diff options
Diffstat (limited to 'nixos/modules/services')
| -rw-r--r-- | nixos/modules/services/backup/borgbackup.nix | 3 | ||||
| -rw-r--r-- | nixos/modules/services/misc/ollama.nix | 3 | ||||
| -rw-r--r-- | nixos/modules/services/networking/cloudflared.nix | 10 | ||||
| -rw-r--r-- | nixos/modules/services/networking/firefox-syncserver.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/mosquitto.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/networkd-dispatcher.nix | 4 | ||||
| -rw-r--r-- | nixos/modules/services/networking/resilio.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/security/yubikey-agent.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/torrent/rtorrent.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/nextcloud.md | 23 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/shiori.nix | 80 | ||||
| -rw-r--r-- | nixos/modules/services/x11/window-managers/herbstluftwm.nix | 5 |
12 files changed, 101 insertions, 37 deletions
diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index a3c0715c9e607..abb7925e0935f 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -104,6 +104,9 @@ let --what="sleep" \ --why="Scheduled backup" \ '' + backupScript; + unitConfig = optionalAttrs (isLocalPath cfg.repo) { + RequiresMountsFor = [ cfg.repo ]; + }; serviceConfig = { User = cfg.user; Group = cfg.group; diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix index c460514783efc..a0a32f1702bf3 100644 --- a/nixos/modules/services/misc/ollama.nix +++ b/nixos/modules/services/misc/ollama.nix @@ -5,9 +5,6 @@ let cfg = config.services.ollama; ollamaPackage = cfg.package.override { inherit (cfg) acceleration; - linuxPackages = config.boot.kernelPackages // { - nvidia_x11 = config.hardware.nvidia.package; - }; }; in { diff --git a/nixos/modules/services/networking/cloudflared.nix b/nixos/modules/services/networking/cloudflared.nix index 60f6b7c466892..c0d1012ffb80d 100644 --- a/nixos/modules/services/networking/cloudflared.nix +++ b/nixos/modules/services/networking/cloudflared.nix @@ -131,7 +131,7 @@ let `cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: - `""` for the regular proxy - - `"socks"` for a SOCKS5 proxy. Refer to the [https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/](tutorial on connecting through Cloudflare Access using kubectl) for more information. + - `"socks"` for a SOCKS5 proxy. Refer to the [tutorial on connecting through Cloudflare Access using kubectl](https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/) for more information. ''; }; }; @@ -167,7 +167,7 @@ in description = '' Credential file. - See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#credentials-file](Credentials file). + See [Credentials file](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#credentials-file). ''; }; @@ -178,7 +178,7 @@ in description = '' Enable warp routing. - See [https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/](Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel). + See [Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/). ''; }; }; @@ -204,7 +204,7 @@ in description = '' Service to pass the traffic. - See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#supported-protocols](Supported protocols). + See [Supported protocols](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#supported-protocols). ''; example = "http://localhost:80, tcp://localhost:8000, unix:/home/production/echo.sock, hello_world or http_status:404"; }; @@ -226,7 +226,7 @@ in description = '' Ingress rules. - See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/](Ingress rules). + See [Ingress rules](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/). ''; example = { "*.domain.com" = "http://localhost:80"; diff --git a/nixos/modules/services/networking/firefox-syncserver.nix b/nixos/modules/services/networking/firefox-syncserver.nix index a9fcd883beb07..674a424fb0a42 100644 --- a/nixos/modules/services/networking/firefox-syncserver.nix +++ b/nixos/modules/services/networking/firefox-syncserver.nix @@ -316,7 +316,7 @@ in }; meta = { - maintainers = with lib.maintainers; [ pennae ]; + maintainers = with lib.maintainers; [ ]; doc = ./firefox-syncserver.md; }; } diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 9825af47777e5..7baaf93a1bcfa 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -721,7 +721,7 @@ in }; meta = { - maintainers = with lib.maintainers; [ pennae ]; + maintainers = with lib.maintainers; [ ]; doc = ./mosquitto.md; }; } diff --git a/nixos/modules/services/networking/networkd-dispatcher.nix b/nixos/modules/services/networking/networkd-dispatcher.nix index 427835870e59f..cced406934c1a 100644 --- a/nixos/modules/services/networking/networkd-dispatcher.nix +++ b/nixos/modules/services/networking/networkd-dispatcher.nix @@ -13,7 +13,7 @@ in { enable = mkEnableOption '' Networkd-dispatcher service for systemd-networkd connection status - change. See [https://gitlab.com/craftyguy/networkd-dispatcher](upstream instructions) + change. See [upstream instructions](https://gitlab.com/craftyguy/networkd-dispatcher) for usage ''; @@ -35,7 +35,7 @@ in { ''; description = '' Declarative configuration of networkd-dispatcher rules. See - [https://gitlab.com/craftyguy/networkd-dispatcher](upstream instructions) + [upstream instructions](https://gitlab.com/craftyguy/networkd-dispatcher) for an introduction and example scripts. ''; type = types.attrsOf (types.submodule { diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index 395796d39db8e..c788069fbaa55 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -291,5 +291,5 @@ in }; }; - meta.maintainers = with maintainers; [ jwoudenberg ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/security/yubikey-agent.nix b/nixos/modules/services/security/yubikey-agent.nix index 991f6a5595451..6a4dc7014970a 100644 --- a/nixos/modules/services/security/yubikey-agent.nix +++ b/nixos/modules/services/security/yubikey-agent.nix @@ -10,7 +10,7 @@ in { ###### interface - meta.maintainers = with maintainers; [ philandstuff rawkode jwoudenberg ]; + meta.maintainers = with maintainers; [ philandstuff rawkode ]; options = { diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix index e0ce33d13462e..609b06b5e7066 100644 --- a/nixos/modules/services/torrent/rtorrent.nix +++ b/nixos/modules/services/torrent/rtorrent.nix @@ -182,7 +182,7 @@ in { # XMLRPC scgi_local = (cfg.rpcsock) - schedule = scgi_group,0,0,"execute.nothrow=chown,\":rtorrent\",(cfg.rpcsock)" + schedule = scgi_group,0,0,"execute.nothrow=chown,\":${cfg.group}\",(cfg.rpcsock)" schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"g+w,o=\",(cfg.rpcsock)" ''; diff --git a/nixos/modules/services/web-apps/nextcloud.md b/nixos/modules/services/web-apps/nextcloud.md index 0b615deae44be..c433be5350b53 100644 --- a/nixos/modules/services/web-apps/nextcloud.md +++ b/nixos/modules/services/web-apps/nextcloud.md @@ -121,6 +121,29 @@ Auto updates for Nextcloud apps can be enabled using This is not an end-to-end encryption, but can be used to encrypt files that will be persisted to external storage such as S3. + - **Issues with file permissions / unsafe path transitions** + + {manpage}`systemd-tmpfiles(8)` makes sure that the paths for + + * configuration (including declarative config) + * data + * app store + * home directory itself (usually `/var/lib/nextcloud`) + + are properly set up. However, `systemd-tmpfiles` will refuse to do so + if it detects an unsafe path transition, i.e. creating files/directories + within a directory that is neither owned by `root` nor by `nextcloud`, the + owning user of the files/directories to be created. + + Symptoms of that include + + * `config/override.config.php` not being updated (and the config file + eventually being garbage-collected). + * failure to read from application data. + + To work around that, please make sure that all directories in question + are owned by `nextcloud:nextcloud`. + ## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd} By default, `nginx` is used as reverse-proxy for `nextcloud`. diff --git a/nixos/modules/services/web-apps/shiori.nix b/nixos/modules/services/web-apps/shiori.nix