Merge master into haskell-updates

4 files changed, 155 insertions, 3 deletions

diff --git a/nixos/modules/services/networking/clatd.nix b/nixos/modules/services/networking/clatd.nix
new file mode 100644
index 0000000000000..76e0c130ca466
--- /dev/null
+++ b/nixos/modules/services/networking/clatd.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.clatd;
+
+  settingsFormat = pkgs.formats.keyValue {};
+
+  configFile = settingsFormat.generate "clatd.conf" cfg.settings;
+in
+{
+  options = {
+    services.clatd = {
+      enable = mkEnableOption "clatd";
+
+      package = mkPackageOption pkgs "clatd" { };
+
+      settings = mkOption {
+        type = types.submodule ({ name, ... }: {
+          freeformType = settingsFormat.type;
+        });
+        default = { };
+        example = literalExpression ''
+          {
+            plat-prefix = "64:ff9b::/96";
+          }
+        '';
+        description = ''
+          Configuration of clatd. See [clatd Documentation](https://github.com/toreanderson/clatd/blob/master/README.pod#configuration).
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.clatd = {
+      description = "464XLAT CLAT daemon";
+      documentation = [ "man:clatd(8)" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      startLimitIntervalSec = 0;
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/clatd -c ${configFile}";
+        startLimitIntervalSec = 0;
+
+        # Hardening
+        CapabilityBoundingSet = [
+          "CAP_NET_ADMIN"
+        ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectProc = "invisible";
+        ProtectSystem = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@network-io"
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+      };
+    };
+  };
+}
diff --git a/nixos/modules/services/networking/jotta-cli.md b/nixos/modules/services/networking/jotta-cli.md
new file mode 100644
index 0000000000000..fee002a4e6046
--- /dev/null
+++ b/nixos/modules/services/networking/jotta-cli.md
@@ -0,0 +1,27 @@
+# Jottacloud Command-line Tool {#module-services-jotta-cli}
+
+The [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool) is a headless [Jottacloud](https://jottacloud.com) client.
+
+## Quick Start {#module-services-jotta-cli-quick-start}
+
+```nix
+{
+  user.services.jotta-cli.enable = true;
+}
+```
+
+This adds `jotta-cli` to `environment.systemPackages` and starts a user service that runs `jottad` with the default options.
+
+## Example Configuration {#module-services-jotta-cli-example-configuration}
+
+```nix
+user.services.jotta-cli = {
+  enable = true;
+  options = [ "slow" ];
+  package = pkgs.jotta-cli;
+};
+```
+
+This uses `jotta-cli` and `jottad` from the `pkgs.jotta-cli` package and starts `jottad` in low memory mode.
+
+`jottad` is also added to `environment.systemPackages`, so `jottad --help` can be used to explore options.
diff --git a/nixos/modules/services/networking/jotta-cli.nix b/nixos/modules/services/networking/jotta-cli.nix
new file mode 100644
index 0000000000000..c7e6dad5453ca
--- /dev/null
+++ b/nixos/modules/services/networking/jotta-cli.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.user.services.jotta-cli;
+in {
+  options = {
+    user.services.jotta-cli = {
+
+      enable = mkEnableOption "Jottacloud Command-line Tool";
+
+      options = mkOption {
+        default = [ "stdoutlog" "datadir" "%h/.jottad/" ];
+        example = [ ];
+        type = with types; listOf str;
+        description = "Command-line options passed to jottad.";
+      };
+
+      package = lib.mkPackageOption pkgs "jotta-cli" { };
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.user.services.jottad = {
+
+      description = "Jottacloud Command-line Tool daemon";
+
+      serviceConfig = {
+        Type = "notify";
+        EnvironmentFile = "-%h/.config/jotta-cli/jotta-cli.env";
+        ExecStart = "${lib.getExe' cfg.package "jottad"} ${concatStringsSep " " cfg.options}";
+        Restart = "on-failure";
+      };
+
+      wantedBy = [ "default.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+    };
+    environment.systemPackages = [ pkgs.jotta-cli ];
+  };
+
+  meta.maintainers = with lib.maintainers; [ evenbrenden ];
+  meta.doc = ./jotta-cli.md;
+}
diff --git a/nixos/modules/services/networking/trust-dns.nix b/nixos/modules/services/networking/trust-dns.nix
index e6f8cc15819f6..039b7de263504 100644
--- a/nixos/modules/services/networking/trust-dns.nix
+++ b/nixos/modules/services/networking/trust-dns.nix
@@ -51,7 +51,7 @@ in
       package = mkPackageOption pkgs "trust-dns" {
         extraDescription = ''
           ::: {.note}
-          The package must provide `meta.mainProgram` which names the server binayr; any other utilities (client, resolver) are not needed.
+          The package must provide `meta.mainProgram` which names the server binary; any other utilities (client, resolver) are not needed.
           :::
         '';
       };
@@ -86,7 +86,7 @@ in
               type = types.listOf types.str;
               default = [ "0.0.0.0" ];
               description = ''
-              List of ipv4 addresses on which to listen for DNS queries.
+                List of ipv4 addresses on which to listen for DNS queries.
               '';
             };
             listen_addrs_ipv6 = mkOption {
@@ -114,7 +114,7 @@ in
             };
             zones = mkOption {
               description = "List of zones to serve.";
-              default = {};
+              default = [];
               type = types.listOf (types.coercedTo types.str (zone: { inherit zone; }) zoneType);
             };
           };