author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-02-07 18:00:58 +0000 |
committer | GitHub <noreply@github.com> | 2024-02-07 18:00:58 +0000 |
commit | 296d2f69915ddc4b8ce55fc49727c735d227d1f7 (patch) | |
tree | 39f8d20b50a8766011c4fb5db540763da15f7175 /nixos | |
parent | ff0149cc25a43a7e484ad2542adf5ab90508756e (diff) | |
parent | cd5c10f69676a36ae44254b8cfd58f528a062f65 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/pki.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/home-automation/govee2mqtt.nix | 90 | ||||
-rw-r--r-- | nixos/modules/services/home-automation/zigbee2mqtt.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/kanidm.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/tt-rss.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 2 |
7 files changed, 105 insertions, 7 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 23a761041bf48..2996da3c2d554 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -579,6 +579,7 @@
 ./services/home-automation/ebusd.nix
 ./services/home-automation/esphome.nix
 ./services/home-automation/evcc.nix
+ ./services/home-automation/govee2mqtt.nix
 ./services/home-automation/home-assistant.nix
 ./services/home-automation/homeassistant-satellite.nix
 ./services/home-automation/zigbee2mqtt.nix
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 4b7a86c44a0cc..c47ceb218e66c 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -219,7 +219,6 @@ in
 inherit (cert) action;
 authority = {
 inherit remote;
- file.path = cert.caCert;
 root_ca = cert.caCert;
 profile = "default";
 auth_key_file = certmgrAPITokenPath;
diff --git a/nixos/modules/services/home-automation/govee2mqtt.nix b/nixos/modules/services/home-automation/govee2mqtt.nix
new file mode 100644
index 0000000000000..1dee5999fa3be
--- /dev/null
+++ b/nixos/modules/services/home-automation/govee2mqtt.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.govee2mqtt;
+in {
+ meta.maintainers = with lib.maintainers; [ SuperSandro2000 ];
+
+ options.services.govee2mqtt = {
+ enable = lib.mkEnableOption "Govee2MQTT";
+
+ package = lib.mkPackageOption pkgs "govee2mqtt" { };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "govee2mqtt";
+ description = "User under which Govee2MQTT should run.";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "govee2mqtt";
+ description = "Group under which Govee2MQTT should run.";
+ };
+
+ environmentFile = lib.mkOption {
+ type = lib.types.path;
+ example = "/var/lib/govee2mqtt/govee2mqtt.env";
+ description = ''
+ Environment file as defined in {manpage}`systemd.exec(5)`.
+
+ See upstream documentation <https://github.com/wez/govee2mqtt/blob/main/docs/CONFIG.md>.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ groups.${cfg.group} = { };
+ users.${cfg.user} = {
+ description = "Govee2MQTT service user";
+ inherit (cfg) group;
+ isSystemUser = true;
+ };
+ };
+
+ systemd.services.govee2mqtt = {
+ description = "Govee2MQTT Service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "networking.target" ];
+ serviceConfig = {
+ CacheDirectory = "govee2mqtt";
+ Environment = [
+ "GOVEE_CACHE_DIR=/var/cache/govee2mqtt"
+ ];
+ EnvironmentFile = cfg.environmentFile;
+ ExecStart = "${lib.getExe cfg.package} serve --govee-iot-key=/var/lib/govee2mqtt/iot.key --govee-iot-cert=/var/lib/govee2mqtt/iot.cert"
+ + " --amazon-root-ca=${pkgs.cacert.unbundled}/etc/ssl/certs/Amazon_Root_CA_1:66c9fcf99bf8c0a39e2f0788a43e696365bca.crt";
+ Group = cfg.group;
+ Restart = "on-failure";
+ StateDirectory = "govee2mqtt";
+ User = cfg.user;
+
+ # Hardening
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/home-automation/zigbee2mqtt.nix b/nixos/modules/services/home-automation/zigbee2mqtt.nix
index 570ce41aa6d45..a653e49a09f62 100644
--- a/nixos/modules/services/home-automation/zigbee2mqtt.nix
+++ b/nixos/modules/services/home-automation/zigbee2mqtt.nix
@@ -71,7 +71,6 @@ in
 after = [ "network.target" ];
 environment.ZIGBEE2MQTT_DATA = cfg.dataDir;
 serviceConfig = {
- Type = "notify";
 ExecStart = "${cfg.package}/bin/zigbee2mqtt";
 User = "zigbee2mqtt";
 Group = "zigbee2mqtt";
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index c8d8f69729e9b..c659d93b40872 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -165,10 +165,17 @@ in
 type = lib.types.submodule { freeformType = settingsFormat.type; - options.pam_allowed_login_groups = lib.mkOption { - description = lib.mdDoc "Kanidm groups that are allowed to login using PAM."; - example = "my_pam_group"; - type = lib.types.listOf lib.types.str; + options = { + pam_allowed_login_groups = lib.mkOption { + description = lib.mdDoc "Kanidm groups that are allowed to login using PAM."; + example = "my_pam_group"; + type = lib.types.listOf lib.types.str; + }; + hsm_pin_path = lib.mkOption { + description = lib.mdDoc "Path to a HSM pin."; + default = "/var/cache/kanidm-unixd/hsm-pin"; + type = lib.types.path; + }; }; }; description = lib.mdDoc ''
diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix
index a8fb37d2c5ecd..6c9b4bd1b8a7d 100644
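Review bot: `after = [ "networking.target" ];` in the new govee2mqtt unit orders against a target systemd does not define (the zigbee2mqtt hunk in this same commit uses `network.target`), so the ordering is silently a no-op; it should read `after = [ "network.target" ];` (or `network-online.target` together with a matching `wants`, if the daemon needs connectivity at start-up). The `environmentFile` option is typed `lib.types.path` and its description only points at systemd.exec(5); since the file presumably carries the daemon's credentials, the description should state that it is read by systemd at runtime and must not be a path literal, which Nix would copy into the world-readable store, e.g. `Environment file holding the service's secrets (see upstream CONFIG.md); it is read at start-up and must not be a Nix store path.`. The hardening block has no seccomp filter and no address-family restriction; `SystemCallFilter = [ "@system-service" ]` and `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]` are the usual additions, with the family list verified against the socket types the daemon actually opens.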
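Review bot: The new `hsm_pin_path` option is described only as `Path to a HSM pin.`, which under-documents a secret-bearing setting; suggested wording: `Path to the file holding the HSM PIN used by kanidm-unixd. The file is read at runtime, so it must not be a Nix store path.`. Because the option is typed `lib.types.path`, a path literal would be copied into the world-readable store, which the description should warn against. The default `/var/cache/kanidm-unixd/hsm-pin` keeps the PIN under a cache directory; whether the daemon regenerates the file when the cache is purged, or whether losing it breaks HSM-bound keys, is not visible here and should be confirmed and documented. The enclosing option definition starts before the hunk.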
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -605,7 +605,7 @@ let
 description = "Tiny Tiny RSS feeds update daemon"; preStart = '' - ${pkgs.php81}/bin/php ${cfg.root}/www/update.php --update-schema + ${pkgs.php81}/bin/php ${cfg.root}/www/update.php --update-schema --force-yes ''; serviceConfig = {
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 6799de6c7d96c..93b1a3fdfaddd 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -361,10 +361,12 @@ let
 ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
 ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"}
 auth_basic off;
+ auth_request off;
 }
 ${optionalString (vhost.acmeFallbackHost != null) ''
 location @acme-fallback {
 auth_basic off;
+ auth_request off;
 proxy_pass http://${vhost.acmeFallbackHost};
 }
 ''}
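Review bot: The added `--force-yes` makes `update.php --update-schema` apply schema migrations unattended on every start of the tt-rss update unit, and nothing in the hunk records why; a comment above the preStart line such as `# --force-yes: update.php otherwise waits for confirmation, which would hang the non-interactive preStart` would keep the reason with the flag (adjust to whatever upstream actually prompts for). Since migrations now run without any confirmation, it is worth confirming that an irreversible schema change without a prior backup step is acceptable for this service. The unit whose preStart this is starts outside the hunk.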
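Review bot: `auth_request off;` is added next to `auth_basic off;` in both ACME locations, but neither line says why authentication is deliberately switched off there; a one-line nginx comment above the first `auth_basic off;`, e.g. `# ACME HTTP-01 challenges must be reachable without authentication`, would mark the exemption as intentional for the next reader. Note that only these two directives are disabled; `allow`/`deny` rules inherited from the server block still apply to these locations, which is presumably intended. The enclosing location block and its path start outside the hunk.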