diff options
Diffstat (limited to 'nixos/modules/services/misc')
25 files changed, 1105 insertions, 1103 deletions
diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 5a5c30a412330..2b9c6d80abbd7 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -39,9 +39,11 @@ in { default = "127.0.0.1"; description = '' The host name or IP address on which to bind Airsonic. - Only relevant if you have multiple network interfaces and want - to make Airsonic available on only one of them. The default value - will bind Airsonic to all available network interfaces. + The default value is appropriate for first launch, when the + default credentials are easy to guess. It is also appropriate + if you intend to use the virtualhost option in the service + module. In other cases, you may want to change this to a + specific IP or 0.0.0.0 to listen on all interfaces. ''; }; diff --git a/nixos/modules/services/misc/ananicy.nix b/nixos/modules/services/misc/ananicy.nix index f76f534fb4507..191666bc36259 100644 --- a/nixos/modules/services/misc/ananicy.nix +++ b/nixos/modules/services/misc/ananicy.nix @@ -84,7 +84,7 @@ in } // (if ((lib.getName cfg.package) == (lib.getName pkgs.ananicy-cpp)) then { # https://gitlab.com/ananicy-cpp/ananicy-cpp/-/blob/master/src/config.cpp#L12 loglevel = mkOD "warn"; # default is info but its spammy - cgroup_realtime_workaround = mkOD true; + cgroup_realtime_workaround = mkOD config.systemd.enableUnifiedCgroupHierarchy; } else { # https://github.com/Nefelim4ag/Ananicy/blob/master/ananicy.d/ananicy.conf check_disks_schedulers = mkOD true; diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index 95cee5046e819..a65c5c9d11cf7 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -43,6 +43,7 @@ in { ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}"; Type = "oneshot"; RemainAfterExit = false; + KillMode = "process"; }; }; diff --git a/nixos/modules/services/misc/bees.nix b/nixos/modules/services/misc/bees.nix index cb97a86b85921..fa00d7e4f55d0 100644 --- a/nixos/modules/services/misc/bees.nix +++ b/nixos/modules/services/misc/bees.nix @@ -21,6 +21,8 @@ let <para> This must be in a format usable by findmnt; that could be a key=value pair, or a bare path to a mount point. + Using bare paths will allow systemd to start the beesd service only + after mounting the associated path. ''; example = "LABEL=MyBulkDataDrive"; }; @@ -122,6 +124,7 @@ in StartupIOWeight = 25; SyslogIdentifier = "beesd"; # would otherwise be "bees-service-wrapper" }; + unitConfig.RequiresMountsFor = lib.mkIf (lib.hasPrefix "/" fs.spec) fs.spec; wantedBy = [ "multi-user.target" ]; }) cfg.filesystems; diff --git a/nixos/modules/services/misc/couchpotato.nix b/nixos/modules/services/misc/couchpotato.nix deleted file mode 100644 index f5163cf86cf5f..0000000000000 --- a/nixos/modules/services/misc/couchpotato.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.couchpotato; - -in -{ - options = { - services.couchpotato = { - enable = mkEnableOption "CouchPotato Server"; - }; - }; - - config = mkIf cfg.enable { - systemd.services.couchpotato = { - description = "CouchPotato Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - User = "couchpotato"; - Group = "couchpotato"; - StateDirectory = "couchpotato"; - ExecStart = "${pkgs.couchpotato}/bin/couchpotato"; - Restart = "on-failure"; - }; - }; - - users.users.couchpotato = - { group = "couchpotato"; - home = "/var/lib/couchpotato/"; - description = "CouchPotato daemon user"; - uid = config.ids.uids.couchpotato; - }; - - users.groups.couchpotato = - { gid = config.ids.gids.couchpotato; }; - }; -} diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 0096286701f43..bc7bb663ee007 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -177,6 +177,19 @@ in defaultText = literalExpression ''"''${config.${opt.stateDir}}/dump"''; description = "Path to the dump files."; }; + + type = mkOption { + type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" ]; + default = "zip"; + description = "Archive format used to store the dump file."; + }; + + file = mkOption { + type = types.nullOr types.str; + default = null; + description = "Filename to be used for the dump. If `null` a default name is choosen by gitea."; + example = "gitea-dump"; + }; }; ssh = { @@ -634,7 +647,7 @@ in serviceConfig = { Type = "oneshot"; User = cfg.user; - ExecStart = "${gitea}/bin/gitea dump"; + ExecStart = "${gitea}/bin/gitea dump --type ${cfg.dump.type}" + optionalString (cfg.dump.file != null) " --file ${cfg.dump.file}"; WorkingDirectory = cfg.dump.backupDir; }; }; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 219155777db95..e48444f716123 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -72,7 +72,7 @@ let redis = { bin = "${pkgs.redis}/bin/redis-cli"; host = "127.0.0.1"; - port = 6379; + port = config.services.redis.servers.gitlab.port; database = 0; namespace = "resque:gitlab"; }; @@ -450,7 +450,8 @@ in { redisUrl = mkOption { type = types.str; - default = "redis://localhost:6379/"; + default = "redis://localhost:${toString config.services.redis.servers.gitlab.port}/"; + defaultText = literalExpression ''redis://localhost:''${toString config.services.redis.servers.gitlab.port}/''; description = "Redis URL for all GitLab services except gitlab-shell"; }; @@ -961,7 +962,11 @@ in { }; # Redis is required for the sidekiq queue runner. - services.redis.enable = mkDefault true; + services.redis.servers.gitlab = { + enable = mkDefault true; + port = mkDefault 31636; + bind = mkDefault "127.0.0.1"; + }; # We use postgres as the main data store. services.postgresql = optionalAttrs databaseActuallyCreateLocally { @@ -1099,7 +1104,9 @@ in { "d ${gitlabConfig.production.shared.path} 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/artifacts 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/lfs-objects 0750 ${cfg.user} ${cfg.group} -" + "d ${gitlabConfig.production.shared.path}/packages 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/pages 0750 ${cfg.user} ${cfg.group} -" + "d ${gitlabConfig.production.shared.path}/terraform_state 0750 ${cfg.user} ${cfg.group} -" "L+ /run/gitlab/config - - - - ${cfg.statePath}/config" "L+ /run/gitlab/log - - - - ${cfg.statePath}/log" "L+ /run/gitlab/tmp - - - - ${cfg.statePath}/tmp" @@ -1129,8 +1136,8 @@ in { ExecStartPre = let preStartFullPrivileges = '' - shopt -s dotglob nullglob - set -eu + set -o errexit -o pipefail -o nounset + shopt -s dotglob nullglob inherit_errexit chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/* if [[ -n "$(ls -A '${cfg.statePath}'/config/)" ]]; then @@ -1140,7 +1147,8 @@ in { in "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}"; ExecStart = pkgs.writeShellScript "gitlab-config" '' - set -eu + set -o errexit -o pipefail -o nounset + shopt -s inherit_errexit umask u=rwx,g=rx,o= @@ -1169,7 +1177,8 @@ in { rm -f '${cfg.statePath}/config/database.yml' ${if cfg.databasePasswordFile != null then '' - export db_password="$(<'${cfg.databasePasswordFile}')" + db_password="$(<'${cfg.databasePasswordFile}')" + export db_password if [[ -z "$db_password" ]]; then >&2 echo "Database password was an empty string!" @@ -1193,10 +1202,11 @@ in { rm -f '${cfg.statePath}/config/secrets.yml' - export secret="$(<'${cfg.secrets.secretFile}')" - export db="$(<'${cfg.secrets.dbFile}')" - export otp="$(<'${cfg.secrets.otpFile}')" - export jws="$(<'${cfg.secrets.jwsFile}')" + secret="$(<'${cfg.secrets.secretFile}')" + db="$(<'${cfg.secrets.dbFile}')" + otp="$(<'${cfg.secrets.otpFile}')" + jws="$(<'${cfg.secrets.jwsFile}')" + export secret db otp jws jq -n '{production: {secret_key_base: $ENV.secret, otp_key_base: $ENV.otp, db_key_base: $ENV.db, @@ -1230,7 +1240,8 @@ in { RemainAfterExit = true; ExecStart = pkgs.writeShellScript "gitlab-db-config" '' - set -eu + set -o errexit -o pipefail -o nounset + shopt -s inherit_errexit umask u=rwx,g=rx,o= initial_root_password="$(<'${cfg.initialRootPasswordFile}')" @@ -1243,13 +1254,13 @@ in { systemd.services.gitlab-sidekiq = { after = [ "network.target" - "redis.service" + "redis-gitlab.service" "postgresql.service" "gitlab-config.service" "gitlab-db-config.service" ]; bindsTo = [ - "redis.service" + "redis-gitlab.service" "gitlab-config.service" "gitlab-db-config.service" ] ++ optional (cfg.databaseHost == "") "postgresql.service"; @@ -1364,7 +1375,7 @@ in { systemd.services.gitlab-mailroom = mkIf (gitlabConfig.production.incoming_email.enabled or false) { description = "GitLab incoming mail daemon"; - after = [ "network.target" "redis.service" "gitlab-config.service" ]; + after = [ "network.target" "redis-gitlab.service" "gitlab-config.service" ]; bindsTo = [ "gitlab-config.service" ]; wantedBy = [ "gitlab.target" ]; partOf = [ "gitlab.target" ]; @@ -1385,12 +1396,12 @@ in { after = [ "gitlab-workhorse.service" "network.target" - "redis.service" + "redis-gitlab.service" "gitlab-config.service" "gitlab-db-config.service" ]; bindsTo = [ - "redis.service" + "redis-gitlab.service" "gitlab-config.service" "gitlab-db-config.service" ] ++ optional (cfg.databaseHost == "") "postgresql.service"; diff --git a/nixos/modules/services/misc/heisenbridge.nix b/nixos/modules/services/misc/heisenbridge.nix new file mode 100644 index 0000000000000..7ce8a23d9af12 --- /dev/null +++ b/nixos/modules/services/misc/heisenbridge.nix @@ -0,0 +1,222 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.heisenbridge; + + pkg = config.services.heisenbridge.package; + bin = "${pkg}/bin/heisenbridge"; + + jsonType = (pkgs.formats.json { }).type; + + registrationFile = "/var/lib/heisenbridge/registration.yml"; + # JSON is a proper subset of YAML + bridgeConfig = builtins.toFile "heisenbridge-registration.yml" (builtins.toJSON { + id = "heisenbridge"; + url = cfg.registrationUrl; + # Don't specify as_token and hs_token + rate_limited = false; + sender_localpart = "heisenbridge"; + namespaces = cfg.namespaces; + }); +in +{ + options.services.heisenbridge = { + enable = mkEnableOption "the Matrix to IRC bridge"; + + package = mkOption { + type = types.package; + default = pkgs.heisenbridge; + defaultText = "pkgs.heisenbridge"; + example = "pkgs.heisenbridge.override { … = …; }"; + description = '' + Package of the application to run, exposed for overriding purposes. + ''; + }; + + homeserver = mkOption { + type = types.str; + description = "The URL to the home server for client-server API calls"; + example = "http://localhost:8008"; + }; + + registrationUrl = mkOption { + type = types.str; + description = '' + The URL where the application service is listening for HS requests, from the Matrix HS perspective.