authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2024-06-26 00:02:13 +0000
committerGitHub <noreply@github.com>2024-06-26 00:02:13 +0000
commit27074b7d078ee7f554bc623756c23914939f3c4b (patch)
tree161bd8a7590e7c229814877667330d5fe35d2edd /nixos
parent08b5c3c46ad3ffd4e31332f69d816004c529b82a (diff)
parent260616a5fddf0d3cf41bca8b74be23e2e2bf8c2e (diff)
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2411.section.md6
-rw-r--r--nixos/modules/misc/mandoc.nix23
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/dublin-traceroute.nix4
-rw-r--r--nixos/modules/programs/joycond-cemuhook.nix2
-rw-r--r--nixos/modules/programs/mouse-actions.nix2
-rw-r--r--nixos/modules/security/ca.nix6
-rw-r--r--nixos/modules/security/pam.nix2
-rw-r--r--nixos/modules/security/sudo-rs.nix2
-rw-r--r--nixos/modules/services/cluster/kubernetes/kubelet.nix2
-rw-r--r--nixos/modules/services/databases/memcached.nix2
-rw-r--r--nixos/modules/services/matrix/mautrix-signal.nix2
-rw-r--r--nixos/modules/services/matrix/mautrix-whatsapp.nix2
-rw-r--r--nixos/modules/services/misc/mqtt2influxdb.nix2
-rw-r--r--nixos/modules/services/misc/paperless.nix2
-rw-r--r--nixos/modules/services/misc/portunus.nix2
-rw-r--r--nixos/modules/services/misc/spice-autorandr.nix2
-rw-r--r--nixos/modules/services/monitoring/rustdesk-server.nix2
-rw-r--r--nixos/modules/services/monitoring/thanos.nix2
-rw-r--r--nixos/modules/services/monitoring/ups.nix4
-rw-r--r--nixos/modules/services/network-filesystems/openafs/server.nix2
-rw-r--r--nixos/modules/services/network-filesystems/samba-wsdd.nix2
-rw-r--r--nixos/modules/services/networking/gns3-server.nix6
-rw-r--r--nixos/modules/services/networking/haproxy.nix2
-rw-r--r--nixos/modules/services/networking/hylafax/options.nix4
-rw-r--r--nixos/modules/services/networking/netbird/dashboard.nix2
-rw-r--r--nixos/modules/services/networking/netbird/management.nix4
-rw-r--r--nixos/modules/services/networking/netbird/server.nix2
-rw-r--r--nixos/modules/services/networking/netbird/signal.nix2
-rw-r--r--nixos/modules/services/networking/networkd-dispatcher.nix2
-rw-r--r--nixos/modules/services/networking/nncp.nix4
-rw-r--r--nixos/modules/services/networking/wg-access-server.nix124
-rw-r--r--nixos/modules/services/security/fail2ban.nix2
-rw-r--r--nixos/modules/services/security/haveged.nix2
-rw-r--r--nixos/modules/services/security/vaultwarden/backup.sh18
-rw-r--r--nixos/modules/services/web-apps/audiobookshelf.nix2
-rw-r--r--nixos/modules/services/web-apps/jitsi-meet.nix2
-rw-r--r--nixos/modules/services/web-apps/nextcloud.nix4
-rw-r--r--nixos/modules/services/web-apps/pretix.nix2
-rw-r--r--nixos/modules/services/web-apps/silverbullet.nix2
-rw-r--r--nixos/modules/services/web-apps/suwayomi-server.nix4
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix6
-rw-r--r--nixos/modules/services/web-servers/tomcat.nix16
-rw-r--r--nixos/modules/system/boot/initrd-ssh.nix10
-rw-r--r--nixos/modules/testing/test-instrumentation.nix4
-rw-r--r--nixos/modules/virtualisation/incus.nix2
-rw-r--r--nixos/modules/virtualisation/multipass.nix4
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix2
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/tomcat.nix9
-rw-r--r--nixos/tests/vaultwarden.nix4
-rw-r--r--nixos/tests/wg-access-server.nix28
52 files changed, 268 insertions, 84 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 2c2f797bb3244..436ec7b188250 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -21,6 +21,8 @@
 
 - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
 
+- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).
+
 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
 
 - `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage:
@@ -120,6 +122,10 @@
   services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
   ```
 
+- The default value of `services.kubernetes.kubelet.hostname` is now lowercased.
+  Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back
+  the old default behavior.
+
 - `keycloak` was updated to version 25, which introduces new hostname related options.
   See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.
 
diff --git a/nixos/modules/misc/mandoc.nix b/nixos/modules/misc/mandoc.nix
index 706e2ac2c2836..166693930b5c7 100644
--- a/nixos/modules/misc/mandoc.nix
+++ b/nixos/modules/misc/mandoc.nix
@@ -96,12 +96,17 @@ in
                 {option}`documentation.man.mandoc.manPath` to an empty list (`[]`).
               '';
             };
-            output.fragment = lib.mkEnableOption ''
-              Omit the <!DOCTYPE> declaration and the <html>, <head>, and <body>
-              elements and only emit the subtree below the <body> element in HTML
-              output of {manpage}`mandoc(1)`. The style argument will be ignored.
-              This is useful when embedding manual content within existing documents.
-            '';
+            output.fragment = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              example = true;
+              description = ''
+                Whether to omit the <!DOCTYPE> declaration and the <html>, <head>, and <body>
+                elements and only emit the subtree below the <body> element in HTML
+                output of {manpage}`mandoc(1)`. The style argument will be ignored.
+                This is useful when embedding manual content within existing documents.
+              '';
+            };
             output.includes = lib.mkOption {
               type = with lib.types; nullOr str;
               default = null;
@@ -160,9 +165,9 @@ in
               '';
             };
             output.toc = lib.mkEnableOption ''
-              In HTML output of {manpage}`mandoc(1)`, If an input file contains
-              at least two non-standard sections, print a table of contents near
-              the beginning of the output.
+              printing a table of contents near the beginning of the HTML output
+              of {manpage}`mandoc(1)` if an input file contains at least two
+              non-standard sections
             '';
             output.width = lib.mkOption {
               type = with lib.types; nullOr int;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c7004a6e3b1ed..8f5d8ecd1ce30 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1225,6 +1225,7 @@
   ./services/networking/vsftpd.nix
   ./services/networking/wasabibackend.nix
   ./services/networking/websockify.nix
+  ./services/networking/wg-access-server.nix
   ./services/networking/wg-netmanager.nix
   ./services/networking/webhook.nix
   ./services/networking/wg-quick.nix
diff --git a/nixos/modules/programs/dublin-traceroute.nix b/nixos/modules/programs/dublin-traceroute.nix
index de9446ad7377c..c764352843e78 100644
--- a/nixos/modules/programs/dublin-traceroute.nix
+++ b/nixos/modules/programs/dublin-traceroute.nix
@@ -8,9 +8,7 @@ in {
 
   options = {
     programs.dublin-traceroute = {
-      enable = lib.mkEnableOption ''
-      dublin-traceroute, add it to the global environment and configure a setcap wrapper for it.
-      '';
+      enable = lib.mkEnableOption "dublin-traceroute (including setcap wrapper)";
 
       package = lib.mkPackageOption pkgs "dublin-traceroute" { };
     };
diff --git a/nixos/modules/programs/joycond-cemuhook.nix b/nixos/modules/programs/joycond-cemuhook.nix
index 6cdd198a7df23..c01a00478113a 100644
--- a/nixos/modules/programs/joycond-cemuhook.nix
+++ b/nixos/modules/programs/joycond-cemuhook.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, config, ... }:
 {
   options.programs.joycond-cemuhook = {
-    enable = lib.mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices.";
+    enable = lib.mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices";
   };
 
   config = lib.mkIf config.programs.joycond-cemuhook.enable {
diff --git a/nixos/modules/programs/mouse-actions.nix b/nixos/modules/programs/mouse-actions.nix
index fdf39d56d3838..73dc783e3100b 100644
--- a/nixos/modules/programs/mouse-actions.nix
+++ b/nixos/modules/programs/mouse-actions.nix
@@ -6,7 +6,7 @@ in
   {
     options.programs.mouse-actions = {
       enable = lib.mkEnableOption ''
-        mouse-actions udev rules. This is a prerequisite for using mouse-actions without being root.
+        mouse-actions udev rules. This is a prerequisite for using mouse-actions without being root
       '';
     };
     config = lib.mkIf cfg.enable {
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index af5d91b35f2eb..8aae6eb3f29b0 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -26,13 +26,13 @@ in
 
     security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
 
-      Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
-      which is a OpenSSL specific PEM format.
+      Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+      which is an OpenSSL specific PEM format.
 
       It is known to be incompatible with certain software stacks.
 
       Nevertheless, enabling this will strip all additional trust rules provided by the
-      certificates themselves, this can have security consequences depending on your usecases.
+      certificates themselves. This can have security consequences depending on your usecases
     '';
 
     security.pki.certificateFiles = mkOption {
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 5d3bed2fb02c8..f77e819d0c83a 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1055,7 +1055,7 @@ in
           the dp9ik pam module provided by tlsclient.
 
           If set, users can be authenticated against the 9front
-          authentication server given in {option}`security.pam.dp9ik.authserver`.
+          authentication server given in {option}`security.pam.dp9ik.authserver`
         '';
       control = mkOption {
         default = "sufficient";
diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix
index 6ccf42ed7f087..e63a64d4691c0 100644
--- a/nixos/modules/security/sudo-rs.nix
+++ b/nixos/modules/security/sudo-rs.nix
@@ -41,7 +41,7 @@ in
 
     enable = mkEnableOption ''
       a memory-safe implementation of the {command}`sudo` command,
-      which allows non-root users to execute commands as root.
+      which allows non-root users to execute commands as root
     '';
 
     package = mkPackageOption pkgs "sudo-rs" { };
diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix
index c841f4e5f1862..f36edeaf64ceb 100644
--- a/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix
@@ -356,7 +356,7 @@ in
       boot.kernelModules = ["br_netfilter" "overlay"];
 
       services.kubernetes.kubelet.hostname =
-        mkDefault config.networking.fqdnOrHostName;
+        mkDefault (lib.toLower config.networking.fqdnOrHostName);
 
       services.kubernetes.pki.certs = with top.lib; {
         kubelet = mkCert {
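Review bot: The reason for wrapping the default in `lib.toLower` is not recorded next to the assignment. A short comment such as `# Kubernetes node names must be lowercase (RFC 1123), so normalise the default` would keep a later cleanup from reverting it. The certificate definitions that follow continue outside the hunk, so whether they pick up the same lowercased value cannot be confirmed from here.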
diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix
index e38931b6b7ea8..7a3afc5efafcf 100644
--- a/nixos/modules/services/databases/memcached.nix
+++ b/nixos/modules/services/databases/memcached.nix
@@ -37,7 +37,7 @@ in
         description = "The port to bind to.";
       };
 
-      enableUnixSocket = mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored.";
+      enableUnixSocket = mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored";
 
       maxMemory = mkOption {
         type = types.ints.unsigned;
diff --git a/nixos/modules/services/matrix/mautrix-signal.nix b/nixos/modules/services/matrix/mautrix-signal.nix
index faca10551abb6..0da95b9c8a7b4 100644
--- a/nixos/modules/services/matrix/mautrix-signal.nix
+++ b/nixos/modules/services/matrix/mautrix-signal.nix
@@ -52,7 +52,7 @@ let
 in
 {
   options.services.mautrix-signal = {
-    enable = lib.mkEnableOption "mautrix-signal, a Matrix-Signal puppeting bridge.";
+    enable = lib.mkEnableOption "mautrix-signal, a Matrix-Signal puppeting bridge";
 
     settings = lib.mkOption {
       apply = lib.recursiveUpdate defaultConfig;
diff --git a/nixos/modules/services/matrix/mautrix-whatsapp.nix b/nixos/modules/services/matrix/mautrix-whatsapp.nix
index 31f64c16d7913..d124edc216dd0 100644
--- a/nixos/modules/services/matrix/mautrix-whatsapp.nix
+++ b/nixos/modules/services/matrix/mautrix-whatsapp.nix
@@ -47,7 +47,7 @@
 
 in {
   options.services.mautrix-whatsapp = {
-    enable = lib.mkEnableOption "mautrix-whatsapp, a puppeting/relaybot bridge between Matrix and WhatsApp.";
+    enable = lib.mkEnableOption "mautrix-whatsapp, a puppeting/relaybot bridge between Matrix and WhatsApp";
 
     settings = lib.mkOption {
       type = settingsFormat.type;
diff --git a/nixos/modules/services/misc/mqtt2influxdb.nix b/nixos/modules/services/misc/mqtt2influxdb.nix
index 925139b449b8e..d07ce1e66ba31 100644
--- a/nixos/modules/services/misc/mqtt2influxdb.nix
+++ b/nixos/modules/services/misc/mqtt2influxdb.nix
@@ -124,7 +124,7 @@ let
 in {
   options = {
     services.mqtt2influxdb = {
-      enable = mkEnableOption "BigClown MQTT to InfluxDB bridge.";
+      enable = mkEnableOption "BigClown MQTT to InfluxDB bridge";
       package = mkPackageOption pkgs ["python3Packages" "mqtt2influxdb"] {};
       environmentFiles = mkOption {
         type = types.listOf types.path;
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index e564fe3b8317b..6d6a49c10bddc 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -225,7 +225,7 @@ in
       effectively never complete due to running into timeouts.
 
       This sets `OMP_NUM_THREADS` to `1` in order to mitigate the issue. See
-      https://github.com/NixOS/nixpkgs/issues/240591 for more information.
+      https://github.com/NixOS/nixpkgs/issues/240591 for more information
     '' // mkOption { default = true; };
   };
 
diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix
index c7abb2cfa2a3e..a9a069b0c0555 100644
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@@ -70,7 +70,7 @@ in
 
         To activate dex, first a search user must be created in the Portunus web ui
         and then the password must to be set as the `DEX_SEARCH_USER_PASSWORD` environment variable
-        in the [](#opt-services.dex.environmentFile) setting.
+        in the [](#opt-services.dex.environmentFile) setting
       '';
 
       oidcClients = mkOption {
diff --git a/nixos/modules/services/misc/spice-autorandr.nix b/nixos/modules/services/misc/spice-autorandr.nix
index 0d58d28657172..92b8a15e93c5d 100644
--- a/nixos/modules/services/misc/spice-autorandr.nix
+++ b/nixos/modules/services/misc/spice-autorandr.nix
@@ -6,7 +6,7 @@ in
 {
   options = {
     services.spice-autorandr = {
-      enable = lib.mkEnableOption "spice-autorandr service that will automatically resize display to match SPICE client window size.";
+      enable = lib.mkEnableOption "spice-autorandr service that will automatically resize display to match SPICE client window size";
       package = lib.mkPackageOption pkgs "spice-autorandr" { };
     };
   };
diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix
index 21e6128c7226a..ea4dd43cbb35b 100644
--- a/nixos/modules/services/monitoring/rustdesk-server.nix
+++ b/nixos/modules/services/monitoring/rustdesk-server.nix
@@ -4,7 +4,7 @@ let
   UDPPorts = [21116];
 in {
   options.services.rustdesk-server = with lib; with types; {
-    enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices.";
+    enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices";
 
     package = mkPackageOption pkgs "rustdesk-server" {};
 
diff --git a/nixos/modules/services/monitoring/thanos.nix b/nixos/modules/services/monitoring/thanos.nix
index f4cec0a545cb7..10f4d08f8874e 100644
--- a/nixos/modules/services/monitoring/thanos.nix
+++ b/nixos/modules/services/monitoring/thanos.nix
@@ -696,7 +696,7 @@ in {
     };
 
     store = paramsToOptions params.store // {
-      enable = mkEnableOption "the Thanos store node giving access to blocks in a bucket provider.";
+      enable = mkEnableOption "the Thanos store node giving access to blocks in a bucket provider";
       arguments = mkArgumentsOption "store";
     };
 
diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix
index 0a0d5eadccd30..35a2d61da1de4 100644
--- a/nixos/modules/services/monitoring/ups.nix
+++ b/nixos/modules/services/monitoring/ups.nix
@@ -385,8 +385,8 @@ in
 
     power.ups = {
       enable = mkEnableOption ''
-        Enables support for Power Devices, such as Uninterruptible Power
-        Supplies, Power Distribution Units and Solar Controllers.
+        support for Power Devices, such as Uninterruptible Power
+        Supplies, Power Distribution Units and Solar Controllers
       '';
 
       mode = mkOption {
diff --git a/nixos/modules/services/network-filesystems/openafs/server.nix b/nixos/modules/services/network-filesystems/openafs/server.nix
index a399aa6c23bca..8186277b47775 100644
--- a/nixos/modules/services/network-filesystems/openafs/server.nix
+++ b/nixos/modules/services/network-filesystems/openafs/server.nix
@@ -183,7 +183,7 @@ in {
 
           enableFabs = mkEnableOption ''
             FABS, the flexible AFS backup system. It stores volumes as dump files, relying on other
-            pre-existing backup solutions for handling them.
+            pre-existing backup solutions for handling them
           '';
 
           buserverArgs = mkOption {
diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix
index 608b48cf0305c..f46bf802511ae 100644
--- a/nixos/modules/services/network-filesystems/samba-wsdd.nix
+++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix
@@ -10,7 +10,7 @@ in {
     services.samba-wsdd = {
       enable = mkEnableOption ''
         Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device,
-        to be found by Web Service Discovery Clients like Windows.
+        to be found by Web Service Discovery Clients like Windows
       '';
       interface = mkOption {
         type = types.nullOr types.str;
diff --git a/nixos/modules/services/networking/gns3-server.nix b/nixos/modules/services/networking/gns3-server.nix
index ba0d6be30f499..b2f25b158bbbc 100644
--- a/nixos/modules/services/networking/gns3-server.nix
+++ b/nixos/modules/services/networking/gns3-server.nix
@@ -87,17 +87,17 @@ in {
       };
 
       dynamips = {
-        enable = lib.mkEnableOption ''Whether to enable Dynamips support.'';
+        enable = lib.mkEnableOption ''Dynamips support'';
         package = lib.mkPackageOptionMD pkgs "dynamips" { };
       };
 
       ubridge = {
-        enable = lib.mkEnableOption ''Whether to enable uBridge support.'';
+        enable = lib.mkEnableOption ''uBridge support'';
         package = lib.mkPackageOptionMD pkgs "ubridge" { };
       };
 
       vpcs = {
-        enable = lib.mkEnableOption ''Whether to enable VPCS support.'';
+        enable = lib.mkEnableOption ''VPCS support'';
         package = lib.mkPackageOptionMD pkgs "vpcs" { };
       };
     };
diff --git a/nixos/modules/services/networking/haproxy.nix b/nixos/modules/services/networking/haproxy.nix
index c764b447b0cb9..19b096bf49069 100644
--- a/nixos/modules/services/networking/haproxy.nix
+++ b/nixos/modules/services/networking/haproxy.nix
@@ -17,7 +17,7 @@ with lib;
   options = {
     services.haproxy = {
 
-      enable = mkEnableOption "HAProxy, the reliable, high performance TCP/HTTP load balancer.";
+      enable = mkEnableOption "HAProxy, the reliable, high performance TCP/HTTP load balancer";
 
       package = mkPackageOption pkgs "haproxy" { };
 
diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix
index 1880aebe7a6be..973dfa054afcb 100644
--- a/nixos/modules/services/networking/hylafax/options.nix
+++ b/nixos/modules/services/networking/hylafax/options.nix
@@ -312,9 +312,9 @@ in
     };
 
     faxqclean.enable.spoolInit = mkEnableOption ''
-      Purge old files from the spooling area with
+      purging old files from the spooling area with
       {file}`faxqclean`
-      each time the spooling area is initialized.
+      each time the spooling area is initialized
     '';
     faxqclean.enable.frequency = mkOption {
       type = nullOr nonEmptyStr;
diff --git a/nixos/modules/services/networking/netbird/dashboard.nix b/nixos/modules/services/networking/netbird/dashboard.nix
index 6fc3086155900..788b724231be3 100644
--- a/nixos/modules/services/networking/netbird/dashboard.nix
+++ b/nixos/modules/services/networking/netbird/dashboard.nix
@@ -39,7 +39,7 @@ in
 
     package = mkPackageOption pkgs "netbird-dashboard" { };
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy to serve the dashboard.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy to serve the dashboard";
 
     domain = mkOption {
       type = str;
diff --git a/nixos/modules/services/networking/netbird/management.nix b/nixos/modules/services/networking/netbird/management.nix
index 52f033959143c..f4b5bbf643239 100644
--- a/nixos/modules/services/networking/netbird/management.nix
+++ b/nixos/modules/services/networking/netbird/management.nix
@@ -137,7 +137,7 @@ in
 
 {
   options.services.netbird.server.management = {
-    enable = mkEnableOption "Netbird Management Service.";
+    enable = mkEnableOption "Netbird Management Service";
 
     package = mkPackageOption pkgs "netbird" { };
 
@@ -335,7 +335,7 @@ in
       description = "Log level of the netbird services.";
     };
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird management service.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird management service";
   };
 
   config = mkIf cfg.enable {
diff --git a/nixos/modules/services/networking/netbird/server.nix b/nixos/modules/services/networking/netbird/server.nix
index e3de286a04fa4..1725374d03c6b 100644
--- a/nixos/modules/services/networking/netbird/server.nix
+++ b/nixos/modules/services/networking/netbird/server.nix
@@ -31,7 +31,7 @@ in
   options.services.netbird.server = {
     enable = mkEnableOption "Netbird Server stack, comprising the dashboard, management API and signal service";
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird server services.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird server services";
 
     domain = mkOption {
       type = str;
diff --git a/nixos/modules/services/networking/netbird/signal.nix b/nixos/modules/services/networking/netbird/signal.nix
index 8408d20e874b5..b53e9d40c2eed 100644
--- a/nixos/modules/services/networking/netbird/signal.nix
+++ b/nixos/modules/services/networking/netbird/signal.nix
@@ -28,7 +28,7 @@ in
 
     package = mkPackageOption pkgs "netbird" { };
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird signal service.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird signal service";
 
     domain = mkOption {
       type = str;
diff --git a/nixos/modules/services/networking/networkd-dispatcher.nix b/nixos/modules/services/networking/networkd-dispatcher.nix
index 039888e3c0646..427835870e59f 100644
--- a/nixos/modules/services/networking/networkd-dispatcher.nix
+++ b/nixos/modules/services/networking/networkd-dispatcher.nix
@@ -14,7 +14,7 @@ in {
       enable = mkEnableOption ''
         Networkd-dispatcher service for systemd-networkd connection status
         change. See [https://gitlab.com/craftyguy/networkd-dispatcher](upstream instructions)
-        for usage.
+        for usage
       '';
 
       rules = mkOption {
diff --git a/nixos/modules/services/networking/nncp.nix b/nixos/modules/services/networking/nncp.nix
index f4ed7ecc7d4a6..8c5b5a61a181d 100644
--- a/nixos/modules/services/networking/nncp.nix
+++ b/nixos/modules/services/networking/nncp.nix
@@ -34,9 +34,7 @@ in {
           [](#opt-programs.nncp.settings)
         '';
         socketActivation = {
-          enable = mkEnableOption ''
-            Whether to run nncp-daemon persistently or socket-activated.
-          '';
+          enable = mkEnableOption "socket activation for nncp-daemon";
           listenStreams = mkOption {
             type = with types; listOf str;
             description = ''
diff --git a/nixos/modules/services/networking/wg-access-server.nix b/nixos/modules/services/networking/wg-access-server.nix
new file mode 100644
index 0000000000000..5876699924b22
--- /dev/null
+++ b/nixos/modules/services/networking/wg-access-server.nix
@@ -0,0 +1,124 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkPackageOption mkOption types;
+
+  cfg = config.services.wg-access-server;
+
+  settingsFormat = pkgs.formats.yaml { };
+  configFile = settingsFormat.generate "config.yaml" cfg.settings;
+in
+{
+
+  options.services.wg-access-server = {
+    enable = mkEnableOption "wg-access-server";
+
+    package = mkPackageOption pkgs "wg-access-server" { };
+
+    settings = mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+        options = {
+          dns.enable = mkOption {
+            type = types.bool;
+            default = true;
+            description = ''
+              Enable/disable the embedded DNS proxy server.
+              This is enabled by default and allows VPN clients to avoid DNS leaks by sending all DNS requests to wg-access-server itself.
+            '';
+          };
+          storage = mkOption {
+            type = types.str;
+            default = "sqlite3://db.sqlite";
+            description = "A storage backend connection string. See [storage docs](https://www.freie-netze.org/wg-access-server/3-storage/)";
+          };
+        };
+      };
+      description = "See https://www.freie-netze.org/wg-access-server/2-configuration/ for possible options";
+    };
+
+    secretsFile = mkOption {
+      type = types.path;
+      description = ''
+        yaml file containing all secrets. this needs to be in the same structure as the configuration.
+
+        This must to contain the admin password and wireguard private key.
+        As well as the secrets for your auth backend.
+
+        Example:
+        ```yaml
+        adminPassword: <admin password>
+        wireguard:
+          privateKey: <wireguard private key>
+        auth:
+          oidc:
+            clientSecret: <client secret>
+        ```
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions =
+      map
+        (attrPath:
+          {
+            assertion = !lib.hasAttrByPath attrPath config.services.wg-access-server.settings;
+            message = ''
+              {option}`services.wg-access-server.settings.${lib.concatStringsSep "." attrPath}` must definded
+              in {option}`services.wg-access-server.secretsFile`.
+            '';
+          })
+        [
+          [ "adminPassword" ]
+          [ "wireguard" "privateKey" ]
+          [ "auth" "sessionStore" ]
+          [ "auth" "oidc" "clientSecret" ]
+          [ "auth" "gitlab" "clientSecret" ]
+        ];
+
+    boot.kernel.sysctl = {
+      "net.ipv4.conf.all.forwarding" = "1";
+      "net.ipv6.conf.all.forwarding" = "1";
+    };
+
+    systemd.services.wg-access-server = {
+      description = "WG access server";
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      script = ''
+        # merge secrets into main config
+        yq eval-all "select(fileIndex == 0) * select(fileIndex == 1)" ${configFile} $CREDENTIALS_DIRECTORY/SECRETS_FILE \
+          > "$STATE_DIRECTORY/config.yml"
+
+        ${lib.getExe cfg.package} serve --config "$STATE_DIRECTORY/config.yml"
+      '';
+
+      path = with pkgs; [
+        iptables
+        # needed by startup script
+        yq-go
+      ];
+
+      serviceConfig =
+        let
+          capabilities = [
+            "CAP_NET_ADMIN"
+          ] ++ lib.optional cfg.settings.dns.enabled "CAP_NET_BIND_SERVICE";
+        in
+        {
+          WorkingDirectory = "/var/lib/wg-access-server";
+          StateDirectory = "wg-access-server";
+
+          LoadCredential = [
+            "SECRETS_FILE:${cfg.secretsFile}"
+          ];
+
+          # Hardening
+          DynamicUser = true;
+          AmbientCapabilities = capabilities;
+          CapabilityBoundingSet = capabilities;
+        };
+    };
+  };
+}
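Review bot: `serviceConfig` reads `cfg.settings.dns.enabled`, but the only DNS option this module declares is `settings.dns.enable`, so with a default configuration that attribute does not exist and the declared default never reaches the capability list. The declaration and the `lib.optional` that grants `CAP_NET_BIND_SERVICE` need the same key, e.g. `] ++ lib.optional cfg.settings.dns.enable "CAP_NET_BIND_SERVICE";`, or the option should be renamed if upstream's YAML key is `enabled`. Separately, the start script writes the merged config, including the admin password and WireGuard private key, to `$STATE_DIRECTORY/config.yml` under the default umask and leaves it on disk. Adding `UMask = "0077";` to `serviceConfig` and quoting `"$CREDENTIALS_DIRECTORY/SECRETS_FILE"` would keep that file owner-only, and writing it to a `RuntimeDirectory` instead would avoid persisting the secrets at all.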
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index c4031b64ba6aa..b6ce42d7318c8 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -263,7 +263,7 @@ in
         '';
         type = with types; attrsOf (either lines (submodule ({ name, ... }: {
           options = {
-            enabled = mkEnableOption "this jail." // {
+            enabled = mkEnableOption "this jail" // {
               default = true;
               readOnly = name == "DEFAULT";
             };
diff --git a/nixos/modules/services/security/haveged.nix b/nixos/modules/services/security/haveged.nix
index 57cef7e44d503..4c686d74268af 100644
--- a/nixos/modules/services/security/haveged.nix
+++ b/nixos/modules/services/security/haveged.nix
@@ -17,7 +17,7 @@ in
 
       enable = mkEnableOption ''
         haveged entropy daemon, which refills /dev/random when low.
-        NOTE: does nothing on kernels newer than 5.6.
+        NOTE: does nothing on kernels newer than 5.6
       '';
       # source for the note https://github.com/jirka-h/haveged/issues/57
 
diff --git a/nixos/modules/services/security/vaultwarden/backup.sh b/nixos/modules/services/security/vaultwarden/backup.sh
index 7668da5bc88f3..0c1cd3aa544f6 100644
--- a/nixos/modules/services/security/vaultwarden/backup.sh
+++ b/nixos/modules/services/security/vaultwarden/backup.sh
@@ -1,17 +1,21 @@
 #!/usr/bin/env bash
 
+# Allow use of !() when copying to not copy certain files
+shopt -s extglob
+
 # Based on: https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
 if [ ! -d "$BACKUP_FOLDER" ]; then
   echo "Backup folder '$BACKUP_FOLDER' does not exist" >&2
   exit 1
 fi
 
-if [[ ! -f "$DATA_FOLDER"/db.sqlite3 ]]; then
-  echo "Could not find SQLite database file '$DATA_FOLDER/db.sqlite3'" >&2
-  exit 1
+if [[ -f "$DATA_FOLDER"/db.sqlite3 ]]; then
+  sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'"
+fi
+
+if [ ! -d "$DATA_FOLDER" ]; then
+  echo "No data folder (yet). This will happen on first launch if backup is triggered before vaultwarden has started."
+  exit 0
 fi
 
-sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'"
-cp "$DATA_FOLDER"/rsa_key.{der,pem,pub.der} "$BACKUP_FOLDER"
-cp -r "$DATA_FOLDER"/attachments "$BACKUP_FOLDER"
-cp -r "$DATA_FOLDER"/icon_cache "$BACKUP_FOLDER"
+cp -r "$DATA_FOLDER"/!(db.*) "$BACKUP_FOLDER"/
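Review bot: The `sqlite3 ... ".backup ..."` call inside the new `if` has no exit-status check and the script never sets `set -e`, so a failed database backup is followed by the `cp` and the run can still end with status 0. Appending `|| exit 1` to that line would make the failure visible to whatever schedules the backup. The `!(db.*)` glob now copies everything else in `$DATA_FOLDER` rather than a fixed list, so a comment such as `# copies key material and any other non-db files; keep $BACKUP_FOLDER as restricted as $DATA_FOLDER` would help. If `$BACKUP_FOLDER` can sit below `$DATA_FOLDER` (the test paths elsewhere in this commit suggest it may), the glob also matches the backup folder itself, which is worth excluding or documenting.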
diff --git a/nixos/modules/services/web-apps/audiobookshelf.nix b/nixos/modules/services/web-apps/audiobookshelf.nix
index 84dffc5f9d3c5..2f00c852ac8fe 100644
--- a/nixos/modules/services/web-apps/audiobookshelf.nix
+++ b/nixos/modules/services/web-apps/audiobookshelf.nix
@@ -8,7 +8,7 @@ in
 {
   options = {
     services.audiobookshelf = {
-      enable = mkEnableOption "Audiobookshelf, self-hosted audiobook and podcast server.";
+      enable = mkEnableOption "Audiobookshelf, self-hosted audiobook and podcast server";
 
       package = mkPackageOption pkgs "audiobookshelf" { };
 
diff --git a/nixos/modules/services/web-apps/jitsi-meet.nix b/nixos/modules/services/web-apps/jitsi-meet.nix
index 76753b89ec9ea..247b65c786636 100644
--- a/nixos/modules/services/web-apps/jitsi-meet.nix
+++ b/nixos/modules/services/web-apps/jitsi-meet.nix
@@ -170,7 +170,7 @@ in
       '';
     };
 
-    caddy.enable = mkEnableOption "Whether to enable caddy reverse proxy to expose jitsi-meet";
+    caddy.enable = mkEnableOption "caddy reverse proxy to expose jitsi-meet";
 
     prosody.enable = mkOption {
       type = bool;
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index f4560ed64bb4f..a4a1f399f4e22 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -489,7 +489,7 @@ in {
             implementation into the virtual filesystem.
 
             Further details about this feature can be found in the
-            [upstream documentation](https://docs.nextcloud.com/server/22/admin_manual/configuration_files/primary_storage.html).
+            [upstream documentation](https://docs.nextcloud.com/server/22/admin_manual/configuration_files/primary_storage.html)
           '';
           bucket = mkOption {
             type = types.str;
@@ -591,7 +591,7 @@ in {
         This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF).
         You may want to disable it for increased security. In that case, previews will still be available
         for some images (e.g. JPEG and PNG).
-        See <https://github.com/nextcloud/server/issues/13099>.
+        See <https://github.com/nextcloud/server/issues/13099>
     '' // {
       default = true;
     };
diff --git a/nixos/modules/services/web-apps/pretix.nix b/nixos/modules/services/web-apps/pretix.nix
index 9786b61160260..0fb635964fe65 100644
--- a/nixos/modules/services/web-apps/pretix.nix
+++ b/nixos/modules/services/web-apps/pretix.nix
@@ -63,7 +63,7 @@ in
   };
 
   options.services.pretix = {
-    enable = mkEnableOption "Pretix, a ticket shop application for conferences, festivals, concerts, etc.";
+    enable = mkEnableOption "Pretix, a ticket shop application for conferences, festivals, concerts, etc";
 
     package = mkPackageOption pkgs "pretix" { };
 
diff --git a/nixos/modules/services/web-apps/silverbullet.nix b/nixos/modules/services/web-apps/silverbullet.nix
index c316d074cbaab..5d5f950a9a661 100644
--- a/nixos/modules/services/web-apps/silverbullet.nix
+++ b/nixos/modules/services/web-apps/silverbullet.nix
@@ -12,7 +12,7 @@ in
 {
   options = {
     services.silverbullet = {
-      enable = lib.mkEnableOption "Silverbullet, an open-source, self-hosted, offline-capable Personal Knowledge Management (PKM) web application.";
+      enable = lib.mkEnableOption "Silverbullet, an open-source, self-hosted, offline-capable Personal Knowledge Management (PKM) web application";
 
       package = lib.mkPackageOptionMD pkgs "silverbullet" { };
 
diff --git a/nixos/modules/services/web-apps/suwayomi-server.nix b/nixos/modules/services/web-apps/suwayomi-server.nix
index 5b61852a534dc..ba2352d0e693f 100644
--- a/nixos/modules/services/web-apps/suwayomi-server.nix
+++ b/nixos/modules/services/web-apps/suwayomi-server.nix
@@ -9,7 +9,7 @@ in
 {
   options = {
     services.suwayomi-server = {
-      enable = mkEnableOption "Suwayomi, a free and open source manga reader server that runs extensions built for Tachiyomi.";
+      enable = mkEnableOption "Suwayomi, a free and open source manga reader server that runs extensions built for Tachiyomi";
 
       package = lib.mkPackageOptionMD pkgs "suwayomi-server" { };
 
@@ -72,7 +72,7 @@ in
               };
 
               basicAuthEnabled = mkEnableOption ''
-                Add basic access authentication to Suwayomi-Server.
+                basic access authentication for Suwayomi-Server.
                 Enabling this option is useful when hosting on a public network/the Internet
               '';
 
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index f9720c3629353..b5ff630a4d484 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -1086,9 +1086,9 @@ in
         '';
         description = "Declarative vhost config";
       };
-      validateConfigFile = lib.mkEnableOption ''
-        Validate configuration with pkgs.writeNginxConfig.
-      '' // { default = true; };
+      validateConfigFile = lib.mkEnableOption "validating configuration with pkgs.writeNginxConfig" // {
+        default = true;
+      };
     };
   };
 
diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix
index e243778cc747c..1c5a9af5c9245 100644
--- a/nixos/modules/services/web-servers/tomcat.nix
+++ b/nixos/modules/services/web-servers/tomcat.nix
@@ -21,6 +21,14 @@ in
         example = "tomcat10";
       };
 
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 8080;
+        description = ''
+          The TCP port Tomcat should listen on.
+        '';
+      };
+
       purifyOnStart = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -244,8 +252,12 @@ in
             hostElementsString = lib.concatMapStringsSep "\n" hostElementForVirtualHost cfg.virtualHosts;
             hostElementsSedString = lib.replaceStrings ["\n"] ["\\\n"] hostElementsString;
           in ''
-            # Create a modified server.xml which also includes all virtual hosts
-            sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\\"${lib.escapeShellArg hostElementsSedString} \
+            # Create a modified server.xml which listens on the given port,
+            # and also includes all virtual hosts.
+            # The host modification must be last here,
+            # else if hostElementsSedString is empty sed gets confused as to what to append
+            sed -e 's/<Connector port="8080"/<Connector port="${toString cfg.port}"/' \
+                -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\\"${lib.escapeShellArg hostElementsSedString} \
                   ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml
           ''
         }
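Review bot: The new first `sed` expression only takes effect when the packaged `server.xml` contains the literal `<Connector port="8080"`. If that text ever differs, the substitution is a silent no-op and Tomcat keeps its stock port while `services.tomcat.port` claims another, which undermines firewall rules written against the option. A check after the rewrite would catch it, for example `grep -q '<Connector port="${toString cfg.port}"' ${cfg.baseDir}/conf/server.xml || { echo "failed to set Tomcat connector port" >&2; exit 1; }`. The enclosing script block starts outside the hunk.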
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index d1cd601c2d9b1..cbeec4588f593 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -150,9 +150,13 @@ in
         HostKey ${initrdKeyPath path}
       '')}
 
-      KexAlgorithms ${concatStringsSep "," sshdCfg.settings.KexAlgorithms}
-      Ciphers ${concatStringsSep "," sshdCfg.settings.Ciphers}
-      MACs ${concatStringsSep "," sshdCfg.settings.Macs}
+      '' + lib.optionalString (sshdCfg.settings.KexAlgorithms != null) ''
+        KexAlgorithms ${concatStringsSep "," sshdCfg.settings.KexAlgorithms}
+      '' + lib.optionalString (sshdCfg.settings.Ciphers != null) ''
+        Ciphers ${concatStringsSep "," sshdCfg.settings.Ciphers}
+      '' + lib.optionalString (sshdCfg.settings.Macs != null) ''
+        MACs ${concatStringsSep "," sshdCfg.settings.Macs}
+      '' + ''
 
       LogLevel ${sshdCfg.settings.LogLevel}
 
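Review bot: With these `lib.optionalString` guards, a `null` value for `KexAlgorithms`, `Ciphers` or `Macs` omits the directive from the initrd sshd configuration, so the daemon presumably falls back to the algorithms its build enables by default, and nothing in the hunk records that. A comment above the first guard would make it explicit, e.g. `# null: omit the directive and let sshd use its built-in defaults`. Because these values come from the main sshd's `sshdCfg.settings`, it is worth confirming that relaxing them to `null` there is also meant to relax the initrd daemon. The surrounding configuration string starts and ends outside the hunk.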
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 2b365bc555855..00b6b28eb6537 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -57,12 +57,12 @@ in
   options.testing = {
 
     initrdBackdoor = lib.mkEnableOption ''
-      enable backdoor.service in initrd. Requires
+      backdoor.service in initrd. Requires
       boot.initrd.systemd.enable to be enabled. Boot will pause in
       stage 1 at initrd.target, and will listen for commands from the
       Machine python interface, just like stage 2 normally does. This
       enables commands to be sent to test and debug stage 1. Use
-      machine.switch_root() to leave stage 1 and proceed to stage 2.
+      machine.switch_root() to leave stage 1 and proceed to stage 2
     '';
 
   };
diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix
index 87568390bd3b8..2b69a7a076585 100644
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@@ -149,7 +149,7 @@ in
 
         Users in the "incus-admin" group can interact with
         the daemon (e.g. to start or stop containers) using the
-        {command}`incus` command line tool, among others.
+        {command}`incus` command line tool, among others
       '';
 
       package = lib.mkPackageOption pkgs "incus-lts" { };
diff --git a/nixos/modules/virtualisation/multipass.nix b/nixos/modules/virtualisation/multipass.nix
index 7918a716a870b..8a55282c88d8c 100644
--- a/nixos/modules/virtualisation/multipass.nix
+++ b/nixos/modules/virtualisation/multipass.nix
@@ -10,9 +10,7 @@ in
 {
   options = {
     virtualisation.multipass = {
-      enable = lib.mkEnableOption ''
-        Multipass, a simple manager for virtualised Ubuntu instances.
-      '';
+      enable = lib.mkEnableOption "Multipass, a simple manager for virtualised Ubuntu instances";
 
       logLevel = lib.mkOption {
         type = lib.types.enum [ "error" "warning" "info" "debug" "trace" ];
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 3b81cfaf2b8ca..d1dc6404d4f51 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -900,7 +900,7 @@ in
     };
 
     virtualisation.tpm = {
-      enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm.";
+      enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm";
 
       package = mkPackageOption cfg.host.pkgs "swtpm" { };
 
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index d9551c33d8f6a..ad9025a917c38 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1042,6 +1042,7 @@ in {
   wiki-js = handleTest ./wiki-js.nix {};
   wine = handleTest ./wine.nix {};
   wireguard = handleTest ./wireguard {};
+  wg-access-server = handleTest ./wg-access-server.nix {};
   without-nix = handleTest ./without-nix.nix {};
   wmderland = handleTest ./wmderland.nix {};
   workout-tracker = handleTest ./workout-tracker.nix {};
diff --git a/nixos/tests/tomcat.nix b/nixos/tests/tomcat.nix
index df5cb033b78f0..c5e6e65ac600e 100644
--- a/nixos/tests/tomcat.nix
+++ b/nixos/tests/tomcat.nix
@@ -5,23 +5,24 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
   nodes.machine = { pkgs, ... }: {
     services.tomcat = {
       enable = true;
+      port = 8001;
       axis2.enable = true;
     };
   };
 
   testScript = ''
     machine.wait_for_unit("tomcat.service")
-    machine.wait_for_open_port(8080)
+    machine.wait_for_open_port(8001)
     machine.wait_for_file("/var/tomcat/webapps/examples");
 
     machine.succeed(
-        "curl -sS --fail http://localhost:8080/examples/servlets/servlet/HelloWorldExample | grep 'Hello World!'"
+        "curl -sS --fail http://localhost:8001/examples/servlets/servlet/HelloWorldExample | grep 'Hello World!'"
     )
     machine.succeed(
-        "curl -sS --fail http://localhost:8080/examples/jsp/jsp2/simpletag/hello.jsp | grep 'Hello, world!'"
+        "curl -sS --fail http://localhost:8001/examples/jsp/jsp2/simpletag/hello.jsp | grep 'Hello, world!'"
     )
     machine.succeed(
-        "curl -sS --fail http://localhost:8080/axis2/axis2-web/HappyAxis.jsp | grep 'Found Axis2'"
+        "curl -sS --fail http://localhost:8001/axis2/axis2-web/HappyAxis.jsp | grep 'Found Axis2'"
     )
   '';
 })
diff --git a/nixos/tests/vaultwarden.nix b/nixos/tests/vaultwarden.nix
index baefa67dbf535..a60cb3af5535c 100644
--- a/nixos/tests/vaultwarden.nix
+++ b/nixos/tests/vaultwarden.nix
@@ -208,6 +208,10 @@ builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
           server.succeed('[ -d "/var/lib/vaultwarden/backups" ]')
           server.succeed('[ -f "/var/lib/vaultwarden/backups/db.sqlite3" ]')
           server.succeed('[ -d "/var/lib/vaultwarden/backups/attachments" ]')
+          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pem" ]')
+          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pub.pem" ]')
+          # Ensure only the db backed up with the backup command exists and not the other db files.
+          server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-shm" ]')
     '';
   };
 }
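Review bot: The negative assertion covers only `db.sqlite3-shm`, although the `!(db.*)` glob in the backup script should also keep out `db.sqlite3-wal`. A second line, `server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-wal" ]')`, would pin that as well. The added checks also do not look at the mode or owner of the copied `rsa_key.pem`; if the backup directory is meant to be as restricted as the data directory, an assertion on that would document it. The test script starts outside the hunk.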
diff --git a/nixos/tests/wg-access-server.nix b/nixos/tests/wg-access-server.nix
new file mode 100644
index 0000000000000..84fdf43e7943b
--- /dev/null
+++ b/nixos/tests/wg-access-server.nix
@@ -0,0 +1,28 @@
+import ./make-test-python.nix ({ pkgs, lib, kernelPackages ? null, ... }:
+{
+  name = "wg-access-server";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ xanderio ];
+  };
+
+  nodes = {
+    server = {
+      services.wg-access-server = {
+        enable = true;
+        settings = {
+          adminUsername = "admin";
+        };
+        secretsFile = (pkgs.writers.writeYAML "secrets.yaml" {
+          adminPassword = "hunter2";
+        });
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    server.wait_for_unit("wg-access-server.service")
+  '';
+}
+)
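Review bot: `secretsFile` is built with `pkgs.writers.writeYAML`, which puts the admin password in the Nix store, and store paths are world-readable. That is acceptable for a VM test, but the file reads like a usage example, so a comment on that line would stop the pattern being copied, e.g. `# test only: this lands in the world-readable Nix store; real deployments should use a path outside the store`. The test script also only waits for the unit to start, so it exercises neither the admin login nor the capability restrictions set in the module. The `lib` and `kernelPackages` arguments appear unused in this file.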