index 022bb5e438812..df3eeaef16183 100644 --- a/nixos/modules/services/web-apps/shiori.nix +++ b/nixos/modules/services/web-apps/shiori.nix @@ -1,17 +1,15 @@ { config, lib, pkgs, ... }: -with lib; -let - cfg = config.services.shiori; +let cfg = config.services.shiori; in { options = { services.shiori = { - enable = mkEnableOption "Shiori simple bookmarks manager"; + enable = lib.mkEnableOption "Shiori simple bookmarks manager"; - package = mkPackageOption pkgs "shiori" { }; + package = lib.mkPackageOption pkgs "shiori" { }; - address = mkOption { - type = types.str; + address = lib.mkOption { + type = lib.types.str; default = ""; description = '' The IP address on which Shiori will listen. @@ -19,30 +17,55 @@ in { ''; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = 8080; description = "The port of the Shiori web application"; }; - webRoot = mkOption { - type = types.str; + webRoot = lib.mkOption { + type = lib.types.str; default = "/"; example = "/shiori"; description = "The root of the Shiori web application"; }; + + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/path/to/environmentFile"; + description = '' + Path to file containing environment variables. + Useful for passing down secrets. + <https://github.com/go-shiori/shiori/blob/master/docs/Configuration.md#overall-configuration> + ''; + }; + + databaseUrl = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "postgres:///shiori?host=/run/postgresql"; + description = "The connection URL to connect to MySQL or PostgreSQL"; + }; }; }; - config = mkIf cfg.enable { - systemd.services.shiori = with cfg; { + config = lib.mkIf cfg.enable { + systemd.services.shiori = { description = "Shiori simple bookmarks manager"; wantedBy = [ "multi-user.target" ]; - - environment.SHIORI_DIR = "/var/lib/shiori"; + after = [ "postgresql.service" "mysql.service" ]; + environment = { + SHIORI_DIR = "/var/lib/shiori"; + } // lib.optionalAttrs (cfg.databaseUrl != null) { + SHIORI_DATABASE_URL = cfg.databaseUrl; + }; serviceConfig = { - ExecStart = "${package}/bin/shiori serve --address '${address}' --port '${toString port}' --webroot '${webRoot}'"; + ExecStart = + "${cfg.package}/bin/shiori server --address '${cfg.address}' --port '${ + toString cfg.port + }' --webroot '${cfg.webRoot}'"; DynamicUser = true; StateDirectory = "shiori"; @@ -50,15 +73,24 @@ in { RuntimeDirectory = "shiori"; # Security options - + EnvironmentFile = + lib.optional (cfg.environmentFile != null) cfg.environmentFile; BindReadOnlyPaths = [ "/nix/store" # For SSL certificates, and the resolv.conf "/etc" - ]; + ] ++ lib.optional (config.services.postgresql.enable && + cfg.databaseUrl != null && + lib.strings.hasPrefix "postgres://" cfg.databaseUrl) + "/run/postgresql" + ++ lib.optional (config.services.mysql.enable && + cfg.databaseUrl != null && + lib.strings.hasPrefix "mysql://" cfg.databaseUrl) + "/var/run/mysqld"; CapabilityBoundingSet = ""; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; DeviceAllow = ""; @@ -78,7 +110,7 @@ in { ProtectKernelTunables = true; RestrictNamespaces = true; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictRealtime = true; RestrictSUIDSGID = true; @@ -88,11 +120,17 @@ in { SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" + "~@cpu-emulation" + "~@debug" + "~@keyring" + "~@memlock" + "~@obsolete" + "~@privileged" + "~@setuid" ]; }; }; }; - meta.maintainers = with maintainers; [ minijackson ]; + meta.maintainers = with lib.maintainers; [ minijackson CaptainJawZ ]; } diff --git a/nixos/modules/services/x11/window-managers/herbstluftwm.nix b/nixos/modules/services/x11/window-managers/herbstluftwm.nix index 7edaf4e980ec4..94c9f4aa91c8f 100644 --- a/nixos/modules/services/x11/window-managers/herbstluftwm.nix +++ b/nixos/modules/services/x11/window-managers/herbstluftwm.nix @@ -33,7 +33,10 @@ in (cfg.configFile != null) ''-c "${cfg.configFile}"'' ; - in "${cfg.package}/bin/herbstluftwm ${configFileClause} &"; + in '' + ${cfg.package}/bin/herbstluftwm ${configFileClause} & + waitPID=$! + ''; }; environment.systemPackages = [ cfg.package ]; }; |