# + The default value assumes the bridge runs on the same host as the home server, in the same network. + ''; + example = "https://matrix.example.org"; + default = "http://${cfg.address}:${toString cfg.port}"; + defaultText = "http://$${cfg.address}:$${toString cfg.port}"; + }; + + address = mkOption { + type = types.str; + description = "Address to listen on. IPv6 does not seem to be supported."; + default = "127.0.0.1"; + example = "0.0.0.0"; + }; + + port = mkOption { + type = types.port; + description = "The port to listen on"; + default = 9898; + }; + + debug = mkOption { + type = types.bool; + description = "More verbose logging. Recommended during initial setup."; + default = false; + }; + + owner = mkOption { + type = types.nullOr types.str; + description = '' + Set owner MXID otherwise first talking local user will claim the bridge + ''; + default = null; + example = "@admin:example.org"; + }; + + namespaces = mkOption { + description = "Configure the 'namespaces' section of the registration.yml for the bridge and the server"; + # TODO link to Matrix documentation of the format + type = types.submodule { + freeformType = jsonType; + }; + + default = { + users = [ + { + regex = "@irc_.*"; + exclusive = true; + } + ]; + aliases = [ ]; + rooms = [ ]; + }; + }; + + identd.enable = mkEnableOption "identd service support"; + identd.port = mkOption { + type = types.port; + description = "identd listen port"; + default = 113; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + description = "Heisenbridge is configured over the command line. Append extra arguments here"; + default = [ ]; + }; + }; + + config = mkIf cfg.enable { + systemd.services.heisenbridge = { + description = "Matrix<->IRC bridge"; + before = [ "matrix-synapse.service" ]; # So the registration file can be used by Synapse + wantedBy = [ "multi-user.target" ]; + + preStart = '' + umask 077 + set -e -u -o pipefail + + if ! [ -f "${registrationFile}" ]; then + # Generate registration file if not present (actually, we only care about the tokens in it) + ${bin} --generate --config ${registrationFile} + fi + + # Overwrite the registration file with our generated one (the config may have changed since then), + # but keep the tokens. Two step procedure to be failure safe + ${pkgs.yq}/bin/yq --slurp \ + '.[0] + (.[1] | {as_token, hs_token})' \ + ${bridgeConfig} \ + ${registrationFile} \ + > ${registrationFile}.new + mv -f ${registrationFile}.new ${registrationFile} + + # Grant Synapse access to the registration + if ${getBin pkgs.glibc}/bin/getent group matrix-synapse > /dev/null; then + chgrp -v matrix-synapse ${registrationFile} + chmod -v g+r ${registrationFile} + fi + ''; + + serviceConfig = rec { + Type = "simple"; + ExecStart = lib.concatStringsSep " " ( + [ + bin + (if cfg.debug then "-vvv" else "-v") + "--config" + registrationFile + "--listen-address" + (lib.escapeShellArg cfg.address) + "--listen-port" + (toString cfg.port) + ] + ++ (lib.optionals (cfg.owner != null) [ + "--owner" + (lib.escapeShellArg cfg.owner) + ]) + ++ (lib.optionals cfg.identd.enable [ + "--identd" + "--identd-port" + (toString cfg.identd.port) + ]) + ++ [ + (lib.escapeShellArg cfg.homeserver) + ] + ++ (map (lib.escapeShellArg) cfg.extraArgs) + ); + + # Hardening options + + User = "heisenbridge"; + Group = "heisenbridge"; + RuntimeDirectory = "heisenbridge"; + RuntimeDirectoryMode = "0700"; + StateDirectory = "heisenbridge"; + StateDirectoryMode = "0755"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectHostname = true; + ProtectClock = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictNamespaces = true; + RemoveIPC = true; + UMask = "0077"; + + CapabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024 || (cfg.identd.enable && cfg.identd.port < 1024)) "CAP_NET_BIND_SERVICE"; + AmbientCapabilities = CapabilityBoundingSet; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + SystemCallFilter = ["@system-service" "~@priviledged" "@chown"]; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_INET AF_INET6"; + }; + }; + + users.groups.heisenbridge = {}; + users.users.heisenbridge = { + description = "Service user for the Heisenbridge"; + group = "heisenbridge"; + isSystemUser = true; + }; + }; + + meta.maintainers = [ lib.maintainers.piegames ]; +} diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix deleted file mode 100644 index 2de25d87ed398..0000000000000 --- a/nixos/modules/services/misc/home-assistant.nix +++ /dev/null @@ -1,409 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.home-assistant; - - # cfg.config != null can be assumed here - configJSON = pkgs.writeText "configuration.json" - (builtins.toJSON (if cfg.applyDefaultConfig then - (recursiveUpdate defaultConfig cfg.config) else cfg.config)); - configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out - # Hack to support custom yaml objects, - # i.e. secrets: https://www.home-assistant.io/docs/configuration/secrets/ - sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out - ''; - - lovelaceConfigJSON = pkgs.writeText "ui-lovelace.json" - (builtins.toJSON cfg.lovelaceConfig); - lovelaceConfigFile = pkgs.runCommand "ui-lovelace.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${lovelaceConfigJSON} -o $out - ''; - - availableComponents = cfg.package.availableComponents; - - explicitComponents = cfg.package.extraComponents; - - usedPlatforms = config: - if isAttrs config then - optional (config ? platform) config.platform - ++ concatMap usedPlatforms (attrValues config) - else if isList config then - concatMap usedPlatforms config - else [ ]; - - # Given a component "platform", looks up whether it is used in the config - # as `platform = "platform";`. - # - # For example, the component mqtt.sensor is used as follows: - # config.sensor = [ { - # platform = "mqtt"; - # ... - # } ]; - useComponentPlatform = component: elem component (usedPlatforms cfg.config); - - useExplicitComponent = component: elem component explicitComponents; - - # Returns whether component is used in config or explicitly passed into package - useComponent = component: - hasAttrByPath (splitString "." component) cfg.config - || useComponentPlatform component - || useExplicitComponent component; - - # List of components used in config - extraComponents = filter useComponent availableComponents; - - package = if (cfg.autoExtraComponents && cfg.config != null) - then (cfg.package.override { inherit extraComponents; }) - else cfg.package; - - # If you are changing this, please update the description in applyDefaultConfig - defaultConfig = { - homeassistant.time_zone = config.time.timeZone; - http.server_port = cfg.port; - } // optionalAttrs (cfg.lovelaceConfig != null) { - lovelace.mode = "yaml"; - }; - -in { - meta.maintainers = teams.home-assistant.members; - - options.services.home-assistant = { - # Running home-assistant on NixOS is considered an installation method that is unsupported by the upstream project. - # https://github.com/home-assistant/architecture/blob/master/adr/0012-define-supported-installation-method.md#decision - enable = mkEnableOption "Home Assistant. Please note that this installation method is unsupported upstream"; - - configDir = mkOption { - default = "/var/lib/hass"; - type = types.path; - description = "The config directory, where your <filename>configuration.yaml</filename> is located."; - }; - - port = mkOption { - default = 8123; - type = types.port; - description = "The port on which to listen."; - }; - - applyDefaultConfig = mkOption { - default = true; - type = types.bool; - description = '' - Setting this option enables a few configuration options for HA based on NixOS configuration (such as time zone) to avoid having to manually specify configuration we already have. - </para> - <para> - Currently one side effect of enabling this is that the <literal>http</literal> component will be enabled. - </para> - <para> - This only takes effect if <literal>config != null</literal> in order to ensure that a manually managed <filename>configuration.yaml</filename> is not overwritten. - ''; - }; - - config = mkOption { - default = null; - # Migrate to new option types later: https://github.com/NixOS/nixpkgs/pull/75584 - type = with lib.types; let - valueType = nullOr (oneOf [ - bool - int - float - str - (lazyAttrsOf valueType) - (listOf valueType) - ]) // { - description = "Yaml value"; - emptyValue.value = {}; - }; - in valueType; - example = literalExpression '' - { - homeassistant = { - name = "Home"; - latitude = "!secret latitude"; - longitude = "!secret longitude"; - elevation = "!secret elevation"; - unit_system = "metric"; - time_zone = "UTC"; - }; - frontend = { - themes = "!include_dir_merge_named themes"; - }; - http = { }; - feedreader.urls = [ "https://nixos.org/blogs.xml" ]; - } - ''; - description = '' - Your <filename>configuration.yaml</filename> as a Nix attribute set. - Beware that setting this option will delete your previous <filename>configuration.yaml</filename>. - <link xlink:href="https://www.home-assistant.io/docs/configuration/secrets/">Secrets</link> - are encoded as strings as shown in the example. - ''; - }; - - configWritable = mkOption { - default = false; - type = types.bool; - description = '' - Whether to make <filename>configuration.yaml</filename> writable. - This only has an effect if <option>config</option> is set. - This will allow you to edit it from Home Assistant's web interface. - However, bear in mind that it will be overwritten at every start of the service. - ''; - }; - - lovelaceConfig = mkOption { - default = null; - type = with types; nullOr attrs; - # from https://www.home-assistant.io/lovelace/yaml-mode/ - example = literalExpression '' - { - title = "My Awesome Home"; - views = [ { - title = "Example"; - cards = [ { - type = "markdown"; - title = "Lovelace"; - content = "Welcome to your **Lovelace UI**."; - } ]; - } ]; - } - ''; - description = '' - Your <filename>ui-lovelace.yaml</filename> as a Nix attribute set. - Setting this