   ./services/misc/redmine.nix
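Review bot: `./services/misc/pinnwand.nix` is inserted after tautulli, which breaks the alphabetical order the list otherwise keeps (parsoid, plex, …, pykms); it belongs between parsoid and plex. The same applies to the two later hunks in this file: `./services/video/mirakurun.nix` is placed after `./services/wayland/cage.nix` although video sorts before wayland, and `./services/web-apps/rss-bridge.nix` is placed after sogo although it sorts between restya-board and sogo. Keeping the order makes duplicate or missing entries easy to spot in review.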
@@ -785,10 +782,8 @@
   ./services/networking/znc/default.nix
   ./services/printing/cupsd.nix
   ./services/scheduling/atd.nix
-  ./services/scheduling/chronos.nix
   ./services/scheduling/cron.nix
   ./services/scheduling/fcron.nix
-  ./services/scheduling/marathon.nix
   ./services/search/elasticsearch.nix
   ./services/search/elasticsearch-curator.nix
   ./services/search/hound.nix
@@ -839,6 +834,7 @@
   ./services/ttys/gpm.nix
   ./services/ttys/kmscon.nix
   ./services/wayland/cage.nix
+  ./services/video/mirakurun.nix
   ./services/web-apps/atlassian/confluence.nix
   ./services/web-apps/atlassian/crowd.nix
   ./services/web-apps/atlassian/jira.nix
@@ -869,6 +865,7 @@
   ./services/web-apps/moinmoin.nix
   ./services/web-apps/restya-board.nix
   ./services/web-apps/sogo.nix
+  ./services/web-apps/rss-bridge.nix
   ./services/web-apps/tt-rss.nix
   ./services/web-apps/trac.nix
   ./services/web-apps/trilium.nix
diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix
index 2a2fe119d30..3b67d628f9f 100644
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@@ -26,6 +26,7 @@
     pkgs.fuse
     pkgs.fuse3
     pkgs.sshfs-fuse
+    pkgs.rsync
     pkgs.socat
     pkgs.screen
 
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index cfe216d512b..86cd3bf8dcf 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -17,8 +17,12 @@ with lib;
     (mkAliasOptionModule [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ])
 
     # Completely removed modules
+    (mkRemovedOptionModule [ "fonts" "fontconfig" "penultimate" ] "The corresponding package has removed from nixpkgs.")
+    (mkRemovedOptionModule [ "services" "chronos" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "services" "firefox" "syncserver" "user" ] "")
     (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "")
+    (mkRemovedOptionModule [ "services" "marathon" ] "The corresponding package was removed from nixpkgs.")
+    (mkRemovedOptionModule [ "services" "mesos" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
     (mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
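Review bot: The user-facing message for the penultimate removal reads `"The corresponding package has removed from nixpkgs."`, which is ungrammatical ("has removed"); the three sibling entries added in the same hunk use `"The corresponding package was removed from nixpkgs."`, so the penultimate line should match them. Since this text is what evaluation prints to anyone still setting `fonts.fontconfig.penultimate.enable`, it is worth getting right before release.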
@@ -28,6 +32,7 @@ with lib;
     (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
     (mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed")
     (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
+    (mkRemovedOptionModule [ "services" "mathics" ] "The Mathics module has been removed")
     (mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
       "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
     (mkRemovedOptionModule [ "services" "xserver" "multitouch" ] ''
diff --git a/nixos/modules/security/tpm2.nix b/nixos/modules/security/tpm2.nix
index 13804fb82cb..27f9b58c975 100644
--- a/nixos/modules/security/tpm2.nix
+++ b/nixos/modules/security/tpm2.nix
@@ -170,7 +170,6 @@ in {
           Restart = "always";
           RestartSec = 30;
           BusName = "com.intel.tss2.Tabrmd";
-          StandardOutput = "syslog";
           ExecStart = "${cfg.abrmd.package}/bin/tpm2-abrmd";
           User = "tss";
           Group = "nogroup";
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index a0fadb018ec..2def74f8535 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -160,8 +160,11 @@ in
   config = {
 
     security.wrappers = {
+      # These are mount related wrappers that require the +s permission.
       fusermount.source = "${pkgs.fuse}/bin/fusermount";
       fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
+      mount.source = "${lib.getBin pkgs.utillinux}/bin/mount";
+      umount.source = "${lib.getBin pkgs.utillinux}/bin/umount";
     };
 
     boot.specialFileSystems.${parentWrapperDir} = {
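Review bot: `mount.source` and `umount.source` make mount and umount setuid-root wrappers on every NixOS system unconditionally, which widens the set of privileged binaries for installations that never needed it; the new comment says the wrappers "require the +s permission" but not what feature depends on them. Stating the motivating use case in the comment — presumably unprivileged mounting of fstab entries carrying the `user`/`users` option, though that is not visible here — would let a later maintainer judge whether the wrappers can be gated behind an option instead of being always on. A release-notes entry would also help administrators who inventory setuid binaries and will now find two new ones under the wrapper directory.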
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 2e8c5b7640b..7d0a3f9afc4 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -6,12 +6,10 @@ let
 
   cfg = config.services.mysql;
 
-  mysql = cfg.package;
-
-  isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb;
+  isMariaDB = lib.getName cfg.package == lib.getName pkgs.mariadb;
 
   mysqldOptions =
-    "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
+    "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${cfg.package}";
 
   settingsFile = pkgs.writeText "my.cnf" (
     generators.toINI { listsAsDuplicateKeys = true; } cfg.settings +
@@ -22,7 +20,7 @@ in
 
 {
   imports = [
-    (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd")
+    (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd.")
     (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
   ];
 
@@ -46,25 +44,31 @@ in
         type = types.nullOr types.str;
         default = null;
         example = literalExample "0.0.0.0";
-        description = "Address to bind to. The default is to bind to all addresses";
+        description = "Address to bind to. The default is to bind to all addresses.";
       };
 
       port = mkOption {
         type = types.int;
         default = 3306;
-        description = "Port of MySQL";
+        description = "Port of MySQL.";
       };
 
       user = mkOption {
         type = types.str;
         default = "mysql";
-        description = "User account under which MySQL runs";
+        description = "User account under which MySQL runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "mysql";
+        description = "Group under which MySQL runs.";
       };
 
       dataDir = mkOption {
         type = types.path;
         example = "/var/lib/mysql";
-        description = "Location where MySQL stores its table files";
+        description = "Location where MySQL stores its table files.";
       };
 
       configFile = mkOption {
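Review bot: The new `group` option is declared here with default `"mysql"`, but nothing in this hunk shows it being consumed; `mysqldOptions` in the first hunk still passes only `--user=${cfg.user}` and the data-directory ownership and unit `Group=` are outside the visible hunks. The option should be checked against those sites so that setting `services.mysql.group` actually changes the group the daemon runs as and the owner of `dataDir`, and so that the group is created when it is not the default — otherwise the description "Group under which MySQL runs." overstates what the option does.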
@@ -171,7 +175,7 @@ in
       initialScript = mkOption {
         type = types.nullOr types.path;
         default = null;
-        description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database";
+        description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database.";
       };
 
       ensureDatabases = mkOption {
@@ -259,33 +263,33 @@ in
         serverId = mkOption {
           type = types.int;
           default = 1;
-          description = "Id of the MySQL server instance. This number must be unique for each instance";
+          description = "Id of the MySQL server instance. This number must be unique for each instance.";
         };
 
         masterHost = mkOption {
           type = types.str;
-          description = "Hostname of the MySQL master server";
+          description = "Hostname of the MySQL master server.";
         };
 
         slaveHost = mkOption {
           type = types.str;
-          description = "Hostname of the MySQL slave server";
+          description = "Hostname of the MySQL slave server.";
         };
 
         masterUser = mkOption {
           type = types.str;
-          description = "Username of the MySQL replication user";
+          description = "Username of the MySQL replication user.";
         };
 
         masterPassword = mkOption {
           type = types.str;
-          description = "Password of the MySQL replication user";
+          description = "Password of the MySQL replication user.";
         };
 
         masterPort = mkOption {
           type = types.int;
           default = 3306;
-          description = "Port number on which the MySQL master server runs";
+          description = "Port number on which the MySQL master server runs.";
         };
       };
     };
@@ -317,29 +321,33 @@ in
         binlog-ignore-db = [ "information_schema" "performance_schema" "mysql" ];
       })
       (mkIf (!isMariaDB) {
-        plugin-load-add = optional (cfg.ensureUsers != []) "auth_socket.so";
+        plugin-load-add = "auth_socket.so";
       })
     ];
 
-    users.users.mysql = {
-      description = "MySQL server user";
-      group = "mysql";
-      uid = config.ids.uids.mysql;
+    users.users = optionalAttrs (cfg.user == "mysql") {
+      mysql = {
+        description = "MySQL server user";
+        group = cfg.group;
+        uid = config.ids.uids.mysql;
+      };
     };
 
-    users.groups.mysql.gid = config.ids.gids.mysql;
+    users.groups = optionalAttrs (cfg.group == "mysql") {
+      mysql.gid = config.ids.gids.mysql;
+    };
 
-    environment.systemPackages = [mysql];
+    environment.systemPackages = [ cfg.package ];
 
     environment.etc."my.cnf".source = cfg.configFile;
 
     systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0700 ${cfg.user} mysql - -"
-      "z '${cfg.dataDir}' 0700 ${cfg.user} mysql - -"
+      "d '${cfg.dataDir}' 0700 '${cfg.user}' '${cfg.group}' - -"
+      "z '${cfg.dataDir}' 0700 '${cfg.user}' '${cfg.group}' - -"
     ];
 
     systemd.services.mysql = let
-      hasNotify = (cfg.package == pkgs.mariadb);
+      hasNotify = isMariaDB;
     in {
         description = "MySQL Server";
 
@@ -357,125 +365,127 @@ in
 
         preStart = if isMariaDB then ''
           if ! test -e ${cfg.dataDir}/mysql; then
-            ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions}
+            ${cfg.package}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions}
             touch ${cfg.dataDir}/mysql_init
           fi
         '' else ''
           if ! test -e ${cfg.dataDir}/mysql; then
-            ${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure
+            ${cfg.package}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure
             touch ${cfg.dataDir}/mysql_init
           fi
         '';
 
-        serviceConfig = {
-          Type = if hasNotify then "notify" else "simple";
-          Restart = "on-abort";
-          RestartSec = "5s";
-          # The last two environment variables are used for starting Galera clusters
-          ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION";
-          ExecStartPost =
-            let
-              setupScript = pkgs.writeScript "mysql-setup" ''
-                #!${pkgs.runtimeShell} -e
-
-                ${optionalString (!hasNotify) ''
-                  # Wait until the MySQL server is available for use
-                  count=0
-                  while [ ! -e /run/mysqld/mysqld.sock ]
-                  do
-                      if [ $count -eq 30 ]
-                      then
-                          echo "Tried 30 times, giving up..."
-                          exit 1
-                      fi
-
-                      echo "MySQL daemon not yet started. Waiting for 1 second..."
-                      count=$((count++))
-                      sleep 1
-                  done
-                ''}
-
-                if [ -f ${cfg.dataDir}/mysql_init ]
+        postStart = let
+          # The super user account to use on *first* run of MySQL server
+          superUser = if isMariaDB then cfg.user else "root";
+        in ''
+          ${optionalString (!hasNotify) ''
+            # Wait until the MySQL server is available for use
+            count=0
+            while [ ! -e /run/mysqld/mysqld.sock ]
+            do
+                if [ $count -eq 30 ]
                 then
-                    ${concatMapStrings (database: ''
-                      # Create initial databases
-                      if ! test -e "${cfg.dataDir}/${database.name}"; then
-                          echo "Creating initial database: ${database.name}"
-                          ( echo 'create database `${database.name}`;'
-
-                            ${optionalString (database.schema != null) ''
-                            echo 'use `${database.name}`;'
-
-                            # TODO: this silently falls through if database.schema does not exist,
-                            # we should catch this somehow and exit, but can't do it here because we're in a subshell.
-                            if [ -f "${database.schema}" ]
-                            then
-                                cat ${database.schema}
-                            elif [ -d "${database.schema}" ]
-                            then
-                                cat ${database.schema}/mysql-databases/*.sql
-                            fi
-                            ''}
-                          ) | ${mysql}/bin/mysql -u root -N
-                      fi
-                    '') cfg.initialDatabases}
-
-                    ${optionalString (cfg.replication.role == "master")
-                      ''
-                        # Set up the replication master
+                    echo "Tried 30 times, giving up..."
+                    exit 1
+                fi
 
-                        ( echo "use mysql;"
-                          echo "CREATE USER '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' IDENTIFIED WITH mysql_native_password;"
-                          echo "SET PASSWORD FOR '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' = PASSWORD('${cfg.replication.masterPassword}');"
-                          echo "GRANT REPLICATION SLAVE ON *.* TO '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}';"
-                        ) | ${mysql}/bin/mysql -u root -N
+                echo "MySQL daemon not yet started. Waiting for 1 second..."
+                count=$((count++))
+                sleep 1
+            done
+          ''}
+
+          if [ -f ${cfg.dataDir}/mysql_init ]
+          then
+              # While MariaDB comes with a 'mysql' super user account since 10.4.x, MySQL does not
+              # Since we don't want to run this service as 'root' we need to ensure the account exists on first run
+              ( echo "CREATE USER IF NOT EXISTS '${cfg.user}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};"
+                echo "GRANT ALL PRIVILEGES ON *.* TO '${cfg.user}'@'localhost' WITH GRANT OPTION;"
+              ) | ${cfg.package}/bin/mysql -u ${superUser} -N
+
+              ${concatMapStrings (database: ''
+                # Create initial databases
+                if ! test -e "${cfg.dataDir}/${database.name}"; then
+                    echo "Creating initial database: ${database.name}"
+                    ( echo 'create database `${database.name}`;'
+
+                      ${optionalString (database.schema != null) ''
+                      echo 'use `${database.name}`;'
+
+                      # TODO: this silently falls through if database.schema does not exist,
+                      # we should catch this somehow and exit, but can't do it here because we're in a subshell.
+                      if [ -f "${database.schema}" ]
+                      then
+                          cat ${database.schema}
+                      elif [ -d "${database.schema}" ]
+                      then
+                          cat ${database.schema}/mysql-databases/*.sql
+                      fi
                       ''}
+                    ) | ${cfg.package}/bin/mysql -u ${superUser} -N
+                fi
+              '') cfg.initialDatabases}
 
-                    ${optionalString (cfg.replication.role == "slave")
-                      ''
-                        # Set up the replication slave
+              ${optionalString (cfg.replication.role == "master")
+                ''
+                  # Set up the replication master
 
-                        ( echo "stop slave;"
-                          echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';"
-                          echo "start slave;"
-                        ) | ${mysql}/bin/mysql -u root -N
-                      ''}
+                  ( echo "use mysql;"
+                    echo "CREATE USER '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' IDENTIFIED WITH mysql_native_password;"
+                    echo "SET PASSWORD FOR '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' = PASSWORD('${cfg.replication.masterPassword}');"
+                    echo "GRANT REPLICATION SLAVE ON *.* TO '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}';"
+                  ) | ${cfg.package}/bin/mysql -u ${superUser} -N
+                ''}
 
-                    ${optionalString (cfg.initialScript != null)
-                      ''
-                        # Execute initial script
-                        # using toString to avoid copying the file to nix store if given as path instead of string,
-                        # as it might contain credentials
-                        cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
-                      ''}
+              ${optionalString (cfg.replication.role == "slave")
+                ''
+                  # Set up the replication slave
 
-                    rm ${cfg.dataDir}/mysql_init
-                fi
+                  ( echo "stop slave;"
+                    echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';"
+                    echo "start slave;"
+                  ) | ${cfg.package}/bin/mysql -u ${superUser} -N
+                ''}
 
-                ${optionalString (cfg.ensureDatabases != []) ''
-                  (
-                  ${concatMapStrings (database: ''
-                    echo "CREATE DATABASE IF NOT EXISTS \`${database}\`;"
-                  '') cfg.ensureDatabases}
-                  ) | ${mysql}/bin/mysql -u root -N
+              ${optionalString (cfg.initialScript != null)
+                ''
+                  # Execute initial script
+                  # using toString to avoid copying the file to nix store if given as path instead of string,
+                  # as it might contain credentials
+                  cat ${toString cfg.initialScript} | ${cfg.package}/bin/mysql -u ${superUser} -N
                 ''}
 
-                ${concatMapStrings (user:
-                  ''
-                    ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};"
-                      ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
-                        echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"
-                      '') user.ensurePermissions)}
-                    ) | ${mysql}/bin/mysql -u root -N
-                  '') cfg.ensureUsers}
-              '';
-            in
-              # ensureDatbases & ensureUsers depends on this script being run as root
-              # when the user has secured their mysql install
-              "+${setupScript}";
+              rm ${cfg.dataDir}/mysql_init
+          fi
+
+          ${optionalString (cfg.ensureDatabases != []) ''
+            (
+            ${concatMapStrings (database: ''
+              echo "CREATE DATABASE IF NOT EXISTS \`${database}\`;"
+            '') cfg.ensureDatabases}
+            ) | ${cfg.package}/bin/mysql -N
+          ''}
+
+          ${concatMapStrings (user:
+            ''
+              ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};"
+                ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
+                  echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"
+                '') user.ensurePermissions)}
+              ) | ${cfg.package}/bin/mysql -N
+            '') cfg.ensureUsers}
+        '';
+
+        serviceConfig = {
+          Type = if hasNotify then "notify" else "simple";
+          Restart = "on-abort";
+          RestartSec = "5s";
+          # The last two environment variables are used for starting Galera clusters
+          ExecStart = "${cfg.package}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION";
           # User and group
           User = cfg.user;
-          Group = "mysql";
+          Group = cfg.group;
           # Runtime directory and mode
           RuntimeDirectory = "mysqld";
           RuntimeDirectoryMode = "0755";
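Review bot: The readiness loop carried over into `postStart` never counts up: `count=$((count++))` assigns the pre-increment value back, so `count` stays at 0, the `if [ $count -eq 30 ]` exit is unreachable and a socket that never appears blocks the unit until systemd's start timeout instead of failing after 30 seconds; `count=$((count + 1))` fixes it. The `CREATE USER IF NOT EXISTS '${cfg.user}'@'localhost' ... auth_socket` grant is only issued inside the `mysql_init` branch, so a dataDir initialised before this change presumably never gets that account, and the credential-less `${cfg.package}/bin/mysql -N` calls at the end of the script would then be refused — a comment stating that pre-existing installations must create the socket-authenticated account themselves (or a one-time migration step) would help. A comment next to the `GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION` line should also say that the service OS user thereby becomes a full database superuser, since that is what `ensureDatabases`/`ensureUsers` now rely on in place of the former root-run `ExecStartPost`.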
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 3e16b5907dd..c726a08e34f 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -225,14 +225,15 @@ in
           Contents of the <filename>recovery.conf</filename> file.
         '';
       };
+
       superUser = mkOption {
         type = types.str;
-        default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
+        default = "postgres";
         internal = true;
+        readOnly = true;
         description = ''
-          NixOS traditionally used 'root' as superuser, most other distros use 'postgres'.
-          From 17.09 we also try to follow this standard. Internal since changing this value
-          would lead to breakage while setting up databases.
+          PostgreSQL superuser account to use for various operations. Internal since changing
+          this value would lead to breakage while setting up databases.
         '';
         };
     };
@@ -310,6 +311,35 @@ in
             ''}
           '';
 
+        # Wait for PostgreSQL to be ready to accept connections.
+        postStart =
+          ''
+            PSQL="psql --port=${toString cfg.port}"
+
+            while ! $PSQL -d postgres -c "" 2> /dev/null; do
+                if ! kill -0 "$MAINPID"; then exit 1; fi
+                sleep 0.1
+            done
+
+            if test -e "${cfg.dataDir}/.first_startup"; then
+              ${optionalString (cfg.initialScript != null) ''
+                $PSQL -f "${cfg.initialScript}" -d postgres
+              ''}
+              rm -f "${cfg.dataDir}/.first_startup"
+            fi
+          '' + optionalString (cfg.ensureDatabases != []) ''
+            ${concatMapStrings (database: ''
+              $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
+            '') cfg.ensureDatabases}
+          '' + ''
+            ${concatMapStrings (user: ''
+              $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
+              ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
+                $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"'
+              '') user.ensurePermissions)}
+            '') cfg.ensureUsers}
+          '';
+
         serviceConfig = mkMerge [
           { ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
             User = "postgres";
@@ -329,40 +359,6 @@ in
             TimeoutSec = 120;
 
             ExecStart = "${postgresql}/bin/postgres";
-
-            # Wait for PostgreSQL to be ready to accept connections.
-            ExecStartPost =
-              let
-                setupScript = pkgs.writeScript "postgresql-setup" (''
-                  #!${pkgs.runtimeShell} -e
-
-                  PSQL="${pkgs.utillinux}/bin/runuser -u ${cfg.superUser} -- psql --port=${toString cfg.port}"
-
-                  while ! $PSQL -d postgres -c "" 2> /dev/null; do
-                      if ! kill -0 "$MAINPID"; then exit 1; fi
-                      sleep 0.1
-                  done
-
-                  if test -e "${cfg.dataDir}/.first_startup"; then
-                    ${optionalString (cfg.initialScript != null) ''
-                      $PSQL -f "${cfg.initialScript}" -d postgres
-                    ''}
-                    rm -f "${cfg.dataDir}/.first_startup"
-                  fi
-                '' + optionalString (cfg.ensureDatabases != []) ''
-                  ${concatMapStrings (database: ''
-                    $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
-                  '') cfg.ensureDatabases}
-                '' + ''
-                  ${concatMapStrings (user: ''
-                    $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
-                    ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
-                      $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"'
-                    '') user.ensurePermissions)}
-                  '') cfg.ensureUsers}
-                '');
-              in
-                "+${setupScript}";
           }
           (mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") {
             StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}";
diff --git a/nixos/modules/services/editors/emacs.nix b/nixos/modules/services/editors/emacs.nix
index d791b387665..00d9eaad9eb 100644
--- a/nixos/modules/services/editors/emacs.nix
+++ b/nixos/modules/services/editors/emacs.nix
@@ -15,26 +15,27 @@ let
     fi
   '';
 
-desktopApplicationFile = pkgs.writeTextFile {
-  name = "emacsclient.desktop";
-  destination = "/share/applications/emacsclient.desktop";
-  text = ''
-[Desktop Entry]
-Name=Emacsclient
-GenericName=Text Editor
-Comment=Edit text
-MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
-Exec=emacseditor %F
-Icon=emacs
-Type=Application
-Terminal=false
-Categories=Development;TextEditor;
-StartupWMClass=Emacs
-Keywords=Text;Editor;
-'';
-};
-
-in {
+  desktopApplicationFile = pkgs.writeTextFile {
+    name = "emacsclient.desktop";
+    destination = "/share/applications/emacsclient.desktop";
+    text = ''
+      [Desktop Entry]
+      Name=Emacsclient
+      GenericName=Text Editor
+      Comment=Edit text
+      MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
+      Exec=emacseditor %F
+      Icon=emacs
+      Type=Application
+      Terminal=false
+      Categories=Development;TextEditor;
+      StartupWMClass=Emacs
+      Keywords=Text;Editor;
+    '';
+  };
+
+in
+{
 
   options.services.emacs = {
     enable = mkOption {
@@ -86,10 +87,10 @@ in {
       description = "Emacs: the extensible, self-documenting text editor";
 
       serviceConfig = {
-        Type      = "forking";
+        Type = "forking";
         ExecStart = "${pkgs.bash}/bin/bash -c 'source ${config.system.build.setEnvironment}; exec ${cfg.package}/bin/emacs --daemon'";
-        ExecStop  = "${cfg.package}/bin/emacsclient --eval (kill-emacs)";
-        Restart   = "always";
+        ExecStop = "${cfg.package}/bin/emacsclient --eval (kill-emacs)";
+        Restart = "always";
       };
     } // optionalAttrs cfg.enable { wantedBy = [ "default.target" ]; };
 
diff --git a/nixos/modules/services/editors/emacs.xml b/nixos/modules/services/editors/emacs.xml
index 74c60014dce..05f87df43bc 100644
--- a/nixos/modules/services/editors/emacs.xml
+++ b/nixos/modules/services/editors/emacs.xml
@@ -53,11 +53,11 @@
        <varname>emacs</varname>
       </term>
       <term>
-       <varname>emacs25</varname>
+       <varname>emacs</varname>
       </term>
       <listitem>
        <para>
-        The latest stable version of Emacs 25 using the
+        The latest stable version of Emacs using the
         <link
                 xlink:href="http://www.gtk.org">GTK 2</link>
         widget toolkit.
@@ -66,11 +66,11 @@
      </varlistentry>
      <varlistentry>
       <term>
-       <varname>emacs25-nox</varname>
+       <varname>emacs-nox</varname>
       </term>
       <listitem>
        <para>
-        Emacs 25 built without any dependency on X11 libraries.
+        Emacs built without any dependency on X11 libraries.
        </para>
       </listitem>
      </varlistentry>
@@ -79,11 +79,11 @@
        <varname>emacsMacport</varname>
       </term>
       <term>
-       <varname>emacs25Macport</varname>
+       <varname>emacsMacport</varname>
       </term>
       <listitem>
        <para>
-        Emacs 25 with the "Mac port" patches, providing a more native look and
+        Emacs with the "Mac port" patches, providing a more native look and
         feel under macOS.
        </para>
       </listitem>
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index ad10ba1d909..fd4d16cdc37 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -25,6 +25,8 @@ let
 
   clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl);
 
+  smtpTlsSecurityLevel = if cfg.useDane then "dane" else "may";
+
   mainCf = let
     escape = replaceStrings ["$"] ["$$"];
     mkList = items: "\n  " + concatStringsSep ",\n  " items;
@@ -508,6 +510,14 @@ in
         '';
       };
 
+      useDane = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Sets smtp_tls_security_level to "dane" rather than "may". See postconf(5) for details.
+        '';
+      };
+
       sslCert = mkOption {
         type = types.str;
         default = "";
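Review bot: The `useDane` description should state what the option needs in order to be effective: per postconf(5) the `dane` level only performs DANE verification when `smtp_dns_support_level` is `dnssec` and the host uses a DNSSEC-validating resolver, otherwise Postfix degrades to opportunistic TLS, so a reader could believe DANE is enforced when it is not. In addition, `smtpTlsSecurityLevel` is only applied inside the `tlsTrustedAuthorities` and `sslCert` branches of the last hunk in this file, so `useDane = true` with neither of those set is silently a no-op; either document that or add an assertion. Suggested text: `Sets smtp_tls_security_level to "dane" rather than "may". Requires a DNSSEC-validating resolver and smtp_dns_support_level = dnssec, and only takes effect when sslCert or tlsTrustedAuthorities is set. See postconf(5) for details.`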
@@ -809,13 +819,13 @@ in
       // optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; }
       // optionalAttrs (cfg.tlsTrustedAuthorities != "") {
         smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
-        smtp_tls_security_level = "may";
+        smtp_tls_security_level = smtpTlsSecurityLevel;
       }
       // optionalAttrs (cfg.sslCert != "") {
         smtp_tls_cert_file = cfg.sslCert;
         smtp_tls_key_file = cfg.sslKey;
 
-        smtp_tls_security_level = "may";
+        smtp_tls_security_level = smtpTlsSecurityLevel;
 
         smtpd_tls_cert_file = cfg.sslCert;
         smtpd_tls_key_file = cfg.sslKey;
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index f8bcedc94fe..af80e99746b 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -162,6 +162,45 @@ in
             <manvolnum>7</manvolnum></citerefentry>.
           '';
         };
+
+        backupDir = mkOption {
+          type = types.str;
+          default = "${cfg.stateDir}/dump";
+          description = "Path to the dump files.";
+        };
+      };
+
+      ssh = {
+        enable = mkOption {
+          type = types.bool;
+          default = true;
+          description = "Enable external SSH feature.";
+        };
+
+        clonePort = mkOption {
+          type = types.int;
+          default = 22;
+          example = 2222;
+          description = ''
+            SSH port displayed in clone URL.
+            The option is required to configure a service when the external visible port
+            differs from the local listening port i.e. if port forwarding is used.
+          '';
+        };
+      };
+
+      lfs = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Enables git-lfs support.";
+        };
+
+        contentDir = mkOption {
+          type = types.str;
+          default = "${cfg.stateDir}/data/lfs";
+          description = "Where to store LFS files.";
+        };
       };
 
       appName = mkOption {
@@ -200,6 +239,12 @@ in
         description = "HTTP listen port.";
       };
 
+      enableUnixSocket = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Configure Gitea to listen on a unix socket instead of the default TCP port.";
+      };
+
       cookieSecure = mkOption {
         type = types.bool;
         default = false;
@@ -300,14 +345,34 @@ in
         ROOT = cfg.repositoryRoot;
       };
 
-      server = {
-        DOMAIN = cfg.domain;
-        HTTP_ADDR = cfg.httpAddress;
-        HTTP_PORT = cfg.httpPort;
-        ROOT_URL = cfg.rootUrl;
-        STATIC_ROOT_PATH = cfg.staticRootPath;
-        LFS_JWT_SECRET = "#jwtsecret#";
-      };
+      server = mkMerge [
+        {
+          DOMAIN = cfg.domain;
+          STATIC_ROOT_PATH = cfg.staticRootPath;
+          LFS_JWT_SECRET = "#jwtsecret#";
+          ROOT_URL = cfg.rootUrl;
+        }
+        (mkIf cfg.enableUnixSocket {
+          PROTOCOL = "unix";
+          HTTP_ADDR = "/run/gitea/gitea.sock";
+        })
+        (mkIf (!cfg.enableUnixSocket) {
+          HTTP_ADDR = cfg.httpAddress;
+          HTTP_PORT = cfg.httpPort;
+        })
+        (mkIf cfg.ssh.enable {
+          DISABLE_SSH = false;
+          SSH_PORT = cfg.ssh.clonePort;
+        })
+        (mkIf (!cfg.ssh.enable) {
+          DISABLE_SSH = true;
+        })
+        (mkIf cfg.lfs.enable {
+          LFS_START_SERVER = true;
+          LFS_CONTENT_PATH = cfg.lfs.contentDir;
+        })
+
+      ];
 
       session = {
         COOKIE_NAME = "session";
@@ -357,12 +422,26 @@ in
     };
 
     systemd.tmpfiles.rules = [
-      "d '${cfg.stateDir}' - ${cfg.user} gitea - -"
-      "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -"
-      "d '${cfg.stateDir}/custom' - ${cfg.user} gitea - -"
-      "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -"
-      "d '${cfg.stateDir}/log' - ${cfg.user} gitea - -"
-      "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
+      "d '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
+      "Z '${cfg.dump.backupDir}' - ${cfg.user} gitea - -"
+      "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"
+      "Z '${cfg.lfs.contentDir}' - ${cfg.user} gitea - -"
+      "d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
+      "Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
+      "d '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
+      "d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
+      "d '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
+      "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+      "d '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} gitea - -"
+      "z '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
       "Z '${cfg.stateDir}' - ${cfg.user} gitea - -"
 
       # If we have a folder or symlink with gitea locales, remove it
@@ -431,28 +510,39 @@ in
         User = cfg.user;
         Group = "gitea";
         WorkingDirectory = cfg.stateDir;
-        ExecStart = "${gitea}/bin/gitea web";
+        ExecStart = "${gitea}/bin/gitea web --pid /run/gitea/gitea.pid";
         Restart = "always";
-
-        # Filesystem
+        # Runtime directory and mode
+        RuntimeDirectory = "gitea";
+        RuntimeDirectoryMode = "0755";
+        # Access write directories
+        ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
+        UMask = "0027";
+        # Capabilities
+        CapabilityBoundingSet = "";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        ProtectSystem = "strict";
         ProtectHome = true;
+        PrivateTmp = true;
         PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
+        ProtectKernelLogs = true;
         ProtectControlGroups = true;
-        ReadWritePaths = cfg.stateDir;
-        # Caps
-        CapabilityBoundingSet = "";
-        NoNewPrivileges = true;
-        # Misc.
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
         LockPersonality = true;
+        MemoryDenyWriteExecute = true;
         RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         PrivateMounts = true;
-        PrivateUsers = true;
-        MemoryDenyWriteExecute = true;
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
+        # System Call Filtering
         SystemCallArchitectures = "native";
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
       };
 
       environment = {
@@ -504,7 +594,7 @@ in
          Type = "oneshot";
          User = cfg.user;
          ExecStart = "${gitea}/bin/gitea dump";
-         WorkingDirectory = cfg.stateDir;
+         WorkingDirectory = cfg.dump.backupDir;
        };
     };
 
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index fa393de3219..5d8de3b1bbd 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -696,7 +696,6 @@ in {
       "L+ /run/gitlab/shell-config.yml - - - - ${pkgs.writeText "config.yml" (builtins.toJSON gitlabShellConfig)}"
 
       "L+ ${cfg.statePath}/config/unicorn.rb - - - - ${./defaultUnicornConfig.rb}"
-      "L+ ${cfg.statePath}/config/initializers/extra-gitlab.rb - - - - ${extraGitlabRb}"
     ];
 
     systemd.services.gitlab-sidekiq = {
@@ -816,6 +815,7 @@ in {
             rm -f ${cfg.statePath}/lib
             cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
             cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db
+            ln -sf ${extraGitlabRb} ${cfg.statePath}/config/initializers/extra-gitlab.rb
 
             ${cfg.packages.gitlab-shell}/bin/install
 
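Review bot: The new `ln -sf ${extraGitlabRb} …/config/initializers/extra-gitlab.rb` line sits right after the `cp -rf … config.dist/*` copy, but nothing records why the link moved here from the tmpfiles `L+` rule removed in the hunk above; presumably the copy has to run first because it creates config/initializers and because cp would otherwise write through an existing symlink into the read-only store. A one-line comment keeps that ordering from being "fixed" later, e.g. `# Link after the config.dist copy: it creates config/initializers and must not write through the symlink`. The script this runs in starts before the hunk, so I cannot see whether it executes as root or as the gitlab user.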
diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix
index f4a9c72b154..8842e1e4d90 100644
--- a/nixos/modules/services/misc/gollum.nix
+++ b/nixos/modules/services/misc/gollum.nix
@@ -98,7 +98,7 @@ in
           ${pkgs.gollum}/bin/gollum \
             --port ${toString cfg.port} \
             --host ${cfg.address} \
-            --config ${builtins.toFile "gollum-config.rb" cfg.extraConfig} \
+            --config ${pkgs.writeText "gollum-config.rb" cfg.extraConfig} \
             --ref ${cfg.branch} \
             ${optionalString cfg.mathjax "--mathjax"} \
             ${optionalString cfg.emoji "--emoji"} \
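Review bot: The swap from builtins.toFile to pkgs.writeText on the `--config` line carries no explanation; presumably it is there so that cfg.extraConfig may reference store paths, since toFile rejects strings that carry a derivation context. Recording that keeps someone from reverting it for "simplicity": `# writeText, not builtins.toFile: extraConfig may reference store paths`. The ExecStart script continues outside the hunk.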
diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix
index 6ecdfb57dc3..0493dadea94 100644
--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -16,6 +16,14 @@ in
         description = "User account under which Jellyfin runs.";
       };
 
+      package = mkOption {
+        type = types.package;
+        example = literalExample "pkgs.jellyfin";
+        description = ''
+          Jellyfin package to use.
+        '';
+      };
+
       group = mkOption {
         type = types.str;
         default = "jellyfin";
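Review bot: The new `package` option declares neither `default` nor `defaultText`, so the generated manual presents it as a required option although the module fills it in later with `mkDefault` based on `system.stateVersion`; readers of the docs cannot learn that. Add `defaultText = literalExample "pkgs.jellyfin (pkgs.jellyfin_10_5 when system.stateVersion < 20.09)";` if the doc generator renders defaultText without a default (otherwise put the same sentence in the description), and say explicitly that systems with an older stateVersion stay on the 10.5 series until they set this option.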
@@ -35,11 +43,16 @@ in
         Group = cfg.group;
         StateDirectory = "jellyfin";
         CacheDirectory = "jellyfin";
-        ExecStart = "${pkgs.jellyfin}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
+        ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
         Restart = "on-failure";
       };
     };
 
+    services.jellyfin.package = mkDefault (
+      if versionAtLeast config.system.stateVersion "20.09" then pkgs.jellyfin
+        else pkgs.jellyfin_10_5
+    );
+
     users.users = mkIf (cfg.user == "jellyfin") {
       jellyfin = {
         group = cfg.group;
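Review bot: The stateVersion branch in `services.jellyfin.package = mkDefault (…)` has no comment saying why installations with `system.stateVersion` below 20.09 are held on `pkgs.jellyfin_10_5`, and the consequence is that those systems stop receiving newer Jellyfin releases — security fixes included — until they set the option themselves. Record the reason (I assume an on-disk data migration between 10.5 and the current package, but that is not visible here) and the escape hatch in a comment above the assignment, e.g. `# stateVersion < 20.09 stays on 10.5 because moving to a newer release migrates the data directory; set services.jellyfin.package to upgrade`. The module's config block continues outside the hunk.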
diff --git a/nixos/modules/services/misc/mathics.nix b/nixos/modules/services/misc/mathics.nix
deleted file mode 100644
index c588a30d76c..00000000000
--- a/nixos/modules/services/misc/mathics.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-with lib;
-
-let
-  cfg = config.services.mathics;
-
-in {
-  options = {
-    services.mathics = {
-      enable = mkEnableOption "Mathics notebook service";
-
-      external = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Listen on all interfaces, rather than just localhost?";
-      };
-
-      port = mkOption {
-        type = types.int;
-        default = 8000;
-        description = "TCP port to listen on.";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    users.users.mathics = {
-      group = config.users.groups.mathics.name;
-      description = "Mathics user";
-      home = "/var/lib/mathics";
-      createHome = true;
-      uid = config.ids.uids.mathics;
-    };
-
-    users.groups.mathics.gid = config.ids.gids.mathics;
-
-    systemd.services.mathics = {
-      description = "Mathics notebook server";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      serviceConfig = {
-        User = config.users.users.mathics.name;
-        Group = config.users.groups.mathics.name;
-        ExecStart = concatStringsSep " " [
-          "${pkgs.mathics}/bin/mathicsserver"
-          "--port" (toString cfg.port)
-          (if cfg.external then "--external" else "")
-        ];
-      };
-    };
-  };
-}
diff --git a/nixos/modules/services/misc/mesos-master.nix b/nixos/modules/services/misc/mesos-master.nix
deleted file mode 100644
index 572a9847e46..00000000000
--- a/nixos/modules/services/misc/mesos-master.nix
+++ /dev/null
@@ -1,125 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.mesos.master;
-
-in {
-
-  options.services.mesos = {
-
-    master = {
-      enable = mkOption {
-        description = "Whether to enable the Mesos Master.";
-        default = false;
-        type = types.bool;
-      };
-
-      ip = mkOption {
-        description = "IP address to listen on.";
-        default = "0.0.0.0";
-        type = types.str;
-      };
-
-      port = mkOption {
-        description = "Mesos Master port";
-        default = 5050;
-        type = types.int;
-      };
-
-      advertiseIp = mkOption {
-        description = "IP address advertised to reach this master.";
-        default = null;
-        type = types.nullOr types.str;
-      };
-
-      advertisePort = mkOption {
-        description = "Port advertised to reach this Mesos master.";
-        default = null;
-        type = types.nullOr types.int;
-      };
-
-      zk = mkOption {
-        description = ''
-          ZooKeeper URL (used for leader election amongst masters).
-          May be one of:
-            zk://host1:port1,host2:port2,.../mesos
-            zk://username:password@host1:port1,host2:port2,.../mesos
-        '';
-        type = types.str;
-      };
-
-      workDir = mkOption {
-        description = "The Mesos work directory.";
-        default = "/var/lib/mesos/master";
-        type = types.str;
-      };
-
-      extraCmdLineOptions = mkOption {
-        description = ''
-          Extra command line options for Mesos Master.
-
-          See https://mesos.apache.org/documentation/latest/configuration/
-        '';
-        default = [ "" ];
-        type = types.listOf types.str;
-        example = [ "--credentials=VALUE" ];
-      };
-
-      quorum = mkOption {
-        description = ''
-          The size of the quorum of replicas when using 'replicated_log' based
-          registry. It is imperative to set this value to be a majority of
-          masters i.e., quorum > (number of masters)/2.
-
-          If 0 will fall back to --registry=in_memory.
-        '';
-        default = 0;
-        type = types.int;
-      };
-
-      logLevel = mkOption {
-        description = ''
-          The logging level used. Possible values:
-            'INFO', 'WARNING', 'ERROR'
-        '';
-        default = "INFO";
-        type = types.str;
-      };
-
-    };
-
-
-  };
-
-
-  config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "d '${cfg.workDir}' 0700 - - - -"
-    ];
-    systemd.services.mesos-master = {
-      description = "Mesos Master";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      serviceConfig = {
-        ExecStart = ''
-          ${pkgs.mesos}/bin/mesos-master \
-            --ip=${cfg.ip} \
-            --port=${toString cfg.port} \
-            ${optionalString (cfg.advertiseIp != null) "--advertise_ip=${cfg.advertiseIp}"} \
-            ${optionalString (cfg.advertisePort  != null) "--advertise_port=${toString cfg.advertisePort}"} \
-            ${if cfg.quorum == 0
-              then "--registry=in_memory"
-              else "--zk=${cfg.zk} --registry=replicated_log --quorum=${toString cfg.quorum}"} \
-            --work_dir=${cfg.workDir} \
-            --logging_level=${cfg.logLevel} \
-            ${toString cfg.extraCmdLineOptions}
-        '';
-        Restart = "on-failure";
-      };
-    };
-  };
-
-}
-
diff --git a/nixos/modules/services/misc/mesos-slave.nix b/nixos/modules/services/misc/mesos-slave.nix
deleted file mode 100644
index 170065d0065..00000000000
--- a/nixos/modules/services/misc/mesos-slave.nix
+++ /dev/null
@@ -1,220 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.mesos.slave;
-
-  mkAttributes =
-    attrs: concatStringsSep ";" (mapAttrsToList
-                                   (k: v: "${k}:${v}")
-                                   (filterAttrs (k: v: v != null) attrs));
-  attribsArg = optionalString (cfg.attributes != {})
-                              "--attributes=${mkAttributes cfg.attributes}";
-
-  containerizersArg = concatStringsSep "," (
-    lib.unique (
-      cfg.containerizers ++ (optional cfg.withDocker "docker")
-    )
-  );
-
-  imageProvidersArg = concatStringsSep "," (
-    lib.unique (
-      cfg.imageProviders ++ (optional cfg.withDocker "docker")
-    )
-  );
-
-  isolationArg = concatStringsSep "," (
-    lib.unique (
-      cfg.isolation ++ (optionals cfg.withDocker [ "filesystem/linux" "docker/runtime"])
-    )
-  );
-
-in {
-
-  options.services.mesos = {
-    slave = {
-      enable = mkOption {
-        description = "Whether to enable the Mesos Slave.";
-        default = false;
-        type = types.bool;
-      };
-
-      ip = mkOption {
-        description = "IP address to listen on.";
-        default = "0.0.0.0";
-        type = types.str;
-      };
-
-      port = mkOption {
-        description = "Port to listen on.";
-        default = 5051;
-        type = types.int;
-      };
-
-      advertiseIp = mkOption {
-        description = "IP address advertised to reach this agent.";
-        default = null;
-        type = types.nullOr types.str;
-      };
-
-      advertisePort = mkOption {
-        description = "Port advertised to reach this agent.";
-        default = null;
-        type = types.nullOr types.int;
-      };
-
-      containerizers = mkOption {
-        description = ''
-          List of containerizer implementations to compose in order to provide
-          containerization. Available options are mesos and docker.
-          The order the containerizers are specified is the order they are tried.
-        '';
-        default = [ "mesos" ];
-        type = types.listOf types.str;
-      };
-
-      imageProviders = mkOption {
-        description = "List of supported image providers, e.g., APPC,DOCKER.";
-        default = [ ];
-        type = types.listOf types.str;
-      };
-
-      imageProvisionerBackend = mkOption {
-        description = ''
-          Strategy for provisioning container rootfs from images,
-          e.g., aufs, bind, copy, overlay.
-        '';
-        default = "copy";
-        type = types.str;
-      };
-
-      isolation = mkOption {
-        description = ''
-          Isolation mechanisms to use, e.g., posix/cpu,posix/mem, or
-          cgroups/cpu,cgroups/mem, or network/port_mapping, or `gpu/nvidia` for nvidia
-          specific gpu isolation.
-        '';
-        default = [ "posix/cpu" "posix/mem" ];
-        type = types.listOf types.str;
-      };
-
-      master = mkOption {
-        description = ''
-          May be one of:
-            zk://host1:port1,host2:port2,.../path
-            zk://username:password@host1:port1,host2:port2,.../path
-        '';
-        type = types.str;
-      };
-
-      withHadoop = mkOption {
-        description = "Add the HADOOP_HOME to the slave.";
-        default = false;
-        type = types.bool;
-      };
-
-      withDocker = mkOption {
-        description = "Enable the docker containerizer.";
-        default = config.virtualisation.docker.enable;
-        type = types.bool;
-      };
-
-      dockerRegistry = mkOption {
-        description = ''
-          The default url for pulling Docker images.
-          It could either be a Docker registry server url,
-          or a local path in which Docker image archives are stored.
-        '';
-        default = null;
-        type = types.nullOr (types.either types.str types.path);
-      };
-
-      workDir = mkOption {
-        description = "The Mesos work directory.";
-        default = "/var/lib/mesos/slave";
-        type = types.str;
-      };
-
-      extraCmdLineOptions = mkOption {
-        description = ''
-          Extra command line options for Mesos Slave.
-
-          See https://mesos.apache.org/documentation/latest/configuration/
-        '';
-        default = [ "" ];
-        type = types.listOf types.str;
-        example = [ "--gc_delay=3days" ];
-      };
-
-      logLevel = mkOption {
-        description = ''
-          The logging level used. Possible values:
-            'INFO', 'WARNING', 'ERROR'
-        '';
-        default = "INFO";
-        type = types.str;
-      };
-
-      attributes = mkOption {
-        description = ''
-          Machine attributes for the slave instance.
-
-          Use caution when changing this; you may need to manually reset slave
-          metadata before the slave can re-register.
-        '';
-        default = {};
-        type = types.attrsOf types.str;
-        example = { rack = "aa";
-                    host = "aabc123";
-                    os = "nixos"; };
-      };
-
-      executorEnvironmentVariables = mkOption {
-        description = ''
-          The environment variables that should be passed to the executor, and thus subsequently task(s).
-        '';
-        default = {
-          PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
-        };
-        type = types.attrsOf types.str;
-      };
-    };
-
-  };
-
-  config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "d '${cfg.workDir}' 0701 - - - -"
-    ];
-    systemd.services.mesos-slave = {
-      description = "Mesos Slave";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ] ++ optionals cfg.withDocker [ "docker.service" ] ;
-      path = [ pkgs.runtimeShellPackage ];
-      serviceConfig = {
-        ExecStart = ''
-          ${pkgs.mesos}/bin/mesos-slave \
-            --containerizers=${containerizersArg} \
-            --image_providers=${imageProvidersArg} \
-            --image_provisioner_backend=${cfg.imageProvisionerBackend} \
-            --isolation=${isolationArg} \
-            --ip=${cfg.ip} \
-            --port=${toString cfg.port} \
-            ${optionalString (cfg.advertiseIp != null) "--advertise_ip=${cfg.advertiseIp}"} \
-            ${optionalString (cfg.advertisePort  != null) "--advertise_port=${toString cfg.advertisePort}"} \
-            --master=${cfg.master} \
-            --work_dir=${cfg.workDir} \
-            --logging_level=${cfg.logLevel} \
-            ${attribsArg} \
-            ${optionalString cfg.withHadoop "--hadoop-home=${pkgs.hadoop}"} \
-            ${optionalString cfg.withDocker "--docker=${pkgs.docker}/libexec/docker/docker"} \
-            ${optionalString (cfg.dockerRegistry != null) "--docker_registry=${cfg.dockerRegistry}"} \
-            --executor_environment_variables=${lib.escapeShellArg (builtins.toJSON cfg.executorEnvironmentVariables)} \
-            ${toString cfg.extraCmdLineOptions}
-        '';
-      };
-    };
-  };
-
-}
diff --git a/nixos/modules/services/misc/pinnwand.nix b/nixos/modules/services/misc/pinnwand.nix
new file mode 100644
index 00000000000..aa1ee5cfaa7
--- /dev/null
+++ b/nixos/modules/services/misc/pinnwand.nix
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.pinnwand;
+
+  format = pkgs.formats.toml {};
+  configFile = format.generate "pinnwand.toml" cfg.settings;
+in
+{
+  options.services.pinnwand = {
+    enable = mkEnableOption "Pinnwand";
+
+    port = mkOption {
+      type = types.port;
+      description = "The port to listen on.";
+      default = 8000;
+    };
+
+    settings = mkOption {
+      type = format.type;
+      description = ''
+        Your <filename>pinnwand.toml</filename> as a Nix attribute set. Look up
+        possible options in the <link xlink:href="https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example">pinnwand.toml-example</link>.
+      '';
+      default = {
+        # https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example
+        database_uri = "sqlite:///var/lib/pinnwand/pinnwand.db";
+        preferred_lexeres = [];
+        paste_size = 262144;
+        paste_help = ''
+          <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p>
+        '';
+        footer = ''
+          View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.pinnwand = {
+      description = "Pinnwannd HTTP Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
+      serviceConfig = {
+        ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString(cfg.port)}";
+        StateDirectory = "pinnwand";
+        StateDirectoryMode = "0700";
+
+        AmbientCapabilities = [];
+        CapabilityBoundingSet = "";
+        DevicePolicy = "closed";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectKernelLogs = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = "0077";
+      };
+    };
+  };
+}
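Review bot: `database_uri = "sqlite:///var/lib/pinnwand/pinnwand.db"` has three slashes, which in SQLAlchemy-style URIs (pinnwand is Python; please confirm it parses the URI that way) means a path relative to the working directory — it only lands in the StateDirectory because the unit's cwd defaults to `/`, so `sqlite:////var/lib/pinnwand/pinnwand.db` is the robust spelling. Because these values live in the option's `default`, a user who sets any key in `settings` replaces the whole set and silently loses the database path; declaring it as `services.pinnwand.settings.database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db";` inside `config` survives that. Two spellings also look off and should be checked against upstream: the key `preferred_lexeres` (the example config appears to use `preferred_lexers`) and the unit description "Pinnwannd".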
diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix
index 5c096d26d82..f298f831fa7 100644
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@@ -25,6 +25,15 @@ let
       then "/${lib.concatStringsSep "/" (lib.tail addr)}"
     else null; # not valid for listen stream, skip
 
+  multiaddrToListenDatagram = addrRaw: let
+      addr = splitMulitaddr addrRaw;
+      s = builtins.elemAt addr;
+    in if s 0 == "ip4" && s 2 == "udp"
+      then "${s 1}:${s 3}"
+    else if s 0 == "ip6" && s 2 == "udp"
+      then "[${s 1}]:${s 3}"
+    else null; # not valid for listen datagram, skip
+
 in {
 
   ###### interface
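Review bot: multiaddrToListenDatagram duplicates the ip4/ip6 branches of multiaddrToListenStream, differing only in the transport tag and the dropped `/unix/` case, so a fix to one (for instance guarding `s 2`/`s 3` against multiaddrs with fewer than four components, which currently fails with a list-index error at evaluation time) will be missed in the other. Extracting the host:port conversion into one function parameterised by transport keeps them aligned; the stream variant, whose ip branches begin above this hunk, would wrap it and keep its unix branch. The deliberate absence of a unix datagram case is worth stating in the trailing comment, e.g. `else null; # only ip4/ip6 udp; unix datagram sockets are not derived from multiaddrs`.
```nix
  # ip4/ip6 multiaddr -> "host:port" for the given transport tag ("tcp" or "udp");
  # null when the address does not have that shape so the caller can skip it.
  multiaddrToHostPort = proto: addrRaw: let
      addr = splitMulitaddr addrRaw;
      s = builtins.elemAt addr;
    in if builtins.length addr >= 4 && s 0 == "ip4" && s 2 == proto
      then "${s 1}:${s 3}"
    else if builtins.length addr >= 4 && s 0 == "ip6" && s 2 == proto
      then "[${s 1}]:${s 3}"
    else null;

  multiaddrToListenDatagram = multiaddrToHostPort "udp";
  # … unchanged: multiaddrToListenStream (begins above this hunk; can become
  #   multiaddrToHostPort "tcp" plus its existing /unix/ branch) …
```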
@@ -268,9 +277,14 @@ in {
 
     systemd.sockets.ipfs-gateway = {
       wantedBy = [ "sockets.target" ];
-      socketConfig.ListenStream = let
-          fromCfg = multiaddrToListenStream cfg.gatewayAddress;
-        in [ "" ] ++ lib.optional (fromCfg != null) fromCfg;
+      socketConfig = {
+        ListenStream = let
+            fromCfg = multiaddrToListenStream cfg.gatewayAddress;
+          in [ "" ] ++ lib.optional (fromCfg != null) fromCfg;
+        ListenDatagram = let
+            fromCfg = multiaddrToListenDatagram cfg.gatewayAddress;
+          in [ "" ] ++ lib.optional (fromCfg != null) fromCfg;
+      };
     };
 
     systemd.sockets.ipfs-api = {
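Review bot: Both ListenStream and ListenDatagram now begin with `""`, and since a single gatewayAddress can satisfy at most one of the two helpers, one list is always just the reset entry; that is valid systemd (an empty assignment clears inherited listeners, presumably those of the socket unit the package ships) but reads like a mistake without a comment. Suggest `# "" resets listeners inherited from the packaged unit; at most one of the two receives the configured address` above `socketConfig = {`. A gateway address that is neither tcp nor udp on ip4/ip6 leaves the socket with no listener at all, and nothing warns about that.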
diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix
index ba9281cf6f0..bc9aa53f49a 100644
--- a/nixos/modules/services/networking/bitcoind.nix
+++ b/nixos/modules/services/networking/bitcoind.nix
@@ -256,6 +256,6 @@ in
 
   };
 
-  meta.maintainers = with maintainers; [ maintainers."1000101" ];
+  meta.maintainers = with maintainers; [ _1000101 ];
 
 }
diff --git a/nixos/modules/services/networking/blockbook-frontend.nix b/nixos/modules/services/networking/blockbook-frontend.nix
index f289683cef0..dde24522756 100644
--- a/nixos/modules/services/networking/blockbook-frontend.nix
+++ b/nixos/modules/services/networking/blockbook-frontend.nix
@@ -270,6 +270,6 @@ in
       nameValuePair "${cfg.group}" { })) eachBlockbook;
   };
 
-  meta.maintainers = with maintainers; [ maintainers."1000101" ];
+  meta.maintainers = with maintainers; [ _1000101 ];
 
 }
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix
index 26ddd4e811e..ccb34163d5f 100644
--- a/nixos/modules/services/networking/kresd.nix
+++ b/nixos/modules/services/networking/kresd.nix
@@ -129,13 +129,17 @@ in {
     systemd.services."kresd@".serviceConfig = {
       ExecStart = "${package}/bin/kresd --noninteractive "
         + "-c ${package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}";
-      # Ensure correct ownership in case UID or GID changes.
+      # Ensure /run/knot-resolver exists
+      RuntimeDirectory = "knot-resolver";
+      RuntimeDirectoryMode = "0770";
+      # Ensure /var/lib/knot-resolver exists
+      StateDirectory = "knot-resolver";
+      StateDirectoryMode = "0770";
+      # Ensure /var/cache/knot-resolver exists
       CacheDirectory = "knot-resolver";
-      CacheDirectoryMode = "0750";
+      CacheDirectoryMode = "0770";
     };
 
-    systemd.tmpfiles.packages = [ package ];
-
     # Try cleaning up the previously default location of cache file.
     # Note that /var/cache/* should always be safe to remove.
     # TODO: remove later, probably between 20.09 and 21.03
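Review bot: RuntimeDirectoryMode, StateDirectoryMode and CacheDirectoryMode are all set to `0770`, which lets every member of the service's group replace files under /run, /var/lib and /var/cache/knot-resolver; the cache was 0750 before and nothing in the hunk says who needs group write. If the state directory holds the DNSSEC trust-anchor file (upstream's default layout — confirm against the config generated above), a group member could tamper with validation, so either justify the group write in the comment or narrow it, e.g. `StateDirectoryMode = "0750";`. The removed `systemd.tmpfiles.packages = [ package ]` presumably created these directories until now, so the three *Directory= settings replace it — say that instead of the generic "Ensure … exists", and keep the dropped note that this also fixes ownership when the UID/GID changes if that still applies.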
diff --git a/nixos/modules/services/networking/trickster.nix b/nixos/modules/services/networking/trickster.nix
index bcf5a04ae5f..49c945adb80 100644
--- a/nixos/modules/services/networking/trickster.nix
+++ b/nixos/modules/services/networking/trickster.nix
@@ -108,7 +108,6 @@ in
     };
   };
 
-  meta.maintainers = with maintainers; [ maintainers."1000101" ];
+  meta.maintainers = with maintainers; [ _1000101 ];
 
 }
-
diff --git a/nixos/modules/services/networking/xandikos.nix b/nixos/modules/services/networking/xandikos.nix
index f1882261656..3c40bb956f5 100644
--- a/nixos/modules/services/networking/xandikos.nix
+++ b/nixos/modules/services/networking/xandikos.nix
@@ -90,7 +90,7 @@ in
   config = mkIf cfg.enable (
     mkMerge [
       {
-        meta.maintainers = [ lib.maintainers."0x4A6F" ];
+        meta.maintainers = with lib.maintainers; [ _0x4A6F ];
 
         systemd.services.xandikos = {
           description = "A Simple Calendar and Contact Server";
diff --git a/nixos/modules/services/scheduling/chronos.nix b/nixos/modules/services/scheduling/chronos.nix
deleted file mode 100644
index 9a8ed4c09ac..00000000000
--- a/nixos/modules/services/scheduling/chronos.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.chronos;
-
-in {
-
-  ###### interface
-
-  options.services.chronos = {
-    enable = mkOption {
-      description = "Whether to enable graphite web frontend.";
-      default = false;
-      type = types.bool;
-    };
-
-    httpPort = mkOption {
-      description = "Chronos listening port";
-      default = 4400;
-      type = types.int;
-    };
-
-    master = mkOption {
-      description = "Chronos mesos master zookeeper address";
-      default = "zk://${head cfg.zookeeperHosts}/mesos";
-      type = types.str;
-    };
-
-    zookeeperHosts = mkOption {
-      description = "Chronos mesos zookepper addresses";
-      default = [ "localhost:2181" ];
-      type = types.listOf types.str;
-    };
-  };
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-    systemd.services.chronos = {
-      description = "Chronos Service";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "zookeeper.service" ];
-
-      serviceConfig = {
-        ExecStart = "${pkgs.chronos}/bin/chronos --master ${cfg.master} --zk_hosts ${concatStringsSep "," cfg.zookeeperHosts} --http_port ${toString cfg.httpPort}";
-        User = "chronos";
-      };
-    };
-
-    users.users.chronos.uid = config.ids.uids.chronos;
-  };
-}
diff --git a/nixos/modules/services/scheduling/marathon.nix b/nixos/modules/services/scheduling/marathon.nix
deleted file mode 100644
index 2e0d20c64b2..00000000000
--- a/nixos/modules/services/scheduling/marathon.nix
+++ /dev/null
@@ -1,98 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  cfg = config.services.marathon;
-
-in {
-
-  ###### interface
-
-  options.services.marathon = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-	Whether to enable the marathon mesos framework.
-      '';
-    };
-
-    master = mkOption {
-      type = types.str;
-      default = "zk://${concatStringsSep "," cfg.zookeeperHosts}/mesos";
-      example = "zk://1.2.3.4:2181,2.3.4.5:2181,3.4.5.6:2181/mesos";
-      description = ''
-	Mesos master address. See <link xlink:href="https://mesosphere.github.io/marathon/docs/"/> for details.
-      '';
-    };
-
-    zookeeperHosts = mkOption {
-      type = types.listOf types.str;
-      default = [ "localhost:2181" ];
-      example = [ "1.2.3.4:2181" "2.3.4.5:2181" "3.4.5.6:2181" ];
-      description = ''
-	ZooKeeper hosts' addresses.
-      '';
-    };
-
-    user = mkOption {
-      type = types.str;
-      default = "marathon";
-      example = "root";
-      description = ''
-	The user that the Marathon framework will be launched as. If the user doesn't exist it will be created.
-	If you want to run apps that require root access or you want to launch apps using arbitrary users, that
-	is using the `--mesos_user` flag then you need to change this to `root`.
-      '';
-    };
-
-    httpPort = mkOption {
-      type = types.int;
-      default = 8080;
-      description = ''
-	Marathon listening port for HTTP connections.
-      '';
-    };
-
-    extraCmdLineOptions = mkOption {
-      type = types.listOf types.str;
-      default = [ ];
-      example = [ "--https_port=8443" "--zk_timeout=10000" "--marathon_store_timeout=2000" ];
-      description = ''
-	Extra command line options to pass to Marathon.
-	See <link xlink:href="https://mesosphere.github.io/marathon/docs/command-line-flags.html"/> for all possible flags.
-      '';
-    };
-
-    environment = mkOption {
-      default = { };
-      type = types.attrs;
-      example = { JAVA_OPTS = "-Xmx512m"; MESOSPHERE_HTTP_CREDENTIALS = "username:password"; };
-      description = ''
-	Environment variables passed to Marathon.
-      '';
-    };
-  };
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-    systemd.services.marathon = {
-      description = "Marathon Service";
-      environment = cfg.environment;
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "zookeeper.service" "mesos-master.service" "mesos-slave.service" ];
-
-      serviceConfig = {
-        ExecStart = "${pkgs.marathon}/bin/marathon --master ${cfg.master} --zk zk://${concatStringsSep "," cfg.zookeeperHosts}/marathon --http_port ${toString cfg.httpPort} ${concatStringsSep " " cfg.extraCmdLineOptions}";
-        User = cfg.user;
-        Restart = "always";
-        RestartSec = "2";
-      };
-    };
-
-    users.users.${cfg.user}.isSystemUser = true;
-  };
-}
diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix
index d6abfd0e271..c2988858e56 100644
--- a/nixos/modules/services/security/privacyidea.nix
+++ b/nixos/modules/services/security/privacyidea.nix
@@ -234,7 +234,6 @@ in
           ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
           NotifyAccess = "main";
           KillSignal = "SIGQUIT";
-          StandardError = "syslog";
         };
       };
 
diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix
index f4118eb87fc..16a90da5231 100644
--- a/nixos/modules/services/security/usbguard.nix
+++ b/nixos/modules/services/security/usbguard.nix
@@ -1,37 +1,39 @@
-{config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
-
 let
-
   cfg = config.services.usbguard;
 
   # valid policy options
   policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]);
 
+  defaultRuleFile = "/var/lib/usbguard/rules.conf";
+
   # decide what file to use for rules
-  ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else cfg.ruleFile;
+  ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else defaultRuleFile;
 
   daemonConf = ''
-      # generated by nixos/modules/services/security/usbguard.nix
-      RuleFile=${ruleFile}
-      ImplicitPolicyTarget=${cfg.implictPolicyTarget}
-      PresentDevicePolicy=${cfg.presentDevicePolicy}
-      PresentControllerPolicy=${cfg.presentControllerPolicy}
-      InsertedDevicePolicy=${cfg.insertedDevicePolicy}
-      RestoreControllerDeviceState=${if cfg.restoreControllerDeviceState then "true" else "false"}
-      # this does not seem useful for endusers to change
-      DeviceManagerBackend=uevent
-      IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers}
-      IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}
-      IPCAccessControlFiles=${cfg.IPCAccessControlFiles}
-      DeviceRulesWithPort=${if cfg.deviceRulesWithPort then "true" else "false"}
-      AuditFilePath=${cfg.auditFilePath}
-    '';
-
-    daemonConfFile = pkgs.writeText "usbguard-daemon-conf" daemonConf;
-
-in {
+    # generated by nixos/modules/services/security/usbguard.nix
+    RuleFile=${ruleFile}
+    ImplicitPolicyTarget=${cfg.implictPolicyTarget}
+    PresentDevicePolicy=${cfg.presentDevicePolicy}
+    PresentControllerPolicy=${cfg.presentControllerPolicy}
+    InsertedDevicePolicy=${cfg.insertedDevicePolicy}
+    RestoreControllerDeviceState=${if cfg.restoreControllerDeviceState then "true" else "false"}
+    # this does not seem useful for endusers to change
+    DeviceManagerBackend=uevent
+    IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers}
+    IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}
+    IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/
+    DeviceRulesWithPort=${if cfg.deviceRulesWithPort then "true" else "false"}
+    # HACK: that way audit logs still land in the journal
+    AuditFilePath=/dev/null
+  '';
+
+  daemonConfFile = pkgs.writeText "usbguard-daemon-conf" daemonConf;
+
+in
+{
 
   ###### interface
 
@@ -49,22 +51,6 @@ in {
         '';
       };
 
-      ruleFile = mkOption {
-        type = types.path;
-        default = "/var/lib/usbguard/rules.conf";
-        description = ''
-          The USBGuard daemon will use this file to load the policy rule set
-          from it and to write new rules received via the IPC interface.
-
-          Running the command <literal>usbguard generate-policy</literal> as
-          root will generate a config for your currently plugged in devices.
-          For a in depth guide consult the official documentation.
-
-          Setting the <literal>rules</literal> option will ignore the
-          <literal>ruleFile</literal> option.
-        '';
-      };
-
       rules = mkOption {
         type = types.nullOr types.lines;
         default = null;
@@ -72,16 +58,20 @@ in {
           allow with-interface equals { 08:*:* }
         '';
         description = ''
-          The USBGuard daemon will load this policy rule set. Modifying it via
-          the IPC interface won't work if you use this option, since the
-          contents of this option will be written into the nix-store it will be
-          read-only.
+          The USBGuard daemon will load this as the policy rule set.
+          As these rules are NixOS managed they are immutable and can't
+          be changed by the IPC interface.
+
+          If you do not set this option, the USBGuard daemon will load
+          it's policy rule set from <literal>${defaultRuleFile}</literal>.
+          This file can be changed manually or via the IPC interface.
 
-          You can still use <literal> usbguard generate-policy</literal> to
-          generate rules, but you would have to insert them here.
+          Running <literal>usbguard generate-policy</literal> as root will
+          generate a config for your currently plugged in devices.
 
-          Setting the <literal>rules</literal> option will ignore the
-          <literal>ruleFile</literal> option.
+          For more details see <citerefentry>
+          <refentrytitle>usbguard-rules.conf</refentrytitle>
+          <manvolnum>5</manvolnum></citerefentry>.
         '';
       };
 
@@ -155,17 +145,6 @@ in {
         '';
       };
 
-      IPCAccessControlFiles = mkOption {
-        type = types.path;
-        default = "/var/lib/usbguard/IPCAccessControl.d/";
-        description = ''
-          The files at this location will be interpreted by the daemon as IPC
-          access control definition files. See the IPC ACCESS CONTROL section
-          in <citerefentry><refentrytitle>usbguard-daemon.conf</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry> for more details.
-        '';
-      };
-
       deviceRulesWithPort = mkOption {
         type = types.bool;
         default = false;
@@ -173,14 +152,6 @@ in {
           Generate device specific rules including the "via-port" attribute.
         '';
       };
-
-      auditFilePath = mkOption {
-        type = types.path;
-        default = "/var/log/usbguard/usbguard-audit.log";
-        description = ''
-          USBGuard audit events log file path.
-        '';
-      };
     };
   };
 
@@ -197,17 +168,19 @@ in {
       wantedBy = [ "basic.target" ];
       wants = [ "systemd-udevd.service" ];
 
-      # make sure an empty rule file and required directories exist
-      preStart = ''
-        mkdir -p $(dirname "${cfg.ruleFile}") $(dirname "${cfg.auditFilePath}") "${cfg.IPCAccessControlFiles}" \
-          && ([ -f "${cfg.ruleFile}" ] || touch ${cfg.ruleFile})
-      '';
+      # make sure an empty rule file exists
+      preStart = ''[ -f "${ruleFile}" ] || touch ${ruleFile}'';
 
       serviceConfig = {
         Type = "simple";
         ExecStart = ''${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
         Restart = "on-failure";
 
+        StateDirectory = [
+          "usbguard"
+          "usbguard/IPCAccessControl.d"
+        ];
+
         AmbientCapabilities = "";
         CapabilityBoundingSet = "CAP_CHOWN CAP_FOWNER";
         DeviceAllow = "/dev/null rw";
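Review bot: The new preStart quotes `${ruleFile}` in the test but not in the `touch`, so `[ -f "${ruleFile}" ] || touch ${ruleFile}` is inconsistent; make it `preStart = ''[ -f "${ruleFile}" ] || touch "${ruleFile}"'';`. The line relies on the new `StateDirectory` entries existing before ExecStartPre runs, which systemd guarantees as far as I know, but a short comment saying so would save the next reader from re-checking. Note also that when `cfg.rules` is set `ruleFile` is presumably a store path that always exists, so the `touch` branch only matters for the mutable default file.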
@@ -223,8 +196,8 @@ in {
         ProtectKernelModules = true;
         ProtectSystem = true;
         ReadOnlyPaths = "-/";
-        ReadWritePaths = "-/dev/shm -${dirOf cfg.auditFilePath} -/tmp -${dirOf cfg.ruleFile}";
-        RestrictAddressFamilies = "AF_UNIX AF_NETLINK";
+        ReadWritePaths = "-/dev/shm -/tmp";
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         SystemCallArchitectures = "native";
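Review bot: `ReadWritePaths` no longer lists the directory holding the rule file while `ReadOnlyPaths = "-/"` and `ProtectSystem = true` stay in place, so the new code depends on `StateDirectory=` being implicitly writable under a read-only root. I believe systemd only adds the State/Runtime/Cache directories to the writable set when `ProtectSystem=strict` is in effect, in which case `/var/lib/usbguard` would become read-only here and rule changes over IPC (`usbguard append-rule`) would fail; please verify this on a live system. If it does, keep the path explicit: `ReadWritePaths = "-/dev/shm -/tmp -/var/lib/usbguard";`. The serviceConfig this belongs to continues outside the hunk.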
@@ -233,4 +206,9 @@ in {
       };
     };
   };
+  imports = [
+    (mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.")
+    (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.")
+    (mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
+  ];
 }
diff --git a/nixos/modules/services/system/earlyoom.nix b/nixos/modules/services/system/earlyoom.nix
index c6a001d30ee..e29bdbe264c 100644
--- a/nixos/modules/services/system/earlyoom.nix
+++ b/nixos/modules/services/system/earlyoom.nix
@@ -106,7 +106,6 @@ in
       path = optional ecfg.enableNotifications pkgs.dbus;
       serviceConfig = {
         StandardOutput = "null";
-        StandardError = "syslog";
         ExecStart = ''
           ${pkgs.earlyoom}/bin/earlyoom \
           -m ${toString ecfg.freeMemThreshold} \
diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
index 92df46083ec..014a22bb5a8 100644
--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -11,6 +11,7 @@ let
   settingsDir = ".config/transmission-daemon";
   downloadsDir = "Downloads";
   incompleteDir = ".incomplete";
+  watchDir = "watchdir";
   # TODO: switch to configGen.json once RFC0042 is implemented
   settingsFile = pkgs.writeText "settings.json" (builtins.toJSON cfg.settings);
 in
@@ -35,6 +36,8 @@ in
             download-dir = "${cfg.home}/${downloadsDir}";
             incomplete-dir = "${cfg.home}/${incompleteDir}";
             incomplete-dir-enabled = true;
+            watch-dir = "${cfg.home}/${watchDir}";
+            watch-dir-enabled = false;
             message-level = 1;
             peer-port = 51413;
             peer-port-random-high = 65535;
@@ -161,6 +164,9 @@ in
       { assertion = types.path.check cfg.settings.incomplete-dir;
         message = "`services.transmission.settings.incomplete-dir' must be an absolute path.";
       }
+      { assertion = types.path.check cfg.settings.watch-dir;
+        message = "`services.transmission.settings.watch-dir' must be an absolute path.";
+      }
       { assertion = cfg.settings.script-torrent-done-filename == "" || types.path.check cfg.settings.script-torrent-done-filename;
         message = "`services.transmission.settings.script-torrent-done-filename' must be an absolute path.";
       }
@@ -220,14 +226,16 @@ in
             cfg.settings.download-dir
           ] ++
           optional cfg.settings.incomplete-dir-enabled
-            cfg.settings.incomplete-dir;
+            cfg.settings.incomplete-dir
+          ++
+          optional cfg.settings.watch-dir-enabled
+            cfg.settings.watch-dir
+          ;
         BindReadOnlyPaths = [
           # No confinement done of /nix/store here like in systemd-confinement.nix,
           # an AppArmor profile is provided to get a confinement based upon paths and rights.
           builtins.storeDir
-          "-/etc/hosts"
-          "-/etc/ld-nix.so.preload"
-          "-/etc/localtime"
+          "/etc"
           ] ++
           optional (cfg.settings.script-torrent-done-enabled &&
                     cfg.settings.script-torrent-done-filename != "")
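Review bot: Replacing the three explicit entries with a bare `"/etc"` in `BindReadOnlyPaths` exposes the whole host `/etc` to the sandbox instead of just hosts, ld-nix.so.preload and localtime, and also drops the `-` prefix that made the entries optional. The hunk does not show which file motivated this; if it is something like resolv.conf, TLS trust roots or nsswitch, enumerating them (`"-/etc/resolv.conf"`, `"-/etc/ssl"`, `"-/etc/static"`, …) keeps the least-privilege shape the old list had. The comment above says the AppArmor profile is the real confinement, so this is defence in depth rather than a hard breach, but the widening deserves a one-line comment explaining why it is needed. The serviceConfig this list belongs to starts outside the hunk.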
@@ -410,11 +418,17 @@ in
           ${optionalString cfg.settings.incomplete-dir-enabled ''
             rw ${cfg.settings.incomplete-dir}/**,
           ''}
+          ${optionalString cfg.settings.watch-dir-enabled ''
+            rw ${cfg.settings.watch-dir}/**,
+          ''}
           profile dirs {
             rw ${cfg.settings.download-dir}/**,
             ${optionalString cfg.settings.incomplete-dir-enabled ''
               rw ${cfg.settings.incomplete-dir}/**,
             ''}
+            ${optionalString cfg.settings.watch-dir-enabled ''
+              rw ${cfg.settings.watch-dir}/**,
+            ''}
           }
 
           ${optionalString (cfg.settings.script-torrent-done-enabled &&
diff --git a/nixos/modules/services/video/mirakurun.nix b/nixos/modules/services/video/mirakurun.nix
new file mode 100644
index 00000000000..675b67f6ebf
--- /dev/null
+++ b/nixos/modules/services/video/mirakurun.nix
@@ -0,0 +1,165 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.mirakurun;
+  mirakurun = pkgs.mirakurun;
+  username = config.users.users.mirakurun.name;
+  groupname = config.users.users.mirakurun.group;
+  settingsFmt = pkgs.formats.yaml {};
+in
+  {
+    options = {
+      services.mirakurun = {
+        enable = mkEnableOption mirakurun.meta.description;
+
+        port = mkOption {
+          type = with types; nullOr port;
+          default = 40772;
+          description = ''
+            Port to listen on. If null, it won't listen on any port.
+          '';
+        };
+
+        openFirewall = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Open ports in the firewall for Mirakurun.
+          '';
+        };
+
+        serverSettings = mkOption {
+          type = settingsFmt.type;
+          default = {};
+          example = literalExample ''
+            {
+              highWaterMark = 25165824;
+              overflowTimeLimit = 30000;
+            };
+          '';
+          description = ''
+            Options for server.yml.
+
+            Documentation:
+            <link xlink:href="https://github.com/Chinachu/Mirakurun/blob/master/doc/Configuration.md"/>
+          '';
+        };
+
+        tunerSettings = mkOption {
+          type = with types; nullOr settingsFmt.type;
+          default = null;
+          example = literalExample ''
+            [
+              {
+                name = "tuner-name";
+                types = [ "GR" "BS" "CS" "SKY" ];
+                dvbDevicePath = "/dev/dvb/adapterX/dvrX";
+              }
+            ];
+          '';
+          description = ''
+            Options which are added to tuners.yml. If none is specified, it will
+            automatically be generated at runtime.
+
+            Documentation:
+            <link xlink:href="https://github.com/Chinachu/Mirakurun/blob/master/doc/Configuration.md"/>
+          '';
+        };
+
+        channelSettings = mkOption {
+          type = with types; nullOr settingsFmt.type;
+          default = null;
+          example = literalExample ''
+            [
+              {
+                name = "channel";
+                types = "GR";
+                channel = "0";
+              }
+            ];
+          '';
+          description = ''
+            Options which are added to channels.yml. If none is specified, it
+            will automatically be generated at runtime.
+
+            Documentation:
+            <link xlink:href="https://github.com/Chinachu/Mirakurun/blob/master/doc/Configuration.md"/>
+          '';
+        };
+      };
+    };
+
+    config = mkIf cfg.enable {
+      environment.systemPackages = [ mirakurun ];
+      environment.etc = {
+        "mirakurun/server.yml".source = settingsFmt.generate "server.yml" cfg.serverSettings;
+        "mirakurun/tuners.yml" = mkIf (cfg.tunerSettings != null) {
+          source = settingsFmt.generate "tuners.yml" cfg.tunerSettings;
+          mode = "0644";
+          user = username;
+          group = groupname;
+        };
+        "mirakurun/channels.yml" = mkIf (cfg.channelSettings != null) {
+          source = settingsFmt.generate "channels.yml" cfg.channelSettings;
+          mode = "0644";
+          user = username;
+          group = groupname;
+        };
+      };
+
+      networking.firewall = mkIf cfg.openFirewall {
+        allowedTCPPorts = mkIf (cfg.port != null) [ cfg.port ];
+      };
+
+      users.users.mirakurun = {
+        description = "Mirakurun user";
+        group = "video";
+        isSystemUser = true;
+      };
+
+      services.mirakurun.serverSettings = {
+        logLevel = mkDefault 2;
+        path = mkDefault "/var/run/mirakurun/mirakurun.sock";
+        port = mkIf (cfg.port != null) (mkDefault cfg.port);
+      };
+
+      systemd.tmpfiles.rules = [
+        "d '/etc/mirakurun' - ${username} ${groupname} - -"
+      ];
+
+      systemd.services.mirakurun = {
+        description = mirakurun.meta.description;
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          ExecStart = "${mirakurun}/bin/mirakurun";
+          User = username;
+          Group = groupname;
+          RuntimeDirectory="mirakurun";
+          StateDirectory="mirakurun";
+          Nice = -10;
+          IOSchedulingClass = "realtime";
+          IOSchedulingPriority = 7;
+        };
+
+        environment = {
+          SERVER_CONFIG_PATH = "/etc/mirakurun/server.yml";
+          TUNERS_CONFIG_PATH = "/etc/mirakurun/tuners.yml";
+          CHANNELS_CONFIG_PATH = "/etc/mirakurun/channels.yml";
+          SERVICES_DB_PATH = "/var/lib/mirakurun/services.json";
+          PROGRAMS_DB_PATH = "/var/lib/mirakurun/programs.json";
+          NODE_ENV = "production";
+        };
+
+        restartTriggers = let
+          getconf = target: config.environment.etc."mirakurun/${target}.yml".source;
+          targets = [
+            "server"
+          ] ++ optional (cfg.tunerSettings != null) "tuners"
+            ++ optional (cfg.channelSettings != null) "channels";
+        in (map getconf targets);
+      };
+    };
+  }
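Review bot: The service user is made the owner of `/etc/mirakurun` (the tmpfiles rule) and of the generated tuners.yml/channels.yml, while the unit at the bottom has no sandboxing at all and listens on TCP 40772 by default; a compromise of the daemon (whose HTTP API, as far as I know, carries no authentication) can then rewrite its own configuration and touch anything the `mirakurun` user can. Write access to the config directory may be intentional because tuners.yml/channels.yml are auto-generated at runtime, but that can be scoped with `ProtectSystem = "strict"` plus `ReadWritePaths = [ "/etc/mirakurun" ]` instead of leaving the whole filesystem open, and `ProtectHome`/`PrivateTmp`/`NoNewPrivileges` cost nothing here. Do not add `PrivateDevices`, since the tuners under `/dev/dvb` must stay reachable. Separately, the `channelSettings` example uses `types = "GR"` while the tuner example uses `types = [ ... ]`; if Mirakurun's channels.yml key is the singular `type` as I recall, the example should say `type = "GR"`.
```nix
        serviceConfig = {
          # … unchanged: ExecStart, User, Group, RuntimeDirectory, StateDirectory, Nice, IOScheduling* …
          ProtectSystem = "strict";
          ReadWritePaths = [ "/etc/mirakurun" ];
          ProtectHome = true;
          PrivateTmp = true;
          NoNewPrivileges = true;
        };
```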
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index c59ca9983a6..50e424fccbf 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@@ -73,8 +73,6 @@ in {
         TTYVTDisallocate = "yes";
         # Fail to start if not controlling the virtual terminal.
         StandardInput = "tty-fail";
-        StandardOutput = "syslog";
-        StandardError = "syslog";
         # Set up a full (custom) user session for the user, required by Cage.
         PAMName = "cage";
       };
diff --git a/nixos/modules/services/web-apps/dokuwiki.nix b/nixos/modules/services/web-apps/dokuwiki.nix
index 7aaa832a602..d9ebb3a9880 100644
--- a/nixos/modules/services/web-apps/dokuwiki.nix
+++ b/nixos/modules/services/web-apps/dokuwiki.nix
@@ -383,6 +383,6 @@ in
     };
   };
 
-  meta.maintainers = with maintainers; [ maintainers."1000101" ];
+  meta.maintainers = with maintainers; [ _1000101 ];
 
 }
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 0579e58d1d6..7da119758fc 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -47,8 +47,18 @@ let
 in {
 
   imports = [
-    ( mkRemovedOptionModule [ "services" "nextcloud" "nginx" "enable" ]
-      "The nextcloud module dropped support for other webservers than nginx.")
+    (mkRemovedOptionModule [ "services" "nextcloud" "nginx" "enable" ] ''
+      The nextcloud module supports `nginx` as reverse-proxy by default and doesn't
+      support other reverse-proxies officially.
+
+      However it's possible to use an alternative reverse-proxy by
+
+        * disabling nginx
+        * setting `listen.owner` & `listen.group` in the phpfpm-pool to a different value
+
+      Further details about this can be found in the `Nextcloud`-section of the NixOS-manual
+      (which can be openend e.g. by running `nixos-help`).
+    '')
   ];
 
   options.services.nextcloud = {
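Review bot: The removal message has a typo in its last line, `openend` should be `opened`. This string is shown to users at evaluation time when they still set the removed option, so it is worth fixing before the release branch is cut.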
@@ -531,107 +541,103 @@ in {
 
       environment.systemPackages = [ occ ];
 
-      services.nginx = mkDefault {
-        enable = true;
-        virtualHosts.${cfg.hostName} = {
-          root = cfg.package;
-          locations = {
-            "= /robots.txt" = {
-              priority = 100;
-              extraConfig = ''
-                allow all;
-                log_not_found off;
-                access_log off;
-              '';
-            };
-            "/" = {
-              priority = 200;
-              extraConfig = "rewrite ^ /index.php;";
-            };
-            "~ ^/store-apps" = {
-              priority = 201;
-              extraConfig = "root ${cfg.home};";
-            };
-            "= /.well-known/carddav" = {
-              priority = 210;
-              extraConfig = "return 301 $scheme://$host/remote.php/dav;";
-            };
-            "= /.well-known/caldav" = {
-              priority = 210;
-              extraConfig = "return 301 $scheme://$host/remote.php/dav;";
-            };
-            "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = {
-              priority = 300;
-              extraConfig = "deny all;";
-            };
-            "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
-              priority = 300;
-              extraConfig = "deny all;";
-            };
-            "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = {
-              priority = 500;
-              extraConfig = ''
-                include ${config.services.nginx.package}/conf/fastcgi.conf;
-                fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
-                try_files $fastcgi_script_name =404;
-                fastcgi_param PATH_INFO $fastcgi_path_info;
-                fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
-                fastcgi_param modHeadersAvailable true;
-                fastcgi_param front_controller_active true;
-                fastcgi_pass unix:${fpm.socket};
-                fastcgi_intercept_errors on;
-                fastcgi_request_buffering off;
-                fastcgi_read_timeout 120s;
-              '';
-            };
-            "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
-              try_files $uri/ =404;
-              index index.php;
-            '';
-            "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = ''
-              try_files $uri /index.php$request_uri;
-              add_header Cache-Control "public, max-age=15778463";
-              add_header X-Content-Type-Options nosniff;
-              add_header X-XSS-Protection "1; mode=block";
-              add_header X-Robots-Tag none;
-              add_header X-Download-Options noopen;
-              add_header X-Permitted-Cross-Domain-Policies none;
-              add_header X-Frame-Options sameorigin;
-              add_header Referrer-Policy no-referrer;
+      services.nginx.enable = mkDefault true;
+      services.nginx.virtualHosts.${cfg.hostName} = {
+        root = cfg.package;
+        locations = {
+          "= /robots.txt" = {
+            priority = 100;
+            extraConfig = ''
+              allow all;
+              log_not_found off;
               access_log off;
             '';
-            "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
-              try_files $uri /index.php$request_uri;
-              access_log off;
+          };
+          "/" = {
+            priority = 900;
+            extraConfig = "try_files $uri $uri/ /index.php$request_uri;";
+          };
+          "~ ^/store-apps" = {
+            priority = 201;
+            extraConfig = "root ${cfg.home};";
+          };
+          "^~ /.well-known" = {
+            priority = 210;
+            extraConfig = ''
+              location = /.well-known/carddav {
+                return 301 $scheme://$host/remote.php/dav;
+              }
+              location = /.well-known/caldav {
+                return 301 $scheme://$host/remote.php/dav;
+              }
+              try_files $uri $uri/ =404;
             '';
           };
-          extraConfig = ''
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
-            add_header X-Frame-Options sameorigin;
-            add_header Referrer-Policy no-referrer;
-            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-            error_page 403 /core/templates/403.php;
-            error_page 404 /core/templates/404.php;
-            client_max_body_size ${cfg.maxUploadSize};
-            fastcgi_buffers 64 4K;
-            fastcgi_hide_header X-Powered-By;
-            gzip on;
-            gzip_vary on;
-            gzip_comp_level 4;
-            gzip_min_length 256;
-            gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-            gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-            ${optionalString cfg.webfinger ''
-              rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-              rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-            ''}
+          "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = ''
+            return 404;
+          '';
+          "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)".extraConfig = ''
+            return 404;
+          '';
+          "~ \\.php(?:$|/)" = {
+            priority = 500;
+            extraConfig = ''
+              include ${config.services.nginx.package}/conf/fastcgi.conf;
+              fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
+              set $path_info $fastcgi_path_info;
+              try_files $fastcgi_script_name =404;
+              fastcgi_param PATH_INFO $path_info;
+              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+              fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
+              fastcgi_param modHeadersAvailable true;
+              fastcgi_param front_controller_active true;
+              fastcgi_pass unix:${fpm.socket};
+              fastcgi_intercept_errors on;
+              fastcgi_request_buffering off;
+              fastcgi_read_timeout 120s;
+            '';
+          };
+          "~ \\.(?:css|js|svg|gif|map)$".extraConfig = ''
+            try_files $uri /index.php$request_uri;
+            expires 6M;
+            access_log off;
+          '';
+          "~ \\.woff2?$".extraConfig = ''
+            try_files $uri /index.php$request_uri;
+            expires 7d;
+            access_log off;
+          '';
+          "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
+            try_files $uri/ =404;
+            index index.php;
           '';
         };
+        extraConfig = ''
+          index index.php index.html /index.php$request_uri;
+          expires 1m;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag none;
+          add_header X-Download-Options noopen;
+          add_header X-Permitted-Cross-Domain-Policies none;
+          add_header X-Frame-Options sameorigin;
+          add_header Referrer-Policy no-referrer;
+          add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          client_max_body_size ${cfg.maxUploadSize};
+          fastcgi_buffers 64 4K;
+          fastcgi_hide_header X-Powered-By;
+          gzip on;
+          gzip_vary on;
+          gzip_comp_level 4;
+          gzip_min_length 256;
+          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+          ${optionalString cfg.webfinger ''
+            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+          ''}
+        '';
       };
     }
   ]);
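Review bot: The new `"~ \\.php(?:$|/)"` location (priority 500) passes every `.php` path under the document root to php-fpm, whereas the location it replaces only executed the explicit front-controller set (index, remote, public, cron, core/ajax/update, status, ocs/v[12], updater, ocs-provider, ocm-provider); the upstream nginx example I recall keeps that restriction inside this same location with `rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+) /index.php$request_uri;` as its first directive, which is cheap defence in depth here. Separately, `fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;` lives in a Nix indented string, where `\\` is not an escape, so nginx receives `(\\/.*)` — a PCRE that requires a literal backslash before the slash — and `$fastcgi_path_info`, hence the new `set $path_info` / `PATH_INFO`, is never populated for URLs like `/remote.php/dav/`. The removed lines carried the same mistake so nothing regresses, but since the new block now deliberately routes PATH_INFO through an intermediate variable it should read `fastcgi_split_path_info ^(.+?\.php)(/.*)$;`. Nextcloud presumably reconstructs the path from REQUEST_URI when PATH_INFO is empty, which would explain why this went unnoticed.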
diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml
index f8b92244c89..02e4dba2861 100644
--- a/nixos/modules/services/web-apps/nextcloud.xml
+++ b/nixos/modules/services/web-apps/nextcloud.xml
@@ -123,6 +123,61 @@
   </para>
  </section>
 
+ <section xml:id="module-services-nextcloud-httpd">
+  <title>Using an alternative webserver as reverse-proxy (e.g. <literal>httpd</literal>)</title>
+  <para>
+   By default, <package>nginx</package> is used as reverse-proxy for <package>nextcloud</package>.
+   However, it's possible to use e.g. <package>httpd</package> by explicitly disabling
+   <package>nginx</package> using <xref linkend="opt-services.nginx.enable" /> and fixing the
+   settings <literal>listen.owner</literal> &amp; <literal>listen.group</literal> in the
+   <link linkend="opt-services.phpfpm.pools">corresponding <literal>phpfpm</literal> pool</link>.
+  </para>
+  <para>
+   An exemplary configuration may look like this:
+<programlisting>{ config, lib, pkgs, ... }: {
+  <link linkend="opt-services.nginx.enable">services.nginx.enable</link> = false;
+  services.nextcloud = {
+    <link linkend="opt-services.nextcloud.enable">enable</link> = true;
+    <link linkend="opt-services.nextcloud.hostName">hostName</link> = "localhost";
+
+    /* further, required options */
+  };
+  <link linkend="opt-services.phpfpm.pools._name_.settings">services.phpfpm.pools.nextcloud.settings</link> = {
+    "listen.owner" = config.services.httpd.user;
+    "listen.group" = config.services.httpd.group;
+  };
+  services.httpd = {
+    <link linkend="opt-services.httpd.enable">enable</link> = true;
+    <link linkend="opt-services.httpd.adminAddr">adminAddr</link> = "webmaster@localhost";
+    <link linkend="opt-services.httpd.extraModules">extraModules</link> = [ "proxy_fcgi" ];
+    virtualHosts."localhost" = {
+      <link linkend="opt-services.httpd.virtualHosts._name_.documentRoot">documentRoot</link> = config.services.nextcloud.package;
+      <link linkend="opt-services.httpd.virtualHosts._name_.extraConfig">extraConfig</link> = ''
+        &lt;Directory "${config.services.nextcloud.package}"&gt;
+          &lt;FilesMatch "\.php$"&gt;
+            &lt;If "-f %{REQUEST_FILENAME}"&gt;
+              SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost/"
+            &lt;/If&gt;
+          &lt;/FilesMatch&gt;
+          &lt;IfModule mod_rewrite.c&gt;
+            RewriteEngine On
+            RewriteBase /
+            RewriteRule ^index\.php$ - [L]
+            RewriteCond %{REQUEST_FILENAME} !-f
+            RewriteCond %{REQUEST_FILENAME} !-d
+            RewriteRule . /index.php [L]
+          &lt;/IfModule&gt;
+          DirectoryIndex index.php
+          Require all granted
+          Options +FollowSymLinks
+        &lt;/Directory&gt;
+      '';
+    };
+  };
+}</programlisting>
+  </para>
+ </section>
+
  <section xml:id="module-services-nextcloud-maintainer-info">
   <title>Maintainer information</title>
 
diff --git a/nixos/modules/services/web-apps/rss-bridge.nix b/nixos/modules/services/web-apps/rss-bridge.nix
new file mode 100644
index 00000000000..f1d5b7660f3
--- /dev/null
+++ b/nixos/modules/services/web-apps/rss-bridge.nix
@@ -0,0 +1,127 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.rss-bridge;
+
+  poolName = "rss-bridge";
+
+  whitelist = pkgs.writeText "rss-bridge_whitelist.txt"
+    (concatStringsSep "\n" cfg.whitelist);
+in
+{
+  options = {
+    services.rss-bridge = {
+      enable = mkEnableOption "rss-bridge";
+
+      user = mkOption {
+        type = types.str;
+        default = "nginx";
+        example = "nginx";
+        description = ''
+          User account under which both the service and the web-application run.
+        '';
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "nginx";
+        example = "nginx";
+        description = ''
+          Group under which the web-application run.
+        '';
+      };
+
+      pool = mkOption {
+        type = types.str;
+        default = poolName;
+        description = ''
+          Name of existing phpfpm pool that is used to run web-application.
+          If not specified a pool will be created automatically with
+          default values.
+        '';
+      };
+
+      dataDir = mkOption {
+        type = types.str;
+        default = "/var/lib/rss-bridge";
+        description = ''
+          Location in which cache directory will be created.
+          You can put <literal>config.ini.php</literal> in here.
+        '';
+      };
+
+      virtualHost = mkOption {
+        type = types.nullOr types.str;
+        default = "rss-bridge";
+        description = ''
+          Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost.
+        '';
+      };
+
+      whitelist = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = options.literalExample ''
+          [
+            "Facebook"
+            "Instagram"
+            "Twitter"
+          ]
+        '';
+        description = ''
+          List of bridges to be whitelisted.
+          If the list is empty, rss-bridge will use whitelist.default.txt.
+          Use <literal>[ "*" ]</literal> to whitelist all.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.phpfpm.pools = mkIf (cfg.pool == poolName) {
+      ${poolName} = {
+        user = cfg.user;
+        settings = mapAttrs (name: mkDefault) {
+          "listen.owner" = cfg.user;
+          "listen.group" = cfg.user;
+          "listen.mode" = "0600";
+          "pm" = "dynamic";
+          "pm.max_children" = 75;
+          "pm.start_servers" = 10;
+          "pm.min_spare_servers" = 5;
+          "pm.max_spare_servers" = 20;
+          "pm.max_requests" = 500;
+          "catch_workers_output" = 1;
+        };
+      };
+    };
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}/cache' 0750 ${cfg.user} ${cfg.group} - -"
+      (mkIf (cfg.whitelist != []) "L+ ${cfg.dataDir}/whitelist.txt - - - - ${whitelist}")
+      "z '${cfg.dataDir}/config.ini.php' 0750 ${cfg.user} ${cfg.group} - -"
+    ];
+
+    services.nginx = mkIf (cfg.virtualHost != null) {
+      enable = true;
+      virtualHosts = {
+        ${cfg.virtualHost} = {
+          root = "${pkgs.rss-bridge}";
+
+          locations."/" = {
+            tryFiles = "$uri /index.php$is_args$args";
+          };
+
+          locations."~ ^/index.php(/|$)" = {
+            extraConfig = ''
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.socket};
+              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+              fastcgi_param RSSBRIDGE_DATA ${cfg.dataDir};
+            '';
+          };
+        };
+      };
+    };
+  };
+}
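Review bot: In the auto-created phpfpm pool, `"listen.group" = cfg.user;` should be `"listen.group" = cfg.group;` — the module defines a separate `group` option and honours it for the tmpfiles ownership, so the socket group is the one place it is ignored. The pool also sets only `user = cfg.user;`; if the phpfpm pool's `group` option has no default in this tree, `group = cfg.group;` is needed there too or evaluation fails as soon as the module is enabled. `example = options.literalExample` only works because `with lib;` resolves `options` to `lib.options`; the spelling used by every other module is plain `literalExample`. Finally, the defaults run the PHP pool as the `nginx` user, so code execution in rss-bridge (which fetches and parses arbitrary remote sites) inherits everything the web server can read, possibly including TLS key material; a dedicated `rss-bridge` user with the nginx user added to its group is the least-privilege shape.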
diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix
index 2ea9537b93d..6a29f10d119 100644
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -632,8 +632,6 @@ let
           User = "${cfg.user}";
           Group = "tt_rss";
           ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon --quiet";
-          StandardOutput = "syslog";
-          StandardError = "syslog";
           Restart = "on-failure";
           RestartSec = "60";
           SyslogIdentifier = "tt-rss";
diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index e1d1217943b..46660151f76 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -10,6 +10,12 @@ let
 
   pkg = cfg.package.out;
 
+  apachectl = pkgs.runCommand "apachectl" { meta.priority = -1; } ''
+    mkdir -p $out/bin
+    cp ${pkg}/bin/apachectl $out/bin/apachectl
+    sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f ${httpdConf}|'
+  '';
+
   httpdConf = cfg.configFile;
 
   php = cfg.phpPackage.override { apacheHttpd = pkg; };
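Review bot: The `sed -i` on the copied apachectl succeeds even when its pattern `$HTTPD -t` does not match, so a later apachectl rewrite would silently produce a wrapper that tests a different configuration file than the one the system runs; a check after the substitution such as `grep -q -- "-t -f ${httpdConf}" $out/bin/apachectl` would turn that into a build failure instead. Only the `-t` invocation is rewritten, and the second hunk of this file drops `/etc/httpd/httpd.conf`; if apachectl's other subcommands run httpd without `-f` they will presumably no longer see the NixOS configuration, so a comment on the wrapper stating that it is meant for `configtest` only would set expectations. The enclosing `let` continues outside the hunk.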
@@ -650,10 +656,10 @@ in
       postRun = "systemctl reload httpd.service";
     }) (filterAttrs (name: hostOpts: hostOpts.enableACME) cfg.virtualHosts);
 
-    environment.systemPackages = [ pkg ];
-
-    # required for "apachectl configtest"
-    environment.etc."httpd/httpd.conf".source = httpdConf;
+    environment.systemPackages = [
+      apachectl
+      pkg
+    ];
 
     services.httpd.phpOptions =
       ''
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 4c4b7f39e6b..461888c4cc4 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -704,7 +704,10 @@ in
       '';
       serviceConfig = {
         ExecStart = execCommand;
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        ExecReload = [
+          "${execCommand} -t"
+          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
+        ];
         Restart = "always";
         RestartSec = "10s";
         StartLimitInterval = "1min";
@@ -761,8 +764,7 @@ in
       serviceConfig.TimeoutSec = 60;
       script = ''
         if /run/current-system/systemd/bin/systemctl -q is-active nginx.service ; then
-          ${execCommand} -t && \
-            /run/current-system/systemd/bin/systemctl reload nginx.service
+          /run/current-system/systemd/bin/systemctl reload nginx.service
         fi
       '';
       serviceConfig.RemainAfterExit = true;
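Review bot: The script now calls `systemctl reload` unconditionally, and the reason the `-t` guard could go is only visible in the first hunk of this file, where `${execCommand} -t` became the first `ExecReload` entry; a comment here such as `# the configuration is validated by the unit's ExecReload; a failing test aborts the reload and fails this unit` would spare the next reader the cross-reference. This is also a behavioural change worth recording: previously a broken configuration silently skipped the reload, whereas now `nginx-config-reload.service` fails and the error surfaces during activation, which is the safer outcome. Both enclosing definitions continue outside their hunks.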
diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix
index 65dcdbed000..894271d1e55 100644
--- a/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixos/modules/services/web-servers/unit/default.nix
@@ -120,9 +120,12 @@ in {
         ProtectHome = true;
         PrivateTmp = true;
         PrivateDevices = true;
+        PrivateUsers = false;
         ProtectHostname = true;
+        ProtectClock = true;
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
+        ProtectKernelLogs = true;
         ProtectControlGroups = true;
         RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
         LockPersonality = true;
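Review bot: `PrivateUsers = false` is an explicit opt-out in the middle of otherwise tightening settings and nothing in the hunk says why it cannot be enabled, so a later hardening pass is likely to flip it; a comment on that line giving the reason (e.g. `# PrivateUsers must stay off: presumably the daemon needs real uid switching for application processes -- confirm`) would prevent that. The two `Protect*` additions are straightforward. The serviceConfig set continues outside the hunk.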
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 573049ab07a..23ab7f2ae43 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -200,7 +200,6 @@ in
       KillMode = "mixed";
       IgnoreSIGPIPE = "no";
       BusName = "org.gnome.DisplayManager";
-      StandardOutput = "syslog";
       StandardError = "inherit";
       ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
       KeyringMode = "shared";
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 3bee21fa822..143785db0b4 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -253,7 +253,6 @@ in
       KeyringMode = "shared";
       KillMode = "mixed";
       StandardError = "inherit";
-      StandardOutput = "syslog";
     };
 
     environment.etc."lightdm/lightdm.conf".source = lightdmConf;
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 7f13f67e8ef..a04660fb56e 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -374,7 +374,8 @@ let
           ) config.boot.initrd.secrets)
          }
 
-        (cd "$tmp" && find . | cpio -H newc -o) | gzip >>"$1"
+        (cd "$tmp" && find . -print0 | sort -z | cpio -o -H newc -R +0:+0 --reproducible --null) | \
+          ${config.boot.initrd.compressor} >> "$1"
       '';
 
 in
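Review bot: The exit status of the new pipeline is that of `${config.boot.initrd.compressor}`, so a failure inside the subshell (an unreadable file, a `cpio` error) still leaves a truncated but cleanly compressed archive appended to `$1` unless the enclosing script, which starts outside the hunk, runs with `set -o pipefail`. Since this archive carries `boot.initrd.secrets`, a silent short write should be ruled out, either by confirming pipefail is in effect or by checking the subshell's status explicitly. The reproducibility flags (`-R +0:+0 --reproducible`, null-separated sorted input) look correct.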
diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix
index c6dbb96951a..ac6fed440a2 100644
--- a/nixos/modules/system/boot/systemd-unit-options.nix
+++ b/nixos/modules/system/boot/systemd-unit-options.nix
@@ -379,6 +379,16 @@ in rec {
       '';
     };
 
+    listenDatagrams = mkOption {
+      default = [];
+      type = types.listOf types.str;
+      example = [ "0.0.0.0:993" "/run/my-socket" ];
+      description = ''
+        For each item in this list, a <literal>ListenDatagram</literal>
+        option in the <literal>[Socket]</literal> section will be created.
+      '';
+    };
+
     socketConfig = mkOption {
       default = {};
       example = { ListenStream = "/run/my-socket"; };
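Review bot: The `example` for `listenDatagrams` reuses the stream example (`0.0.0.0:993`, an IMAPS-style TCP endpoint), which is misleading for a datagram socket; a value such as `[ "0.0.0.0:514" "/run/my-socket" ]` (constructed here, a syslog-style UDP port) would make the option's purpose clearer. The description could also mention that these become UDP or unix datagram endpoints, mirroring systemd's `ListenDatagram=`.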
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index a5f368c869a..96304ff6cec 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -81,10 +81,6 @@ let
       "systemd-coredump.socket"
       "systemd-coredump@.service"
 
-      # SysV init compatibility.
-      "systemd-initctl.socket"
-      "systemd-initctl.service"
-
       # Kernel module loading.
       "systemd-modules-load.service"
       "kmod-static-nodes.service"
@@ -354,6 +350,7 @@ let
           [Socket]
           ${attrsToSection def.socketConfig}
           ${concatStringsSep "\n" (map (s: "ListenStream=${s}") def.listenStreams)}
+          ${concatStringsSep "\n" (map (s: "ListenDatagram=${s}") def.listenDatagrams)}
         '';
     };
 
@@ -1011,18 +1008,18 @@ in
       "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
       "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
 
-      "tmpfiles.d".source = (pkgs.symlinkJoin {
+      "tmpfiles.d".source = pkgs.symlinkJoin {
         name = "tmpfiles.d";
-        paths = cfg.tmpfiles.packages;
+        paths = map (p: p + "/lib/tmpfiles.d") cfg.tmpfiles.packages;
         postBuild = ''
           for i in $(cat $pathsPath); do
-            (test -d $i/lib/tmpfiles.d && test $(ls $i/lib/tmpfiles.d/*.conf | wc -l) -ge 1) || (
-              echo "ERROR: The path $i was passed to systemd.tmpfiles.packages but either does not contain the folder lib/tmpfiles.d or if it contains that folder, there are no files ending in .conf in it."
+            (test -d "$i" && test $(ls "$i"/*.conf | wc -l) -ge 1) || (
+              echo "ERROR: The path '$i' from systemd.tmpfiles.packages contains no *.conf files."
               exit 1
             )
           done
         '';
-      }) + "/lib/tmpfiles.d";
+      };
 
       "systemd/system-generators" = { source = hooks "generators" cfg.generators; };
       "systemd/system-shutdown" = { source = hooks "shutdown" cfg.shutdown; };
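Review bot: With `paths` now pointing at `p + "/lib/tmpfiles.d"` directly, a package that lacks that directory is presumably rejected by `symlinkJoin` itself before `postBuild` runs, so the `test -d "$i"` branch and the rewritten error message would never be reached for that case and the user gets a generic link error instead of the descriptive one the old message gave. If that matches how symlinkJoin behaves, either the message should be restored at the point where the failure actually occurs or the `test -d` can be dropped as dead code. The `environment.etc` attribute set continues outside the hunk.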
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index c9d9c6c1657..9ca7c6fb343 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@@ -191,13 +191,14 @@ in
       };
 
       requestEncryptionCredentials = mkOption {
-        type = types.bool;
+        type = types.either types.bool (types.listOf types.str);
         default = true;
+        example = [ "tank" "data" ];
         description = ''
-          Request encryption keys or passwords for all encrypted datasets on import.
-          For root pools the encryption key can be supplied via both an
-          interactive prompt (keylocation=prompt) and from a file
-          (keylocation=file://).
+          If true on import encryption keys or passwords for all encrypted datasets
+          are requested. To only decrypt selected datasets supply a list of dataset
+          names instead. For root pools the encryption key can be supplied via both
+          an interactive prompt (keylocation=prompt) and from a file (keylocation=file://).
         '';
       };
 
@@ -419,9 +420,13 @@ in
               fi
               poolImported "${pool}" || poolImport "${pool}"  # Try one last time, e.g. to import a degraded pool.
             fi
-            ${lib.optionalString cfgZfs.requestEncryptionCredentials ''
-              zfs load-key -a
-            ''}
+            ${if isBool cfgZfs.requestEncryptionCredentials
+              then optionalString cfgZfs.requestEncryptionCredentials ''
+                zfs load-key -a
+              ''
+              else concatMapStrings (fs: ''
+                zfs load-key ${fs}
+              '') cfgZfs.requestEncryptionCredentials}
         '') rootPools));
       };
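Review bot: The dataset names from `requestEncryptionCredentials` are interpolated into the shell unquoted in `zfs load-key ${fs}`, and in the stage-2 hunk below into a single-quoted `echo '…'`, so a name containing whitespace or a quote breaks either command; `zfs load-key ${escapeShellArg fs}` and `echo ${escapeShellArg (concatStringsSep "\n" cfgZfs.requestEncryptionCredentials)}` would be the robust forms. The values come from the system configuration, so this is a robustness rather than an injection point. Note also that this initrd path loads each listed dataset unconditionally, while the stage-2 path first filters on `keylocation`; a listed dataset whose key is inherited from a parent or already loaded will presumably make `zfs load-key` return non-zero here, and nothing in the hunk shows whether that aborts the import script. The enclosing script starts outside the hunk.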
 
@@ -517,9 +522,16 @@ in
               done
               poolImported "${pool}" || poolImport "${pool}"  # Try one last time, e.g. to import a degraded pool.
               if poolImported "${pool}"; then
-                ${optionalString cfgZfs.requestEncryptionCredentials ''
+                ${optionalString (if isBool cfgZfs.requestEncryptionCredentials
+                                  then cfgZfs.requestEncryptionCredentials
+                                  else cfgZfs.requestEncryptionCredentials != []) ''
                   ${packages.zfsUser}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do
-                    (case "$kl" in
+                    (${optionalString (!isBool cfgZfs.requestEncryptionCredentials) ''
+                         if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then
+                           continue
+                         fi
+                       ''}
+                    case "$kl" in
                       none )
                         ;;
                       prompt )
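Review bot: The `continue` sits inside the `( … )` subshell opened on the preceding line, so in bash it ends the subshell rather than the `while read` iteration; the outcome is the same (the `case` is skipped) but only because the subshell exits, and it reads as if it controlled the loop. `exit 0` in its place would say what actually happens, or a comment such as `# inside the subshell: ends this iteration's body` would at least flag it. The subshell and the loop close outside the hunk.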
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 1baeab53b0c..30ffb12cbad 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -1,22 +1,13 @@
 # This module allows the test driver to connect to the virtual machine
 # via a root shell attached to port 514.
 
-{ config, lib, pkgs, ... }:
+{ options, config, lib, pkgs, ... }:
 
 with lib;
 with import ../../lib/qemu-flags.nix { inherit pkgs; };
 
 {
 
-  # This option is a dummy that if used in conjunction with
-  # modules/virtualisation/qemu-vm.nix gets merged with the same option defined
-  # there and only is declared here because some modules use
-  # test-instrumentation.nix but not qemu-vm.nix.
-  #
-  # One particular example are the boot tests where we want instrumentation
-  # within the images but not other stuff like setting up 9p filesystems.
-  options.virtualisation.qemu = { };
-
   config = {
 
     systemd.services.backdoor =
@@ -55,7 +46,12 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
     systemd.services."serial-getty@hvc0".enable = false;
 
     # Only use a serial console, no TTY.
-    virtualisation.qemu.consoles = [ qemuSerialDevice ];
+    # NOTE: optionalAttrs
+    #       test-instrumentation.nix appears to be used without qemu-vm.nix, so
+    #       we avoid defining consoles if not possible.
+    # TODO: refactor such that test-instrumentation can import qemu-vm
+    #       or declare virtualisation.qemu.console option in a module that's always imported
+    virtualisation = lib.optionalAttrs (options ? virtualisation.qemu.consoles) { qemu.consoles = [ qemuSerialDevice ]; };
 
     boot.initrd.preDeviceCommands =
       ''
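Review bot: The explanatory comment names `virtualisation.qemu.console` while the guard and the definition use `consoles`; `#       or declare virtualisation.qemu.consoles option in a module that's always imported` keeps the comment consistent with the code. It would also help to state there that the new `options` module argument from the first hunk of this file exists solely for this `?` test, since that hunk gives no reason for it. The enclosing config set continues outside the hunk.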
diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix
index f267c97b178..f8a75d3faa5 100644
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@@ -85,7 +85,7 @@ in
 
     environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";
 
-    environment.etc."crio/crio.conf".text = ''
+    environment.etc."crio/crio.conf.d/00-default.conf".text = ''
       [crio]
       storage_driver = "${cfg.storageDriver}"
 
@@ -100,6 +100,7 @@ in
       cgroup_manager = "systemd"
       log_level = "${cfg.logLevel}"
       manage_ns_lifecycle = true
+      pinns_path = "${cfg.package}/bin/pinns"
 
       ${optionalString (cfg.runtime != null) ''
       default_runtime = "${cfg.runtime}"