option will automatically add - <literal>lovelace.mode = "yaml";</literal> to your <option>config</option>. - Beware that setting this option will delete your previous <filename>ui-lovelace.yaml</filename> - ''; - }; - - lovelaceConfigWritable = mkOption { - default = false; - type = types.bool; - description = '' - Whether to make <filename>ui-lovelace.yaml</filename> writable. - This only has an effect if <option>lovelaceConfig</option> is set. - This will allow you to edit it from Home Assistant's web interface. - However, bear in mind that it will be overwritten at every start of the service. - ''; - }; - - package = mkOption { - default = pkgs.home-assistant.overrideAttrs (oldAttrs: { - doInstallCheck = false; - }); - defaultText = literalExpression '' - pkgs.home-assistant.overrideAttrs (oldAttrs: { - doInstallCheck = false; - }) - ''; - type = types.package; - example = literalExpression '' - pkgs.home-assistant.override { - extraPackages = ps: with ps; [ colorlog ]; - } - ''; - description = '' - Home Assistant package to use. By default the tests are disabled, as they take a considerable amout of time to complete. - Override <literal>extraPackages</literal> or <literal>extraComponents</literal> in order to add additional dependencies. - If you specify <option>config</option> and do not set <option>autoExtraComponents</option> - to <literal>false</literal>, overriding <literal>extraComponents</literal> will have no effect. - Avoid <literal>home-assistant.overridePythonAttrs</literal> if you use <literal>autoExtraComponents</literal>. - ''; - }; - - autoExtraComponents = mkOption { - default = true; - type = types.bool; - description = '' - If set to <literal>true</literal>, the components used in <literal>config</literal> - are set as the specified package's <literal>extraComponents</literal>. - This in turn adds all packaged dependencies to the derivation. - You might still see import errors in your log. - In this case, you will need to package the necessary dependencies yourself - or ask for someone else to package them. - If a dependency is packaged but not automatically added to this list, - you might need to specify it in <literal>extraPackages</literal>. - ''; - }; - - openFirewall = mkOption { - default = false; - type = types.bool; - description = "Whether to open the firewall for the specified port."; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; - - systemd.services.home-assistant = { - description = "Home Assistant"; - after = [ "network.target" ]; - preStart = optionalString (cfg.config != null) (if cfg.configWritable then '' - cp --no-preserve=mode ${configFile} "${cfg.configDir}/configuration.yaml" - '' else '' - rm -f "${cfg.configDir}/configuration.yaml" - ln -s ${configFile} "${cfg.configDir}/configuration.yaml" - '') + optionalString (cfg.lovelaceConfig != null) (if cfg.lovelaceConfigWritable then '' - cp --no-preserve=mode ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" - '' else '' - rm -f "${cfg.configDir}/ui-lovelace.yaml" - ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" - ''); - serviceConfig = let - # List of capabilities to equip home-assistant with, depending on configured components - capabilities = [ - # Empty string first, so we will never accidentally have an empty capability bounding set - # https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115 - "" - ] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ - # Required for interaction with hci devices and bluetooth sockets - # https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs - "CAP_NET_ADMIN" - "CAP_NET_RAW" - ] ++ lib.optionals (useComponent "emulated_hue") [ - # Alexa looks for the service on port 80 - # https://www.home-assistant.io/integrations/emulated_hue - "CAP_NET_BIND_SERVICE" - ] ++ lib.optionals (useComponent "nmap_tracker") [ - # https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities - "CAP_NET_ADMIN" - "CAP_NET_BIND_SERVICE" - "CAP_NET_RAW" - ])); - componentsUsingBluetooth = [ - # Components that require the AF_BLUETOOTH address family - "bluetooth_tracker" - "bluetooth_le_tracker" - ]; - componentsUsingSerialDevices = [ - # Components that require access to serial devices (/dev/tty*) - # List generated from home-assistant documentation: - # git clone https://github.com/home-assistant/home-assistant.io/ - # cd source/_integrations - # rg "/dev/tty" -l | cut -d'/' -f3 | cut -d'.' -f1 | sort - # And then extended by references found in the source code, these - # mostly the ones using config flows already. - "acer_projector" - "alarmdecoder" - "arduino" - "blackbird" - "deconz" - "dsmr" - "edl21" - "elkm1" - "elv" - "enocean" - "firmata" - "flexit" - "gpsd" - "insteon" - "kwb" - "lacrosse" - "mhz19" - "modbus" - "modem_callerid" - "mysensors" - "nad" - "numato" - "rflink" - "rfxtrx" - "scsgate" - "serial" - "serial_pm" - "sms" - "upb" - "usb" - "velbus" - "w800rf32" - "xbee" - "zha" - "zwave" - "zwave_js" - ]; - in { - ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - User = "hass"; - Group = "hass"; - Restart = "on-failure"; - RestartForceExitStatus = "100"; - SuccessExitStatus = "100"; - KillSignal = "SIGINT"; - - # Hardening - AmbientCapabilities = capabilities; - CapabilityBoundingSet = capabilities; - DeviceAllow = (optionals (any useComponent componentsUsingSerialDevices) [ - "char-ttyACM rw" - "char-ttyAMA rw" - "char-ttyUSB rw" - ]); - DevicePolicy = "closed"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateTmp = true; - PrivateUsers = false; # prevents gaining capabilities in the host namespace - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProcSubset = "all"; - ProtectSystem = "strict"; - RemoveIPC = true; - ReadWritePaths = let - # Allow rw access to explicitly configured paths - cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ]; - value = attrByPath cfgPath [] cfg; - allowPaths = if isList value then value else singleton value; - in [ "${cfg.configDir}" ] ++ allowPaths; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" - "AF_UNIX" - ] ++ optionals (any useComponent componentsUsingBluetooth) [ - "AF_BLUETOOTH" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SupplementaryGroups = optionals (any useComponent componentsUsingSerialDevices) [ - "dialout" - ]; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" - ]; - UMask = "0077"; - }; - path = [ - "/run/wrappers" # needed for ping - ]; - }; - - systemd.targets.home-assistant = rec { - description = "Home Assistant"; - wantedBy = [ "multi-user.target" ]; - wants = [ "home-assistant.service" ]; - after = wants; - }; - - users.users.hass = { - home = cfg.configDir; - createHome = true; - group = "hass"; - uid = config.ids.uids.hass; - }; - - users.groups.hass.gid = config.ids.gids.hass; - }; -} diff --git a/nixos/modules/services/misc/input-remapper.nix b/nixos/modules/services/misc/input-remapper.nix new file mode 100644 index 0000000000000..c2da0d616a317 --- /dev/null +++ b/nixos/modules/services/misc/input-remapper.nix @@ -0,0 +1,29 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let cfg = config.services.input-remapper; in +{ + options = { + services.input-remapper = { + enable = mkEnableOption "input-remapper, an easy to use tool to change the mapping of your input device buttons."; + package = mkOption { + type = types.package; + default = pkgs.input-remapper; + defaultText = literalExpression "pkgs.input-remapper"; + description = '' + The input-remapper package to use. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + # FIXME: udev rule hangs sometimes when lots of devices connected, so let's not use it + # config.services.udev.packages = mapper-pkg; + services.dbus.packages = cfg.package; + systemd.packages = cfg.package; + environment.systemPackages = cfg.package; + systemd.services.input-remapper.wantedBy = [ "graphical.target" ]; + }; +} diff --git a/nixos/modules/services/misc/matrix-appservice-irc.nix b/nixos/modules/services/misc/matrix-appservice-irc.nix index 02627e51c932f..b041c9c82c56e 100644 --- a/nixos/modules/services/misc/matrix-appservice-irc.nix +++ b/nixos/modules/services/misc/matrix-appservice-irc.nix @@ -226,4 +226,7 @@ in { isSystemUser = true; }; }; + + # uses attributes of the linked package + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/misc/matrix-conduit.nix b/nixos/modules/services/misc/matrix-conduit.nix new file mode 100644 index 0000000000000..108f64de7aa95 --- /dev/null +++ b/nixos/modules/services/misc/matrix-conduit.nix @@ -0,0 +1,149 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.matrix-conduit; + + format = pkgs.formats.toml {}; + configFile = format.generate "conduit.toml" cfg.settings; +in + { + meta.maintainers = with maintainers; [ pstn piegames ]; + options.services.matrix-conduit = { + enable = mkEnableOption "matrix-conduit"; + + extraEnvironment = mkOption { + type = types.attrsOf types.str; + description = "Extra Environment variables to pass to the conduit server."; + default = {}; + example = { RUST_BACKTRACE="yes"; }; + }; + + package = mkOption { + type = types.package; + default = pkgs.matrix-conduit; + defaultText = "pkgs.matrix-conduit"; + example = "pkgs.matrix-conduit"; + description = '' + Package of the conduit matrix server to use. + ''; + }; + + settings = mkOption { + type = types.submodule { + freeformType = format.type; + options = { + global.server_name = mkOption { + type = types.str; + example = "example.com"; + description = "The server_name is the name of this server. It is used as a suffix for user # and room ids."; + }; + global.port = mkOption { + type = types.port; + default = 6167; + description = "The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port"; + }; + global.max_request_size = mkOption { + type = types.ints.positive; + default = 20000000; + description = "Max request size in bytes. Don't forget to also change it in the proxy."; + }; + global.allow_registration = mkOption { + type = types.bool; + default = false; + description = "Whether new users can register on this server."; + }; + global.allow_encryption = mkOption { + type = types.bool; + default = true; + description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work."; + }; + global.allow_federation = mkOption { + type = types.bool; + default = true; + description = '' + Whether this server federates with other servers. + ''; + }; + global.trusted_servers = mkOption { + type = types.listOf types.str; + default = [ "matrix.org" ]; + description = "Servers trusted with signing server keys."; + }; + global.address = mkOption { + type = types.str; + default = "::1"; + description = "Address to listen on for connections by the reverse proxy/tls terminator."; + }; + global.database_path = mkOption { + type = types.str; + default = "/var/lib/matrix-conduit/"; + readOnly = true; + description = '' + Path to the conduit database, the directory where conduit will save its data. + Note that due to using the DynamicUser feature of systemd, this value should not be changed + and is set to be read only. + ''; + }; + global.database_backend = mkOption { + type = types.enum [ "sqlite" "rocksdb" ]; + default = "sqlite"; + example = "rocksdb"; + description = '' + The database backend for the service. Switching it on an existing + instance will require manual migration of data. + ''; + }; + }; + }; + default = {}; + description = '' + Generates the conduit.toml configuration file. Refer to + <link xlink:href="https://gitlab.com/famedly/conduit/-/blob/master/conduit-example.toml"/> + for details on supported values. + Note that database_path can not be edited because the service's reliance on systemd StateDir. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.conduit = { + description = "Conduit Matrix Server"; + documentation = [ "https://gitlab.com/famedly/conduit/" ]; + wantedBy = [ "multi-user.target" ]; + environment = lib.mkMerge ([ + { CONDUIT_CONFIG = configFile; } + cfg.extraEnvironment + ]); + serviceConfig = { + DynamicUser = true; + User = "conduit"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + StateDirectory = "matrix-conduit"; + ExecStart = "${cfg.package}/bin/conduit"; + Restart = "on-failure"; + RestartSec = 10; + StartLimitBurst = 5; + }; + }; + }; + } diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 404163d2de6c5..feca4c5465ff5 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -119,6 +119,30 @@ ${cfg.extraConfig} hasLocalPostgresDB = let args = cfg.database_args; in usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ])); + + registerNewMatrixUser = + let + isIpv6 = x: lib.length (lib.splitString ":" x) > 1; + listener = + lib.findFirst ( + listener: lib.any ( + resource: lib.any ( + name: name == "client" + ) resource.names + ) listener.resources + ) (lib.last cfg.listeners) cfg.listeners; + in + pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" '' + exec ${cfg.package}/bin/register_new_matrix_user \ + $@ \ + ${lib.concatMapStringsSep " " (x: "-c ${x}") ([ configFile ] ++ cfg.extraConfigFiles)} \ + "${listener.type}://${ + if (isIpv6 listener.bind_address) then + "[${listener.bind_address}]" + else + "${listener.bind_address}" + }:${builtins.toString listener.port}/" + ''; in { options = { services.matrix-synapse = { @@ -294,7 +318,7 @@ in { description = '' List of resources to host on this listener. ''; - example = ["client" "webclient" "federation"]; + example = ["client" "federation"]; }; compress = mkOption { type = types.bool; @@ -319,7 +343,7 @@ in { tls = true; x_forwarded = false; resources = [ - { names = ["client" "webclient"]; compress = true; } + { names = ["client"]; compress = true; } { names = ["federation"]; compress = false; } ]; }]; @@ -792,6 +816,8 @@ in { UMask = "0077"; }; }; + + environment.systemPackages = [ registerNewMatrixUser ]; }; imports = [ diff --git a/nixos/modules/services/misc/mbpfan.nix b/nixos/modules/services/misc/mbpfan.nix index d80b6fafc2cf6..e0a4d8a13e75f 100644 --- a/nixos/modules/services/misc/mbpfan.nix +++ b/nixos/modules/services/misc/mbpfan.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.mbpfan; verbose = if cfg.verbose then "v" else ""; + settingsFormat = pkgs.formats.ini {}; + settingsFile = settingsFormat.generate "mbpfan.ini" cfg.settings; in { options.services.mbpfan = { @@ -19,54 +21,6 @@ in { ''; }; - minFanSpeed = mkOption { - type = types.int; - default = 2000; - description = '' - The minimum fan speed. - ''; - }; - - maxFanSpeed = mkOption { - type = types.int; - default = 6200; - description = '' - The maximum fan speed. - ''; - }; - - lowTemp = mkOption { - type = types.int; - default = 63; - description = '' - The low temperature. - ''; - }; - - highTemp = mkOption { - type = types.int; - default = 66; - description = '' - The high temperature. - ''; - }; - - maxTemp = mkOption { - type = types.int; - default = 86; - description = '' - The maximum temperature. - ''; - }; - - pollingInterval = mkOption { - type = types.int; - default = 7; - description = '' - The polling interval. - ''; - }; - verbose = mkOption { type = types.bool; default = false; @@ -74,23 +28,67 @@ in { If true, sets the log level to verbose. ''; }; + + settings = mkOption { + default = {}; + description = "The INI configuration for Mbpfan."; + type = types.submodule { + freeformType = settingsFormat.type; + + options.general.min_fan1_speed = mkOption { + type = types.nullOr types.int; + default = 2000; + description = '' + The minimum fan speed. Setting to null enables automatic detection. + Check minimum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_min". + ''; + }; + options.general.max_fan1_speed = mkOption { + type = types.nullOr types.int; + default = 6199; + description = '' + The maximum fan speed. Setting to null enables automatic detection. + Check maximum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_max". + ''; + }; + options.general.low_temp = mkOption { + type = types.int; + default = 55; + description = "Temperature below which fan speed will be at minimum. Try ranges 55-63."; + }; + options.general.high_temp = mkOption { + type = types.int; + default = 58; + description = "Fan will increase speed when higher than this temperature. Try ranges 58-66."; + }; + options.general.max_temp = mkOption { + type = types.int; + default = 86; + description = "Fan will run at full speed above this temperature. Do not set it > 90."; + }; + options.general.polling_interval = mkOption { + type = types.int; + default = 1; + description = "The polling interval."; + }; + }; + }; }; + imports = [ + (mkRenamedOptionModule [ "services" "mbpfan" "pollingInterval" ] [ "services" "mbpfan" "settings" "general" "polling_interval" ]) + (mkRenamedOptionModule [ "services" "mbpfan" "maxTemp" ] [ "services" "mbpfan" "settings" "general" "max_temp" ]) + (mkRenamedOptionModule [ "services" "mbpfan" "lowTemp" ] [ "services" "mbpfan" "settings" "general" "low_temp" ]) + (mkRenamedOptionModule [ "services" "mbpfan" "highTemp" ] [ "services" "mbpfan" "settings" "general" "high_temp" ]) + (mkRenamedOptionModule [ "services" "mbpfan" "minFanSpeed" ] [ "services" "mbpfan" "settings" "general" "min_fan1_speed" ]) + (mkRenamedOptionModule [ "services" "mbpfan" "maxFanSpeed" ] [ "services" "mbpfan" "settings" "general" "max_fan1_speed" ]) + ]; + config = mkIf cfg.enable { boot.kernelModules = [ "coretemp" "applesmc" ]; - environment = { - etc."mbpfan.conf".text = '' - [general] - min_fan_speed = ${toString cfg.minFanSpeed} - max_fan_speed = ${toString cfg.maxFanSpeed} - low_temp = ${toString cfg.lowTemp} - high_temp = ${toString cfg.highTemp} - max_temp = ${toString cfg.maxTemp} - polling_interval = ${toString cfg.pollingInterval} - ''; - systemPackages = [ cfg.package ]; - }; + environment.etc."mbpfan.conf".source = settingsFile; + environment.systemPackages = [ cfg.package ]; systemd.services.mbpfan = { description = "A fan manager daemon for MacBook Pro"; diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix index ea9ffbb867751..ee5c0ef8d277b 100644 --- a/nixos/modules/services/misc/mediatomb.nix +++ b/nixos/modules/services/misc/mediatomb.nix @@ -217,7 +217,6 @@ in { package = mkOption { type = types.package; - example = literalExpression "pkgs.mediatomb"; default = pkgs.gerbera; defaultText = literalExpression "pkgs.gerbera"; description = '' @@ -367,6 +366,7 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${binaryCommand} --port ${toString cfg.port} ${interfaceFlag} ${configFlag} --home ${cfg.dataDir}"; serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; }; users.groups = optionalAttrs (cfg.group == "mediatomb") { diff --git a/nixos/modules/services/misc/mwlib.nix b/nixos/modules/services/misc/mwlib.nix deleted file mode 100644 index fedc1e5542a4c..0000000000000 --- a/nixos/modules/services/misc/mwlib.nix +++ /dev/null @@ -1,264 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; - -let - cfg = config.services.mwlib; - opt = options.services.mwlib; - pypkgs = pkgs.python27Packages; - - inherit (pypkgs) python mwlib; - - user = mkOption { - default = "nobody"; - type = types.str; - description = "User to run as."; - }; - -in -{ - - options.services.mwlib = { - - nserve = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Whether to enable nserve. Nserve is a HTTP - server. The Collection extension is talking to - that program directly. Nserve uses at least - one qserve instance in order to distribute - and manage jobs. - ''; - }; # nserve.enable - - port = mkOption { - default = 8899; - type = types.port; - description = "Specify port to listen on."; - }; # nserve.port - - address = mkOption { - default = "127.0.0.1"; - type = types.str; - description = "Specify network interface to listen on."; - }; # nserve.address - - qserve = mkOption { - default = [ "${cfg.qserve.address}:${toString cfg.qserve.port}" ]; - defaultText = literalExpression '' - [ "''${config.${opt.qserve.address}}:''${toString config.${opt.qserve.port}}" - ]''; - type = types.listOf types.str; - description = "Register qserve instance."; - }; # nserve.qserve - - inherit user; - }; # nserve - - qserve = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - A job queue server used to distribute and manage - jobs. You should start one qserve instance - for each machine that is supposed to render pdf - files. Unless you’re operating the Wikipedia - installation, one machine should suffice. - ''; - }; # qserve.enable - - port = mkOption { - default = 14311; - type = types.port; - description = "Specify port to listen on."; - }; # qserve.port - - address = mkOption { - default = "127.0.0.1"; - type = types.str; - description = "Specify network interface to listen on."; - }; # qserve.address - - datadir = mkOption { - default = "/var/lib/mwlib-qserve"; - type = types.path; - description = "qserve data directory (FIXME: unused?)"; - }; # qserve.datadir - - allow = mkOption { - default = [ "127.0.0.1" ]; - type = types.listOf types.str; - description = "List of allowed client IPs. Empty means any."; - }; # qserve.allow - - inherit user; - }; # qserve - - nslave = { - enable = mkOption { - default = cfg.qserve.enable; - defaultText = literalExpression "config.${opt.qserve.enable}"; - type = types.bool; - description = '' - Pulls new jobs from exactly one qserve instance - and calls the zip and render programs - in order to download article collections and - convert them to different output formats. Nslave - uses a cache directory to store the generated - documents. Nslave also starts an internal http - server serving the content of the cache directory. - ''; - }; # nslave.enable - - cachedir = mkOption { - default = "/var/cache/mwlib-nslave"; - type = types.path; - description = "Directory to store generated documents."; - }; # nslave.cachedir - - numprocs = mkOption { - default = 10; - type = types.int; - description = "Number of parallel jobs to be executed."; - }; # nslave.numprocs - - http = mkOption { - default = {}; - description = '' - Internal http server serving the content of the cache directory. - You have to enable it, or use your own way for serving files - and set the http.url option accordingly. - ''; - type = types.submodule ({ config, options, ... }: { - options = { - enable = mkOption { - default = true; - type = types.bool; - description = "Enable internal http server."; - }; # nslave.http.enable - - port = mkOption { - default = 8898; - type = types.port; - description = "Port to listen to when serving files from cache."; - }; # nslave.http.port - - address = mkOption { - default = "127.0.0.1"; - type = types.str; - description = "Specify network interface to listen on."; - }; # nslave.http.address - - url = mkOption { - default = "http://localhost:${toString config.port}/cache"; - defaultText = literalExpression ''"http://localhost:''${toString config.${options.port}}/cache"''; - type = types.str; - description = '' - Specify URL for accessing generated files from cache. - The Collection extension of Mediawiki won't be able to - download files without it. - ''; - }; # nslave.http.url - }; - }); # types.submodule - }; # nslave.http - - inherit user; - }; # nslave - - }; # options.services - - config = { - - systemd.services.mwlib-nserve = mkIf cfg.nserve.enable - { - description = "mwlib network interface"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "mwlib-qserve.service" ]; - - serviceConfig = { - ExecStart = concatStringsSep " " ( - [ - "${mwlib}/bin/nserve" - "--port ${toString cfg.nserve.port}" - "--interface ${cfg.nserve.address}" - ] ++ cfg.nserve.qserve - ); - User = cfg.nserve.user; - }; - }; # systemd.services.mwlib-nserve - - systemd.services.mwlib-qserve = mkIf cfg.qserve.enable - { - description = "mwlib job queue server"; - - wantedBy = [ "multi-user.target" ]; - - preStart = '' - mkdir -pv '${cfg.qserve.datadir}' - chown -Rc ${cfg.qserve.user}:`id -ng ${cfg.qserve.user}` '${cfg.qserve.datadir}' - chmod -Rc u=rwX,go= '${cfg.qserve.datadir}' - ''; - - serviceConfig = { - ExecStart = concatStringsSep " " ( - [ - "${mwlib}/bin/mw-qserve" - "-p ${toString cfg.qserve.port}" - "-i ${cfg.qserve.address}" - "-d ${cfg.qserve.datadir}" - ] ++ map (a: "-a ${a}") cfg.qserve.allow - ); - User = cfg.qserve.user; - PermissionsStartOnly = true; - }; - }; # systemd.services.mwlib-qserve - - systemd.services.mwlib-nslave = mkIf cfg.nslave.enable - { - description = "mwlib worker"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - preStart = '' - mkdir -pv '${cfg.nslave.cachedir}' - chown -Rc ${cfg.nslave.user}:`id -ng ${cfg.nslave.user}` '${cfg.nslave.cachedir}' - chmod -Rc u=rwX,go= '${cfg.nslave.cachedir}' - ''; - - path = with pkgs; [ imagemagick pdftk ]; - environment = { - PYTHONPATH = concatMapStringsSep ":" - (m: "${pypkgs.${m}}/lib/${python.libPrefix}/site-packages") - [ "mwlib-rl" "mwlib-ext" "pygments" "pyfribidi" ]; - }; - - serviceConfig = { - ExecStart = concatStringsSep " " ( - [ - "${mwlib}/bin/nslave" - "--cachedir ${cfg.nslave.cachedir}" - "--numprocs ${toString cfg.nslave.numprocs}" - "--url ${cfg.nslave.http.url}" - ] ++ ( - if cfg.nslave.http.enable then - [ - "--serve-files-port ${toString cfg.nslave.http.port}" - "--serve-files-address ${cfg.nslave.http.address}" - ] else - [ - "--no-serve-files" - ] - )); - User = cfg.nslave.user; - PermissionsStartOnly = true; - }; - }; # systemd.services.mwlib-nslave - - }; # config -} diff --git a/nixos/modules/services/misc/mx-puppet-discord.nix b/nixos/modules/services/misc/mx-puppet-discord.nix index b6f5e04511ae3..6214f7f7eb6b4 100644 --- a/nixos/modules/services/misc/mx-puppet-discord.nix +++ b/nixos/modules/services/misc/mx-puppet-discord.nix @@ -79,10 +79,7 @@ in { config = mkIf cfg.enable { systemd.services.mx-puppet-discord = { - description = '' - mx-puppet-discord is a discord puppeting bridge for matrix. - It handles bridging private and group DMs, as well as Guilds (servers). - ''; + description = "Matrix to Discord puppeting bridge"; wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ] ++ cfg.serviceDependencies; diff --git a/nixos/modules/services/misc/n8n.nix b/nixos/modules/services/misc/n8n.nix index 27616e5f8226e..77e717eeff9fb 100644 --- a/nixos/modules/services/misc/n8n.nix +++ b/nixos/modules/services/misc/n8n.nix @@ -43,6 +43,7 @@ in # This folder must be writeable as the application is storing # its data in it, so the StateDirectory is a good choice N8N_USER_FOLDER = "/var/lib/n8n"; + HOME = "/var/lib/n8n"; N8N_CONFIG_FILES = "${configFile}"; }; serviceConfig = { diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 869feb05eb7b3..a401458c41697 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -6,20 +6,20 @@ let cfg = config.nix; - nix = cfg.package.out; + nixPackage = cfg.package.out; - nixVersion = getVersion nix; - - isNix23 = versionAtLeast nixVersion "2.3pre"; + isNixAtLeast = versionAtLeast (getVersion nixPackage); makeNixBuildUser = nr: { - name = "nixbld${toString nr}"; + name = "nixbld${toString nr}"; value = { description = "Nix build user ${toString nr}"; - /* For consistency with the setgid(2), setuid(2), and setgroups(2) - calls in `libstore/build.cc', don't add any supplementary group - here except "nixbld". */ + /* + For consistency with the setgid(2), setuid(2), and setgroups(2) + calls in `libstore/build.cc', don't add any supplementary group + here except "nixbld". + */ uid = builtins.add config.ids.uids.nixbld nr; isSystemUser = true; group = "nixbld"; @@ -30,43 +30,83 @@ let nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); nixConf = - assert versionAtLeast nixVersion "2.2"; - pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } ( - '' - cat > $out <<END + assert isNixAtLeast "2.2"; + let + + mkValueString = v: + if v == null then "" + else if isInt v then toString v + else if isBool v then boolToString v + else if isFloat v then floatToString v + else if isList v then toString v + else if isDerivation v then toString v + else if builtins.isPath v then toString v + else if isString v then v + else if isCoercibleToString v then toString v + else abort "The nix conf value: ${toPretty {} v} can not be encoded"; + + mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; + + mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + + in + pkgs.writeTextFile { + name = "nix.conf"; + text = '' # WARNING: this file is generated from the nix.* options in # your NixOS configuration, typically # /etc/nixos/configuration.nix. Do not edit it! - build-users-group = nixbld - max-jobs = ${toString (cfg.maxJobs)} - cores = ${toString (cfg.buildCores)} - sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox} - extra-sandbox-paths = ${toString cfg.sandboxPaths} - substituters = ${toString cfg.binaryCaches} - trusted-substituters = ${toString cfg.trustedBinaryCaches} - trusted-public-keys = ${toString cfg.binaryCachePublicKeys} - auto-optimise-store = ${boolToString cfg.autoOptimiseStore} - require-sigs = ${boolToString cfg.requireSignedBinaryCaches} - trusted-users = ${toString cfg.trustedUsers} - allowed-users = ${toString cfg.allowedUsers} - ${optionalString (!cfg.distributedBuilds) '' - builders = - ''} - system-features = ${toString cfg.systemFeatures} - ${optionalString isNix23 '' - sandbox-fallback = false - ''} - $extraOptions - END - '' + optionalString cfg.checkConfig ( - if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' - echo "Ignore nix.checkConfig when cross-compiling" - '' else '' - echo "Checking that Nix can read nix.conf..." - ln -s $out ./nix.conf - NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net --option experimental-features nix-command"} >/dev/null - '') - ); + ${mkKeyValuePairs cfg.settings} + ${cfg.extraOptions} + ''; + checkPhase = + if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' + echo "Ignoring validation for cross-compilation" + '' + else '' + echo "Validating generated nix.conf" + ln -s $out ./nix.conf + set -e + set +o pipefail + NIX_CONF_DIR=$PWD \ + ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ + ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ + |& sed -e 's/^warning:/error:/' \ + | (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}') + set -o pipefail + ''; + }; + + legacyConfMappings = { + useSandbox = "sandbox"; + buildCores = "cores"; + maxJobs = "max-jobs"; + sandboxPaths = "extra-sandbox-paths"; + binaryCaches = "substituters"; + trustedBinaryCaches = "trusted-substituters"; + binaryCachePublicKeys = "trusted-public-keys"; + autoOptimiseStore = "auto-optimise-store"; + requireSignedBinaryCaches = "require-sigs"; + trustedUsers = "trusted-users"; + allowedUsers = "allowed-users"; + systemFeatures = "system-features"; + }; + + semanticConfType = with types; + let + confAtom = nullOr + (oneOf [ + bool + int + float + str + path + package + ]) // { + description = "Nix config atom (null, bool, int, float, str, path or package)"; + }; + in + attrsOf (either confAtom (listOf confAtom)); in @@ -76,7 +116,7 @@ in (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) (mkRenamedOptionModule [ "nix" "daemonIONiceLevel" ] [ "nix" "daemonIOSchedPriority" ]) (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") - ]; + ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; ###### interface @@ -102,81 +142,6 @@ in ''; }; - maxJobs = mkOption { - type = types.either types.int (types.enum ["auto"]); - default = "auto"; - example = 64; - description = '' - This option defines the maximum number of jobs that Nix will try to - build in parallel. The default is auto, which means it will use all - available logical cores. It is recommend to set it to the total - number of logical cores in your system (e.g., 16 for two CPUs with 4 - cores each and hyper-threading). - ''; - }; - - autoOptimiseStore = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - If set to true, Nix automatically detects files in the store that have - identical contents, and replaces them with hard links to a single copy. - This saves disk space. If set to false (the default), you can still run - nix-store --optimise to get rid of duplicate files. - ''; - }; - - buildCores = mkOption { - type = types.int; - default = 0; - example = 64; - description = '' - This option defines the maximum number of concurrent tasks during - one build. It affects, e.g., -j option for make. - The special value 0 means that the builder should use all - available CPU cores in the system. Some builds may become - non-deterministic with this option; use with care! Packages will - only be affected if enableParallelBuilding is set for them. - ''; - }; - - useSandbox = mkOption { - type = types.either types.bool (types.enum ["relaxed"]); - default = true; - description = " - If set, Nix will perform builds in a sandboxed environment that it - will set up automatically for each build. This prevents impurities - in builds by disallowing access to dependencies outside of the Nix - store by using network and mount namespaces in a chroot environment. - This is enabled by default even though it has a possible performance - impact due to the initial setup time of a sandbox for each build. It - doesn't affect derivation hashes, so changing this option will not - trigger a rebuild of packages. - "; - }; - - sandboxPaths = mkOption { - type = types.listOf types.str; - default = []; - example = [ "/dev" "/proc" ]; - description = - '' - Directories from the host filesystem to be included - in the sandbox. - ''; - }; - - extraOptions = mkOption { - type = types.lines; - default = ""; - example = '' - keep-outputs = true - keep-derivations = true - ''; - description = "Additional text appended to <filename>nix.conf</filename>."; - }; - distributedBuilds = mkOption { type = types.bool; default = false; @@ -187,7 +152,7 @@ in }; daemonCPUSchedPolicy = mkOption { - type = types.enum ["other" "batch" "idle"]; + type = types.enum [ "other" "batch" "idle" ]; default = "other"; example = "batch"; description = '' @@ -218,7 +183,7 @@ in }; daemonIOSchedClass = mkOption { - type = types.enum ["best-effort" "idle"]; + type = types.enum [ "best-effort" "idle" ]; default = "best-effort"; example = "idle"; description = '' @@ -250,11 +215,11 @@ in scheduling policy: With idle, priorities are not used in scheduling decisions. best-effort supports values in the range 0 (high) to 7 (low). - ''; + ''; }; buildMachines = mkOption { - type = types.listOf (types.submodule ({ + type = types.listOf (types.submodule { options = { hostName = mkOption { type = types.str; @@ -276,7 +241,7 @@ in }; systems = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "x86_64-linux" "aarch64-linux" ]; description = '' The system types the build machine can execute derivations on. @@ -293,7 +258,7 @@ in The username to log in as on the remote host. This user must be able to log in and run nix commands non-interactively. It must also be privileged to build derivations, so must be included in - <option>nix.trustedUsers</option>. + <option>nix.settings.trusted-users</option>. ''; }; sshKey = mkOption { @@ -331,7 +296,7 @@ in }; mandatoryFeatures = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "big-parallel" ]; description = '' A list of features mandatory for this builder. The builder will @@ -342,7 +307,7 @@ in }; supportedFeatures = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "kvm" "big-parallel" ]; description = '' A list of features supported by this builder. The builder will @@ -350,9 +315,18 @@ in list. ''; }; + publicHostKey = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The (base64-encoded) public host key of this builder. The field + is calculated via <command>base64 -w0 /etc/ssh/ssh_host_type_key.pub</command>. + If null, SSH will use its regular known-hosts file when connecting. + ''; + }; }; - })); - default = []; + }); + default = [ ]; description = '' This option lists the machines to be used if distributed builds are enabled (see <option>nix.distributedBuilds</option>). @@ -366,7 +340,7 @@ in envVars = mkOption { type = types.attrs; internal = true; - default = {}; + default = { }; description = "Environment variables used by Nix."; }; @@ -391,92 +365,13 @@ in ''; }; - binaryCaches = mkOption { - type = types.listOf types.str; - description = '' - List of binary cache URLs used to obtain pre-built binaries - of Nix packages. - - By default https://cache.nixos.org/ is added, - to override it use <literal>lib.mkForce []</literal>. - ''; - }; - - trustedBinaryCaches = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "https://hydra.nixos.org/" ]; - description = '' - List of binary cache URLs that non-root users can use (in - addition to those specified using - <option>nix.binaryCaches</option>) by passing - <literal>--option binary-caches</literal> to Nix commands. - ''; - }; - - requireSignedBinaryCaches = mkOption { - type = types.bool; - default = true; - description = '' - If enabled (the default), Nix will only download binaries from binary caches if - they are cryptographically signed with any of the keys listed in - <option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither - required nor checked, so it's strongly recommended that you use only - trustworthy caches and https to prevent man-in-the-middle attacks. - ''; - }; - - binaryCachePublicKeys = mkOption { - type = types.listOf types.str; - example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; - description = '' - List of public keys used to sign binary caches. If - <option>nix.requireSignedBinaryCaches</option> is enabled, - then Nix will use a binary from a binary cache if and only - if it is signed by <emphasis>any</emphasis> of the keys - listed here. By default, only the key for - <uri>cache.nixos.org</uri> is included. - ''; - }; - - trustedUsers = mkOption { - type = types.listOf types.str; - default = [ "root" ]; - example = [ "root" "alice" "@wheel" ]; - description = '' - A list of names of users that have additional rights when - connecting to the Nix daemon, such as the ability to specify - additional binary caches, or to import unsigned NARs. You - can also specify groups by prefixing them with - <literal>@</literal>; for instance, - <literal>@wheel</literal> means all users in the wheel - group. - ''; - }; - - allowedUsers = mkOption { - type = types.listOf types.str; - default = [ "*" ]; - example = [ "@wheel" "@builders" "alice" "bob" ]; - description = '' - A list of names of users (separated by whitespace) that are - allowed to connect to the Nix daemon. As with - <option>nix.trustedUsers</option>, you can specify groups by - prefixing them with <literal>@</literal>. Also, you can - allow all users by specifying <literal>*</literal>. The - default is <literal>*</literal>. Note that trusted users are - always allowed to connect. - ''; - }; - nixPath = mkOption { type = types.listOf types.str; - default = - [ - "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" - "nixos-config=/etc/nixos/configuration.nix" - "/nix/var/nix/profiles/per-user/root/channels" - ]; + default = [ + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; description = '' The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets @@ -484,45 +379,44 @@ in ''; }; - systemFeatures = mkOption { - type = types.listOf types.str; - example = [ "kvm" "big-parallel" "gccarch-skylake" ]; - description = '' - The supported features of a machine - ''; - }; - checkConfig = mkOption { type = types.bool; default = true; description = '' - If enabled (the default), checks that Nix can parse the generated nix.conf. + If enabled (the default), checks for data type mismatches and that Nix + can parse the generated nix.conf. ''; }; registry = mkOption { type = types.attrsOf (types.submodule ( let - inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]); + referenceAttrs = with types; attrsOf (oneOf [ + str + int + bool + package + ]); in { config, name, ... }: - { options = { + { + options = { from = mkOption { - type = inputAttrs; + type = referenceAttrs; example = { type = "indirect"; id = "nixpkgs"; }; description = "The flake reference to be rewritten."; }; to = mkOption { - type = inputAttrs; + type = referenceAttrs; example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; - description = "The flake reference to which <option>from></option> is to be rewritten."; + description = "The flake reference <option>from></option> is rewritten to."; }; flake = mkOption { type = types.nullOr types.attrs; default = null; example = literalExpression "nixpkgs"; description = '' - The flake input to which <option>from></option> is to be rewritten. + The flake input <option>from></option> is rewritten to. ''; }; exact = mkOption { @@ -537,35 +431,232 @@ in }; config = { from = mkDefault { type = "indirect"; id = name; }; - to = mkIf (config.flake != null) - ({ type = "path"; - path = config.flake.outPath; - } // lib.filterAttrs - (n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") - config.flake); + to = mkIf (config.flake != null) (mkDefault + { + type = "path"; + path = config.flake.outPath; + } // filterAttrs + (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") + config.flake); }; } )); - default = {}; + default = { }; description = '' A system-wide flake registry. ''; }; - }; + extraOptions = mkOption { + type = types.lines; + default = ""; + example = '' + keep-outputs = true + keep-derivations = true + ''; + description = "Additional text appended to <filename>nix.conf</filename>."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = semanticConfType; + + options = { + max-jobs = mkOption { + type = types.either types.int (types.enum [ "auto" ]); + default = "auto"; + example = 64; + description = '' + This option defines the maximum number of jobs that Nix will try to + build in parallel. The default is auto, which means it will use all + available logical cores. It is recommend to set it to the total + number of logical cores in your system (e.g., 16 for two CPUs with 4 + cores each and hyper-threading). + ''; + }; + + auto-optimise-store = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + If set to true, Nix automatically detects files in the store that have + identical contents, and replaces them with hard links to a single copy. + This saves disk space. If set to false (the default), you can still run + nix-store --optimise to get rid of duplicate files. + ''; + }; + cores = mkOption { + type = types.int; + default = 0; + example = 64; + description = '' + This option defines the maximum number of concurrent tasks during + one build. It affects, e.g., -j option for make. + The special value 0 means that the builder should use all + available CPU cores in the system. Some builds may become + non-deterministic with this option; use with care! Packages will + only be affected if enableParallelBuilding is set for them. + ''; + }; + + sandbox = mkOption { + type = types.either types.bool (types.enum [ "relaxed" ]); + default = true; + description = '' + If set, Nix will perform builds in a sandboxed environment that it + will set up automatically for each build. This prevents impurities + in builds by disallowing access to dependencies outside of the Nix + store by using network and mount namespaces in a chroot environment. + This is enabled by default even though it has a possible performance + impact due to the initial setup time of a sandbox for each build. It + doesn't affect derivation hashes, so changing this option will not + trigger a rebuild of packages. + ''; + }; + + extra-sandbox-paths = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "/dev" "/proc" ]; + description = '' + Directories from the host filesystem to be included + in the sandbox. + ''; + }; + + substituters = mkOption { + type = types.listOf types.str; + description = '' + List of binary cache URLs used to obtain pre-built binaries + of Nix packages. + + By default https://cache.nixos.org/ is added. + ''; + }; + + trusted-substituters = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "https://hydra.nixos.org/" ]; + description = '' + List of binary cache URLs that non-root users can use (in + addition to those specified using + <option>nix.settings.substituters</option>) by passing + <literal>--option binary-caches</literal> to Nix commands. + ''; + }; + + require-sigs = mkOption { + type = types.bool; + default = true; + description = '' + If enabled (the default), Nix will only download binaries from binary caches if + they are cryptographically signed with any of the keys listed in + <option>nix.settings.trusted-public-keys</option>. If disabled, signatures are neither + required nor checked, so it's strongly recommended that you use only + trustworthy caches and https to prevent man-in-the-middle attacks. + ''; + }; + + trusted-public-keys = mkOption { + type = types.listOf types.str; + example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + description = '' + List of public keys used to sign binary caches. If + <option>nix.settings.trusted-public-keys</option> is enabled, + then Nix will use a binary from a binary cache if and only + if it is signed by <emphasis>any</emphasis> of the keys + listed here. By default, only the key for + <uri>cache.nixos.org</uri> is included. + ''; + }; + + trusted-users = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + example = [ "root" "alice" "@wheel" ]; + description = '' + A list of names of users that have additional rights when + connecting to the Nix daemon, such as the ability to specify + additional binary caches, or to import unsigned NARs. You + can also specify groups by prefixing them with + <literal>@</literal>; for instance, + <literal>@wheel</literal> means all users in the wheel + group. + ''; + }; + + system-features = mkOption { + type = types.listOf types.str; + example = [ "kvm" "big-parallel" "gccarch-skylake" ]; + description = '' + The set of features supported by the machine. Derivations + can express dependencies on system features through the + <literal>requiredSystemFeatures</literal> attribute. + + By default, pseudo-features <literal>nixos-test</literal>, <literal>benchmark</literal>, + and <literal>big-parallel</literal> used in Nixpkgs are set, <literal>kvm</literal> + is also included in it is avaliable. + ''; + }; + + allowed-users = mkOption { + type = types.listOf types.str; + default = [ "*" ]; + example = [ "@wheel" "@builders" "alice" "bob" ]; + description = '' + A list of names of users (separated by whitespace) that are + allowed to connect to the Nix daemon. As with + <option>nix.settings.trusted-users</option>, you can specify groups by + prefixing them with <literal>@</literal>. Also, you can + allow all users by specifying <literal>*</literal>. The + default is <literal>*</literal>. Note that trusted users are + always allowed to connect. + ''; + }; + }; + }; + default = { }; + example = literalExpression '' + { + use-sandbox = true; + show-trace = true; + + system-features = [ "big-parallel" "kvm" "recursive-nix" ]; + sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; + } + ''; + description = '' + Configuration for Nix, see + <link xlink:href="https://nixos.org/manual/nix/stable/#sec-conf-file"/> or + <citerefentry> + <refentrytitle>nix.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> for avalaible options. + The value declared here will be translated directly to the key-value pairs Nix expects. + </para> + <para> + You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings</command> + to view the current value. By default it is empty. + </para> + <para> + Nix configurations defined under <option>nix.*</option> will be translated and applied to this + option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended + verbatim to the resulting config file. + ''; + }; + }; }; ###### implementation config = mkIf cfg.enable { - - nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - nix.binaryCaches = [ "https://cache.nixos.org/" ]; - environment.systemPackages = - [ nix + [ + nixPackage pkgs.nix-info ] ++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions; @@ -579,44 +670,49 @@ in # List of machines for distributed Nix builds in the format # expected by build-remote.pl. - environment.etc."nix/machines" = - { enable = cfg.buildMachines != []; - text = - concatMapStrings (machine: - "${if machine.sshUser != null then "${machine.sshUser}@" else ""}${machine.hostName} " - + (if machine.system != null then machine.system else concatStringsSep "," machine.systems) - + " ${if machine.sshKey != null then machine.sshKey else "-"} ${toString machine.maxJobs} " - + toString (machine.speedFactor) - + " " - + concatStringsSep "," (machine.mandatoryFeatures ++ machine.supportedFeatures) - + " " - + concatStringsSep "," machine.mandatoryFeatures + environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) { + text = + concatMapStrings + (machine: + (concatStringsSep " " ([ + "${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" + (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") + (if machine.sshKey != null then machine.sshKey else "-") + (toString machine.maxJobs) + (toString machine.speedFactor) + (concatStringsSep "," (machine.supportedFeatures ++ machine.mandatoryFeatures)) + (concatStringsSep "," machine.mandatoryFeatures) + ] + ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) + "\n" - ) cfg.buildMachines; - }; + ) + cfg.buildMachines; + }; + assertions = - let badMachine = m: m.system == null && m.systems == []; - in [ + let badMachine = m: m.system == null && m.systems == [ ]; + in + [ { - assertion = !(builtins.any badMachine cfg.buildMachines); + assertion = !(any badMachine cfg.buildMachines); message = '' At least one system type (via <varname>system</varname> or <varname>systems</varname>) must be set for every build machine. Invalid machine specifications: '' + " " + - (builtins.concatStringsSep "\n " - (builtins.map (m: m.hostName) - (builtins.filter (badMachine) cfg.buildMachines))); + (concatStringsSep "\n " + (map (m: m.hostName) + (filter (badMachine) cfg.buildMachines))); } ]; - - systemd.packages = [ nix ]; + systemd.packages = [ nixPackage ]; systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; systemd.services.nix-daemon = - { path = [ nix pkgs.util-linux config.programs.ssh.package ] + { + path = [ nixPackage pkgs.util-linux config.programs.ssh.package ] ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; environment = cfg.envVars @@ -626,7 +722,8 @@ in unitConfig.RequiresMountsFor = "/nix/store"; serviceConfig = - { CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; + { + CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; IOSchedulingClass = cfg.daemonIOSchedClass; IOSchedulingPriority = cfg.daemonIOSchedPriority; LimitNOFILE = 4096; @@ -636,9 +733,7 @@ in }; # Set up the environment variables for running Nix. - environment.sessionVariables = cfg.envVars // - { NIX_PATH = cfg.nixPath; - }; + environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; environment.extraInit = '' @@ -647,7 +742,7 @@ in fi ''; - nix.nrBuildUsers = mkDefault (lib.max 32 (if cfg.maxJobs == "auto" then 0 else cfg.maxJobs)); + nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)); users.users = nixbldUsers; @@ -663,14 +758,26 @@ in fi ''; - nix.systemFeatures = mkDefault ( - [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ - optionals (pkgs.hostPlatform ? gcc.arch) ( - # a builder can run code for `gcc.arch` and inferior architectures - [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++ - map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} - ) - ); + # Legacy configuration conversion. + nix.settings = mkMerge [ + { + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + substituters = [ "https://cache.nixos.org/" ]; + + system-features = mkDefault ( + [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ + optionals (pkgs.hostPlatform ? gcc.arch) ( + # a builder can run code for `gcc.arch` and inferior architectures + [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++ + map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} + ) + ); + } + + (mkIf (!cfg.distributedBuilds) { builders = null; }) + + (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) + ]; }; diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix index d5c64fdb26472..355fad5db4681 100644 --- a/nixos/modules/services/misc/nix-ssh-serve.nix +++ b/nixos/modules/services/misc/nix-ssh-serve.nix @@ -20,7 +20,7 @@ in { write = mkOption { type = types.bool; default = false; - description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the nix.trustedUsers option in most use cases, such as allowing remote building of derivations."; + description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the <option>nix.settings.trusted-users</option> option in most use cases, such as allowing remote building of derivations."; }; keys = mkOption { diff --git a/nixos/modules/services/misc/packagekit.nix b/nixos/modules/services/misc/packagekit.nix index 93bd206bd983f..9191078ef9ca4 100644 --- a/nixos/modules/services/misc/packagekit.nix +++ b/nixos/modules/services/misc/packagekit.nix @@ -13,7 +13,7 @@ let (iniFmt.generate "PackageKit.conf" (recursiveUpdate { Daemon = { - DefaultBackend = "test_nop"; + DefaultBackend = "nix"; KeepCache = false; }; } @@ -35,7 +35,7 @@ let in { imports = [ - (mkRemovedOptionModule [ "services" "packagekit" "backend" ] "The only backend that doesn't blow up is `test_nop`.") + (mkRemovedOptionModule [ "services" "packagekit" "backend" ] "Always set to Nix.") ]; options.services.packagekit = { @@ -62,6 +62,8 @@ in services.dbus.packages = with pkgs; [ packagekit ]; + environment.systemPackages = with pkgs; [ packagekit ]; + systemd.packages = with pkgs; [ packagekit ]; environment.etc = listToAttrs (map diff --git a/nixos/modules/services/misc/paperless-ng.nix b/nixos/modules/services/misc/paperless-ng.nix index db8082f072c3b..44efc234a2b31 100644 --- a/nixos/modules/services/misc/paperless-ng.nix +++ b/nixos/modules/services/misc/paperless-ng.nix @@ -6,12 +6,18 @@ let defaultUser = "paperless"; + hasCustomRedis = hasAttr "PAPERLESS_REDIS" cfg.extraConfig; + env = { PAPERLESS_DATA_DIR = cfg.dataDir; PAPERLESS_MEDIA_ROOT = cfg.mediaDir; PAPERLESS_CONSUMPTION_DIR = cfg.consumptionDir; GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}"; - } // lib.mapAttrs (_: toString) cfg.extraConfig; + } // ( + lib.mapAttrs (_: toString) cfg.extraConfig + ) // (optionalAttrs (!hasCustomRedis) { + PAPERLESS_REDIS = "unix://${config.services.redis.servers.paperless-ng.unixSocket}"; + }); manage = let setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); @@ -30,7 +36,7 @@ let "-/etc/hosts" "-/etc/localtime" "-/run/postgresql" - ]; + ] ++ (optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.unixSocket); BindPaths = [ cfg.consumptionDir cfg.dataDir @@ -44,8 +50,7 @@ let NoNewPrivileges = true; PrivateDevices = true; PrivateMounts = true; - # Needs to connect to redis - # PrivateNetwork = true; + PrivateNetwork = true; PrivateTmp = true; PrivateUsers = true; ProcSubset = "pid"; @@ -65,6 +70,7 @@ let RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; + SupplementaryGroups = optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.user; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; # Does not work well with the temporary root @@ -190,7 +196,7 @@ in config = mkIf cfg.enable { # Enable redis if no special url is set - services.redis.enable = mkIf (!hasAttr "PAPERLESS_REDIS" env) true; + services.redis.servers.paperless-ng.enable = mkIf (!hasCustomRedis) true; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" @@ -234,6 +240,8 @@ in echo "$superuserState" > "$superuserStateFile" fi ''; + } // optionalAttrs (!hasCustomRedis) { + after = [ "redis-paperless-ng.service" ]; }; # Password copying can't be implemented as a privileged preStart script @@ -248,6 +256,8 @@ in '${cfg.passwordFile}' '${cfg.dataDir}/superuser-password' ''; Type = "oneshot"; + # Needs to talk to mail server for automated import rules + PrivateNetwork = false; }; }; @@ -279,6 +289,8 @@ in CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; # gunicorn needs setuid SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid" ]; + # Needs to serve web page + PrivateNetwork = false; }; environment = env // { PATH = mkForce cfg.package.path; diff --git a/nixos/modules/services/misc/plex.nix b/nixos/modules/services/misc/plex.nix index 2ae4e80d5c3fd..7000d45975fc6 100644 --- a/nixos/modules/services/misc/plex.nix +++ b/nixos/modules/services/misc/plex.nix @@ -6,6 +6,10 @@ let cfg = config.services.plex; in { + imports = [ + (mkRemovedOptionModule [ "services" "plex" "managePlugins" ] "Please omit or define the option: `services.plex.extraPlugins' instead.") + ]; + options = { services.plex = { enable = mkEnableOption "Plex Media Server"; @@ -42,16 +46,6 @@ in ''; }; - managePlugins = mkOption { - type = types.bool; - default = true; - description = '' - If set to true, this option will cause all of the symlinks in Plex's - plugin directory to be removed and symlinks for paths specified in - <option>extraPlugins</option> to be added. - ''; - }; - extraPlugins = mkOption { type = types.listOf types.path; default = []; @@ -59,9 +53,7 @@ in A list of paths to extra plugin bundles to install in Plex's plugin directory. Every time the systemd unit for Plex starts up, all of the symlinks in Plex's plugin directory will be cleared and this module - will symlink all of the paths specified here to that directory. If - this behavior is undesired, set <option>managePlugins</option> to - false. + will symlink all of the paths specified here to that directory. ''; }; diff --git a/nixos/modules/services/misc/rmfakecloud.nix b/nixos/modules/services/misc/rmfakecloud.nix new file mode 100644 index 0000000000000..fe522653c216f --- /dev/null +++ b/nixos/modules/services/misc/rmfakecloud.nix @@ -0,0 +1,147 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.rmfakecloud; + serviceDataDir = "/var/lib/rmfakecloud"; + +in { + options = { + services.rmfakecloud = { + enable = mkEnableOption "rmfakecloud remarkable self-hosted cloud"; + + package = mkOption { + type = types.package; + default = pkgs.rmfakecloud; + defaultText = literalExpression "pkgs.rmfakecloud"; + description = '' + rmfakecloud package to use. + + The default does not include the web user interface. + ''; + }; + + storageUrl = mkOption { + type = types.str; + example = "https://local.appspot.com"; + description = '' + URL used by the tablet to access the rmfakecloud service. + ''; + }; + + port = mkOption { + type = types.port; + default = 3000; + description = '' + Listening port number. + ''; + }; + + logLevel = mkOption { + type = types.enum [ "info" "debug" "warn" "error" ]; + default = "info"; + description = '' + Logging level. + ''; + }; + + extraSettings = mkOption { + type = with types; attrsOf str; + default = { }; + example = { DATADIR = "/custom/path/for/rmfakecloud/data"; }; + description = '' + Extra settings in the form of a set of key-value pairs. + For tokens and secrets, use `environmentFile` instead. + + Available settings are listed on + https://ddvk.github.io/rmfakecloud/install/configuration/. + ''; + }; + + environmentFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/etc/secrets/rmfakecloud.env"; + description = '' + Path to an environment file loaded for the rmfakecloud service. + + This can be used to securely store tokens and secrets outside of the + world-readable Nix store. Since this file is read by systemd, it may + have permission 0400 and be owned by root. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.rmfakecloud = { + description = "rmfakecloud remarkable self-hosted cloud"; + + environment = { + STORAGE_URL = cfg.storageUrl; + PORT = toString cfg.port; + LOGLEVEL = cfg.logLevel; + } // cfg.extraSettings; + + preStart = '' + # Generate the secret key used to sign client session tokens. + # Replacing it invalidates the previously established sessions. + if [ -z "$JWT_SECRET_KEY" ] && [ ! -f jwt_secret_key ]; then + (umask 077; touch jwt_secret_key) + cat /dev/urandom | tr -cd '[:alnum:]' | head -c 48 >> jwt_secret_key + fi + ''; + + script = '' + if [ -z "$JWT_SECRET_KEY" ]; then + export JWT_SECRET_KEY="$(cat jwt_secret_key)" + fi + + ${cfg.package}/bin/rmfakecloud + ''; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + Type = "simple"; + Restart = "always"; + + EnvironmentFile = + mkIf (cfg.environmentFile != null) cfg.environmentFile; + + AmbientCapabilities = + mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + + DynamicUser = true; + PrivateDevices = true; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + WorkingDirectory = serviceDataDir; + StateDirectory = baseNameOf serviceDataDir; + UMask = 0027; + }; + }; + }; + + meta.maintainers = with maintainers; [ pacien ]; +} diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix index 1bd21c278e000..21551d7d5f033 100644 --- a/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixos/modules/services/misc/sourcehut/default.nix @@ -678,7 +678,7 @@ in rev = "ff96a0fa5635770390b184ae74debea75c3fd534"; ref = "nixos-unstable"; }; - image_from_nixpkgs = (import ("${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix") { + image_from_nixpkgs = (import ("''${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix") { pkgs = (import pkgs_unstable {}); }); in @@ -696,6 +696,7 @@ in package = mkOption { type = types.package; default = pkgs.git; + defaultText = literalExpression "pkgs.git"; example = literalExpression "pkgs.gitFull"; description = '' Git package for git.sr.ht. This can help silence collisions. @@ -712,6 +713,7 @@ in package = mkOption { type = types.package; default = pkgs.mercurial; + defaultText = literalExpression "pkgs.mercurial"; description = '' Mercurial package for hg.sr.ht. This can help silence collisions. ''; |